celophi/flareon5-ch6

## flareon5-ch6
Flare-On 2018 challenge #6 - Magic
==================================

It's not much, but this is how I brute forced the problem.
Starting at 0x00402F0C (with .text starting at 0x00400AD0), I patched code with the following bytes.

0:  c6 45 bb 00             mov    BYTE PTR [rbp-0x45],0x0  // The third function has a static variable used in the CRC table that needs to be reset.
4:  48 8b 07                mov    rax,QWORD PTR [rdi]      // Move our key into a register so we can work with it.
7:  3c 7e                   cmp    al,0x7e                  // Anything above 127 in ASCII is not going to be part of the key, so need to rollover bits.
9:  0f 85 0f 00 00 00       jne    0x1e                     // If not 127, just increment normally.
f:  b0 ff                   mov    al,0xff                  // If 127, set it to 255, so that when we increment it rolls over to the next character in the key.
11: 48 ff c0                inc    rax                      // Increment
14: b0 20                   mov    al,0x20                  // Reset to 32 - in ASCII this is the space character.
16: 48 89 07                mov    QWORD PTR [rdi],rax      // Put our next key back so we can attempt again
19: e9 65 ff ff ff          jmp    0xffffffffffffff83       // Jump 0x83 back - this is where we re-run the previous algorithm.
1e: 48 ff c0                inc    rax                      // Increment for the rollover.
21: 48 89 07                mov    QWORD PTR [rdi],rax      // Store key again -- I was tired and couldn't think how to combine this with #16
24: e9 5a ff ff ff          jmp    0xffffffffffffff83       // Jump back to re-run the previous algorithm -- probably could be optimized better.

Here is some python code to run. Note that `sendline` is 69 space characters:

> import pexpect
> from pexpect import *
> child = pexpect.spawn('./magic_mushroom')
> child.logfile = open('log.txt', 'w')
> for i in range(0, 666):
>   child.expect("Enter key: ")
>   child.sendline("                                                                     ")
>   child.before
	Flare-On 2018 challenge #6 - Magic
	==================================

	It's not much, but this is how I brute forced the problem.
	Starting at 0x00402F0C (with .text starting at 0x00400AD0), I patched code with the following bytes.

	0: c6 45 bb 00 mov BYTE PTR [rbp-0x45],0x0 // The third function has a static variable used in the CRC table that needs to be reset.
	4: 48 8b 07 mov rax,QWORD PTR [rdi] // Move our key into a register so we can work with it.
	7: 3c 7e cmp al,0x7e // Anything above 127 in ASCII is not going to be part of the key, so need to rollover bits.
	9: 0f 85 0f 00 00 00 jne 0x1e // If not 127, just increment normally.
	f: b0 ff mov al,0xff // If 127, set it to 255, so that when we increment it rolls over to the next character in the key.
	11: 48 ff c0 inc rax // Increment
	14: b0 20 mov al,0x20 // Reset to 32 - in ASCII this is the space character.
	16: 48 89 07 mov QWORD PTR [rdi],rax // Put our next key back so we can attempt again
	19: e9 65 ff ff ff jmp 0xffffffffffffff83 // Jump 0x83 back - this is where we re-run the previous algorithm.
	1e: 48 ff c0 inc rax // Increment for the rollover.
	21: 48 89 07 mov QWORD PTR [rdi],rax // Store key again -- I was tired and couldn't think how to combine this with #16
	24: e9 5a ff ff ff jmp 0xffffffffffffff83 // Jump back to re-run the previous algorithm -- probably could be optimized better.

	Here is some python code to run. Note that `sendline` is 69 space characters:

	> import pexpect
	> from pexpect import *
	> child = pexpect.spawn('./magic_mushroom')
	> child.logfile = open('log.txt', 'w')
	> for i in range(0, 666):
	> child.expect("Enter key: ")
	> child.sendline(" ")
	> child.before