Friday 3 September 2021

Competitions to participate in Indian schools (class 6 - class 12)

Class 5,6,7: refer primary/Sub Junior books from AMTI

(AMTI books: https://www.amtionline.com/suggested-for-level.php)

Class 8: refer Sub Junior books from AMTI

    Just after class 7 final exams, start studying for NSEJS (Junior science Olympiad which is to be taken when the student is in 9th standard around November time.  For this exam one should have completed  Physics, Chemistry, Mathematics, Biology (PCMB) books of NCERT class 9, class10, class 11 for all science (PCMB) subjects. 

    So prepare for NSEJS/INJSO at least complete reading class 8, class 9 and class 10 NCERT books in class 8th itself. 

     Join class 8 tuition (https://www.ahaguru.com/ - for online classes or any reputed IIT coaching centre)

Class 9: NSEJS/INJSO, Bhaskara contest - refer Junior books from AMTI

     Complete class 11/12 books: (do all worked examples in Physics and Physical Chemistry)

     Physics - HC verma (Vol I, Vol II), Sears and Zemansky - University Physics

     Chemistry - Raymond Chang, RC Mukherjee

     Biology - NCERT class 11, class 12 before November

     Maths - read till class 10, and read HC verma Vol I chapter - Math foundations for Physics.

     Join class 9 IIT Foundation tuition (https://www.ahaguru.com/ - for online classes or any reputed IIT coaching centre)

    Maths - refer AOPS Vol -I book if possible.

Class 10PreRMO/RMO, NTSE, Bhaskara contest - refer Junior books from AMTI

          Join class 10 IIT foundation tuition (https://www.ahaguru.com/ - for online classes or any reputed IIT coaching centre)

    Maths - refer AOPS VOL-I if possible (https://artofproblemsolving.com/store/list/all-products)

Class 11:  PreRMO/RMO, KVPY SA

            Join integrated coaching college, dummy PU college, (For self study: online coaching - https://www.competishun.com with Resonance DLP package)

   Maths (RMO) - refer AOPS VOL-II and AOPS Intermediate books (Algebra,  Counting and Probability) if possible (https://artofproblemsolving.com/store/list/all-products).

IIT JEE books (complete IIT coaching DLP by referring to following textbooks for better understanding) 

    Physics - HC Verma Vol I, HC Verma Vol II, Cengage publications BM sharma (lot of problems), 41+ years of Topicwise JEE previous year problems/solutions. 

(Ref: Resnick, Halliday, Krane (heavier) or Walker (lighter), Ref: irodov problems, Ref: irodov solutions)

    Chemistry - PC: NCERT, RC Mukherjee (ref: Atkins), IOC - NCERT, OC - NCERT (ref: Paula Bruice), 41+ years of Topicwise JEE previous year problems/solutions.

    Mathematics - Cengage Publications , 41+ years of Topicwise JEE previous year problems/solutions.

    (Ref: SL Loney - Trigonometry,  Sl Loney - Co-ordinate Geometry, Hall and Knight - Higher Algebra)

     KVPY SA resonance books.

Class 12

        NSEP, NSEC, JEE, KVPY SB, ...

(Note: Pure science available options: KVPY rank (< 300) - IISC BS (https://ug.iisc.ac.in/), (> 300) - IISER (http://www.iiseradmission.in/), IIST (https://www.iist.ac.in/))




Friday 27 March 2020

Becoming an Systems Software Engineer

My Coursera experience becoming a better Systems Software engineer.

1) Cloud Computing Concepts part 1 - Illunois (UIUC)
2) Cloud Computing Concepts part 2 - Illunois (UIUC)
3) C++ For C Programmers Part A  - Ira Pohl
4) C++ For C Programmers Part B - Ira Pohl
4) Software Security - University of Maryland.
5) Algorithms - Tim Roughgarden (Stanford)

Skills needed:
 - C, C++, Python, Pthreads, Linux kernel, Linux device drivers
 - Distributed Systems
 - TCP/IP, socket programming, Intrusion detection systems, Firewall.

 - Storage (virtual volumes, snapshots, RAID)
 - Coding interviews (https://elementsofprogramminginterviews.com/

Coursera becoming an Engineer (Machine Learning, Data Science).

My Coursera experience, a beginners guide to become Machine Learning engineer.

1) Mathematics for Machine Learning - Imperial college London
2) Machine Learning - Andrew NG (stanford)
3) TensorFlow in Practice - deeplearning.ai
4) AI for Everyone (deeplearning.ai)
5) Deep Learning - Andrew NG (deeplearning.ai)
6) Applied Machine Learning in Python - Michigan University

My Coursera experienc, a beginners guide to become Data Science engineer.

1)  Data Science Specialization - JHU
      a) R Programming
      b) Statistical Inference
      c) Regression Models
      d) Practical Machine Learning
2)  Statistics with R - Duke University
3) Statistical learning - Hastie and Tibshirani (non-coursera)

Monday 25 September 2017

Key-Value stores (B+ trees, LSM)

If you are into storage domain, then key-value stores are the new thing. One needs to be familiar with some of the latest key-value store architectures. Following are a couple of videos to start off in this
area
  1. Berkeley DB provides the basic architecture for a key value store.
  2. Indeed's architecture would give some idea on LSM (converting random updates/writes to sequential writes).
  3. ForestDB provides details on couchbase architecture along with SSD optimizations.
  4. LevelDB, RocksDB, WiredTiger are some of the others to look at.

Lauren Foutz - BerkeleyDB [The Databaseology Lectures - CMU Fall 2015]

https://www.youtube.com/watch?v=HO9UKYomI7c


From 1 To 1 Billion: Evolution of Indeed's Document Serving System

https://www.youtube.com/watch?v=jwq_0mPNnN8


Next Generation Storage Engine: ForestDB – Couchbase Connect 2015



Optimizing ForestDB for Flash-based SSD – Couchbase Connect 2015

https://www.youtube.com/watch?v=x0T4qmc1mkI

Coding interviews

From my experience of being a systems software engineer I feel one needs to be always ready for a coding interview, since you don't know when there is an new opportunity/layoff. More the experience, more you need to prove that you are a hands-on person in any technical interview along with strong domain/product expertise.  My main experience is into C/C++, storage stack, network stack, Unix/Linux kernel. I found the following coding interview book quite good, along with this algorithms book by Cormen should get you started. Just read through the pseudo code available in Cormen to refresh your memory and then the coding interview books. I would recommend code some/all of the questions on paper/PC (for any skype interviews). Before the interview keep yourself calm which helps to be creative during interviews. The coding interview preparation should get you some of the ideas which helps you in the interview instead of reinventing the wheel for every question during the interview process.

Elements of Programming Interviews  - by Adnan Aziz  (Author), Tsung-Hsien Lee  (Author), Amit Prakash  (Author)



http://elementsofprogramminginterviews.com/ 


Typical coding questions asked in an interview from my recent experience are (If you know of one solution try to know multiple solutions). 

1)  Print a binary tree print level by level.
2)  Mirror image of a binary tree
3)  Intersection of two single linked lists, find the intersection point
4)  Print a two dimensional array in spiral form.
5)  Find duplicate numbers in an array 
6)  XOR two unsigned integers without using bitwise xor operation.
7)  How do you implement a buffer cache (typical answer from "Design of Unix operating system" by Maurice Bach).
8) Egg drop puzzle
9) bee running between two moving in trains
10) find a value in a rotated sorted array
11) reverse a linked list

Friday 7 November 2014

2014 reversing the reverse-challenge binary from coursera.

One more reverse challenge from coursera malware class. This is the 2014 class.
similar to previous challenge which is posted in previous blog.

seed@seed-desktop:~/projects/2$ ./reverse-challenge
Are you feeling lucky today? s
^C
[6]+  Stopped                 ./reverse-challenge

seed@seed-desktop:~/projects/2$ file reverse-challenge
reverse-challenge: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped

seed@seed-desktop:~/projects/2$ grep "41 72" rc
 8048cba:    00 41 72                 add    %al,0x72(%ecx)

 8048a54:       c7 04 24 bb 8c 04 08    movl   $0x8048cbb,(%esp)
 8048a5b:       e8 c0 fa ff ff          call   8048520 <printf@plt>
This is where the question "Are you feeling lucky today?" gets asked as detailed in previous blog.

Then we have switch of 0x43, 0x4e and 0x41.

0x4e (N) case is interesting which jumps to 0x8048743 others are dead-end.

 804872d:       55                      push   %ebp
 804872e:       89 e5                   mov    %esp,%ebp
 8048730:       31 db                   xor    %ebx,%ebx
 8048732:       6a 04                   push   $0x4
 8048734:       5b                      pop    %ebx
 8048735:       01 e3                   add    %esp,%ebx
 8048737:       8b 1b                   mov    (%ebx),%ebx
 8048739:       83 c3 10                add    $0x10,%ebx
 804873c:       b8 11 00 00 00          mov    $0x11,%eax
 8048741:       5d                      pop    %ebp
 8048742:       c3                      ret
 8048743:       55                      push   %ebp
 8048744:       89 e5                   mov    %esp,%ebp
 8048746:       83 ec 28                sub    $0x28,%esp
 8048749:       8b 45 08                mov    0x8(%ebp),%eax
 804874c:       89 45 f4                mov    %eax,-0xc(%ebp)
 804874f:       53                      push   %ebx
 8048750:       31 db                   xor    %ebx,%ebx
 8048752:       6a 30                   push   $0x30
 8048754:       5b                      pop    %ebx
 8048755:       01 e3                   add    %esp,%ebx
 8048757:       e8 d1 ff ff ff          call   804872d <close@plt+0x10d>
 804875c:       8b 55 0c                mov    0xc(%ebp),%edx
 804875f:       50                      push   %eax
 8048760:       31 c0                   xor    %eax,%eax
 8048762:       6a 0c                   push   $0xc
 8048764:       58                      pop    %eax
 8048765:       01 d0                   add    %edx,%eax
 8048767:       50                      push   %eax
 8048768:       53                      push   %ebx
 8048769:       c3                      ret
 804876a:       b8 01 c7 45 f0          mov    $0xf045c701,%eax
 804876a:       b8 01 c7 45 f0          mov    $0xf045c701,%eax
 804876f:       fa                      cli
 8048770:       00 00                   add    %al,(%eax)
 8048772:       00 58 eb                add    %bl,-0x15(%eax)
 8048775:       27                      daa
 8048776:       8b 45 f4                mov    -0xc(%ebp),%eax
 8048779:       0f b6 00                movzbl (%eax),%eax
 804877c:       83 c0 01                add    $0x1,%eax
 804877f:       89 c2                   mov    %eax,%edx
 8048781:       8b 45 f4                mov    -0xc(%ebp),%eax
 8048784:       88 10                   mov    %dl,(%eax)
 8048786:       8b 45 f4                mov    -0xc(%ebp),%eax
 8048789:       0f b6 00                movzbl (%eax),%eax
 804878c:       8b 55 f0                mov    -0x10(%ebp),%edx
 804878f:       83 e2 2b                and    $0x2b,%edx
 8048792:       31 c2                   xor    %eax,%edx
 8048794:       8b 45 f4                mov    -0xc(%ebp),%eax
 8048797:       88 10                   mov    %dl,(%eax)
 8048799:       83 45 f4 01             addl   $0x1,-0xc(%ebp)
 804879d:       8b 45 f4                mov    -0xc(%ebp),%eax
 80487a0:       0f b6 00                movzbl (%eax),%eax
 80487a3:       84 c0                   test   %al,%al
 80487a5:       75 cf                   jne    8048776 <close@plt+0x156>
 80487a7:       c7 44 24 04 80 8c 04    movl   $0x8048c80,0x4(%esp)
 80487ae:       08
 80487af:       8b 45 08                mov    0x8(%ebp),%eax
 80487b2:       89 04 24                mov    %eax,(%esp)
 80487b5:       e8 46 fd ff ff          call   8048500 <strcmp@plt>
 80487ba:       85 c0                   test   %eax,%eax
 80487bc:       75 07                   jne    80487c5 <close@plt+0x1a5>
 80487be:       b8 01 00 00 00          mov    $0x1,%eax
 80487c3:       eb 05                   jmp    80487ca <close@plt+0x1aa>
 80487c5:       b8 00 00 00 00          mov    $0x0,%eax
 80487ca:       c9                      leave
 80487cb:       c3                      ret

(gdb) p/x 0x5c + 0x10
$3 = 0x6c

This code just adds 0x10 to 804875c and jumps to 804876c. compared to previous example it has a detour by calling a function
but the gist is it jumps to middle of instruction at
804876a:       b8 01 c7 45 f0          mov    $0xf045c701,%eax

The actual disassembly is as in prev blog starting at 804876c.
   0:    c7 45 f0 fa 00 00 00     movl   $0xfa,-0x10(%ebp)
   7:    58                       pop    %eax
   8:    eb 17                    jmp    0x21

Next is the loop doing the magic conversion of input and strcmp thereafter.  
 8048776:       8b 45 f4                mov    -0xc(%ebp),%eax
 8048779:       0f b6 00                movzbl (%eax),%eax
 804877c:       83 c0 01                add    $0x1,%eax
 804877f:       89 c2                   mov    %eax,%edx
 8048781:       8b 45 f4                mov    -0xc(%ebp),%eax
 8048784:       88 10                   mov    %dl,(%eax)
 8048786:       8b 45 f4                mov    -0xc(%ebp),%eax
 8048789:       0f b6 00                movzbl (%eax),%eax
 804878c:       8b 55 f0                mov    -0x10(%ebp),%edx
 804878f:       83 e2 2b                and    $0x2b,%edx
 8048792:       31 c2                   xor    %eax,%edx
 8048794:       8b 45 f4                mov    -0xc(%ebp),%eax
 8048797:       88 10                   mov    %dl,(%eax)
 8048799:       83 45 f4 01             addl   $0x1,-0xc(%ebp)
 804879d:       8b 45 f4                mov    -0xc(%ebp),%eax
 80487a0:       0f b6 00                movzbl (%eax),%eax
 80487a3:       84 c0                   test   %al,%al
 80487a5:       75 cf                   jne    8048776 <close@plt+0x156>

This is modified input = (input +1)  ^ 0x2a (where 0x2a is got from 0xfa & 0x2b).

 80487a7:       c7 44 24 04 80 8c 04    movl   $0x8048c80,0x4(%esp)
 80487ae:       08
 80487af:       8b 45 08                mov    0x8(%ebp),%eax
 80487b2:       89 04 24                mov    %eax,(%esp)
 80487b5:       e8 46 fd ff ff          call   8048500 <strcmp@plt>
 80487ba:       85 c0                   test   %eax,%eax
 80487bc:       75 07                   jne    80487c5 <close@plt+0x1a5>
 80487be:       b8 01 00 00 00          mov    $0x1,%eax
 80487c3:       eb 05                   jmp    80487ca <close@plt+0x1aa>
 80487c5:       b8 00 00 00 00          mov    $0x0,%eax
 80487ca:       c9                      leave
 80487cb:       c3                      ret

The modified input is getting strcmp with string at 0x8048c80. 
(gdb) x/s 0x8048c80
0x8048c80:     "@EHJ~@DZEL"

modified input == "@EHJ~@DZEL"

so input = (modified input ^ 0x2a)  - 1

seed@seed-desktop:~/projects/2$ python -c 'print "".join([chr((ord (k)^0x2A)-1) for k in "@EHJ~@DZEL"])'
ina_Simone

The first character of input is 'N'.
So the secret input is Nina_Simone.

seed@seed-desktop:~/projects/2$ ./reverse-challenge
Are you feeling lucky today? Nina_Simone         
[+] WooT! THE KEY IS: Nina_Simone
[+] If you want, now open a terminal and type:

echo "Nina_Simone" | nc 134.219.148.8 8080

Reversing a bonus challenge binary which appeared in coursera malware class.

The challenge is to crack the challenge by answering it right.

seed@seed-desktop:~/projects/2$ ./bonus_reverse-challenge
Are you feeling lucky today? 1
^C
[2]+  Stopped                 ./bonus_reverse-challenge

seed@seed-desktop:~/projects/2$ file ./bonus_reverse-challenge
./bonus_reverse-challenge: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, stripped

This is a stripped binary so cannot find main in objdump output. So the guess is since "Are you feeling lucky today?" is printed by
a call to printf with the string as an argument in the program. we need to find where the string is and where is getting loaded to stack
just before a call to printf, then we know that we are somewhere in code section and check what happens after that to our input.

(gdb) p/x 'A'
$1 = 0x41
(gdb) p/x 'r'
$2 = 0x72
(gdb)

"Are you feeling lucky today?" starts with 'A' and 'r' so we try to find 41 and 72 in objdump.

seed@seed-desktop:~/projects/2$ objdump -D ./bonus_reverse-challenge > obj
seed@seed-desktop:~/projects/2$ grep -n "41 72" obj
1018: 8048bfa:    00 41 72                 add    %al,0x72(%ecx)
(gdb) x/s 0x8048bfb
0x8048bfb:     "Are you feeling lucky today? "
searching 8048bfb to figuring who is loading it to stack in objdump gives.
 8048997:       b8 fb 8b 04 08          mov    $0x8048bfb,%eax
 804899c:       89 04 24                mov    %eax,(%esp)
 804899f:       e8 0c fb ff ff          call   80484b0 <printf@plt>
 80489a4:       a1 60 a0 04 08          mov    0x804a060,%eax
 80489a9:       89 04 24                mov    %eax,(%esp)
 80489ac:       e8 0f fb ff ff          call   80484c0 <fflush@plt>
 80489b1:       c7 44 24 08 ff 01 00    movl   $0x1ff,0x8(%esp)
 80489b8:       00
 80489b9:       8d 44 24 20             lea    0x20(%esp),%eax
 80489bd:       89 44 24 04             mov    %eax,0x4(%esp)
 80489c1:       c7 04 24 00 00 00 00    movl   $0x0,(%esp)
 80489c8:       e8 d3 fa ff ff          call   80484a0 <read@plt>
 80489cd:       8d 44 24 20             lea    0x20(%esp),%eax
 80489d1:       c7 44 24 1c ff ff ff    movl   $0xffffffff,0x1c(%esp)
 80489d8:       ff
 80489d9:       89 c2                   mov    %eax,%edx
 80489db:       b8 00 00 00 00          mov    $0x0,%eax
 80489e0:       8b 4c 24 1c             mov    0x1c(%esp),%ecx
 80489e4:       89 d7                   mov    %edx,%edi
 80489e6:       f2 ae                   repnz scas %es:(%edi),%al
 80489e8:       89 c8                   mov    %ecx,%eax
 80489ea:       f7 d0                   not    %eax
 80489ec:       83 e8 01                sub    $0x1,%eax
 80489ef:       89 84 24 28 02 00 00    mov    %eax,0x228(%esp)
 80489f6:       8b 84 24 28 02 00 00    mov    0x228(%esp),%eax
 80489fd:       83 e8 01                sub    $0x1,%eax
 8048a00:       0f b6 44 04 20          movzbl 0x20(%esp,%eax,1),%eax
 8048a05:       3c 0a                   cmp    $0xa,%al
 8048a07:       75 0f                   jne    8048a18 <close@plt+0x498>
 8048a09:       8b 84 24 28 02 00 00    mov    0x228(%esp),%eax
 8048a10:       83 e8 01                sub    $0x1,%eax
 8048a13:       c6 44 04 20 00          movb   $0x0,0x20(%esp,%eax,1)
 8048a18:       0f b6 44 24 20          movzbl 0x20(%esp),%eax
 8048a1d:       0f be c0                movsbl %al,%eax
 8048a20:       83 f8 42                cmp    $0x42,%eax
 8048a23:       74 17                   je     8048a3c <close@plt+0x4bc>
 8048a25:       83 f8 43                cmp    $0x43,%eax
 8048a28:       74 1f                   je     8048a49 <close@plt+0x4c9>
 8048a2a:       83 f8 41                cmp    $0x41,%eax
 8048a2d:       75 27                   jne    8048a56 <close@plt+0x4d6>
 8048a2f:       c7 84 24 2c 02 00 00    movl   $0x804872b,0x22c(%esp)
 8048a36:       2b 87 04 08
 8048a3a:       eb 1c                   jmp    8048a58 <close@plt+0x4d8>
 8048a3c:       c7 84 24 2c 02 00 00    movl   $0x8048644,0x22c(%esp)
 8048a43:       44 86 04 08
 8048a47:       eb 0f                   jmp    8048a58 <close@plt+0x4d8>
 8048a49:       c7 84 24 2c 02 00 00    movl   $0x80486ca,0x22c(%esp)
 8048a50:       ca 86 04 08
 8048a54:       eb 02                   jmp    8048a58 <close@plt+0x4d8>
 8048a56:       eb fe                   jmp    8048a56 <close@plt+0x4d6>
 8048a58:       0f b6 44 24 20          movzbl 0x20(%esp),%eax
 8048a5d:       0f be c0                movsbl %al,%eax
 8048a60:       83 e8 42                sub    $0x42,%eax
 8048a63:       89 84 24 24 02 00 00    mov    %eax,0x224(%esp)
 8048a6a:       8b 84 24 24 02 00 00    mov    0x224(%esp),%eax
 8048a71:       89 44 24 04             mov    %eax,0x4(%esp)
 8048a75:       8d 44 24 20             lea    0x20(%esp),%eax
 8048a79:       83 c0 01                add    $0x1,%eax
 8048a7c:       89 04 24                mov    %eax,(%esp)
 8048a7f:       8b 84 24 2c 02 00 00    mov    0x22c(%esp),%eax
 8048a86:       ff d0                   call   *%eax
 8048a88:       89 84 24 20 02 00 00    mov    %eax,0x220(%esp)
 8048a8f:       83 bc 24 20 02 00 00    cmpl   $0x0,0x220(%esp)
 8048a96:       00
 8048a97:       74 1a                   je     8048ab3 <close@plt+0x533>
 8048a99:       b8 19 8c 04 08          mov    $0x8048c19,%eax
 8048a9e:       8d 54 24 20             lea    0x20(%esp),%edx
 8048aa2:       83 c2 01                add    $0x1,%edx
 8048aa5:       89 54 24 04             mov    %edx,0x4(%esp)
 8048aa9:       89 04 24                mov    %eax,(%esp)
 8048aac:       e8 ff f9 ff ff          call   80484b0 <printf@plt>
 8048ab1:       eb 23                   jmp    8048ad6 <close@plt+0x556>
 8048ab3:       0f b6 44 24 20          movzbl 0x20(%esp),%eax
 8048ab8:       3c 42                   cmp    $0x42,%al

As you can see this is similar to reverse-ex:
printf("Are you feeling lucky today?");
fflush()
read(0,buf,511)
if (buf[n
n = strlen(buf);
if(buf[n-1] = '\n')
    buf[n-1] = 0;
   
switch[buf[0])   
    case 0x42:
        calls 0x8048644
        break;
    case 0x43:
        calls $0x80486ca
        break;
    case 0x41:
        calls 0x804872b
        break;
    default:
        loop
       
Let's test above analysis.

seed@seed-desktop:~/projects/2$ ./bonus_reverse-challenge
Are you feeling lucky today? A
[~] Maybe.
seed@seed-desktop:~/projects/2$ ./bonus_reverse-challenge
Are you feeling lucky today? B
[-] Nope.
seed@seed-desktop:~/projects/2$ ./bonus_reverse-challenge
Are you feeling lucky today? C
[~] Maybe.
seed@seed-desktop:~/projects/2$ ./bonus_reverse-challenge
Are you feeling lucky today? D
^C
[4]+  Stopped                 ./bonus_reverse-challenge

looks like some progress. Let's choose B route since it is different. Other's will lead to dead-end
but interesting stuff.
So jumping to 0x8048644 the 'B' related answer. This function gets called with two arguments (buf + 1) and (buf[0] - 0x42 = 0).

 8048644:       55                      push   %ebp
 8048645:       89 e5                   mov    %esp,%ebp
 8048647:       57                      push   %edi
 8048648:       56                      push   %esi
 8048649:       83 ec 10                sub    $0x10,%esp
 804864c:       8b 45 08                mov    0x8(%ebp),%eax
 804864f:       89 45 f4                mov    %eax,-0xc(%ebp)
 8048652:       8b 55 0c                mov    0xc(%ebp),%edx
 8048655:       50                      push   %eax
 8048656:       31 c0                   xor    %eax,%eax
 8048658:       68 64 86 04 08          push   $0x8048664
 804865d:       58                      pop    %eax
 804865e:       01 d0                   add    %edx,%eax
 8048660:       50                      push   %eax
 8048661:       c3                      ret

Here ret is popping 0x8048664 and jumping to it, Now instruction pointer is at 0x8048664.
 8048662:       b8 01 c7 45 f0          mov    $0xf045c701,%eax
 8048667:       fa                      cli
 8048668:       00 00                   add    %al,(%eax)
 804866a:       00 58 eb                add    %bl,-0x15(%eax)
 804866d:       17                      pop    %ss
 804866e:       8b 45 f4                mov    -0xc(%ebp),%eax
 8048671:       0f b6 00                movzbl (%eax),%eax
...
As you can 0x8048664 is middle of instruction at  0x8048662, so this means objdump disassembly for this piece of
code is bad, let's fix it to find the right instructions which get executed.

code jumps to 8048664 which is the middle of disassembled instruction at 8048662.
So we need to find to what extent the disassembly is bad and of-course the real
opcodes that will be executed.
So implemented a simple C code which converts hex to binary for the opcodes in hex
from address 8048664 for some bytes till the new disassembly (got from feeding the
binary output to objdump) matches the original disassembly.

seed@seed-desktop:~/projects/2$ cat x.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>


unsigned char a[64] = {0xc7,0x45,0xf0,0xfa,0x00,0x00,0x00,0x58,
              0xeb,0x17,0x8b,0x45,0xf4,0x0f,0xb6,0x00,
              0x8b,0x55,0xf0,0x83,0xe2,0x2b,0x31,0xc2,
              0x8b,0x45,0xf4,0x88,0x10,0x83,0x45,0xf4,
              0x01,0x8b,0x45,0xf4,0x0f,0xb6,0x00,0x84,
              0xc0,0x75,0xdf,0x8b,0x45,0x08,0x89,0xc2,
              0xb8,0xc0,0x8b,0x04,0x08,0xb9,0x0f,0x00,
              0x00,0x00,0x89,0xd6,0x89,0xc7,0xf3,0xa6};
main()
{
int fd;
int ret;

fd = open("c", O_CREAT|O_WRONLY);
if (fd > 0) {
ret = write(fd,a, 64);
}
printf("%d %d\n", fd, ret);
}

seed@seed-desktop:~/projects/2$ gcc x.c
seed@seed-desktop:~/projects/2$ ./a.out
3 64
seed@seed-desktop:~/projects/2$ objdump -D -b binary -mi386 c

c:     file format binary


Disassembly of section .data:

00000000 <.data>:
   0:    c7 45 f0 fa 00 00 00     movl   $0xfa,-0x10(%ebp)
   7:    58                       pop    %eax
   8:    eb 17                    jmp    0x21
   a:    8b 45 f4                 mov    -0xc(%ebp),%eax
   d:    0f b6 00                 movzbl (%eax),%eax
  10:    8b 55 f0                 mov    -0x10(%ebp),%edx
  13:    83 e2 2b                 and    $0x2b,%edx
  16:    31 c2                    xor    %eax,%edx
  18:    8b 45 f4                 mov    -0xc(%ebp),%eax
  1b:    88 10                    mov    %dl,(%eax)
  1d:    83 45 f4 01              addl   $0x1,-0xc(%ebp)
  21:    8b 45 f4                 mov    -0xc(%ebp),%eax
  24:    0f b6 00                 movzbl (%eax),%eax
  27:    84 c0                    test   %al,%al
  29:    75 df                    jne    0xa
  2b:    8b 45 08                 mov    0x8(%ebp),%eax
  2e:    89 c2                    mov    %eax,%edx
  30:    b8 c0 8b 04 08           mov    $0x8048bc0,%eax
  35:    b9 0f 00 00 00           mov    $0xf,%ecx
  3a:    89 d6                    mov    %edx,%esi
  3c:    89 c7                    mov    %eax,%edi
  3e:    f3 a6                    repz cmpsb %es:(%edi),%ds:(%esi)

So only the hex bytes (\xc7\x45\xf0\x00\x00\x00\x58\xeb\x17) are the bad disassembled codes
otherwise everything remains the same.
 8048662:       b8 01 c7 45 f0          mov    $0xf045c701,%eax
 8048667:       fa                      cli
 8048668:       00 00                   add    %al,(%eax)
 804866a:       00 58 eb                add    %bl,-0x15(%eax)
 804866d:       17                      pop    %ss

 is equivalent to

    0:    c7 45 f0 fa 00 00 00     movl   $0xfa,-0x10(%ebp)
   7:    58                       pop    %eax
   8:    eb 17                    jmp    0x21

 The following remaining disassembled instructions are valid.
 804866e:       8b 45 f4                mov    -0xc(%ebp),%eax
 8048671:       0f b6 00                movzbl (%eax),%eax
 8048674:       8b 55 f0                mov    -0x10(%ebp),%edx <== 0xfa gets loaded here.
 8048677:       83 e2 2b                and    $0x2b,%edx
 804867a:       31 c2                   xor    %eax,%edx
 804867c:       8b 45 f4                mov    -0xc(%ebp),%eax
 804867f:       88 10                   mov    %dl,(%eax)
 8048681:       83 45 f4 01             addl   $0x1,-0xc(%ebp)
 8048685:       8b 45 f4                mov    -0xc(%ebp),%eax
 8048688:       0f b6 00                movzbl (%eax),%eax
 804868b:       84 c0                   test   %al,%al
 804868d:       75 df                   jne    804866e <close@plt+0xee>
...
So it jumps to 804868d which jumps back to 804866e. As you can see this piece of code
is xoring 0x2b with (buf contents bitwise AND with 0xFA) and storing it to buf contents till buf[blah] string reaches a 0 (NULL character).

 804868f:       8b 45 08                mov    0x8(%ebp),%eax
 8048692:       89 c2                   mov    %eax,%edx
 8048694:       b8 c0 8b 04 08          mov    $0x8048bc0,%eax
 8048699:       b9 0f 00 00 00          mov    $0xf,%ecx
 804869e:       89 d6                   mov    %edx,%esi
 80486a0:       89 c7                   mov    %eax,%edi
 80486a2:       f3 a6                   repz cmpsb %es:(%edi),%ds:(%esi)
 80486a4:       0f 97 c2                seta   %dl
 80486a7:       0f 92 c0                setb   %al
 80486aa:       89 d1                   mov    %edx,%ecx
 80486ac:       28 c1                   sub    %al,%cl
 80486ae:       89 c8                   mov    %ecx,%eax
 80486b0:       0f be c0                movsbl %al,%eax
 80486b3:       85 c0                   test   %eax,%eax
 80486b5:       75 07                   jne    80486be <close@plt+0x13e>
 80486b7:       b8 01 00 00 00          mov    $0x1,%eax            <== Success
 80486bc:       eb 05                   jmp    80486c3 <close@plt+0x143>
 80486be:       b8 00 00 00 00          mov    $0x0,%eax
 80486c3:       83 c4 10                add    $0x10,%esp
 80486c6:       5e                      pop    %esi
 80486c7:       5f                      pop    %edi
 80486c8:       5d                      pop    %ebp
 80486c9:       c3                      ret

 so modified input = (input ^ (0xfa & 0x2b)) = input ^ 0x2a.
(gdb) p/x 0xfa & 0x2b
$5 = 0x2a

The above code strcmp(modified input, $0x8048bc0)
(gdb) x/s  0x8048bc0
0x8048bc0:     "xKZl_^_XCY^CIE"

input ^ 0x2a =  "xKZl_^_XCY^CIE"
input ^ 0x2a ^ 0x2a = "xKZl_^_XCY^CIE" ^ 0x2a (xoring for all characters).
input = "xKZl_^_XCY^CIE" ^ 0x2a (xoring for all characters).

$ python -c 'print "".join([chr(ord(c)^0x2a) for c in "xKZl_^_XCY^CIE"])'
RapFuturistico

So the input is "BRapFuturistico".

seed@seed-desktop:~/projects/2$ ./bonus_reverse-challenge
Are you feeling lucky today? BRapFuturistico
[+] WooT!: xKZl_^_XCY^CIE

DONE...

[NOTE:]
Actual disassembly of the function for option 'B':
 8048644:       55                      push   %ebp
 8048645:       89 e5                   mov    %esp,%ebp
 8048647:       57                      push   %edi
 8048648:       56                      push   %esi
 8048649:       83 ec 10                sub    $0x10,%esp
 804864c:       8b 45 08                mov    0x8(%ebp),%eax
 804864f:       89 45 f4                mov    %eax,-0xc(%ebp)
 8048652:       8b 55 0c                mov    0xc(%ebp),%edx
 8048655:       50                      push   %eax
 8048656:       31 c0                   xor    %eax,%eax
 8048658:       68 64 86 04 08          push   $0x8048664
 804865d:       58                      pop    %eax
 804865e:       01 d0                   add    %edx,%eax
 8048660:       50                      push   %eax
 8048661:       c3                      ret

Replace following from
 8048662:       b8 01 c7 45 f0          mov    $0xf045c701,%eax
 8048667:       fa                      cli
 8048668:       00 00                   add    %al,(%eax)
 804866a:       00 58 eb                add    %bl,-0x15(%eax)
 804866d:       17                      pop    %ss
to
   0:    c7 45 f0 fa 00 00 00     movl   $0xfa,-0x10(%ebp)
   7:    58                       pop    %eax
   8:    eb 17                    jmp    0x21 (0x 8048685)

 804866e:       8b 45 f4                mov    -0xc(%ebp),%eax
 8048671:       0f b6 00                movzbl (%eax),%eax
 8048674:       8b 55 f0                mov    -0x10(%ebp),%edx
 8048677:       83 e2 2b                and    $0x2b,%edx
 804867a:       31 c2                   xor    %eax,%edx
 804867c:       8b 45 f4                mov    -0xc(%ebp),%eax
 804867f:       88 10                   mov    %dl,(%eax)
 8048681:       83 45 f4 01             addl   $0x1,-0xc(%ebp)
 8048685:       8b 45 f4                mov    -0xc(%ebp),%eax
 8048688:       0f b6 00                movzbl (%eax),%eax
 804868b:       84 c0                   test   %al,%al
 804868d:       75 df                   jne    804866e <close@plt+0xee>
 804868f:       8b 45 08                mov    0x8(%ebp),%eax
 8048692:       89 c2                   mov    %eax,%edx
 8048694:       b8 c0 8b 04 08          mov    $0x8048bc0,%eax
 8048699:       b9 0f 00 00 00          mov    $0xf,%ecx
 804869e:       89 d6                   mov    %edx,%esi
 80486a0:       89 c7                   mov    %eax,%edi
 80486a2:       f3 a6                   repz cmpsb %es:(%edi),%ds:(%esi)
 80486a4:       0f 97 c2                seta   %dl
 80486a7:       0f 92 c0                setb   %al
 80486aa:       89 d1                   mov    %edx,%ecx
 80486ac:       28 c1                   sub    %al,%cl
 80486ae:       89 c8                   mov    %ecx,%eax
 80486b0:       0f be c0                movsbl %al,%eax
 80486b3:       85 c0                   test   %eax,%eax
 80486b5:       75 07                   jne    80486be <close@plt+0x13e>
 80486b7:       b8 01 00 00 00          mov    $0x1,%eax
 80486bc:       eb 05                   jmp    80486c3 <close@plt+0x143>
 80486be:       b8 00 00 00 00          mov    $0x0,%eax
 80486c3:       83 c4 10                add    $0x10,%esp
 80486c6:       5e                      pop    %esi
 80486c7:       5f                      pop    %edi
 80486c8:       5d                      pop    %ebp
 80486c9:       c3                      ret