Will Donohoe McSimp

Keybase proof

I hereby claim:

I am mcsimp on github.
I am willdonohoe (https://keybase.io/willdonohoe) on keybase.
I have a public key whose fingerprint is 8144 357B BD8A B4AA 0894 F5C0 0F85 B0F4 D305 4C78

To claim this, I am signing this object:

CySCA 2014 - Web Application Pentest

The CySCA organizers have released a VM image with most of the challenges from CySCA 2014, which you can grab from http://goo.gl/6ftZ39 to play with. Here are my solutions to the Web Application Pentest section.

Club Status

Only VIP and registered users are allowed to view the Blog. Become VIP to gain access to the Blog to reveal the hidden flag.

Bug Details

The bug comes from the first if statment in sha256_final (or whatever you've called it in your code).

Yours looks like OpenSSL's, except the if statement on line 375 of md32_common.h in OpenSSL (https://github.com/openssl/openssl/blob/master/crypto/md32_common.h#L375) evaluates to if (n > 56), whereas yours evaluates to the equivalent of if (n > 55), producing erroneous hashes for data of length 55.

int HASH_FINAL (unsigned char *md, HASH_CTX *c)
{
 unsigned char *p = (unsigned char *)c-&gt;data;

	const fs = require('fs');

	class DataReader {
	constructor(data, context) {
	this.data = data;
	this.context = context;
	this.offset = 0;
	}
	readInt32LE() {
	const result = this.data.readInt32LE(this.offset);

	console.log("Starting");

	function findData(lookFor) {
	var MEM_START_OFFSET = 1;
	var memBuffer = new Uint8Array(__SYSCALL.getSystemResources().memoryRange.block(MEM_START_OFFSET, 0x7FFFFFFF).buffer());
	var locs = [];
	for (var i = 0; i < 0x2000000; i++) {
	var found = true;
	for (var j = 0; j < lookFor.length; j++) {
	if (memBuffer[i+j] != lookFor[j]) {

	var lzf = require('lzf');
	var crypto = require('crypto');

	function DecodeSaveData(data) {
	// Format is: .<Base64 encoded LZF compressed data>\|<MD5 hash of data>
	if (data.indexOf('.') !== 0) {
	throw Error('Invalid save data');
	}

	var splitStr = data.substr(1).split('\|');

	/*
	#############################################################################################
	# Game: Borderlands 2 #
	# Version: 1.0.8364.0 #
	# ========================================================================================= #
	# File: GameDefines.h #
	#############################################################################################
	*/

	#ifdef _MSC_VER

	#include "CNetMessageRegistration.hpp"
	#include "CNetMessage.hpp"
	#include "gm/Lua.hpp"
	#include "gm/CStateManager.hpp"

	using namespace GarrysMod::Lua;

	template <class T, int (T::*F)(CLuaInterface& Lua)>
	int LuaBindThunk(lua_State* L)
	{

	data = [
	[0xa5f7f8aaa82921f70aad9ece4eb77b62112f51ac2be75910b3137a28d22d7ef3be3d734dabb9d853221f1a17b1afb956a50236a7e858569cdfec3edf350e1f88ad13c1efdd1e98b151ce2a207e5d8b6ab31c2b66e6114b1d5384c5fa0aad92cc079965d4127339847477877d0a057335e2a761562d2d56f1bebb21374b729743L, 0x1614984a0df, 0x7ded5789929000e4d7799f910fdbe615824d04b055336de784e88ba2d119f0c708c3b21e9d551c15967eb00074b7f788d3068702b2209e4a3417c0ca09a0a2da4378aa0b16d20f2611c4658e090e7080c67dda287e7a91d8986f4f352625dceb135a84a4a7554e6b5bd95050876e0dca96dc21860df84e53962d7068cebd248dL],
	[0xa5f7f8aaa82921f70aad9ece4eb77b62112f51ac2be75910b3137a28d22d7ef3be3d734dabb9d853221f1a17b1afb956a50236a7e858569cdfec3edf350e1f88ad13c1efdd1e98b151ce2a207e5d8b6ab31c2b66e6114b1d5384c5fa0aad92cc079965d4127339847477877d0a057335e2a761562d2d56f1bebb21374b729743L, 0x15ef25e10f54a3, 0x7c5b756b500801e3ad68bd4f2d4e1a3ff94d049774bc9c37a05d4c18d212c5b223545444e7015a7600ecff9a75488ed7e609c3e931d4b2683b5954a5dc3fc2de9ae3392de4d86d77ee4920fffb13ad59a1e08fd25262a700eb26b3f930

	{
	"back": {
	"toxicwasteback": {
	"iconPath": "items/armors/backitems/toxicwaste/toxicwastebackicon.png",
	"itemPath": "items/armors/backitems/toxicwaste/toxicwaste.back"
	},
	"ironarmoravianback": {
	"iconPath": "items/armors/avian/ironarmoravian/icons.png:back",
	"itemPath": "items/armors/avian/ironarmoravian/ironarmoravian.back"
	},