Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/python2
- # Auto solver for the OSCE challenge at fc4.me
- # If you couldn't solve the challenge without this script
- # You probably don't even want to try OSCE.
- import hashlib
- import datetime
- import requests
- import base64
- import sys
- import binascii
- def main():
- # Get email address for registration.
- # It has to be valid, and it has to be the same as
- # the one you set during registration.
- if len(sys.argv) < 2:
- email=raw_input("[>] Please set an email address: ")
- else:
- email=sys.argv[1]
- # adding 'st', 'nd' or 'rd' when today date is 1st 2nd or 3rd
- # Better solution? Please share!
- today_day=int(datetime.datetime.now().strftime("%d"))
- if today_day in [1, 21, 31]:
- today=datetime.datetime.now().strftime("%A %dst of %B %Y")
- elif today_day in [2, 22]:
- today=datetime.datetime.now().strftime("%A %dnd of %B %Y")
- elif today_day in [3, 23]:
- today=datetime.datetime.now().strftime("%A %drd of %B %Y")
- else:
- today=datetime.datetime.now().strftime("%A %dth of %B %Y")
- print("[*] Today date is %s" % today)
- # hexdata = 'tryharder'
- hexdata="\x74\x72\x79\x68\x61\x72\x64\x65\x72"
- print("[*] Security string for today: %s%s" % (hexdata,today))
- m=hashlib.md5()
- m.update(("%s%s" % (hexdata,today)).encode('UTF-8'))
- dig=m.hexdigest()
- print("[*] MD5 digest: %s" % dig)
- # post request to validate the data...
- print("[*] Solving first challenge...")
- r=requests.post("http://fc4.me/fc4me.php", data={'email': email, 'securitystring': dig})
- try:
- decy=base64.b64decode(r.content[r.content.index("<blockquote>"):r.content.index("</blockquote>")].replace("<blockquote>","").replace("<br/>",""))
- print("[!] First challenge solved!")
- except Exception as e:
- print("[x] Error while solving first challenge...")
- return
- chunks = decy.split(":")
- # Registration code acquired!
- regcode = chunks[2].strip().split()[0]
- shcode = chunks[3].strip()
- print("[*] Extracting encoded registration key from aquired shellcode...")
- # the shellcode starts with a sequence of pushes with xor encoded values.
- # the idea is at the end of the push sequence, you end up with the
- # encoded registration key on the stack.
- # the shellcode then ends with a loop to decode the encoded key.
- # Instead of scraping that from memory, we can just parse the shellcode
- # to get the encoded key, and then decode it using the same logic.
- shcode_chunks=shcode.split("\\x68")[1:]
- shcode_chunks[-1]=shcode_chunks[-1][:16]
- # shcode_chunks is an array of values like '\x32\x53\xf3\x71'
- # It is little-endian now. We need to reverse each items. (eg. we want '\x71\xf3\x53\x32')
- keyarray=list()
- for c in reversed(shcode_chunks):
- valarray = c.split("\\x")[1:]
- for i in valarray:
- keyarray.append(i)
- # Our array is sorted. Let's decode each values using a simple xor
- print("[*] Encoded registration key extracted.")
- print("[*] Decoding registration key using xor key: 0x%x" % 0x41) # XOR key is always the same
- for i in range(len(keyarray)):
- keyarray[i] = int(keyarray[i], 16)^0x41
- print("[!] Registration key decoded! All the challenges are solved!")
- print("[+] Registration code: %s" % regcode)
- print("[+] Registration key: "+(''.join(chr(e) for e in keyarray))) # BOOM.
- main()
Add Comment
Please, Sign In to add comment