defcon-2014-quals-100lines-bruteforce
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <vector>
using namespace std;
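// Decompiler (Hopper-style) type aliases used throughout the listing.
typedef uint8_t CHAR;
typedef uint16_t WORD;
typedef uint32_t DWORD;
// NOTE: unlike the Windows typedef, BYTE is *signed* here, so LOBYTE() yields
// -128..127 and sign-extends when widened to int/DWORD/ull. Every use in this
// file re-masks the result with `& 0xff` before relying on it; keep doing so.
typedef int8_t BYTE;
typedef int16_t SHORT;
typedef int32_t LONG;
typedef LONG INT;
typedef INT BOOL;
typedef unsigned long long ull;
// Arithmetic (sign-propagating) right shift of x by y.
// The original body was not wrapped in parentheses, so an expression such as
// `2 * SAR(a, b)` parsed as `(2 * (a >= 0)) ? ... : ...`; fully parenthesised now.
// When x has an unsigned type the `>= 0` test is always true and this degrades
// to a plain logical shift (which is what calc() relies on).
#define SAR(x,y) (((x) >= 0) ? ((x) >> (y)) : (~((~(x)) >> (y))))
// Low byte as a *signed* BYTE (see note above).
#define LOBYTE(w) ((BYTE)(((w)) & 0xff))
#define LOWORD(_dw) ((WORD)(((_dw)) & 0xffff))
#define HIWORD(_dw) ((WORD)((((_dw)) >> 16) & 0xffff))
#define LODWORD(_qw) ((DWORD)(_qw))
#define HIDWORD(_qw) ((DWORD)(((_qw) >> 32) & 0xffffffff))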
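// One byte of the big-endian 32-bit word that begins at bit offset `rdx` of `rsi`.
//
//   rdi  accumulator; only its low 32 bits are kept (LODWORD in the original)
//   rsi  bit-packed source buffer, read MSB-first (CHAR* == uint8_t* in this file)
//   rdx  bit offset of the word
//   rcx  which byte of the word (0..3) to extract and OR into the accumulator
//
// Returns rdi's low 32 bits OR'd with the extracted byte placed at bits
// 31-8*rcx .. 24-8*rcx, i.e. byte 0 is the most significant. Calling it with
// rcx = 0..3 builds the whole word. rcx > 3 produces a negative shift amount,
// which is undefined — exactly as in the decompiled original.
//
// Reads rsi[(rdx >> 3) + rcx] and, when the offset is not byte-aligned, also
// the following byte; the caller must keep those indices inside the buffer.
unsigned long long calc(unsigned long long rdi, uint8_t* rsi, unsigned long long rdx, unsigned long long rcx) {
    const unsigned long long pos = (rdx >> 3) + rcx;
    const unsigned shift = static_cast<unsigned>(rdx & 0x7);
    // High bits of rsi[pos] move up; the vacated low bits come from rsi[pos + 1].
    unsigned byte = static_cast<unsigned>(rsi[pos]) << shift;
    if (shift != 0) {
        // The original read rsi[pos + 1] unconditionally and shifted it out by 8
        // when aligned; skipping the read keeps the last word of a buffer in bounds.
        byte |= static_cast<unsigned>(rsi[pos + 1]) >> (8 - shift);
    }
    byte &= 0xff;
    const unsigned place = 0x18 - 8 * static_cast<unsigned>(rcx);
    return static_cast<uint32_t>(rdi) | (static_cast<uint32_t>(byte) << place);
}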
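// Fill the n*n table of 4-byte cells that new_loop()/get_byte() can also compute
// one byte at a time, with n = rdi - 0x20.
//
//   rdi  length in bytes of the source buffer rsi; only (rdi - 0x20) word
//        positions are used so that every byte calc() reads stays inside rsi
//   rsi  bit-packed source buffer (main() passes its 256-byte pad)
//   rdx  output table; cell (row a, column b) is the 4 bytes at (b + n*a)*4
//
// Cell (a, b) holds word(b) XOR word(a) stored big-endian, where word(i) is the
// 32-bit value starting at bit i of rsi (see calc()). rdx must hold at least
// 4*n*n bytes. Returns 0 — the original returned its loop counter captured
// before the loop ran, which was always 0. For rdi < 0x20 the original wrapped
// n to ~2^64 and ran off both buffers; that case now returns 0 without
// touching rdx.
unsigned long long loop(unsigned long long rdi, uint8_t* rsi, uint8_t* rdx) {
    if (rdi < 0x20) return 0;
    const unsigned long long n = rdi - 0x20;
    // Every word depends only on its own bit offset, so extract each once. The
    // original re-ran the four calc() calls for word(b) inside the row loop,
    // i.e. 4*n*n extractions instead of 4*n.
    std::vector<uint32_t> words(static_cast<size_t>(n));
    for (unsigned long long i = 0; i < n; ++i) {
        uint32_t w = 0;
        for (unsigned long long k = 0; k <= 3; ++k) {
            w = static_cast<uint32_t>(calc(w, rsi, i, k));
        }
        words[static_cast<size_t>(i)] = w;
    }
    for (unsigned long long a = 0; a < n; ++a) {
        for (unsigned long long b = 0; b < n; ++b) {
            const uint32_t v = words[static_cast<size_t>(b)] ^ words[static_cast<size_t>(a)];
            uint8_t* cell = rdx + (b + n * a) * 4;
            for (unsigned j = 0; j < 4; ++j) {
                // byte 0 is the most significant, matching calc()'s placement
                cell[j] = static_cast<uint8_t>(v >> (0x18 - 8 * j));
            }
        }
    }
    return 0;
}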
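// One byte of the table loop() would build from the same (rdi, rsi), computed
// without materialising the table.
//
//   rdi       length of rsi in bytes; n = rdi - 0x20 word positions
//   rsi       buffer the words are extracted from. Note main() passes loop()'s
//             output table here (with its own size as rdi), not the pad loop()
//             was built from, so this is a second derivation on top of it.
//   my_index  byte index into the virtual table: cell = my_index / 4,
//             row = cell / n, column = cell % n, byte = my_index % 4
//
// Returns the byte as a value in 0..255. The original returned LOBYTE(), a
// signed int8_t, which sign-extended into the 64-bit result (0x89 came back as
// 0xFFFFFFFFFFFFFF89); every caller in this file masks with `& 0xff`, so they
// see no difference. Returns 0 when rdi <= 0x20 (n would be 0 and the division
// below undefined) or when the row lies past the n*n table, where calc() would
// read beyond rsi — the original did both when handed such an index.
unsigned long long new_loop(unsigned long long rdi, uint8_t* rsi, unsigned long long my_index) {
    if (rdi <= 0x20) return 0;
    const unsigned long long n = rdi - 0x20;
    const unsigned long long cell = my_index / 4;
    const unsigned byte_in_word = static_cast<unsigned>(my_index % 4);
    const unsigned long long row = cell / n;
    const unsigned long long col = cell - n * row;
    if (row >= n) return 0;
    uint32_t row_word = 0;
    uint32_t col_word = 0;
    for (unsigned long long k = 0; k <= 3; ++k) {
        row_word = static_cast<uint32_t>(calc(row_word, rsi, row, k));
        col_word = static_cast<uint32_t>(calc(col_word, rsi, col, k));
    }
    const uint32_t v = col_word ^ row_word;
    // byte 0 of the cell is the most significant byte of the word
    return (v >> (0x18 - 8 * byte_in_word)) & 0xff;
}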
// Byte `my_index` of the virtual table new_loop() derives from `static_buffer`;
// `seed` is that buffer's length, from which new_loop() takes its row count.
// Equivalent to new_loop(seed, static_buffer, my_index) — only the parameter
// order differs, to match how main() calls it.
unsigned long long get_byte(unsigned long long my_index, unsigned long long seed, uint8_t* static_buffer) {
    uint8_t* const source = static_buffer;
    const unsigned long long source_length = seed;
    return new_loop(source_length, source, my_index);
}
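// Reads 38 byte indices from stdin and, for the first 8, prints the challenge's
// expected character value (decimal) for the table byte at that index.
int main() {
    // Fixed pad the table is derived from; loop() reads pad[(i >> 3) + 4] for
    // i < side - 0x20, so 256 bytes is enough for side = 2016.
    uint8_t rand_pad[] = {252, 138, 69, 81, 103, 140, 169, 192, 176, 253, 247, 111, 184, 80, 241, 47, 122, 98, 102, 227, 211, 195, 110, 190, 55, 57, 51, 104, 59, 198, 118, 30, 174, 170, 131, 237, 87, 26, 241, 41, 230, 193, 185, 158, 221, 162, 134, 44, 26, 220, 73, 157, 130, 1, 213, 58, 181, 211, 51, 18, 28, 206, 148, 43, 195, 176, 108, 188, 70, 115, 57, 94, 123, 199, 180, 158, 86, 240, 173, 114, 94, 131, 199, 5, 197, 233, 46, 133, 136, 121, 148, 247, 231, 172, 52, 254, 92, 206, 46, 19, 241, 204, 142, 234, 96, 131, 190, 220, 74, 187, 232, 223, 101, 32, 239, 68, 173, 250, 214, 18, 131, 213, 220, 148, 173, 31, 225, 95, 232, 250, 126, 63, 218, 97, 227, 223, 171, 91, 79, 42, 108, 36, 130, 173, 23, 137, 186, 41, 185, 70, 52, 116, 100, 247, 69, 34, 141, 175, 51, 214, 82, 181, 222, 16, 228, 83, 93, 150, 183, 226, 46, 203, 177, 117, 188, 116, 90, 33, 41, 140, 87, 179, 22, 94, 199, 200, 194, 38, 53, 72, 45, 60, 96, 123, 93, 221, 168, 41, 97, 25, 208, 239, 238, 109, 4, 221, 32, 81, 149, 29, 1, 225, 218, 218, 180, 165, 70, 217, 203, 175, 86, 181, 32, 5, 208, 107, 210, 34, 33, 47, 45, 211, 115, 151, 86, 137, 174, 172, 2, 182, 53, 210, 20, 135, 198, 73, 223, 14, 23, 133, 100, 229, 175, 110, 147, 97};
    static_assert(sizeof(rand_pad) == 256, "rand_pad must be 256 bytes");
    // 2016, spelled the way the decompiler did: 0x200000fc << 3 truncated to 32 bits.
    constexpr uint32_t side = static_cast<uint32_t>(
        static_cast<uint32_t>(static_cast<uint32_t>(0x100) + 0x1ffffffc) << 0x3);
    static_assert(side == 2016, "side is the 32-bit wraparound of 0x200000fc << 3");
    // loop() fills a table of side*side 4-byte cells. get_byte() then treats that
    // whole table as its own source, so its row count is n = table_size - 0x20 and
    // a byte index is valid only below 4*n*n. The original computed this bound
    // (var_96) but never checked it, so a negative or oversized index from stdin
    // made calc() read far past the table.
    const long long table_size = static_cast<long long>(side) * side * 4;
    const long long n = table_size - 0x20;
    const long long max_index = n * n * 4;
    std::cout << table_size << '\n';
    // A vector instead of an unchecked malloc(); the original's second
    // malloc(0x26) was never used.
    std::vector<uint8_t> table(static_cast<size_t>(table_size));
    loop(side, rand_pad, table.data());
    // 38 indices are read but, as in the original, only the first 8 are answered.
    long long indices[38];
    for (int i = 0; i < 38; ++i) {
        if (!(std::cin >> indices[i])) {
            std::cerr << "expected 38 integer indices on stdin\n";
            return 1;
        }
    }
    for (int i = 0; i < 8; ++i) {
        const long long idx = indices[i];
        if (idx < 0 || idx >= max_index) {
            std::cout << 42 << '\n';   // the original's "no answer" sentinel
            continue;
        }
        const unsigned g = static_cast<unsigned>(
            get_byte(static_cast<unsigned long long>(idx),
                     static_cast<unsigned long long>(table_size), table.data()) & 0xff);
        // The original brute-forced 0..255 against a decompiled divide-by-93
        // sequence (multiply by 0x61, shift right 8, then ((x - hi) >> 1 + hi) >> 6).
        // With this file's signed BYTE those two shifts became arithmetic, so the
        // sequence reproduces g % 93 only for g <= 185; above that it printed the
        // wrong value or fell through to 42 — presumably not what the binary did.
        // The intended map is the byte folded into printable ASCII 0x20..0x7c.
        std::cout << (g % 93 + 0x20) << '\n';
    }
    return 0;
}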