Forum

By sharpe
Pages: 1 [2] 3
Author Topic: sat0ri RCE challenge/crackme – ten
Fearlock
Newbie
Posts: 11
Post Re: sat0ri RCE challenge/crackme – ten
on: December 20, 2011, 23:59
00401323       mov esi,0x00200983
00401328       shl esi,1
0040132A       mov ecx,0x10

Am I on the right track with this one?

sharpe
Administrator
Posts: 21
Post Re: sat0ri RCE challenge/crackme – ten
on: December 21, 2011, 09:56

It wants the md5 of nerf:hash.

Looking good, follow that path :)

Fearlock
Newbie
Posts: 11
Post Re: sat0ri RCE challenge/crackme – ten
on: December 21, 2011, 19:18

Ok, cool! Hopefully I can set aside some time today to get this thing finished.

Fearlock
Newbie
Posts: 11
Post Re: sat0ri RCE challenge/crackme – ten
on: December 21, 2011, 21:25

Ok, so the small routine is effectively doing nothing other than bringing my attention to a certain 17 bytes? I am still not able to complete the challenge though.

My question this time around is:

Would you say that this is the basic structure of a nerf dart?:

========= =

sharpe
Administrator
Posts: 21
Post Re: sat0ri RCE challenge/crackme – ten
on: December 22, 2011, 08:26

The routine is there because it has to be. Some important stuff is decrypted there, which gives you important clues e.g. addresses, lengths.
I'll give you a big clue here: The Nerf-related part of this challenge is an image, and you must find and decrypt the image ;)

Keep moving, you're on track now.

Enjoy the day Fearlock.

Fearlock
Newbie
Posts: 11
Post Re: sat0ri RCE challenge/crackme – ten
on: December 22, 2011, 18:23

Ok, So here is where I have hit a wall for now:

The shl loads a value into the register that corresponds to a nearby mem location. That is obviously no coincidence. We then load 10h into a counter and proceed to move backward from that initial location byte by byte.

This is where I am stumped:
The routine is loading the bytes, xoring them with 0 and then putting them back just as they were. So as far as decryption goes, all I am getting is a secret pointer to some data?

So maybe I am failing to see a message in this data? Or am I supposed to be taking this data elsewhere for further decryption? I've tried rotating into a key, using it as the hash, etc etc. But I must be missing some key component.

This is my first RE project. Definitely exciting to be on to something. I hope I can crack this by the year's end.

sharpe
Administrator
Posts: 21
Post Re: sat0ri RCE challenge/crackme – ten
on: December 22, 2011, 23:02
The routine is loading the bytes, xoring them with 0 and then putting them back just as they were. So as far as decryption goes, all I am getting is a secret pointer to some data?

This is a very simple decryption routine, using a one byte key. Due to the fact that it's just one byte, there are only 255 possibilities. Here you can brute it, which shouldn't take you too long, even if you have to try all keys starting with 01 (which you won't). When you have decrypted the code you will be able to see what happens then.
There are only 16 bytes to be decrypted. Try copying the bytes out and putting them into cryptool.

This is my first RE project. Definitely exciting to be on to something. I hope I can crack this by the year's end.

You're doing great, keep going!

Fearlock
Newbie
Posts: 11
Post Re: sat0ri RCE challenge/crackme – ten
on: December 23, 2011, 00:45

ohhhh ok! Thanks! When I took a crack at this 2 months ago I planned to brute the entire thing. I don't think I would ever have thought to brute this small embedded routine tho :<

Fearlock
Newbie
Posts: 11
Post Re: sat0ri RCE challenge/crackme – ten
on: December 30, 2011, 00:01

Hello again,

I wrote a really small bruteforce tool for the hidden decryption routine. I verified its outputs against cryptool and ran through all 255 possibilities but nothing stood out to me.

I think I have confused myself with this mini routine because you had mentioned that decrypting this data would point out what the nerf dart# was. Maybe I am expecting too much of an obvious answer and obfuscating the bigger picture.

I'm thinking that the nerf dart# is in the tray icon. so I'm going to go ahead and use that number against all 255 outputs of the routine to test my md5.

Fearlock
Newbie
Posts: 11
Post Re: sat0ri RCE challenge/crackme – ten
on: January 9, 2012, 06:19
.386
.model flat, stdcall
option casemap:none
ExitProcess PROTO STDCALL :DWORD
includelib kernel32.lib

.data
	; the 16 encrypted bytes copied out of the challenge binary
	ciphertext db    000h,010h,0aeh,
                         010h,010h,010h,
                         010h,0a9h,010h,
                         012h,010h,010h,
                         09ah,014h,021h,024h
.data?
	buffer db 16 DUP(?)	; holds the plaintext for the key currently in bl
	hfile db 8 DUP(?)

.code
	start:	

	main:
		xor ebx,ebx		; bl = candidate key, starting at 00h
		inckey:
		mov esi, offset ciphertext
		mov ecx, 0fh		; index of the last byte: the 16 bytes live at [esi+0]..[esi+0fh]
		dcrypt:
		mov al, byte ptr [esi+ecx]
		xor al,bl		; one-byte XOR with the candidate key
		push esi
		mov esi, offset buffer
		mov byte ptr [esi+ecx],al
		pop esi
		dec ecx
		cmp ecx,00h
		jge dcrypt		; loop until index 0 has been processed
		; buffer now holds the 16 decrypted bytes for key bl;
		; dump or inspect it here, it is overwritten on the next key
		inc bl			; next key; wraps back to 00h after 0ffh
		jnz inckey		; all 256 keys tried once bl wraps to zero
		push 0
		call ExitProcess
	end start

would this be sufficient to decrypt the hidden stuff and bring me to the next step?
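The same single-byte XOR brute force sharpe describes, written as an added Python example (not code from the thread or from the challenge); it uses the 16 bytes from the post above, decrypts them under every one-byte key, and ranks the candidates by how much printable ASCII they contain so the likeliest outputs are inspected first. The printable score is an assumed heuristic; if the plaintext is code rather than text, dump every candidate and inspect them as hex instead.

```python
import string

# The 16 encrypted bytes Fearlock copied out of the challenge (taken from the post above).
CIPHERTEXT = bytes([
    0x00, 0x10, 0xae, 0x10, 0x10, 0x10, 0x10, 0xa9,
    0x10, 0x12, 0x10, 0x10, 0x9a, 0x14, 0x21, 0x24,
])

PRINTABLE = set(string.printable.encode())


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def brute_force(data: bytes) -> dict[int, bytes]:
    """Try every one-byte key. Key 0x00 is the identity, so 255 keys actually change the data."""
    return {key: xor_single_byte(data, key) for key in range(256)}


def printable_score(candidate: bytes) -> float:
    """Fraction of bytes that are printable ASCII (assumed heuristic; only meaningful for text plaintext)."""
    return sum(b in PRINTABLE for b in candidate) / len(candidate)


def ranked_candidates(data: bytes, top: int = 5) -> list[tuple[int, bytes, float]]:
    """Rank all 256 keys by printable score, best first; ties are broken by the smaller key."""
    rows = [(key, pt, printable_score(pt)) for key, pt in brute_force(data).items()]
    rows.sort(key=lambda row: (-row[2], row[0]))
    return rows[:top]


def hexdump(candidate: bytes) -> str:
    """Render a candidate as space-separated hex, the form you would paste into a disassembler."""
    return " ".join(f"{b:02x}" for b in candidate)


if __name__ == "__main__":
    for key, plaintext, score in ranked_candidates(CIPHERTEXT):
        print(f"key {key:02x}  score {score:.2f}  {hexdump(plaintext)}")
```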
