Olivier Arteau HoLyVieR

The encryption used was done character by character and we could decrypt any token of our choice with the "info.php" page. With this in mind, we could bruteforce each character individually until we get the character of our choice once decrypted. This would then let us craft a token with the value of our choice. Here's an example of a decrypted token that worked :

{"User":"admin","Admin":1}

Code

import httplib

target = '{"User":"admin","Admin":1}'

conn = httplib.HTTPConnection('188.40.18.87:5144')

	/**
	* This will let you export SAV file from a ROM.
	* NOTE : Just change the "filename" variable to name of the ROM.
	*/

	// Getting the data //
	var filename = "ROM_NAME";
	var rawData = JSON.parse(localStorage["SRAM_" + filename]) // Data is stored JSON format in localStorage //
	.map(function (a) { return String.fromCharCode(a); }) // We convert each value in the array to the char value //
	.join(""); // We make it into a big string which is the data of the save file //

	1. Télécharger la version portable du JRE7 de Java. (Lien : http://portableapps.com/apps/utilities/java_portable)

	2. Extraire les fichiers dans le dossier de votre choix.

	3. Dans Eclipse, aller dans Window -> Preferences -> Java -> Installed JREs -> Add

	3.1 Utiliser Standard VM
	3.2 Comme JRE Home, il faut mettre le chemin qui contient les dossier "lib" et "bin". (C'est le dossier "\CommonFiles\Java\" dans ce qui a été extrait).
	3.3 Comme JRE Name, on peut mettre ce qu'on veut.
	3.4 Cliquer "Finish" et cocher la case de votre JRE que vous venez d'ajouter.

	import md5
	import struct, string
	import httplib, urllib
	import time
	import thread

	def Encode(input, len):
	k = len >> 2
	res = apply(struct.pack, ("%iI" % k,) + tuple(input[:k]))
	return string.join(res, "")

	class PKCS7Encoder():
	"""
	Technique for padding a string as defined in RFC 2315, section 10.3,
	note #2
	"""
	class InvalidBlockSizeError(Exception):
	"""Raised for invalid block sizes"""
	pass

	def __init__(self, block_size=16):

	import os, random, struct
	from Crypto.Cipher import AES

	def egcd(a, b):
	if a == 0:
	return (b, 0, 1)
	else:
	g, y, x = egcd(b % a, a)
	return (g, x - (b // a) * y, y)

	var getStackframes = function x(a,b,c){function d(e,f){d=f}c=(b=Error)[a='prepareStackTrace'];b.captureStackTrace(b[a]=d,x);d.stack;b[a]=c;return d};

	var res = "";
	var i = 0;
	var require;

	// "require" is passed as an arguments to one of the function in the call stack.
	getStackframes().forEach(function(frame) {
	if (frame.getFunctionName() == null && i++ == 1) {
	require = frame.fun.arguments[1];

	static PyObject* Py_LLVMBuilder_BuildLandingPad(Py_LLVM_Wrapped<LLVMBuilderRef>* self, PyObject* args)
	{
	Py_LLVM_Wrapped<LLVMTypeRef>* arg0;
	long long arg1;
	const char* arg2;
	if (!PyArg_ParseTuple(args, "O!Ls", &Py_LLVMType_Type, &arg0, &arg1, &arg2))
	{
	return nullptr;
	}

	{int64_t} _IO_putc(int64_t rdi, int64_t rsi);
	{} __fprintf_chk(int64_t rdi, int64_t rsi, int64_t rdx);
	{} __gmon_start__(void);
	{int64_t} __libc_start_main(int64_t rdi, int64_t rsi, int64_t rdx, int64_t rcx, int64_t r8, int64_t r9, int64_t sp0);
	{} __memcpy_chk(int64_t rdi, int64_t rsi, int64_t rdx, int64_t rcx);
	{} __printf_chk(int64_t rdi, int64_t rsi, int64_t rdx);
	{int64_t, int64_t} __stack_chk_fail(int64_t rsi);
	{int64_t} fflush(int64_t rdi);
	{int64_t} fgets(int64_t rdi, int64_t rsi, int64_t rdx);
	{int64_t} malloc(int64_t rdi);

	.text:0000000000401380 push rbp
	.text:0000000000401381 xor eax, eax
	.text:0000000000401383 mov rbp, rsp
	.text:0000000000401386 push rbx
	.text:0000000000401387 mov rbx, rdx
	.text:000000000040138A nop word ptr [rax+rax+00h]
	.text:0000000000401390
	.text:0000000000401390 loc_401390: ; CODE XREF: Crypt+20j
	.text:0000000000401390 mov ds:byte_6020C0[rax], al
	.text:0000000000401396 add rax, 1