| from ctypes import * | |
| import struct | |
| import hashlib | |
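def readProcessMemory(address, l, pid=3892):
    """Read ``l`` bytes at ``address`` out of another process's memory.

    Thin ctypes wrapper around kernel32 OpenProcess / ReadProcessMemory /
    CloseHandle, so it only works on Windows.

    Args:
        address: virtual address in the target process to start reading at.
        l: number of bytes to read.
        pid: target process id. Defaults to the value the original script
            had hard-coded; pass the real one (Task Manager, psutil, ...).

    Returns:
        The ``l`` bytes read, or ``None`` when the process could not be
        opened or the read failed. ReadProcessMemory fails the whole call if
        any part of the range is unreadable, so a partial buffer is never
        returned. On failure a message with the Win32 error code is printed,
        keeping the original print-and-return-None contract.
    """
    # PROCESS_VM_READ is all ReadProcessMemory needs (QUERY_INFORMATION is
    # harmless and lets the handle be reused for queries). The original asked
    # for PROCESS_ALL_ACCESS (0x1F0FFF), which is far broader than required
    # and gets refused on protected/higher-integrity targets where a
    # read-only handle would still be granted.
    PROCESS_VM_READ = 0x0010
    PROCESS_QUERY_INFORMATION = 0x0400

    # use_last_error=True snapshots GetLastError immediately after each call
    # so ctypes' own bookkeeping cannot clobber the code we report.
    kernel32 = WinDLL("kernel32", use_last_error=True)

    OpenProcess = kernel32.OpenProcess
    OpenProcess.argtypes = (c_ulong, c_int, c_ulong)      # DWORD, BOOL, DWORD
    OpenProcess.restype = c_void_p                         # HANDLE
    ReadProcessMemory = kernel32.ReadProcessMemory
    # Declaring pointer-sized argtypes matters on 64-bit Python: with ctypes'
    # default int conversion, ``address`` and the size are truncated to 32
    # bits, so anything above 2 GiB would silently read the wrong place.
    ReadProcessMemory.argtypes = (c_void_p, c_void_p, c_void_p, c_size_t, POINTER(c_size_t))
    ReadProcessMemory.restype = c_int                      # BOOL
    CloseHandle = kernel32.CloseHandle
    CloseHandle.argtypes = (c_void_p,)
    CloseHandle.restype = c_int

    processHandle = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, False, pid)
    if not processHandle:
        # The original passed a NULL handle straight on to ReadProcessMemory.
        print('error: OpenProcess(pid=%d) failed, Win32 error %d' % (pid, get_last_error()))
        return None

    buf = create_string_buffer(l)
    bytesRead = c_size_t(0)                                # SIZE_T, not DWORD
    try:
        res = ReadProcessMemory(processHandle, address, buf, l, byref(bytesRead))
        if not res:
            print('error: ReadProcessMemory(0x%x, %d) failed, Win32 error %d'
                  % (address, l, get_last_error()))
            return None
    finally:
        # Release the handle on every path, including an exception mid-call.
        CloseHandle(processHandle)
    return buf.raw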
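def wrong(baseAddr=0xef0000):
    """Hash the entry-point section of the PE image mapped at ``baseAddr``.

    Reads the image headers from the target process via readProcessMemory,
    finds the section that contains AddressOfEntryPoint, copies that section
    out of memory, undoes the loader's base relocations inside it (so the
    result does not depend on where ASLR placed the image) and returns the
    MD5 of the de-relocated bytes. MD5 is used here as a fingerprint the
    rest of the script XORs with a key, not for any security property.

    Only the PE32 (32-bit) layout is handled: the relocation-directory offset
    (e_lfanew + 0xa0 in the original) and the 144-byte minimum optional
    header are PE32 values, so a PE32+ image is rejected instead of being
    mis-parsed.

    Args:
        baseAddr: load address of the image in the target process. Defaults
            to the value the original script had hard-coded (0xef0000; an
            earlier run used 0x1300000).

    Returns:
        16-byte MD5 digest (bytes) of the de-relocated entry-point section.

    Raises:
        RuntimeError: if any of the three reads from the target fails.
        ValueError: if the headers are not a PE32 image, the optional header
            is too short to hold the relocation directory, no section
            contains the entry point, or a relocation block is malformed.
    """
    # The original read 10000 bytes and then parsed only the first 1024;
    # parsing the full read avoids a struct.error when the section table
    # extends past 1 KiB.
    headers = readProcessMemory(baseAddr, 10000)
    if headers is None:
        raise RuntimeError('could not read PE headers at 0x%x' % baseAddr)

    # IMAGE_DOS_HEADER.e_lfanew (offset 60) locates IMAGE_NT_HEADERS.
    e_lfanew, = struct.unpack_from('=I', headers, 60)
    print(hex(e_lfanew))

    # IMAGE_NT_HEADERS: Signature, then IMAGE_FILE_HEADER.
    signature, _machine, numberOfSections, _, _, _, sizeOfOptionalHeader, _ = \
        struct.unpack_from('=IHHIIIHH', headers, e_lfanew)
    if signature != 0x4550:  # b'PE\0\0'
        raise ValueError('no PE signature at 0x%x' % (baseAddr + e_lfanew))

    optionalHeader = e_lfanew + 24
    magic, = struct.unpack_from('=H', headers, optionalHeader)
    if magic != 0x10b:  # 0x10b = PE32, 0x20b = PE32+
        raise ValueError('optional header magic 0x%x is not PE32; '
                         'the offsets below assume a 32-bit image' % magic)
    # The base-relocation directory entry (index 5) occupies optional-header
    # bytes 136..144, so a shorter header cannot contain it. The original
    # used a bare assert here, which ``python -O`` strips.
    if sizeOfOptionalHeader < 144:
        raise ValueError('optional header too short (%d bytes) to hold '
                         'the relocation directory' % sizeOfOptionalHeader)
    entryPoint, = struct.unpack_from('=I', headers, optionalHeader + 16)

    # IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress,
    # SizeOfRawData, PointerToRawData, PointerToRelocations,
    # PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers,
    # Characteristics. Pick the section whose VA range holds the entry point.
    sectionTable = optionalHeader + sizeOfOptionalHeader
    for index in range(numberOfSections):
        _name, virtualSize, virtualAddress, _, _, _, _, _, _, _ = \
            struct.unpack_from('=8sIIIIIIHHI', headers, sectionTable + 40 * index)
        if virtualAddress <= entryPoint < virtualAddress + virtualSize:
            break
    else:
        # The original silently fell through with the last section's values.
        raise ValueError('no section contains the entry point 0x%x' % entryPoint)

    sectionBytes = readProcessMemory(baseAddr + virtualAddress, virtualSize)
    if sectionBytes is None:
        raise RuntimeError('could not read section at RVA 0x%x' % virtualAddress)
    section = bytearray(sectionBytes)
    print(hex(len(section)))

    # Base-relocation directory: RVA and size at optional-header offset 136.
    relocRva, relocSize = struct.unpack_from('=II', headers, optionalHeader + 136)
    relocs = readProcessMemory(baseAddr + relocRva, relocSize)
    if relocs is None:
        raise RuntimeError('could not read relocation directory at RVA 0x%x' % relocRva)

    # Walk IMAGE_BASE_RELOCATION blocks: PageRVA, BlockSize, then
    # (BlockSize - 8) / 2 WORD entries of type:4 | offset:12. For every
    # IMAGE_REL_BASED_HIGHLOW (3) fix-up inside our section, subtract the
    # load address again so the dword is back to its load-independent form.
    IMAGE_REL_BASED_HIGHLOW = 3
    offset = 0
    while offset <= len(relocs) - 8:
        pageRva, blockSize = struct.unpack_from('=II', relocs, offset)
        if pageRva == 0 and blockSize == 0:
            break
        if blockSize < 8:
            # A block smaller than its own header never advances ``offset``;
            # the original looped forever on blockSize == 0 with a non-zero RVA.
            raise ValueError('malformed relocation block at offset %d (size %d)'
                             % (offset, blockSize))
        entries = relocs[offset + 8:offset + blockSize]
        for i in range(len(entries) >> 1):
            entry, = struct.unpack_from('=H', entries, 2 * i)
            if entry >> 12 != IMAGE_REL_BASED_HIGHLOW:
                continue
            target = pageRva + (entry & 0xfff) - virtualAddress
            # The fix-up is 4 bytes wide, so the bound must leave room for
            # all of it (the original only checked the first byte and raised
            # struct.error on a fix-up in the last 3 bytes of the section).
            if 0 <= target <= len(section) - 4:
                value, = struct.unpack_from('=I', section, target)
                # Wrap like the loader's 32-bit arithmetic instead of letting
                # struct raise on a value below the load address.
                struct.pack_into('=I', section, target, (value - baseAddr) & 0xffffffff)
        offset += blockSize

    return hashlib.md5(section).digest()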
# 16-byte key that is XORed over the section digest before it is printed.
xor = [212, 162, 242, 218, 101, 109, 50, 31, 125, 112, 249, 83, 55, 187, 131, 206]

digest = wrong()
# Byte-wise XOR of the 16-byte MD5 digest with the key, printed as ints.
h = [digest[i] ^ key for i, key in enumerate(xor)]
print(h)

# Left over from the original and never enabled: reading a launch code from
# stdin and dumping ``h`` as hex. Note the hex dump used an invalid format
# spec ('{0:X2}'); '{:02X}' would be the correct one.