
@vient
vient / brute.py
Last active January 16, 2016 17:04
import string
from hashlib import md5

def brute(s):
    # candidate alphabet: upper/lower-case letters and digits
    q = string.ascii_letters + string.digits
    for a in q:
        for b in q:
            for c in q:
                # progress indicator: print the current three-character prefix
                print(a+b+c)
                for d in q:
                    for e in q:
                        for f in q:
                            m = md5()

Keybase proof

I hereby claim:

  • I am vient on github.
  • I am vient (https://keybase.io/vient) on keybase.
  • I have a public key whose fingerprint is 01FE 8F8B 43C5 9702 2527 6198 EA67 BB0B 7A80 47FF

To claim this, I am signing this object:

@vient
vient / matriochka4_ida_solve.py
Last active April 11, 2017 15:45
"Matriochka step 4 (I did it again)" solution in the form of IDA script — Nuit du Hack Quals 2017
from __future__ import print_function
from idautils import *
from idaapi import *
import hashlib

def step_forward(addr, n=1, checks=None):
    if checks:
        assert(n == len(checks))
@vient
vient / _enlightenment.txt
Last active May 13, 2017 23:18
Solution for Enlightenment task from DEF CON CTF Qualifier 2017
The idea is that in each task the key was checked character by character in the same way.
So we can make a pattern from the assembly code and then extract all the information with a simple re.search().
The first task, Magic, was solved with angr though, mainly because I didn't think about regexes in the first place.
There are two details that distinguish Enlightenment from the previous tasks (subtasks here):
1. All binaries were compiled with different options, so all my regexes broke, as did the angr solution.
Regexes are easily adjustable, but you can't use these solutions to solve the previous tasks anymore.
2. Only in this task are keys sometimes reversed. I decided not to find in the binary whether it reverses the key or not;
instead I just tried to feed the key to the binary. If the return code is not 0, then we need to reverse the key.

AVX2 Encoder

Intro

This is the write-up for the task "AVX2 Encoder" from TCTF (0CTF) Finals 2017.

Description

We are given the following files:

avx2_encoder.exe: PE32+ executable (console) x86-64, for MS Windows
@vient
vient / description.md
Last active September 29, 2019 17:19
Zeronights 2017 HackQuest Day #2 Writeup

Your friend works in an antivirus company. He developed a new algorithm for generating a license key and asks you to test it.

We are given an archive containing an ELF x86_64 executable, "petrovavlic". Without much thought, we open it in IDA and see that it is packed with UPX 3.94. UPX itself cannot unpack it, because the author stripped the section names. We unpack it one way or another, for example by restoring the section names, and continue.

From the strings in the unpacked file it is immediately clear that it is written in Go. The same strings also tell us who authored the task.

00000fb0: 2800 0000 0400 0000 476f 0000 3766 6661  (.......Go..7ffa
00000fc0: 3865 6437 3736 6134 3236 3237 3165 3864  8ed776a426271e8d
00000fd0: 6664 3937 3062 3530 6330 3163 6637 3666  fd970b50c01cf76f
@vient
vient / description.md
Last active August 13, 2022 10:42
Kaspersky Crackme 2016

We are given a binary PE executable for x86. We open it in IDA, go to main and see the following code:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int result; // eax@2
  const char *v4; // ecx@3

  printf("Welcome to Kaspersky CrackMe 2016!\n");
  if ( argc == 3 )
  {
@vient
vient / _writeup.md
Last active December 10, 2017 21:16
SECCON Quals 2017 "printf machine" Writeup

The binary reads format strings one by one from the provided file and prints them to /dev/null.

This fprintf receives a lot of parameters, which are actually 16 bytes of memory, 16 bytes of flag, and pointers to those bytes, 64 parameters in total. Because of the %hhn specifiers, format strings can write to the provided memory addresses, so we can perform additions with them easily.

Since the given "virtual program" was pretty big, almost 3400 lines, I wrote a parser to make the "virtual instructions" (format strings) more human-readable. For example, %2$*36$s%2$*41$s%4$hhn becomes mem[3] = mem[3] + mem[8].

After parsing into human-readable form, the patterns in the code became more obvious, so the next thing I wrote was two "optimizing" passes that folded additions into multiplications and then multiplications into one big sum.

After these passes we already have a pretty simple program. It is clear that the flag is checked using a linear system, so we can solve it easily with z3.

@vient
vient / solve.py
Created January 1, 2018 23:30
34C3 CTF primepwn solution
#!/usr/bin/env python2
from pwn import *
from heapq import *

PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251)

def gen_byte_generators():
    res = {}
@vient
vient / solve.py
Created April 2, 2018 15:48
0ctf 2018 quals "udp" solution
import sys
import pprint
import struct
TABLE_SIZE = 4000
table = [[]]
iterators = []
locks = set()
def request(cur=0, path_diff=2**64):