Olivier Arteau HoLyVieR

## gist:1616679
/**
 * This will let you export SAV file from a ROM.
 * NOTE : Just change the "filename" variable to name of the ROM.
 */

// Getting the data //
var filename = "ROM_NAME";
var rawData = JSON.parse(localStorage["SRAM_" + filename]) // Data is stored JSON format in localStorage //
				.map(function (a) { return String.fromCharCode(a); }) // We convert each value in the array to the char value //
				.join(""); // We make it into a big string which is the data of the save file //

## gist:3913293
1. Télécharger la version portable du JRE7 de Java. (Lien : http://portableapps.com/apps/utilities/java_portable)

2. Extraire les fichiers dans le dossier de votre choix.

3. Dans Eclipse, aller dans Window -> Preferences -> Java -> Installed JREs -> Add

3.1 Utiliser Standard VM
3.2 Comme JRE Home, il faut mettre le chemin qui contient les dossier "lib" et "bin". (C'est le dossier "\CommonFiles\Java\" dans ce qui a été extrait).
3.3 Comme JRE Name, on peut mettre ce qu'on veut.
3.4 Cliquer "Finish" et cocher la case de votre JRE que vous venez d'ajouter.

## gist:8920691
import md5
import struct, string
import httplib, urllib
import time
import thread

def Encode(input, len):
    k = len >> 2
    res = apply(struct.pack, ("%iI" % k,) + tuple(input[:k]))
    return string.join(res, "")

## gist:7a4e234907484062c751

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                HoLyVieR
                / gist:7a4e234907484062c751
            
            
              Created
              December 31, 2014 17:41
            
              
                Writeup SSO
              
          
    The encryption used was done character by character and we could decrypt any token of our choice with the "info.php" page. With this in mind, we could bruteforce each character individually until we get the character of our choice once decrypted. This would then let us craft a token with the value of our choice. Here's an example of a decrypted token that worked :
{"User":"admin","Admin":1}

Code
import httplib

target = '{"User":"admin","Admin":1}'

conn = httplib.HTTPConnection('188.40.18.87:5144')

  
## PKCS7Encoder
class PKCS7Encoder():
    """
    Technique for padding a string as defined in RFC 2315, section 10.3,
    note #2
    """
    class InvalidBlockSizeError(Exception):
        """Raised for invalid block sizes"""
        pass

    def __init__(self, block_size=16):

## 0 - Slab of Platinium (CSAW Crypto 500).py
import os, random, struct
from Crypto.Cipher import AES

def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)

## Greenbox Solution.js
var getStackframes = function x(a,b,c){function d(e,f){d=f}c=(b=Error)[a='prepareStackTrace'];b.captureStackTrace(b[a]=d,x);d.stack;b[a]=c;return d};

var res = "";
var i = 0;
var require;

// "require" is passed as an arguments to one of the function in the call stack.
getStackframes().forEach(function(frame) {
    if (frame.getFunctionName() == null && i++ == 1) {
        require = frame.fun.arguments[1];

## gist:b3a5912063b2eaea95bd
static PyObject* Py_LLVMBuilder_BuildLandingPad(Py_LLVM_Wrapped<LLVMBuilderRef>* self, PyObject* args)
{
	Py_LLVM_Wrapped<LLVMTypeRef>* arg0;
	long long arg1;
	const char* arg2;
	if (!PyArg_ParseTuple(args, "O!Ls", &Py_LLVMType_Type, &arg0, &arg1, &arg2))
	{
		return nullptr;
	}

## test.c
{int64_t} _IO_putc(int64_t rdi, int64_t rsi);
{} __fprintf_chk(int64_t rdi, int64_t rsi, int64_t rdx);
{} __gmon_start__(void);
{int64_t} __libc_start_main(int64_t rdi, int64_t rsi, int64_t rdx, int64_t rcx, int64_t r8, int64_t r9, int64_t sp0);
{} __memcpy_chk(int64_t rdi, int64_t rsi, int64_t rdx, int64_t rcx);
{} __printf_chk(int64_t rdi, int64_t rsi, int64_t rdx);
{int64_t, int64_t} __stack_chk_fail(int64_t rsi);
{int64_t} fflush(int64_t rdi);
{int64_t} fgets(int64_t rdi, int64_t rsi, int64_t rdx);
{int64_t} malloc(int64_t rdi);

## gist:753e4ebebc9c43a86ac9
.text:0000000000401380                 push    rbp
.text:0000000000401381                 xor     eax, eax
.text:0000000000401383                 mov     rbp, rsp
.text:0000000000401386                 push    rbx
.text:0000000000401387                 mov     rbx, rdx
.text:000000000040138A                 nop     word ptr [rax+rax+00h]
.text:0000000000401390
.text:0000000000401390 loc_401390:                             ; CODE XREF: Crypt+20j
.text:0000000000401390                 mov     ds:byte_6020C0[rax], al
.text:0000000000401396                 add     rax, 1
	/**
	* This will let you export SAV file from a ROM.
	* NOTE : Just change the "filename" variable to name of the ROM.
	*/

	// Getting the data //
	var filename = "ROM_NAME";
	var rawData = JSON.parse(localStorage["SRAM_" + filename]) // Data is stored JSON format in localStorage //
	.map(function (a) { return String.fromCharCode(a); }) // We convert each value in the array to the char value //
	.join(""); // We make it into a big string which is the data of the save file //
	1. Télécharger la version portable du JRE7 de Java. (Lien : http://portableapps.com/apps/utilities/java_portable)

	2. Extraire les fichiers dans le dossier de votre choix.

	3. Dans Eclipse, aller dans Window -> Preferences -> Java -> Installed JREs -> Add

	3.1 Utiliser Standard VM
	3.2 Comme JRE Home, il faut mettre le chemin qui contient les dossier "lib" et "bin". (C'est le dossier "\CommonFiles\Java\" dans ce qui a été extrait).
	3.3 Comme JRE Name, on peut mettre ce qu'on veut.
	3.4 Cliquer "Finish" et cocher la case de votre JRE que vous venez d'ajouter.
	import md5
	import struct, string
	import httplib, urllib
	import time
	import thread

	def Encode(input, len):
	k = len >> 2
	res = apply(struct.pack, ("%iI" % k,) + tuple(input[:k]))
	return string.join(res, "")
	class PKCS7Encoder():
	"""
	Technique for padding a string as defined in RFC 2315, section 10.3,
	note #2
	"""
	class InvalidBlockSizeError(Exception):
	"""Raised for invalid block sizes"""
	pass

	def __init__(self, block_size=16):
	import os, random, struct
	from Crypto.Cipher import AES

	def egcd(a, b):
	if a == 0:
	return (b, 0, 1)
	else:
	g, y, x = egcd(b % a, a)
	return (g, x - (b // a) * y, y)
	var getStackframes = function x(a,b,c){function d(e,f){d=f}c=(b=Error)[a='prepareStackTrace'];b.captureStackTrace(b[a]=d,x);d.stack;b[a]=c;return d};

	var res = "";
	var i = 0;
	var require;

	// "require" is passed as an arguments to one of the function in the call stack.
	getStackframes().forEach(function(frame) {
	if (frame.getFunctionName() == null && i++ == 1) {
	require = frame.fun.arguments[1];
	static PyObject* Py_LLVMBuilder_BuildLandingPad(Py_LLVM_Wrapped<LLVMBuilderRef>* self, PyObject* args)
	{
	Py_LLVM_Wrapped<LLVMTypeRef>* arg0;
	long long arg1;
	const char* arg2;
	if (!PyArg_ParseTuple(args, "O!Ls", &Py_LLVMType_Type, &arg0, &arg1, &arg2))
	{
	return nullptr;
	}
	{int64_t} _IO_putc(int64_t rdi, int64_t rsi);
	{} __fprintf_chk(int64_t rdi, int64_t rsi, int64_t rdx);
	{} __gmon_start__(void);
	{int64_t} __libc_start_main(int64_t rdi, int64_t rsi, int64_t rdx, int64_t rcx, int64_t r8, int64_t r9, int64_t sp0);
	{} __memcpy_chk(int64_t rdi, int64_t rsi, int64_t rdx, int64_t rcx);
	{} __printf_chk(int64_t rdi, int64_t rsi, int64_t rdx);
	{int64_t, int64_t} __stack_chk_fail(int64_t rsi);
	{int64_t} fflush(int64_t rdi);
	{int64_t} fgets(int64_t rdi, int64_t rsi, int64_t rdx);
	{int64_t} malloc(int64_t rdi);
	.text:0000000000401380 push rbp
	.text:0000000000401381 xor eax, eax
	.text:0000000000401383 mov rbp, rsp
	.text:0000000000401386 push rbx
	.text:0000000000401387 mov rbx, rdx
	.text:000000000040138A nop word ptr [rax+rax+00h]
	.text:0000000000401390
	.text:0000000000401390 loc_401390: ; CODE XREF: Crypt+20j
	.text:0000000000401390 mov ds:byte_6020C0[rax], al
	.text:0000000000401396 add rax, 1