#!/usr/bin/python
import copy
import glob
import os
import sys

import pwn
# Brute-force approach: rather than reversing the check routine, mutate the
# candidate one byte at a time and use the target's exit status as the oracle.
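# Silence pwntools' per-process chatter: bf_try spawns one target process per
# candidate byte, so anything above 'error' floods the console.
pwn.context.log_level = 'error'

# ``testrand`` holds the output bf_try waits for (via recvuntil) before it
# sends a candidate.  ``d`` is the raw file content; ``d_r`` is the
# trailing-whitespace-stripped form that is actually matched on.
with open("testrand", "r") as f:
    d = f.read()
d_r = d.rstrip()

# Starting 8-byte candidate, and the bytes pinned so far.  A slot holds 0
# until bf_harness locks it, after which it holds the one-character string
# that was found for that position.
orig_str = "AAAAAAAA"
lock = [0, 0, 0, 0, 0, 0, 0, 0]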
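def bf_try(change_posn, change_char):
    """Run the target once with a single byte mutated and return its exit status.

    The candidate starts from ``orig_str``, gets ``change_char`` written at
    index ``change_posn``, and then has every byte already pinned in ``lock``
    re-applied on top (a locked slot therefore wins over the mutation).  The
    bytes are sent to ``bender_patched`` under ``qemu-mips`` once the text in
    ``d_r`` has been received from it.

    Args:
        change_posn: index 0..7 of the byte to mutate.
        change_char: one-character string to place at that index.

    Returns:
        The status reported by pwntools' ``poll`` after the process closed,
        or 139 if the exchange itself raised (EOF on the pipe, for instance);
        bf_harness treats 139 as a crash and retries.
    """
    # Build the 8-byte probe.  ``encode``/``ord`` keep this valid on both
    # Python 2 (where str is already bytes) and 3 without changing what is
    # sent; ``copy.copy`` on the immutable source string was a no-op.
    data_to_send = bytearray(orig_str.encode("ascii"))
    data_to_send[change_posn] = ord(change_char)
    for lc in range(8):
        if lock[lc] != 0:
            data_to_send[lc] = ord(lock[lc])

    p = pwn.process(["./qemu-mips", "bender_patched"])
    try:
        p.recvuntil(d_r)
        p.sendline(data_to_send)
        p.wait_for_close()
        ret = p.poll(block=True)
    except Exception:
        # Was a bare ``except:``, which also swallowed KeyboardInterrupt and
        # made the brute force impossible to stop with Ctrl-C.  Any failure
        # in the exchange is reported as a crash so the caller retries.
        ret = 139
    finally:
        # Release the child's pipes on every path; the original never closed
        # the handle explicitly when the exchange raised.
        p.close()
    # NOTE(review): subprocess-style return codes report a signal death as a
    # negative number (-11 for SIGSEGV), whereas 139 is the shell's 128+11
    # convention.  Confirm which one qemu-mips actually yields here, since
    # bf_harness only recognises 139 as a crash.
    return ret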
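# Candidate alphabet: lowercase, uppercase, digits -- 62 distinct symbols.
# The original literal ended "...wxyx" (a repeated 'x' in place of 'z'), so
# lowercase 'z' was never tried and any input containing it could not be
# recovered by the harness.
chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"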
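def _remove_core_files():
    """Delete any ``*.core`` dumps left in the working directory after a crash.

    Replaces ``os.system("rm *.core")``: no shell is spawned, a missing
    match is silently a no-op instead of an ``rm`` error on stderr, and a
    file that cannot be removed is skipped (best effort, as before).
    """
    for core in glob.glob("*.core"):
        try:
            os.remove(core)
        except OSError:
            pass


def bf_harness(current_check):
    """Pin one more byte of the input by single-byte mutation against ``current_check``.

    Every position not yet locked is scanned in order (independently of
    ``current_check``), and each candidate in ``chars`` is tried through
    :func:`bf_try`.  The first mutation whose exit status differs from
    ``current_check`` -- presumably because the target got past its current
    check -- is written into ``lock`` and the function returns, so one call
    pins at most one slot.  A status of 139 is treated as a crash: the
    ``*.core`` files are swept and the same candidate is retried up to two
    times; a third consecutive crash abandons the whole call.

    Args:
        current_check: the exit status the target currently produces for the
            partially-correct input; any other status counts as progress.

    Side effects:
        Mutates the module-level ``lock`` list, removes ``*.core`` files from
        the current directory after a crash, and prints progress to stdout.
    """
    for posn in range(8):
        if lock[posn] != 0:
            print(" [<] attempting check %d, char %d locked, continuing" % (current_check, posn))
            continue
        for cand in chars:
            if posn == 7:
                # Verbose trace kept for the last position only.
                print("lock 7 (status %s) attempting mutation %d:%c" % (lock, posn, cand))
            ret = bf_try(posn, cand)
            crashcount = 0
            while ret == 139:
                crashcount += 1
                if crashcount > 2:
                    print(" [!] too many crashes i = %d (return = %d), breaking" % (posn, ret))
                    break
                print(" [!] crashed while iterating i = %d (return = %d), retrying" % (posn, ret))
                _remove_core_files()
                ret = bf_try(posn, cand)
            if ret == 139:
                # Still crashing after the retries: give up on this pass.
                print(" [!] noping out")
                return
            if ret != current_check:
                print(" [>] locking %d at %c" % (posn, cand))
                lock[posn] = cand
                return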
if __name__ == "__main__":
    # One harness pass per byte of the 8-byte input; each pass pins at most
    # one more slot of ``lock``.  Each byte is announced by bf_harness as it
    # is locked; the assembled value is never printed as a whole.
    for check in range(8):
        bf_harness(check)