Adds working config and some data

Creates a working configuration for the site. The writeups directory lists the different ctfs and each ctfs list every challenge inside of it. Also adds two ctfs to the writeups used to setup the site.
2025-06-25 19:49:06 +02:00
parent bdda221795
commit 44f9f21fc7
40 changed files with 875 additions and 2 deletions
@@ -0,0 +1,3 @@
+set confirm off
+set pagination off
+new-ui mi2 /dev/pts/4
@@ -0,0 +1,31 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+
+char * encode(char *);
+
+int main(void){
+	char passwd[17] = {0};
+	char *res = NULL;
+	int test;
+	long int part1 = 0x7b3f3a454d58604d;
+	long int part2 = 0x39485a4069796e5b;
+	for(int c = 0; c < 16; c++){
+		for(int i = 0; i < 256; ++i){
+			passwd[c] = (char) i;
+			res = encode(passwd);
+			if(c < 9){
+				test = memcmp(res, &part1, c+1);
+			}else{
+				test = memcmp(res+8, &part2, c-7);
+			}
+			if(test == 0){
+				printf("%c", (char) i);
+				break;
+			}
+		}
+	}
+	return 0;
+}
@@ -0,0 +1,51 @@
+encoded_out = open("workdir/decompiled_main.txt")
+content = encoded_out.readlines()
+
+
+main = """
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+
+char * encode(char*);
+
+int main(void){
+    int count = 0;
+	char passwd[17] = {0};
+	char *res = NULL;
+	int test;
+    long int part1 = """ + content[20][17:-1] + """
+    long int part2 = """ + content[21][17:-1] + """ 
+	for(int c = 0; c < 16; c++){
+		for(int i = 0; i < 256; ++i){
+			passwd[c] = (char) i;
+			res = encode(passwd);
+			if(c < 9){
+				test = memcmp(res, &part1, c+1);
+			}else{
+				test = memcmp(res+8, &part2, c-7);
+			}
+			if(test == 0){
+                count++;
+				printf("%c", (char) i);
+				break;
+			}
+		}
+	}
+    if(count == 16){
+        return 0;
+    }
+	return 1;
+}
+"""
+encoded_out.close()
+
+#encoder = open("workdir/decompiled_encode.c")
+#main += encoder.read()
+#encoder.close()
+
+main_file = open("workdir/main.c", "wt")
+main_file.write(main)
+main_file.close()
@@ -0,0 +1,19 @@
+from ghidra.app.decompiler import DecompInterface
+from ghidra.util.task import ConsoleTaskMonitor
+
+program = getCurrentProgram()
+ifc = DecompInterface()
+ifc.openProgram(program)
+
+f = open("workdir/decompiled_main.txt", "at")
+g = open("workdir/decompiled_encode.c", "at")
+g.write("#include <stdlib.h>\n#include <stdint.h>")
+fm = currentProgram.getFunctionManager()
+funcs = fm.getFunctions(True) # True means 'forward'
+for func in funcs: 
+    if func.getName() == "FUN_00101169":
+        f.write(ifc.decompileFunction(func, 0, ConsoleTaskMonitor()).getDecompiledFunction().getC())
+    elif func.getName() == "FUN_0010123f":
+        g.write(ifc.decompileFunction(func, 0, ConsoleTaskMonitor()).getDecompiledFunction().getC())
+f.close()
+g.close()
@@ -0,0 +1,24 @@
+import socket
+
+passwd_f = open("workdir/passwd.txt")
+passwd = passwd_f.read()
+passwd_f.close()
+token_f = open("workdir/token.txt")
+token = token_f.read()
+token_f.close()
+
+if len(passwd) != 16:
+    print("Fail")
+    quit()
+
+print(f"Passwd : {passwd}")
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(("challenges.404ctf.fr", 31999))
+print(s.recv(4096).decode())
+token += "\n"
+s.send(token.encode())
+print(s.recv(4096).decode())
+passwd += "\n"
+s.send(passwd.encode())
+print(s.recv(4096).decode())
+#nc challenges.404ctf.fr 31999
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+rm -rf workdir 
+mkdir workdir
+cd workdir
+mkdir ghtest
+
+timeout 3s nc challenges.404ctf.fr 31998 > chall.zip
+#if (( `file chall.zip` = 'chall.zip : empty' )); then
+#	exit 1
+#fi
+unzip chall.zip
+cd ..
+/home/furtest/application/ghidra_10.4_PUBLIC/support/analyzeHeadless workdir/ghtest testghidra -import workdir/crackme.bin -postScript decompile.py
+sed -i 's/byte/char/g' workdir/decompiled_encode.c
+sed -i 's/void/char/g' workdir/decompiled_encode.c 
+sed -i 's/FUN_0010123f/encode/g' workdir/decompiled_encode.c
+#sed -i 's/long/char */g' workdir/decompiled_encode.c
+python3 bruteforce_gen.py
+gcc workdir/main.c workdir/decompiled_encode.c -o workdir/bruteforce
+./workdir/bruteforce > workdir/passwd.txt
+python3 send.py
+#rm -rf 'workdir'
@@ -0,0 +1,29 @@
+#include <stdlib.h>
+#include <stdint.h>
+char * encode(long param_1)
+
+{
+  char bVar1;
+  char bVar2;
+  char *pvVar3;
+  int local_c;
+  
+  pvVar3 = malloc(0x10);
+  for (local_c = 0; local_c < 0x10; local_c = local_c + 1) {
+    bVar1 = *(char *)(param_1 + local_c);
+    bVar2 = bVar1 ^ (char)(((int)(uint)bVar1 >> 6 & (int)(uint)bVar1 >> 5 & 1U) << 3) ^
+            (char)((bVar1 >> 6 & 1) << 2);
+    bVar2 = bVar2 ^ (char)((bVar2 >> 2 & 1) << 5) ^ 4;
+    bVar2 = bVar2 ^ (char)(((int)(uint)bVar2 >> 5 & (int)(uint)bVar2 >> 4 & 1U) << 3);
+    bVar2 = bVar2 ^ (char)(((int)(uint)bVar2 >> 3 & bVar2 & 1) << 2) ^ 1 ^
+            (char)((bVar1 >> 6 & 1) << 4) ^ 0x10;
+    bVar2 = bVar2 ^ (bVar1 >> 7 & (char)((int)(uint)bVar2 >> 6) & 1) * '\x02';
+    bVar2 = bVar2 ^ (char)(((int)(uint)bVar2 >> 3 & (int)(uint)bVar2 >> 1 & 1U) << 5) ^ 8;
+    bVar2 = bVar2 ^ (char)((bVar2 >> 3 & 1) << 5);
+    *(char *)((long)local_c + (long)pvVar3) =
+         bVar2 ^ (char)(((uint)(bVar1 >> 7) & (int)(uint)bVar2 >> 4 & 1U) << 2) ^ 0x10 ^
+         (bVar2 >> 5) << 7 ^ 2;
+  }
+  return pvVar3;
+}
+
@@ -0,0 +1,41 @@
+
+undefined8 FUN_00101169(int param_1,long param_2)
+
+{
+  int iVar1;
+  undefined8 uVar2;
+  size_t sVar3;
+  void *__s1;
+  undefined8 local_28;
+  undefined8 local_20;
+  int local_c;
+  
+  if (param_1 < 2) {
+    puts("J\'ai besoin d\'un argument!");
+    uVar2 = 1;
+  }
+  else {
+    sVar3 = strlen(*(char **)(param_2 + 8));
+    local_c = (int)sVar3;
+    if (local_c == 0x10) {
+      local_28 = 0x46f0b8f4eff0544d;
+      local_20 = 0x5fb844f850e415f3;
+      __s1 = (void *)FUN_0010123f(*(undefined8 *)(param_2 + 8));
+      iVar1 = memcmp(__s1,&local_28,0x10);
+      if (iVar1 == 0) {
+        puts("GG!");
+        uVar2 = 0;
+      }
+      else {
+        puts("Dommage... Essaie encore!");
+        uVar2 = 1;
+      }
+    }
+    else {
+      puts(&DAT_00102028);
+      uVar2 = 1;
+    }
+  }
+  return uVar2;
+}
+
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FILE_INFO>
+    <BASIC_INFO>
+        <STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="Program" />
+        <STATE NAME="PARENT" TYPE="string" VALUE="/" />
+        <STATE NAME="FILE_ID" TYPE="string" VALUE="7f0118e054057717349298" />
+        <STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
+        <STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
+        <STATE NAME="NAME" TYPE="string" VALUE="crackme.bin" />
+    </BASIC_INFO>
+</FILE_INFO>
@@ -0,0 +1,4 @@
+VERSION=1
+/
+NEXT-ID:0
+MD5:d41d8cd98f00b204e9800998ecf8427e
@@ -0,0 +1,5 @@
+VERSION=1
+/
+  00000000:crackme.bin:7f0118e054057717349298
+NEXT-ID:1
+MD5:d41d8cd98f00b204e9800998ecf8427e
@@ -0,0 +1,2 @@
+IADD:00000000:/crackme.bin
+IDSET:/crackme.bin:7f0118e054057717349298
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FILE_INFO>
+    <BASIC_INFO>
+        <STATE NAME="OWNER" TYPE="string" VALUE="furtest" />
+    </BASIC_INFO>
+</FILE_INFO>
@@ -0,0 +1,4 @@
+VERSION=1
+/
+NEXT-ID:0
+MD5:d41d8cd98f00b204e9800998ecf8427e
@@ -0,0 +1,4 @@
+VERSION=1
+/
+NEXT-ID:0
+MD5:d41d8cd98f00b204e9800998ecf8427e
@@ -0,0 +1,4 @@
+VERSION=1
+/
+NEXT-ID:0
+MD5:d41d8cd98f00b204e9800998ecf8427e
@@ -0,0 +1,37 @@
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+
+char * encode(char*);
+
+int main(void){
+    int count = 0;
+	char passwd[17] = {0};
+	char *res = NULL;
+	int test;
+    long int part1 = 0x46f0b8f4eff0544d;
+    long int part2 = 0x5fb844f850e415f3; 
+	for(int c = 0; c < 16; c++){
+		for(int i = 0; i < 256; ++i){
+			passwd[c] = (char) i;
+			res = encode(passwd);
+			if(c < 9){
+				test = memcmp(res, &part1, c+1);
+			}else{
+				test = memcmp(res+8, &part2, c-7);
+			}
+			if(test == 0){
+                count++;
+				printf("%c", (char) i);
+				break;
+			}
+		}
+	}
+    if(count == 16){
+        return 0;
+    }
+	return 1;
+}
@@ -0,0 +1 @@
+vKOTc7OqH2sgkS7l
@@ -0,0 +1 @@
+15e49d93918b820dc0d629ea65303531