#include <assert.h>
#include <errno.h>
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#include <capstone/capstone.h>
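/*
 * Logging helpers. Both write to stderr behind a fixed tag: `pr_info` is
 * compiled out unless INFO is defined, `pr_good_shit` is always active.
 *
 * `__VA_ARGS__` is handed to fprintf as the format string, so the first
 * argument must always be a string literal — never a buffer filled at
 * runtime (`pr_info(buf)` would be a format-string bug).
 */
#ifdef INFO
#define pr_info(...)                          \
    do {                                      \
        fputs("[+]", stderr);                 \
        fprintf(stderr, __VA_ARGS__);         \
    } while (0)
#else
/* Disabled build: still expands to one statement (safe as the body of an
 * unbraced `if`/`for`), and the arguments are not evaluated. */
#define pr_info(...) do { } while (0)
#endif

#define pr_good_shit(...)                     \
    do {                                      \
        fputs("[!]", stderr);                 \
        fprintf(stderr, __VA_ARGS__);         \
    } while (0)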
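/* Layout constants of the sample this tool was written against. */
enum {
    PASSWORD_LEN = 0x40,     /* size of the recovered password buffer */
    DISASM_WINDOW = 0x100,   /* bytes handed to capstone per pass */
    BASE_ADDR = 0x1000,      /* address capstone reports for the first byte of a window */
    LEA_DISP = 0x34,         /* displacement of the marker `lea rsi, qword ptr [rip + 0x34]` */
    LEA_LEN = 7,             /* encoded length of that lea; rip points just past it */
    REGION_HDR = 8           /* dword count + dword key in front of each encrypted region */
};

/*
 * Parse the hexadecimal number that follows the first `sep` in `s`, e.g. the
 * "0x12" of "al, byte ptr [rax + 0x12]" for sep '+', or the "0x40" of
 * "al, 0x40" for sep ' '. Leading blanks and an optional 0x prefix are
 * accepted by strtoul; trailing text such as "]" is ignored.
 *
 * Returns 0 and stores the value in *out, or -1 when `sep` is absent, no
 * digits follow it, or the value does not fit in an unsigned long.
 */
static int parse_hex_after(const char *s, char sep, size_t *out)
{
    const char *p = strchr(s, sep);
    if (!p) {
        return -1;
    }
    ++p;
    errno = 0;
    char *end;
    unsigned long v = strtoul(p, &end, 16);
    if (end == p || errno == ERANGE) {
        return -1;
    }
    *out = (size_t)v;
    return 0;
}

/*
 * Decrypt, in place, the self-modifying region that starts at mem[off].
 * The layout used by the sample is: dword count, dword XOR key, then `count`
 * dwords of ciphertext (the two header words are named after the registers
 * the original tool used for them). Both header values come from the
 * sample and are untrusted, so the whole region is checked against maplen
 * before any byte is touched. memcpy is used instead of a uint32_t* cast
 * because `off` need not be 4-byte aligned.
 *
 * On success stores the mapping offset of the first plaintext dword in
 * *next and returns 0; returns -1 when the region does not fit in the file.
 */
static int decrypt_region(unsigned char *mem, size_t maplen, size_t off, size_t *next)
{
    if (off > maplen || maplen - off < REGION_HDR) {
        return -1;
    }
    uint32_t rcx, eax;
    memcpy(&rcx, mem + off, sizeof rcx);
    memcpy(&eax, mem + off + sizeof rcx, sizeof eax);
    pr_info("xor_ptr: %p\n", (void *)(mem + off));
    pr_info("rcx: 0x%" PRIx32 "\n", rcx);
    pr_info("eax: 0x%" PRIx32 "\n", eax);

    size_t data = off + REGION_HDR;
    if (rcx > (maplen - data) / sizeof(uint32_t)) {
        return -1;
    }
    for (size_t i = 0; i < rcx; i++) {
        uint32_t word;
        unsigned char *p = mem + data + i * sizeof word;
        memcpy(&word, p, sizeof word);
        word ^= eax;
        memcpy(p, &word, sizeof word);
    }
    *next = data;
    return 0;
}

/*
 * Disassemble the window that starts at mem[base]: up to DISASM_WINDOW
 * bytes, clamped to the end of the mapping, with mem[base] reported at
 * BASE_ADDR so that `insn->address - BASE_ADDR` is an offset inside the
 * window. Returns the instruction count capstone produced (0 when the
 * window is empty or nothing could be decoded); *insn is only valid when
 * the result is non-zero and must be released with cs_free().
 */
static size_t disasm_window(csh handle, const unsigned char *mem, size_t maplen,
                            size_t base, cs_insn **insn)
{
    if (base >= maplen) {
        return 0;
    }
    size_t avail = maplen - base;
    size_t len = avail < DISASM_WINDOW ? avail : DISASM_WINDOW;
    return cs_disasm(handle, mem + base, len, BASE_ADDR, 0, insn);
}

/*
 * Statically recover the password checked by rev.bin (or by argv[1]).
 *
 * The sample's code is walked with capstone in DISASM_WINDOW-byte windows:
 *   - `lea rsi, qword ptr [rip + 0x34]` marks a self-decrypting stretch whose
 *     header (dword count, dword XOR key) sits at the lea target; it is
 *     decrypted in our private mapping and scanning restarts at its first
 *     plaintext instruction;
 *   - `mov al, byte ptr [rax + N]` followed by `and al, M` and a `jne`/`je`
 *     pins bit M of password[N]: cleared for jne, set for je (presumably the
 *     jump leads to the failure path — inferred from the sample, not checked).
 *
 * Every offset and count read from the sample is treated as untrusted input
 * and bounds-checked against the mapping and the password buffer before use.
 *
 * Exit status: EXIT_SUCCESS once the password has been printed; EXIT_FAILURE
 * when the file cannot be opened or mapped, capstone fails, or the sample
 * requests an out-of-range access.
 */
int main(int argc, char *argv[])
{
    const char *path = argc > 1 ? argv[1] : "rev.bin";
    int rc = EXIT_FAILURE;
    csh handle = 0;
    cs_insn *insn = NULL;
    size_t count = 0;
    unsigned char *mem = MAP_FAILED;
    size_t maplen = 0;

    int fd = open(path, O_RDONLY);
    if (fd == -1) {
        perror(path);
        return EXIT_FAILURE;
    }

    /* Map exactly the file's size: a fixed length would fault on a shorter file. */
    struct stat st;
    if (fstat(fd, &st) == -1) {
        perror("fstat");
        goto out_close;
    }
    if (st.st_size <= 0) {
        fprintf(stderr, "%s: empty file\n", path);
        goto out_close;
    }
    maplen = (size_t)st.st_size;

    /* MAP_PRIVATE: the XOR decryption writes to our copy; the file is never modified. */
    mem = mmap(NULL, maplen, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (mem == MAP_FAILED) {
        perror("mmap");
        goto out_close;
    }

    /* Start from all-'A' so bytes the sample never constrains stay printable;
     * snprintf bounds the copy by the buffer size regardless of the seed length. */
    char password[PASSWORD_LEN];
    snprintf(password, sizeof password, "%s",
             "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");

    if (cs_open(CS_ARCH_X86, CS_MODE_64, &handle) != CS_ERR_OK) {
        fprintf(stderr, "cs_open failed\n");
        goto out_unmap;
    }

    size_t base = 0;   /* mapping offset of the window currently being scanned */
    count = disasm_window(handle, mem, maplen, base, &insn);
    if (!count) {
        fprintf(stderr, "fuck :(\n");
        goto out_cs;
    }

    size_t j = 0;
    while (j < count) {
        const char *mn = insn[j].mnemonic;
        const char *op = insn[j].op_str;
        uint64_t a = insn[j].address;
        pr_info("0x%" PRIx64 ":\t%s\t\t%s\n", a, mn, op);

        if (!strcmp(mn, "mov") && !strcmp(op, "rax, rbx")) {
            pr_info("Found move at offset %" PRIu64 "\n", a - BASE_ADDR);
        } else if (!strcmp(mn, "lea") && !strcmp(op, "rsi, qword ptr [rip + 0x34]")) {
            /* rip-relative: the target is the displacement past the end of this lea. */
            uint64_t target = a + LEA_DISP + LEA_LEN;
            pr_info("Decrypt from address: 0x%" PRIx64 "\n", target);
            size_t next;
            if (decrypt_region(mem, maplen, base + (size_t)(target - BASE_ADDR), &next) != 0) {
                fprintf(stderr, "encrypted region at 0x%" PRIx64 " does not fit in the file\n",
                        target);
                goto out_cs;
            }
            /* Rebase on the first plaintext dword and rescan from its first
             * instruction; the counter is not advanced on this path, so
             * instruction 0 of the new window is not skipped. */
            cs_free(insn, count);
            insn = NULL;
            base = next;
            count = disasm_window(handle, mem, maplen, base, &insn);
            if (!count) {
                fprintf(stderr, "fuck :(\n");
                goto out_cs;
            }
            j = 0;
            continue;
        } else if (!strcmp(mn, "mov") && strstr(op, "al, byte ptr [rax +")) {
            pr_good_shit("0x%" PRIx64 ":\t%s\t\t%s\n", a, mn, op);
            /* The mov/and/jcc triple must lie entirely inside this window. */
            if (count - j < 3) {
                fprintf(stderr,
                        "compare sequence at 0x%" PRIx64 " runs past the window; result is partial\n",
                        a);
                break;
            }
            size_t pos;
            if (parse_hex_after(op, '+', &pos) != 0 || pos >= sizeof password) {
                fprintf(stderr, "refusing out-of-range password offset in \"%s\"\n", op);
                goto out_cs;
            }
            pr_good_shit("pos: 0x%zx\n", pos);

            /* Assumed to be `and al, M`; the mnemonic itself is not verified. */
            const cs_insn *and_insn = &insn[j + 1];
            pr_good_shit("0x%" PRIx64 ":\t%s\t\t%s\n", and_insn->address,
                         and_insn->mnemonic, and_insn->op_str);
            size_t mask;
            if (parse_hex_after(and_insn->op_str, ' ', &mask) != 0) {
                fprintf(stderr, "cannot parse mask in \"%s\"\n", and_insn->op_str);
                goto out_cs;
            }
            pr_good_shit("and: 0x%zx\n", mask);

            const cs_insn *jcc = &insn[j + 2];
            pr_good_shit("0x%" PRIx64 ":\t%s\t\t%s\n", jcc->address, jcc->mnemonic, jcc->op_str);
            if (!strcmp(jcc->mnemonic, "jne")) {
                password[pos] &= (unsigned char)~mask;   /* bit must be clear */
            } else if (!strcmp(jcc->mnemonic, "je")) {
                password[pos] |= (unsigned char)mask;    /* bit must be set */
            }
        }
        ++j;
    }

    pr_info("OK\n");
    pr_good_shit("password: %s\n", password);
    rc = EXIT_SUCCESS;

out_cs:
    if (count) {
        cs_free(insn, count);
    }
    cs_close(&handle);
out_unmap:
    munmap(mem, maplen);
out_close:
    close(fd);
    return rc;
}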