Participate sciencewar 2018

Author: Qwaz

sciencewar/2018/ezbt/ezbt

@@ -0,0 +1,46 @@
+import binascii
+
+data = '''
+D9 51 44 5C 65 D5 3D 7D  C8 67 BC 68 C8 68 6F 3F
+C8 64 3F 30 48 41 72 3F  75 C8 67 F4 68 48 B9 6E
+7C C8 7F 3C 74 5C 74 3C  74 3C 5C 3C 74 3C 5C 77
+48 FE E8 67 C8 49 48 48  48 48 48 48 48 48 48 48
+71 43 00 00 00 00 00 00
+'''
+
+data = data.replace(' ', '')
+data = data.replace('\n', '')
+data = list(map(ord, binascii.unhexlify(data)))
+
+
+def unbit(val, bitsize=8):
+    diff = []
+    for _ in range(bitsize):
+        diff.append(val & 1)
+        val = val >> 1
+
+    last = 0
+    acc = 0
+    for i in range(bitsize - 1, -1, -1):
+        now = last ^ diff[i]
+        acc = (acc << 1) ^ now
+        last = now
+
+    return acc
+
+length = len(data)
+for i in range(0, length-8, 8):
+    acc = 0
+    shift = 0
+    for j in range(8):
+        acc += data[i+j] << shift
+        shift += 8
+    acc = unbit(acc, 8 * 8)
+    for j in range(8):
+        data[i+j] = acc & 0xFF
+        acc = acc >> 8
+
+for i in range(length):
+    data[i] = unbit(data[i])
+
+print ''.join(map(chr, data))

sciencewar/2018/ezbt/solver.py

@@ -0,0 +1,31 @@
+from sage.all import *
+from Crypto.Util.number import long_to_bytes
+import sys
+
+N = 63
+
+const1 = 0xA5118FA1C766BF85
+const2 = 0xE273A75A9956DAA7
+
+
+def gmul(a, b):
+    acc = 0
+    while b > 0:
+        if b & 1:
+            acc = acc.__xor__(a)
+        a = a << 1
+        if a & (1 << N):
+            a = (a.__xor__(const2)) & ((1 << 64) - 1)
+        b >>= 1
+    return acc
+
+
+data = [0x254847ec89dc651, 0x40bd6e5607da03bf, 0x45620b52aa48fa85, 0x493cd4e5fc020560]
+g.<z> = GF(2^63, modulus=GF(2^64).fetch_int(const2), check_irreducible=False)
+target = g.fetch_int(const1.__xor__(const2))
+inv_target = ((target) ^ (-1)).integer_representation()
+
+for current in data:
+    result = gmul(current, inv_target)
+    sys.stdout.write(long_to_bytes(result)[::-1])
+sys.stdout.write('\n')

sciencewar/2018/hdbt/hdbt

@@ -0,0 +1,37 @@
+
+# This file was *autogenerated* from the file solver.sage
+from sage.all_cmdline import *   # import sage library
+
+_sage_const_0x40bd6e5607da03bf = Integer(0x40bd6e5607da03bf); _sage_const_64 = Integer(64); _sage_const_0 = Integer(0); _sage_const_63 = Integer(63); _sage_const_2 = Integer(2); _sage_const_0x45620b52aa48fa85 = Integer(0x45620b52aa48fa85); _sage_const_1 = Integer(1); _sage_const_0xA5118FA1C766BF85 = Integer(0xA5118FA1C766BF85); _sage_const_0x493cd4e5fc020560 = Integer(0x493cd4e5fc020560); _sage_const_0x254847ec89dc651 = Integer(0x254847ec89dc651); _sage_const_0xE273A75A9956DAA7 = Integer(0xE273A75A9956DAA7)
+from sage.all import *
+from Crypto.Util.number import long_to_bytes
+import sys
+
+N = _sage_const_63 
+
+const1 = _sage_const_0xA5118FA1C766BF85 
+const2 = _sage_const_0xE273A75A9956DAA7 
+
+
+def gmul(a, b):
+    acc = _sage_const_0 
+    while b > _sage_const_0 :
+        if b & _sage_const_1 :
+            acc = acc.__xor__(a)
+        a = a << _sage_const_1 
+        if a & (_sage_const_1  << N):
+            a = (a.__xor__(const2)) & ((_sage_const_1  << _sage_const_64 ) - _sage_const_1 )
+        b >>= _sage_const_1 
+    return acc
+
+
+data = [_sage_const_0x254847ec89dc651 , _sage_const_0x40bd6e5607da03bf , _sage_const_0x45620b52aa48fa85 , _sage_const_0x493cd4e5fc020560 ]
+g = GF(_sage_const_2 **_sage_const_63 , modulus=GF(_sage_const_2 **_sage_const_64 ).fetch_int(const2), check_irreducible=False, names=('z',)); (z,) = g._first_ngens(1)
+target = g.fetch_int(const1.__xor__(const2))
+inv_target = ((target) ** (-_sage_const_1 )).integer_representation()
+
+for current in data:
+    result = gmul(current, inv_target)
+    sys.stdout.write(long_to_bytes(result)[::-_sage_const_1 ])
+sys.stdout.write('\n')
+

sciencewar/2018/hdbt/solver.sage

@@ -0,0 +1,158 @@
+from pwn import *
+import sys
+
+ins = ['nop', 'add', 'sub', 'shl', 'shr', 'and', 'or', 'xor', 'not', 'mov', 'jmp']
+
+
+def parseLvalue(lval):
+    global f
+
+    ltype = lval[0]
+    if ltype == 'r':
+        f.write('\x00')
+        reg_num = int(lval[1:], 10)
+        f.write(bytearray([reg_num]))
+    elif ltype == 'm':
+        f.write('\x02')
+        m_addr = int(lval[1:], 10)
+
+        if m_addr < 0:
+            m_addr = (m_addr + (1 << 32)) % (1 << 32)
+        f.write(p32(m_addr))
+    else:
+        print 'Invalid Lvalue'
+        exit()
+
+
+def parseArg(arg):
+    global f
+
+    atype = arg[0]
+    if atype == 'r':
+        f.write('\x00')
+        reg_num = int(arg[1:], 10)
+        f.write(bytearray([reg_num]))
+    elif atype == 'i':
+        f.write('\x01')
+        i_val = int(arg[1:], 10)
+        f.write(p64(i_val))
+    else:
+        print 'Invalid Arg'
+        exit()
+
+
+def parseRvalue(rval):
+    global f
+    rtype = rval[0]
+    if rtype == 'r':
+        f.write('\x00')
+        reg_num = int(rval[1:], 10)
+        f.write(bytearray([reg_num]))
+    elif rtype == 'i':
+        f.write('\x01')
+        i_val = int(rval[1:], 10)
+        f.write(p64(i_val))
+    elif rtype == 'm':
+        f.write('\x02')
+        m_addr = int(rval[1:], 10)
+        if m_addr < 0:
+            m_addr = (m_addr + (1 << 32)) % (1 << 32)
+            print m_addr
+        f.write(p32(m_addr))
+    else:
+        print 'Invalid Rvalue'
+        exit()
+
+
+def ass(asm):
+    for opcodes in asm:
+        opcode = opcodes.split(' ')
+        ins_type = opcode[0]
+
+        # invalid
+        if ins_type == ins[1]:
+            f.write('\x01')
+            parseLvalue(opcode[1])
+            parseRvalue(opcode[2])
+        # sub
+        elif ins_type == ins[2]:
+            f.write('\x02')
+            parseLvalue(opcode[1])
+            parseRvalue(opcode[2])
+        # shl
+        elif ins_type == ins[3]:
+            f.write('\x03')
+            parseLvalue(opcode[1])
+            parseRvalue(opcode[2])
+        # shr
+        elif ins_type == ins[4]:
+            f.write('\x04')
+            parseLvalue(opcode[1])
+            parseRvalue(opcode[2])
+        # and
+        elif ins_type == ins[5]:
+            f.write('\x05')
+            parseLvalue(opcode[1])
+            parseRvalue(opcode[2])
+        # or
+        elif ins_type == ins[6]:
+            f.write('\x06')
+            parseLvalue(opcode[1])
+            parseRvalue(opcode[2])
+        # xor
+        elif ins_type == ins[7]:
+            f.write('\x07')
+            parseLvalue(opcode[1])
+            parseRvalue(opcode[2])
+        # not
+        elif ins_type == ins[8]:
+            f.write('\x08')
+            parseArg(opcode[1])
+        # mov
+        elif ins_type == ins[9]:
+            f.write('\x09')
+            parseLvalue(opcode[1])
+            parseRvalue(opcode[2])
+        # jp
+        elif ins_type == ins[10]:
+            f.write('\x0a')
+            parseArg(opcode[1])
+        else:
+            print 'Invalid instruction'
+            exit()
+
+exit_got = 0x601FF8
+alarm_got = 0x601FC8
+puts_got = 0x601FC0
+
+bit = ''
+for i in range(12):
+    if len(sys.argv) > 1:
+        p = remote('211.239.124.246', '23904')
+    else:
+        p = process('./lvm')
+
+    f = open('bin', 'wb')
+
+    a = []
+
+    a.append('mov r0 i' + str(puts_got))
+    a.append('mov r0 m5000')
+    a.append('shr r0 i' + str(i))
+    a.append('and r0 i1')
+    a.append('shl r0 i13')
+    a.append('mov m-4144 r0')
+
+    ass(a)
+
+    with open('bin', 'r') as f:
+        payload = f.read()
+    p.send(payload)
+    p.recvline()
+    if "VM" in p.recvline():
+        bit = '1' + bit
+    else:
+        bit = '0' + bit
+    p.close()
+
+print '%03x' % int(bit, 2)