Skip to content

Instantly share code, notes, and snippets.

@BenGardiner
Last active January 2, 2023 14:38
Show Gist options
  • Save BenGardiner/a25296c7dde63013ac49c2aabfa8cc1b to your computer and use it in GitHub Desktop.
Save BenGardiner/a25296c7dde63013ac49c2aabfa8cc1b to your computer and use it in GitHub Desktop.
jupyter lab workspace for montrehack

Solving Zack Deveau's SNES NSec 2021 Challenges with radare2 and Jupyter Notebooks

Use files in this gist to make your own solve of these fun challenges by zdeveau! The extra challenge is that you must do it using only static analysis in radare2. To make things a bit easier on you we will use Jupyter (Labs) Notebooks.

Install the python (tested with python-3.10) packages you will need (a full tested pip freeze is in requirements.txt also):

pip3 install jupyterlab r2pipe

Then start with jupyter-lab (and open the url with token that it shows you).

Open the __your_solve.ipynb file in the browser UI of jupyter-lab and you will find a place to work on your own solution to the challenges. Start with this file. It will direct you to install a specific version of radare2:

git clone --depth=1 https://github.com/radare/radare2 && cd radare2
./sys/install-rev.sh v5.4.2

The rest of the files contain SPOILERS! Open them when following along with the training or you need spoilers to get un-stuck:

  1. _intro.ipynb -- concepts and tools, some steps to start
  2. hands-on-1.ipynb -- find the code handling the joypad reads and what are the magic joypad inputs?
  3. hands-on-2.ipynb -- find all the variable in memory tainted by correct button presses, follow the start button pressed code, flag the flag!
  4. hands-on-3.ipynb -- find the flag, find the code making ref to the flag, find the code tainting variables which are used by the code making ref to the flag, flag the flag!
Display the source blob
Display the rendered blob
Raw
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Display the source blob
Display the rendered blob
Raw
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Display the source blob
Display the rendered blob
Raw
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Display the source blob
Display the rendered blob
Raw
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Display the source blob
Display the rendered blob
Raw
View raw

(Sorry about that, but we can’t show files that are this big right now.)

Display the source blob
Display the rendered blob
Raw
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
View raw

(Sorry about that, but we can’t show files that are this big right now.)

View raw

(Sorry about that, but we can’t show files that are this big right now.)

View raw

(Sorry about that, but we can’t show files that are this big right now.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment