Skip to content

Instantly share code, notes, and snippets.

@bruce30262

bruce30262/dict.py Secret

Created September 25, 2019 12:29
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save bruce30262/9f5cd8274666167436ef1b4b12e7f268 to your computer and use it in GitHub Desktop.
Save bruce30262/9f5cd8274666167436ef1b4b12e7f268 to your computer and use it in GitHub Desktop.
Download ZIP
flareon 6 level 12 files
Raw
dict.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import string
import itertools
#k = "th1sisth33nd111"
k = "th!sisth33nd!!!"
for p in itertools.product("01", repeat=9):
ii_idx = 0
now = ""
for c in k:
cur = c
if c in string.letters:
if p[ii_idx] == '1':
cur = chr(ord(c)^0x20)
ii_idx += 1
now += cur
now = list(now)
now.insert(4, '_')
now.insert(7, '_')
now.insert(11, '_')
print ''.join(now)
Raw
script.js
function log(e) {
host.diagnostics.debugLog(e);
}
function logln(e) {
host.diagnostics.debugLog(e+"\n");
}
function enhex(s) {
var s = unescape(encodeURIComponent(s))
var h = ''
for (var i = 0; i < s.length; i++) {
h += s.charCodeAt(i).toString(16)
}
return h
}
function hex(n) {
return "0x"+n.toString(16);
}
function readmem(addr, len) {
return host.memory.readMemoryValues(addr, len);
}
function exec(cmd) {
return host.namespace.Debugger.Utility.Control.ExecuteCommand(cmd);
}
function rc4(key, str) {
var s = [], j = 0, x, res = '';
for (var i = 0; i < 256; i++) {
s[i] = i;
}
for (i = 0; i < 256; i++) {
j = (j + s[i] + key[i % key.length]) % 256;
x = s[i];
s[i] = s[j];
s[j] = x;
}
i = 0;
j = 0;
for (var y = 0; y < str.length; y++) {
i = (i + 1) % 256;
j = (j + s[i]) % 256;
x = s[i];
s[i] = s[j];
s[j] = x;
res += String.fromCharCode(str[y] ^ s[(s[i] + s[j]) % 256]);
}
return res;
}
function read_u64(addr) {
return host.memory.readMemoryValues(addr, 1, 8)[0];
}
function read_u32(addr) {
return host.memory.readMemoryValues(addr, 1, 4)[0];
}
function writeDataToMemory(addr, data, sz) {
for (var i = 0 ; i < sz ; i++) {
b = data.charCodeAt(i);
cmd = "eb " + hex(addr+i) + " " + hex(b);
exec(cmd);
}
}
function dr4(key_buf, key_len) {
// decrypt dll with RC4
// !dr4 ("<key_buf_address>", "0x2c")
// e.g. !dr4("0xfffffa8004059fd0", "0x2c")
key_buf = host.parseInt64(key_buf, 16);
str_buf = read_u64(key_buf);
key_len = parseInt(key_len, 16);
str_len = read_u32(key_buf.add(16));
logln("key_buf: " + hex(key_buf));
logln("key_len: " + hex(key_len));
logln("str_buf: " + hex(str_buf));
logln("str_len: " + hex(str_len));
var key = readmem(key_buf, key_len);
var str = readmem(str_buf,str_len);
var resp = rc4(key, str);
writeDataToMemory(str_buf, resp, str_len);
logln("Done");
}
function scan_field(f) {
// scan for dllobj field 0x68/0x69
// e.g. !scf ("0x69")
f = parseInt(f, 16);
head = host.Int64(0xFFFFFA80040A11E8);
head = head.add(0x1e8); //don't know why it get 0xfffffa80040a1000
while(true) {
now = read_u64(head);
now = now.subtract(8);
o = now;
now = now.add(f);
_f = read_u32(now);
if( (_f & 0xff) != 0 ) {
logln(hex(o));
break;
}
else {
head = read_u64(head);
}
}
}
function scan_id(id) {
// scan for dllobj id
// e.g. !sci ("0xfabadada")
f = parseInt(id, 16);
head = host.Int64(0xFFFFFA80040A11E8);
head = head.add(0x1e8); //don't know why it get 0xfffffa80040a1000
while(true) {
now = read_u64(head);
now = now.subtract(8);
o = now;
_id = read_u32(now);
if( _id == id ) {
logln(hex(o));
break;
}
else {
head = read_u64(head);
}
}
}
function invokeScript() {
logln("Loaded...");
}
function initializeScript() {
return [
new host.functionAlias(dr4, "dr4"),
new host.functionAlias(scan_field, "scf"),
new host.functionAlias(scan_id, "sci")
];
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment