Created
November 11, 2016 02:50
-
-
Save levisre/1fe6e7955245dc5a792b7044fbc23b07 to your computer and use it in GitHub Desktop.
Flare-on 2016 Level 4 Solver
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Flare-on 2016 Challenge 4 Solver | |
| By Levis Nickaster. | |
| Note: Put the dll file in the same folder before run the compiled exe | |
| */ | |
| #include <windows.h> | |
| #include <stdio.h> | |
| #define DLL_NAME "flareon2016challenge.dll" | |
| typedef int (*func)(void); | |
| typedef int (*f50)(int,int); | |
| typedef struct | |
| { | |
| int dwFreq; | |
| int dwDuration; | |
| } input; | |
| //DLL Export Address Table RVA | |
| const int EAT[51] = { 0x00002570,0x00002C90,0x000020F0,0x00002C30,0x000022D0,0x00002330, | |
| 0x00001F10,0x000021B0,0x00002450,0x00001E50,0x00001D90,0x00002990, | |
| 0x000028D0,0x00002B70,0x000023F0,0x00002210,0x00001DF0,0x00002BD0, | |
| 0x00002090,0x00002270,0x00002930,0x00002030,0x00002150,0x00002E10, | |
| 0x00002510,0x00002690,0x00002B10,0x00002DB0,0x000027B0,0x00002CF0, | |
| 0x00002D50,0x00001EB0,0x00002A50,0x00002810,0x00001D30,0x00002630, | |
| 0x00002AB0,0x00001FD0,0x00002870,0x00001C70,0x000025D0,0x000024B0, | |
| 0x000026F0,0x000029F0,0x00002750,0x00001F70,0x00001CD0,0x00002390, | |
| 0x00002EE0,0x00002F50,0x00002E70}; | |
| //dwDuration and dwPreq | |
| const int music[36] ={ 0x000001F4, 0x000001B8, 0x000001F4, 0x000001B8, 0x000001F4, | |
| 0x000001B8, 0x0000015E, 0x0000015D, 0x00000096, 0x0000020B, | |
| 0x000001F4, 0x000001B8, 0x0000015E, 0x0000015D, 0x00000096, | |
| 0x0000020B, 0x000003E8, 0x000001B8, 0x000001F4, 0x00000293, | |
| 0x000001F4, 0x00000293, 0x000001F4, 0x00000293, 0x0000015E, | |
| 0x000002BA, 0x00000096, 0x0000020B, 0x000001F4, 0x0000019F, | |
| 0x0000015E, 0x0000015D, 0x00000096, 0x0000020B, 0x000003E8, | |
| 0x000001B8}; | |
| input musicData[18]; | |
| HMODULE hFlare; | |
| //Call function in EAT using Function Pointer | |
| int callFunc(int index) | |
| { | |
| int VA = (int)hFlare + EAT[index-1]; | |
| func f; | |
| f = (func)VA; | |
| int addr = (*f)(); | |
| return addr; | |
| } | |
| //Create Music Table | |
| void initMusicStruct() | |
| { | |
| int pos; | |
| for(int i=0;i<36;i+=2) | |
| { | |
| pos = i/2; | |
| musicData[pos].dwDuration=music[i]; | |
| musicData[pos].dwFreq = music[i+1]; | |
| } | |
| } | |
| int main() | |
| { | |
| hFlare = LoadLibraryA(DLL_NAME); | |
| if(hFlare) | |
| { | |
| int addr = callFunc(30); | |
| do | |
| { | |
| addr = callFunc(addr); | |
| if(addr==51) break; | |
| } | |
| while(true); | |
| callFunc(51); | |
| initMusicStruct(); | |
| f50 printflag = (f50)((int)hFlare+EAT[49]); | |
| for(int i = 0;i<18;i++) | |
| { | |
| printflag(musicData[i].dwFreq,musicData[i].dwDuration); | |
| } | |
| return 0; | |
| } | |
| else | |
| { | |
| printf("DLL not found!"); | |
| return -1; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment