Compare commits
3 Commits
bd731786d3
...
05ad0c6364
| Author | SHA1 | Date | |
|---|---|---|---|
|
05ad0c6364 | ||
|
|
b758947a87 | ||
|
|
10b01187a4 |
@ -78,44 +78,38 @@ int main(int argc, char *argv[]) {
|
||||
0x2f, 0x2f, 0x5c, 0x2f, 0x2f, 0x5c, 0x2f, 0x2f, 0x5c, 0x2f, 0x2f, 0x5c,
|
||||
0x2f, 0x2f, 0x5c, 0x2f, 0x2f, 0x5c, 0x2f, 0x2f, 0x5c, 0x2f, 0x2f, 0x5c,
|
||||
0x2f, 0x2f, 0x5c, 0x2f, 0x20, 0x20, 0x20};
|
||||
|
||||
uint8_t a[] = {0x24, 0x00, 0x38, 0x08, 0x2f, 0x18,
|
||||
0x3f, 0x40, 0x51, 0x5f, 0x53, 0x4e};
|
||||
uint8_t b[] = "totallyrandom";
|
||||
uint8_t *c = new uint8_t[12]; // PoLiCtF2017!
|
||||
unsigned char bc[] = {
|
||||
0x50, 0x00, 0xde, 0xad, 0x50, 0x01, 0xb0, 0x0b, 0xc1, 0x00, 0x00, 0x00,
|
||||
0xc1, 0x02, 0x00, 0x01, 0x50, 0x00, 0xb0, 0x0b, 0x50, 0x01, 0xfa, 0xce,
|
||||
0xc1, 0x04, 0x00, 0x00, 0xc1, 0x06, 0x00, 0x01, 0x50, 0x00, 0x00, 0x00,
|
||||
0x4d, 0xda, 0x00, 0xd4, 0x20, 0x50, 0x04, 0x00, 0x00, 0x53, 0x04, 0x50,
|
||||
0x00, 0x00, 0x00, 0x50, 0x01, 0x02, 0x00, 0xd5, 0x04, 0xd5, 0x14, 0x4d,
|
||||
0x5b, 0x00, 0x87, 0x04, 0x86, 0x04, 0x01, 0x00, 0x8c, 0x42, 0x79, 0x2d,
|
||||
0x00, 0x0e, 0x00, 0x00, 0x00, 0x0e, 0x01, 0x02, 0x00, 0x0e, 0x02, 0x04,
|
||||
0x00, 0x0e, 0x03, 0x06, 0x00, 0xcd, 0x0a, 0x53, 0x01, 0x53, 0x02, 0x53,
|
||||
0x03, 0x83, 0x20, 0x83, 0x31, 0x50, 0x04, 0x00, 0x00, 0x50, 0x05, 0x00,
|
||||
0x00, 0x53, 0x04, 0x86, 0x05, 0x6f, 0x62, 0x53, 0x05, 0xd4, 0x43, 0x25,
|
||||
0x04, 0x04, 0x00, 0x86, 0x04, 0x65, 0x70, 0xd4, 0x53, 0x87, 0x07, 0xd5,
|
||||
0x57, 0x53, 0x07, 0x6c, 0x45, 0x53, 0x04, 0xd4, 0x43, 0xb1, 0x04, 0x05,
|
||||
0x00, 0x86, 0x04, 0x65, 0x70, 0x87, 0x05, 0x6c, 0x45, 0xd5, 0x24, 0xd4,
|
||||
0x42, 0x25, 0x04, 0x04, 0x00, 0x86, 0x04, 0x75, 0x72, 0xd4, 0x52, 0x87,
|
||||
0x07, 0xd5, 0x57, 0x53, 0x07, 0x6c, 0x45, 0x53, 0x04, 0xd4, 0x42, 0xb1,
|
||||
0x04, 0x05, 0x00, 0x86, 0x04, 0x73, 0x6e, 0x87, 0x05, 0x6c, 0x45, 0xd5,
|
||||
0x34, 0x87, 0x05, 0x87, 0x04, 0x86, 0x04, 0x01, 0x00, 0x2b, 0x04, 0x7f,
|
||||
0x79, 0x6d, 0x00, 0x81, 0x02, 0x81, 0x13, 0x87, 0x03, 0x87, 0x02, 0x87,
|
||||
0x01, 0xa9, 0x53, 0x01, 0x53, 0x02, 0x53, 0x03, 0xd4, 0x60, 0x50, 0x05,
|
||||
0x00, 0x00, 0x83, 0x46, 0x2b, 0x04, 0x00, 0x78, 0x01, 0x01, 0x50, 0x06,
|
||||
0x00, 0x00, 0x86, 0x05, 0x01, 0x00, 0xd5, 0x65, 0x83, 0x46, 0x2b, 0x04,
|
||||
0x00, 0xcd, 0x80, 0xee, 0x00, 0xd4, 0x05, 0x87, 0x03, 0x87, 0x02, 0x87,
|
||||
0x01, 0xa9};
|
||||
unsigned int bclen = 266;
|
||||
0x48, 0x00, 0xde, 0xad, 0x48, 0x01, 0xb0, 0x0b, 0xd4, 0x00, 0x00, 0x00,
|
||||
0xd4, 0x02, 0x00, 0x01, 0x48, 0x00, 0xb0, 0x0b, 0x48, 0x01, 0xfa, 0xce,
|
||||
0xd4, 0x04, 0x00, 0x00, 0xd4, 0x06, 0x00, 0x01, 0x48, 0x00, 0x00, 0x00,
|
||||
0xd8, 0xd9, 0x00, 0xcb, 0x20, 0x48, 0x04, 0x00, 0x00, 0xde, 0x04, 0x48,
|
||||
0x00, 0x00, 0x00, 0x48, 0x01, 0x02, 0x00, 0x39, 0x04, 0x39, 0x14, 0xd8,
|
||||
0x5a, 0x00, 0x5c, 0x04, 0x05, 0x04, 0x01, 0x00, 0xd7, 0x42, 0x93, 0x2d,
|
||||
0x00, 0x22, 0x00, 0x00, 0x00, 0x22, 0x01, 0x02, 0x00, 0x22, 0x02, 0x04,
|
||||
0x00, 0x22, 0x03, 0x06, 0x00, 0x5d, 0xde, 0x01, 0xde, 0x02, 0xde, 0x03,
|
||||
0x12, 0x20, 0x12, 0x31, 0x48, 0x04, 0x00, 0x00, 0x48, 0x05, 0x00, 0x00,
|
||||
0xde, 0x04, 0x05, 0x05, 0x6f, 0x62, 0xde, 0x05, 0xcb, 0x43, 0x20, 0x04,
|
||||
0x04, 0x00, 0x05, 0x04, 0x65, 0x70, 0xcb, 0x53, 0x5c, 0x07, 0x39, 0x57,
|
||||
0xde, 0x07, 0xb1, 0x45, 0xde, 0x04, 0xcb, 0x43, 0x36, 0x04, 0x05, 0x00,
|
||||
0x05, 0x04, 0x65, 0x70, 0x5c, 0x05, 0xb1, 0x45, 0x39, 0x24, 0xcb, 0x42,
|
||||
0x20, 0x04, 0x04, 0x00, 0x05, 0x04, 0x75, 0x72, 0xcb, 0x52, 0x5c, 0x07,
|
||||
0x39, 0x57, 0xde, 0x07, 0xb1, 0x45, 0xde, 0x04, 0xcb, 0x42, 0x36, 0x04,
|
||||
0x05, 0x00, 0x05, 0x04, 0x73, 0x6e, 0x5c, 0x05, 0xb1, 0x45, 0x39, 0x34,
|
||||
0x5c, 0x05, 0x5c, 0x04, 0x05, 0x04, 0x01, 0x00, 0xf4, 0x04, 0x7f, 0x93,
|
||||
0x6c, 0x00, 0x4e, 0x02, 0x4e, 0x13, 0x5c, 0x03, 0x5c, 0x02, 0x5c, 0x01,
|
||||
0xbb, 0xde, 0x01, 0xde, 0x02, 0xde, 0x03, 0xcb, 0x60, 0x48, 0x05, 0x00,
|
||||
0x00, 0x12, 0x46, 0xf4, 0x04, 0x00, 0x38, 0xff, 0x00, 0x48, 0x06, 0x00,
|
||||
0x00, 0x05, 0x05, 0x01, 0x00, 0x39, 0x65, 0x12, 0x46, 0xf4, 0x04, 0x00,
|
||||
0xae, 0xed, 0x00, 0xcb, 0x05, 0x5c, 0x03, 0x5c, 0x02, 0x5c, 0x01, 0xbb};
|
||||
unsigned int bclen = 264;
|
||||
|
||||
for (uint8_t i = 0; i < 12; i++) {
|
||||
c[i] = a[i] ^ b[i % 13];
|
||||
}
|
||||
unsigned char opcode_key[] = {0x48, 0x61, 0x76, 0x65, 0x46, 0x75, 0x6e,
|
||||
0x21, 0x50, 0x6f, 0x6c, 0x69, 0x43, 0x54,
|
||||
0x46, 0x32, 0x30, 0x31, 0x37, 0x21};
|
||||
|
||||
printf("%s", banner);
|
||||
printf("\nHmmm...\n");
|
||||
VM vm(c, bc, bclen);
|
||||
VM vm(opcode_key, bc, bclen);
|
||||
vm.run();
|
||||
return 0;
|
||||
}
|
||||
81
polictf/pasticciotto_server.cpp
Normal file
81
polictf/pasticciotto_server.cpp
Normal file
@ -0,0 +1,81 @@
|
||||
#include "../vm/vm.h"
|
||||
#include "../vm/debug.h"
|
||||
#include <fstream>
|
||||
#include <iostream>
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <time.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#define KEYLEN 15
|
||||
#define CODESIZE 0x300
|
||||
#define DATAKEYLEN 30
|
||||
|
||||
void gen_random(uint8_t *s, const int len) {
|
||||
srand(time(NULL));
|
||||
static const char alphanum[] = "0123456789"
|
||||
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
"abcdefghijklmnopqrstuvwxyz";
|
||||
for (int i = 0; i < len; ++i) {
|
||||
s[i] = alphanum[rand() % (sizeof(alphanum) - 1)];
|
||||
}
|
||||
|
||||
s[len] = 0;
|
||||
}
|
||||
|
||||
unsigned char encrypted_data[] = {
|
||||
0xcc, 0x8d, 0x5a, 0xcc, 0x73, 0xb5, 0xf2, 0xa3, 0xf3, 0x92,
|
||||
0xa8, 0x8f, 0x2f, 0xf1, 0x3e, 0xf4, 0x69, 0x00, 0x4a, 0xcb,
|
||||
0xed, 0xc4, 0x57, 0x9b, 0xf6, 0x9a, 0x78, 0x46, 0x83, 0xe9};
|
||||
unsigned int encrypted_data_len = 30;
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
uint8_t *key = new uint8_t[KEYLEN], *decdatasec = new uint8_t[DATAKEYLEN],
|
||||
*flag = new uint8_t[DATAKEYLEN];
|
||||
uint8_t *clientcode;
|
||||
uint8_t i;
|
||||
uint32_t clientcodesize, bytesread;
|
||||
FILE *datap, *flagp;
|
||||
|
||||
gen_random(key, KEYLEN);
|
||||
printf("Use this: \"%s\"\n", key);
|
||||
printf("How much data are you sending me?\n");
|
||||
scanf("%d", &clientcodesize);
|
||||
printf("Go ahead then!\n");
|
||||
clientcode = new uint8_t[clientcodesize];
|
||||
bytesread = read(0, clientcode, clientcodesize);
|
||||
if (bytesread != clientcodesize) {
|
||||
printf("ERROR! Couldn't read everything!\n");
|
||||
exit(1);
|
||||
}
|
||||
VM vm(key, clientcode, clientcodesize);
|
||||
vm.as.insData(encrypted_data, encrypted_data_len);
|
||||
vm.run();
|
||||
|
||||
datap = fopen("./res/decrypteddatasection.txt", "r");
|
||||
if (datap == NULL) {
|
||||
printf("Couldn't open decrypteddatasection.txt!\n");
|
||||
exit(1);
|
||||
}
|
||||
fscanf(datap, "%s", decdatasec);
|
||||
fclose(datap);
|
||||
|
||||
for (i = 0; i < DATAKEYLEN; i++) {
|
||||
if (vm.as.data[i] != decdatasec[i]) {
|
||||
DBG_INFO(("Checking data[%d]..\n", i));
|
||||
printf("Nope!\n");
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
flagp = fopen("./res/flag.txt", "r");
|
||||
if (flagp == NULL) {
|
||||
printf("Couldn't open flag.txt!\n");
|
||||
exit(1);
|
||||
}
|
||||
fscanf(flagp, "%s", flag);
|
||||
fclose(flagp);
|
||||
printf("Congratulations!\nThe flag is: %s\n", flag);
|
||||
return 0;
|
||||
}
|
||||
1
polictf/res/client_opcode_key.txt
Normal file
1
polictf/res/client_opcode_key.txt
Normal file
@ -0,0 +1 @@
|
||||
HaveFun!PoliCTF2017!
|
||||
1
polictf/res/decrypteddatasection.txt
Normal file
1
polictf/res/decrypteddatasection.txt
Normal file
@ -0,0 +1 @@
|
||||
TheDataSectionHasBeenEncrypted
|
||||
1
polictf/res/flag.txt
Normal file
1
polictf/res/flag.txt
Normal file
@ -0,0 +1 @@
|
||||
PoliCTF17{DajeFunziona}
|
||||
@ -11,15 +11,15 @@ void encrypt(uint16_t *v) {
|
||||
uint16_t k1 = 0x7065; // "pe"
|
||||
uint16_t k2 = 0x7275; // "ru"
|
||||
uint16_t k3 = 0x6e73; // "ns"
|
||||
printf("v0: 0x%x, v1: 0x%x\n", v0, v1);
|
||||
// printf("v0: 0x%x, v1: 0x%x\n", v0, v1);
|
||||
for (i = 0; i < 128; i++) {
|
||||
sum += delta;
|
||||
v0 += ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
|
||||
v1 += ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
|
||||
//printf("Intermediate v0: 0x%x | v1: 0x%x\n", v0, v1);
|
||||
// printf("Intermediate v0: 0x%x | v1: 0x%x\n", v0, v1);
|
||||
}
|
||||
printf("SUM: 0x%x\n", sum);
|
||||
printf("v0: 0x%x, v1: 0x%x\n", v0, v1);
|
||||
// printf("SUM: 0x%x\n", sum);
|
||||
// printf("v0: 0x%x, v1: 0x%x\n", v0, v1);
|
||||
v[0] = v0;
|
||||
v[1] = v1;
|
||||
}
|
||||
@ -35,13 +35,10 @@ int main(int argc, char *argv[]) {
|
||||
buf = (uint8_t *)malloc(buflen);
|
||||
memcpy(buf, argv[1], buflen);
|
||||
for (i = 0; i < buflen; i++) {
|
||||
printf("----\n");
|
||||
encrypt((uint16_t *)&buf[i]);
|
||||
}
|
||||
printf("Result:\n");
|
||||
for (i = 0; i < buflen; i++) {
|
||||
printf("%02x", buf[i]);
|
||||
printf("%c", buf[i]);
|
||||
}
|
||||
printf("\n");
|
||||
return 0;
|
||||
}
|
||||
@ -114,6 +114,7 @@ INSTRUCTION SIZE TYPES
|
||||
*/
|
||||
#define REG2REG 2
|
||||
#define IMM2REG 4
|
||||
#define REG2IMM 4
|
||||
#define BYT2REG 3
|
||||
#define REGONLY 2
|
||||
#define IMMONLY 3
|
||||
@ -155,6 +156,8 @@ INSTRUCTION SIZES
|
||||
#define CMPB_SIZE BYT2REG
|
||||
#define CMPW_SIZE IMM2REG
|
||||
#define CMPR_SIZE REG2REG
|
||||
#define JMPI_SIZE IMMONLY
|
||||
#define JMPR_SIZE REGONLY
|
||||
#define JPAI_SIZE IMMONLY
|
||||
#define JPAR_SIZE REGONLY
|
||||
#define JPBI_SIZE IMMONLY
|
||||
@ -163,6 +166,8 @@ INSTRUCTION SIZES
|
||||
#define JPER_SIZE REGONLY
|
||||
#define JPNI_SIZE IMMONLY
|
||||
#define JPNR_SIZE REGONLY
|
||||
#define RETN_SIZE SINGLE
|
||||
#define SHIT_SIZE SINGLE
|
||||
#define NOPE_SIZE SINGLE
|
||||
#define GRMN_SIZE SINGLE
|
||||
#define DEBG_SIZE SINGLE
|
||||
@ -1,11 +1,13 @@
|
||||
#include "vm.h"
|
||||
#include "debug.h"
|
||||
#include "opcodes.h"
|
||||
#include "vmas.h"
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
void VM::encryptOpcodes(uint8_t *key) {
|
||||
uint8_t arr[256], i, j;
|
||||
uint32_t tmp, keysize;
|
||||
uint8_t arr[256];
|
||||
uint32_t i, j, tmp, keysize;
|
||||
keysize = strlen((char *)key);
|
||||
|
||||
/*
|
||||
@ -25,6 +27,7 @@ void VM::encryptOpcodes(uint8_t *key) {
|
||||
OPS[i] = arr[i];
|
||||
}
|
||||
#ifdef DBG
|
||||
//#TODO ASSEGNARE I NOMI AGLI OPCODES
|
||||
DBG_INFO(("~~~~~~~~~~\nOPCODES:\n"));
|
||||
for (i = 0; i < NUM_OPS; i++) {
|
||||
DBG_INFO(("0x%x: 0x%x\n", i, OPS[i]));
|
||||
@ -149,7 +152,7 @@ VM::VM(uint8_t *key, uint8_t *code, uint32_t codesize) {
|
||||
}
|
||||
|
||||
void VM::initVariables(void) {
|
||||
uint8_t i;
|
||||
uint32_t i;
|
||||
|
||||
for (i = R0; i < NUM_REGS; i++) {
|
||||
this->regs[i] = 0;
|
||||
|
||||
3
vm/vm.h
3
vm/vm.h
@ -18,7 +18,6 @@ private:
|
||||
uint16_t regs[0xb];
|
||||
flags_t flags;
|
||||
|
||||
VMAddrSpace as;
|
||||
////////////////////////
|
||||
// FUNCTIONS
|
||||
///////////////////////
|
||||
@ -33,6 +32,7 @@ private:
|
||||
*/
|
||||
bool execMOVI(void);
|
||||
bool execMOVR(void);
|
||||
bool execMOVM(void);
|
||||
bool execLODI(void);
|
||||
bool execLODR(void);
|
||||
bool execSTRI(void);
|
||||
@ -81,6 +81,7 @@ private:
|
||||
public:
|
||||
VM(uint8_t *key);
|
||||
VM(uint8_t *key, uint8_t *code, uint32_t codesize);
|
||||
VMAddrSpace as;
|
||||
void status(void);
|
||||
void run();
|
||||
};
|
||||
|
||||
Loading…
Reference in New Issue
Block a user