def solve_ch111(fn):
ringzer0.output('solving')
r2 = r2pipe.open(fn)
asm_lines = r2.cmd('aa; s sym.main; pif~&mov dword,rbp | grep ", 0x"').splitlines()
# mov dword [rbp - 0x60], 0x485e2beb
# mov dword [rbp - 0x5c], 0xc180c931
# (..)
shellcode = ''
for asm_line in asm_lines:
val = asm_line.split(',')[-1:][0].strip()
if val.startswith('0x'): val = val[2:]
val = val.zfill(8)
shellcode += val.decode('hex')[::-1]
dlen = 0x22 - 1
# 0x00000006 add cl, 0x22
# 0x00000009 xor byte [esi], 0x13
# 0x0000000c dec eax
# 0x0000000d inc esi
# 0x0000000f loop 9
# (..)
dloc = 0x2d + 5
# 0x0000002d e8d0ffffff call 2
buf = shellcode[dloc:dloc+dlen]
xr = 0x4a
r = ''.join(chr(ord(c) ^ xr) for c in buf).strip()
ringzer0.output('solved', r)
return r
def ch126(fp):
ringzer0.output('parsing dictionary')
wordset, wordmap = set(), {}
with open(fp, 'r') as f:
for line in f:
word = line.strip()
wordset.add(word)
mapped = ''.join(sorted(word))
wordmap[mapped] = word
ringzer0.output('done parsing dictionary')
ch, s = 126, ringzer0.login()
sections = ringzer0.read_challenge(s, ch)
title, words = sections['title'], sections['words']
ringzer0.output('solving')
result = []
for word in words.split(','):
if word in wordset:
result.append(word)
continue
mapped = ''.join(sorted(word))
if mapped in wordmap:
word = wordmap[mapped]
result.append(word)
result = ','.join(result)
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def ch126(fp):
ringzer0.output('parsing dictionary')
wordset, wordmap = set(), {}
with open(fp, 'r') as f:
for line in f:
word = line.strip()
wordset.add(word)
mapped = ''.join(sorted(word))
wordmap[mapped] = word
ringzer0.output('done parsing dictionary')
ch, s = 126, ringzer0.login()
sections = ringzer0.read_challenge(s, ch)
title, words = sections['title'], sections['words']
ringzer0.output('solving')
result = []
for word in words.split(','):
if word in wordset:
result.append(word)
continue
mapped = ''.join(sorted(word))
if mapped in wordmap:
word = wordmap[mapped]
result.append(word)
result = ','.join(result)
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def solve_ch9(fn):
ringzer0.output('solving')
# idx=05 vaddr=0x00406000 paddr=0x00001e00 sz=7680 vsz=7256 perm=-rw- name=.rsrc
exe_rsrc_vaddr = 0x00406000
exe_rsrc_paddr = 0x00001e00
exe_dll_vaddr = 0x00406058
exe_dll_paddr = exe_rsrc_paddr + (exe_dll_vaddr - exe_rsrc_vaddr)
# idx=02 vaddr=0x6e5c3000 paddr=0x00001000 sz=1024 vsz=640 perm=-r-- name=.rdata
dll_rodata_vaddr = 0x6e5c3000
dll_rodata_paddr = 0x1000
# | 0x6e5c120f be60305c6e mov esi, 0x6e5c3060
dll_buf_location_vaddr = 0x6e5c3060
dll_buf_location_paddr = dll_rodata_paddr + (dll_buf_location_vaddr -
dll_rodata_vaddr)
exe_buf_location_paddr = exe_dll_paddr + dll_buf_location_paddr
# | 0x6e5c1244 83fe1f cmp esi, 0x1f
buf_size = 0x1f
cmd = 'pf {%d}i @ %d' % (buf_size, exe_buf_location_paddr)
buf_data = ''
r2 = r2pipe.open(fn)
for line in r2.cmd(cmd).splitlines():
# .-> 0x6e5c121c 8b04b2 mov eax, dword [edx + esi*4]
# | 0x6e5c121f 83e816 sub eax, 0x16
hx = int(line.split(' ')[-1:][0])
hx = hx - 0x16
buf_data += chr(hx)
ringzer0.output('solved', buf_data)
return buf_data
def solve_ch188(fn):
ringzer0.output('solving')
flag = ''
with open(fn, 'r') as f:
for rline in f:
line = rline[:-1]
hx = line[:47].replace(' ', '')
tx = line[51:]
ex = hx.decode('hex').replace('\n', ' ')
if ex != tx:
for i in range(len(tx)):
if tx[i] != ex[i]:
flag += ex[i]
ringzer0.output('solved', flag)
return flag
def solve_ch188(fn):
ringzer0.output('solving')
flag = ''
with open(fn, 'r') as f:
for rline in f:
line = rline[:-1]
hx = line[:47].replace(' ', '')
tx = line[51:]
ex = hx.decode('hex').replace('\n', ' ')
if ex != tx:
for i in range(len(tx)):
if tx[i] != ex[i]:
flag += ex[i]
ringzer0.output('solved', flag)
return flag
def solve_ch11(fn):
ringzer0.output('solving')
r2 = r2pipe.open(fn)
asm_lines = r2.cmd('aa; s sym.main; pif~&mov,word,eax | grep ", 0x"').splitlines()
# mov dword [eax], 0x47414c46
# mov dword [eax + 4], 0x3930342d
# mov word [eax + 8], 0x32
# mov dword [eax], 0x75393438
# mov dword [eax + 4], 0x6a326f69
# mov word [eax + 8], 0x66
# mov dword [eax], 0x6a736c6b
# mov dword [eax + 4], 0x6c6b34
buf = ''
for asm_line in asm_lines:
val = asm_line.split(',')[-1:][0].strip()
if val.startswith('0x'): val = val[2:]
buf += val.decode('hex')[::-1]
ringzer0.output('solved', buf)
return buf
def solve_ch11(fn):
ringzer0.output('solving')
r2 = r2pipe.open(fn)
asm_lines = r2.cmd(
'aa; s sym.main; pif~&mov,word,eax | grep ", 0x"').splitlines()
# mov dword [eax], 0x47414c46
# mov dword [eax + 4], 0x3930342d
# mov word [eax + 8], 0x32
# mov dword [eax], 0x75393438
# mov dword [eax + 4], 0x6a326f69
# mov word [eax + 8], 0x66
# mov dword [eax], 0x6a736c6b
# mov dword [eax + 4], 0x6c6b34
buf = ''
for asm_line in asm_lines:
val = asm_line.split(',')[-1:][0].strip()
if val.startswith('0x'): val = val[2:]
buf += val.decode('hex')[::-1]
ringzer0.output('solved', buf)
return buf
def ch159():
ch, s = 159, ringzer0.login()
sections = ringzer0.read_challenge(s, ch)
title, sha1 = sections['title'], sections['hash']
ringzer0.output('solving')
result = check_output(['php', 'coding.ch159.lookup.php', sha1]).strip()
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def ch159():
ch, s = 159, ringzer0.login()
sections = ringzer0.read_challenge(s, ch)
title, sha1 = sections['title'], sections['hash']
ringzer0.output('solving')
result = check_output(['php', 'coding.ch159.lookup.php', sha1]).strip()
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def ch119():
ch, s = 119, ringzer0.login()
sections = ringzer0.read_challenge(s, ch, clean=False)
title, msg = sections['title'], sections['message']
ringzer0.output('solving')
result = parse_ascii(msg)
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def ch125():
ch, s = 125, ringzer0.login()
sections = ringzer0.read_challenge(s, ch)
title, shellcode = sections['title'], sections['shellcode']
ringzer0.output('solving')
sc = shellcode.replace('\\x', '').decode('hex')
hx = sc[0x57:0x57+0x0c].encode('hex')
result = ''.join(chr(int(x,16) ^ 0xff) for x in re.findall('..', hx))
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def ch121():
ch, s = 121, ringzer0.login()
sections = ringzer0.read_challenge(s, ch)
title, shellcode = sections['title'], sections['shellcode']
ringzer0.output('solving')
sc = shellcode.replace('\\x', '').decode('hex')
hx = sc[0x54:0x54 + 0x0c].encode('hex')
result = ''.join(chr(int(x, 16) ^ 0xff) for x in re.findall('..', hx))
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def ch56():
ch, s = 56, ringzer0.login()
sections = ringzer0.read_challenge(s, ch)
title, xhash = sections['title'], sections['hash']
ringzer0.output('solving')
charset = '0123456789'
result = search_hash(charset, 4, 4, hashlib.sha1, xhash)
if result is None:
ringzer0.error('could not lookup hash ' + xhash)
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def ch17():
ch, s = 17, ringzer0.login()
r = ringzer0.open_challenge(s, ch)
wrapper = ringzer0.get_wrapper(r.text)
img = wrapper.xpath('.//img')[0]
src = img.attrib['src'].replace('data:image/png;base64,', '')
data = base64.b64decode(src)
with ringzer0.tmpfile() as (fd, fn):
ringzer0.write_bin_file(fd, data)
ringzer0.output('solving')
result = solve_ch17(fn)
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def ch32():
ch, s = 32, ringzer0.login()
sections = ringzer0.read_challenge(s, ch)
title, msg = sections['title'], sections['message']
ringzer0.output('solving')
calc = ' %s ' % msg.split('=')[0]
mx = re.findall(' ([01]+) ', calc)
for b in mx:
calc = calc.replace(b, str(int(b, 2)))
result = str(eval(calc))
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def ch17():
ch, s = 17, ringzer0.login()
r = ringzer0.open_challenge(s, ch)
wrapper = ringzer0.get_wrapper(r.text)
img = wrapper.xpath('.//img')[0]
src = img.attrib['src'].replace('data:image/png;base64,', '')
data = base64.b64decode(src)
with ringzer0.tmpfile() as (fd, fn):
ringzer0.write_bin_file(fd, data)
ringzer0.output('solving')
result = solve_ch17(fn)
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def ch13():
ch, s = 13, ringzer0.login()
sections = ringzer0.read_challenge(s, ch)
title, msg = sections['title'], sections['message']
ringzer0.output('solving')
mx = re.search(r'using ([a-z0-9]+) algorithm', title)
algorithm = mx.group(1)
h = hashlib.new(algorithm)
h.update(msg)
result = h.hexdigest()
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def ch32():
ch, s = 32, ringzer0.login()
sections = ringzer0.read_challenge(s, ch)
title, msg = sections['title'], sections['message']
ringzer0.output('solving')
calc = ' %s ' % msg.split('=')[0]
mx = re.findall(' ([01]+) ', calc)
for b in mx:
calc = calc.replace(b, str(int(b, 2)))
result = str(eval(calc))
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def ch57():
ch, s = 57, ringzer0.login()
sections = ringzer0.read_challenge(s, ch)
title, xhash, xsalt = sections['title'], sections['hash'], sections['salt']
ringzer0.output('solving')
charset = '0123456789'
transformation = lambda x: x + xsalt
result = search_hash(charset, 4, 4, hashlib.sha1, xhash, transformation)
if result is None:
ringzer0.error('could not lookup hash ' + xhash)
result = result[:result.rindex(xsalt)]
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def ch14():
ch, s = 14, ringzer0.login()
sections = ringzer0.read_challenge(s, ch)
title, msg = sections['title'], sections['message']
ringzer0.output('solving')
mx = re.search(r'using ([a-z0-9]+) algorithm', title)
algorithm = mx.group(1)
h = hashlib.new(algorithm)
data = ''.join(chr(int(msg[i:i+8], 2)) for i in xrange(0, len(msg), 8))
h.update(data)
result = h.hexdigest()
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def ch57():
ch, s = 57, ringzer0.login()
sections = ringzer0.read_challenge(s, ch)
title, xhash, xsalt = sections['title'], sections['hash'], sections['salt']
ringzer0.output('solving')
charset = '0123456789'
transformation = lambda x: x + xsalt
result = search_hash(charset, 4, 4, hashlib.sha1, xhash, transformation)
if result is None:
ringzer0.error('could not lookup hash ' + xhash)
result = result[:result.rindex(xsalt)]
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def ch16():
ch, s = 16, ringzer0.login()
sections = ringzer0.read_challenge(s, ch)
title, hidden_xor_key, crypted_message = sections['title'], sections['xor key'], sections['crypted message']
ringzer0.output('solving')
xor_key_len = 10
message = base64.b64decode(crypted_message)
result = ''
for i in range(0,len(hidden_xor_key) - xor_key_len + 1):
xor_key = hidden_xor_key[i:i+xor_key_len]
xored = xor_str(message, xor_key)
alpha = re.match('^[\w-]+$', xored)
if alpha:
result = xored
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def ch15():
ch, s = 15, ringzer0.login()
sections = ringzer0.read_challenge(s, ch)
title, msg, chksum = sections['title'], sections['elf message'], sections['checksum']
ringzer0.output('solving')
elf = msg
while re.match(r'^[a-zA-Z0-9+/]*={0,3}$', elf):
elf = base64.b64decode(elf)
elf = elf[::-1]
elf_md5 = hashlib.md5(elf).hexdigest()
if chksum != elf_md5:
ringzer0.error('checksum mismatch ({0} vs {1})'.format(chksum, elf_md5))
result = ''
with ringzer0.tmpfile() as (fd, fn):
ringzer0.write_bin_file(fd, elf)
r2 = r2pipe.open(fn)
asm_lines = r2.cmd('aa; s sym.main; pif~&mov,rbp').splitlines()
asm_rg = re.compile(r'^mov [^,]*\[rbp\s?-\s?([0-9a-fx]+)\],\s?([^\s]+)$')
asm_vals, top = {}, 0
for asm_line in asm_lines:
rx = re.match(asm_rg, asm_line)
if not rx:
continue
pos, val = rx.group(1), rx.group(2)
if val.startswith('r'):
continue
if val.startswith('0x'): val = val[2:]
if len(val) % 2 == 1: val = '0' + val
pos, val = int(pos, 16), val.decode('hex')
asm_vals[pos] = val
top = max(top, pos)
stack = bytearray('\0' * top)
for k in sorted(asm_vals, reverse=True):
v = asm_vals[k]
stack[top - k:len(v)] = v[::-1]
result = stack[:stack.index('\00')]
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def ch16():
ch, s = 16, ringzer0.login()
sections = ringzer0.read_challenge(s, ch)
title, hidden_xor_key, crypted_message = sections['title'], sections[
'xor key'], sections['crypted message']
ringzer0.output('solving')
xor_key_len = 10
message = base64.b64decode(crypted_message)
result = ''
for i in range(0, len(hidden_xor_key) - xor_key_len + 1):
xor_key = hidden_xor_key[i:i + xor_key_len]
xored = xor_str(message, xor_key)
alpha = re.match('^[\w-]+$', xored)
if alpha:
result = xored
ringzer0.output('solved', result)
response = ringzer0.submit_challenge(s, ch, result)
ringzer0.output('response', response)
def ch48():
ch, s = 48, ringzer0.login()
r = s.request('GETS', ringzer0.get_url('/challenges/{0}'.format(ch)))
response = ringzer0.get_response(r.text)
ringzer0.output('response', response)
def ch113():
ch, s = 113, ringzer0.login()
ch_url = ringzer0.get_url('/challenges/{0}'.format(int(ch)))
ringzer0.output('solving')
ringzer0.output('resetting password')
r = s.post(ch_url, data={'reset_username':''})
lines = ringzer0.get_lines(r.text)
r2822 = lines[0]
ts = mktime_tz(parsedate_tz(r2822))
rmin, rmax = 1000000000000000, 9999999999999999
ringzer0.output('seeding random values')
password, sec_diff = None, 1
for sec in range(0, sec_diff + 1):
if password: break
diff = sec_diff - sec
seed = ts - diff
output = check_output(['./php-xrandom', str(seed), '0', str(rmin), str(rmax)]).strip()
for line in output.split('\n'):
rtype, rvalue = line.split(':')
rtype, rvalue = rtype.strip(), rvalue.strip()
if rtype != 'linux.rand.64':
continue
r = s.get('{0}/?k={1}'.format(ch_url, rvalue))
response = ringzer0.get_response(r.text)
ringzer0.output('try: {0}s => {1} ({2}) => {3}'.format(-diff, rvalue, rtype, response))
if response.find('password') != -1:
password = response
break
if password is None:
ringzer0.error('could not solve.')
sys.exit(1)
password = password.split(' ')[-1:][0]
ringzer0.output('solved', password)
r = s.post(ch_url, data={'username':'******', 'password':password})
response = ringzer0.get_response(r.text)
ringzer0.output('response', response)
def ch48():
ch, s = 48, ringzer0.login()
r = s.request('GETS', ringzer0.get_url('/challenges/{0}'.format(ch)))
response = ringzer0.get_response(r.text)
ringzer0.output('response', response)
def ch120():
ringzer0.output('creating token')
token = ''
for i in range(0, 16):
output = check_output(['./php-xrandom', '0', str(i), '0', '0']).strip()
for line in output.split('\n'):
rtype, rvalue = line.split(':')
rtype, rvalue = rtype.strip(), rvalue.strip()
if rtype != 'linux.rand.64':
continue
d = int(rvalue) % 10
token += str(d)
break
ringzer0.output('token', token)
ch, s = 120, ringzer0.login()
ch_url = ringzer0.get_url('/challenges/{0}'.format(int(ch)))
password = None
for i in xrange(0, 50):
ringzer0.output('resetting password')
r = s.post(ch_url, data={'reset_username':''})
response = ringzer0.get_response(r.text)
ringzer0.output('reset #{0} => {1}'.format(i, response))
r = s.get('{0}/?k={1}'.format(ch_url, token))
response = ringzer0.get_response(r.text)
if response.find('password') != -1:
password = response
break
ringzer0.output('try #{0} => {1}'.format(i, response))
time.sleep(1.75)
if password is None:
ringzer0.error('could not solve.')
sys.exit(1)
password = password.split(' ')[-1:][0]
ringzer0.output('solved', password)
r = s.post(ch_url, data={'username':'******', 'password':password})
response = ringzer0.get_response(r.text)
ringzer0.output('response', response)
