SHARE
TWEET

GCHQ Stage 1 Solution

a guest Dec 4th, 2011 2,583 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ; GCHQ canyoucrackit.co.uk stage 1 solution
  2.  
  3. ; Dr Gareth Owen, School of Engineering, University of Greenwich, England
  4. ; g.h.owen@gre.ac.uk
  5.  
  6. ; Explanation: http://gchqchallenge.blogspot.com
  7. ; To run:
  8. ; nasm -f elf p1-complete.asm
  9. ; gcc -o p1 p1-complete.asm
  10. ; ./p1
  11.  
  12. global main
  13. main:
  14.  
  15. jmp start
  16.  
  17. ; unused - code for part 3
  18. scasd
  19. ret 0xa3bf
  20. ; unused - end code for part 3
  21.  
  22. start:
  23. sub esp,0x100    ; 4096 bytes
  24. xor ecx,ecx
  25.  
  26. ; loop through 256 bytes of memory and set values to equal offset (e.g. pos 1 = val 1)
  27. ; RC4 KSA initialisation
  28. ksa_part1_loop:
  29. mov [esp+ecx],cl
  30. inc cl
  31. jnz ksa_part1_loop
  32.  
  33. xor eax,eax
  34.  
  35. ; key for RC4 algorithm
  36. mov edx,0xdeadbeef
  37.  
  38. ksa_key_loop:   ; cl used as j (loop counter)
  39. add al,[esp+ecx];
  40. add al,dl       ; take cur byte from key
  41. ror edx,0x8     ; next byte in key (rotate 8 bits)
  42. mov bl,[esp+ecx]
  43. mov bh,[esp+eax]
  44. mov [esp+eax],bl
  45. mov [esp+ecx],bh
  46. inc cl
  47. jnz ksa_key_loop
  48.  
  49. jmp label1
  50.  
  51. decrypt:               
  52. mov ebx,esp
  53. add ebx,0x4     ; keystream location
  54.  
  55. pop esp         ; loads end of program address into ESP (using location from earlier call which placed it on stack )
  56.  
  57. ; sanity check
  58. pop eax                 ; ensure we're at end of program (see last four instructions)
  59. cmp eax,0x41414141
  60. jnz myexit
  61.  
  62. ; esp = beginning of data from image
  63. ; check valid data
  64. pop eax
  65. cmp eax,0x42424242
  66. jnz myexit
  67.  
  68. ; begin decryption
  69. pop edx         ; get num bytes ( = 50/32h)
  70. mov ecx,edx
  71. mov esi,esp     ; stack pointer into esi
  72. mov edi,ebx     ; destination is old esp + 4
  73. sub edi,ecx     ; move back down stack 32 bytes
  74. rep movsb   ; move ECX bytes from ESI to EDI
  75. mov esi,ebx    
  76. mov ecx,edx    
  77. mov edi,ebx    
  78. sub edi,ecx    
  79. xor eax,eax
  80. xor ebx,ebx
  81. xor edx,edx
  82.  
  83. decrypt_loop:                   ; main decrypt loop
  84. inc al
  85. add bl,[esi+eax]
  86. mov dl,[esi+eax]
  87. mov dh,[esi+ebx]
  88. mov [esi+eax],dh
  89. mov [esi+ebx],dl
  90. add dl,dh
  91. xor dh,dh
  92. mov bl,[esi+edx]
  93. mov dl,[edi]
  94. xor dl,bl                       ; xor with keystraem
  95. mov [edi],dl                    ; store result
  96. inc edi
  97. dec ecx
  98. jnz decrypt_loop
  99.  
  100. myexit:
  101. mov eax, 4 ; sys_write
  102. mov ebx, 1 ; stdout
  103. mov edx, 0x32 ; length
  104. lea ecx, [edi-0x32] ; location
  105. int 0x80
  106.  
  107. xor ebx,ebx  ; clear ebx
  108. mov eax,ebx  ; clear eax
  109. inc al       ; set eax to 1 (syscall for exit)
  110. int 0x80     ; make syscall
  111.  
  112. label1:
  113. nop
  114. nop
  115. call decrypt    ; CALL SO THAT WE GET THIS LOCATION ONTO THE STACK (e.g. end of file for later for decryption)
  116.  
  117. ; 0x41414141 (to check we're in right place later)
  118. dd 0x41414141
  119. ;inc ecx
  120. ;inc ecx
  121. ;inc ecx
  122. ;inc ecx
  123.  
  124. ; INSERT STUFF TO BE DECRYPTED HERE
  125. db  042h
  126. db  042h
  127. db  042h
  128. db  042h
  129. db  032h
  130. db  00h
  131. db  00h
  132. db  00h
  133. db  091h
  134. db  0d8h
  135. db  0f1h
  136. db  06dh
  137. db  070h
  138. db  020h
  139. db  03ah
  140. db  0abh
  141. db  067h
  142. db  09ah
  143. db  0bh
  144. db  0c4h
  145. db  091h
  146. db  0fbh
  147. db  0c7h
  148. db  066h
  149. db  0fh
  150. db  0fch
  151. db  0cdh
  152. db  0cch
  153. db  0b4h
  154. db  02h
  155. db  0fah
  156. db  0d7h
  157. db  077h
  158. db  0b4h
  159. db  054h
  160. db  038h
  161. db  0abh
  162. db  01fh
  163. db  0eh
  164. db  0e3h
  165. db  08eh
  166. db  0d3h
  167. db  0dh
  168. db  0ebh
  169. db  099h
  170. db  0c3h
  171. db  093h
  172. db  0feh
  173. db  0d1h
  174. db  02bh
  175. db  01bh
  176. db  011h
  177. db  0c6h
  178. db  011h
  179. db  0efh
  180. db  0c8h
  181. db  0cah
  182. db  02fh
  183.  
  184.  
RAW Paste Data
Top