-
-
Save sangsoo-horangi/f8bb635498ce48109996b79c2232c494 to your computer and use it in GitHub Desktop.
[REV] HackingCamp 19TH CAN_U_LOGIN?
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <stdio.h> | |
#include <sys/types.h> | |
#include <stdlib.h> | |
#include <openssl/bio.h> | |
#include <openssl/evp.h> | |
#include <openssl/buffer.h> | |
#include <stdint.h> | |
#include <string.h> | |
#include <sys/ptrace.h> | |
// set // | |
char key[] = ""; | |
// real password = #k_k9gcPSkiqp# | |
char real_enc[] = "\x65\x7a\x4d\x70\x38\x1a\x70\x43\x18\x28\x20\x34\x63\x2d"; | |
// ID set | |
char source[] = "SENBTVAyMDE5"; // HCAMP2019 | |
// xor table | |
char table[100] = "\x47\x6e\x64\x6b\x33\x31\x30\x6b\x33\x39\x23\x61\x6b\x63\x26\x61\x6b\x63\x7b\x6b\x64\x69\x75\x67\x5f\x6b\x6e\x62\x69\x39\x31\x6c\x6b\x6e\x61\x39\x30\x31\x38\x31\x33\x6b\x52\x6e\x63\x6b\x65\x24\x35\x34\x31\x69\x61\x6b\x63\x6e\x61\x6c\x70\x69\x71\x6c\x64\x6a\x6c\x71\x69\x62\x6d\x61\x6f\x71\x70\x38\x37\x67\x31\x2c\x6d\x61\x30\x38\x61\x64"; | |
// loop table | |
char loop[15] = "\x0d\x0e\x0a\x0d\x0b\x0e\x0e\x0f\x0e\x0e\x0b\x0d\x0a\x0e"; | |
// change user passwd | |
char change_pw[15] ="\0"; | |
// struct | |
struct Filter | |
{ | |
// 0 ~ 9 | |
char num[10]; | |
char big[27]; | |
char small[27]; | |
// ! @ # $ % ^ & * ( ) | |
char specific[11]; | |
}; | |
struct Count | |
{ | |
int num; | |
int big; | |
int small; | |
int specific; | |
}; | |
struct Address { | |
void (*fp)(); // compare | |
void (*fp2)(int); // generate2 | |
int (*fp3)(char*,char*); // int id_checker(char *source, char *des) | |
}; | |
/* | |
void anti() | |
{ | |
if(ptrace(PTRACE_TRACEME,0,0,0) == -1) | |
{ | |
puts("DEBUG"); | |
exit(0); | |
} | |
} | |
*/ | |
void *set_buf() | |
{ | |
setvbuf(stdout,NULL,_IONBF,0); | |
setvbuf(stdin, NULL,_IONBF,0); | |
return 0; | |
} | |
int id_checker(char *source, char *des) | |
{ | |
for(int i=0; i<sizeof(source)/sizeof(source[0]);i++) | |
{ | |
if(source[i] != des[i]) | |
return 1; | |
} | |
return 0; | |
} | |
int filter(struct Filter f, unsigned char* buffer, size_t length, struct Count c) | |
{ | |
int hap= 0; | |
// round 1 number | |
for(int i=0; i< 10; i++) | |
{ | |
if(buffer[i] == f.num[i]) | |
{ | |
c.num = 1; | |
hap += c.num; | |
break; | |
} | |
else | |
continue; | |
} | |
// round 2 upper | |
for(int i=0; i< 26; i++) | |
{ | |
if(buffer[i] == f.big[i]) | |
{ | |
c.big = 1; | |
hap += c.big; | |
break; | |
} | |
else | |
continue; | |
} | |
// round 3 small | |
for(int i=0; i< 26; i++) | |
{ | |
if(buffer[i] == f.small[i]) | |
{ | |
c.small = 1; | |
hap += c.small; | |
break; | |
} | |
else | |
continue; | |
} | |
// round 4 specific | |
for(int i=0; i< 10; i++) | |
{ | |
if(buffer[i] == f.specific[i]) | |
{ | |
c.specific = 1; | |
hap += c.specific; | |
break; | |
} | |
else | |
continue; | |
} | |
if(hap != 4) | |
{ | |
return -1; | |
} | |
return 1; | |
} | |
struct Filter Set_sandbox() | |
{ | |
struct Filter f; | |
int32_t n= 0x30; | |
unsigned char B_alpha = 'A'; | |
unsigned char S_alpha = 'a'; | |
for(int32_t i=0; i<10;i++) | |
{ | |
f.num[i] = (char)n; | |
n++; | |
} | |
for(int32_t i=0; i<26; i++) | |
{ | |
f.big[i] = B_alpha; | |
B_alpha++; | |
} | |
for(int32_t i=0; i<26; i++) | |
{ | |
f.small[i] = S_alpha; | |
S_alpha++; | |
} | |
// filter : ! @ # $ % ^ & * ( ) | |
f.specific[0] = '!'; | |
f.specific[1] = '@'; | |
f.specific[2] = '#'; | |
f.specific[3] = '$'; | |
f.specific[4] = '%'; | |
f.specific[5] = '^'; | |
f.specific[6] = '&'; | |
f.specific[7] = '*'; | |
f.specific[8] = '('; | |
f.specific[9] = ')'; | |
return f; | |
} | |
int Base64Encode(unsigned char* buffer, size_t length, char** b64text) { //Encodes a binary safe base 64 string | |
BIO *bio, *b64; | |
BUF_MEM *bufferPtr; | |
b64 = BIO_new(BIO_f_base64()); | |
bio = BIO_new(BIO_s_mem()); | |
bio = BIO_push(b64, bio); | |
BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL); //Ignore newlines - write everything in one line | |
BIO_write(bio, buffer, length); | |
BIO_flush(bio); | |
BIO_get_mem_ptr(bio, &bufferPtr); | |
BIO_set_close(bio, BIO_NOCLOSE); | |
BIO_free_all(bio); | |
*b64text=(*bufferPtr).data; | |
return (0); //success | |
} | |
/* | |
// xor setting | |
change_pw[0] = table[2] ^ buffer[0]; // 1 | |
change_pw[1] = table[4] ^ buffer[1]; // 2 | |
change_pw[2] = table[6] ^ buffer[2]; // 3 | |
change_pw[3] = table[9] ^ buffer[3]; // 4 | |
change_pw[4] = table[10] ^ buffer[4]; // 5 | |
change_pw[5] = table[(84/3)-4] ^ buffer[5]; // 6 | |
change_pw[6] = table[(84>>3)*5] ^ buffer[6]; // 7 | |
change_pw[7] = table[50] ^ buffer[7]; // 8 | |
change_pw[8] = table[51] ^ buffer[8]; // 9 | |
change_pw[9] = table[52] ^ buffer[9]; // 10 | |
change_pw[10] = table[53] ^ buffer[10]; // 11 | |
change_pw[11] = table[75] ^ buffer[11]; // 12 | |
change_pw[12] = table[76] ^ buffer[12]; // 13 | |
change_pw[13] = table[77] ^ buffer[13]; //14 | |
*/ | |
int generatePassword(unsigned char* buffer) | |
{ | |
int hap=0; | |
static int j =0; | |
change_pw[0] = table[2] ^ buffer[0]; // 1 | |
change_pw[11] = table[75] ^ buffer[11]; // 12 | |
change_pw[3] = table[9] ^ buffer[3]; // 4 | |
change_pw[10] = table[53] ^ buffer[10]; // 11 | |
change_pw[9] = table[52] ^ buffer[9]; // 10 | |
change_pw[5] = table[(84/3)-4] ^ buffer[5]; // 6 | |
change_pw[13] = table[77] ^ buffer[13]; //14 | |
change_pw[6] = table[(84>>3)*5] ^ buffer[6]; // 7 | |
change_pw[1] = table[4] ^ buffer[1]; // 2 | |
change_pw[7] = table[50] ^ buffer[7]; // 8 | |
change_pw[4] = table[10] ^ buffer[4]; // 5 | |
change_pw[8] = table[51] ^ buffer[8]; // 9 | |
change_pw[2] = table[6] ^ buffer[2]; // 3 | |
change_pw[12] = table[76] ^ buffer[12]; // 13 | |
for(int i=5; i<85; i++) | |
{ | |
if(i%5==0 && i<75) | |
{ | |
hap += table[i] * loop[j]; | |
j++; | |
} | |
else | |
continue; | |
} | |
// first encrypt success | |
return hap; | |
} | |
void generatePassword2(int xor_value) | |
{ | |
for(int i=0; i<14; i++) | |
{ | |
change_pw[i] ^= xor_value; | |
//printf("%02x",change_pw[i]); | |
} | |
} | |
void compare() | |
{ | |
if(strcmp(change_pw,real_enc)==0) | |
{ | |
puts("go go go go go go "); | |
system("./connection"); | |
} | |
else{ | |
puts("wrong"); | |
exit(0); | |
} | |
} | |
/* | |
void fake_entry() | |
{ | |
int i=0; | |
while(i<30) | |
{ | |
puts("Welcome Hacker~"); | |
i++; | |
} | |
} | |
*/ | |
int main(int argc, char *argv[]) | |
{ | |
struct Filter sandboxset; | |
struct Count c; | |
struct Address addr; | |
char* base64EncodeOutput; | |
int hap = 0; | |
unsigned char id[20] = "\0"; | |
unsigned char pw[20] = "\0"; | |
// fake_entry(); | |
if(!set_buf()) | |
{ | |
printf("id >> "); | |
scanf("%20s",id); | |
Base64Encode(id, 9, &base64EncodeOutput); | |
//puts(base64EncodeOutput); | |
addr.fp3 = id_checker; | |
if(!addr.fp3(source,base64EncodeOutput)) | |
{ | |
printf("pw >> "); | |
scanf("%20s",pw); | |
sandboxset = Set_sandbox(); | |
if(filter(sandboxset,pw,14,c)) | |
{ | |
// pass | |
hap = generatePassword(pw); | |
hap &= 0xff; | |
addr.fp2 = generatePassword2; | |
addr.fp2(hap); | |
addr.fp = compare; | |
addr.fp(); | |
} | |
else | |
puts("Wrong"); | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment