from __future__ import print_function

import struct
from binascii import hexlify
from copy import deepcopy

from unicorn import *
from unicorn.x86_const import *
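# Probe stub run once per candidate opcode.  Layout of the scratch page at ADDRESS:
#   +0x000  this stub
#   +0x100  32-byte register image in pushad/popad order, then the 4-byte esp at +0x120
#   +0x550  initial stack contents (written by main)
# All pieces are bytes literals: Python 2 accepted the original mix of b"" and ""
# pieces, Python 3 rejects it as a SyntaxError.
code = (
    b"\xbc\x00\x71\x33\x31"      # mov esp, 0x31337100   ; point at the register image
    b"\x61"                      # popad                 ; load edi..eax from it
    b"\x8b\x25\x20\x71\x33\x31"  # mov esp, [0x31337120] ; load the saved esp
    b"\x5f"                      # placeholder byte, replaced by the opcode under test
    b"\x89\x25\x20\x71\x33\x31"  # mov [0x31337120], esp ; store the resulting esp
    b"\xbc\x20\x71\x33\x31"      # mov esp, 0x31337120
    b"\x60"                      # pushad                ; dump edi..eax back to +0x100
)
ADDRESS = 0x31337000

# Expected memory snapshots after each step, separated and terminated by 'haaa':
# 32 bytes of registers, 4 bytes of esp (little-endian), then the stack contents
# from esp up to the first NUL.  NOTE: this script targets Python 2, where str is
# a byte string; handle() relies on that when it compares emulator memory against
# these text literals.
t = 'AAAAaaaaCAAA q31EAAAFAAAGAAAHAAATu31baaacaaadaaaeaaafaaagaaahaaabaaaaaaaCAAA q31EAAAFAAAGAAAHAAAXu31caaadaaaeaaafaaagaaahaaabaaacaaaCAAA q31EAAAFAAAGAAAHAAA\\u31daaaeaaafaaagaaahaaaaaaacaaaCAAA q31EAAAFAAAGAAAHAAA\\u31daaaeaaafaaagaaahaaaaaaabaaaCAAA q31EAAAFAAAGAAAHAAA\\u31daaaeaaafaaagaaahaaaaaaabaaaDAAA q31EAAAFAAAGAAAHAAA\\u31daaaeaaafaaagaaahaaadaaabaaaDAAA q31EAAAFAAAGAAAHAAA`u31eaaafaaagaaahaaadaaabaaaDAAA q31EAAAGAAAGAAAHAAA`u31eaaafaaagaaahaaadaaabaaaDAAA q31EAAAGAAAeaaaHAAAdu31faaagaaahaaadaaabaaaDAAA q31EAAAGAAAeaaaHAAA`u31du31faaagaaahaaadaaabaaaEAAA q31EAAAGAAAeaaaHAAA`u31du31faaagaaahaaadu31baaaEAAA q31EAAAGAAAeaaaHAAAdu31faaagaaahaaadu31baaaEAAA q31EAAAGAAAdaaaHAAAdu31faaagaaahaaadu31aaaaEAAA q31EAAAGAAAdaaaHAAAdu31faaagaaahaaadu31aaaaEAAA q31EAAAGAAAdaaaHAAA`u31EAAAfaaagaaahaaadu31aaaaEAAA q31EAAAGAAAdaaaHAAA\\u31`u31EAAAfaaagaaahaaadu31aaaaEAAA q31EAAAGAAAdaaaHAAAXu31GAAA`u31EAAAfaaagaaahaaadu31aaaaEAAA q31EAAAGAAAdaaaHAAATu31EAAAGAAA`u31EAAAfaaagaaahaaadu31aaaaEAAA q31FAAAGAAAdaaaHAAATu31EAAAGAAA`u31EAAAfaaagaaahaaadu31aaaaEAAA q31FAAAGAAAdaaaHAAAPu31Tu31EAAAGAAA`u31EAAAfaaagaaahaaadu31aaaaEAAA q31FAAAGAAAcaaaHAAAPu31Tu31EAAAGAAA`u31EAAAfaaagaaahaaacu31aaaaEAAA q31FAAAGAAAcaaaHAAAPu31Tu31EAAAGAAA`u31EAAAfaaagaaahaaacu31`aaaEAAA q31FAAAGAAAcaaaHAAAPu31Tu31EAAAGAAA`u31EAAAfaaagaaahaaaTu31`aaaEAAA q31FAAAGAAAcaaaHAAATu31EAAAGAAA`u31EAAAfaaagaaahaaaTu31aaaaEAAA q31FAAAGAAAcaaaHAAATu31EAAAGAAA`u31EAAAfaaagaaahaaaTu31aaaaEAAA q31FAAAGAAAcaaaHAAASu311EAAAGAAA`u31EAAAfaaagaaahaaaTu31aaaaEAAA q31FAAAGAAAdaaaHAAASu311EAAAGAAA`u31EAAAfaaagaaahaaaUu31aaaaEAAA q31FAAAGAAAdaaaHAAASu311EAAAGAAA`u31EAAAfaaagaaahaaa1EAAaaaaEAAA q31FAAAGAAAdaaaHAAAWu31AGAAA`u31EAAAfaaagaaahaaa1EAAaaaaEAAA q31FAAAGAAAcaaaHAAAWu31AGAAA`u31EAAAfaaagaaahaaa1EAAaaaaEAAA q31FAAAAGAAcaaaHAAA[u31A`u31EAAAfaaagaaahaaaA`u3aaaaEAAA q31FAAAAGAAcaaaHAAA_u311EAAAfaaagaaahaaaA`u3aaaaEAAA q31GAAAAGAAcaaaHAAA_u311EAAAfaaagaaahaaaA`u3aaaaEAAA q31GAAAAGAAcaaaHAAA^u3131EAAAfaaagaaahaaaA`u3aaaaEAAA q31GAAAAGAAdaaaHAAA^u3131EAAAfaaagaaahaaaA`u3aaaaEAAA q31GAAAAGAAdaaaHAAAZu31GAAA31EAAAfaaagaaahaaaA`u3aaaaEAAA q31GAAAAGAAdaaaHAAAVu31GAAAGAAA31EAAAfaaagaaahaaaA`u3aaaaEAAA q31GAAAAGAAGAAAHAAAZu31GAAA31EAAAfaaagaaahaaaGAAAaaaaEAAA q31GAAAAGAAGAAAHAAA^u3131EAAAfaaagaaahaaaGAAAaaaaEAAA q31GAAAAGAAHAAAHAAA^u3131EAAAfaaagaaahaaaGAAA`aaaEAAA q31GAAAAGAAHAAAHAAA^u3131EAAAfaaagaaahaaaGAAA`aaaEAAA q31GAAAAGAAHAAAHAAA_u311EAAAfaaagaaahaaa1EAA`aaaEAAA q31GAAAAGAAHAAAHAAAcu31Afaaagaaahaaa1EAAaaaaEAAA q31GAAAAGAAHAAAHAAAcu31Afaaagaaahaaa1EAAaaaaEAAA q31GAAAAGAAHAAAHAAA_u31EAAAAfaaagaaahaaa1EAA`aaaEAAA q31GAAAAGAAHAAAHAAA_u31EAAAAfaaagaaahaaaEAAA`aaaEAAA q31GAAAAGAAHAAAHAAAcu31AfaaagaaahaaaEAAA`aaaEAAA q31GAAABGAAHAAAHAAAcu31AfaaagaaahaaaEAAA`aaaAfaa q31GAAABGAAHAAAHAAAgu31agaaahaaa'

# One expected snapshot per step; split() drops the separator, so re-append it.
kk = [piece + 'haaa' for piece in t.split('haaa') if piece]

# Expected esp *before* each step: the initial esp (0x31337550, seeded by main),
# then the little-endian dword at offset 32 of every snapshot.  The reverse-and-
# hexlify trick of the original is just a little-endian u32 read, which struct
# does directly; .encode() is a no-op for this ASCII data on Python 2 and yields
# the bytes struct needs on Python 3.
ESPs = [0x31337550] + [
    struct.unpack_from('<I', snapshot.encode('latin-1'), 32)[0] for snapshot in kk
]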
def simulate(opcode, unicorn):
    """Run the probe stub with ``opcode`` patched into its placeholder slot.

    The stub is written at ADDRESS and emulated from its first to its last byte.
    A UcError raised by the emulator is printed and otherwise ignored, so the
    caller has to inspect memory itself to decide whether the run succeeded.
    """
    stub = code.replace('\x5f', chr(opcode))
    try:
        unicorn.mem_write(ADDRESS, stub)
        unicorn.emu_start(ADDRESS, ADDRESS + len(stub))
    except UcError as err:
        print("ERROR %s" % err)
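def handle(opcode, state, i):
    """Run one candidate opcode and report whether the emulator state matches step ``i``.

    The comparison key is kk[i]: the 36-byte register/esp image at ADDRESS + 0x100
    followed by the bytes at the resulting esp up to the first NUL.  Returns False
    when a memory read raises UcError (e.g. esp pointing outside the mapped page),
    which simply rules this opcode out.
    """
    simulate(opcode, state)
    try:
        # 32 bytes stored by pushad plus the esp the stub saved at +0x120.
        snapshot = str(state.mem_read(ADDRESS + 0x100, 36))
        # The saved esp is the little-endian dword at offset 32 of that image.
        esp = struct.unpack_from('<I', snapshot, 32)[0]
        stack = str(state.mem_read(esp, 32))
    except UcError:
        return False
    # Only the NUL-free prefix of the 32-byte stack window takes part in the comparison.
    return snapshot + stack.partition('\x00')[0] == kk[i]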
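# Single-byte x86 opcodes worth trying for a given esp change, keyed by
# ESPs[i] - ESPs[i + 1] (how much esp must *decrease* during the step).
_OPCODES_FOR_ESP_DELTA = {
    0: [op for op in range(0x40, 0x50) if op not in (0x44, 0x4c)],  # inc/dec r32, esp excluded
    -4: list(range(0x58, 0x60)),  # pop r32
    4: list(range(0x50, 0x58)),   # push r32
    1: [0x4c],                    # dec esp
    -1: [0x44],                   # inc esp
}


def resolve(i, unicorn, context, mem, key):
    """Depth-first search for the opcode sequence that reproduces every snapshot in kk.

    Args:
        i: index of the step to solve; the search is complete once i reaches len(ESPs) - 1.
        unicorn: the Uc instance shared by the whole search.
        context: emulator context (context_save) as it was before step ``i``.
        mem: 0x1000-byte image of the page at ADDRESS as it was before step ``i``.
        key: the opcodes matched so far, one chr() per step.

    Every full match is printed; the search then continues, so several keys may
    be printed if more than one sequence reproduces the snapshots.  An esp delta
    with no candidate opcodes is a dead end and returns silently.
    """
    if i >= len(ESPs) - 1:
        print(key)
        return
    delta = ESPs[i] - ESPs[i + 1]
    for opcode in _OPCODES_FOR_ESP_DELTA.get(delta, ()):
        # Rewind to the state reached before this step; handle() mutates both
        # the registers and the scratch page.
        unicorn.context_restore(context)
        unicorn.mem_write(ADDRESS, mem)
        if handle(opcode, unicorn, i):
            resolve(
                i + 1,
                unicorn,
                unicorn.context_save(),
                str(unicorn.mem_read(ADDRESS, 0x1000)),
                key + chr(opcode),
            )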
def main():
    """Create a 32-bit x86 emulator, seed the initial register and stack image, and search."""
    emulator = Uc(UC_ARCH_X86, UC_MODE_32)
    emulator.mem_map(ADDRESS, 0x1000)
    # Register image consumed by the stub's popad, followed by the initial esp
    # ('Pu31' is 0x31337550 little-endian, i.e. ADDRESS + 0x550).
    emulator.mem_write(ADDRESS + 0x100, 'AAAABAAACAAADAAAEAAAFAAAGAAAHAAAPu31')
    # Initial stack contents at that esp.
    emulator.mem_write(ADDRESS + 0x550, 'aaaabaaacaaadaaaeaaafaaagaaahaaa')
    initial_context = emulator.context_save()
    initial_page = str(emulator.mem_read(ADDRESS, 0x1000))
    resolve(0, emulator, initial_context, initial_page, '')


main()