These are notes I took while listening to Terence Tao's lecture on YouTube titled "Structure and randomness in prime numbers". Most of the topics were taken and paraphrased from his slides, but I also added some of the additional comments he made during the lecture.
There are many other sources where these topics are treated more clearly; however, this post is intended to help me memorize the material. I'm very excited by the fact that these materials are freely available on the web, and I believe they are one of the main reasons why the internet should exist.
Description
This CTF challenge is taken from https://ropemporium.com/challenge/badchars.html.
The aim of this challenge is similar to the previous one (write4): store a string into memory and call print_file to show the content of flag.txt. The difference is that badchars are applied to every character passed as input, so the string might be handled in some way to change its content after storing it in memory.
More information is available on the linked website.
Description
This challenge has been taken from https://ropemporium.com/challenge/write4.html. This time the string cat flag.txt is not contained in the binary. We’re given a couple of hints:
- there’s a function print_file() which takes the filename string as the first argument;
- we need to search for a gadget which stores a value into the memory such as mov [reg], reg.
Explore the binary
Download the challenge:
curl --output split.
Description
This challenge has been taken from https://ropemporium.com/challenge/split.html. The purpose is to call the system() function with /bin/cat flag.txt as parameter. We also know that this string is contained in a section inside our binary. More information in the linked website.
How to build the ROP chain
Download the challenge:
$ curl --output split.zip https://ropemporium.com/binary/split.zip
$ unzip split.zip && rm split.zip
Since the string is contained in the executable, let’s start using rabin2 to locate it:
Description
This challenge has been taken from https://ropemporium.com/challenge/callme.html. The purpose is to change the flow of execution such that the functions callme_one, callme_two, and callme_three are called in sequence with 0xdeadbeefdeadbeef, 0xcafebabecafebabe, and 0xd00df00dd00df00d as parameters for each of them. More information in the linked website.
How to build the ROP chain
Download the challenge:
$ curl --output callme.zip https://ropemporium.com/binary/callme.zip
$ unzip callme.zip && rm callme.zip
First, let’s see the function written by the programmer:
Description
This challenge has been taken from http://aes.cryptohack.org/ecb_oracle/. What we have is a function that concatenates the FLAG to a plaintext given as a parameter and encrypts it with AES in ECB mode.
Here’s chall.py:
#!/usr/bin/python3
from flag import FLAG
from Crypto.Cipher import AES
from Crypto.