Add the option to specify a custom charset

barf.py

@@ -23,6 +23,8 @@
 # include project path as include path
 sys.path.insert(1, barf_path)
 
+from base64 import b64decode
+
 # include project files
 from BreakpointManager import BreakpointManager
 from TargetManager import TargetManager
@@ -44,7 +46,7 @@ def main():
     tm = TargetManager(bm, args["persistent"], args["startAddr"], args["endAddr"], args["buffAddr"])
 
     # start the bruteforcing madness ;)
-    Bruteforce(bm, tm, args["knownPrefix"], args["knownSuffix"], args["chunksize"])
+    Bruteforce(bm, tm, args["knownPrefix"], args["knownSuffix"], args["chunksize"], args["charset"])
 
     # g'night, gdb
     gdb.execute("set confirm off")
@@ -64,6 +66,7 @@ def getArguments():
     a["knownPrefix"] = barf_known_prefix
     a["knownSuffix"] = barf_known_suffix
     a["chunksize"] = barf_chunksize
+    a["charset"] = b64decode(barf_charset_b64).decode()
     a["persistent"] = barf_persistent
     return a
 

barf.sh

@@ -17,6 +17,7 @@ KNOWNPREFIX=""
 KNOWNSUFFIX=""
 BARFPATH="$(dirname $(realpath $0))/src"
 CHUNKSIZE=1
+CHARSET=""
 PERSISTENT="False"
 
 # show the help and exit
@@ -39,6 +40,7 @@ function show_help {
 	echo "		-b | --prefix        CTF{	a known prefix, e.g. the prefix of your flag"
 	echo "		-a | --suffix        }		a known suffix, e.g. the suffix of your flag"
 	echo "		-c | --chunksize     2		amount of characters to try at once (default: 1)"
+	echo "		--charset            23@fl4g!   characters to use (default: printable ASCII)"
 	echo "		-h | --help			a great and useful help message, you should try it!"
 	echo ""
 	echo "See https://github.com/maride/barf for more information and examples!"
@@ -95,6 +97,10 @@ while [[ $# -gt 0 ]]; do
 		CHUNKSIZE="$2"
 		shift; shift
 		;;
+		--charset)
+		CHARSET=$(echo -n "$2" | base64)
+		shift; shift
+		;;
 		-x|--persistent)
 		PERSISTENT="1"
 		shift
@@ -135,5 +141,5 @@ if [[ "$PERSISTENT" == "1" && ("$STARTADDR" == "" || "$ENDADDR" == "" || "$BUFFA
 fi
 
 # ready for take-off
-gdb --quiet -nx --eval-command "py barf_positive_addr='$POSITIVEADDR';barf_negative_addr='$NEGATIVEADDR';barf_win_addr='$WINADDR';barf_lose_addr='$LOSEADDR';barf_start_addr='$STARTADDR';barf_end_addr='$ENDADDR';barf_buff_addr='$BUFFADDR';barf_known_prefix='$KNOWNPREFIX';barf_known_suffix='$KNOWNSUFFIX';barf_path='$BARFPATH';barf_chunksize=$CHUNKSIZE;barf_persistent=$PERSISTENT" --command barf.py $TARGETFILE
+gdb --quiet -nx --eval-command "py barf_positive_addr='$POSITIVEADDR';barf_negative_addr='$NEGATIVEADDR';barf_win_addr='$WINADDR';barf_lose_addr='$LOSEADDR';barf_start_addr='$STARTADDR';barf_end_addr='$ENDADDR';barf_buff_addr='$BUFFADDR';barf_known_prefix='$KNOWNPREFIX';barf_known_suffix='$KNOWNSUFFIX';barf_path='$BARFPATH';barf_chunksize=$CHUNKSIZE;barf_charset_b64='$CHARSET';barf_persistent=$PERSISTENT" --command barf.py $TARGETFILE
 

src/Bruteforce.py

@@ -6,11 +6,11 @@ from Helper import *
 from TargetManager import TargetManager
 
 # The charset to try, sorted by the likelihood of a character class
-charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}_!?'#%+/ ;[`@-\".<,*|&$(]=)^>\\:~"
+default_charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}_!?'#%+/ ;[`@-\".<,*|&$(]=)^>\\:~"
 
 # bruteforces a single character, sandwiched between the known parts.
 # Returns the most promising string.
-def BruteforceChar(bm, tm, knownPrefix, knownSuffix, chunksize):
+def BruteforceChar(bm, tm, knownPrefix, knownSuffix, chunksize, charset):
     # keyFragment is the variable were we store our found-to-be-correct chars
     keyFragment = ""
 
@@ -42,9 +42,10 @@ def BruteforceChar(bm, tm, knownPrefix, knownSuffix, chunksize):
 # Bruteforce calls BruteforceChar until:
 # - BruteforceChar was unable to increase the score using any character in the charset, OR
 # - the "win" breakpoint is hit :)
-def Bruteforce(bm, tm, knownPrefix, knownSuffix, chunksize):
+def Bruteforce(bm, tm, knownPrefix, knownSuffix, chunksize, charset):
+    charset_to_use = charset or default_charset
     while True:
-        res = BruteforceChar(bm, tm, knownPrefix, knownSuffix, chunksize)
+        res = BruteforceChar(bm, tm, knownPrefix, knownSuffix, chunksize, charset_to_use)
         if res is False:
             # no character from the given charset matched. :(
             EnableLogging()