matthw / bpf_emu.py
Created January 8, 2024 07:18
Secure Computing (irisCTF 2024)
from z3 import *
# NOP out the ptrace() call in the binary first, then run:
# % seccomp-tools dump ./chal_patched -l 8 | grep -Pv "=======|CODE" > dis3.txt
s = Solver()
def add_cons(v):
# printable ascii
matthw / readme.md
Created October 23, 2023 13:59 — forked from Anime4000/readme.md
Linux Mail Server Postfix Dovecot Virtual User, no sql database

Linux Mail Server

In this guide, I will show you how to set up a Linux mail server quickly and easily. It is adapted from tiq's tech-blog and updated for recent versions; the Linux distro I am using is Ubuntu 20.04 LTS.

Certificate

Make sure you have a certificate and key file ready to use.

You can reuse your existing web server's TLS (SSL) certificate, since we are going to use the same domain, example.com.

If you plan to use mx.example.com or mail.example.com, you need to create another certificate that covers those hostnames.

matthw / sideways.py
Created September 4, 2023 14:17
sideways - downunder CTF 2023
from capstone import *
from unicorn import *
from unicorn.x86_const import *
import string
# opcodes for hash from 0x001089be to 0x01094cf
# ain't no time to rewrite big ass hash alg and hope for it to be correct :)
code = b'\x89\xc8\xf6\xe2\x84\xc0\x74\xba\x48\x89\xb4\x24\xd0\x00\x00\x00\x89\xcd\xc1\xe5\x08\x44\x8d\x04\x29\x41\x89\xd2\x41\xc1\xe2\x10\x45\x09\xd0\x41\x89\xd1\x41\xc1\xe1\x18\x89\xce\xc1\xe6\x10\x45\x8d\x24\x31\x45\x8d\x1c\x2c\x41\x89\xcf\x41\xc1\xe7\x18\x44\x09\xfe\x44\x8d\x2c\x2e\x45\x09\xd7\x45\x8d\x34\x2f\x89\xd7\xc1\xe7\x08\x09\xfe\x45\x09\xca\x44\x09\xd5\x41\x09\xfa\x41\x09\xff\x44\x09\xe7\x43\x8d\x1c\x01\x81\xc3\x5b\x39\xae\x4d\x48\x89\x9c\x24\xd8\x01\x00\x00\x43\x8d\x9c\x01\xf3\xa9\x5a\x86\x48\x89\x9c\x24\xd0\x01\x00\x00\x43\x8d\x9c\x01\x5e\x26\x54\x36\x89\x9c\x24\xa4\x00\x00\x00\x43\x8d\x9c\x01\xdc\x63\xe7\x52\x48\x89\x9c\x24\xc8\x01\x00\x00\x41\x8d\x1c\x13\x48\x89\x9c\x24\xc0\x01\x00\x00\x42\x8d\x9c\x1a\x1b\xf5\xca\x22\x48\x89\x9c\x24\xb8\x01\x00\x00\x42\x8d\x9c\x1a\x5f\xb9\xd2\x17
matthw / barbhack_illusion.py
Created September 4, 2023 09:59
Solver for BarbHack 2023 illusion.exe challenge
from capstone import *
from unicorn import *
from unicorn.x86_const import *
from Crypto.Cipher import ARC4
from pwn import p32
import hashlib
import sys
DEBUG = True
matthw / asc2023quals.md
Last active August 26, 2023 21:58
ASC Wargames 2023 Quals

Amber

The file is packed; drop it into unpac.me to get the unpacked PE. The PE performs some anti-debug checks and then RC4-decrypts the flag. If an anti-debug check trips, the key will be incorrect.

Patch the unpacked PE with the bytes EB FE (a jump-to-self) right after the RC4 routine so that it spins in an infinite loop:

x = bytearray(open("daa6f5823995e8ffe4fd9de4f86358ec6e0b112c38c78c36f1ae0054277e43c8", "rb").read())
x[0x162b] = 0xeb
matthw / astral.py
Created July 28, 2023 15:00
solver for astral (ICMTC 2023)
from capstone import *
from unicorn import *
from unicorn.x86_const import *
from z3 import *
def get_code():
with open("Astral.exe", "rb") as fp:
fp.seek(0x122a)
matthw / nightmare.py
Created July 26, 2023 13:10
solver for nightmare (ICMTC 2023)
import sys
# NOTE(review): hard-coded, machine-specific location of the Triton Python
# bindings; adjust it to the local install (or install Triton into the active
# environment) before running, so the import below resolves to the intended package.
sys.path.append("/data/opt/triton/lib/python3.11/site-packages/")
from triton import *
BASE_ARGV = 0x20000000
BASE_STACK = 0x9ffffff0
FLAG_LEN = 0x30
matthw / bf.md
Created June 11, 2023 19:11
n00bz CTF - bf
>->>>>>,[----------[++++++++++>>>>>,>]<]>---<+[-<+]->>>>>[<+++++++++++++++++++++
+++++++++++[>>[-]+>[-]<<-<->[>-]>[-<<[-]>>>]<<<]>+++++++++++++++++++++++++++++++
++++++++++++++++>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++<[>->+<[>]>[<+>-]<<[<]>-]>[-]>[-<<+>>]>>>]+[-<+]-
>>>>>-------------------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>----------
-----------------------------------------------------[[-]--+[-<+]-<[-]+>++[-->++
]]>>>>>---------------------------------------------------------------[[-]--+[-<
+]-<[-]+>++[-->++]]>>>>>-------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>---
----------------------------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>------
matthw / nanofix.py
Last active July 31, 2023 11:25
unpacker for nanobits (pwnme 2023)
#!/usr/bin/env python3
# unpacker for nanobits (PWNME 2023)
import io
import struct
import sys
import zlib
import enum
import os
from z3 import *
from pwn import *
from miasm.analysis.machine import Machine
from miasm.core.locationdb import LocationDB
from miasm.analysis.binary import Container
from miasm.jitter.csts import *
from miasm.expression.expression import *
from miasm.ir.symbexec import SymbolicExecutionEngine
from miasm.ir.translators.z3_ir import TranslatorZ3
from miasm.arch.x86.lifter_model_call import LifterModelCall_x86_64