Created
May 19, 2014 16:32
-
-
Save potetisensei/a1f9219056498dcc1e02 to your computer and use it in GitHub Desktop.
DEFCON 2014 Writeup 100lines
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| unsigned char[] randpad = "\xfc\x8a\x45\x51\x67\x8c\xa9\xc0\xb0\xfd\xf7\x6f\xb8\x50\xf1\x2f\x7a\x62\x66\xe3\xd3\xc3\x6e\xbe\x37\x39\x33\x68\x3b\xc6\x76\x1e\xae\xaa\x83\xed\x57\x1a\xf1\x29\xe6\xc1\xb9\x9e\xdd\xa2\x86\x2c\x1a\xdc\x49\x9d\x82\x01\xd5\x3a\xb5\xd3\x33\x12\x1c\xce\x94\x2b\xc3\xb0\x6c\xbc\x46\x73\x39\x5e\x7b\xc7\xb4\x9e\x56\xf0\xad\x72\x5e\x83\xc7\x05\xc5\xe9\x2e\x85\x88\x79\x94\xf7\xe7\xac\x34\xfe\x5c\xce\x2e\x13\xf1\xcc\x8e\xea\x60\x83\xbe\xdc\x4a\xbb\xe8\xdf\x65\x20\xef\x44\xad\xfa\xd6\x12\x83\xd5\xdc\x94\xad\x1f\xe1\x5f\xe8\xfa\x7e\x3f\xda\x61\xe3\xdf\xab\x5b\x4f\x2a\x6c\x24\x82\xad\x17\x89\xba\x29\xb9\x46\x34\x74\x64\xf7\x45\x22\x8d\xaf\x33\xd6\x52\xb5\xde\x10\xe4\x53\x5d\x96\xb7\xe2\x2e\xcb\xb1\x75\xbc\x74\x5a\x21\x29\x8c\x57\xb3\x16\x5e\xc7\xc8\xc2\x26\x35\x48\x2d\x3c\x60\x7b\x5d\xdd\xa8\x29\x61\x19\xd0\xef\xee\x6d\x04\xdd\x20\x51\x95\x1d\x01\xe1\xda\xda\xb4\xa5\x46\xd9\xcb\xaf\x56\xb5\x20\x05\xd0\x6b\xd2\x22\x21\x2f\x2d\xd3\x73\x97\x56\x89\xae\xac\x02\xb6\x35\xd2\x14\x87\xc6\x49\xdf\x0e\x17\x85\x64\xe5\xaf\x6e\x93\x61"; | |
| unsigned int4 randpad_len = 0x100; | |
| unsigned int4 calc(unsigned int sum, unsigned char * buf, unsigned long long i, unsigned long long j) { | |
| unsigned int4 ret = 0; | |
| ret |= buf[i/8 + j] << (i%7); | |
| ret |= buf[i/8 + j +1] >> (8 - j%7); /* rotate */ | |
| ret %= 0x100; | |
| ret <<= (24-j*8); /* store straight */ | |
| sum |= ret; | |
| return sum; | |
| } | |
| void loop(unsigned longlong8 arg1, unsigned char *arg2, unsigned char *stored) { | |
| unsigned longlong8 len = arg1 - 0x20; | |
| for (unsigned longlong8 i=0; i<len; i++) {/* var_30: i*/ | |
| unsigned int4 sum1 = 0; /* sum1: var_34 */ | |
| var_20 = 0; | |
| for (unsigned longlong8 j=0; j<4; j++) { /* var_20:j */ | |
| sum = calc(sum, arg2, i, j); | |
| } | |
| for (unsigned longlong8 j=0; j<len; j++) { /* var_28:j*/ | |
| unsigned int4 sum2 = 0; /* sum2:var_38 */ | |
| for (unsigned longlong8 k=0; k<4; k++) { /*var_18:k*/ | |
| sum2 = calc(sum2, arg2, j, k); | |
| } | |
| sum2 ^= sum1; | |
| for (unsigned longlong8 k=0; k<4; k++) { /* k:var_10 */ | |
| stored[(i*len+j)*4+k] = sum2 >> (24 - k*8); /* store reverse */ | |
| } | |
| } | |
| } | |
| } | |
| unsigned char getByte(unsigned longlong8 index, unsigned longlong8 arg2, unsigned char* arg3) { | |
| unsigned longlong8 size = (arg2 - 0x20) * (arg2 - 0x20) * 4; | |
| unsigned char *stored = malloc(size); | |
| if (stored == NULL) exit(0); | |
| loop(arg2, arg3, stored); | |
| unsigned char ret = stored[index]; | |
| if (stored) delete [] stored; | |
| return ret; | |
| } | |
| int main() { | |
| FILE *stream = NULL; | |
| s = NULL; | |
| unsigned char* var_48 = 0; | |
| var_40 = 0; | |
| unsigned longlong8 var_38 = (long8)((randpad_len + 0x1FFFFFFC) * 8); | |
| unsigned longlong8 var_30 = (var_38 * var_38 * 4) - 0x20; | |
| unsigned longlong8 size = var_38 * var_38 * 4; | |
| unsigned long4 *array = new unsigned long4[size]; /* var_48 */ | |
| unsigned long4 *var_40 = new unsigned long4[0x26]; | |
| unsigned longlong8 var_20 = var_30 * var_30 * 4; | |
| loop(var_38, randpad, array); | |
| unsigned long4 *var_18 = new unsigned long4[0x130]; | |
| int fd = open("/dev/urandom", R_ONLY); /* fd:[rbp+fd] */ | |
| puts("OTP locations:"); | |
| for (int i=0; i<0x26; i++) { /* i:var_74 */ | |
| unsigned longlong8 val; /* val:var_60:[rbp+buf] */ | |
| read(fd, &val, 8); | |
| val %= var_20; | |
| printf("0x%016llx ", val); | |
| var_18[i] = val; | |
| fflush(stdout); | |
| } | |
| for (int i=0; i<8; i++) { /* i:var_70 */ | |
| var_75 = fgetc(stdin); | |
| char g = getByte(var_18[i], var_28, var_48); | |
| g = g - (g*97/256 + (g - g*97/256)/2)/64*0x5D + 0x20; | |
| /* edx = eax = getByte(var_18[i], var_28, var_48); | |
| ecx = edx - (eax * 97)/256 | |
| eax = edx - ((eax * 97)/256 + ecx / 2) / 64 * 0x5D + 0x20*/ | |
| if (g == var_75) var_6C++; | |
| else var_6C = 0; | |
| } | |
| putchar('\n'); | |
| if (var_6C > 6) { | |
| stream = fopen("flag", "r"); | |
| if (stream != NULL) { | |
| fseek(stream, 0, 2); | |
| var_64 = ftell(stream); | |
| rewind(stream); | |
| s = malloc(var_64 + 1); | |
| memset(s, '\0', var_64+1); | |
| fread(s, 1, var_64, stream); | |
| for (int i=0; i<0x26; i++) { /* var_74: i */ | |
| var_40[i] = getByte(var_18[i], var_28, var_48) ^ s[i]; | |
| printf("0x%02x", var_40[i]); | |
| if (i < 0x25) putchar(','); | |
| fflush(stdout); | |
| } | |
| puts("\n"); | |
| } | |
| } | |
| if (var_18) delete[] var_18; | |
| if (var_48) delete[] var_48; | |
| if (var_40) delete[] var_40; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment