From f635c36e5f84db17de8316c296c19e881a9a242f Mon Sep 17 00:00:00 2001 From: firmianay Date: Tue, 5 Dec 2017 19:06:40 +0800 Subject: [PATCH] add 6.2.5 --- README.md | 1 + SUMMARY.md | 1 + doc/5.2_pin.md | 5 --- doc/6.1.1_pwn_hctf2016_brop.md | 4 +- doc/6.1.2_pwn_njctf2017_pingme.md | 4 +- doc/6.1.3_pwn_xdctf2015_pwn200.md | 4 +- doc/6.1.4_pwn_backdoorctf2017_fun_signals.md | 4 +- doc/6.1.5_pwn_grehackctf2017_beerfighter.md | 4 +- doc/6.1.6_pwn_defconctf2015_fuckup.md | 5 ++- doc/6.1.7_pwn_0ctf2015_freenote.md | 3 ++ doc/6.2.1_re_xhpctf2017_dont_panic.md | 4 +- doc/6.2.2_re_ectf2016_tayy.md | 4 +- doc/6.2.3_re_codegate2017_angrybird.md | 4 +- doc/6.2.4_re_csawctf2015_wyvern.md | 2 + doc/6.2.5_re_picoctf2014_baleful.md | 39 ++++++++++++++++++ doc/6_writeup.md | 1 + doc/7.4_writeup.md | 8 ---- src/Reverse/5.2_reverse_400 | Bin 138462 -> 0 bytes src/Reverse/5.2_th3jackers_100 | Bin 5564 -> 0 bytes .../6.2.5_re_picoctf2014_baleful/baleful | Bin 0 -> 6752 bytes .../6.2.5_re_picoctf2014_baleful/baleful_de} | Bin 21 files changed, 70 insertions(+), 27 deletions(-) create mode 100644 doc/6.2.5_re_picoctf2014_baleful.md delete mode 100755 src/Reverse/5.2_reverse_400 delete mode 100755 src/Reverse/5.2_th3jackers_100 create mode 100755 src/writeup/6.2.5_re_picoctf2014_baleful/baleful rename src/{Reverse/5.2_baleful => writeup/6.2.5_re_picoctf2014_baleful/baleful_de} (100%) diff --git a/README.md b/README.md index fe7ec24..b545126 100644 --- a/README.md +++ b/README.md @@ -84,6 +84,7 @@ - [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md) - [6.2.3 re Codegate2017 angrybird](doc/6.2.3_re_codegate2017_angrybird.md) - [6.2.4 re CSAWCTF2015 wyvern](doc/6.2.4_re_csawctf2015_wyvern.md) + - [6.2.5 re PicoCTF2014 Baleful](doc/6.2.5_re_picoctf2014_baleful.md) - [七、附录](doc/7_appendix.md) - [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md) diff --git a/SUMMARY.md b/SUMMARY.md index 4d4c08b..dfd0194 100644 --- a/SUMMARY.md +++ b/SUMMARY.md 
@@ -83,6 +83,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md) * [6.2.3 re Codegate2017 angrybird](doc/6.2.3_re_codegate2017_angrybird.md) * [6.2.4 re CSAWCTF2015 wyvern](doc/6.2.4_re_csawctf2015_wyvern.md) + * [6.2.5 re PicoCTF2014 Baleful](doc/6.2.5_re_picoctf2014_baleful.md) * [七、附录](doc/7_appendix.md) * [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md) * [7.2 更多 Windows 工具](doc/7.2_wintools.md) diff --git a/doc/5.2_pin.md b/doc/5.2_pin.md index cdafb55..8522efa 100644 --- a/doc/5.2_pin.md +++ b/doc/5.2_pin.md @@ -419,11 +419,6 @@ Count 152786 - [pintool2](https://github.com/sebastiendamaye/pintool2) - [Pin 3.5 User Guide](https://software.intel.com/sites/landingpage/pintool/docs/97503/Pin/html/) -#### 练习 -- [**RE** - picoCTF 2014 - Baleful](../src/Reverse/5.2_baleful) -- [**RE** - Hack You 2014 - reverse - 400](../src/Reverse/5.2_reverse_400) -- [**RE** - th3jackers CTF 2015 - rev100 - 100](../src/Reverse/5.2_th3jackers_100) - ## 扩展:Triton Triton 是一个二进制执行框架,其具有两个重要的优点,一是可以使用 Python 调用 Pin,二是支持符号执行。[官网](https://triton.quarkslab.com/) diff --git a/doc/6.1.1_pwn_hctf2016_brop.md b/doc/6.1.1_pwn_hctf2016_brop.md index 23c6b3d..ad08f35 100644 --- a/doc/6.1.1_pwn_hctf2016_brop.md +++ b/doc/6.1.1_pwn_hctf2016_brop.md @@ -6,6 +6,8 @@ - [参考资料](#参考资料) +[下载文件](../src/writeup/6.1.1_pwn_hctf2016_brop) + ## 题目复现 出题人在 github 上开源了代码,[出题人失踪了](https://github.com/zh-explorer/hctf2016-brop)。如下: ```C @@ -368,7 +370,7 @@ firmy ## Exploit -完整的 exp 如下,其他文件放在了[github](../src/writeup/6.1.1_pwn_hctf2016_brop)相应文件夹中: +完整的 exp 如下: ```python from pwn import * diff --git a/doc/6.1.2_pwn_njctf2017_pingme.md b/doc/6.1.2_pwn_njctf2017_pingme.md index 7a095cc..c9802c5 100644 --- a/doc/6.1.2_pwn_njctf2017_pingme.md +++ b/doc/6.1.2_pwn_njctf2017_pingme.md @@ -6,6 +6,8 @@ - [参考资料](#参考资料) +[下载文件](../src/writeup/6.1.2_pwn_njctf2017_pingme) + ## 题目复现 在 6.1.1 中我们看到了 blind ROP,这一节中则将看到 blind fmt。它们的共同点是都没有二进制文件,只提供 ip 和端口。 
@@ -200,7 +202,7 @@ firmy ## Exploit -完整的 exp 如下,其他文件放在了[github](../src/writeup/6.1.2_pwn_njctf2017_pingme)相应文件夹中: +完整的 exp 如下: ```python from pwn import * diff --git a/doc/6.1.3_pwn_xdctf2015_pwn200.md b/doc/6.1.3_pwn_xdctf2015_pwn200.md index 2820e16..1cdeea3 100644 --- a/doc/6.1.3_pwn_xdctf2015_pwn200.md +++ b/doc/6.1.3_pwn_xdctf2015_pwn200.md @@ -6,6 +6,8 @@ - [参考资料](#参考资料) +[下载文件](../src/writeup/6.1.3_pwn_xdctf2015_pwn200) + ## 题目复现 出题人在博客里贴出了源码,如下: ```C @@ -941,7 +943,7 @@ firmy ## Exploit -完整的 exp 如下,其他文件放在了[github](../src/writeup/6.1.3_pwn_xdctf2015_pwn200)相应文件夹中: +完整的 exp 如下: ```python from pwn import * diff --git a/doc/6.1.4_pwn_backdoorctf2017_fun_signals.md b/doc/6.1.4_pwn_backdoorctf2017_fun_signals.md index a946419..9275c70 100644 --- a/doc/6.1.4_pwn_backdoorctf2017_fun_signals.md +++ b/doc/6.1.4_pwn_backdoorctf2017_fun_signals.md @@ -9,6 +9,8 @@ - [参考资料](#参考资料) + [下载文件](../src/writeup/6.1.4_pwn_backdoorctf2017_fun_signals) + ## SROP 原理 #### Linux 系统调用 在开始这一切之前,我想先讲一下 Linux 的系统调用。64 位和 32 位的系统调用表分别在 @@ -252,8 +254,6 @@ fake_flag_here_as_original_is_at_server\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ ``` 如果连接的是远程服务器,`fake_flag_here_as_original_is_at_server` 会被替换成真正的 flag。 -其他文件放在了 [github](../src/writeup/6.1.4_pwn_backdoorctf2017_fun_signals) 相应文件夹中。 - 这一节我们详细介绍了 SROP 的原理,并展示了一个简单的例子,在后面的章节中,会展示其更复杂的运用,包扩结合 vDSO 的用法。 diff --git a/doc/6.1.5_pwn_grehackctf2017_beerfighter.md b/doc/6.1.5_pwn_grehackctf2017_beerfighter.md index 4c02bad..639446f 100644 --- a/doc/6.1.5_pwn_grehackctf2017_beerfighter.md +++ b/doc/6.1.5_pwn_grehackctf2017_beerfighter.md @@ -4,6 +4,8 @@ - [Exploit](#exploit) +[下载文件](../src/writeup/6.1.5_pwn_grehackctf2017_beerfighter) + ## 题目解析 ``` $ file game @@ -118,7 +120,7 @@ firmy ## Exploit -完整的 exp 如下,其他文件放在了[github](../src/writeup/6.1.5_pwn_grehackctf2017_beerfighter)相应文件夹中: +完整的 exp 如下: ```python from pwn import * diff --git a/doc/6.1.6_pwn_defconctf2015_fuckup.md b/doc/6.1.6_pwn_defconctf2015_fuckup.md index 3482e43..08cc365 100644 
--- a/doc/6.1.6_pwn_defconctf2015_fuckup.md +++ b/doc/6.1.6_pwn_defconctf2015_fuckup.md @@ -6,8 +6,9 @@ - [参考资料](#参考资料) -## ret2vdso 原理 +[下载文件](../src/writeup/6.1.6_pwn_defconctf2015_fuckup) +## ret2vdso 原理 在你使用 `ldd` 命令时,通常会显示出 vDSO,如下: ``` $ ldd /usr/bin/ls @@ -29,7 +30,7 @@ No RELRO No canary found NX enabled No PIE No RPATH No RU ``` ## Exploit -完整的 exp 如下,其他文件放在了[github](../src/writeup/6.1.6_pwn_defconctf2015_fuckup)相应文件夹中: +完整的 exp 如下: ## 参考资料 - `man vdso` diff --git a/doc/6.1.7_pwn_0ctf2015_freenote.md b/doc/6.1.7_pwn_0ctf2015_freenote.md index 272a3a9..b0223f4 100644 --- a/doc/6.1.7_pwn_0ctf2015_freenote.md +++ b/doc/6.1.7_pwn_0ctf2015_freenote.md @@ -1 +1,4 @@ # 6.1.7 pwn 0CTF2015 freenote + + +[下载文件](../src/writeup/6.1.7_pwn_0ctf2015_freenote) diff --git a/doc/6.2.1_re_xhpctf2017_dont_panic.md b/doc/6.2.1_re_xhpctf2017_dont_panic.md index 4e75ec4..6c778e5 100644 --- a/doc/6.2.1_re_xhpctf2017_dont_panic.md +++ b/doc/6.2.1_re_xhpctf2017_dont_panic.md @@ -4,6 +4,8 @@ - [参考资料](#参考资料) +[下载文件](../src/writeup/6.2.1_re_xhpctf2017_dont_panic) + ## 题目解析 第一步当然是 file 啦: ``` @@ -423,8 +425,6 @@ print("".join(flag)) 在最后一篇参考资料里,介绍了怎样还原 Go 二进制文件的函数名,这将大大简化我们的分析。 -另外所有文件放在了[github](../src/writeup/6.2.1_re_xhpctf2017_dont_panic)相应文件夹中。 - ## 参考资料 - [Pin Tutorial](http://www.ic.unicamp.br/~rodolfo/mo801/04-PinTutorial.pdf) diff --git a/doc/6.2.2_re_ectf2016_tayy.md b/doc/6.2.2_re_ectf2016_tayy.md index fc84201..350c597 100644 --- a/doc/6.2.2_re_ectf2016_tayy.md +++ b/doc/6.2.2_re_ectf2016_tayy.md @@ -6,6 +6,8 @@ 章节 4.5 中讲解了 Z3 约束求解器的基本使用方法,通过这一题,我们可以更进一步地熟悉它。 +[下载文件](../src/writeup/6.2.2_re_ectf2016_tayy) + ## 题目解析 ``` Tayy is the future of AI. She is a next level chatbot developed by pro h4ckers at NIA Labs. But Tayy hides a flag. Can you convince her to give it you? 
@@ -235,7 +237,5 @@ void giff_flag(&flag, int key) { ``` 我们知道 flag 的格式应该是 `ECTF{...}`,所以只要初始 flag 在多次转换后出现这几个字符,就很可能是最终的 flag 了。我们已经理清了算法,接下来的事情就交给 Z3 了。 -完整的 exp 如下,其他文件在 [github](../src/writeup/6.2.2_re_ectf2016_tayy) 相应文件夹中。 - ## 参考资料 diff --git a/doc/6.2.3_re_codegate2017_angrybird.md b/doc/6.2.3_re_codegate2017_angrybird.md index cb88793..2fd291e 100644 --- a/doc/6.2.3_re_codegate2017_angrybird.md +++ b/doc/6.2.3_re_codegate2017_angrybird.md @@ -4,6 +4,8 @@ - [参考资料](#参考资料) +[下载文件](../src/writeup/6.2.3_re_codegate2017_angrybird) + ## 题目解析 看题目就知道,这是一个会让我们抓狂的程序,事实也确实如此。 ``` @@ -262,7 +264,5 @@ you typed : Im_so_cute&pretty_:) ``` 同样需要一定的运气才能通过,祝好运:) -所有文件在 [github](../src/writeup/6.2.3_re_codegate2017_angrybird) 相应文件夹中。 - ## 参考资料 diff --git a/doc/6.2.4_re_csawctf2015_wyvern.md b/doc/6.2.4_re_csawctf2015_wyvern.md index bc248d0..12f6d12 100644 --- a/doc/6.2.4_re_csawctf2015_wyvern.md +++ b/doc/6.2.4_re_csawctf2015_wyvern.md @@ -4,6 +4,8 @@ - [参考资料](#参考资料) +[下载文件](../src/writeup/6.2.4_re_csawctf2015_wyvern) + ## 题目解析 ``` $ file wyvern diff --git a/doc/6.2.5_re_picoctf2014_baleful.md b/doc/6.2.5_re_picoctf2014_baleful.md new file mode 100644 index 0000000..f5a8d7f --- /dev/null +++ b/doc/6.2.5_re_picoctf2014_baleful.md 
@@ -0,0 +1,39 @@ +# 6.2.5 re PicoCTF2014 Baleful + +- [题目解析](#题目解析) +- [参考资料](#参考资料) + + +[下载文件](../src/writeup/6.2.5_re_picoctf2014_baleful) + +## 题目解析 +``` +$ file baleful +baleful: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped +$ strings baleful | grep -i upx +@UPX! +$Info: This file is packed with the UPX executable packer http://upx.sf.net $ +$Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $ +UPX!u +UPX! +UPX! +$ upx -d baleful -o baleful_de + Ultimate Packer for eXecutables + Copyright (C) 1996 - 2017 +UPX 3.94 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017 + + File size Ratio Format Name + -------------------- ------ ----------- ----------- + 144956 <- 6752 4.66% linux/i386 baleful_de + +Unpacked 1 file. +$ file baleful_de +baleful_de: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=35d1a373cbe6a675ecbbc904722a86f853f20ce3, stripped +``` +``` +$ ./baleful_de +Please enter your password: ABCD +Sorry, wrong password! +``` + +## 参考资料 diff --git a/doc/6_writeup.md b/doc/6_writeup.md index d21c948..624d182 100644 --- a/doc/6_writeup.md +++ b/doc/6_writeup.md @@ -13,3 +13,4 @@ - [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md) - [6.2.3 re Codegate2017 angrybird](6.2.3_re_codegate2017_angrybird.md) - [6.2.4 re CSAWCTF2015 wyvern](6.2.4_re_csawctf2015_wyvern.md) + - [6.2.5 re PicoCTF2014 Baleful](6.2.5_re_picoctf2014_baleful.md) diff --git a/doc/7.4_writeup.md b/doc/7.4_writeup.md index 7ee9ce7..94baf07 100644 --- a/doc/7.4_writeup.md +++ b/doc/7.4_writeup.md @@ -5,14 +5,6 @@ #### **pwn** - UIUCTF 2017 - goodluck - 200 -## 5.2 Pin 动态二进制插桩 -#### **RE** - picoCTF 2014 - Baleful - -#### **RE** - Hack You 2014 - reverse - 400 - -#### **RE** - th3jackers CTF 2015 - rev100 - 100 - - ## 6.1 更多 Linux 工具 #### Strings - strings_crackme ```text 
diff --git a/src/Reverse/5.2_reverse_400 b/src/Reverse/5.2_reverse_400 deleted file mode 100755 index fa0001569c3cb4b528795f8e0b33098c599f825a..0000000000000000000000000000000000000000 GIT binary patch
diff --git a/src/Reverse/5.2_th3jackers_100 b/src/Reverse/5.2_th3jackers_100 deleted file mode 100755 index f07f1db463c197e57a2576e1dc7a2d46d11c5462..0000000000000000000000000000000000000000 GIT binary patch
diff --git a/src/writeup/6.2.5_re_picoctf2014_baleful/baleful b/src/writeup/6.2.5_re_picoctf2014_baleful/baleful new file mode 100755 index 0000000000000000000000000000000000000000..0281f6e7b42c6e0793dd8896017bcfb9535bfe2f GIT binary patch
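Review bot: in doc/6.1.6_pwn_defconctf2015_fuckup.md the second hunk leaves `完整的 exp 如下:` ("the complete exp is as follows:") directly above `## 参考资料`, so the Exploit section announces a script that is not there. Either add the exploit code block in this commit or drop the sentence, as the doc/6.2.2_re_ectf2016_tayy.md hunk does with its equivalent line.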
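Review bot: the new doc/6.2.5_re_picoctf2014_baleful.md has a `## 题目解析` section made of two back-to-back fenced terminal captures with no prose, and a `## 参考资料` heading with nothing under it. Add a sentence between the fences saying what each step establishes (the `UPX!` hits from `strings` are the reason `upx -d` is run, and `baleful_de` is the file that is then executed), note that the capture shows a file packed by UPX 3.91 being unpacked with UPX 3.94, and leave the reference heading and its TOC entry out until there is something to list.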
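Review bot: the subject `add 6.2.5` does not cover what the doc/5.2_pin.md and doc/7.4_writeup.md hunks do. They remove the `#### 练习` list and the `## 5.2 Pin 动态二进制插桩` stubs, and src/Reverse/5.2_reverse_400 and src/Reverse/5.2_th3jackers_100 are deleted outright while only the Baleful binary is moved. If dropping the other two Pin exercises is intended, say so in the commit message; the `[下载文件]` link refactor across the 6.1.x and 6.2.x docs would also read better as its own commit.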
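Review bot: for the files under src/writeup/6.2.5_re_picoctf2014_baleful/, the diffstat shows `baleful` added at 6752 bytes with mode 100755 and `baleful_de` as a 100% rename of src/Reverse/5.2_baleful, so the unpacked file is the previously committed blob rather than output regenerated from the packed one added here. Record a SHA-256 for both files in the write-up so a reader can confirm that `upx -d baleful -o baleful_de` reproduces the committed `baleful_de`, and consider committing challenge samples as 100644 so they are not executable straight from a checkout.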