#coding: utf-8
import ast
import base64
import hashlib
import sys

from pwn import *
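def divide(t, idx, s, d, g):
    """Decode the instruction at ``t[idx]`` and update the tracked values.

    The block is only decoded, never executed: each supported opcode byte is
    mapped to a printable mnemonic and the tracked values are updated the
    way the mnemonic describes.

    Args:
        t: Byte string (Python 2 ``str``) holding the machine code of one block.
        idx: Offset in ``t`` of the opcode byte to decode.
        s: Running value tracked for ``eax``.
        d: Value tracked for ``edx``.
        g: Immediate of the last ``cmp eax, imm32`` seen in this block.

    Returns:
        A tuple ``(a, b, c, s, d, g)``: mnemonic text, operand text, number
        of bytes consumed, and the updated ``s``, ``d`` and ``g``.

    Raises:
        ValueError: if the opcode byte is not one of the supported ones, or
            if a 32-bit immediate is cut off by the end of the block.
    """
    opcode = t[idx]

    def imm32():
        # Little-endian 32-bit immediate that follows the opcode byte.
        operand = t[idx + 1:idx + 5]
        if len(operand) != 4:
            # A short slice would otherwise be parsed as a smaller number
            # and silently corrupt the result.
            raise ValueError(
                'truncated 32-bit immediate at offset %d' % idx)
        digits = ''.join('%02x' % ord(ch) for ch in reversed(operand))
        return '0x' + digits, int(digits, 16)

    if opcode == '\xb8':
        a = 'mov eax,'
        b, s = imm32()
        c = 5
    elif opcode == '\x2d':
        a = 'sub eax,'
        b, value = imm32()
        c = 5
        s -= value
    elif opcode == '\x05':
        a = 'add eax,'
        b, value = imm32()
        c = 5
        s += value
    elif opcode == '\x74':
        # A fixed 10 bytes are skipped without being inspected; presumably
        # they are the je / mov / mov sequence named here - confirm against
        # the blocks the service sends.
        a = 'je 0xf\nmov eax, 0x0\nmov eax,'
        b = 'DWORD PTR [eax]'
        c = 10
    elif opcode == '\xf7':
        # NOTE(review): x86 `mul edx` also writes the high half of the
        # product to edx; d is left unchanged here, which only matters if a
        # block multiplies again without reloading edx.
        a = 'mul'
        b = 'edx'
        c = 2
        s *= d
    elif opcode == '\xba':
        a = 'mov edx,'
        b, d = imm32()
        c = 5
    elif opcode == '\x3d':
        a = 'cmp eax,'
        b, g = imm32()
        c = 5
    elif opcode == '\x48':
        # A fixed 16 bytes are skipped without being inspected (see the
        # note on the je case).
        a = 'mov rax, 0x3c\nmov rdi,'
        b = '0x0\nsyscall'
        c = 16
    else:
        # Without this branch an unknown byte surfaced as an
        # UnboundLocalError on `a` at the return statement.
        raise ValueError(
            'unsupported opcode %r at offset %d' % (opcode, idx))

    # Keep the running value within 32 bits, like the register it models.
    s &= 0xffffffff
    return a, b, c, s, d, g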
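# Python 2 script: solves ten rounds of the block-ordering service and then
# prints the final reply.
# NOTE(review): the source had lost its indentation; the extent of the loops
# below is reconstructed from the statement order - confirm against the
# original script.
r = remote("buildingblocks.eatpwnnosleep.com", 46115)

for _round in range(10):
    print(r.recvuntil(")\n"))
    data = r.recvuntil("]")
    # The reply comes from a remote host and is untrusted. eval() would run
    # whatever expression the server sends on this machine; literal_eval
    # accepts only Python literals (here: a list of base64 strings) and
    # raises on anything else. strip() keeps leading whitespace harmless,
    # as it was under eval().
    data = ast.literal_eval(data.strip())

    # Raw machine-code bytes of every block, in the order received. They are
    # only decoded by divide(), never executed.
    blocks = [base64.b64decode(item) for item in data]

    sum_list = []   # final eax value of each block
    goal_list = []  # cmp immediate of each block
    start = 0       # index of the block that begins with `mov eax, imm32`

    # enumerate() gives each block its own index; list.index() returned the
    # first match and so mis-numbered blocks with identical bytes.
    for pos, block in enumerate(blocks):
        idx = 0
        d = 0
        s = 0
        g = 0
        print("[*] {} block.".format(pos))
        if block[:1] == '\xb8':
            start = pos
        while idx < len(block):
            inst, value, size, s, d, g = divide(block, idx, s, d, g)
            idx += size
            print("{} {}".format(inst, value))
        sum_list.append(s)
        goal_list.append(g)
        print("[+] sum : {}\n".format(hex(s)))

    print(sum_list)
    print(goal_list)
    print(start)

    # Chain the blocks: the successor of a block is the one whose cmp
    # immediate equals the value the block leaves in eax.
    res = [start]
    now = start
    for _step in range(len(blocks) - 1):
        now = goal_list.index(sum_list[now])
        res.append(now)

    # The slice keeps an empty block list from indexing blocks[0].
    key = "".join(blocks[i] for i in res[:len(blocks)])

    key = hashlib.sha256(key).hexdigest()
    r.sendline(key)

print(r.recvuntil("}"))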