Paweł Łukasik pawlos

## api_hashes.txt
# C:\Windows\System32\kernel32.dll
AcquireSRWLockExclusive,0x4784e83e
AcquireSRWLockShared,0x23c00487
ActivateActCtx,0x6aa0c20c
AddAtomA,0x7f449663
AddAtomW,0x8b902332
AddConsoleAliasA,0x3be718de
AddConsoleAliasW,0xcf33ad8f
AddIntegrityLabelToBoundaryDescriptor,0x3af410d5
AddLocalAlternateComputerNameA,0x9ea1c8ac

## grab.py
#!/bin/env python3
import selenium.webdriver.firefox.service
from selenium import webdriver
import os
import psycopg2
from datetime import *
from time import sleep, time


# Set webdriver path

## index.html
<!DOCTYPE html>
	<html>
	<head>
		<title>Pwn2Win | MessageKeeper</title>
	</head>
	<body>
		<script>
			let alphabet = "0123456789abcdef";

			const sleep = (ms) => {

## solve.py


const = 0xc6a4a7935bd1e995
#simplified mangle algorith form the binary
def mangle(a, i):
  b = 1
  c = 0x1337

  temp = c ^ (b * const)

## gist:9e94a863d089c0d6687d48d0e43cb9e5
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template --host crypto.2021.chall.actf.co --port 21603
from pwn import *

# Set up pwntools for the correct architecture
exe = context.binary = ELF('./chall')

# Many built-in settings can be controlled on the command-line and show up

## fix vmwp.bat
REM open cmd.exe as admin to run this

REM Creates a patched vmwp.exe replacing these bytes:
REM  0F B6 43 64 41 89 47 64 0F B6 43 65 41 89 47 68 0F B6 43 66 41 89 47 6C 0F B6 43 67 41 89 47 70
REM  41 C7 47 64 01 00 00 00 41 C7 47 68 01 00 00 00 41 C7 47 6C 01 00 00 00 41 C7 47 70 01 00 00 00
REM Enables PMU, LBR, PEBS, IPT

cd %TEMP%
copy %windir%\system32\vmwp.exe .

## xrefs.py
#script for https://www.youtube.com/watch?v=FvH7b_qLmbU
import struct
from  ghidra.program.model.symbol import *

xrefs = currentProgram.getReferenceManager()

startAddr = currentAddress
currAddr = currentAddress

while True:

## check.py
interesting_data = [0x8b,0x84,0x9a,0x9b,0x9a,0xb1,0xd6,0xaf,0x93,0xb2,0x81,0x8c,0x84,0xab,0x9d,0x9c,0x8e,0xb9,0xb0,0xd9,0xa8,0xa4,0x9c,0x81,0x85,0xa0,0xa6,0xb4,0x87,0x9a,0xbb,0x92,0x96,0xad,0x8c,0xd7,0xb0,0x8d,0x97]
shuffle =          [0x16,0x0c,0x24,0x17,0x13,0x19,0x07,0x09,0x0e,0x23,0x05,0x01,0x18,0x21,0x0d,0x10,0x12,0x1f,0x1a,0x1e,0x22,0x00,0x0f,0x0b,0x08,0x15,0x11,0x02,0x1d,0x1c,0x26,0x03,0x04,0x25,0x14,0x20,0x06,0x1b,0x0a]
interesting_data = interesting_data[:0x27]

m = 38
j = 0
for k in range(len(interesting_data)//2):
	i = shuffle.index(m)
	uVar1 = shuffle[i]
	uVar2 = interesting_data[i]

## solve3.py
F_T = '58c7661f00634702555f664b7756884c864edc4fef2d9c48881bac0911082214334e424f552f661d7752ce41d54deb70e9468949892db745545270fc333c44aa5525634f772d88699970983b8b18fe1eed3aba1d584c763201724431553e66295a2888269941aa20ef72a435b4359d36312b4b6f4048643d3b3b0927034ca846ee36c295da80b8d9fd3b97d37e51577113dc37cb3dd209a60246e43cfd488a42d938a953fd2a82ee7e8b4d9d582c2dc83b7101d057cee978ed008453950be22c89fdbea6548c106d33c344e4552e6ef87782880b9901fa5b95bcecc09e0c81ff75bd479033d24430558f66fe77b288b39961aabcbb9ccc42ddc5ee33112122e333d944ad55d4666277a78895998faaa6bbc5cca9dd12eeba112e22bf337844d9559066a077c288da998eaa3dbbb4cc38ddb9ee6011f2223233e3443d55f3664a77b2885699d4aa76bb2cccbfddeeeeda118122d0331b44bd552c66bf77af8845997baa32bb92cc7addadeebb11312211339944a855a6669577ec887699b6aab8bb8bccc0dd36ee03116f221833a344b655f366e17750882a9946aa82bbabccbdddb8eeb21152229233ed44de555766af7701888499d4aabbbb85ccb6dd37eebf11d1225833d244bf55ad66e8772e88ca99d3aaf6bb72cc49dd7ceedd1124229733bd443455fd661677b088a699f3aa87bb31ccdaddf2ee06115e221d3

## solve2.py
F_L = "9655B040B64667238524D15D6201.B95D4E01C55CC562C7557405A532D768C55FA12DD074DC697A06E172992CAF3F8A5C7306B7476B38.C555AC40A7469C234424.853FA85C470699477D3851249A4B9C4E.A855AF40B84695239D24895D2101D05CCA62BE5578055232D568C05F902DDC74D2697406D7724C2CA83FCF5C2606B547A73898246B4BC14E941F9121D464D263B947EB77D36E7F1B8254.853FA85C470699477D3851249A4B9C4E.9A55B240B84692239624.CC55A940B44690238B24CA5D7501CF5C9C62B15561056032C468D15F9C2DE374DD696206B572752C8C3FB25C3806.A8558540924668236724B15D2101AA5CC362C2556A055232AE68B15F7C2DC17489695D06DB729A2C723F8E5C65069747AA389324AE4BB34E921F9421.CB55A240B5469B23.AC559340A94695238D24CD5D75018A5CB062BA557905A932D768D15F982D.D074B6696F06D5729E2CAE3FCF5C7506AD47AC388024C14B7C4E8F1F8F21CB64"

onzo = F_L.split(".")

#rigmarole(onzo(7))

def rigmarole(es):
	furphy = ""
	c = 0
	s = ""
	# C:\Windows\System32\kernel32.dll
	AcquireSRWLockExclusive,0x4784e83e
	AcquireSRWLockShared,0x23c00487
	ActivateActCtx,0x6aa0c20c
	AddAtomA,0x7f449663
	AddAtomW,0x8b902332
	AddConsoleAliasA,0x3be718de
	AddConsoleAliasW,0xcf33ad8f
	AddIntegrityLabelToBoundaryDescriptor,0x3af410d5
	AddLocalAlternateComputerNameA,0x9ea1c8ac
	#!/bin/env python3
	import selenium.webdriver.firefox.service
	from selenium import webdriver
	import os
	import psycopg2
	from datetime import *
	from time import sleep, time


	# Set webdriver path
	<!DOCTYPE html>
	<html>
	<head>
	<title>Pwn2Win \| MessageKeeper</title>
	</head>
	<body>
	<script>
	let alphabet = "0123456789abcdef";

	const sleep = (ms) => {


	const = 0xc6a4a7935bd1e995
	#simplified mangle algorith form the binary
	def mangle(a, i):
	b = 1
	c = 0x1337

	temp = c ^ (b * const)
	#!/usr/bin/env python
	# -- coding: utf-8 --
	# This exploit template was generated via:
	# $ pwn template --host crypto.2021.chall.actf.co --port 21603
	from pwn import *

	# Set up pwntools for the correct architecture
	exe = context.binary = ELF('./chall')

	# Many built-in settings can be controlled on the command-line and show up
	REM open cmd.exe as admin to run this

	REM Creates a patched vmwp.exe replacing these bytes:
	REM 0F B6 43 64 41 89 47 64 0F B6 43 65 41 89 47 68 0F B6 43 66 41 89 47 6C 0F B6 43 67 41 89 47 70
	REM 41 C7 47 64 01 00 00 00 41 C7 47 68 01 00 00 00 41 C7 47 6C 01 00 00 00 41 C7 47 70 01 00 00 00
	REM Enables PMU, LBR, PEBS, IPT

	cd %TEMP%
	copy %windir%\system32\vmwp.exe .
	#script for https://www.youtube.com/watch?v=FvH7b_qLmbU
	import struct
	from ghidra.program.model.symbol import *

	xrefs = currentProgram.getReferenceManager()

	startAddr = currentAddress
	currAddr = currentAddress

	while True:
	interesting_data = [0x8b,0x84,0x9a,0x9b,0x9a,0xb1,0xd6,0xaf,0x93,0xb2,0x81,0x8c,0x84,0xab,0x9d,0x9c,0x8e,0xb9,0xb0,0xd9,0xa8,0xa4,0x9c,0x81,0x85,0xa0,0xa6,0xb4,0x87,0x9a,0xbb,0x92,0x96,0xad,0x8c,0xd7,0xb0,0x8d,0x97]
	shuffle = [0x16,0x0c,0x24,0x17,0x13,0x19,0x07,0x09,0x0e,0x23,0x05,0x01,0x18,0x21,0x0d,0x10,0x12,0x1f,0x1a,0x1e,0x22,0x00,0x0f,0x0b,0x08,0x15,0x11,0x02,0x1d,0x1c,0x26,0x03,0x04,0x25,0x14,0x20,0x06,0x1b,0x0a]
	interesting_data = interesting_data[:0x27]

	m = 38
	j = 0
	for k in range(len(interesting_data)//2):
	i = shuffle.index(m)
	uVar1 = shuffle[i]
	uVar2 = interesting_data[i]
	F_L = "9655B040B64667238524D15D6201.B95D4E01C55CC562C7557405A532D768C55FA12DD074DC697A06E172992CAF3F8A5C7306B7476B38.C555AC40A7469C234424.853FA85C470699477D3851249A4B9C4E.A855AF40B84695239D24895D2101D05CCA62BE5578055232D568C05F902DDC74D2697406D7724C2CA83FCF5C2606B547A73898246B4BC14E941F9121D464D263B947EB77D36E7F1B8254.853FA85C470699477D3851249A4B9C4E.9A55B240B84692239624.CC55A940B44690238B24CA5D7501CF5C9C62B15561056032C468D15F9C2DE374DD696206B572752C8C3FB25C3806.A8558540924668236724B15D2101AA5CC362C2556A055232AE68B15F7C2DC17489695D06DB729A2C723F8E5C65069747AA389324AE4BB34E921F9421.CB55A240B5469B23.AC559340A94695238D24CD5D75018A5CB062BA557905A932D768D15F982D.D074B6696F06D5729E2CAE3FCF5C7506AD47AC388024C14B7C4E8F1F8F21CB64"

	onzo = F_L.split(".")

	#rigmarole(onzo(7))

	def rigmarole(es):
	furphy = ""
	c = 0
	s = ""