@amtal
amtal / Hybrids.md
Created January 17, 2017 08:28
Walkthrough of two dupes and an item corruption exploit for Diablo 2 in layman's terms

This is a common-jargon walkthrough of an interesting Diablo 2 exploit. It provides the necessary background information (network protocol and game mechanics) to gain some understanding of the primitives from which it's constructed. Since the exploit is against a black-box network service with no available code, exact details and subtleties remain a mystery. :)

Exploit effects

Diablo 2 items can have a list of properties with various effects. The most common items (normal or "white" ones) have very few possible effects; however, all items can have sockets. Rune and gem-type items can be inserted into sockets. Some sequences of runes are special - inserting them into a white item makes a runeword item with predictable special properties.

Here's an example runeword "Peace" created by inserting Shael, Thul, and Amn runes into a 3-socket Light Plate:

Peace + Enigma hybrid

@amtal
amtal / rappel.py
Last active June 23, 2023 04:03
Rappel.py is a pretty janky assembly REPL. It works by using keystone for R, and GDB for EPL.
""" Assembly REPL in gdb / possible sketchy binary patcher.
Usage:
gdb -q ./target
-x rappel.py adds 'rappel' command
[-write] patches binary on disk, sometimes!
"""
import gdb, tempfile, keystone as ks
class Rappel(gdb.Command):
@amtal
amtal / fileop.erl
Created September 25, 2011 00:37
Monad example in Erlang.
-module(fileop).
-export([write_file/3]).
-compile({parse_transform,do}).
%% Uses an error monad to neatly compose a bunch of failing functions.
%%
%% Everything being composed returns ok|{ok,Result}|{error,Reason}. At
%% the first error, the reason term is returned. The monad factors out
%% the behaviour of piping all possible errors to the output (via a
%% try-throw or case tree) if they occur.
@amtal
amtal / Instructions.hs
Created April 5, 2012 04:55
0x10c DCPU-16 instruction set
-- | Complete abstract description of the DCPU-16 instruction set.
--
-- Based on Version 1.1 of the DCPU-16 Specification by Mojang, retrieved from 0x10c.com.
--
-- Contains a trivial "Label" extension, which isn't present in machine code
-- but is useful for dealing with assembly.
module DCPU16.Instructions where
import Data.Word hiding (Word)
import Data.ByteString
>>> import freki, z3; lift = freki.lift_instruction_at(bv,here); slv = z3.Solver(); lift.constrain(slv); lift
<module 'i8051.freki' from 'C:\Users\amtal\AppData\Roaming\Binary Ninja\plugins\i8051\freki.pyc'>
<Z3Lifter expr:1 constr:0 ssa_vars:['A']>
>>> slv
[Implies(0@0xc777,
A#53 ==
Concat(Extract(3, 0, A#52), Extract(7, 4, A#52)))]
>>> lift2 = freki.lift_function(current_function); lift2.constrain(slv); lift2
<Z3Lifter expr:5 constr:2 ssa_vars:['mem', 'rsp', 'rdi', 'rax']>
>>> SFR = lift2.ssa_vars['rax'][1]
@amtal
amtal / preload.c
Created September 29, 2016 05:37
LD_PRELOAD scripting
#!/usr/bin/tcc -run
#include <stdio.h> // printf, perror, vsprintf
// injector
#include <stdlib.h> // setenv
#include <unistd.h> // execve
// hoooooks
#define __USE_GNU // man page says _GNU_SOURCE but is wrong lol
#include <dlfcn.h> // dlsym
#include <string.h> // strcmp
#include <curses.h>
@amtal
amtal / opcodes.py
Last active June 25, 2016 06:49 — forked from anonymous/opcodes.py
"""1-byte opcode list grouped by octet.
So, pretty much http://www.sandpile.org/x86/opc_1.htm but worse!
Requires: capstone, colorama (windows), click
"""
import capstone
import click
engine = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
#!/usr/bin/env python3
"""Usage: vimcrypt.py [FILE]...
Guesses first 64 bytes of vim-encrypted files. Method implemented is sufficient
for plain English (preferably with lots of spaces), but any knowledge of
underlying plaintext would do.
Example:
$ ./vimcrypt.py 1.txt 2.txt 3.txt 4.txt
@amtal
amtal / communications_extraterrestrial_intelligence.py
Last active December 23, 2015 08:29
NSA technical journal: reverse cryptanalysis/universal communication puzzle (Figure 3 typeset, also spoilers you may not want)
# based on http://www.nsa.gov/public_info/_files/tech_journals/communications_extraterrestrial_intelligence.pdf
# two related documents I know of:
# just message, shorter alphabet, longer: http://www.nsa.gov/public_info/_files/tech_journals/extraterrestrial_intelligence.pdf
# solutions: http://www.nsa.gov/public_info/_files/tech_journals/extraterrestrial_messages.pdf
"""
(1) A. B. C. D. E. F. G. H. I. J. K. L. M. N. O. P. Q. R. S. T. U. V. W. X. Y.
Z. *. &. $. ^. #. @. A. B. C. D. E. F. G. H. I. J. K. L. M. N. O. P.
Q. R. S. T. U. V. W. X. Y. Z. *. &. $. ^. #. @.
(2) A A, B; A A A, C; A A A A, D; A A A A A, E; A A A A A A, F;
A A A A A A A, G; A A A A A A A A, H; A A A A A A A A A, I;
@amtal
amtal / b64_fixpoint.py
Last active November 15, 2015 17:47
Exploring http://xlogicx.net/?p=383 with z3py: proof of uniqueness + sub-second solutions
"""Finding fixpoints...
> Vm0 -> Vm0w
> wd2 -> d2Qy
> QyU -> UXlV
[x] base64 = Vm0wd2QyU
> Vm0 -> Vm0w
> wd2 -> d2Qy
> QyU -> UXlV
[x] base64url = Vm0wd2QyU
> JJFEM -> JJFEMRKN