
Defcon 100lines

tunz May 19th, 2014 392 Never
  1. from socket import *
  2. import time
  3.  
  4. randpad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decode('hex')
  5.  
  6. """
  7. def loop(table, size):
  8.        idx1=0
  9.        loop_count = size - 0x20
  10.        while idx1 < loop_count:
  11.                idx2=0
  12.                calculated = 0
  13.                while idx2 <= 3:
  14.                        calculated = calculated | calc(table, idx1, idx2)
  15.                        idx2 += 1
  16.                idx3 = 0
  17.                while idx3 < loop_count:
  18.                        idx4 = 0
  19.                        calculated2 = 0
  20.                        while idx4 <= 3:
  21.                                calculated2 = calculated2 | calc(table, idx3, idx4)
  22.                                idx4 += 1
  23.                        calculated2 = calculated ^ calculated2
  24.                        idx5 = 0
  25.                        while idx5 <= 3:
  26.                                offset = (idx3 + loop_count * idx1)*4 + idx5
  27.                                ecx = (((-idx5) & 0xFFFFFFFF) << 3) + 0x18
  28.                                eax = calculated2 >> (ecx & 0xFF)
  29.                                result[offset] = eax & 0xFF
  30.                                idx5 += 1
  31. """
  32.  
  def calc(table, idx1, idx2):
      """Extract one byte from an unaligned bit position in *table*.

      The byte starts ``idx1 & 7`` bits into ``table[(idx1 >> 3) + idx2]`` and
      spills into the following element. It is returned already shifted into
      its lane of a 32-bit word: lane 0 is the top byte, lane 3 the bottom.

      *table* must be indexable and yield single characters accepted by
      ``ord``; reading ``pos + 1`` means the last element can never be the
      starting position.
      """
      bit = idx1 & 7
      pos = (idx1 >> 3) + idx2
      # Upper part comes from the current element, the remainder from the next.
      upper = ord(table[pos]) << bit
      lower = ord(table[pos + 1]) >> (8 - bit)
      # Register-style shift count kept from the original: 24, 16, 8, 0 for
      # idx2 = 0..3 once reduced to its low byte.
      lane_shift = ((((-idx2) & 0xFF) << 3) + 0x18) & 0xFF
      return ((upper | lower) & 0xFF) << lane_shift
  39.  
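  def optimized_loop(table, size, offset):
      """Compute a single byte of the expanded table on demand.

      The reference ``loop`` kept in the string literal above fills
      ``result[(idx3 + loop_count * idx1) * 4 + idx5]`` for every index
      combination. This function inverts that layout for one *offset* and
      evaluates only the entry it names.

      Floor division (``//``) is used so the indices stay integers even where
      ``/`` means true division (Python 3, or ``from __future__ import
      division``); a float index would fail at the ``>>`` inside ``calc``.

      Raises ZeroDivisionError when ``size == 0x20``, as the original did.
      """
      loop_count = size - 0x20
      byte_idx = offset & 3  # which byte of the 32-bit word (idx5)
      idx1, idx3 = divmod((offset - byte_idx) // 4, loop_count)

      # Assemble the two 32-bit words, one byte lane at a time.
      first = 0
      for lane in range(4):
          first |= calc(table, idx1, lane)

      second = 0
      for lane in range(4):
          second |= calc(table, idx3, lane)

      # byte_idx is always 0..3, so the register-style shift count
      # ((-idx5 & 0xFFFFFFFF) << 3) + 0x18, masked to a byte, is 24 - 8 * idx5.
      return ((first ^ second) >> (24 - 8 * byte_idx)) & 0xFF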
  63.  
  def calc2(idx1, idx2):
      """Second-stage counterpart of ``calc``.

      Instead of indexing a stored table, each source byte is computed on
      demand with ``optimized_loop(randpad, 0x7e0, ...)``. The result is the
      extracted byte shifted into lane *idx2* of a 32-bit word.
      """
      pos = (idx1 >> 3) + idx2
      upper = optimized_loop(randpad, 0x7e0, pos) << (idx1 & 7)
      # NOTE(review): the original wrote `8 - idx1 & 7`, which Python parses as
      # `(8 - idx1) & 7`. `calc` uses `8 - (idx1 & 7)` at the same spot. The
      # two differ only when idx1 is a multiple of 8 (shift 0 here, 8 there).
      # The parsed behaviour is preserved; confirm which form was intended.
      lower = optimized_loop(randpad, 0x7e0, pos + 1) >> ((8 - idx1) & 7)
      lane_shift = (((-idx2) << 3) + 0x18) & 0xFF
      return ((upper | lower) & 0xFF) << lane_shift
  71.  
  72.  
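  def findAnswer(offset):
      """Return byte *offset* of the second-stage table without building it.

      Same index decomposition as ``optimized_loop``, but with a fixed row
      length of ``0xf81000 - 0x20`` and source bytes supplied by ``calc2``,
      which derives them from the first stage.

      Floor division (``//``) is used so the indices stay integers even where
      ``/`` means true division (Python 3, or ``from __future__ import
      division``); a float index would fail at the ``>>`` inside ``calc2``.
      """
      loop_count = 0xf81000 - 0x20
      byte_idx = offset & 3  # which byte of the 32-bit word (idx5)
      idx1, idx3 = divmod((offset - byte_idx) // 4, loop_count)

      # Assemble the two 32-bit words, one byte lane at a time.
      first = 0
      for lane in range(4):
          first |= calc2(idx1, lane)

      second = 0
      for lane in range(4):
          second |= calc2(idx3, lane)

      # byte_idx is always 0..3, so the register-style shift count
      # ((-idx5 & 0xFFFFFFFF) << 3) + 0x18, masked to a byte, is 24 - 8 * idx5.
      return ((first ^ second) >> (24 - 8 * byte_idx)) & 0xFF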
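  # Driver: read the offsets the service announces, answer the first eight,
  # then XOR-decode the comma-separated reply with the same table bytes.
  s = socket(AF_INET , SOCK_STREAM)
  try:
      s.connect(('100lines_53ac15fc7aa93da92629d37a669e106c.2014.shallweplayaga.me', 20689))

      # Fixed delay plus two reads: recv() may return a partial banner.
      time.sleep(0.5)
      data = s.recv(65000)
      data += s.recv(65000)

      # Skip the first two whitespace-separated tokens; the rest are parsed
      # as hex after dropping a two-character prefix.
      data = data.split(None)[2:]
      print(data)
      OTP = [int(x[2:], 16) for x in data]

      for i in range(0, 8):
          edx = findAnswer(OTP[i])
          # Register-level transcription of a multiply-and-shift division:
          # findAnswer returns 0..255, and for that range the sequence below
          # yields (value % 0x5D) + 0x20.
          eax = ((edx * 3) << 5) + edx
          eax = (eax & 0xFFFF0000) + ((eax & 0xFFFF) >> 8)
          ecx = edx - eax
          ecx = (ecx & 0xFFFFFF00) + ((ecx & 0xFF) >> 1)
          eax += ecx
          eax = (eax & 0xFFFFFF00) + ((eax & 0xFF) >> 6)
          edx -= eax * 0x5D
          eax = (edx & 0xFF) + 0x20
          print(hex(eax))
          s.send(chr(eax))

      time.sleep(3)

      # Nine fixed-size reads, as in the original. Each call blocks until
      # data arrives or the peer closes the connection.
      data = ""
      for _ in range(9):
          data += s.recv(1024)
      data = data.strip()

      flags = data.split(",")

      # Start empty so the final print never shows the stale integer left
      # over from the loop above when the reply is not a comma-separated list.
      answer = ""
      if len(flags) > 1:
          flags = [int(x[2:], 16) for x in flags]
          # zip() stops at the shorter list, so a reply longer than the
          # offset list cannot raise IndexError.
          answer = "".join(chr(findAnswer(otp) ^ flag) for otp, flag in zip(OTP, flags))

      print(answer)
  finally:
      # Release the socket even if parsing or a recv fails part-way through.
      s.close()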