@satos---jp
satos---jp / README.md
Last active November 28, 2024 07:06
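Writeup for Reaction (SECCON 2024 Quals)

Experimenting with the input and output shows that the program advances when, in response to an output of the form [0,3]{2}, we supply an input of the form [0,3][0,12]. Analyzing the Environment::update function in the binary suggests that it operates on a two-dimensional array inside a for loop, so dumping the contents of that two-dimensional array with gdb gives: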

Breakpoint 2, 0x0000555555557c50 in Environment::update() ()
000000000000
000000000000
000000000000
000000000000
000000000000
000000000000
@satos---jp
satos---jp / p
Created August 17, 2024 04:54
solve EX7@atgt2024sm
11100111
11100111
11100111
01101111
11100111
00101011
11100111
00101100
11100111
01100111
@satos---jp
satos---jp / solver.py
Created June 20, 2021 08:40
ExtraTaker stage V solver
h = 6
w = 9
bo = """
#####G###
#G # ##
X X
X X
## X
@satos---jp
satos---jp / port_fstar_tdiff.py
Last active April 19, 2021 23:04
revised perf diff (raw v.s. F* extracted)
import re
class PerfData:
    def __init__(self):
        self.data = {}
        self.duration = None
    def time(self,fn):
        return self.data[fn] * self.duration
@satos---jp
satos---jp / solver.py
Last active July 12, 2020 13:19
Solver for ONNXrev@tsgctf2
from PIL import Image
from PIL import ImageDraw
from PIL import ImageFont
import onnx,onnxruntime
from onnx import helper
import numpy
import string
model = onnx.load('problem.onnx','rb')
@satos---jp
satos---jp / __generator.py
Last active July 12, 2020 13:18
Solver for self host@tsgctf2
# First, compile compiler_exploit.x with the following command.
# `python3 interpreter.py compiler.x < compiler_exploit.x > tmp.s`
# Then, run this script, and you get "exploit.s", which is an answer for this problem.
s = open('tmp.s').read()
head = s[:s.index('[123,456,789]')]
tail = s[s.index('[314,159,265]')+len('[314,159,265]'):]
headstr = ''.join(str(list(map(lambda x: ord(x),head))).split(' '))
tailstr = ''.join(str(list(map(lambda x: ord(x),tail))).split(' '))
@satos---jp
satos---jp / solver.py
Last active July 12, 2020 13:04
Solver for reverse-ing@tsgctf2
# gdb -q reversing -x solver.py
def get_byte_at(s):
    res = gdb.execute('x/b %s' % s,to_string=True)
    res = int(res.split('\t')[-1][2:],16)
    return res
xs = []
ys = []
gdb.execute('b* reverse+52')
@satos---jp
satos---jp / fed_data.py
Last active December 5, 2019 12:02
CTFZone 2019 qual StarWars solver (solver.py generates correct input & gen.py checks and converts it )
s = """
push rbx
sub rsp, 20h
mov ecx, 108h ; unsigned __int64
call ??2@YAPEAX_K@Z ; operator new(unsigned __int64)
mov r8d, 10h ; Count
mov [rsp+28h+arg_0], rax
lea rdx, Source ; "Federation ship"
mov rcx, rax ; Dest
mov rbx, rax
@satos---jp
satos---jp / decode.py
Created December 5, 2019 11:54
CTFZone 2019 qual MITM writeup
from Crypto.Cipher import AES
import hashlib
dnonce = b"531d8592bbf347cec586a5797f99da00"[:-2]
nonce = ("0" * len(dnonce))
nonce = bytes.fromhex(nonce)
B = b'0'
key = hashlib.sha256(B).digest()
@satos---jp
satos---jp / remote.py
Created December 5, 2019 11:48
CTFZone 2019 qual NTRU writeup
from cryptosystem import PKCS
from polynomials import Polynomial as P
from cryptosystem_edit import PKCS as PKCS_edit
from flag_params import flag_encrypted_password as encpass
cs = PKCS.importPublicKey(open('public.key').read())