REVERSE
R0ll
# Fetch the DumbEmu emulator library that the Python script below imports.
git clone https://github.com/Diefunction/dumbemu
from dumbemu import DumbEmu
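BINARY = 'R0ll.exe'
# Address of the routine driven under emulation; taken from the challenge binary.
CRYPT_FUNC = 0x1400010E0
FLAG = {
    'prefix': b'FlagY{',
    'suffix': b'}',
    'range': b'0123456789abcdef',
}
# Total flag length, closing brace included (recovery stops at FLAG_LEN - 1
# known bytes and the brace is appended when printing).
FLAG_LEN = 39
KEY = b'fbec495785a8bcf346b'
KEY_LEN = len(KEY)

# Guest addresses of the two scratch buffers passed to CRYPT_FUNC, and the
# size of the mapping backing each of them.
KEY_ADDR = 0x100000
FLAG_ADDR = 0x101000
PAGE = 0x1000


def _recover_flag(emu):
    """Extend the known prefix one byte at a time until FLAG_LEN - 1 bytes are known.

    For every candidate byte in FLAG['range'] the prefix plus that byte is
    padded with 'X' to FLAG_LEN, suffixed with FLAG['suffix'], written to the
    guest and handed to CRYPT_FUNC. The candidate is accepted when r9 after
    the call is larger than the current prefix length (presumably the number
    of bytes the routine processed before stopping -- confirm against the
    disassembly).

    Args:
        emu: a DumbEmu instance with KEY_ADDR and FLAG_ADDR already mapped
            and the key written to KEY_ADDR.

    Returns:
        The recovered flag body as bytes, without the closing brace.

    Raises:
        RuntimeError: if a full pass over FLAG['range'] accepts no byte; the
            unguarded loop would otherwise spin forever at that position.
    """
    prefix = FLAG['prefix']
    while len(prefix) < FLAG_LEN - 1:
        for c in FLAG['range']:
            candidate = (prefix + bytes([c])).ljust(FLAG_LEN, b'X') + FLAG['suffix']
            emu.write(FLAG_ADDR, candidate)
            emu.call(CRYPT_FUNC, None, FLAG_ADDR, KEY_ADDR, 0, KEY_LEN)
            if emu.cpu.read('r9') > len(prefix):
                prefix += bytes([c])
                print(f"[+] Current Flag : {prefix.decode()}")
                break
        else:
            # No candidate advanced the count: the oracle assumption above does
            # not hold at this position, so stop instead of looping forever.
            raise RuntimeError(
                f"no candidate accepted at position {len(prefix)}; "
                f"prefix so far: {prefix.decode()}"
            )
    return prefix


def main():
    """Map the guest buffers, load the key and run the byte-by-byte recovery."""
    emu = DumbEmu(BINARY)
    emu.mem.map(KEY_ADDR, PAGE)
    emu.mem.map(FLAG_ADDR, PAGE)
    emu.write(KEY_ADDR, KEY)
    prefix = _recover_flag(emu)
    # The doubled brace renders a literal '}' in the f-string.
    print(f"[+] Final Flag: {prefix.decode()}}}")


if __name__ == "__main__":
    main()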