hello world

Signed-off-by: degrigis <[email protected]>

Author: degrigis

angr

@@ -0,0 +1,64 @@
+
+
+
+# Converting a SimActionObject to claripy BVV
+ipdb> string_address                                                                                    
+<SAO <BV64 0x555555755060>>
+ipdb> string_address.to_claripy()                                                                       
+<BV64 0x555555755060>
+
+# Reading from memory 
+ipdb> real_addr                                                                                         
+<BV64 0x555555755060>
+data = current_state.memory._read_from(current_state.solver.eval(real_addr),8)
+
+# Printing instruction
+new_concrete_state.block(addr=0x4049bc).capstone.pp()
+
+# Printing SimStates generated by exploration technique 
+sim_manager.py
+-----------------
+328: for state in self._fetch_states(stash=stash):
+            print(state) 
+
+
+# Hook an address with a SimProc object 
+new_concrete_state.project.hook(0x405337,angr.procedures.libc.strstr)
+
+
+# Get 1 instruction from BB 
+current_state.block(addr=act.ins_addr, num_inst=1).capstone.pp()
+
+# Get a solution for a conditions over a variable 
+# n is the number of solutions you want! 
+state.solver._eval(data,n)
+
+
+# Create a BVV
+weird_nine = state.solver.BVV(9, 27)
+
+
+# Dump constraints 
+next_state.solver.constraints
+
+# Set a breakpoint on a specific instruction
+next_state.inspect.b('instruction', when=angr.BP_BEFORE, instruction= 0x40a75a)
+
+# Drop all constraints 
+next_state.solver._stored_solver.constraints = []
+next_state.solver.reload_solver()
+
+#ERROR TROUBLESHOOTING 
+
+#==========================================
+#PROBLEM 
+File "/home/degrigis/Projects/angr/angr-dev/claripy/claripy/backends/backend_z3.py", line 81, in _z3_decl_name_str
+AttributeError: module 'z3' has no attribute 'Z3_get_symbol_string_bytes'
+
+#SOLUTION
+pip uninstall claripy && pip install -e ./claripy
+#==========================================
+
+
+
+

ctf

@@ -0,0 +1,2 @@
+# quickly patch alarm and sleep in a file
+cat upload_center | sed 's/sleep/isinf/g' > upload_center.patched

docker

@@ -0,0 +1,47 @@
+
+
+# Fix permission error to connect to docker daemon
+# issue this command and reboot the machine 
+sudo usermod -a -G docker $USER
+
+
+# Example of a DockerFile 
+from ubuntu:latest
+copy example_1_nonet.bin /
+copy libc.so.6 /
+copy ld-linux-x86-64.so.2 /
+
+entrypoint [ "/ld-linux-x86-64.so.2", "--library-path", "/", "/example_1_nonet.bin", "secret_of_life", "supersecretpassword" ]
+
+
+# Build a docker container given a DockerFile 
+# give the folder that contains the DockerFile and all the binaries 
+# you need. 
+# This will give you a docker container id -> f.i. be3ced322578
+docker build example_1_nonet/
+
+
+# List all images 
+docker image ls 
+
+# List all running containers 
+docker container ls 
+
+# Run a container 
+docker run c185416be9f3
+
+# Run a container interactively
+docker run -it c185416be9f3 
+
+# Run a container and spawn a shell inside it 
+# Remember to remove any entry_point in the DockerFile 
+docker run -it c185416be9f3 bash
+
+# Execute a command in a running container 
+docker exec -it "id of running container" bash
+
+# Remove a specific image 
+docker rmi "id of image"
+
+# Remove all images 
+docker system prune

gdb

@@ -0,0 +1,19 @@
+
+# stop when eax has that value
+watch $eax == 0xdeadbeef
+
+# set zero flag ( only with gef ) 
+edit-flags +zero
+
+
+# Displays list of threads
+info threads - Displays a list of threads
+
+# Sets thread with ID of X to the selected thread
+thread X - Sets thread with ID of X to the selected thread
+
+# Applies the command Y to a list of threads, for instance 'thread apply 3 4 step" 
+thread apply X Y
+
+# Applies the command Y to all active threads 
+thread apply all Y 

pwntools

@@ -0,0 +1,36 @@
+
+# enable logs of data received and sent 
+context.log_level = "DEBUG"
+
+# create a process 
+r = process("./baby_tcache")
+
+# create a remote process
+conn = remote(sys.argv[1], sys.argv[2])
+
+# send input to process
+r.sendline("1")
+
+# read until a string 
+r.readuntil("Your choice: ")
+
+# attach gdb and set breakpoint at that address
+gdb.attach(r,'b* 0x0000555555554C6B')
+
+# get an interactive session with gdb 
+r.interactive() 
+
+# crafting shellcode assembly 
+assembly = shellcraft.i386.linux.readfile("./flag", 1) + shellcraft.i386.linux.exit()
+
+# converting asm to hex
+shellcode = asm(assembly, arch = 'i386', os = 'linux')
+
+# getting a formatted p32 word 
+stack_address_leak = output.split("\n")[2].split(" ")[-2]  # getting the string 
+stack_address_leak = int(stack_address_leak) # getting the integer associated 
+p32(stack_address_leak) # format according to the architecture in the context 
+
+
+
+

rr

@@ -0,0 +1,11 @@
+# TO BUILD
+git clone [email protected]:mozilla/rr.git
+cd rr
+./configure
+make -j
+
+# TO USE
+rr record -n <binary> [<arg1> ...]
+    # -n means no syscall buffer, makes it easier to see what's happening when single stepping
+
+rr replay [~/.local/share/rr/<replay_dir_you_wanna_see>]

wsym

@@ -0,0 +1,18 @@
+# WHAT'S THIS
+Adds symbols to an ELF file. Sort of the opposite of strip.
+
+# TO SETUP 
+git clone https://github.com/wapiflapi/wsym
+
+
+# TO USE 
+python wsym.py -f ./symbols ./binary.bin ./binary_sym.bin
+    # -f read the symbols from a file formatted in this way:
+    # 
+    # 000000012c symbol_name 
+    # 000000055b symbol_name2 
+
+python wsym.py -i ./symbols.map ./binary.bin ./binary_sym.bin
+    # -i read the symbols from an IDA .map file ( local and segments )
+    # to export the .map from IDA:
+    # File -> Produce -> .MAP file