Skip to content

Instantly share code, notes, and snippets.

View pawlos's full-sized avatar
🐛

Paweł Łukasik pawlos

🐛
View GitHub Profile
k = "Pl3as_d0"+"n't_cR45"+"h_1n_+h!"+"s_fUnC+1"+"0n"
s = "+U]\x93\xa0C\xdd\x14"+"CR}\xe5"
print len(k), len(s)
b = []
j = 0
cnt = 0xf6
a = [0x2a,0x7c,0x2d,0x49,0x66,0x6e,0x71,0x32,
0x30,0x21,0x20,0x0a,0x41,0x5a,0x64,0x24,
0x72,0x3c,0x58,0x6f,0x5c,0x44,0x2f,0x7b,
0x4b,0x43,0x7e,0x61,0x34,0x54,0x7a,0x37,
0x29,0x59,0x5e,0x3a,0x78,0x60,0x0b,0x7d,
0x53,0x73,0x31,0x79,0x4f,0x6d,0x69,0x76,
0x23,0x0d,0x25,0x5d,0x40,0x5b,0x5f,0x4e,
0x28,0x48,0x6a,0x2c,0x56,0x51,0x75,0x67]
#include <stdio.h>
int main() {
unsigned int expected[8] = {0};
expected[0] = 0x95cb8dbd;
expected[1] = 0xf84cc79;
expected[2] = 0xb899a876;
expected[3] = 0xa5dab55;
expected[4] = 0x9a8b3bba;
data = "I&r5v1\x13\x04N^"
key = "DuMb"
import itertools
flag = [chr(ord(x) ^ (ord(y) - 7)) for x,y in zip(data, itertools.cycle(key))]
print ''.join(flag)
def encipher(num_rounds, v, key):
v0=v[0]
v1=v[1]
sum=0
delta=0x9E3779B9
for i in range(num_rounds):
v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3])
sum += delta
from http.server import HTTPServer, BaseHTTPRequestHandler
import base64
from io import BytesIO
def compress(data):
d = [x ^ 0x4d for x in data]
return base64.b64encode(bytearray(d))
class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
@pawlos
pawlos / part4.py
Created January 11, 2020 18:28
Solving the fifth part of HitCon Quals CoreDumb
import string
import itertools
def brute(data):
s = 0xffffffff
for i in range(len(data)):
if data[i] == 0x00:
break
#iVar1 = i + 1
s = s ^ ord(data[i])
s = s & 0xffffffff
@pawlos
pawlos / decode.py
Created January 11, 2020 18:13
Hitcon CoreDumb decryptor
keys = ['4a03b58e','44daffc6','e13fea85','f29ead42','5c53e277']
keys = [x.decode('hex') for x in keys]
data = ['1f4b3c6b028059ee028ac826c37611ea0288b1ab6203b58e028af0767bc372cb8a47c0c328c5f04a4a4b72cb9a03b58e4a4b72cb9203b58e4a4b72cbaa03b58e4ac4f0664a03b58e2cc4f0624a03fd360325c7bb3c32a68a028af04b2cc4f043045d73cb850372cbf203b58e4ac4f0324b03b58e8d460d8e4a03b5657388f036026065c6c1461dc64bd3ba384288f036d3c25f904bd3366e492a65c6d20c03ca4fc336664d3274078088f036029b3dda4fd336cbf2023ecbf238f02a36bc72cbf203b58e4ae896050fbbfd1645b5e18b9a88f036029bba380e0670b68877b2490fbfb58e4a0336cbf2023ecbf238f02a36d63ecbf64b3efbb267fdbd7e269d8e4a03c18ba2b74971b5ca7600',
'119276230c5913b60c53825e209274c261f2ffc644927683bceb3f01017effc644da3883ecdaffc6441dba6a44daffc6839f4fc744daff01010a424b8f4f388390a333424b1dba1e3272667e839f2393ef87f501013a45fdcf403883a07dc774341dba2eb5e64ab4839f13cf46a62b010176ffc644da16d545daff4d0176b7a594927483dc92fe164b6cffc9fa1ada3944daff4f017e7483e892678ec98afb8ecf9f678e450af07044d541066125ffc64453ba6e
from itertools import *
import string
def xor(data, key):
return ''.join([chr(d ^ ord(k)) for d,k in zip(data, cycle(key))])
data = [0x1C,0x5C,0x22,0x00,0x00,0x17,0x02,0x62,0x07,0x00,0x06,0x0D,0x08,0x75,0x45,0x17,0x17,0x3C,0x3D,0x1C,0x31,0x32,0x02,0x2F,0x12,0x72,0x39,0x0D,0x23,0x1E,0x28,0x29,0x69,0x31,0x00,0x39]
extra = '_'+'-'+'$' +'!'+'@'+'*'+'.'
from ctypes import *
import struct
import hashlib
def readProcessMemory(address, l):
OpenProcess = windll.kernel32.OpenProcess
ReadProcessMemory = windll.kernel32.ReadProcessMemory
CloseHandle = windll.kernel32.CloseHandle
PROCESS_ALL_ACCESS = 0x1F0FFF