7 Commits

Author SHA1 Message Date
Giulio De Pasquale
a0128d323b PoliCTF challenge testata e funzionante. Polishing 2017-05-29 17:55:36 +02:00
Giulio De Pasquale
cc6cd1ee6e Decrypt asm finito 2017-05-29 17:07:00 +02:00
Giulio De Pasquale
701881b0b2 Ripulita VM::status 2017-05-29 17:00:09 +02:00
Giulio De Pasquale
645ffec880 Rimosso debg da assembly 2017-05-29 16:19:26 +02:00
Giulio De Pasquale
57022e534c Modificato file assembly per rispecchiare modifiche del loop di encrypt-decrypt 2017-05-29 16:19:08 +02:00
Giulio De Pasquale
d6964e25c4 Ordine nelle cartelle. Modificato encrypt+decrypt 2017-05-29 16:08:56 +02:00
Giulio De Pasquale
1202a2156f Ordine nelle cartelle. Modificato encrypt+decrypt 2017-05-29 16:08:47 +02:00
15 changed files with 217 additions and 93 deletions

1
.gitignore vendored

@ -1,4 +1,5 @@
*.gipu
*.out
*.elf
*.pasticciotto
.vscode/


@ -1,7 +1,6 @@
import sys
import re
import struct
import IPython
import copy
import argparse


@ -1,5 +1,5 @@
#include "debug.h"
#include "vm.h"
#include "../vm/debug.h"
#include "../vm/vm.h"
#include <fstream>
#include <stdint.h>
#include <stdio.h>

111
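--- a/polictf/asms/decrypt.pstc
+++ b/polictf/asms/decrypt.pstc
@@ -0,0 +1,111 @@
+def datastrlen:
+###############
+# r0 = offset of str in data
+# retval (r0) = strlen
+###############
+push r1
+push r2
+push r3
+movr s2, r0
+movi s1, 0
+lodr s0, s2
+cmpb s0, 0
+jpei exit
+loop:
+movi s2, 0
+addi s1, 1
+addr s2, s1
+lodr s0, s2
+cmpb s0, 0
+jpni loop
+exit:
+movr r0, s1
+poop r3
+poop r2
+poop r1
+retn
+def round: # round(uint16_t text[2])
+#################
+# r0 = offset of text[0] in data
+# r1 = offset of text[1] in data
+# r2 = text[0]
+# r3 = text[1]
+# retval = void
+################
+push r1
+push r2
+push r3
+lodr r2, r0 # text[0]
+lodr r3, r1 # text[1]
+movi s0, 0 # i
+movi s1, 0 # sum
+loop:
+push s0 # saving i
+# s0 and s1 will be used as tmps
+#########
+# calc v1
+#########
+movr s0, r2
+shli s0, 4
+addi s0, 0x7275 # s0 = (text[0] << 4) + k2
+movr s1, r2
+xorr s0, s1 # s0 = ((text[0] << 4) + k2) ^ text[0]
+push s0
+movr s0, r2
+shri s0, 5
+addi s0, 0x6e73 # s0 = (text[0] >> 5) + k3
+poop s1
+xorr s0, s1 # s0 = ((text[0] << 4) + k2) ^ text[0] ^ ((text[0] >> 5) + k3)
+subr r3, s0 # r3 -= s0
+#########
+# calc v0
+#########
+movr s0, r3
+shli s0, 4
+addi s0, 0x7065 # s0 = (text[1] << 4) + k0
+movr s1, r3
+xorr s0, s1 # s0 = ((text[1] << 4) + k0) ^ text[1]
+push s0
+movr s0, r3
+shri s0, 5
+addi s0, 0x7065 # s0 = (text[1] >> 5) + k1
+poop s1
+xorr s0, s1 # s0 = ((text[1] << 4) + k0) ^ text[1] ^ ((text[1] >> 5) + k1)
+subr r2, s0 # r2 -= s0
+######
+# end loop
+#####
+poop s0 # restoring i
+addi s0, 1
+cmpb s0, 127 # while (i < 128)
+jpbi loop
+# saving the values
+strr r0, r2
+strr r1, r3
+poop r3
+poop r2
+poop r1
+retn
+def main:
+movi r0, 0
+call datastrlen
+movr r2, r0
+movi s0, 0
+decrypt:
+push s0
+movi r0, 0
+movi r1, 2
+addr r0, s0
+addr r1, s0
+call round
+poop s0
+addi s0, 4
+cmpr s0, r2
+jpbi decrypt
+lodi r0, 0
+lodi r1, 2
+lodi r2, 4
+lodi r3, 6
+shit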
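Review bot: The `decrypt` loop in `main` runs another `round` whenever `s0` is still below the length returned by `datastrlen` (reading `jpbi` as jump-if-below, as the `# while (i < 128)` comment implies), so a data section whose length is not a multiple of 4 gets a final round that loads and stores past the end of the string. The C reference loops on this page stop earlier, with `i + 2 * (sizeof(uint16_t)) <= buflen`. Rounding the length down right after `movr r2, r0`, with `shri r2, 2` followed by `shli r2, 2`, would make the two agree, assuming the shift instructions accept `r2` as they do `s0`. Separately, `datastrlen` resets `s2` with `movi s2, 0` inside its loop, so the offset passed in `r0` is ignored after the first load and the routine is only correct for offset 0; either add `r0` back in the loop or state that limit in the header comment.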


@ -53,7 +53,7 @@ shli s0, 4
addi s0, 0x7065 # s0 = (text[1] << 4) + k0
movr s1, r3
poop s3 # restoring sum in s3
addr s1, s3 # s1 = text[1] + sum
#addr s1, s3 # s1 = text[1] + sum
push s3 # saving sum again
xorr s0, s1 # s0 = ((text[1] << 4) + k0) ^ (text[1] + sum)
push s0
@ -71,7 +71,7 @@ shli s0, 4
addi s0, 0x7275 # s0 = (text[0] << 4) + k2
movr s1, r2
poop s3 # restoring sum in s3
addr s1, s3 # s1 = text[0] + sum
#addr s1, s3 # s1 = text[0] + sum
push s3 # saving sum again
xorr s0, s1 # s0 = ((text[0] << 4) + k2) ^ (text[0] + sum)
push s0
@ -118,7 +118,7 @@ addr r0, s0
addr r1, s0
call round
poop s0
addi s0, 1
addi s0, 4
cmpr s0, r2
jpbi encrypt
lodi r0, 0
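Review bot: The two `addr s1, s3` lines are commented out rather than removed, and the comments on the following `xorr` lines still describe `(text[1] + sum)` and `(text[0] + sum)`, which the code no longer computes. The `poop s3` / `push s3` pair around each one now looks like leftover bookkeeping for a value that does not feed the round; it can only be dropped together with the matching push outside these hunks. Update the comments to the new formula, e.g. `xorr s0, s1 # s0 = ((text[1] << 4) + k0) ^ text[1]`. With the sum gone every round applies the same transformation, so a one-line comment saying that the round constant was dropped deliberately would keep a later reader from "fixing" it on one side only.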


@ -1,4 +1,4 @@
#include "../vm/vm.h"
#include "../../vm/vm.h"
#include <fstream>
#include <stdint.h>
#include <stdio.h>

Binary file not shown.


@ -1 +1 @@
TheDataSectionHasBeenEncrypted
TheDataSectionHasBeenEncrypted!WhoAreYouGonnaCall?TheRuNasss!


@ -0,0 +1 @@
Œê¾ªí Ðk™R%¹æØÿùézÅÄ~*ìg2E$ÐLdYí¦xþ­Ñ¼àØ:ùûùùn\RXF<58>UXE!


@ -1,5 +1,5 @@
#include "../vm/vm.h"
#include "../vm/debug.h"
#include "../../vm/vm.h"
#include "../../vm/debug.h"
#include <fstream>
#include <iostream>
#include <stdint.h>
@ -25,13 +25,18 @@ void gen_random(uint8_t *s, const int len) {
}
unsigned char encrypted_data[] = {
0xcc, 0x8d, 0x5a, 0xcc, 0x73, 0xb5, 0xf2, 0xa3, 0xf3, 0x92,
0xa8, 0x8f, 0x2f, 0xf1, 0x3e, 0xf4, 0x69, 0x00, 0x4a, 0xcb,
0xed, 0xc4, 0x57, 0x9b, 0xf6, 0x9a, 0x78, 0x46, 0x83, 0xe9};
unsigned int encrypted_data_len = 30;
0x8c, 0xea, 0xbe, 0xaa, 0xed, 0xa0, 0xd0, 0x6b, 0x99, 0x1c, 0x52, 0x25,
0xb9, 0xe6, 0xd8, 0xff, 0xf9, 0xe9, 0x92, 0x7a, 0x1c, 0xc5, 0xc4, 0x7e,
0x2a, 0xec, 0x67, 0x32, 0x1f, 0x45, 0x24, 0xd0, 0x4c, 0x7f, 0x15, 0x64,
0x59, 0xed, 0xa6, 0x78, 0xfe, 0xad, 0xd1, 0xbc, 0xe0, 0xd8, 0x3a, 0xf9,
0xfb, 0xf9, 0xf9, 0x6e, 0x5c, 0x52, 0x58, 0x46, 0x8d, 0x55, 0x58, 0x45,
0x21
};
unsigned int encrypted_data_len = 61;
int main(int argc, char *argv[]) {
uint8_t *key = new uint8_t[KEYLEN], *decdatasec = new uint8_t[DATAKEYLEN],
uint8_t *key = new uint8_t[KEYLEN], *decdatasec = new uint8_t[encrypted_data_len],
*flag = new uint8_t[DATAKEYLEN];
uint8_t *clientcode;
uint8_t i;
@ -40,42 +45,58 @@ int main(int argc, char *argv[]) {
gen_random(key, KEYLEN);
printf("Use this: \"%s\"\n", key);
fflush(stdout);
printf("How much data are you sending me?\n");
fflush(stdout);
scanf("%d", &clientcodesize);
printf("Go ahead then!\n");
fflush(stdout);
clientcode = new uint8_t[clientcodesize];
bytesread = read(0, clientcode, clientcodesize);
if (bytesread != clientcodesize) {
printf("ERROR! Couldn't read everything!\n");
fflush(stdout);
exit(1);
}
VM vm(key, clientcode, clientcodesize);
vm.as.insData(encrypted_data, encrypted_data_len);
printf("BEFORE:\n");
for (i = 0; i < DATAKEYLEN; i++) {
fprintf(stdout, "buf[%d] = 0x%02x\n", i, vm.as.data[i]);
}
vm.run();
datap = fopen("./res/decrypteddatasection.txt", "r");
datap = fopen("../res/decrypteddatasection.txt", "r");
if (datap == NULL) {
printf("Couldn't open decrypteddatasection.txt!\n");
fflush(stdout);
exit(1);
}
fscanf(datap, "%s", decdatasec);
fclose(datap);
for (i = 0; i < DATAKEYLEN; i++) {
fprintf(stdout, "buf[%d] = 0x%02x\n", i, vm.as.data[i]);
}
for (i = 0; i < DATAKEYLEN; i++) {
if (vm.as.data[i] != decdatasec[i]) {
DBG_INFO(("Checking data[%d]..\n", i));
printf("Checking data[%d]..\n", i);
fflush(stdout);
printf("Nope!\n");
fflush(stdout);
exit(1);
}
}
flagp = fopen("./res/flag.txt", "r");
flagp = fopen("../res/flag.txt", "r");
if (flagp == NULL) {
printf("Couldn't open flag.txt!\n");
fflush(stdout);
exit(1);
}
fscanf(flagp, "%s", flag);
fclose(flagp);
printf("Congratulations!\nThe flag is: %s\n", flag);
fflush(stdout);
return 0;
}
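Review bot: `fscanf(datap, "%s", decdatasec)` writes a terminating NUL after the text, so with `decdatasec` now allocated as `new uint8_t[encrypted_data_len]` a reference file as long as the data section (61 bytes here) overruns the heap buffer by one byte. Allocate `encrypted_data_len + 1` and bound the conversion, or read the file with `fread(decdatasec, 1, encrypted_data_len, datap)`; the `fscanf(flagp, "%s", flag)` call has the same unbounded shape. The comparison loop after `vm.run()` still stops at `DATAKEYLEN`, whose definition is outside the visible hunks, so unless it equals `encrypted_data_len` only a prefix of the decrypted section is checked; `for (i = 0; i < encrypted_data_len; i++)` would cover all of it. `clientcodesize` also goes straight from `scanf("%d", …)` into `new uint8_t[clientcodesize]` and `read()`, so a negative or oversized value should be rejected before the allocation, and the `scanf` return value checked.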

16
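--- a/polictf/server/test.py
+++ b/polictf/server/test.py
@@ -0,0 +1,16 @@
+from pwn import *
+import subprocess
+key_re = re.compile(".*\"(.*)\".*")
+r = remote("127.0.0.1", 8888)
+first = r.recv()
+key = key_re.match(first).group(1)
+print("Using key: {}".format(key))
+subprocess.check_call(["python3", "../../assembler/assembler.py", "{}".format(key), "../asms/decrypt.pstc", "./out.pasticciotto"])
+with open("./out.pasticciotto") as f:
+data = f.read()
+r.send("{}\n".format(len(data)))
+print(r.recv())
+r.send("{}\n".format(data))
+print(r.recv(100000))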
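Review bot: `open("./out.pasticciotto")` reads the assembled program in text mode, which, depending on the interpreter, can fail on or reinterpret arbitrary bytes and makes `len(data)` a character count rather than the byte count the server reads. Use `open("./out.pasticciotto", "rb")` and send the bytes unchanged instead of formatting them into a string. `re` is only in scope through `from pwn import *`, so an explicit `import re` would make the dependency visible. The single `r.recv()` used to pick up the key may return a partial banner; `r.recvuntil` on the end of that line would be more reliable.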


@ -0,0 +1,40 @@
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
void decrypt(uint16_t *v) {
uint16_t v0 = v[0], v1 = v[1], i;
uint16_t k0 = 0x7065; // "pe"
uint16_t k1 = 0x7065; // "pe"
uint16_t k2 = 0x7275; // "ru"
uint16_t k3 = 0x6e73; // "ns"
for (i = 0; i < 128; i++) {
v1 -= ((v0 << 4) + k2) ^ (v0) ^ ((v0 >> 5) + k3);
v0 -= ((v1 << 4) + k0) ^ (v1) ^ ((v1 >> 5) + k1);
}
v[0] = v0;
v[1] = v1;
}
int main(int argc, char *argv[]) {
uint8_t buf[1000];
uint32_t buflen, i;
fprintf(stdout, "Length of the string?\n");
fflush(stdout);
fscanf(stdin, "%d", &buflen);
printf("Length: %d\n", buflen);
read(0, buf, buflen);
for (i = 0; i < buflen && i + 2 * (sizeof(uint16_t)) <= buflen;
i += sizeof(uint32_t)) {
decrypt((uint16_t *)&buf[i]);
}
for (i = 0; i < buflen; i++) {
fprintf(stdout, "buf[%d] = 0x%02x\n", i, buf[i]);
}
printf("STRING: %s\n", buf);
fflush(stdout);
}
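Review bot: `read(0, buf, buflen)` copies a caller-supplied length into the fixed `uint8_t buf[1000]` with no bound, so any length above 1000 overruns the stack buffer; reject it first with `if (buflen >= sizeof(buf)) exit(1);`. `buflen` is a `uint32_t` but is read and printed with `%d`, the return value of `read` is ignored, and `printf("STRING: %s\n", buf)` prints a buffer that is never NUL-terminated. Use `%u`, take the loop bound from the byte count `read` actually returns, and set `buf[buflen] = 0` before printing. Mixing `fscanf(stdin, …)` with a raw `read(0, …)` can also lose bytes that stdio has already buffered, so reading the payload with `fread` would be safer.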


@ -5,21 +5,15 @@
#include <unistd.h>
void encrypt(uint16_t *v) {
uint16_t v0 = v[0], v1 = v[1], sum = 0, i; /* set up */
uint16_t delta = 0x626f;
uint16_t v0 = v[0], v1 = v[1], i;
uint16_t k0 = 0x7065; // "pe"
uint16_t k1 = 0x7065; // "pe"
uint16_t k2 = 0x7275; // "ru"
uint16_t k3 = 0x6e73; // "ns"
// printf("v0: 0x%x, v1: 0x%x\n", v0, v1);
for (i = 0; i < 128; i++) {
sum += delta;
v0 += ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
v1 += ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
// printf("Intermediate v0: 0x%x | v1: 0x%x\n", v0, v1);
v0 += ((v1 << 4) + k0) ^ (v1) ^ ((v1 >> 5) + k1);
v1 += ((v0 << 4) + k2) ^ (v0) ^ ((v0 >> 5) + k3);
}
// printf("SUM: 0x%x\n", sum);
// printf("v0: 0x%x, v1: 0x%x\n", v0, v1);
v[0] = v0;
v[1] = v1;
}
@ -27,6 +21,7 @@ void encrypt(uint16_t *v) {
int main(int argc, char *argv[]) {
uint8_t *buf;
uint32_t buflen, i;
FILE *f;
if (argc != 2) {
printf("Usage: %s text_to_encrypt", argv[0]);
exit(1);
@ -34,11 +29,12 @@ int main(int argc, char *argv[]) {
buflen = strlen(argv[1]);
buf = (uint8_t *)malloc(buflen);
memcpy(buf, argv[1], buflen);
for (i = 0; i < buflen; i++) {
for (i = 0; i < buflen && i + 2 * (sizeof(uint16_t)) <= buflen;
i += sizeof(uint32_t)) {
encrypt((uint16_t *)&buf[i]);
}
for (i = 0; i < buflen; i++) {
printf("%c", buf[i]);
}
write(1, buf, buflen);
return 0;
}
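Review bot: The new loop bound `i + 2 * (sizeof(uint16_t)) <= buflen` skips the last `buflen % 4` bytes, and `write(1, buf, buflen)` then emits them unencrypted; the 61-byte `encrypted_data` array elsewhere on this page ends in `0x21`, the final `!` of the plaintext. Either pad the buffer to a multiple of four, e.g. `buf = (uint8_t *)calloc((buflen + 3) & ~3u, 1);`, and run the loop over the padded length, or add a comment stating that the tail is left in the clear on purpose. `FILE *f;` is declared in the second hunk but not used in any visible line. The return values of `malloc` and `write` are not checked.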


@ -1,27 +0,0 @@
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
void decrypt(uint32_t *v, uint32_t *k) {
uint32_t v0 = v[0], v1 = v[1], sum = 0xC6EF3720, i; /* set up */
uint32_t delta = 0x9e3779b9; /* a key schedule constant */
uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3]; /* cache key */
for (i = 0; i < 32; i++) { /* basic cycle start */
v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
sum -= delta;
} /* end cycle */
v[0] = v0;
v[1] = v1;
}
int main(int argc, char *argv[]) {
if (argc != 3) {
printf("Usage: %s text_to_decrypt key", argv[0]);
exit(1);
}
decrypt((uint32_t*)argv[1], (uint32_t*)argv[2]);
printf("Result: %s", argv[1]);
return 0;
}


@ -91,41 +91,7 @@ void VM::status(void) {
DBG_SUCC(("VM Status:\n"));
DBG_SUCC(("~~~~~~~~~~\n"));
for (i = R0; i <= SP; i++) {
switch (i) {
case R0:
DBG_INFO(("R0:\t0x%x\n", this->regs[i]));
break;
case R1:
DBG_INFO(("R1:\t0x%x\n", this->regs[i]));
break;
case R2:
DBG_INFO(("R2:\t0x%x\n", this->regs[i]));
break;
case R3:
DBG_INFO(("R3:\t0x%x\n", this->regs[i]));
break;
case S0:
DBG_INFO(("S0:\t0x%x\n", this->regs[i]));
break;
case S1:
DBG_INFO(("S1:\t0x%x\n", this->regs[i]));
break;
case S2:
DBG_INFO(("S2:\t0x%x\n", this->regs[i]));
break;
case S3:
DBG_INFO(("S3:\t0x%x\n", this->regs[i]));
break;
case IP:
DBG_INFO(("IP:\t0x%x\n", this->regs[i]));
break;
case RP:
DBG_INFO(("RP:\t0x%x\n", this->regs[i]));
break;
case SP:
DBG_INFO(("SP:\t0x%x\n", this->regs[i]));
break;
}
DBG_INFO(("%s:\t0x%04x\n", getRegName(i), regs[i]));
}
DBG_INFO(("Flags: ZF = %d, CF = %d\n", flags.ZF, flags.CF));
DBG_SUCC(("~~~~~~~~~~\n"));