amtal

>>> import freki, z3; lift = freki.lift_instruction_at(bv,here); slv = z3.Solver(); lift.constrain(slv); lift
<module 'i8051.freki' from 'C:\Users\amtal\AppData\Roaming\Binary Ninja\plugins\i8051\freki.pyc'>
<Z3Lifter expr:1 constr:0 ssa_vars:['A']>
>>> slv
[Implies(0@0xc777,
         A#53 ==
         Concat(Extract(3, 0, A#52), Extract(7, 4, A#52)))]
>>> lift2 = freki.lift_function(current_function); lift2.constrain(slv); lift2
<Z3Lifter expr:5 constr:2 ssa_vars:['mem', 'rsp', 'rdi', 'rax']>
>>> SFR = lift2.ssa_vars['rax'][1]

amtal

""" Assembly REPL in gdb / possible sketchy binary patcher.

    Usage: 
        gdb -q ./target
            -x rappel.py    adds 'rappel' command
            [-write]        patches binary on disk, sometimes!
"""
import gdb, tempfile, keystone as ks

class Rappel(gdb.Command):

amtal

This is a common-jargon walkthrough of an interesting Diablo 2 exploit. It provides the necessary background information (network protocol and game mechanics) to gain some understanding of the primitives from which it's constructed. Since the exploit is against a black-box network service with no available code, exact details and subtleties remain a mystery. :)

Exploit effects

Diablo 2 items can have a list of properties with various effects. The most common items (normal or "white" ones) have very few possible effects; however, all items can have sockets. Rune and gem-type items can be inserted into sockets. Some sequences of runes are special - inserting them into a white item makes a runeword item with predictable special properties.

Here's an example runeword "Peace" created by inserting Shael, Thul, and Amn runes into a 3-socket Light Plate:

amtal

#!/usr/bin/tcc -run
#include <stdio.h>  // printf, perror, vsprintf
// injector
#include <stdlib.h> // setenv
#include <unistd.h> // execve
// hoooooks
#define __USE_GNU // man page says _GNU_SOURCE but is wrong lol
#include <dlfcn.h> // dlsym
#include <string.h> // strcmp
#include <curses.h>

amtal

"""1-byte opcode list grouped by octet.

So, pretty much http://www.sandpile.org/x86/opc_1.htm but worse!

Requires: capstone, colorama (windows), click
"""
import capstone
import click
    
engine = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)

amtal

"""Finding fixpoints...
> Vm0 -> Vm0w
> wd2 -> d2Qy
> QyU -> UXlV
[x] base64 = Vm0wd2QyU
> Vm0 -> Vm0w
> wd2 -> d2Qy
> QyU -> UXlV
[x] base64url = Vm0wd2QyU
> JJFEM -> JJFEMRKN

amtal

--       S      D    O
fp_1 :: (src -> i -> o) --   interpreter
     -> src             -- + source code
     -- partial application magic happens here
     -> (i -> o)        -- = executable

--        Static            Dyn    Output
fp_2 :: ((src -> i -> o) -> src -> (i -> o))  --   fp_1
     -> (src -> i -> o)                       -- + interpreter
     -- partial application magic happens here

amtal

"""Poke interesting instructions from Python.

Uses the nifty trick in https://github.com/AmihaiN/pyAsm to run snippets then
inspect registers. (Use at own risk, nasm.exe source not verified, etc.)
"""
from pyAsm import pyAsm, A_32BIT
        
def regs(reg, sep='\n', txt=''):
    txt = txt.strip()
    acc = []

amtal

"""Looking for collisions in Mooltipass "TRNG" output.

The "TRNG" outputs 32 bit blocks whitened with Jenkins one at a time hash,
keeping no state between samples. Running ent or diehard on the output stream
produces a predictable "pass" result, since these tests do not take the 32 bit
block structure into account.

Excessive collisions found by the following test would disprove the null
hypothesis that each 32 bit sample from the "TRNG" is uniformly distributed.

amtal

#!/usr/bin/env python3
"""Usage: vimcrypt.py [FILE]...

Guesses first 64 bytes of vim-encrypted files. Method implemented is sufficient
for plain English (preferably with lots of spaces), but any knowledge of
underlying plaintext would do.

Example:

$ ./vimcrypt.py 1.txt 2.txt 3.txt 4.txt