# Pwn2Win 2k17: Baby Regex - Misc


# cat regexbaby_034fa13e17660024b26b6f570aa6b66bba446e2f837c052f012225190387bafa.txt
Open your eyes is all that is needing. The heart lies and the head plays tricks with us, but the eyes see true. Look with your eyes. Hear with your ears. Taste with your mouth. Smell with your nose. Feel with your skin. Then comes the thinking, afterward, and in that way <knowing the truth.
>
Open way to combat the horizon effect is to continue search when an otherwise terminal situation is judged to be particularly dynamic. Such heuristic continuation is sometimes called feedover.

The mind which is created quick to love, is responsive to everything that is pleasing, soon as by pleasure it is awakened into activity. Your apprehensive faculty draws an impression from a real object, and unfolds it within you, so that it makes the mind turn thereto. And if, being turned, it inclines towards it, that inclination is love, for don't say blabla; that is nature, which through pleasure is bound anew within you.

Tune up your circuits, check out your Chips

Because you're going to live a Long Life.
Check the identity card, it shows your code.

Listen to the white noise in your ears - it Fades AWAY.

Watching the sunset on the end of the HIGHWAY ---
City meditation in curving reflections of NEON signs on the Chrome of the Cars.
The WeT Concrete and mirrored Streets recall shows the traffic away,
recalls you to the smell of scratching cloudy sheets.
Billboards and Cholo-Ads above are the unfocused bottle of Time.
Drink it away, FLY to the ORBITAL Fly.
Away to drivin' the ocean of blue-green.
Drivin' away to the ocean of green-blue.
# ipython
> import re
> data = open('regexbaby_034fa13e17660024b26b6f570aa6b66bba446e2f837c052f012225190387bafa.txt').read()
> def check(regex):
... print len(regex)
... print re.findall(regex, data)

# "from "Drivin" until the end of phrase, without using any letter, single quotes or wildcards, and capturing "Drivin'" in a group, and "blue." in another", with max. "16" chars:
> check('(.{7}).+-(.{5})$')
16
[("Drivin'", 'blue.')]

# "(BONUS) What's the name of the big american television channel (current days) that matchs with this regex: .(.)\1", with max. "x" chars:

# "FLY until... Fly", without wildcards or the word "fly" and using backreference", with max. "14" chars:

# "<knowing the truth. >, without using "line break"", with max. "8" chars:
> check('<[^>]+>')
7
['<knowing the truth. \n>']

# "All "Open's", without using that word or [Ope-], and no more than one point", with max. "11" chars:
> check('(?i)(oPEn)')
10
['Open', 'Open']

# "the follow words: "unfolds", "within" (just one time), "makes", "inclines" and "shows" (just one time), without using hyphen, a sequence of letters (two or more) or the words itself", with max. "38" chars:
> check('(?:\s\S{2}d|t)\s([^F]\w{3,7}[n!s])\s')
36
['unfolds', 'within', 'makes', 'inclines', 'shows']

# "Chips" and "code.", and it is only allowed the letter "c" (insensitive)", with max. "15" chars:
> check(' .{32} (.{5})\n')
14
['Chips', 'code.']

# Type the regex that capture: "the only word that repeat itself in the same word, using a group called "a" (and use it!), and the group expression must have a maximum of 3 chars, without using wildcards, plus signal, the word itself or letters different than [Pa]", with max. "16" chars:
> check('(?P<a>..a)(?P=a)')
16
['bla']
# cat baby_regex.py
from pwn import *

qa = {
 'BONUS': 'cnn',
 'knowing the truth': '<[^>]+>',
 'FLY': '(?i)(F.y).+\\1',
 '[Pa]': '(?P<a>..a)(?P=a)',
 '[Ope-]': '(?i)(oPEn)',
 'Drivin': '(.{7}).+-(.{5})$',
 'unfolds': '(?:\s\S{2}d|t)\s([^F]\w{3,7}[n!s])\s',
 'Chips': ' .{32} (.{5})\\n'
}

nqa = len(qa)

host = '200.136.213.148'
port = 5000

correct = 0

while True:
 r = remote(host, port)

 while True:
  q = r.read(1024)
  print q
  if 'CTF-BR' in q: sys.exit(0)
  for k in qa:
   if k in q:
    a = qa[k]
    print 'Sending... ' + a
    r.sendline(a)
    resp = r.readline()
    if 'Nice, next...' in resp:
     correct += 1
     print '[*] OK!', correct
     print
    break
 r.close()

# python baby_regex.py
Type the regex that capture: "Chips" and "code.", and it is only allowed the letter "c" (insensitive)", with max. "15" chars:
Sending...  .{32} (.{5})\n
[*] OK! 1

Type the regex that capture: "<knowing the truth. >, without using "line break"", with max. "8" chars:
Sending... <[^>]+>
[*] OK! 2

Type the regex that capture: "the only word that repeat itself in the same word, using a group called "a" (and use it!), and the group expression must have a maximum of 3 chars, without using wildcards, plus signal, the word itself or letters different than [Pa]", with max. "16" chars:
Sending... (?P<a>..a)(?P=a)
[*] OK! 3

Type the regex that capture: "All "Open's", without using that word or [Ope-], and no more than one point", with max. "11" chars:
Sending... (?i)(oPEn)
[*] OK! 4

Type the regex that capture: "(BONUS) What's the name of the big american television channel (current days) that matchs with this regex: .(.)\1", with max. "x" chars:
Sending... cnn
[*] OK! 5

Type the regex that capture: "from "Drivin" until the end of phrase, without using any letter, single quotes or wildcards, and capturing "Drivin'" in a group, and "blue." in another", with max. "16" chars:
Sending... (.{7}).+-(.{5})$
[*] OK! 6

Type the regex that capture: "the follow words: "unfolds", "within" (just one time), "makes", "inclines" and "shows" (just one time), without using hyphen, a sequence of letters (two or more) or the words itself", with max. "38" chars:
Sending... (?:\s\S{2}d|t)\s([^F]\w{3,7}[n!s])\s
[*] OK! 7

Type the regex that capture: "FLY until... Fly", without wildcards or the word "fly" and using backreference", with max. "14" chars:
Sending... (?i)(F.y).+\1
[*] OK! 8

CTF-BR{Counterintelligence_wants_you!}

References

https://www.regexpal.com
https://www.debuggex.com

# GynvaelEN mission 018


# curl 'http://gynvael.coldwind.pl/c3459750a432b7449b5619e967e4b82d90cfc971_mission018/admin.php?password1=240610708&password2=10932435112'
Welcome back dear admin.
Your flag: I'm not sure this is how equality is supposed to work.

Now try with <a href='superadmin.php'>superadmin.php</a>!
# curl 'http://gynvael.coldwind.pl/c3459750a432b7449b5619e967e4b82d90cfc971_mission018/superadmin.php'
...
if (hash("sha256", $_GET['password']) ==
'0e12345678901234567890123456789012345678901234567890123456789012')
...
_:)

Source

https://www.youtube.com/watch?v=adHOlKKbFXM (2:00:22)

References

https://www.whitehatsec.com/blog/magic-hashes/

# GynvaelEN mission 017


zeros = '\x00'*32

base64.b64encode(zeros)
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='

Cookie: mission017session=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
ivencrypted.encode('hex') = '927a00302d2e13896de885ece9f3445d2de83b880d2043a6ecc6e8bbb0a831dc'

result = ''
new = '{"access_level":"admin"}'
for i in range(len(new)):
 result += chr(ord(new[i]) ^ ord(ivencrypted[i]))

base64.b64encode(result) == 6VhhU05LYPoyhOCajJ9mZw+JX+VkTmHb

Cookie: mission017session=6VhhU05LYPoyhOCajJ9mZw%2BJX%2BVkTmHb
Decrypted cookie data: {"access_level":"admin"}
Flag: HMAC? What do you mean "HMAC"?

Source

https://www.youtube.com/watch?v=9xGgZUMNl2Y (2:05:00)

References

https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

# GynvaelEN mission 016


Wav to image using RX-SSTV

Slow-scan TV is a method to transmit an image over radio using frequency modulation.
This is the partial message that contains the image:

? ? R O N
D I Y M A
U Z ? ? ?
B C K P ?
? ? V W X

Y DHXDMW BQLF KDYNV

Manual decryption

Y D = I A
HX  = ??
DM  = AY
W B = ? P
QL  = ??
F K = ? ?
DY  = IM
NV  = RX

I A??AY? P??? ?AIRX ---> I ALWAYS PLAY FAIRX

Source

https://www.youtube.com/watch?v=locDS3uHv_E (2:03:00)

References

https://en.wikipedia.org/wiki/Slow-scan_television

# EkoParty CTF 2017: OnTheWire (300) - Misc



Introduction

We have sniffed some bytes of a transmission. What does it say?
51 91 51 31 51 71 112 31 51 123 91 71 95 127 121 51 112 95 121 121 91 71 112 126 112 112 95 79 121 121 95 51 91 71 112 123 121 126 112 91 112 109 91 71 95 51 121 48 112 121 112 126 95 78 121 51 112 123 112 61

Hint
You will see the flag in a lcd display

Solution

# cat onthewire.py

bytes = [51, 91, 51, 31, 51, 71, 112, 31, 51, 123, 91, 71, 95, 127, 121, 51, 112, 95, 121, 121, 91, 71, 112, 126, 112, 112, 95, 79, 121, 121, 95, 51, 91, 71, 112, 123, 121, 126, 112, 91, 112, 109, 91, 71, 95, 51, 121, 48, 112, 121, 112, 126, 95, 78, 121, 51, 112, 123, 112, 61]

r = ''
table = {}

for b in bytes:
 if hex(b) not in table:
  letter = raw_input(hex(b) + '? ')
  table[hex(b)] = letter
 else:
  letter = table[hex(b)]
 r += letter

print r.decode('hex')

# python onthewire.py
0x33? 4
0x5b? 5
0x1f? b
0x47? f
0x70? 7
0x7b? 9
0x5f? 6
0x7f? 8
0x79? 3
0x7e? 0
0x4f? e
0x6d? 2
0x30? 1
0x4e? c
0x3d? d
EKO{I_h4v3_pwn3d_y0ur_d1spl4y}

Reference

https://en.wikichip.org/wiki/seven-segment_display/representing_letters

# GynvaelEN mission 015


# cat mission_15.py
import hashlib
import itertools
import png
import numpy as np

r = png.Reader(file = open('leak.png'))
(width, height, iterator, info) = r.read()

b = [0] * width

for i in iterator:
 row = i.tolist()
 for i in xrange(0, len(row), 3):
  value = row[i:i + 3]
  if value == [255, 0, 0]:
   b[i / 3] += 1

print ''.join([chr(c) for c in b])

hashes = [
 'e6d9fe6df8fd2a07ca6636729d4a615a',
 '273e97dc41693b152c71715d099a1049',
 'bd014fafb6f235929c73a6e9d5f1e458',
 'ab892a96d92d434432d23429483c0a39',
 'b56a807858d5948a4e4604c117a62c2d'
]

alphabet = ' !ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

password = [' '] * 5
counter = 0

for result in itertools.product(alphabet, repeat = 5):
 word = ''.join(list(result))
 m = hashlib.md5()
 m.update(word)
 hd = m.hexdigest()
 if hd in hashes:
  pos = hashes.index(hd)
  print pos, word
  password[pos] = word
  counter += 1
  if counter == 5: break

print ''.join(password)

# python mission_15.py
<?php

if (!isset($_GET['password']) || !is_string($_GET['password'])) {
  die("bad password");
}

$p = $_GET['password'];

if (strlen($p) !== 25) {
  die("bad password");
}

if (md5($p) !== 'e66c97b8837d0328f3e5522ebb058f85') {
  die("bad password");
}

// Split the password in five and check the pieces.
// We need to be sure!
$values = array(
  0 => 'e6d9fe6df8fd2a07ca6636729d4a615a',
  5 => '273e97dc41693b152c71715d099a1049',
  10 => 'bd014fafb6f235929c73a6e9d5f1e458',
  15 => 'ab892a96d92d434432d23429483c0a39',
  20 => 'b56a807858d5948a4e4604c117a62c2d'
);

for ($i = 0; $i < 25; $i += 5) {
  if (md5(substr($p, $i, 5)) !== $values[$i]) {
    die("bad password");
  }
}

die("GW!");

2  are
0 Pie c
3 delic
1 harts
4 ious!
Pie charts are delicious!

Source

https://www.youtube.com/watch?v=BQRX3owv2JI (1:57:30)

# GynvaelEN mission 014


# cat mission_14.py
w = 57
h = 25

directions = {
'EAST':  (1, 0),
'NORTH': (0, -1),
'WEST':  (-1, 0),
'SOUTH': (0, 1)
}

# smap[y][x] = '#'
smap = [[' ' for x in range(w)] for y in range(h)]
stack = []

x = 0
y = 9

log  = open('log.txt').read().splitlines()

for line in log:
 if 'Trying' in line:
  d = directions[line.split()[1]]
 elif 'step' in line:
  stack.append((d[0], d[1]))
  x += d[0]
  y += d[1]
  smap[y][x] = '#'
 elif 'back' in line:
  d = stack.pop()
  x -= d[0]
  y -= d[1]

for i in smap: print ''.join(i)

# python mission_14.py

 # # #####  # ########## # # ### ## ####### #######  # #
 # # # # #  #    #    #  # # # ####       # #     ## # #
 ### # # ########## #### # #      # # # ### # ### #  # #
 # #         #    #      # ########## # #   #   #    # #
 # ####### # #  # #### ### #        # # # # ########## #
 #   #   # ###### #  ####  ## ##### #########   #      #
 ### # # # ## # # ##    ####  #  #  #   #   # # ## ## ##
     # # #    #    # ## #  # ##  ###### # #   #  #  ###
 ####### ###########  #### # #   #  #   ######## ####
   #
   #  ##################################################
 #### ##################################################
 #  # ####   ############    ############  ######    ###
 ## # ####  ############      ###########  #####  ##  ##
 #  # ###  ######  #  ##      ###########  #  ##  ##  ##
 # ## ##     #####   ###      ##      ###  #  ######  ##
 #    ##      ##       #      ###########  #  #####  ###
 #### ##      ####   ####     ##      ##  ##  ####  ####
    # ##      ###  #  #####  ###########       ##  #####
 #### ##      ############  ################  ##  ######
 #    ###    ############   ################  ##      ##
 # #  ##################################################
 #######################################################

Source

https://www.youtube.com/watch?v=rhsH-snYkIc (1:55:36)

# GynvaelEN mission 013


# cat parser.py
import sys

def rld(d):
      if '*' in d:
            i = d.index('*')
            c = d[i - 1]
            n = ord(d[i + 1]) - 28
            d = rld(d[:i - 1] + (c * n) + d[i + 2:])
      return d

def vfile(fd, files, line):
      if 'vFile:open' in line:
            next_line = data[i + 1].split('#')[0]
            if 'F-1' not in next_line:
                  name = line.split(':')[2].split(',')[0]
                  num = next_line[1:]
                  fd[num] = name
                  if name not in files:
                        files[name] = []
      elif 'vFile:close' in line:
            num = line.split(':')[2]
            fd[num] = ''
      elif 'vFile:pread' in line:
            num = line.split(':')[2].split(',')[0]
            offset = int('0x' + line.split(':')[2].split(',')[2], 16)
            next_line = data[i + 1].split('#')[0]
            d = rld(''.join(next_line.split(';')[1:]))
            name = fd[num]
            files[name].append({'offset': offset, 'data': d})

def memory(files, line, mem):
      if mem in line:
            offset = int('0x' + line.split(',')[0][1:].replace(mem, ''), 16)
            next_line = data[i + 1].split('#')[0]
            d = rld(next_line).decode('hex')
            files[mem].append({'offset': offset, 'data': d})

def write(files):
      for name in files:
            with open(name + '.bin', 'wb') as f:
                  for reg in files[name]:
                        f.seek(reg['offset'])
                        f.write(reg['data'])
fd = {}
files = {}

fn = sys.argv[1]

with open(fn) as f:
      data = f.read().split('$')

action = sys.argv[2]

if action == 'memory':
      mem = sys.argv[3]
      files[mem] = []

i = 0
while i < len(data):
      line = data[i].split('#')[0]
      if action == 'vfile':
            vfile(fd, files, line)
      elif action == 'memory':
            memory(files, line, mem)
      i += 1

write(files)

# tshark -nr session.pcapng -T fields -e data -qz follow,tcp,raw,3|tail -n +7| tr -d '=\r\n\t'|less|xxd -r -p > follow_tcp_stream3

# python parser.py follow_tcp_stream3 vfile

# ls 2f*
2f6c69622f7838365f36342d6c696e75782d676e752f6c642d322e32342e736f.bin
2f6c696236342f6c642d6c696e75782d7838362d36342e736f2e32.bin
2f6d656469612f73665f425f44524956452f73747265616d2d6c697665636f64696e672f6d697373696f6e732f6d697373696f6e3031335f66696c65732f612e6f7574.bin
2f70726f632f353937392f6d617073.bin
2f70726f632f353937392f706572736f6e616c697479.bin
2f70726f632f353937392f7461736b2f353937392f6d617073.bin
2f70726f632f7379732f6b65726e656c2f72616e646f6d697a655f76615f7370616365.bin

# cat 2f70726f632f353937392f6d617073.bin
555555554000-555555555000 r-xp 00000000 00:2a 5868                       /media/sf_B_DRIVE/stream-livecoding/missions/mission013_files/a.out
555555754000-555555756000 rw-p 00000000 00:2a 5868                       /media/sf_B_DRIVE/stream-livecoding/missions/mission013_files/a.out
7ffff7dd7000-7ffff7dfc000 r-xp 00000000 08:01 14942250                   /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffe000 rw-p 00025000 08:01 14942250                   /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

# python parser.py follow_tcp_stream3 memory 55555555

# r2 55555555.bin
[0x00000000]> s 0x00004831
[0x00004831]> pd 44
            0x00004831      48c785a8feff.  mov qword [rbp - 0x158], 0
        .-> 0x0000483c      488b85a8feff.  mov rax, qword [rbp - 0x158]
        |   0x00004843      483b85b8feff.  cmp rax, qword [rbp - 0x148]
       ,==< 0x0000484a      0f83b9000000   jae 0x4909
       ||   0x00004850      488d95f0feff.  lea rdx, qword [rbp - 0x110]
       ||   0x00004857      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x0000485e      4801d0         add rax, rdx                ; '('
       ||   0x00004861      0fb600         movzx eax, byte [rax]
       ||   0x00004864      83f05a         xor eax, 0x5a
       ||   0x00004867      89c1           mov ecx, eax
       ||   0x00004869      488d95f0feff.  lea rdx, qword [rbp - 0x110]
       ||   0x00004870      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x00004877      4801d0         add rax, rdx                ; '('
       ||   0x0000487a      8808           mov byte [rax], cl
       ||   0x0000487c      488d95f0feff.  lea rdx, qword [rbp - 0x110]
       ||   0x00004883      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x0000488a      4801d0         add rax, rdx                ; '('
       ||   0x0000488d      0fb600         movzx eax, byte [rax]
       ||   0x00004890      8d5063         lea edx, dword [rax + 0x63] ; 0x63 ; 'c'
       ||   0x00004893      488d8df0feff.  lea rcx, qword [rbp - 0x110]
       ||   0x0000489a      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x000048a1      4801c8         add rax, rcx                ; '&'
       ||   0x000048a4      8810           mov byte [rax], dl
       ||   0x000048a6      488d95f0feff.  lea rdx, qword [rbp - 0x110]
       ||   0x000048ad      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x000048b4      4801d0         add rax, rdx                ; '('
       ||   0x000048b7      0fb600         movzx eax, byte [rax]
       ||   0x000048ba      83f05a         xor eax, 0x5a
       ||   0x000048bd      89c1           mov ecx, eax
       ||   0x000048bf      488d95f0feff.  lea rdx, qword [rbp - 0x110]
       ||   0x000048c6      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x000048cd      4801d0         add rax, rdx                ; '('
       ||   0x000048d0      8808           mov byte [rax], cl
       ||   0x000048d2      488d95f0feff.  lea rdx, qword [rbp - 0x110]
       ||   0x000048d9      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x000048e0      4801d0         add rax, rdx                ; '('
       ||   0x000048e3      0fb600         movzx eax, byte [rax]
       ||   0x000048e6      8d5063         lea edx, dword [rax + 0x63] ; 0x63 ; 'c'
       ||   0x000048e9      488d8df0feff.  lea rcx, qword [rbp - 0x110]
       ||   0x000048f0      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x000048f7      4801c8         add rax, rcx                ; '&'
       ||   0x000048fa      8810           mov byte [rax], dl
       ||   0x000048fc      488385a8feff.  add qword [rbp - 0x158], 1
       |`=< 0x00004904      e933ffffff     jmp 0x483c
[0x00004831]> s 0x4909
[0x00004909]> pd 58
            0x00004909      c685c0feffff.  mov byte [rbp - 0x140], 0x8e
            0x00004910      c685c1feffff.  mov byte [rbp - 0x13f], 0x32 ; '2'
            0x00004917      c685c2feffff.  mov byte [rbp - 0x13e], 0x2f ; '/'
            0x0000491e      c685c3feffff.  mov byte [rbp - 0x13d], 0x39 ; '9'
            0x00004925      c685c4feffff.  mov byte [rbp - 0x13c], 0xea
            0x0000492c      c685c5feffff.  mov byte [rbp - 0x13b], 0x2d ; '-'
            0x00004933      c685c6feffff.  mov byte [rbp - 0x13a], 0x27 ; '''
            0x0000493a      c685c7feffff.  mov byte [rbp - 0x139], 0x39 ; '9'
            0x00004941      c685c8feffff.  mov byte [rbp - 0x138], 0xea
            0x00004948      c685c9feffff.  mov byte [rbp - 0x137], 0x27 ; '''
            0x0000494f      c685cafeffff.  mov byte [rbp - 0x136], 0xea
            0x00004956      c685cbfeffff.  mov byte [rbp - 0x135], 0x88
            0x0000495d      c685ccfeffff.  mov byte [rbp - 0x134], 0x25 ; '%'
            0x00004964      c685cdfeffff.  mov byte [rbp - 0x133], 0x94
            0x0000496b      c685cefeffff.  mov byte [rbp - 0x132], 0x3b ; ';'
            0x00004972      c685cffeffff.  mov byte [rbp - 0x131], 0x30 ; '0'
            0x00004979      c685d0feffff.  mov byte [rbp - 0x130], 0x39 ; '9'
            0x00004980      c685d1feffff.  mov byte [rbp - 0x12f], 0x2f ; '/'
            0x00004987      c685d2feffff.  mov byte [rbp - 0x12e], 0x29 ; ')'
            0x0000498e      c685d3feffff.  mov byte [rbp - 0x12d], 0x39 ; '9'
            0x00004995      c685d4feffff.  mov byte [rbp - 0x12c], 0xea
            0x0000499c      c685d5feffff.  mov byte [rbp - 0x12b], 0x2e ; '.'
            0x000049a3      c685d6feffff.  mov byte [rbp - 0x12a], 0x27 ; '''
            0x000049aa      c685d7feffff.  mov byte [rbp - 0x129], 0x39 ; '9'
            0x000049b1      c685d8feffff.  mov byte [rbp - 0x128], 0x31 ; '1'
            0x000049b8      c685d9feffff.  mov byte [rbp - 0x127], 0xea
            0x000049bf      c685dafeffff.  mov byte [rbp - 0x126], 0x8f
            0x000049c6      c685dbfeffff.  mov byte [rbp - 0x125], 0xea
            0x000049cd      c685dcfeffff.  mov byte [rbp - 0x124], 0x5d ; ']'
            0x000049d4      c685ddfeffff.  mov byte [rbp - 0x123], 0x2b ; '+'
            0x000049db      c685defeffff.  mov byte [rbp - 0x122], 0x5b ; '['
            0x000049e2      c685dffeffff.  mov byte [rbp - 0x121], 0x39 ; '9'
            0x000049e9      c685e0feffff.  mov byte [rbp - 0x120], 0x39 ; '9'
            0x000049f0      c685e1feffff.  mov byte [rbp - 0x11f], 0xf0
            0x000049f7      48c785b0feff.  mov qword [rbp - 0x150], 0
        .-> 0x00004a02      488b85b0feff.  mov rax, qword [rbp - 0x150]
        |   0x00004a09      483b85b8feff.  cmp rax, qword [rbp - 0x148]
       ,==< 0x00004a10      7349           jae 0x4a5b
       ||   0x00004a12      488d95c0feff.  lea rdx, qword [rbp - 0x140]
       ||   0x00004a19      488b85b0feff.  mov rax, qword [rbp - 0x150]
       ||   0x00004a20      4801d0         add rax, rdx                ; '('
       ||   0x00004a23      0fb610         movzx edx, byte [rax]
       ||   0x00004a26      488d8df0feff.  lea rcx, qword [rbp - 0x110]
       ||   0x00004a2d      488b85b0feff.  mov rax, qword [rbp - 0x150]
       ||   0x00004a34      4801c8         add rax, rcx                ; '&'
       ||   0x00004a37      0fb600         movzx eax, byte [rax]
       ||   0x00004a3a      38c2           cmp dl, al
      ,===< 0x00004a3c      7413           je 0x4a51
      |||   0x00004a3e      488d3dd80000.  lea rdi, qword 0x00004b1d   ; 0x4b1d
      |||   0x00004a45      e8e6fbffff     call 0x4630
      |||   0x00004a4a      b803000000     mov eax, 3
     ,====< 0x00004a4f      eb1b           jmp 0x4a6c
     |`---> 0x00004a51      488385b0feff.  add qword [rbp - 0x150], 1
     | |`=< 0x00004a59      eba7           jmp 0x4a02
     | `--> 0x00004a5b      488d3dc00000.  lea rdi, qword 0x00004b22   ; 0x4b22
     |      0x00004a62      e8c9fbffff     call 0x4630
     |      0x00004a67      b800000000     mov eax, 0
     `----> 0x00004a6c      488b75f8       mov rsi, qword [rbp - 8]

# ipython
In [1]: table = [0x8e, 0x32, 0x2f, 0x39, 0xea, 0x2d, 0x27, 0x39, 0xea, 0x27, 0xea, 0x88, 0x25, 0x94, 0x3b, 0x30, 0x39, 0x2f, 0x29, 0x39, 0xea, 0x2e, 0x27, 0x39, 0x31, 0xea, 0x8f, 0xea, 0x5d, 0x2b, 0x5b, 0x39, 0x39, 0xf0]
   ...: r = ''
   ...: for e in table:
   ...:     r += chr(((((e - 0x63) ^ 0x5a) - 0x63) ^ 0x5a) & 0xff)
   ...: print r
   ...:
This was a FoREnsics task I guess.

Source

https://www.youtube.com/watch?v=7zTtVYjjquA (1:58:10)

Reference

https://sourceware.org/gdb/onlinedocs/gdb/Remote-Protocol.html

# GynvaelEN mission 012


# curl -s http://www.computer-engineering.org/ps2keyboard/scancodes2.html | tr [:upper:] [:lower:] > scan_codes.html
# for i in 12 1b 1c 23 24 29 2c 2d 31 32 35 41 42 43 44 49 4d 52 58 59; do result=`cat scan_codes.html | grep '<tt>' | grep -m1 -B1 "<tt>$i</tt>" | sed 's/<[^>]*>//g' | tr -d ' '| tr -d '\r'`;  key=`echo "$result" | tail -n1`; value=`echo "$result" | head -n1`; echo "0x$key: '$value',"; done
0x12: 'lshft',
0x1b: 's',
0x1c: 'a',
0x23: 'd',
0x24: 'e',
0x29: 'space',
0x2c: 't',
0x2d: 'r',
0x31: 'n',
0x32: 'b',
0x35: 'y',
0x41: ',',
0x42: 'k',
0x43: 'i',
0x44: 'o',
0x49: '.',
0x4d: 'p',
0x52: ''',
0x58: 'caps',
0x59: 'rshft'

# cat keylogger.py
'''
0x58 0xf0 0x58
0x1b 0xf0 0x1b
0x58 0xf0 0x58
0x44 0xf0 0x44
0x2d 0xf0 0x2d
0x2d 0xf0 0x2d
0x35 0xf0 0x35
0x41 0xf0 0x41
0x29 0xf0 0x29
0x59 0x43 0xf0 0x43 0xf0 0x59
0x29 0xf0 0x29
0x23 0xf0 0x23
0x44 0xf0 0x44
0x31 0xf0 0x31
0x52 0xf0 0x52
0x2c 0xf0 0x2c
0x29 0xf0 0x29
0x1b 0xf0 0x1b
0x4d 0xf0 0x4d
0x24 0xf0 0x24
0x1c 0xf0 0x1c
0x42 0xf0 0x42
0x29 0xf0 0x29
0x12 0x42 0xf0 0x42 0xf0 0x12
0x24 0xf0 0x24
0x35 0xf0 0x35
0x32 0xf0 0x32
0x44 0xf0 0x44
0x1c 0xf0 0x1c
0x2d 0xf0 0x2d
0x23 0xf0 0x23
0x49 0xf0 0x49
'''

# Scan Codes
sc = {
   0x12: 'lshft',
   0x1b: 's',
   0x1c: 'a',
   0x23: 'd',
   0x24: 'e',
   0x29: ' ',
   0x2c: 't',
   0x2d: 'r',
   0x31: 'n',
   0x32: 'b',
   0x35: 'y',
   0x41: ',',
   0x42: 'k',
   0x43: 'i',
   0x44: 'o',
   0x49: '.',
   0x4d: 'p',
   0x52: '\'',
   0x58: 'caps',
   0x59: 'rshft'
}

data = [0x58, 0xf0, 0x58, 0x1b, 0xf0, 0x1b, 0x58, 0xf0, 0x58, 0x44, 0xf0, 0x44, 0x2d, 0xf0, 0x2d, 0x2d, 0xf0, 0x2d, 0x35, 0xf0, 0x35, 0x41, 0xf0, 0x41, 0x29, 0xf0, 0x29, 0x59, 0x43, 0xf0, 0x43, 0xf0, 0x59, 0x29, 0xf0, 0x29, 0x23, 0xf0, 0x23, 0x44, 0xf0, 0x44, 0x31, 0xf0, 0x31, 0x52, 0xf0, 0x52, 0x2c, 0xf0, 0x2c, 0x29, 0xf0, 0x29, 0x1b, 0xf0, 0x1b, 0x4d, 0xf0, 0x4d, 0x24, 0xf0, 0x24, 0x1c, 0xf0, 0x1c, 0x42, 0xf0, 0x42, 0x29, 0xf0, 0x29, 0x12, 0x42, 0xf0, 0x42, 0xf0, 0x12, 0x24, 0xf0, 0x24, 0x35, 0xf0, 0x35, 0x32, 0xf0, 0x32, 0x44, 0xf0, 0x44, 0x1c, 0xf0, 0x1c, 0x2d, 0xf0, 0x2d, 0x23, 0xf0, 0x23, 0x49, 0xf0, 0x49]

may = False
shift = False
stack = []

decoded = ''

for i in data:
   #print i
   if i != 240:
      letter = sc[i]
      #print letter, stack
      if letter in stack:
         stack.remove(letter)
      else:
         stack.append(letter)
         if letter == 'caps': may = not may
         elif 'shft' in letter: shift = True
         else:
            if may:
               decoded += letter.upper()
            elif shift:
               decoded += letter.upper()
               shift = False
            else:
               decoded += letter

print decoded
# python keylogger.py
Sorry, I don't speak Keyboard.

Source

https://www.youtube.com/watch?v=4Xo_FAx6P0A (1:51:20)

Done in collaboration

https://atorralba.github.io/

# GynvaelEN mission 011


# cat mission_11-firmware.txt
# Number of arguments this code object expects
co_argcount 1
# Tuple of constant objects
co_consts (None, '4e5d4e92865a4e495a86494b5a5d49525261865f5758534d4a89', 'hex', 89, 255, 115, 50)
# Flags
co_flags 67
# Function name
co_name check_password
# Names used
co_names ('decode', 'len', 'False', 'all', 'zip', 'ord')
# Number of local variables
co_nlocals 4
# The depth of the stack
co_stacksize 6
# Argument names
co_varnames ('s', 'good', 'cs', 'cg')

      0 LOAD_CONST          1  stack[0] = '4e5d4e92865a4e495a86494b5a5d49525261865f5758534d4a89'
      3 LOAD_ATTR           0  names[0] # decode
      6 LOAD_CONST          2  stack[1] = 'hex'
      9 CALL_FUNCTION       1  stack[0] = 'N]N\x92\x86ZNIZ\x86IKZ]IRRa\x86_WXSMJ\x89' # 26
     12 STORE_FAST          1  good = 'N]N\x92\x86ZNIZ\x86IKZ]IRRa\x86_WXSMJ\x89' # 26; stack is empty
     15 LOAD_GLOBAL         1  stack[0] = 'len'
     18 LOAD_FAST           0  stack[1] = 's'
     21 CALL_FUNCTION       1  ?; stack is empty
     24 LOAD_GLOBAL         1  stack[0] = 'len'
     27 LOAD_FAST           1  stack[1] = 'good'
     30 CALL_FUNCTION       1  26; stack is empty
     33 COMPARE_OP          3 (!=) len(s) != len(goog)
     36 POP_JUMP_IF_FALSE  43    if eq goto 43
     39 LOAD_GLOBAL         2    else stack[0] = 'False'
     42 RETURN_VALUE   return 'False'
>>   43 LOAD_GLOBAL         3    stack[0] = 'all'
     46 BUILD_LIST          0    stack[0] = ['all']
     49 LOAD_GLOBAL         4    stack[1] = 'zip'
     52 LOAD_FAST           0    stack[2] = 's'
     55 LOAD_FAST           1    stack[3] = 'good'
     58 CALL_FUNCTION       2    stack[0] = zip(s, good)
     61 GET_ITER      stack[0] = iter(zip(s, good))
>>   62 FOR_ITER           52 (to 117)
     65 UNPACK_SEQUENCE     2    stack[1] = s[i], good[i]
     68 STORE_FAST          2    cs = s[i]
     71 STORE_FAST          3    cg = good[i]
     74 LOAD_GLOBAL         5    stack[0] = 'ord'
     77 LOAD_FAST           2    stack[1] = cs
     80 CALL_FUNCTION       1    stack[0] = ord(cs)
     83 LOAD_CONST          3    stack[1] = 89
     86 BINARY_SUBTRACT     stack[0] = ord(cs) - 89
     87 LOAD_CONST          4    stack[1] = 255
     90 BINARY_AND      stack[0] = (ord(cs) - 89) & 255
     91 LOAD_CONST          5    stack[1] = 115
     94 BINARY_XOR      stack[0] = ((ord(cs) - 89) & 255) ^ 115
     95 LOAD_CONST          6    stack[1] = 50
     98 BINARY_XOR      stack[0] = (((ord(cs) - 89) & 255) ^ 115) ^ 50
     99 LOAD_GLOBAL         5    stack[1] = 'ord'
    102 LOAD_FAST           3    stack[2] = cg
    105 CALL_FUNCTION       1    stack[1] = ord(cg)
    108 COMPARE_OP          2 (==)  computed_cg == cg
    111 LIST_APPEND         2
    114 JUMP_ABSOLUTE      62    goto 62
>>  117 CALL_FUNCTION       1
    120 RETURN_VALUE

# cat mission_11.py
password = ''

for i in '4e5d4e92865a4e495a86494b5a5d49525261865f5758534d4a89'.decode('hex'):
    password += chr(255 & (89 + (ord(i) ^ 50 ^ 115)))

print password

# python mission_11.py
huh, that actually worked!

Source

https://www.youtube.com/watch?v=s5gOW-N9AAo (1:46:20)