moth/packages/compaq/50/index.mdwn

You are doing a forensics evaluation of a linux box that you know has
been compromised.  You find a binary on the system and assume it was
used by the attackers to hide data on box that they were going to
exfiltrate.  You dissamble the file and find the following lines of x86
assembly - this function was used to encode a buffer in place to
obfuscate a file.  What is the 1 byte key used to obfuscate the data (in
hex)?

HINT: The function was orginally defined as void convert_buf(unsigned
char * buf, int len).  You can solve this puzzle by writing some code,
or by using some of the advanced functions of some of the hex editors
out there.

    .text:08048474 ; =============== S U B R O U T I N E =======================================
    .text:08048474
    .text:08048474 ; Attributes: bp-based frame
    .text:08048474
    .text:08048474                 public convert_buf
    .text:08048474 convert_buf     proc near               ; CODE XREF: main+B2p
    .text:08048474
    .text:08048474 cnt             = dword ptr -4
    .text:08048474 buf             = dword ptr  8
    .text:08048474 len             = dword ptr  0Ch
    .text:08048474
    .text:08048474                 push    ebp
    .text:08048475                 mov     ebp, esp
    .text:08048477                 sub     esp, 10h
    .text:0804847A                 mov     [ebp+cnt], 0
    .text:08048481                 mov     [ebp+cnt], 0
    .text:08048488                 jmp     short loc_80484A4
    .text:0804848A ; ---------------------------------------------------------------------------
    .text:0804848A
    .text:0804848A loc_804848A:                            ; CODE XREF: convert_buf+36j
    .text:0804848A                 mov     eax, [ebp+cnt]
    .text:0804848D                 mov     edx, eax
    .text:0804848F                 add     edx, [ebp+buf]
    .text:08048492                 mov     eax, [ebp+cnt]
    .text:08048495                 add     eax, [ebp+buf]
    .text:08048498                 movzx   eax, byte ptr [eax]
    .text:0804849B                 xor     eax, 4Ch
    .text:0804849E                 mov     [edx], al
    .text:080484A0                 add     [ebp+cnt], 1
    .text:080484A4
    .text:080484A4 loc_80484A4:                            ; CODE XREF: convert_buf+14j
    .text:080484A4                 mov     eax, [ebp+cnt]
    .text:080484A7                 cmp     eax, [ebp+len]
    .text:080484AA                 jl      short loc_804848A
    .text:080484AC                 leave
    .text:080484AD                 retn
    .text:080484AD convert_buf     endp
    .text:080484AD
    .text:080484AE
Add in puzzles Also, modularize the build. This is now a single project for all CTF packages. 2010-09-24 17:24:43 -06:00			`You are doing a forensics evaluation of a linux box that you know has`
			`been compromised. You find a binary on the system and assume it was`
			`used by the attackers to hide data on box that they were going to`
			`exfiltrate. You dissamble the file and find the following lines of x86`
			`assembly - this function was used to encode a buffer in place to`
			`obfuscate a file. What is the 1 byte key used to obfuscate the data (in`
			`hex)?`

			`HINT: The function was orginally defined as void convert_buf(unsigned`
			`char * buf, int len). You can solve this puzzle by writing some code,`
			`or by using some of the advanced functions of some of the hex editors`
			`out there.`

			`.text:08048474 ; =============== S U B R O U T I N E =======================================`
			`.text:08048474`
			`.text:08048474 ; Attributes: bp-based frame`
			`.text:08048474`
			`.text:08048474 public convert_buf`
			`.text:08048474 convert_buf proc near ; CODE XREF: main+B2p`
			`.text:08048474`
			`.text:08048474 cnt = dword ptr -4`
			`.text:08048474 buf = dword ptr 8`
			`.text:08048474 len = dword ptr 0Ch`
			`.text:08048474`
			`.text:08048474 push ebp`
			`.text:08048475 mov ebp, esp`
			`.text:08048477 sub esp, 10h`
			`.text:0804847A mov [ebp+cnt], 0`
			`.text:08048481 mov [ebp+cnt], 0`
			`.text:08048488 jmp short loc_80484A4`
			`.text:0804848A ; ---------------------------------------------------------------------------`
			`.text:0804848A`
			`.text:0804848A loc_804848A: ; CODE XREF: convert_buf+36j`
			`.text:0804848A mov eax, [ebp+cnt]`
			`.text:0804848D mov edx, eax`
			`.text:0804848F add edx, [ebp+buf]`
			`.text:08048492 mov eax, [ebp+cnt]`
			`.text:08048495 add eax, [ebp+buf]`
			`.text:08048498 movzx eax, byte ptr [eax]`
			`.text:0804849B xor eax, 4Ch`
			`.text:0804849E mov [edx], al`
			`.text:080484A0 add [ebp+cnt], 1`
			`.text:080484A4`
			`.text:080484A4 loc_80484A4: ; CODE XREF: convert_buf+14j`
			`.text:080484A4 mov eax, [ebp+cnt]`
			`.text:080484A7 cmp eax, [ebp+len]`
			`.text:080484AA jl short loc_804848A`
			`.text:080484AC leave`
			`.text:080484AD retn`
			`.text:080484AD convert_buf endp`
			`.text:080484AD`
			`.text:080484AE`