- The decompiled result looks like this:
/*
 * main_main: decompiler pseudocode for the Go program's main.main (the fmt_,
 * runtime_, strings_, time_ and log_ callees are Go standard-library/runtime
 * symbols).
 *
 * Visible flow: print two lines, sleep, call main_getMacAddr, then walk the
 * returned entries 16 bytes at a time. Each entry goes through strings_Replace,
 * a 6-byte slice bounds check, runtime_concatstring2, strings_ToUpper and
 * main_GetSHA256Hash. On the success path main_GetMD5Hash and main_AESDecrypt
 * run and result is 1; otherwise result is 0 and a final line is printed.
 *
 * NOTE(review): many arguments and return values in this listing are
 * unreliable (a1/a2 are passed to every call, results are read from stack
 * slots such as v29/v30/v31 that are never assigned here) - presumably the
 * decompiler is not modelling Go's calling convention. Treat argument lists
 * as approximate and confirm against the disassembly.
 *
 * Security note: the only input visible on both the hash check and the
 * MD5/AES path is the MAC-derived string, so the "hardware fingerprint" is
 * neither secret nor hard to enumerate.
 */
- __int64 __fastcall main_main(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6)
- {
- __int64 v6; // r8
- __int64 v7; // r9
- unsigned __int64 v8; // rdx
- unsigned __int64 v9; // rcx
- unsigned __int64 v10; // r8
- __int64 v11; // rdx
- __int64 v12; // r8
- __int64 v13; // r9
- __int64 *v14; // rcx
- __int64 i; // rdx
- int v16; // er8
- int v17; // er9
- __int64 v18; // rdx
- __int64 v19; // rdx
- __int64 result; // rax
- __int64 v21; // r8
- __int64 v22; // r9
- int v23; // edx
- int v24; // ecx
- int v25; // er8
- int v26; // er9
- __int64 v27; // rdx
- __int64 v28; // rdx
- __int64 v29; // [rsp+8h] [rbp-100h]
- __int64 v30; // [rsp+38h] [rbp-D0h]
- unsigned __int64 v31; // [rsp+40h] [rbp-C8h]
- __int64 v32; // [rsp+48h] [rbp-C0h]
- __int64 v33; // [rsp+50h] [rbp-B8h]
- char v34; // [rsp+78h] [rbp-90h]
- char v35; // [rsp+80h] [rbp-88h]
- __int64 v36; // [rsp+98h] [rbp-70h]
- __int64 v37; // [rsp+A0h] [rbp-68h]
- __int64 *v38; // [rsp+A8h] [rbp-60h]
- __int128 v39; // [rsp+B0h] [rbp-58h]
- __int128 v40; // [rsp+C0h] [rbp-48h]
- __int128 v41; // [rsp+D0h] [rbp-38h]
- __int128 v42; // [rsp+E0h] [rbp-28h]
- __int128 v43; // [rsp+F0h] [rbp-18h]
// Function prologue: compare a stack address with a limit read through fs and
// call runtime_morestack_noctxt when it is at or below it (stack growth).
- if ( (unsigned __int64)&v35 <= *(_QWORD *)(__readfsqword(0xFFFFFFF8) + 16) )
- runtime_morestack_noctxt();
// v42 is filled as a two-word value {&unk_4C6B00, &off_50BB80} and passed to
// fmt_Fprintln with os_Stdout - presumably an interface{} wrapping a constant
// string (first output line); TODO confirm in the data section.
- *(_QWORD *)&v42 = &unk_4C6B00;
- *((_QWORD *)&v42 + 1) = &off_50BB80;
- fmt_Fprintln(
- a1,
- a2,
- (__int64)&go_itab__os_File_io_Writer,
- (__int64)&v42,
- a5,
- a6,
- (__int64)&go_itab__os_File_io_Writer,
- os_Stdout);
// Same pattern with &off_50BB90: second output line.
- *(_QWORD *)&v41 = &unk_4C6B00;
- *((_QWORD *)&v41 + 1) = &off_50BB90;
- fmt_Fprintln(
- a1,
- a2,
- (__int64)&go_itab__os_File_io_Writer,
- (__int64)&v41,
- v6,
- v7,
- (__int64)&go_itab__os_File_io_Writer,
- os_Stdout);
- time_Sleep(a1); // NOTE(review): a1 is unlikely to be the real duration - confirm
- main_getMacAddr(a1, __PAIR128__(v8, a2), __PAIR128__(v10, v9));
- v32 = v29; // v29 is never assigned in this listing; presumably the entry count returned by main_getMacAddr
// NOTE(review): v37 is cast to the entry base pointer (v14) further down, so
// the constant stored here is presumably a stale value from a reused stack
// slot rather than real data.
- v37 = 1000000000LL;
- *(_QWORD *)&v43 = MEMORY[9];
- *((_QWORD *)&v43 + 1) = 1LL;
// NOTE(review): log_Fatal is shown as unconditional although the code
// continues; presumably an error branch that the decompiler flattened.
- log_Fatal(a1, a2, 1000000000LL);
- if ( v29 <= 0 )
- {
- result = 0LL; // nothing to check: falls through to the message printed at LABEL_9
- }
- else
- {
- v14 = (__int64 *)v37;
- for ( i = 0LL; ; i = v33 + 1 )
- {
- v38 = v14; // remember the current entry so the loop can advance from it
- v33 = i; // current index
// strings_Replace receives the current entry as (*v14, v14[1]) plus
// &unk_4F040B - presumably the string's pointer/length and the ":" separator
// the write-up describes; TODO confirm.
- strings_Replace(a1, a2, i, (__int64)v14, v12, v13, *v14, v14[1], (__int64)&unk_4F040B);
// Bounds check for a 6-byte slice: panic when v31 (presumably the length of
// the replaced string) is below 6.
- if ( v31 < 6 )
- runtime_panicSliceAlen(a1, a2);
- v36 = v30;
- runtime_concatstring2(a1, a2, v31, (unsigned __int64)&v34, v16, v17); // joins two strings; operands not recovered here
- strings_ToUpper(a1, a2, v18, 0LL >> 63);
- main_GetSHA256Hash(a1, a2, v19, 6LL);
// v30 == 64 leaves the loop - presumably the length test of a string compare
// (64 hex characters); the byte compare is the runtime_memequal after the loop.
- if ( v30 == 64 )
- break;
- if ( v33 + 1 >= v32 )
- {
- result = 0LL; // every entry tried without leaving via the break above
- goto LABEL_9;
- }
- v14 = v38 + 2; // advance two __int64 words (16 bytes) to the next entry
- }
// NOTE(review): the result of runtime_memequal is not tested in this listing;
// the binary presumably branches on it. &unk_4F827F is presumably the
// embedded expected digest - confirm.
- runtime_memequal(a1, a2, v11, (unsigned __int64)&unk_4F827F);
// Success path: print the line at &off_50BBA0, sleep, then rebuild a string
// (concat + upper-case) and pass it through main_GetMD5Hash before
// main_AESDecrypt. No other key material is visible in this function, so the
// decryption input presumably derives from the same MAC-based string.
- *(_QWORD *)&v40 = &unk_4C6B00;
- *((_QWORD *)&v40 + 1) = &off_50BBA0;
- fmt_Fprintln(
- a1,
- a2,
- (__int64)&go_itab__os_File_io_Writer,
- (__int64)&v40,
- v21,
- v22,
- (__int64)&go_itab__os_File_io_Writer,
- os_Stdout);
- time_Sleep(a1);
- runtime_concatstring2(a1, a2, v23, v24, v25, v26);
- strings_ToUpper(a1, a2, v27, 6LL);
- main_GetMD5Hash(a1, a2, v28, 6LL);
- main_AESDecrypt(a1, a2);
- result = 1LL;
- }
- LABEL_9:
// Failure path: result == 0 prints the line at &off_50BBB0 and returns
// fmt_Fprintln's result.
- if ( !result )
- {
- *(_QWORD *)&v39 = &unk_4C6B00;
- *((_QWORD *)&v39 + 1) = &off_50BBB0;
- result = fmt_Fprintln(
- a1,
- a2,
- v11,
- (__int64)&go_itab__os_File_io_Writer,
- v12,
- v13,
- (__int64)&go_itab__os_File_io_Writer,
- os_Stdout);
- }
- return result;
- }
- As we can see, the program takes the MAC address of our computer, replaces : with nothing, slices the string to take the first 6 characters, and then appends those 6 characters to the sliced string (doubling them, as `a + a` does in the script below).
- That result is upper-cased, hashed with SHA-256, and compared with a SHA-256 digest from the binary (a31ebf3ec8bd0d9b991a3291058e6e67323f06e4ea8903bcf7d1942ab71ac114). Only three bytes feed the hash, so we can brute-force it with a script:
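from hashlib import sha256

# SHA-256 digest that the write-up reports finding in the binary.
TARGET = 'a31ebf3ec8bd0d9b991a3291058e6e67323f06e4ea8903bcf7d1942ab71ac114'


def candidate(i1, i2, i3):
    """Build the string the check hashes for one three-byte MAC prefix.

    Each byte is rendered as two hex digits, the six digits are upper-cased,
    and the result is concatenated with itself (the original's ``a + a``).
    """
    prefix = ('%02x%02x%02x' % (i1, i2, i3)).upper()
    return prefix + prefix


if __name__ == '__main__':
    # Only the first three octets of the MAC feed the hash, so the whole input
    # space is 256**3 values. A fast, unsalted hash over so small a space can be
    # enumerated exhaustively, which is why a MAC prefix is a weak hardware ID.
    for i1 in range(256):
        print(i1)  # progress indicator, as in the original
        for i2 in range(256):
            for i3 in range(256):
                a = candidate(i1, i2, i3)
                # .encode() keeps this working on Python 3, where sha256() needs bytes.
                if TARGET == sha256(a.encode()).hexdigest():
                    print(a)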
- and we find F09FC2F09FC2, so our MAC must begin with f0:9f:c2. We spoof our MAC, and then when we execute the program we get the flag:
- Ubiquiti™ SecuStore® v3.1.342
- Checking local hardware fingerprint
- Local hardware identity verified! Decrypting Secrets...
- flag{M@C_!s_n3ver_a_g00d_HW!D!!}