
Untitled

a guest
Nov 22nd, 2019
  1. The decompiled result looks like this:
  2.  
  // main_main: decompiler output for the Go program's main function (the fmt_*, strings_*,
  // runtime_* and os_Stdout symbols are Go runtime/library names). Read in call order it
  // writes two lines to os_Stdout, sleeps, calls main_getMacAddr, then loops: each entry goes
  // through strings_Replace, a length-6 bounds check, runtime_concatstring2, strings_ToUpper
  // and main_GetSHA256Hash. On the path that breaks out of the loop it writes a third line and
  // calls main_GetMD5Hash and main_AESDecrypt; otherwise it writes a fourth line.
  // NOTE(review): most call arguments and results are not modelled here (a1/a2 are passed to
  // every call; v29, v30 and v31 are read but never assigned in this listing), so the data flow
  // described in the comments below is an assumption to confirm against the disassembly.
  3. __int64 __fastcall main_main(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6)
  4. {
  // Locals as named by the decompiler; the trailing comment on each line is the register or
  // stack slot it was assigned.
  5. __int64 v6; // r8
  6. __int64 v7; // r9
  7. unsigned __int64 v8; // rdx
  8. unsigned __int64 v9; // rcx
  9. unsigned __int64 v10; // r8
  10. __int64 v11; // rdx
  11. __int64 v12; // r8
  12. __int64 v13; // r9
  13. __int64 *v14; // rcx
  14. __int64 i; // rdx
  15. int v16; // er8
  16. int v17; // er9
  17. __int64 v18; // rdx
  18. __int64 v19; // rdx
  19. __int64 result; // rax
  20. __int64 v21; // r8
  21. __int64 v22; // r9
  22. int v23; // edx
  23. int v24; // ecx
  24. int v25; // er8
  25. int v26; // er9
  26. __int64 v27; // rdx
  27. __int64 v28; // rdx
  28. __int64 v29; // [rsp+8h] [rbp-100h]
  29. __int64 v30; // [rsp+38h] [rbp-D0h]
  30. unsigned __int64 v31; // [rsp+40h] [rbp-C8h]
  31. __int64 v32; // [rsp+48h] [rbp-C0h]
  32. __int64 v33; // [rsp+50h] [rbp-B8h]
  33. char v34; // [rsp+78h] [rbp-90h]
  34. char v35; // [rsp+80h] [rbp-88h]
  35. __int64 v36; // [rsp+98h] [rbp-70h]
  36. __int64 v37; // [rsp+A0h] [rbp-68h]
  37. __int64 *v38; // [rsp+A8h] [rbp-60h]
  38. __int128 v39; // [rsp+B0h] [rbp-58h]
  39. __int128 v40; // [rsp+C0h] [rbp-48h]
  40. __int128 v41; // [rsp+D0h] [rbp-38h]
  41. __int128 v42; // [rsp+E0h] [rbp-28h]
  42. __int128 v43; // [rsp+F0h] [rbp-18h]
  43.  
  // Prologue check: when the frame address is at or below the limit read through the
  // FS-relative pointer, runtime_morestack_noctxt is called. Presumably Go's stack-growth
  // check rather than program logic.
  44. if ( (unsigned __int64)&v35 <= *(_QWORD *)(__readfsqword(0xFFFFFFF8) + 16) )
  45. runtime_morestack_noctxt();
  // Fill v42 with two pointers and hand &v42 to fmt_Fprintln together with os_Stdout.
  // Presumably an interface value wrapping a string constant - TODO confirm what
  // off_50BB80 points to.
  46. *(_QWORD *)&v42 = &unk_4C6B00;
  47. *((_QWORD *)&v42 + 1) = &off_50BB80;
  48. fmt_Fprintln(
  49. a1,
  50. a2,
  51. (__int64)&go_itab__os_File_io_Writer,
  52. (__int64)&v42,
  53. a5,
  54. a6,
  55. (__int64)&go_itab__os_File_io_Writer,
  56. os_Stdout);
  // Same pattern with off_50BB90: second line written to os_Stdout.
  57. *(_QWORD *)&v41 = &unk_4C6B00;
  58. *((_QWORD *)&v41 + 1) = &off_50BB90;
  59. fmt_Fprintln(
  60. a1,
  61. a2,
  62. (__int64)&go_itab__os_File_io_Writer,
  63. (__int64)&v41,
  64. v6,
  65. v7,
  66. (__int64)&go_itab__os_File_io_Writer,
  67. os_Stdout);
  // Sleep; the duration argument is not visible in this listing.
  68. time_Sleep(a1);
  // By its name this collects the machine's MAC address(es). Its result is not assigned
  // here; v29, read next as a count, is presumably a stack-returned value - TODO confirm.
  69. main_getMacAddr(a1, __PAIR128__(v8, a2), __PAIR128__(v10, v9));
  // v32 keeps the count that bounds the loop below.
  70. v32 = v29;
  // NOTE(review): log_Fatal is shown as unconditional, yet the statements after it are
  // reachable in the real program. Presumably this is an error branch the decompiler
  // flattened; the stores to v37 and v43 are likely artifacts of the same mis-modelling.
  71. v37 = 1000000000LL;
  72. *(_QWORD *)&v43 = MEMORY[9];
  73. *((_QWORD *)&v43 + 1) = 1LL;
  74. log_Fatal(a1, a2, 1000000000LL);
  // No entries: result = 0, which selects the message written after LABEL_9.
  75. if ( v29 <= 0 )
  76. {
  77. result = 0LL;
  78. }
  79. else
  80. {
  // v14 is the cursor over the entries; its start value is taken from v37 (see the note
  // on v37 above - the constant stored there cannot be a real pointer).
  81. v14 = (__int64 *)v37;
  // One iteration per entry: v33 is the index and v14 advances by two 8-byte words each
  // time, consistent with a {pointer, length} string header - assumption.
  82. for ( i = 0LL; ; i = v33 + 1 )
  83. {
  84. v38 = v14;
  85. v33 = i;
  // strings_Replace on the current entry (*v14, v14[1]) with the constant at unk_4F040B;
  // presumably this removes the ':' separators - the old/new arguments are not readable here.
  86. strings_Replace(a1, a2, i, (__int64)v14, v12, v13, *v14, v14[1], (__int64)&unk_4F040B);
  // Bounds check before slicing: panics when the length in v31 is below 6.
  87. if ( v31 < 6 )
  88. runtime_panicSliceAlen(a1, a2);
  89. v36 = v30;
  // Concatenate two strings, upper-case the result and hash it. The operands are not
  // visible; presumably the 6-character prefix joined with itself - TODO confirm.
  90. runtime_concatstring2(a1, a2, v31, (unsigned __int64)&v34, v16, v17);
  91. strings_ToUpper(a1, a2, v18, 0LL >> 63);
  92. main_GetSHA256Hash(a1, a2, v19, 6LL);
  // 64 is the length of a hex-encoded SHA-256 digest, so this looks like the length half
  // of a string equality test whose content half is the runtime_memequal after the loop.
  93. if ( v30 == 64 )
  94. break;
  // Index reached the count: give up with result = 0.
  95. if ( v33 + 1 >= v32 )
  96. {
  97. result = 0LL;
  98. goto LABEL_9;
  99. }
  100. v14 = v38 + 2;
  101. }
  // Compare against the constant at unk_4F827F. NOTE(review): the return value is not
  // used in this listing, so the branch that rejects a mismatch is not shown - confirm in
  // the disassembly before trusting this control flow.
  102. runtime_memequal(a1, a2, v11, (unsigned __int64)&unk_4F827F);
  // Third message to os_Stdout (off_50BBA0), then another sleep.
  103. *(_QWORD *)&v40 = &unk_4C6B00;
  104. *((_QWORD *)&v40 + 1) = &off_50BBA0;
  105. fmt_Fprintln(
  106. a1,
  107. a2,
  108. (__int64)&go_itab__os_File_io_Writer,
  109. (__int64)&v40,
  110. v21,
  111. v22,
  112. (__int64)&go_itab__os_File_io_Writer,
  113. os_Stdout);
  114. time_Sleep(a1);
  // Concatenate, upper-case, MD5, then main_AESDecrypt. Presumably the MD5 of the same
  // string that was just checked becomes the AES key (arguments not visible). If so, the
  // decryption key carries no more entropy than the value the hash check accepts.
  115. runtime_concatstring2(a1, a2, v23, v24, v25, v26);
  116. strings_ToUpper(a1, a2, v27, 6LL);
  117. main_GetMD5Hash(a1, a2, v28, 6LL);
  118. main_AESDecrypt(a1, a2);
  119. result = 1LL;
  120. }
  121. LABEL_9:
  // result == 0: write the message at off_50BBB0 to os_Stdout and return fmt_Fprintln's result.
  122. if ( !result )
  123. {
  124. *(_QWORD *)&v39 = &unk_4C6B00;
  125. *((_QWORD *)&v39 + 1) = &off_50BBB0;
  126. result = fmt_Fprintln(
  127. a1,
  128. a2,
  129. v11,
  130. (__int64)&go_itab__os_File_io_Writer,
  131. v12,
  132. v13,
  133. (__int64)&go_itab__os_File_io_Writer,
  134. os_Stdout);
  135. }
  136. return result;
  137. }
  138.  
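  139. As we can see, the program takes the MAC address of our computer, removes the ':' separators, slices the string to keep the first 6 characters (the first three bytes of the address) and appends those 6 characters to themselves, so the hashed string is the same 6 characters twice.
  140. That result is upper-cased, hashed with SHA-256 and compared with a SHA-256 digest stored in the binary (a31ebf3ec8bd0d9b991a3291058e6e67323f06e4ea8903bcf7d1942ab71ac114). Only three bytes of the address feed the hash, so there are just 256^3 (about 16.7 million) candidates, and we can brute-force them with a script: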
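from hashlib import sha256

# SHA-256 digest that the write-up reports finding in the binary.
TARGET_SHA256 = 'a31ebf3ec8bd0d9b991a3291058e6e67323f06e4ea8903bcf7d1942ab71ac114'


def find_fingerprint(target_hex, verbose=False):
    """Return the 12-character string whose SHA-256 hex digest is target_hex.

    Candidates are three bytes written as six upper-case hex digits and then
    repeated, which is the string the write-up says the program hashes. Only
    256**3 (about 16.7 million) such strings exist, so the whole space can be
    enumerated; a check keyed on three address bytes is not a secret.

    Args:
        target_hex: hex digest to look for; compared case-insensitively.
        verbose: when true, print the first byte as a progress indicator.

    Returns:
        The matching 12-character string, or None when no candidate matches.
    """
    wanted = target_hex.lower()
    for i1 in range(256):
        if verbose:
            print(i1)
        for i2 in range(256):
            for i3 in range(256):
                prefix = '%02X%02X%02X' % (i1, i2, i3)
                candidate = prefix + prefix
                # encode() keeps this working on Python 3, where sha256 requires bytes.
                if sha256(candidate.encode('ascii')).hexdigest() == wanted:
                    # One digest has one preimage in this space; stop at the first hit.
                    return candidate
    return None


if __name__ == '__main__':
    match = find_fingerprint(TARGET_SHA256, verbose=True)
    print(match if match is not None else 'no match')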
  151.  
  152. We find F09FC2F09FC2, so our MAC address must begin with f0:9f:c2. We spoof our MAC address, and when we then execute the program we get the flag:
  153.  
  154. Ubiquiti™ SecuStore® v3.1.342
  155. Checking local hardware fingerprint
  156. Local hardware identity verified! Decrypting Secrets...
  157. flag{M@C_!s_n3ver_a_g00d_HW!D!!}