import argparse
import array
import re
import string as s
import subprocess
import sys
from subprocess import call

from unicorn import *
from pwn import *
from time import sleep
from keystone import *
from capstone import *
from itertools import *
from unicorn.x86_const import *
# Alphabet the brute force draws candidate serial characters from
# (lower-case letters, space, '.', ',', upper-case letters).
charset = "qwertyuiopasdfghjklzxcvbnm .,QWERTYUIOPASDFGHJKLZXCVBNM"

# Emulator layout: the binary image is written at both of these bases
# (see do()); scratch memory for exeFunction lives above ADDRESS.
ADDRESS = 0x400000
dataAddress = 0x600000

# Per-function record fields filled in by extractInfo (one entry per
# checker function); dump holds the raw qwords of the table.
index, num, address, funcsize, keyaddress, dump = [], [], [], [], [], []
def hexDump(buf):
    """Print *buf* (an iterable of byte values, e.g. a bytearray) as one lowercase hex string."""
    hex_pairs = ['{:02x}'.format(byte) for byte in buf]
    print(''.join(hex_pairs))
def str2bytear(s):
    """Return the byte string *s* as an array.array of unsigned bytes (typecode 'B')."""
    typecode = 'B'
    return array.array(typecode, s)
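def extractInfo(mu):
    """Parse the 33 per-function records at 0x605100 into the module lists.

    The 0x2520-byte table is read as little-endian qwords (33 records of
    36 qwords, 0x120 bytes each) and each record's fields are appended to
    the module-level lists index, num, address, funcsize and keyaddress;
    dump keeps every raw qword.

    Record layout (qword offsets within one record):
      [0]  address of the checker function's code
      [1]  low 32 bits: size of the function in bytes;
           high 32 bits: position in the serial the function checks
      [2]  low 32 bits: number of serial characters the function checks
      [3]  address of the XOR key decodeFunction uses for this function
    The remaining qwords of a record are not used here.

    Appends only: do() empties the lists before each run, and the lists
    must be empty when this is called or the 36*i indexing is off.
    """
    # str() on the bytearray gives the raw bytes pwntools' u64 accepts
    # under Python 2, which is what this script targets.
    raw = str(mu.mem_read(0x605100, 0x2520))
    # // keeps the bound an int on both Python 2 and 3 (plain / would
    # produce a float on 3 and break range()).
    qword_count = len(raw) // 8
    for i in range(qword_count):
        dump.append(u64(raw[8 * i:8 * i + 8]))
    for rec in range(0, 33):
        base = 36 * rec
        address.append(dump[base])
        funcsize.append(dump[base + 1] & 0xFFFFFFFF)
        index.append(dump[base + 1] >> 32)
        num.append(dump[base + 2] & 0xFFFFFFFF)
        keyaddress.append(dump[base + 3])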
def replace_str_index(text, index=0, replacement='', num=0):
    """Return *text* with the *num* characters starting at *index* replaced by *replacement*.

    *replacement* goes through string formatting, so a non-str value
    (e.g. None) is rendered with str() rather than raising.
    """
    head = text[:index]
    tail = text[index + num:]
    return '{}{}{}'.format(head, replacement, tail)
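def decodeFunction(mu, index):
    """XOR-decrypt checker function *index* in place inside the emulator.

    The funcsize[index] bytes at address[index] are XORed byte-wise with
    the equal-length key at keyaddress[index] (both taken from the records
    parsed by extractInfo) and written back, so exeFunction can emulate
    the plain code.  Nothing is returned.
    """
    size = funcsize[index]
    key = mu.mem_read(keyaddress[index], size)
    func = mu.mem_read(address[index], size)
    # Both reads are bytearrays, so zip yields int pairs on Python 2 and 3.
    decoded = bytearray(a ^ b for a, b in zip(func, key))
    # str() on a bytearray yields the raw bytes mem_write expects under
    # Python 2 (this script is Python 2 throughout).
    mu.mem_write(address[index], str(decoded))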
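def exeFunction(mu, index, buf):
    """Run checker function *index* in the emulator on candidate *buf*.

    Sets up the call like the SysV x86-64 ABI: the 0x2000-byte scratch
    region at ADDRESS+0x20000 (which contains the stack, RSP =
    ADDRESS+0x21000) is zeroed, *buf* is copied to ADDRESS+0x28000 and
    RDI points at it, RSI holds num[index] (the number of characters the
    function checks) and RDX points 0x20 bytes into the function's record
    (0x605120 + index*0x120) in the table extractInfo parsed.  Emulation
    runs from address[index] up to address[index]+funcsize[index].

    A UcError during emulation is expected rather than fatal: the stack
    is all zeros, so the checker's final return presumably jumps to an
    unmapped address and Unicorn stops there.  Either way RAX is read
    afterwards and the verdict is RAX == 1.

    Returns True when RAX == 1, False otherwise (always a bool; the
    previous version returned None when emu_start finished cleanly).
    """
    try:
        mu.mem_write(ADDRESS + 0x20000, b"\x00" * 0x2000)
        mu.mem_write(ADDRESS + 0x28000, buf)
        mu.reg_write(UC_X86_REG_RDX, 0x605120 + index * 0x120)
        mu.reg_write(UC_X86_REG_RDI, ADDRESS + 0x28000)
        mu.reg_write(UC_X86_REG_RSI, num[index])
        mu.reg_write(UC_X86_REG_RSP, ADDRESS + 0x21000)
        mu.emu_start(address[index], address[index] + funcsize[index])
    except UcError:
        # Expected stop condition, see docstring; RAX already holds the result.
        pass
    return mu.reg_read(UC_X86_REG_RAX) == 1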
def bruteFunction(mu, index):
    """Search all num[index]-character strings over charset for one checker *index* accepts.

    Candidates are tried in itertools.product order and the first one for
    which exeFunction returns True is returned; None if none is accepted.
    """
    width = num[index]
    for combo in product(charset, repeat=width):
        candidate = ''.join(combo)
        if exeFunction(mu, index, candidate):
            return candidate
    return None
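def do():
    """Rebuild the whole serial by decoding and brute-forcing all 33 checkers.

    Reads the file "magic" from the working directory, writes its bytes
    into a fresh x86-64 Unicorn instance at both ADDRESS and dataAddress,
    parses the function table with extractInfo, then for each of the 33
    checkers decrypts it (decodeFunction), finds the substring it accepts
    (bruteFunction) and splices that into a 120-character '_' template at
    the position the record gives.  The partial serial is printed after
    every function.

    Side effects: empties the module-level record lists and rebinds the
    globals elf and buf.  If bruteFunction finds nothing for a function,
    None is spliced in and shows up as the text "None" in the serial.

    Returns the assembled serial, or None when Unicorn raises a UcError
    (the error is printed).
    """
    global index, num, address, funcsize, keyaddress, dump, elf, buf
    index, num, address, funcsize, keyaddress, dump = [], [], [], [], [], []
    serial = "_" * 120
    # Close the binary as soon as it is read; this function runs many
    # times and previously left every handle open.
    with open("magic", "rb") as elf:
        buf = elf.read()
    try:
        mu = Uc(UC_ARCH_X86, UC_MODE_64)
        mu.mem_map(ADDRESS, 0x30000)
        mu.mem_map(dataAddress, 0x30000)
        mu.mem_write(ADDRESS, buf)
        mu.mem_write(dataAddress, buf)
        extractInfo(mu)
        for i in range(0, 33):
            decodeFunction(mu, i)
            res = bruteFunction(mu, i)
            serial = replace_str_index(serial, index[i], res, num[i])
            print(serial)
        return serial
    except UcError as e:
        print("ERROR: %s" % e)
        return None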
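# Main loop: derive the serial 666 times, log every result to
# listpass.txt and check it against the real binary.
for _ in range(0, 666):
    res = do()
    if res is None:
        # do() already printed the UcError; there is nothing to record.
        continue
    with open("listpass.txt", "a+") as f:
        f.write(res + "\n")
    # Hand the candidate to ./magic on stdin instead of building
    # 'echo "<res>" | ./magic' as a shell string: with an argument list and
    # no shell, the serial is never parsed as shell syntax.  (res only ever
    # holds charset bytes plus '_', but the list form makes that irrelevant.)
    try:
        proc = subprocess.Popen(["./magic"], stdin=subprocess.PIPE,
                                stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        proc.communicate((res + "\n").encode())
    except OSError as e:
        # ./magic missing or not executable: report it instead of
        # silently counting it as a hit.
        print("EXECUTE FAILED: %s" % e)
        continue
    # The original treated a non-zero exit (check_output raising) as the
    # success signal; that convention is kept here.
    if proc.returncode != 0:
        print("EXECUTE SUCCESS " + res)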