From 2dc9e78e22b07536b1fecbe60b4f2c7a6ccc05a6 Mon Sep 17 00:00:00 2001 From: Malfurious Date: Sun, 25 Feb 2024 10:48:19 -0500 Subject: BraekerCTF 2024 results Signed-off-by: Malfurious --- scores.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/scores.txt b/scores.txt index 014d947..0f4d3bf 100644 --- a/scores.txt +++ b/scores.txt @@ -28,3 +28,4 @@ RITSEC CTF 2023 3472 72 /712 (717) BITSCTF 2024 1040 93 /921 lactf 2024 1347 447 /1074 +BraekerCTF 606 75 /487 (1361) -- cgit v1.2.3 From f24146370e30e4eb247976cf50e7624d52db840f Mon Sep 17 00:00:00 2001 From: Malfurious Date: Sun, 25 Feb 2024 11:35:22 -0500 Subject: Merge x86 tips into architecture topic doc Signed-off-by: Malfurious --- docs/re/arch_x86.txt | 45 +++++++++++++++++++++++++++++++++++++++++++++ docs/re/rep_prefix.txt | 18 ------------------ docs/re/test_v_cmp.txt | 17 ----------------- 3 files changed, 45 insertions(+), 35 deletions(-) delete mode 100644 docs/re/rep_prefix.txt delete mode 100644 docs/re/test_v_cmp.txt diff --git a/docs/re/arch_x86.txt b/docs/re/arch_x86.txt index 5d526b2..f1f2a03 100644 --- a/docs/re/arch_x86.txt +++ b/docs/re/arch_x86.txt @@ -105,3 +105,48 @@ The function return value is stored in the a register. Stack pointer register: rsp Base pointer register: rbp Return value in: rax + + + +Specific Callouts +============================================================ + +TEST vs. CMP +------------ +CMP subtracts operands and sets internal flags. Among these, it sets the +zero flag if the difference is zero (operands are equal). + +TEST sets the zero flag (ZF) when the result of the AND operation is zero. If +the two operands are equal, their bitwise AND is zero only when the operands +themselves are zero. TEST also sets the sign flag (SF) when the most +significant bit is set in the result, and the parity flag (PF) when the number +of set bits is even. + +JE (alias of JZ) tests the zero flag and jumps if it is set. This creates the +following equivalencies: + +test eax, eax +je ----> if (eax == 0) {} + +cmp eax, ebx +je ----> if (eax == ebx) {} + + +REP prefix +---------- +The "rep" prefix on a string instruction repeats that string instruction for CX +block loads. + +e.g. STOS is "Store String" +It will store the value in AX at the address in RDI +(technically, STOSB, STOSW, STOD, and STOSQ use AL, AX, EAX, and RAX respectively) +If RCX = 0x20, RDI = some buffer, and RAX = 0, + +`rep stosq` is equivalent to: + +``` +buf_ptr = buf +for(i = 0x20; i != 0; i--) + *buf_ptr = 0; + buf_ptr++; +``` diff --git a/docs/re/rep_prefix.txt b/docs/re/rep_prefix.txt deleted file mode 100644 index 23e0cec..0000000 --- a/docs/re/rep_prefix.txt +++ /dev/null @@ -1,18 +0,0 @@ -The "rep" prefix on a string instruction repeats that string instruction for CX block loads. -e.g. -STOS is "Store String" -It will store the value in AX at the address in RDI -(technically, STOSB, STOSW, STOD, and STOSQ use AL, AX, EAX, and RAX respectively) -If RCX = 0x20, RDI = some buffer, and RAX = 0, - -`rep stosq` - -is equivalent to: - -``` -buf_ptr = buf -for(i = 0x20; i != 0; i--) - *buf_ptr = 0; - buf_ptr++; -``` - diff --git a/docs/re/test_v_cmp.txt b/docs/re/test_v_cmp.txt deleted file mode 100644 index c98424f..0000000 --- a/docs/re/test_v_cmp.txt +++ /dev/null @@ -1,17 +0,0 @@ -CMP subtracts operands and sets internal flags. Among these, it sets the -zero flag if the difference is zero (operands are equal). - -TEST sets the zero flag (ZF) when the result of the AND operation is zero. If -the two operands are equal, their bitwise AND is zero only when the operands -themselves are zero. TEST also sets the sign flag (SF) when the most -significant bit is set in the result, and the parity flag (PF) when the number -of set bits is even. - -JE (alias of JZ) tests the zero flag and jumps if it is set. This creates the -following equivalencies: - -test eax, eax -je ----> if (eax == 0) {} - -cmp eax, ebx -je ----> if (eax == ebx) {} -- cgit v1.2.3 From bb7ac5c3a4f50cb34db886034df2d693d8fe3ac2 Mon Sep 17 00:00:00 2001 From: Malfurious Date: Sun, 25 Feb 2024 11:54:53 -0500 Subject: Add x86 loop instruction callout Signed-off-by: Malfurious --- docs/re/arch_x86.txt | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/re/arch_x86.txt b/docs/re/arch_x86.txt index f1f2a03..85cf22f 100644 --- a/docs/re/arch_x86.txt +++ b/docs/re/arch_x86.txt @@ -150,3 +150,18 @@ for(i = 0x20; i != 0; i--) *buf_ptr = 0; buf_ptr++; ``` + + +LOOP instruction +---------------- +#from stack overflow: +#https://stackoverflow.com/questions/46881279/how-exactly-does-the-x86-loop-instruction-work + +LOOP is exactly like `dec ecx / jnz`, except it doesn't set flags. + +It's like the bottom of a `do {} while (--ecx != 0);` loop in C. If execution +enters the loop with ecx=0, wrap-around means the loop will run 2**32 times +(2**64 times in 64-bit mode). + +Unlike `rep movsb/stosb/etc`, it doesn't check for ecx=0 before decrementing, +only after. -- cgit v1.2.3 From 19038376ddbd3aac7179a601f8c3cda6d17f8ea5 Mon Sep 17 00:00:00 2001 From: Malfurious Date: Sun, 25 Feb 2024 12:31:56 -0500 Subject: Add image convolution topic doc Signed-off-by: Malfurious --- docs/forensics/image_convolution.txt | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 docs/forensics/image_convolution.txt diff --git a/docs/forensics/image_convolution.txt b/docs/forensics/image_convolution.txt new file mode 100644 index 0000000..419389b --- /dev/null +++ b/docs/forensics/image_convolution.txt @@ -0,0 +1,2 @@ +https://medium.com/analytics-vidhya/image-convolution-from-scratch-d99bf639c32a +https://docs.gimp.org/2.6/en/plug-in-convmatrix.html -- cgit v1.2.3 From d22b2ee2abadd03285f4e9bb986b44915b24493f Mon Sep 17 00:00:00 2001 From: Malfurious Date: Sun, 25 Feb 2024 12:37:52 -0500 Subject: Writeup BraekerCTF 2024 / Eye Doctor Signed-off-by: Malfurious --- docs/writeups/2024/BraekerCTF/misc/eye_doctor.png | Bin 0 -> 53001 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 docs/writeups/2024/BraekerCTF/misc/eye_doctor.png diff --git a/docs/writeups/2024/BraekerCTF/misc/eye_doctor.png b/docs/writeups/2024/BraekerCTF/misc/eye_doctor.png new file mode 100644 index 0000000..58e27d3 Binary files /dev/null and b/docs/writeups/2024/BraekerCTF/misc/eye_doctor.png differ -- cgit v1.2.3 From 175d1af3bf850fd0816a730215e028045d82e037 Mon Sep 17 00:00:00 2001 From: Malfurious Date: Sun, 25 Feb 2024 12:53:04 -0500 Subject: Writeup BraekerCTF 2024 / e Signed-off-by: Malfurious --- docs/writeups/2024/BraekerCTF/misc/e.txt | 103 +++++++++++++++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 docs/writeups/2024/BraekerCTF/misc/e.txt diff --git a/docs/writeups/2024/BraekerCTF/misc/e.txt b/docs/writeups/2024/BraekerCTF/misc/e.txt new file mode 100644 index 0000000..5b7f455 --- /dev/null +++ b/docs/writeups/2024/BraekerCTF/misc/e.txt @@ -0,0 +1,103 @@ +"Grrrrr". This robot just growls. The other bots tell you that it is angry +because it can't count very high. Can you teach it how? + + + +Overview +-------- +The challenge provides a C++ source file and a netcat port. The program code +appears to be a short series of prompts, which passing all of them will print +the flag. At each stage, our input is taken as a single-precision floating +point number which must pass various rounding error and precision checks. + + + +Level 1 +------- +bool flow_start() { + // Get user input + float a = get_user_input("Number that is equal to two: "); + + // Can't be two + if (a <= 2) + return false; + + // Check if equal to 2 + return (unsigned short)a == 2; +} + +I saw some solutions take advantage of the fact that large numbers would +"overflow" when truncated via the (unsigned short) cast, giving a valid input +like 65538 (0x10002). + +My solution leveraged the floating point truncation (aka: loss of decimal +places): 2.0000002384 + + + +Level 2 +------- +bool round_2() { + float total = 0; + + // Sum these numbers to 0.9 + for (int i = 0; i < 9; i++) + total += 0.1; + + // Add user input + total += get_user_input("Number to add to 0.9 to make 1: "); + + // Check if equal to one + return total == 1.0; +} + +During the for-loop, precision errors accumulate and the total will overshoot +0.9. Less than 0.1 must be given: 0.09999990 + + + +Level 3 +------- +bool level_3() { + float total = 0; + + unsigned int *seed; + vector n_arr; + + // Random seed + seed = (unsigned int *)getauxval(AT_RANDOM); + srand(*seed); + + // Add user input + add_user_input(&n_arr, "Number to add to array to equal zero: "); + + // Add many random integers + for (int i = 0; i < 1024 * (8 + rand() % 1024); i++) + n_arr.push_back((rand() % 1024) + 1); + + // Add user input + add_user_input(&n_arr, "Number to add to array to equal zero: "); + + // Get sum + for (int i = 0; i < n_arr.size(); i++) + total += n_arr[i]; + + // Check if equal to zero + return total == 0; +} + +Many random numbers between [1, 1024] are summed up in this function, and we are +asked for two more, for all of them to sum to zero. Since the range of random +numbers is known (<=1024), we can provide relatively large numbers to squeeze +out the randomness. + +Given the fixed-precision, yet floating decimal point of floats, adding a large +value to a small value can potentially reduce the smaller value to zero as its +exponent and mantissa are adjusted to match the other. + +10000000000000000 +-10000000000000000 + + + +brck{Th3_3pS1l0n_w0rkS_In_M15t3riOuS_W4yS} -- cgit v1.2.3