import argparse
import array
import re
import string as s
import subprocess
import sys
from subprocess import call

# NOTE: the star imports below are deliberately kept in their original relative
# order: each later `from X import *` can shadow names bound by an earlier one.
from unicorn import *
from pwn import *
from time import sleep
from keystone import *
from capstone import *
from itertools import *
from unicorn.x86_const import *
# Alphabet the per-chunk brute force draws from: lower/upper letters, space, '.', ','.
charset = "qwertyuiopasdfghjklzxcvbnm .,QWERTYUIOPASDFGHJKLZXCVBNM"

# Emulator layout: the target image is written at both of these mappings.
ADDRESS = 0x400000
dataAddress = 0x600000

# Per-checker metadata tables, filled in by extractInfo() and reset by do().
index, num, address, funcsize, keyaddress, dump = [], [], [], [], [], []
  23.  
def hexDump(buf):
    """Print *buf* (an iterable of byte values) as one lowercase hex string, no separators."""
    hex_pairs = ['{:02x}'.format(value) for value in buf]
    print(''.join(hex_pairs))
def str2bytear(s):
    """Return *s* as an ``array.array`` of unsigned bytes (typecode ``'B'``).

    The parameter ``s`` shadows the module alias ``string as s`` inside this
    function only.
    """
    typecode = 'B'
    return array.array(typecode, s)
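def extractInfo(mu):
    """Populate the module-level metadata tables from the emulated image.

    Reads 0x2520 bytes at 0x605100 — exactly 33 records of 36 qwords (0x120
    bytes) each — unpacks every qword with pwntools' ``u64`` into ``dump``, and
    appends one entry per record to ``address``, ``index``, ``num``, ``funcsize``
    and ``keyaddress``.  The field meanings below are inferred from how the rest
    of this script consumes them; confirm against the binary if its table changes.

    Args:
        mu: a Unicorn ``Uc`` instance with the image already mapped and written.
    """
    table_base = 0x605100
    table_size = 0x2520
    record_qwords = 36
    record_count = 33

    # NOTE: str() of a bytearray yields the raw bytes on Python 2 (which this
    # script targets); on Python 3 it would be the repr and u64 would fail.
    buff = str(mu.mem_read(table_base, table_size))
    # `//` keeps the bound an int on both Python 2 and 3; `/` is a float on 3.
    for i in range(len(buff) // 8):
        dump.append(u64(buff[8 * i:8 * i + 8]))
    for i in range(record_count):
        base = record_qwords * i
        index.append(dump[base + 1] >> 32)          # high dword: position of the chunk in the serial
        num.append(dump[base + 2] & 0xFFFFFFFF)     # low dword: chunk length
        address.append(dump[base])                  # encrypted checker body
        funcsize.append(dump[base + 1] & 0xFFFFFFFF)  # low dword: body / key length
        keyaddress.append(dump[base + 3])           # XOR key for the body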
  40.  
def replace_str_index(text, index=0, replacement='', num=0):
    """Return *text* with the *num* characters starting at *index* swapped for *replacement*.

    The pieces are stitched with ``str.format``, so a non-string *replacement*
    (for example ``None``) is rendered via ``str()`` instead of raising.
    The parameters ``index`` and ``num`` shadow the module-level lists of the
    same names inside this function only.
    """
    head = text[:index]
    tail = text[index + num:]
    return '{}{}{}'.format(head, replacement, tail)
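def decodeFunction(mu, index):
    """Decrypt checker function *index* in place inside the emulator.

    The body at ``address[index]`` is XORed byte-wise with the key at
    ``keyaddress[index]`` (both ``funcsize[index]`` bytes long) and written back,
    so the checker can be emulated afterwards.

    Args:
        mu: the Unicorn ``Uc`` instance holding the mapped image.
        index: record number in the metadata tables (shadows the module-level
            ``index`` list inside this function).
    """
    size = funcsize[index]
    key = mu.mem_read(keyaddress[index], size)
    func = mu.mem_read(address[index], size)
    for i in range(size):
        func[i] ^= key[i]
    # str() of the bytearray is the raw byte string on Python 2, which this script targets.
    mu.mem_write(address[index], str(func))
    # For debugging, the decrypted body can be listed with capstone
    # (Cs(CS_ARCH_X86, CS_MODE_64).disasm_lite(str(func), address[index]));
    # the disassembler object the original built here unconditionally was unused.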
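def exeFunction(mu, index, buf):
    """Run checker *index* on candidate chunk *buf* and report whether it accepted.

    Scratch layout inside the ADDRESS mapping: a zeroed 0x2000-byte region at
    +0x20000 that serves as the stack (RSP = +0x21000) and the candidate at
    +0x28000.  Registers are set as RDI = candidate address, RSI = ``num[index]``,
    RDX = a pointer into record *index* of the metadata table
    (0x605120 + index*0x120).  Emulation runs over the decrypted body; the
    original relied on it terminating with a ``UcError`` (presumably a return
    through the zeroed stack faults — not verified here) and only then read RAX.

    Args:
        mu: Unicorn ``Uc`` instance with the image mapped and the checker decrypted.
        index: record number (shadows the module-level ``index`` list here).
        buf: candidate str/bytes of length ``num[index]``.

    Returns:
        True iff emulation stopped with a ``UcError`` and RAX == 1; False otherwise,
        including a clean completion (the original returned None there, also falsy).
    """
    scratch = ADDRESS + 0x20000
    stack_top = ADDRESS + 0x21000
    input_addr = ADDRESS + 0x28000
    try:
        mu.mem_write(scratch, "\x00" * 0x2000)
        mu.mem_write(input_addr, buf)
        mu.reg_write(UC_X86_REG_RDX, 0x605120 + index * 0x120)
        mu.reg_write(UC_X86_REG_RDI, input_addr)
        mu.reg_write(UC_X86_REG_RSI, num[index])
        # This line was over-indented in the original (a syntax error as pasted).
        mu.reg_write(UC_X86_REG_RSP, stack_top)
        mu.emu_start(address[index], address[index] + funcsize[index])
    except UcError:
        return mu.reg_read(UC_X86_REG_RAX) == 1
    return False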
def bruteFunction(mu, index):
    """Brute-force chunk *index*: try every ``charset`` string of length ``num[index]``.

    Returns the first candidate ``exeFunction`` accepts, or None when the whole
    product is exhausted without a hit.  Cost grows as ``len(charset) ** num[index]``.
    ``index`` shadows the module-level list of that name inside this function.
    """
    length = num[index]
    candidates = (''.join(letters) for letters in product(charset, repeat=length))
    for guess in candidates:
        if exeFunction(mu, index, guess):
            return guess
    return None
  75.  
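def do():
    """Recover one serial by emulating and brute-forcing all 33 checker functions.

    Resets the module-level metadata tables, maps the ``magic`` image into a fresh
    x86-64 Unicorn instance at both ADDRESS and dataAddress, extracts the checker
    table, then for each checker decrypts it, brute-forces its chunk and splices the
    result into ``serial`` at the checker's position, printing progress as it goes.

    Returns:
        The assembled serial string, or None if Unicorn raised ``UcError`` during
        setup or emulation (the error is printed).  A chunk whose brute force
        exhausts yields None from bruteFunction and is spliced in as the text 'None'.
    """
    global index, num, address, funcsize, keyaddress, dump, elf, buf
    index, num, address, funcsize, keyaddress, dump = [], [], [], [], [], []
    serial = "_" * 120
    checker_count = 33

    # ``elf`` stays a global for compatibility but is closed once the block exits;
    # the original left the handle open on every iteration.
    with open("magic", "rb") as elf:
        buf = elf.read()
    try:
        mu = Uc(UC_ARCH_X86, UC_MODE_64)
        mu.mem_map(ADDRESS, 0x30000)
        mu.mem_map(dataAddress, 0x30000)
        mu.mem_write(ADDRESS, buf)
        mu.mem_write(dataAddress, buf)
        extractInfo(mu)
        for i in range(checker_count):
            decodeFunction(mu, i)
            res = bruteFunction(mu, i)
            serial = replace_str_index(serial, index[i], res, num[i])
            print(serial)
        return serial
    except UcError as e:
        print("ERROR: %s" % e)
        return None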
  120.  
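# Driver: repeat the recovery, log each serial, and feed it to the real binary
# over stdin to confirm it.
for _ in range(666):
    res = do()
    if res is None:
        # do() already printed the UcError; the original would have crashed on
        # ``None + "\n"`` below.
        continue
    with open("listpass.txt", "a+") as f:
        f.write(res + "\n")
    # Feed the serial on stdin directly rather than `echo "<res>" | ./magic` under
    # shell=True: the program receives the same bytes (echo appends "\n"), but the
    # candidate is never interpolated into a shell command line.
    proc = subprocess.Popen(["./magic"], stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    proc.communicate((res + "\n").encode("ascii"))
    # The original printed this whenever check_output raised, i.e. on a non-zero
    # exit status (its bare except also swallowed e.g. a missing ./magic and
    # KeyboardInterrupt).  Only the exit-status test is kept — confirm that
    # ./magic really signals a match with a non-zero status.
    if proc.returncode != 0:
        print("EXECUTE SUCCESS " + res)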