Add lose address (counterpart to win address)

2025-10-10 19:06:51 +00:00 · 2021-06-18 13:54:16 +02:00 · 2021-06-18 13:54:16 +02:00 · 3991b4f482
commit 3991b4f482
parent b1450323fd
4 changed files with 23 additions and 7 deletions
--- a/barf.py
+++ b/barf.py
@ -38,7 +38,7 @@ def main():
    args = getArguments()

    # Create our breakpoints, managed by the BreakpointManager
-    bm = BreakpointManager(args["positiveAddr"], args["negativeAddr"], args["winAddr"])
+    bm = BreakpointManager(args["positiveAddr"], args["negativeAddr"], args["winAddr"], args["loseAddr"])

    # Manage the target with the TargetManager
    tm = TargetManager(bm, args["persistent"], args["startAddr"], args["endAddr"], args["buffAddr"])
@ -57,6 +57,7 @@ def getArguments():
    a["positiveAddr"] = barf_positive_addr
    a["negativeAddr"] = barf_negative_addr
    a["winAddr"] = barf_win_addr
+    a["loseAddr"] = barf_lose_addr
    a["startAddr"] = barf_start_addr
    a["endAddr"] = barf_end_addr
    a["buffAddr"] = barf_buff_addr
--- a/barf.sh
+++ b/barf.sh
@ -9,6 +9,7 @@
 POSITIVEADDR=""
 NEGATIVEADDR=""
 WINADDR=""
+LOSEADDR=""
 STARTADDR=""
 ENDADDR=""
 BUFFADDR=""
@ -36,6 +37,10 @@ while [[ $# -gt 0 ]]; do
 		WINADDR="$2"
 		shift; shift
 		;;
+		-l|--lose-addr)
+		LOSEADDR="$2"
+		shift; shift
+		;;
 		-s|--start-addr)
 		STARTADDR="$2"
 		shift; shift
@ -106,12 +111,13 @@ if [ "$SHOWHELP" == 1 ]; then
 	echo "		-p | --positive-addr 0x123456	a location to be counted as good hit"
 	echo "		-n | --negative-addr 0x234567	a location to be counted as bad hit"
 	echo "		-w | --win-addr      0x345678	a location reached if your input is correct"
+	echo "		-l | --lose-addr     0x456789	a location reached if your input is incorrect"
 	echo ""
 	echo "    PERSISTENT MODE OPTIONS"
 	echo "		-x | --persistent		enable the experimental (!) persistent mode"
-	echo "		-s | --start-addr    0x456789	a location directly after your input is fed into the target"
-	echo "		-e | --end-addr	     0x56789A	a location where the to-be-fuzzed logic is done"
-	echo "		--buff-addr          0x6789AB	the location where user input is stored"
+	echo "		-s | --start-addr    0x56789A	a location directly after your input is fed into the target"
+	echo "		-e | --end-addr	     0x6789AB	a location where the to-be-fuzzed logic is done"
+	echo "		--buff-addr          0x789ABC	the location where user input is stored"
 	echo ""
 	echo "    MISC OPTIONS"
 	echo "		-b | --prefix        CTF{	a known prefix, e.g. the prefix of your flag"
@ -124,5 +130,5 @@ if [ "$SHOWHELP" == 1 ]; then
 fi

 # ready for take-off
-gdb --quiet -nx --eval-command "py barf_positive_addr='$POSITIVEADDR';barf_negative_addr='$NEGATIVEADDR';barf_win_addr='$WINADDR';barf_start_addr='$STARTADDR';barf_end_addr='$ENDADDR';barf_buff_addr='$BUFFADDR';barf_known_prefix='$KNOWNPREFIX';barf_known_suffix='$KNOWNSUFFIX';barf_path='$BARFPATH';barf_chunksize=$CHUNKSIZE;barf_persistent=$PERSISTENT" --command barf.py $TARGETFILE
+gdb --quiet -nx --eval-command "py barf_positive_addr='$POSITIVEADDR';barf_negative_addr='$NEGATIVEADDR';barf_win_addr='$WINADDR';barf_lose_addr='$LOSEADDR';barf_start_addr='$STARTADDR';barf_end_addr='$ENDADDR';barf_buff_addr='$BUFFADDR';barf_known_prefix='$KNOWNPREFIX';barf_known_suffix='$KNOWNSUFFIX';barf_path='$BARFPATH';barf_chunksize=$CHUNKSIZE;barf_persistent=$PERSISTENT" --command barf.py $TARGETFILE

--- a/src/BreakpointManager.py
+++ b/src/BreakpointManager.py
@ -11,14 +11,17 @@ class BreakpointManager:
    posB = None
    negB = None
    winB = None
+    loseB = None

-    def __init__(self, pAddr, nAddr, wAddr):
+    def __init__(self, pAddr, nAddr, wAddr, lAddr):
        if pAddr:
            self.posB = CounterBreakpoint(pAddr, True)
        if nAddr:
            self.negB = CounterBreakpoint(nAddr, False)
        if wAddr:
            self.winB = CounterBreakpoint(wAddr, True)
+        if lAddr:
+            self.loseB = CounterBreakpoint(lAddr, False)

    def GetScore(self):
        score = 0
@ -47,4 +50,10 @@ class BreakpointManager:
    def HitWin(self):
        if self.winB:
            return self.winB.GetScore() != 0
+        return False
+
+    def HitLose(self):
+        if self.loseB:
+            return self.loseB.GetScore() != 0
+        return True

--- a/src/Bruteforce.py
+++ b/src/Bruteforce.py
@ -65,7 +65,7 @@ def Bruteforce(bm, tm, knownPrefix, knownSuffix, chunksize):
            DisableLogging()

            # let's examine it further - check if we hit the win breakpoint :)
-            if bm.HitWin():
+            if bm.HitWin() or not bm.HitLose():
                EnableLogging()
                print("BARF found the flag - or at least managed to hit the 'win' breakpoint!")
                print(f"Winning guess for the flag is '{knownPrefix + knownSuffix}'")