@bruce30262
Created September 25, 2019 12:29
flareon 6 level 12 files
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import string
import itertools
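#k = "th1sisth33nd111"
k = "th!sisth33nd!!!"


def case_variants(key, underscore_at=(4, 7, 11)):
    """Yield every upper/lower-case spelling of the letters in *key*.

    Each ASCII letter in *key* is independently left alone or case-flipped
    (one bit per letter, enumerated in order with itertools.product), so a
    key with 9 letters yields 2**9 = 512 candidates.  Non-letters pass
    through unchanged.  After flipping, an underscore is inserted at each
    index in *underscore_at*, applied in order (later indices therefore
    already account for the earlier insertions).

    Args:
        key: the candidate key whose letters are permuted.
        underscore_at: list-insert indices for the separators, in order.

    Yields:
        One candidate string per case combination.
    """
    # One bit per letter instead of the hard-coded repeat=9, so the same
    # routine works for the alternative key above (or any other key).
    n_letters = sum(c in string.ascii_letters for c in key)
    for bits in itertools.product("01", repeat=n_letters):
        flips = iter(bits)
        chars = []
        for c in key:
            # swapcase() on an ASCII letter is the classic chr(ord(c) ^ 0x20).
            if c in string.ascii_letters and next(flips) == "1":
                c = c.swapcase()
            chars.append(c)
        for idx in underscore_at:
            chars.insert(idx, "_")
        yield "".join(chars)


# string.ascii_letters and print(...) with a single argument work on both
# Python 2 and 3, unlike the original string.letters / print statement.
for candidate in case_variants(k):
    print(candidate)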
function log(e) {
    // Echo e to the debugger console as-is (no newline appended).
    var diag = host.diagnostics;
    diag.debugLog(e);
}
function logln(e) {
    // Echo e to the debugger console followed by a line break.
    var line = e + "\n";
    host.diagnostics.debugLog(line);
}
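function enhex(s) {
    // Hex-encode the UTF-8 bytes of string s (lowercase, no separators).
    // unescape(encodeURIComponent(...)) turns a JS (UTF-16) string into a
    // "binary string" holding one UTF-8 byte per character.
    var bytes = unescape(encodeURIComponent(s));
    var h = '';
    for (var i = 0; i < bytes.length; i++) {
        // Zero-pad to two digits: a byte below 0x10 would otherwise emit a
        // single digit and shift every following byte boundary in the output.
        h += ('0' + bytes.charCodeAt(i).toString(16)).slice(-2);
    }
    return h;
}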
function hex(n) {
    // Format n as a lowercase "0x..." string; works for any value that
    // exposes toString(radix), including the debugger's Int64 objects.
    var digits = n.toString(16);
    return "0x".concat(digits);
}
function readmem(addr, len) {
    // Read len values starting at addr; element size is left at the API default.
    var mem = host.memory;
    return mem.readMemoryValues(addr, len);
}
function exec(cmd) {
    // Run a debugger command line (e.g. "eb ...") and hand back its output object.
    var control = host.namespace.Debugger.Utility.Control;
    return control.ExecuteCommand(cmd);
}
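function rc4(key, str) {
    // RC4 keystream XOR over str.  key and str are indexed as arrays of byte
    // values (what readmem() hands back in dr4); the result is a string whose
    // char codes are the output bytes, which writeDataToMemory() consumes.
    if (!key || key.length === 0) {
        // key[i % 0] is a NaN index and silently yields garbage; fail loudly.
        throw new Error("rc4: key must not be empty");
    }
    var s = [], i, j = 0, x, res = '';
    // Key-scheduling algorithm (KSA)
    for (i = 0; i < 256; i++) {
        s[i] = i;
    }
    for (i = 0; i < 256; i++) {
        j = (j + s[i] + key[i % key.length]) % 256;
        x = s[i]; s[i] = s[j]; s[j] = x;
    }
    // Pseudo-random generation (PRGA), XORed straight into the output
    i = 0;
    j = 0;
    for (var y = 0; y < str.length; y++) {
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        x = s[i]; s[i] = s[j]; s[j] = x;
        res += String.fromCharCode(str[y] ^ s[(s[i] + s[j]) % 256]);
    }
    return res;
}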
function read_u64(addr) {
    // Read a single 8-byte value at addr.
    var values = host.memory.readMemoryValues(addr, 1, 8);
    return values[0];
}
function read_u32(addr) {
    // Read a single 4-byte value at addr.
    var values = host.memory.readMemoryValues(addr, 1, 4);
    return values[0];
}
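function writeDataToMemory(addr, data, sz) {
    // Write the first sz char codes of data, one byte each, to addr through
    // the debugger's "eb" command (one command per byte).
    // addr comes from read_u64() and is advanced with .add(), the same Int64
    // arithmetic dr4/scan_field use, instead of JS "+", which relies on
    // coercing the 64-bit value to a Number.
    if (data.length < sz) {
        // Otherwise charCodeAt() returns NaN and we would issue "eb ... 0xNaN".
        throw new Error("writeDataToMemory: data shorter than sz");
    }
    var b, cmd;
    for (var i = 0; i < sz; i++) {
        b = data.charCodeAt(i);
        cmd = "eb " + hex(addr.add(i)) + " " + hex(b);
        exec(cmd);
    }
}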
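function dr4(key_buf, key_len) {
    // decrypt dll with RC4
    // !dr4 ("<key_buf_address>", "0x2c")
    // e.g. !dr4("0xfffffa8004059fd0", "0x2c")
    //
    // What this reads, as the code below uses it:
    //   key_buf + 0   : 8-byte pointer to the encrypted buffer (str_buf)
    //   key_buf + 16  : 4-byte length of that buffer (str_len)
    //   key_buf       : key_len key bytes, read from key_buf itself
    // The buffer is decrypted in place via writeDataToMemory.
    var keyAddr = host.parseInt64(key_buf, 16);
    var keyLen = parseInt(key_len, 16);
    var strAddr = read_u64(keyAddr);
    var strLen = read_u32(keyAddr.add(16));
    logln("key_buf: " + hex(keyAddr));
    logln("key_len: " + hex(keyLen));
    logln("str_buf: " + hex(strAddr));
    logln("str_len: " + hex(strLen));
    var key = readmem(keyAddr, keyLen);
    var str = readmem(strAddr, strLen);
    var resp = rc4(key, str);
    writeDataToMemory(strAddr, resp, strLen);
    logln("Done");
}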
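function scan_field(f) {
    // scan for dllobj field 0x68/0x69
    // e.g. !scf ("0x69")
    //
    // Follows the linked list from the fixed head below.  Each link read is
    // 8 bytes past the object start (hence the subtract), field f is read as
    // a u32 from the object and the first object whose low byte is non-zero
    // is printed.
    var off = parseInt(f, 16);
    // Parse the address from a string: a JS numeric literal is a double and
    // cannot hold this 64-bit value exactly - it rounds to 0xfffffa80040a1000,
    // which is what the earlier .add(0x1e8) workaround was compensating for.
    var start = host.parseInt64("0xFFFFFA80040A11E8", 16);
    var head = start;
    while (true) {
        var node = read_u64(head).subtract(8);
        var field = read_u32(node.add(off));
        if ((field & 0xff) != 0) {
            logln(hex(node));
            return;
        }
        head = read_u64(head);
        // Stop when the list wraps back to the head instead of looping
        // forever when nothing matches.
        if (hex(head) === hex(start)) {
            logln("not found");
            return;
        }
    }
}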
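function scan_id(id) {
    // scan for dllobj id
    // e.g. !sci ("0xfabadada")
    //
    // Follows the linked list from the fixed head below.  Each link read is
    // 8 bytes past the object start (hence the subtract); the u32 at the
    // object start is compared with the requested id and the first match is
    // printed.
    // Compare against the parsed number: the previous code parsed the id
    // but then compared the raw string, relying on loose == coercion.
    var wanted = parseInt(id, 16);
    // Parse the address from a string: a JS numeric literal is a double and
    // cannot hold this 64-bit value exactly - it rounds to 0xfffffa80040a1000,
    // which is what the earlier .add(0x1e8) workaround was compensating for.
    var start = host.parseInt64("0xFFFFFA80040A11E8", 16);
    var head = start;
    while (true) {
        var node = read_u64(head).subtract(8);
        var cur = read_u32(node);
        if (cur == wanted) {
            logln(hex(node));
            return;
        }
        head = read_u64(head);
        // Stop when the list wraps back to the head instead of looping
        // forever when nothing matches.
        if (hex(head) === hex(start)) {
            logln("not found");
            return;
        }
    }
}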
function invokeScript() {
    // Entry point for .scriptrun; just announces that the script is active.
    var msg = "Loaded...";
    logln(msg);
}
function initializeScript() {
    // Register the !dr4 / !scf / !sci command aliases when the script is loaded.
    var aliases = [
        [dr4, "dr4"],
        [scan_field, "scf"],
        [scan_id, "sci"]
    ];
    return aliases.map(function (pair) {
        return new host.functionAlias(pair[0], pair[1]);
    });
}