Add example 'xor-o-rama', delete binaries

examples/xor-o-rama.c

@@ -0,0 +1,63 @@
+// xor-o-rama.c
+// -------------
+//
+// This is probably a more real-life (or CTF-like at least) example than single-char and double-trouble.
+// The input gets XORed character-wise with a magic value.
+//
+// Compile with
+//  gcc -o xor-o-rama xor-o-rama.c
+//
+// Let's start easy with the very basics required by BARF:
+// - our positve-addr is at 0x0000555555555312 <+360>, where our counter variable is increased (`i++`)
+// - our win-addr is at 0x000055555555532c <+386>, where `mov eax,0x0` is preparing the value for `return 0`.
+//   Although it is not part of the code below, it is added by the compiler, because our main function needs
+//   to return an integer.
+// You may wonder why we didn't choose to use a negative address here, although we check for non-equality (!=).
+// The relevant code is sitting at 0x0000555555555307 <+349> until 0x0000555555555310 <+358>, by the way.
+// That's because the score of this breakpoint will always be -1, as we are only hitting it once, then return.
+// Even if we have guessed the correct character (thus, didn't hit it), we will hit it the next round and again
+// have a score of -1. So BARF cannot detect a right character until we give an address we only reach when a
+// character was correct.
+// So, the correct call would be:
+//  ./barf.sh --positive-addr 0x555555555312 --win-addr 0x55555555532c ./xor-o-rama
+//
+// Persistent Mode
+// To speed things up, we will dive into persistent mode.
+// - our start-addr is at 0x00005555555552d9 <+303>, right after the `fgets(...)` call
+// - our end-addr is at 0x0000555555555332 <+392>, the return instruction
+// - our buffer sits at 0x7fffffffdf00 on the stack
+// So let's get it groovin':
+//  ./barf.sh --positive-addr 0x555555555312 --win-addr 0x55555555532c --start-addr 0x5555555552d9 --end-addr 0x555555555332 --buff-addr 0x7fffffffdf00 --persistent ./xor-o-rama
+//
+
+#include <stdio.h>
+
+#define BUFSIZE 32
+
+// Takes a string and crypts it in-situ
+void crypt(char* b) {
+	char magicVal[] = {0x23, 0x42, 0x13, 0x37, 0x0B, 0x0E, 0x0E, 0x0F};
+	for(int i = 0; i < BUFSIZE; i++) {
+		b[i] = (b[i] ^ magicVal[i % 8]) % 256;
+	}
+}
+
+int main(int argc, char* argv[]) {
+	char buf[BUFSIZE];
+	int flag[BUFSIZE] = {0x60, 0x16, 0x55, 0x4c, 0x65, 0x3e, 0x51, 0x78, 0x17, 0x3b, 0x4c, 0x4e, 0x3b, 0x7b, 0x51, 0x2b, 0x13, 0x2e, 0x65, 0x4, 0x6f, 0x51, 0x7a, 0x67, 0x17, 0x36, 0x6e, 0x3d};
+	// for debugging purposes, the flag is 'CTF{n0_w4y_y0u_$0lv3d_th4t}' ;)
+
+	// read input
+	fgets(buf, BUFSIZE, stdin);
+
+	// crypt input
+	crypt(buf);
+
+	// walk input
+	int i = 0;
+	while(flag[i] != '\0' && i < BUFSIZE) {
+		if(buf[i] != flag[i]) return 1; 
+		i++;
+	}
+}
+