Barakat/year3000.py

## year3000.py
import base64
import struct

from pwn import *

def parse_x64(filename):
	with open(filename, 'rb') as fp:
		fp.seek(0x820)
		character = fp.read(1)
		fp.seek(0x819)
		size = fp.read(1)
		fp.seek(0x1010)
		rand = fp.read(8)
		return bytes(character * struct.unpack('B', size)[0]) + rand

def parse_x86(filename):
	with open(filename, 'rb') as fp:
		fp.seek(0x668)
		character = fp.read(1)
		fp.seek(0x661)
		size = fp.read(1)
		fp.seek(0x1008)
		rand = fp.read(4)
		return bytes(character * struct.unpack('B', size)[0]) + rand


def parse(filename):
	with open(filename, 'rb') as fp:
		fp.seek(4)
		if fp.read(1) == '\x01':
			return parse_x86(filename)
		return parse_x64(filename)

conn = remote('re.ctf.nullcon.net', 1234)

while True:
	r = conn.recvline().strip()
	print(r)
	if r.startswith('hackim20'):
		break
	conn.recvuntil('> ')
	conn.sendline(base64.b64encode(parse(r)))

	print(conn.recvline())

conn.close()
	import base64
	import struct

	from pwn import *

	def parse_x64(filename):
	with open(filename, 'rb') as fp:
	fp.seek(0x820)
	character = fp.read(1)
	fp.seek(0x819)
	size = fp.read(1)
	fp.seek(0x1010)
	rand = fp.read(8)
	return bytes(character * struct.unpack('B', size)[0]) + rand

	def parse_x86(filename):
	with open(filename, 'rb') as fp:
	fp.seek(0x668)
	character = fp.read(1)
	fp.seek(0x661)
	size = fp.read(1)
	fp.seek(0x1008)
	rand = fp.read(4)
	return bytes(character * struct.unpack('B', size)[0]) + rand


	def parse(filename):
	with open(filename, 'rb') as fp:
	fp.seek(4)
	if fp.read(1) == '\x01':
	return parse_x86(filename)
	return parse_x64(filename)

	conn = remote('re.ctf.nullcon.net', 1234)

	while True:
	r = conn.recvline().strip()
	print(r)
	if r.startswith('hackim20'):
	break
	conn.recvuntil('> ')
	conn.sendline(base64.b64encode(parse(r)))

	print(conn.recvline())

	conn.close()