mirror of
https://github.com/dirtbags/moth.git
synced 2025-01-24 07:45:12 -07:00
53 lines
2.6 KiB
Markdown
53 lines
2.6 KiB
Markdown
You are doing a forensics evaluation of a linux box that you know has
|
|
been compromised. You find a binary on the system and assume it was
|
|
used by the attackers to hide data on box that that was exfiltrated.
|
|
You dissamble the file and find the x86 assembly shown below (from Ida)
|
|
- this function was used for obfuscation. You also find a file
|
|
obfuscated by this tool. Using the key you find in this encoder code
|
|
what is the unobfuscated first line of the file which starts with
|
|
|
|
8%%>p2pzpzp8%%>pe8%%>pe(#$e(+9"
|
|
|
|
HINT: The function was orginally defined as void convert_buf(unsigned
|
|
char * buf, int len).
|
|
|
|
.text:08048474 ; =============== S U B R O U T I N E =======================================
|
|
.text:08048474
|
|
.text:08048474 ; Attributes: bp-based frame
|
|
.text:08048474
|
|
.text:08048474 public convert_buf
|
|
.text:08048474 convert_buf proc near ; CODE XREF: main+B2p
|
|
.text:08048474
|
|
.text:08048474 cnt = dword ptr -4
|
|
.text:08048474 buf = dword ptr 8
|
|
.text:08048474 len = dword ptr 0Ch
|
|
.text:08048474
|
|
.text:08048474 push ebp
|
|
.text:08048475 mov ebp, esp
|
|
.text:08048477 sub esp, 10h
|
|
.text:0804847A mov [ebp+cnt], 0
|
|
.text:08048481 mov [ebp+cnt], 0
|
|
.text:08048488 jmp short loc_80484A4
|
|
.text:0804848A ; ---------------------------------------------------------------------------
|
|
.text:0804848A
|
|
.text:0804848A loc_804848A: ; CODE XREF: convert_buf+36j
|
|
.text:0804848A mov eax, [ebp+cnt]
|
|
.text:0804848D mov edx, eax
|
|
.text:0804848F add edx, [ebp+buf]
|
|
.text:08048492 mov eax, [ebp+cnt]
|
|
.text:08048495 add eax, [ebp+buf]
|
|
.text:08048498 movzx eax, byte ptr [eax]
|
|
.text:0804849B xor eax, 4Ah
|
|
.text:0804849E mov [edx], al
|
|
.text:080484A0 add [ebp+cnt], 1
|
|
.text:080484A4
|
|
.text:080484A4 loc_80484A4: ; CODE XREF: convert_buf+14j
|
|
.text:080484A4 mov eax, [ebp+cnt]
|
|
.text:080484A7 cmp eax, [ebp+len]
|
|
.text:080484AA jl short loc_804848A
|
|
.text:080484AC leave
|
|
.text:080484AD retn
|
|
.text:080484AD convert_buf endp
|
|
.text:080484AD
|
|
.text:080484AE
|
|
|