From 3991b4f482a7c14ee7bc6d69127a7b43cbd660ed Mon Sep 17 00:00:00 2001
From: maride
Date: Fri, 18 Jun 2021 13:54:16 +0200
Subject: [PATCH] Add lose address (counterpart to win address)

---
 barf.py | 3 ++-
 barf.sh | 14 ++++++++++----
 src/BreakpointManager.py | 11 ++++++++++-
 src/Bruteforce.py | 2 +-
 4 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/barf.py b/barf.py
index ee3cde7..2c43011 100644
--- a/barf.py
+++ b/barf.py
@@ -38,7 +38,7 @@ def main():
 args = getArguments()
 
 # Create our breakpoints, managed by the BreakpointManager
- bm = BreakpointManager(args["positiveAddr"], args["negativeAddr"], args["winAddr"])
+ bm = BreakpointManager(args["positiveAddr"], args["negativeAddr"], args["winAddr"], args["loseAddr"])
 
 # Manage the target with the TargetManager
 tm = TargetManager(bm, args["persistent"], args["startAddr"], args["endAddr"], args["buffAddr"])
@@ -57,6 +57,7 @@ def getArguments():
 a["positiveAddr"] = barf_positive_addr
 a["negativeAddr"] = barf_negative_addr
 a["winAddr"] = barf_win_addr
+ a["loseAddr"] = barf_lose_addr
 a["startAddr"] = barf_start_addr
 a["endAddr"] = barf_end_addr
 a["buffAddr"] = barf_buff_addr
diff --git a/barf.sh b/barf.sh
index 0c61397..a71b933 100755
--- a/barf.sh
+++ b/barf.sh
@@ -9,6 +9,7 @@
 POSITIVEADDR=""
 NEGATIVEADDR=""
 WINADDR=""
+LOSEADDR=""
 STARTADDR=""
 ENDADDR=""
 BUFFADDR=""
@@ -36,6 +37,10 @@ while [[ $# -gt 0 ]]; do
 WINADDR="$2"
 shift; shift
 ;;
+ -l|--lose-addr)
+ LOSEADDR="$2"
+ shift; shift
+ ;;
 -s|--start-addr)
 STARTADDR="$2"
 shift; shift
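Review bot: BreakpointManager is now called in main() with four positional address arguments of the same kind, so a swapped pair (say win and lose) would not be caught by anything and would only show up as misclassified hits at run time; passing them by keyword makes the call self-checking, `bm = BreakpointManager(pAddr=args["positiveAddr"], nAddr=args["negativeAddr"], wAddr=args["winAddr"], lAddr=args["loseAddr"])`. The getArguments() hunk reads `barf_lose_addr` as a bare global like its siblings, so barf.py now fails with NameError when launched by anything other than the updated barf.sh; a comment on getArguments() such as `# every barf_* name is injected by barf.sh via gdb --eval-command; none has a default` would tell the next reader where they come from. main()'s body continues outside the hunk.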
@@ -106,12 +111,13 @@ if [ "$SHOWHELP" == 1 ]; then
 echo " -p | --positive-addr 0x123456 a location to be counted as good hit"
 echo " -n | --negative-addr 0x234567 a location to be counted as bad hit"
 echo " -w | --win-addr 0x345678 a location reached if your input is correct"
+ echo " -l | --lose-addr 0x456789 a location reached if your input is incorrect"
 echo ""
 echo " PERSISTENT MODE OPTIONS"
 echo " -x | --persistent enable the experimental (!) persistent mode"
- echo " -s | --start-addr 0x456789 a location directly after your input is fed into the target"
- echo " -e | --end-addr 0x56789A a location where the to-be-fuzzed logic is done"
- echo " --buff-addr 0x6789AB the location where user input is stored"
+ echo " -s | --start-addr 0x56789A a location directly after your input is fed into the target"
+ echo " -e | --end-addr 0x6789AB a location where the to-be-fuzzed logic is done"
+ echo " --buff-addr 0x789ABC the location where user input is stored"
 echo ""
 echo " MISC OPTIONS"
 echo " -b | --prefix CTF{ a known prefix, e.g. the prefix of your flag"
@@ -124,5 +130,5 @@ if [ "$SHOWHELP" == 1 ]; then
 fi
 
 # ready for take-off
-gdb --quiet -nx --eval-command "py barf_positive_addr='$POSITIVEADDR';barf_negative_addr='$NEGATIVEADDR';barf_win_addr='$WINADDR';barf_start_addr='$STARTADDR';barf_end_addr='$ENDADDR';barf_buff_addr='$BUFFADDR';barf_known_prefix='$KNOWNPREFIX';barf_known_suffix='$KNOWNSUFFIX';barf_path='$BARFPATH';barf_chunksize=$CHUNKSIZE;barf_persistent=$PERSISTENT" --command barf.py $TARGETFILE
+gdb --quiet -nx --eval-command "py barf_positive_addr='$POSITIVEADDR';barf_negative_addr='$NEGATIVEADDR';barf_win_addr='$WINADDR';barf_lose_addr='$LOSEADDR';barf_start_addr='$STARTADDR';barf_end_addr='$ENDADDR';barf_buff_addr='$BUFFADDR';barf_known_prefix='$KNOWNPREFIX';barf_known_suffix='$KNOWNSUFFIX';barf_path='$BARFPATH';barf_chunksize=$CHUNKSIZE;barf_persistent=$PERSISTENT" --command barf.py $TARGETFILE
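Review bot: `$LOSEADDR` is spliced verbatim into the single-quoted Python literal `barf_lose_addr='$LOSEADDR'` on the gdb line, exactly like the existing address variables, so a value containing a quote or semicolon closes the literal and the remainder of the argument is executed as Python inside gdb rather than rejected. The help text documents these as hex addresses, so if that is the only accepted form, check the value before launch, e.g. `[[ -z "$LOSEADDR" || "$LOSEADDR" =~ ^0x[0-9a-fA-F]+$ ]] || { echo "invalid --lose-addr: $LOSEADDR" >&2; exit 1; }`; the same guard would suit the other address variables already on this line. If symbol names are also meant to be accepted here, the pattern needs widening accordingly.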
diff --git a/src/BreakpointManager.py b/src/BreakpointManager.py
index 86857e4..ca80a80 100644
--- a/src/BreakpointManager.py
+++ b/src/BreakpointManager.py
@@ -11,14 +11,17 @@ class BreakpointManager:
 posB = None
 negB = None
 winB = None
+ loseB = None
 
- def __init__(self, pAddr, nAddr, wAddr):
+ def __init__(self, pAddr, nAddr, wAddr, lAddr):
 if pAddr:
 self.posB = CounterBreakpoint(pAddr, True)
 if nAddr:
 self.negB = CounterBreakpoint(nAddr, False)
 if wAddr:
 self.winB = CounterBreakpoint(wAddr, True)
+ if lAddr:
+ self.loseB = CounterBreakpoint(lAddr, False)
 
 def GetScore(self):
 score = 0
@@ -47,4 +50,10 @@ class BreakpointManager:
 
 def HitWin(self):
 if self.winB:
 return self.winB.GetScore() != 0
+ return False
+
+ def HitLose(self):
+ if self.loseB:
+ return self.loseB.GetScore() != 0
+ return True
diff --git a/src/Bruteforce.py b/src/Bruteforce.py
index d12ee43..7793ae5 100644
--- a/src/Bruteforce.py
+++ b/src/Bruteforce.py
@@ -65,7 +65,7 @@ def Bruteforce(bm, tm, knownPrefix, knownSuffix, chunksize):
 DisableLogging()
 
 # let's examine it further - check if we hit the win breakpoint :)
- if bm.HitWin():
+ if bm.HitWin() or not bm.HitLose():
 EnableLogging()
 print("BARF found the flag - or at least managed to hit the 'win' breakpoint!")
 print(f"Winning guess for the flag is '{knownPrefix + knownSuffix}'")
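Review bot: HitLose() answers True when no lose address was configured, the mirror image of HitWin()'s new `return False` default, and nothing in the class explains the asymmetry; with Bruteforce testing `not bm.HitLose()`, that default is the only thing stopping an unconfigured lose breakpoint from reporting every guess as a win. Spell it out in a docstring, e.g. `"""True if the lose breakpoint fired. Also True when none is configured, so `not HitLose()` only ever triggers when -l was given."""`, and give HitWin() the matching note. A reader may also expect loseB to be folded into GetScore() the way negB presumably is; GetScore()'s body lies outside the hunk, so that is worth verifying. This applies to both hunks of this file, the constructor one and the HitWin/HitLose one.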
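Review bot: The new condition treats "lose breakpoint never hit" as success, but that breakpoint is equally missed when the target crashes, is killed, or exits before reaching either address, so such a run is now printed as "managed to hit the 'win' breakpoint" while HitWin() was actually false. At minimum the message should name which signal fired, e.g. `reason = "hit the 'win' breakpoint" if bm.HitWin() else "never hit the 'lose' breakpoint"` and `print(f"BARF found the flag - or at least {reason}!")`; better is to only trust an absent lose hit when the run is known to have completed normally, if the TargetManager exposes that. Bruteforce() continues outside the hunk.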