
OSCE fc4.me challenge solver

a guest
Oct 12th, 2017
  1. #!/usr/bin/python2
  2. # Auto solver for the OSCE challenge at fc4.me
  3. # If you couldn't solve the challenge without this script
  4. # You probably don't even want to try OSCE.
  5.  
  6. import hashlib
  7. import datetime
  8. import requests
  9. import base64
  10. import sys
  11. import binascii
  12.  
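def _ordinal_suffix(day):
    """Return the English ordinal suffix for a day of the month (1-31)."""
    if day in (1, 21, 31):
        return "st"
    if day in (2, 22):
        return "nd"
    if day in (3, 23):
        return "rd"
    return "th"


def _extract_encoded_key(shcode):
    r"""Return the XOR-encoded key bytes, as hex strings, from the shellcode text.

    ``shcode`` is the textual dump from the response (literal ``\xNN``
    escapes, not raw bytes). Per the original author's notes, the shellcode
    is a run of ``push imm32`` instructions (opcode ``\x68``) followed by a
    decoder loop. The text is only parsed here; it is never executed.

    Raises:
        ValueError: if the text contains no ``\x68`` opcode.
    """
    # NOTE(review): this splits on every literal "\x68", so an operand byte
    # that happens to be 0x68 would also be treated as an opcode boundary.
    pushes = shcode.split("\\x68")[1:]
    if not pushes:
        raise ValueError("no push opcode found in shellcode text")

    # 16 characters == four "\xNN" escapes == the 4-byte operand of the last
    # push; whatever follows it (the decoder loop) is dropped.
    pushes[-1] = pushes[-1][:16]

    # The pushes are walked in reverse order (the last push sits lowest on the
    # stack); the bytes inside each operand keep their order.
    encoded = []
    for operand in reversed(pushes):
        encoded.extend(operand.split("\\x")[1:])
    return encoded


def main():
    """Solve the fc4.me registration challenge and print the code and key.

    Steps, as implemented below:
      1. Read the email address from argv[1], or prompt for it.
      2. Build today's security string ('tryharder' + formatted date), MD5 it
         and POST the digest together with the email address.
      3. Base64-decode the <blockquote> payload of the response.
      4. Take the registration code from the third ':'-separated field and
         the shellcode text from the fourth.
      5. Parse the pushed operands out of the shellcode text and XOR each
         byte with 0x41 to recover the registration key.

    The endpoint is plain HTTP, so the email address and digest travel in
    cleartext and the response is unauthenticated. Everything parsed from the
    response is therefore untrusted input: it is decoded and printed as-is,
    and nothing from it is executed.
    """
    # The address has to be valid and match the one used for registration.
    if len(sys.argv) < 2:
        email = raw_input("[>] Please set an email address: ")
    else:
        email = sys.argv[1]

    # Take a single timestamp: the original called now() once for the day
    # number and again for the string, which can disagree across midnight.
    now = datetime.datetime.now()
    # NOTE(review): %d zero-pads the day (e.g. "03rd"); confirm that this is
    # the form the server hashes.
    today = (now.strftime("%A %d") + _ordinal_suffix(now.day)
             + now.strftime(" of %B %Y"))

    print("[*] Today date is %s" % today)

    # hexdata = 'tryharder'
    hexdata = "\x74\x72\x79\x68\x61\x72\x64\x65\x72"
    print("[*] Security string for today: %s%s" % (hexdata, today))
    # MD5 is simply the digest this script submits as 'securitystring'; it is
    # not relied on here for integrity or authentication.
    dig = hashlib.md5(("%s%s" % (hexdata, today)).encode('UTF-8')).hexdigest()
    print("[*] MD5 digest: %s" % dig)

    # post request to validate the data...
    print("[*] Solving first challenge...")
    try:
        # Without a timeout, requests can block forever on a stalled server.
        r = requests.post("http://fc4.me/fc4me.php",
                          data={'email': email, 'securitystring': dig},
                          timeout=30)
    except requests.exceptions.RequestException as err:
        print("[x] Request to fc4.me failed: %s" % err)
        return

    try:
        body = r.content
        payload = body[body.index("<blockquote>"):body.index("</blockquote>")]
        decy = base64.b64decode(
            payload.replace("<blockquote>", "").replace("<br/>", ""))
        print("[!] First challenge solved!")
    except (ValueError, TypeError):
        # Missing markers (str.index) or a payload that is not valid base64.
        print("[x] Error while solving first challenge...")
        return

    # The decoded payload is split on ':'; the third field starts with the
    # registration code and the fourth holds the shellcode text.
    fields = decy.split(":")
    if len(fields) < 4 or not fields[2].split():
        print("[x] Unexpected response layout, cannot extract registration data")
        return
    regcode = fields[2].split()[0]
    shcode = fields[3].strip()

    print("[*] Extracting encoded registration key from aquired shellcode...")
    try:
        keyarray = _extract_encoded_key(shcode)
    except ValueError as err:
        print("[x] Could not parse shellcode: %s" % err)
        return

    print("[*] Encoded registration key extracted.")
    print("[*] Decoding registration key using xor key: 0x%x" % 0x41)  # XOR key is always the same
    try:
        regkey = ''.join(chr(int(byte, 16) ^ 0x41) for byte in keyarray)
    except ValueError:
        # A chunk that is not a two-digit hex byte means the layout changed.
        print("[x] Shellcode contains a malformed byte, cannot decode key")
        return

    print("[!] Registration key decoded! All the challenges are solved!")
    print("[+] Registration code: %s" % regcode)
    print("[+] Registration key: " + regkey)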
  88.  
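# Run the solver only when this file is executed as a script, so that
# importing it does not prompt for input or send a request to fc4.me.
if __name__ == "__main__":
    main()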