REVERSE
R0ll
python3 -m pip install dumbemufrom dumbemu import DumbEmu
BINARY = 'R0ll.exe'
CRYPT_FUNC = 0x1400010E0
FLAG = {
'prefix': b'FlagY{',
'suffix': b'}',
'charset': b'0123456789abcdef'
}
FLAG_LEN = 39
KEY = b'fbec495785a8bcf346b'
KEY_LEN = len(KEY)
if __name__ == "__main__":
emu = DumbEmu(BINARY)
key = emu.malloc(KEY_LEN)
flag = emu.malloc(FLAG_LEN)
emu.write(key, KEY)
while len(FLAG['prefix']) < FLAG_LEN - 1:
for c in FLAG['charset']:
_flag = FLAG['prefix'] + bytes([c])
_flag = _flag.ljust(FLAG_LEN, b'X') + FLAG['suffix']
emu.write(flag, _flag)
args = [flag, key, 0, KEY_LEN]
result = emu.call(CRYPT_FUNC, None, *args)
if emu.regs.read('r9') > len(FLAG['prefix']):
FLAG['prefix'] += bytes([c])
print(f"[+] Current Flag : {FLAG['prefix'].decode()}")
if emu.regs.read('rax') == 1:
break
break
print(f"[+] Final Flag: {FLAG['prefix'].decode()}}}")Last updated
Was this helpful?