CFCS Challenge 1

a guest
Oct 3rd, 2015
Q1:

UPX1:0041E89B jmp near ptr word_4026F2 ; Tail jump to OEP.

Q2:

The algorithm is a simple XOR pad, where

84963145865 is the key

and the pad, which is stored as 32-bit integers for some reason, is:

0x52 ; 0
0x5B ; 1
0x5B ; 2
0x76 ; 3
0x50 ; 4
0x57 ; 5
0x57 ; 6
0x46 ; 7
0x16 ; 8
0x52 ; 9
0x5E ; A


This is easy to see from the block in memory:

00414590 52 00 00 00 5B 00 00 00 5B 00 00 00 76 00 00 00  R...[...[...v...
004145A0 50 00 00 00 57 00 00 00 57 00 00 00 46 00 00 00  P...W...W...F...
004145B0 16 00 00 00 52 00 00 00 5E 00 00 00 00 00 00 00  ....R...^.......
004145C0 00 00 00 00 38 34 39 36 33 31 34 35 38 36 35 00  ....84963145865.

As can be seen here:

.text:00401320 loc_401320: ; CODE XREF: sub_4012F0+62j
.text:00401320 movzx eax, byte ptr [eax+edx]
.text:00401324 lea edx, [edx+1]
.text:00401327 xor [edx-1], al
.text:0040132A xor ebx, ebx
.text:0040132C movzx eax, byte ptr [edx-1]
.text:00401330 movsx eax, al
.text:00401333 cmp ds:dword_414590[edi*4], eax
.text:0040133A cmovnz esi, ebx
.text:0040133D inc edi
.text:0040133E lea ebx, [ecx+1]
.text:00401341
.text:00401341 loc_401341: ; CODE XREF: sub_4012F0+56j
.text:00401341 mov al, [ecx]
.text:00401343 inc ecx
.text:00401344 test al, al
.text:00401346 jnz short loc_401341
.text:00401348 mov eax, [ebp+var_8]
.text:0040134B sub ecx, ebx
.text:0040134D cmp edi, ecx
.text:0040134F mov ecx, [ebp+var_4]
.text:00401352 jb short loc_401320


This can roughly be broken down to:

key = "84963145865"
solution = []
xorpad = [0x52, 0x5b, 0x5b, 0x76, 0x50, 0x57, 0x57, 0x46, 0x16, 0x52, 0x5e]
# XOR each key character with the pad value at the same index
for x in range(len(key)):
    solution.append(chr(ord(key[x]) ^ xorpad[x]))

print("".join(solution))
# job@cfcs.dk
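
Added example (not part of the original paste): instead of retyping the pad by hand, this reads the pad and key straight out of the memory rows shown above and models the compare loop at loc_401320, including the movsx sign extension. The function names are made up here, and the loop bound (len(key) bytes) is an assumption, since the paste does not say which string the strlen at loc_401341 measures.

```python
import struct

# Memory rows copied from the paste (address + 16 bytes, ASCII column dropped).
DUMP = """\
00414590 52 00 00 00 5B 00 00 00 5B 00 00 00 76 00 00 00
004145A0 50 00 00 00 57 00 00 00 57 00 00 00 46 00 00 00
004145B0 16 00 00 00 52 00 00 00 5E 00 00 00 00 00 00 00
004145C0 00 00 00 00 38 34 39 36 33 31 34 35 38 36 35 00
"""

def load_dump(text):
    """Parse 'ADDR b0 .. b15' rows into (base address, contiguous bytes)."""
    base, blob = None, bytearray()
    for row in filter(None, (r.split() for r in text.splitlines())):
        addr = int(row[0], 16)
        base = addr if base is None else base
        if addr != base + len(blob):
            raise ValueError("gap in dump at %08X" % addr)
        blob += bytes(int(b, 16) for b in row[1:17])
    return base, bytes(blob)

def read_pad_and_key(blob):
    """Split the block into the dword pad and the NUL-terminated key after it."""
    pad = []
    for (value,) in struct.iter_unpack("<i", blob[:len(blob) & ~3]):
        if value == 0:          # first zero dword ends the pad
            break
        pad.append(value)       # little-endian, signed (matches the cmp on eax)
    off = 4 * len(pad)
    while off < len(blob) and blob[off] == 0:  # skip zero padding before the key
        off += 1
    return pad, blob[off:blob.index(b"\x00", off)], off

def check(candidate, key, pad):
    """Model of loc_401320 (assumption: the loop covers len(key) bytes)."""
    ok = len(candidate) == len(key) == len(pad)
    for c, k, p in zip(candidate, key, pad):
        x = ((c ^ k) ^ 0x80) - 0x80   # xor [edx-1], al ; movsx eax, al
        ok = ok and x == p            # cmovnz clears the flag, no early exit
    return ok

def recover(key, pad):
    """Invert the check: expected input byte = pad dword (low byte) XOR key byte."""
    return bytes((p & 0xFF) ^ k for p, k in zip(pad, key))

if __name__ == "__main__":
    base, blob = load_dump(DUMP)
    pad, key, key_off = read_pad_and_key(blob)
    print("%08X" % (base + key_off), key.decode(), recover(key, pad).decode())
```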