REVERSE

R0ll

git clone https://github.com/Diefunction/dumbemu

from dumbemu import DumbEmu

BINARY = 'R0ll.exe'

CRYPT_FUNC = 0x1400010E0

FLAG = {
    'prefix': b'FlagY{',
    'suffix': b'}',
    'range': b'0123456789abcdef'
}

FLAG_LEN = 39

KEY = b'fbec495785a8bcf346b'
KEY_LEN = len(KEY)

if __name__ == "__main__":
    emu = DumbEmu(BINARY)
    
    key = 0x100000
    flag = 0x101000
    emu.mem.map(key, 0x1000)
    emu.mem.map(flag, 0x1000)
    
    emu.write(key, KEY)
        
    while len(FLAG['prefix']) < FLAG_LEN - 1:
        for c in FLAG['range']:
            
            _flag = FLAG['prefix'] + bytes([c])
            _flag = _flag.ljust(FLAG_LEN, b'X') + FLAG['suffix']
            
            emu.write(flag, _flag)
            
            result = emu.call(CRYPT_FUNC, None, flag, key, 0, KEY_LEN)
            
            if emu.cpu.read('r9') > len(FLAG['prefix']):
                FLAG['prefix'] += bytes([c])
                print(f"[+] Current Flag : {FLAG['prefix'].decode()}")
                if emu.cpu.read('rax') == 1:
                    break
                break
    print(f"[+] Final Flag: {FLAG['prefix'].decode()}}}")

PreviousCybernights 2025 NextPWN

Last updated 2 months ago

Was this helpful?