nullkal/seccamp_2014-7.cpp

## seccamp_2014-7.cpp
#include <stdio.h>

char buf[] = {
	0x2A, 0x37, 0x74, 0x35, 0x7C, 0x2E, 0x67, 0x3E, 0x77, 0x3C, 0x62, 0x24, 0x3E, 0x2E,
	0x2E, 0x66, 0x3D, 0x7D, 0x3E, 0x25, 0x2F, 0x31, 0x31, 0x35, 0x3F, 0x48, 0x2F, 0x53,
	0x54, 0x55, 0x56, 0x54, 0x37, 0x5E, 0x5D, 0x33, 0x42, 0x1D, 0x64, 0x9 , 0x70, 0xFF,
	0xFF, 0xFF, 0xFF, 0xFF
};
char key[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

void print_stat()
{
	for (int i = 0; i < 46; ++i)
	{
		printf("%02hhx ", buf[i]);
	}
	printf("\n");
}

int main(int ac, char* av[])
{
	int a, b, c;

	print_stat();
	__asm {
		push  ebp
		mov  ebp, esp
		push  ecx
		push  ebx
		push  esi
		push  edi

		mov  esi, 1
		mov  edi, 2
		mov  ebx, 3
		mov  eax, 5
		xor  ecx, ecx
		sub  esi, offset buf
		sub  edi, offset buf
		sub  ebx, offset buf
		sub  eax, offset buf
		mov  dword ptr[ebp - 4], eax
		jmp  LABEL1
		lea  esp, [esp]

	LABEL1:
		lea  eax, buf[esi + ecx]
			and  eax, 3Fh
		movzx  edx, byte ptr key[eax]
		xor  byte ptr buf[ecx], dl
		lea  eax, buf[edi + ecx]
		and  eax, 3Fh
		movzx  edx, byte ptr key[eax]
		xor  byte ptr buf + 1[ecx], dl
		mov  eax, 0AAAAAAABh
		mul  ecx
		shr  edx, 1
		lea  eax, [edx + edx * 2]
		mov  edx, ecx
		sub  edx, eax
		jne  LABEL2
		lea  eax, buf[ebx + ecx]
		and  eax, 3Fh
		mov  dl, byte ptr key[eax]
		xor  byte ptr buf + 2[ecx], dl

	LABEL2 :
		mov  eax, 0CCCCCCCDh
		mul  ecx
		shr  edx, 2
		lea  eax, [edx + edx * 4]
		mov  edx, ecx
		sub  edx, eax
		jne  LABEL3
		mov  eax, dword ptr[ebp - 4]
		lea  edx, buf[eax + ecx]
		and  edx, 3Fh
		mov  al, byte ptr key[edx]
		xor  byte ptr buf + 5[ecx], al

	LABEL3 :
		add  ecx, 2

		push  esi
		push  edi
		push  ebx
		push  eax
		push  ecx
		call print_stat
		pop  ecx
		pop  eax
		pop  ebx
		pop  edi
		pop  esi

		cmp  ecx, 29h
		jb  LABEL1

		pop  edi
		pop  esi
		mov  byte ptr[buf + 29h], 0
		mov  eax, offset buf
		pop  ebx
		mov  esp, ebp
		pop  ebp
	}

	printf("%s\n", buf);
	getchar();
	return 0;
}
	#include <stdio.h>

	char buf[] = {
	0x2A, 0x37, 0x74, 0x35, 0x7C, 0x2E, 0x67, 0x3E, 0x77, 0x3C, 0x62, 0x24, 0x3E, 0x2E,
	0x2E, 0x66, 0x3D, 0x7D, 0x3E, 0x25, 0x2F, 0x31, 0x31, 0x35, 0x3F, 0x48, 0x2F, 0x53,
	0x54, 0x55, 0x56, 0x54, 0x37, 0x5E, 0x5D, 0x33, 0x42, 0x1D, 0x64, 0x9 , 0x70, 0xFF,
	0xFF, 0xFF, 0xFF, 0xFF
	};
	char key[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

	void print_stat()
	{
	for (int i = 0; i < 46; ++i)
	{
	printf("%02hhx ", buf[i]);
	}
	printf("\n");
	}

	int main(int ac, char* av[])
	{
	int a, b, c;

	print_stat();
	__asm {
	push ebp
	mov ebp, esp
	push ecx
	push ebx
	push esi
	push edi

	mov esi, 1
	mov edi, 2
	mov ebx, 3
	mov eax, 5
	xor ecx, ecx
	sub esi, offset buf
	sub edi, offset buf
	sub ebx, offset buf
	sub eax, offset buf
	mov dword ptr[ebp - 4], eax
	jmp LABEL1
	lea esp, [esp]

	LABEL1:
	lea eax, buf[esi + ecx]
	and eax, 3Fh
	movzx edx, byte ptr key[eax]
	xor byte ptr buf[ecx], dl
	lea eax, buf[edi + ecx]
	and eax, 3Fh
	movzx edx, byte ptr key[eax]
	xor byte ptr buf + 1[ecx], dl
	mov eax, 0AAAAAAABh
	mul ecx
	shr edx, 1
	lea eax, [edx + edx * 2]
	mov edx, ecx
	sub edx, eax
	jne LABEL2
	lea eax, buf[ebx + ecx]
	and eax, 3Fh
	mov dl, byte ptr key[eax]
	xor byte ptr buf + 2[ecx], dl

	LABEL2 :
	mov eax, 0CCCCCCCDh
	mul ecx
	shr edx, 2
	lea eax, [edx + edx * 4]
	mov edx, ecx
	sub edx, eax
	jne LABEL3
	mov eax, dword ptr[ebp - 4]
	lea edx, buf[eax + ecx]
	and edx, 3Fh
	mov al, byte ptr key[edx]
	xor byte ptr buf + 5[ecx], al

	LABEL3 :
	add ecx, 2

	push esi
	push edi
	push ebx
	push eax
	push ecx
	call print_stat
	pop ecx
	pop eax
	pop ebx
	pop edi
	pop esi

	cmp ecx, 29h
	jb LABEL1

	pop edi
	pop esi
	mov byte ptr[buf + 29h], 0
	mov eax, offset buf
	pop ebx
	mov esp, ebp
	pop ebp
	}

	printf("%s\n", buf);
	getchar();
	return 0;
	}