hhc0null

int sub_8049110() 
{
 8049110:	5d                   	pop    %ebp // return address: 0x8048f06
 8049111:	8b 45 00             	mov    0x0(%ebp),%eax // eax = 0xfffffff
 8049114:	83 e0 03             	and    $0x3,%eax
    *ebp &= 3;
 8049117:	83 f8 03             	cmp    $0x3,%eax
 804911a:	75 42                	jne    804915e <exit@plt+0xb8e>
    if(*ebp == 3) {
 804911c:	6a 00                	push   $0x0

hhc0null

i. identify the version
ii. pwn it!

hhc0null

#!/usr/bin/env python2

from pwning import *
import sys

if len(sys.argv) != 2:
    print "Usage: {} [align]".format(sys.argv[0])

rhp = ("pwnable.katsudon.org", 32100)
#rhp = ("localhost", 32100)

hhc0null

" vim: set fdm=marker commentstring=:
" neobundle {{{
set nocompatible
filetype off

if has('vim_starting')
    set runtimepath+=~/.vim/bundle/neobundle.vim
    call neobundle#begin(expand('~/.vim/bundle/'))
endif

hhc0null

int table[255] = {0};
int mark = 0xdeadbeef;
int index = 0;

void generate_table()
{
    for(index; index < 0xff; index++) {
        if(table[index] == 0) {
            table[index] = mark;
        } else if((index+1)&2) {

hhc0null

--- rev ---

MIDDLE

[PoliCTF 2012] Non-Section 500
[NuitDuHack 2013] Crackme300
[NuitDuHack 2013] Crackme500
DIFFICULT

[Hack.lu CTF 2012] #12 Donn Beach - 500

hhc0null

#!/usr/bin/env python2

# too sleepy.....it's kimoi.
# N = p*q
# C = M*(M+B) mod N

import binascii
import itertools
import string

hhc0null

int filter(int size, char *shellcode)
{
    int b1; // -0x10(%ebp)
    int b2; // -0x14(%ebp)
    int x; // -0xc(%ebp)
    int y; // -0x8(%ebp)
    int i; // -0x4(%ebp)

    for(int i = 0; i < size; i+=2) {
        b1 = (unsigned int)shellcode[i];

hhc0null

# rp is verbose:( don't you think so?
rp -f [filename] -r 4|sed -r -e 's/\x1b\[[0-9]*m//g' -e 's/\(.*found\)//g'|grep -e 'ret[[:space:]]*;[[:space:]]*'

hhc0null

it's necessary to do `export JAVA_HOME=/usr/lib/jvm/<jvm-directory>'.