XR3X

Jump to content


Photo

[FASM] PE loader

source

  • You cannot start a new topic
  • Please log in to reply
14 replies to this topic

#1 kuupa

kuupa

    Member

  • Members +
  • 35 posts

Posted 26 January 2014 - 01:27 AM

Just a simple example of loading a PE file in fasm. Could be a crypter/packer if you added code to handle TLS callbacks and the decryption. Supports SEH. Also, left reloc code in there but it's not used.

As of now it just loads test.exe from its .rdata section into the .bss and runs it, overlaying headers, just a simple hello world message box.

Please Login or Register to see this Hidden Content



Password to archive is the name of this obfuscated std c function:

Please Login or Register to see this Hidden Content


  • Jochen, x58, Cypher and 3 others like this

The surest way to corrupt a youth is to instruct him to hold in higher esteem those who think alike than those who think differently.


#2 Hess

Hess

    Intelligence Service

  • Loyalist
  • 3,953 posts
  • LocationBelgrade
Contributor

Posted 26 January 2014 - 03:27 AM

You could do it harder next time , so , man has to compile project and then sees the password ! :P :D


  • kuupa likes this

#3 kuupa

kuupa

    Member

  • Members +
  • 35 posts

Posted 27 January 2014 - 04:03 AM

You could do it harder next time , so , man has to compile project and then sees the password ! :P :D

Lol I think this is plenty hard. Has anyone managed to find the password?
  • Hess likes this

The surest way to corrupt a youth is to instruct him to hold in higher esteem those who think alike than those who think differently.


#4 d3m

d3m

    Intermediate Member

  • Loyalist
  • 260 posts

Posted 28 January 2014 - 09:01 PM

Is this obfuscated code of MessageBox api ?

Please Login or Register to see this Hidden Content

Btw i like your obfuscator... Any ideas to sell it?


  • Hess likes this

#5 kuupa

kuupa

    Member

  • Members +
  • 35 posts

Posted 29 January 2014 - 07:39 AM

Is this obfuscated code of MessageBox api ?
[...]
Btw i like your obfuscator... Any ideas to sell it?

Naw, it's my own implementation of a standard c library function, so not MessageBox (WinAPI). Not a code obfuscator, just handwritten.

Standard c library is fairly small, if you cannot solve this it is not for you.
  • Hess likes this

The surest way to corrupt a youth is to instruct him to hold in higher esteem those who think alike than those who think differently.


#6 BullDog

BullDog

    Advanced Member

  • Administrators
  • 396 posts

Posted 29 January 2014 - 09:43 AM

Removed unrelated posts.

Also, if you are not able to find the password to the archive on your own: this is not for you.


  • x58, Hess and Rottweiler like this

#7 IamLupo

IamLupo

    Intermediate Member

  • Administrators
  • 198 posts
Contributor

Posted 29 January 2014 - 11:24 AM

Like i am running your code and see that this is a function  with one parameter. This parameter has 0x3FF possibilities. What i understand that you generate the position to the C lib code. But i don't have any input value. And i don't want to bruteforce,.. like it looks like you give me not enough data.

 

Second post:

What i understand that this function with input_X generete Output_Y.

And the same input_X with a unknown C lib function generate output_Y.

 

Like what i know is that input has 1024 possibilities and the function has 1 argument.


  • Hess likes this

#8 Tigerass

Tigerass

    Member

  • Loyalist
  • 709 posts
  • LocationNorthern Syria
Contributor

Posted 30 January 2014 - 03:00 PM

I even bruteforced the input Value and didnt't get any closer than you. eax is always zero for all possibilities?

Sure the function works? I'm guessing on something like islower, isdigit, isalnum.

 

This is plenty hard! :D

Unfortunately I'm an ASM beginner and havent enough time for a completely Analysis.

But its a nice riddle.


  • Hess likes this

#9 kuupa

kuupa

    Member

  • Members +
  • 35 posts

Posted 31 January 2014 - 01:41 AM

Like i am running your code and see that this is a function  with one parameter. This parameter has 0x3FF possibilities. What i understand that you generate the position to the C lib code. But i don't have any input value. And i don't want to bruteforce,.. like it looks like you give me not enough data.
 
Second post:
What i understand that this function with input_X generete Output_Y.
And the same input_X with a unknown C lib function generate output_Y.
 
Like what i know is that input has 1024 possibilities and the function has 1 argument.

It is the name of a function. Try representing it in a higher level language, that will help you figure out what it is actually doing.

Since I have been asked for hint by multiple people, I will give one. Please do not pm me asking for help. This is NOT the disassembly of a function, it's a handwritten obfuscation that produces the same output as a c standard library function.

Hint: why are the shl and shr instructions are at the beginning of the function.
  • Hess likes this

The surest way to corrupt a youth is to instruct him to hold in higher esteem those who think alike than those who think differently.


#10 Hess

Hess

    Intelligence Service

  • Loyalist
  • 3,953 posts
  • LocationBelgrade
Contributor

Posted 31 January 2014 - 06:59 AM

Now kuupa , next step , before this gets solved , obuscate this already obfuscated code and double password length !!!! :P :D DOn't let this get solved for at least 6 months !!!! :P :D


  • kuupa likes this

#11 Tigerass

Tigerass

    Member

  • Loyalist
  • 709 posts
  • LocationNorthern Syria
Contributor

Posted 31 January 2014 - 09:54 AM

  • xor edx, edx          ;edx=0
  • mov eax, [esp+4]  ;eax=arg0
  • shl eax, $16         
  • shr eax, $16         ;zero everything except the first 10 bit? you unsettle me with you hint :D
  • test al, $40           ;7th bit set? but why this test?
  • and ecx, edx         ;because edx=0 ecx always will be zero and the zero flag always will be set
  • cmovnz edx, eax   ;so this is irrelevant?

I will give this a try later. Thats not my level.


  • x58 and Hess like this

#12 BullDog

BullDog

    Advanced Member

  • Administrators
  • 396 posts

Posted 31 January 2014 - 11:37 AM

Do not post the password if you found it!

 

If kuupa wanted every idiot to download/leech this, he would've posted the password in plaintext himself.

Please think before you post!

 

// corresponding post removed


  • x58, Hess and kuupa like this

#13 kuupa

kuupa

    Member

  • Members +
  • 35 posts

Posted 01 February 2014 - 12:47 AM

  • xor edx, edx          ;edx=0
  • mov eax, [esp+4]  ;eax=arg0
  • shl eax, $16         
  • shr eax, $16         ;zero everything except the first 10 bit? you unsettle me with you hint :D
  • test al, $40           ;7th bit set? but why this test?
  • and ecx, edx         ;because edx=0 ecx always will be zero and the zero flag always will be set
  • cmovnz edx, eax   ;so this is irrelevant?
I will give this a try later. Thats not my level.

My apologies, the test al, $40 and and ecx, edx lines should be reversed. Flags should correspond to test. This is what I get for not debugging all possible solutions and not keeping a consistent base in all the constants.
  • Hess and Tigerass like this

The surest way to corrupt a youth is to instruct him to hold in higher esteem those who think alike than those who think differently.


#14 Hess

Hess

    Intelligence Service

  • Loyalist
  • 3,953 posts
  • LocationBelgrade
Contributor

Posted 01 February 2014 - 01:51 AM

kuupa , mission accomplished , I told You to do it harder ! :P :D


  • kuupa likes this

#15 Jochen

Jochen

    Intermediate Member

  • Notorious
  • 149 posts
Contributor

Posted 01 September 2014 - 08:20 PM

Download link is dead. Does anyone still have the file ?  I wanted to ask Kuupa if he could reupload but (Last Active Apr 27 2014 11:04 PM.)


  • x58 likes this



Also tagged with one or more of these keywords: source