From a0128d323b9d3bd985973b2db3c2c328a9189e51 Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale <giulio@depasquale.eu>
Date: Mon, 29 May 2017 17:55:36 +0200
Subject: [PATCH] PoliCTF challenge testata e funzionante. Polishing

---
 .gitignore                             |   1 +
 {vm => emulator}/emulator.cpp          |   4 ++--
 polictf/asms/decrypt.pstc              |  10 ----------
 polictf/res/compiled.pstc              | Bin 266 -> 0 bytes
 polictf/res/decrypteddatasection.txt   |   2 +-
 polictf/res/encrypteddatasection       |   1 +
 polictf/server/pasticciotto_server.cpp |  24 ++++++++++++++++++------
 polictf/server/test.py                 |  16 ++++++++++++++++
 polictf/tea_cversion/decrypt_test      |   1 -
 polictf/tea_cversion/encrypted         |   1 -
 polictf/tea_cversion/tea-decrypt.c     |   8 ++------
 polictf/tea_cversion/tea-encrypt.c     |   8 +-------
 polictf/tea_cversion/test.py           |  12 ------------
 13 files changed, 42 insertions(+), 46 deletions(-)
 rename {vm => emulator}/emulator.cpp (93%)
 delete mode 100644 polictf/res/compiled.pstc
 create mode 100644 polictf/res/encrypteddatasection
 create mode 100644 polictf/server/test.py
 delete mode 100644 polictf/tea_cversion/decrypt_test
 delete mode 100644 polictf/tea_cversion/encrypted
 delete mode 100644 polictf/tea_cversion/test.py
diff --git a/.gitignore b/.gitignore
index cec544a..81214c3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 *.gipu
 *.out
 *.elf
+*.pasticciotto
 .vscode/
diff --git a/vm/emulator.cpp b/emulator/emulator.cpp
similarity index 93%
rename from vm/emulator.cpp
rename to emulator/emulator.cpp
index c70fa2e..5ab072f 100644
--- a/vm/emulator.cpp
+++ b/emulator/emulator.cpp
@@ -1,5 +1,5 @@
-#include "debug.h"
-#include "vm.h"
+#include "../vm/debug.h"
+#include "../vm/vm.h"
 #include <fstream>
 #include <stdint.h>
 #include <stdio.h>
diff --git a/polictf/asms/decrypt.pstc b/polictf/asms/decrypt.pstc
index 3f5d96e..59e8af0 100644
--- a/polictf/asms/decrypt.pstc
+++ b/polictf/asms/decrypt.pstc
@@ -89,14 +89,6 @@ poop r1
 retn
 
 def main:
-movi r0, 0x93af
-movi r1, 0x9ea9
-stri 0, r0
-stri 2, r1
-movi r0, 0x2008
-movi r1, 0xc917
-stri 0x4, r0
-stri 0x6, r1
 movi r0, 0
 call datastrlen
 movr r2, r0
@@ -110,12 +102,10 @@ addr r1, s0
 call round
 poop s0
 addi s0, 4
-debg
 cmpr s0, r2
 jpbi decrypt
 lodi r0, 0
 lodi r1, 2
 lodi r2, 4
 lodi r3, 6
-debg
 shit
\ No newline at end of file
diff --git a/polictf/res/compiled.pstc b/polictf/res/compiled.pstc
deleted file mode 100644
index 8500d120749b918d578a0215f091cfc01163d225..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 266
zcmYk0J&FQB6ol*bydFVelHCIsxRDqLo?t{Xp|OJvOk}~#KNLYDm4WHRi)<k15#|7H
z)SYbL5%vHZIXz=wSXEz9rEothy3{fNnE)wVYKs1UGR}4AH8A*vt*hM7?4=?B$L@VF
zg5i`2r+C*wlqXT1M1m0oA#PPoTIe9DCvD$V()Uxj_|npLKbVp7WNEdjxKCY~_B7k>
zm1W@?IqkWIjZ12?vcnfDE~)jrpgKmDCz`z9&2SXQHxn3P=)0V^V?Uhqn~W`y3V~D-
N+@x@Bhd)^P<R64<L$Ck<

diff --git a/polictf/res/decrypteddatasection.txt b/polictf/res/decrypteddatasection.txt
index d0512bf..9d6cea0 100644
--- a/polictf/res/decrypteddatasection.txt
+++ b/polictf/res/decrypteddatasection.txt
@@ -1 +1 @@
-TheDataSectionHasBeenEncrypted
\ No newline at end of file
+TheDataSectionHasBeenEncrypted!WhoAreYouGonnaCall?TheRuNasss!
\ No newline at end of file
diff --git a/polictf/res/encrypteddatasection b/polictf/res/encrypteddatasection
new file mode 100644
index 0000000..6b06b68
--- /dev/null
+++ b/polictf/res/encrypteddatasection
@@ -0,0 +1 @@
+Œê¾ªí Ðk™R%¹æØÿùé’zÅÄ~*ìg2E$ÐLdYí¦xþ­Ñ¼àØ:ùûùùn\RXFUXE!
\ No newline at end of file
diff --git a/polictf/server/pasticciotto_server.cpp b/polictf/server/pasticciotto_server.cpp
index 70bc1d7..5431e5e 100644
--- a/polictf/server/pasticciotto_server.cpp
+++ b/polictf/server/pasticciotto_server.cpp
@@ -25,13 +25,18 @@ void gen_random(uint8_t *s, const int len) {
 }
 
 unsigned char encrypted_data[] = {
-    0xcc, 0x8d, 0x5a, 0xcc, 0x73, 0xb5, 0xf2, 0xa3, 0xf3, 0x92,
-    0xa8, 0x8f, 0x2f, 0xf1, 0x3e, 0xf4, 0x69, 0x00, 0x4a, 0xcb,
-    0xed, 0xc4, 0x57, 0x9b, 0xf6, 0x9a, 0x78, 0x46, 0x83, 0xe9};
-unsigned int encrypted_data_len = 30;
+  0x8c, 0xea, 0xbe, 0xaa, 0xed, 0xa0, 0xd0, 0x6b, 0x99, 0x1c, 0x52, 0x25,
+  0xb9, 0xe6, 0xd8, 0xff, 0xf9, 0xe9, 0x92, 0x7a, 0x1c, 0xc5, 0xc4, 0x7e,
+  0x2a, 0xec, 0x67, 0x32, 0x1f, 0x45, 0x24, 0xd0, 0x4c, 0x7f, 0x15, 0x64,
+  0x59, 0xed, 0xa6, 0x78, 0xfe, 0xad, 0xd1, 0xbc, 0xe0, 0xd8, 0x3a, 0xf9,
+  0xfb, 0xf9, 0xf9, 0x6e, 0x5c, 0x52, 0x58, 0x46, 0x8d, 0x55, 0x58, 0x45,
+  0x21
+};
+unsigned int encrypted_data_len = 61;
+
 
 int main(int argc, char *argv[]) {
-  uint8_t *key = new uint8_t[KEYLEN], *decdatasec = new uint8_t[DATAKEYLEN],
+  uint8_t *key = new uint8_t[KEYLEN], *decdatasec = new uint8_t[encrypted_data_len],
           *flag = new uint8_t[DATAKEYLEN];
   uint8_t *clientcode;
   uint8_t i;
@@ -55,6 +60,10 @@ int main(int argc, char *argv[]) {
   }
   VM vm(key, clientcode, clientcodesize);
   vm.as.insData(encrypted_data, encrypted_data_len);
+  printf("BEFORE:\n");
+  for (i = 0; i < DATAKEYLEN; i++) {
+    fprintf(stdout, "buf[%d] = 0x%02x\n", i, vm.as.data[i]);
+  }
   vm.run();
 
   datap = fopen("../res/decrypteddatasection.txt", "r");
@@ -66,9 +75,12 @@ int main(int argc, char *argv[]) {
   fscanf(datap, "%s", decdatasec);
   fclose(datap);
 
+  for (i = 0; i < DATAKEYLEN; i++) {
+    fprintf(stdout, "buf[%d] = 0x%02x\n", i, vm.as.data[i]);
+  }
   for (i = 0; i < DATAKEYLEN; i++) {
     if (vm.as.data[i] != decdatasec[i]) {
-        DBG_INFO(("Checking data[%d]..\n", i));
+        printf("Checking data[%d]..\n", i);
         fflush(stdout);
       printf("Nope!\n");
       fflush(stdout);
diff --git a/polictf/server/test.py b/polictf/server/test.py
new file mode 100644
index 0000000..0099371
--- /dev/null
+++ b/polictf/server/test.py
@@ -0,0 +1,16 @@
+from pwn import *
+import subprocess
+
+key_re = re.compile(".*\"(.*)\".*")
+r = remote("127.0.0.1", 8888)
+
+first = r.recv()
+key = key_re.match(first).group(1)
+print("Using key: {}".format(key))
+subprocess.check_call(["python3", "../../assembler/assembler.py", "{}".format(key), "../asms/decrypt.pstc", "./out.pasticciotto"])
+with open("./out.pasticciotto") as f:
+    data = f.read()
+r.send("{}\n".format(len(data)))
+print(r.recv())
+r.send("{}\n".format(data))
+print(r.recv(100000))
\ No newline at end of file
diff --git a/polictf/tea_cversion/decrypt_test b/polictf/tea_cversion/decrypt_test
deleted file mode 100644
index 4892903..0000000
--- a/polictf/tea_cversion/decrypt_test
+++ /dev/null
@@ -1 +0,0 @@
-4 test
diff --git a/polictf/tea_cversion/encrypted b/polictf/tea_cversion/encrypted
deleted file mode 100644
index b5d327a..0000000
--- a/polictf/tea_cversion/encrypted
+++ /dev/null
@@ -1 +0,0 @@
-¯“©ž É
\ No newline at end of file
diff --git a/polictf/tea_cversion/tea-decrypt.c b/polictf/tea_cversion/tea-decrypt.c
index 35667bf..79c6c2e 100644
--- a/polictf/tea_cversion/tea-decrypt.c
+++ b/polictf/tea_cversion/tea-decrypt.c
@@ -5,19 +5,15 @@
 #include <unistd.h>
 
 void decrypt(uint16_t *v) {
-  uint16_t v0 = v[0], v1 = v[1], sum = 0x3780, i; /* set up */
-  uint16_t delta = 0x626f;                        /* a key schedule constant */
+  uint16_t v0 = v[0], v1 = v[1], i;
   uint16_t k0 = 0x7065;                           // "pe"
   uint16_t k1 = 0x7065;                           // "pe"
   uint16_t k2 = 0x7275;                           // "ru"
   uint16_t k3 = 0x6e73;                           // "ns"
   for (i = 0; i < 128; i++) {
-    //printf("Intermediate v0: 0x%x | v1: 0x%x\n", v0, v1); /* basic cycle
-    // start */
     v1 -= ((v0 << 4) + k2) ^ (v0) ^ ((v0 >> 5) + k3);
     v0 -= ((v1 << 4) + k0) ^ (v1) ^ ((v1 >> 5) + k1);
-    sum -= delta;
-  } /* end cycle */
+  }
   v[0] = v0;
   v[1] = v1;
 }
diff --git a/polictf/tea_cversion/tea-encrypt.c b/polictf/tea_cversion/tea-encrypt.c
index 7227f07..3395365 100644
--- a/polictf/tea_cversion/tea-encrypt.c
+++ b/polictf/tea_cversion/tea-encrypt.c
@@ -5,21 +5,15 @@
 #include <unistd.h>
 
 void encrypt(uint16_t *v) {
-  uint16_t v0 = v[0], v1 = v[1], sum = 0, i; /* set up */
-  uint16_t delta = 0x626f;
+  uint16_t v0 = v[0], v1 = v[1], i;
   uint16_t k0 = 0x7065; // "pe"
   uint16_t k1 = 0x7065; // "pe"
   uint16_t k2 = 0x7275; // "ru"
   uint16_t k3 = 0x6e73; // "ns"
-  // printf("v0: 0x%x, v1: 0x%x\n", v0, v1);
   for (i = 0; i < 128; i++) {
-    sum += delta;
     v0 += ((v1 << 4) + k0) ^ (v1) ^ ((v1 >> 5) + k1);
     v1 += ((v0 << 4) + k2) ^ (v0) ^ ((v0 >> 5) + k3);
-    // printf("Intermediate v0: 0x%x | v1: 0x%x\n", v0, v1);
   }
-  // printf("SUM: 0x%x\n", sum);
-  // printf("v0: 0x%x, v1: 0x%x\n", v0, v1);
   v[0] = v0;
   v[1] = v1;
 }
diff --git a/polictf/tea_cversion/test.py b/polictf/tea_cversion/test.py
deleted file mode 100644
index cd58135..0000000
--- a/polictf/tea_cversion/test.py
+++ /dev/null
@@ -1,12 +0,0 @@
-from pwn import *
-
-r = remote("127.0.0.1", 8888)
-
-
-with open("./encrypted") as f:
-    data = f.read()
-
-print(r.recv())
-r.send("{}\n".format(len(data)))
-r.send("{}\n".format(data))
-print(r.recv())
\ No newline at end of file
