### GDB Debugging Setup and Execution Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/15-partial_overwrite/hacklu15_stackstuff/readme.md This snippet shows the GDB commands used to set up the debugging environment and start the target program. It includes following child processes and initiating the program's execution. ```gdb gef➤ set follow-fork-mode childgef➤ r Starting program: /Hackery/pod/modules/partial_overwrite/hacklu15_stackstuff/stackstuff [Attaching after process 6338 fork to child process 6345] [New inferior 2 (process 6345)] [Detaching after fork from parent process 6338] [Inferior 1 (process 6338) detached] process 6345 is executing new program: /Hackery/pod/modules/partial_overwrite/hacklu15_stackstuff/stackstuff [Switching to process 6345] ``` -------------------------------- ### Install Pwntools using pip Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/02-intro_tooling/pwntools/readme.md This command installs the pwntools library using pip. Ensure you have pip installed and sufficient permissions (using sudo if necessary). ```bash sudo pip install pwn ``` -------------------------------- ### Example Shell Interaction Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/33-custom_misc_heap/csaw17_minesweeper/readme.md Shows an example of interacting with a remote shell obtained via netcat. It includes commands like 'w' to display system information and 'ls' to list files. ```bash w 03:51:43 up 9:56, 1 user, load average: 0.19, 0.11, 0.09 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT guyinatu :0 :0 17:56 ?xdm? 10:05 0.01s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --session=ubuntu ls back.py core exploit.py heapLeak.py jmp.asm jmp.o minesweeper notes readme.md ``` -------------------------------- ### C Code Example Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/01-intro_assembly/assembly/readme.md A simple C program that prints 'Hello World!' to the console. This code serves as an example to demonstrate compilation into assembly language. ```c #include void main(void) { puts("Hello World!"); } ``` -------------------------------- ### Exploit Execution and Interactive Shell Example Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/07-bof_static/bkp16_simplecalc/readme.md This example demonstrates the execution of a Python exploit script (`exploit.py`) and the subsequent interactive shell session. The output shows the process starting, switching to interactive mode, and then interacting with the shell using standard Linux commands like 'w' and 'ls'. This showcases the practical application of the interactive shell functionality. ```bash $ python exploit.py [+] Starting local process './simplecalc': pid 15676 [*] Switching to interactive mode Result for x + y is 0. Options Menu: [1] Addition. [2] Subtraction. [3] Multiplication. [4] Division. [5] Save and Exit. => $ w 20:06:39 up 5:53, 1 user, load average: 1.71, 1.30, 1.37 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT guyinatu :0 :0 14:13 ?xdm? 22:10 0.00s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu gnome-session --session=ubuntu $ ls core exploit.py readme.md simplecalc ``` -------------------------------- ### Start QEMU with GDB Listener Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/34-emulated_targets/csaw17_realism/readme.md This command starts a QEMU system emulator for i386 architecture, loading a raw disk image 'main.bin'. It also enables a GDB remote debugging listener on TCP port 1234, allowing a GDB client to connect and debug the running program. ```bash qemu-system-i386 -drive format=raw,file=main.bin -gdb tcp::1234 ``` -------------------------------- ### Install Build Tools for x86 Binary Compilation Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/34-emulated_targets/csaw18_x86_pt2/readme.md Installs necessary tools like NASM (assembler) and QEMU (emulator) for compiling and running x86 assembly code. These are essential for the challenge's build process. ```bash sudo apt-get install nasm qemu qemu-system-i386 ``` -------------------------------- ### Attach GDB with Initial Script using Pwntools Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/02-intro_tooling/pwntools/readme.md Attaches GDB to the target and immediately executes the provided gdbscript. This example sets a breakpoint at the 'main' function. ```python gdb.attach(target, gdbscript='b *main') ``` -------------------------------- ### Run Local Process with Pwntools Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/02-intro_tooling/pwntools/readme.md Starts a local executable file named 'challenge' as a subprocess. The 'target' variable will then represent this running process. ```python target = process("./challenge") ``` -------------------------------- ### Network Listener and Request Handler Setup (C) Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/15-partial_overwrite/hacklu15_stackstuff/readme.md This C code snippet demonstrates the main function's logic for setting up a network listener, binding to a port, and accepting incoming connections. It forks child processes to handle each connection and then re-executes itself to manage the request, redirecting standard input and output to the accepted socket. ```c /* WARNING: Could not reconcile some variable overlaps */ undefined8 main(undefined8 uParm1,char **ppcParm2) { uint16_t uVar1; int iVar2; uint uVar3; undefined4 local_3c; ulong local_38; undefined8 local_30; undefined8 local_28; undefined4 local_20; int local_14; int local_10; int local_c; iVar2 = strcmp(*ppcParm2,"reexec"); if (iVar2 == 0) { handle_request(); } else { uVar3 = socket(10,1,0); local_c = negchke((ulong)uVar3,"unable to create socket"); local_30 = 0; local_28 = 0; local_20 = 0; local_38 = 10; uVar1 = htons(0x5ea); local_38._0_4_ = CONCAT22(uVar1,(sa_family_t)local_38); local_38 = local_38 & 0xffffffff00000000 | (ulong)(uint)local_38; local_3c = 1; uVar3 = setsockopt(local_c,1,2,&local_3c,4); negchke((ulong)uVar3,"unable to set SO_REUSEADDR"); uVar3 = bind(local_c,(sockaddr *)&local_38,0x1c); negchke((ulong)uVar3,"unable to bind"); uVar3 = listen(local_c,0x10); negchke((ulong)uVar3,"unable to listen"); signal(0x11,(__sighandler_t)0x1); while( true ) { uVar3 = accept(local_c,(sockaddr *)0x0,(socklen_t *)0x0); local_10 = negchke((ulong)uVar3,"unable to accept"); uVar3 = fork(); local_14 = negchke((ulong)uVar3,"unable to fork"); if (local_14 == 0) break; close(local_10); } close(local_c); uVar3 = dup2(local_10,0); negchke((ulong)uVar3,"unable to dup2"); uVar3 = dup2(local_10,1); negchke((ulong)uVar3,"unable to dup2"); close(local_10); uVar3 = execl("/proc/self/exe","reexec",0); negchke((ulong)uVar3,"unable to reexec"); } return 0; } ``` -------------------------------- ### Run hello_world in GDB Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/02-intro_tooling/gdb-gef/readme.md This snippet shows how to execute the 'hello_world' binary within the GDB debugger. It demonstrates the initial GDB output and the program's execution, including the 'hello world!' message. No specific dependencies are required beyond GDB and the binary itself. ```gdb gdb ./hello_world GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git Copyright (C) 2018 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: . Find the GDB manual and other documentation resources online at: . For help, type "help". Type "apropos word" to search for commands related to "word"... GEF for linux ready, type `gef' to start, `gef config' to configure 75 commands loaded for GDB 8.1.0.20180409-git using Python engine 3.6 [*] 5 commands could not be loaded, run `gef missing` to know why. Reading symbols from ./hello_world...(no debugging symbols found)...done. gef➤ r Starting program: /home/devey/nightmare/modules/02-intro_tooling/hello_world hello world! [Inferior 1 (process 9133) exited normally] ``` -------------------------------- ### Python Script for Z3 Solver Setup Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/12-z3/tuctf_future/readme.md Initializes the Z3 solver to find the correct flag. It defines 25 symbolic bit vectors representing the input characters and starts populating a 5x5 matrix with these symbolic variables. ```python from z3 import * inp = [] for i in xrange(25): b = BitVec("%s" % i, 8) inp.append(b) h, l = 5, 5; mat = [[0 for x in range(l)] for y in range(h)] mat[0][0] = inp[0] ``` -------------------------------- ### System Setup for ARM Binary Analysis Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/14-ret_2_system/hxp18_poorCanary/readme.md Commands to install necessary tools for emulating and debugging 32-bit ARM binaries. This includes QEMU for emulation, GDB with multi-architecture support, and binutils for assembly code inspection. ```bash sudo apt-get install qemu-user sudo apt-get install gdb-multiarch sudo apt-get install binutils-arm-none-eabi ``` -------------------------------- ### GDB Disassembly of echo function Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/06-bof_shellcode/tamu19_pwn3/readme.md This GDB output provides the assembly-level view of the 'echo' function. It details the instructions executed, including stack frame setup, the call to 'printf', and critically, the call to 'gets', confirming the buffer overflow vulnerability at the assembly level. ```assembly gef➤ disas echo Dump of assembler code for function echo: 0x0000059d <+0>: push ebp 0x0000059e <+1>: mov ebp,esp 0x000005a0 <+3>: push ebx 0x000005a1 <+4>: sub esp,0x134 0x000005a7 <+10>: call 0x4a0 <__x86.get_pc_thunk.bx> 0x000005ac <+15>: add ebx,0x1a20 0x000005b2 <+21>: sub esp,0x8 0x000005b5 <+24>: lea eax,[ebp-0x12a] 0x000005bb <+30>: push eax 0x000005bc <+31>: lea eax,[ebx-0x191c] 0x000005c2 <+37>: push eax 0x000005c3 <+38>: call 0x410 0x000005c8 <+43>: add esp,0x10 0x000005cb <+46>: sub esp,0xc 0x000005ce <+49>: lea eax,[ebp-0x12a] 0x000005d4 <+55>: push eax 0x000005d5 <+56>: call 0x420 0x000005da <+61>: add esp,0x10 0x000005dd <+64>: nop 0x000005de <+65>: mov ebx,DWORD PTR [ebp-0x4] 0x000005e1 <+68>: leave 0x000005e2 <+69>: ret End of assembler dump. ``` -------------------------------- ### Install Angr with Pip Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/13-angr/securityfest_fairlight/readme.md This command installs the Angr framework using pip, a Python package installer. Ensure you have Python and pip installed on your system before running this command. It's recommended to use sudo for system-wide installation. ```bash sudo pip install angr ``` -------------------------------- ### GDB Disassembly and Execution Flow (Assembly) Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/05-bof_callfunction/csaw18_getit/readme.md This GDB output shows the disassembly of the main function, focusing on the prologue, the call to puts, the vulnerable gets call, and the epilogue. It also demonstrates setting a breakpoint after the gets call and running the program. ```assembly gef➤ disas main Dump of assembler code for function main: 0x00000000004005c7 <+0>: push rbp 0x00000000004005c8 <+1>: mov rbp,rsp 0x00000000004005cb <+4>: sub rsp,0x30 0x00000000004005cf <+8>: mov DWORD PTR [rbp-0x24],edi 0x00000000004005d2 <+11>: mov QWORD PTR [rbp-0x30],rsi 0x00000000004005d6 <+15>: mov edi,0x40068e 0x00000000004005db <+20>: call 0x400470 0x00000000004005e0 <+25>: lea rax,[rbp-0x20] 0x00000000004005e4 <+29>: mov rdi,rax 0x00000000004005e7 <+32>: mov eax,0x0 0x00000000004005ec <+37>: call 0x4004a0 0x00000000004005f1 <+42>: mov eax,0x0 0x00000000004005f6 <+47>: leave 0x00000000004005f7 <+48>: ret End of assembler dump. ggef➤ b *0x4005f1 Breakpoint 1 at 0x4005f1 gef➤ r Starting program: /Hackery/pod/modules/bof_callfunction/csaw18_getit/get_it Do you gets it?? 15935728 ``` -------------------------------- ### x86 Assembly Function Prologue and Stack Setup Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/07-bof_static/dcquals16_feedme/readme.md This x86 assembly code snippet demonstrates the standard function prologue, setting up the stack frame by pushing the base pointer and moving the stack pointer. It also includes instructions for saving registers and allocating space on the stack. ```x86 Assembly 0x8048f69 add eax, 0x57 0x8048f6c leave 0x8048f6d ret → 0x8048f6e push ebp 0x8048f6f mov ebp, esp 0x8048f71 push ebx 0x8048f72 sub esp, 0x1c 0x8048f75 mov edx, DWORD PTR [ebp+0xc] 0x8048f78 mov eax, DWORD PTR [ebp+0x10] ``` -------------------------------- ### Install Linux Perf Tools Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/22-movfuscation/swamp19_future/readme.md Command to install the generic Linux Perf tools, which are necessary for performance analysis and instruction counting. ```bash sudo apt-get install linux-tools-generic ``` -------------------------------- ### Program Execution and Input Handling Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/24-heap_overflow/protostar_heap1/readme.md Demonstrates how the 'heap1' program behaves with different command-line arguments. The successful execution with two arguments indicates the program expects specific input formats. ```bash $ ./heap1 Segmentation fault (core dumped) $ ./heap1 15935728 Segmentation fault (core dumped) $ ./heap1 15935728 75395128 and that's a wrap folks! ``` -------------------------------- ### Install Hex Editor (Bless) Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/23-custom_architecture/h3_h3machine1/readme.md Provides the command to install the Bless hex editor using apt-get, a necessary tool for patching the binary file. ```shell $ sudo apt-get install bless ``` -------------------------------- ### Emulator Command Line Usage Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/23-custom_architecture/h3_h3machine0/readme.md Demonstrates the command-line interface for the h3emu emulator. It supports running an image, enabling trace mode for instruction streaming, and displaying version or help information. ```bash h3emu [--trace] IMAGE [ARG1 [ARG2 [...]]] h3emu --version h3emu --help ``` -------------------------------- ### Heap Exploitation Example Output Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/24-heap_overflow/protostar_heap2/reamdme.md This output demonstrates a heap exploitation scenario. It shows the initial state of 'auth' and 'service' pointers, the effect of the 'auth' command, and how the 'service' command is used to overwrite heap data, leading to a successful login bypass. The key observation is the change in the 'service' pointer after its invocation. ```text $ ./heap2 [ auth = (nil), service = (nil) ] auth 15935728 [ auth = 0x55b20955da80, service = (nil) ] login please enter your password [ auth = 0x55b20955da80, service = (nil) ] service 0 [ auth = 0x55b20955da80, service = 0x55b20955daa0 ] login you have logged in already! [ auth = 0x55b20955da80, service = 0x55b20955daa0 ] ``` -------------------------------- ### Execute MBR Boot Sector with QEMU Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/34-emulated_targets/csaw17_realism/readme.md This command executes the 'main.bin' file, identified as a DOS/MBR boot sector, using the QEMU emulator. The '-drive' option specifies the raw format and file path, allowing for the simulation of a boot process that prompts for a flag. ```bash qemu-system-i386 -drive format=raw,file=main.bin ``` -------------------------------- ### Assembly Code near gets Call Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/04-bof_variable/tamu19_pwn1/Readme.md Assembly code snippet showing the `CALL gets` instruction and subsequent comparison. This reveals a check against `0xdea110c8` before calling `print_flag`. ```assembly 000108aa e8 71 fc CALL gets char * gets(char * __s) ff ff 000108af 83 c4 10 ADD ESP,0x10 000108b2 81 7d f0 CMP dword ptr [EBP + local_18],0xdea110c8 c8 10 a1 de 000108b9 75 07 JNZ LAB_000108c2 000108bb e8 3d fe CALL print_flag undefined print_flag() ff ff ``` -------------------------------- ### Binary File Information and Security Checks Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/24-heap_overflow/protostar_heap0/readme.md This snippet displays the output of the 'file' and 'pwn checksec' commands for the 'heap0' binary. It reveals the binary's architecture (32-bit), linking, and security features (or lack thereof), such as no canary and enabled NX. ```shell $ file heap0 heap0: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-, for GNU/Linux 3.2.0, BuildID[sha1]=ca0d25fb47b05e42811810bf08e5376b33f64501, not stripped $ pwn checksec heap0 [*] '/Hackery/pod/modules/heap_overflow/protostart_heap0/heap0' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) ``` -------------------------------- ### Memory Corruption Example Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/17-stack_pivot/dcquals19_speedrun4/readme.md A snapshot of the stack memory showing how input data can overwrite critical pointers like the return address. This example visualizes the memory layout just before or during the exploit execution. ```text ────────────────────────────────────────────────────────────────────────────────────────── stack ──── 0x00007fff383d4ba0│+0x0000: 0x0000000000000000 ← $rsp 0x00007fff383d4ba8│+0x0008: 0x0000010100000000 0x00007fff383d4bb0│+0x0010: 0x0000000000000000 ← $rax, $rsi 0x00007fff383d4bb8│+0x0018: 0x000000770000007c ("|"?) 0x00007fff383d4bc0│+0x0020: 0x0000005b0000006e ("n"?) 0x00007fff383d4bc8│+0x0028: 0x00007fff383d4b50 → 0x0000000000000029 (")"?) 0x00007fff383d4bd0│+0x0030: 0x0000000000000001 0x00007fff383d4bd8│+0x0038: 0x0000000000000140 ``` -------------------------------- ### Set Breakpoint and Run in GDB Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/02-intro_tooling/gdb-gef/readme.md This snippet demonstrates setting a breakpoint at the 'main' function in GDB and then running the program. It shows the GDB output after setting the breakpoint and starting execution, including register and stack information at the breakpoint. This is useful for examining program state at the entry point of the 'main' function. ```gdb gef➤ break main Breakpoint 1 at 0x8048409 gef➤ r Starting program: /home/devey/nightmare/modules/02-intro_tooling/hello_world [ Legend: Modified register | Code | Heap | Stack | String ] ────────────────────────────────────────────────────────────────────── registers ──── $eax : 0xf7fb9dd8 → 0xffffd19c → 0xffffd389 → "CLUTTER_IM_MODULE=xim" $ebx : 0x0 $ecx : 0xffffd100 → 0x00000001 $edx : 0xffffd124 → 0x00000000 $esp : 0xffffd0e4 → 0xffffd100 → 0x00000001 $ebp : 0xffffd0e8 → 0x00000000 $esi : 0xf7fb8000 → 0x001d4d6c $edi : 0x0 $eip : 0x08048409 → sub esp, 0x4 $eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow resume virtualx86 identification] $cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063 ────────────────────────────────────────────────────────────────────────── stack ──── 0xffffd0e4│+0x0000: 0xffffd100 → 0x00000001 ← $esp 0xffffd0e8│+0x0004: 0x00000000 ← $ebp 0xffffd0ec│+0x0008: 0xf7dfbe81 → <__libc_start_main+241> add esp, 0x10 0xffffd0f0│+0x000c: 0xf7fb8000 → 0x001d4d6c 0xffffd0f4│+0x0010: 0xf7fb8000 → 0x001d4d6c 0xffffd0f8│+0x0014: 0x00000000 0xffffd0fc│+0x0018: 0xf7dfbe81 → <__libc_start_main+241> add esp, 0x10 0xffffd100│+0x001c: 0x00000001 ──────────────────────────────────────────────────────────────────── code:x86:32 ──── 0x8048405 push ebp 0x8048406 mov ebp, esp 0x8048408 push ecx → 0x8048409 sub esp, 0x4 0x804840c sub esp, 0xc 0x804840f push 0x80484b0 0x8048414 call 0x80482d0 0x8048419 add esp, 0x10 0x804841c mov eax, 0x0 ──────────────────────────────────────────────────────────────────────── threads ──── [#0] Id 1, Name: "hello_world", stopped 0x8048409 in main (), reason: BREAKPOINT ────────────────────────────────────────────────────────────────────────── trace ──── [#0] 0x8048409 → main() ───────────────────────────────────────────────────────────────────────────────────── Breakpoint 1, 0x08048409 in main () ``` -------------------------------- ### Example Execution and Shell Output Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/17-stack_pivot/insomnihack18_onewrite/readme.md This example demonstrates the command-line execution of the exploit script and the subsequent interactive shell session. It shows the output from the exploit, including process information and the commands executed within the shell. ```bash $ python exploit.py [+] Starting local process './onewrite': pid 14815 [!] Did not find any GOT entries [*] '/Hackery/pod/modules/stack_pivot/insomnihack18_onewrite/onewrite' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled [*] Switching to interactive mode $ w 22:42:39 up 8:27, 1 user, load average: 1.46, 1.54, 1.63 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT guyinatu :0 :0 14:15 ?xdm? 39:17 0.01s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --session=ubuntu $ ls core exploit.py onewrite readme.md ``` -------------------------------- ### Initialization Function (C) Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/31-unsortedbin_attack/0ctf16_zerostorage/README.md This C code snippet is from a function called before the main menu. It sets up buffering for stdin and stdout, configures an alarm, and reads 8 bytes from /dev/urandom into a global variable named GLOBAL_KEY. ```c setvbuf(stdin,(char *)0x0,2,0); setvbuf(stdout,(char *)0x0,2,0); alarm(0x3c); __stream = fopen("/dev/urandom","rb"); if (__stream != (FILE *)0x0) { bytes_read = fread(&GLOBAL_KEY,1,8,__stream); if (bytes_read == 8) { fclose(__stream); return; } } ``` -------------------------------- ### Start Simulation and Find Solution with angr Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/13-angr/defcamp_r100/readme.md This Python code snippet uses the angr framework to start a simulation, explore it to find a desired address, and avoid incorrect ones. It then retrieves and prints the found solution. ```python simulation.explore(find = desired_adr, avoid = wrong_adr) solution = simulation.found[0].posix.dumps(0) print solution ``` -------------------------------- ### Main Function Logic and Argument Parsing (C) Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/20-patching_and_jumping/plaid19_ppp/readme.md This C function, `FUN_00105948`, serves as the main entry point for the Nightmare binary. It parses command-line arguments to determine program behavior, initializes data structures like `placement`, and decides whether to simulate or check a dinner arrangement. It includes input validation and uses `abort()` for critical errors. Dependencies include standard C library functions like `puts`, `atoi`, `abort`, and `printf`. ```c undefined8 FUN_00105948(int arg_count,long param_2) { char cVar1; int intCpy; int first_arg; int i; int j; int k; int current_placement; setup(&x,&y); first_arg = 1; if (arg_count == 1) { puts("Alphabetical it is, I guess."); i = 0; while (i < 0xf) { *(int *)(&placement + (long)i * 0x20) = i; i = i + 1; } } else { if (arg_count != 0x11) { /* WARNING: Subroutine does not return */ abort(); } first_arg = atoi(*(char **)(param_2 + 8)); j = 0; while (j < 0xf) { intCpy = atoi(*(char **)(param_2 + ((long)j + 2) * 8)); *(int *)(&placement + (long)j * 0x20) = intCpy + -1; current_placement = *(int *)(&placement + (long)j * 0x20); if ((current_placement < 0) || (0xe < current_placement)) { /* WARNING: Subroutine does not return */ abort(); } k = 0; while (k < j) { if (current_placement == *(int *)(&placement + (long)k * 0x20)) { /* WARNING: Subroutine does not return */ abort(); } k = k + 1; } j = j + 1; } } if (first_arg == 1) { puts("Simulating the dinner...\n"); simulatingDinner(&x,&y); } else { puts("Checking the dinner...\n"); if (first_arg != 2) { /* WARNING: Subroutine does not return */ abort(); } cVar1 = checkingDinner(&x,&y); if (cVar1 != '\x01') { printf("Your dinner arrangement was unacceptable. We might never finish :("); return 1; } } return 0; } ``` -------------------------------- ### x86 Assembly Compilation Example Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/01-intro_assembly/assembly/readme.md The assembly code generated from the 'Hello World!' C program, using Intel syntax. This snippet illustrates the low-level instructions that the processor executes, including function prologue, calling the 'puts' function, and function epilogue. ```assembly 0000000000001135
: 1135: 55 push rbp 1136: 48 89 e5 mov rbp,rsp 1139: 48 8d 3d c4 0e 00 00 lea rdi,[rip+0xec4] # 2004 <_IO_stdin_used+0x4> 1140: e8 eb fe ff ff call 1030 1145: 90 nop 1146: 5d pop rbp 1147: c3 ret 1148: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0] 114f: 00 ``` -------------------------------- ### Angr Script Setup for r100 Binary Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/13-angr/defcamp_r100/readme.md This Python script demonstrates the initial setup for using the Angr framework to solve the r100 crackme challenge. It imports Angr, loads the project, and defines key addresses for symbolic execution. ```python # Import Angr import angr # Establish the Angr Project target = angr.Project('r100') # Specify the desired address which means we have the correct input desired_adr = 0x4007a1 # Specify the address which if it executes means we don't have the correct input wrong_adr = 0x400790 # Establish the entry state entry_state = target.factory.entry_state(args=["./fairlight"]) # Establish the simulation simulation = target.factory.simulation_manager(entry_state) ``` -------------------------------- ### Execute start_quest Function in x86:64 Assembly Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/36-obfuscated_reversing/csaw15_wyvern/readme.md This snippet shows the x86:64 assembly code for calling the 'start_quest' function within the 'main' function. It details the assembly instructions leading up to the call and the initial instructions of the 'start_quest' function itself. The arguments passed to 'start_quest' are also inferred. ```x86:64 0x40e250 call 0x400f20 <_ZNSsC1ERKSs@plt> 0x40e255 jmp 0x40e25a 0x40e25a lea rdi, [rbp-0x138] → 0x40e261 call 0x404350 <_Z11start_questSs> ↳ 0x404350 push rbp 0x404351 mov rbp, rsp 0x404354 push r15 0x404356 push r14 0x404358 push rbx 0x404359 sub rsp, 0x78 ``` -------------------------------- ### Disassemble Main Function in GDB Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/05-bof_callfunction/csaw16_warmup/readme.md This GDB output shows the disassembled 'main' function. It helps in understanding the assembly instructions, particularly the calls to `write`, `sprintf`, and `gets`, and identifying the exact location of the `gets` call for setting breakpoints. ```assembly gef➤ disas main Dump of assembler code for function main: 0x000000000040061d <+0>: push rbp 0x000000000040061e <+1>: mov rbp,rsp 0x0000000000400621 <+4>: add rsp,0xffffffffffffff80 0x0000000000400625 <+8>: mov edx,0xa 0x000000000040062a <+13>: mov esi,0x400741 0x000000000040062f <+18>: mov edi,0x1 0x0000000000400634 <+23>: call 0x4004c0 0x0000000000400639 <+28>: mov edx,0x4 0x000000000040063e <+33>: mov esi,0x40074c 0x0000000000400643 <+38>: mov edi,0x1 0x0000000000400648 <+43>: call 0x4004c0 0x000000000040064d <+48>: lea rax,[rbp-0x80] 0x0000000000400651 <+52>: mov edx,0x40060d 0x0000000000400656 <+57>: mov esi,0x400751 0x000000000040065b <+62>: mov rdi,rax 0x000000000040065e <+65>: mov eax,0x0 0x0000000000400663 <+70>: call 0x400510 0x0000000000400668 <+75>: lea rax,[rbp-0x80] 0x000000000040066c <+79>: mov edx,0x9 0x0000000000400671 <+84>: mov rsi,rax 0x0000000000400674 <+87>: mov edi,0x1 0x0000000000400679 <+92>: call 0x4004c0 0x000000000040067e <+97>: mov edx,0x1 0x0000000000400683 <+102>: mov esi,0x400755 0x0000000000400688 <+107>: mov edi,0x1 0x000000000040068d <+112>: call 0x4004c0 0x0000000000400692 <+117>: lea rax,[rbp-0x40] 0x0000000000400696 <+121>: mov rdi,rax 0x0000000000400699 <+124>: mov eax,0x0 0x000000000040069e <+129>: call 0x400500 0x00000000004006a3 <+134>: leave 0x00000000004006a4 <+135>: ret End of assembler dump. ``` -------------------------------- ### Initial Interaction with Cookbook Binary Source: https://github.com/guyinatuxedo/nightmare/blob/master/modules/41-house_of_force/bkp16_cookbook/readme.md Demonstrates the initial user interaction with the 'cookbook' binary, including the welcome message and the main menu options. This output helps in understanding the program's functionality and potential input points. ```bash $ ./cookbook what's your name? guyinatuxedo +-----------------------------+ | .--,--. | | `. ,.' | | |___| | | :o o: | | _`~^~' | | /' ^ `\ | | cooking manager pro v6.1... | +-----------------------------+ ==================== [l]ist ingredients [r]ecipe book [a]dd ingredient [c]reate recipe [e]xterminate ingredient [d]elete recipe [g]ive your cookbook a name! [R]emove cookbook name [q]uit ```