SouhailHammou/ndh2017_step4.py

## ndh2017_step4.py
from idc import *
from ctypes import c_uint32

def bruteforce_word(dword1,dword2):
    for i in range(0,256) :
        for j in range(0,256) :
            k = 0
            result = c_uint32(0xffffffff)
            while k < 2 :
                if k == 0 :
                    result.value ^= c_uint32(i).value
                else :
                    result.value ^= c_uint32(j).value
                l = 7
                while l >= 0 :
                    result.value = ( result.value >> 1 ) ^ -(result.value & 1) & dword1
                    l -= 1
                k += 1
            result.value = ~result.value
            if result.value == dword2 :
                return [i,j]

def prepare() :
    RunTo(BeginEA())
    GetDebuggerEvent(WFNE_SUSP,-1)
    #Modify the necesarry registers
    RunTo(0x4007F1)
    GetDebuggerEvent(WFNE_SUSP,-1)
    SetRegValue(0x400000,"RDI")
    RunTo(0x40084F)
    GetDebuggerEvent(WFNE_SUSP,-1)
    SetRegValue(0x40089D,"RAX")

#First stage
RIP_access_list = []
prepare()
ptr_input = DbgQword(GetRegValue("RDX"))
AddBptEx(ptr_input,1,BPT_RDWR)
while GetDebuggerEvent(WFNE_CONT|WFNE_ANY, -1) == BREAKPOINT :
    RIP_access_list.append(GetRegValue("RIP"))
DelBpt(ptr_input)

#Second stage
last_access = RIP_access_list[-1]
AddBptEx(last_access,1,BPT_EXEC)
prepare()
GetDebuggerEvent(WFNE_CONT|WFNE_ANY,-1)
DelBpt(last_access)
file = open("flag.txt","wb")
while DbgByte(ptr_input) != 0 :
    dword1 = DbgDword(GetRegValue("RBP") - 0x3c)
    dword2 = DbgDword(GetRegValue("RIP") + 0x54)
    bytes = bruteforce_word(dword1,dword2)
    file.write(chr(bytes[0])+chr(bytes[1]))
    DelBpt(ptr_input)
    ptr_input += 2
    AddBptEx(ptr_input,1,BPT_RDWR)
    if GetDebuggerEvent(WFNE_CONT|WFNE_ANY,-1) != BREAKPOINT :
        break
DelBpt(ptr_input)
file.close()
print "[+] Done !"
	from idc import *
	from ctypes import c_uint32

	def bruteforce_word(dword1,dword2):
	for i in range(0,256) :
	for j in range(0,256) :
	k = 0
	result = c_uint32(0xffffffff)
	while k < 2 :
	if k == 0 :
	result.value ^= c_uint32(i).value
	else :
	result.value ^= c_uint32(j).value
	l = 7
	while l >= 0 :
	result.value = ( result.value >> 1 ) ^ -(result.value & 1) & dword1
	l -= 1
	k += 1
	result.value = ~result.value
	if result.value == dword2 :
	return [i,j]

	def prepare() :
	RunTo(BeginEA())
	GetDebuggerEvent(WFNE_SUSP,-1)
	#Modify the necesarry registers
	RunTo(0x4007F1)
	GetDebuggerEvent(WFNE_SUSP,-1)
	SetRegValue(0x400000,"RDI")
	RunTo(0x40084F)
	GetDebuggerEvent(WFNE_SUSP,-1)
	SetRegValue(0x40089D,"RAX")

	#First stage
	RIP_access_list = []
	prepare()
	ptr_input = DbgQword(GetRegValue("RDX"))
	AddBptEx(ptr_input,1,BPT_RDWR)
	while GetDebuggerEvent(WFNE_CONT\|WFNE_ANY, -1) == BREAKPOINT :
	RIP_access_list.append(GetRegValue("RIP"))
	DelBpt(ptr_input)

	#Second stage
	last_access = RIP_access_list[-1]
	AddBptEx(last_access,1,BPT_EXEC)
	prepare()
	GetDebuggerEvent(WFNE_CONT\|WFNE_ANY,-1)
	DelBpt(last_access)
	file = open("flag.txt","wb")
	while DbgByte(ptr_input) != 0 :
	dword1 = DbgDword(GetRegValue("RBP") - 0x3c)
	dword2 = DbgDword(GetRegValue("RIP") + 0x54)
	bytes = bruteforce_word(dword1,dword2)
	file.write(chr(bytes[0])+chr(bytes[1]))
	DelBpt(ptr_input)
	ptr_input += 2
	AddBptEx(ptr_input,1,BPT_RDWR)
	if GetDebuggerEvent(WFNE_CONT\|WFNE_ANY,-1) != BREAKPOINT :
	break
	DelBpt(ptr_input)
	file.close()
	print "[+] Done !"