Untitled

import sys
import string as s
from subprocess import call
import argparse
import re
from unicorn import *
from pwn import *
from time import sleep
from capstone import *
from itertools import *
from unicorn.x86_const import *
import array
charset="qwertyuiopasdfghjklzxcvbnm .,QWERTYUIOPASDFGHJKLZXCVBNM"
ADDRESS =   0x400000
dataAddress=0x600000
index=[]
num=[]
address=[]
funcsize=[]
keyaddress=[]
dump=[]

def hexDump(buf):
    print ''.join('{:02x}'.format(x) for x in buf)
def str2bytear(s):
    return array.array('B', s)
def extractInfo(mu):
    buff=mu.mem_read(0x605100,0x2520)
    #print buff
    buff=str(buff)
    for i in range(0,len(buff)/8):
        dump.append(u64(buff[8*i:8*i+8]))
    for i in range(0,33):
        index.append(dump[36*i+1]>>32)
        num.append(dump[36*i+2]&0xFFFFFFFF)
        address.append(dump[36*i])
        funcsize.append(dump[36*i+1]&0xFFFFFFFF)
        keyaddress.append(dump[36*i+3])

def replace_str_index(text,index=0,replacement='',num=0):
    return '%s%s%s'%(text[:index],replacement,text[index+num:])
def decodeFunction(mu,index):
    #print hex(keyaddress[index])
    key=mu.mem_read(keyaddress[index],funcsize[index])
    func=mu.mem_read(address[index],funcsize[index])
    for i in range(funcsize[index]):
        func[i]=func[i]^key[i]
    mu.mem_write(address[index],str(func))
    #hexDump(func)
    md = Cs(CS_ARCH_X86, CS_MODE_64)
    #for (add, size, mnemonic, op_str) in md.disasm_lite(str(func), address[index]):
    #   print("0x%x:\t%s\t%s" %(add, mnemonic, op_str))
def exeFunction(mu,index,buf):
    try:
        mu.mem_write(ADDRESS + 0x20000,"\x00"*0x2000)
        mu.mem_write(ADDRESS+0x28000,buf)
        mu.reg_write(UC_X86_REG_RDX,0x605120+index*0x120)
        mu.reg_write(UC_X86_REG_RDI, ADDRESS+0x28000)
        mu.reg_write(UC_X86_REG_RSI, num[index])
            mu.reg_write(UC_X86_REG_RSP, ADDRESS + 0x21000)
        mu.emu_start(address[index], address[index] +funcsize[index])
    except UcError as e:
        r_rax = mu.reg_read(UC_X86_REG_RAX)
        if (r_rax==1):
            return True
        else :
            return False
def bruteFunction(mu,index):
    n=num[index]

    for c in product(charset,repeat=n):
        if (exeFunction(mu,index,''.join(c))):
            return ''.join(c)

def do():

    serial="_"*120
    global index
    global num
    global address
    global funcsize
    global keyaddress
    global dump
    global elf
    global buf
    index=[]
    num=[]
    address=[]
    funcsize=[]
    keyaddress=[]
    dump=[]

    elf=open("magic","rb")
    buf=elf.read()
    try:

        mu = Uc(UC_ARCH_X86, UC_MODE_64)

        mu.mem_map(ADDRESS, 0x30000)
        mu.mem_map(dataAddress,0x30000)
        #print type(buf)
        mu.mem_write(ADDRESS,buf)
        mu.mem_write(dataAddress,buf)
        extractInfo(mu)
        #decodeFunction(mu,3)
        #print "Execute Function " + str(i)
        #print exeFunction(mu,3,"ng ")
        #mu.hook_add(UC_HOOK_CODE, hook_code)
        for i in range(0,33):
            #print "Decode Function " + str(i)
            decodeFunction(mu,i)
            #print "Execute Function " + str(i)
            res=bruteFunction(mu,i)
            serial=replace_str_index(serial,index[i],res,num[i])
            print serial
        return serial
    except UcError as e:
        print("ERROR: %s" % e)

for _ in range(0,666):
    res=do()
    f=open("listpass.txt","a+")
    f.write(res+"\n")
    f.close()
    sleep(1)
    command = "./magic <listpass.txt"
    command1= "cp  ./magic-src ./magic"
    os.system(command1)
    sleep(1)
    print "COPY SUCCESS"
    os.system(command)

    sleep(1)
    print "EXECUTE SUCCESS"