@hugsy
Created October 10, 2017 01:17
flareon4 lvl3
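/**
* Key brute-forcer for flareon4 lvl3 (greek_to_me): tries candidate keys until
* the decoded bytes produce the expected checksum.
*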
* $ ./greek_to_me
* Starting new process 28576 with range(0, 0x20000000)
* [...]
* found possible key: 1073741986
*
* Run greek_to_me:
* $ python greek_to_me.py 1073741986
* Congratulations! But wait, where's my flag?
*
* In WinDbg:
0:000> bp 004010f5
0:000> da ebp-2Bh
0018ff59 "et_tu_brute_force@flare-on.com"
*/
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
/*
0040107c 33 e1 c4 99 11 06 81 16-f0 32 9f c4 91 17 06 81 3........2......
0040108c 14 f0 06 81 15 f1 c4 91-1a 06 81 1b e2 06 81 18 ................
0040109c f2 06 81 19 f1 06 81 1e-f0 c4 99 1f c4 91 1c 06 ................
004010ac 81 1d e6 06 81 62 ef 06-81 63 f2 06 81 60 e3 c4 .....b...c...`..
004010bc 99 61 06 81 66 bc 06 81-67 e6 06 81 64 e8 06 81 .a..f...g...d...
004010cc 65 9d 06 81 6a f2 c4 99-6b 06 81 68 a9 06 81 69 e...j...k..h...i
004010dc ef 06 81 6e ee 06 81 6f-ae 06 81 6c e3 06 81 6d ...n...o...l...m
004010ec ef 06 81 72 e9 06 81 73-7c ...r...s|`
*/
/*
 * Encoded bytes under test, transcribed from the hex dump that starts at
 * 0040107c in the comment above. step1() decodes a copy of this table with a
 * candidate key; the table itself is never modified.
 */
uint8_t code[] = {
    0x33, 0xe1, 0xc4, 0x99, 0x11, 0x06, 0x81, 0x16,
    0xf0, 0x32, 0x9f, 0xc4, 0x91, 0x17, 0x06, 0x81,
    0x14, 0xf0, 0x06, 0x81, 0x15, 0xf1, 0xc4, 0x91,
    0x1a, 0x06, 0x81, 0x1b, 0xe2, 0x06, 0x81, 0x18,
    0xf2, 0x06, 0x81, 0x19, 0xf1, 0x06, 0x81, 0x1e,
    0xf0, 0xc4, 0x99, 0x1f, 0xc4, 0x91, 0x1c, 0x06,
    0x81, 0x1d, 0xe6, 0x06, 0x81, 0x62, 0xef, 0x06,
    0x81, 0x63, 0xf2, 0x06, 0x81, 0x60, 0xe3, 0xc4,
    0x99, 0x61, 0x06, 0x81, 0x66, 0xbc, 0x06, 0x81,
    0x67, 0xe6, 0x06, 0x81, 0x64, 0xe8, 0x06, 0x81,
    0x65, 0x9d, 0x06, 0x81, 0x6a, 0xf2, 0xc4, 0x99,
    0x6b, 0x06, 0x81, 0x68, 0xa9, 0x06, 0x81, 0x69,
    0xef, 0x06, 0x81, 0x6e, 0xee, 0x06, 0x81, 0x6f,
    0xae, 0x06, 0x81, 0x6c, 0xe3, 0x06, 0x81, 0x6d,
    0xef, 0x06, 0x81, 0x72, 0xe9, 0x06, 0x81, 0x73,
    0x7c
};

/* Number of bytes in code[]: 0x79 (121). */
size_t codelen = sizeof code / sizeof code[0];
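/**
 * Decode a fresh copy of code[] with one candidate key.
 *
 * Only the low byte of key takes part: every output byte is
 * (uint8_t)(((key & 0xff) ^ code[i]) + 0x22). Keys that differ only in
 * bits 8..31 therefore decode to identical buffers.
 *
 * @param key  candidate key; the upper 24 bits are ignored.
 * @return     heap buffer of codelen bytes that the caller owns and must
 *             free(), or NULL when the allocation fails.
 */
uint8_t* step1(uint32_t key)
{
    /*
     * The loop below writes every byte, so neither a zero-fill nor a
     * preliminary copy of code[] is needed.
     */
    uint8_t *code2 = malloc(codelen);
    if (code2 == NULL) {
        /* Report the failure instead of writing through a null pointer. */
        return NULL;
    }

    const uint8_t k = key & 0xff;
    for (size_t i = 0; i < codelen; i++) {
        /* The addition is done in int; the cast keeps the low 8 bits. */
        code2[i] = (uint8_t)((k ^ code[i]) + 0x22);
    }
    return code2;
}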
/**
 * Compute the 16-bit checksum of a decoded buffer.
 *
 * Two 16-bit running sums, both seeded with 255, are updated per byte and
 * folded (high byte added to low byte) after each chunk. For the fixed
 * length of 0x79 bytes the chunks are 20, 20, 20, 20, 20 and 21 bytes long.
 *
 * The length is hard-coded: exactly 0x79 bytes are read from code2 no matter
 * how large the caller's buffer is, so the caller must supply at least that
 * many bytes.
 *
 * NOTE(review): the chunk threshold (0x20) differs from the chunk size
 * (0x14); confirm both against the disassembly this was transcribed from.
 *
 * @param code2  buffer of at least 0x79 readable bytes.
 * @return       checksum, truncated to 16 bits.
 */
uint16_t step2(uint8_t *code2)
{
    uint32_t remaining = 0x79;  /* bytes still to be consumed */
    uint16_t low = 255;         /* first sum, carried between chunks */
    uint16_t high = 255;        /* second sum, accumulates the first */
    int pos = 0;                /* offset of the current chunk */

    while (remaining != 0) {
        int32_t chunk = (remaining > 0x20) ? 0x14 : remaining;
        remaining -= chunk;

        /* Both sums wrap modulo 2^16 while a chunk is being consumed. */
        uint16_t run = low;
        for (int32_t j = 0; j < chunk; j++) {
            run += code2[pos + j];
            high += run;
        }
        pos += chunk;

        /* Fold each sum: high byte plus low byte. */
        low = (run >> 8) + (uint8_t)run;
        high = (high >> 8) + (uint8_t)high;
    }

    /* Final fold of the first sum, combined with the second sum shifted up. */
    return ((low >> 8) + (uint8_t)low) | ((high << 8) + (high & 0xff00));
}
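/**
 * Check one candidate key: decode code[] with it and compare the checksum
 * of the result with the expected value 0xfb5e.
 *
 * @param key  candidate key.
 * @return     1 when the checksum matches, 0 otherwise.
 *
 * Terminates the process with EXIT_FAILURE if step1() returns NULL, because
 * silently skipping a candidate could hide the key being searched for.
 */
int test(uint32_t key)
{
    uint8_t *code2 = step1(key);
    if (code2 == NULL) {
        fprintf(stderr, "step1: out of memory\n");
        exit(EXIT_FAILURE);
    }

    int match = (step2(code2) == 0xfb5e);

    /*
     * This runs once per candidate; without the free() every call leaks a
     * codelen-byte buffer and a long sweep exhausts memory.
     */
    free(code2);
    return match;
}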
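/**
 * Try every key in [start, finish) and stop at the first match.
 *
 * Prints the matching key and exits the calling process with status 0 as
 * soon as test() accepts one; returns normally when no key in the range
 * matches.
 *
 * @param start   first candidate (inclusive).
 * @param finish  end of the range (exclusive); may be as large as 2^32.
 */
void func(uint64_t start, uint64_t finish)
{
    /*
     * The counter is 64-bit like the bounds. With an int counter, a start
     * above INT_MAX becomes negative, compares as a huge unsigned value and
     * skips the whole range; a range that crosses INT_MAX overflows (UB).
     */
    for (uint64_t key = start; key < finish; key++) {
        if (test((uint32_t)key)) {
            printf("Found valid key: %llu\n", (unsigned long long)key);
            exit(0);
        }
    }
}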
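/**
 * Split the 32-bit key space into nb_cpu equal ranges and search each range
 * in its own child process.
 *
 * Each child announces its pid and range, runs func() over the range, and
 * exits. The parent waits for every child it started.
 *
 * @return 0 on success, 1 if a fork() failed.
 */
int main(int argc, char** argv)
{
    (void)argc;
    (void)argv;

    const uint32_t nb_cpu = 8;
    const uint64_t range = (UINT64_C(1) << 32) / nb_cpu;
    int rc = 0;

    for (uint32_t i = 0; i < nb_cpu; i++) {
        const uint64_t start = i * range;
        const uint64_t finish = start + range;

        const pid_t pid = fork();
        if (pid < 0) {
            /* Without this check a failed fork silently drops a range. */
            perror("fork");
            rc = 1;
            break;
        }
        if (pid == 0) {
            /* Casts keep the format specifiers correct on every ABI. */
            printf("Starting new process %d with range(%#llx, %#llx)\n",
                   (int)getpid(),
                   (unsigned long long)start,
                   (unsigned long long)finish);
            func(start, finish);
            return 0;
        }
    }

    /* Reap the workers so the parent does not return while they still run. */
    while (wait(NULL) > 0) {
    }
    return rc;
}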