A decoder for the wumpus passphrase from the SANS Hack Challenge 2016, described on my blog - https://vulnsec.com/
<?php | |
// Index of the byte that kill_wump() reads out of each .rodata string
// (presumably to compare with the passphrase the player types in).
// kill_wump() fetches every byte with a movzx from a small displacement off
// the string pointer in rax, so the displacements, in the order the loads
// appear, are the character indexes:
//
//   elf@ca1f5b6bc249:~$ objdump -M intel -d ./wumpus | grep "<kill_wump>:" -A 134 | grep movzx
//
//   40266b [rax+0x9]   402684 [rax+0xe]   402699 [rax+0x37]  4026ae [rax+0x12]
//   4026c3 [rax+0x1d]  4026d8 [rax+0x4]   4026ed [rax+0x16]  402702 [rax+0xe]
//   402717 [rax+0x2e]  40272c [rax+0x7]   402741 [rax+0x49]  402756 [rax+0x7]
//   40276b [rax+0x4]   402780 [rax+0x7]   402795 [rax+0x3]   4027aa [rax+0xd]
//   4027bf [rax+0xe]   4027d4 [rax+0x6]   4027e9 [rax]       4027fd [rax]
//   402811 [rax+0x6]   402826 [rax+0xa]   40283b [rax+0x4]
//
// (the first load lands in edx, the rest in eax; only the displacement matters)
$charOffset = [
    0x09, 0x0e, 0x37, 0x12, 0x1d, 0x04, 0x16, 0x0e, 0x2e, 0x07, 0x49, 0x07,
    0x04, 0x07, 0x03, 0x0d, 0x0e, 0x06, 0x00, 0x00, 0x06, 0x0a, 0x04,
];
// kill_wump() reaches its strings through seven global pointers m0..m6.
// Their slots in .data are m0 @ 0x605120, m1 @ 0x605128, m2 @ 0x605130,
// m3 @ 0x605118, m4 @ 0x605138, m5 @ 0x605140 and m6 @ 0x605148; each slot
// holds a little-endian 8-byte pointer into .rodata:
//
//   > objdump -s -j .data ./wumpus
//   6050e8 00000000 00000000 00000000 00000000 ................
//   6050f8 ffffffff ffffffff 01000000 03000000 ................
//   605108 03000000 14000000 03000000 05000000 ................
//   605118 58294000 00000000 70294000 00000000 X)@.....p)@.....
//   605128 bd294000 00000000 d8294000 00000000 .)@......)@.....
//   605138 082a4000 00000000 602a4000 00000000 .*@.....`*@.....
//   605148 b82a4000 00000000 02000000 .*@.........
//
// The decoded pointer values, indexed by m number (m0 first):
$variableValuesAddresses = [
    0x00402970, // m0 @ 0x605120: 70 29 40 00
    0x004029bd, // m1 @ 0x605128: bd 29 40 00
    0x004029d8, // m2 @ 0x605130: d8 29 40 00
    0x00402958, // m3 @ 0x605118: 58 29 40 00
    0x00402a08, // m4 @ 0x605138: 08 2a 40 00
    0x00402a60, // m5 @ 0x605140: 60 2a 40 00
    0x00402ab8, // m6 @ 0x605148: b8 2a 40 00
];
// Which of m0..m6 each of the 23 byte loads in kill_wump() goes through, in
// load order, so that entry i pairs with $charOffset[i]. Extracted from the
// <mN> symbol references in the disassembly:
//
//   elf@ca1f5b6bc249:~$ objdump -M intel -d ./wumpus | grep "<kill_wump>:" -A 134 | grep "<m.>" | sed 's/^.*<m//g;s/>//g;' | tr '\n' ' '
//   4 5 4 0 6 2 6 1 4 5 5 6 2 4 6 3 3 2 6 0 4 0 6
$variableIndexes = [
    4, 5, 4, 0, 6, 2, 6, 1, 4, 5, 5, 6,
    2, 4, 6, 3, 3, 2, 6, 0, 4, 0, 6,
];
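/**
 * .rodata of ./wumpus as printed by
 *
 *   readelf --string-dump=.rodata ./wumpus
 *
 * Each line is "[ <hex offset within .rodata>] <string>". readelf renders
 * control bytes as ^X (e.g. "^J" for a newline), so such a byte counts as two
 * characters in the text below but one byte in the binary.
 *
 * The section starts at 0x00402950 in the binary; a pointer value from
 * $variableValuesAddresses becomes an offset into this dump by subtracting
 * $dataBaseAddress.
 *
 * Two paste artefacts were cleaned out of this dump: the [ 331] string had
 * been wrapped onto a second line, and a copy of the [ 970] line had been
 * inserted between [ 331] and [ 402], which breaks the assumption that
 * offsets increase down the dump. A nowdoc is used so nothing in the dump
 * (a "$" or backslash in another binary's strings, say) can ever be
 * interpolated or unescaped.
 */
$dataBaseAddress = 0x00402950;
$dataSection = <<<'EOD'
[ 8] 0123456789abcdef
[ 20] The sky above the port was the color of television, tuned to a dead channel.
[ 6d] Pattern Recognition.
[ 88] The street finds its own uses for things.
[ b8] When you want to know how things really work, study them when they're coming apart
[ 110] We have no future because our present is too volatile. We have only risk management.
[ 168] Stand high long enough and your lightning will come.
[ 1a0] No self-respecting wumpus would live in such a small cave!^J
[ 1e0] Even wumpii can't furnish caves that large!^J
[ 210] Wumpii like extra doors in their caves!^J
[ 239] a:b:hp:r:t:
[ 248] Too many tunnels! The cave collapsed!^J(Fortunately, the wumpus escaped!)^J
[ 298] The wumpus refused to enter the cave, claiming it was too crowded!^J
[ 2e0] The wumpus refused to enter the cave, claiming it was too dangerous!^J
[ 327] s
[ 331] You're in a cave with %d rooms and %d tunnels leading from each room.^JThere are %d bat%s and %d pit%s scattered throughout the cave, and your^Jquiver holds %d custom super anti-evil Wumpus arrows. Good luck.^J
[ 402] Move or shoot? (m-s)
[ 419] Care to play another game? (y-n)
[ 43b] In the same cave? (y-n)
[ 458] k^M@
[ 462] @
[ 46a] @
[ 472] @
[ 47a] @
[ 482] @
[ 48a] @
[ 492] @
[ 49a] @
[ 4a2] @
[ 4aa] @
[ 4b2] @
[ 4ba] @
[ 4c2] @
[ 4ca] @
[ 4d2] @
[ 4da] @
[ 4e2] @
[ 4ea] @
[ 4f0] E^N@
[ 4f9] You are in room %d of the cave, and have %d arrow%s left.^J
[ 538] *rustle* *rustle* (must be bats nearby)
[ 560] *whoosh* (I feel a draft from some pits).
[ 590] *sniff* (I can smell the evil Wumpus nearby!)
[ 5c0] There are tunnels to rooms %d,
[ 5e0] %d,
[ 5e5] and %d.^J
[ 5ee] Que pasa?
[ 5f8] I don't understand!
[ 610] Sorry, but we're constrained to a semi-Euclidean cave!
[ 648] What? The cave surely isn't quite that big!
[ 678] What? The cave isn't that big!
[ 698] To which room do you wish to move?
[ 6bc] *Oof!* (You hit the wall)
[ 6d8] Your colorful comments awaken the wumpus!
[ 702] again
[ 710] *flap* *flap* *flap* (humongous bats pick you up and move you%s!)^J
[ 756] ^I^J
[ 760] The arrow falls to the ground at your feet!
[ 790] The arrow wavers in its flight and and can go no further!
[ 7d0] A faint gleam tells you the arrow has gone through a magic tunnel!
[ 818] *thunk* The arrow can't find a way from %d to %d and flys back into^Jyour room!^J
[ 870] *thunk* The arrow flys randomly into a magic tunnel, thence into^Jroom %d!^J
[ 8c0] *thunk* The arrow can't find a way from %d to %d and flys randomly^Jinto room %d!^J
[ 918] Your bowstring breaks! *twaaaaaang*^JThe arrow is weakly shot and can go no further!
[ 96d] %s
[ 970] I don't understand your answer; please enter 'y' or 'n'!
[ 9a9] Instructions? (y-n)
[ 9be] wump.info
[ 9c8] Sorry, but the instruction file seems to have disappeared in a^Jpuff of greasy black smoke! (poof)
[ a2a] cat
[ a2e] PAGER
[ a34] /usr/bin/less
[ a42] open %s
[ a4a] dup2
[ a4f] -c
[ a52] sh
[ a55] /bin/sh
[ a5d] exec sh -c %s
[ a6b] fork
[ a70] usage: wump [parameters]^J
[ a90] *ROAR* *chomp* *snurfle* *chomp*!^JMuch to the delight of the Wumpus, you walked right into his mouth,^Jmaking you one of the easiest dinners he's ever had! For you, however,^Jit's a rather unpleasant death. The only good thing is that it's been^Jso long since the evil Wumpus cleaned his teeth that you immediately^Jpassed out from the stench!
[ be8] *thwock!* *groan* *crash*^J^JA horrible roar fills the cave, and you realize, with a smile, that you^Jhave slain the evil Wumpus and won the game! You don't want to tarry for^Jlong, however, because not only is the Wumpus famous, but the stench of^Jdead Wumpus is also quite well known, a stench plenty enough to slay the^Jmightiest adventurer at a single whiff!!
[ d50] Passphrase:
[ d61] You turn and look at your quiver, and realize with a sinking feeling^Jthat you've just shot your last arrow (figuratively, too). Sensing this^Jwith its psychic powers, the evil Wumpus rampagees through the cave, finds^Jyou, and with a mighty *ROAR* eats you alive!
[ e69] *Thwack!* A sudden piercing feeling informs you that the ricochet^Jof your wild arrow has resulted in it wedging in your side, causing^Jextreme agony. The evil Wumpus, with its psychic powers, realizes this^Jand immediately rushes to your side, not to help, alas, but to EAT YOU!^J(*CHOMP*)
[ f91] With a jaunty step you enter the magic tunnel. As you do, you^Jnotice that the walls are shimmering and glowing. Suddenly you feel^Ja very curious, warm sensation and find yourself in room %d!!^J
[ 1058] *AAAUUUUGGGGGHHHHHhhhhhhhhhh...*^JThe whistling sound and updraft as you walked into this room of the^Jcave apparently wasn't enough to clue you in to the presence of the^Jbottomless pit. You have a lot of time to reflect on this error as^Jyou fall many miles to the core of the earth. Look on the bright side;^Jyou can at least find out if Jules Verne was right...
[ 11c8] Without conscious thought you grab for the side of the cave and manage^Jto grasp onto a rocky outcrop. Beneath your feet stretches the limitless^Jdepths of a bottomless pit! Rock crumbles beneath your feet!
[ 129f] ?
EOD;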
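/**
 * Return one character of a string in a readelf .rodata dump.
 *
 * @param int|string $stringAddr offset into .rodata (pointer value minus the
 *                               section start) of the string to read from
 * @param string     $data       output of `readelf --string-dump=.rodata`, one
 *                               "[ hex] text" entry per line
 * @param int        $charIndex  0-based index of the character to return
 *
 * @return string the selected character, or '' when no entry starts at or
 *                before $stringAddr, when $charIndex is negative, or when it
 *                is past the end of the entry's text
 *
 * The entry used is the one with the greatest start offset <= $stringAddr,
 * i.e. the string the pointer lands in. This holds whatever order the dump
 * lines are in, so a stray or misplaced line in a pasted dump cannot redirect
 * a lookup to a neighbouring string (a consecutive-pair range scan would).
 * The last line is matched whether or not it ends in a newline.
 *
 * Caveat: readelf appears to print control bytes as two characters ("^J"),
 * so an index that lands after such a sequence is off by one from the real
 * byte. None of the strings this decoder reads contain one.
 *
 * Side effect: prints the chosen entry with the selected character bracketed,
 * so the decode can be checked by eye.
 */
function getCharacterFromDataSection($stringAddr, $data, $charIndex) {
    // 1 = start offsets (hex), 2 = string text. Text excludes CR/LF so a CRLF
    // dump does not leave a trailing "\r" in it; the line end is optional so
    // a dump without a final newline keeps its last entry.
    $matched = preg_match_all('/\s*\[\s*([a-f0-9]+)\][ \t]*([^\r\n]*)(?:\r?\n|$)/i', (string)$data, $result);
    if (!$matched) {
        return '';
    }

    $target = (int)$stringAddr;
    $index = (int)$charIndex;

    // Greatest start offset that does not exceed the target.
    $bestStart = -1;
    $bestText = null;
    foreach ($result[1] as $i => $hexStart) {
        $start = hexdec($hexStart);
        if ($start <= $target && $start > $bestStart) {
            $bestStart = $start;
            $bestText = $result[2][$i];
        }
    }
    if ($bestText === null || $index < 0) {
        return '';
    }

    $char = substr($bestText, $index, 1);
    if ($char === false) {
        // PHP < 8 returns false when the start is past the end of the string.
        $char = '';
    }

    print sprintf('0x%02X', $target) . "\t" . substr($bestText, 0, $index) . '[' . $char . ']' . substr($bestText, $index + 1) . PHP_EOL;

    return $char;
}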
// Assemble the passphrase: the i-th character is $charOffset[$i] characters
// into the .rodata string that m<$variableIndexes[$i]> points at. Each
// pointer is turned into an offset into the readelf dump by subtracting the
// section start. The result is printed uppercased.
$collected = [];
foreach (array_keys($variableIndexes) as $pos) {
    $pointerSlot = $variableIndexes[$pos];
    $rodataOffset = $variableValuesAddresses[$pointerSlot] - $dataBaseAddress;
    $collected[] = getCharacterFromDataSection($rodataOffset, $dataSection, $charOffset[$pos]);
}
$password = implode('', $collected);
print PHP_EOL . "Password is: " . strtoupper($password) . PHP_EOL;