# GynvaelEN mission 018


# curl 'http://gynvael.coldwind.pl/c3459750a432b7449b5619e967e4b82d90cfc971_mission018/admin.php?password1=240610708&password2=10932435112'
Welcome back dear admin.
Your flag: I'm not sure this is how equality is supposed to work.

Now try with <a href='superadmin.php'>superadmin.php</a>!
# curl 'http://gynvael.coldwind.pl/c3459750a432b7449b5619e967e4b82d90cfc971_mission018/superadmin.php'
...
if (hash("sha256", $_GET['password']) ==
'0e12345678901234567890123456789012345678901234567890123456789012')
...
_:)

Source

https://www.youtube.com/watch?v=adHOlKKbFXM (2:00:22)

References

https://www.whitehatsec.com/blog/magic-hashes/

# GynvaelEN mission 017


zeros = '\x00'*32

base64.b64encode(zeros)
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='

Cookie: mission017session=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
ivencrypted.encode('hex') = '927a00302d2e13896de885ece9f3445d2de83b880d2043a6ecc6e8bbb0a831dc'

result = ''
new = '{"access_level":"admin"}'
for i in range(len(new)):
 result += chr(ord(new[i]) ^ ord(ivencrypted[i]))

base64.b64encode(result) == 6VhhU05LYPoyhOCajJ9mZw+JX+VkTmHb

Cookie: mission017session=6VhhU05LYPoyhOCajJ9mZw%2BJX%2BVkTmHb
Decrypted cookie data: {"access_level":"admin"}
Flag: HMAC? What do you mean "HMAC"?

Source

https://www.youtube.com/watch?v=9xGgZUMNl2Y (2:05:00)

References

https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

# GynvaelEN mission 016


Wav to image using RX-SSTV

Slow-scan TV is a method to transmit an image over radio using frequency modulation.
This is the partial message that contains the image:

? ? R O N
D I Y M A
U Z ? ? ?
B C K P ?
? ? V W X

Y DHXDMW BQLF KDYNV

Manual decryption

Y D = I A
HX  = ??
DM  = AY
W B = ? P
QL  = ??
F K = ? ?
DY  = IM
NV  = RX

I A??AY? P??? ?AIRX ---> I ALWAYS PLAY FAIRX

Source

https://www.youtube.com/watch?v=locDS3uHv_E (2:03:00)

References

https://en.wikipedia.org/wiki/Slow-scan_television

# EkoParty CTF 2017: OnTheWire (300) - Misc



Introduction

We have sniffed some bytes of a transmission. What does it say?
51 91 51 31 51 71 112 31 51 123 91 71 95 127 121 51 112 95 121 121 91 71 112 126 112 112 95 79 121 121 95 51 91 71 112 123 121 126 112 91 112 109 91 71 95 51 121 48 112 121 112 126 95 78 121 51 112 123 112 61

Hint
You will see the flag in a lcd display

Solution

# cat onthewire.py

bytes = [51, 91, 51, 31, 51, 71, 112, 31, 51, 123, 91, 71, 95, 127, 121, 51, 112, 95, 121, 121, 91, 71, 112, 126, 112, 112, 95, 79, 121, 121, 95, 51, 91, 71, 112, 123, 121, 126, 112, 91, 112, 109, 91, 71, 95, 51, 121, 48, 112, 121, 112, 126, 95, 78, 121, 51, 112, 123, 112, 61]

r = ''
table = {}

for b in bytes:
 if hex(b) not in table:
  letter = raw_input(hex(b) + '? ')
  table[hex(b)] = letter
 else:
  letter = table[hex(b)]
 r += letter

print r.decode('hex')

# python onthewire.py
0x33? 4
0x5b? 5
0x1f? b
0x47? f
0x70? 7
0x7b? 9
0x5f? 6
0x7f? 8
0x79? 3
0x7e? 0
0x4f? e
0x6d? 2
0x30? 1
0x4e? c
0x3d? d
EKO{I_h4v3_pwn3d_y0ur_d1spl4y}

Reference

https://en.wikichip.org/wiki/seven-segment_display/representing_letters

# GynvaelEN mission 015


# cat mission_15.py
import hashlib
import itertools
import png
import numpy as np

r = png.Reader(file = open('leak.png'))
(width, height, iterator, info) = r.read()

b = [0] * width

for i in iterator:
 row = i.tolist()
 for i in xrange(0, len(row), 3):
  value = row[i:i + 3]
  if value == [255, 0, 0]:
   b[i / 3] += 1

print ''.join([chr(c) for c in b])

hashes = [
 'e6d9fe6df8fd2a07ca6636729d4a615a',
 '273e97dc41693b152c71715d099a1049',
 'bd014fafb6f235929c73a6e9d5f1e458',
 'ab892a96d92d434432d23429483c0a39',
 'b56a807858d5948a4e4604c117a62c2d'
]

alphabet = ' !ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

password = [' '] * 5
counter = 0

for result in itertools.product(alphabet, repeat = 5):
 word = ''.join(list(result))
 m = hashlib.md5()
 m.update(word)
 hd = m.hexdigest()
 if hd in hashes:
  pos = hashes.index(hd)
  print pos, word
  password[pos] = word
  counter += 1
  if counter == 5: break

print ''.join(password)

# python mission_15.py
<?php

if (!isset($_GET['password']) || !is_string($_GET['password'])) {
  die("bad password");
}

$p = $_GET['password'];

if (strlen($p) !== 25) {
  die("bad password");
}

if (md5($p) !== 'e66c97b8837d0328f3e5522ebb058f85') {
  die("bad password");
}

// Split the password in five and check the pieces.
// We need to be sure!
$values = array(
  0 => 'e6d9fe6df8fd2a07ca6636729d4a615a',
  5 => '273e97dc41693b152c71715d099a1049',
  10 => 'bd014fafb6f235929c73a6e9d5f1e458',
  15 => 'ab892a96d92d434432d23429483c0a39',
  20 => 'b56a807858d5948a4e4604c117a62c2d'
);

for ($i = 0; $i < 25; $i += 5) {
  if (md5(substr($p, $i, 5)) !== $values[$i]) {
    die("bad password");
  }
}

die("GW!");

2  are
0 Pie c
3 delic
1 harts
4 ious!
Pie charts are delicious!

Source

https://www.youtube.com/watch?v=BQRX3owv2JI (1:57:30)

# GynvaelEN mission 014


# cat mission_14.py
w = 57
h = 25

directions = {
'EAST':  (1, 0),
'NORTH': (0, -1),
'WEST':  (-1, 0),
'SOUTH': (0, 1)
}

# smap[y][x] = '#'
smap = [[' ' for x in range(w)] for y in range(h)]
stack = []

x = 0
y = 9

log  = open('log.txt').read().splitlines()

for line in log:
 if 'Trying' in line:
  d = directions[line.split()[1]]
 elif 'step' in line:
  stack.append((d[0], d[1]))
  x += d[0]
  y += d[1]
  smap[y][x] = '#'
 elif 'back' in line:
  d = stack.pop()
  x -= d[0]
  y -= d[1]

for i in smap: print ''.join(i)

# python mission_14.py

 # # #####  # ########## # # ### ## ####### #######  # #
 # # # # #  #    #    #  # # # ####       # #     ## # #
 ### # # ########## #### # #      # # # ### # ### #  # #
 # #         #    #      # ########## # #   #   #    # #
 # ####### # #  # #### ### #        # # # # ########## #
 #   #   # ###### #  ####  ## ##### #########   #      #
 ### # # # ## # # ##    ####  #  #  #   #   # # ## ## ##
     # # #    #    # ## #  # ##  ###### # #   #  #  ###
 ####### ###########  #### # #   #  #   ######## ####
   #
   #  ##################################################
 #### ##################################################
 #  # ####   ############    ############  ######    ###
 ## # ####  ############      ###########  #####  ##  ##
 #  # ###  ######  #  ##      ###########  #  ##  ##  ##
 # ## ##     #####   ###      ##      ###  #  ######  ##
 #    ##      ##       #      ###########  #  #####  ###
 #### ##      ####   ####     ##      ##  ##  ####  ####
    # ##      ###  #  #####  ###########       ##  #####
 #### ##      ############  ################  ##  ######
 #    ###    ############   ################  ##      ##
 # #  ##################################################
 #######################################################

Source

https://www.youtube.com/watch?v=rhsH-snYkIc (1:55:36)

# GynvaelEN mission 013


# cat parser.py
import sys

def rld(d):
      if '*' in d:
            i = d.index('*')
            c = d[i - 1]
            n = ord(d[i + 1]) - 28
            d = rld(d[:i - 1] + (c * n) + d[i + 2:])
      return d

def vfile(fd, files, line):
      if 'vFile:open' in line:
            next_line = data[i + 1].split('#')[0]
            if 'F-1' not in next_line:
                  name = line.split(':')[2].split(',')[0]
                  num = next_line[1:]
                  fd[num] = name
                  if name not in files:
                        files[name] = []
      elif 'vFile:close' in line:
            num = line.split(':')[2]
            fd[num] = ''
      elif 'vFile:pread' in line:
            num = line.split(':')[2].split(',')[0]
            offset = int('0x' + line.split(':')[2].split(',')[2], 16)
            next_line = data[i + 1].split('#')[0]
            d = rld(''.join(next_line.split(';')[1:]))
            name = fd[num]
            files[name].append({'offset': offset, 'data': d})

def memory(files, line, mem):
      if mem in line:
            offset = int('0x' + line.split(',')[0][1:].replace(mem, ''), 16)
            next_line = data[i + 1].split('#')[0]
            d = rld(next_line).decode('hex')
            files[mem].append({'offset': offset, 'data': d})

def write(files):
      for name in files:
            with open(name + '.bin', 'wb') as f:
                  for reg in files[name]:
                        f.seek(reg['offset'])
                        f.write(reg['data'])
fd = {}
files = {}

fn = sys.argv[1]

with open(fn) as f:
      data = f.read().split('$')

action = sys.argv[2]

if action == 'memory':
      mem = sys.argv[3]
      files[mem] = []

i = 0
while i < len(data):
      line = data[i].split('#')[0]
      if action == 'vfile':
            vfile(fd, files, line)
      elif action == 'memory':
            memory(files, line, mem)
      i += 1

write(files)

# tshark -nr session.pcapng -T fields -e data -qz follow,tcp,raw,3|tail -n +7| tr -d '=\r\n\t'|less|xxd -r -p > follow_tcp_stream3

# python parser.py follow_tcp_stream3 vfile

# ls 2f*
2f6c69622f7838365f36342d6c696e75782d676e752f6c642d322e32342e736f.bin
2f6c696236342f6c642d6c696e75782d7838362d36342e736f2e32.bin
2f6d656469612f73665f425f44524956452f73747265616d2d6c697665636f64696e672f6d697373696f6e732f6d697373696f6e3031335f66696c65732f612e6f7574.bin
2f70726f632f353937392f6d617073.bin
2f70726f632f353937392f706572736f6e616c697479.bin
2f70726f632f353937392f7461736b2f353937392f6d617073.bin
2f70726f632f7379732f6b65726e656c2f72616e646f6d697a655f76615f7370616365.bin

# cat 2f70726f632f353937392f6d617073.bin
555555554000-555555555000 r-xp 00000000 00:2a 5868                       /media/sf_B_DRIVE/stream-livecoding/missions/mission013_files/a.out
555555754000-555555756000 rw-p 00000000 00:2a 5868                       /media/sf_B_DRIVE/stream-livecoding/missions/mission013_files/a.out
7ffff7dd7000-7ffff7dfc000 r-xp 00000000 08:01 14942250                   /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffe000 rw-p 00025000 08:01 14942250                   /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

# python parser.py follow_tcp_stream3 memory 55555555

# r2 55555555.bin
[0x00000000]> s 0x00004831
[0x00004831]> pd 44
            0x00004831      48c785a8feff.  mov qword [rbp - 0x158], 0
        .-> 0x0000483c      488b85a8feff.  mov rax, qword [rbp - 0x158]
        |   0x00004843      483b85b8feff.  cmp rax, qword [rbp - 0x148]
       ,==< 0x0000484a      0f83b9000000   jae 0x4909
       ||   0x00004850      488d95f0feff.  lea rdx, qword [rbp - 0x110]
       ||   0x00004857      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x0000485e      4801d0         add rax, rdx                ; '('
       ||   0x00004861      0fb600         movzx eax, byte [rax]
       ||   0x00004864      83f05a         xor eax, 0x5a
       ||   0x00004867      89c1           mov ecx, eax
       ||   0x00004869      488d95f0feff.  lea rdx, qword [rbp - 0x110]
       ||   0x00004870      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x00004877      4801d0         add rax, rdx                ; '('
       ||   0x0000487a      8808           mov byte [rax], cl
       ||   0x0000487c      488d95f0feff.  lea rdx, qword [rbp - 0x110]
       ||   0x00004883      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x0000488a      4801d0         add rax, rdx                ; '('
       ||   0x0000488d      0fb600         movzx eax, byte [rax]
       ||   0x00004890      8d5063         lea edx, dword [rax + 0x63] ; 0x63 ; 'c'
       ||   0x00004893      488d8df0feff.  lea rcx, qword [rbp - 0x110]
       ||   0x0000489a      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x000048a1      4801c8         add rax, rcx                ; '&'
       ||   0x000048a4      8810           mov byte [rax], dl
       ||   0x000048a6      488d95f0feff.  lea rdx, qword [rbp - 0x110]
       ||   0x000048ad      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x000048b4      4801d0         add rax, rdx                ; '('
       ||   0x000048b7      0fb600         movzx eax, byte [rax]
       ||   0x000048ba      83f05a         xor eax, 0x5a
       ||   0x000048bd      89c1           mov ecx, eax
       ||   0x000048bf      488d95f0feff.  lea rdx, qword [rbp - 0x110]
       ||   0x000048c6      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x000048cd      4801d0         add rax, rdx                ; '('
       ||   0x000048d0      8808           mov byte [rax], cl
       ||   0x000048d2      488d95f0feff.  lea rdx, qword [rbp - 0x110]
       ||   0x000048d9      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x000048e0      4801d0         add rax, rdx                ; '('
       ||   0x000048e3      0fb600         movzx eax, byte [rax]
       ||   0x000048e6      8d5063         lea edx, dword [rax + 0x63] ; 0x63 ; 'c'
       ||   0x000048e9      488d8df0feff.  lea rcx, qword [rbp - 0x110]
       ||   0x000048f0      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x000048f7      4801c8         add rax, rcx                ; '&'
       ||   0x000048fa      8810           mov byte [rax], dl
       ||   0x000048fc      488385a8feff.  add qword [rbp - 0x158], 1
       |`=< 0x00004904      e933ffffff     jmp 0x483c
[0x00004831]> s 0x4909
[0x00004909]> pd 58
            0x00004909      c685c0feffff.  mov byte [rbp - 0x140], 0x8e
            0x00004910      c685c1feffff.  mov byte [rbp - 0x13f], 0x32 ; '2'
            0x00004917      c685c2feffff.  mov byte [rbp - 0x13e], 0x2f ; '/'
            0x0000491e      c685c3feffff.  mov byte [rbp - 0x13d], 0x39 ; '9'
            0x00004925      c685c4feffff.  mov byte [rbp - 0x13c], 0xea
            0x0000492c      c685c5feffff.  mov byte [rbp - 0x13b], 0x2d ; '-'
            0x00004933      c685c6feffff.  mov byte [rbp - 0x13a], 0x27 ; '''
            0x0000493a      c685c7feffff.  mov byte [rbp - 0x139], 0x39 ; '9'
            0x00004941      c685c8feffff.  mov byte [rbp - 0x138], 0xea
            0x00004948      c685c9feffff.  mov byte [rbp - 0x137], 0x27 ; '''
            0x0000494f      c685cafeffff.  mov byte [rbp - 0x136], 0xea
            0x00004956      c685cbfeffff.  mov byte [rbp - 0x135], 0x88
            0x0000495d      c685ccfeffff.  mov byte [rbp - 0x134], 0x25 ; '%'
            0x00004964      c685cdfeffff.  mov byte [rbp - 0x133], 0x94
            0x0000496b      c685cefeffff.  mov byte [rbp - 0x132], 0x3b ; ';'
            0x00004972      c685cffeffff.  mov byte [rbp - 0x131], 0x30 ; '0'
            0x00004979      c685d0feffff.  mov byte [rbp - 0x130], 0x39 ; '9'
            0x00004980      c685d1feffff.  mov byte [rbp - 0x12f], 0x2f ; '/'
            0x00004987      c685d2feffff.  mov byte [rbp - 0x12e], 0x29 ; ')'
            0x0000498e      c685d3feffff.  mov byte [rbp - 0x12d], 0x39 ; '9'
            0x00004995      c685d4feffff.  mov byte [rbp - 0x12c], 0xea
            0x0000499c      c685d5feffff.  mov byte [rbp - 0x12b], 0x2e ; '.'
            0x000049a3      c685d6feffff.  mov byte [rbp - 0x12a], 0x27 ; '''
            0x000049aa      c685d7feffff.  mov byte [rbp - 0x129], 0x39 ; '9'
            0x000049b1      c685d8feffff.  mov byte [rbp - 0x128], 0x31 ; '1'
            0x000049b8      c685d9feffff.  mov byte [rbp - 0x127], 0xea
            0x000049bf      c685dafeffff.  mov byte [rbp - 0x126], 0x8f
            0x000049c6      c685dbfeffff.  mov byte [rbp - 0x125], 0xea
            0x000049cd      c685dcfeffff.  mov byte [rbp - 0x124], 0x5d ; ']'
            0x000049d4      c685ddfeffff.  mov byte [rbp - 0x123], 0x2b ; '+'
            0x000049db      c685defeffff.  mov byte [rbp - 0x122], 0x5b ; '['
            0x000049e2      c685dffeffff.  mov byte [rbp - 0x121], 0x39 ; '9'
            0x000049e9      c685e0feffff.  mov byte [rbp - 0x120], 0x39 ; '9'
            0x000049f0      c685e1feffff.  mov byte [rbp - 0x11f], 0xf0
            0x000049f7      48c785b0feff.  mov qword [rbp - 0x150], 0
        .-> 0x00004a02      488b85b0feff.  mov rax, qword [rbp - 0x150]
        |   0x00004a09      483b85b8feff.  cmp rax, qword [rbp - 0x148]
       ,==< 0x00004a10      7349           jae 0x4a5b
       ||   0x00004a12      488d95c0feff.  lea rdx, qword [rbp - 0x140]
       ||   0x00004a19      488b85b0feff.  mov rax, qword [rbp - 0x150]
       ||   0x00004a20      4801d0         add rax, rdx                ; '('
       ||   0x00004a23      0fb610         movzx edx, byte [rax]
       ||   0x00004a26      488d8df0feff.  lea rcx, qword [rbp - 0x110]
       ||   0x00004a2d      488b85b0feff.  mov rax, qword [rbp - 0x150]
       ||   0x00004a34      4801c8         add rax, rcx                ; '&'
       ||   0x00004a37      0fb600         movzx eax, byte [rax]
       ||   0x00004a3a      38c2           cmp dl, al
      ,===< 0x00004a3c      7413           je 0x4a51
      |||   0x00004a3e      488d3dd80000.  lea rdi, qword 0x00004b1d   ; 0x4b1d
      |||   0x00004a45      e8e6fbffff     call 0x4630
      |||   0x00004a4a      b803000000     mov eax, 3
     ,====< 0x00004a4f      eb1b           jmp 0x4a6c
     |`---> 0x00004a51      488385b0feff.  add qword [rbp - 0x150], 1
     | |`=< 0x00004a59      eba7           jmp 0x4a02
     | `--> 0x00004a5b      488d3dc00000.  lea rdi, qword 0x00004b22   ; 0x4b22
     |      0x00004a62      e8c9fbffff     call 0x4630
     |      0x00004a67      b800000000     mov eax, 0
     `----> 0x00004a6c      488b75f8       mov rsi, qword [rbp - 8]

# ipython
In [1]: table = [0x8e, 0x32, 0x2f, 0x39, 0xea, 0x2d, 0x27, 0x39, 0xea, 0x27, 0xea, 0x88, 0x25, 0x94, 0x3b, 0x30, 0x39, 0x2f, 0x29, 0x39, 0xea, 0x2e, 0x27, 0x39, 0x31, 0xea, 0x8f, 0xea, 0x5d, 0x2b, 0x5b, 0x39, 0x39, 0xf0]
   ...: r = ''
   ...: for e in table:
   ...:     r += chr(((((e - 0x63) ^ 0x5a) - 0x63) ^ 0x5a) & 0xff)
   ...: print r
   ...:
This was a FoREnsics task I guess.

Source

https://www.youtube.com/watch?v=7zTtVYjjquA (1:58:10)

Reference

https://sourceware.org/gdb/onlinedocs/gdb/Remote-Protocol.html

# GynvaelEN mission 012


# curl -s http://www.computer-engineering.org/ps2keyboard/scancodes2.html | tr [:upper:] [:lower:] > scan_codes.html
# for i in 12 1b 1c 23 24 29 2c 2d 31 32 35 41 42 43 44 49 4d 52 58 59; do result=`cat scan_codes.html | grep '<tt>' | grep -m1 -B1 "<tt>$i</tt>" | sed 's/<[^>]*>//g' | tr -d ' '| tr -d '\r'`;  key=`echo "$result" | tail -n1`; value=`echo "$result" | head -n1`; echo "0x$key: '$value',"; done
0x12: 'lshft',
0x1b: 's',
0x1c: 'a',
0x23: 'd',
0x24: 'e',
0x29: 'space',
0x2c: 't',
0x2d: 'r',
0x31: 'n',
0x32: 'b',
0x35: 'y',
0x41: ',',
0x42: 'k',
0x43: 'i',
0x44: 'o',
0x49: '.',
0x4d: 'p',
0x52: ''',
0x58: 'caps',
0x59: 'rshft'

# cat keylogger.py
'''
0x58 0xf0 0x58
0x1b 0xf0 0x1b
0x58 0xf0 0x58
0x44 0xf0 0x44
0x2d 0xf0 0x2d
0x2d 0xf0 0x2d
0x35 0xf0 0x35
0x41 0xf0 0x41
0x29 0xf0 0x29
0x59 0x43 0xf0 0x43 0xf0 0x59
0x29 0xf0 0x29
0x23 0xf0 0x23
0x44 0xf0 0x44
0x31 0xf0 0x31
0x52 0xf0 0x52
0x2c 0xf0 0x2c
0x29 0xf0 0x29
0x1b 0xf0 0x1b
0x4d 0xf0 0x4d
0x24 0xf0 0x24
0x1c 0xf0 0x1c
0x42 0xf0 0x42
0x29 0xf0 0x29
0x12 0x42 0xf0 0x42 0xf0 0x12
0x24 0xf0 0x24
0x35 0xf0 0x35
0x32 0xf0 0x32
0x44 0xf0 0x44
0x1c 0xf0 0x1c
0x2d 0xf0 0x2d
0x23 0xf0 0x23
0x49 0xf0 0x49
'''

# Scan Codes
sc = {
   0x12: 'lshft',
   0x1b: 's',
   0x1c: 'a',
   0x23: 'd',
   0x24: 'e',
   0x29: ' ',
   0x2c: 't',
   0x2d: 'r',
   0x31: 'n',
   0x32: 'b',
   0x35: 'y',
   0x41: ',',
   0x42: 'k',
   0x43: 'i',
   0x44: 'o',
   0x49: '.',
   0x4d: 'p',
   0x52: '\'',
   0x58: 'caps',
   0x59: 'rshft'
}

data = [0x58, 0xf0, 0x58, 0x1b, 0xf0, 0x1b, 0x58, 0xf0, 0x58, 0x44, 0xf0, 0x44, 0x2d, 0xf0, 0x2d, 0x2d, 0xf0, 0x2d, 0x35, 0xf0, 0x35, 0x41, 0xf0, 0x41, 0x29, 0xf0, 0x29, 0x59, 0x43, 0xf0, 0x43, 0xf0, 0x59, 0x29, 0xf0, 0x29, 0x23, 0xf0, 0x23, 0x44, 0xf0, 0x44, 0x31, 0xf0, 0x31, 0x52, 0xf0, 0x52, 0x2c, 0xf0, 0x2c, 0x29, 0xf0, 0x29, 0x1b, 0xf0, 0x1b, 0x4d, 0xf0, 0x4d, 0x24, 0xf0, 0x24, 0x1c, 0xf0, 0x1c, 0x42, 0xf0, 0x42, 0x29, 0xf0, 0x29, 0x12, 0x42, 0xf0, 0x42, 0xf0, 0x12, 0x24, 0xf0, 0x24, 0x35, 0xf0, 0x35, 0x32, 0xf0, 0x32, 0x44, 0xf0, 0x44, 0x1c, 0xf0, 0x1c, 0x2d, 0xf0, 0x2d, 0x23, 0xf0, 0x23, 0x49, 0xf0, 0x49]

may = False
shift = False
stack = []

decoded = ''

for i in data:
   #print i
   if i != 240:
      letter = sc[i]
      #print letter, stack
      if letter in stack:
         stack.remove(letter)
      else:
         stack.append(letter)
         if letter == 'caps': may = not may
         elif 'shft' in letter: shift = True
         else:
            if may:
               decoded += letter.upper()
            elif shift:
               decoded += letter.upper()
               shift = False
            else:
               decoded += letter

print decoded
# python keylogger.py
Sorry, I don't speak Keyboard.

Source

https://www.youtube.com/watch?v=4Xo_FAx6P0A (1:51:20)

Done in collaboration

https://atorralba.github.io/

# GynvaelEN mission 011


# cat mission_11-firmware.txt
# Number of arguments this code object expects
co_argcount 1
# Tuple of constant objects
co_consts (None, '4e5d4e92865a4e495a86494b5a5d49525261865f5758534d4a89', 'hex', 89, 255, 115, 50)
# Flags
co_flags 67
# Function name
co_name check_password
# Names used
co_names ('decode', 'len', 'False', 'all', 'zip', 'ord')
# Number of local variables
co_nlocals 4
# The depth of the stack
co_stacksize 6
# Argument names
co_varnames ('s', 'good', 'cs', 'cg')

      0 LOAD_CONST          1  stack[0] = '4e5d4e92865a4e495a86494b5a5d49525261865f5758534d4a89'
      3 LOAD_ATTR           0  names[0] # decode
      6 LOAD_CONST          2  stack[1] = 'hex'
      9 CALL_FUNCTION       1  stack[0] = 'N]N\x92\x86ZNIZ\x86IKZ]IRRa\x86_WXSMJ\x89' # 26
     12 STORE_FAST          1  good = 'N]N\x92\x86ZNIZ\x86IKZ]IRRa\x86_WXSMJ\x89' # 26; stack is empty
     15 LOAD_GLOBAL         1  stack[0] = 'len'
     18 LOAD_FAST           0  stack[1] = 's'
     21 CALL_FUNCTION       1  ?; stack is empty
     24 LOAD_GLOBAL         1  stack[0] = 'len'
     27 LOAD_FAST           1  stack[1] = 'good'
     30 CALL_FUNCTION       1  26; stack is empty
     33 COMPARE_OP          3 (!=) len(s) != len(goog)
     36 POP_JUMP_IF_FALSE  43    if eq goto 43
     39 LOAD_GLOBAL         2    else stack[0] = 'False'
     42 RETURN_VALUE   return 'False'
>>   43 LOAD_GLOBAL         3    stack[0] = 'all'
     46 BUILD_LIST          0    stack[0] = ['all']
     49 LOAD_GLOBAL         4    stack[1] = 'zip'
     52 LOAD_FAST           0    stack[2] = 's'
     55 LOAD_FAST           1    stack[3] = 'good'
     58 CALL_FUNCTION       2    stack[0] = zip(s, good)
     61 GET_ITER      stack[0] = iter(zip(s, good))
>>   62 FOR_ITER           52 (to 117)
     65 UNPACK_SEQUENCE     2    stack[1] = s[i], good[i]
     68 STORE_FAST          2    cs = s[i]
     71 STORE_FAST          3    cg = good[i]
     74 LOAD_GLOBAL         5    stack[0] = 'ord'
     77 LOAD_FAST           2    stack[1] = cs
     80 CALL_FUNCTION       1    stack[0] = ord(cs)
     83 LOAD_CONST          3    stack[1] = 89
     86 BINARY_SUBTRACT     stack[0] = ord(cs) - 89
     87 LOAD_CONST          4    stack[1] = 255
     90 BINARY_AND      stack[0] = (ord(cs) - 89) & 255
     91 LOAD_CONST          5    stack[1] = 115
     94 BINARY_XOR      stack[0] = ((ord(cs) - 89) & 255) ^ 115
     95 LOAD_CONST          6    stack[1] = 50
     98 BINARY_XOR      stack[0] = (((ord(cs) - 89) & 255) ^ 115) ^ 50
     99 LOAD_GLOBAL         5    stack[1] = 'ord'
    102 LOAD_FAST           3    stack[2] = cg
    105 CALL_FUNCTION       1    stack[1] = ord(cg)
    108 COMPARE_OP          2 (==)  computed_cg == cg
    111 LIST_APPEND         2
    114 JUMP_ABSOLUTE      62    goto 62
>>  117 CALL_FUNCTION       1
    120 RETURN_VALUE

# cat mission_11.py
password = ''

for i in '4e5d4e92865a4e495a86494b5a5d49525261865f5758534d4a89'.decode('hex'):
    password += chr(255 & (89 + (ord(i) ^ 50 ^ 115)))

print password

# python mission_11.py
huh, that actually worked!

Source

https://www.youtube.com/watch?v=s5gOW-N9AAo (1:46:20)

# GynvaelEN mission 010


# cat mission_10.py
from pwn import *

host = '31.133.0.131' #'127.0.0.1'
port = 9393

def get_mask_len():
 i = 64
 while True:
  j = i * 8
  r = remote(host, port)
  r.sendlineafter('\n', 'A' * j)
  re = r.recvuntil('\n')
  r.close()
  if 'Meh' in re:
   break
  i += 1
 return j

def get_secret2():
 b1 = '00000001'
 mask = b1 * (ml / 8)
 r = remote(host, port)
 r.sendlineafter('\n', mask)
 re = r.recvuntil('\n')

 b0 = '0'
 bits = b0 * (ml / 8)
 r.sendline(bits)

 re = r.recvuntil('\n')
 if 'Access Granted' in re:
  for _ in range(4):
   print r.recvuntil('\n')
 r.close()

def get_bits():
 b = ''
 for i in range(len(mask)):
  if mask[i] == '1':
   b += secret1[i]
 return b

def check_result(m, b):
 r = remote(host, port)
 r.sendlineafter('\n', m)
 re = r.recvuntil('\n')
 r.sendline(b)
 re = r.recvuntil('\n')
 r.close()
 return re

def binary_to_str(binary):
 s = ''
 for i in range(0, len(binary), 8):
  b = ''
  for j in range(8):
   b = binary[i + j] + b
  s += chr(int(b, 2))
 return s

def get_secret1():
 for i in range(len(mask)):
  if mask[i] == '0':
   mask[i] = '1'
   tmask = ''.join(mask)
   for j in '01':
    secret1[i] = j
    bits = get_bits()
    if 'Access Granted' in check_result(tmask, bits):
     break


ml = get_mask_len()
get_secret2()

secret1 = ['0'] * ml
mask = [i for i in '00000001'] * (ml / 8)
get_secret1()

print binary_to_str(get_bits())

# python mission_10.py
You have received one secret message:

---

Just Another Secret Message

---

This Crypto Is Absolutely Secure And There Will Be No Problem With It.

Source

https://www.youtube.com/watch?v=Vs8PLpHCoNY (1:45:30)