From 783cd4c64b04bedfe1fc691d42067de827fcaea7 Mon Sep 17 00:00:00 2001 From: maride Date: Thu, 17 Jun 2021 17:06:58 +0200 Subject: [PATCH] Add example 'xor-o-rama', delete binaries --- examples/double-trouble | Bin 16760 -> 0 bytes examples/single-char | Bin 16704 -> 0 bytes examples/xor-o-rama.c | 63 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 63 insertions(+) delete mode 100755 examples/double-trouble delete mode 100755 examples/single-char create mode 100644 examples/xor-o-rama.c 
diff --git a/examples/double-trouble b/examples/double-trouble deleted file mode 100755 index 2f0b77734238ea0841e376d8d25d86d3a3a3c9bf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16760 zcmeHOZ)_aJ6`#9{6DK5RCnUv9fGjBpht?N6B*qCC?rfj4Mow^pO+h7W&c3tn;CvU| z?LiEsL^2>wsex8Sq8}=SqM{=8gDW8vA+;n8B_LJEP!*vf)PO*B_-iP%Mh&_C-pstq z?)r?>FMO!>S-WrEZ{BIYQ!Ow-_~2Kp^HqUkBOM$qG7w zG|v3@Iu7QHSKBkBl@K1DCIt|4ryYed+ajyQY^R&w?8yt;5lnXT+HPLkF+Zi-W6t@c zoY3)t_Uq+6s3T%dxbGm;4u@ea2sM7ij zZeOt4@A*08>l;`t9f&#ooH5?0@s6mfXPo6Xu2VSWjqWkiDF@Ea3f0XzaOZO~=fIb- z6YzNl&TUgQ-yeFHQNLtrimDR%P&rYu;lQcCGc`w5iS*@rkt=-eXTZ;Zp8-Dueg^yu z_!;ms@PC~FbMnJ_^Kji;TZAwlIA#YcGv?$A^(U&=T-p8(sw$Vgi*v)qC`u%!ss8k- z3h1)GkxWD2(=$?jjbs{vo<1h!pFtjdlnjX4KI$vKdYf5($DDk3ZeXx~s_qKtnp3Mz zz=b*0c^o>Gb-l3pykTRHgnj|RoT?)~=8k!L9m2hs$_RIP1@PGxT+(bBrx)v%Lk{d?JLaeFLFEu^kl6j@dw*+|OGnJ3-GjaN+;yduHlN!z za);HHvyx^xK5dqVj+#eH+p=x;#3lDWN0$Nk7~q%8!|Q%UAx_0-{$NP_pAS}TX6`>` zudPbckd{u~JHPSAM-TwQJUP1#Z66*wV~)IL?wBd9M3zskLOMSFs!};hk-W^;ANxW7 zROch#6(V+1U-|XeP+$3r*kG)DX2_gsIRyB|{>@)epPQY8sd@aXkiDVp&4!Jlzx-K$ z`Qx7QKVp@&e>W#j1k4?8mENbm_``j%TVwlTx5X^9A*g4{KI`hG6oOBF2K)^88SpdU zXTZ;Zp8-Dueg^yu_!;ms@O2po;A_!DV&Z#-ole-77r|1-Xf`o+iLrAt*#$O)uBLCl z@|)FMrScHUQSfQ-0q~o_w|`oxyae9*879ZzkAk=Ak7D#)mMC!dUJ*Fh7}&6KS^cAd zWsQVih-2=PN(IxxD%I8(;!)*4~gs6Uwy@umu@1M?D4aK zcnEs+1ZX1LTXCci^XG)c!i^6GyH_m@eu9XU&5r;_aV`6(zAN1LNU$&5^l&I1Hl~)u z!_7ab>j}3$xYP`HOfK6Mj@};bh=p5Y;pVQe(G_ljepk3&es_EU<~PHSP62uI$ z>nArTQLc}r;(9IfI!c;v5%C=Ci?fxyl=UJ+UUO(Hk!pI)E#{EAeuaX?W163*d6VYr zG-syGFo9DDeSju16_fKqD)Ji33pD&BN0?l*3Hh2Z|>#?hNS`K0=gSSgH}_$sl# zCLXTt({TH55d7S_aX2xYh$@G$^4qA1uMzue;^$Z215R%tJZ1d+yYY3RRzC}gZwX#U z?bgTB8FeD691=~UwI+UU-MZ5%RDCO*L+N>3B0jC0LsW_0e?buzM?85BYkbCoU!rk- zpDHgxT!lga>*&p>La05WZXAIc`MDi9waf2k(j~eRM?fshGrbRM#lP5fJth6D5lITz zL$&-oBX!PSa3B8!JRla{$5*sI|6kxH-j;=h{fd5j3y6jH_dQ%d5W9-J&&3MhYmlF5 z{eK9er1dBmy6j}XmiWSc(hj`Vev4heYwdfu1$ZO+TQutQj^7u_PjKP$wSN)+#YOO+ zE`mP^oZ9vF^J(CQI}|BB4}5j7N$~raRsKvkB~u&ee>>t$;FQk+oecR~Cyb8aXhgpq 
zh@#-2r?o!s2jkyrKLAep-u(Pq>ksMu6Y{rK_&Wof;`Hj*2dg1ETE!j};G0~C7Dfto z(JqaSMn=TBZ6uaGZjI1Jk|H*dB=go-Hb0!mT1h)!C|ZfqK{1jaKafq?sbr+Jwg&BF z$ykX(Au(a4a&}=tj205(DJxkTAD@7UL$aW0yHu0;685jO*agWEnPv6vjqQ$G@jX2j zHnO-alEUh_WlwB(U$?tP?wtXI?MYVL)E>;9y~5hne?wQS-@2i<_s003H5lvakCRuq z<7T8-lCgj7&Klap6LoIGksEqkh?Pnv>;!iD(C!|0jdyF0t5$9bav`__@T9i!AWHY1 z9xGYQTj@kDN&9{JZh#hc7FnfY3RyXKL6l+0!^NU@BX<;87Pbp(Ys0T11i) zIrvlDE~uJ2Q-xwCpK}Qo>I$iBf(&%&K-Lx!d6f|qBV&1pcIqI`)DNMQmvC7cQFE_-5Ac6s49@ZMxRH6Yw&QsU z&j;A;9u#O!!uCAAWIm@A>AM-_iS2p*a1$^Zs-&;66__&z=kTT)?ro(H|L1t6$dvFe%anZJ)3r@e@3)mFtd z)8NAR|A`u>J&!kAwIRpJ4!B*GzeIsBjz1bzHPJ=vz5dQZo!Zyx${1(1zr2d50_hSt zIrlwPqt0pV(A0^i|3h?3Ievcs((}QwD@%2rrhhD;PLFeLSJl$ky0-mC9ZF-F$G{_s F{{qOMsAK>D 
diff --git a/examples/single-char b/examples/single-char deleted file mode 100755 index dcb0b67904b7817f41f3903570bcda089cc93bd6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16704 zcmeHOeQXrR6`%8AY`)Gm!Ht2mEQAP?#K#$oYX~lP_MKT*=A*=>jT%_izO#Mwd`Iv0 zQX4{xWE$y2olx~d5mF^+r8ZIXNBR#%k=mL-gHff%NKJ)WrF95NP12+eZ7Qb)uJ6sh zcivr}+p1Ff*N%1j=KbEsym>pjH{+Z6TBM_`#N!cMyy7zgxr3D^5+uRs7ODUViYBoL zuAdU06!U?fCoxkVGzmz}(qCey<%D~IqTO>OchdVvk10op6z%3JHHSEdRmJ!AJHU+sN)P%)0qHOm$u){e2+rnwzOYO~-ml}$nDRozDNW{Av z8#W}Ob%}T~J6Jc^)L7Tp;LoJ|8)d(jK_ED$cI@gBkL`Z*N7Z9L{AT$2x%bX!8WE>Euf~2o(ATANHvqAhc3>4dBsuiAv z4t(((cnoj_KF(qQpg2L`vCTC_aO_)^ST2G=Q^?~-9L^dUkujq2r0DI7L0!{&26e4B zp41cZBQap%4)kalLr)vpfDUTN;|*vOJ3881TD6V-jsDF-Ywz5tMPun$Up!;P(w#e7 z6RBjZQ}0fokG_Fal6+{UYEeautwjED%>#F46EJ)OvMb^XP=_85!Os`>Cs>7+LQIhY z&( zn&XhiD)LGYuO`mVq=~p!Hv?`4+zhxGa5La$z|DZ00XGA4XFwhPbGdr5^z{uws9zs7 zO7i3C@TKyL1%v$N>mbTMa09LttAbENz8~c`C-P7p_#N^%RlYec`R@bYdx{;@zt^6- zdO*!xSBGy*?dj|oDg6iNsv}FjB}wxIP|R2F1Dn59tO}!~`7AK%Na<-LTc(X_2+xmo z2ya1tqGHu?^nH;i=zm%2Z$5-%{arOTrCxY{yLw^Tt9o8huiiD5frCZ=Y&+T;2x#g{-3@82yWxnY<{~euxvul-`QAiB-|Axv#Y@-?fJXryyBxWV zDO68Z{}^IWM0raN^zjPe!KIXDiNimX1>`T>4_u%SIX4qrz}x z+EWmWpBOdf49L8qF)=X0OkTW`&#M>ic#W0yzX!XH+^vq>`{CT5 zLiuHXREIBm)Ge=P-@&o;#r>hjL;FJqLK^zVktN5RZIog2ZgDf8 zxEXLW;AX(hfSZAjGXoy@4Q)stdRQ^~bz@xyNKENX=zXh|t?Nb7B1onTtFRV=@~ree z(gYNL-@5UaeEtN`WmEb53qaQb?F72ugM9uH(BA;P0kq*(KL0Q*b@BIFES@8Kg=etR zvvP4+`6*9XCF1y-{}}j#pM#)h{e2B>ABRsf#5)F5gnX4xm9#FIUvd#5GHsp&coO9MQQqRKe5Rz`SM#(t z;!{TEMSQj2C=L4pPt8|-O~Yk7e8EG$rjRcX^3}HZlonqN=(qUFx&48N$Hv?`4+zhxGa5M06Wq|iX^8QC&gW#S@EV%Df7TRFBgjj<%uP!H^ z_gStap4U<A_}GS-Aaw=FR>9C{^J{RN24h$R2(b zmOSSfmXDJEF3CS4z7RM0|9=zSSMF@Lk;XwAQI_*Q*&VH|Tb0^ytUInJmHGf|{jINS zTu(J+V_;)_puV1y&&Cewg&nrM@82r&!v7?A|GFLbib=k)7J(ObfR`6Zq!)Jl^LVnT z!@lqNg2$a5FB5!!?0C80`)bD*2p%tXe4*fRWyfI@JMxKgFFbupQGAKmQxx|V&S%*D zR|tMy?Kn75tcY3n!pmS=QGBTwEQ;S#*k^6^=7pz=pL;uAEsBjVulR)Eeb#n;cq)Td z#H@Qoji@b(&+KEjT6qP(jb>1M4(Gu?UuF=qhVQ)+;S;AEd4`=45+8Nos|n}#sOd$B 
zPea86`|8!8iSTpZD)HI*IRrSiTX-*fAHyKE4dNN6fyDzaoA9KHw()AS<)S)d$kg?ECvFbf5%I6FHxYGQgKYeh$<35B3ww zy--nP&3<`C;r$HZ0UX zNaOq=lD!5v>O1rB2I)uW9K{&vzYRFX>D0dkxMFFKtBc`1zJ?hq?MWLMBiq~S?-4Vn zNHk+W>%ns*cq}EF()tpqZatwzjZ`|L>DfWilNvajh#9e{KTuo)53uCr})7tiic1Ek%AzipPd%v8Zn7>~-c0k4;G)`>`RAYcMm<>wvNS@QxPEq_loL8O4J=?Ylt> z&JJnWObk*m6Fue<`0h-G+{mLtng-{BIDvRzsOTvm`w1jlWWt{r8Zh*3phnuH{alMD z;oQ+-;fG%=V*b8l*593t!@03|l%P;cd!3>82`TH>GyTFJ9ZG^flNxDL@L~ zgL$5(GF7NCXZ!?pT1ZJhfkFMj=h2TZv`jw8wd$_4()ZK!LI$QK$Vc9QM3!U|Q}N@SHbx zdj%>u*T!cE3(qI{e6UlWd8V&{O$B_|p4TB$bbgxk&^H$5nZ5xSjy<;L^$MTAo}l=7 ze6k(i$7jJ7RoI@_HP$hAJ;zC23;k#Q zBdB039DguqN}A@dclx^v>KH$%o5pZu`*j7xtWY|o4I;=F#;&O%uLsFtfD(`2LwHL$ pZ~Xqn=YwOHhIBcFUo248Ih=F*rWEJU#qEFEWNP3##9ADz_!oW5f`kA7 diff --git a/examples/xor-o-rama.c b/examples/xor-o-rama.c new file mode 100644 index 0000000..10dfdbd --- /dev/null +++ b/examples/xor-o-rama.c 
@@ -0,0 +1,63 @@
+// xor-o-rama.c
+// -------------
+//
+// This is probably a more real-life (or CTF-like at least) example than single-char and double-trouble.
+// The input gets XORed character-wise with a magic value.
+//
+// Compile with
+// gcc -o xor-o-rama xor-o-rama.c
+//
+// Let's start easy with the very basics required by BARF:
+// - our positve-addr is at 0x0000555555555312 <+360>, where our counter variable is increased (`i++`)
+// - our win-addr is at 0x000055555555532c <+386>, where `mov eax,0x0` is preparing the value for `return 0`.
+// Although it is not part of the code below, it is added by the compiler, because our main function needs
+// to return an integer.
+// You may wonder why we didn't choose to use a negative address here, although we check for non-equality (!=).
+// The relevant code is sitting at 0x0000555555555307 <+349> until 0x0000555555555310 <+358>, by the way.
+// That's because the score of this breakpoint will always be -1, as we are only hitting it once, then return.
+// Even if we have guessed the correct character (thus, didn't hit it), we will hit it the next round and again
+// have a score of -1. So BARF cannot detect a right character until we give an address we only reach when a
+// character was correct.
+// So, the correct call would be:
+// ./barf.sh --positive-addr 0x555555555312 --win-addr 0x55555555532c ./xor-o-rama
+//
+// Persistent Mode
+// To speed things up, we will dive into persistent mode.
+// - our start-addr is at 0x00005555555552d9 <+303>, right after the `fgets(...)` call
+// - our end-addr is at 0x0000555555555332 <+392>, the return instruction
+// - our buffer sits at 0x7fffffffdf00 on the stack
+// So let's get it groovin':
+// ./barf.sh --positive-addr 0x555555555312 --win-addr 0x55555555532c --start-addr 0x5555555552d9 --end-addr 0x555555555332 --buff-addr 0x7fffffffdf00 --persistent ./xor-o-rama
+//
+
+#include
+
+#define BUFSIZE 32
+
+// Takes a string and crypts it in-situ
+void crypt(char* b) {
+ char magicVal[] = {0x23, 0x42, 0x13, 0x37, 0x0B, 0x0E, 0x0E, 0x0F};
+ for(int i = 0; i < BUFSIZE; i++) {
+ b[i] = (b[i] ^ magicVal[i % 8]) % 256;
+ }
+}
+
+int main(int argc, char* argv[]) {
+ char buf[BUFSIZE];
+ int flag[BUFSIZE] = {0x60, 0x16, 0x55, 0x4c, 0x65, 0x3e, 0x51, 0x78, 0x17, 0x3b, 0x4c, 0x4e, 0x3b, 0x7b, 0x51, 0x2b, 0x13, 0x2e, 0x65, 0x4, 0x6f, 0x51, 0x7a, 0x67, 0x17, 0x36, 0x6e, 0x3d};
+ // for debugging purposes, the flag is 'CTF{n0_w4y_y0u_$0lv3d_th4t}' ;)
+
+ // read input
+ fgets(buf, BUFSIZE, stdin);
+
+ // crypt input
+ crypt(buf);
+
+ // walk input
+ int i = 0;
+ while(flag[i] != '\0' && i < BUFSIZE) {
+ if(buf[i] != flag[i]) return 1;
+ i++;
+ }
+}
+
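Review bot: In `main`, `buf` is declared without an initializer and the result of `fgets` is ignored, yet `crypt` XORs all `BUFSIZE` bytes, so for any line shorter than 31 bytes (or on EOF) it reads indeterminate stack bytes. Zero-initialising the buffer and checking the read closes that: `char buf[BUFSIZE] = {0};` and `if (fgets(buf, BUFSIZE, stdin) == NULL) return 1;`. The walk loop also tests `flag[i]` before the bound, which stays in range only because `flag` has 28 initialisers; `while(i < BUFSIZE && flag[i] != '\0')` keeps it safe if the flag ever fills the array. Any such change will probably shift the instruction offsets quoted in the header comment, so those addresses would need to be re-derived from the rebuilt binary.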