some reversing, crypto

CTFLearn/Reversing/188.md

@@ -0,0 +1,19 @@
+# [RE_verseDIS](https://ctflearn.com/challenge/188)
+
+1. Try `strings` command, doesn't help much.
+2. Start gdb, `break` at main, `run` with some random flag, and `disas` main
+3. Notice various comments with addresses, printing some of them using `x/s` gives some of the strings that `strings` gave, while some of them are blank which may fill up during execution
+4. Break at the end and print the strings again
+
+   ```gdb
+   (gdb) break *main+286
+   Breakpoint 2 at 0x55555540085e
+   (gdb) c
+   Continuing.
+   Input password: sdfghjkl
+   Wrong password
+
+   Breakpoint 2, 0x000055555540085e in main ()
+   (gdb) x/s 0x555555601140
+   0x555555601140 <msg>:   "AbCTF{r3vers1ng_dud3}"
+   ```

CTFLearn/Reversing/991.md

@@ -0,0 +1,61 @@
+# [Riyadh](https://ctflearn.com/challenge/991)
+
+1. Start gdb, `break` at main, `run` with some random flag, and `disas` main
+2. First of all, function *_Z4Msg1Pc* is called, after which there's a *puts*. Disassembling and observing (too complex) doesn't help much. Break after function:
+
+    ```gdb
+    (gdb) b *main+43
+    Breakpoint 2 at 0x55555555512b
+    (gdb) c
+    Continuing.
+
+    Breakpoint 2, 0x000055555555512b in main ()
+    (gdb) x/s $rbp
+    0x5555555581c0 <buffer>:    "Welcome to CTFlearn Riyadh Reversing Challenge!"
+    ```
+
+3. Function *_Z18CTFLearnHiddenFlagv* doesnt't do anything:
+
+    ```gdb
+    (gdb) disas _Z18CTFLearnHiddenFlagv
+    Dump of assembler code for function _Z18CTFLearnHiddenFlagv:
+    0x0000555555555d20 <+0>:    endbr64
+    0x0000555555555d24 <+4>:    ret
+    End of assembler dump.
+    ```
+
+4. Doing point-2 above with *_Z4Msg3Pc*:
+
+    ```gdb
+    (gdb) b *main+90
+    Breakpoint 5 at 0x55555555515a
+    (gdb) c
+    Continuing.
+
+    Breakpoint 5, 0x000055555555515a in main ()
+    (gdb) x/s $rbp
+    0x5555555581c0 <buffer>:    "CTFlearn{Reversing_Is_Easy}"
+    ```
+
+    Trying this tells this isn't the actual flag :cry: \
+    The *strcmp* after this *_Z4Msg3Pc* probably takes the program to instructions which print "You found the false flag!  It's not that easy dude!". So running with some other flag would bypass this jump.
+
+5. To reach *_Z4Msg5Pc*, we have to pass strlen test:
+
+    ```gdb
+    (gdb) b *main+117
+    Breakpoint 9 at 0x555555555175
+    (gdb) b*main+151
+    Breakpoint 10 at 0x555555555197
+    (gdb) c
+    Continuing.
+
+    Breakpoint 9, 0x0000555555555175 in main ()
+    (gdb) set $rax=0x1e
+    (gdb) c
+    Continuing.
+
+    Breakpoint 10, 0x0000555555555197 in main ()
+    (gdb) x/s $rbp
+    0x55555556b6c0: "CTFlearn{Masmak_Fortress_1865}"
+    ```

generate_readme.py

@@ -50,6 +50,7 @@ def generate_readme():
 - [XSS Cheat Sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
 - [Prototype Pollution](https://portswigger.net/web-security/prototype-pollution)
 - [Online decryption and decoding](https://cryptii.com/)
+- [Online decompiler](https://dogbolt.org/)
 
 [Other Useful Links](https://medium.com/technology-hits/capture-the-flag-ctf-resources-for-beginners-9394ee2ea07a#2e91)
 """

picoCTF/Cryptography/HideToSee.md

@@ -0,0 +1,24 @@
+# HideToSee
+
+Extract (no passphrase):
+
+```shell
+steghide extract -sf atbash.jpg
+```
+
+Atbash cipher:
+
+```python
+from Crypto.Util.number import inverse
+
+with open('encrypted.txt', 'r') as file:
+    flag = file.read().strip()
+
+    for c in flag:
+        if not c.isalpha():
+            print(c, end='')
+        elif c.isupper():
+            print(chr(ord('Z')-(ord(c) - ord('A'))), end='')
+        else:
+            print(chr(ord('z')-(ord(c) - ord('a'))), end='')
+```

picoCTF/Cryptography/basic-mod1.md

@@ -0,0 +1,16 @@
+# basic-mod1
+
+```python
+with open('message.txt', 'r') as file:
+    l = file.read().split()
+    print(l)
+
+    for num in l:
+        num = int(num)%37
+        if num < 26:
+            print(chr(num+ord('A')), end='')
+        elif num < 36:
+            print(num-26, end='')
+        else:
+            print('_', end='')
+```

picoCTF/Cryptography/basic-mod2.md

@@ -0,0 +1,19 @@
+# basic-mod2
+
+```python
+from Crypto.Util.number import inverse
+
+with open('message.txt', 'r') as file:
+    l = file.read().split()
+    print(l)
+
+    for num in l:
+        num = int(num)%41
+        num = inverse(num,41)
+        if num <= 26:
+            print(chr(num-1+ord('A')), end='')
+        elif num <= 36:
+            print(num-27, end='')
+        else:
+            print('_', end='')
+```

picoCTF/Cryptography/waves over lambda.md

@@ -0,0 +1,3 @@
+# waves over lambda
+
+[Substitution cipher](https://quipqiup.com/)

picoCTF/Reverse Engineering/Classic Crackme 0x100.md

@@ -0,0 +1,45 @@
+# Classic Crackme 0x100
+
+1. Start gdb, `break` at main, `run`, and `disas` main
+2. We see a *memcmp* at the end of code, the result of which seems to make the program jump to print success or failure message:
+
+    ```gdb
+    0x0000000000401364 <+494>:  mov    %rcx,%rsi
+    0x0000000000401367 <+497>:  mov    %rax,%rdi
+    0x000000000040136a <+500>:  call   0x401060 <memcmp@plt>
+    0x000000000040136f <+505>:  test   %eax,%eax
+    ```
+
+3. Set a breakpoint and look at the arguments of memcmp:
+
+    ```gdb
+    (gdb) b *main+500
+    Breakpoint 2 at 0x40136a: file main_sample.c, line 32.
+    (gdb) c
+    Continuing.
+    Enter the secret password: abcdef
+
+    Breakpoint 2, 0x000000000040136a in main () at main_sample.c:32
+    32  in main_sample.c
+    (gdb) x/s $rsi
+    0x7fffffffdd40: "ztqittwtxtieyfrslgtzuxovlfdnbrsnlrvyhhsdxxrfoxnjbl"
+    (gdb) x/s $rdi
+    0x7fffffffdd00: "aefjhlTWQTvWTWWZQVTWTWWZTWQZWZZ]QTNWTWWZTW]ZWZZ]TY"
+    ```
+
+    Multiple runs with different password input print the same *$rsi* but different *$rdi* \
+    On checking, *$rsi* is not the password, but could be an encoded form of it
+4. The final value of *$rsi* could be a shift of what is entered, and this can be verified by inputs "aaaaaaaaaaaaaaa..." and "bbbbbbbbbbbbb.."
+5. Simple python script to reverse the shifting:
+
+    ```python
+    s = "ruuxuxxauxxaxaaduxxaxaadxaadaddguxxaxaadxaadaddgxa" # $rsi
+    t = 'r'*len(s) # input
+
+    l = [(ord(t[i]) - ord(s[i]) + 26) % 26 for i in range(len(s))]
+
+    f = 'ztqittwtxtieyfrslgtzuxovlfdnbrsnlrvyhhsdxxrfoxnjbl' # $rdi
+
+    ans = [chr((ord(f[i]) - ord('a') + l[i]) % 26 + ord('a')) for i in range(len(f))]
+    print(''.join(ans))
+    ```