From 23125c60af0e666cf1c10be77dfc83221d3dd105 Mon Sep 17 00:00:00 2001 From: John W Date: Sat, 11 Mar 2017 20:30:25 -0600 Subject: [PATCH] Added the morphing problem Along with all of its generation script stuff... --- self-modifier/b0.bin | Bin 0 -> 512 bytes self-modifier/b1.bin | Bin 0 -> 512 bytes self-modifier/b2.bin | Bin 0 -> 512 bytes self-modifier/b3.bin | Bin 0 -> 512 bytes self-modifier/b4.bin | 1 + self-modifier/base_block.asm | 5 + self-modifier/base_block.bin | Bin 0 -> 512 bytes self-modifier/build.py | 90 ++++++++++++++++ self-modifier/char.inc | 84 +++++++++++++++ self-modifier/description.md | 2 + self-modifier/first.asm | 140 ++++++++++++++++++++++++ self-modifier/first.bin | Bin 0 -> 512 bytes self-modifier/fourth.asm | 167 +++++++++++++++++++++++++++++ self-modifier/fourth.bin | Bin 0 -> 512 bytes self-modifier/grader.py | 13 +++ self-modifier/last.asm | 37 +++++++ self-modifier/last.bin | Bin 0 -> 512 bytes self-modifier/morpher.asm | 109 +++++++++++++++++++ self-modifier/morpher.exe | Bin 0 -> 4608 bytes self-modifier/morpher.template.asm | 103 ++++++++++++++++++ self-modifier/out.txt | 39 +++++++ self-modifier/problem.yml | 7 ++ self-modifier/second.asm | 120 +++++++++++++++++++++ self-modifier/second.bin | Bin 0 -> 512 bytes self-modifier/std.inc | 32 ++++++ self-modifier/third.asm | 110 +++++++++++++++++++ self-modifier/third.bin | Bin 0 -> 512 bytes 27 files changed, 1059 insertions(+) create mode 100644 self-modifier/b0.bin create mode 100644 self-modifier/b1.bin create mode 100644 self-modifier/b2.bin create mode 100644 self-modifier/b3.bin create mode 100644 self-modifier/b4.bin create mode 100644 self-modifier/base_block.asm create mode 100644 self-modifier/base_block.bin create mode 100644 self-modifier/build.py create mode 100644 self-modifier/char.inc create mode 100644 self-modifier/description.md create mode 100644 self-modifier/first.asm create mode 100644 self-modifier/first.bin create mode 100644 self-modifier/fourth.asm create mode 100644 self-modifier/fourth.bin create mode 100644 self-modifier/grader.py create mode 100644 self-modifier/last.asm create mode 100644 self-modifier/last.bin create mode 100644 self-modifier/morpher.asm create mode 100644 self-modifier/morpher.exe create mode 100644 self-modifier/morpher.template.asm create mode 100644 self-modifier/out.txt create mode 100644 self-modifier/problem.yml create mode 100644 self-modifier/second.asm create mode 100644 self-modifier/second.bin create mode 100644 self-modifier/std.inc create mode 100644 self-modifier/third.asm create mode 100644 self-modifier/third.bin diff --git a/self-modifier/b0.bin b/self-modifier/b0.bin new file mode 100644 index 0000000000000000000000000000000000000000..3014467ff8c146632feb6515044e3f8d3b62ec7f GIT binary patch literal 512 zcmWFz4ee*^?)=Tk#U1-euIGxV@@1Df-`uB02~CihFo8=^QK{&*>C(pvg^Slp>FDWi zzH4>BI)4MBrKQzLV;w8$vrIuJTy}-c3d!B!662Y5W=iD37{1$eVG)rlLRjZ;b4|)C zPIq{r>i#%$YW2oKuetS!W#Kw)mAc=iRaMuh^c385xOT0qYkKn^6t-&n;-2WGA6ImKi`l$XFBIQO}-j=S^H>rXM1yC?5jKX?qB`hSidXh;WdqfoV#z|zSGIdIK6qv z%*oTb=iHh%sdIL(LTOf-N_uihjb=(+Vt#h5l%SCCkx=78iJgBs@3<6ZF}V4Lv-kwD zX>8uSX>y5Ult8F^T$r?(xrL>bm7SfHm7ANFm!F@Pmz!HuR9swC6oOw>RaaM4h2W#h nL-ZdzcIwo*bEi%nJ9g{Vy?eKAA^5+3{rmUp7lMy2PbK>Scogwp literal 0 HcmV?d00001 diff --git a/self-modifier/b1.bin b/self-modifier/b1.bin new file mode 100644 index 0000000000000000000000000000000000000000..21c4f15ec7e7b1d729e457fad0cd3d45bea26a08 GIT binary patch literal 512 zcmZR*CGkCo;q3QrhX0O>RyH4DF`T$V|3N^na4YMs-agST=D>CDJ@3u+yj{@X{G_+9 z=nco`CdsC~jDi0j1g3=RXB3JPEAw7_?Db<}WH`I8o8kZLxCDC#&MP|w`F8RBd&+QN zdEkEmzIL8V5qxFx7o?fbFfi~xZ(1$g&Ctth$WY=Uws*qLBem(iFHNH3Lhlr*FFKdN z^-c4``ofoqj8%O%;sqk(PZ*rFU@GO`!N_npe6<;yKf4HDlw0ZyW7Cq1$K3p~0;&J= z!Ym%ECw^8qqf(NyO4OH=Sv*Rfl}nmYKvI@JM2t&9gp*55#J$XoEry}#H)A!&J~j?c zt`nLSeEb4}LXNR6|2{r{_SDHI#Q*!>dw1{Dmgb-Td+q9#GM#^=h7U77nAAqP$4WYf zc*;fwm?UbOr> yzH;@-^+3FQ=kA^Rff&xedHd#lAb$Sx^~?7_{QT$dpZ|dv&WFmw)uZdDpZx&%yaay$ literal 0 HcmV?d00001 diff --git a/self-modifier/b3.bin b/self-modifier/b3.bin new file mode 100644 index 0000000000000000000000000000000000000000..2269674a29beb3b44425502e14e7852ce2c14f35 GIT binary patch literal 512 zcmdlpUnJ*^Rp$Fl)BBl5T5InnRoFA^zw5^o$ZN;*t(0r_?JEZY0=8_A?{%*2d_DKD zXlT*Ax+5Hsm*a1In0xx<;UEV7Z2>QY8FZP>_U4Kynp*6)iZ6Y0c#%nTTxi^~p2Xj3 z%|D;lDmM3|ge+mn{Lt&n(exvBGn2}P6)_Q!v1cBdr-iQ%P&#U<$iTp`?Qm)pM``x~ zug|s3D{O5U{tHa?Ib1DSmU6_t;Ngc!dFcf$U4I{UWhUk<-&b zwT-Q~5}%%tTB>WMyN9QQw~w!%Utn-xI1tA}Y5&6F!g3(4htmG&@*6jA+z!P1q4fES fmoHui;`>ng{KwB9zXS1qD2*YHrXRz6I@k{Y8ukaa literal 0 HcmV?d00001 diff --git a/self-modifier/b4.bin b/self-modifier/b4.bin new file mode 100644 index 0000000..52ab988 --- /dev/null +++ b/self-modifier/b4.bin @@ -0,0 +1 @@ +w;$n6i2*lu e5ry i riZ?{ hp00$ flgk5.NÓ)WLL$rr] U)xrLOM\(l%w8trrq"j9M889:<=>GGGiHqJKLNOP%Y\_μZ[\bcdghiklmb+{(>E|Q zGBzQN=`{l zOV7y6%FfBn%P%M_DlRE4E3c@ms;;T6t8Zv*YHn$5Ywzgn>h9_7>z^=j(&Q;qr%j(R zbJpxRbLY)puyE1hB}NRWEt>3V5)8;K(w{73CbJy-Yd-v@>aPZLKBS()N zKXLNZ=`&}~oxgDL(&Z~xuU)@!^VaPo;%Tz5np>)8{W= VzkUDl^Vjb`fB*ewU>xE82LR%G{{a91 literal 0 HcmV?d00001 diff --git a/self-modifier/build.py b/self-modifier/build.py new file mode 100644 index 0000000..fd7dd56 --- /dev/null +++ b/self-modifier/build.py @@ -0,0 +1,90 @@ +import subprocess +# Build a self-modifying thinga-ma-jig + +def run_command(cmd): + proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, + stderr=subprocess.PIPE, stdin=subprocess.PIPE) + stdoutput = proc.stdout.read() + proc.stderr.read() + return stdoutput + +def build_bin(name): + print(run_command('fasm %s.asm' % name)) + +def create_xor_block(last_shellcode_block, next_shellcode_block): + block = bytearray(b'') + for x in range(0, len(last_shellcode_block)): # each shellcode block should be 512 bytes + block.append((last_shellcode_block[x]) ^ (next_shellcode_block[x])) + return bytes(block) + +def get_shellcode_block(name): + build_bin(name) + f = open('%s.bin' % name, 'rb') + out = f.read() + f.close() + return out + +shellcode_files = ['first', 'second', 'third', 'fourth', 'last'] +shellcode_blocks = [get_shellcode_block('base_block')] +morpher_file = 'morpher' +morpher_template = 'morpher.template.asm' + +xor_blocks = [] +xor_block_files = [] + +def build_shellcode_files(): + for x in shellcode_files: + shellcode_blocks.append(get_shellcode_block(x)) + +def gen_xor_blocks(): + for x in range(0, len(shellcode_files)): + xor_block = create_xor_block(shellcode_blocks[x], shellcode_blocks[x+1]) + xor_blocks.append(xor_block) + f = open('b%d.bin' % x, 'wb') + f.write(xor_block) + f.close() + xor_block_files.append('b%d.bin' % x) + + +def create_morpher_file(): + _mrph = 'file \'base_block.bin\'\n' + _data = '' + _block_list = '' + + for x in xor_block_files: + _data += '%s: file \'%s\'\n' % (x, x) + _block_list += '%s, ' % x + + _data += 'block_ptrs dd %s0' % _block_list + + f = open(morpher_template, 'rb') + template = f.read().decode('utf-8') + f.close() + result = template % (_mrph, _data) + f = open('%s.asm' % morpher_file, 'wb') + f.write(result.encode('utf-8')) + f.close() + + +# The morpher has 3 sections, modifiable code, static code (morphing), data +# Modifiable code will be where each shellcode segment is done +# Static code has the morpher that sets up each shellcode segment +# Data has the XOR block pointers and indicies for the ones to use in order +# Begins by the morpher creating the first shellcode block, setting it up, then running it +# continues until the final block that will print the flag +# Kinda like a binary bomb but in one binary + +# On entrance to each shellcode segment the ebx register will be a vtable of std funcs +# printf +# puts +# scanf +# esi contains the base address of the shellcode segment +# edi contains the address of the part of the flag that this segment fills +# edx contains the number of the block + +build_shellcode_files() +gen_xor_blocks() +create_morpher_file() +build_bin(morpher_file) + +#print(create_xor_block(b'123', b'321')) +#print(get_shellcode_block('shellcode')) diff --git a/self-modifier/char.inc b/self-modifier/char.inc new file mode 100644 index 0000000..024ef9f --- /dev/null +++ b/self-modifier/char.inc @@ -0,0 +1,84 @@ +;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Character defines + NULL equ 0x00 + BELL equ 0x07 + BSPC equ 0x08 + TAB equ 0x09 + ENDL equ 0x0A + CRET equ 0x0D + + CHAR_0 equ 0x30 + CHAR_1 equ 0x31 + CHAR_2 equ 0x32 + CHAR_3 equ 0x33 + CHAR_4 equ 0x34 + CHAR_5 equ 0x35 + CHAR_6 equ 0x36 + CHAR_7 equ 0x37 + CHAR_8 equ 0x38 + CHAR_9 equ 0x39 + CHAR_A equ 0x41 + CHAR_B equ 0x42 + CHAR_C equ 0x43 + CHAR_D equ 0x44 + CHAR_E equ 0x45 + CHAR_F equ 0x46 + CHAR_G equ 0x47 + CHAR_H equ 0x48 + CHAR_I equ 0x49 + CHAR_J equ 0x4a + CHAR_K equ 0x4b + CHAR_L equ 0x4c + CHAR_M equ 0x4d + CHAR_N equ 0x4e + CHAR_O equ 0x4f + CHAR_P equ 0x50 + CHAR_Q equ 0x51 + CHAR_R equ 0x52 + CHAR_S equ 0x53 + CHAR_T equ 0x54 + CHAR_U equ 0x55 + CHAR_V equ 0x56 + CHAR_W equ 0x57 + CHAR_X equ 0x58 + CHAR_Y equ 0x59 + CHAR_Z equ 0x5a + CHAR_a equ 0x61 + CHAR_b equ 0x62 + CHAR_c equ 0x63 + CHAR_d equ 0x64 + CHAR_e equ 0x65 + CHAR_f equ 0x66 + CHAR_g equ 0x67 + CHAR_h equ 0x68 + CHAR_i equ 0x69 + CHAR_j equ 0x6a + CHAR_k equ 0x6b + CHAR_l equ 0x6c + CHAR_m equ 0x6d + CHAR_n equ 0x6e + CHAR_o equ 0x6f + CHAR_p equ 0x70 + CHAR_q equ 0x71 + CHAR_r equ 0x72 + CHAR_s equ 0x73 + CHAR_t equ 0x74 + CHAR_u equ 0x75 + CHAR_v equ 0x76 + CHAR_w equ 0x77 + CHAR_x equ 0x78 + CHAR_y equ 0x79 + CHAR_z equ 0x7a +;;;;;;;;;;;;;;;;;;;;;;;;;;; + +macro resv c_size +{ + db c_size dup (0) +} + +macro resv_stuff c_size +{ + repeat c_size + db % and 0xff + end repeat +} diff --git a/self-modifier/description.md b/self-modifier/description.md new file mode 100644 index 0000000..bb9b86f --- /dev/null +++ b/self-modifier/description.md @@ -0,0 +1,2 @@ +Welcome to the RE training course, this problem has 4 phases. Solve all four to get the flag. +[Download](${morpher_exe}) \ No newline at end of file diff --git a/self-modifier/first.asm b/self-modifier/first.asm new file mode 100644 index 0000000..b3f2be6 --- /dev/null +++ b/self-modifier/first.asm @@ -0,0 +1,140 @@ +format binary +use32 +include 'std.inc' + +; On entrance to each shellcode segment the ebx register will be a vtable of std funcs +; printf +; puts +; scanf +; sin +; cos +; tan +; asin +; acos +; atan +; malloc +; free +; esi contains the base address of the shellcode segment +; edi contains the address of the part of the flag that this segment fills +; edx contains the number of the block + +start: + push edx + push edi + push esi + + mov eax, dword [ebx] + lea ecx, [esi + base_txt] + push ecx + call dword [eax] + add esp, 4 + + xor eax, eax + push eax + mov eax, esp + push eax + + lea eax, [ebx + 8] + mov eax, dword [eax] + lea ecx, [esi+scanf_txt] + push ecx + call dword [eax] + add esp, 8 + + ; inputt'd float is now on top of the stack + pop eax + mov dword [esi+temp_val], eax + + sub esp, 8 + cvtss2sd xmm0, dword [esi+temp_val] + movsd qword [esp], xmm0 + + ; call cos + lea eax, [ebx + 0x10] + mov eax, dword [eax] + call dword [eax] + + fstp qword [esp] + movsd xmm0, qword [esp] + add esp, 8 + cvtss2sd xmm1, dword [esi+c_val] + mulsd xmm0, xmm1 + push ebp + push ebp + movsd qword [esp], xmm0 + + ; call atan + lea eax, [ebx + 0x20] + mov eax, dword [eax] + call dword [eax] + + fstp qword [esp] + movsd xmm0, qword [esp] + pop eax + cvtss2sd xmm1, dword [esi+b_val] + pop ecx + mulsd xmm0, xmm1 + push esp + push ebp + movsd qword [esp], xmm0 + + ; call sin + lea eax, [ebx + 0xc] + mov eax, dword [eax] + call dword [eax] + + fstp qword [esp] + cvtss2sd xmm1, dword [esi+a_val] + movsd xmm0, qword [esp] + mulsd xmm0, xmm1 + + movsd qword [esp], xmm0 + cvtsd2ss xmm0, qword [esp] + pop eax + movss dword [esp], xmm0 + pop eax + + pop esi + push esi + + cmp eax, dword [esi+final_val] + jnz trash + lea ecx, [esi+right_txt] + jmp past_trash +trash: + lea ecx, [esi+wrong_txt] + ; Make this so it crashes badly + inc esp +past_trash: + push ecx + lea eax, [ebx + 0x4] + mov eax, dword [eax] + call dword [eax] + pop ebp + + pop esi + pop edi + pop edx + + mov eax, dword [esi+temp_val] + ; 0x61375a7b = little endian of '{Z7a' + ; 0x61375a7b ^ 0x3fab396d which is the value of the correct input 1.33769 + ; is equal to 0x5e9c6316 + xor eax, 0x5e9c6316 + mov dword [edi], eax + xor eax, eax + mov dword [esi+temp_val], eax + + retn + +b_val dd 0x4039999a +base_txt db 'Please enter the best number', ENDL, 0 +a_val dd 0x40d00000 +scanf_txt db '%f', 0 +final_val dd 0xc092e6a0 +right_txt db 'You got it!', 0 +c_val dd 0xbf99999a +wrong_txt db 'You dumb.', 0 +temp_val dd 0 + +resv_stuff 512-$ diff --git a/self-modifier/first.bin b/self-modifier/first.bin new file mode 100644 index 0000000000000000000000000000000000000000..990c9b17f10b2cddb3ceda809ed422ddc4c82875 GIT binary patch literal 512 zcmWFv59?;`?fcBYz!3Ofp!o=k;emk82LZj#9Ni4PeWHv|VUCE-HZvfn`3=Ws{wOf> z6TcvfO0Tm(H^YB{yD}=D_yt&0nvZ~_`!s+mKk-K%3=M@UQb1M|0aEfFXkjEsO$ba4 z4^$0ERuF6e&_Iw1uo<8DqgYgcI)QdZ#D!V6NdQ%pa`g7e0O{B4y?r`B+9j~pnFVA@ zY+QU)H`tM;V##yjI@t{mK%9Sg)=W!>fSlCC;#7syypq%+g_4X^g{0Kt5{10d+@#bZ zE}*k6IH;yEEO<8QKxBTYLVA9QLS~5~!>pMz_k;K;KxKMBMGOp#Ow25-Z0sDIT--do zeEb4}Lc$`VV&W2#QqnTAa`Fm_O3Es#YU&!ATG~3gdin;2M#d(lX66=_R@OGQcJ>aA zPR=f_ZtfnQUfw>we*OW0LBS!RVc`*xQPD9#4DTVIr$DxCI6nhJDbs5KkmA0- zKoN*~m%~9oc03U4GWnI}CZ!ft*@L<5AYo?JQU(xXCJ?8xhK6=N2DA$TZ3*I?0OAsEkgD!!Aa{I!)CqRaVUWaaAg<-@ z_GJJm=K}FwfqPshPQj zrIodft)0Dtqm#3XtDC!rrnub+QFU{G*KXjpheWK?uaY+QUoVp4KSYFc_mW>$7i zZeD&tVNr2OX<2ziWmR=eZC!msV^ecWYg>CqXIFPmZ(sj}iIXNznL2IyjG41$&zU=K z{(^;z7B5-4Z25|nt5&aByKeo4jhi-a*}84}j-9)9@7cR=|AB*t4j(ys?D&b3r%snAuU@}-`|kaRkDopR0PTXgm;e9( literal 0 HcmV?d00001 diff --git a/self-modifier/grader.py b/self-modifier/grader.py new file mode 100644 index 0000000..f744df0 --- /dev/null +++ b/self-modifier/grader.py @@ -0,0 +1,13 @@ +def grade(random, key): + if key.find("Z7a_ok_qfme_xt") != -1: + return True, "Correct!" + incorrect_txt = 'Wrong. ' + if key.find("Z7a") == -1: + incorrect_txt += "Phase 1 failed. " + if key.find("_ok_") == -1: + incorrect_txt += "Phase 2 failed. " + if key.find("qfme") == -1: + incorrect_txt += "Phase 3 failed. " + if key.find("_xt") == -1: + incorrect_txt += "Phase 4 failed. " + return False, incorrect_txt diff --git a/self-modifier/last.asm b/self-modifier/last.asm new file mode 100644 index 0000000..2b8311f --- /dev/null +++ b/self-modifier/last.asm @@ -0,0 +1,37 @@ +format binary +use32 +include 'std.inc' + +; On entrance to each shellcode segment the ebx register will be a vtable of std funcs +; printf +; puts +; scanf +; sin +; cos +; tan +; asin +; acos +; atan +; malloc +; free +; esi contains the base address of the shellcode segment +; edi contains the address of the part of the flag that this segment fills +; edx contains the number of the block + +jmp start + +output_text db 'Assuming you got every challenge right here is the flag: %s', ENDL, 0 + +start: + shl edx, 2 + sub edi, edx + push edi + mov eax, dword [ebx] + lea ecx, [esi + output_text] + push ecx + call dword [eax] + add esp, 8 + + ret + +resv_stuff 512-$ diff --git a/self-modifier/last.bin b/self-modifier/last.bin new file mode 100644 index 0000000000000000000000000000000000000000..a86c5becb6e6c6b15541067867ab853fdb84de02 GIT binary patch literal 512 zcmaED>sVY|nwy!Iu27j@s*s*vqL5maT2!f!oROH5lbV;Fs!)`fo>8KZky@0hkXfuy zl98&AmXnxnrJ!2O#c=QuljimCZsuM;rojIK%||#6Gcqx=u(GjpaB^|;@bd8s2nq>{ zh>D3zNJ>e|$jZqpC@LwdsH&-JXliNe=<4Yk7#bOyn3|beSXx=z*xK1UI667IxVpJ} zczSvJ`1<(=1O^3%gocGjL`Fr&#Ky%ZBqk-Nq^6~3WM*aOYz*tlu)maW^i@7TF(_ny7`_8&NS=aq_n*K2{xb|Q{{sLsDcSn~ literal 0 HcmV?d00001 diff --git a/self-modifier/morpher.asm b/self-modifier/morpher.asm new file mode 100644 index 0000000..d9150d7 --- /dev/null +++ b/self-modifier/morpher.asm @@ -0,0 +1,109 @@ +format PE console +entry start +include 'C:\\Projects/asm/INCLUDE/win32a.inc' +include 'C:\\Projects/asm/std.inc' + +section '.mrph' code readable executable writeable +mrph: + +file 'base_block.bin' + + +section '.stat' code readable executable + +data import + library msvcrt, 'msvcrt.dll' + import msvcrt, \ + printf , 'printf', \ + puts , 'puts', \ + scanf , 'scanf', \ + sin , 'sin', \ + cos , 'cos', \ + tan , 'tan', \ + asin , 'asin', \ + acos , 'acos', \ + atan , 'atan', \ + malloc , 'malloc', \ + free , 'free', \ + getchar , 'getchar' +end data + +do_morph: + push ebp + mov eax, 1 + mov edx, dword [num_block] + lea ecx, [block_ptrs + 4*edx] + mov ecx, dword [ecx] + + cmp ecx, 0 ; If the block ptr is null return + jz .finish + + inc edx + mov dword [num_block], edx + lea edx, [ecx+512] + mov edi, mrph + +.mod: + cmp ecx, edx + jz .finish + movzx eax, byte [ecx] + movzx ebp, byte [edi] + xor eax, ebp + mov byte [edi], al + inc edi + inc ecx + xor eax, eax + jmp .mod + +.finish: + pop ebp + ret + +; No args, flushes input. +flush_inp: + call [getchar] + cmp eax, -1 + jz .finish + cmp eax, ENDL + jnz flush_inp +.finish: + ret + +; On entrance to each shellcode segment the ebx register will be a vtable of std funcs +; esi contains the base address of the shellcode segment +; edi contains the address of the part of the flag that this segment fills +; edx contains the number of the block +run_morphed: + mov esi, mrph + mov edx, dword [num_block] + dec edx + lea edi, [flag + 4*edx] + mov ebx, func_vtable + call mrph + ret + +start: + call do_morph + cmp eax, 0 + jnz .finish + call run_morphed + call flush_inp + jmp start + +.finish: + ret + +section '.dat' data readable writeable + +num_block dd 0 + +func_vtable dd printf, puts, scanf, sin, cos, tan, asin, acos, atan, malloc, free, 0 + +flag db 64 dup (0) + +b0.bin: file 'b0.bin' +b1.bin: file 'b1.bin' +b2.bin: file 'b2.bin' +b3.bin: file 'b3.bin' +b4.bin: file 'b4.bin' +block_ptrs dd b0.bin, b1.bin, b2.bin, b3.bin, b4.bin, 0 diff --git a/self-modifier/morpher.exe b/self-modifier/morpher.exe new file mode 100644 index 0000000000000000000000000000000000000000..2eaddeaf9e55379fc807c61e34aff2d84b148f62 GIT binary patch literal 4608 zcmd^Cc~q0f7N4*QQIl9jKtw+jRH|$W3Mdi;p-^@SOJoZWAQ(bcWCy`kwonwXDz4bN zucbv)6l~C^2%@-DSp|xK8(7~15h3q>0hQA8dV1dJ>-(ekoZsB}-8*+?@=d<^?scZ8 zA_7840a1`tiVzhiAXHiV`%NmiNpmld(Dy2}+GPZ%T5Zn=mH^}Oqr>@(C@h4*;Y16u zU?#>FaWEDKvvpmEMMZ})4W<%x-p}l|79l5sJSsd{<@4V57?BB+2?TrC6hc!*tx?*b zDF7p!Q%C!9NVa#}B9Dl;8r?Y9vm0?62p)su!^km;n{dGpdME4rwT(d(pBsTM344|8 z57#)x35L*P1A&ks1lwl(T)-e3gFlyXf*}-S5Gosna`4B1KO_9PDFMa_6`{&;RMsWP z$tx%-O;T1NPM$KAM5avpWcm!%nQH19vovRG&6$g7&zrBKyI|oWy-yb}(Kj$OGG4mO z#B})zGjofTt1MSrQLWe5*sis+|IEShb0=pPS2uT$b)GaYZy#U!dO!bwz#v9&NGLNb zJc1RufgQz(=JNOgp(ti!Y+QUoVp4KS>ZY{x&0l=EB_lH{J4c-RRo>QZ`2~gBzuvKP zSJCc0d-v@>P<-&4Zx0gJy&-A!o~7Smn$l-{3xlqdhH+A zZ&cr`sl8Qq`%eAcd-osw^zczbV^ecW>*Kcej-NZ9banSUefIpt%ig|Mzr6nEzxoH> z489$DH#{OmfA`;Sf_?l)EP{T-IR4RtP?R7hgfBD*WwR054Py=gP60{*<$xan*8#Ty z4*`z>PXWIGaQSay5aRM#9AOw9&lL#;xE8>zf*S-Z4zwZBxKYT!`;1W&VvHIQW7LeI z7;JWQ2n;}Bd?pju;Y?vj1cQ%gW%x^#t%{7ONIa!bXhB8UD(QnrxL{4@sBtU)x>X33RNOt8xQ!zS zr*`Ywcd!Z*&hi}hq%dNnk>>4|t&3fovqTEzD7-m|-*+64V~r%34~3 z2^evl?pIy3#5@wRC(B4N+E5TQtv~GnR{DPz6K$3SK4vS zY$Tp)jD)r`FXf%DN(y)GFtPV$a~}p$d;_l=)tbqP$Z*|D zypJzea-B4TM7Lw^SY|4W=$K5_qA;Z#FSCw?jMrF=j*xv!)mcSejXqbAs7at`Xpuc< z64hs@5NFP?kFitoLuo^V1m(+0kTG4?il#?wK|*Uf~nctz+6LkzRruwl+3ON&*y5dtz-m+0ZU-Zu~s z&f36=2872Y#H9c}@G<}4qsNb)1{^+r@q7i~1Ao-`s1?xF^Q@;A&^0(TCzD7F!G3PR>SdY2`G0z{IXKn|RW!TExldg^rC&rWYP?tJ=Jx%$K(S3y=CeH# zRT_V9a+R|0-N1)^dv4y4cp!4ATlaLNFIOv$nyGDSR$&n+dM+u(&p+T$4r6FR`e0X* zc6v^z=Qj$hKCz8*+8h58Ii0>Eem=hbHEk=xyidE$yK1ft-?CB(GhSJgUFrBbDgB70 zC6ZDKog@hwF`-pf+_t`LoN(^utl^F<7K45G5-&EUEI1J*k~16>vllD1quY=%KY@&y zqd0572W6|4-@yF=cuns>#=PD{Z(PPqn)g0qR+~pMSh|3@HV!gobv$EsabM@|4G0|5 zt~>#6BOql=yH50 zxJdHb<@7SVv*q_YIq7WUKPlzEBltrRvk8hAnlikS8E_<7P{i=HoLslPbI$i$bb_67 zT6g0^Ga;YPo3|s5K30aosGod5s; literal 0 HcmV?d00001 diff --git a/self-modifier/morpher.template.asm b/self-modifier/morpher.template.asm new file mode 100644 index 0000000..6b0a9e6 --- /dev/null +++ b/self-modifier/morpher.template.asm @@ -0,0 +1,103 @@ +format PE console +entry start +include 'C:\\Projects/asm/INCLUDE/win32a.inc' +include 'C:\\Projects/asm/std.inc' + +section '.mrph' code readable executable writeable +mrph: + +%s + +section '.stat' code readable executable + +data import + library msvcrt, 'msvcrt.dll' + import msvcrt, \ + printf , 'printf', \ + puts , 'puts', \ + scanf , 'scanf', \ + sin , 'sin', \ + cos , 'cos', \ + tan , 'tan', \ + asin , 'asin', \ + acos , 'acos', \ + atan , 'atan', \ + malloc , 'malloc', \ + free , 'free', \ + getchar , 'getchar' +end data + +do_morph: + push ebp + mov eax, 1 + mov edx, dword [num_block] + lea ecx, [block_ptrs + 4*edx] + mov ecx, dword [ecx] + + cmp ecx, 0 ; If the block ptr is null return + jz .finish + + inc edx + mov dword [num_block], edx + lea edx, [ecx+512] + mov edi, mrph + +.mod: + cmp ecx, edx + jz .finish + movzx eax, byte [ecx] + movzx ebp, byte [edi] + xor eax, ebp + mov byte [edi], al + inc edi + inc ecx + xor eax, eax + jmp .mod + +.finish: + pop ebp + ret + +; No args, flushes input. +flush_inp: + call [getchar] + cmp eax, -1 + jz .finish + cmp eax, ENDL + jnz flush_inp +.finish: + ret + +; On entrance to each shellcode segment the ebx register will be a vtable of std funcs +; esi contains the base address of the shellcode segment +; edi contains the address of the part of the flag that this segment fills +; edx contains the number of the block +run_morphed: + mov esi, mrph + mov edx, dword [num_block] + dec edx + lea edi, [flag + 4*edx] + mov ebx, func_vtable + call mrph + ret + +start: + call do_morph + cmp eax, 0 + jnz .finish + call run_morphed + call flush_inp + jmp start + +.finish: + ret + +section '.dat' data readable writeable + +num_block dd 0 + +func_vtable dd printf, puts, scanf, sin, cos, tan, asin, acos, atan, malloc, free, 0 + +flag db 64 dup (0) + +%s diff --git a/self-modifier/out.txt b/self-modifier/out.txt new file mode 100644 index 0000000..485cc33 --- /dev/null +++ b/self-modifier/out.txt @@ -0,0 +1,39 @@ +1 +1 +3 +5 +9 +17 +31 +57 +105 +193 +355 +653 +1201 +2209 +4063 +7473 +13745 +25281 +46499 +85525 +157305 +289329 +532159 +978793 +1800281 +3311233 +6090307 +11201821 +20603361 +37895489 +69700671 +128199521 +235795681 +433695873 +797691075 +1467182629 +2698569577 +668475985 +539260895 diff --git a/self-modifier/problem.yml b/self-modifier/problem.yml new file mode 100644 index 0000000..32f222b --- /dev/null +++ b/self-modifier/problem.yml @@ -0,0 +1,7 @@ +title: Morphin +category: Reverse Engineering +value: 450 +author: r3ndom +autogen: false +files: + - morpher.exe \ No newline at end of file diff --git a/self-modifier/second.asm b/self-modifier/second.asm new file mode 100644 index 0000000..553dc2a --- /dev/null +++ b/self-modifier/second.asm @@ -0,0 +1,120 @@ +format binary +use32 +include 'std.inc' + +; On entrance to each shellcode segment the ebx register will be a vtable of std funcs +; printf +; puts +; scanf +; sin +; cos +; tan +; asin +; acos +; atan +; malloc +; free +; esi contains the base address of the shellcode segment +; edi contains the address of the part of the flag that this segment fills +; edx contains the number of the block + + push edi + + lea ecx, [esi+pattern_text] + push ecx + lea eax, [ebx + 0x4] + mov eax, dword [eax] + call dword [eax] + pop ebp + + mov ecx, 0 +printLoop: + push ecx + call adv_fib + push eax + lea ecx, [esi + format_text] + mov eax, dword [ebx] + push ecx + call dword [eax] + pop ecx + pop ebp + pop ecx + inc ecx + cmp ecx, 6 + jnz printLoop + + lea ecx, [esi+empty_text] + lea eax, [ebx + 0x4] + mov eax, dword [eax] + push ecx + call dword [eax] + pop ebp + + + lea ecx, [esi+inputVal] + push ecx + lea eax, [ebx + 8] + mov eax, dword [eax] + lea ecx, [esi+unsignFmt] + push ecx + call dword [eax] + add esp, 8 + + mov ecx, dword [esi+inputVal] + pop edi + ; 433695873 is the answer + ; (struct.unpack('i_%9Ht&=~zx9=0&sQBY;AWa}}I6Nb< zL?N?Sp(G4AmYSelxb zoNCXYnxeqa{FAAkcLyWLFx679p+TO3FP{DX|35MS$hZq(ytoRaqZluM&|wCT{DM@4 z%KTD=^n9T0B??8E=@})83PGvGr8y;53el>?v0My{Ow25-Z0sDIT--doeEb4}Lc$`V zV&W2#QqnTAa`Fm_O3Es#YU&!ATG~3gdin;2M#d(lX66=_R@OGQcJ>aAPR=f_ZtfnQ zUfw>we*OW0LBS!RVc`*xQPDB6aq$U>Ny#axY3Ui6S=l+cdHDr}Ma3nhW#tu>Rn;}M zb@dI6P0cN>ZS5VMUEMvsef<+APMSPr>a^)IX3m;DXYRcD3l=U~ykzOJ$dGXcJA7}XYaoK2M!)OeB|h{<0np@I(_Esx$_q;Ub=kc>b2`PZr-|m U=kC4x4<0^x{N(Ag=PzCY0BhsX7XSbN literal 0 HcmV?d00001 diff --git a/self-modifier/std.inc b/self-modifier/std.inc new file mode 100644 index 0000000..4e57c54 --- /dev/null +++ b/self-modifier/std.inc @@ -0,0 +1,32 @@ +;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Standard Includes of my +; code +include 'char.inc' + +;;;;;;;;;;;;;;;;;;;;;;;;;;; +; File descriptor macros + STDIN equ 0 + STDOUT equ 1 + STDERR equ 2 +;;;;;;;;;;;;;;;;;;;;;;;;;;; + + +; Standard prologue of a function +macro prologue +{ + push ebp + mov ebp, esp +} + +; Standard epilogue of a function +macro epilogue +{ + mov esp, ebp + pop ebp +} + +; Allocates space on the stack for something +macro local_alloc size +{ + sub esp,size +} \ No newline at end of file diff --git a/self-modifier/third.asm b/self-modifier/third.asm new file mode 100644 index 0000000..378c1c8 --- /dev/null +++ b/self-modifier/third.asm @@ -0,0 +1,110 @@ +format binary +use32 +include 'std.inc' + +; On entrance to each shellcode segment the ebx register will be a vtable of std funcs +; printf +; puts +; scanf +; sin +; cos +; tan +; asin +; acos +; atan +; malloc +; free +; esi contains the base address of the shellcode segment +; edi contains the address of the part of the flag that this segment fills +; edx contains the number of the block + +jmp start + +startup_text db 'What did you say?',0 + +start: + push edi + + lea ecx, [esi+startup_text] + push ecx + lea eax, [ebx + 0x4] + mov eax, dword [eax] + call dword [eax] + pop ebp + + xor eax, eax + push eax + push eax + mov eax, esp + push eax + + lea eax, [ebx + 8] + mov eax, dword [eax] + lea ecx, [esi+scanf_text] + push ecx + call dword [eax] + add esp, 8 + + pop ecx + pop eax + pop edi + + mov dword [edi], ecx + + lea edx, [esi+to_match] + +.check: + movzx ecx, byte [edi] + call check_char + cmp eax, 0 + jz idiot + + inc edi + inc edx + cmp byte [edx], 0 + jnz .check + + ret + +scanf_text db '%4[^',ENDL,']' + +; ecx = input'd char +; edx = ptr to char to match +check_char: + cmp ecx, CHAR_a ; 97 + jl fail + cmp ecx, 126 + jge fail + + sub ecx, CHAR_a ; 97 + add ecx, esi + lea ecx, [ecx + alphabet] + movzx eax, byte [ecx] + cmp byte [edx], al + jnz fail + + mov eax, 1 + ret + +idiot_text db 'Wrong...', 0 + +fail: + mov eax, 0 + ret + +to_match db 'ezpr', 0 + +idiot: + lea ecx, [esi+idiot_text] + push ecx + lea eax, [ebx + 0x4] + mov eax, dword [eax] + call dword [eax] + pop ebp + dec esp + ret + +alphabet db '{m}krzyjfwngpshteoialduqxvcb|', 0 +; abcdefghijklmnopqrstuvwxyz{|} +; flag is "qfme" +resv_stuff 512-$ diff --git a/self-modifier/third.bin b/self-modifier/third.bin new file mode 100644 index 0000000000000000000000000000000000000000..6835669ba0a110de8be980384f1a1724e1b6f1ef GIT binary patch literal 512 zcmaDY6rPb-qL7lAqEMM%s!*I*Y0nVe>&Fz>>&(*4@LwR-@IXL7=YxP=XO3=$Uca!w z{{qcNI3gqBJNbL3^)fIp@NeUPAq=FOe=wA|xH~miF_gYJtZEV+#}(WBGqFak`Db0N zV)M&H#*e+73&83bEtpFAcQ69khr^5V^V0S7^cZ#kc?^eBs|t#Mmej#5_c>ghTbo@} zRhgAmo|j%woKcdRpP87GQd(G1mYh_>z{teR!pg?Z!O6wV!^_7nASfg(A}S^>At@y- zBP%Dbps1v*qN=8@p{b>IRvK4a#r*>mR3o4;V;qQy&=E?d50<*LVdJLF zTefc7zGLUE-Fx=#+kfETp~FXx9y@;GWe&gn?+js8XyZ_+f pqsLF4K70P+<*V0k-oAVP;p3;zU%r0({^RGb-+%u8`%eY`0|02b%)9^q literal 0 HcmV?d00001