One more reverse challenge from the Coursera malware class (the 2014 class).
It is similar to the previous challenge, which is covered in the previous blog post.
seed@seed-desktop:~/projects/2$ ./reverse-challenge
Are you feeling lucky today? s
^C
[6]+ Stopped ./reverse-challenge
seed@seed-desktop:~/projects/2$ file reverse-challenge
reverse-challenge: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped
seed@seed-desktop:~/projects/2$ grep "41 72" rc
8048cba: 00 41 72 add %al,0x72(%ecx)
8048a54: c7 04 24 bb 8c 04 08 movl $0x8048cbb,(%esp)
8048a5b: e8 c0 fa ff ff call 8048520 <printf@plt>
This is where the question "Are you feeling lucky today?" gets asked, as detailed in the previous blog post.
Then we have a switch on 0x43, 0x4e and 0x41.
The 0x4e ('N') case is the interesting one: it jumps to 0x8048743, the others are dead ends.
804872d: 55 push %ebp
804872e: 89 e5 mov %esp,%ebp
8048730: 31 db xor %ebx,%ebx
8048732: 6a 04 push $0x4
8048734: 5b pop %ebx
8048735: 01 e3 add %esp,%ebx
8048737: 8b 1b mov (%ebx),%ebx
8048739: 83 c3 10 add $0x10,%ebx
804873c: b8 11 00 00 00 mov $0x11,%eax
8048741: 5d pop %ebp
8048742: c3 ret
8048743: 55 push %ebp
8048744: 89 e5 mov %esp,%ebp
8048746: 83 ec 28 sub $0x28,%esp
8048749: 8b 45 08 mov 0x8(%ebp),%eax
804874c: 89 45 f4 mov %eax,-0xc(%ebp)
804874f: 53 push %ebx
8048750: 31 db xor %ebx,%ebx
8048752: 6a 30 push $0x30
8048754: 5b pop %ebx
8048755: 01 e3 add %esp,%ebx
8048757: e8 d1 ff ff ff call 804872d <close@plt+0x10d>
804875c: 8b 55 0c mov 0xc(%ebp),%edx
804875f: 50 push %eax
8048760: 31 c0 xor %eax,%eax
8048762: 6a 0c push $0xc
8048764: 58 pop %eax
8048765: 01 d0 add %edx,%eax
8048767: 50 push %eax
8048768: 53 push %ebx
8048769: c3 ret
804876a: b8 01 c7 45 f0 mov $0xf045c701,%eax
804876f: fa cli
8048770: 00 00 add %al,(%eax)
8048772: 00 58 eb add %bl,-0x15(%eax)
8048775: 27 daa
8048776: 8b 45 f4 mov -0xc(%ebp),%eax
8048779: 0f b6 00 movzbl (%eax),%eax
804877c: 83 c0 01 add $0x1,%eax
804877f: 89 c2 mov %eax,%edx
8048781: 8b 45 f4 mov -0xc(%ebp),%eax
8048784: 88 10 mov %dl,(%eax)
8048786: 8b 45 f4 mov -0xc(%ebp),%eax
8048789: 0f b6 00 movzbl (%eax),%eax
804878c: 8b 55 f0 mov -0x10(%ebp),%edx
804878f: 83 e2 2b and $0x2b,%edx
8048792: 31 c2 xor %eax,%edx
8048794: 8b 45 f4 mov -0xc(%ebp),%eax
8048797: 88 10 mov %dl,(%eax)
8048799: 83 45 f4 01 addl $0x1,-0xc(%ebp)
804879d: 8b 45 f4 mov -0xc(%ebp),%eax
80487a0: 0f b6 00 movzbl (%eax),%eax
80487a3: 84 c0 test %al,%al
80487a5: 75 cf jne 8048776 <close@plt+0x156>
80487a7: c7 44 24 04 80 8c 04 movl $0x8048c80,0x4(%esp)
80487ae: 08
80487af: 8b 45 08 mov 0x8(%ebp),%eax
80487b2: 89 04 24 mov %eax,(%esp)
80487b5: e8 46 fd ff ff call 8048500 <strcmp@plt>
80487ba: 85 c0 test %eax,%eax
80487bc: 75 07 jne 80487c5 <close@plt+0x1a5>
80487be: b8 01 00 00 00 mov $0x1,%eax
80487c3: eb 05 jmp 80487ca <close@plt+0x1aa>
80487c5: b8 00 00 00 00 mov $0x0,%eax
80487ca: c9 leave
80487cb: c3 ret
(gdb) p/x 0x5c + 0x10
$3 = 0x6c
This code just adds 0x10 to the return address 0x804875c and jumps to 0x804876c. Compared to the previous example it takes a detour through a function call,
but the gist is the same: it jumps into the middle of the instruction at
804876a: b8 01 c7 45 f0 mov $0xf045c701,%eax
The actual disassembly, as in the previous blog post, starts at 0x804876c:
0: c7 45 f0 fa 00 00 00 movl $0xfa,-0x10(%ebp)
7: 58 pop %eax
8: eb 17 jmp 0x21
Next is the loop doing the magic conversion of the input, followed by the strcmp.
8048776: 8b 45 f4 mov -0xc(%ebp),%eax
8048779: 0f b6 00 movzbl (%eax),%eax
804877c: 83 c0 01 add $0x1,%eax
804877f: 89 c2 mov %eax,%edx
8048781: 8b 45 f4 mov -0xc(%ebp),%eax
8048784: 88 10 mov %dl,(%eax)
8048786: 8b 45 f4 mov -0xc(%ebp),%eax
8048789: 0f b6 00 movzbl (%eax),%eax
804878c: 8b 55 f0 mov -0x10(%ebp),%edx
804878f: 83 e2 2b and $0x2b,%edx
8048792: 31 c2 xor %eax,%edx
8048794: 8b 45 f4 mov -0xc(%ebp),%eax
8048797: 88 10 mov %dl,(%eax)
8048799: 83 45 f4 01 addl $0x1,-0xc(%ebp)
804879d: 8b 45 f4 mov -0xc(%ebp),%eax
80487a0: 0f b6 00 movzbl (%eax),%eax
80487a3: 84 c0 test %al,%al
80487a5: 75 cf jne 8048776 <close@plt+0x156>
For each byte this computes modified input = (input + 1) ^ 0x2a (where 0x2a comes from 0xfa & 0x2b).
80487a7: c7 44 24 04 80 8c 04 movl $0x8048c80,0x4(%esp)
80487ae: 08
80487af: 8b 45 08 mov 0x8(%ebp),%eax
80487b2: 89 04 24 mov %eax,(%esp)
80487b5: e8 46 fd ff ff call 8048500 <strcmp@plt>
80487ba: 85 c0 test %eax,%eax
80487bc: 75 07 jne 80487c5 <close@plt+0x1a5>
80487be: b8 01 00 00 00 mov $0x1,%eax
80487c3: eb 05 jmp 80487ca <close@plt+0x1aa>
80487c5: b8 00 00 00 00 mov $0x0,%eax
80487ca: c9 leave
80487cb: c3 ret
The modified input is then compared with strcmp against the string at 0x8048c80.
(gdb) x/s 0x8048c80
0x8048c80: "@EHJ~@DZEL"
modified input == "@EHJ~@DZEL"
so input = (modified input ^ 0x2a) - 1
seed@seed-desktop:~/projects/2$ python -c 'print "".join([chr((ord (k)^0x2A)-1) for k in "@EHJ~@DZEL"])'
ina_Simone
The first character of the input is the 'N' from the switch case above.
So the secret input is Nina_Simone.
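As an added example (my code, not the challenge's or the course's), the following Python models the two tricks above end to end: it recovers the 0xfa constant from the overlapping byte stream that the mid-instruction jump exposes, replays the per-byte transform of the loop at 0x8048776 (including the char wrap-around and the C-string truncation that strcmp would apply), and inverts it to recover the key. The byte values, addresses and the target string "@EHJ~@DZEL" are taken from the listing on this page; the function names and the 0x29 edge case are my own.

```python
import struct

# Bytes at 0x804876a exactly as objdump printed them on this page:
# b8 01 c7 45 f0 | fa | 00 00 | 00 58 eb | 27  (assumption: copied from the listing)
LISTING_BYTES = bytes.fromhex("b801c745f0fa00000058eb27")
LISTING_BASE = 0x804876A
TARGET = b"@EHJ~@DZEL"          # string at 0x8048c80 that strcmp compares against


def real_entry(return_address: int = 0x804875C) -> int:
    """The helper at 0x804872d reads its own return address off the stack and
    adds 0x10; the caller then 'ret's to that value (0x5c + 0x10 = 0x6c)."""
    return return_address + 0x10


def executed_stream(entry: int = real_entry()) -> bytes:
    """The bytes the CPU really decodes, starting two bytes into the 5-byte
    'mov $0xf045c701,%eax' that the linear disassembly shows."""
    return LISTING_BYTES[entry - LISTING_BASE:]


def loop_constant(stream: bytes) -> int:
    """The real stream opens with 'c7 45 f0 imm32' = movl $imm32,-0x10(%ebp);
    the loop later ANDs that slot with 0x2b, which yields the XOR key."""
    if stream[:3] != b"\xc7\x45\xf0":
        raise ValueError("stream does not start with movl $imm32,-0x10(%ebp)")
    imm32 = struct.unpack("<I", stream[3:7])[0]   # little-endian immediate (0xfa)
    return imm32 & 0x2B


XOR_KEY = loop_constant(executed_stream())        # 0xfa & 0x2b -> 0x2a


def encode(plain: bytes) -> bytes:
    """Replay the loop: store (b + 1), then store ((b + 1) ^ 0x2a), per byte.
    The buffer is a char array, so the +1 wraps modulo 256; the loop stops at
    the first NUL of the input."""
    out = bytearray()
    for b in plain:
        if b == 0:
            break
        stepped = (b + 1) & 0xFF          # add $0x1,%eax / mov %dl,(%eax)
        out.append(stepped ^ XOR_KEY)     # and $0x2b,%edx / xor %eax,%edx / mov %dl,(%eax)
    return bytes(out)


def decode(modified: bytes) -> bytes:
    """Invert encode(): input = (modified ^ 0x2a) - 1, byte by byte."""
    return bytes(((m ^ XOR_KEY) - 1) & 0xFF for m in modified)


def is_accepted(candidate: bytes) -> bool:
    """What the strcmp at 0x80487b5 decides. The rewritten buffer is a C string,
    so a 0x00 produced by the transform (input byte 0x29 -> 0x2a ^ 0x2a) truncates it."""
    c_string = encode(candidate).split(b"\x00", 1)[0]
    return c_string == TARGET


def recover_key(target: bytes = TARGET, prefix: bytes = b"N") -> bytes:
    """The 'N' that selected this switch case is not part of the compared buffer,
    so it is prepended to the decoded remainder."""
    return prefix + decode(target)


if __name__ == "__main__":
    print("hidden entry: 0x%x" % real_entry())
    print("executed bytes:", executed_stream().hex(" "))
    print("xor key: 0x%02x" % XOR_KEY)
    print("key:", recover_key().decode())
```

Running the block prints the hidden entry 0x804876c, the bytes the CPU actually decodes from there, the derived key 0x2a and the recovered string Nina_Simone; is_accepted() can be used to confirm that only the exact remainder after the 'N' compares equal.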
seed@seed-desktop:~/projects/2$ ./reverse-challenge
Are you feeling lucky today? Nina_Simone
[+] WooT! THE KEY IS: Nina_Simone
[+] If you want, now open a terminal and type:
echo "Nina_Simone" | nc 134.219.148.8 8080