diff --git a/CTFLearn/Reversing/188.md b/CTFLearn/Reversing/188.md new file mode 100644 index 0000000..3b9e9d3 --- /dev/null +++ b/CTFLearn/Reversing/188.md @@ -0,0 +1,19 @@ +# [RE_verseDIS](https://ctflearn.com/challenge/188) + +1. Try `strings` command, doesn't help much. +2. Start gdb, `break` at main, `run` with some random flag, and `disas` main +3. Notice various comments with addresses, printing some of them using `x/s` gives some of the strings that `strings` gave, while some of them are blank which may fill up during execution +4. Break at the end and print the strings again + + ```gdb + (gdb) break *main+286 + Breakpoint 2 at 0x55555540085e + (gdb) c + Continuing. + Input password: sdfghjkl + Wrong password + + Breakpoint 2, 0x000055555540085e in main () + (gdb) x/s 0x555555601140 + 0x555555601140 : "AbCTF{r3vers1ng_dud3}" + ``` diff --git a/CTFLearn/Reversing/991.md b/CTFLearn/Reversing/991.md new file mode 100644 index 0000000..8e42bdd --- /dev/null +++ b/CTFLearn/Reversing/991.md @@ -0,0 +1,61 @@ +# [Riyadh](https://ctflearn.com/challenge/991) + +1. Start gdb, `break` at main, `run` with some random flag, and `disas` main +2. First of all, function *_Z4Msg1Pc* is called, after which there's a *puts*. Disassembling and observing (too complex) doesn't help much. Break after function: + + ```gdb + (gdb) b *main+43 + Breakpoint 2 at 0x55555555512b + (gdb) c + Continuing. + + Breakpoint 2, 0x000055555555512b in main () + (gdb) x/s $rbp + 0x5555555581c0 : "Welcome to CTFlearn Riyadh Reversing Challenge!" + ``` + +3. Function *_Z18CTFLearnHiddenFlagv* doesnt't do anything: + + ```gdb + (gdb) disas _Z18CTFLearnHiddenFlagv + Dump of assembler code for function _Z18CTFLearnHiddenFlagv: + 0x0000555555555d20 <+0>: endbr64 + 0x0000555555555d24 <+4>: ret + End of assembler dump. + ``` + +4. Doing point-2 above with *_Z4Msg3Pc*: + + ```gdb + (gdb) b *main+90 + Breakpoint 5 at 0x55555555515a + (gdb) c + Continuing. + + Breakpoint 5, 0x000055555555515a in main () + (gdb) x/s $rbp + 0x5555555581c0 : "CTFlearn{Reversing_Is_Easy}" + ``` + + Trying this tells this isn't the actual flag :cry: \ + The *strcmp* after this *_Z4Msg3Pc* probably takes the program to instructions which print "You found the false flag! It's not that easy dude!". So running with some other flag would bypass this jump. + +5. To reach *_Z4Msg5Pc*, we have to pass strlen test: + + ```gdb + (gdb) b *main+117 + Breakpoint 9 at 0x555555555175 + (gdb) b*main+151 + Breakpoint 10 at 0x555555555197 + (gdb) c + Continuing. + + Breakpoint 9, 0x0000555555555175 in main () + (gdb) set $rax=0x1e + (gdb) c + Continuing. + + Breakpoint 10, 0x0000555555555197 in main () + (gdb) x/s $rbp + 0x55555556b6c0: "CTFlearn{Masmak_Fortress_1865}" + ``` diff --git a/generate_readme.py b/generate_readme.py index cbad0df..181ed2a 100644 --- a/generate_readme.py +++ b/generate_readme.py @@ -50,6 +50,7 @@ def generate_readme(): - [XSS Cheat Sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) - [Prototype Pollution](https://portswigger.net/web-security/prototype-pollution) - [Online decryption and decoding](https://cryptii.com/) +- [Online decompiler](https://dogbolt.org/) [Other Useful Links](https://medium.com/technology-hits/capture-the-flag-ctf-resources-for-beginners-9394ee2ea07a#2e91) """ diff --git a/picoCTF/Cryptography/HideToSee.md b/picoCTF/Cryptography/HideToSee.md new file mode 100644 index 0000000..3405dc0 --- /dev/null +++ b/picoCTF/Cryptography/HideToSee.md @@ -0,0 +1,24 @@ +# HideToSee + +Extract (no passphrase): + +```shell +steghide extract -sf atbash.jpg +``` + +Atbash cipher: + +```python +from Crypto.Util.number import inverse + +with open('encrypted.txt', 'r') as file: + flag = file.read().strip() + + for c in flag: + if not c.isalpha(): + print(c, end='') + elif c.isupper(): + print(chr(ord('Z')-(ord(c) - ord('A'))), end='') + else: + print(chr(ord('z')-(ord(c) - ord('a'))), end='') +``` diff --git a/picoCTF/Cryptography/basic-mod1.md b/picoCTF/Cryptography/basic-mod1.md new file mode 100644 index 0000000..6a4137b --- /dev/null +++ b/picoCTF/Cryptography/basic-mod1.md @@ -0,0 +1,16 @@ +# basic-mod1 + +```python +with open('message.txt', 'r') as file: + l = file.read().split() + print(l) + + for num in l: + num = int(num)%37 + if num < 26: + print(chr(num+ord('A')), end='') + elif num < 36: + print(num-26, end='') + else: + print('_', end='') +``` diff --git a/picoCTF/Cryptography/basic-mod2.md b/picoCTF/Cryptography/basic-mod2.md new file mode 100644 index 0000000..7649a01 --- /dev/null +++ b/picoCTF/Cryptography/basic-mod2.md @@ -0,0 +1,19 @@ +# basic-mod2 + +```python +from Crypto.Util.number import inverse + +with open('message.txt', 'r') as file: + l = file.read().split() + print(l) + + for num in l: + num = int(num)%41 + num = inverse(num,41) + if num <= 26: + print(chr(num-1+ord('A')), end='') + elif num <= 36: + print(num-27, end='') + else: + print('_', end='') +``` diff --git a/picoCTF/Cryptography/waves over lambda.md b/picoCTF/Cryptography/waves over lambda.md new file mode 100644 index 0000000..ba6fbcd --- /dev/null +++ b/picoCTF/Cryptography/waves over lambda.md @@ -0,0 +1,3 @@ +# waves over lambda + +[Substitution cipher](https://quipqiup.com/) diff --git a/picoCTF/Reverse Engineering/Classic Crackme 0x100.md b/picoCTF/Reverse Engineering/Classic Crackme 0x100.md new file mode 100644 index 0000000..47e5065 --- /dev/null +++ b/picoCTF/Reverse Engineering/Classic Crackme 0x100.md @@ -0,0 +1,45 @@ +# Classic Crackme 0x100 + +1. Start gdb, `break` at main, `run`, and `disas` main +2. We see a *memcmp* at the end of code, the result of which seems to make the program jump to print success or failure message: + + ```gdb + 0x0000000000401364 <+494>: mov %rcx,%rsi + 0x0000000000401367 <+497>: mov %rax,%rdi + 0x000000000040136a <+500>: call 0x401060 + 0x000000000040136f <+505>: test %eax,%eax + ``` + +3. Set a breakpoint and look at the arguments of memcmp: + + ```gdb + (gdb) b *main+500 + Breakpoint 2 at 0x40136a: file main_sample.c, line 32. + (gdb) c + Continuing. + Enter the secret password: abcdef + + Breakpoint 2, 0x000000000040136a in main () at main_sample.c:32 + 32 in main_sample.c + (gdb) x/s $rsi + 0x7fffffffdd40: "ztqittwtxtieyfrslgtzuxovlfdnbrsnlrvyhhsdxxrfoxnjbl" + (gdb) x/s $rdi + 0x7fffffffdd00: "aefjhlTWQTvWTWWZQVTWTWWZTWQZWZZ]QTNWTWWZTW]ZWZZ]TY" + ``` + + Multiple runs with different password input print the same *$rsi* but different *$rdi* \ + On checking, *$rsi* is not the password, but could be an encoded form of it +4. The final value of *$rsi* could be a shift of what is entered, and this can be verified by inputs "aaaaaaaaaaaaaaa..." and "bbbbbbbbbbbbb.." +5. Simple python script to reverse the shifting: + + ```python + s = "ruuxuxxauxxaxaaduxxaxaadxaadaddguxxaxaadxaadaddgxa" # $rsi + t = 'r'*len(s) # input + + l = [(ord(t[i]) - ord(s[i]) + 26) % 26 for i in range(len(s))] + + f = 'ztqittwtxtieyfrslgtzuxovlfdnbrsnlrvyhhsdxxrfoxnjbl' # $rdi + + ans = [chr((ord(f[i]) - ord('a') + l[i]) % 26 + ord('a')) for i in range(len(f))] + print(''.join(ans)) + ```