@radekk
Created January 3, 2017 15:32
It's a decoder for the SANS Hack Challenge 2016, described on my blog - https://vulnsec.com/
<?php
// elf@ca1f5b6bc249:~$ objdump -M intel -d ./wumpus | grep "<kill_wump>:" -A 134 | grep movzx
// 40266b: 0f b6 50 09 movzx edx,BYTE PTR [rax+0x9]
// 402684: 0f b6 40 0e movzx eax,BYTE PTR [rax+0xe]
// 402699: 0f b6 40 37 movzx eax,BYTE PTR [rax+0x37]
// 4026ae: 0f b6 40 12 movzx eax,BYTE PTR [rax+0x12]
// 4026c3: 0f b6 40 1d movzx eax,BYTE PTR [rax+0x1d]
// 4026d8: 0f b6 40 04 movzx eax,BYTE PTR [rax+0x4]
// 4026ed: 0f b6 40 16 movzx eax,BYTE PTR [rax+0x16]
// 402702: 0f b6 40 0e movzx eax,BYTE PTR [rax+0xe]
// 402717: 0f b6 40 2e movzx eax,BYTE PTR [rax+0x2e]
// 40272c: 0f b6 40 07 movzx eax,BYTE PTR [rax+0x7]
// 402741: 0f b6 40 49 movzx eax,BYTE PTR [rax+0x49]
// 402756: 0f b6 40 07 movzx eax,BYTE PTR [rax+0x7]
// 40276b: 0f b6 40 04 movzx eax,BYTE PTR [rax+0x4]
// 402780: 0f b6 40 07 movzx eax,BYTE PTR [rax+0x7]
// 402795: 0f b6 40 03 movzx eax,BYTE PTR [rax+0x3]
// 4027aa: 0f b6 40 0d movzx eax,BYTE PTR [rax+0xd]
// 4027bf: 0f b6 40 0e movzx eax,BYTE PTR [rax+0xe]
// 4027d4: 0f b6 40 06 movzx eax,BYTE PTR [rax+0x6]
// 4027e9: 0f b6 00 movzx eax,BYTE PTR [rax]
// 4027fd: 0f b6 00 movzx eax,BYTE PTR [rax]
// 402811: 0f b6 40 06 movzx eax,BYTE PTR [rax+0x6]
// 402826: 0f b6 40 0a movzx eax,BYTE PTR [rax+0xa]
// 40283b: 0f b6 40 04 movzx eax,BYTE PTR [rax+0x4]
$charOffset = array(0x09, 0x0e, 0x37, 0x12, 0x1d, 0x04, 0x16, 0x0e, 0x2e, 0x07, 0x49, 0x07, 0x04, 0x07, 0x03, 0x0D, 0x0E, 0x06, 0x00, 0x00, 0x06, 0x0A, 0x04);
// array(m0, m1, m2, ...)
// $variableAddresses = array(605120, 605128, 605130, 605118, 605138, 605140, 605148);
// > objdump -s -j .data ./wumpus
// 6050e8 00000000 00000000 00000000 00000000 ................
// 6050f8 ffffffff ffffffff 01000000 03000000 ................
// 605108 03000000 14000000 03000000 05000000 ................
// 605118 58294000 00000000 70294000 00000000 X)@.....p)@.....
// 605128 bd294000 00000000 d8294000 00000000 .)@......)@.....
// 605138 082a4000 00000000 602a4000 00000000 .*@.....`*@.....
// 605148 b82a4000 00000000 02000000 .*@.........
// array(^--- [$variableAddresses[i]])
$variableValuesAddresses = array(0x00402970, 0x004029bd, 0x004029d8, 0x00402958, 0x00402a08, 0x00402a60, 0x00402ab8);
// elf@ca1f5b6bc249:~$ objdump -M intel -d ./wumpus | grep "<kill_wump>:" -A 134 | grep "<m.>" | sed 's/^.*<m//g;s/>//g;' | tr '\n' ' '
// 4 5 4 0 6 2 6 1 4 5 5 6 2 4 6 3 3 2 6 0 4 0 6
$variableIndexes = array(4, 5, 4, 0, 6, 2, 6, 1, 4, 5, 5, 6, 2, 4, 6, 3, 3, 2, 6, 0, 4, 0, 6);
/**
 * readelf --string-dump=.rodata ./wumpus
 * .rodata start address = 0x00402950
 */
$dataBaseAddress = 0x00402950;
$dataSection = <<<EOD
[ 8] 0123456789abcdef
[ 20] The sky above the port was the color of television, tuned to a dead channel.
[ 6d] Pattern Recognition.
[ 88] The street finds its own uses for things.
[ b8] When you want to know how things really work, study them when they're coming apart
[ 110] We have no future because our present is too volatile. We have only risk management.
[ 168] Stand high long enough and your lightning will come.
[ 1a0] No self-respecting wumpus would live in such a small cave!^J
[ 1e0] Even wumpii can't furnish caves that large!^J
[ 210] Wumpii like extra doors in their caves!^J
[ 239] a:b:hp:r:t:
[ 248] Too many tunnels! The cave collapsed!^J(Fortunately, the wumpus escaped!)^J
[ 298] The wumpus refused to enter the cave, claiming it was too crowded!^J
[ 2e0] The wumpus refused to enter the cave, claiming it was too dangerous!^J
[ 327] s
[ 331] You're in a cave with %d rooms and %d tunnels leading from each room.^JThere are %d bat%s and %d pit%s scattered throughout the cave, and your^Jquiver holds %d custom super anti-evil Wumpus arrows. Good luck.^J
[ 402] Move or shoot? (m-s)
[ 419] Care to play another game? (y-n)
[ 43b] In the same cave? (y-n)
[ 458] k^M@
[ 462] @
[ 46a] @
[ 472] @
[ 47a] @
[ 482] @
[ 48a] @
[ 492] @
[ 49a] @
[ 4a2] @
[ 4aa] @
[ 4b2] @
[ 4ba] @
[ 4c2] @
[ 4ca] @
[ 4d2] @
[ 4da] @
[ 4e2] @
[ 4ea] @
[ 4f0] E^N@
[ 4f9] You are in room %d of the cave, and have %d arrow%s left.^J
[ 538] *rustle* *rustle* (must be bats nearby)
[ 560] *whoosh* (I feel a draft from some pits).
[ 590] *sniff* (I can smell the evil Wumpus nearby!)
[ 5c0] There are tunnels to rooms %d,
[ 5e0] %d,
[ 5e5] and %d.^J
[ 5ee] Que pasa?
[ 5f8] I don't understand!
[ 610] Sorry, but we're constrained to a semi-Euclidean cave!
[ 648] What? The cave surely isn't quite that big!
[ 678] What? The cave isn't that big!
[ 698] To which room do you wish to move?
[ 6bc] *Oof!* (You hit the wall)
[ 6d8] Your colorful comments awaken the wumpus!
[ 702] again
[ 710] *flap* *flap* *flap* (humongous bats pick you up and move you%s!)^J
[ 756] ^I^J
[ 760] The arrow falls to the ground at your feet!
[ 790] The arrow wavers in its flight and and can go no further!
[ 7d0] A faint gleam tells you the arrow has gone through a magic tunnel!
[ 818] *thunk* The arrow can't find a way from %d to %d and flys back into^Jyour room!^J
[ 870] *thunk* The arrow flys randomly into a magic tunnel, thence into^Jroom %d!^J
[ 8c0] *thunk* The arrow can't find a way from %d to %d and flys randomly^Jinto room %d!^J
[ 918] Your bowstring breaks! *twaaaaaang*^JThe arrow is weakly shot and can go no further!
[ 96d] %s
[ 970] I don't understand your answer; please enter 'y' or 'n'!
[ 9a9] Instructions? (y-n)
[ 9be] wump.info
[ 9c8] Sorry, but the instruction file seems to have disappeared in a^Jpuff of greasy black smoke! (poof)
[ a2a] cat
[ a2e] PAGER
[ a34] /usr/bin/less
[ a42] open %s
[ a4a] dup2
[ a4f] -c
[ a52] sh
[ a55] /bin/sh
[ a5d] exec sh -c %s
[ a6b] fork
[ a70] usage: wump [parameters]^J
[ a90] *ROAR* *chomp* *snurfle* *chomp*!^JMuch to the delight of the Wumpus, you walked right into his mouth,^Jmaking you one of the easiest dinners he's ever had! For you, however,^Jit's a rather unpleasant death. The only good thing is that it's been^Jso long since the evil Wumpus cleaned his teeth that you immediately^Jpassed out from the stench!
[ be8] *thwock!* *groan* *crash*^J^JA horrible roar fills the cave, and you realize, with a smile, that you^Jhave slain the evil Wumpus and won the game! You don't want to tarry for^Jlong, however, because not only is the Wumpus famous, but the stench of^Jdead Wumpus is also quite well known, a stench plenty enough to slay the^Jmightiest adventurer at a single whiff!!
[ d50] Passphrase:
[ d61] You turn and look at your quiver, and realize with a sinking feeling^Jthat you've just shot your last arrow (figuratively, too). Sensing this^Jwith its psychic powers, the evil Wumpus rampagees through the cave, finds^Jyou, and with a mighty *ROAR* eats you alive!
[ e69] *Thwack!* A sudden piercing feeling informs you that the ricochet^Jof your wild arrow has resulted in it wedging in your side, causing^Jextreme agony. The evil Wumpus, with its psychic powers, realizes this^Jand immediately rushes to your side, not to help, alas, but to EAT YOU!^J(*CHOMP*)
[ f91] With a jaunty step you enter the magic tunnel. As you do, you^Jnotice that the walls are shimmering and glowing. Suddenly you feel^Ja very curious, warm sensation and find yourself in room %d!!^J
[ 1058] *AAAUUUUGGGGGHHHHHhhhhhhhhhh...*^JThe whistling sound and updraft as you walked into this room of the^Jcave apparently wasn't enough to clue you in to the presence of the^Jbottomless pit. You have a lot of time to reflect on this error as^Jyou fall many miles to the core of the earth. Look on the bright side;^Jyou can at least find out if Jules Verne was right...
[ 11c8] Without conscious thought you grab for the side of the cave and manage^Jto grasp onto a rocky outcrop. Beneath your feet stretches the limitless^Jdepths of a bottomless pit! Rock crumbles beneath your feet!
[ 129f] ?
EOD;
function getCharacterFromDataSection($stringAddr, $data, $charIndex) {
    // Parse the readelf string dump: group 1 = offsets (hex), group 2 = strings.
    // Leading whitespace is optional so the dump parses whether or not the
    // column padding printed by readelf survived.
    preg_match_all('/^\s*\[\s*([a-f0-9]+)\]\s+(.*)$/mi', $data, $result);
    $addresses = $result[1];
    $strings = $result[2];
    $size = count($addresses);
    $a = (int)$stringAddr;
    // Find the entry whose offset range contains the requested .rodata offset.
    for ($i = 0; $i < $size - 1; $i++) {
        $b = hexdec($addresses[$i]);
        $c = hexdec($addresses[$i + 1]);
        if ($a >= $b && $a < $c) {
            // Debug output: the string with the selected character bracketed.
            print sprintf('0x%02X', $a) . "\t" . substr($strings[$i], 0, $charIndex) . '[' . substr($strings[$i], $charIndex, 1) . ']' . substr($strings[$i], $charIndex + 1) . PHP_EOL;
            return substr($strings[$i], $charIndex, 1);
        }
    }
    // return last element
    return $addresses[$size - 1];
}
$password = '';
foreach ($variableIndexes as $i => $idx) {
    $password .= getCharacterFromDataSection($variableValuesAddresses[$idx] - $dataBaseAddress, $dataSection, $charOffset[$i]);
}
print PHP_EOL . "Password is: " . strtoupper($password) . PHP_EOL;
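As an added example (not part of the gist), the same recovery in Python: instead of transcribing the m0..m6 pointers by hand, it parses the `objdump -s -j .data` rows quoted above, loads each pointer as the binary would (little-endian qword), and resolves it against the `readelf --string-dump` entries. The sample dumps are copied from the gist's comments, abridged to the rows that matter; `REFS` and `OFFSETS` are the gist's `$variableIndexes` and `$charOffset`.

```python
import re
import struct
# Sample input copied from the gist's own dumps: the .data rows that hold the
# m0..m6 string pointers, and the seven .rodata strings those pointers reach.
DATA_DUMP = """\
605118 58294000 00000000 70294000 00000000 X)@.....p)@.....
605128 bd294000 00000000 d8294000 00000000 .)@......)@.....
605138 082a4000 00000000 602a4000 00000000 .*@.....`*@.....
605148 b82a4000 00000000 02000000 .*@.........
"""
M_ADDRS = [0x605120, 0x605128, 0x605130, 0x605118, 0x605138, 0x605140, 0x605148]  # m0..m6
RODATA_BASE = 0x402950
RODATA_DUMP = """\
  [     8]  0123456789abcdef
  [    20]  The sky above the port was the color of television, tuned to a dead channel.
  [    6d]  Pattern Recognition.
  [    88]  The street finds its own uses for things.
  [    b8]  When you want to know how things really work, study them when they're coming apart
  [   110]  We have no future because our present is too volatile. We have only risk management.
  [   168]  Stand high long enough and your lightning will come.
"""
# Per compare in kill_wump: which m-variable is dereferenced and which byte is read.
REFS = [4, 5, 4, 0, 6, 2, 6, 1, 4, 5, 5, 6, 2, 4, 6, 3, 3, 2, 6, 0, 4, 0, 6]
OFFSETS = [0x09, 0x0e, 0x37, 0x12, 0x1d, 0x04, 0x16, 0x0e, 0x2e, 0x07, 0x49, 0x07,
           0x04, 0x07, 0x03, 0x0d, 0x0e, 0x06, 0x00, 0x00, 0x06, 0x0a, 0x04]

def parse_objdump_section(dump):
    """Flatten contiguous `objdump -s` rows into (base_address, bytes); ASCII column ignored."""
    base, buf = None, bytearray()
    for row in re.finditer(r"^\s*([0-9a-f]+)((?:\s+[0-9a-f]{2,8}){1,4})", dump, re.M):
        addr = int(row.group(1), 16)
        base = addr if base is None else base
        assert addr == base + len(buf), "rows must be contiguous"
        buf += bytes.fromhex(row.group(2).replace(" ", ""))
    return base, bytes(buf)

def read_qword(mem, base, addr):
    """Little-endian 64-bit load at a virtual address, as the binary itself does."""
    return struct.unpack_from("<Q", mem, addr - base)[0]

def parse_string_dump(dump):
    """Map .rodata offset -> string from `readelf --string-dump` rows."""
    return {int(m.group(1), 16): m.group(2)
            for m in re.finditer(r"^\s*\[\s*([0-9a-f]+)\]\s+(.*)$", dump, re.M)}

def recover_passphrase():
    base, mem = parse_objdump_section(DATA_DUMP)
    strings = parse_string_dump(RODATA_DUMP)
    ptrs = [read_qword(mem, base, a) for a in M_ADDRS]  # m0..m6 -> string address
    return "".join(strings[ptrs[i] - RODATA_BASE][off] for i, off in zip(REFS, OFFSETS)).upper()
```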