├── Glados ├── COMPILING ├── Makefile ├── cavejohnson.h ├── classes.cpp ├── classes.h ├── flag ├── glados ├── glados cores.txt ├── glados-uClibc++-0.2.4.patch ├── glados-uClibc-0.9.33.patch ├── glados.h ├── gmon.out ├── in_out.cpp ├── init.c ├── init.h ├── main.cpp ├── main.h ├── malloc.c └── malloc.h ├── LICENSE.md ├── amadhj ├── Makefile ├── amadhj.c └── flag ├── b3s23 ├── Makefile ├── b3s23.c ├── config └── flag ├── baby-re ├── Makefile ├── README ├── baby-re.c └── create-baby-re.c ├── badger ├── Makefile ├── badge_skin.h ├── bit_util.c ├── bit_util.h ├── cli.c ├── cli.h ├── delay.c ├── delay.h ├── glcdfont.c ├── gui.c ├── gui.h ├── hardware.h ├── image_renderer.h ├── lcd.h ├── lcd_gfx.c ├── lcd_gfx.h ├── lcd_hal.c ├── lcd_hal.h ├── lzssvw.c ├── lzssvw.h ├── main.c ├── message_handler.c ├── message_handler.h ├── omsp_system.h ├── port_helper.c ├── port_helper.h ├── radio_uart.c ├── radio_uart.h ├── sram_hal.c ├── sram_hal.h ├── strip_all ├── util.c └── util.h ├── banker ├── Makefile ├── base64.cpp ├── base64.h ├── cpp_helper.cpp ├── cpp_helper.h ├── doublelist.cpp ├── doublelist.h ├── input_reader.cpp ├── input_reader.h ├── main.cpp ├── musl-clang ├── password_generator │ ├── Makefile │ ├── base64.cpp │ ├── base64.h │ ├── cpp_helper.cpp │ ├── cpp_helper.h │ ├── main.cpp │ ├── musl-clang │ ├── strip_all │ ├── well_rng.cpp │ └── well_rng.h ├── settings.h ├── string.cpp ├── string.h ├── strip_all ├── transfer_manager.cpp ├── transfer_manager.h ├── user_manager.cpp ├── user_manager.h └── users.txt ├── crippled ├── Makefile ├── crippled.c ├── flag ├── neatcc.patch ├── neatld.patch └── start.S ├── crunchtime ├── COMPILING ├── Makefile ├── common.c ├── common.h ├── crunchtime-fixup.py ├── crunchtime.c └── flag ├── easier ├── DefconChal2.sdf ├── DefconChal2.sln ├── DefconChal2.v11.suo └── DefconChal2 │ ├── DefconChal2.cpp │ ├── DefconChal2.vcxproj │ ├── DefconChal2.vcxproj.filters │ ├── DefconChal2.vcxproj.user │ ├── ReadMe.txt │ ├── stdafx.cpp │ ├── stdafx.h │ └── targetver.h ├── feedme ├── Makefile ├── main.c └── strip_all ├── heapfun4u ├── Makefile ├── dc_malloc.c ├── dc_malloc.h ├── flag └── heapfun4u.c ├── int3 ├── build.sh ├── flag ├── int3rupt.c └── libc.a ├── justintime ├── Makefile ├── cioconnection.cpp ├── cioconnection.h ├── common.cpp ├── common.h ├── doublelist.cpp ├── doublelist.h ├── dummy_thread.cpp ├── dummy_thread.h ├── input_thread.cpp ├── input_thread.h ├── main.cpp ├── worker_log.cpp └── worker_log.h ├── kiss ├── Makefile ├── flag └── kiss.c ├── legit_00001 ├── Makefile ├── README ├── README.md ├── flag ├── flag_patched ├── lib │ ├── libc.c │ └── libc.h ├── poller │ └── for-release │ │ ├── machine.py │ │ └── state-graph.yaml ├── pov_1 │ └── pov.c └── src │ └── src.c ├── legit_00002 ├── Makefile ├── README.md ├── Vagrantfile ├── flag ├── flag_patched ├── lib │ ├── libc.c │ └── libc.h ├── poller │ └── for-release │ │ ├── machine.py │ │ └── state-graph.yaml ├── pov_1 │ └── pov.c └── src │ └── src.c ├── legit_00003 ├── Makefile ├── README ├── README.md ├── flag ├── flag_patched ├── lib │ ├── libc.c │ ├── libc.h │ ├── printf.c │ ├── printf.h │ └── stdarg.h ├── poller │ └── for-release │ │ ├── machine.py │ │ └── state-graph.yaml ├── pov_1 │ └── pov.c └── src │ └── src.c ├── legit_00004 ├── Makefile ├── include │ ├── malloc.h │ └── service.h ├── lib │ ├── malloc.c │ ├── mymath.c │ ├── mymath.h │ ├── new_printf.c │ ├── stdarg.h │ ├── stdint.h │ ├── stdlib.c │ └── stdlib.h ├── poller │ └── for-release │ │ ├── counts.png │ │ ├── edges.png │ │ ├── graph.dot │ │ ├── machine.py │ │ ├── nodes.png │ │ └── state-graph.yaml ├── pov_1 │ ├── new_printf.c │ └── pov1.c └── src │ ├── authenticate.c │ ├── compare_strings.c │ ├── flashcards.c │ ├── initDatabase.c │ ├── match_str.c │ ├── quiz.c │ ├── service.c │ └── wordMaint.c ├── pillpusher ├── Makefile ├── README ├── Symptoms ├── close.c ├── drugs ├── errno.h ├── exit.c ├── flag ├── insert.py ├── malloc.c ├── malloc.h ├── mmap.c ├── mmap.h ├── open.c ├── pillpusher.c ├── pillpusher.h ├── printf.c ├── printf.h ├── read.c ├── stdarg.h ├── stdlib.c ├── stdlib.h ├── stubstart.S ├── unistd.c ├── unistd.h └── write.c ├── secrf_revenge ├── Makefile ├── common.cpp ├── common.h ├── complex.cpp ├── complex.h ├── cpp_helper.cpp ├── cpp_helper.h ├── critical_exception.cpp ├── critical_exception.h ├── crypto.key ├── digital_receiver.cpp ├── digital_receiver.h ├── doublelist.cpp ├── doublelist.h ├── dsp_engine.cpp ├── dsp_engine.h ├── exception_handler.cpp ├── exception_handler.h ├── flag ├── main.cpp ├── messagehandler.cpp ├── messagehandler.h ├── musl-clang ├── packet.cpp ├── packet.h ├── radiomac.cpp ├── radiomac.h ├── radiomessage.cpp ├── radiomessage.h ├── rc4engine.cpp ├── rc4engine.h ├── string.cpp ├── string.h ├── strip_all ├── well_rng.cpp └── well_rng.h ├── step ├── Makefile ├── README ├── enc.c ├── flag ├── scramble.c └── step.c ├── thousand_cuts ├── .gitignore ├── Dockerfile ├── README.md ├── Vagrantfile ├── babysfirst │ ├── easy-prasky-with-buffalo-on-bing.raw │ ├── player.rb │ └── runner.py ├── breads.csv ├── prod-test.sh ├── sauces.csv ├── sausages.csv ├── scramble-stack │ ├── .gitignore │ ├── Makefile │ ├── README.md │ ├── cgc-cb.mk │ ├── dist.sh │ ├── generator.rb │ ├── interstitial.py │ ├── lib │ │ ├── libc.c │ │ └── libc.h │ ├── player.rb │ ├── poller │ │ └── for-release │ │ │ ├── .gitignore │ │ │ ├── machine.py │ │ │ └── state-graph.yaml │ ├── pov │ │ ├── POV_00001.xml │ │ └── pov-template.xml │ ├── runner.py │ └── src │ │ └── service.c.tpl ├── stack │ ├── .gitignore │ ├── Makefile │ ├── README.md │ ├── cgc-cb.mk │ ├── dist.sh │ ├── generator.rb │ ├── lib │ │ ├── libc.c │ │ └── libc.h │ ├── player.rb │ ├── poller │ │ └── for-release │ │ │ ├── .gitignore │ │ │ ├── machine.py │ │ │ └── state-graph.yaml │ ├── pov │ │ ├── POV_00001.xml │ │ └── pov-template.xml │ ├── runner.py │ └── src │ │ └── service.c └── vary-stack │ ├── .gitignore │ ├── Makefile │ ├── README.md │ ├── cgc-cb.mk │ ├── dist.sh │ ├── generator.rb │ ├── interstitial.py │ ├── lib │ ├── libc.c │ └── libc.h │ ├── player.rb │ ├── poller │ └── for-release │ │ ├── .gitignore │ │ ├── machine.py │ │ └── state-graph.yaml │ ├── pov │ ├── POV_00001.xml │ └── pov-template.xml │ ├── runner.py │ └── src │ └── service.c.tpl ├── time sink └── enigma4.patch └── xkcd ├── fgetln.c ├── flag └── xkcd.c /Glados/COMPILING: -------------------------------------------------------------------------------- 1 | gcc 4.8.4 was compiled with ../gcc-4.8.4/configure --disable-libssp --disable-threads --prefix=/home/lightning/gcc-custom CFLAGS="-fPIC -fpic" CXXFLAGS="-fPIC -fpic" --enable-languages=c,c++ --disable-bootstrap --disable-nls 2 | 3 | gcc 4.8.4 was installed 4 | The two patches were applied to uClibc and uClibc++ appropriately 5 | The custom build of libsupc++.a was copied to the src/abi/libsupc folder of uClibc++ to allow for a fPIC version to be available 6 | Final compiled libaries and custom gcc used to compile Glados to allow for moving the stacic binary without hard locations being set by the compiler 7 | -------------------------------------------------------------------------------- /Glados/Makefile: -------------------------------------------------------------------------------- 1 | ROOT=/home/lightning 2 | CC=$(ROOT)/gcc-custom/bin/gcc 3 | CPP=$(ROOT)/gcc-custom/bin/g++ 4 | UCLIBC=$(ROOT)/uClibc 5 | UCLIBCPLUS=$(ROOT)/uClibc++ 6 | MODE=64 7 | CCFLAGS=-fPIC -fpic -O2 -m$(MODE) -std=c99 -Wall 8 | CPPFLAGS=-fPIC -fpic -Wno-sign-compare -Wno-unused-result -Wno-write-strings -O2 -m$(MODE) -std=c++11 -Wall -D_FORTIFY_SOURCE=0 9 | 10 | O_FILES = main.o classes.o in_out.o init.o 11 | 12 | all : $(O_FILES) 13 | $(CPP) $(CPPFLAGS) -o glados $(O_FILES) $(UCLIBC)/usr/lib/crt1.o -nostdlib -static -lc -L$(UCLIBC)/usr/lib -L$(UCLIBCPLUS)/lib -luClibc++ -lc 14 | strip -g -S -d glados 15 | strip -s glados 16 | strip -x glados 17 | strip -X glados 18 | 19 | # dependency stuff, see: http://www.cs.berkeley.edu/~smcpeak/autodepend/autodepend.html 20 | # pull in dependency info for *existing* .o files 21 | -include $(O_FILES:.o=.d) 22 | 23 | .SUFFIXES : .o .c .cpp 24 | 25 | .cpp.o : 26 | $(CPP) $(CPPFLAGS) -c $< 27 | 28 | .c.o : 29 | $(CC) $(CCFLAGS) -c $< 30 | 31 | clean: 32 | rm -f glados *.o *.d 33 | -------------------------------------------------------------------------------- /Glados/flag: -------------------------------------------------------------------------------- 1 | The flag is: Glados hates everyone, her personality could use help 2 | -------------------------------------------------------------------------------- /Glados/glados: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/legitbs/quals-2016/ab495ee64bdb008f70608672286280b46bbdb2b7/Glados/glados -------------------------------------------------------------------------------- /Glados/glados cores.txt: -------------------------------------------------------------------------------- 1 | glados 2 | 3 | requires common function for extra menu text 4 | 5 | types of modules/cores: 6 | + memory info - gives information about itself including where it is in memory 7 | gives bits of program info 8 | number of modules loaded 9 | + raw data storage and retrieval - will allow allocating a specific size amount of memory and storing data in said location 10 | another module will have a pointer that isn't set on init that if free'd will cause bug 11 | + cave johnson core 12 | cave johnson quotes - stored in a data array core 13 | menu for changing and interacting with cores 14 | attempts to link modules/portals (define this) 15 | likes to try random combinations of portals/modules with random data, probably a bad thing 16 | + glados core 17 | glados quotes - stored in a data array core 18 | menu for changing cores 19 | decides after x interactions or random (lower chance than cave johnson) to just terminate connection 20 | + random number generator core 21 | + controlled buffer overflow test core 22 | can't be uncontrolled as even the stack cookie wouldn't be good enough with data array core memory leaks 23 | could possibly be uncontrolled if 2nd cookie forced in place and adapted off of rdtsc or similar (something unguessable) 24 | but this results in brute forcing 25 | + data array core 26 | an array of data to be accessible 27 | cave johnson quotes stored in such a core 28 | allow up to 8 bytes per entry to be stored, does not do actual memory handling 29 | allow bug for improper indexing when reading ( < 0 indexing). Should allow discovery of binary location 30 | 31 | modules are stored in a linked list, no bugs. maybe red herring of not resetting forward pointer properly but never used? 32 | see Khazad linked list bug for example 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /Glados/gmon.out: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/legitbs/quals-2016/ab495ee64bdb008f70608672286280b46bbdb2b7/Glados/gmon.out -------------------------------------------------------------------------------- /Glados/in_out.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include "main.h" 5 | 6 | void WriteString(char *s, int WithNewline) 7 | { 8 | write(1, s, strlen(s)); 9 | if(WithNewline) 10 | write(1, "\n", 1); 11 | } 12 | 13 | int ReadLine(char *Buffer, int Size) 14 | { 15 | int Count = 0; 16 | int TotalCount = 0; 17 | while(1) 18 | { 19 | Count = read(0, Buffer, 1); 20 | if(Count > 0) 21 | { 22 | TotalCount += Count; 23 | if(TotalCount >= Size) 24 | return TotalCount; 25 | else if(*Buffer == '\n') 26 | { 27 | *Buffer = 0; 28 | return TotalCount - 1; 29 | } 30 | Buffer += Count; 31 | } 32 | else 33 | _exit(0); 34 | }; 35 | 36 | return TotalCount; 37 | } 38 | 39 | int ReadAll(char *Buffer, int Size) 40 | { 41 | //read the number of bytes specified 42 | int Count = 0; 43 | int TotalCount = 0; 44 | while(Size) 45 | { 46 | Count = read(0, Buffer, Size); 47 | if(Count > 0) 48 | { 49 | Size -= Count; 50 | Buffer += Count; 51 | TotalCount += Count; 52 | } 53 | else 54 | _exit(0); 55 | }; 56 | 57 | return TotalCount; 58 | } 59 | 60 | unsigned long ReadInt() 61 | { 62 | char Buffer[30]; 63 | ReadLine(Buffer, sizeof(Buffer) - 1); 64 | Buffer[sizeof(Buffer) - 1] = 0; 65 | if(strlen(Buffer) == 0) 66 | return -1; 67 | else 68 | return strtoul(Buffer, 0, 10); 69 | } 70 | -------------------------------------------------------------------------------- /Glados/init.c: -------------------------------------------------------------------------------- 1 | //for some reason _init is called when ran from xinetd but not from the command line 2 | //uClibc's version doesn't have a ret so it dies horribly. this avois it and i don't include crti.o as a result 3 | void _init() 4 | { 5 | } 6 | 7 | void _fini() 8 | { 9 | } 10 | 11 | -------------------------------------------------------------------------------- /Glados/init.h: -------------------------------------------------------------------------------- 1 | #ifndef GLADOS_INIT 2 | #define GLADOS_INIT 3 | 4 | void _init(); 5 | void _fini(); 6 | 7 | #endif 8 | 9 | -------------------------------------------------------------------------------- /Glados/main.h: -------------------------------------------------------------------------------- 1 | #ifndef GLADOS_MAIN 2 | #define GLADOS_MAIN 3 | 4 | //#define _GLADOS_DEBUG 5 | 6 | typedef struct CoreStruct 7 | { 8 | class BaseCore *Core; 9 | CoreStruct *Prev; 10 | CoreStruct *Next; 11 | } CoreStruct; 12 | 13 | extern CoreStruct *CoreHead; 14 | 15 | extern void WriteString(char *s, int WithNewline); 16 | int ReadLine(char *Buffer, int Size); 17 | int ReadAll(char *Buffer, int Size); 18 | unsigned long ReadInt(); 19 | void AddCoreEntry(CoreStruct *Entry); 20 | CoreStruct *CreateCoreEntry(int CoreType); 21 | void DeleteCoreEntry(CoreStruct *Entry); 22 | 23 | #endif 24 | -------------------------------------------------------------------------------- /amadhj/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc amadhj.c -o amadhj --static -s 3 | 4 | -------------------------------------------------------------------------------- /amadhj/flag: -------------------------------------------------------------------------------- 1 | The flag is: Da robats took err jerbs. 2 | -------------------------------------------------------------------------------- /b3s23/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -pie -m32 b3s23.c -o b3s23 -O2 -Wno-unused-result 3 | strip -s b3s23 4 | strip -g -S -d b3s23 5 | strip -x b3s23 6 | strip -X b3s23 7 | -------------------------------------------------------------------------------- /b3s23/config: -------------------------------------------------------------------------------- 1 | 15 256 2 | -------------------------------------------------------------------------------- /b3s23/flag: -------------------------------------------------------------------------------- 1 | The flag is: Who knew generated life would be interesting 2 | -------------------------------------------------------------------------------- /baby-re/Makefile: -------------------------------------------------------------------------------- 1 | all: baby-re create-baby-re 2 | 3 | create-baby-re: create-baby-re.o 4 | gcc -o create-baby-re create-baby-re.o 5 | 6 | baby-re: baby-re.o create-baby-re.o 7 | gcc -O0 -o baby-re baby-re.o 8 | 9 | baby-re.o: baby-re.c 10 | gcc -O0 -c baby-re.c 11 | 12 | create-baby-re.o: create-baby-re.c 13 | gcc -c create-baby-re.c 14 | -------------------------------------------------------------------------------- /baby-re/README: -------------------------------------------------------------------------------- 1 | baby-re is (obviously) a RE challenge. It contains a basic set of linear equations. The challenge is to RE out the coefficients for each equation's terms. Then, you can either solve the set manually or search the Internets for a site like http://equationsolver.intemodino.com/en/solve-systems-of-equations.html. The equation unknowns are the bytes of the flag. If you enter the correct values into the program, it will check them against the equations and will print out the flag (aka the bytes you entered) if they are correct. The size of the linear system is based on the length of the flag. For example, a flag with 10 characters, will have a linear system with 10 equations and 10 unknowns. 2 | 3 | To make changing the flag easier (which would result in new coefficients for the linear system), there's a create-baby-re executable which prompts for the desired flag string and outputs the C program for baby-re.c. Just dump that output into babe-re.c and run make. 4 | 5 | There are also some really basic anti-reversing bytes mixed into the program just to be annoying. 6 | 7 | -------------------------------------------------------------------------------- /badger/Makefile: -------------------------------------------------------------------------------- 1 | CC=gcc 2 | #CCFLAGS=-g3 -Wall -w -pedantic -fmessage-length=0 -fno-stack-protector -D_FORTIFY_SOURCE=0 -pie -fPIE 3 | #CCFLAGS=-O3 4 | CCFLAGS=-g3 -O1 -Wall -w -pedantic -fmessage-length=0 -fno-stack-protector 5 | #CCFLAGS=-g3 -Wall -w -pedantic -fmessage-length=0 -fno-stack-protector -fPIC 6 | 7 | O_FILES = main.o port_helper.o lcd_hal.o lcd_gfx.o glcdfont.o radio_uart.o cli.o sram_hal.o util.o lzssvw.o message_handler.o gui.o bit_util.o 8 | 9 | badger: $(O_FILES) 10 | $(CC) $(CCFLAGS) -o badger $(O_FILES) -lX11 11 | 12 | # dependency stuff, see: http://www.cs.berkeley.edu/~smcpeak/autodepend/autodepend.html 13 | # pull in dependency info for *existing* .o files 14 | -include $(O_FILES:.o=.d) 15 | 16 | .SUFFIXES : .o .c 17 | 18 | .c.o : 19 | $(CC) $(CCFLAGS) -c $< 20 | $(CC) -MM $(CFLAGS) $*.c > $*.d 21 | 22 | clean: 23 | rm -f badger *.o *.d 24 | -------------------------------------------------------------------------------- /badger/bit_util.c: -------------------------------------------------------------------------------- 1 | #include "bit_util.h" 2 | 3 | void text_init_state( tBitState *state, uint8_t *data ) 4 | { 5 | state->mask = 0; 6 | state->bit_buffer = 0; 7 | state->data = data; 8 | state->cur_pos = 0; 9 | } 10 | 11 | void text_writeflush( tBitState *state ) 12 | { 13 | // Check if there is any data left to write out?? 14 | if ( state->mask == 0 ) 15 | return; 16 | 17 | state->mask++; 18 | 19 | while ( state->mask < 8 ) 20 | { 21 | state->mask++; 22 | state->bit_buffer <<=1; 23 | } 24 | 25 | // FLUSH 26 | state->data[state->cur_pos] = state->bit_buffer; 27 | state->cur_pos++; 28 | 29 | state->mask = 0; 30 | state->bit_buffer = 0; 31 | } 32 | 33 | void text_writebit( uint16_t bit_data, int16_t n, tBitState *state ) 34 | { 35 | int16_t i; 36 | 37 | for ( i = 0; i < n; i++ ) 38 | { 39 | if ( bit_data & (1<<((n-1)-i)) ) 40 | state->bit_buffer++; 41 | 42 | state->mask++; 43 | if ( state->mask == 8 ) 44 | { 45 | state->data[state->cur_pos] = state->bit_buffer; 46 | state->cur_pos++; 47 | 48 | state->bit_buffer = 0; 49 | state->mask = 0; 50 | } 51 | 52 | state->bit_buffer <<= 1; 53 | } 54 | } 55 | 56 | int16_t text_getbit( int16_t n, tBitState *state, uint16_t maxLen ) 57 | { 58 | int16_t i, x; 59 | 60 | x = 0; 61 | for (i = 0; i < n; i++) 62 | { 63 | if ( state->mask == 0) 64 | { 65 | if ( state->cur_pos >= maxLen ) 66 | return (-1); 67 | 68 | state->bit_buffer = state->data[state->cur_pos]; 69 | state->cur_pos++; 70 | 71 | state->mask = 128; 72 | } 73 | x <<= 1; 74 | 75 | if ( state->bit_buffer & state->mask ) 76 | x++; 77 | 78 | state->mask >>= 1; 79 | } 80 | return x; 81 | } 82 | 83 | -------------------------------------------------------------------------------- /badger/bit_util.h: -------------------------------------------------------------------------------- 1 | #ifndef __BIT_UTIL_H__ 2 | #define __BIT_UTIL_H__ 3 | #include 4 | 5 | typedef struct BIT_STATE_STRUCT 6 | { 7 | uint8_t mask; 8 | uint8_t bit_buffer; 9 | uint16_t cur_pos; 10 | uint8_t *data; 11 | } tBitState; 12 | 13 | void text_init_state( tBitState *state, uint8_t *data ); 14 | void text_writeflush( tBitState *state ); 15 | void text_writebit( uint16_t bit_data, int16_t n, tBitState *state ); 16 | int16_t text_getbit( int16_t n, tBitState *state, uint16_t maxLen ); 17 | 18 | #endif // __BIT_UTIL_H__ 19 | -------------------------------------------------------------------------------- /badger/cli.h: -------------------------------------------------------------------------------- 1 | #ifndef __CLI_H__ 2 | #define __CLI_H__ 3 | 4 | #include 5 | 6 | void cli_init_uart( void ); 7 | void cli_run( void ); 8 | 9 | void cli_process_command( uint8_t *pCommand ); 10 | 11 | void cli_command_help( uint8_t *pArgs ); 12 | void cli_command_msg( uint8_t *pArgs ); 13 | void cli_command_token( uint8_t *pArgs ); 14 | void cli_command_debug( uint8_t *pArgs ); 15 | void cli_command_id( uint8_t *pArgs ); 16 | 17 | void INT_cli_uart_rx( uint8_t rxdata ); 18 | 19 | #endif // __CLI_H__ 20 | -------------------------------------------------------------------------------- /badger/delay.c: -------------------------------------------------------------------------------- 1 | #include "delay.h" 2 | 3 | // Dumb delay code (doesn't use timers) 4 | /** 5 | Delay function. 6 | */ 7 | void delay(unsigned int c, unsigned int d) 8 | { 9 | volatile int i, j; 10 | for (i = 0; i 6 | 7 | #define TEAM_COUNT (20) 8 | 9 | #define MAX_SAVED_MESSAGES (80) 10 | 11 | #define GUI_STATE_NONE (0) 12 | #define GUI_STATE_SPLASH (1) // The top level window (splash screen!) 13 | #define GUI_STATE_VIEW_MESSAGE (2) // View a message (g_messageCur is the message being viewed) 14 | #define GUI_STATE_COMPOSE_WHO (3) // Pick who to compose a message to! 15 | #define GUI_STATE_COMPOSE_IMAGE (4) // Pick an image to send! 16 | #define GUI_STATE_COMPOSE_TEXT (5) // Write text 17 | #define GUI_STATE_COMPOSE_QUEUE (6) // Inform them the message is being queued 18 | 19 | // Maybe add some indicators of the RSSI??? Ya that is a big TO DO haha 20 | #define GUI_RADIOSTATE_NOCON 0 21 | #define GUI_RADIOSTATE_CON 1 22 | 23 | typedef struct MESSAGE_SRAM_INFO_STRUCT 24 | { 25 | uint8_t message_num; 26 | uint16_t sram_address; 27 | } tMessageSramInfo; 28 | 29 | typedef struct IMAGE_LOOKUP_DATA_STRUCT 30 | { 31 | uint8_t image_type; 32 | uint8_t image_compression; 33 | uint8_t image_x_size; 34 | uint8_t image_y_size; 35 | uint8_t image_size; 36 | uint8_t *image_data; 37 | } tImageLookupData; 38 | 39 | typedef struct LINE_POINT_STRUCT 40 | { 41 | uint8_t start_x, start_y; 42 | uint8_t end_x, end_y; 43 | } tLinePoint; 44 | 45 | void init_gui( void ); 46 | void run_gui( void ); 47 | void add_rendered_message( tRenderedMessage *pMessage ); 48 | void gui_render_menu( void ); 49 | void gui_render_splash( void ); 50 | void gui_render_view_message( void ); 51 | void gui_view_message_select( uint8_t button_action ); 52 | void gui_render_compose_team_list( void ); 53 | void gui_render_compose_who( void ); 54 | void gui_render_compose_image( void ); 55 | void gui_render_compose_text( void ); 56 | 57 | void gui_image_select( uint8_t button_action ); 58 | void gui_render_image( void ); 59 | void gui_clear_image_box( void ); 60 | 61 | void gui_compose_button_depress( uint8_t button_up ); 62 | void gui_text_button_depress( uint8_t button_up, uint8_t pos_last ); 63 | void gui_text_update_char_remaining( void ); 64 | 65 | void gui_send_image( void ); 66 | void gui_send_compose( void ); 67 | void gui_update_radio_state( uint8_t radioState ); 68 | 69 | void write_message_to_sram( tRenderedMessage *pRenderedMessage ); 70 | 71 | void SetButtonUp( void ); 72 | void SetButtonDown( void ); 73 | void SetButtonBack( void ); 74 | void SetButtonNext( void ); 75 | 76 | void ReleaseButtonUp( void ); 77 | void ReleaseButtonDown( void ); 78 | void ReleaseButtonBack( void ); 79 | void ReleaseButtonNext( void ); 80 | 81 | #endif // __GUI_H__ 82 | -------------------------------------------------------------------------------- /badger/image_renderer.h: -------------------------------------------------------------------------------- 1 | #ifndef __IMAGE_RENDERER_H__ 2 | #define __IMAGE_RENDERER_H__ 3 | 4 | 5 | #endif // __IMAGE_RENDERER_H__ 6 | -------------------------------------------------------------------------------- /badger/lcd.h: -------------------------------------------------------------------------------- 1 | #ifndef __LCD_H__ 2 | #define __LCD_H__ 3 | 4 | #define INITR_GREENTAB 0x0 5 | #define INITR_REDTAB 0x1 6 | #define INITR_BLACKTAB 0x2 7 | 8 | #define ST7735_TFTWIDTH 160 9 | #define ST7735_TFTHEIGHT 128 10 | 11 | #define ST7735_NOP 0x00 12 | #define ST7735_SWRESET 0x01 13 | #define ST7735_RDDID 0x04 14 | #define ST7735_RDDST 0x09 15 | 16 | #define ST7735_SLPIN 0x10 17 | #define ST7735_SLPOUT 0x11 18 | #define ST7735_PTLON 0x12 19 | #define ST7735_NORON 0x13 20 | 21 | #define ST7735_INVOFF 0x20 22 | #define ST7735_INVON 0x21 23 | #define ST7735_DISPOFF 0x28 24 | #define ST7735_DISPON 0x29 25 | #define ST7735_CASET 0x2A 26 | #define ST7735_RASET 0x2B 27 | #define ST7735_RAMWR 0x2C 28 | #define ST7735_RAMRD 0x2E 29 | 30 | #define ST7735_PTLAR 0x30 31 | #define ST7735_COLMOD 0x3A 32 | #define ST7735_MADCTL 0x36 33 | 34 | #define ST7735_FRMCTR1 0xB1 35 | #define ST7735_FRMCTR2 0xB2 36 | #define ST7735_FRMCTR3 0xB3 37 | #define ST7735_INVCTR 0xB4 38 | #define ST7735_DISSET5 0xB6 39 | 40 | #define ST7735_PWCTR1 0xC0 41 | #define ST7735_PWCTR2 0xC1 42 | #define ST7735_PWCTR3 0xC2 43 | #define ST7735_PWCTR4 0xC3 44 | #define ST7735_PWCTR5 0xC4 45 | #define ST7735_VMCTR1 0xC5 46 | 47 | #define ST7735_RDID1 0xDA 48 | #define ST7735_RDID2 0xDB 49 | #define ST7735_RDID3 0xDC 50 | #define ST7735_RDID4 0xDD 51 | 52 | #define ST7735_PWCTR6 0xFC 53 | 54 | #define ST7735_GMCTRP1 0xE0 55 | #define ST7735_GMCTRN1 0xE1 56 | 57 | // Color definitions 58 | #define ST7735_BLACK 0x0000 59 | #define ST7735_BLUE 0x001F 60 | #define ST7735_RED 0xF800 61 | #define ST7735_GREEN 0x07E0 62 | #define ST7735_CYAN 0x07FF 63 | #define ST7735_MAGENTA 0xF81F 64 | #define ST7735_YELLOW 0xFFE0 65 | #define ST7735_WHITE 0xFFFF 66 | #define ST7735_PURPLE 0xF07F 67 | 68 | #endif // __LCD_H__ 69 | -------------------------------------------------------------------------------- /badger/lcd_gfx.h: -------------------------------------------------------------------------------- 1 | #ifndef _LCD_GFX_H 2 | #define _LCD_GFX_H 3 | 4 | #include 5 | 6 | #define swap(a, b) { int16_t t = a; a = b; b = t; } 7 | 8 | void lcd_init_gfx(int16_t w, int16_t h); // Constructor 9 | 10 | void lcd_gfx_drawLine(int16_t x0, int16_t y0, int16_t x1, int16_t y1, uint16_t color); 11 | void lcd_gfx_drawFastVLine(int16_t x, int16_t y, int16_t h, uint16_t color); 12 | void lcd_gfx_drawFastHLine(int16_t x, int16_t y, int16_t w, uint16_t color); 13 | void lcd_gfx_drawRect(int16_t x, int16_t y, int16_t w, int16_t h, uint16_t color); 14 | void lcd_gfx_fillRect(int16_t x, int16_t y, int16_t w, int16_t h, uint16_t color); 15 | void lcd_gfx_fillScreen(uint16_t color); 16 | 17 | // These exist only with Adafruit_GFX (no subclass overrides) 18 | void lcd_gfx_drawCircle(int16_t x0, int16_t y0, int16_t r, uint16_t color); 19 | void lcd_gfx_drawCircleHelper(int16_t x0, int16_t y0, int16_t r, uint8_t cornername, uint16_t color); 20 | 21 | void lcd_gfx_fillCircle(int16_t x0, int16_t y0, int16_t r, uint16_t color); 22 | void lcd_gfx_fillCircleHelper(int16_t x0, int16_t y0, int16_t r, uint8_t cornername, int16_t delta, uint16_t color); 23 | void lcd_gfx_drawTriangle(int16_t x0, int16_t y0, int16_t x1, int16_t y1, int16_t x2, int16_t y2, uint16_t color); 24 | void lcd_gfx_fillTriangle(int16_t x0, int16_t y0, int16_t x1, int16_t y1, int16_t x2, int16_t y2, uint16_t color); 25 | void lcd_gfx_drawRoundRect(int16_t x0, int16_t y0, int16_t w, int16_t h, int16_t radius, uint16_t color); 26 | void lcd_gfx_fillRoundRect(int16_t x0, int16_t y0, int16_t w, int16_t h, int16_t radius, uint16_t color); 27 | void lcd_gfx_drawBitmap(int16_t x, int16_t y, const uint8_t *bitmap, int16_t w, int16_t h, uint16_t color); 28 | void lcd_gfx_drawChar(int16_t x, int16_t y, unsigned char c, uint16_t color, uint16_t bg, uint8_t size); 29 | void lcd_gfx_print(char *s); 30 | void lcd_gfx_setCursor(int16_t x, int16_t y); 31 | void lcd_gfx_setTextColor(uint16_t c, uint16_t b); 32 | void lcd_gfx_setTextSize(uint8_t s); 33 | void lcd_gfx_setTextWrap(uint8_t w); 34 | void lcd_gfx_setRotation(uint8_t r); 35 | 36 | void lcd_gfx_setTextWrapStartXPos( uint16_t x ); 37 | 38 | uint8_t lcd_gfx_getRotation(void); 39 | 40 | #endif // __LCD_GFX_H__ 41 | -------------------------------------------------------------------------------- /badger/lcd_hal.h: -------------------------------------------------------------------------------- 1 | #ifndef __LCD_HAL_H__ 2 | #define __LCD_HAL_H__ 3 | 4 | #include "hardware.h" 5 | #include "lcd.h" 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | #define LCD_PORT (P2OUT) 12 | 13 | #define LCD_CSN_BIT (0x04) 14 | #define LCD_BACKLIGHT_BIT (0x10) 15 | #define LCD_RS_BIT (0x20) 16 | #define LCD_RESET_BIT (0x40) 17 | 18 | void lcd_init_screen( unsigned char options ); 19 | //void lcd_setAddrWindow( unsigned char x0, unsigned char y0, unsigned char x1, unsigned char y1 ); 20 | void lcd_fillRect( unsigned int x, unsigned int y, unsigned int w, unsigned int h, unsigned int color ); 21 | void lcd_fillScreen( unsigned int color ); 22 | void lcd_drawPixel( unsigned int x, unsigned int y, unsigned int color); 23 | 24 | void lcd_DrawSkin( void ); 25 | 26 | Display *GetX11Display( void ); 27 | void X11Redraw( void ); 28 | void X11Flush( void ); 29 | 30 | int GetX11ConnectionNumber( void ); 31 | 32 | #endif // __LCD_HAL_H__ 33 | -------------------------------------------------------------------------------- /badger/lzssvw.c: -------------------------------------------------------------------------------- 1 | #include "lzssvw.h" 2 | #include "bit_util.h" 3 | 4 | #define LEN_WIDTH_MAX 9 5 | #define COPY_WIDTH 5 6 | #define COPY_WINDOW_SIZE (1<<5) 7 | 8 | int16_t lzssvw_decompress( uint8_t *pCompressData, uint8_t *pUncompressData, uint16_t inBufSize, uint16_t outBufSize ) 9 | { 10 | int i, j, c; 11 | int compress_len_width = 1; // Variable width length encoding (up to maximum) 12 | int out_pos; 13 | tBitState inBitState; 14 | 15 | out_pos = 0; 16 | 17 | text_init_state( &inBitState, pCompressData ); 18 | 19 | while ( (c = text_getbit( 1, &inBitState, inBufSize )) != -1 ) 20 | { 21 | if ( c ) 22 | { 23 | if ( (c = text_getbit( 8, &inBitState, inBufSize )) == -1 ) 24 | break; 25 | 26 | pUncompressData[out_pos++] = c; 27 | 28 | // FIXED OVERFLOW FROM DEF CON FINALS 2014 (Added this check) 29 | if ( out_pos >= outBufSize ) 30 | return (out_pos); 31 | } 32 | else 33 | { 34 | int lookup_distance, repeat_amount; 35 | 36 | // Lookup 37 | if ( (c = text_getbit( compress_len_width, &inBitState, inBufSize )) == -1 ) 38 | break; 39 | 40 | lookup_distance = c; 41 | 42 | if ( (c = text_getbit( COPY_WIDTH, &inBitState, inBufSize )) == -1 ) 43 | break; 44 | 45 | repeat_amount = c+1; 46 | 47 | if ( lookup_distance+1 > out_pos ) 48 | return -1; 49 | 50 | j = (out_pos-(lookup_distance+1)); 51 | for ( i = 0; i < repeat_amount; i++ ) 52 | { 53 | pUncompressData[out_pos++] = pUncompressData[j]; 54 | 55 | // FIXED OVERFLOW FROM DEF CON FINALS 2014 (Added this check) 56 | if ( out_pos >= outBufSize ) 57 | return (out_pos); 58 | 59 | j++; 60 | } 61 | } 62 | 63 | // Update after! 64 | if ( compress_len_width < LEN_WIDTH_MAX ) 65 | { 66 | while( out_pos >= (1< 5 | 6 | int16_t lzssvw_decompress( uint8_t *pCompressData, uint8_t *pUncompressData, uint16_t inBufSize, uint16_t outBufSize ); 7 | 8 | #endif // __LZSSVW_H__ 9 | -------------------------------------------------------------------------------- /badger/port_helper.h: -------------------------------------------------------------------------------- 1 | #ifndef __PORT_HELPER_H__ 2 | #define __PORT_HELPER_H__ 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | void eint( void ); 10 | void dint( void ); 11 | 12 | void interrupt_handler( void ); 13 | 14 | void LEDOn( uint16_t ledBits ); 15 | void LEDOff( uint16_t ledBits ); 16 | 17 | void radio_uart_putc( char byte ); 18 | 19 | #define LPM0 ; 20 | #define LPM0_EXIT ; 21 | 22 | #endif // __PORT_HELPER_H__ 23 | -------------------------------------------------------------------------------- /badger/radio_uart.h: -------------------------------------------------------------------------------- 1 | #ifndef __RADIO_UART_H__ 2 | #define __RADIO_UART_H__ 3 | 4 | #include 5 | 6 | #define RU_DEBUG_OFF 0 7 | #define RU_DEBUG_LVL1 1 8 | #define RU_DEBUG_LVL2 2 9 | #define RU_DEBUG_LVL_MAX 3 10 | 11 | // These must match the RADIO_UART_STATE_NONE... etc defines in /radio/app_uart.c 12 | #define RU_STATE_OFF 0 // RADIO off 13 | #define RU_STATE_FINDSYNC 1 // RADIO scanning for sync 14 | #define RU_STATE_WAIT 2 // RADIO waiting (idle) 15 | #define RU_STATE_READY_DATA 3 // RADIO accepting data forard messages 16 | #define RU_STATE_READY_RESPONSE 4 // RADIO accepting response messages 17 | #define RU_STATE_MAX 5 // MAXIMUM number of radio states 18 | 19 | #define FORWARD_DATA_SIZE (254) // 86*3-4 20 | #define FRESPONSE_DATA_SIZE (82) // 86-4 21 | 22 | void radio_init_uart( void ); 23 | void radio_uart_write( uint8_t *data, uint16_t dataLen ); 24 | uint8_t radio_send_response_message( uint8_t *pData, uint8_t dataLen, uint16_t session_id, uint8_t from_tid ); 25 | uint8_t radio_send_data_message( uint8_t *pData, uint8_t dataLen, uint8_t from_tid, uint8_t to_tid ); 26 | 27 | void radio_uart_run( void ); 28 | 29 | void radio_uart_set_debug( uint8_t level ); 30 | uint8_t radio_uart_get_debug( void ); 31 | 32 | uint8_t radio_add_forward_message( uint8_t *payload, uint8_t payload_length, uint8_t from_tid, uint8_t to_tid ); 33 | 34 | void INT_radio_uart_rx( uint8_t in_char ); 35 | 36 | #endif // __RADIO_UART_H__ 37 | -------------------------------------------------------------------------------- /badger/sram_hal.h: -------------------------------------------------------------------------------- 1 | #ifndef __SRAM_HAL_H__ 2 | #define __SRAM_HAL_H__ 3 | 4 | #include 5 | 6 | #define SRAM_CSN_PORT (P2OUT) 7 | #define SRAM_CSN_BIT (0x08) // PIN 8 for non-server FPGA load 8 | 9 | //============================================================================ 10 | // SRAM SPI Controller 11 | //============================================================================ 12 | #define SRAMSPI_CTRL (*(volatile unsigned int *)0x0098) // CTRL register address 13 | #define SRAMSPI_DATA (*(volatile unsigned int *)0x009A) // Data register (8-bit or 16-bits) 14 | 15 | #define SRAMSPI_CTRL_SMCLK (0x0200) // SMCLK select 16 | #define SRAMSPI_CTRL_SENDCNT (0x0100) // Send count (1 = 16-bits, 0 = 8 bits) 17 | #define SRAMSPI_CTRL_CLOCKDIV (0x00E0) // Clock divider (power of 2) 18 | #define SRAMSPI_CTRL_IEN (0x0010) // Interrupt enable 19 | #define SRAAMSPI_CTRL_IFLG (0x0008) // Interrupt flag 20 | #define SRAMSPI_CTRL_CKPH (0x0004) // Clock Phase 21 | #define SRAMSPI_CTRL_CKPOL (0x0002) // Clock Polarity 22 | #define SRAMSPI_CTRL_EN (0x0001) // Enable 23 | 24 | 25 | 26 | void sram_init( void ); 27 | // uint8_t sram_read_mode( void ); 28 | void sram_read_u16( uint16_t address, uint16_t *dest, uint16_t length ); 29 | void sram_write_u16( uint16_t address, uint16_t *dest, uint16_t length ); 30 | 31 | 32 | #endif // SRAM_HAL_H__ 33 | -------------------------------------------------------------------------------- /badger/strip_all: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | strip -s badger 4 | strip --remove-section .note --remove-section .comment --remove-section .note.gnu.build-id badger 5 | -------------------------------------------------------------------------------- /badger/util.c: -------------------------------------------------------------------------------- 1 | #include "util.h" 2 | 3 | uint8_t hex_char_to_int( uint8_t value ) 4 | { 5 | if ( value >= '0' && value <= '9' ) 6 | return (value - '0'); 7 | else if ( value >= 'A' && value <= 'F' ) 8 | return (10 + (value - 'A')); 9 | else if ( value >= 'a' && value <= 'f' ) 10 | return (10 + (value - 'a')); 11 | else 12 | return 0; 13 | } 14 | 15 | uint8_t read_hex_uint8( char *hexString ) 16 | { 17 | int i = 0; 18 | uint8_t value = 0; 19 | 20 | for ( i = 0; i < 2; i++ ) 21 | value = value | (hex_char_to_int( hexString[i] ) << ((1-i)*4)); 22 | 23 | return value; 24 | } 25 | 26 | uint8_t int_to_hex_char( uint8_t nibble ) 27 | { 28 | if ( nibble < 10 ) 29 | return ('0'+nibble); 30 | else if ( nibble < 16 ) 31 | return ('a'+(nibble-10)); 32 | else 33 | return 0; 34 | } 35 | -------------------------------------------------------------------------------- /badger/util.h: -------------------------------------------------------------------------------- 1 | #ifndef __UTIL_H__ 2 | #define __UTIL_H__ 3 | 4 | #include 5 | 6 | uint8_t hex_char_to_int( uint8_t value ); 7 | uint8_t read_hex_uint8( char *string ); 8 | uint8_t int_to_hex_char( uint8_t nibble ); 9 | 10 | #endif // __UTIL_H__ 11 | -------------------------------------------------------------------------------- /banker/Makefile: -------------------------------------------------------------------------------- 1 | CXX=g++ 2 | CXXFLAGS=-g3 -O1 -Wall -w -fno-stack-protector -static -m32 3 | #CXXFLAGS=-O2 -Wall -w -pedantic -fmessage-length=0 -pie -fPIE 4 | #CXXFLAGS=-std=c++0x -g3 -Wall -w -pedantic -fmessage-length=0 -fno-stack-protector 5 | #CCFLAGS=-g3 -Wall -w -pedantic -fmessage-length=0 -fno-stack-protector 6 | #CCFLAGS=-g3 -Wall -w -pedantic -fmessage-length=0 -fno-stack-protector -fPIC 7 | 8 | O_FILES=main.o user_manager.o input_reader.o doublelist.o string.o transfer_manager.o cpp_helper.o base64.o 9 | 10 | banker : $(O_FILES) 11 | $(CXX) $(CXXFLAGS) -o banker $(O_FILES) 12 | 13 | # dependency stuff, see: http://www.cs.berkeley.edu/~smcpeak/autodepend/autodepend.html 14 | # pull in dependency info for *existing* .o files 15 | -include $(O_FILES:.o=.d) 16 | 17 | .SUFFIXES : .o .cpp 18 | 19 | .cpp.o : 20 | $(CXX) $(CXXFLAGS) -c $< 21 | $(CXX) -MM $(CXXFLAGS) $*.cpp > $*.d 22 | 23 | clean: 24 | rm -f banker *.o *.d 25 | -------------------------------------------------------------------------------- /banker/base64.h: -------------------------------------------------------------------------------- 1 | #ifndef __BASE64_H__ 2 | #define __BASE64_H__ 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | uint8_t *base64_encode( const uint8_t *src, size_t len, size_t *out_len ); 9 | uint8_t *base64_decode( const uint8_t *src, size_t len, size_t *out_len ); 10 | 11 | #endif // __BASE64_H__ 12 | -------------------------------------------------------------------------------- /banker/cpp_helper.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #include "cpp_helper.h" 5 | 6 | void* operator new( size_t count ) 7 | { 8 | return (void *)malloc( count ); 9 | } 10 | 11 | void* operator new[]( size_t count ) 12 | { 13 | return (void *)malloc( count ); 14 | } 15 | 16 | void operator delete( void *ptr ) 17 | { 18 | free( ptr ); 19 | } 20 | 21 | void operator delete[]( void *ptr ) 22 | { 23 | free( ptr ); 24 | } 25 | -------------------------------------------------------------------------------- /banker/cpp_helper.h: -------------------------------------------------------------------------------- 1 | #ifndef CPP_HELPER_H__ 2 | #define CPP_HELPER_H__ 3 | 4 | void* operator new( size_t count ); 5 | void* operator new[]( size_t count ); 6 | 7 | void operator delete( void *ptr ); 8 | void operator delete[]( void *ptr ); 9 | 10 | #endif // CPP_HELPER_H__ 11 | -------------------------------------------------------------------------------- /banker/doublelist.h: -------------------------------------------------------------------------------- 1 | #ifndef __DOUBLE_LIST_H__ 2 | #define __DOUBLE_LIST_H__ 3 | 4 | #include 5 | #include 6 | 7 | // Forward declaration 8 | class CDoubleList; 9 | 10 | // A link item (carried by an item in a double list) 11 | class CDoubleLink 12 | { 13 | public: 14 | friend class CDoubleList; // Allow double list to access private data members 15 | 16 | public: 17 | CDoubleLink(); 18 | ~CDoubleLink(); 19 | 20 | bool Unlink( void ); // Unlink it from its list 21 | 22 | private: 23 | void AddToList( CDoubleList *pList ) { m_pList = pList; }; 24 | void ClearList( void ) { m_pList = NULL; }; 25 | 26 | private: 27 | CDoubleLink *m_pNext; // Next node 28 | CDoubleLink *m_pPrev; // Previous node 29 | CDoubleList *m_pList; // The list this item is in 30 | }; 31 | 32 | // Doubly linked list class 33 | class CDoubleList 34 | { 35 | public: 36 | friend class CDoubleLink; // Allow double link to access RemoveLink function 37 | 38 | public: 39 | CDoubleList(); 40 | ~CDoubleList(); 41 | 42 | // Delete everyone 43 | void DeleteAll( void ); 44 | 45 | // Accessors 46 | CDoubleLink *GetFirst( void ) { return m_pFirst; }; 47 | CDoubleLink *GetLast( void ) { return m_pLast; }; 48 | 49 | CDoubleLink *GetNext( CDoubleLink *pCur ); 50 | CDoubleLink *GetPrev( CDoubleLink *pCur ); 51 | 52 | // Remove 53 | CDoubleLink *RemoveFirst( void ); 54 | CDoubleLink *RemoveLast( void ); 55 | 56 | // Addition 57 | bool AddFirst( CDoubleLink *pItem ); 58 | bool AddAfter( CDoubleLink *pPrev, CDoubleLink *pItem ); 59 | bool AddLast( CDoubleLink *pItem ); 60 | 61 | // Item count 62 | uint32_t GetItemCount( void ) { return m_itemCount; }; 63 | 64 | private: 65 | bool RemoveLink( CDoubleLink *pItem ); 66 | 67 | private: 68 | uint32_t m_itemCount; 69 | CDoubleLink *m_pFirst; 70 | CDoubleLink *m_pLast; 71 | }; 72 | 73 | #endif // __DOUBLE_LIST_H__ 74 | -------------------------------------------------------------------------------- /banker/input_reader.cpp: -------------------------------------------------------------------------------- 1 | #include "input_reader.h" 2 | #include "string.h" 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #define STDIN (0) 11 | #define STDOUT (1) 12 | #define STDERR (2) 13 | 14 | String CInputReader::ReadLine( uint32_t maxLen ) 15 | { 16 | char *pszTemp = new char[maxLen+1]; 17 | 18 | uint32_t lastPos = 0; 19 | bool bLineFound = false; 20 | for (;;) 21 | { 22 | bLineFound = false; 23 | uint32_t curPos = 0; 24 | for ( curPos = lastPos; curPos < m_bufferLoc; curPos++ ) 25 | { 26 | if ( m_pszBuffer[curPos] == '\n' ) 27 | { 28 | bLineFound = true; 29 | break; 30 | } 31 | } 32 | 33 | if ( bLineFound ) 34 | { 35 | lastPos = curPos; 36 | break; 37 | } 38 | 39 | if ( curPos == m_bufferLoc && m_bufferLoc >= MAX_READ_BUFFER_LEN ) 40 | { 41 | // Out of line buffer 42 | lastPos = curPos; 43 | break; 44 | } 45 | 46 | lastPos = curPos; 47 | 48 | int readRemaining = (maxLen - curPos); 49 | if ( readRemaining > (MAX_READ_BUFFER_LEN-m_bufferLoc) ) 50 | readRemaining = (MAX_READ_BUFFER_LEN-m_bufferLoc); 51 | 52 | if ( readRemaining == 0 ) 53 | { 54 | // Max length reached without newline 55 | break; 56 | } 57 | 58 | // Read more into input buffer 59 | int dataRead = read( STDIN, (m_pszBuffer+m_bufferLoc), readRemaining ); 60 | 61 | if ( dataRead == 0 ) 62 | { 63 | // EOF 64 | break; 65 | } 66 | 67 | if ( dataRead == -1 ) 68 | { 69 | // Critical error 70 | exit(-1); 71 | } 72 | 73 | m_bufferLoc += dataRead; 74 | } 75 | 76 | if ( lastPos > maxLen ) 77 | lastPos = maxLen; 78 | 79 | memcpy( pszTemp, m_pszBuffer, lastPos ); 80 | pszTemp[lastPos] = '\0'; 81 | 82 | String sTemp(pszTemp); 83 | 84 | delete pszTemp; 85 | 86 | // copy back -- make sure to use memmove due to overlapping 87 | if ( bLineFound ) 88 | { 89 | memmove( m_pszBuffer, m_pszBuffer+(lastPos+1), (m_bufferLoc-(lastPos+1)) ); 90 | m_bufferLoc -= (lastPos+1); 91 | } 92 | else 93 | { 94 | // else-- only copy what we've read 95 | memmove( m_pszBuffer, m_pszBuffer+lastPos, (m_bufferLoc-lastPos) ); 96 | m_bufferLoc -= lastPos; 97 | } 98 | 99 | return sTemp; 100 | } 101 | -------------------------------------------------------------------------------- /banker/input_reader.h: -------------------------------------------------------------------------------- 1 | #ifndef __INPUT_READER_H__ 2 | #define __INPUT_READER_H__ 3 | 4 | #define MAX_READ_BUFFER_LEN (4096) 5 | 6 | #include 7 | #include "string.h" 8 | 9 | class CInputReader 10 | { 11 | public: 12 | CInputReader( ) 13 | { 14 | m_bufferLoc = 0; 15 | m_bEOF = false; 16 | } 17 | 18 | String ReadLine( uint32_t maxLen ); 19 | 20 | bool IsEOF( void ) const { return m_bEOF; }; 21 | 22 | private: 23 | char m_pszBuffer[MAX_READ_BUFFER_LEN]; 24 | uint32_t m_bufferLoc; 25 | 26 | bool m_bEOF; 27 | }; 28 | 29 | #endif // __INPUT_READER_H__ 30 | -------------------------------------------------------------------------------- /banker/musl-clang: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # musl-clang: A clang wrapper for musl C library. 4 | # Supports static linking. (-static) 5 | # 6 | # WARNING: This is not a perfect drop-in replacement 7 | # 8 | # See LICENSE file for copyright and license details. 9 | # 10 | 11 | PREFIX=${MUSL_PREFIX:-"/usr/local/musl"} 12 | if [ ! -d "${PREFIX}" ]; then 13 | echo "invalid prefix: ${PREFIX}" 14 | return 1 15 | fi 16 | 17 | CPP=no 18 | case "$0" in 19 | *++) CPP=yes ;; 20 | esac 21 | 22 | if [ "${CPP}" = "yes" ]; then 23 | CLANG=${REALCLANGPP:-"clang-3.5++"} 24 | else 25 | CLANG=${REALCLANG:-"clang-3.5"} 26 | fi 27 | 28 | hasNo() { 29 | pat="$1" 30 | shift 1 31 | 32 | for e in "$@"; do 33 | if [ "$e" = "${pat}" ]; then 34 | return 1 35 | fi 36 | done 37 | return 0 38 | } 39 | 40 | ARGS="-nostdinc -fno-exceptions -fno-rtti -static" 41 | TAIL="" 42 | 43 | if hasNo '-nostdinc' "$@"; then 44 | ARGS="${ARGS} -isystem ${PREFIX}/include" 45 | fi 46 | 47 | if \ 48 | hasNo '-c' "$@" && \ 49 | hasNo '-S' "$@" && \ 50 | hasNo '-E' "$@" 51 | then 52 | ARGS="${ARGS} -nostdlib" 53 | ARGS="${ARGS} -Wl,-dynamic-linker=${PREFIX}/lib/libc.so" 54 | ARGS="${ARGS} -L${PREFIX}/lib" 55 | #ARGS="${ARGS} -Wl,-rpath=${PREFIX}/lib" 56 | 57 | if hasNo '-nostartfiles' "$@" && \ 58 | hasNo '-nostdlib' "$@" && \ 59 | hasNo '-nodefaultlibs' "$@" 60 | then 61 | ARGS="${ARGS} ${PREFIX}/lib/crt1.o" 62 | ARGS="${ARGS} ${PREFIX}/lib/crti.o" 63 | 64 | TAIL="${TAIL} ${PREFIX}/lib/crtn.o" 65 | fi 66 | 67 | if hasNo '-nostdlib' "$@" && \ 68 | hasNo '-nodefaultlibs' "$@" 69 | then 70 | if [ "${CPP}" = "yes" ]; then 71 | TAIL="${TAIL} -lc++" 72 | TAIL="${TAIL} -lunwind" 73 | TAIL="${TAIL} -lm" 74 | fi 75 | TAIL="${TAIL} -lc" 76 | #TAIL="${TAIL} -Wl,-Bstatic -lcompiler_rt" 77 | fi 78 | fi 79 | 80 | #echo "# $0" "$@" >&2 81 | #set -x 82 | exec ${CLANG} ${ARGS} "$@" ${TAIL} 83 | -------------------------------------------------------------------------------- /banker/password_generator/Makefile: -------------------------------------------------------------------------------- 1 | CXX=./musl-clang 2 | CXXFLAGS=-g3 -Wall -w -pedantic -fmessage-length=0 -fno-stack-protector 3 | #CXXFLAGS=-O2 -Wall -w -pedantic -fmessage-length=0 -pie -fPIE 4 | #CXXFLAGS=-std=c++0x -g3 -Wall -w -pedantic -fmessage-length=0 -fno-stack-protector 5 | #CCFLAGS=-g3 -Wall -w -pedantic -fmessage-length=0 -fno-stack-protector 6 | #CCFLAGS=-g3 -Wall -w -pedantic -fmessage-length=0 -fno-stack-protector -fPIC 7 | 8 | O_FILES=main.o well_rng.o base64.o cpp_helper.o 9 | 10 | passwdgen : $(O_FILES) 11 | $(CXX) $(CXXFLAGS) -o passwdgen $(O_FILES) 12 | 13 | # dependency stuff, see: http://www.cs.berkeley.edu/~smcpeak/autodepend/autodepend.html 14 | # pull in dependency info for *existing* .o files 15 | -include $(O_FILES:.o=.d) 16 | 17 | .SUFFIXES : .o .cpp 18 | 19 | .cpp.o : 20 | $(CXX) $(CXXFLAGS) -c $< 21 | $(CXX) -MM $(CXXFLAGS) $*.cpp > $*.d 22 | 23 | clean: 24 | rm -f passwdgen *.o *.d 25 | -------------------------------------------------------------------------------- /banker/password_generator/base64.h: -------------------------------------------------------------------------------- 1 | #ifndef __BASE64_H__ 2 | #define __BASE64_H__ 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | uint8_t *base64_encode( const uint8_t *src, size_t len, size_t *out_len ); 9 | uint8_t *base64_decode( const uint8_t *src, size_t len, size_t *out_len ); 10 | 11 | #endif // __BASE64_H__ 12 | -------------------------------------------------------------------------------- /banker/password_generator/cpp_helper.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #include "cpp_helper.h" 5 | 6 | void* operator new( size_t count ) 7 | { 8 | return (void *)malloc( count ); 9 | } 10 | 11 | void* operator new[]( size_t count ) 12 | { 13 | return (void *)malloc( count ); 14 | } 15 | 16 | void operator delete( void *ptr ) 17 | { 18 | free( ptr ); 19 | } 20 | 21 | void operator delete[]( void *ptr ) 22 | { 23 | free( ptr ); 24 | } 25 | -------------------------------------------------------------------------------- /banker/password_generator/cpp_helper.h: -------------------------------------------------------------------------------- 1 | #ifndef CPP_HELPER_H__ 2 | #define CPP_HELPER_H__ 3 | 4 | void* operator new( size_t count ); 5 | void* operator new[]( size_t count ); 6 | 7 | void operator delete( void *ptr ); 8 | void operator delete[]( void *ptr ); 9 | 10 | #endif // CPP_HELPER_H__ 11 | -------------------------------------------------------------------------------- /banker/password_generator/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "base64.h" 10 | #include "well_rng.h" 11 | 12 | void ReadDevURandomSeed( void ) 13 | { 14 | FILE *pFile; 15 | uint32_t rngInitData[16]; 16 | 17 | pFile = fopen( "/dev/urandom", "rb" ); 18 | 19 | if ( !pFile ) 20 | { 21 | printf( "Couldn't open /dev/urandom reverting to seed.\n" ); 22 | srand( time(NULL) ^ getpid()); 23 | 24 | for ( uint32_t i = 0; i < 16; i++ ) 25 | rngInitData[i] = rand(); 26 | 27 | InitWELLRNG512a( rngInitData ); 28 | 29 | return; 30 | } 31 | 32 | if ( fread( rngInitData, sizeof(uint32_t), 16, pFile ) != 16 ) 33 | { 34 | printf( "Couldn't get enough entropy. Reverting to seed.\n" ); 35 | for ( uint32_t i = 0; i < 16; i++ ) 36 | rngInitData[i] = rand(); 37 | 38 | InitWELLRNG512a( rngInitData ); 39 | 40 | return; 41 | } 42 | 43 | fclose( pFile ); 44 | 45 | InitWELLRNG512a( rngInitData ); 46 | } 47 | 48 | uint32_t GetRandomCharacterIndex( void ) 49 | { 50 | return (WELLRNG512a() * 62.0); 51 | } 52 | 53 | int main( void ) 54 | { 55 | ReadDevURandomSeed(); 56 | 57 | char szPassword[12]; 58 | 59 | uint32_t i; 60 | for ( i = 0; i < 8; i++ ) 61 | { 62 | uint32_t charIdx = GetRandomCharacterIndex(); 63 | 64 | if ( charIdx < 26 ) 65 | szPassword[i] = 'a' + charIdx; 66 | else if ( charIdx < 52 ) 67 | szPassword[i] = 'A' + (charIdx-26); 68 | else 69 | szPassword[i] = '0' + (charIdx-52); 70 | } 71 | 72 | szPassword[i] = '\0'; 73 | 74 | FILE *pUserFile = fopen( "/tmp/users.txt", "w" ); 75 | 76 | if ( !pUserFile ) 77 | { 78 | printf( "Error: Couldn't open users.txt for initial container startup, contact an admin!\n" ); 79 | return 0; 80 | } 81 | 82 | uint8_t *pEncodedPassword = base64_encode( (uint8_t *)szPassword, strlen(szPassword), NULL ); 83 | fprintf( pUserFile, "admin %s 1\n", pEncodedPassword ); 84 | 85 | delete pEncodedPassword; 86 | 87 | fclose( pUserFile ); 88 | } 89 | -------------------------------------------------------------------------------- /banker/password_generator/musl-clang: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # musl-clang: A clang wrapper for musl C library. 4 | # Supports static linking. (-static) 5 | # 6 | # WARNING: This is not a perfect drop-in replacement 7 | # 8 | # See LICENSE file for copyright and license details. 9 | # 10 | 11 | PREFIX=${MUSL_PREFIX:-"/usr/local/musl"} 12 | if [ ! -d "${PREFIX}" ]; then 13 | echo "invalid prefix: ${PREFIX}" 14 | return 1 15 | fi 16 | 17 | CPP=no 18 | case "$0" in 19 | *++) CPP=yes ;; 20 | esac 21 | 22 | if [ "${CPP}" = "yes" ]; then 23 | CLANG=${REALCLANGPP:-"clang-3.5++"} 24 | else 25 | CLANG=${REALCLANG:-"clang-3.5"} 26 | fi 27 | 28 | hasNo() { 29 | pat="$1" 30 | shift 1 31 | 32 | for e in "$@"; do 33 | if [ "$e" = "${pat}" ]; then 34 | return 1 35 | fi 36 | done 37 | return 0 38 | } 39 | 40 | ARGS="-nostdinc -fno-exceptions -fno-rtti -static" 41 | TAIL="" 42 | 43 | if hasNo '-nostdinc' "$@"; then 44 | ARGS="${ARGS} -isystem ${PREFIX}/include" 45 | fi 46 | 47 | if \ 48 | hasNo '-c' "$@" && \ 49 | hasNo '-S' "$@" && \ 50 | hasNo '-E' "$@" 51 | then 52 | ARGS="${ARGS} -nostdlib" 53 | ARGS="${ARGS} -Wl,-dynamic-linker=${PREFIX}/lib/libc.so" 54 | ARGS="${ARGS} -L${PREFIX}/lib" 55 | #ARGS="${ARGS} -Wl,-rpath=${PREFIX}/lib" 56 | 57 | if hasNo '-nostartfiles' "$@" && \ 58 | hasNo '-nostdlib' "$@" && \ 59 | hasNo '-nodefaultlibs' "$@" 60 | then 61 | ARGS="${ARGS} ${PREFIX}/lib/crt1.o" 62 | ARGS="${ARGS} ${PREFIX}/lib/crti.o" 63 | 64 | TAIL="${TAIL} ${PREFIX}/lib/crtn.o" 65 | fi 66 | 67 | if hasNo '-nostdlib' "$@" && \ 68 | hasNo '-nodefaultlibs' "$@" 69 | then 70 | if [ "${CPP}" = "yes" ]; then 71 | TAIL="${TAIL} -lc++" 72 | TAIL="${TAIL} -lunwind" 73 | TAIL="${TAIL} -lm" 74 | fi 75 | TAIL="${TAIL} -lc" 76 | #TAIL="${TAIL} -Wl,-Bstatic -lcompiler_rt" 77 | fi 78 | fi 79 | 80 | #echo "# $0" "$@" >&2 81 | #set -x 82 | exec ${CLANG} ${ARGS} "$@" ${TAIL} 83 | -------------------------------------------------------------------------------- /banker/password_generator/strip_all: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | strip -s passwdgen 4 | strip --remove-section .note --remove-section .comment --remove-section .note.gnu.build-id passwdgen 5 | -------------------------------------------------------------------------------- /banker/password_generator/well_rng.cpp: -------------------------------------------------------------------------------- 1 | /* ***************************************************************************** */ 2 | /* Copyright: Francois Panneton and Pierre L'Ecuyer, University of Montreal */ 3 | /* Makoto Matsumoto, Hiroshima University */ 4 | /* Notice: This code can be used freely for personal, academic, */ 5 | /* or non-commercial purposes. For commercial purposes, */ 6 | /* please contact P. L'Ecuyer at: lecuyer@iro.UMontreal.ca */ 7 | /* ***************************************************************************** */ 8 | 9 | #include "well_rng.h" 10 | 11 | #define W 32 12 | #define R 16 13 | #define P 0 14 | #define M1 13 15 | #define M2 9 16 | #define M3 5 17 | 18 | #define MAT0POS(t,v) (v^(v>>t)) 19 | #define MAT0NEG(t,v) (v^(v<<(-(t)))) 20 | #define MAT3NEG(t,v) (v<<(-(t))) 21 | #define MAT4NEG(t,b,v) (v ^ ((v<<(-(t))) & b)) 22 | 23 | #define V0 STATE[state_i ] 24 | #define VM1 STATE[(state_i+M1) & 0x0000000fU] 25 | #define VM2 STATE[(state_i+M2) & 0x0000000fU] 26 | #define VM3 STATE[(state_i+M3) & 0x0000000fU] 27 | #define VRm1 STATE[(state_i+15) & 0x0000000fU] 28 | #define VRm2 STATE[(state_i+14) & 0x0000000fU] 29 | #define newV0 STATE[(state_i+15) & 0x0000000fU] 30 | #define newV1 STATE[state_i ] 31 | #define newVRm1 STATE[(state_i+14) & 0x0000000fU] 32 | 33 | #define FACT 2.32830643653869628906e-10 34 | 35 | static unsigned int state_i = 0; 36 | static unsigned int STATE[R]; 37 | static unsigned int z0, z1, z2; 38 | 39 | void InitWELLRNG512a (unsigned int *init){ 40 | int j; 41 | state_i = 0; 42 | for (j = 0; j < R; j++) 43 | STATE[j] = init[j]; 44 | } 45 | 46 | double WELLRNG512a (void){ 47 | z0 = VRm1; 48 | z1 = MAT0NEG (-16,V0) ^ MAT0NEG (-15, VM1); 49 | z2 = MAT0POS (11, VM2) ; 50 | newV1 = z1 ^ z2; 51 | newV0 = MAT0NEG (-2,z0) ^ MAT0NEG(-18,z1) ^ MAT3NEG(-28,z2) ^ MAT4NEG(-5,0xda442d24U,newV1) ; 52 | state_i = (state_i + 15) & 0x0000000fU; 53 | return ((double) STATE[state_i]) * FACT; 54 | } 55 | -------------------------------------------------------------------------------- /banker/password_generator/well_rng.h: -------------------------------------------------------------------------------- 1 | #ifndef __WELL_RNG_H__ 2 | #define __WELL_RNG_H__ 3 | 4 | void InitWELLRNG512a( unsigned int *init ); 5 | double WELLRNG512a( void ); 6 | 7 | #endif // __WELL_RNG_H__ 8 | -------------------------------------------------------------------------------- /banker/settings.h: -------------------------------------------------------------------------------- 1 | #ifndef __SETTINGS_H__ 2 | #define __SETTINGS_H__ 3 | 4 | #define USER_FILE "/tmp/users.txt" 5 | #define MAX_USERNAME_LEN (12) 6 | #define MAX_PASSWORD_LEN (8) 7 | #define MIN_PASSWORD_LEN (6) 8 | 9 | #define MAX_TRY_TILL_TIMEOUT (7) 10 | 11 | #define MAX_TRANSFER_AMOUNT (100000) 12 | 13 | #define MAX_IDLE_SECS (35) 14 | 15 | #endif // __SETTINGS_H__ 16 | -------------------------------------------------------------------------------- /banker/string.h: -------------------------------------------------------------------------------- 1 | #ifndef STRING_H 2 | #define STRING_H 3 | 4 | #include 5 | #include 6 | 7 | class String 8 | { 9 | public: 10 | String(); 11 | String(const String& rhs); 12 | String(const char* rhs); 13 | ~String(); 14 | 15 | uint32_t GetLength(void) const; 16 | String SubString(uint32_t start, uint32_t length); 17 | 18 | void Reverse(); 19 | bool IsEmpty(); 20 | char GetAt(uint32_t pos); 21 | 22 | void ToUpper(); 23 | void ToLower(); 24 | 25 | int32_t ToInt( void ) const; 26 | 27 | 28 | String &operator=(const String &rhs); // Copy assignment 29 | //String &operator=(String &rhs); // Move assignment (take values) 30 | String operator+(String &rhs); 31 | String &operator+=(String &rhs); 32 | bool operator==(String &rhs) const; 33 | bool operator==(const String &rhs) const; 34 | 35 | int32_t Compare( const String &rhs ) const; 36 | const char *CStr(void) const; 37 | 38 | private: 39 | char* m_pData; 40 | uint32_t m_size; 41 | }; 42 | 43 | #endif // STRING_H 44 | -------------------------------------------------------------------------------- /banker/strip_all: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | strip -s banker 4 | strip --remove-section .note --remove-section .comment --remove-section .note.gnu.build-id banker 5 | -------------------------------------------------------------------------------- /banker/transfer_manager.cpp: -------------------------------------------------------------------------------- 1 | #include "transfer_manager.h" 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | uint32_t TransferManager::m_transferNumber = 0; 10 | 11 | void Transfer::CreateTransferUID( void ) 12 | { 13 | int fd = open( "/dev/urandom", O_RDONLY ); 14 | 15 | if ( fd == -1 ) 16 | { 17 | srand( time(NULL) ^ getpid() ^ 0xc3e78948 ); 18 | 19 | m_transferUID = rand()<<32|rand(); 20 | 21 | return; 22 | } 23 | 24 | if ( read( fd, &m_transferUID, 8 ) != 8 ) 25 | { 26 | srand( time(NULL) ^ getpid() ^ 0xc326ef83 ); 27 | 28 | m_transferUID = rand()<<32|rand(); 29 | 30 | return; 31 | } 32 | 33 | close( fd ); 34 | } 35 | 36 | TransferManager::TransferManager( ) 37 | { 38 | 39 | } 40 | 41 | TransferManager::~TransferManager( ) 42 | { 43 | 44 | } 45 | 46 | void TransferManager::Commit( void ) 47 | { 48 | char szTransferFileName[512]; 49 | sprintf( szTransferFileName, "/tmp/transfer_%d_%d.tsf", m_transferNumber, time(NULL) ); 50 | 51 | FILE *pTransferFile = fopen( szTransferFileName, "w" ); 52 | 53 | if ( !pTransferFile ) 54 | return; 55 | 56 | for ( Transfer *pCur = (Transfer *)m_transferList.GetFirst(); pCur; pCur = (Transfer *)m_transferList.GetNext( pCur ) ) 57 | { 58 | fprintf( pTransferFile, "%llu,%s,%s,%s,%s,%d.%d\n", pCur->GetTransferUID(), pCur->GetName().CStr(), pCur->GetBankUsername().CStr(), pCur->GetFromAccount().CStr(), pCur->GetToAccount().CStr(), pCur->GetAmountDollars(), pCur->GetAmountCents() ); 59 | } 60 | 61 | fclose( pTransferFile ); 62 | 63 | m_transferNumber++; 64 | } 65 | 66 | void TransferManager::AddTransfer( String sBankUsername, String sName, String sFromAccount, String sToAccount, uint32_t amountDollars, uint32_t amountCents ) 67 | { 68 | m_transferList.AddLast( new Transfer( sBankUsername, sName, sFromAccount, sToAccount, amountDollars, amountCents ) ); 69 | } 70 | 71 | CDoubleList *TransferManager::GetTransferList( void ) 72 | { 73 | return &m_transferList; 74 | } 75 | 76 | Transfer *TransferManager::FindTransferByName( const String &sName ) 77 | { 78 | for ( Transfer *pCur = (Transfer *)m_transferList.GetFirst(); pCur; pCur = (Transfer *)m_transferList.GetNext( pCur ) ) 79 | { 80 | if ( sName == pCur->GetName() ) 81 | return pCur; 82 | } 83 | 84 | return (NULL); 85 | } 86 | -------------------------------------------------------------------------------- /banker/transfer_manager.h: -------------------------------------------------------------------------------- 1 | #ifndef __TRANSFER_MANAGER_H__ 2 | #define __TRANSFER_MANAGER_H__ 3 | 4 | #include "doublelist.h" 5 | #include "string.h" 6 | 7 | class Transfer : public CDoubleLink 8 | { 9 | public: 10 | Transfer( String sBankUsername, String sName, String fromAccount, String toAccount, uint32_t amountDollars, uint32_t amountCents ) 11 | : m_sBankUsername( sBankUsername ), m_sName( sName ), m_fromAccount( fromAccount ), m_toAccount( toAccount ), m_amountDollars( amountDollars ), m_amountCents( amountCents ) 12 | { 13 | CreateTransferUID(); 14 | } 15 | 16 | ~Transfer( ) 17 | { 18 | 19 | } 20 | 21 | void CreateTransferUID( void ); 22 | 23 | uint64_t GetTransferUID( void ) const { return m_transferUID; }; 24 | const String &GetName( void ) const { return m_sName; }; 25 | const String &GetBankUsername( void ) const { return m_sBankUsername; }; 26 | const String &GetFromAccount( void ) const { return m_fromAccount; }; 27 | const String &GetToAccount( void ) const { return m_toAccount; }; 28 | uint32_t GetAmountDollars( void ) const { return m_amountDollars; }; 29 | uint32_t GetAmountCents( void ) const { return m_amountCents; }; 30 | 31 | private: 32 | uint64_t m_transferUID; 33 | String m_sBankUsername; 34 | String m_sName; 35 | String m_fromAccount; 36 | String m_toAccount; 37 | uint32_t m_amountDollars; 38 | uint32_t m_amountCents; 39 | 40 | }; 41 | 42 | class TransferManager 43 | { 44 | public: 45 | TransferManager( ); 46 | ~TransferManager( ); 47 | 48 | void Commit( void ); 49 | 50 | void AddTransfer( String sBankUsername, String sName, String sFromAccount, String sToAccount, uint32_t amountDollars, uint32_t amountCents ); 51 | 52 | CDoubleList *GetTransferList( void ); 53 | 54 | Transfer *FindTransferByName( const String &sName ); 55 | 56 | private: 57 | static uint32_t m_transferNumber; 58 | CDoubleList m_transferList; 59 | }; 60 | 61 | #endif // TRANSFER_MANAGER_H__ 62 | -------------------------------------------------------------------------------- /banker/user_manager.h: -------------------------------------------------------------------------------- 1 | #ifndef __USER_MANAGER_H__ 2 | #define __USER_MANAGER_H__ 3 | 4 | #define ACCESS_USER 0 5 | #define ACCESS_ADMIN 1 6 | 7 | #include "string.h" 8 | #include "doublelist.h" 9 | 10 | class User : public CDoubleLink 11 | { 12 | public: 13 | User( String sUsername, String sPassword, uint8_t accessType ) 14 | : m_sUsername( sUsername ), m_sPassword( sPassword ), m_accessType( accessType ) 15 | { 16 | 17 | } 18 | 19 | const String &GetUsername( void ) const { return m_sUsername; }; 20 | const String &GetPassword( void ) const { return m_sPassword; }; 21 | 22 | uint8_t GetAccessType( void ) const { return m_accessType; }; 23 | 24 | bool IsAdmin( void ) const { return m_accessType == ACCESS_ADMIN; }; 25 | 26 | private: 27 | String m_sUsername; 28 | String m_sPassword; 29 | uint8_t m_accessType; 30 | }; 31 | 32 | class UserManager 33 | { 34 | public: 35 | UserManager(); 36 | ~UserManager(); 37 | 38 | void LoadUserTable( void ); 39 | void SaveUserTable( void ); 40 | 41 | void AddUser( String sUsername, String sPassword, uint8_t accessType ); 42 | bool DeleteUser( String sUsername ); 43 | User *GetUser( String sUsername ); 44 | 45 | CDoubleList *GetUserList( void ); 46 | 47 | private: 48 | CDoubleList m_userList; 49 | }; 50 | 51 | #endif // __USER_MANAGER_H__ 52 | -------------------------------------------------------------------------------- /banker/users.txt: -------------------------------------------------------------------------------- 1 | admin test 1 2 | -------------------------------------------------------------------------------- /crippled/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | #./neatcc/ncc -o test.o test.c 3 | ./fasm start.S start.o 4 | #./fasm write.S write.o 5 | #./neatld/nld -p -s -o test start.o write.o test.o 6 | gcc crippled.c -o crippled -m32 -fPIC -pie 7 | cp neatcc/ncc compiler 8 | cp neatld/nld compiler 9 | cp start.o compiler 10 | 11 | clean: 12 | rm *.o test 13 | -------------------------------------------------------------------------------- /crippled/flag: -------------------------------------------------------------------------------- 1 | The flag is: Custom compilers can be tricky at times 2 | -------------------------------------------------------------------------------- /crippled/start.S: -------------------------------------------------------------------------------- 1 | format elf 2 | 3 | section '.cs' executable 4 | extrn main 5 | 6 | public _start 7 | _start: 8 | mov ebp, esp 9 | 10 | ;open up our file 11 | mov eax, 5 12 | mov ebx, Filename 13 | xor ecx, ecx 14 | xor edx, edx 15 | int 0x80 16 | 17 | ;need to setup a kill timer 18 | mov eax, 259 19 | mov ebx, 1 ;CLOCK_REALTIME 20 | 21 | ;setup 64 bytes of stack to be 0 22 | mov ecx, 16 23 | pushloop: 24 | push 0 25 | loop pushloop 26 | 27 | ;setup the sigevent structure to send sigkill when timer fires 28 | mov ecx, esp 29 | mov [ecx+4], dword 9 30 | 31 | ;point to the stack for the return value 32 | push 0 33 | mov edx, esp 34 | int 0x80 35 | 36 | ;start the timer 37 | mov eax, 260 38 | mov ebx, [esp] 39 | xor ecx, ecx 40 | push 0 41 | push 10 ;10 second max execution 42 | push 0 43 | push 0 44 | mov edx, esp 45 | xor esi, esi 46 | int 0x80 47 | 48 | ;make sure no core 49 | ;setrlimit(RLIMIT_CORE, [0, 0]); 50 | push 0 51 | push 0 52 | mov eax, 75 53 | mov ebx, 4 54 | mov ecx, esp 55 | int 0x80 56 | 57 | ;limit to 2k of output data, the crippled loader has a 1k limit on return 58 | ;setrlimit(RLIMIT_FSIZE, [2048, 2048]); 59 | push 2048 60 | push 2048 61 | mov eax, 75 62 | mov ebx, 1 63 | mov ecx, esp 64 | int 0x80 65 | 66 | ;only allow read, write, _exit, and sigreturn 67 | ;prctl(PR_SET_SECCOMP, SECCOMP_SET_MODE_STRICT, 0, 0, 0); 68 | mov eax, 172 69 | mov ebx, 22 70 | mov ecx, 1 71 | xor edx, edx 72 | xor esi, esi 73 | xor edi, edi 74 | int 0x80 75 | 76 | ;reset the stack position and call main 77 | ;call main 78 | mov esp, ebp 79 | xor ebp, ebp 80 | push 0 81 | push 0 82 | call main 83 | 84 | ;exit 85 | mov eax, 0x1 86 | int 0x80 87 | 88 | public write 89 | write: 90 | mov eax, 4 91 | mov ebx, [esp+4] 92 | mov ecx, [esp+8] 93 | mov edx, [esp+12] 94 | int 0x80 95 | ret 96 | 97 | section '.ds' 98 | Filename: 99 | db "/home/crippled/flag", 0 100 | -------------------------------------------------------------------------------- /crunchtime/COMPILING: -------------------------------------------------------------------------------- 1 | Must be compiled with gcc 4.7.3 (using Mint 15) otherwise register usage in NewString causes trouble when returning from AddString 2 | -------------------------------------------------------------------------------- /crunchtime/Makefile: -------------------------------------------------------------------------------- 1 | SVCNAME = crunchtime 2 | 3 | EXTRAFLAGS = -Os -ffunction-sections -Wl,-Map,crunchtime.map -pie -fPIC 4 | 5 | CC = gcc 6 | CFLAGS = -g -Wall -Wshadow -Wextra -std=gnu99 $(EXTRAFLAGS) 7 | INCLUDEDIR = . 8 | 9 | CFILES = $(wildcard *.c) 10 | OBJECTS = $(patsubst %.c,%.o,$(CFILES)) 11 | 12 | $(SVCNAME): $(OBJECTS) 13 | $(CC) $(CFLAGS) $(DEFINES) $(OBJECTS) -o $(SVCNAME) $(LIBS) 14 | strip -s $(SVCNAME) 15 | strip -g -S -d $(SVCNAME) 16 | strip -x $(SVCNAME) 17 | strip -X $(SVCNAME) 18 | python crunchtime-fixup.py 19 | 20 | %.o: %.c Makefile 21 | $(CC) $(CFLAGS) $(DEFINES) -I$(INCLUDEDIR) -c $< -o $@ 22 | 23 | clean: 24 | rm -rf $(SVCNAME) *.o 25 | 26 | .PHONY: clean 27 | -------------------------------------------------------------------------------- /crunchtime/common.c: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | ssize_t sendMsg(char *msg) { 4 | return write(1, msg, strlen(msg)); 5 | } 6 | 7 | ssize_t sendMsgf(const char *format, ...) { 8 | ssize_t status = 0; 9 | va_list list; 10 | char *ptr = NULL; 11 | 12 | va_start(list, format); 13 | status = vasprintf(&ptr, format, list); 14 | va_end(list); 15 | 16 | if (status == -1) 17 | goto ret; 18 | 19 | status = sendMsg(ptr); 20 | 21 | ret: 22 | free(ptr); 23 | return status; 24 | } 25 | 26 | ssize_t readUntil(char *buf, size_t len, char sentinal) { 27 | char _buf; 28 | size_t i = 0; 29 | ssize_t count; 30 | 31 | if (len > 0) { 32 | for (i = 0; i < len; i++) { 33 | count = read(0, &_buf, 1); 34 | 35 | if (count <= 0) { 36 | exit(0); 37 | break; 38 | } 39 | 40 | buf[i] = _buf; 41 | 42 | if (_buf == sentinal) 43 | break; 44 | } 45 | } 46 | 47 | return i; 48 | } 49 | -------------------------------------------------------------------------------- /crunchtime/common.h: -------------------------------------------------------------------------------- 1 | #ifndef DEFCON_COMMON 2 | #define DEFCON_COMMON 3 | 4 | #ifndef __MACH__ 5 | #define _GNU_SOURCE 6 | #endif 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | #ifdef _SEED_ 17 | #include 18 | #endif 19 | 20 | // socket read and write functions 21 | ssize_t sendMsg(char *); 22 | ssize_t sendMsgf(const char *, ...); 23 | //#define sendMsgf printf 24 | ssize_t readUntil(char *buf, size_t len, char sentinal); 25 | 26 | #endif 27 | -------------------------------------------------------------------------------- /crunchtime/crunchtime-fixup.py: -------------------------------------------------------------------------------- 1 | MapData = open("crunchtime.map","r").read().split("\n") 2 | Misdirection = open("crunchtime","rb").read() 3 | dataline = " .text.addstring_unlikely" 4 | for Line in xrange(0, len(MapData)): 5 | if MapData[Line][0:len(dataline)] == dataline: 6 | AddString = MapData[Line+1].split() 7 | StartPos = int(AddString[0][2:], 16) & 0xfffff 8 | EndPos = StartPos + int(AddString[1][2:], 16) 9 | NewMisdirection = Misdirection[0:StartPos] 10 | NewMisdirection += chr(0x9c) 11 | for i in xrange(StartPos, EndPos): 12 | if Misdirection[i] == chr(0x9c): 13 | NewMisdirection += Misdirection[StartPos:i] 14 | break 15 | 16 | for x in xrange(EndPos, i, -1): 17 | if Misdirection[x] == chr(0x9d): 18 | NewMisdirection += Misdirection[i+1:x] 19 | NewMisdirection += Misdirection[x+1:EndPos-1] 20 | break 21 | 22 | NewMisdirection += chr(0x9d) 23 | NewMisdirection += Misdirection[EndPos-1:] 24 | break 25 | 26 | open("crunchtime","wb").write(NewMisdirection) 27 | -------------------------------------------------------------------------------- /crunchtime/flag: -------------------------------------------------------------------------------- 1 | The flag is: CRCs are so much fun, but understanding that direction flag bit is helpful 2 | -------------------------------------------------------------------------------- /easier/DefconChal2.sdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/legitbs/quals-2016/ab495ee64bdb008f70608672286280b46bbdb2b7/easier/DefconChal2.sdf -------------------------------------------------------------------------------- /easier/DefconChal2.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2012 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DefconChal2", "DefconChal2\DefconChal2.vcxproj", "{1AC5D786-3905-4F82-A969-01266F110D70}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {1AC5D786-3905-4F82-A969-01266F110D70}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {1AC5D786-3905-4F82-A969-01266F110D70}.Debug|Win32.Build.0 = Debug|Win32 14 | {1AC5D786-3905-4F82-A969-01266F110D70}.Release|Win32.ActiveCfg = Release|Win32 15 | {1AC5D786-3905-4F82-A969-01266F110D70}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /easier/DefconChal2.v11.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/legitbs/quals-2016/ab495ee64bdb008f70608672286280b46bbdb2b7/easier/DefconChal2.v11.suo -------------------------------------------------------------------------------- /easier/DefconChal2/DefconChal2.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/legitbs/quals-2016/ab495ee64bdb008f70608672286280b46bbdb2b7/easier/DefconChal2/DefconChal2.cpp -------------------------------------------------------------------------------- /easier/DefconChal2/DefconChal2.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /easier/DefconChal2/DefconChal2.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /easier/DefconChal2/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | CONSOLE APPLICATION : DefconChal2 Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this DefconChal2 application for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your DefconChal2 application. 9 | 10 | 11 | DefconChal2.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | DefconChal2.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | DefconChal2.cpp 25 | This is the main application source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named DefconChal2.pch and a precompiled types file named StdAfx.obj. 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /easier/DefconChal2/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // DefconChal2.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /easier/DefconChal2/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #include 11 | #include 12 | 13 | 14 | 15 | // TODO: reference additional headers your program requires here 16 | -------------------------------------------------------------------------------- /easier/DefconChal2/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /feedme/Makefile: -------------------------------------------------------------------------------- 1 | CC=gcc 2 | #CCFLAGS=-g3 -Wall -w -pedantic -fmessage-length=0 -fno-stack-protector -D_FORTIFY_SOURCE=0 -pie -fPIE 3 | #CCFLAGS=-O3 4 | #CCFLAGS=-g3 -Wall -w -pedantic -fmessage-length=0 5 | CCFLAGS=-g3 -Wall -w -pedantic -fmessage-length=0 -m32 6 | #CCFLAGS=-g3 -Wall -w -pedantic -fmessage-length=0 -fno-stack-protector -fPIC 7 | 8 | O_FILES = main.o 9 | 10 | feedme: $(O_FILES) 11 | $(CC) $(CCFLAGS) -o feedme $(O_FILES) 12 | 13 | # dependency stuff, see: http://www.cs.berkeley.edu/~smcpeak/autodepend/autodepend.html 14 | # pull in dependency info for *existing* .o files 15 | -include $(O_FILES:.o=.d) 16 | 17 | .SUFFIXES : .o .c 18 | 19 | .c.o : 20 | $(CC) $(CCFLAGS) -c $< 21 | $(CC) -MM $(CFLAGS) $*.c > $*.d 22 | 23 | clean: 24 | rm -f feedme *.o *.d 25 | -------------------------------------------------------------------------------- /feedme/strip_all: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | strip -s feedme 4 | strip --remove-section .note --remove-section .comment --remove-section .note.gnu.build-id feedme 5 | -------------------------------------------------------------------------------- /heapfun4u/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -s -fno-stack-protector heapfun4u.c dc_malloc.c -o heapfun4u 3 | 4 | -------------------------------------------------------------------------------- /heapfun4u/dc_malloc.h: -------------------------------------------------------------------------------- 1 | #ifndef __MALLOC__ 2 | #define __MALLOC__ 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | typedef struct m_header { 10 | /// 8 byte aligned so 3 bits for flags 11 | unsigned long size; 12 | } m_header, *pm_header; 13 | 14 | typedef struct m_footer { 15 | m_header *pNext; 16 | m_header *pPrev; 17 | } m_footer, *pm_footer; 18 | 19 | typedef struct m_manager { 20 | void *free_list; 21 | } m_manager, *pm_manager; 22 | 23 | #define PAGE_SIZE 4096 24 | 25 | #define BLOCK_FOOTER( block ) ((pm_footer)( ((char *)block) + (( ( ((pm_header)block)->size & ~3) + sizeof(m_header) ) - sizeof( m_footer)))) 26 | 27 | void *dc_malloc( unsigned int size); 28 | void dc_free( void*ptr); 29 | void debug_print(); 30 | 31 | #endif 32 | -------------------------------------------------------------------------------- /heapfun4u/flag: -------------------------------------------------------------------------------- 1 | The flag is: Oh noze you pwned my h33p. 2 | -------------------------------------------------------------------------------- /heapfun4u/heapfun4u.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "dc_malloc.h" 4 | 5 | void *array[100]; 6 | int array_sz[100]; 7 | int c; 8 | 9 | void print_array() 10 | { 11 | int i =0; 12 | 13 | for ( i = 0; i < 100; i++) { 14 | if ( array[i] == NULL ) { 15 | continue; 16 | } 17 | 18 | printf("%d) %p -- %d\n", i+1, array[i], array_sz[i]); 19 | } 20 | 21 | return; 22 | } 23 | 24 | void name( void ) 25 | { 26 | int hello; 27 | 28 | printf("Here you go: %p\n", &hello); 29 | 30 | return; 31 | } 32 | 33 | void wb( ) 34 | { 35 | char stuff[16]; 36 | int sel = 0; 37 | 38 | print_array(); 39 | 40 | printf("Write where: "); 41 | if ( read( 0, stuff, 15) <= 0 ) { 42 | exit(0); 43 | } 44 | 45 | sel = atoi(stuff) - 1; 46 | 47 | if ( sel < 0 || sel >= 100 ) { 48 | exit(0); 49 | } 50 | 51 | if ( !array[sel] ) { 52 | exit(0); 53 | } 54 | 55 | printf("Write what: "); 56 | 57 | if ( read( 0, array[sel], array_sz[sel]) <= 0 ) { 58 | exit(0); 59 | } 60 | 61 | 62 | return; 63 | } 64 | 65 | int main() 66 | { 67 | memset( array, 0, sizeof(void*) * 100); 68 | c = 0; 69 | int sel = 0; 70 | char yo[256]; 71 | 72 | setvbuf( stdin, NULL, _IONBF, 0 ); 73 | setvbuf( stdout, NULL, _IONBF, 0 ); 74 | 75 | while ( 1 ) { 76 | printf("[A]llocate Buffer\n"); 77 | printf("[F]ree Buffer\n"); 78 | printf("[W]rite Buffer\n"); 79 | printf("[N]ice guy\n"); 80 | printf("[E]xit\n"); 81 | printf("| "); 82 | 83 | if ( read( 0, yo, 255) <= 0 ) { 84 | exit(0); 85 | } 86 | 87 | switch( yo[0] ) { 88 | case 'A': 89 | if ( c == 100) { 90 | exit(0); 91 | } 92 | 93 | printf("Size: "); 94 | 95 | if ( read(0,yo, 255) <= 0 ) { 96 | exit(0); 97 | } 98 | 99 | sel = atoi( yo ); 100 | array[c] = dc_malloc(sel); 101 | array_sz[c] = sel; 102 | 103 | if ( !array[c] ) { 104 | exit(0); 105 | } 106 | 107 | c++; 108 | 109 | break; 110 | case 'F': 111 | print_array(); 112 | printf("Index: "); 113 | 114 | if ( read( 0, yo, 256) <= 0 ) { 115 | exit(0); 116 | } 117 | 118 | sel = atoi(yo) - 1; 119 | 120 | if ( sel < 0 || sel >=100) { 121 | exit(0); 122 | } 123 | 124 | if ( array[sel] ) { 125 | dc_free( array[sel] ); 126 | } else { 127 | exit(0); 128 | } 129 | 130 | break; 131 | case 'W': 132 | wb(); 133 | break; 134 | case 'N': 135 | name(); 136 | break; 137 | case 'E': 138 | printf("Leave\n"); 139 | return 0; 140 | default: 141 | exit(0); 142 | break; 143 | }; 144 | } 145 | 146 | return 0; 147 | } 148 | -------------------------------------------------------------------------------- /int3/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | gcc int3rupt.c -o int3rupt -fno-stack-protector -static -L . 4 | strip -s int3rupt 5 | strip -X int3rupt 6 | strip -x int3rupt 7 | strip -g -S -d int3rupt 8 | 9 | -------------------------------------------------------------------------------- /int3/flag: -------------------------------------------------------------------------------- 1 | I 0xcc for butterflies. 2 | -------------------------------------------------------------------------------- /int3/libc.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/legitbs/quals-2016/ab495ee64bdb008f70608672286280b46bbdb2b7/int3/libc.a -------------------------------------------------------------------------------- /justintime/Makefile: -------------------------------------------------------------------------------- 1 | CXX=g++ 2 | #CCFLAGS=-g3 -Wall -w -pedantic -fmessage-length=0 -fno-stack-protector -D_FORTIFY_SOURCE=0 -pie -fPIE 3 | #CXXFLAGS=-std=c++0x -g3 -Wall -w -pthread -fno-stack-protector -fPIC -s 4 | CXXFLAGS=-std=c++0x -g3 -Wall -w -pthread -fno-stack-protector -m32 5 | #CCFLAGS=-g3 -Wall -w -pedantic -fmessage-length=0 -fno-stack-protector 6 | #CCFLAGS=-g3 -Wall -w -pedantic -fmessage-length=0 -fno-stack-protector -fPIC 7 | 8 | O_FILES=main.o common.o doublelist.o cioconnection.o dummy_thread.o input_thread.o worker_log.o 9 | 10 | justintime : $(O_FILES) 11 | $(CXX) $(CXXFLAGS) -o justintime $(O_FILES) 12 | 13 | # dependency stuff, see: http://www.cs.berkeley.edu/~smcpeak/autodepend/autodepend.html 14 | # pull in dependency info for *existing* .o files 15 | -include $(O_FILES:.o=.d) 16 | 17 | .SUFFIXES : .o .cpp 18 | 19 | .cpp.o : 20 | $(CXX) $(CXXFLAGS) -c $< 21 | $(CXX) -MM $(CXXFLAGS) $*.cpp > $*.d 22 | 23 | .c.o : 24 | $(CXX) $(CXXFLAGS) -c $< 25 | $(CXX) -MM $(CXXFLAGS) $*.c > $*.d 26 | 27 | clean: 28 | rm -f justintime *.o *.d 29 | -------------------------------------------------------------------------------- /justintime/cioconnection.h: -------------------------------------------------------------------------------- 1 | #ifndef __CIO_CONNECTION_H__ 2 | #define __CIO_CONNECTION_H__ 3 | 4 | class CIOConnection 5 | { 6 | public: 7 | 8 | virtual int32_t ReadLine( uint8_t *pBuffer, uint32_t maxLen ) = 0; 9 | virtual int32_t WriteLine( uint8_t *pBuffer, uint32_t maxLen ) = 0; 10 | 11 | virtual int32_t RecvUntil( uint8_t *pBuffer, uint32_t count ) = 0; 12 | 13 | virtual bool IsInputAvailable( void ) = 0; 14 | 15 | virtual int32_t ReadAvailableInput( uint8_t *pBuffer, uint32_t maxLen ) = 0; 16 | 17 | private: 18 | }; 19 | 20 | class CIOStdioConnection : public CIOConnection 21 | { 22 | public: 23 | 24 | int32_t ReadLine( uint8_t *pBuffer, uint32_t maxLen ); 25 | int32_t WriteLine( uint8_t *pBuffer, uint32_t maxLen ); 26 | 27 | int32_t RecvUntil( uint8_t *pBuffer, uint32_t count ); 28 | 29 | bool IsInputAvailable( void ); 30 | 31 | int32_t ReadAvailableInput( uint8_t *pBuffer, uint32_t maxLen ); 32 | }; 33 | 34 | #endif // __CIO_CONNECTION_H__ 35 | 36 | -------------------------------------------------------------------------------- /justintime/common.h: -------------------------------------------------------------------------------- 1 | #ifndef __COMMON_H__ 2 | #define __COMMON_H__ 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | #define ENABLE_SIG_ALARM_HANDLER (1) 24 | 25 | #define THREAD_COUNT (5) 26 | #define TASK_PARAMETER_COUNT (4) 27 | 28 | #define TASK_NONE (0) 29 | #define TASK_GCD (1) 30 | #define TASK_LCD (2) 31 | #define TASK_PRIME (3) 32 | 33 | // Set the MAX_LINE_LEN 34 | #define MAX_LINE_LEN 1024 35 | 36 | // Signal alarm timeout for service 37 | #define MAX_IDLE_SECS 60 38 | 39 | #define SYSTEM_STATE_RUN (0) 40 | #define SYSTEM_STATE_SLEEP (1) 41 | #define SYSTEM_STATE_TERMINATE (2) 42 | #define SYSTEM_STATE_MAX (3) 43 | 44 | #define LOG_FILE_NAME "/tmp/worker_log.log" 45 | 46 | #define BUILD_TIMESTAMP 0x56c35c5b 47 | 48 | // This is used to debug input commands 49 | //#define DEBUG_INPUT_HELPER 1 50 | 51 | // Debug output data 52 | //#define DEBUG_OUTPUT 1 53 | 54 | using namespace std; 55 | 56 | typedef struct 57 | { 58 | uint8_t taskType; 59 | uint8_t taskParameterCount; 60 | uint32_t taskParameters[TASK_PARAMETER_COUNT]; 61 | } tTaskParameters; 62 | 63 | #include "doublelist.h" 64 | #include "cioconnection.h" 65 | #include "input_thread.h" 66 | #include "dummy_thread.h" 67 | #include "worker_log.h" 68 | 69 | uint32_t ReadDevURandom32( void ); 70 | void ReadDevURandom256( uint8_t *, uint32_t ); 71 | 72 | uint32_t DoCRC32( uint32_t crc, const uint8_t *pData, uint32_t size ); 73 | 74 | int32_t debug_log( uint32_t priority, const char *format, ... ); 75 | void set_log_priority( uint32_t priority ); 76 | 77 | void FreeMessageWrapper( void * ); 78 | 79 | vector SplitString( string sInStr ); 80 | 81 | bool HandleStateRun( uint32_t *pTaskArgs, uint8_t argCount, uint8_t taskType, CDummyThread * ); 82 | bool HandleStateSleep( uint32_t *pTaskArgs, uint8_t argCount, uint8_t taskType, CDummyThread * ); 83 | bool HandleStateTerminate( uint32_t *pTaskArgs, uint8_t argCount, uint8_t taskType, CDummyThread * ); 84 | 85 | #endif // __COMMON_H__ 86 | -------------------------------------------------------------------------------- /justintime/doublelist.h: -------------------------------------------------------------------------------- 1 | #ifndef __DOUBLE_LIST_H__ 2 | #define __DOUBLE_LIST_H__ 3 | 4 | // Forward declaration 5 | class CDoubleList; 6 | 7 | // A link item (carried by an item in a double list) 8 | class CDoubleLink 9 | { 10 | public: 11 | friend class CDoubleList; // Allow double list to access private data members 12 | 13 | public: 14 | CDoubleLink(); 15 | ~CDoubleLink(); 16 | 17 | bool Unlink( void ); // Unlink it from its list 18 | 19 | private: 20 | void AddToList( CDoubleList *pList ) { m_pList = pList; }; 21 | void ClearList( void ) { m_pList = NULL; }; 22 | 23 | private: 24 | CDoubleLink *m_pNext; // Next node 25 | CDoubleLink *m_pPrev; // Previous node 26 | CDoubleList *m_pList; // The list this item is in 27 | }; 28 | 29 | // Doubly linked list class 30 | class CDoubleList 31 | { 32 | public: 33 | friend class CDoubleLink; // Allow double link to access RemoveLink function 34 | 35 | public: 36 | CDoubleList(); 37 | ~CDoubleList(); 38 | 39 | // Delete everyone 40 | void DeleteAll( void ); 41 | 42 | // Accessors 43 | CDoubleLink *GetFirst( void ) { return m_pFirst; }; 44 | CDoubleLink *GetLast( void ) { return m_pLast; }; 45 | 46 | CDoubleLink *GetNext( CDoubleLink *pCur ); 47 | CDoubleLink *GetPrev( CDoubleLink *pCur ); 48 | 49 | // Remove 50 | CDoubleLink *RemoveFirst( void ); 51 | CDoubleLink *RemoveLast( void ); 52 | 53 | // Addition 54 | bool AddFirst( CDoubleLink *pItem ); 55 | bool AddAfter( CDoubleLink *pPrev, CDoubleLink *pItem ); 56 | bool AddLast( CDoubleLink *pItem ); 57 | 58 | // Item count 59 | uint32_t GetItemCount( void ) { return m_itemCount; }; 60 | 61 | private: 62 | bool RemoveLink( CDoubleLink *pItem ); 63 | 64 | private: 65 | uint32_t m_itemCount; 66 | CDoubleLink *m_pFirst; 67 | CDoubleLink *m_pLast; 68 | }; 69 | 70 | #endif // __DOUBLE_LIST_H__ 71 | -------------------------------------------------------------------------------- /justintime/dummy_thread.h: -------------------------------------------------------------------------------- 1 | #ifndef __DUMMY_THREAD_H__ 2 | #define __DUMMY_THREAD_H__ 3 | 4 | class CDummyThread 5 | { 6 | public: 7 | CDummyThread( uint32_t threadID ); 8 | 9 | void RunThread( void ); 10 | 11 | uint32_t GetThreadID( void ) const { return m_threadID; }; 12 | 13 | private: 14 | uint32_t m_threadID; 15 | 16 | uint32_t sts_cpu_clock; 17 | uint32_t sts_task_clock; 18 | 19 | uint32_t m_curTaskPos; 20 | 21 | // bool (*m_fpSystemHandler[SYSTEM_STATE_MAX])( CDummyThread * ); 22 | }; 23 | 24 | #endif // __DUMMY_THREAD_H__ 25 | -------------------------------------------------------------------------------- /justintime/input_thread.h: -------------------------------------------------------------------------------- 1 | #ifndef __INPUT_THREAD_H__ 2 | #define __INPUT_THREAD_H__ 3 | 4 | #include 5 | 6 | class CIOStdioConnection; 7 | 8 | class CInputThread 9 | { 10 | public: 11 | CInputThread( uint32_t threadID, CIOStdioConnection *pConnection ); 12 | 13 | void RunThread( void ); 14 | 15 | private: 16 | typedef bool (*tCmdHandler) ( CInputThread *pThis, vector &args ); 17 | 18 | // Command handlers 19 | std::map m_cmdMap; 20 | 21 | uint32_t m_threadID; 22 | CIOStdioConnection *m_pConnection; 23 | }; 24 | 25 | #endif // __INPUT_THREAD_H__ 26 | -------------------------------------------------------------------------------- /justintime/main.cpp: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | tTaskParameters g_threadTaskList[THREAD_COUNT]; 4 | uint32_t g_systemState = SYSTEM_STATE_RUN; 5 | CWorkerLogger g_workerLog; 6 | 7 | void sig_alarm_handler( int signum ) 8 | { 9 | printf( "Timeout! Connection closing.\n" ); 10 | 11 | exit( 1 ); 12 | } 13 | 14 | 15 | int main( void ) 16 | { 17 | #ifdef ENABLE_SIG_ALARM_HANDLER 18 | signal( SIGALRM, sig_alarm_handler ); 19 | alarm( MAX_IDLE_SECS ); 20 | #endif 21 | 22 | // Setup I/O for xinetd service 23 | setvbuf( stdout, NULL, _IONBF, 0 ); 24 | 25 | #if 0 26 | printf( "g_threadTaskList[THREAD_COUNT-1].taskParameters[TASK_PARAMETER_COUNT-1] ADDRESS: %X\n", &(g_threadTaskList[THREAD_COUNT-1].taskParameters[TASK_PARAMETER_COUNT-1]) ); 27 | printf( "g_systemState ADDRESS: %X\n", &(g_systemState) ); 28 | #endif 29 | 30 | // Seed random number generator... 31 | srand( ReadDevURandom32() ); 32 | 33 | CIOStdioConnection oIOConnection; 34 | 35 | uint32_t spawnThreadCount = THREAD_COUNT; 36 | 37 | std::thread *pThreadList[THREAD_COUNT]; 38 | CDummyThread *pDummyClassList[THREAD_COUNT]; 39 | 40 | CInputThread oInputThread( 0, &oIOConnection ); 41 | 42 | pThreadList[0] = new std::thread( &CInputThread::RunThread, &oInputThread ); 43 | 44 | for ( uint32_t i = 1; i < spawnThreadCount; i++ ) 45 | { 46 | g_threadTaskList[i].taskType = TASK_NONE; 47 | 48 | pDummyClassList[i] = new CDummyThread( i ); 49 | pThreadList[i] = new std::thread( &CDummyThread::RunThread, pDummyClassList[i] ); 50 | } 51 | 52 | pThreadList[0]->join(); 53 | 54 | return (0); 55 | } 56 | -------------------------------------------------------------------------------- /justintime/worker_log.cpp: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | CWorkerLogger::CWorkerLogger( ) 4 | : m_bEnabled( false ), m_pLogFP( NULL ) 5 | { 6 | 7 | } 8 | 9 | CWorkerLogger::~CWorkerLogger( ) 10 | { 11 | if ( m_pLogFP ) 12 | { 13 | fclose( m_pLogFP ); 14 | m_pLogFP = false; 15 | } 16 | 17 | m_bEnabled = false; 18 | } 19 | 20 | void CWorkerLogger::Disable( void ) 21 | { 22 | if ( m_pLogFP ) 23 | { 24 | m_oLogFileMutex.lock(); 25 | 26 | fclose( m_pLogFP ); 27 | m_pLogFP = NULL; 28 | 29 | m_oLogFileMutex.unlock(); 30 | } 31 | 32 | m_bEnabled = false; 33 | } 34 | 35 | void CWorkerLogger::Enable( void ) 36 | { 37 | if ( m_bEnabled ) 38 | return; 39 | 40 | if ( m_pLogFP ) 41 | Disable(); 42 | 43 | m_pLogFP = fopen( LOG_FILE_NAME, "w+" ); 44 | 45 | if ( !m_pLogFP ) 46 | return; 47 | 48 | time_t build_time = BUILD_TIMESTAMP; 49 | struct tm lt; 50 | char res[64]; 51 | 52 | localtime_r(&build_time, <); 53 | 54 | strftime( res, 64, "%a %b %d %Y", < ); 55 | 56 | fprintf( m_pLogFP, "LOG STARTED\nTool version %d.%d.%d, build timestamp=%s\n", 1, 0, 0, res ); 57 | fflush( m_pLogFP ); 58 | 59 | m_bEnabled = true; 60 | } 61 | 62 | void CWorkerLogger::WriteLogData( uint8_t workerID, const char *pszFormat, ... ) 63 | { 64 | if ( !m_bEnabled ) 65 | return; 66 | 67 | m_oLogFileMutex.lock(); 68 | if ( !m_pLogFP ) 69 | { 70 | m_oLogFileMutex.unlock(); 71 | return; 72 | } 73 | 74 | va_list args; 75 | va_start( args, pszFormat ); 76 | 77 | int32_t chars_written; 78 | 79 | char szOutput[512]; 80 | 81 | sprintf( szOutput, "WORKER[%d]::%s\n", workerID, pszFormat ); 82 | 83 | chars_written = vfprintf( m_pLogFP, szOutput, args ); 84 | 85 | fflush( m_pLogFP ); 86 | std::this_thread::sleep_for( std::chrono::milliseconds( 50 ) ); 87 | 88 | va_end( args ); 89 | 90 | m_oLogFileMutex.unlock(); 91 | } 92 | -------------------------------------------------------------------------------- /justintime/worker_log.h: -------------------------------------------------------------------------------- 1 | #ifndef __WORKER_LOG_H__ 2 | #define __WORKER_LOG_H__ 3 | 4 | class CWorkerLogger 5 | { 6 | public: 7 | CWorkerLogger(); 8 | ~CWorkerLogger(); 9 | 10 | bool IsEnabled( void ) const { return m_bEnabled; }; 11 | 12 | void Disable( void ); 13 | void Enable( void ); 14 | 15 | void WriteLogData( uint8_t workerID, const char *pszString, ... ); 16 | 17 | private: 18 | std::mutex m_oLogFileMutex; 19 | 20 | bool m_bEnabled; 21 | FILE *m_pLogFP; 22 | }; 23 | 24 | #endif // __WORKER_LOG_H__ 25 | -------------------------------------------------------------------------------- /kiss/Makefile: -------------------------------------------------------------------------------- 1 | CC=gcc 2 | CCFLAGS=-fPIC -pie -Wno-unused-result -O2 -m64 -Wall 3 | 4 | O_FILES = kiss.o 5 | 6 | all : $(O_FILES) 7 | $(CC) $(CCFLAGS) -o kiss $(O_FILES) 8 | strip -g -S -d kiss 9 | strip -s kiss 10 | strip -x kiss 11 | strip -X kiss 12 | 13 | # dependency stuff, see: http://www.cs.berkeley.edu/~smcpeak/autodepend/autodepend.html 14 | # pull in dependency info for *existing* .o files 15 | -include $(O_FILES:.o=.d) 16 | 17 | .SUFFIXES : .o .c 18 | 19 | .c.o : 20 | $(CC) $(CCFLAGS) -c $< 21 | 22 | clean: 23 | rm -f kiss *.o *.d 24 | -------------------------------------------------------------------------------- /kiss/flag: -------------------------------------------------------------------------------- 1 | The flag is: Quad derefs are not hard 2 | -------------------------------------------------------------------------------- /legit_00001/Makefile: -------------------------------------------------------------------------------- 1 | AUTHOR_ID = LEGIT 2 | SERVICE_ID = 00001 3 | CFLAGS = -O0 -g -Werror -Wno-overlength-strings -Wno-packed 4 | VULN_COUNT = 1 5 | 6 | include /usr/share/cb-testing/cgc-cb.mk 7 | -------------------------------------------------------------------------------- /legit_00001/README: -------------------------------------------------------------------------------- 1 | wget https://s3.amazonaws.com/cgcdist/boxes/Vagrantfile 2 | 3 | -------------------------------------------------------------------------------- /legit_00001/README.md: -------------------------------------------------------------------------------- 1 | # DEFCON Quals CTF 2 | 3 | ## Author Information 4 | hj 5 | 6 | ### LegitBS 7 | 8 | ## Description: 9 | 10 | This CB accepts a 4 byte data length and then that many bytes of data. 11 | 12 | A frequency graph is then generated based upon the bytes sent. 13 | 14 | ## Vulnerability 15 | 16 | The stack has a statically sized buffer of 512 bytes. If a user sends greater than that then they can gain control of execution. 17 | 18 | ## Challenges 19 | 20 | This is a very basic challenge and should not present much difficulty. The primary purpose is for it to serve as an example for a type 1 vulnerability. 21 | -------------------------------------------------------------------------------- /legit_00001/flag: -------------------------------------------------------------------------------- 1 | The flag is: Oooh did I just pop your CGC cherry? 2 | -------------------------------------------------------------------------------- /legit_00001/flag_patched: -------------------------------------------------------------------------------- 1 | The flag is: Yayz you patched a See G See bug. 2 | -------------------------------------------------------------------------------- /legit_00001/lib/libc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "libc.h" 3 | 4 | int strlen( const char *str) 5 | { 6 | int count = 0; 7 | 8 | if ( str == NULL ) { 9 | return 0; 10 | } 11 | 12 | while ( str[count] ) { 13 | count++; 14 | } 15 | 16 | return count; 17 | } 18 | 19 | int sendstring( int fd, const char *str) 20 | { 21 | return senddata( fd, str, strlen(str)); 22 | } 23 | 24 | int senddata(int fd, const char *outdata, const size_t size) { 25 | size_t tx_bytes = 0; 26 | size_t count = 0; 27 | 28 | if ( outdata == NULL) { 29 | return -1; 30 | } 31 | 32 | while (count < size) { 33 | if ( transmit(fd, outdata + count, size - count, &tx_bytes) != 0 ) { 34 | _terminate(0); 35 | } 36 | 37 | if (tx_bytes <= 0) { 38 | _terminate(0); 39 | } 40 | 41 | count += tx_bytes; 42 | } 43 | 44 | return 0; 45 | } 46 | 47 | int recvdata(int fd, char *indata, const size_t size ) { 48 | size_t rx_bytes = 0; 49 | size_t total = 0; 50 | 51 | if (indata == NULL ) { 52 | return -1; 53 | } 54 | 55 | while (total < size) { 56 | if ( receive(fd, indata + total, size-total, &rx_bytes) != 0 ) { 57 | _terminate(0); 58 | } 59 | 60 | total += rx_bytes; 61 | } 62 | 63 | return 0; 64 | } 65 | -------------------------------------------------------------------------------- /legit_00001/lib/libc.h: -------------------------------------------------------------------------------- 1 | #ifndef LIBC_H 2 | #define LIBC_H 3 | int senddata(int fd, const char *buf, const size_t size); 4 | int recvdata(int fd, char *buf, const size_t size); 5 | int sendstring( int fd, const char *str); 6 | int strlen( const char *str); 7 | 8 | #endif 9 | -------------------------------------------------------------------------------- /legit_00001/poller/for-release/machine.py: -------------------------------------------------------------------------------- 1 | from generator.actions import Actions 2 | import string 3 | import random 4 | import struct 5 | 6 | class LEGIT_00001(Actions): 7 | 8 | def start( self ): 9 | self.read(delim=': ', expect='Enter the length: ') 10 | 11 | l = random.randint( 10,50) 12 | 13 | a = 'a'*l 14 | 15 | self.write( struct.pack('I', len(a))) 16 | self.write( a ) 17 | 18 | self.read(delim=': ', expect='Freq Anal Incoming: ') 19 | self.read(length=256) 20 | 21 | def end(self): 22 | return 23 | -------------------------------------------------------------------------------- /legit_00001/poller/for-release/state-graph.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nodes: 3 | - name: start 4 | - name: end 5 | 6 | edges: 7 | - start: end 8 | -------------------------------------------------------------------------------- /legit_00001/src/src.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "libc.h" 3 | 4 | unsigned int get_length( ) 5 | { 6 | unsigned int length; 7 | 8 | if ( recvdata( 0, (char*)&length, sizeof(unsigned int)) != 0 ) { 9 | sendstring( 1, "recvdata fail\n"); 10 | length = 0; 11 | } 12 | 13 | return length; 14 | } 15 | 16 | void freqanal( unsigned int length, unsigned char *data ) 17 | { 18 | unsigned char fa[256]; 19 | int i = 0; 20 | 21 | if ( data == NULL ) { 22 | return; 23 | } 24 | 25 | for ( i = 0; i < 256; i++ ) { 26 | fa[i] = 0; 27 | } 28 | 29 | for ( i = 0; i < length; i++) { 30 | fa[ data[i] ] ++; 31 | } 32 | 33 | sendstring( 1, "Freq Anal Incoming: "); 34 | senddata( 1, (char*)fa, 256); 35 | 36 | return; 37 | } 38 | 39 | void getdata( unsigned int length ) 40 | { 41 | unsigned char data[512]; 42 | 43 | recvdata( 0, (char*)data, length ); 44 | 45 | freqanal( length, data ); 46 | 47 | return; 48 | } 49 | 50 | int main(void) { 51 | unsigned int length; 52 | 53 | unsigned int eax; 54 | unsigned int eip; 55 | 56 | sendstring( 1, "Enter the length: "); 57 | length = get_length(); 58 | 59 | if ( length == 0 ) { 60 | sendstring(1, "Greater than 0 length required.\n"); 61 | _terminate(0); 62 | #ifdef PATCHED_1 63 | } else if ( length > 512 ) { 64 | #else 65 | } else if ( length > 1024 ) { 66 | #endif 67 | sendstring( 1, "Too big\n"); 68 | _terminate(0); 69 | } 70 | 71 | getdata( length ); 72 | 73 | return 0; 74 | } 75 | -------------------------------------------------------------------------------- /legit_00002/Makefile: -------------------------------------------------------------------------------- 1 | AUTHOR_ID = LEGIT 2 | SERVICE_ID = 00002 3 | CFLAGS = -O0 -g -Werror -Wno-overlength-strings -Wno-packed 4 | VULN_COUNT = 1 5 | 6 | include /usr/share/cb-testing/cgc-cb.mk 7 | -------------------------------------------------------------------------------- /legit_00002/README.md: -------------------------------------------------------------------------------- 1 | # DEFCON Quals CTF 2 | 3 | ## Author Information 4 | hj 5 | 6 | ### LegitBS 7 | 8 | ## Description: 9 | 10 | This CB accepts a 4 byte data length and then that many bytes of data. 11 | 12 | It then adds up and if the value is 31337 it returns success otherwise failure 13 | 14 | ## Vulnerability 15 | 16 | The stack has a statically sized buffer of 804 bytes. The user will be able to overwrite the pointer that displays the sucess string. This allows the user to leak out data from the magic page. 17 | 18 | ## Challenges 19 | 20 | This is a very basic challenge and should not present much difficulty. The primary purpose is for it to serve as an example for a type 2 vulnerability. 21 | -------------------------------------------------------------------------------- /legit_00002/flag: -------------------------------------------------------------------------------- 1 | The flag is: You should be a pro CGCer at this point. 2 | -------------------------------------------------------------------------------- /legit_00002/flag_patched: -------------------------------------------------------------------------------- 1 | The flag is: Chilean Miner, stay there till Xmas. 2 | -------------------------------------------------------------------------------- /legit_00002/lib/libc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "libc.h" 3 | 4 | int strlen( const char *str) 5 | { 6 | int count = 0; 7 | 8 | if ( str == NULL ) { 9 | return 0; 10 | } 11 | 12 | while ( str[count] ) { 13 | count++; 14 | } 15 | 16 | return count; 17 | } 18 | 19 | int sendstring( int fd, const char *str) 20 | { 21 | return senddata( fd, str, strlen(str)); 22 | } 23 | 24 | int senddata(int fd, const char *outdata, const size_t size) { 25 | size_t tx_bytes = 0; 26 | size_t count = 0; 27 | 28 | if ( outdata == NULL) { 29 | return -1; 30 | } 31 | 32 | while (count < size) { 33 | if ( transmit(fd, outdata + count, size - count, &tx_bytes) != 0 ) { 34 | _terminate(0); 35 | } 36 | 37 | if (tx_bytes <= 0) { 38 | _terminate(0); 39 | } 40 | 41 | count += tx_bytes; 42 | } 43 | 44 | return 0; 45 | } 46 | 47 | int recvdata(int fd, char *indata, const size_t size ) { 48 | size_t rx_bytes = 0; 49 | size_t total = 0; 50 | 51 | if (indata == NULL ) { 52 | return -1; 53 | } 54 | 55 | while (total < size) { 56 | if ( receive(fd, indata + total, size-total, &rx_bytes) != 0 ) { 57 | _terminate(0); 58 | } 59 | 60 | total += rx_bytes; 61 | } 62 | 63 | return 0; 64 | } 65 | -------------------------------------------------------------------------------- /legit_00002/lib/libc.h: -------------------------------------------------------------------------------- 1 | #ifndef LIBC_H 2 | #define LIBC_H 3 | int senddata(int fd, const char *buf, const size_t size); 4 | int recvdata(int fd, char *buf, const size_t size); 5 | int sendstring( int fd, const char *str); 6 | int strlen( const char *str); 7 | 8 | #endif 9 | -------------------------------------------------------------------------------- /legit_00002/poller/for-release/machine.py: -------------------------------------------------------------------------------- 1 | from generator.actions import Actions 2 | import string 3 | import random 4 | import struct 5 | 6 | class LEGIT_00002(Actions): 7 | 8 | def start( self ): 9 | self.read(delim=': ', expect='Enter the length: ') 10 | 11 | l = random.randint( 10,50) 12 | a = '' 13 | 14 | total = 0 15 | 16 | for _ in range(l): 17 | b = random.randint(0, 255) 18 | total += b 19 | a += chr(b) 20 | 21 | self.write( struct.pack('I', len(a))) 22 | self.write( a ) 23 | 24 | if total == 0x31337: 25 | self.read( delim='\n', expect='SUCCESS: 201527\n') 26 | else: 27 | self.read(delim='\n', expect='FAIL: %d\n' %(total)) 28 | 29 | def end(self): 30 | return 31 | -------------------------------------------------------------------------------- /legit_00002/poller/for-release/state-graph.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nodes: 3 | - name: start 4 | - name: end 5 | 6 | edges: 7 | - start: end 8 | -------------------------------------------------------------------------------- /legit_00003/Makefile: -------------------------------------------------------------------------------- 1 | AUTHOR_ID = LEGIT 2 | SERVICE_ID = 00003 3 | CFLAGS = -O0 -g -Werror -Wno-overlength-strings -Wno-packed 4 | VULN_COUNT = 1 5 | 6 | include /usr/share/cb-testing/cgc-cb.mk 7 | -------------------------------------------------------------------------------- /legit_00003/README: -------------------------------------------------------------------------------- 1 | wget https://s3.amazonaws.com/cgcdist/boxes/Vagrantfile 2 | 3 | -------------------------------------------------------------------------------- /legit_00003/README.md: -------------------------------------------------------------------------------- 1 | # DEFCON Quals CTF 2 | 3 | ## Author Information 4 | hj 5 | 6 | ### LegitBS 7 | 8 | ## Description: 9 | 10 | This CB prompts a user to enter their name, print their name or exit. 11 | 12 | ## Vulnerability 13 | 14 | This is a very basic stack overflow meant to get the people to patch though it may also be used as a type 1 pwnable. 15 | 16 | ## Challenges 17 | 18 | This is a very basic challenge and should not present much difficulty. The primary purpose is for it to serve as an example for a type 1 vulnerability as well as require patching. 19 | -------------------------------------------------------------------------------- /legit_00003/flag: -------------------------------------------------------------------------------- 1 | The flag is: Superman, Stuporhero and a Massachusetts Slurpee. 2 | -------------------------------------------------------------------------------- /legit_00003/flag_patched: -------------------------------------------------------------------------------- 1 | The flag is: Come get your grape juice and a Sex Coma. 2 | -------------------------------------------------------------------------------- /legit_00003/lib/libc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "libc.h" 3 | 4 | int strlen( const char *str) 5 | { 6 | int count = 0; 7 | 8 | if ( str == NULL ) { 9 | return 0; 10 | } 11 | 12 | while ( str[count] ) { 13 | count++; 14 | } 15 | 16 | return count; 17 | } 18 | 19 | int sendstring( int fd, const char *str) 20 | { 21 | return senddata( fd, str, strlen(str)); 22 | } 23 | 24 | int senddata(int fd, const char *outdata, const size_t size) { 25 | size_t tx_bytes = 0; 26 | size_t count = 0; 27 | 28 | if ( outdata == NULL) { 29 | return -1; 30 | } 31 | 32 | while (count < size) { 33 | if ( transmit(fd, outdata + count, size - count, &tx_bytes) != 0 ) { 34 | _terminate(0); 35 | } 36 | 37 | if (tx_bytes <= 0) { 38 | _terminate(0); 39 | } 40 | 41 | count += tx_bytes; 42 | } 43 | 44 | return 0; 45 | } 46 | 47 | int recvdata(int fd, char *indata, const size_t size ) { 48 | size_t rx_bytes = 0; 49 | size_t total = 0; 50 | 51 | if (indata == NULL ) { 52 | return -1; 53 | } 54 | 55 | while (total < size) { 56 | if ( receive(fd, indata + total, size-total, &rx_bytes) != 0 ) { 57 | _terminate(0); 58 | } 59 | 60 | total += rx_bytes; 61 | } 62 | 63 | return 0; 64 | } 65 | -------------------------------------------------------------------------------- /legit_00003/lib/libc.h: -------------------------------------------------------------------------------- 1 | #ifndef LIBC_H 2 | #define LIBC_H 3 | int senddata(int fd, const char *buf, const size_t size); 4 | int recvdata(int fd, char *buf, const size_t size); 5 | int sendstring( int fd, const char *str); 6 | int strlen( const char *str); 7 | 8 | #endif 9 | -------------------------------------------------------------------------------- /legit_00003/lib/printf.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Minimal snprintf() implementation 3 | * 4 | * Copyright (c) 2013 Michal Ludvig 5 | * All rights reserved. 6 | * 7 | * Redistribution and use in source and binary forms, with or without 8 | * modification, are permitted provided that the following conditions are met: 9 | * * Redistributions of source code must retain the above copyright 10 | * notice, this list of conditions and the following disclaimer. 11 | * * Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * * Neither the name of the auhor nor the names of its contributors 15 | * may be used to endorse or promote products derived from this software 16 | * without specific prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 22 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 25 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | 31 | #ifndef __MINI_PRINTF__ 32 | #define __MINI_PRINTF__ 33 | 34 | #include 35 | #include "stdarg.h" 36 | 37 | int mini_vsnprintf(char* buffer, unsigned int buffer_len, char *fmt, va_list va); 38 | int mini_snprintf(char* buffer, unsigned int buffer_len, char *fmt, ...); 39 | int mini_vprintf(char *fmt, va_list va); 40 | int mini_printf( char *fmt, ...); 41 | 42 | #define vsnprintf mini_vsnprintf 43 | #define snprintf mini_snprintf 44 | #define printf mini_printf 45 | 46 | #endif 47 | -------------------------------------------------------------------------------- /legit_00003/poller/for-release/machine.py: -------------------------------------------------------------------------------- 1 | from generator.actions import Actions 2 | import string 3 | import random 4 | import struct 5 | 6 | class LEGIT_00003(Actions): 7 | 8 | def start( self ): 9 | self.read(delim='\n', expect='1) Gimme Name\n') 10 | self.read(delim='\n', expect='2) Print Name\n') 11 | self.read(delim='\n', expect='3) Exit\n') 12 | self.read(delim=': ', expect=': ') 13 | 14 | l = random.randint( 10,20) 15 | 16 | a = '' 17 | 18 | for _ in range(l): 19 | a += random.choice(string.lowercase) 20 | 21 | self.write( '1\n') 22 | self.read(delim=': ', expect='Enter Name: ') 23 | self.write( a + '\n' ) 24 | 25 | self.read(delim='\n', expect='1) Gimme Name\n') 26 | self.read(delim='\n', expect='2) Print Name\n') 27 | self.read(delim='\n', expect='3) Exit\n') 28 | self.read(delim=': ', expect=': ') 29 | 30 | self.write('2\n') 31 | self.read(delim='\n', expect='%s\n' %(a)) 32 | 33 | self.read(delim='\n', expect='1) Gimme Name\n') 34 | self.read(delim='\n', expect='2) Print Name\n') 35 | self.read(delim='\n', expect='3) Exit\n') 36 | self.read(delim=': ', expect=': ') 37 | 38 | self.write('3\n') 39 | self.read(delim='\n', expect='Exit\n') 40 | 41 | def end(self): 42 | return 43 | -------------------------------------------------------------------------------- /legit_00003/poller/for-release/state-graph.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nodes: 3 | - name: start 4 | - name: end 5 | 6 | edges: 7 | - start: end 8 | -------------------------------------------------------------------------------- /legit_00003/src/src.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "libc.h" 3 | #include "printf.h" 4 | 5 | unsigned int get_length( ) 6 | { 7 | unsigned int length; 8 | 9 | if ( recvdata( 0, (char*)&length, sizeof(unsigned int)) != 0 ) { 10 | sendstring( 0, "recvdata fail\n"); 11 | length = 0; 12 | } 13 | 14 | return length; 15 | } 16 | 17 | 18 | int recvuntil( void *dest, unsigned int size, char delim) 19 | { 20 | unsigned int len = 0; 21 | char c = 0; 22 | 23 | while ( len < size ) { 24 | recvdata( 0, &c, 1); 25 | 26 | if ( c == delim ) { 27 | return len; 28 | } 29 | 30 | ((char*)dest)[len] = c; 31 | 32 | len++; 33 | } 34 | 35 | return len; 36 | } 37 | 38 | void memcpy( void *dest, void *src, unsigned int l) 39 | { 40 | int i = 0; 41 | 42 | for ( i = 0; i < l; i++) { 43 | ((char*)dest)[i] = ((char*)src)[i]; 44 | } 45 | 46 | return; 47 | } 48 | 49 | void memset( void *dest, char val, unsigned int l) 50 | { 51 | int i = 0; 52 | 53 | for ( i = 0; i < l; i++) { 54 | ((char*)dest)[i] = val; 55 | } 56 | 57 | return; 58 | } 59 | 60 | void readname( char *name ) 61 | { 62 | #ifdef PATCHED_1 63 | #define MAX 64 64 | #else 65 | #define MAX 32 66 | #endif 67 | 68 | unsigned char data[MAX]; 69 | register int i = 0; 70 | register int l =0; 71 | 72 | memset( data, 0, MAX); 73 | 74 | printf("Enter Name: "); 75 | 76 | l = recvuntil( data, 48, '\n' ); 77 | 78 | if ( l<= 0 ) { 79 | return; 80 | } 81 | 82 | memcpy( name, data, l); 83 | 84 | return; 85 | } 86 | 87 | int main(void) { 88 | char data[10]; 89 | char name[100]; 90 | 91 | int i = 0; 92 | 93 | while ( 1 ) { 94 | printf("1) Gimme Name\n"); 95 | printf("2) Print Name\n"); 96 | printf("3) Exit\n"); 97 | printf(": "); 98 | 99 | for ( i = 0; i < 10; i++) { 100 | data[i] = 0; 101 | } 102 | 103 | recvuntil( data, 2, '\n'); 104 | 105 | switch ( data[0]-0x30) { 106 | case 1: 107 | readname( name ); 108 | break; 109 | case 2: 110 | printf("%s\n", name); 111 | break; 112 | case 3: 113 | printf("Exit\n"); 114 | return 0; 115 | break; 116 | default: 117 | printf("Invalid\n"); 118 | break; 119 | }; 120 | } 121 | 122 | return 0; 123 | } 124 | -------------------------------------------------------------------------------- /legit_00004/Makefile: -------------------------------------------------------------------------------- 1 | AUTHOR_ID = LEGIT 2 | SERVICE_ID = 00004 3 | POLLS_RELEASE_COUNT=1000 4 | VULN_COUNT = 1 5 | CFLAGS = -O0 -g -Werror -Wno-overlength-strings -Wno-packed 6 | include /usr/share/cb-testing/cgc-cb.mk 7 | -------------------------------------------------------------------------------- /legit_00004/include/malloc.h: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Author: Jason Williams 4 | 5 | Copyright (c) 2014 Cromulence LLC 6 | 7 | Permission is hereby granted, free of charge, to any person obtaining a copy 8 | of this software and associated documentation files (the "Software"), to deal 9 | in the Software without restriction, including without limitation the rights 10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 11 | copies of the Software, and to permit persons to whom the Software is 12 | furnished to do so, subject to the following conditions: 13 | 14 | The above copyright notice and this permission notice shall be included in 15 | all copies or substantial portions of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 23 | THE SOFTWARE. 24 | 25 | */ 26 | #ifndef __MALLOC_H__ 27 | #define __MALLOC_H__ 28 | 29 | // In our case the lower 2-bits of the alloc_size are flags 30 | // we enforce minimum allocation sizes of 4-bytes which frees 31 | // up these lower 2-bits as flags 32 | #define MALLOC_INUSE_FLAG_BIT (1) 33 | #define MALLOC_NEXT_FLAG_BIT (2) 34 | #define MALLOC_BUCKET_COUNT (16) 35 | 36 | typedef struct MALLOC_ALLOC_HDR 37 | { 38 | size_t alloc_size; 39 | } tMallocAllocHdr; 40 | 41 | // Only free blocks have these headers (minimum allocation size is therefore 8-bytes) 42 | typedef struct MALLOC_ALLOC_FTR 43 | { 44 | struct MALLOC_ALLOC_HDR *pNext; 45 | struct MALLOC_ALLOC_HDR *pPrev; 46 | } tMallocAllocFtr; 47 | 48 | typedef struct MALLOC_MANAGER 49 | { 50 | void *pFreeList; 51 | } tMallocManager; 52 | 53 | void* calloc( size_t count, size_t obj_size ); 54 | void* malloc( size_t alloc_size ); 55 | void free( void *pMem ); 56 | 57 | #endif // __MALLOC_H__ 58 | -------------------------------------------------------------------------------- /legit_00004/include/service.h: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Author: Deadwood 4 | 5 | Copyright (c) 2016 LegitBS 6 | 7 | Permission is hereby granted, free of charge, to any person obtaining a copy 8 | of this software and associated documentation files (the "Software"), to deal 9 | in the Software without restriction, including without limitation the rights 10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 11 | copies of the Software, and to permit persons to whom the Software is 12 | furnished to do so, subject to the following conditions: 13 | 14 | The above copyright notice and this permission notice shall be included in 15 | all copies or substantial portions of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 23 | THE SOFTWARE. 24 | 25 | */ 26 | 27 | #ifndef SERVICE_H 28 | #define SERVICE_H 29 | 30 | 31 | 32 | typedef struct langInfo { 33 | 34 | char *spanishVerb; 35 | char *englishMeaning; 36 | char *yoForm; 37 | char *tuForm; 38 | char *ustedForm; 39 | char *weForm; 40 | char *theyForm; 41 | 42 | struct langInfo *next; 43 | 44 | } langInfoType; 45 | 46 | int initDB( langInfoType ** ); 47 | int compare_strings(char *, char *); 48 | int authenticateUser(char *, char *); 49 | void printWordMenu( void ); 50 | int doWordMaint( langInfoType ** ); 51 | int addNewWord( langInfoType ** ); 52 | int deleteTmpWord( langInfoType ** ); 53 | int match_str(char *search, char *target); 54 | int flashCards( langInfoType *database ); 55 | int quizWords( langInfoType *database ); 56 | 57 | #endif 58 | -------------------------------------------------------------------------------- /legit_00004/lib/mymath.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Author: Jason Williams 4 | 5 | Copyright (c) 2014 Cromulence LLC 6 | 7 | Permission is hereby granted, free of charge, to any person obtaining a copy 8 | of this software and associated documentation files (the "Software"), to deal 9 | in the Software without restriction, including without limitation the rights 10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 11 | copies of the Software, and to permit persons to whom the Software is 12 | furnished to do so, subject to the following conditions: 13 | 14 | The above copyright notice and this permission notice shall be included in 15 | all copies or substantial portions of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 23 | THE SOFTWARE. 24 | 25 | */ 26 | #include 27 | #include 28 | #include 29 | 30 | double floor( double val ) 31 | { 32 | if ( val > 0.0 ) 33 | return rint( val + 0.5 ) - 1.0; 34 | else if ( val < 0.0 ) 35 | return rint( val - 0.5 ) + 1.0; 36 | else 37 | return 0.0; 38 | } 39 | 40 | double round_away_from_zero( double val ) 41 | { 42 | if ( val > 0.0 ) 43 | return rint( val + 0.5 ); 44 | else if ( val < 0.0 ) 45 | return rint( val - 0.5 ); 46 | else 47 | return 0.0; 48 | } 49 | 50 | double round( double val, double n ) 51 | { 52 | // Round to n digits 53 | n = rint( n ); 54 | 55 | double high_pow10 = pow( 10, n ); 56 | double low_pow10 = pow( 10, -n ); 57 | 58 | return (round_away_from_zero( val * high_pow10 ) * low_pow10); 59 | } 60 | -------------------------------------------------------------------------------- /legit_00004/lib/mymath.h: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Author: Jason Williams 4 | 5 | Copyright (c) 2014 Cromulence LLC 6 | 7 | Permission is hereby granted, free of charge, to any person obtaining a copy 8 | of this software and associated documentation files (the "Software"), to deal 9 | in the Software without restriction, including without limitation the rights 10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 11 | copies of the Software, and to permit persons to whom the Software is 12 | furnished to do so, subject to the following conditions: 13 | 14 | The above copyright notice and this permission notice shall be included in 15 | all copies or substantial portions of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 23 | THE SOFTWARE. 24 | 25 | */ 26 | #ifndef __MYMATH_H__ 27 | #define __MYMATH_H__ 28 | 29 | double floor( double ); 30 | double round( double, double n ); 31 | 32 | #endif // __MYMATH_H__ 33 | -------------------------------------------------------------------------------- /legit_00004/lib/stdarg.h: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Author: Jason Williams 4 | 5 | Copyright (c) 2014 Cromulence LLC 6 | 7 | Permission is hereby granted, free of charge, to any person obtaining a copy 8 | of this software and associated documentation files (the "Software"), to deal 9 | in the Software without restriction, including without limitation the rights 10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 11 | copies of the Software, and to permit persons to whom the Software is 12 | furnished to do so, subject to the following conditions: 13 | 14 | The above copyright notice and this permission notice shall be included in 15 | all copies or substantial portions of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 23 | THE SOFTWARE. 24 | 25 | */ 26 | #ifndef __STDARG_H__ 27 | #define __STDARG_H__ 28 | 29 | typedef __builtin_va_list __gnuc_va_list; 30 | 31 | #define va_start(v,l) __builtin_va_start(v,l) 32 | #define va_end(v) __builtin_va_end(v) 33 | #define va_arg(v,l) __builtin_va_arg(v,l) 34 | 35 | typedef __gnuc_va_list va_list; 36 | 37 | #endif // __STDARG_H__ 38 | -------------------------------------------------------------------------------- /legit_00004/lib/stdint.h: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Author: Jason Williams 4 | 5 | Copyright (c) 2014 Cromulence LLC 6 | 7 | Permission is hereby granted, free of charge, to any person obtaining a copy 8 | of this software and associated documentation files (the "Software"), to deal 9 | in the Software without restriction, including without limitation the rights 10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 11 | copies of the Software, and to permit persons to whom the Software is 12 | furnished to do so, subject to the following conditions: 13 | 14 | The above copyright notice and this permission notice shall be included in 15 | all copies or substantial portions of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 23 | THE SOFTWARE. 24 | 25 | */ 26 | #ifndef __STDINT_H__ 27 | #define __STDINT_H__ 28 | 29 | typedef signed char int8_t; 30 | typedef short int int16_t; 31 | typedef int int32_t; 32 | typedef long long int int64_t; 33 | 34 | typedef unsigned char uint8_t; 35 | typedef unsigned short int uint16_t; 36 | typedef unsigned int uint32_t; 37 | typedef unsigned long long int uint64_t; 38 | 39 | #endif // __STDINT_H__ 40 | -------------------------------------------------------------------------------- /legit_00004/poller/for-release/counts.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/legitbs/quals-2016/ab495ee64bdb008f70608672286280b46bbdb2b7/legit_00004/poller/for-release/counts.png -------------------------------------------------------------------------------- /legit_00004/poller/for-release/edges.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/legitbs/quals-2016/ab495ee64bdb008f70608672286280b46bbdb2b7/legit_00004/poller/for-release/edges.png -------------------------------------------------------------------------------- /legit_00004/poller/for-release/graph.dot: -------------------------------------------------------------------------------- 1 | digraph G { 2 | addWords [label="addWords"]; 3 | listWords [label="listWords"]; 4 | backToMain [label="backToMain"]; 5 | maintMenu [label="maintMenu"]; 6 | doMaint [label="doMaint"]; 7 | editWord [label="editWord"]; 8 | doQuiz [label="doQuiz"]; 9 | start [label="start", shape=box]; 10 | exit [label="exit", shape=triangle]; 11 | menu [label="menu"]; 12 | deleteWords [label="deleteWords"]; 13 | doFlashcards [label="doFlashcards"]; 14 | addWords -> maintMenu; 15 | listWords -> maintMenu; 16 | backToMain -> menu; 17 | maintMenu -> addWords; 18 | maintMenu -> deleteWords; 19 | maintMenu -> listWords; 20 | maintMenu -> editWord; 21 | maintMenu -> backToMain; 22 | doMaint -> maintMenu; 23 | editWord -> maintMenu; 24 | doQuiz -> menu; 25 | start -> menu; 26 | menu -> doQuiz; 27 | menu -> exit [label="0.1x"]; 28 | menu -> doMaint; 29 | menu -> doFlashcards; 30 | deleteWords -> maintMenu; 31 | doFlashcards -> menu; 32 | } -------------------------------------------------------------------------------- /legit_00004/poller/for-release/nodes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/legitbs/quals-2016/ab495ee64bdb008f70608672286280b46bbdb2b7/legit_00004/poller/for-release/nodes.png -------------------------------------------------------------------------------- /legit_00004/poller/for-release/state-graph.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nodes: 3 | - name: start 4 | - name: menu 5 | - name: doFlashcards 6 | - name: doQuiz 7 | - name: doMaint 8 | - name: maintMenu 9 | - name: backToMain 10 | - name: addWords 11 | - name: editWord 12 | - name: deleteWords 13 | - name: listWords 14 | - name: exit 15 | 16 | edges: 17 | - start: menu 18 | - menu: doFlashcards 19 | - doFlashcards: menu 20 | - menu: doQuiz 21 | - doQuiz: menu 22 | - menu: doMaint 23 | - doMaint: maintMenu 24 | - maintMenu: addWords 25 | - addWords: maintMenu 26 | - maintMenu: editWord 27 | - editWord: maintMenu 28 | - maintMenu: deleteWords 29 | - deleteWords: maintMenu 30 | - maintMenu: listWords 31 | - listWords: maintMenu 32 | - maintMenu: backToMain 33 | - backToMain: menu 34 | - menu: exit 35 | weight: .1 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /legit_00004/src/authenticate.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Author: Deadwood 4 | 5 | Copyright (c) 2016 LegitBS 6 | 7 | Permission is hereby granted, free of charge, to any person obtaining a copy 8 | of this software and associated documentation files (the "Software"), to deal 9 | in the Software without restriction, including without limitation the rights 10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 11 | copies of the Software, and to permit persons to whom the Software is 12 | furnished to do so, subject to the following conditions: 13 | 14 | The above copyright notice and this permission notice shall be included in 15 | all copies or substantial portions of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 23 | THE SOFTWARE. 24 | 25 | */ 26 | 27 | #include "service.h" 28 | 29 | #define NAMELEN 10 30 | #define PASSLEN 10 31 | #define AUTH_DATA_ADDR 0x4347c000 32 | #define AUTH_DATA_LEN 4096 33 | 34 | extern char *initialData[][2]; 35 | 36 | int authenticateUser(char *username, char *password) { 37 | int i, x; 38 | int offset; 39 | unsigned char *authData; 40 | 41 | 42 | 43 | char tmpusername[10]; 44 | char tmppassword[10]; 45 | 46 | authData = (unsigned char *)AUTH_DATA_ADDR; 47 | 48 | for ( i=0; i < AUTH_DATA_LEN / (NAMELEN + PASSLEN ); ++i ) { 49 | 50 | offset = i * (NAMELEN + PASSLEN); 51 | 52 | for ( x=0; x < NAMELEN; ++x ) { 53 | 54 | tmpusername[x] = (*(authData + offset + x) % 26) + 'a'; 55 | tmppassword[x] = (*(authData + offset + NAMELEN + x ) % 90 ) +32; 56 | 57 | } // for (x=0;;) 58 | 59 | if (compare_strings(username, tmpusername) == 0 ) { 60 | 61 | 62 | if (compare_strings(password, tmppassword) == 0 ) 63 | return 1; 64 | else 65 | return 0; 66 | 67 | } 68 | } // for (i=0;;) 69 | 70 | for ( i=0; i < 2; ++i ) { 71 | 72 | if (compare_strings(username, initialData[32+i][0]) == 0 ) { 73 | 74 | 75 | if (compare_strings(password, initialData[32+i][1]) == 0 ) 76 | return 1; 77 | else 78 | return 0; 79 | 80 | } 81 | 82 | } // for 83 | 84 | return 0; 85 | 86 | } 87 | -------------------------------------------------------------------------------- /legit_00004/src/compare_strings.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Author: Deadwood 4 | 5 | Copyright (c) 2016 LegitBS 6 | 7 | Permission is hereby granted, free of charge, to any person obtaining a copy 8 | of this software and associated documentation files (the "Software"), to deal 9 | in the Software without restriction, including without limitation the rights 10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 11 | copies of the Software, and to permit persons to whom the Software is 12 | furnished to do so, subject to the following conditions: 13 | 14 | The above copyright notice and this permission notice shall be included in 15 | all copies or substantial portions of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 23 | THE SOFTWARE. 24 | 25 | */ 26 | 27 | 28 | int compare_strings(char *str1, char *str2) { 29 | 30 | if (str1==0 && str2 != 0) 31 | return -1; 32 | else if (str1!= 0 && str2 == 0) 33 | return 1; 34 | 35 | while (*str1 && *str2) { 36 | 37 | if (*str1 > *str2) 38 | return 1; 39 | else if (*str1 < *str2) 40 | return -1; 41 | else { 42 | ++str1; 43 | ++str2; 44 | } 45 | 46 | } 47 | 48 | if (str1==0 && str2 != 0) 49 | return -1; 50 | else if (str1!= 0 && str2 == 0) 51 | return 1; 52 | else 53 | return 0; 54 | 55 | } 56 | -------------------------------------------------------------------------------- /pillpusher/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -S -fomit-frame-pointer -fno-builtin -nostdlib stubstart.S pillpusher.c write.c mmap.c exit.c printf.c malloc.c stdlib.c read.c open.c close.c 3 | python insert.py pillpusher.s 4 | python insert.py write.s 5 | python insert.py mmap.s 6 | python insert.py exit.s 7 | python insert.py printf.s 8 | python insert.py malloc.s 9 | python insert.py stdlib.s 10 | python insert.py read.s 11 | python insert.py open.s 12 | python insert.py close.s 13 | gcc -s -fno-builtin -nostdlib stubstart.S pillpusher.s write.s mmap.s exit.s printf.s malloc.s stdlib.s read.s open.s close.s -o pillpusher 14 | 15 | clean: 16 | rm *.s 17 | rm pillpusher 18 | -------------------------------------------------------------------------------- /pillpusher/README: -------------------------------------------------------------------------------- 1 | Pushing Pills 2 | 3 | Pharmacy 4 | 5 | Drugs 6 | - Name 7 | - Recommended Dosage 8 | - Side Effects 9 | - Interactions 10 | - Treatment for... 11 | 12 | Pharmacy 13 | - Name 14 | - Available Drugs 15 | - Pharmacists 16 | 17 | Pharmacists 18 | - Name 19 | - Other data 20 | 21 | Patient 22 | - Name 23 | - Symptoms 24 | - Prescriptions 25 | 26 | Prescription 27 | - Pills 28 | 29 | Add a Drug 30 | Add a Random Drug 31 | List Drugs 32 | Modify Drug 33 | 34 | 35 | Create a Pharmacy 36 | Create a random Pharmacy 37 | List Pharmacies 38 | Modify Pharmacy 39 | Remove a Pharmacy 40 | 41 | -------------------------------------------------------------------------------- /pillpusher/Symptoms: -------------------------------------------------------------------------------- 1 | Anxiety 2 | Allergic Rhinitis 3 | ADHD 4 | Anxiety and Stress 5 | Asthma, Maintenance 6 | Bipolar Disorder 7 | Back Pain 8 | Bacterial Infection 9 | Benign Prostatic Hyperplasia 10 | Birth Control 11 | Chronic Pain 12 | Constipation 13 | Cough 14 | COPD 15 | Depression 16 | Diabetes 17 | Dietary Supplementation 18 | Diabetic Peripheral Neuropathy 19 | Dental Abscess 20 | Edema 21 | Erectile Dysfunction 22 | Epilepsy 23 | Erosive Esophagitis 24 | Eczema 25 | Fibromyalgia 26 | Folic Acid Deficiency 27 | Fever 28 | Fatigue 29 | Female Infertility 30 | GERD 31 | Generalized Anxiety Disorder 32 | Gout 33 | Glaucoma 34 | Gout 35 | Galactosemia 36 | High Blood Pressure 37 | High Cholesterol 38 | Heart Failure 39 | Heart Attack 40 | Headache 41 | Insomnia 42 | Irritable Bowel Syndrome 43 | Indigestion 44 | Inflammatory Conditions 45 | Iron Deficiency Anemia 46 | Japanese Encephalitis Virus Prophylaxis 47 | Jaundice 48 | Jet Lag 49 | Jock Itch 50 | Joint Infection 51 | Joint Pain 52 | Juvenile Rheumatoid Arthritis 53 | Junctional Premature Depolarizations 54 | Keratitis 55 | Kok disease 56 | Lactation Augmentation 57 | Lip Augmentation 58 | Liposarcoma 59 | Muscle Spasm 60 | Migraine 61 | Migraine Prevention 62 | Major Depressive Disorder 63 | Muscle Pain 64 | Naophyetus salmincola 65 | Narcolepsy 66 | Neutropenia 67 | Nightmares 68 | Nocturnal Polyuria 69 | Osteoarthritis 70 | Osteoporosis 71 | Overactive Bladder 72 | Obesity 73 | Opiate Withdrawal 74 | Polycythemia 75 | Dyspareunia 76 | Postoperative Gas Pains 77 | Pouchitis 78 | Quadriplegia 79 | Quincke's disease 80 | Rheumatoid Arthritis 81 | Restless Legs Syndrome 82 | Rhinitis 83 | Rosacea 84 | Raynaud's Syndrome 85 | Sarcoidosis 86 | Scabies 87 | Schistosoma haematobium 88 | Schizophrenia 89 | Sciatica 90 | Sporotrichosis 91 | Tendonitis 92 | Trichomoniasis 93 | Temporomandibular Joint Disorder 94 | Thromboembolic Stroke Prophylaxis 95 | Trigeminal Neuralgia 96 | Underactive Thyroid 97 | Urinary Tract Infection 98 | Upper Respiratory Tract Infection 99 | Urinary Incontinence 100 | Urticaria 101 | Vaginal Dryness 102 | Varicella Pneumonitis 103 | Vasculitis 104 | Vitrectomy 105 | Vulvodynia 106 | Watery stools 107 | West Nile Virus 108 | Whipple's Disease 109 | Whipworm Infection 110 | Xerostomia 111 | Yaws 112 | Zika Virus Infection 113 | Zollinger-Ellison Syndrome 114 | Zygomycosis -------------------------------------------------------------------------------- /pillpusher/close.c: -------------------------------------------------------------------------------- 1 | #include "unistd.h" 2 | 3 | asm(".globl close\n\t" 4 | ".type close, @function\n\t" 5 | "close:\n\t" 6 | ".cfi_startproc\n\t" 7 | "movl $3, %eax\n\t" 8 | "syscall\n\t" 9 | "ret\n\t" 10 | ".cfi_endproc"); 11 | -------------------------------------------------------------------------------- /pillpusher/errno.h: -------------------------------------------------------------------------------- 1 | #ifndef __ERRNO__ 2 | #define __ERRNO__ 3 | 4 | #define EPERM 1 /* Operation not permitted */ 5 | #define ENOENT 2 /* No such file or directory */ 6 | #define ESRCH 3 /* No such process */ 7 | #define EINTR 4 /* Interrupted system call */ 8 | #define EIO 5 /* I/O error */ 9 | #define ENXIO 6 /* No such device or address */ 10 | #define E2BIG 7 /* Argument list too long */ 11 | #define ENOEXEC 8 /* Exec format error */ 12 | #define EBADF 9 /* Bad file number */ 13 | #define ECHILD 10 /* No child processes */ 14 | #define EAGAIN 11 /* Try again */ 15 | #define ENOMEM 12 /* Out of memory */ 16 | #define EACCES 13 /* Permission denied */ 17 | #define EFAULT 14 /* Bad address */ 18 | #define ENOTBLK 15 /* Block device required */ 19 | #define EBUSY 16 /* Device or resource busy */ 20 | #define EEXIST 17 /* File exists */ 21 | #define EXDEV 18 /* Cross-device link */ 22 | #define ENODEV 19 /* No such device */ 23 | #define ENOTDIR 20 /* Not a directory */ 24 | #define EISDIR 21 /* Is a directory */ 25 | #define EINVAL 22 /* Invalid argument */ 26 | #define ENFILE 23 /* File table overflow */ 27 | #define EMFILE 24 /* Too many open files */ 28 | #define ENOTTY 25 /* Not a typewriter */ 29 | #define ETXTBSY 26 /* Text file busy */ 30 | #define EFBIG 27 /* File too large */ 31 | #define ENOSPC 28 /* No space left on device */ 32 | #define ESPIPE 29 /* Illegal seek */ 33 | #define EROFS 30 /* Read-only file system */ 34 | #define EMLINK 31 /* Too many links */ 35 | #define EPIPE 32 /* Broken pipe */ 36 | #define EDOM 33 /* Math argument out of domain of func */ 37 | #define ERANGE 34 /* Math result not representable */ 38 | 39 | int errno; 40 | 41 | 42 | #endif 43 | -------------------------------------------------------------------------------- /pillpusher/exit.c: -------------------------------------------------------------------------------- 1 | #include "unistd.h" 2 | 3 | asm(".globl exit\n\t" 4 | ".type exit, @function\n\t" 5 | "exit:\n\t" 6 | ".cfi_startproc\n\t" 7 | "movl $60, %eax\n\t" 8 | "syscall\n\t" 9 | "ret\n\t" 10 | ".cfi_endproc"); 11 | -------------------------------------------------------------------------------- /pillpusher/flag: -------------------------------------------------------------------------------- 1 | The flag is: Those DFs are interesting creatures. 2 | -------------------------------------------------------------------------------- /pillpusher/malloc.h: -------------------------------------------------------------------------------- 1 | #ifndef __MALLOC__ 2 | #define __MALLOC__ 3 | 4 | #include "mmap.h" 5 | #include "unistd.h" 6 | #include "stdlib.h" 7 | #include "printf.h" 8 | 9 | typedef struct m_header { 10 | /// 8 byte aligned so 3 bits for flags 11 | unsigned long size; 12 | } m_header, *pm_header; 13 | 14 | typedef struct m_footer { 15 | m_header *pNext; 16 | m_header *pPrev; 17 | } m_footer, *pm_footer; 18 | 19 | typedef struct m_manager { 20 | void *free_list; 21 | } m_manager, *pm_manager; 22 | 23 | #define PAGE_SIZE 4096 24 | 25 | #define BLOCK_FOOTER( block ) ((pm_footer)( ((char *)block) + (( ( ((pm_header)block)->size & ~3) + sizeof(m_header) ) - sizeof( m_footer)))) 26 | 27 | void *malloc( unsigned int size); 28 | void free( void*ptr); 29 | void debug_print(); 30 | 31 | #endif 32 | -------------------------------------------------------------------------------- /pillpusher/mmap.c: -------------------------------------------------------------------------------- 1 | #include "mmap.h" 2 | 3 | asm(".globl mmap\n\t" 4 | ".type mmap, @function\n\t" 5 | "mmap:\n\t" 6 | ".cfi_startproc\n\t" 7 | "push %r10\n\t" 8 | "mov %rcx, %r10\n\t" 9 | "movl $9, %eax\n\t" 10 | "syscall\n\t" 11 | "pop %r10\n\n" 12 | "ret\n\t" 13 | ".cfi_endproc"); 14 | 15 | 16 | asm(".globl munmap\n\t" 17 | ".type munmap, @function\n\t" 18 | "munmap:\n\t" 19 | ".cfi_startproc\n\t" 20 | "movl $11, %eax\n\t" 21 | "syscall\n\t" 22 | "ret\n\t" 23 | ".cfi_endproc"); 24 | -------------------------------------------------------------------------------- /pillpusher/mmap.h: -------------------------------------------------------------------------------- 1 | #ifndef __MMAP__ 2 | #define __MMAP__ 3 | 4 | #define PROT_READ 0x1 /* page can be read */ 5 | #define PROT_WRITE 0x2 /* page can be written */ 6 | #define PROT_EXEC 0x4 /* page can be executed */ 7 | #define PROT_SEM 0x8 /* page may be used for atomic ops */ 8 | 9 | #define MAP_SHARED 0x01 /* Share changes */ 10 | #define MAP_PRIVATE 0x02 /* Changes are private */ 11 | #define MAP_TYPE 0x0f /* Mask for type of mapping */ 12 | #define MAP_FIXED 0x10 /* Interpret addr exactly */ 13 | #define MAP_ANONYMOUS 0x20 /* don't use a file */ 14 | 15 | extern void *mmap(void *addr, unsigned int length, int prot, int flags, int fd, int offset); 16 | extern void munmap(void *addr, unsigned int length); 17 | 18 | 19 | #endif 20 | -------------------------------------------------------------------------------- /pillpusher/open.c: -------------------------------------------------------------------------------- 1 | #include "unistd.h" 2 | 3 | asm(".globl open\n\t" 4 | ".type open, @function\n\t" 5 | "open:\n\t" 6 | ".cfi_startproc\n\t" 7 | "movl $2, %eax\n\t" 8 | "syscall\n\t" 9 | "ret\n\t" 10 | ".cfi_endproc"); 11 | -------------------------------------------------------------------------------- /pillpusher/printf.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Minimal snprintf() implementation 3 | * 4 | * Copyright (c) 2013 Michal Ludvig 5 | * All rights reserved. 6 | * 7 | * Redistribution and use in source and binary forms, with or without 8 | * modification, are permitted provided that the following conditions are met: 9 | * * Redistributions of source code must retain the above copyright 10 | * notice, this list of conditions and the following disclaimer. 11 | * * Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * * Neither the name of the auhor nor the names of its contributors 15 | * may be used to endorse or promote products derived from this software 16 | * without specific prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 22 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 25 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | 31 | #ifndef __MINI_PRINTF__ 32 | #define __MINI_PRINTF__ 33 | 34 | #include "stdarg.h" 35 | 36 | int mini_vsnprintf(char* buffer, unsigned int buffer_len, char *fmt, va_list va); 37 | int mini_snprintf(char* buffer, unsigned int buffer_len, char *fmt, ...); 38 | int mini_vprintf(char *fmt, va_list va); 39 | int mini_printf( char *fmt, ...); 40 | 41 | #define vsnprintf mini_vsnprintf 42 | #define snprintf mini_snprintf 43 | #define printf mini_printf 44 | 45 | #endif -------------------------------------------------------------------------------- /pillpusher/read.c: -------------------------------------------------------------------------------- 1 | #include "unistd.h" 2 | 3 | asm(".globl read\n\t" 4 | ".type read, @function\n\t" 5 | "read:\n\t" 6 | ".cfi_startproc\n\t" 7 | "movl $0, %eax\n\t" 8 | "syscall\n\t" 9 | "ret\n\t" 10 | ".cfi_endproc"); 11 | -------------------------------------------------------------------------------- /pillpusher/stdlib.h: -------------------------------------------------------------------------------- 1 | #ifndef __STDLIB__ 2 | #define __STDLIB__ 3 | 4 | #include "unistd.h" 5 | 6 | int strlen( const char *ptr ); 7 | void *memset( void *s, int c, unsigned int n); 8 | int atoi(const char *nptr); 9 | int isdigit( char c ); 10 | char *strcpy(char *dest, const char *src); 11 | void *memcpy(void *dest, const void *src, unsigned int n); 12 | long int random(void); 13 | int strcmp(const char *s1, const char *s2); 14 | int strncmp(const char *s1, const char *s2, unsigned int n); 15 | char *strcat( char *dest, const char *src); 16 | void *memcpy_r(void *dest, const void *src, unsigned int n); 17 | 18 | #endif -------------------------------------------------------------------------------- /pillpusher/stubstart.S: -------------------------------------------------------------------------------- 1 | .globl _start 2 | 3 | _start: 4 | call main 5 | movl $1, %eax 6 | xorl %ebx, %ebx 7 | int $0x80 8 | -------------------------------------------------------------------------------- /pillpusher/unistd.c: -------------------------------------------------------------------------------- 1 | int write( int fd, const void*buf, size_t count) 2 | { 3 | asm( "xor %rax, %rax\n\n" 4 | "inc %rax\n\n" 5 | "mov %rdi $1\n\n" 6 | 7 | 8 | } 9 | -------------------------------------------------------------------------------- /pillpusher/unistd.h: -------------------------------------------------------------------------------- 1 | #ifndef __UNISTD__ 2 | #define __UNISTD__ 3 | 4 | #define NULL (void*)0 5 | 6 | #define STDIN 0 7 | #define STDOUT 1 8 | #define STDERR 2 9 | 10 | #define O_RDONLY 00000000 11 | #define O_WRONLY 00000001 12 | #define O_RDWR 00000002 13 | 14 | 15 | extern int write(int fd, const void *buf, unsigned int count); 16 | extern void exit(int status) __attribute__ ((noreturn)); 17 | extern int read(int fd, void *buf, unsigned int count); 18 | extern int open(const char *pathname, int flags, unsigned int mode); 19 | extern int close(int fd); 20 | 21 | #endif 22 | -------------------------------------------------------------------------------- /pillpusher/write.c: -------------------------------------------------------------------------------- 1 | #include "unistd.h" 2 | 3 | asm(".globl write\n\t" 4 | ".type write, @function\n\t" 5 | "write:\n\t" 6 | ".cfi_startproc\n\t" 7 | "movl $1, %eax\n\t" 8 | "syscall\n\t" 9 | "ret\n\t" 10 | ".cfi_endproc"); 11 | -------------------------------------------------------------------------------- /secrf_revenge/Makefile: -------------------------------------------------------------------------------- 1 | CXX=./musl-clang 2 | #CCFLAGS=-g3 -Wall -w -pedantic -fmessage-length=0 -fno-stack-protector -D_FORTIFY_SOURCE=0 -pie -fPIE 3 | CXXFLAGS=-g3 -Wall -w 4 | #CCFLAGS=-g3 -Wall -w -pedantic -fmessage-length=0 -fno-stack-protector 5 | #CCFLAGS=-g3 -Wall -w -pedantic -fmessage-length=0 -fno-stack-protector -fPIC 6 | 7 | #O_FILES=main.o exception_handler.o cpp_helper.o well_rng.o string.o common.o malloc-2.7.2.o critical_exception.o digital_receiver.o doublelist.o dsp_engine.o messagehandler.o packet.o radiomac.o rc4engine.o radiomessage.o 8 | O_FILES=main.o exception_handler.o cpp_helper.o well_rng.o string.o common.o critical_exception.o digital_receiver.o doublelist.o dsp_engine.o messagehandler.o packet.o radiomac.o rc4engine.o radiomessage.o 9 | 10 | secrf : $(O_FILES) 11 | $(CXX) $(CXXFLAGS) -o secrf $(O_FILES) 12 | 13 | # dependency stuff, see: http://www.cs.berkeley.edu/~smcpeak/autodepend/autodepend.html 14 | # pull in dependency info for *existing* .o files 15 | -include $(O_FILES:.o=.d) 16 | 17 | .SUFFIXES : .o .cpp 18 | 19 | .cpp.o : 20 | $(CXX) $(CXXFLAGS) -c $< 21 | $(CXX) -MM $(CXXFLAGS) $*.cpp > $*.d 22 | 23 | .c.o : 24 | $(CXX) $(CXXFLAGS) -c $< 25 | $(CXX) -MM $(CXXFLAGS) $*.c > $*.d 26 | 27 | clean: 28 | rm -f secrf *.o *.d 29 | -------------------------------------------------------------------------------- /secrf_revenge/common.cpp: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | #include 3 | 4 | uint8_t g_logLevel = 0; 5 | 6 | #define MAX_LOG_LEVELS (2) 7 | const char *g_szLogLevelText[MAX_LOG_LEVELS] = { 8 | "ERROR", 9 | "INFO" 10 | }; 11 | 12 | void SetLogLevel( uint8_t logLevel ) 13 | { 14 | g_logLevel = logLevel; 15 | } 16 | 17 | void LogMessage( uint8_t messageType, const char *fmt, ... ) 18 | { 19 | if ( messageType > g_logLevel ) 20 | return; 21 | 22 | va_list args; 23 | va_start(args, fmt); 24 | 25 | char szBuffer[1024]; 26 | 27 | vsprintf( szBuffer, fmt, args ); 28 | 29 | va_end(args); 30 | 31 | if ( messageType >= MAX_LOG_LEVELS ) 32 | printf( "[DBG][%d]::%s\n", messageType, szBuffer ); 33 | else 34 | printf( "[DBG][%s]::%s\n", g_szLogLevelText[messageType], szBuffer ); 35 | } 36 | -------------------------------------------------------------------------------- /secrf_revenge/common.h: -------------------------------------------------------------------------------- 1 | #ifndef __COMMON_H__ 2 | #define __COMMON_H__ 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | // NOTE: 14 | // !!!!!!!!!!!!!!!!!!!!!!!!! 15 | // CHANGE these two defines before release 16 | //#define CRYPTO_KEY_FILENAME "/home/jdub/quals_15/source_code/sirgoon/quals_15/secrf/server/crypto.key" 17 | //#define CRYPTO_KEY_FILENAME "/home/secrf/crypto.key\0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 18 | #define CRYPTO_KEY_FILENAME "/home/secrfrevenge/crypto.key\0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 19 | #define MAX_IDLE_SECS (30) 20 | 21 | //#define TEST_MODE_ON (1) 22 | 23 | #define CLOCKS_PER_SYMBOL (33) 24 | 25 | #define SAMPLE_FS (13200) 26 | #define MAX_TIME (10) 27 | #define MAX_SAMPLE_POINTS (MAX_TIME * SAMPLE_FS) 28 | #define MIN_SAMPLE_POINTS (128) 29 | 30 | #define PI_VALUE 3.1415926535897932384626433832795 31 | 32 | #define MAX_PACKET_FRAGMENTS (16) 33 | 34 | #define CRYPTO_KEY_SIZE (16) // 128 bits 35 | #define CRYPTO_RC4_DROP_AMOUNT (256) // Drop first 256 bytes 36 | 37 | #define MAX_FRAGMENT_BUFFER (16) // Maximum number of sequence numbers that can be in packet reassembly buffer 38 | 39 | #ifdef _WIN32 40 | #define snprintf _snprintf 41 | 42 | #define GET_FILE_NAME() __FILE__ 43 | #define GET_LINE_NUMBER() __LINE__ 44 | #else 45 | #define GET_FILE_NAME() __FILE__ 46 | #define GET_LINE_NUMBER() __LINE__ 47 | #endif 48 | 49 | #define DEBUG_MESSAGE_ERROR (0) 50 | #define DEBUG_MESSAGE_INFO (1) 51 | 52 | #include "cpp_helper.h" 53 | #include "exception_handler.h" 54 | #include "well_rng.h" 55 | #include "critical_exception.h" 56 | #include "doublelist.h" 57 | #include "dsp_engine.h" 58 | #include "packet.h" 59 | #include "rc4engine.h" 60 | #include "radiomessage.h" 61 | #include "radiomac.h" 62 | #include "digital_receiver.h" 63 | #include "messagehandler.h" 64 | 65 | #ifdef _WIN32 66 | static inline double round(double val) 67 | { 68 | return floor(val + 0.5); 69 | } 70 | #endif 71 | 72 | void SetLogLevel( uint8_t logLevel ); 73 | void LogMessage( uint8_t messageType, const char *fmt, ... ); 74 | 75 | #endif // __COMMON_H__ 76 | -------------------------------------------------------------------------------- /secrf_revenge/complex.cpp: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | CComplex::CComplex( ) 4 | : m_real( 0 ), m_imag( 0 ) 5 | { 6 | 7 | } 8 | 9 | CComplex::CComplex( CComplex &rhs ) 10 | : m_real( rhs.m_real ), m_imag( rhs.m_imag ) 11 | { 12 | 13 | } 14 | 15 | CComplex::CComplex( double real, double imag ) 16 | : m_real( real ), m_imag( imag ) 17 | { 18 | 19 | } 20 | 21 | CComplex::~CComplex( ) 22 | { 23 | // Do nothing 24 | } 25 | 26 | CComplex CComplex::operator+ ( CComplex &rhs ) 27 | { 28 | return CComplex( m_real + rhs.m_real, m_imag + rhs.m_imag ); 29 | } 30 | 31 | CComplex CComplex::operator- ( CComplex &rhs ) 32 | { 33 | return CComplex( m_real - rhs.m_real, m_imag - rhs.m_imag ); 34 | } 35 | 36 | CComplex CComplex::operator* ( CComplex &rhs ) 37 | { 38 | return CComplex( ((m_real * rhs.m_real) - (m_imag * rhs.m_imag)), ((m_real * rhs.m_imag) + (m_imag * rhs.m_real)) ); 39 | } 40 | 41 | 42 | // To be completed in next class 43 | CComplex CComplex::operator/ ( CComplex &rhs ) 44 | { 45 | CComplex conj = rhs.Conjugate(); 46 | double norm = rhs.Normal(); 47 | 48 | return ((*this) * conj) / (norm * norm); 49 | } 50 | 51 | CComplex CComplex::operator/ ( double scale ) 52 | { 53 | return CComplex( m_real / scale, m_imag / scale ); 54 | } 55 | 56 | CComplex CComplex::Conjugate() 57 | { 58 | // Conjugate vector 59 | return CComplex( m_real, -m_imag ); 60 | } 61 | 62 | double CComplex::Normal() 63 | { 64 | // Normal vector 65 | return sqrt( (m_real * m_real) + (m_imag * m_imag) ); 66 | } 67 | 68 | uint32_t CComplex::Print( char *szDest, uint32_t maxLen ) 69 | { 70 | if ( szDest == NULL ) 71 | return (0); 72 | 73 | return snprintf( szDest, maxLen, "(%f,%f)", m_real, m_imag ); 74 | } -------------------------------------------------------------------------------- /secrf_revenge/complex.h: -------------------------------------------------------------------------------- 1 | #ifndef __COMPLEX_H__ 2 | #define __COMPLEX_H__ 3 | 4 | // A complex class 5 | class CComplex 6 | { 7 | public: 8 | CComplex(); 9 | CComplex( CComplex &rhs ); 10 | CComplex( double real, double imag ); 11 | ~CComplex(); 12 | 13 | CComplex operator+ ( CComplex& ); 14 | CComplex operator- ( CComplex& ); 15 | CComplex operator* ( CComplex& ); 16 | CComplex operator/ ( CComplex& ); 17 | CComplex operator/ ( double scale ); 18 | 19 | CComplex Conjugate(); 20 | double Normal(); 21 | uint32_t Print( char *szDest, uint32_t maxLen ); 22 | 23 | private: 24 | double m_real; 25 | double m_imag; 26 | }; 27 | 28 | #endif // __COMPLEX_H__ -------------------------------------------------------------------------------- /secrf_revenge/cpp_helper.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #include "cpp_helper.h" 5 | 6 | void* operator new( size_t count ) 7 | { 8 | return (void *)malloc( count ); 9 | } 10 | 11 | void* operator new[]( size_t count ) 12 | { 13 | return (void *)malloc( count ); 14 | } 15 | 16 | void operator delete( void *ptr ) 17 | { 18 | free( ptr ); 19 | } 20 | 21 | void operator delete[]( void *ptr ) 22 | { 23 | free( ptr ); 24 | } 25 | -------------------------------------------------------------------------------- /secrf_revenge/cpp_helper.h: -------------------------------------------------------------------------------- 1 | #ifndef CPP_HELPER_H__ 2 | #define CPP_HELPER_H__ 3 | 4 | void* operator new( size_t count ); 5 | void* operator new[]( size_t count ); 6 | 7 | void operator delete( void *ptr ); 8 | void operator delete[]( void *ptr ); 9 | 10 | #endif // CPP_HELPER_H__ 11 | -------------------------------------------------------------------------------- /secrf_revenge/critical_exception.cpp: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | CCriticalException::CCriticalException( String sExceptionText, String sFileName, uint32_t lineNumber ) 4 | : CException( EXCEPTION_TYPE_CRITICAL ), m_sExceptionText( sExceptionText ), m_sFileName( sFileName ), m_lineNumber( lineNumber ) 5 | { 6 | 7 | } 8 | 9 | CCriticalException::CCriticalException( const char *pszExceptionText, const char *pszFileName, uint32_t lineNumber ) 10 | : CException( EXCEPTION_TYPE_CRITICAL ), m_sExceptionText( pszExceptionText ), m_sFileName( pszFileName ), m_lineNumber( lineNumber ) 11 | { 12 | 13 | } 14 | -------------------------------------------------------------------------------- /secrf_revenge/critical_exception.h: -------------------------------------------------------------------------------- 1 | #ifndef __CRITICAL_EXCEPTION_H__ 2 | #define __CRITICAL_EXCEPTION_H__ 3 | 4 | #include "string.h" 5 | #include "exception_handler.h" 6 | 7 | #define EXCEPTION_TYPE_CRITICAL (1) 8 | 9 | class CCriticalException : public CException 10 | { 11 | public: 12 | CCriticalException( String sExceptionText, String sFileName, uint32_t lineNumber ); 13 | CCriticalException( const char *pszExceptionText, const char *pszFileName, uint32_t lineNumber ); 14 | 15 | const String &GetExceptionText( void ) const { return m_sExceptionText; }; 16 | uint32_t GetLineNumber( void ) const { return m_lineNumber; }; 17 | const String &GetFileName( void ) const { return m_sFileName; }; 18 | 19 | private: 20 | String m_sExceptionText; 21 | String m_sFileName; 22 | uint32_t m_lineNumber; 23 | }; 24 | 25 | #endif // __CRITICAL_EXCEPTION_H__ 26 | -------------------------------------------------------------------------------- /secrf_revenge/crypto.key: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/legitbs/quals-2016/ab495ee64bdb008f70608672286280b46bbdb2b7/secrf_revenge/crypto.key -------------------------------------------------------------------------------- /secrf_revenge/digital_receiver.h: -------------------------------------------------------------------------------- 1 | #ifndef __DIGITAL_RECEIVER_H__ 2 | #define __DIGITAL_RECEIVER_H__ 3 | 4 | class CDigitalReceiver 5 | { 6 | public: 7 | static const uint32_t RX_BIT_RATE = 330; 8 | static const uint32_t RX_BIT_RATE_SKEW = 50; // Allow +/- 50 bps skew 9 | 10 | static const uint8_t RX_STATE_PREAMBLE = 0; 11 | static const uint8_t RX_STATE_BYTE_SYNC = 1; 12 | static const uint8_t RX_STATE_HEADER = 2; 13 | static const uint8_t RX_STATE_LENGTH = 3; 14 | static const uint8_t RX_STATE_DATA = 4; 15 | static const uint8_t RX_STATE_CRC = 5; 16 | 17 | static const uint8_t RX_MARK_VALUE = 0; 18 | static const uint8_t RX_SPACE_VALUE = 1; 19 | 20 | static const uint8_t PREAMBLE_LOCK_BIT_COUNT = 24; 21 | 22 | static const uint16_t BYTE_SYNC_VALUE = 0xC3AC; 23 | 24 | public: 25 | CDigitalReceiver( CRadioMAC *pRadioMAC ); 26 | ~CDigitalReceiver(); 27 | 28 | void SetSampleRate( uint32_t sampleRate ) { m_sampleRate = sampleRate; }; 29 | 30 | void ReceiveSample( uint8_t sample ); 31 | 32 | private: 33 | void ResetLock( void ); 34 | void DoRxPreamble( uint8_t sample ); 35 | void DoRxByteSync( uint8_t sample ); 36 | void DoRxHeader( uint8_t sample ); 37 | void DoRxLength( uint8_t sample ); 38 | void DoRxData( uint8_t sample ); 39 | void DoRxCRC( uint8_t sample ); 40 | 41 | bool DoSample( void ); 42 | 43 | uint32_t GetSampleClockSkewMax( void ); 44 | uint32_t GetSampleClockSkewMin( void ); 45 | 46 | private: 47 | CRadioMAC *m_pRadioMAC; 48 | 49 | double m_clocksPerSymbol; 50 | uint32_t m_clockTransitionCounter; 51 | uint32_t m_preambleCounter; 52 | uint8_t m_lastTransitionSymbol; 53 | 54 | double m_clocksUntilNextSymbol; 55 | uint32_t m_symbolsSinceLastTransition; 56 | uint8_t m_lastPreambleSymbol; 57 | 58 | uint8_t m_byteLockPos; 59 | 60 | uint32_t m_preambleSymbolCounter; 61 | 62 | uint8_t m_rxState; 63 | uint32_t m_sampleRate; 64 | 65 | uint8_t m_packetBitPos; 66 | uint8_t m_packetDataBytePos; 67 | 68 | uint8_t m_currentPacketHdr; 69 | uint8_t m_currentPacketLen; 70 | uint8_t m_currentPacketData[256]; 71 | uint16_t m_currentPacketCRC; 72 | }; 73 | 74 | #endif // __DIGITAL_RECEIVER_H__ 75 | -------------------------------------------------------------------------------- /secrf_revenge/doublelist.h: -------------------------------------------------------------------------------- 1 | #ifndef __DOUBLE_LIST_H__ 2 | #define __DOUBLE_LIST_H__ 3 | 4 | // Forward declaration 5 | class CDoubleList; 6 | 7 | // A link item (carried by an item in a double list) 8 | class CDoubleLink 9 | { 10 | public: 11 | friend class CDoubleList; // Allow double list to access private data members 12 | 13 | public: 14 | CDoubleLink(); 15 | ~CDoubleLink(); 16 | 17 | bool Unlink( void ); // Unlink it from its list 18 | 19 | private: 20 | void AddToList( CDoubleList *pList ) { m_pList = pList; }; 21 | void ClearList( void ) { m_pList = NULL; }; 22 | 23 | private: 24 | CDoubleLink *m_pNext; // Next node 25 | CDoubleLink *m_pPrev; // Previous node 26 | CDoubleList *m_pList; // The list this item is in 27 | }; 28 | 29 | // Doubly linked list class 30 | class CDoubleList 31 | { 32 | public: 33 | friend class CDoubleLink; // Allow double link to access RemoveLink function 34 | 35 | public: 36 | CDoubleList(); 37 | ~CDoubleList(); 38 | 39 | // Delete everyone 40 | void DeleteAll( void ); 41 | 42 | // Accessors 43 | CDoubleLink *GetFirst( void ) { return m_pFirst; }; 44 | CDoubleLink *GetLast( void ) { return m_pLast; }; 45 | 46 | CDoubleLink *GetNext( CDoubleLink *pCur ); 47 | CDoubleLink *GetPrev( CDoubleLink *pCur ); 48 | 49 | // Remove 50 | CDoubleLink *RemoveFirst( void ); 51 | CDoubleLink *RemoveLast( void ); 52 | 53 | // Addition 54 | bool AddFirst( CDoubleLink *pItem ); 55 | bool AddAfter( CDoubleLink *pPrev, CDoubleLink *pItem ); 56 | bool AddLast( CDoubleLink *pItem ); 57 | 58 | // Item count 59 | uint32_t GetItemCount( void ) { return m_itemCount; }; 60 | 61 | private: 62 | bool RemoveLink( CDoubleLink *pItem ); 63 | 64 | private: 65 | uint32_t m_itemCount; 66 | CDoubleLink *m_pFirst; 67 | CDoubleLink *m_pLast; 68 | }; 69 | 70 | #endif // __DOUBLE_LIST_H__ -------------------------------------------------------------------------------- /secrf_revenge/dsp_engine.h: -------------------------------------------------------------------------------- 1 | #ifndef __DSP_ENGINE_H__ 2 | #define __DSP_ENGINE_H__ 3 | 4 | class CDSPEngine 5 | { 6 | public: 7 | static double BandpassFilter1200( double inputSample ); 8 | static double BandpassFilter2200( double inputSample ); 9 | 10 | static double EnvelopeDetector1( double inputSample ); 11 | static double EnvelopeDetector2( double inputSample ); 12 | 13 | private: 14 | }; 15 | 16 | #endif // __DSP_ENGINE_H__ 17 | -------------------------------------------------------------------------------- /secrf_revenge/exception_handler.h: -------------------------------------------------------------------------------- 1 | /* 2 | Author: Jason Williams 3 | Copyright (c) 2014 Cromulence LLC 4 | Permission is hereby granted, free of charge, to any person obtaining a copy 5 | of this software and associated documentation files (the "Software"), to deal 6 | in the Software without restriction, including without limitation the rights 7 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 8 | copies of the Software, and to permit persons to whom the Software is 9 | furnished to do so, subject to the following conditions: 10 | The above copyright notice and this permission notice shall be included in 11 | all copies or substantial portions of the Software. 12 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 13 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 14 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 15 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 16 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 17 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 18 | THE SOFTWARE. 19 | */ 20 | #ifndef __EXCEPTION_HANDLER_H__ 21 | #define __EXCEPTION_HANDLER_H__ 22 | 23 | #include 24 | #include 25 | 26 | // Implement an exception handler with setjmp/longjmp 27 | 28 | #define MAX_EXCEPTION_NAME (64) 29 | #define MAX_EXCEPTION_EXTRA (128) 30 | 31 | class CException 32 | { 33 | public: 34 | CException( uint32_t typeNumber ) 35 | { 36 | m_exceptionTypeNumber = typeNumber; 37 | } 38 | 39 | uint32_t GetType( void ) const { return m_exceptionTypeNumber; }; 40 | 41 | private: 42 | uint32_t m_exceptionTypeNumber; 43 | }; 44 | 45 | typedef struct EXCEPTION_FRAME_STRUCT 46 | { 47 | jmp_buf jmpBuffer; 48 | } tExceptionFrame; 49 | 50 | #define TRY switch( setjmp( get_next_exception_frame()->jmpBuffer ) ) { case 0: while(1) { 51 | #define CATCH(e) break; case e: 52 | #define THROW(e) longjmp( get_current_exception_frame()->jmpBuffer, SetExceptionPointer(e)->GetType() ) 53 | #define FINALLY break; } default: 54 | #define ETRY pop_exception_frame(); } 55 | 56 | void init_exception_handler( void ); 57 | tExceptionFrame *get_next_exception_frame( void ); 58 | tExceptionFrame *get_current_exception_frame( void ); 59 | tExceptionFrame *pop_exception_frame( void ); 60 | CException *GetExceptionPointer( void ); 61 | CException *SetExceptionPointer( CException *pException ); 62 | 63 | #endif // __EXCEPTION_HANDLER_H__ 64 | -------------------------------------------------------------------------------- /secrf_revenge/flag: -------------------------------------------------------------------------------- 1 | This is the flag silly!!! 2 | -------------------------------------------------------------------------------- /secrf_revenge/messagehandler.h: -------------------------------------------------------------------------------- 1 | #ifndef __MESSAGE_HANDLER_H__ 2 | #define __MESSAGE_HANDLER_H__ 3 | 4 | typedef bool (*fpTLVHandler)( void *pInstance, uint8_t *pData, uint16_t dataLen ); 5 | 6 | #define TLV_FLAG_REQUIRED (1<<0) 7 | #define TLV_FLAG_NOTFOUND (1<<1) 8 | #define TLV_FLAG_ERROR (1<<2) 9 | 10 | typedef struct TLV_FIELD_HEADER 11 | { 12 | uint8_t tlv_id; 13 | uint8_t tlv_flags; 14 | fpTLVHandler pHandlerFunc; 15 | } tTLVField; 16 | 17 | typedef struct TLV_ELEMENT 18 | { 19 | bool bPopulated; 20 | uint8_t tlv_flags; 21 | uint8_t tlv_id; 22 | fpTLVHandler pHandlerFunc; 23 | uint8_t *pData; 24 | uint32_t dataLen; 25 | } tTLVElement; 26 | 27 | class CMessageHandler 28 | { 29 | public: 30 | CMessageHandler(); 31 | ~CMessageHandler(); 32 | 33 | void ParseMessage( tTLVField *pTLVTable, uint32_t numElements, uint8_t *pMessageData, uint32_t messageLen ); 34 | 35 | private: 36 | }; 37 | 38 | #endif // __MESSAGE_HANDLER_H__ 39 | -------------------------------------------------------------------------------- /secrf_revenge/musl-clang: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # musl-clang: A clang wrapper for musl C library. 4 | # Supports static linking. (-static) 5 | # 6 | # WARNING: This is not a perfect drop-in replacement 7 | # 8 | # See LICENSE file for copyright and license details. 9 | # 10 | 11 | PREFIX=${MUSL_PREFIX:-"/usr/local/musl"} 12 | if [ ! -d "${PREFIX}" ]; then 13 | echo "invalid prefix: ${PREFIX}" 14 | return 1 15 | fi 16 | 17 | CPP=no 18 | case "$0" in 19 | *++) CPP=yes ;; 20 | esac 21 | 22 | if [ "${CPP}" = "yes" ]; then 23 | CLANG=${REALCLANGPP:-"clang-3.5++"} 24 | else 25 | CLANG=${REALCLANG:-"clang-3.5"} 26 | fi 27 | 28 | hasNo() { 29 | pat="$1" 30 | shift 1 31 | 32 | for e in "$@"; do 33 | if [ "$e" = "${pat}" ]; then 34 | return 1 35 | fi 36 | done 37 | return 0 38 | } 39 | 40 | ARGS="-nostdinc -fno-exceptions -fno-rtti -static" 41 | TAIL="" 42 | 43 | if hasNo '-nostdinc' "$@"; then 44 | ARGS="${ARGS} -isystem ${PREFIX}/include" 45 | fi 46 | 47 | if \ 48 | hasNo '-c' "$@" && \ 49 | hasNo '-S' "$@" && \ 50 | hasNo '-E' "$@" 51 | then 52 | ARGS="${ARGS} -nostdlib" 53 | ARGS="${ARGS} -Wl,-dynamic-linker=${PREFIX}/lib/libc.so" 54 | ARGS="${ARGS} -L${PREFIX}/lib" 55 | #ARGS="${ARGS} -Wl,-rpath=${PREFIX}/lib" 56 | 57 | if hasNo '-nostartfiles' "$@" && \ 58 | hasNo '-nostdlib' "$@" && \ 59 | hasNo '-nodefaultlibs' "$@" 60 | then 61 | ARGS="${ARGS} ${PREFIX}/lib/crt1.o" 62 | ARGS="${ARGS} ${PREFIX}/lib/crti.o" 63 | 64 | TAIL="${TAIL} ${PREFIX}/lib/crtn.o" 65 | fi 66 | 67 | if hasNo '-nostdlib' "$@" && \ 68 | hasNo '-nodefaultlibs' "$@" 69 | then 70 | if [ "${CPP}" = "yes" ]; then 71 | TAIL="${TAIL} -lc++" 72 | TAIL="${TAIL} -lunwind" 73 | TAIL="${TAIL} -lm" 74 | fi 75 | TAIL="${TAIL} -lc" 76 | #TAIL="${TAIL} -Wl,-Bstatic -lcompiler_rt" 77 | fi 78 | fi 79 | 80 | #echo "# $0" "$@" >&2 81 | #set -x 82 | exec ${CLANG} ${ARGS} "$@" ${TAIL} 83 | -------------------------------------------------------------------------------- /secrf_revenge/packet.h: -------------------------------------------------------------------------------- 1 | #ifndef __PACKET_H__ 2 | #define __PACKET_H__ 3 | 4 | class CPacket 5 | { 6 | public: 7 | static const uint8_t PACKET_FRAGMENT_BIT = (1<<7); 8 | static const uint8_t PACKET_LAST_FRAGMENT_BIT = (1<<6); 9 | static const uint8_t PACKET_PARITY_BIT = (1<<5); 10 | static const uint8_t PACKET_PARITY_BIT_POS = 5; 11 | static const uint8_t PACKET_HEADER_SIGNATURE = 0x19; 12 | static const uint8_t PACKET_HEADER_MASK = 0x1F; 13 | static const uint8_t PACKET_PARITY_MASK = 0xDF; 14 | 15 | public: 16 | CPacket( uint8_t hdrByte, uint8_t len, uint8_t *pData, uint16_t crc16 ); 17 | ~CPacket( ); 18 | 19 | bool IsHeaderValid( void ); 20 | bool IsCRCValid( void ); 21 | bool IsValidPacket( void ); 22 | 23 | uint8_t GetDataLength( void ); 24 | uint8_t *GetData( void ); 25 | 26 | uint8_t GetHeader( void ) const { return m_header.hdr; }; 27 | uint16_t GetCRC( void ) const { return m_crc16; }; 28 | 29 | bool IsPacketFragmented( void ) 30 | { 31 | if ( m_header.hdr & PACKET_FRAGMENT_BIT ) 32 | return (true); 33 | else 34 | return (false); 35 | } 36 | 37 | bool IsPacketLastFragment( void ) 38 | { 39 | if ( m_header.hdr & PACKET_LAST_FRAGMENT_BIT ) 40 | return (true); 41 | else 42 | return (false); 43 | } 44 | 45 | uint8_t GetFragmentNumber( void ); 46 | uint16_t GetSequenceNumber( void ); 47 | 48 | private: 49 | typedef struct 50 | { 51 | uint8_t hdr; 52 | uint8_t len; 53 | } tPacketHeader; 54 | 55 | tPacketHeader m_header; 56 | uint8_t *m_pData; 57 | uint16_t m_crc16; 58 | }; 59 | 60 | #endif // __PACKET_H__ -------------------------------------------------------------------------------- /secrf_revenge/radiomac.h: -------------------------------------------------------------------------------- 1 | #ifndef __RADIO_MAC_H__ 2 | #define __RADIO_MAC_H__ 3 | 4 | class CFragmentBuffer : public CDoubleLink 5 | { 6 | public: 7 | CFragmentBuffer( uint16_t sequenceNumber ); 8 | ~CFragmentBuffer(); 9 | 10 | uint32_t GetSequenceNumber( void ) { return m_sequenceNumber; }; 11 | 12 | bool AddFragment( CPacket *pPacket ); 13 | 14 | bool HasAllFragments( void ); 15 | 16 | uint32_t GetAssembledSize( void ); 17 | 18 | uint32_t AssemblePacket( uint8_t *pBuffer, uint32_t bufferLen ); 19 | 20 | private: 21 | CPacket *m_pSegments[MAX_PACKET_FRAGMENTS]; 22 | uint16_t m_sequenceNumber; 23 | uint8_t m_lastFragmentNumber; 24 | bool m_bHasLastFragment; 25 | }; 26 | 27 | class CRadioMAC 28 | { 29 | public: 30 | CRadioMAC(); 31 | ~CRadioMAC(); 32 | 33 | bool LoadKeyFile( const char *pszKeyFileName ); 34 | 35 | void ReceivePacket( CPacket *pPacket ); 36 | 37 | bool IsMessageAvailable( void ); 38 | 39 | CRadioMessage *PopMessage( void ); 40 | 41 | void DecryptDataToMessage( uint8_t *pData, uint32_t dataLen ); 42 | 43 | void AddFragment( CPacket *pPacket ); 44 | 45 | CFragmentBuffer *GetFragmentBufferForPacket( CPacket *pPacket ); 46 | 47 | void AssembleFragmentToMessage( CFragmentBuffer *pFragmentBuffer ); 48 | 49 | private: 50 | CDoubleList m_messageList; 51 | CDoubleList m_fragmentList; 52 | 53 | uint8_t m_keyData[CRYPTO_KEY_SIZE]; 54 | uint32_t m_messageCounter; 55 | }; 56 | 57 | #endif // __RADIO_MAC_H__ 58 | -------------------------------------------------------------------------------- /secrf_revenge/radiomessage.cpp: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | #define RADIO_MESSAGE_POOL_INIT_SIZE 16 4 | 5 | void *__dso_handle = 0; 6 | 7 | CRadioMessagePool g_messagePool; 8 | 9 | CRadioMessagePoolData::CRadioMessagePoolData( ) 10 | { 11 | m_pData = new uint8_t[RADIO_MESSAGE_SIZE]; 12 | } 13 | 14 | CRadioMessagePoolData::~CRadioMessagePoolData( ) 15 | { 16 | if ( m_pData ) 17 | delete m_pData; 18 | } 19 | 20 | CRadioMessagePool::CRadioMessagePool( ) 21 | { 22 | uint32_t i; 23 | for ( i = 0; i < RADIO_MESSAGE_POOL_INIT_SIZE; i++ ) 24 | { 25 | m_poolList.AddLast( new CRadioMessagePoolData() ); 26 | } 27 | 28 | m_poolAvailable = i; 29 | } 30 | 31 | CRadioMessagePool::~CRadioMessagePool( ) 32 | { 33 | // Do nothing -- pool deletes all items 34 | } 35 | 36 | CRadioMessagePoolData *CRadioMessagePool::GetMessageData( void ) 37 | { 38 | if ( m_poolAvailable == 0 ) 39 | { 40 | uint32_t i; 41 | for ( i = 0; i < RADIO_MESSAGE_POOL_INIT_SIZE; i++ ) 42 | { 43 | m_poolList.AddLast( new CRadioMessagePoolData() ); 44 | } 45 | 46 | m_poolAvailable = i; 47 | } 48 | 49 | CRadioMessagePoolData *pNewPoolData = (CRadioMessagePoolData *)m_poolList.RemoveFirst(); 50 | 51 | m_poolAvailable--; 52 | 53 | return pNewPoolData; 54 | } 55 | 56 | void CRadioMessagePool::FreeMessageData( CRadioMessagePoolData *pItem ) 57 | { 58 | if ( !pItem ) 59 | return; 60 | 61 | m_poolList.AddLast( pItem ); 62 | 63 | m_poolAvailable++; 64 | } 65 | 66 | CRadioMessage::CRadioMessage( uint32_t messageID, uint8_t *pData, uint32_t dataLen ) 67 | : m_messageID( messageID ), CDoubleLink() 68 | { 69 | m_pPoolData = g_messagePool.GetMessageData(); 70 | 71 | memcpy( m_pPoolData->GetData(), pData, dataLen ); 72 | 73 | m_dataLen = dataLen; 74 | 75 | /* 76 | m_pData = new uint8_t[dataLen]; 77 | 78 | memcpy( m_pData, pData, dataLen ); 79 | 80 | m_dataLen = dataLen; 81 | */ 82 | } 83 | 84 | CRadioMessage::~CRadioMessage( ) 85 | { 86 | g_messagePool.FreeMessageData( m_pPoolData ); 87 | 88 | /* 89 | if ( m_pData ) 90 | delete m_pData; 91 | */ 92 | } 93 | -------------------------------------------------------------------------------- /secrf_revenge/radiomessage.h: -------------------------------------------------------------------------------- 1 | #ifndef __RADIO_MESSAGE_H__ 2 | #define __RADIO_MESSAGE_H__ 3 | 4 | #define RADIO_MESSAGE_SIZE (4096) 5 | 6 | class CRadioMessagePoolData : public CDoubleLink 7 | { 8 | public: 9 | CRadioMessagePoolData( ); 10 | ~CRadioMessagePoolData( ); 11 | 12 | uint8_t *GetData( void ) const { return m_pData; }; 13 | 14 | private: 15 | uint8_t *m_pData; 16 | }; 17 | 18 | class CRadioMessagePool 19 | { 20 | public: 21 | CRadioMessagePool( ); 22 | ~CRadioMessagePool( ); 23 | 24 | CRadioMessagePoolData *GetMessageData( void ); 25 | 26 | void FreeMessageData( CRadioMessagePoolData *pItem ); 27 | 28 | private: 29 | CDoubleList m_poolList; 30 | uint32_t m_poolAvailable; 31 | }; 32 | 33 | class CRadioMessage : public CDoubleLink 34 | { 35 | public: 36 | CRadioMessage( uint32_t messageID, uint8_t *pData, uint32_t dataLen ); 37 | ~CRadioMessage( ); 38 | 39 | uint8_t *GetData( void ) const { return m_pPoolData->GetData(); }; 40 | uint32_t GetLength( void ) const { return m_dataLen; }; 41 | uint32_t GetMessageID( void ) const { return m_messageID; }; 42 | 43 | private: 44 | //uint8_t *m_pData; 45 | uint32_t m_messageID; 46 | CRadioMessagePoolData *m_pPoolData; 47 | uint32_t m_dataLen; 48 | }; 49 | 50 | #endif // __RADIO_MESSAGE_H__ 51 | -------------------------------------------------------------------------------- /secrf_revenge/rc4engine.cpp: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | CRC4Engine::CRC4Engine( ) 4 | { 5 | memset( m_state, 0, 256 ); 6 | } 7 | 8 | CRC4Engine::~CRC4Engine( ) 9 | { 10 | 11 | } 12 | 13 | void CRC4Engine::InitKSA( uint8_t *pKeyData, uint8_t keyLen, uint32_t dropAmount ) 14 | { 15 | uint32_t i,j=0,t; 16 | 17 | for (i=0; i < 256; ++i) 18 | m_state[i] = i; 19 | 20 | for (i=0; i < 256; ++i) 21 | { 22 | j = (j + m_state[i] + pKeyData[i % keyLen]) % 256; 23 | t = m_state[i]; 24 | m_state[i] = m_state[j]; 25 | m_state[j] = t; 26 | } 27 | 28 | uint32_t x; 29 | for (x=0; x < dropAmount; ++x) 30 | { 31 | i = (i + 1) % 256; 32 | j = (j + m_state[i]) % 256; 33 | t = m_state[i]; 34 | m_state[i] = m_state[j]; 35 | m_state[j] = t; 36 | } 37 | } 38 | 39 | void CRC4Engine::RC4Block( uint8_t *pBlock, uint8_t blockLen ) 40 | { 41 | uint32_t i=0,j=0,x,t; 42 | 43 | for (x=0; x < blockLen; ++x) 44 | { 45 | i = (i + 1) % 256; 46 | j = (j + m_state[i]) % 256; 47 | t = m_state[i]; 48 | m_state[i] = m_state[j]; 49 | m_state[j] = t; 50 | pBlock[x] = m_state[(m_state[i] + m_state[j]) % 256] ^ pBlock[x]; 51 | } 52 | } -------------------------------------------------------------------------------- /secrf_revenge/rc4engine.h: -------------------------------------------------------------------------------- 1 | #ifndef __RC4_ENGINE_H__ 2 | #define __RC4_ENGINE_H__ 3 | 4 | class CRC4Engine 5 | { 6 | public: 7 | CRC4Engine( ); 8 | ~CRC4Engine( ); 9 | 10 | void InitKSA( uint8_t *pKeyData, uint8_t keyLen, uint32_t dropAmount ); 11 | void RC4Block( uint8_t *pBlock, uint8_t blockLen ); 12 | 13 | private: 14 | uint32_t m_state[256]; 15 | }; 16 | 17 | #endif // __RC4_ENGINE_H__ -------------------------------------------------------------------------------- /secrf_revenge/string.h: -------------------------------------------------------------------------------- 1 | #ifndef STRING_H 2 | #define STRING_H 3 | 4 | #include 5 | #include 6 | 7 | class String 8 | { 9 | public: 10 | String(); 11 | String(const String& rhs); 12 | String(const char* rhs); 13 | ~String(); 14 | 15 | uint32_t GetLength(void); 16 | String SubString(uint32_t start, uint32_t length); 17 | 18 | void Reverse(); 19 | bool IsEmpty(); 20 | char GetAt(uint32_t pos); 21 | 22 | void ToUpper(); 23 | void ToLower(); 24 | 25 | 26 | String operator+(String &rhs); 27 | String &operator+=(String &rhs); 28 | bool operator==(String &rhs); 29 | 30 | int32_t Compare( String &rhs ); 31 | const char *CStr(void) const; 32 | 33 | private: 34 | char* m_pData; 35 | uint32_t m_size; 36 | }; 37 | 38 | #endif // STRING_H 39 | -------------------------------------------------------------------------------- /secrf_revenge/strip_all: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | strip -s secrf 4 | strip --remove-section .note --remove-section .comment --remove-section .note.gnu.build-id secrf 5 | -------------------------------------------------------------------------------- /secrf_revenge/well_rng.cpp: -------------------------------------------------------------------------------- 1 | /* ***************************************************************************** */ 2 | /* Copyright: Francois Panneton and Pierre L'Ecuyer, University of Montreal */ 3 | /* Makoto Matsumoto, Hiroshima University */ 4 | /* Notice: This code can be used freely for personal, academic, */ 5 | /* or non-commercial purposes. For commercial purposes, */ 6 | /* please contact P. L'Ecuyer at: lecuyer@iro.UMontreal.ca */ 7 | /* ***************************************************************************** */ 8 | 9 | #include "well_rng.h" 10 | 11 | #define W 32 12 | #define R 16 13 | #define P 0 14 | #define M1 13 15 | #define M2 9 16 | #define M3 5 17 | 18 | #define MAT0POS(t,v) (v^(v>>t)) 19 | #define MAT0NEG(t,v) (v^(v<<(-(t)))) 20 | #define MAT3NEG(t,v) (v<<(-(t))) 21 | #define MAT4NEG(t,b,v) (v ^ ((v<<(-(t))) & b)) 22 | 23 | #define V0 STATE[state_i ] 24 | #define VM1 STATE[(state_i+M1) & 0x0000000fU] 25 | #define VM2 STATE[(state_i+M2) & 0x0000000fU] 26 | #define VM3 STATE[(state_i+M3) & 0x0000000fU] 27 | #define VRm1 STATE[(state_i+15) & 0x0000000fU] 28 | #define VRm2 STATE[(state_i+14) & 0x0000000fU] 29 | #define newV0 STATE[(state_i+15) & 0x0000000fU] 30 | #define newV1 STATE[state_i ] 31 | #define newVRm1 STATE[(state_i+14) & 0x0000000fU] 32 | 33 | #define FACT 2.32830643653869628906e-10 34 | 35 | static unsigned int state_i = 0; 36 | static unsigned int STATE[R]; 37 | static unsigned int z0, z1, z2; 38 | 39 | void InitWELLRNG512a (unsigned int *init){ 40 | int j; 41 | state_i = 0; 42 | for (j = 0; j < R; j++) 43 | STATE[j] = init[j]; 44 | } 45 | 46 | double WELLRNG512a (void){ 47 | z0 = VRm1; 48 | z1 = MAT0NEG (-16,V0) ^ MAT0NEG (-15, VM1); 49 | z2 = MAT0POS (11, VM2) ; 50 | newV1 = z1 ^ z2; 51 | newV0 = MAT0NEG (-2,z0) ^ MAT0NEG(-18,z1) ^ MAT3NEG(-28,z2) ^ MAT4NEG(-5,0xda442d24U,newV1) ; 52 | state_i = (state_i + 15) & 0x0000000fU; 53 | return ((double) STATE[state_i]) * FACT; 54 | } 55 | -------------------------------------------------------------------------------- /secrf_revenge/well_rng.h: -------------------------------------------------------------------------------- 1 | #ifndef __WELL_RNG_H__ 2 | #define __WELL_RNG_H__ 3 | 4 | void InitWELLRNG512a( unsigned int *init ); 5 | double WELLRNG512a( void ); 6 | 7 | #endif // __WELL_RNG_H__ 8 | -------------------------------------------------------------------------------- /step/Makefile: -------------------------------------------------------------------------------- 1 | all: step.o enc.o scramble.o 2 | gcc -o step step.o 3 | gcc -o enc enc.o 4 | objdump -DfhprRtTxlS -M intel step > step.objdump 5 | ./enc 6 | strip --strip-all step 7 | gcc -o scramble scramble.o 8 | 9 | step.o: step.c 10 | gcc -Wno-format-security -c step.c 11 | 12 | enc.o: enc.c 13 | gcc -c enc.c 14 | 15 | scramble.o: scramble.c 16 | gcc -c scramble.c 17 | -------------------------------------------------------------------------------- /step/README: -------------------------------------------------------------------------------- 1 | step is a RE challenge with self-modifying code. Functions in the challenge are xor "encrypted" in two different ways. Some inital setup functions are encrypted using a 4-byte pass phrase (key1) and the rest of the fucntions have the first byte of each instruction encrypted with the least-significant byte of the address of that instruction. The trap flag and a handler function are used to decrypt the single byte encryption just before that particular instruction is executed. And, the trap handler also re-encrypts the instruction immediately after it's done executing. 2 | 3 | The challenge first prompts for "Key1" which is the 4-byte string used to decrypt the setup and trap handler functions. Then, it prompts for a 32-byte "Key2". The challenge then performs a per-byte permutation of the string's bits and compares the result with a hard-coded string. If they match, it prints the flag. 4 | 5 | So, the goal of this challenge is to RE the full-function decryption routine to obtain the trap handler, RE the trap handler to understand the single-byte decryption, and then RE the single-byte encrypted functions to obtain the function which performs the string permutation and comparison. With the hard-coded string and an understanding of the permutation, they can determine what 32-bytes should be sent for the program to print the flag. 6 | 7 | Current solution: 8 | echo -e "1337\n\x21\x66\xe2\xe0\xf1\xe2\x46\x40\xe6\xe0\xe5\x40\xa4\x40\x64\xe0\x73\xe2\x40\x63\x64\xe2\x40\x72\x66\xe0\xf2\x40\x76\xf6\xf3\n" | ./step 9 | 10 | 11 | 'scramble' and 'enc' programs are just helpers to create the 32-byte permuted string and to encrypt the compiled binary. 'enc' is pretty ugly...just parsing an objdump output, but hey, it works. 12 | -------------------------------------------------------------------------------- /step/flag: -------------------------------------------------------------------------------- 1 | This flag is: TBD 2 | -------------------------------------------------------------------------------- /step/scramble.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | 7 | void scramble(unsigned char in[64]) { 8 | unsigned char out[64]; 9 | uint8_t i; 10 | 11 | bzero(out, 64); 12 | 13 | for (i = 0; i < 64; i++) { 14 | out[i] = (in[i] & 0x80) ? 0x08 : 0; // 0 -> 4 15 | out[i] |= ((in[i] & 0x40) >> 1); // 1 -> 2 16 | out[i] |= ((in[i] & 0x20) << 1); // 2 -> 1 17 | out[i] |= ((in[i] & 0x10) >> 4); // 3 -> 7 18 | out[i] |= ((in[i] & 0x08) >> 1); // 4 -> 5 19 | out[i] |= ((in[i] & 0x04) >> 1); // 5 -> 6 20 | out[i] |= ((in[i] & 0x02) << 3); // 6 -> 3 21 | out[i] |= ((in[i] & 0x01) << 7); // 7 -> 0 22 | } 23 | memcpy(in, out, 64); 24 | 25 | } 26 | 27 | 28 | void unscramble(unsigned char in[64]) { 29 | unsigned char out[64]; 30 | uint8_t i; 31 | 32 | bzero(out, 64); 33 | 34 | for (i = 0; i < 64; i++) { 35 | out[i] |= (in[i] & 0x80) ? 0x1 : 0; // 0 -> 7 36 | out[i] |= ((in[i] & 0x40) >> 1); // 1 -> 2 37 | out[i] |= ((in[i] & 0x20) << 1); // 2 -> 1 38 | out[i] |= ((in[i] & 0x10) >> 3); // 3 -> 6 39 | out[i] |= ((in[i] & 0x08) << 4); // 4 -> 0 40 | out[i] |= ((in[i] & 0x04) << 1); // 5 -> 4 41 | out[i] |= ((in[i] & 0x02) << 1); // 6 -> 5 42 | out[i] |= ((in[i] & 0x01) << 4); // 7 -> 3 43 | } 44 | memcpy(in, out, 64); 45 | 46 | } 47 | 48 | int main(void) { 49 | unsigned char in[64]; 50 | int i; 51 | 52 | bzero(in, 64); 53 | printf("Target: "); 54 | fgets(in, 64, stdin); 55 | for (i = 0; i < 32; i++) { 56 | printf("\ttarget[%d] = '\\x%02x';\n", i, in[i]); 57 | } 58 | scramble(in); 59 | printf("Input string to step: "); 60 | for (i = 0; i < 32; i++) { 61 | printf("\\x%02x", in[i]); 62 | } 63 | printf("\n"); 64 | 65 | return(0); 66 | } 67 | -------------------------------------------------------------------------------- /thousand_cuts/.gitignore: -------------------------------------------------------------------------------- 1 | main 2 | .vagrant 3 | *.tar.bz2 4 | 1000_cuts 5 | 334_cuts 6 | 666_cuts 7 | easy-prasky-with-buffalo-on-bing 8 | -------------------------------------------------------------------------------- /thousand_cuts/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ruby:2.3.1 2 | 3 | COPY . /thousand_cuts 4 | 5 | WORKDIR /thousand_cuts 6 | 7 | CMD /thousand_cuts/prod-test.sh 8 | -------------------------------------------------------------------------------- /thousand_cuts/babysfirst/easy-prasky-with-buffalo-on-bing.raw: -------------------------------------------------------------------------------- 1 | AAAAAAAAAAAAAAAAAAAAlddwDrwhkTEBSya_AAAAAAAAAAAAAAAA 2 | -------------------------------------------------------------------------------- /thousand_cuts/babysfirst/runner.py: -------------------------------------------------------------------------------- 1 | #!/bin/env python -u 2 | import random 3 | from os import environ, listdir, path 4 | from sys import exit 5 | from subprocess import Popen, PIPE 6 | import signal 7 | from base64 import b64decode 8 | 9 | def alarm_handler(signum, frame): 10 | print "timed out, sorry" 11 | exit(-1) 12 | signal.signal(signal.SIGALRM, alarm_handler) 13 | 14 | input_timeout = int(environ.get('INPUT_TIMEOUT', 15)) 15 | crash_timeout = int(environ.get('CRASH_TIMEOUT', 5)) 16 | 17 | chall_path = "." 18 | 19 | picked = ["easy-prasky-with-buffalo-on-bing"] 20 | 21 | print "send your crash string as base64, followed by a newline" 22 | 23 | for c in picked: 24 | print c 25 | signal.alarm(input_timeout) 26 | crasher = b64decode(raw_input()) 27 | signal.alarm(0) 28 | 29 | signal.alarm(crash_timeout) 30 | proc = Popen(path.join(chall_path, c), 31 | stdin=PIPE, stdout=PIPE, stderr=PIPE) 32 | (out, err) = proc.communicate(crasher) 33 | signal.alarm(0) 34 | if out != "canary ok": 35 | print "didn't pass canary, sorry" 36 | exit(-1) 37 | 38 | if proc.returncode != -signal.SIGSEGV: 39 | print "didn't segfault, sorry" 40 | exit(-1) 41 | 42 | print "The flag is: {}".format( 43 | environ.get('FLAG', "I believe ghosts are like dogs and they just sort of do things arbitrarily Fogatlea")) 44 | -------------------------------------------------------------------------------- /thousand_cuts/breads.csv: -------------------------------------------------------------------------------- 1 | anpan 2 | arepa 3 | bagel 4 | baguette 5 | bammy 6 | bannock 7 | barbari 8 | barmbrack 9 | baziama 10 | bazin 11 | bialy 12 | bing 13 | biscuit 14 | bolani 15 | borodinsky 16 | brioche 17 | challah 18 | chapati 19 | cholermus 20 | cornbread 21 | dorayaki 22 | dosa 23 | doubledown 24 | eggette 25 | focaccia 26 | hubuz 27 | injera 28 | kalach 29 | lavash 30 | marraqueta 31 | matzo 32 | medianoche 33 | melonpan 34 | miche 35 | michetta 36 | milk 37 | multigrain 38 | naan 39 | ngome 40 | panbrioche 41 | pandesal 42 | pandoro 43 | piadina 44 | pikelet 45 | pistolet 46 | pita 47 | potbrood 48 | pretzel 49 | proja 50 | pumpernickel 51 | puri 52 | rugbrod 53 | rye 54 | sangak 55 | scone 56 | sgabeo 57 | shirmal 58 | shoti 59 | soda 60 | sourdough 61 | taftan 62 | tortilla 63 | ttongppang 64 | tunnbrod 65 | vanocka 66 | wheat 67 | white 68 | wonder 69 | zwieback 70 | -------------------------------------------------------------------------------- /thousand_cuts/prod-test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | pushd /thousand_cuts 4 | 5 | pushd babysfirst 6 | HOST=easy-prasky_335e35448b30ce7697fbb036cce45e34.quals.shallweplayaga.me PORT=10001 ruby player.rb 7 | popd 8 | 9 | pushd stack 10 | HOST=334_cuts_22ffeb97cf4f6ddb1802bf64c03e2aab.quals.shallweplayaga.me PORT=10334 ruby player.rb 11 | popd 12 | 13 | pushd vary-stack 14 | HOST=666_cuts_e38431570c1b4b397fa1026bb71a0576.quals.shallweplayaga.me PORT=10666 ruby player.rb 15 | popd 16 | 17 | pushd scramble-stack 18 | HOST=1000_cuts_1bf4f5b0948106ad8102b7cb141182a2.quals.shallweplayaga.me PORT=11000 ruby player.rb 19 | popd 20 | 21 | popd 22 | -------------------------------------------------------------------------------- /thousand_cuts/sauces.csv: -------------------------------------------------------------------------------- 1 | aioli 2 | ajika 3 | ajilimojili 4 | allemande 5 | bagoong 6 | bernaise 7 | bleucheese 8 | buffalo 9 | butter 10 | cebolada 11 | chancaca 12 | chermoula 13 | chimichurri 14 | chutney 15 | doubanjiang 16 | duckefett 17 | fondue 18 | franks 19 | garlicbutter 20 | garum 21 | gribiche 22 | guacamole 23 | hoisin 24 | hollandaise 25 | jelly 26 | ketchup 27 | khrenovina 28 | latik 29 | lyonnaise 30 | maafe 31 | mala 32 | marierose 33 | marinara 34 | mayonnaise 35 | mojo 36 | mole 37 | muhammara 38 | muhammara 39 | mumbo 40 | mustard 41 | namchim 42 | onion 43 | pickapeppa 44 | poivrade 45 | ponzu 46 | queso 47 | ranch 48 | redcurrant 49 | relish 50 | romesco 51 | salsa 52 | salvitxada 53 | sambal 54 | satay 55 | satsivi 56 | shito 57 | shottsuru 58 | shrewsbury 59 | skhug 60 | sriracha 61 | ssamjang 62 | tabasco 63 | teriyaki 64 | tianmianjiang 65 | tkemali 66 | twekesbury 67 | tzatziki 68 | umeboshi 69 | worchestershire 70 | -------------------------------------------------------------------------------- /thousand_cuts/sausages.csv: -------------------------------------------------------------------------------- 1 | alheira 2 | andouille 3 | androlla 4 | balkenbrij 5 | bierwurst 6 | biroldo 7 | bockwurst 8 | boledworst 9 | bologna 10 | botillo 11 | boudin 12 | braunschweiger 13 | breakfast 14 | cabanossi 15 | cervelat 16 | chalua 17 | chorizo 18 | cotechino 19 | cumberland 20 | currywurst 21 | debrecener 22 | drisheen 23 | embutido 24 | extrawurst 25 | falukorv 26 | frankfurter 27 | gsoppressata 28 | gyaung 29 | haggis 30 | hongchang 31 | isterband 32 | italian 33 | kabanos 34 | kaminwurze 35 | kielbasa 36 | krakowska 37 | krestyansakaya 38 | kulen 39 | kupati 40 | lapxurong 41 | linguica 42 | liverwurst 43 | longaniza 44 | lukanka 45 | manchester 46 | medisterpoise 47 | mettwurst 48 | morcilla 49 | moronga 50 | morteau 51 | mustamakkara 52 | newmarket 53 | ossenworst 54 | oxford 55 | prasky 56 | prinskorv 57 | rookworst 58 | ryynimakkara 59 | salami 60 | salchichon 61 | saveloy 62 | snorker 63 | stornoway 64 | sujuk 65 | toba 66 | tsorisongmacau 67 | verivost 68 | vienna 69 | weisswurst 70 | -------------------------------------------------------------------------------- /thousand_cuts/scramble-stack/.gitignore: -------------------------------------------------------------------------------- 1 | bin 2 | build 3 | *.pyc 4 | pcap 5 | 6 | tmp 7 | dist 8 | thousand_cuts 9 | *.tar.bz2 10 | src/service.c 11 | -------------------------------------------------------------------------------- /thousand_cuts/scramble-stack/Makefile: -------------------------------------------------------------------------------- 1 | AUTHOR_ID = VITOG 2 | SERVICE_ID = 00001 3 | CFLAGS = -O0 -g -Werror -Wno-overlength-strings -Wno-packed $(GENFLAGS) 4 | VULN_COUNT = 1 5 | POLLS_RELEASE_COUNT = 5 6 | 7 | NO_CB_EXTENDED_APP = 1 8 | NO_CB_DPKG = 1 9 | 10 | include cgc-cb.mk 11 | -------------------------------------------------------------------------------- /thousand_cuts/scramble-stack/README.md: -------------------------------------------------------------------------------- 1 | # CGC Challenge Binary Template 2 | 3 | ## Author Information 4 | 5 | "John Q Public" 6 | 7 | ### DARPA performer group 8 | Lunge Technology (LUNGE) 9 | 10 | ## Description 11 | 12 | This is a template challenge binary for use within DARPA's Cyber Grand Challenge. Typically, a concise, descriptive summary of the service appears here (i.e. A library service to help manage books.). 13 | 14 | ### Feature List 15 | 16 | This section should describe a 'feature list' suitable for a 'play-by-play' announcer during CFE. (i.e. This service supports adding new books, checking out sections of a book, keyword searching, compression, and special features such as deciphering contract officer language into understandable English. 17 | 18 | ## Vulnerability 19 | Upon specific input (input beginning with 0x4142), there is a opportunity for register set PoV or secret data leak. 20 | 21 | Specifically, in service.c:108, the input buffer is checked to be starting with 0x4142, wich signifies if a POV should be generated. 22 | 23 | If the following byte is 0x43, then a Type 1 POV is executed by setting a function pointer and argument from the socket, then calling the function. 24 | 25 | If the following byte is not 0x43, then a Type 2 POV is executed, where the entire contents of the flag page are returned. 26 | 27 | ### Generic class of vulnerability 28 | N/A 29 | 30 | ### CWE classification 31 | N/A 32 | 33 | ## Challenges 34 | 35 | This CB is only provided to show only the organizational structure used to create challenge binaries. 36 | -------------------------------------------------------------------------------- /thousand_cuts/scramble-stack/dist.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | rm -rf thousand_cuts thousand_cuts.tar.bz2 4 | cp -r tmp/gen/dist thousand_cuts 5 | tar jcf thousand_cuts.tar.bz2 thousand_cuts 6 | -------------------------------------------------------------------------------- /thousand_cuts/scramble-stack/interstitial.py: -------------------------------------------------------------------------------- 1 | import random 2 | from collections import deque 3 | from os import environ 4 | 5 | funcwords = ["str", "eq", "cpy", "mem", "main", "echo", "cat", "cmp", "get", 6 | "print", "val", "fmt", "stk", "alloc", "free", "mk", "tx", "rx", 7 | "xchg", "swap", "gs", "msr", "base", "acid", "caller", "binding", 8 | "stack", "box", "unbox", "factory", "permute", "shuffle", "rnd"] 9 | 10 | realfuncnames = ["gets", "print", "streq", "echo"] 11 | 12 | argtypes = ["int", "char", "long"] 13 | 14 | iops = ["*", "-", "+"] 15 | 16 | def makefuncname(): 17 | return ''.join(random.sample(funcwords, 4)) 18 | 19 | def makefun(): 20 | funcname = makefuncname() 21 | args = map(lambda name: 22 | random.choice(argtypes) + 23 | ("*" * random.randint(0, 3)) + 24 | " " + 25 | name 26 | , random.sample(funcwords, 3)) 27 | ret = random.choice(argtypes) 28 | 29 | buf = deque() 30 | 31 | buf.append("{} {}({}) {}".format(ret, funcname, ", ".join(args), "{")) 32 | buf.append("{} x = {};".format(ret, random.randint(-10, 10))) 33 | for i in xrange(random.randint(0, 40)): 34 | op = random.choice(iops) 35 | buf.append("x = x {} {};".format(op, random.randint(-30, 30))) 36 | buf.append("return x;}") 37 | 38 | return "\n".join(buf) 39 | 40 | random.seed(environ['INTERSTITIAL_SEED']) 41 | 42 | funcsubs = map(lambda realfunc: 43 | [realfunc, makefuncname()] 44 | , realfuncnames) 45 | 46 | with open("./src/service.c.tpl") as f: 47 | with open("./src/service.c", "w") as g: 48 | src = f.read() 49 | subbed = reduce(lambda accum, pair: 50 | accum.replace(pair[0], pair[1]) 51 | , funcsubs, src) 52 | segments = subbed.split("###") 53 | g.write(segments[0]) 54 | bits = random.sample(segments[1:], len(segments) - 1) 55 | 56 | for fun in bits: 57 | g.write(makefun()) 58 | g.write(fun) 59 | g.write(makefun()) 60 | -------------------------------------------------------------------------------- /thousand_cuts/scramble-stack/lib/libc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "libc.h" 3 | 4 | void bzero(char *buf, int n); 5 | void ready(int fd); 6 | 7 | void bzero(char *buf, int n) { 8 | for (int i = 0; i < n; i++) { 9 | buf[i] = 0; 10 | } 11 | } 12 | 13 | void ready(int fd) { 14 | fd_set write_fds; 15 | int ret; 16 | int ready_fd; 17 | struct timeval tv; 18 | 19 | bzero((char *)&write_fds, sizeof(write_fds)); 20 | FD_SET(fd, &write_fds); 21 | 22 | tv.tv_sec = 10; 23 | tv.tv_usec = 0; 24 | 25 | ret = fdwait(fd + 1, NULL, &write_fds, &tv, &ready_fd); 26 | 27 | if (ret != 0) { 28 | _terminate(1); 29 | } 30 | 31 | if (!FD_ISSET(ready_fd, &write_fds)) 32 | _terminate(1); 33 | } 34 | 35 | int transmit_all(int fd, const char *buf, const size_t size) { 36 | size_t sent = 0; 37 | size_t sent_now = 0; 38 | int ret; 39 | 40 | if (!buf) 41 | return 1; 42 | 43 | if (!size) 44 | return 2; 45 | 46 | while (sent < size) { 47 | ready(fd); 48 | 49 | ret = transmit(fd, buf + sent, size - sent, &sent_now); 50 | if (ret != 0) { 51 | return 4; 52 | } 53 | sent += sent_now; 54 | } 55 | 56 | return 0; 57 | } 58 | -------------------------------------------------------------------------------- /thousand_cuts/scramble-stack/lib/libc.h: -------------------------------------------------------------------------------- 1 | #ifndef LIBC_H 2 | #define LIBC_H 3 | int transmit_all(int fd, const char *buf, const size_t size); 4 | #endif 5 | -------------------------------------------------------------------------------- /thousand_cuts/scramble-stack/poller/for-release/.gitignore: -------------------------------------------------------------------------------- 1 | *.xml 2 | *.png 3 | *.dot 4 | -------------------------------------------------------------------------------- /thousand_cuts/scramble-stack/poller/for-release/machine.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from generator.actions import Actions 4 | import random 5 | 6 | 7 | class TemplateGenerator(Actions): 8 | def start(self): 9 | 1 + 1 #noop 10 | 11 | def echo(self): 12 | self.write("vito\n") 13 | self.read(length=4, expect="vito") 14 | -------------------------------------------------------------------------------- /thousand_cuts/scramble-stack/poller/for-release/state-graph.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nodes: 3 | - name: start 4 | - name: echo 5 | 6 | edges: 7 | - start: echo 8 | -------------------------------------------------------------------------------- /thousand_cuts/scramble-stack/pov/POV_00001.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | service 5 | 6 | AAAAAAAAAAAAAAAAAAAAAAAAvito\x00AAAAAAAAAAAAAAAAAAAAAAAA\x0a 7 | 8 | 9 | -------------------------------------------------------------------------------- /thousand_cuts/scramble-stack/pov/pov-template.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | service 5 | 6 | DATA 7 | 8 | 9 | -------------------------------------------------------------------------------- /thousand_cuts/scramble-stack/runner.py: -------------------------------------------------------------------------------- 1 | import random 2 | from os import environ, listdir, path 3 | from sys import exit 4 | from subprocess import Popen, PIPE 5 | import signal 6 | from base64 import b64decode 7 | 8 | def alarm_handler(signum, frame): 9 | print "timed out, sorry" 10 | exit(-1) 11 | signal.signal(signal.SIGALRM, alarm_handler) 12 | 13 | input_timeout = int(environ.get('INPUT_TIMEOUT', 15)) 14 | crash_timeout = int(environ.get('CRASH_TIMEOUT', 5)) 15 | 16 | chall_path = "./tmp/gen/cb" 17 | all_challs = set(listdir(chall_path)) 18 | 19 | picked = random.sample(all_challs, 10) 20 | 21 | print "send your crash string as base64, followed by a newline" 22 | 23 | for c in picked: 24 | print c 25 | signal.alarm(input_timeout) 26 | crasher = b64decode(raw_input()) 27 | signal.alarm(0) 28 | 29 | signal.alarm(crash_timeout) 30 | proc = Popen(path.join(chall_path, c), 31 | stdin=PIPE, stdout=PIPE, stderr=PIPE) 32 | (out, err) = proc.communicate(crasher) 33 | signal.alarm(0) 34 | 35 | if out != "canary ok": 36 | print "didn't pass canary, sorry" 37 | exit(-1) 38 | 39 | if proc.returncode != -signal.SIGSEGV: 40 | print "didn't segfault, sorry" 41 | exit(-1) 42 | 43 | print "The flag is: {}".format( 44 | environ.get('FLAG', "do you want a thousand bandages gruanfir3")) 45 | -------------------------------------------------------------------------------- /thousand_cuts/scramble-stack/src/service.c.tpl: -------------------------------------------------------------------------------- 1 | #include 2 | #include "libc.h" 3 | 4 | /* #define GETS_BUF_LEN 16 */ 5 | /* #define PRINT_BUF_LEN 16 */ 6 | /* #define CANARY "vito" */ 7 | /* #define ECHO_BUF_LEN 24 */ 8 | 9 | void *memcpy(void *dest, const void *src, size_t n); 10 | int gets(char* dest); 11 | void print(char* src); 12 | int streq(char* left, char* right, int count); 13 | void echo(); 14 | int main(); 15 | 16 | ### 17 | 18 | void *memcpy(void *dest, const void *src, size_t n) 19 | { 20 | char *dp = dest; 21 | const char *sp = src; 22 | while (n--) 23 | *dp++ = *sp++; 24 | return dest; 25 | } 26 | 27 | ### 28 | 29 | int gets(char* dest) { 30 | char buf[GETS_BUF_LEN]; 31 | 32 | int dest_cursor = 0; 33 | 34 | while (1) { 35 | size_t got; 36 | if (receive(STDIN, buf, GETS_BUF_LEN, &got) != 0) _terminate(-1); 37 | 38 | for (int buf_cursor = 0; buf_cursor < got; buf_cursor++) { 39 | if (buf[buf_cursor] == '\n') { 40 | dest[dest_cursor + buf_cursor] = 0; 41 | return dest_cursor + buf_cursor; 42 | } 43 | 44 | #ifdef PATCHED_1 45 | if (dest_cursor + buf_cursor > ECHO_BUF_LEN) _terminate(-1); 46 | #endif 47 | 48 | dest[dest_cursor + buf_cursor] = buf[buf_cursor]; 49 | } 50 | 51 | dest_cursor += got; 52 | } 53 | } 54 | 55 | ### 56 | 57 | void print(char* src) { 58 | int src_len = 0; 59 | 60 | while (1) { 61 | if (src[src_len] == 0) break; 62 | src_len++; 63 | } 64 | 65 | int total_sent = 0; 66 | 67 | while(1) { 68 | int remaining = src_len - total_sent; 69 | int to_send = (PRINT_BUF_LEN < remaining) ? PRINT_BUF_LEN : remaining; 70 | 71 | size_t did_send; 72 | 73 | if (transmit(STDOUT, src + total_sent, to_send, &did_send) != 0) { 74 | _terminate(-1); 75 | } 76 | 77 | total_sent += did_send; 78 | 79 | if (total_sent >= src_len) return; 80 | } 81 | } 82 | 83 | ### 84 | 85 | int streq(char* left, char* right, int count) { 86 | for (int cursor = 0; cursor < count; cursor++) { 87 | char l = left[cursor]; 88 | char r = right[cursor]; 89 | 90 | if (l != r) return 0; 91 | } 92 | 93 | return 1; 94 | } 95 | 96 | ### 97 | 98 | void echo() { 99 | char canary[] = CANARY; 100 | char buf[ECHO_BUF_LEN]; 101 | 102 | gets(buf); 103 | 104 | if (!streq(canary, CANARY, 4)) { 105 | print("hacking detected, see ya"); 106 | _terminate(-1); 107 | } 108 | 109 | print("canary ok"); 110 | } 111 | 112 | ### 113 | 114 | int main() { 115 | echo(); 116 | return 0; 117 | } 118 | 119 | ### 120 | -------------------------------------------------------------------------------- /thousand_cuts/stack/.gitignore: -------------------------------------------------------------------------------- 1 | bin 2 | build 3 | *.pyc 4 | pcap 5 | 6 | tmp 7 | dist 8 | thousand_cuts 9 | *.tar.bz2 10 | -------------------------------------------------------------------------------- /thousand_cuts/stack/Makefile: -------------------------------------------------------------------------------- 1 | AUTHOR_ID = VITOG 2 | SERVICE_ID = 00001 3 | CFLAGS = -O0 -g -Werror -Wno-overlength-strings -Wno-packed $(GENFLAGS) 4 | VULN_COUNT = 1 5 | POLLS_RELEASE_COUNT = 5 6 | 7 | NO_CB_EXTENDED_APP = 1 8 | NO_CB_DPKG = 1 9 | 10 | include cgc-cb.mk 11 | -------------------------------------------------------------------------------- /thousand_cuts/stack/README.md: -------------------------------------------------------------------------------- 1 | # CGC Challenge Binary Template 2 | 3 | ## Author Information 4 | 5 | "John Q Public" 6 | 7 | ### DARPA performer group 8 | Lunge Technology (LUNGE) 9 | 10 | ## Description 11 | 12 | This is a template challenge binary for use within DARPA's Cyber Grand Challenge. Typically, a concise, descriptive summary of the service appears here (i.e. A library service to help manage books.). 13 | 14 | ### Feature List 15 | 16 | This section should describe a 'feature list' suitable for a 'play-by-play' announcer during CFE. (i.e. This service supports adding new books, checking out sections of a book, keyword searching, compression, and special features such as deciphering contract officer language into understandable English. 17 | 18 | ## Vulnerability 19 | Upon specific input (input beginning with 0x4142), there is a opportunity for register set PoV or secret data leak. 20 | 21 | Specifically, in service.c:108, the input buffer is checked to be starting with 0x4142, wich signifies if a POV should be generated. 22 | 23 | If the following byte is 0x43, then a Type 1 POV is executed by setting a function pointer and argument from the socket, then calling the function. 24 | 25 | If the following byte is not 0x43, then a Type 2 POV is executed, where the entire contents of the flag page are returned. 26 | 27 | ### Generic class of vulnerability 28 | N/A 29 | 30 | ### CWE classification 31 | N/A 32 | 33 | ## Challenges 34 | 35 | This CB is only provided to show only the organizational structure used to create challenge binaries. 36 | -------------------------------------------------------------------------------- /thousand_cuts/stack/dist.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | rm -rf thousand_cuts thousand_cuts.tar.bz2 4 | cp -r tmp/gen/dist thousand_cuts 5 | tar jcf thousand_cuts.tar.bz2 thousand_cuts 6 | -------------------------------------------------------------------------------- /thousand_cuts/stack/lib/libc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "libc.h" 3 | 4 | void bzero(char *buf, int n); 5 | void ready(int fd); 6 | 7 | void bzero(char *buf, int n) { 8 | for (int i = 0; i < n; i++) { 9 | buf[i] = 0; 10 | } 11 | } 12 | 13 | void ready(int fd) { 14 | fd_set write_fds; 15 | int ret; 16 | int ready_fd; 17 | struct timeval tv; 18 | 19 | bzero((char *)&write_fds, sizeof(write_fds)); 20 | FD_SET(fd, &write_fds); 21 | 22 | tv.tv_sec = 10; 23 | tv.tv_usec = 0; 24 | 25 | ret = fdwait(fd + 1, NULL, &write_fds, &tv, &ready_fd); 26 | 27 | if (ret != 0) { 28 | _terminate(1); 29 | } 30 | 31 | if (!FD_ISSET(ready_fd, &write_fds)) 32 | _terminate(1); 33 | } 34 | 35 | int transmit_all(int fd, const char *buf, const size_t size) { 36 | size_t sent = 0; 37 | size_t sent_now = 0; 38 | int ret; 39 | 40 | if (!buf) 41 | return 1; 42 | 43 | if (!size) 44 | return 2; 45 | 46 | while (sent < size) { 47 | ready(fd); 48 | 49 | ret = transmit(fd, buf + sent, size - sent, &sent_now); 50 | if (ret != 0) { 51 | return 4; 52 | } 53 | sent += sent_now; 54 | } 55 | 56 | return 0; 57 | } 58 | -------------------------------------------------------------------------------- /thousand_cuts/stack/lib/libc.h: -------------------------------------------------------------------------------- 1 | #ifndef LIBC_H 2 | #define LIBC_H 3 | int transmit_all(int fd, const char *buf, const size_t size); 4 | #endif 5 | -------------------------------------------------------------------------------- /thousand_cuts/stack/poller/for-release/.gitignore: -------------------------------------------------------------------------------- 1 | *.xml 2 | *.png 3 | *.dot 4 | -------------------------------------------------------------------------------- /thousand_cuts/stack/poller/for-release/machine.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from generator.actions import Actions 4 | import random 5 | 6 | 7 | class TemplateGenerator(Actions): 8 | def start(self): 9 | 1 + 1 #noop 10 | 11 | def echo(self): 12 | self.write("vito\n") 13 | self.read(length=4, expect="vito") 14 | -------------------------------------------------------------------------------- /thousand_cuts/stack/poller/for-release/state-graph.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nodes: 3 | - name: start 4 | - name: echo 5 | 6 | edges: 7 | - start: echo 8 | -------------------------------------------------------------------------------- /thousand_cuts/stack/pov/POV_00001.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | service 5 | 6 | AAAAAAAAAAAAAAAAAAAAAAAAvito\x00AAAAAAAAAAAAAAAAAAAAAAAA\x0a 7 | 8 | 9 | -------------------------------------------------------------------------------- /thousand_cuts/stack/pov/pov-template.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | service 5 | 6 | DATA 7 | 8 | 9 | -------------------------------------------------------------------------------- /thousand_cuts/stack/runner.py: -------------------------------------------------------------------------------- 1 | #!/bin/env python -u 2 | import random 3 | from os import environ, listdir, path 4 | from sys import exit 5 | from subprocess import Popen, PIPE 6 | import signal 7 | from base64 import b64decode 8 | 9 | def alarm_handler(signum, frame): 10 | print "timed out, sorry" 11 | exit(-1) 12 | signal.signal(signal.SIGALRM, alarm_handler) 13 | 14 | first_chall = environ.get('FIRST_CHALLENGE_NAME', None) 15 | input_timeout = int(environ.get('INPUT_TIMEOUT', 15)) 16 | crash_timeout = int(environ.get('CRASH_TIMEOUT', 5)) 17 | 18 | chall_path = "./tmp/gen/cb" 19 | all_challs = set(listdir(chall_path)) 20 | all_challs.remove(first_chall) 21 | 22 | picked = [first_chall] + random.sample(all_challs, 9) 23 | 24 | print "send your crash string as base64, followed by a newline" 25 | 26 | for c in picked: 27 | print c 28 | signal.alarm(input_timeout) 29 | crasher = b64decode(raw_input()) 30 | signal.alarm(0) 31 | 32 | signal.alarm(crash_timeout) 33 | proc = Popen(path.join(chall_path, c), 34 | stdin=PIPE, stdout=PIPE, stderr=PIPE) 35 | (out, err) = proc.communicate(crasher) 36 | signal.alarm(0) 37 | if out != "canary ok": 38 | print "didn't pass canary, sorry" 39 | exit(-1) 40 | 41 | if proc.returncode != -signal.SIGSEGV: 42 | print "didn't segfault, sorry" 43 | exit(-1) 44 | 45 | print "The flag is: {}".format( 46 | environ.get('FLAG', "baby's first crs cirvyudta")) 47 | -------------------------------------------------------------------------------- /thousand_cuts/stack/src/service.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "libc.h" 3 | 4 | /* #define GETS_BUF_LEN 16 */ 5 | /* #define PRINT_BUF_LEN 16 */ 6 | /* #define CANARY "vito" */ 7 | /* #define ECHO_BUF_LEN 24 */ 8 | 9 | void *memcpy(void *dest, const void *src, size_t n) 10 | { 11 | char *dp = dest; 12 | const char *sp = src; 13 | while (n--) 14 | *dp++ = *sp++; 15 | return dest; 16 | } 17 | 18 | int gets(char* dest) { 19 | char buf[GETS_BUF_LEN]; 20 | 21 | int dest_cursor = 0; 22 | 23 | while (1) { 24 | size_t got; 25 | if (receive(STDIN, buf, GETS_BUF_LEN, &got) != 0) _terminate(-1); 26 | 27 | for (int buf_cursor = 0; buf_cursor < got; buf_cursor++) { 28 | if (buf[buf_cursor] == '\n') { 29 | dest[dest_cursor + buf_cursor] = 0; 30 | return dest_cursor + buf_cursor; 31 | } 32 | 33 | #ifdef PATCHED_1 34 | if (dest_cursor + buf_cursor > ECHO_BUF_LEN) _terminate(-1); 35 | #endif 36 | 37 | dest[dest_cursor + buf_cursor] = buf[buf_cursor]; 38 | } 39 | 40 | dest_cursor += got; 41 | } 42 | } 43 | 44 | void print(char* src) { 45 | int src_len = 0; 46 | 47 | while (1) { 48 | if (src[src_len] == 0) break; 49 | src_len++; 50 | } 51 | 52 | int total_sent = 0; 53 | 54 | while(1) { 55 | int remaining = src_len - total_sent; 56 | int to_send = (PRINT_BUF_LEN < remaining) ? PRINT_BUF_LEN : remaining; 57 | 58 | size_t did_send; 59 | 60 | if (transmit(STDOUT, src + total_sent, to_send, &did_send) != 0) { 61 | _terminate(-1); 62 | } 63 | 64 | total_sent += did_send; 65 | 66 | if (total_sent >= src_len) return; 67 | } 68 | } 69 | 70 | int streq(char* left, char* right, int count) { 71 | for (int cursor = 0; cursor < count; cursor++) { 72 | char l = left[cursor]; 73 | char r = right[cursor]; 74 | 75 | if (l != r) return 0; 76 | } 77 | 78 | return 1; 79 | } 80 | 81 | void echo() { 82 | char canary[] = CANARY; 83 | char buf[ECHO_BUF_LEN]; 84 | 85 | gets(buf); 86 | 87 | if (!streq(canary, CANARY, 4)) { 88 | print("hacking detected, see ya"); 89 | _terminate(-1); 90 | } 91 | 92 | print("canary ok"); 93 | } 94 | 95 | int main() { 96 | echo(); 97 | return 0; 98 | } 99 | -------------------------------------------------------------------------------- /thousand_cuts/vary-stack/.gitignore: -------------------------------------------------------------------------------- 1 | bin 2 | build 3 | *.pyc 4 | pcap 5 | 6 | tmp 7 | dist 8 | thousand_cuts 9 | *.tar.bz2 10 | src/service.c 11 | -------------------------------------------------------------------------------- /thousand_cuts/vary-stack/Makefile: -------------------------------------------------------------------------------- 1 | AUTHOR_ID = VITOG 2 | SERVICE_ID = 00001 3 | CFLAGS = -O0 -g -Werror -Wno-overlength-strings -Wno-packed $(GENFLAGS) 4 | VULN_COUNT = 1 5 | POLLS_RELEASE_COUNT = 5 6 | 7 | NO_CB_EXTENDED_APP = 1 8 | NO_CB_DPKG = 1 9 | 10 | include cgc-cb.mk 11 | -------------------------------------------------------------------------------- /thousand_cuts/vary-stack/README.md: -------------------------------------------------------------------------------- 1 | # CGC Challenge Binary Template 2 | 3 | ## Author Information 4 | 5 | "John Q Public" 6 | 7 | ### DARPA performer group 8 | Lunge Technology (LUNGE) 9 | 10 | ## Description 11 | 12 | This is a template challenge binary for use within DARPA's Cyber Grand Challenge. Typically, a concise, descriptive summary of the service appears here (i.e. A library service to help manage books.). 13 | 14 | ### Feature List 15 | 16 | This section should describe a 'feature list' suitable for a 'play-by-play' announcer during CFE. (i.e. This service supports adding new books, checking out sections of a book, keyword searching, compression, and special features such as deciphering contract officer language into understandable English. 17 | 18 | ## Vulnerability 19 | Upon specific input (input beginning with 0x4142), there is a opportunity for register set PoV or secret data leak. 20 | 21 | Specifically, in service.c:108, the input buffer is checked to be starting with 0x4142, wich signifies if a POV should be generated. 22 | 23 | If the following byte is 0x43, then a Type 1 POV is executed by setting a function pointer and argument from the socket, then calling the function. 24 | 25 | If the following byte is not 0x43, then a Type 2 POV is executed, where the entire contents of the flag page are returned. 26 | 27 | ### Generic class of vulnerability 28 | N/A 29 | 30 | ### CWE classification 31 | N/A 32 | 33 | ## Challenges 34 | 35 | This CB is only provided to show only the organizational structure used to create challenge binaries. 36 | -------------------------------------------------------------------------------- /thousand_cuts/vary-stack/dist.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | rm -rf thousand_cuts thousand_cuts.tar.bz2 4 | cp -r tmp/gen/dist thousand_cuts 5 | tar jcf thousand_cuts.tar.bz2 thousand_cuts 6 | -------------------------------------------------------------------------------- /thousand_cuts/vary-stack/interstitial.py: -------------------------------------------------------------------------------- 1 | import random 2 | from collections import deque 3 | from os import environ 4 | 5 | funcwords = ["str", "eq", "cpy", "mem", "main", "echo", "cat", "cmp", "get", 6 | "print", "val", "fmt", "stk", "alloc", "free", "mk", "tx", "rx"] 7 | 8 | argtypes = ["int", "char", "long"] 9 | 10 | iops = ["*", "-", "+"] 11 | 12 | def makefun(): 13 | funcname = ''.join(random.sample(funcwords, 4)) 14 | args = map(lambda(name): 15 | random.choice(argtypes) + 16 | ("*" * random.randint(0, 3)) + 17 | " " + 18 | name 19 | , random.sample(funcwords, 3)) 20 | ret = random.choice(argtypes) 21 | 22 | buf = deque() 23 | 24 | buf.append("{} {}({}) {}".format(ret, funcname, ", ".join(args), "{")) 25 | buf.append("{} x = {};".format(ret, random.randint(-10, 10))) 26 | for i in xrange(random.randint(0, 40)): 27 | op = random.choice(iops) 28 | buf.append("x = x {} {};".format(op, random.randint(-30, 30))) 29 | buf.append("return x;}") 30 | 31 | return "\n".join(buf) 32 | 33 | random.seed(environ['INTERSTITIAL_SEED']) 34 | 35 | with open("./src/service.c.tpl") as f: 36 | with open("./src/service.c", "w") as g: 37 | for line in f: 38 | if "###" == line.strip(): 39 | g.write(makefun()) 40 | else: 41 | g.write(line) 42 | -------------------------------------------------------------------------------- /thousand_cuts/vary-stack/lib/libc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "libc.h" 3 | 4 | void bzero(char *buf, int n); 5 | void ready(int fd); 6 | 7 | void bzero(char *buf, int n) { 8 | for (int i = 0; i < n; i++) { 9 | buf[i] = 0; 10 | } 11 | } 12 | 13 | void ready(int fd) { 14 | fd_set write_fds; 15 | int ret; 16 | int ready_fd; 17 | struct timeval tv; 18 | 19 | bzero((char *)&write_fds, sizeof(write_fds)); 20 | FD_SET(fd, &write_fds); 21 | 22 | tv.tv_sec = 10; 23 | tv.tv_usec = 0; 24 | 25 | ret = fdwait(fd + 1, NULL, &write_fds, &tv, &ready_fd); 26 | 27 | if (ret != 0) { 28 | _terminate(1); 29 | } 30 | 31 | if (!FD_ISSET(ready_fd, &write_fds)) 32 | _terminate(1); 33 | } 34 | 35 | int transmit_all(int fd, const char *buf, const size_t size) { 36 | size_t sent = 0; 37 | size_t sent_now = 0; 38 | int ret; 39 | 40 | if (!buf) 41 | return 1; 42 | 43 | if (!size) 44 | return 2; 45 | 46 | while (sent < size) { 47 | ready(fd); 48 | 49 | ret = transmit(fd, buf + sent, size - sent, &sent_now); 50 | if (ret != 0) { 51 | return 4; 52 | } 53 | sent += sent_now; 54 | } 55 | 56 | return 0; 57 | } 58 | -------------------------------------------------------------------------------- /thousand_cuts/vary-stack/lib/libc.h: -------------------------------------------------------------------------------- 1 | #ifndef LIBC_H 2 | #define LIBC_H 3 | int transmit_all(int fd, const char *buf, const size_t size); 4 | #endif 5 | -------------------------------------------------------------------------------- /thousand_cuts/vary-stack/poller/for-release/.gitignore: -------------------------------------------------------------------------------- 1 | *.xml 2 | *.png 3 | *.dot 4 | -------------------------------------------------------------------------------- /thousand_cuts/vary-stack/poller/for-release/machine.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from generator.actions import Actions 4 | import random 5 | 6 | 7 | class TemplateGenerator(Actions): 8 | def start(self): 9 | 1 + 1 #noop 10 | 11 | def echo(self): 12 | self.write("vito\n") 13 | self.read(length=4, expect="vito") 14 | -------------------------------------------------------------------------------- /thousand_cuts/vary-stack/poller/for-release/state-graph.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nodes: 3 | - name: start 4 | - name: echo 5 | 6 | edges: 7 | - start: echo 8 | -------------------------------------------------------------------------------- /thousand_cuts/vary-stack/pov/POV_00001.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | service 5 | 6 | AAAAAAAAAAAAAAAAAAAAAAAAvito\x00AAAAAAAAAAAAAAAAAAAAAAAA\x0a 7 | 8 | 9 | -------------------------------------------------------------------------------- /thousand_cuts/vary-stack/pov/pov-template.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | service 5 | 6 | DATA 7 | 8 | 9 | -------------------------------------------------------------------------------- /thousand_cuts/vary-stack/runner.py: -------------------------------------------------------------------------------- 1 | import random 2 | from os import environ, listdir, path 3 | from sys import exit 4 | from subprocess import Popen, PIPE 5 | import signal 6 | from base64 import b64decode 7 | 8 | def alarm_handler(signum, frame): 9 | print "timed out, sorry" 10 | exit(-1) 11 | signal.signal(signal.SIGALRM, alarm_handler) 12 | 13 | input_timeout = int(environ.get('INPUT_TIMEOUT', 15)) 14 | crash_timeout = int(environ.get('CRASH_TIMEOUT', 5)) 15 | 16 | chall_path = "./tmp/gen/cb" 17 | all_challs = set(listdir(chall_path)) 18 | 19 | picked = random.sample(all_challs, 10) 20 | 21 | print "send your crash string as base64, followed by a newline" 22 | 23 | for c in picked: 24 | print c 25 | signal.alarm(input_timeout) 26 | crasher = b64decode(raw_input()) 27 | signal.alarm(0) 28 | 29 | signal.alarm(crash_timeout) 30 | proc = Popen(path.join(chall_path, c), 31 | stdin=PIPE, stdout=PIPE, stderr=PIPE) 32 | (out, err) = proc.communicate(crasher) 33 | signal.alarm(0) 34 | 35 | if out != "canary ok": 36 | print "didn't pass canary, sorry" 37 | exit(-1) 38 | 39 | if proc.returncode != -signal.SIGSEGV: 40 | print "didn't segfault, sorry" 41 | exit(-1) 42 | 43 | print "The flag is: {}".format( 44 | environ.get('FLAG', "you think this is the real quaid DeifCokIj")) 45 | -------------------------------------------------------------------------------- /thousand_cuts/vary-stack/src/service.c.tpl: -------------------------------------------------------------------------------- 1 | #include 2 | #include "libc.h" 3 | 4 | /* #define GETS_BUF_LEN 16 */ 5 | /* #define PRINT_BUF_LEN 16 */ 6 | /* #define CANARY "vito" */ 7 | /* #define ECHO_BUF_LEN 24 */ 8 | 9 | ### 10 | 11 | void *memcpy(void *dest, const void *src, size_t n) 12 | { 13 | char *dp = dest; 14 | const char *sp = src; 15 | while (n--) 16 | *dp++ = *sp++; 17 | return dest; 18 | } 19 | 20 | ### 21 | 22 | int gets(char* dest) { 23 | char buf[GETS_BUF_LEN]; 24 | 25 | int dest_cursor = 0; 26 | 27 | while (1) { 28 | size_t got; 29 | if (receive(STDIN, buf, GETS_BUF_LEN, &got) != 0) _terminate(-1); 30 | 31 | for (int buf_cursor = 0; buf_cursor < got; buf_cursor++) { 32 | if (buf[buf_cursor] == '\n') { 33 | dest[dest_cursor + buf_cursor] = 0; 34 | return dest_cursor + buf_cursor; 35 | } 36 | 37 | #ifdef PATCHED_1 38 | if (dest_cursor + buf_cursor > ECHO_BUF_LEN) _terminate(-1); 39 | #endif 40 | 41 | dest[dest_cursor + buf_cursor] = buf[buf_cursor]; 42 | } 43 | 44 | dest_cursor += got; 45 | } 46 | } 47 | 48 | ### 49 | 50 | void print(char* src) { 51 | int src_len = 0; 52 | 53 | while (1) { 54 | if (src[src_len] == 0) break; 55 | src_len++; 56 | } 57 | 58 | int total_sent = 0; 59 | 60 | while(1) { 61 | int remaining = src_len - total_sent; 62 | int to_send = (PRINT_BUF_LEN < remaining) ? PRINT_BUF_LEN : remaining; 63 | 64 | size_t did_send; 65 | 66 | if (transmit(STDOUT, src + total_sent, to_send, &did_send) != 0) { 67 | _terminate(-1); 68 | } 69 | 70 | total_sent += did_send; 71 | 72 | if (total_sent >= src_len) return; 73 | } 74 | } 75 | 76 | ### 77 | 78 | int streq(char* left, char* right, int count) { 79 | for (int cursor = 0; cursor < count; cursor++) { 80 | char l = left[cursor]; 81 | char r = right[cursor]; 82 | 83 | if (l != r) return 0; 84 | } 85 | 86 | return 1; 87 | } 88 | 89 | ### 90 | 91 | void echo() { 92 | char canary[] = CANARY; 93 | char buf[ECHO_BUF_LEN]; 94 | 95 | gets(buf); 96 | 97 | if (!streq(canary, CANARY, 4)) { 98 | print("hacking detected, see ya"); 99 | _terminate(-1); 100 | } 101 | 102 | print("canary ok"); 103 | } 104 | 105 | ### 106 | 107 | int main() { 108 | echo(); 109 | return 0; 110 | } 111 | 112 | ### 113 | -------------------------------------------------------------------------------- /time sink/enigma4.patch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/legitbs/quals-2016/ab495ee64bdb008f70608672286280b46bbdb2b7/time sink/enigma4.patch -------------------------------------------------------------------------------- /xkcd/flag: -------------------------------------------------------------------------------- 1 | The flag is: TBD 2 | -------------------------------------------------------------------------------- /xkcd/xkcd.c: -------------------------------------------------------------------------------- 1 | //With apologies to Randall Monroe 2 | 3 | #include 4 | #include 5 | struct _globals { 6 | char userEchoRequest[512]; 7 | char flagBuf[256]; 8 | } globals; 9 | 10 | int main(int argc, char ** argv) 11 | { 12 | char *line; 13 | FILE *theFlag; 14 | char *tmp; 15 | int howmany; 16 | int linelen; 17 | setvbuf(stdout, NULL, _IONBF, 0); 18 | setvbuf(stdin, NULL, _IONBF, 0); 19 | 20 | bzero(globals.flagBuf, 256); 21 | theFlag = fopen("/flag", "r"); 22 | 23 | if(theFlag == NULL) { 24 | puts("Could not open the flag."); 25 | return -1; 26 | } 27 | 28 | fread(globals.flagBuf, 1, 256, theFlag); 29 | while(1) { 30 | line = fgetln(stdin, &linelen); 31 | 32 | tmp = strtok(line, "?"); 33 | if(strcmp(tmp, "SERVER, ARE YOU STILL THERE") != 0) { 34 | puts("MALFORMED REQUEST"); 35 | exit(-1); 36 | } 37 | 38 | tmp = strtok(NULL, "\""); 39 | if(strcmp(tmp, " IF SO, REPLY ") != 0) { 40 | puts("MALFORMED REQUEST"); 41 | exit(-1); 42 | } 43 | 44 | tmp = strtok(NULL, "\""); 45 | memcpy(globals.userEchoRequest, tmp, strlen(tmp)); 46 | 47 | tmp = strtok(NULL, "("); 48 | tmp = strtok(NULL, ")"); 49 | sscanf(tmp, "%d LETTERS", &howmany); 50 | 51 | globals.userEchoRequest[howmany] = 0; 52 | if(howmany > strlen(globals.userEchoRequest)) { 53 | puts("NICE TRY"); 54 | exit(-1); 55 | } 56 | 57 | printf("%s\n", globals.userEchoRequest); 58 | } 59 | } 60 | --------------------------------------------------------------------------------