API tools faq
paste
Advertisement
Guest User

magic-re.py

a guest
Apr 26th, 2018
187
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 5.73 KB | None | 0 0
raw download clone embed print report
  1. from __future__ import print_function
  2. from unicorn import *
  3. from unicorn.x86_const import *
  4. from binascii import hexlify
  5. from copy import deepcopy
  6.  
  7. code = b"\xbc\x00\x71\x33\x31" \
  8. "\x61" \
  9. "\x8b\x25\x20\x71\x33\x31" \
  10. "\x5f" \
  11. "\x89\x25\x20\x71\x33\x31" \
  12. "\xbc\x20\x71\x33\x31" \
  13. "\x60"
  14.  
  15. ADDRESS = 0x31337000
  16.  
  17. t = 'AAAAaaaaCAAA q31EAAAFAAAGAAAHAAATu31baaacaaadaaaeaaafaaagaaahaaabaaaaaaaCAAA q31EAAAFAAAGAAAHAAAXu31caaadaaaeaaafaaagaaahaaabaaacaaaCAAA q31EAAAFAAAGAAAHAAA\\u31daaaeaaafaaagaaahaaaaaaacaaaCAAA q31EAAAFAAAGAAAHAAA\\u31daaaeaaafaaagaaahaaaaaaabaaaCAAA q31EAAAFAAAGAAAHAAA\\u31daaaeaaafaaagaaahaaaaaaabaaaDAAA q31EAAAFAAAGAAAHAAA\\u31daaaeaaafaaagaaahaaadaaabaaaDAAA q31EAAAFAAAGAAAHAAA`u31eaaafaaagaaahaaadaaabaaaDAAA q31EAAAGAAAGAAAHAAA`u31eaaafaaagaaahaaadaaabaaaDAAA q31EAAAGAAAeaaaHAAAdu31faaagaaahaaadaaabaaaDAAA q31EAAAGAAAeaaaHAAA`u31du31faaagaaahaaadaaabaaaEAAA q31EAAAGAAAeaaaHAAA`u31du31faaagaaahaaadu31baaaEAAA q31EAAAGAAAeaaaHAAAdu31faaagaaahaaadu31baaaEAAA q31EAAAGAAAdaaaHAAAdu31faaagaaahaaadu31aaaaEAAA q31EAAAGAAAdaaaHAAAdu31faaagaaahaaadu31aaaaEAAA q31EAAAGAAAdaaaHAAA`u31EAAAfaaagaaahaaadu31aaaaEAAA q31EAAAGAAAdaaaHAAA\\u31`u31EAAAfaaagaaahaaadu31aaaaEAAA q31EAAAGAAAdaaaHAAAXu31GAAA`u31EAAAfaaagaaahaaadu31aaaaEAAA q31EAAAGAAAdaaaHAAATu31EAAAGAAA`u31EAAAfaaagaaahaaadu31aaaaEAAA q31FAAAGAAAdaaaHAAATu31EAAAGAAA`u31EAAAfaaagaaahaaadu31aaaaEAAA q31FAAAGAAAdaaaHAAAPu31Tu31EAAAGAAA`u31EAAAfaaagaaahaaadu31aaaaEAAA q31FAAAGAAAcaaaHAAAPu31Tu31EAAAGAAA`u31EAAAfaaagaaahaaacu31aaaaEAAA q31FAAAGAAAcaaaHAAAPu31Tu31EAAAGAAA`u31EAAAfaaagaaahaaacu31`aaaEAAA q31FAAAGAAAcaaaHAAAPu31Tu31EAAAGAAA`u31EAAAfaaagaaahaaaTu31`aaaEAAA q31FAAAGAAAcaaaHAAATu31EAAAGAAA`u31EAAAfaaagaaahaaaTu31aaaaEAAA q31FAAAGAAAcaaaHAAATu31EAAAGAAA`u31EAAAfaaagaaahaaaTu31aaaaEAAA q31FAAAGAAAcaaaHAAASu311EAAAGAAA`u31EAAAfaaagaaahaaaTu31aaaaEAAA q31FAAAGAAAdaaaHAAASu311EAAAGAAA`u31EAAAfaaagaaahaaaUu31aaaaEAAA q31FAAAGAAAdaaaHAAASu311EAAAGAAA`u31EAAAfaaagaaahaaa1EAAaaaaEAAA q31FAAAGAAAdaaaHAAAWu31AGAAA`u31EAAAfaaagaaahaaa1EAAaaaaEAAA q31FAAAGAAAcaaaHAAAWu31AGAAA`u31EAAAfaaagaaahaaa1EAAaaaaEAAA q31FAAAAGAAcaaaHAAA[u31A`u31EAAAfaaagaaahaaaA`u3aaaaEAAA q31FAAAAGAAcaaaHAAA_u311EAAAfaaagaaahaaaA`u3aaaaEAAA q31GAAAAGAAcaaaHAAA_u311EAAAfaaagaaahaaaA`u3aaaaEAAA q31GAAAAGAAcaaaHAAA^u3131EAAAfaaagaaahaaaA`u3aaaaEAAA q31GAAAAGAAdaaaHAAA^u3131EAAAfaaagaaahaaaA`u3aaaaEAAA q31GAAAAGAAdaaaHAAAZu31GAAA31EAAAfaaagaaahaaaA`u3aaaaEAAA q31GAAAAGAAdaaaHAAAVu31GAAAGAAA31EAAAfaaagaaahaaaA`u3aaaaEAAA q31GAAAAGAAGAAAHAAAZu31GAAA31EAAAfaaagaaahaaaGAAAaaaaEAAA q31GAAAAGAAGAAAHAAA^u3131EAAAfaaagaaahaaaGAAAaaaaEAAA q31GAAAAGAAHAAAHAAA^u3131EAAAfaaagaaahaaaGAAA`aaaEAAA q31GAAAAGAAHAAAHAAA^u3131EAAAfaaagaaahaaaGAAA`aaaEAAA q31GAAAAGAAHAAAHAAA_u311EAAAfaaagaaahaaa1EAA`aaaEAAA q31GAAAAGAAHAAAHAAAcu31Afaaagaaahaaa1EAAaaaaEAAA q31GAAAAGAAHAAAHAAAcu31Afaaagaaahaaa1EAAaaaaEAAA q31GAAAAGAAHAAAHAAA_u31EAAAAfaaagaaahaaa1EAA`aaaEAAA q31GAAAAGAAHAAAHAAA_u31EAAAAfaaagaaahaaaEAAA`aaaEAAA q31GAAAAGAAHAAAHAAAcu31AfaaagaaahaaaEAAA`aaaEAAA q31GAAABGAAHAAAHAAAcu31AfaaagaaahaaaEAAA`aaaAfaa q31GAAABGAAHAAAHAAAgu31agaaahaaa'
  18.  
  19. ESPs = [ int(hexlify((i + 'haaa')[32:36][::-1]), 16) for i in t.split('haaa') if i != '']
  20. ESPs.insert(0, 0x31337550)
  21. kk = [ i + 'haaa' for i in t.split('haaa') if i != '']
  22.  
  23. def simulate(opcode, unicorn):
  24.     try:
  25.         tt = code.replace('\x5f', chr(opcode))
  26.         unicorn.mem_write(ADDRESS, tt)
  27.         unicorn.emu_start(ADDRESS, ADDRESS + len(tt))
  28.     except UcError as e:
  29.         print("ERROR %s" %e)
  30.    
  31.  
  32. def handle(opcode, state, i):
  33.     simulate(opcode, state)
  34.     try:
  35.         f = str(state.mem_read(ADDRESS + 0x100, 36))
  36.         addr = int(hexlify(str(state.mem_read(ADDRESS + 0x120, 4))[::-1]), 16)
  37.         tmp = str(state.mem_read(addr, 32))
  38.         for b in tmp:
  39.             if b  == '\x00':
  40.                 break
  41.             f += b
  42.         return f == kk[i]
  43.     except UcError as e:
  44.         return False
  45.        
  46. def resolve(i, unicorn, context, mem, key):
  47.     if i >= len(ESPs) - 1:
  48.         print(key)
  49.         return
  50.        
  51.     state = unicorn
  52.    
  53.     if ESPs[i] - ESPs[i + 1] == 0:
  54.         #inc, dec
  55.         for opcode in xrange(0x40, 0x50):
  56.             if opcode != 0x4c and opcode != 0x44:
  57.                 state.context_restore(context)
  58.                 state.mem_write(ADDRESS, mem)
  59.                 f = deepcopy(key)
  60.                 if handle(opcode, state, i):
  61.                     f += chr(opcode)
  62.                     resolve(i + 1, state, state.context_save(), str(state.mem_read(ADDRESS, 0x1000)), f)
  63.                    
  64.     elif ESPs[i] - ESPs[i + 1] == -4:
  65.         #pop
  66.         for opcode in xrange(0x58, 0x60):
  67.             state.context_restore(context)
  68.             state.mem_write(ADDRESS, mem)
  69.             f = deepcopy(key)
  70.             if handle(opcode, state, i):
  71.                 f += chr(opcode)
  72.                 resolve(i + 1, state, state.context_save(), str(state.mem_read(ADDRESS, 0x1000)), f)
  73.                
  74.     elif ESPs[i] - ESPs[i + 1] == 4:
  75.         #push
  76.         for opcode in xrange(0x50, 0x58):
  77.             state.context_restore(context)
  78.             state.mem_write(ADDRESS, mem)
  79.             f = deepcopy(key)
  80.             if handle(opcode, state, i):
  81.                 f += chr(opcode)
  82.                 resolve(i + 1, state, state.context_save(), str(state.mem_read(ADDRESS, 0x1000)), f)
  83.                
  84.     elif ESPs[i] - ESPs[i + 1] == 1:
  85.         #dec esp
  86.         state.context_restore(context)
  87.         state.mem_write(ADDRESS, mem)
  88.         f = deepcopy(key)
  89.         if handle(0x4c, state, i):
  90.             f += chr(0x4c)
  91.             resolve(i + 1, state, state.context_save(), str(state.mem_read(ADDRESS, 0x1000)), f)
  92.            
  93.     elif ESPs[i] - ESPs[i + 1] == -1:
  94.         #inc esp
  95.         state.context_restore(context)
  96.         state.mem_write(ADDRESS, mem)
  97.         f = deepcopy(key)
  98.         if handle(0x44, state, i):
  99.             f += chr(0x44)
  100.             resolve(i + 1, state, state.context_save(), str(state.mem_read(ADDRESS, 0x1000)), f)
  101.            
  102. def main():
  103.     key = ''
  104.  
  105.     mu = Uc(UC_ARCH_X86, UC_MODE_32)
  106.     mu.mem_map(ADDRESS, 0x1000)
  107.     mu.mem_write(ADDRESS + 0x100, 'AAAABAAACAAADAAAEAAAFAAAGAAAHAAAPu31')
  108.     mu.mem_write(ADDRESS + 0x550, 'aaaabaaacaaadaaaeaaafaaagaaahaaa')
  109.    
  110.     resolve(0, mu, mu.context_save(), str(mu.mem_read(ADDRESS, 0x1000)), key)
  111.  
  112. main()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!