14 replies to this topic

[kuupa]

Just a simple example of loading a PE file in fasm. Could be a crypter/packer if you added code to handle TLS callbacks and the decryption. Supports SEH. Also, left reloc code in there but it's not used.

As of now it just loads test.exe from its .rdata section into the .bss and runs it, overlaying headers, just a simple hello world message box.

Please Login or Register to see this Hidden Content

Password to archive is the name of this obfuscated std c function:

Please Login or Register to see this Hidden Content

[Hess]

You could do it harder next time , so , man has to compile project and then sees the password !

[kuupa]

Hess, on 26 Jan 2014 - 02:27 AM, said:

You could do it harder next time , so , man has to compile project and then sees the password !

Lol I think this is plenty hard. Has anyone managed to find the password?

[d3m]

Is this obfuscated code of MessageBox api ?

Please Login or Register to see this Hidden Content

Btw i like your obfuscator... Any ideas to sell it?

[kuupa]

d3m, on 28 Jan 2014 - 8:01 PM, said:

Is this obfuscated code of MessageBox api ?
[...]
Btw i like your obfuscator... Any ideas to sell it?

Naw, it's my own implementation of a standard c library function, so not MessageBox (WinAPI). Not a code obfuscator, just handwritten.

Standard c library is fairly small, if you cannot solve this it is not for you.

[BullDog]

Removed unrelated posts.

Also, if you are not able to find the password to the archive on your own: this is not for you.

[IamLupo]

Like i am running your code and see that this is a function  with one parameter. This parameter has 0x3FF possibilities. What i understand that you generate the position to the C lib code. But i don't have any input value. And i don't want to bruteforce,.. like it looks like you give me not enough data.

 

Second post:

What i understand that this function with input_X generete Output_Y.

And the same input_X with a unknown C lib function generate output_Y.

 

Like what i know is that input has 1024 possibilities and the function has 1 argument.

[Tigerass]

I even bruteforced the input Value and didnt't get any closer than you. eax is always zero for all possibilities?

Sure the function works? I'm guessing on something like islower, isdigit, isalnum.

 

This is plenty hard!

Unfortunately I'm an ASM beginner and havent enough time for a completely Analysis.

But its a nice riddle.

[kuupa]

IamLupo, on 29 Jan 2014 - 10:24 AM, said:

Like i am running your code and see that this is a function  with one parameter. This parameter has 0x3FF possibilities. What i understand that you generate the position to the C lib code. But i don't have any input value. And i don't want to bruteforce,.. like it looks like you give me not enough data.
 
Second post:
What i understand that this function with input_X generete Output_Y.
And the same input_X with a unknown C lib function generate output_Y.
 
Like what i know is that input has 1024 possibilities and the function has 1 argument.

It is the name of a function. Try representing it in a higher level language, that will help you figure out what it is actually doing.

Since I have been asked for hint by multiple people, I will give one. Please do not pm me asking for help. This is NOT the disassembly of a function, it's a handwritten obfuscation that produces the same output as a c standard library function.

Hint: why are the shl and shr instructions are at the beginning of the function.

[Hess]

Now kuupa , next step , before this gets solved , obuscate this already obfuscated code and double password length !!!! DOn't let this get solved for at least 6 months !!!!

[Tigerass]

• xor edx, edx          ;edx=0
• mov eax, [esp+4]  ;eax=arg0
• shl eax, $16         
• shr eax, $16         ;zero everything except the first 10 bit? you unsettle me with you hint
• test al, $40           ;7th bit set? but why this test?
• and ecx, edx         ;because edx=0 ecx always will be zero and the zero flag always will be set
• cmovnz edx, eax   ;so this is irrelevant?

I will give this a try later. Thats not my level.

[BullDog]

Do not post the password if you found it!

 

If kuupa wanted every idiot to download/leech this, he would've posted the password in plaintext himself.

Please think before you post!

 

// corresponding post removed

[kuupa]

Tigerass, on 31 Jan 2014 - 08:54 AM, said:

• xor edx, edx          ;edx=0
• mov eax, [esp+4]  ;eax=arg0
• shl eax, $16         
• shr eax, $16         ;zero everything except the first 10 bit? you unsettle me with you hint
• test al, $40           ;7th bit set? but why this test?
• and ecx, edx         ;because edx=0 ecx always will be zero and the zero flag always will be set
• cmovnz edx, eax   ;so this is irrelevant?

I will give this a try later. Thats not my level.

My apologies, the test al, $40 and and ecx, edx lines should be reversed. Flags should correspond to test. This is what I get for not debugging all possible solutions and not keeping a consistent base in all the constants.

[Hess]

kuupa , mission accomplished , I told You to do it harder !

[Jochen]

Download link is dead. Does anyone still have the file ?  I wanted to ask Kuupa if he could reupload but (Last Active Apr 27 2014 11:04 PM.)