GCHQ Stage 1 Solution

1. ; GCHQ canyoucrackit.co.uk stage 1 solution
2.  
3. ; Dr Gareth Owen, School of Engineering, University of Greenwich, England
4. ; [email protected]
5.  
6. ; Explanation: http://gchqchallenge.blogspot.com
7. ; To run:
8. ; nasm -f elf p1-complete.asm
9. ; gcc -o p1 p1-complete.asm
10. ; ./p1
11.  
12. global main
13. main:
14.  
15. jmp start
16.  
17. ; unused - code for part 3
18. scasd
19. ret 0xa3bf
20. ; unused - end code for part 3
21.  
22. start:
23. sub esp,0x100    ; 4096 bytes
24. xor ecx,ecx
25.  
26. ; loop through 256 bytes of memory and set values to equal offset (e.g. pos 1 = val 1)
27. ; RC4 KSA initialisation
28. ksa_part1_loop:
29. mov [esp+ecx],cl
30. inc cl
31. jnz ksa_part1_loop
32.  
33. xor eax,eax
34.  
35. ; key for RC4 algorithm
36. mov edx,0xdeadbeef
37.  
38. ksa_key_loop:   ; cl used as j (loop counter)
39. add al,[esp+ecx];
40. add al,dl   ; take cur byte from key
41. ror edx,0x8     ; next byte in key (rotate 8 bits)
42. mov bl,[esp+ecx]
43. mov bh,[esp+eax]
44. mov [esp+eax],bl
45. mov [esp+ecx],bh
46. inc cl
47. jnz ksa_key_loop
48.  
49. jmp label1
50.  
51. decrypt:       
52. mov ebx,esp
53. add ebx,0x4 ; keystream location
54.  
55. pop esp     ; loads end of program address into ESP (using location from earlier call which placed it on stack )
56.  
57. ; sanity check
58. pop eax         ; ensure we're at end of program (see last four instructions)
59. cmp eax,0x41414141
60. jnz myexit
61.  
62. ; esp = beginning of data from image
63. ; check valid data
64. pop eax
65. cmp eax,0x42424242
66. jnz myexit
67.  
68. ; begin decryption
69. pop edx     ; get num bytes ( = 50/32h)
70. mov ecx,edx
71. mov esi,esp ; stack pointer into esi
72. mov edi,ebx ; destination is old esp + 4
73. sub edi,ecx ; move back down stack 32 bytes
74. rep movsb   ; move ECX bytes from ESI to EDI
75. mov esi,ebx
76. mov ecx,edx
77. mov edi,ebx
78. sub edi,ecx
79. xor eax,eax
80. xor ebx,ebx
81. xor edx,edx
82.  
83. decrypt_loop:           ; main decrypt loop
84. inc al
85. add bl,[esi+eax]
86. mov dl,[esi+eax]
87. mov dh,[esi+ebx]
88. mov [esi+eax],dh
89. mov [esi+ebx],dl
90. add dl,dh
91. xor dh,dh
92. mov bl,[esi+edx]
93. mov dl,[edi]
94. xor dl,bl           ; xor with keystraem
95. mov [edi],dl            ; store result
96. inc edi
97. dec ecx
98. jnz decrypt_loop
99.  
100. myexit:
101. mov eax, 4 ; sys_write
102. mov ebx, 1 ; stdout
103. mov edx, 0x32 ; length
104. lea ecx, [edi-0x32] ; location
105. int 0x80
106.  
107. xor ebx,ebx  ; clear ebx
108. mov eax,ebx  ; clear eax
109. inc al       ; set eax to 1 (syscall for exit)
110. int 0x80     ; make syscall
111.  
112. label1:
113. nop
114. nop
115. call decrypt    ; CALL SO THAT WE GET THIS LOCATION ONTO THE STACK (e.g. end of file for later for decryption)
116.  
117. ; 0x41414141 (to check we're in right place later)
118. dd 0x41414141
119. ;inc ecx
120. ;inc ecx
121. ;inc ecx
122. ;inc ecx
123.  
124. ; INSERT STUFF TO BE DECRYPTED HERE
125. db  042h
126. db  042h
127. db  042h
128. db  042h
129. db  032h
130. db  00h
131. db  00h
132. db  00h
133. db  091h
134. db  0d8h
135. db  0f1h
136. db  06dh
137. db  070h
138. db  020h
139. db  03ah
140. db  0abh
141. db  067h
142. db  09ah
143. db  0bh
144. db  0c4h
145. db  091h
146. db  0fbh
147. db  0c7h
148. db  066h
149. db  0fh
150. db  0fch
151. db  0cdh
152. db  0cch
153. db  0b4h
154. db  02h
155. db  0fah
156. db  0d7h
157. db  077h
158. db  0b4h
159. db  054h
160. db  038h
161. db  0abh
162. db  01fh
163. db  0eh
164. db  0e3h
165. db  08eh
166. db  0d3h
167. db  0dh
168. db  0ebh
169. db  099h
170. db  0c3h
171. db  093h
172. db  0feh
173. db  0d1h
174. db  02bh
175. db  01bh
176. db  011h
177. db  0c6h
178. db  011h
179. db  0efh
180. db  0c8h
181. db  0cah
182. db  02fh
183.  
184.