  1. import sys
  2. import string as s
  3. from subprocess import call
  4. import argparse
  5. import re
  6. from unicorn import *
  7. from pwn import *
  8. from time import sleep
  9. from capstone import *
  10. from itertools import *
  11. from unicorn.x86_const import *
  12. import array
# Characters tried for every serial chunk, in the order itertools.product()
# will enumerate them.  bruteFunction() keeps the first candidate the
# emulated check accepts, so this order also decides between several
# acceptable chunks -- do not reorder it casually.
charset="qwertyuiopasdfghjklzxcvbnm .,QWERTYUIOPASDFGHJKLZXCVBNM"
# Base of the mapping the check functions run from: do() maps 0x30000 bytes
# here and writes the raw "magic" file image into it.  The scratch stack
# (ADDRESS+0x20000) and candidate buffer (ADDRESS+0x28000) used by
# exeFunction() live inside this mapping too.
ADDRESS =   0x400000
# Base of a second, identical mapping of the image; the function metadata
# table is read from 0x605100 inside it and RDX points into it at run time.
dataAddress=0x600000
# Per-function metadata, one list element per check function, appended by
# extractInfo() and cleared by do() before each run:
index=[]        # position of the function's chunk inside the serial string
num=[]          # number of serial characters that function checks
address=[]      # emulator address of the function body (XOR-encoded in the image)
funcsize=[]     # size in bytes of the body, and of its XOR key
keyaddress=[]   # emulator address of the XOR key for the body
dump=[]         # the raw table, as a flat list of 64-bit words (pwntools u64)
  22.  
def hexDump(buf):
    """Print *buf* (an iterable of byte values, e.g. a bytearray) as one line
    of lowercase hex, two digits per byte, without separators."""
    digits = ['%02x' % byte for byte in buf]
    print(''.join(digits))
def str2bytear(s):
    """Return the bytes of *s* (a str/bytes/bytearray) as an unsigned-byte
    array.array('B').  Not used by the rest of the script."""
    out = array.array('B')
    out.extend(bytearray(s))
    return out
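def extractInfo(mu):
    """Parse the per-function metadata table out of emulator memory.

    Reads 0x2520 bytes at 0x605100 (inside the dataAddress mapping of the
    binary), splits them into little-endian unsigned 64-bit words and
    appends one entry per check function to the module-level lists
    ``dump``, ``index``, ``num``, ``address``, ``funcsize`` and
    ``keyaddress``.  Each table entry is 36 words (0x120 bytes) and 33
    entries are read; 33 * 36 == 0x2520 / 8, so the slice is consumed
    exactly.

    Layout used (word k of entry i is dump[36*i + k]):
      k=0 -> address of the XOR-encoded function body
      k=1 -> low dword: body/key size, high dword: chunk offset in serial
      k=2 -> low dword: number of serial characters the function checks
      k=3 -> address of the XOR key

    The lists are appended to, never reset, so callers (see do()) clear
    them first.  The words are decoded straight from the bytearray with
    ``struct`` -- the original went through str() and pwntools' u64(),
    which only works on Python 2 -- and the entries are taken from the
    freshly read table rather than from whatever ``dump`` already held.
    """
    import struct

    table = mu.mem_read(0x605100, 0x2520)
    count = len(table) // 8
    words = [struct.unpack_from('<Q', table, 8 * i)[0] for i in range(count)]
    dump.extend(words)
    for i in range(33):
        entry = words[36 * i:36 * i + 4]
        address.append(entry[0])
        funcsize.append(entry[1] & 0xFFFFFFFF)
        index.append(entry[1] >> 32)
        num.append(entry[2] & 0xFFFFFFFF)
        keyaddress.append(entry[3])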
  39.  
def replace_str_index(text, index=0, replacement='', num=0):
    """Return *text* with the *num* characters starting at *index* replaced
    by *replacement*.  The replacement need not be *num* long, and it is
    %s-style formatted, so a non-string value (e.g. None) is stringified."""
    head = text[:index]
    tail = text[index + num:]
    return '{}{}{}'.format(head, replacement, tail)
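def decodeFunction(mu, index):
    """XOR-decode check function *index* in place inside the emulator.

    Reads funcsize[index] bytes of key at keyaddress[index] and the same
    number of bytes of encoded body at address[index], XORs them byte by
    byte and writes the plaintext body back over address[index] so that
    exeFunction() can run it.  XOR is an involution: running this twice
    re-encodes the body.

    The parameter name shadows the module-level ``index`` list; here it is
    only an integer position.  The unused capstone handle the original
    built (and its commented-out disassembly loop) is dropped -- use
    Cs(CS_ARCH_X86, CS_MODE_64).disasm_lite(bytes(body), address[index])
    on the returned body if you want to inspect it.

    Returns the decoded body as a bytearray (the original returned None).
    """
    size = funcsize[index]
    key = mu.mem_read(keyaddress[index], size)
    body = mu.mem_read(address[index], size)
    plain = bytearray(b ^ k for b, k in zip(body, key))
    # bytes(bytearray) is the raw payload on both Python 2 (bytes is str)
    # and 3; str(bytearray) would write "bytearray(b'...')" on 3.
    mu.mem_write(address[index], bytes(plain))
    return plain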
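def exeFunction(mu, index, buf):
    """Run decoded check function *index* on the candidate chunk *buf*.

    Sets up a throw-away frame inside the ADDRESS mapping -- a zeroed
    0x2000-byte stack area at ADDRESS+0x20000 with RSP in its middle and
    the candidate bytes at ADDRESS+0x28000 -- and calls the function with
    RDI = pointer to the candidate, RSI = num[index] (its length) and
    RDX = 0x605120 + index*0x120, the function's own entry in the metadata
    table of the dataAddress mapping.  Emulation runs from address[index]
    up to address[index] + funcsize[index].

    Returns True when RAX == 1 afterwards, else False.  RAX is inspected
    both when emulation stops with a UcError -- the normal exit in the
    original, presumably because the zeroed stack sends the function's
    final ``ret`` to address 0, which is unmapped (TODO confirm) -- and
    when it stops normally; the original only read RAX in the UcError
    path and returned None otherwise.  A UcError raised by the set-up
    writes (e.g. a candidate longer than the mapping) is swallowed the
    same way as before and simply yields a RAX-based answer.

    Also fixes the stray extra indentation on the RSP write, which made
    the pasted original a syntax error.
    """
    stack_base = ADDRESS + 0x20000
    arg_buf = ADDRESS + 0x28000
    try:
        mu.mem_write(stack_base, b"\x00" * 0x2000)
        mu.mem_write(arg_buf, buf)
        mu.reg_write(UC_X86_REG_RDX, 0x605120 + index * 0x120)
        mu.reg_write(UC_X86_REG_RDI, arg_buf)
        mu.reg_write(UC_X86_REG_RSI, num[index])
        mu.reg_write(UC_X86_REG_RSP, stack_base + 0x1000)
        mu.emu_start(address[index], address[index] + funcsize[index])
    except UcError:
        # Expected: the emulated function returned into unmapped memory.
        pass
    return mu.reg_read(UC_X86_REG_RAX) == 1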
def bruteFunction(mu, index):
    """Brute-force the serial chunk checked by function *index*.

    Enumerates every string of length num[index] over ``charset`` in
    itertools.product order and returns the first one for which
    exeFunction() reports success; returns None when none is accepted.
    The search space is len(charset) ** num[index], so this is only
    practical for short chunks.
    """
    length = num[index]
    candidates = (''.join(chars) for chars in product(charset, repeat=length))
    for candidate in candidates:
        if exeFunction(mu, index, candidate):
            return candidate
    return None
  74.  
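def do():
    """Recover one full serial for ./magic by emulating each check function.

    Resets the module-level metadata lists, loads the "magic" file image
    into a fresh x86-64 Unicorn instance at both ADDRESS and dataAddress
    (0x30000 bytes mapped at each), parses the function table with
    extractInfo(), then for each of the 33 table entries XOR-decodes the
    function and brute-forces the serial chunk it checks, splicing the
    result into a 120-character "_" placeholder.  The partial serial is
    printed after every chunk.

    Returns the assembled serial string, or None if the emulator raised a
    UcError (the error is printed).  Side effects: rebinds the globals
    ``buf`` (file contents) and ``elf`` (the file object -- closed here;
    the original left it open for the lifetime of the process) as well as
    the metadata lists.  If a chunk cannot be brute-forced,
    bruteFunction() returns None and the literal text "None" is spliced
    in, as in the original, so inspect the printed serial.  An unreadable
    "magic" file raises IOError/OSError to the caller, as before.
    """
    global index, num, address, funcsize, keyaddress, dump, elf, buf

    serial = "_" * 120
    index, num, address, funcsize, keyaddress, dump = [], [], [], [], [], []

    with open("magic", "rb") as elf:
        buf = elf.read()

    try:
        mu = Uc(UC_ARCH_X86, UC_MODE_64)
        # The same image is mapped twice: code runs from the ADDRESS copy,
        # while the function table is read from (and RDX points into) the
        # dataAddress copy, so decoding a body never disturbs the table.
        mu.mem_map(ADDRESS, 0x30000)
        mu.mem_map(dataAddress, 0x30000)
        mu.mem_write(ADDRESS, buf)
        mu.mem_write(dataAddress, buf)
        extractInfo(mu)
        for i in range(33):  # one entry per check function in the table
            decodeFunction(mu, i)
            chunk = bruteFunction(mu, i)
            serial = replace_str_index(serial, index[i], chunk, num[i])
            print(serial)
        return serial
    except UcError as e:
        print("ERROR: %s" % e)
        return None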
  119.  
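# ---------------------------------------------------------------------------
# Driver: repeatedly recover a serial, append it to listpass.txt, restore a
# pristine copy of the binary from magic-src and feed the list to it on
# stdin.  Runs at import time (no __main__ guard), exactly like the
# original script.  Why the binary is re-copied each round is not visible
# here (the emulation only reads the file); the step is kept as-is.
# ---------------------------------------------------------------------------
for _ in range(666):
    res = do()
    if res is None:
        # do() already printed the UcError.  The original then crashed on
        # None + "\n"; skip this round instead of aborting the whole run.
        continue
    with open("listpass.txt", "a+") as f:
        f.write(res + "\n")
    sleep(1)
    try:
        # Both commands run without a shell (argv lists, no string
        # building), replacing os.system("cp ...") / os.system("./magic
        # <listpass.txt").  Note that ./magic is an untrusted CTF binary
        # executed natively -- run this driver in a VM or container.
        call(["cp", "./magic-src", "./magic"])
        sleep(1)
        print("COPY SUCCESS")
        with open("listpass.txt", "rb") as passlist:
            call(["./magic"], stdin=passlist)
    except (OSError, IOError) as e:
        # os.system() would have let the shell report a missing binary and
        # carried on; keep that best-effort behaviour.
        print("ERROR: %s" % e)
        continue
    sleep(1)
    print("EXECUTE SUCCESS")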