import sys

# Hopper scripting API: the open document and the segment the cursor is in.
doc = Document.getCurrentDocument()
seg = doc.getCurrentSegment()
adr = seg.getStartingAddress()
# One past the last address belonging to the current segment.
last = adr + seg.getLength()

# Initial value of the binary's state machine.  It is matched textually
# against the disassembler's formatted operand, so it has to be spelled the
# way Hopper prints hex immediates.
state_value = "0xfe129837"
# Start of the region that holds the `cmp eax, <state>` dispatch checks.
cmp_starting_address = 0x40064d
# Companion end address; not consulted by the scan loops below.
cmp_ending_address = 0x400ef5

# Characters recovered so far, in the order the binary compares them.
FLAG = ""
# State values already walked; keys are the formatted operand strings.
visited_states = {}
# Cleared as soon as a state value repeats, which ends every scan loop.
KEEP_PROCESSING = True

print("-------------------------- vuln 300 --]")

# Core
def process_movstateval(addr):
    """Follow the state value the binary is about to store.

    ``addr`` is the formatted source operand of the ``mov`` into the state
    variable, i.e. the next state as a string.  A value not yet recorded in
    ``visited_states`` is resolved by ``process_stateval``; a repeated value
    means the state machine has cycled, so scanning is switched off and the
    characters collected so far are printed as the flag.
    """
    global KEEP_PROCESSING
    if addr in visited_states:
        # Revisited state: every `while KEEP_PROCESSING` loop now exits.
        KEEP_PROCESSING = False
        print("[>] Flag is %s" % (FLAG))
        return
    process_stateval(addr)
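def process_lettercmp(addr):
    """Walk the handler block at ``addr`` and harvest the byte it checks.

    Instructions are visited one at a time.  A ``cmp al, <imm>`` exposes
    the byte the input is compared against; it is appended to ``FLAG``.
    A ``mov`` whose destination is 0x606b18 (the state variable) ends the
    block, and its source operand — the next state — is handed to
    ``process_movstateval``.

    The scan also stops once ``KEEP_PROCESSING`` is cleared or ``addr``
    reaches the segment end ``last``; the original loop had no upper bound,
    so a block without either instruction walked past the segment.
    """
    global FLAG
    print("[+] Jumping to : %s" % (hex(addr)))
    while KEEP_PROCESSING and addr < last:
        instr = seg.getInstructionAtAddress(addr)
        mnemonic = instr.getInstructionString()
        if mnemonic == "cmp" and instr.getFormattedArgument(0) == "al":
            # Operand 1 is the immediate the input byte is compared with.
            compared_char = chr(int(instr.getFormattedArgument(1), 16))
            print("[+] Found char %s" % (compared_char))
            FLAG += compared_char
        elif mnemonic == "mov" and instr.getFormattedArgument(0) == "0x606b18":
            process_movstateval(instr.getFormattedArgument(1))
            break
        addr += instr.getInstructionLength()
    else:
        # Loop ended without a state transition; report it only when the
        # bound, not a finished run, is what stopped us.
        if KEEP_PROCESSING:
            print("[x] Reached segment end at %s without a state transition" % (hex(addr)))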
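def process_stateval(state_value):
    """Locate the dispatch check for ``state_value`` and enter its handler.

    Records ``state_value`` in ``visited_states`` and scans forward from
    ``cmp_starting_address`` for ``cmp eax, <state_value>`` (compared as
    the formatted operand string).  The ``je`` expected right after the
    match carries the address of the block handling this state, which is
    passed to ``process_lettercmp``.

    The scan stops when ``KEEP_PROCESSING`` is cleared or when
    ``cmp_ending_address`` is reached; the original loop was unbounded and
    kept walking when no matching check existed.
    """
    visited_states[state_value] = 1
    print("[+] Attempting to find state value check for %s" % (state_value))
    addr = cmp_starting_address
    while KEEP_PROCESSING and addr < cmp_ending_address:
        instr = seg.getInstructionAtAddress(addr)
        is_state_cmp = (
            instr.getInstructionString() == "cmp"
            and instr.getFormattedArgument(0) == "eax"
            and instr.getFormattedArgument(1) == state_value
        )
        if not is_state_cmp:
            addr += instr.getInstructionLength()
            continue
        print("[+] Stateval block comparing against %s found at %x" % (state_value, addr))
        # The instruction after the cmp should be the conditional jump into
        # this state's handler.
        addr += instr.getInstructionLength()
        instr = seg.getInstructionAtAddress(addr)
        if instr.getInstructionString() == "je":
            block_two = int(instr.getFormattedArgument(0), 16)
            process_lettercmp(block_two)
        else:
            print("[x] Unexpected instruction found : %s" % (instr.getInstructionString()))
        # addr is left at the instruction after the cmp, so it is examined
        # as a candidate on the next pass exactly as the original scan did.
    else:
        if KEEP_PROCESSING:
            print("[x] No state value check for %s found before %x" % (state_value, cmp_ending_address))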
# Entry point: start from the initial state; later states are reached via
# process_stateval -> process_lettercmp -> process_movstateval recursion.
process_stateval(state_value)