From a21c3183dab5110ec6e02c9cae6c463ba4e59722 Mon Sep 17 00:00:00 2001 From: Michael Barre Date: Fri, 10 Mar 2017 21:49:41 -0600 Subject: [PATCH 01/51] points --- listen-closely/problem.yml | 2 +- match-me/problem.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/listen-closely/problem.yml b/listen-closely/problem.yml index 051ef0d..85e8766 100644 --- a/listen-closely/problem.yml +++ b/listen-closely/problem.yml @@ -4,6 +4,6 @@ hint: 1, 16, 8000 category: Cryptography autogen: false programming: false -value: 300 +value: 200 files: - listenclosely.wav diff --git a/match-me/problem.yml b/match-me/problem.yml index bf9854d..4b0985f 100644 --- a/match-me/problem.yml +++ b/match-me/problem.yml @@ -4,7 +4,7 @@ hint: This is a fairly well-known graph problem, there's probably some sort of i category: Algorithms autogen: false programming: false -value: 400 +value: 300 files: - female_prefs.txt - male_prefs.txt From dab837b405b2f0335673b74634fa56f839d3ce9f Mon Sep 17 00:00:00 2001 From: Michael Zhang Date: Fri, 10 Mar 2017 23:38:46 -0600 Subject: [PATCH 02/51] undirect -> tiny-eval --- tiny-eval/description.md | 1 + {undirect => tiny-eval}/grader.py | 0 tiny-eval/problem.yml | 7 +++++++ undirect/description.md | 1 - undirect/problem.yml | 7 ------- 5 files changed, 8 insertions(+), 8 deletions(-) create mode 100644 tiny-eval/description.md rename {undirect => tiny-eval}/grader.py (100%) create mode 100644 tiny-eval/problem.yml delete mode 100644 undirect/description.md delete mode 100644 undirect/problem.yml diff --git a/tiny-eval/description.md b/tiny-eval/description.md new file mode 100644 index 0000000..09005c5 --- /dev/null +++ b/tiny-eval/description.md @@ -0,0 +1 @@ +This [page](https://tinyeval.web.easyctf.com) will evaluate anything you give it. diff --git a/undirect/grader.py b/tiny-eval/grader.py similarity index 100% rename from undirect/grader.py rename to tiny-eval/grader.py 
diff --git a/tiny-eval/problem.yml b/tiny-eval/problem.yml new file mode 100644 index 0000000..e5eabc0 --- /dev/null +++ b/tiny-eval/problem.yml @@ -0,0 +1,7 @@ +author: mzhang +title: TinyEval +hint: How can you eval in as little characters as possible? +category: Web +autogen: false +programming: false +value: 100 diff --git a/undirect/description.md b/undirect/description.md deleted file mode 100644 index a942164..0000000 --- a/undirect/description.md +++ /dev/null @@ -1 +0,0 @@ -Seems like we got ourselves stuck in a [redirect loop](http://undirect.web.easyctf.com). Help me undirect myself from its clutches and get the flag! \ No newline at end of file diff --git a/undirect/problem.yml b/undirect/problem.yml deleted file mode 100644 index fb251d4..0000000 --- a/undirect/problem.yml +++ /dev/null @@ -1,7 +0,0 @@ -author: mzhang -title: Undirect -hint: How can you find out more about what the server is really sending back? -category: Web -autogen: false -programming: false -value: 100 \ No newline at end of file From 1536b13da5d2f494465324cc3ef85e086a49868d Mon Sep 17 00:00:00 2001 From: Ankur Sundara Date: Fri, 10 Mar 2017 23:53:45 -0600 Subject: [PATCH 03/51] Create problem.yml --- library/problem.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 library/problem.yml diff --git a/library/problem.yml b/library/problem.yml new file mode 100644 index 0000000..4d77da8 --- /dev/null +++ b/library/problem.yml @@ -0,0 +1,10 @@ +author: arxenix +title: library +category: Programming +autogen: false +programming: true +value: 75 + +test_cases: 10 +time_limit: 1000 +memory_limit: 256000 From afd661e85e27c55de486d9efda0e140d634b9ef1 Mon Sep 17 00:00:00 2001 From: Ankur Sundara Date: Sat, 11 Mar 2017 00:11:38 -0600 Subject: [PATCH 04/51] Update description.md --- library/description.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/description.md b/library/description.md index 1bab618..8d975aa 100644 
--- a/library/description.md +++ b/library/description.md @@ -2,10 +2,10 @@ Your librarian has a 2-row bookshelf that can contain N books in each row. She w Input: the integer, N (1<=N<=2^1024) -Output: the number of ways you can place red-colored books and blue-colored books onto the bookshelf. Since this number might be really big, output it mod 10^9+7. +Output: the number of ways you can place red-colored books and blue-colored books onto a N-column bookshelf. Since this number might be really big, output it mod 10^9+7. Example: -Input: 3 +Input: 2 Your valid bookshelf layouts are: ``` From 55f65cac5d65f022893879b3cdc14aa96cf38024 Mon Sep 17 00:00:00 2001 From: Ankur Sundara Date: Sat, 11 Mar 2017 00:30:58 -0600 Subject: [PATCH 05/51] Create generator.py --- library/generator.py | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 library/generator.py diff --git a/library/generator.py b/library/generator.py new file mode 100644 index 0000000..ea66ed5 --- /dev/null +++ b/library/generator.py @@ -0,0 +1,11 @@ +import random +C = input() + +if C==1: + print 1 +elif C==2: + print 2 +elif C==3 or C==4: + print random.randint(3, 100) +else: + print random.randint(2**(C**3-1), 2**(C**3)) From 41cf2ab68a09a024d24c4cc48033f39135749382 Mon Sep 17 00:00:00 2001 From: Ankur Sundara Date: Sat, 11 Mar 2017 00:32:58 -0600 Subject: [PATCH 06/51] Create grader.py --- library/grader.py | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 library/grader.py diff --git a/library/grader.py b/library/grader.py new file mode 100644 index 0000000..fcccfc1 --- /dev/null +++ b/library/grader.py 
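Review bot: `C = input()` in library/generator.py is the Python 2 `input()`, which evaluates whatever arrives on stdin as a Python expression instead of parsing an integer. The file is Python 2 (it uses print statements), so `C = int(raw_input())` gives the same value for valid input and rejects anything that is not a number. The same pattern appears in library/grader.py (`x = input()`, later changed to `x = input() + 1`) and in fizz-buzz-1/grader.py (`n = input()`). This page does not show how the judge feeds these scripts, so the exposure is unclear, but parsing explicitly costs nothing.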
@@ -0,0 +1,39 @@ +x = input() + +mat = [[0,0,1,0],[0,1,0,1],[1,0,2,0],[0,2,0,1]] +mod = 10**9+7 + +def egcd(a, b): + if a == 0: + return (b, 0, 1) + else: + g, y, x = egcd(b % a, a) + return (g, x - (b // a) * y, y) + +def modinv(a, m): + g, x, y = egcd(a, m) + if g != 1: + raise Exception('modular inverse does not exist') + else: + return x % m + +def matmult(mtx_a, mtx_b, mod): + tpos_b = zip( *mtx_b) + rtn = [[ sum( ea*eb for ea,eb in zip(a,b))%mod for b in tpos_b] for a in mtx_a] + return rtn + +def trace(A): + return sum(A[j][j] for j in range(len(A))) + +def matpow(A, p): + ret = A + for bit in bin(p)[3:]: + ret = matmult(ret, ret, mod) + if bit=='1': + ret = matmult(ret, A, mod) + return ret + +inv4 = modinv(4, mod) +ans = trace(matpow(mat, x))%mod +ans = (ans * inv4)% mod +print ans From 8802d17a24b1cb6298f1bb8bdc13be5d0c2f15b3 Mon Sep 17 00:00:00 2001 From: Ankur Sundara Date: Sat, 11 Mar 2017 00:34:41 -0600 Subject: [PATCH 07/51] Fix grader.py --- library/grader.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/grader.py b/library/grader.py index fcccfc1..b98e56c 100644 --- a/library/grader.py +++ b/library/grader.py @@ -1,4 +1,4 @@ -x = input() +x = input() + 1 mat = [[0,0,1,0],[0,1,0,1],[1,0,2,0],[0,2,0,1]] mod = 10**9+7 From fd1421bff5dc56c05f456373dfe588530e7128c6 Mon Sep 17 00:00:00 2001 From: Ankur Sundara Date: Sat, 11 Mar 2017 00:38:01 -0600 Subject: [PATCH 08/51] Update description.md --- library2/description.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/library2/description.md b/library2/description.md index 9e733f0..449651a 100644 --- a/library2/description.md +++ b/library2/description.md @@ -28,3 +28,7 @@ Output: ``` 1 ``` + +Explanation: + +If you understand the word 'ok', you can understand the word 'blah'. If you understand 'ok' and 'blah', you can understand 'iz'. 'iz', and 'ok' lets you understand 'yiq'. 'yiq', 'iz', and 'blah' let you understand 'arggiq'. 
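Review bot: `matpow` in library/grader.py has an undocumented precondition: `bin(p)[3:]` drops the leading 1 bit, so for `p = 0` the loop never runs and the function returns `A` rather than the identity matrix. The stated input range (N >= 1) never reaches that case, so a comment is enough, e.g. `# requires p >= 1: bin(p)[3:] skips the leading 1 bit of p`. Separately, `matmult` walks `tpos_b` once per row of `mtx_a`, which only works because Python 2 `zip` returns a list; `tpos_b = list(zip(*mtx_b))` keeps it correct if the file is ever run under Python 3.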
From f54973edc886cbdc2c1871ed898d8e4040730569 Mon Sep 17 00:00:00 2001 From: Jacob Magnuson Date: Sat, 11 Mar 2017 06:47:41 +0000 Subject: [PATCH 09/51] fix rsa3 and kill rsa4 --- fizz-buzz-1/description.md | 24 ++++++++++---- fizz-buzz-1/grader.py | 16 ++++++--- rsa3/description.md | 6 +--- rsa3/grader.py | 52 ------------------------------ rsa3/problem.yml | 12 +------ rsa4/description.md | 1 - rsa4/description.md.BACKUP.137.md | 8 ----- rsa4/description.md.BACKUP.20.md | 8 ----- rsa4/description.md.BASE.137.md | 1 - rsa4/description.md.BASE.20.md | 1 - rsa4/description.md.LOCAL.137.md | 5 --- rsa4/description.md.LOCAL.20.md | 5 --- rsa4/description.md.REMOTE.137.md | 0 rsa4/description.md.REMOTE.20.md | 0 rsa4/grader.py | 4 --- rsa4/problem.yml | 9 ------ rsa4/rsa3 | 2 -- rsa4/rsa4 | 2 -- things-add-up/problem.yml | 1 + things-dont-add-up/generator.py | 2 +- things-dont-add-up/grader.class | Bin 0 -> 960 bytes things-dont-add-up/grader.py | 1 - things-dont-add-up/problem.yml | 1 + 23 files changed, 34 insertions(+), 127 deletions(-) delete mode 100644 rsa4/description.md delete mode 100644 rsa4/description.md.BACKUP.137.md delete mode 100644 rsa4/description.md.BACKUP.20.md delete mode 100644 rsa4/description.md.BASE.137.md delete mode 100644 rsa4/description.md.BASE.20.md delete mode 100644 rsa4/description.md.LOCAL.137.md delete mode 100644 rsa4/description.md.LOCAL.20.md delete mode 100644 rsa4/description.md.REMOTE.137.md delete mode 100644 rsa4/description.md.REMOTE.20.md delete mode 100644 rsa4/grader.py delete mode 100644 rsa4/problem.yml delete mode 100644 rsa4/rsa3 delete mode 100644 rsa4/rsa4 create mode 100644 things-dont-add-up/grader.class delete mode 100644 things-dont-add-up/grader.py diff --git a/fizz-buzz-1/description.md b/fizz-buzz-1/description.md index 3eac10a..eda6cd1 100644 --- a/fizz-buzz-1/description.md +++ b/fizz-buzz-1/description.md 
@@ -1,9 +1,17 @@ -Write a program that outputs the numbers 1 through n, in incremental order, one per line. +Write a program that takes an integer `n` as input. -However, replace any line that is a multiple of 3 with "Fizz" and any that are a multiple of 5 with "Buzz". Any line that is a multiple of 3 and 5 should be written as "FizzBuzz". +Output the numbers 1 through `n`, in increasing order, one per line. + +However, replace any line that is a multiple of 3 with `Fizz` and any that are a multiple of 5 with `Buzz`. Any line that is a multiple of 3 and 5 should be written as `FizzBuzz`. The input will be the number of lines to write, n, followed by a linebreak. +Sample input: + +``` +17 +``` + Sample output: ``` @@ -12,14 +20,16 @@ Sample output: Fizz 4 Buzz - -... - +Fizz +7 +8 +Fizz +Buzz +11 +Fizz 13 14 FizzBuzz 16 17 - -... ``` \ No newline at end of file diff --git a/fizz-buzz-1/grader.py b/fizz-buzz-1/grader.py index d5a341a..4233db8 100644 --- a/fizz-buzz-1/grader.py +++ b/fizz-buzz-1/grader.py @@ -1,4 +1,12 @@ -def grade(random, key): - if key.find("PUT A NEW KEY HERE!!!!") != -1: - return True, "Correct!" - return False, "Nope." \ No newline at end of file +n = input() + +for i in range(1, n + 1): + if i % 3 == 0 and i % 5 == 0: + print 'FizzBuzz' + elif i % 3 == 0: + print 'Fizz' + elif i % 5 == 0: + print 'Buzz' + else: + print i + diff --git a/rsa3/description.md b/rsa3/description.md index c61c847..a01623f 100644 --- a/rsa3/description.md +++ b/rsa3/description.md 
@@ -1,5 +1 @@
-<<<<<<< HEAD
-I found somebody's notes on their private RSA! Help me crack [this](${ciphertext_txt}).
-=======
-We came across another [message]($rsa3) that follows the same cryptographic schema as those other Really Scary Admin messages. Take a look and see if you can crack it.
->>>>>>> 93577ddee37a489cf0aa1a4b987d23a3bc3d2657
+We came across another [message]($rsa3) that follows the same cryptographic schema as those other RSA messages. Take a look and see if you can crack it.
diff --git a/rsa3/grader.py b/rsa3/grader.py
index 4f6a800..e9ca30f 100644
--- a/rsa3/grader.py
+++ b/rsa3/grader.py
@@ -1,56 +1,4 @@ -<<<<<<< HEAD -from cStringIO import StringIO - -flag = "wh3n_y0u_h4ve_p&q_RSA_iz_ez" - -def modx(base,exp,mod): - r = 1; - while (exp > 0): - if (exp % 2 == 1): - r = (r * base) % mod - base = (base * base) % mod - exp = exp/2 - return r - -def probprime(s): - if s%2==0: - s += 1 - smolprimes = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97] - while len(set([modx(i,s-1,s) for i in smolprimes])) != 1 or modx(2,s-1,s) != 1: - s+=2 - return(s) - -def get_problem(random): - # add Probable Prime function later - p = probprime(random.randint(3*10**79,4*10**79)) - q = probprime(random.randint(3*10**79,4*10**79)) - e = 3 - salt = "".join([random.choice("0123456789abcdef") for i in range(8)]) - return (p, q, e, salt) - -def generate_ciphertext(random): - p, q, e, salt = get_problem(random) - encoded = int(("easyctf{%s_%s}" % (flag, salt)).encode('hex'),16) - ciphertext = 'p: '+str(p)+'\n' - ciphertext += 'q: '+str(q)+'\n' - ciphertext += 'e: '+str(e)+'\n' - ciphertext += 'c: '+str(pow(encoded, e, p*q))+'\n' - - return StringIO(ciphertext) - -def generate(random): - return dict(files={ - "ciphertext_rsa1.txt": generate_ciphertext - }) - -def grade(random, key): - n, salt = get_problem(random) - if key.find("%s_%s" % (flag, salt)) >= 0: - return True, "Correct!" - return False, "Nope." -======= def grade(autogen, key): if key.find("tw0_v3ry_merrry_tw1n_pr1m35!!_417c0d") != -1: return True, "Really Superb! Applause!" return False, "RIP" ->>>>>>> 93577ddee37a489cf0aa1a4b987d23a3bc3d2657 diff --git a/rsa3/problem.yml b/rsa3/problem.yml index 8ff5a4d..10bc296 100644 --- a/rsa3/problem.yml +++ b/rsa3/problem.yml 
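Review bot: The `grade` function that survives the conflict resolution in rsa3/grader.py accepts any submission that merely contains the flag text, because it tests `key.find(...) != -1` rather than equality. One submission can therefore carry many candidate strings, so a per-submission attempt limit on the platform (not visible on this page) would not bound guessing. Comparing the normalised key exactly, for example `key.strip() == FLAG` with `FLAG` as a module-level constant and any accepted wrapper stripped first, closes that. The graders added later in this series for injection1 and flip-my-letters use the same substring test.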
@@ -1,19 +1,9 @@ -<<<<<<< HEAD -title: RSA 1 -author: neptunia -hint: Go google RSA if you're stuck. -category: Cryptography -autogen: true -programming: false -value: 25 -======= author: blockingthesky title: RSA 3 hint: You might want to read up on how RSA works. category: Cryptography autogen: false programming: false -value: 70 +value: 135 files: - rsa3 ->>>>>>> 93577ddee37a489cf0aa1a4b987d23a3bc3d2657 diff --git a/rsa4/description.md b/rsa4/description.md deleted file mode 100644 index 2d61669..0000000 --- a/rsa4/description.md +++ /dev/null @@ -1 +0,0 @@ -We came across another [message]($rsa4) that follows the same cryptographic schema as those other RSA messages. Take a look and see if you can crack it. \ No newline at end of file diff --git a/rsa4/description.md.BACKUP.137.md b/rsa4/description.md.BACKUP.137.md deleted file mode 100644 index 68f5e9f..0000000 --- a/rsa4/description.md.BACKUP.137.md +++ /dev/null @@ -1,8 +0,0 @@ -<<<<<<< HEAD -<<<<<<< HEAD -I found somebody's notes on their private RSA! Help me crack [this](${ciphertext_txt}). -======= -We came across another [message]($rsa3) that follows the same cryptographic schema as those other Really Scary Admin messages. Take a look and see if you can crack it. ->>>>>>> 93577ddee37a489cf0aa1a4b987d23a3bc3d2657 -======= ->>>>>>> f9a58afef003d40f3ada9c1645eda26363521cf3 diff --git a/rsa4/description.md.BACKUP.20.md b/rsa4/description.md.BACKUP.20.md deleted file mode 100644 index 68f5e9f..0000000 --- a/rsa4/description.md.BACKUP.20.md +++ /dev/null @@ -1,8 +0,0 @@ -<<<<<<< HEAD -<<<<<<< HEAD -I found somebody's notes on their private RSA! Help me crack [this](${ciphertext_txt}). -======= -We came across another [message]($rsa3) that follows the same cryptographic schema as those other Really Scary Admin messages. Take a look and see if you can crack it. ->>>>>>> 93577ddee37a489cf0aa1a4b987d23a3bc3d2657 -======= ->>>>>>> f9a58afef003d40f3ada9c1645eda26363521cf3 
diff --git a/rsa4/description.md.BASE.137.md b/rsa4/description.md.BASE.137.md
deleted file mode 100644
index 6f6a960..0000000
--- a/rsa4/description.md.BASE.137.md
+++ /dev/null
@@ -1 +0,0 @@
-We came across another [message]($rsa3) that follows the same cryptographic schema as those other Really Scary Admin messages. Take a look and see if you can crack it.
\ No newline at end of file
diff --git a/rsa4/description.md.BASE.20.md b/rsa4/description.md.BASE.20.md
deleted file mode 100644
index 6f6a960..0000000
--- a/rsa4/description.md.BASE.20.md
+++ /dev/null
@@ -1 +0,0 @@
-We came across another [message]($rsa3) that follows the same cryptographic schema as those other Really Scary Admin messages. Take a look and see if you can crack it.
\ No newline at end of file
diff --git a/rsa4/description.md.LOCAL.137.md b/rsa4/description.md.LOCAL.137.md
deleted file mode 100644
index c61c847..0000000
--- a/rsa4/description.md.LOCAL.137.md
+++ /dev/null
@@ -1,5 +0,0 @@
-<<<<<<< HEAD
-I found somebody's notes on their private RSA! Help me crack [this](${ciphertext_txt}).
-=======
-We came across another [message]($rsa3) that follows the same cryptographic schema as those other Really Scary Admin messages. Take a look and see if you can crack it.
->>>>>>> 93577ddee37a489cf0aa1a4b987d23a3bc3d2657
diff --git a/rsa4/description.md.LOCAL.20.md b/rsa4/description.md.LOCAL.20.md
deleted file mode 100644
index c61c847..0000000
--- a/rsa4/description.md.LOCAL.20.md
+++ /dev/null
@@ -1,5 +0,0 @@
-<<<<<<< HEAD
-I found somebody's notes on their private RSA! Help me crack [this](${ciphertext_txt}).
-=======
-We came across another [message]($rsa3) that follows the same cryptographic schema as those other Really Scary Admin messages. Take a look and see if you can crack it.
->>>>>>> 93577ddee37a489cf0aa1a4b987d23a3bc3d2657
diff --git a/rsa4/description.md.REMOTE.137.md b/rsa4/description.md.REMOTE.137.md
deleted file mode 100644
index e69de29..0000000
diff --git a/rsa4/description.md.REMOTE.20.md b/rsa4/description.md.REMOTE.20.md deleted file mode 100644 index e69de29..0000000 diff --git a/rsa4/grader.py b/rsa4/grader.py deleted file mode 100644 index e9ca30f..0000000 --- a/rsa4/grader.py +++ /dev/null @@ -1,4 +0,0 @@ -def grade(autogen, key): - if key.find("tw0_v3ry_merrry_tw1n_pr1m35!!_417c0d") != -1: - return True, "Really Superb! Applause!" - return False, "RIP" diff --git a/rsa4/problem.yml b/rsa4/problem.yml deleted file mode 100644 index 17fc9de..0000000 --- a/rsa4/problem.yml +++ /dev/null @@ -1,9 +0,0 @@ -author: blockingthesky -title: RSA 4 -hint: You might want to read up on how RSA works. -category: Cryptography -autogen: false -programming: false -value: 130 -files: - - rsa3 diff --git a/rsa4/rsa3 b/rsa4/rsa3 deleted file mode 100644 index bda7c13..0000000 --- a/rsa4/rsa3 +++ /dev/null @@ -1,2 +0,0 @@ -{N : e : c} -{0x27335d21ca51432fa000ddf9e81f630314a0ef2e35d81a839584c5a7356b94934630ebfc2ef9c55b111e8c373f2db66ca3be0c0818b1d4eda7d53c1bd0067f66a12897099b5e322d85a8da45b72b828813af23L : 0x10001 : 0x9b9c138e0d473b6e6cf44acfa3becb358b91d0ba9bfb37bf11effcebf9e0fe4a86439e8217819c273ea5c1c5acfd70147533aa550aa70f2e07cc98be1a1b0ea36c0738d1c994c50b1bd633e3873fc0cb377e7L} \ No newline at end of file diff --git a/rsa4/rsa4 b/rsa4/rsa4 deleted file mode 100644 index bda7c13..0000000 --- a/rsa4/rsa4 +++ /dev/null @@ -1,2 +0,0 @@ -{N : e : c} -{0x27335d21ca51432fa000ddf9e81f630314a0ef2e35d81a839584c5a7356b94934630ebfc2ef9c55b111e8c373f2db66ca3be0c0818b1d4eda7d53c1bd0067f66a12897099b5e322d85a8da45b72b828813af23L : 0x10001 : 0x9b9c138e0d473b6e6cf44acfa3becb358b91d0ba9bfb37bf11effcebf9e0fe4a86439e8217819c273ea5c1c5acfd70147533aa550aa70f2e07cc98be1a1b0ea36c0738d1c994c50b1bd633e3873fc0cb377e7L} \ No newline at end of file diff --git a/things-add-up/problem.yml b/things-add-up/problem.yml index 02eefe1..5111e51 100644 --- a/things-add-up/problem.yml +++ b/things-add-up/problem.yml 
@@ -5,6 +5,7 @@ autogen: false programming: true value: 15 +grader_language: python test_cases: 10 time_limit: 1000 memory_limit: 256000 diff --git a/things-dont-add-up/generator.py b/things-dont-add-up/generator.py index 398325e..594e5b8 100644 --- a/things-dont-add-up/generator.py +++ b/things-dont-add-up/generator.py @@ -7,7 +7,7 @@ elif N == 1: elif N == 2: print '123 456 3\n5 7 11' elif N == 3: - print '1 10000000 16\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16' + print '1 10000000 16 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16' else: import random as r r.seed(N) diff --git a/things-dont-add-up/grader.class b/things-dont-add-up/grader.class new file mode 100644 index 0000000000000000000000000000000000000000..b56ab20a7687ebd69e366e2fea146fc3ea5cb842 GIT binary patch literal 960 zcmb7CJxmlq6#i!a=5BZ8?-*d=4g^sS&^r_2X+UUDlS@#HM@WQ*h6W!?HIL*<^U|jVBKb&At(}S}N+GJ(PV`!Z61MgO?yy#VD+{F?x zTG{mjhPL$l)QbDi&6eC?Ia>&;ey}_y51uN7Zt?z2cQvZ#=%dRy&T#ZIn1xEMTJ&!C zQpj4ax=UU)BUNmeuo#*n#aif>vW21>1YVWntc`ORkOgTQgBY?gjPo29Y-Et7w*ROw zG#zy_y}05PLx#i&Eix$cc?omJjuak02)#1#ayId2GQX0|2dlM^hV$I=7(++;#Dtuh z2i~JFAJC;_AL*-=8pTIKx5=L)p+wXx>HkBM#;PnTQ3F~!KRAnC#OU$lr+~bJMQGD5 zMJuCKAKC_cO#zusXhft+M;g#bF_p4cP@~+pw@~hGLfwWoHM|9VT*8EeoTlbF`QFAd7ORizk;UYHj0+$?PH15Rra;BQI zgeA;1^f_^1WpcKN340;64qKK|sLj+ZlKWhb5$-0X5M}d!g|7U+&<2dU&LX+(O&CJo z0+)U$(aiVg7YA8rk#*gK{p3i7GM8x`M>DRW1$iWJ2d$WcK!`RxK|7vO{EYbL=)g(N;seDWN$nHmzMuzR>5-b~mg{IZ!~kL(%^WR^K8^&v(LTg4G;p-C12~dm WJwKrDL;nfo7^Nsg(xZu}{kGqVXTJIX literal 0 HcmV?d00001 diff --git a/things-dont-add-up/grader.py b/things-dont-add-up/grader.py deleted file mode 100644 index d3c6fc3..0000000 --- a/things-dont-add-up/grader.py +++ /dev/null @@ -1 +0,0 @@ -# done in grader.java diff --git a/things-dont-add-up/problem.yml b/things-dont-add-up/problem.yml index e3cb42a..92241ac 100644 --- a/things-dont-add-up/problem.yml +++ b/things-dont-add-up/problem.yml 
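Review bot: The `N == 3` case in things-dont-add-up/generator.py now prints the header `1 10000000 16` and the sixteen values on a single line, while the `N == 2` case just above it still separates header and values with `\n`. If the reference grader or contestants' solutions read the input line by line, this one test case has a different shape from the rest. If that is intended, a comment on the line saying so would help; otherwise restore the `\n` after `16`. The hunk shows only part of the if/elif chain and this page's layout has collapsed whitespace, so confirm against the file itself.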
@@ -5,6 +5,7 @@ autogen: false programming: true value: 210 +grader_language: java test_cases: 15 time_limit: 1000 memory_limit: 256000 \ No newline at end of file From d3ab90ea5b1de76972bfbe16fae9901718a9dd2f Mon Sep 17 00:00:00 2001 From: Michael Zhang Date: Sat, 11 Mar 2017 01:24:22 -0600 Subject: [PATCH 10/51] Add injection1. --- injection1/description.md | 1 + injection1/grader.py | 4 ++++ injection1/problem.yml | 7 +++++++ 3 files changed, 12 insertions(+) create mode 100644 injection1/description.md create mode 100644 injection1/grader.py create mode 100644 injection1/problem.yml diff --git a/injection1/description.md b/injection1/description.md new file mode 100644 index 0000000..515a1bf --- /dev/null +++ b/injection1/description.md @@ -0,0 +1 @@ +I need help logging into this [website](https://injection1.web.easyctf.com) to get my flag! If it helps, my username is `admin`. \ No newline at end of file diff --git a/injection1/grader.py b/injection1/grader.py new file mode 100644 index 0000000..e05ce83 --- /dev/null +++ b/injection1/grader.py @@ -0,0 +1,4 @@ +def grade(autogen, key): + if key.find("a_prepared_statement_a_day_keeps_the_d0ctor_away!") != -1: + return True, "You got it!" + return False, "Nope. Keep poking around." diff --git a/injection1/problem.yml b/injection1/problem.yml new file mode 100644 index 0000000..22c9b0a --- /dev/null +++ b/injection1/problem.yml @@ -0,0 +1,7 @@ +author: mzhang +title: SQL Injection 1 +hint: What does "injection" mean? How can you "inject" code into your username to control the username lookup? +category: Web +autogen: false +programming: false +value: 100 From 7cffce1cfa326a23d52cbda8eb61a5f75dc7fbf3 Mon Sep 17 00:00:00 2001 From: Michael Barre Date: Sat, 11 Mar 2017 01:43:45 -0600 Subject: [PATCH 11/51] bumping point values for RSA --- rsa1/problem.yml | 2 +- rsa2/problem.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rsa1/problem.yml b/rsa1/problem.yml index d2e137c..37677a5 100644 
--- a/rsa1/problem.yml +++ b/rsa1/problem.yml @@ -4,4 +4,4 @@ hint: Go google RSA if you're stuck. category: Cryptography autogen: true programming: false -value: 25 \ No newline at end of file +value: 50 \ No newline at end of file diff --git a/rsa2/problem.yml b/rsa2/problem.yml index e9fb2d1..c7783da 100644 --- a/rsa2/problem.yml +++ b/rsa2/problem.yml @@ -4,4 +4,4 @@ hint: It's like RSA 1 but harder. Have fun! category: Cryptography autogen: true programming: false -value: 35 \ No newline at end of file +value: 80 \ No newline at end of file From 9cfa312780484d3b88ee28b1e26c9be9040e1f69 Mon Sep 17 00:00:00 2001 From: Michael Barre Date: Sat, 11 Mar 2017 01:44:10 -0600 Subject: [PATCH 12/51] adding basic atbash problem --- flip-my-letters/description.md | 1 + flip-my-letters/grader.py | 4 ++++ flip-my-letters/problem.yml | 8 ++++++++ 3 files changed, 13 insertions(+) create mode 100644 flip-my-letters/description.md create mode 100644 flip-my-letters/grader.py create mode 100644 flip-my-letters/problem.yml diff --git a/flip-my-letters/description.md b/flip-my-letters/description.md new file mode 100644 index 0000000..8b2dd29 --- /dev/null +++ b/flip-my-letters/description.md @@ -0,0 +1 @@ +I dropped my alphabet on its head, can you help me reassemble it? `easyctf{r_wlmg_vevm_mvvw_zm_zhxrr_gzyov}` \ No newline at end of file diff --git a/flip-my-letters/grader.py b/flip-my-letters/grader.py new file mode 100644 index 0000000..359bd41 --- /dev/null +++ b/flip-my-letters/grader.py @@ -0,0 +1,4 @@ +def grade(autogen, key): + if key.find("i_dont_even_need_an_ascii_table") != -1: + return True, "Correct!" + return False, "Nope!" diff --git a/flip-my-letters/problem.yml b/flip-my-letters/problem.yml new file mode 100644 index 0000000..c32719e --- /dev/null +++ b/flip-my-letters/problem.yml 
@@ -0,0 +1,8 @@ +author: GenericNickname +title: Flip My Letters +hint: What happens if you turn the alphabet upside down? +category: Cyrptography +autogen: false +programming: false +value: 20 +files: From 914cdbc3234d46c21841825a9f72bf8761aafc73 Mon Sep 17 00:00:00 2001 From: Michael Zhang Date: Sat, 11 Mar 2017 01:51:03 -0600 Subject: [PATCH 13/51] Modified count.py --- count.py | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/count.py b/count.py index 60f1ed1..efaa215 100644 --- a/count.py +++ b/count.py @@ -8,17 +8,20 @@ from collections import Counter problem_names = os.listdir(os.path.dirname(os.path.abspath(__file__))) problems = [] +failed = [] + for problem_name in problem_names: + folder = os.path.dirname(os.path.abspath(__file__)) + os.sep + problem_name + if not (os.path.exists(folder) and os.path.isdir(folder)): continue try: - metadata_file = os.path.dirname(os.path.abspath(__file__)) + os.sep + problem_name + os.sep + "problem.yml" + metadata_file = folder + os.sep + "problem.yml" with open(metadata_file, "r") as f: metadata_raw = f.read() metadata = yaml.load(metadata_raw) if "category" in metadata: problems.append(metadata) except: - pass - # print traceback.format_exc() + failed.append(problem_name) problems.sort(key=lambda p: p.get("value"), reverse=True) print("Grand Total: %d" % len(problems)) @@ -34,3 +37,8 @@ for category, count in categories: for problem in problems: if problem.get("category") != category: continue print(" %s %s %sp" % (problem.get("title") + " " * (maxtitle - len(problem.get("title"))), problem.get("author") + " " * (maxauthor - len(problem.get("author"))), problem.get("value"))) + +print("\nThe following problems failed to parse.") +for title in failed: + if title in [".git"]: continue + print(" %s" % title) \ No newline at end of file From db6c6e0ec5453b01e19d3b7abd730abd96ab7f21 Mon Sep 17 00:00:00 2001 
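Review bot: The `yaml.load(metadata_raw)` call that this hunk leaves in place in count.py parses every contributor-written problem.yml with PyYAML's default loader, which (depending on the installed PyYAML version) can construct arbitrary Python objects from tagged YAML. `metadata = yaml.safe_load(metadata_raw)` reads the same plain mappings without that capability. The new `failed.append(problem_name)` also sits under a bare `except:`, so an interrupt or a programming error in the loop is reported as a parse failure; `except (IOError, yaml.YAMLError):` would limit it to the cases the final report describes. The imports are outside the hunk, so check that `yaml` is PyYAML before applying.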
From: Michael Barre Date: Sat, 11 Mar 2017 01:59:12 -0600 Subject: [PATCH 14/51] spelling is hard --- flip-my-letters/problem.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flip-my-letters/problem.yml b/flip-my-letters/problem.yml index c32719e..196c69d 100644 --- a/flip-my-letters/problem.yml +++ b/flip-my-letters/problem.yml @@ -1,7 +1,7 @@ author: GenericNickname title: Flip My Letters hint: What happens if you turn the alphabet upside down? -category: Cyrptography +category: Cryptography autogen: false programming: false value: 20 From bf5eaec7cf574ce4b186e5e0b32f6a7177de3c31 Mon Sep 17 00:00:00 2001 From: Michael Barre Date: Sat, 11 Mar 2017 02:26:42 -0600 Subject: [PATCH 15/51] added ctrl+f RE problem --- easy-re/description.md | 1 + easy-re/easy-re | Bin 0 -> 13968 bytes easy-re/grader.py | 4 ++++ easy-re/problem.yml | 9 +++++++++ 4 files changed, 14 insertions(+) create mode 100644 easy-re/description.md create mode 100644 easy-re/easy-re create mode 100644 easy-re/grader.py create mode 100644 easy-re/problem.yml diff --git a/easy-re/description.md b/easy-re/description.md new file mode 100644 index 0000000..4233bdc --- /dev/null +++ b/easy-re/description.md @@ -0,0 +1 @@ +This binary has a rather unhelpful message, can you find what it's hiding? [easy-re](easy_re) \ No newline at end of file 
diff --git a/easy-re/easy-re b/easy-re/easy-re new file mode 100644 index 0000000000000000000000000000000000000000..36c507c4262b4a0404a432948e7ba98bb84a225f GIT binary patch literal 13968 zcmeHOeQZ&ANBGb3LufA@1U5z`Pbgz)}Ci^72di_Q@635X6ism;PAKC-dfBu8Lk3H|W zdF`&~cm7cO=HVra{`g9W`e-S6-9+U)vBXv>hbR6ld|t0vJG$hvOH-->Z#B<8JiW2M zY3GYz7X|XiRitNe3I10x(ltfo=VBto_)|*ot4r8_qJ;eoCFJS)DK>5l^2PX%m*D@p z1m9D_{+~+lH!A*xDLz;nhfmQYe_ZPP;GSKIf5IYv8g^!h1>%TnhZHqdScqqpe2c}7 zz`jfCk??J|(O#<)n%32mOlWC6l+ra#Xlr(9tj*0yAu z79e-}`n29?DxFM(;xWBn+vPE|@6fbxU!T|OT>%rZFg#Ah5?xKb9U15ZSmeVV=jfvf{L2Nx2_|u;ZMf(}+&6a(vrye%Zxj`Aw8@>e_Hp zy@9>V=S<5@{nG@bsz?oBgXBl5-vfGfEQS-lTzJq=I+^*gDRd&tl8p39x`AlyB{8x?(svO}OEA(R=@mp%=tq2#zLjVS z`G`l-Hxf-D9dSu|KG77)kxEJLo#PUnhd@j4e%Lhh#`fUQpM!&c8Et8AI(=evx=#d8 zpB#|r^sZ?>G5oiy+3cmxnTzq`=cQ*6@QuOchk=5FW6t2v#a#L0?X}<=SM@nLYtz`;%*A5cDP#PB zul8d;A~S0v6o(U-(YDvhJHfJjB1bwd@B=Y8c#p`GzyB2Ua>hO;h3wgFBYU7j?PC=) zeB$^KxHG&O^E*a&%;3=J;XNRv*0xh5)`p!_HT2N=q0G5R@IcwJDw^t0VAy+N@S*dz znfv#He)yqt*({v;=J5+lVD6>Qvf1Apg5hIC9;aLG@T=ej4+h?)5rP=OXuoo-o}4&A zS~upnr-$FkS)i`tbdw+63*P(lgF~m-%t>VT5mr>MIJpEtyZ}Jai{Tu!5%?Foln&rac99+H~xUFgEa?{XT&9_{X*V4() z9K%1k0+ahc)Lq`Uc|Dtl-fJGZyb>0&v(EWqiFZce)rN!`_rp9^1h#dMJAWKVQA(XMDb9hJiPiiXnt zVZHM~Z>Q!-#QU|Hcw9?WYrAXGT6Imj{~?mIEpXiJ1Ez~>DO`VyFru;*cs?RVzs3B( zmw=}rCJParrNCbSej0cm@ND!E*!HvvTVJJZ!Su-$hisE8iBHc)Ct&wh5>QZF9(K`B z@`wJB&5n|+vvQSl-kO=yc2^9Dd*GRDiFvWe$yXidOG1STRd5rK&aOhjNJ0uvFKh`>Yy zCL%Bqfr$uAMBx8B0xig+5k!$zBk(9%68OR+vIHxpoHhaTDThrk-9Tb9QbPosE4`%b zUoW{x_Ne!)3lv?c@O*{GR6pkxD91qX>D6qK@L{`;Q0|@Y(K3VPcb#YL2Fjg-^Dae{Qltv)>*iM+s8`9v|rk zIiH}CM|wxn?8m607pi_k`+xt<@3E~TeNV0Hj}?AV;nx)Yy~6J(d|Ba1NCpwiRrn@_ z>l9w4@Fs;j6_!e-FTB6G%T=|pBa_fGu3EgC@hq>)NXq*yZ=Ksy+s<@Tl7m;<|%_hUYPlHh%t&z~%ct+zu|2;L|8 z@>2xww|xH8+`i1`Ps?4O`TXf(K&@9ke}?ESvK|iM%+-VB%g+>iz320Bl_Rfg1qa^r zavg)Y&w)2lM~cc{D=2+v1qZTve6E=L9JtE)Jjv(J6_l2@f=OgdJ$Z|kL~i-(m#hnQ;0Dz!?UUb~s00erbGYQ3VWvlaYG*sUpA6nc@!j_R8{?=6X$wB}oQkjaQ@U6&-~^ z#EGGHXb&hgEj%{${9TIh$Wep;i_c!HHF^{&fK@ 
zuzn>~M9E-q8|8LdAgBa_D_e7>Hmq9J7C_mMzo9umN_oCV@)@$&N@y$ZTkl`j)QCP= zd=pM*WN<+L`;x4}dMYYJ^7&-Bj!})nc8$_53Z3dkH4oMBmBgIY3dpG3 zDo+X`k#th)#ulSexbbB)Hl@~)PP12pP1RS*jI68T3bP_1#yXg*<1B-J;i5LH9n|K1 z-iVp1>+-D0z(r|2L zP`B7C+$ceax>2FFTn}|AswF!E`L_Hn8>5zj^QU<~u?N-NHcLYY5f_2pGMf<|hUR}dH zu!W>CdDj0oU-bJIw?6!aG=QJ? zxX#@A%bR4)@FfuRY|r}qT*!6YF0(M&xJ~7O7nE6_pC5H)aA}@&q5ewrUq&u~$3JZM zNsYsbQ7@_Sd`N|&8LdZS8a}Mg&!cA*b4l4aaN}v2EKiPl97W8~VuChKq zFP~HT9wk_=FzfUD_bL4b?pOJq3MI(-A=0O3FsuIK;89FCKgId6%_@3>takEByhbpW?tO1s<36 ze`L|;{J&DyvYC0u*Tau{=3kbi4W^@K4feW zSsUN4231IZf)4VD^>cX>{{IUrDr_Bp41B&eNrdx@6-s|pO_;9_*5`R0hK_lB&clo? zCToTMvOZ(_E0bA2m#=Y2b@8Zya^I}Sc&bI8^E!_zefEWFjH%|D$2NNqe+A|qA>oSNjb&k?< b(0^Na{(OGY^<8ZIGgXHE&ny?5b^Lz Date: Sat, 11 Mar 2017 03:01:06 -0600 Subject: [PATCH 16/51] Create problem.yml --- doubly-dangerous/problem.yml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 doubly-dangerous/problem.yml diff --git a/doubly-dangerous/problem.yml b/doubly-dangerous/problem.yml new file mode 100644 index 0000000..661bb36 --- /dev/null +++ b/doubly-dangerous/problem.yml @@ -0,0 +1,9 @@ +title: Doubly Dangerous +author: arxenix +hint: How are floating-point numbers represented? +category: Binary Exploitation +autogen: false +programming: false +value: 75 +files: + - doubly_dangerous From 55f4a1a7f680f4eaa7e769d1ab60b156a7a7cb43 Mon Sep 17 00:00:00 2001 From: Ankur Sundara Date: Sat, 11 Mar 2017 03:02:09 -0600 Subject: [PATCH 17/51] Add double-dangerous binary --- doubly-dangerous/doubly_dangerous | Bin 0 -> 7548 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 doubly-dangerous/doubly_dangerous 
diff --git a/doubly-dangerous/doubly_dangerous b/doubly-dangerous/doubly_dangerous new file mode 100644 index 0000000000000000000000000000000000000000..52c2b9e4e2d13c029c7e399811541689553fe0dd GIT binary patch literal 7548 zcmeHMeQ;D)6~Frtx|L;FAhvvIA0=3*$u^-8Lpz6*kQC*FhB=~KM=gc}?H*@yfbItILMN~A2};Ipf1n=x)NG}x7lyc1EEb;>^TZSs zQCGhc7?1%2QU%KVARnj`a_268fHVs-i8>TZ0uutZq^f`rB-)Fx(g&ss5jfxvkg8!+ z3u3+0d%-H9uY`^?1eruV>mXUcTd14V1ev6D9q-x+|1FT8@drq8!IoQpiP?DjjX9Z(Xwyzp5YfX@F>331aN1ule4x zuQx2Y^XgqM935PI^1UDY>(aA*?Dwr8`jD|Qq^T_X(dXVig5n8ju1lJUe8VJp(Ik1D zOE!>y&?VFUj!E*}lVo)BS|WZb=$lU?#^5sqJ{aN>XFQe(bJbe2U?KJ_lPe^JY0@5MvAk{e#L`)mbob=4e}uzbgZt+TvA;N0DwXyeu`7mJP*^+` zcw|tNKH~?vv?zdI)?He}S}kUW&jVgs#M&+DhEGeGt+3ea;UiLJYb?&%;h#vEt+EWt z2c^u`S&JzTNSUp)7^vZ$Qf6x{4wd0v$aR0+yzi~zI~O}T*IPUBEiD5->o!@>?!mk} z0KjN!!2P#>e$}8`KKxm@tEtCN@ye8Ka}UF>K$mB1-1lyAq|&0Ibh>yfeDc!ZK)?Md zahN3%fAorX-*1k-cZcWn@2=SMejyFd*fXVJxIgHSNgXJ?e_!KppKGsIqbkpmdwUCvktQ3-^I_+udbF# zsB>TQXz|HWVK2WBp8i_%rQ%4iW9X+!g?z~w9Xh0>z0H?)K6$C+oGTYUpo%YqAzMGB z$NN>u$-(}%Dn9~U`r;TWURNCH{LUEktO?NLgodxx(BFKhW9Y39Wn0cQkDjX#SjPT5 z{KP_?d-JR_hjwRacUA$1K8;RYnEB>eDn_aJwNl8BvcG-oWPfaI!pBPu3~YS3uC!^x z&>~d5Yw!<^OcvE*=X$ve|re5b?h>Se_Sy@U&~Nz#2FaxDIljVhzZ|x+C^>TeQT| znPkGSa|Ra*gXKmFMGHi0dRx-yNg6SuVCU1>?)wa}!HLI{g~9^kp=3U3qzgu0&dE!g z`$QJ@3)o1eo%K=AJm3AC09;d_!<=jbza1U!1%DcR0DL|=@G3aRQvhoK*J>uu6YGU% zN5C^L==bkMxq&jwZP5Tfv=gB~ODMQ{`c&J$T|7AV{=1h}-AVll&;fKg2QH$az#i|) zX%*hB$KeLMtPop3e}n!RaM2X>h}Lk0*Ab1=ea?<4UK<6`5-WX0 zL&0Z!jiK<<{%EMOSg|H#bcd>%LW`S1)zMIGd&p=FRYnIx;pmA_F#38Z5Ir8k`W1%x zSx^SPxMJQ+HzRN}0yiUYGXggw@c$lxi@5Ke2C<*m#w7*8Gev&@mjkgI=Ovs?1A6HAcmvP_ZIU@6A+!?@6LH-!H4dQ)>d+f(SOg!TVoJ_gbt^n~& zF#~ivs2cS$Uj@#)6dT4nGC+$j9xD3W7aFM^+kjO_oMcz@PLFQKkiKqo+Nfc^ry z44Q(t+*Xbav8|1b_Zf>fb~#zwG3q1BBTH-QY8@%o-Md7U{6|oo28l?aug8vcf!le- zEuBke?PR`JM6x+M8Hui3Rb$7x%TjmNiF7$>T(Q#$5us$o3YLf@`m*q+xSdy;ZOMEg zoy$%TOz85-4Dl+{o3TYColWD{PU5H;NkM=rmx$Rh5lLERDj(}fnpOgqT2dBfET50{ zDGQx{EDji)$9mFnRGfoD{6u6e%41idAR_TxPfs$-k#T+Ey9rCxYm9o!P_jCi?Y*X# 
zqeyVvDLqG`8h1+OXjJ1-$sCnJ=<(tcxS%3&Jdyk42vg%u$$W88<59^R&1zmKnWI{W z0gMwRbJpM-Tplkz!P%qc54lf-$i$17Pvkzn3n1|whTK=al{Z|IISbUhBlii;1~u=< zeR5V{UX{nOuY5AsuRzxIQ$Ljz zmgDC^JQqObTLDMvOtiPo)gS|9?T|arACA-CmisfqJ6oKG?0(03--T!U zg6JrpMR@;Wee=~6g+y71no05s$PH!xVSMjq+LymC?b{%8elR|KH`_4DJ^^_=9&0e(oQBK%a+&P3(q$I znOu0)GHPOJ%=Zbk@Ftv|o<5kkB$Mm)1ZWOxeJYcCe5q`A%lc@0v)R0+2@O}h(D@05 z31K#UVNJAsRU=R?jeKSlW^3EpmC-hHZA;6B=1#LSy0WdA?&M2kyx_?8;x)6g-5d{2 zXL}<<(;4f^@YQmA!?Fn8G0on%Xa6ut^giU$1*to#^LUR~a1jNIMRw(@(YI zMeIQqQ7s2B)oWUhtB2eP7!zAy8Kd5ES8p@dmq%A)CRQk5XqhHLsXrlOtjF5K2+M|X z@cx&H=QmDaP6PQr3J5$~>7=LkLKJX!Bu@S>0SW_oozzY%L>&q=j{7p-fvPkJT;rOM zzl^gQ{c*p3x$IBv&8a8xpN~c{qY>R3B=u>IG#5%$hc1v#4>FL z@vKN3_x}iy-1w zf_R>-25trN#BtBmxaW{(TUig+p$u>fk=KbhCa!N9$MePja061Kei##Cp9g6i*Hr_B zU2JSQ5y$i*NaMJF>_!6^7oBvy-$ns(bisA`Mc^_T1g>!}A+K@re@hq?^*6vBa^ZN+ zX#j5I2DsNy#?unIss0y+qmr(RaGn1x@;pTm$9+5a5x6&?XZwib{vZAb9REeZZ$TXQ zeg3a)s9Xjn>*e=-2c-S+d^L6he{AEh3n$MB_yE-?(}@_;2O#Z_`*k&NtVbtenB@5b zobBU2SPz`mQBNOCAA*>#rGP}-YL%70)RB0?q%WPG0&a?Sf Date: Sat, 11 Mar 2017 03:03:56 -0600 Subject: [PATCH 18/51] Add source file (don't provide to players) --- doubly-dangerous/doubly_dangerous.c | 39 +++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 doubly-dangerous/doubly_dangerous.c diff --git a/doubly-dangerous/doubly_dangerous.c b/doubly-dangerous/doubly_dangerous.c new file mode 100644 index 0000000..fdf733d --- /dev/null +++ b/doubly-dangerous/doubly_dangerous.c 
@@ -0,0 +1,39 @@ +//compile with: +//gcc -m32 -std=c99 -Wall -fno-stack-protector doubly_dangerous.c -o doubly_dangerous + +#include +#include +#include +#include + +void give_flag() { + FILE *f = fopen("flag.txt", "r"); + if (f != NULL) { + char c; + + while ((c = fgetc(f)) != EOF) { + putchar(c); + } + fclose(f); + } + else { + printf("Failed to open flag file!\n"); + } +} + +int main(int argc, char **argv){ + volatile float modified; + char buffer[64]; + + modified = 0; + printf("Give me a string: \n"); + gets(buffer); + + if (modified == 11.28125) { + printf("Success! Here is your flag:\n"); + give_flag(); + } + else { + printf("nope!\n"); + } +} From e3ab2dbd99a0b8954f2119b94a348134d74e45e5 Mon Sep 17 00:00:00 2001 From: Ankur Sundara Date: Sat, 11 Mar 2017 03:07:08 -0600 Subject: [PATCH 19/51] Update pt value --- library/problem.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/problem.yml b/library/problem.yml index 4d77da8..b093837 100644 --- a/library/problem.yml +++ b/library/problem.yml @@ -3,7 +3,7 @@ title: library category: Programming autogen: false programming: true -value: 75 +value: 175 test_cases: 10 time_limit: 1000 From c7372e913deab423b7fecbb24cb265dce198807a Mon Sep 17 00:00:00 2001 From: Ankur Sundara Date: Sat, 11 Mar 2017 03:10:41 -0600 Subject: [PATCH 20/51] Update grader.py --- library/grader.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/grader.py b/library/grader.py index b98e56c..2d88fe4 100644 --- a/library/grader.py +++ b/library/grader.py @@ -1,3 +1,9 @@ +# Very easy problem. Compute a few values w/ brute force or something, then check OEIS. +# Part of: https://oeis.org/A001333 +# Tells us: f(n) = (1/4) * Trace( [[0,0,1,0],[0,1,0,1],[1,0,2,0],[0,2,0,1]] ) +# just write a program to compute this quickly +# this sol takes something like ~O(log n) i think? + x = input() + 1 mat = [[0,0,1,0],[0,1,0,1],[1,0,2,0],[0,2,0,1]] 
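Review bot: In `give_flag()` the result of `fgetc()` is stored in `char c` and then compared with `EOF`, which is unreliable: where `char` is unsigned the loop never terminates, and where it is signed a 0xFF byte in flag.txt ends the output early; declare it as `int c;`. The unbounded `gets(buffer)` in `main`, together with `-fno-stack-protector` in the compile line, looks like the exercise itself, so a one-line comment such as `/* intentionally unsafe: the gets() call is the challenge, do not replace with fgets() */` would keep a later clean-up from removing it. If the binary is served over a socket (not visible here), `setvbuf(stdout, NULL, _IONBF, 0);` at the top of `main` keeps the prompt from sitting in the stdio buffer.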
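Review bot: The formula in the new comment, `f(n) = (1/4) * Trace( [[0,0,1,0],[0,1,0,1],[1,0,2,0],[0,2,0,1]] )`, has no exponent, and the trace of that matrix alone is a constant, so it presumably means the trace of a power of the matrix; write it as `Trace(M^n)` and state the indexing, since the context line computes `x = input() + 1`. That same context line only works on Python 2, where `input()` evaluates the line it reads as an expression; `int(raw_input())` reads the number without evaluating it. The rest of the script lies outside the hunk, so the `~O(log n)` remark could not be checked here.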
From ece1f480ef286f38f2e55501424aa6829946ceb2 Mon Sep 17 00:00:00 2001
From: Ankur Sundara
Date: Sat, 11 Mar 2017 03:12:57 -0600
Subject: [PATCH 21/51] Update description.md
---
20xx/description.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/20xx/description.md b/20xx/description.md
index 198ef3b..adb449e 100644
--- a/20xx/description.md
+++ b/20xx/description.md
@@ -1 +1 @@
-What is this file saying? Help me.
+My friend sent me this file and told me to git gud.
From fb61e5916e95369a769bbf2d52e9a558c2f8a4d4 Mon Sep 17 00:00:00 2001
From: Michael Barre
Date: Sat, 11 Mar 2017 03:19:47 -0600
Subject: [PATCH 22/51] added a integer overflow problem, included source and flag but neither of those should be provided to the user
---
risky-business/casino | Bin 0 -> 15224 bytes
risky-business/description.md | 1 +
risky-business/flag.txt | 1 +
risky-business/grader.py | 4 ++
risky-business/main.cpp | 75 ++++++++++++++++++++++++++++++++++
risky-business/problem.yml | 9 ++++
6 files changed, 90 insertions(+)
create mode 100644 risky-business/casino
create mode 100644 risky-business/description.md
create mode 100644 risky-business/flag.txt
create mode 100644 risky-business/grader.py
create mode 100644 risky-business/main.cpp
create mode 100644 risky-business/problem.yml
diff --git a/risky-business/casino b/risky-business/casino new file mode 100644 index 0000000000000000000000000000000000000000..7cda6bedf991ed45d95b76d289f7b3f089f55449 GIT binary patch literal 15224 zcmeHOe{@vUoxd}a5EK}Kg8W+L0ivKX%#aWxt#y(xFwp?nOi)DeWim5KMkX`anKzKI z)j|X8j)-Qhb+K!Ev|U--?m4>d9uKQ-62K$av%3dcb*bIsVO_N|qHU}{NG+QEeDAyW z<;|O!3ih;r?D6Kz``+*Oe!t)Qz4w0KefNFeH{b9zt+v~2Ocp!)8Y66Ys+W`WD`UM? z92K-$b^-G;g79g#@X; z@!}O#9hS|}Q3)BWq(X9JYxYvY2)5inCqM0;e#7kh-)z5U*GoV8Ew#~7%5`I`(mvld-A1&z_>o_v9;&d< z|MbHP7W-aln!bN>Lto>TXFx7mXdNyp(qe-##pq&{<})h={76Y z@0k+%Cza5%zJ#8CDWT`5nDAoraG(VJuS)1yR)RlP!p>)~z{UDiOVHoKxQg+AT!Ma2 ziGHIc_yZ;Q&z7*~SD1%s9Ocxxc^dGICS;ZbkEf=RqgCf#MP7*Olqpi)El>|Es@S>N{b{LV!>1@ zl45FO>smD&NeXi7+J;yn9%&7>$0B-L@s>>iEtYBw1vHN*)D=vsS~3{bK=1{ExcFMo zP}LqxMMG*Lr6nW5?#5QN)vfvh*QzZytqW+^s%ogW*W>Xl*SWwHjdwN%s@1>>wbi5g zd`#U0zS?LarGh0=-58H*t31A~oSulKe9fy{0*Qc1jL_E^(Xi)4&dDT9fW@Tqu*g%b zTO92WT8d19ufgMMzKI&D)J6y7_>j$&{}p z%7;=NiHBpw#_@Y*wFZkz(`8I+t$A8Y8>+9CF|C&A#whgZ*3N0rD?+hEDx!AU^FK68+PZrLy@V?vpAqtg`#mjYw*TGXDl{jp;ma|3Kh%qhfEo!hWuEy z_-`n%Tn$vgdy6bRytF!$NNd#X=TA>nB+(&f=bUEWSVX!v$dknuZ3o%H?Kjni}gH)a9;fqqf|&f;DX1SXbYudR$dHdE-VfSG$&b%qVSycKqqk z!OshJetIb5bgGvdH3zT?{78cS^wW?HCkP+*boo4QzM^ju1K(qyQL%xuU9`J_Pme~Y z&(0-elFxk z=e3a-w+>tWcoEMJI(~{HEN_#~1EPzgE2qy=+BmGhRXi#G^mViG|?xU=xruC7Q!f9Cc4w0GS*|FPc_kd zO>|m&S$3G{(g=J*4IldI*t9KVNf z-198w=J+=WCzs199N$hjxmvE0<4MBF#d3_}cM?vnl^gjCghlOyR}y}T-~Z-Fb8F+#;Zrlb%zyMy4+lr*UF2oiZ4mshW9qzB@T)U$hzzv2oGedd4ye`dsg zD0_q7_M-p9XW9%y+a#%N>O8jjh~EE>>;Ls4g|YOs4G_%6F`=7ZEI$B}?E~J^5W@?$ zzyAi7E5rtOW}vGe{b2M#WVvMU)D1`IEtAY zqJ1};_;hS+kWTRa%+ahJ-TC+JJ_XvdP;9GraEQ1qfd^IzH5K{O25smsfLegk=752^bA=zxE(FB|q(>BG@# zPka2CBZkJK*&*dHEdr48N>2H5k_YS>*FZa{BT2ATD?jT+jr2Y}xuHp1dbZBnb zfEKHl0-rsYHHPrUCu3vJ!5Ef%1(&_MsmI;J-?(CM;!Np7Ltrr`tOY7{{>Kge>)HQ& zRDSou!NrEiy=IYlQsi_x`!HsJ+p1L$wi)c3&FmvU_RjeJWJOrRZ@uydfS+~`?lfeU zm}Q>lGI2x3c05zw2JAVyJ>{fes>*1perMAv_z+G{7?2EJv1%XumNN|G{*m7})+uwi0=D+TA`Wo3@)V5OLTJrR0 
zT@l3>O!YOiu2z=2J=ZD?hzi6LI%8|HPwAtcV(HKp1+NTBC*Bg2U?>zxrAk?GD+$CS znzAjC)Vh>tYNc|y=(jl*L8w59#1Y_7x)R%z?sTY&dH`=a7FJ@>Eqrk85p5-jv~~rd zCYVy<2~7zqTk%RBR^sXIc8IUU=8vwRBBd!1KzmOj71d}ug58O9Tw^SdNGAKPQD}_a z39xO$Oa)?&dqr8qzAK|ArE{0O%K^fPDWYUivQr%u{7aR<9$&R4Fgx_kktARf3s%VAsL=j%FW zS)6cTgjcI$SKEmuN*G3+RNezw=p z;qP}i=GwR-;%Op2%-b(94`r`g_+GPfKC<^i{NBbs^ff?3SKqij)2SbfXNI}GS#PJY zR-?TV?Gb9PcUInSuXoP6&*5__`^xH_i|;M>JKcLG_?@-=6>FW|q_eip>8^7wu6HWn z1Ao19B3~z3PkLtQcP=T@%h;IhvPD-jwyFHAjir298#`>H>IoZ;(+}El0mp(xM<9O2 zw(Plb_N@Ky?Eg^CM$5{9JX{WjpV8&Z^5qPCIRpQ{XJDYx%Llj$FE> zg%mrZBIy(>qcT|sY;=m3*QN;kO`%`L8svA@xuTtp(^O=PYgBxPrTvx)JqxIO^w}6c zIqbK42{pd?9xT^!8LK*O*KrwJdP~?xFZ@(y>45P)TGR zg;k0K*V?@W4Gx^KTZ_^iOe;z+W75yf${g@|>EHSE2~6Gx`Sc1_%zqrXtEAuM^IyQE z|K`&#WYW*`>6486J)b_ADPleI=~LKKMb^W?oJM|0KL1oE_m6yfB^wd@Nkspyy zzle?E_0w7$>|#d8LThp0lqL5mbDIOZhTNa>=?KpuOl2(&Hq*!tF}FFe3(2^DJ{`NH z*njfrbJ)qEbnK$@+sv%I?%=2Ed@}9VW$b;tl;)SoKy9qhe%i0?SeFsYdeOd3bhqVs z;SzM~bA-;lHhjl+FKk0?{J9a}^}_kw4m#+E6 z)N(zA{;-boPcQI8%8#J8IIG_#xt>Blybli=1y5b8U;QQci{&r;4d@q97nX9O1RXCQ z;CC{LK2wp;(+AKm(PciFe5a&*FokpGUn(G2jQ$(0zi@w`IA1Y4y(Q=>=nG)at-?+z z+gF1BTY^sU9&^Op9ixBy&eL68oo}-{Y@NSSdy<-A^*LgR~A{vhfC;Z zeBPYwnMyBLRwq>cFZFAm!zhezF25#vkvxJv> zV`>RK`vw0QVJE%AQ#nwA|5OS3X1vcF(}6h?p=HoLU|$B`zq7Jxg4no*tfR(p0Oe(FE}Ut@fyt;GiMXi6{t#Mz`~z zor-WK604AVlMYc3PjyF;m9eI2eSKXMMAGeQqpEJI=?r!w)e31g>gtxdwLaCiZWU!} z@yU>Nq(iDczhLmMYBAKTU%fiuLt<53eUp!b@@%L43lo7SfiZQ}t?TO6Ha75qQ1Xn| z%X2aGR0}<8X(K?A{WR_4q z2_=Rlk_D+a0h+4uTotPf@@5LN&Mf`@zN9%lHSTB^zzdO&&zWQZc^%pXa6x*s;^rM zwgYNO9d^kY?zTv>hq>@2F5*HK;8HEvDX`9X+SQ(p;=c-_Vdf&NE12qHu5e!*`gEuz z^_Hzjt;NGO4^h#UjKqQ@AZk4^jk)+9;X>8bnE;B!MO^8m0Hy?AGFPNaoDI6dP$DsC zM}j22jz)Sk7309x!3T_5; znB-+V?V#vT#*qa(*CFc!@4$~@xUzp4cl(|QM9VmXv|sW`xCQbQ6PCD)&z%zT1Jnr$ z*-v&#`-w({;wH2vQeMXKdPLycPfRGXe{mEb=mL`KAaY$@stIr@1zl9|AGozw-TmM9BY` z8coGIo_|7{SzgAIht6*D1IFnSBpCK z3$)NulW$XzaV+_NXx90*j{ldCp{0`YGEO^sDQO$`R~;+FKR^T7B;}2G?q#}!wLdF9 z3O0Ffl7#$@GEvCO{|A(AB<1C}_Cv +#include +#include +#include + + +bool gamble() +{ + if 
(rand() % 5 == 0) + { + return true; + } + return false; +} + +void printflag() +{ + std::cout << "Welcome to our exclusive club!" << std::endl; + std::ifstream flagI("flag.txt"); + std::string flag; + getline(flagI, flag); + flagI.close(); + std::cout << "Here's our special flag: " << flag << std::endl; +} + + +int networth = 100000; +int main() +{ + std::cout << "Welcome to the EasyCTF 2017 Casino" << std::endl; + std::cout << "Try your luck and gain access to our exclusive club!" << std::endl; + while (true) + { + std::cout << std::endl; + std::cout << "Your net worth is: $" << networth << std::endl; + if (networth > 2000000000) + { + printflag(); + break; + } + std::cout << "Please enter how much you would like to bet:" << std::endl; + std::string tmp; + getline(std::cin, tmp); + std::stringstream s(tmp); + int inp; + s >> inp; + if (!s.eof() || s.fail()) + { + std::cout << "That was not a valid number :("; + continue; + } + if (inp <= 0) + { + std::cout << "You must bet a positive amount" << std::endl; + continue; + } + if (inp > 100000000) + { + std::cout << "Sorry, the most we can allow you to bet is $100,000,000" << std::endl; + continue; + } + if (!gamble()) + { + std::cout << "Sorry, I'm afraid you've lost :(" << std::endl; + networth -= inp; + } + else + { + std::cout << "Congratulations, you won!" << std::endl; + networth += inp; + } + + } + return 0; +} \ No newline at end of file diff --git a/risky-business/problem.yml b/risky-business/problem.yml new file mode 100644 index 0000000..b9f93b6 --- /dev/null +++ b/risky-business/problem.yml @@ -0,0 +1,9 @@ +author: GenericNickname +title: Risky Business +hint: I wonder how you could make a lot of money... +category: Binary Exploitation +autogen: false +programming: false +value: 100 +files: + - casino From 28fdcaee74776b9570372e1c25fe58d8cb5b8d56 Mon Sep 17 00:00:00 2001 
From: Ankur Sundara Date: Sat, 11 Mar 2017 03:19:01 -0600 Subject: [PATCH 23/51] Update description.md --- library2/description.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library2/description.md b/library2/description.md index 449651a..dbc3c9d 100644 --- a/library2/description.md +++ b/library2/description.md @@ -3,6 +3,7 @@ Your librarian is back again with another challenge for you. She recently acquir Input: ``` +N (number of words in the dictionary) word1: list of words in word1 definition word2: list of words in word2 definition ... etc @@ -17,6 +18,7 @@ Ex: Input: ``` +5 arggiq: blah iz yiq blah: ok iz: ok blah From febcc473f1110af5687e149ff0276d8a43ad5e9f Mon Sep 17 00:00:00 2001 From: Varsos Date: Sat, 11 Mar 2017 09:24:31 -0800 Subject: [PATCH 24/51] diffie problem --- diffie-cult/description.md | 1 + diffie-cult/grader.py | 4 ++++ diffie-cult/messages.txt | 3 +++ diffie-cult/problem.yml | 9 +++++++++ 4 files changed, 17 insertions(+) create mode 100644 diffie-cult/description.md create mode 100644 diffie-cult/grader.py create mode 100644 diffie-cult/messages.txt create mode 100644 diffie-cult/problem.yml diff --git a/diffie-cult/description.md b/diffie-cult/description.md new file mode 100644 index 0000000..1b51d48 --- /dev/null +++ b/diffie-cult/description.md @@ -0,0 +1 @@ +I just intercepted some odd [messages.txt](${messages}). It appears to be a Diffie-hellman protocol, but my math isn't good enough to figure out what the final shared key is. Help! (The answer is a number. There is no `easyctf{}`) \ No newline at end of file diff --git a/diffie-cult/grader.py b/diffie-cult/grader.py new file mode 100644 index 0000000..442ee76 --- /dev/null +++ b/diffie-cult/grader.py @@ -0,0 +1,4 @@ +def grade(autogen, answer): + if answer == ("421049228295820"): + return True, "Correct!" + return False, "Nope, try again." \ No newline at end of file 
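Review bot: `grade()` compares the raw submission with `answer == ("421049228295820")`, so a correct number submitted with a trailing newline or surrounding spaces is rejected; compare `answer.strip() == "421049228295820"` instead (the parentheses around the literal do nothing). The expected value is identical to the `g^a mod p` line of messages.txt added by the same commit; if that is the shortcut the hint alludes to, a comment saying so would help the next maintainer, and if it is not, the constant should be rechecked. `autogen` is unused here, presumably because the grader interface requires it.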
diff --git a/diffie-cult/messages.txt b/diffie-cult/messages.txt
new file mode 100644
index 0000000..1ab81e3
--- /dev/null
+++ b/diffie-cult/messages.txt
@@ -0,0 +1,3 @@
+g^a mod p = 421049228295820
+g^b mod p = 105262307073955
+p=442101689710611
\ No newline at end of file
diff --git a/diffie-cult/problem.yml b/diffie-cult/problem.yml
new file mode 100644
index 0000000..dabda4e
--- /dev/null
+++ b/diffie-cult/problem.yml
@@ -0,0 +1,9 @@
+title: Diffie-cult
+author: nicebowlofsoup
+hint: Wikipedia explains Diffie-hellman pretty well. There is a also a very easy way to do this.
+category: Cryptography
+autogen: false
+programming: false
+value: 50
+files:
+ - messages.txt
\ No newline at end of file
From 23125c60af0e666cf1c10be77dfc83221d3dd105 Mon Sep 17 00:00:00 2001
From: John W Date: Sat, 11 Mar 2017 20:30:25 -0600 Subject: [PATCH 25/51] Added the morphing problem Along with all of its generation script stuff... --- self-modifier/b0.bin | Bin 0 -> 512 bytes self-modifier/b1.bin | Bin 0 -> 512 bytes self-modifier/b2.bin | Bin 0 -> 512 bytes self-modifier/b3.bin | Bin 0 -> 512 bytes self-modifier/b4.bin | 1 + self-modifier/base_block.asm | 5 + self-modifier/base_block.bin | Bin 0 -> 512 bytes self-modifier/build.py | 90 ++++++++++++++++ self-modifier/char.inc | 84 +++++++++++++++ self-modifier/description.md | 2 + self-modifier/first.asm | 140 ++++++++++++++++++++++++ self-modifier/first.bin | Bin 0 -> 512 bytes self-modifier/fourth.asm | 167 +++++++++++++++++++++++++++++ self-modifier/fourth.bin | Bin 0 -> 512 bytes self-modifier/grader.py | 13 +++ self-modifier/last.asm | 37 +++++++ self-modifier/last.bin | Bin 0 -> 512 bytes self-modifier/morpher.asm | 109 +++++++++++++++++++ self-modifier/morpher.exe | Bin 0 -> 4608 bytes self-modifier/morpher.template.asm | 103 ++++++++++++++++++ self-modifier/out.txt | 39 +++++++ self-modifier/problem.yml | 7 ++ self-modifier/second.asm | 120 +++++++++++++++++++++ self-modifier/second.bin | Bin 0 -> 512 bytes self-modifier/std.inc | 32 ++++++ self-modifier/third.asm | 110 +++++++++++++++++++ self-modifier/third.bin | Bin 0 -> 512 bytes 27 files changed, 1059 insertions(+) create mode 100644 self-modifier/b0.bin create mode 100644 self-modifier/b1.bin create mode 100644 self-modifier/b2.bin create mode 100644 self-modifier/b3.bin create mode 100644 self-modifier/b4.bin create mode 100644 self-modifier/base_block.asm create mode 100644 self-modifier/base_block.bin create mode 100644 self-modifier/build.py create mode 100644 self-modifier/char.inc create mode 100644 self-modifier/description.md create mode 100644 self-modifier/first.asm create mode 100644 self-modifier/first.bin create mode 100644 self-modifier/fourth.asm create mode 100644 self-modifier/fourth.bin create mode 100644 
self-modifier/grader.py create mode 100644 self-modifier/last.asm create mode 100644 self-modifier/last.bin create mode 100644 self-modifier/morpher.asm create mode 100644 self-modifier/morpher.exe create mode 100644 self-modifier/morpher.template.asm create mode 100644 self-modifier/out.txt create mode 100644 self-modifier/problem.yml create mode 100644 self-modifier/second.asm create mode 100644 self-modifier/second.bin create mode 100644 self-modifier/std.inc create mode 100644 self-modifier/third.asm create mode 100644 self-modifier/third.bin diff --git a/self-modifier/b0.bin b/self-modifier/b0.bin new file mode 100644 index 0000000000000000000000000000000000000000..3014467ff8c146632feb6515044e3f8d3b62ec7f GIT binary patch literal 512 zcmWFz4ee*^?)=Tk#U1-euIGxV@@1Df-`uB02~CihFo8=^QK{&*>C(pvg^Slp>FDWi zzH4>BI)4MBrKQzLV;w8$vrIuJTy}-c3d!B!662Y5W=iD37{1$eVG)rlLRjZ;b4|)C zPIq{r>i#%$YW2oKuetS!W#Kw)mAc=iRaMuh^c385xOT0qYkKn^6t-&n;-2WGA6ImKi`l$XFBIQO}-j=S^H>rXM1yC?5jKX?qB`hSidXh;WdqfoV#z|zSGIdIK6qv z%*oTb=iHh%sdIL(LTOf-N_uihjb=(+Vt#h5l%SCCkx=78iJgBs@3<6ZF}V4Lv-kwD zX>8uSX>y5Ult8F^T$r?(xrL>bm7SfHm7ANFm!F@Pmz!HuR9swC6oOw>RaaM4h2W#h nL-ZdzcIwo*bEi%nJ9g{Vy?eKAA^5+3{rmUp7lMy2PbK>Scogwp literal 0 HcmV?d00001 diff --git a/self-modifier/b1.bin b/self-modifier/b1.bin new file mode 100644 index 0000000000000000000000000000000000000000..21c4f15ec7e7b1d729e457fad0cd3d45bea26a08 GIT binary patch literal 512 zcmZR*CGkCo;q3QrhX0O>RyH4DF`T$V|3N^na4YMs-agST=D>CDJ@3u+yj{@X{G_+9 z=nco`CdsC~jDi0j1g3=RXB3JPEAw7_?Db<}WH`I8o8kZLxCDC#&MP|w`F8RBd&+QN zdEkEmzIL8V5qxFx7o?fbFfi~xZ(1$g&Ctth$WY=Uws*qLBem(iFHNH3Lhlr*FFKdN z^-c4``ofoqj8%O%;sqk(PZ*rFU@GO`!N_npe6<;yKf4HDlw0ZyW7Cq1$K3p~0;&J= z!Ym%ECw^8qqf(NyO4OH=Sv*Rfl}nmYKvI@JM2t&9gp*55#J$XoEry}#H)A!&J~j?c zt`nLSeEb4}LXNR6|2{r{_SDHI#Q*!>dw1{Dmgb-Td+q9#GM#^=h7U77nAAqP$4WYf zc*;fwm?UbOr> yzH;@-^+3FQ=kA^Rff&xedHd#lAb$Sx^~?7_{QT$dpZ|dv&WFmw)uZdDpZx&%yaay$ literal 0 HcmV?d00001 
diff --git a/self-modifier/b3.bin b/self-modifier/b3.bin new file mode 100644 index 0000000000000000000000000000000000000000..2269674a29beb3b44425502e14e7852ce2c14f35 GIT binary patch literal 512 zcmdlpUnJ*^Rp$Fl)BBl5T5InnRoFA^zw5^o$ZN;*t(0r_?JEZY0=8_A?{%*2d_DKD zXlT*Ax+5Hsm*a1In0xx<;UEV7Z2>QY8FZP>_U4Kynp*6)iZ6Y0c#%nTTxi^~p2Xj3 z%|D;lDmM3|ge+mn{Lt&n(exvBGn2}P6)_Q!v1cBdr-iQ%P&#U<$iTp`?Qm)pM``x~ zug|s3D{O5U{tHa?Ib1DSmU6_t;Ngc!dFcf$U4I{UWhUk<-&b zwT-Q~5}%%tTB>WMyN9QQw~w!%Utn-xI1tA}Y5&6F!g3(4htmG&@*6jA+z!P1q4fES fmoHui;`>ng{KwB9zXS1qD2*YHrXRz6I@k{Y8ukaa literal 0 HcmV?d00001 diff --git a/self-modifier/b4.bin b/self-modifier/b4.bin new file mode 100644 index 0000000..52ab988 --- /dev/null +++ b/self-modifier/b4.bin @@ -0,0 +1 @@ +w;$n6i2*lu e5ry i riZ?{ hp00$ flgk5.NÓ)WLL$rr] U)xrLOM\(l%w8trrq"j9M889:<=>GGGiHqJKLNOP%Y\_μZ[\bcdghiklmb+{(>E|Q zGBzQN=`{l zOV7y6%FfBn%P%M_DlRE4E3c@ms;;T6t8Zv*YHn$5Ywzgn>h9_7>z^=j(&Q;qr%j(R zbJpxRbLY)puyE1hB}NRWEt>3V5)8;K(w{73CbJy-Yd-v@>aPZLKBS()N zKXLNZ=`&}~oxgDL(&Z~xuU)@!^VaPo;%Tz5np>)8{W= VzkUDl^Vjb`fB*ewU>xE82LR%G{{a91 literal 0 HcmV?d00001 diff --git a/self-modifier/build.py b/self-modifier/build.py new file mode 100644 index 0000000..fd7dd56 --- /dev/null +++ b/self-modifier/build.py 
@@ -0,0 +1,90 @@ +import subprocess +# Build a self-modifying thinga-ma-jig + +def run_command(cmd): + proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, + stderr=subprocess.PIPE, stdin=subprocess.PIPE) + stdoutput = proc.stdout.read() + proc.stderr.read() + return stdoutput + +def build_bin(name): + print(run_command('fasm %s.asm' % name)) + +def create_xor_block(last_shellcode_block, next_shellcode_block): + block = bytearray(b'') + for x in range(0, len(last_shellcode_block)): # each shellcode block should be 512 bytes + block.append((last_shellcode_block[x]) ^ (next_shellcode_block[x])) + return bytes(block) + +def get_shellcode_block(name): + build_bin(name) + f = open('%s.bin' % name, 'rb') + out = f.read() + f.close() + return out + +shellcode_files = ['first', 'second', 'third', 'fourth', 'last'] +shellcode_blocks = [get_shellcode_block('base_block')] +morpher_file = 'morpher' +morpher_template = 'morpher.template.asm' + +xor_blocks = [] +xor_block_files = [] + +def build_shellcode_files(): + for x in shellcode_files: + shellcode_blocks.append(get_shellcode_block(x)) + +def gen_xor_blocks(): + for x in range(0, len(shellcode_files)): + xor_block = create_xor_block(shellcode_blocks[x], shellcode_blocks[x+1]) + xor_blocks.append(xor_block) + f = open('b%d.bin' % x, 'wb') + f.write(xor_block) + f.close() + xor_block_files.append('b%d.bin' % x) + + +def create_morpher_file(): + _mrph = 'file \'base_block.bin\'\n' + _data = '' + _block_list = '' + + for x in xor_block_files: + _data += '%s: file \'%s\'\n' % (x, x) + _block_list += '%s, ' % x + + _data += 'block_ptrs dd %s0' % _block_list + + f = open(morpher_template, 'rb') + template = f.read().decode('utf-8') + f.close() + result = template % (_mrph, _data) + f = open('%s.asm' % morpher_file, 'wb') + f.write(result.encode('utf-8')) + f.close() + + +# The morpher has 3 sections, modifiable code, static code (morphing), data +# Modifiable code will be where each shellcode segment is done +# Static 
code has the morpher that sets up each shellcode segment +# Data has the XOR block pointers and indicies for the ones to use in order +# Begins by the morpher creating the first shellcode block, setting it up, then running it +# continues until the final block that will print the flag +# Kinda like a binary bomb but in one binary + +# On entrance to each shellcode segment the ebx register will be a vtable of std funcs +# printf +# puts +# scanf +# esi contains the base address of the shellcode segment +# edi contains the address of the part of the flag that this segment fills +# edx contains the number of the block + +build_shellcode_files() +gen_xor_blocks() +create_morpher_file() +build_bin(morpher_file) + +#print(create_xor_block(b'123', b'321')) +#print(get_shellcode_block('shellcode')) diff --git a/self-modifier/char.inc b/self-modifier/char.inc new file mode 100644 index 0000000..024ef9f --- /dev/null +++ b/self-modifier/char.inc 
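Review bot: `run_command()` never checks the exit status, so a failed `fasm` run leaves `get_shellcode_block()` reading a stale or missing `.bin`, and it reads `proc.stdout.read() + proc.stderr.read()` in sequence, which can block if the assembler fills the stderr pipe first. It also builds a shell string with `shell=True`; the names are hard-coded today, so nothing untrusted reaches the shell as written, but an argument list with `communicate()` and a status check removes all three problems. `create_xor_block()` indexes `next_shellcode_block` by the length of the previous block without checking that both are the 512 bytes its comment assumes, so a wrong-sized block should fail at build time. The file handles in `get_shellcode_block()`, `gen_xor_blocks()` and `create_morpher_file()` would be safer as `with open(...)` blocks.

```python
def run_command(args):
    # args is an argument list, so no shell parses the file name
    proc = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = proc.communicate()  # drains both pipes together
    if proc.returncode != 0:
        raise RuntimeError('%s failed (%d): %r' % (args[0], proc.returncode, err))
    return out + err

def build_bin(name):
    print(run_command(['fasm', '%s.asm' % name]))

def create_xor_block(last_shellcode_block, next_shellcode_block):
    if len(last_shellcode_block) != len(next_shellcode_block):
        raise ValueError('shellcode blocks differ in length')
    # ... unchanged: byte-wise XOR loop and return ...
```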
@@ -0,0 +1,84 @@ +;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Character defines + NULL equ 0x00 + BELL equ 0x07 + BSPC equ 0x08 + TAB equ 0x09 + ENDL equ 0x0A + CRET equ 0x0D + + CHAR_0 equ 0x30 + CHAR_1 equ 0x31 + CHAR_2 equ 0x32 + CHAR_3 equ 0x33 + CHAR_4 equ 0x34 + CHAR_5 equ 0x35 + CHAR_6 equ 0x36 + CHAR_7 equ 0x37 + CHAR_8 equ 0x38 + CHAR_9 equ 0x39 + CHAR_A equ 0x41 + CHAR_B equ 0x42 + CHAR_C equ 0x43 + CHAR_D equ 0x44 + CHAR_E equ 0x45 + CHAR_F equ 0x46 + CHAR_G equ 0x47 + CHAR_H equ 0x48 + CHAR_I equ 0x49 + CHAR_J equ 0x4a + CHAR_K equ 0x4b + CHAR_L equ 0x4c + CHAR_M equ 0x4d + CHAR_N equ 0x4e + CHAR_O equ 0x4f + CHAR_P equ 0x50 + CHAR_Q equ 0x51 + CHAR_R equ 0x52 + CHAR_S equ 0x53 + CHAR_T equ 0x54 + CHAR_U equ 0x55 + CHAR_V equ 0x56 + CHAR_W equ 0x57 + CHAR_X equ 0x58 + CHAR_Y equ 0x59 + CHAR_Z equ 0x5a + CHAR_a equ 0x61 + CHAR_b equ 0x62 + CHAR_c equ 0x63 + CHAR_d equ 0x64 + CHAR_e equ 0x65 + CHAR_f equ 0x66 + CHAR_g equ 0x67 + CHAR_h equ 0x68 + CHAR_i equ 0x69 + CHAR_j equ 0x6a + CHAR_k equ 0x6b + CHAR_l equ 0x6c + CHAR_m equ 0x6d + CHAR_n equ 0x6e + CHAR_o equ 0x6f + CHAR_p equ 0x70 + CHAR_q equ 0x71 + CHAR_r equ 0x72 + CHAR_s equ 0x73 + CHAR_t equ 0x74 + CHAR_u equ 0x75 + CHAR_v equ 0x76 + CHAR_w equ 0x77 + CHAR_x equ 0x78 + CHAR_y equ 0x79 + CHAR_z equ 0x7a +;;;;;;;;;;;;;;;;;;;;;;;;;;; + +macro resv c_size +{ + db c_size dup (0) +} + +macro resv_stuff c_size +{ + repeat c_size + db % and 0xff + end repeat +} diff --git a/self-modifier/description.md b/self-modifier/description.md new file mode 100644 index 0000000..bb9b86f --- /dev/null +++ b/self-modifier/description.md @@ -0,0 +1,2 @@ +Welcome to the RE training course, this problem has 4 phases. Solve all four to get the flag. +[Download](${morpher_exe}) \ No newline at end of file diff --git a/self-modifier/first.asm b/self-modifier/first.asm new file mode 100644 index 0000000..b3f2be6 --- /dev/null +++ b/self-modifier/first.asm 
@@ -0,0 +1,140 @@ +format binary +use32 +include 'std.inc' + +; On entrance to each shellcode segment the ebx register will be a vtable of std funcs +; printf +; puts +; scanf +; sin +; cos +; tan +; asin +; acos +; atan +; malloc +; free +; esi contains the base address of the shellcode segment +; edi contains the address of the part of the flag that this segment fills +; edx contains the number of the block + +start: + push edx + push edi + push esi + + mov eax, dword [ebx] + lea ecx, [esi + base_txt] + push ecx + call dword [eax] + add esp, 4 + + xor eax, eax + push eax + mov eax, esp + push eax + + lea eax, [ebx + 8] + mov eax, dword [eax] + lea ecx, [esi+scanf_txt] + push ecx + call dword [eax] + add esp, 8 + + ; inputt'd float is now on top of the stack + pop eax + mov dword [esi+temp_val], eax + + sub esp, 8 + cvtss2sd xmm0, dword [esi+temp_val] + movsd qword [esp], xmm0 + + ; call cos + lea eax, [ebx + 0x10] + mov eax, dword [eax] + call dword [eax] + + fstp qword [esp] + movsd xmm0, qword [esp] + add esp, 8 + cvtss2sd xmm1, dword [esi+c_val] + mulsd xmm0, xmm1 + push ebp + push ebp + movsd qword [esp], xmm0 + + ; call atan + lea eax, [ebx + 0x20] + mov eax, dword [eax] + call dword [eax] + + fstp qword [esp] + movsd xmm0, qword [esp] + pop eax + cvtss2sd xmm1, dword [esi+b_val] + pop ecx + mulsd xmm0, xmm1 + push esp + push ebp + movsd qword [esp], xmm0 + + ; call sin + lea eax, [ebx + 0xc] + mov eax, dword [eax] + call dword [eax] + + fstp qword [esp] + cvtss2sd xmm1, dword [esi+a_val] + movsd xmm0, qword [esp] + mulsd xmm0, xmm1 + + movsd qword [esp], xmm0 + cvtsd2ss xmm0, qword [esp] + pop eax + movss dword [esp], xmm0 + pop eax + + pop esi + push esi + + cmp eax, dword [esi+final_val] + jnz trash + lea ecx, [esi+right_txt] + jmp past_trash +trash: + lea ecx, [esi+wrong_txt] + ; Make this so it crashes badly + inc esp +past_trash: + push ecx + lea eax, [ebx + 0x4] + mov eax, dword [eax] + call dword [eax] + pop ebp + + pop esi + pop edi + pop edx + + 
mov eax, dword [esi+temp_val] + ; 0x61375a7b = little endian of '{Z7a' + ; 0x61375a7b ^ 0x3fab396d which is the value of the correct input 1.33769 + ; is equal to 0x5e9c6316 + xor eax, 0x5e9c6316 + mov dword [edi], eax + xor eax, eax + mov dword [esi+temp_val], eax + + retn + +b_val dd 0x4039999a +base_txt db 'Please enter the best number', ENDL, 0 +a_val dd 0x40d00000 +scanf_txt db '%f', 0 +final_val dd 0xc092e6a0 +right_txt db 'You got it!', 0 +c_val dd 0xbf99999a +wrong_txt db 'You dumb.', 0 +temp_val dd 0 + +resv_stuff 512-$ diff --git a/self-modifier/first.bin b/self-modifier/first.bin new file mode 100644 index 0000000000000000000000000000000000000000..990c9b17f10b2cddb3ceda809ed422ddc4c82875 GIT binary patch literal 512 zcmWFv59?;`?fcBYz!3Ofp!o=k;emk82LZj#9Ni4PeWHv|VUCE-HZvfn`3=Ws{wOf> z6TcvfO0Tm(H^YB{yD}=D_yt&0nvZ~_`!s+mKk-K%3=M@UQb1M|0aEfFXkjEsO$ba4 z4^$0ERuF6e&_Iw1uo<8DqgYgcI)QdZ#D!V6NdQ%pa`g7e0O{B4y?r`B+9j~pnFVA@ zY+QU)H`tM;V##yjI@t{mK%9Sg)=W!>fSlCC;#7syypq%+g_4X^g{0Kt5{10d+@#bZ zE}*k6IH;yEEO<8QKxBTYLVA9QLS~5~!>pMz_k;K;KxKMBMGOp#Ow25-Z0sDIT--do zeEb4}Lc$`VV&W2#QqnTAa`Fm_O3Es#YU&!ATG~3gdin;2M#d(lX66=_R@OGQcJ>aA zPR=f_ZtfnQUfw>we*OW0LBS!RVc`*xQPD9#4DTVIr$DxCI6nhJDbs5KkmA0- zKoN*~m%~9oc03U4GWnI}CZ!ft*@L<5AYo?JQU(xXCJ?8xhK6=N2DA$TZ3*I?0OAsEkgD!!Aa{I!)CqRaVUWaaAg<-@ z_GJJm=K}FwfqPshPQj zrIodft)0Dtqm#3XtDC!rrnub+QFU{G*KXjpheWK?uaY+QUoVp4KSYFc_mW>$7i zZeD&tVNr2OX<2ziWmR=eZC!msV^ecWYg>CqXIFPmZ(sj}iIXNznL2IyjG41$&zU=K z{(^;z7B5-4Z25|nt5&aByKeo4jhi-a*}84}j-9)9@7cR=|AB*t4j(ys?D&b3r%snAuU@}-`|kaRkDopR0PTXgm;e9( literal 0 HcmV?d00001 diff --git a/self-modifier/grader.py b/self-modifier/grader.py new file mode 100644 index 0000000..f744df0 --- /dev/null +++ b/self-modifier/grader.py 
@@ -0,0 +1,13 @@ +def grade(random, key): + if key.find("Z7a_ok_qfme_xt") != -1: + return True, "Correct!" + incorrect_txt = 'Wrong. ' + if key.find("Z7a") == -1: + incorrect_txt += "Phase 1 failed. " + if key.find("_ok_") == -1: + incorrect_txt += "Phase 2 failed. " + if key.find("qfme") == -1: + incorrect_txt += "Phase 3 failed. " + if key.find("_xt") == -1: + incorrect_txt += "Phase 4 failed. " + return False, incorrect_txt diff --git a/self-modifier/last.asm b/self-modifier/last.asm new file mode 100644 index 0000000..2b8311f --- /dev/null +++ b/self-modifier/last.asm @@ -0,0 +1,37 @@ +format binary +use32 +include 'std.inc' + +; On entrance to each shellcode segment the ebx register will be a vtable of std funcs +; printf +; puts +; scanf +; sin +; cos +; tan +; asin +; acos +; atan +; malloc +; free +; esi contains the base address of the shellcode segment +; edi contains the address of the part of the flag that this segment fills +; edx contains the number of the block + +jmp start + +output_text db 'Assuming you got every challenge right here is the flag: %s', ENDL, 0 + +start: + shl edx, 2 + sub edi, edx + push edi + mov eax, dword [ebx] + lea ecx, [esi + output_text] + push ecx + call dword [eax] + add esp, 8 + + ret + +resv_stuff 512-$ diff --git a/self-modifier/last.bin b/self-modifier/last.bin new file mode 100644 index 0000000000000000000000000000000000000000..a86c5becb6e6c6b15541067867ab853fdb84de02 GIT binary patch literal 512 zcmaED>sVY|nwy!Iu27j@s*s*vqL5maT2!f!oROH5lbV;Fs!)`fo>8KZky@0hkXfuy zl98&AmXnxnrJ!2O#c=QuljimCZsuM;rojIK%||#6Gcqx=u(GjpaB^|;@bd8s2nq>{ zh>D3zNJ>e|$jZqpC@LwdsH&-JXliNe=<4Yk7#bOyn3|beSXx=z*xK1UI667IxVpJ} zczSvJ`1<(=1O^3%gocGjL`Fr&#Ky%ZBqk-Nq^6~3WM*aOYz*tlu)maW^i@7TF(_ny7`_8&NS=aq_n*K2{xb|Q{{sLsDcSn~ literal 0 HcmV?d00001 diff --git a/self-modifier/morpher.asm b/self-modifier/morpher.asm new file mode 100644 index 0000000..d9150d7 --- /dev/null +++ b/self-modifier/morpher.asm 
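Review bot: `grade()` accepts any submission in which `"Z7a_ok_qfme_xt"` occurs as a substring (`key.find(...) != -1`), so the check is not an exact match and any surrounding text is ignored; if an exact flag is intended, compare `key.strip()` with the full expected string. The failure path reports which of the four fragments are present, which discloses partial correctness to the submitter; that may be deliberate for a four-phase training problem, but it deserves a comment saying so. The `find(...) == -1` tests read more plainly as `"Z7a" not in key`, and the `random` parameter is unused and shares its name with the standard module.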
@@ -0,0 +1,109 @@ +format PE console +entry start +include 'C:\\Projects/asm/INCLUDE/win32a.inc' +include 'C:\\Projects/asm/std.inc' + +section '.mrph' code readable executable writeable +mrph: + +file 'base_block.bin' + + +section '.stat' code readable executable + +data import + library msvcrt, 'msvcrt.dll' + import msvcrt, \ + printf , 'printf', \ + puts , 'puts', \ + scanf , 'scanf', \ + sin , 'sin', \ + cos , 'cos', \ + tan , 'tan', \ + asin , 'asin', \ + acos , 'acos', \ + atan , 'atan', \ + malloc , 'malloc', \ + free , 'free', \ + getchar , 'getchar' +end data + +do_morph: + push ebp + mov eax, 1 + mov edx, dword [num_block] + lea ecx, [block_ptrs + 4*edx] + mov ecx, dword [ecx] + + cmp ecx, 0 ; If the block ptr is null return + jz .finish + + inc edx + mov dword [num_block], edx + lea edx, [ecx+512] + mov edi, mrph + +.mod: + cmp ecx, edx + jz .finish + movzx eax, byte [ecx] + movzx ebp, byte [edi] + xor eax, ebp + mov byte [edi], al + inc edi + inc ecx + xor eax, eax + jmp .mod + +.finish: + pop ebp + ret + +; No args, flushes input. 
+flush_inp: + call [getchar] + cmp eax, -1 + jz .finish + cmp eax, ENDL + jnz flush_inp +.finish: + ret + +; On entrance to each shellcode segment the ebx register will be a vtable of std funcs +; esi contains the base address of the shellcode segment +; edi contains the address of the part of the flag that this segment fills +; edx contains the number of the block +run_morphed: + mov esi, mrph + mov edx, dword [num_block] + dec edx + lea edi, [flag + 4*edx] + mov ebx, func_vtable + call mrph + ret + +start: + call do_morph + cmp eax, 0 + jnz .finish + call run_morphed + call flush_inp + jmp start + +.finish: + ret + +section '.dat' data readable writeable + +num_block dd 0 + +func_vtable dd printf, puts, scanf, sin, cos, tan, asin, acos, atan, malloc, free, 0 + +flag db 64 dup (0) + +b0.bin: file 'b0.bin' +b1.bin: file 'b1.bin' +b2.bin: file 'b2.bin' +b3.bin: file 'b3.bin' +b4.bin: file 'b4.bin' +block_ptrs dd b0.bin, b1.bin, b2.bin, b3.bin, b4.bin, 0 
diff --git a/self-modifier/morpher.exe b/self-modifier/morpher.exe new file mode 100644 index 0000000000000000000000000000000000000000..2eaddeaf9e55379fc807c61e34aff2d84b148f62 GIT binary patch literal 4608 zcmd^Cc~q0f7N4*QQIl9jKtw+jRH|$W3Mdi;p-^@SOJoZWAQ(bcWCy`kwonwXDz4bN zucbv)6l~C^2%@-DSp|xK8(7~15h3q>0hQA8dV1dJ>-(ekoZsB}-8*+?@=d<^?scZ8 zA_7840a1`tiVzhiAXHiV`%NmiNpmld(Dy2}+GPZ%T5Zn=mH^}Oqr>@(C@h4*;Y16u zU?#>FaWEDKvvpmEMMZ})4W<%x-p}l|79l5sJSsd{<@4V57?BB+2?TrC6hc!*tx?*b zDF7p!Q%C!9NVa#}B9Dl;8r?Y9vm0?62p)su!^km;n{dGpdME4rwT(d(pBsTM344|8 z57#)x35L*P1A&ks1lwl(T)-e3gFlyXf*}-S5Gosna`4B1KO_9PDFMa_6`{&;RMsWP z$tx%-O;T1NPM$KAM5avpWcm!%nQH19vovRG&6$g7&zrBKyI|oWy-yb}(Kj$OGG4mO z#B})zGjofTt1MSrQLWe5*sis+|IEShb0=pPS2uT$b)GaYZy#U!dO!bwz#v9&NGLNb zJc1RufgQz(=JNOgp(ti!Y+QUoVp4KS>ZY{x&0l=EB_lH{J4c-RRo>QZ`2~gBzuvKP zSJCc0d-v@>P<-&4Zx0gJy&-A!o~7Smn$l-{3xlqdhH+A zZ&cr`sl8Qq`%eAcd-osw^zczbV^ecW>*Kcej-NZ9banSUefIpt%ig|Mzr6nEzxoH> z489$DH#{OmfA`;Sf_?l)EP{T-IR4RtP?R7hgfBD*WwR054Py=gP60{*<$xan*8#Ty z4*`z>PXWIGaQSay5aRM#9AOw9&lL#;xE8>zf*S-Z4zwZBxKYT!`;1W&VvHIQW7LeI z7;JWQ2n;}Bd?pju;Y?vj1cQ%gW%x^#t%{7ONIa!bXhB8UD(QnrxL{4@sBtU)x>X33RNOt8xQ!zS zr*`Ywcd!Z*&hi}hq%dNnk>>4|t&3fovqTEzD7-m|-*+64V~r%34~3 z2^evl?pIy3#5@wRC(B4N+E5TQtv~GnR{DPz6K$3SK4vS zY$Tp)jD)r`FXf%DN(y)GFtPV$a~}p$d;_l=)tbqP$Z*|D zypJzea-B4TM7Lw^SY|4W=$K5_qA;Z#FSCw?jMrF=j*xv!)mcSejXqbAs7at`Xpuc< z64hs@5NFP?kFitoLuo^V1m(+0kTG4?il#?wK|*Uf~nctz+6LkzRruwl+3ON&*y5dtz-m+0ZU-Zu~s z&f36=2872Y#H9c}@G<}4qsNb)1{^+r@q7i~1Ao-`s1?xF^Q@;A&^0(TCzD7F!G3PR>SdY2`G0z{IXKn|RW!TExldg^rC&rWYP?tJ=Jx%$K(S3y=CeH# zRT_V9a+R|0-N1)^dv4y4cp!4ATlaLNFIOv$nyGDSR$&n+dM+u(&p+T$4r6FR`e0X* zc6v^z=Qj$hKCz8*+8h58Ii0>Eem=hbHEk=xyidE$yK1ft-?CB(GhSJgUFrBbDgB70 zC6ZDKog@hwF`-pf+_t`LoN(^utl^F<7K45G5-&EUEI1J*k~16>vllD1quY=%KY@&y zqd0572W6|4-@yF=cuns>#=PD{Z(PPqn)g0qR+~pMSh|3@HV!gobv$EsabM@|4G0|5 zt~>#6BOql=yH50 zxJdHb<@7SVv*q_YIq7WUKPlzEBltrRvk8hAnlikS8E_<7P{i=HoLslPbI$i$bb_67 zT6g0^Ga;YPo3|s5K30aosGod5s; literal 0 HcmV?d00001 
diff --git a/self-modifier/morpher.template.asm b/self-modifier/morpher.template.asm new file mode 100644 index 0000000..6b0a9e6 --- /dev/null +++ b/self-modifier/morpher.template.asm 
@@ -0,0 +1,103 @@ +format PE console +entry start +include 'C:\\Projects/asm/INCLUDE/win32a.inc' +include 'C:\\Projects/asm/std.inc' + +section '.mrph' code readable executable writeable +mrph: + +%s + +section '.stat' code readable executable + +data import + library msvcrt, 'msvcrt.dll' + import msvcrt, \ + printf , 'printf', \ + puts , 'puts', \ + scanf , 'scanf', \ + sin , 'sin', \ + cos , 'cos', \ + tan , 'tan', \ + asin , 'asin', \ + acos , 'acos', \ + atan , 'atan', \ + malloc , 'malloc', \ + free , 'free', \ + getchar , 'getchar' +end data + +do_morph: + push ebp + mov eax, 1 + mov edx, dword [num_block] + lea ecx, [block_ptrs + 4*edx] + mov ecx, dword [ecx] + + cmp ecx, 0 ; If the block ptr is null return + jz .finish + + inc edx + mov dword [num_block], edx + lea edx, [ecx+512] + mov edi, mrph + +.mod: + cmp ecx, edx + jz .finish + movzx eax, byte [ecx] + movzx ebp, byte [edi] + xor eax, ebp + mov byte [edi], al + inc edi + inc ecx + xor eax, eax + jmp .mod + +.finish: + pop ebp + ret + +; No args, flushes input. +flush_inp: + call [getchar] + cmp eax, -1 + jz .finish + cmp eax, ENDL + jnz flush_inp +.finish: + ret + +; On entrance to each shellcode segment the ebx register will be a vtable of std funcs +; esi contains the base address of the shellcode segment +; edi contains the address of the part of the flag that this segment fills +; edx contains the number of the block +run_morphed: + mov esi, mrph + mov edx, dword [num_block] + dec edx + lea edi, [flag + 4*edx] + mov ebx, func_vtable + call mrph + ret + +start: + call do_morph + cmp eax, 0 + jnz .finish + call run_morphed + call flush_inp + jmp start + +.finish: + ret + +section '.dat' data readable writeable + +num_block dd 0 + +func_vtable dd printf, puts, scanf, sin, cos, tan, asin, acos, atan, malloc, free, 0 + +flag db 64 dup (0) + +%s diff --git a/self-modifier/out.txt b/self-modifier/out.txt new file mode 100644 index 0000000..485cc33 --- /dev/null +++ b/self-modifier/out.txt 
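Review bot: The two `include 'C:\\Projects/asm/...'` lines are absolute paths on the author's machine, so `build.py` cannot assemble this template anywhere else, while the phase sources in this commit use a relative `include 'std.inc'`; use the same relative form here and let fasm find `win32a.inc` through its `INCLUDE` environment variable. The `.mrph` section is declared `code readable executable writeable`, which `do_morph` needs in order to XOR the next block over it; a comment on that line, e.g. `; W+X on purpose: do_morph rewrites this section in place`, would keep it from being mistaken for a build mistake. The two `%s` placeholders are filled by Python `%` formatting in `build.py`, so any literal `%` added to this file later has to be written `%%`.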
@@ -0,0 +1,39 @@
+1
+1
+3
+5
+9
+17
+31
+57
+105
+193
+355
+653
+1201
+2209
+4063
+7473
+13745
+25281
+46499
+85525
+157305
+289329
+532159
+978793
+1800281
+3311233
+6090307
+11201821
+20603361
+37895489
+69700671
+128199521
+235795681
+433695873
+797691075
+1467182629
+2698569577
+668475985
+539260895
diff --git a/self-modifier/problem.yml b/self-modifier/problem.yml
new file mode 100644
index 0000000..32f222b
--- /dev/null
+++ b/self-modifier/problem.yml
@@ -0,0 +1,7 @@
+title: Morphin
+category: Reverse Engineering
+value: 450
+author: r3ndom
+autogen: false
+files:
+ - morpher.exe
\ No newline at end of file
diff --git a/self-modifier/second.asm b/self-modifier/second.asm
new file mode 100644
index 0000000..553dc2a
--- /dev/null
+++ b/self-modifier/second.asm
@@ -0,0 +1,120 @@ +format binary +use32 +include 'std.inc' + +; On entrance to each shellcode segment the ebx register will be a vtable of std funcs +; printf +; puts +; scanf +; sin +; cos +; tan +; asin +; acos +; atan +; malloc +; free +; esi contains the base address of the shellcode segment +; edi contains the address of the part of the flag that this segment fills +; edx contains the number of the block + + push edi + + lea ecx, [esi+pattern_text] + push ecx + lea eax, [ebx + 0x4] + mov eax, dword [eax] + call dword [eax] + pop ebp + + mov ecx, 0 +printLoop: + push ecx + call adv_fib + push eax + lea ecx, [esi + format_text] + mov eax, dword [ebx] + push ecx + call dword [eax] + pop ecx + pop ebp + pop ecx + inc ecx + cmp ecx, 6 + jnz printLoop + + lea ecx, [esi+empty_text] + lea eax, [ebx + 0x4] + mov eax, dword [eax] + push ecx + call dword [eax] + pop ebp + + + lea ecx, [esi+inputVal] + push ecx + lea eax, [ebx + 8] + mov eax, dword [eax] + lea ecx, [esi+unsignFmt] + push ecx + call dword [eax] + add esp, 8 + + mov ecx, dword [esi+inputVal] + pop edi + ; 433695873 is the answer + ; (struct.unpack('i_%9Ht&=~zx9=0&sQBY;AWa}}I6Nb< zL?N?Sp(G4AmYSelxb zoNCXYnxeqa{FAAkcLyWLFx679p+TO3FP{DX|35MS$hZq(ytoRaqZluM&|wCT{DM@4 z%KTD=^n9T0B??8E=@})83PGvGr8y;53el>?v0My{Ow25-Z0sDIT--doeEb4}Lc$`V zV&W2#QqnTAa`Fm_O3Es#YU&!ATG~3gdin;2M#d(lX66=_R@OGQcJ>aAPR=f_ZtfnQ zUfw>we*OW0LBS!RVc`*xQPDB6aq$U>Ny#axY3Ui6S=l+cdHDr}Ma3nhW#tu>Rn;}M zb@dI6P0cN>ZS5VMUEMvsef<+APMSPr>a^)IX3m;DXYRcD3l=U~ykzOJ$dGXcJA7}XYaoK2M!)OeB|h{<0np@I(_Esx$_q;Ub=kc>b2`PZr-|m U=kC4x4<0^x{N(Ag=PzCY0BhsX7XSbN literal 0 HcmV?d00001 diff --git a/self-modifier/std.inc b/self-modifier/std.inc new file mode 100644 index 0000000..4e57c54 --- /dev/null +++ b/self-modifier/std.inc 
@@ -0,0 +1,32 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Standard Includes of my
+; code
+include 'char.inc'
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; File descriptor macros
+ STDIN equ 0
+ STDOUT equ 1
+ STDERR equ 2
+;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+
+; Standard prologue of a function
+macro prologue
+{
+ push ebp
+ mov ebp, esp
+}
+
+; Standard epilogue of a function
+macro epilogue
+{
+ mov esp, ebp
+ pop ebp
+}
+
+; Allocates space on the stack for something
+macro local_alloc size
+{
+ sub esp,size
+}
\ No newline at end of file
diff --git a/self-modifier/third.asm b/self-modifier/third.asm
new file mode 100644
index 0000000..378c1c8
--- /dev/null
+++ b/self-modifier/third.asm
@@ -0,0 +1,110 @@
+format binary
+use32
+include 'std.inc'
+
+; On entrance to each shellcode segment the ebx register will be a vtable of std funcs
+; printf
+; puts
+; scanf
+; sin
+; cos
+; tan
+; asin
+; acos
+; atan
+; malloc
+; free
+; esi contains the base address of the shellcode segment
+; edi contains the address of the part of the flag that this segment fills
+; edx contains the number of the block
+
+jmp start
+
+startup_text db 'What did you say?',0
+
+start:
+ push edi
+
+ lea ecx, [esi+startup_text]
+ push ecx
+ lea eax, [ebx + 0x4]
+ mov eax, dword [eax]
+ call dword [eax]
+ pop ebp
+
+ xor eax, eax
+ push eax
+ push eax
+ mov eax, esp
+ push eax
+
+ lea eax, [ebx + 8]
+ mov eax, dword [eax]
+ lea ecx, [esi+scanf_text]
+ push ecx
+ call dword [eax]
+ add esp, 8
+
+ pop ecx
+ pop eax
+ pop edi
+
+ mov dword [edi], ecx
+
+ lea edx, [esi+to_match]
+
+.check:
+ movzx ecx, byte [edi]
+ call check_char
+ cmp eax, 0
+ jz idiot
+
+ inc edi
+ inc edx
+ cmp byte [edx], 0
+ jnz .check
+
+ ret
+
+scanf_text db '%4[^',ENDL,']'
+
+; ecx = input'd char
+; edx = ptr to char to match
+check_char:
+ cmp ecx, CHAR_a ; 97
+ jl fail
+ cmp ecx, 126
+ jge fail
+
+ sub ecx, CHAR_a ; 97
+ add ecx, esi
+ lea ecx, [ecx + alphabet]
+ movzx eax, byte [ecx]
+ cmp byte [edx], al
+ jnz fail
+
+ mov eax, 1
+ ret
+
+idiot_text db 'Wrong...', 0
+
+fail:
+ mov eax, 0
+ ret
+
+to_match db 'ezpr', 0
+
+idiot:
+ lea ecx, [esi+idiot_text]
+ push ecx
+ lea eax, [ebx + 0x4]
+ mov eax, dword [eax]
+ call dword [eax]
+ pop ebp
+ dec esp
+ ret
+
+alphabet db '{m}krzyjfwngpshteoialduqxvcb|', 0
+; abcdefghijklmnopqrstuvwxyz{|}
+; flag is "qfme"
+resv_stuff 512-$
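Review bot: `scanf_text db '%4[^',ENDL,']'` has no terminating zero, unlike `startup_text`, `idiot_text` and `to_match`, so the format string handed to the vtable's scanf entry runs on into the bytes of `check_char` that follow it. It presumably works today only because parsing stops at the first literal mismatch after the bounded `%4[^...]` conversion; `scanf_text db '%4[^',ENDL,']',0` makes it well defined, and `resv_stuff 512-$` absorbs the extra byte. Separately, the `idiot` path executes `dec esp` just before `ret`, which shifts the return address by one byte; if that crash on a wrong answer is intended it deserves a comment saying so.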
diff --git a/self-modifier/third.bin b/self-modifier/third.bin new file mode 100644 index 0000000000000000000000000000000000000000..6835669ba0a110de8be980384f1a1724e1b6f1ef GIT binary patch literal 512 zcmaDY6rPb-qL7lAqEMM%s!*I*Y0nVe>&Fz>>&(*4@LwR-@IXL7=YxP=XO3=$Uca!w z{{qcNI3gqBJNbL3^)fIp@NeUPAq=FOe=wA|xH~miF_gYJtZEV+#}(WBGqFak`Db0N zV)M&H#*e+73&83bEtpFAcQ69khr^5V^V0S7^cZ#kc?^eBs|t#Mmej#5_c>ghTbo@} zRhgAmo|j%woKcdRpP87GQd(G1mYh_>z{teR!pg?Z!O6wV!^_7nASfg(A}S^>At@y- zBP%Dbps1v*qN=8@p{b>IRvK4a#r*>mR3o4;V;qQy&=E?d50<*LVdJLF zTefc7zGLUE-Fx=#+kfETp~FXx9y@;GWe&gn?+js8XyZ_+f pqsLF4K70P+<*V0k-oAVP;p3;zU%r0({^RGb-+%u8`%eY`0|02b%)9^q literal 0 HcmV?d00001 From 2910645c96ce5bfae8eb1f9f923c4f1bbc456fb7 Mon Sep 17 00:00:00 2001 From: Ankur Sundara Date: Sun, 12 Mar 2017 00:29:28 -0600 Subject: [PATCH 26/51] Create grader.py --- library2/grader.py | 112 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 library2/grader.py diff --git a/library2/grader.py b/library2/grader.py new file mode 100644 index 0000000..463962b --- /dev/null +++ b/library2/grader.py 
@@ -0,0 +1,112 @@ +N = input() +dictionary = {} +word_idx = {} +for i in range(N): + line = raw_input() + sp = line.split(": ") + word = sp[0] + defn = sp[1].split(" ") + dictionary[word] = defn + word_idx[word] = i +#print dictionary + +graph = {} #adj-list graph of word dependencies +for i in range(N): + graph[i] = [] +for word in dictionary: + idx = word_idx[word] + for dword in dictionary[word]: + toidx = word_idx[dword] + graph[idx].append(toidx) + +#print graph + + +index = 0 + +components = [] +S = [] +v_index = {} +v_lowlink = {} +v_onStack = {} +def strongConnect(v): + global index + global components + global S + global v_index + global v_lowlink + global v_onStack + + v_index[v] = index + v_lowlink[v] = index + index += 1 + S.append(v) + v_onStack[v] = True + + # for edges of V + for w in graph[v]: + if w not in v_index: + strongConnect(w) + v_lowlink[v] = min(v_lowlink[v], v_lowlink[w]) + elif v_onStack[w]: + v_lowlink[v] = min(v_lowlink[v], v_lowlink[w]) + + if v_lowlink[v] == v_index[v]: + component = [] + while True: + w = S.pop() + v_onStack[w] = False + component.append(w) + if w==v: + break + components.append(component) +def SCC(graph): + global index + global components + global S + global v_index + global v_lowlink + global v_onStack + + index = 0 + components = [] + S = [] + v_index = {} + v_lowlink = {} + v_onStack = {} + for v in graph: + if v not in v_index: + strongConnect(v) + return components + + +comps = SCC(graph) +#print comps +newnodemap = {} +for idx in range(len(comps)): + comp = comps[idx] + for node in comp: + newnodemap[node] = idx + +newgraph = {} + +for idx in range(len(comps)): + comp = comps[idx] + outgoing = set([]) + for node in comp: + nodeout = graph[node] + newnodeout = set([]) + for no in nodeout: + newnodeout.add(newnodemap[no]) + outgoing = outgoing.union(newnodeout) + outgoing.discard(idx) + newgraph[idx] = list(outgoing) +#print newgraph +# count number of nodes with no incoming edges + +ans = 0 +for node in 
newgraph: + if len(newgraph[node])==0: + ans += 1 + +print ans From 34378eba52cf7432e5e04a0b8b4fa2af4cc49dd5 Mon Sep 17 00:00:00 2001 From: Michael Zhang Date: Sun, 12 Mar 2017 01:47:50 -0600 Subject: [PATCH 27/51] Update to set gid --- doubly-dangerous/doubly_dangerous.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doubly-dangerous/doubly_dangerous.c b/doubly-dangerous/doubly_dangerous.c index fdf733d..cd7b874 100644 --- a/doubly-dangerous/doubly_dangerous.c +++ b/doubly-dangerous/doubly_dangerous.c @@ -1,13 +1,17 @@ //compile with: //gcc -m32 -std=c99 -Wall -fno-stack-protector doubly_dangerous.c -o doubly_dangerous +#define _GNU_SOURCE #include #include #include #include +#include void give_flag() { FILE *f = fopen("flag.txt", "r"); + gid_t gid = getegid(); + setresgid(gid, gid, gid); if (f != NULL) { char c; From c1382154346bad72931a58e9a48bbb3dc6187ab5 Mon Sep 17 00:00:00 2001 From: Michael Zhang Date: Sun, 12 Mar 2017 01:58:37 -0600 Subject: [PATCH 28/51] Update problem.yml --- diffie-cult/problem.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/diffie-cult/problem.yml b/diffie-cult/problem.yml index dabda4e..0fb7ea4 100644 --- a/diffie-cult/problem.yml +++ b/diffie-cult/problem.yml @@ -6,4 +6,4 @@ autogen: false programming: false value: 50 files: - - messages.txt \ No newline at end of file + - messages.txt From c580c73b97856a33bd6256858f438c15c76c5ba5 Mon Sep 17 00:00:00 2001 From: Ankur Sundara Date: Sun, 12 Mar 2017 03:18:54 -0500 Subject: [PATCH 29/51] Update problem.yml --- match-me/problem.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/match-me/problem.yml b/match-me/problem.yml index 4b0985f..b62bd80 100644 --- a/match-me/problem.yml +++ b/match-me/problem.yml 
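Review bot: `N = input()` on the first line is Python 2's evaluating `input` (the file also uses `raw_input` and `print ans`), so the first line of stdin is evaluated as an expression rather than parsed as a number. `N = int(raw_input())` reads the same value without evaluating anything. `strongConnect` recurses once per node along a dependency chain, so a long chain in a test case can exceed the default recursion limit; an iterative Tarjan or an explicit `sys.setrecursionlimit` would make that failure mode deliberate. The closing comment says `# count number of nodes with no incoming edges`, but `newgraph[idx]` holds outgoing edges, so it should read `# count components with no outgoing edges`.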
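Review bot: The result of `setresgid(gid, gid, gid)` in `give_flag` is ignored, so if the call fails the function carries on with whatever group IDs the process already had. The call also comes after `fopen("flag.txt", "r")`, so it cannot influence that open; if the intent is to pin the group before touching the flag, move both added lines above the `fopen` and check the result, e.g. `if (setresgid(gid, gid, gid) != 0) return;`. If the intent is something else (for example keeping the group for a later child process), a one-line comment should say so. `give_flag` continues past the end of the hunk.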
@@ -1,7 +1,7 @@ author: GenericNickname title: Match Me hint: This is a fairly well-known graph problem, there's probably some sort of internet source on it. -category: Algorithms +category: Programming autogen: false programming: false value: 300 From fb9998139e55cd0c56307fe80f00f7afa702d0c8 Mon Sep 17 00:00:00 2001 From: Michael Zhang Date: Sun, 12 Mar 2017 03:20:18 -0500 Subject: [PATCH 30/51] Update problem.yml --- serial/problem.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/serial/problem.yml b/serial/problem.yml index c66116e..bfbb8c1 100644 --- a/serial/problem.yml +++ b/serial/problem.yml @@ -3,4 +3,4 @@ category: Forensics value: 300 hint: 010100110110010101110010011010010110000101101100001011100010111000101110 author: wiresboy -autogen: true \ No newline at end of file +autogen: false From 906356dde3f2cbde2ebcbda658c8eeebb78d8fa6 Mon Sep 17 00:00:00 2001 From: Ankur Sundara Date: Sun, 12 Mar 2017 03:26:33 -0500 Subject: [PATCH 31/51] add soln --- doubly-dangerous/doubly_dangerous.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doubly-dangerous/doubly_dangerous.c b/doubly-dangerous/doubly_dangerous.c index cd7b874..44e9af9 100644 --- a/doubly-dangerous/doubly_dangerous.c +++ b/doubly-dangerous/doubly_dangerous.c @@ -1,6 +1,8 @@ //compile with: //gcc -m32 -std=c99 -Wall -fno-stack-protector doubly_dangerous.c -o doubly_dangerous +//sol: input "A"*40+"\x00\x80\x34\x41" + #define _GNU_SOURCE #include #include From e58d3b97c880c165d2ecc57ff4076b8b59c778a1 Mon Sep 17 00:00:00 2001 From: Michael Zhang Date: Sun, 12 Mar 2017 03:58:11 -0500 Subject: [PATCH 32/51] Change ciphertext_rsa2.txt -> ciphertext.txt --- rsa2/grader.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rsa2/grader.py b/rsa2/grader.py index bca12b2..6afccaf 100644 --- a/rsa2/grader.py +++ b/rsa2/grader.py 
@@ -38,7 +38,7 @@ def generate_ciphertext(random): def generate(random): return dict(files={ - "ciphertext_rsa2.txt": generate_ciphertext + "ciphertext.txt": generate_ciphertext }) def grade(random, key): From bb254f936c3a66af24b806bf906be7232fd7e27a Mon Sep 17 00:00:00 2001 From: Ankur Sundara Date: Sun, 12 Mar 2017 04:04:45 -0500 Subject: [PATCH 33/51] Update messages.txt --- diffie-cult/messages.txt | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/diffie-cult/messages.txt b/diffie-cult/messages.txt index 1ab81e3..f876bd6 100644 --- a/diffie-cult/messages.txt +++ b/diffie-cult/messages.txt @@ -1,3 +1,4 @@ -g^a mod p = 421049228295820 -g^b mod p = 105262307073955 -p=442101689710611 \ No newline at end of file +g^a mod p = 791868216278 +g^b mod p = 722955066776 + +p = 986314922069 From f48d830b91ab5448aa4955eeb38378d3c9088777 Mon Sep 17 00:00:00 2001 From: Ankur Sundara Date: Sun, 12 Mar 2017 04:05:16 -0500 Subject: [PATCH 34/51] Update problem.yml --- diffie-cult/problem.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/diffie-cult/problem.yml b/diffie-cult/problem.yml index 0fb7ea4..0316dea 100644 --- a/diffie-cult/problem.yml +++ b/diffie-cult/problem.yml @@ -1,9 +1,9 @@ title: Diffie-cult author: nicebowlofsoup -hint: Wikipedia explains Diffie-hellman pretty well. There is a also a very easy way to do this. +hint: Wikipedia explains Diffie-hellman pretty well. category: Cryptography autogen: false programming: false -value: 50 +value: 140 files: - messages.txt From a31f20fecde51c044b5a063760590a1cddf4eb5b Mon Sep 17 00:00:00 2001 From: Ankur Sundara Date: Sun, 12 Mar 2017 04:08:13 -0500 Subject: [PATCH 35/51] Update problem.yml --- diffie-cult/problem.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/diffie-cult/problem.yml b/diffie-cult/problem.yml index 0316dea..c6d732a 100644 --- a/diffie-cult/problem.yml +++ b/diffie-cult/problem.yml 
@@ -1,5 +1,5 @@ title: Diffie-cult -author: nicebowlofsoup +author: arxenix hint: Wikipedia explains Diffie-hellman pretty well. category: Cryptography autogen: false From 543505ccdf08b407540dbba6d01719a727b42ecc Mon Sep 17 00:00:00 2001 From: Ankur Sundara Date: Sun, 12 Mar 2017 04:10:42 -0500 Subject: [PATCH 36/51] Update grader.py --- diffie-cult/grader.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/diffie-cult/grader.py b/diffie-cult/grader.py index 442ee76..abec8e0 100644 --- a/diffie-cult/grader.py +++ b/diffie-cult/grader.py @@ -1,4 +1,4 @@ def grade(autogen, answer): - if answer == ("421049228295820"): + if answer == ("906730649345"): return True, "Correct!" - return False, "Nope, try again." \ No newline at end of file + return False, "Nope, try again." From c2555cdf417db1a23300c96205d5ae841e4c2114 Mon Sep 17 00:00:00 2001 From: John W Date: Sun, 12 Mar 2017 04:12:06 -0500 Subject: [PATCH 37/51] Added hexable Simple hex-edit solvable binary problem. --- hexable-autogen/char.inc | 84 +++++++++++++++++++++++++++++++++ hexable-autogen/description.md | 2 + hexable-autogen/elf.inc | 45 ++++++++++++++++++ hexable-autogen/grader.py | 18 +++++++ hexable-autogen/hexable | Bin 0 -> 235 bytes hexable-autogen/hexable.asm | 35 ++++++++++++++ hexable-autogen/problem.yml | 5 ++ hexable-autogen/simple_gen.py | 19 ++++++++ hexable-autogen/std.inc | 32 +++++++++++++ 9 files changed, 240 insertions(+) create mode 100644 hexable-autogen/char.inc create mode 100644 hexable-autogen/description.md create mode 100644 hexable-autogen/elf.inc create mode 100644 hexable-autogen/grader.py create mode 100644 hexable-autogen/hexable create mode 100644 hexable-autogen/hexable.asm create mode 100644 hexable-autogen/problem.yml create mode 100644 hexable-autogen/simple_gen.py create mode 100644 hexable-autogen/std.inc diff --git a/hexable-autogen/char.inc b/hexable-autogen/char.inc new file mode 100644 index 0000000..024ef9f --- /dev/null 
+++ b/hexable-autogen/char.inc @@ -0,0 +1,84 @@ +;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Character defines + NULL equ 0x00 + BELL equ 0x07 + BSPC equ 0x08 + TAB equ 0x09 + ENDL equ 0x0A + CRET equ 0x0D + + CHAR_0 equ 0x30 + CHAR_1 equ 0x31 + CHAR_2 equ 0x32 + CHAR_3 equ 0x33 + CHAR_4 equ 0x34 + CHAR_5 equ 0x35 + CHAR_6 equ 0x36 + CHAR_7 equ 0x37 + CHAR_8 equ 0x38 + CHAR_9 equ 0x39 + CHAR_A equ 0x41 + CHAR_B equ 0x42 + CHAR_C equ 0x43 + CHAR_D equ 0x44 + CHAR_E equ 0x45 + CHAR_F equ 0x46 + CHAR_G equ 0x47 + CHAR_H equ 0x48 + CHAR_I equ 0x49 + CHAR_J equ 0x4a + CHAR_K equ 0x4b + CHAR_L equ 0x4c + CHAR_M equ 0x4d + CHAR_N equ 0x4e + CHAR_O equ 0x4f + CHAR_P equ 0x50 + CHAR_Q equ 0x51 + CHAR_R equ 0x52 + CHAR_S equ 0x53 + CHAR_T equ 0x54 + CHAR_U equ 0x55 + CHAR_V equ 0x56 + CHAR_W equ 0x57 + CHAR_X equ 0x58 + CHAR_Y equ 0x59 + CHAR_Z equ 0x5a + CHAR_a equ 0x61 + CHAR_b equ 0x62 + CHAR_c equ 0x63 + CHAR_d equ 0x64 + CHAR_e equ 0x65 + CHAR_f equ 0x66 + CHAR_g equ 0x67 + CHAR_h equ 0x68 + CHAR_i equ 0x69 + CHAR_j equ 0x6a + CHAR_k equ 0x6b + CHAR_l equ 0x6c + CHAR_m equ 0x6d + CHAR_n equ 0x6e + CHAR_o equ 0x6f + CHAR_p equ 0x70 + CHAR_q equ 0x71 + CHAR_r equ 0x72 + CHAR_s equ 0x73 + CHAR_t equ 0x74 + CHAR_u equ 0x75 + CHAR_v equ 0x76 + CHAR_w equ 0x77 + CHAR_x equ 0x78 + CHAR_y equ 0x79 + CHAR_z equ 0x7a +;;;;;;;;;;;;;;;;;;;;;;;;;;; + +macro resv c_size +{ + db c_size dup (0) +} + +macro resv_stuff c_size +{ + repeat c_size + db % and 0xff + end repeat +} diff --git a/hexable-autogen/description.md b/hexable-autogen/description.md new file mode 100644 index 0000000..5030dfb --- /dev/null +++ b/hexable-autogen/description.md @@ -0,0 +1,2 @@ +I tried to hide a flag sneakily, can you find it? +[Download](${hexable}) \ No newline at end of file diff --git a/hexable-autogen/elf.inc b/hexable-autogen/elf.inc new file mode 100644 index 0000000..c19743a --- /dev/null +++ b/hexable-autogen/elf.inc 
@@ -0,0 +1,45 @@ +;;;;;;;;;;;;;;;;;;;;;;;;;;; +; ELF header for stuff + + RLIMIT_AS equ 0x09 + +macro reserve name,size +{ + name db 0 + repeat size-1 + db 0 + end repeat +} + +macro print message +{ + mov eax, message +@@: + cmp byte [eax], 0 + jz @f + inc eax + jmp @b +@@: + mov edx, eax + sub edx, message + mov eax, 4 + mov ebx, 1 + mov ecx, message + int 0x80 +} + +macro read out_buff, cnt +{ + mov ebx, 0 + mov eax, 3 + mov ecx, out_buff + mov edx, cnt + int 0x80 +} + +macro exit exitcode +{ + mov ebx, exitcode + mov eax, 1 + int 0x80 +} diff --git a/hexable-autogen/grader.py b/hexable-autogen/grader.py new file mode 100644 index 0000000..07b067d --- /dev/null +++ b/hexable-autogen/grader.py @@ -0,0 +1,18 @@ +def gen_flag(random, length): + x = '' + for i in range(0,length): + x += random.choice(list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQSTUVWXYZ0123456789')) + return x + +def grade(random, key): + if key.find(gen_flag(random, 14)) != -1: + return True, "Correct!" + return False, "Nope." + +def generate(random): + dat = b'\x7fELF\x01\x01\x01\x03\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x91\x80\x04\x084\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x004\x00 \x00\x02\x00(\x00\x00\x00\x00\x00\x01\x00\x00\x00t\x00\x00\x00t\x80\x04\x08t\x80\x04\x08G\x00\x00\x00G\x00\x00\x00\x07\x00\x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\xbb\x00\x00\x00\xbb\x90\x04\x08\xbb\x90\x04\x080\x00\x00\x000\x00\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00\x89\xc8\x808\x00t\x03@\xeb\xf8\x89\xc2)\xca\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\x89\xc9\xcd\x80\xc3\xb9\xbb\x90\x04\x08\xe8\xd9\xff\xff\xff\xbb\x00\x00\x00\x00\xb8\x01\x00\x00\x00\xcd\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00Can you find the flag?\n\x00easyctf{abcdef__123456}\x00' + output = bytearray(dat[:0xdb]) + flag = gen_flag(random,14) + output.extend(flag.encode('utf-8')) + output.extend(dat[0xdb+14:]) + return dict(files={"hexable":output}) 
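Review bot: The alphabet literal in `gen_flag` skips `R` (`...OPQSTUV...`), which looks like a typo; the same literal is repeated in simple_gen.py and in patch 38's re-indent of this file, so all three need the same fix. Building it as `string.ascii_letters + string.digits` avoids the hand-typed list. `grade` and `generate` each call `gen_flag(random, 14)` and only agree if the caller passes both an identically seeded `random`; that assumption should be stated in a comment. The slice offset `0xdb` appears to be where the 14 placeholder bytes `abcdef__123456` start inside `dat`; naming it and the length as constants (`FLAG_OFFSET = 0xdb`, `FLAG_LEN = 14`) would keep the two slices and both `gen_flag` calls in step.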
diff --git a/hexable-autogen/hexable b/hexable-autogen/hexable new file mode 100644 index 0000000000000000000000000000000000000000..22538c24c580c8fc4f5100593e2dbbf061bb161b GIT binary patch literal 235 zcmb<-^>JflWMpQ50wxA#21X!zVgn0@2}}@3n=mLaFfnL=ML_Z;APiIk!tOve2(tq* zg8&0q|85|2_XHLW5HpjK=scu(Y6lBYbT`P%&XZ>w4(|l% zcyaUp|NkH(7PVmH_}?)h}59 literal 0 HcmV?d00001 diff --git a/hexable-autogen/hexable.asm b/hexable-autogen/hexable.asm new file mode 100644 index 0000000..8e6d54b --- /dev/null +++ b/hexable-autogen/hexable.asm @@ -0,0 +1,35 @@ +format ELF executable 3 +entry start + +;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Buffer macros + BUFF_SIZE equ 32 +;;;;;;;;;;;;;;;;;;;;;;;;;;; + +;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Includes of macros +include 'elf.inc' +include 'char.inc' +;;;;;;;;;;;;;;;;;;;;;;;;;;; + +;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Code +segment executable writeable readable +put: + print ecx + ret + +start: + mov ecx, msg + call put + exit 0 +reserve no_code,20 +;;;;;;;;;;;;;;;;;;;;;;;;;;; + +;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Data +segment readable writeable +msg db 'Can you find the flag?',ENDL,0 +flag db 'easyctf{abcdef__123456}' +reserve temp,1 +;;;;;;;;;;;;;;;;;;;;;;;;;;; diff --git a/hexable-autogen/problem.yml b/hexable-autogen/problem.yml new file mode 100644 index 0000000..3199c27 --- /dev/null +++ b/hexable-autogen/problem.yml @@ -0,0 +1,5 @@ +title: Hexable +category: Reverse Engineering +value: 10 +author: r3ndom +autogen: true diff --git a/hexable-autogen/simple_gen.py b/hexable-autogen/simple_gen.py new file mode 100644 index 0000000..aaaf618 --- /dev/null +++ b/hexable-autogen/simple_gen.py 
@@ -0,0 +1,19 @@ +import random + +dat = b'\x7fELF\x01\x01\x01\x03\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x91\x80\x04\x084\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x004\x00 \x00\x02\x00(\x00\x00\x00\x00\x00\x01\x00\x00\x00t\x00\x00\x00t\x80\x04\x08t\x80\x04\x08G\x00\x00\x00G\x00\x00\x00\x07\x00\x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\xbb\x00\x00\x00\xbb\x90\x04\x08\xbb\x90\x04\x080\x00\x00\x000\x00\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00\x89\xc8\x808\x00t\x03@\xeb\xf8\x89\xc2)\xca\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\x89\xc9\xcd\x80\xc3\xb9\xbb\x90\x04\x08\xe8\xd9\xff\xff\xff\xbb\x00\x00\x00\x00\xb8\x01\x00\x00\x00\xcd\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00Can you find the flag?\n\x00easyctf{abcdef__123456}\x00' + +def gen_flag(length): + x = '' + for i in range(0,length): + x += random.choice(list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQSTUVWXYZ0123456789')) + return x + +output = bytearray(dat[:0xdb]) +flag = gen_flag(14) +output.extend(flag.encode('utf-8')) +output.extend(dat[0xdb+14:]) + +print(output) +#o = open(flag, 'wb') +#o.write(output) +#o.close() diff --git a/hexable-autogen/std.inc b/hexable-autogen/std.inc new file mode 100644 index 0000000..4e57c54 --- /dev/null +++ b/hexable-autogen/std.inc @@ -0,0 +1,32 @@ +;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Standard Includes of my +; code +include 'char.inc' + +;;;;;;;;;;;;;;;;;;;;;;;;;;; +; File descriptor macros + STDIN equ 0 + STDOUT equ 1 + STDERR equ 2 +;;;;;;;;;;;;;;;;;;;;;;;;;;; + + +; Standard prologue of a function +macro prologue +{ + push ebp + mov ebp, esp +} + +; Standard epilogue of a function +macro epilogue +{ + mov esp, ebp + pop ebp +} + +; Allocates space on the stack for something +macro local_alloc size +{ + sub esp,size +} \ No newline at end of file From 183332cd92eaaf5ec56efdfcbbe66cc925d26832 Mon Sep 17 00:00:00 2001 
From: Michael Zhang Date: Sun, 12 Mar 2017 04:21:00 -0500 Subject: [PATCH 38/51] Update --- easy-re/description.md | 2 +- hexable-autogen/grader.py | 20 ++++++++++++-------- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/easy-re/description.md b/easy-re/description.md index 4233bdc..5607dec 100644 --- a/easy-re/description.md +++ b/easy-re/description.md @@ -1 +1 @@ -This binary has a rather unhelpful message, can you find what it's hiding? [easy-re](easy_re) \ No newline at end of file +This binary has a rather unhelpful message, can you find what it's hiding? [easy-re](${easy_re}) \ No newline at end of file diff --git a/hexable-autogen/grader.py b/hexable-autogen/grader.py index 07b067d..a8243e9 100644 --- a/hexable-autogen/grader.py +++ b/hexable-autogen/grader.py 
@@ -1,18 +1,22 @@ +from cStringIO import StringIO + def gen_flag(random, length): - x = '' - for i in range(0,length): - x += random.choice(list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQSTUVWXYZ0123456789')) - return x + x = '' + for i in range(0, length): + x += random.choice(list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQSTUVWXYZ0123456789')) + return x + def grade(random, key): if key.find(gen_flag(random, 14)) != -1: return True, "Correct!" return False, "Nope." + def generate(random): dat = b'\x7fELF\x01\x01\x01\x03\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x91\x80\x04\x084\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x004\x00 \x00\x02\x00(\x00\x00\x00\x00\x00\x01\x00\x00\x00t\x00\x00\x00t\x80\x04\x08t\x80\x04\x08G\x00\x00\x00G\x00\x00\x00\x07\x00\x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\xbb\x00\x00\x00\xbb\x90\x04\x08\xbb\x90\x04\x080\x00\x00\x000\x00\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00\x89\xc8\x808\x00t\x03@\xeb\xf8\x89\xc2)\xca\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\x89\xc9\xcd\x80\xc3\xb9\xbb\x90\x04\x08\xe8\xd9\xff\xff\xff\xbb\x00\x00\x00\x00\xb8\x01\x00\x00\x00\xcd\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00Can you find the flag?\n\x00easyctf{abcdef__123456}\x00' - output = bytearray(dat[:0xdb]) - flag = gen_flag(random,14) + output = bytearray(dat[:0xdb]) + flag = gen_flag(random, 14) output.extend(flag.encode('utf-8')) - output.extend(dat[0xdb+14:]) - return dict(files={"hexable":output}) + output.extend(dat[0xdb + 14:]) + return dict(files={"hexable": (lambda r: StringIO(output))}) From 2a3a1bd463e9ac9415f13fb811274f811a265779 Mon Sep 17 00:00:00 2001 From: Michael Zhang Date: Sun, 12 Mar 2017 04:26:54 -0500 Subject: [PATCH 39/51] Description for risky business. --- risky-business/description.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/risky-business/description.md b/risky-business/description.md index e0285df..70c2c8a 100644 
--- a/risky-business/description.md +++ b/risky-business/description.md @@ -1 +1,3 @@ -We wanted to branch into the casino business, but human employees are too expensive so we decided to automate it. I feel like we missed something obvious though... Oh well! Here's the binary: [casino](casino) (MZ SHELL SERVER THING) \ No newline at end of file +We wanted to branch into the casino business, but human employees are too expensive so we decided to automate it. I feel like we missed something obvious though... Oh well! Here's the binary: [casino](${casino}) + +Solve this problem by logging into the shell server and navigating to `/problems`. \ No newline at end of file From 7c0a290d79a6fca7257643c5083f7198e8730006 Mon Sep 17 00:00:00 2001 From: John W Date: Sun, 12 Mar 2017 04:31:14 -0500 Subject: [PATCH 40/51] Removed easy-re, increased points of hexable --- easy-re/description.md | 1 - easy-re/easy-re | Bin 13968 -> 0 bytes easy-re/grader.py | 4 ---- easy-re/problem.yml | 9 --------- hexable-autogen/problem.yml | 2 +- 5 files changed, 1 insertion(+), 15 deletions(-) delete mode 100644 easy-re/description.md delete mode 100644 easy-re/easy-re delete mode 100644 easy-re/grader.py delete mode 100644 easy-re/problem.yml diff --git a/easy-re/description.md b/easy-re/description.md deleted file mode 100644 index 5607dec..0000000 --- a/easy-re/description.md +++ /dev/null @@ -1 +0,0 @@ -This binary has a rather unhelpful message, can you find what it's hiding? [easy-re](${easy_re}) \ No newline at end of file 
diff --git a/easy-re/easy-re b/easy-re/easy-re deleted file mode 100644 index 36c507c4262b4a0404a432948e7ba98bb84a225f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 13968 zcmeHOeQZ&ANBGb3LufA@1U5z`Pbgz)}Ci^72di_Q@635X6ism;PAKC-dfBu8Lk3H|W zdF`&~cm7cO=HVra{`g9W`e-S6-9+U)vBXv>hbR6ld|t0vJG$hvOH-->Z#B<8JiW2M zY3GYz7X|XiRitNe3I10x(ltfo=VBto_)|*ot4r8_qJ;eoCFJS)DK>5l^2PX%m*D@p z1m9D_{+~+lH!A*xDLz;nhfmQYe_ZPP;GSKIf5IYv8g^!h1>%TnhZHqdScqqpe2c}7 zz`jfCk??J|(O#<)n%32mOlWC6l+ra#Xlr(9tj*0yAu z79e-}`n29?DxFM(;xWBn+vPE|@6fbxU!T|OT>%rZFg#Ah5?xKb9U15ZSmeVV=jfvf{L2Nx2_|u;ZMf(}+&6a(vrye%Zxj`Aw8@>e_Hp zy@9>V=S<5@{nG@bsz?oBgXBl5-vfGfEQS-lTzJq=I+^*gDRd&tl8p39x`AlyB{8x?(svO}OEA(R=@mp%=tq2#zLjVS z`G`l-Hxf-D9dSu|KG77)kxEJLo#PUnhd@j4e%Lhh#`fUQpM!&c8Et8AI(=evx=#d8 zpB#|r^sZ?>G5oiy+3cmxnTzq`=cQ*6@QuOchk=5FW6t2v#a#L0?X}<=SM@nLYtz`;%*A5cDP#PB zul8d;A~S0v6o(U-(YDvhJHfJjB1bwd@B=Y8c#p`GzyB2Ua>hO;h3wgFBYU7j?PC=) zeB$^KxHG&O^E*a&%;3=J;XNRv*0xh5)`p!_HT2N=q0G5R@IcwJDw^t0VAy+N@S*dz znfv#He)yqt*({v;=J5+lVD6>Qvf1Apg5hIC9;aLG@T=ej4+h?)5rP=OXuoo-o}4&A zS~upnr-$FkS)i`tbdw+63*P(lgF~m-%t>VT5mr>MIJpEtyZ}Jai{Tu!5%?Foln&rac99+H~xUFgEa?{XT&9_{X*V4() z9K%1k0+ahc)Lq`Uc|Dtl-fJGZyb>0&v(EWqiFZce)rN!`_rp9^1h#dMJAWKVQA(XMDb9hJiPiiXnt zVZHM~Z>Q!-#QU|Hcw9?WYrAXGT6Imj{~?mIEpXiJ1Ez~>DO`VyFru;*cs?RVzs3B( zmw=}rCJParrNCbSej0cm@ND!E*!HvvTVJJZ!Su-$hisE8iBHc)Ct&wh5>QZF9(K`B z@`wJB&5n|+vvQSl-kO=yc2^9Dd*GRDiFvWe$yXidOG1STRd5rK&aOhjNJ0uvFKh`>Yy zCL%Bqfr$uAMBx8B0xig+5k!$zBk(9%68OR+vIHxpoHhaTDThrk-9Tb9QbPosE4`%b zUoW{x_Ne!)3lv?c@O*{GR6pkxD91qX>D6qK@L{`;Q0|@Y(K3VPcb#YL2Fjg-^Dae{Qltv)>*iM+s8`9v|rk zIiH}CM|wxn?8m607pi_k`+xt<@3E~TeNV0Hj}?AV;nx)Yy~6J(d|Ba1NCpwiRrn@_ z>l9w4@Fs;j6_!e-FTB6G%T=|pBa_fGu3EgC@hq>)NXq*yZ=Ksy+s<@Tl7m;<|%_hUYPlHh%t&z~%ct+zu|2;L|8 z@>2xww|xH8+`i1`Ps?4O`TXf(K&@9ke}?ESvK|iM%+-VB%g+>iz320Bl_Rfg1qa^r zavg)Y&w)2lM~cc{D=2+v1qZTve6E=L9JtE)Jjv(J6_l2@f=OgdJ$Z|kL~i-(m#hnQ;0Dz!?UUb~s00erbGYQ3VWvlaYG*sUpA6nc@!j_R8{?=6X$wB}oQkjaQ@U6&-~^ z#EGGHXb&hgEj%{${9TIh$Wep;i_c!HHF^{&fK@ 
zuzn>~M9E-q8|8LdAgBa_D_e7>Hmq9J7C_mMzo9umN_oCV@)@$&N@y$ZTkl`j)QCP= zd=pM*WN<+L`;x4}dMYYJ^7&-Bj!})nc8$_53Z3dkH4oMBmBgIY3dpG3 zDo+X`k#th)#ulSexbbB)Hl@~)PP12pP1RS*jI68T3bP_1#yXg*<1B-J;i5LH9n|K1 z-iVp1>+-D0z(r|2L zP`B7C+$ceax>2FFTn}|AswF!E`L_Hn8>5zj^QU<~u?N-NHcLYY5f_2pGMf<|hUR}dH zu!W>CdDj0oU-bJIw?6!aG=QJ? zxX#@A%bR4)@FfuRY|r}qT*!6YF0(M&xJ~7O7nE6_pC5H)aA}@&q5ewrUq&u~$3JZM zNsYsbQ7@_Sd`N|&8LdZS8a}Mg&!cA*b4l4aaN}v2EKiPl97W8~VuChKq zFP~HT9wk_=FzfUD_bL4b?pOJq3MI(-A=0O3FsuIK;89FCKgId6%_@3>takEByhbpW?tO1s<36 ze`L|;{J&DyvYC0u*Tau{=3kbi4W^@K4feW zSsUN4231IZf)4VD^>cX>{{IUrDr_Bp41B&eNrdx@6-s|pO_;9_*5`R0hK_lB&clo? zCToTMvOZ(_E0bA2m#=Y2b@8Zya^I}Sc&bI8^E!_zefEWFjH%|D$2NNqe+A|qA>oSNjb&k?< b(0^Na{(OGY^<8ZIGgXHE&ny?5b^Lz Date: Sun, 12 Mar 2017 04:28:33 -0500 Subject: [PATCH 41/51] Create description.md --- doubly-dangerous/description.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 doubly-dangerous/description.md diff --git a/doubly-dangerous/description.md b/doubly-dangerous/description.md new file mode 100644 index 0000000..c45f1ff --- /dev/null +++ b/doubly-dangerous/description.md @@ -0,0 +1 @@ +There seems to be an issue with this binary. Can you exploit it? View the problem in the shell server /problems/ directory. From 428cd8d2805cef0dacab6aa6aaf1c5e3f40c2f8a Mon Sep 17 00:00:00 2001 From: Ankur Sundara Date: Sun, 12 Mar 2017 04:28:58 -0500 Subject: [PATCH 42/51] Update problem.yml --- doubly-dangerous/problem.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doubly-dangerous/problem.yml b/doubly-dangerous/problem.yml index 661bb36..7249e0a 100644 --- a/doubly-dangerous/problem.yml +++ b/doubly-dangerous/problem.yml @@ -4,6 +4,6 @@ hint: How are floating-point numbers represented? category: Binary Exploitation autogen: false programming: false -value: 75 +value: 110 files: - doubly_dangerous From e59e9b13adff2086c7676c2985da8bd1f3f27df4 Mon Sep 17 00:00:00 2001 
From: John W Date: Sun, 12 Mar 2017 04:32:55 -0500 Subject: [PATCH 43/51] Added hexable hint. --- hexable-autogen/problem.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/hexable-autogen/problem.yml b/hexable-autogen/problem.yml index e5d0310..06176b6 100644 --- a/hexable-autogen/problem.yml +++ b/hexable-autogen/problem.yml @@ -3,3 +3,4 @@ category: Reverse Engineering value: 25 author: r3ndom autogen: true +hint: Try using a hex editor. \ No newline at end of file From b66542a724e2ef72c7e2b1c49aa40a781053c7f0 Mon Sep 17 00:00:00 2001 From: Ankur Sundara Date: Sun, 12 Mar 2017 04:30:07 -0500 Subject: [PATCH 44/51] Create grader.py --- doubly-dangerous/grader.py | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 doubly-dangerous/grader.py diff --git a/doubly-dangerous/grader.py b/doubly-dangerous/grader.py new file mode 100644 index 0000000..981da52 --- /dev/null +++ b/doubly-dangerous/grader.py @@ -0,0 +1,4 @@ +def grade(random, key): + if key.find("bofs_and_floats_are_d0uble_tr0uble!") != -1: + return True, "Correct!" + return False, "Nope :(" From c1a20af2e1c01895088d77a5fa7a69fd0be8dac4 Mon Sep 17 00:00:00 2001 From: Michael Zhang Date: Sun, 12 Mar 2017 04:31:37 -0500 Subject: [PATCH 45/51] Update rsa1 --- rsa1/grader.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rsa1/grader.py b/rsa1/grader.py index 4f42f65..642dece 100644 --- a/rsa1/grader.py +++ b/rsa1/grader.py @@ -39,7 +39,7 @@ def generate_ciphertext(random): def generate(random): return dict(files={ - "ciphertext_rsa1.txt": generate_ciphertext + "ciphertext.txt": generate_ciphertext }) def grade(random, key): From 7e841043dade9a7a8683a320db9bd1cbd3fab138 Mon Sep 17 00:00:00 2001 From: John W Date: Sun, 12 Mar 2017 04:34:26 -0500 Subject: [PATCH 46/51] Hint and description changes --- r3ndom-67k/problem.yml | 1 + simple-rop/description.md | 2 ++ 2 files changed, 3 insertions(+) diff --git a/r3ndom-67k/problem.yml b/r3ndom-67k/problem.yml index 4c35b24..7428123 100644 
--- a/r3ndom-67k/problem.yml +++ b/r3ndom-67k/problem.yml @@ -3,5 +3,6 @@ category: Reverse Engineering value: 450 author: r3ndom autogen: false +hint: Maybe write a script. files: - _67k.zip \ No newline at end of file diff --git a/simple-rop/description.md b/simple-rop/description.md index feda140..dbfd03a 100644 --- a/simple-rop/description.md +++ b/simple-rop/description.md @@ -1,3 +1,5 @@ On the shell there is a folder ``. + Read flag.txt + [Source](${simple-rop.c}) \ No newline at end of file From 46a9aa72cbe8666ae024306e6b6990dbd844409e Mon Sep 17 00:00:00 2001 From: Michael Barre Date: Sun, 12 Mar 2017 04:38:19 -0500 Subject: [PATCH 47/51] fixed a ? --- listen-closely/description.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/listen-closely/description.md b/listen-closely/description.md index 4363f1a..3b4a510 100644 --- a/listen-closely/description.md +++ b/listen-closely/description.md @@ -1 +1 @@ -We intercepted a secret message, but we can't tell what it's saying. Maybe you can help? [super secret message](${listenclosely_wav})? \ No newline at end of file +We intercepted a secret message, but we can't tell what it's saying. Maybe you can help? [super secret message](${listenclosely_wav}) \ No newline at end of file From 00a8bcba5368bb4a93877726d84d105bf84c2cb3 Mon Sep 17 00:00:00 2001 From: Michael Zhang Date: Sun, 12 Mar 2017 04:38:59 -0500 Subject: [PATCH 48/51] Link to 20xx file. --- 20xx/description.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/20xx/description.md b/20xx/description.md index adb449e..cacfe15 100644 --- a/20xx/description.md +++ b/20xx/description.md @@ -1 +1 @@ -My friend sent me this file and told me to git gud. +My friend sent me [this file](${20xx_dtm}) and told me to git gud. From f9ad189b0b64b4c712baffcf5d42ae05dcef2f61 Mon Sep 17 00:00:00 2001 
From: Michael Zhang Date: Sun, 12 Mar 2017 04:39:43 -0500 Subject: [PATCH 49/51] Update some descriptions.g --- risky-business/description.md | 2 +- simple-rop/description.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/risky-business/description.md b/risky-business/description.md index 70c2c8a..fb18b16 100644 --- a/risky-business/description.md +++ b/risky-business/description.md @@ -1,3 +1,3 @@ We wanted to branch into the casino business, but human employees are too expensive so we decided to automate it. I feel like we missed something obvious though... Oh well! Here's the binary: [casino](${casino}) -Solve this problem by logging into the shell server and navigating to `/problems`. \ No newline at end of file +Solve this problem by logging into the shell server and navigating to `/problems/casino`. \ No newline at end of file diff --git a/simple-rop/description.md b/simple-rop/description.md index dbfd03a..fb1e88a 100644 --- a/simple-rop/description.md +++ b/simple-rop/description.md @@ -1,5 +1,5 @@ -On the shell there is a folder ``. +On the shell there is a folder `/problems/simple-rop`. Read flag.txt -[Source](${simple-rop.c}) \ No newline at end of file +[Source](${simple_rop_c}) \ No newline at end of file From d47e8d74c1e208dfb4ac2b22a9625d33f98805f0 Mon Sep 17 00:00:00 2001 From: Michael Zhang Date: Sun, 12 Mar 2017 04:42:43 -0500 Subject: [PATCH 50/51] Update --- diffie-cult/description.md | 2 +- doubly-dangerous/description.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/diffie-cult/description.md b/diffie-cult/description.md index 1b51d48..8a57654 100644 --- a/diffie-cult/description.md +++ b/diffie-cult/description.md 
@@ -1 +1 @@ -I just intercepted some odd [messages.txt](${messages}). It appears to be a Diffie-hellman protocol, but my math isn't good enough to figure out what the final shared key is. Help! (The answer is a number. There is no `easyctf{}`) \ No newline at end of file +I just intercepted some odd [messages.txt](${messages_txt}). It appears to be a Diffie-hellman protocol, but my math isn't good enough to figure out what the final shared key is. Help! (The answer is a number. There is no `easyctf{}`) \ No newline at end of file diff --git a/doubly-dangerous/description.md b/doubly-dangerous/description.md index c45f1ff..e079ff4 100644 --- a/doubly-dangerous/description.md +++ b/doubly-dangerous/description.md @@ -1 +1 @@ -There seems to be an issue with this binary. Can you exploit it? View the problem in the shell server /problems/ directory. +There seems to be an issue with this binary. Can you exploit it? View the problem in the shell server `/problems/doubly_dangerous` directory. From 378adfcdb7f2ccfe8ffc5be03245db3e3622c01b Mon Sep 17 00:00:00 2001 From: Michael Zhang Date: Sun, 12 Mar 2017 04:50:34 -0500 Subject: [PATCH 51/51] Link to serial. --- serial/problem.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/serial/problem.yml b/serial/problem.yml index bfbb8c1..d782b2f 100644 --- a/serial/problem.yml +++ b/serial/problem.yml @@ -4,3 +4,5 @@ value: 300 hint: 010100110110010101110010011010010110000101101100001011100010111000101110 author: wiresboy autogen: false +files: + - serial.wav \ No newline at end of file