REVERSE

R0ll

python3 -m pip install dumbemu
from dumbemu import DumbEmu

BINARY = 'R0ll.exe'

CRYPT_FUNC = 0x1400010E0

FLAG = {
    'prefix': b'FlagY{',
    'suffix': b'}',
    'charset': b'0123456789abcdef'
}

FLAG_LEN = 39

KEY = b'fbec495785a8bcf346b'
KEY_LEN = len(KEY)

if __name__ == "__main__":
    emu = DumbEmu(BINARY)
    
    key = emu.malloc(KEY_LEN)
    flag = emu.malloc(FLAG_LEN)
    
    emu.write(key, KEY)
        
    while len(FLAG['prefix']) < FLAG_LEN - 1:
        for c in FLAG['charset']:
            
            _flag = FLAG['prefix'] + bytes([c])
            _flag = _flag.ljust(FLAG_LEN, b'X') + FLAG['suffix']
            
            emu.write(flag, _flag)
            
            args = [flag, key, 0, KEY_LEN]
            result = emu.call(CRYPT_FUNC, None, *args)
            
            if emu.regs.read('r9') > len(FLAG['prefix']):
                FLAG['prefix'] += bytes([c])
                print(f"[+] Current Flag : {FLAG['prefix'].decode()}")
                if emu.regs.read('rax') == 1:
                    break
                break
    print(f"[+] Final Flag: {FLAG['prefix'].decode()}}}")

Last updated

Was this helpful?