#!/usr/bin/env python3 """ SMART brute force - test range 0-100k with proper format """ import requests from concurrent.futures import ThreadPoolExecutor, as_completed import time def lcg_step(seed): return (seed * 0x52c6425d + 0xcc52c) % (2**32) def generate_keys(passcode): seed = passcode keys = [] for _ in range(6): seed = lcg_step(seed) keys.append(seed % 0xffffff) return keys def try_passcode(pc): keys = generate_keys(pc) # Keys 4 and 5 (last 2) get appended as 6 bytes key_bytes = [] for key in keys[4:6]: key_bytes.extend([key >> 16, (key >> 8) & 0xFF, key & 0xFF]) key_hex = ''.join(f'{b:02x}' for b in key_bytes) # Using extracted data sector_22 = 'cd335e314d4f8634cd1f0e0000000000' auth_code = sector_22 + key_hex data = { 'uid': '04f6555b', 'username': '6178656c5f6f757472756e', # axel_outrun 'authorization_code': auth_code, 'access_level': '5e4ce0a703078634cd1f0e0000000000' } try: r = requests.post('http://154.57.164.76:32127/api', data=data, timeout=2) result = r.json() if result.get('flag') and len(result.get('flag', '')) > 5: return (pc, result['flag']) except: pass return None print("[*] Smart brute force: 0-100,000 @ 20 workers") print() start_time = time.time() with ThreadPoolExecutor(max_workers=20) as executor: futures = {executor.submit(try_passcode, pc): pc for pc in range(100000)} for i, future in enumerate(as_completed(futures)): if i % 5000 == 0: elapsed = time.time() - start_time rate = i / elapsed if elapsed > 0 else 0 print(f"\r {i:06d}/100000 ({rate:.0f} tests/sec)", end='', flush=True) result = future.result() if result: pc, flag = result print(f"\n\n{'='*70}") print(f"FLAG FOUND!") print(f"Passcode: {pc}") print(f"FLAG: {flag}") print(f"{'='*70}") executor.shutdown(wait=False, cancel_futures=True) exit(0) print(f"\n\n[-] Not found in 0-100k range")