finish 6.6

src/writeup/6.6_re_xhpctf2017_dont_panic/dont_panic.cpp

@@ -0,0 +1,69 @@
+#include <iostream>
+#include <fstream>
+#include "pin.H"
+
+ofstream OutFile;
+
+// The running count of instructions is kept here
+// make it static to help the compiler optimize docount
+static UINT64 icount = 0;
+
+// This function is called before every instruction is executed
+VOID docount(void *ip) {
+    if ((long int)ip == 0x0047b96e) icount++;   // 0x0047b960: compare mapanic(provided_flag[i]) with constant_binary_blob[i]
+}
+
+// Pin calls this function every time a new instruction is encountered
+VOID Instruction(INS ins, VOID *v)
+{
+    // Insert a call to docount before every instruction, no arguments are passed
+    INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)docount, IARG_INST_PTR, IARG_END);  // IARG_INST_PTR: Type: ADDRINT. The address of the instrumented instruction.
+}
+
+KNOB<string> KnobOutputFile(KNOB_MODE_WRITEONCE, "pintool",
+    "o", "inscount.out", "specify output file name");
+
+// This function is called when the application exits
+VOID Fini(INT32 code, VOID *v)
+{
+    // Write to a file since cout and cerr maybe closed by the application
+    OutFile.setf(ios::showbase);
+    OutFile << "Count " << icount << endl;
+    OutFile.close();
+}
+
+/* ===================================================================== */
+/* Print Help Message                                                    */
+/* ===================================================================== */
+
+INT32 Usage()
+{
+    cerr << "This tool counts the number of dynamic instructions executed" << endl;
+    cerr << endl << KNOB_BASE::StringKnobSummary() << endl;
+    return -1;
+}
+
+/* ===================================================================== */
+/* Main                                                                  */
+/* ===================================================================== */
+/*   argc, argv are the entire command line: pin -t <toolname> -- ...    */
+/* ===================================================================== */
+
+int main(int argc, char * argv[])
+{
+    // Initialize pin
+    if (PIN_Init(argc, argv)) return Usage();
+
+    OutFile.open(KnobOutputFile.Value().c_str());
+
+    // Register Instruction to be called to instrument instructions
+    INS_AddInstrumentFunction(Instruction, 0);
+
+    // Register Fini to be called when the application exits
+    PIN_AddFiniFunction(Fini, 0);
+
+    // Start the program, never returns
+    PIN_StartProgram();
+
+    return 0;
+}

src/writeup/6.6_re_xhpctf2017_dont_panic/exp_gdb.py

@@ -0,0 +1,30 @@
+#HXP CTF 2017 - dont_panic 100 pts
+#Writeup link : https://rce4fun.blogspot.com/2017/11/hxp-ctf-2017-dontpanic-reversing-100.html
+#Souhail Hammou
+import gdb
+
+CHAR_SUCCESS = 0x47B976
+NOPE = 0x47BA23
+gdb.execute("set pagination off")
+gdb.execute("b*0x47B976") #Success for a given character
+gdb.execute("b*0x47BA23") #Block displaying "Nope"
+charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-+*{}'"
+flag = list('A'*42) #junk
+for i in range(0,len(flag)) :
+	for c in charset:
+		flag[i] = c
+		# the number of times we need to hit the
+		# success bp for the previous correct characters
+		success_hits = i
+		gdb.execute("r " + '"' + "".join(flag) + '"')
+		while success_hits > 0 :
+			gdb.execute('c')
+			success_hits -= 1
+		#we break either on success or on fail
+		rip = int(gdb.parse_and_eval("$rip"))
+		if rip == CHAR_SUCCESS:
+			break #right one. To the next character
+		if rip == NOPE: #added for clarity
+			continue
+print("".join(flag))
+#flag : hxp{k3eP_C4lM_AnD_D0n't_P4n1c__G0_i5_S4F3}

src/writeup/6.6_re_xhpctf2017_dont_panic/exp_pin.py

@@ -0,0 +1,21 @@
+import os
+
+def get_count(flag):
+    os.system("../../../pin -t obj-intel64/dont_panic.so -o inscount.out -- ~/dont_panic " + "\"" + flag + "\"")
+    with open("inscount.out") as f:
+        count = int(f.read().split(" ")[1])
+    return count
+
+charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-+*'"
+
+flag = list("hxp{aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}")
+count = 0
+while count != 42:
+    for i in range(4, 41):  # only compare "a" in "hex{}"
+        for c in charset:
+            flag[i] = c
+            # print("".join(flag))
+            count = get_count("".join(flag))
+            if count == i+2:
+                break
+    print("".join(flag))