A look at SANS Brussels Challenges

This morning, a colleague of mine pointed me to some “reversing challenges” addressed to participants of SANS Brussels 2015 (what? I was not there?). Why not take a quick look and try to solve them? I hope that publishing the solutions/suggestions does not cause rage among the SANS mentors, for whom I have a lot of esteem.

However, at the time of this writing these challenges are online and accessible without any particular restriction at https://www.sansemea.com/challenges.php, therefore I do not think there will be any particular problems.


Challenge One (EASY):

Encoded string:

IF2CAU2BJZJSAQTSOVZXGZLMOMQGK3TDN5SGS3THEBUXGIDXMVWGYIDVNZSGK4TTORXW6ZBAMFYHAYLSMVXHI3DZ

Decoded String:

At SANS Brussels encoding is well understood apparently

Solutions:

The plain text has been Base32 encoded. (Base32? How did you come up with that?)

Challenge Two (MEDIUM):

var _0xb618=["\x53\x61\x79\x48\x65\x6C\x6C\x6F","\x47\x65\x74\x43\x6F\x75\x6E\x74","\x4D\x65\x73\x73\x61\x67\x65\x20\x3A\x20","\x4F\x62\x76\x69\x6F\x75\x73\x6C\x79\x20\x79\x6F\x75\x20\x61\x72\x65\x20\x70\x72\x65\x74\x74\x79\x20\x6E\x65\x61\x74\x20\x61\x74\x20\x72\x65\x76\x65\x72\x73\x69\x6E\x67\x2E\x20\x54\x68\x65\x20\x77\x69\x6E\x6E\x69\x6E\x67\x20\x63\x6F\x64\x65\x20\x66\x6F\x72\x20\x74\x68\x69\x73\x20\x63\x68\x61\x6C\x6C\x65\x6E\x67\x65\x20\x69\x73\x20\x43\x75\x72\x6C\x79\x20\x68\x61\x73\x20\x77\x61\x79\x20\x74\x6F\x6F\x20\x6D\x75\x63\x68\x20\x74\x69\x6D\x65\x2E"];function NewObject(_0x3c81x2){var _0x3c81x3=0;this[_0xb618[0]]=function (_0x3c81x4){_0x3c81x3++;alert(_0x3c81x2+_0x3c81x4);} ;this[_0xb618[1]]=function (){return _0x3c81x3;} ;} ;var obj= new NewObject(_0xb618[2]);obj.SayHello(_0xb618[3]);

… OK, OK, it looks like chaos, but… look at “SayHello(_0xb618[3])” and count the hex-encoded strings from 0 to 3 in the order they appear in the assignment to “var _0xb618”… we get this:

\x4F\x62\x76\x69\x6F\x75\x73\x6C\x79\x20\x79\x6F\x75\x20\x61\x72\x65\x20\x70\x72\x65\x74\x74\x79\x20\x6E\x65\x61\x74\x20\x61\x74\x20\x72\x65\x76\x65\x72\x73\x69\x6E\x67\x2E\x20\x54\x68\x65\x20\x77\x69\x6E\x6E\x69\x6E\x67\x20\x63\x6F\x64\x65\x20\x66\x6F\x72\x20\x74\x68\x69\x73\x20\x63\x68\x61\x6C\x6C\x65\x6E\x67\x65\x20\x69\x73\x20\x43\x75\x72\x6C\x79\x20\x68\x61\x73\x20\x77\x61\x79\x20\x74\x6F\x6F\x20\x6D\x75\x63\x68\x20\x74\x69\x6D\x65\x2E

now we have to do a bit of cleaning:

4F6276696F75736C7920796F752061726520707265747479206E65617420617420726576657273696E672E205468652077696E6E696E6720636F646520666F722074686973206368616C6C656E6765206973204375726C79206861732077617920746F6F206D7563682074696D652E

and convert the hex to ASCII… we get:

Obviously you are pretty neat at reversing. The winning code for this challenge is Curly has way too much time.

Challenge Three (not so -> HARD) :D

OK. I don’t know exactly what they were expecting here, but… I did a very, very quick thing… We have:

"\xd9\xea\xb8\x6d\x12\x73\x19\xd9\x74\x24\xf4\x5a\x33\xc9\xb1\x23\x31\x42\x18\x83\xc2\x04\x03\x42\x79\xf0\x86\x73\x83\xac\xa5\x04\x06\x8c\x42\x03\x39\xcd\x1b\x0a\xf4\x4d\x6a\xc4\x37\x95\xe7\x90\x6f\xe4\x78\x2d\x54\x9c\x6f\x16\xa7\xe1\xa1\x6f\x06\x39\xab\x29\x30\x70\xac\xdc\xfd\x03\x4e\x4a\xda\x4b\x5c\x0b\xad\xb5\x06\xc1\x2d\x74\x77\x89\x4b\x1f\x59\x04\x1a\x3c\xcf\x65\x45\x73\x1c\x5b\xf5\x91\xe7\x09\xc8\xdc\xc1\x96\xff\x5f\x9b\x2d\xa7\xc6\x0e\x54\x3f\xd4\xcd\x11\x58\x4e\x3d\x51\xce\x8f\x29\xba\x6c\xf9\xc7\x4d\x93\xab\xff\x59\x53\x4c\x00\x49\x31\x3e\x75\xfd\xd1\xd1\x0c\x92\x6c\x4b\x99\x09\xe0\xff\x0c\xb4\x88\xd1\xba\x40\x04\x2e\x14\xe2\x6d\xcf\x57\x84"

w0w… it looks like shellcode… have you noticed \x33\xc9? A classic XOR instruction… OK. Let’s start by seeing what is in it:

[image: shellcode_first]

There is a trick based on FPU instructions to get the PC (program counter): first execute any FP (floating point) instruction, then FSTENV PTR SS:[ESP-C] writes the FPU environment, whose saved instruction pointer is the address of that first FP instruction, to the top of the stack, so the POP EDX that follows leaves EDX == EIP (of the FLD)!! mov eax,0x1973126d loads the key (6d127319 as it appears in the dump) into EAX. I had thought of writing a note on de-XORing it by hand, but my will failed. However, I tried to emulate it:
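A static replay of both decoding steps, added here as an example of mine (not code from the post or from SANS): challenge 2’s `\xNN` string table is parsed out of the posted JavaScript, and challenge 3’s XOR loop is replayed over the bytes above using the key and counter the stub itself loads (mov eax,0x1973126d; mov cl,0x23), without running the blob. The `ADD EAX,[EDX+0x14]` key feedback and the LOOP back to the XOR are my reading of the bytes the first iteration uncovers, not something the post states, and all function names are mine.

```python
import re

HEX_ESC = re.compile(r'\\x([0-9A-Fa-f]{2})')

def unescape_hex(s):
    """Decode a "\\xNN\\xNN..." literal to raw bytes (strip the \\x, read the hex)."""
    return bytes(int(h, 16) for h in HEX_ESC.findall(s))

def js_string_table(js):
    """All fully hex-escaped JS string literals, in array order (index 3 = SayHello's arg)."""
    return [unescape_hex(m).decode('ascii')
            for m in re.findall(r'"((?:\\x[0-9A-Fa-f]{2})+)"', js)]

# Challenge 2 array, re-typed from the post (smart quotes straightened).
CHALLENGE2_JS = (
    r'var _0xb618=["\x53\x61\x79\x48\x65\x6C\x6C\x6F","\x47\x65\x74\x43\x6F\x75\x6E\x74",'
    r'"\x4D\x65\x73\x73\x61\x67\x65\x20\x3A\x20",'
    r'"\x4F\x62\x76\x69\x6F\x75\x73\x6C\x79\x20\x79\x6F\x75\x20\x61\x72\x65\x20\x70\x72\x65\x74\x74\x79\x20'
    r'\x6E\x65\x61\x74\x20\x61\x74\x20\x72\x65\x76\x65\x72\x73\x69\x6E\x67\x2E\x20\x54\x68\x65\x20\x77\x69\x6E\x6E\x69\x6E\x67\x20'
    r'\x63\x6F\x64\x65\x20\x66\x6F\x72\x20\x74\x68\x69\x73\x20\x63\x68\x61\x6C\x6C\x65\x6E\x67\x65\x20\x69\x73\x20\x43\x75\x72\x6C\x79\x20'
    r'\x68\x61\x73\x20\x77\x61\x79\x20\x74\x6F\x6F\x20\x6D\x75\x63\x68\x20\x74\x69\x6D\x65\x2E"];')

# Challenge 3 blob (164 bytes), re-typed from the post as plain hex.
CHALLENGE3_SC = bytes.fromhex(
    'd9eab86d127319d97424f45a33c9b12331421883c2040342'  # 24-byte decoder stub
    '79f0867383aca504068c420339cd1b0af44d6ac43795e7906fe4782d549c6f16a7e1a16f'
    '0639ab293070acdcfd034e4ada4b5c0badb506c12d7477894b1f59041a3ccf6545731c5b'
    'f591e709c8dcc196ff5f9b2da7c60e543fd4cd11584e3d51ce8f29ba6cf9c74d93abff59'
    '534c0049313e75fdd1d10c926c4b9909e0ff0cb488d1ba40042e14e26dcf5784')

def decode_fnstenv_xor(sc, key=0x1973126D, start=0x18, count=0x23):
    """Statically replay the stub: EDX = address of the FLD (FNSTENV + POP EDX),
    then `XOR [EDX+0x18],EAX ; ADD EDX,4 ; ADD EAX,[EDX+0x14] ; LOOP` with
    EAX = 0x1973126d (mov eax) and CL = 0x23 (mov cl).  After ADD EDX,4 the
    dword at [EDX+0x14] is the one just decoded, so the key changes each round."""
    buf = bytearray(sc)
    for i in range(count):
        off = start + 4 * i
        dword = int.from_bytes(buf[off:off + 4], 'little') ^ key
        buf[off:off + 4] = dword.to_bytes(4, 'little')
        key = (key + dword) & 0xFFFFFFFF   # ADD EAX,[EDX+0x14]
    return bytes(buf)

def stub_loop_target(decoded, loop_at=25):
    """Offset the LOOP uncovered at 25 jumps to; a correct decode gives 16, the
    XOR at the head of the loop body (None if no LOOP opcode is there yet)."""
    if decoded[loop_at] != 0xE2:
        return None
    rel = decoded[loop_at + 1]
    return loop_at + 2 + (rel - 0x100 if rel & 0x80 else rel)
```

The first round turns the encoded tail of the stub into the displacement 0x14 and a LOOP back to offset 16, which is the sanity check that the key and feedback were read correctly; everything from offset 27 on is the decoded payload.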

I first converted it:

[image: converter]

and then I launched it:

[image: emulate]

these are the results:

[image: shellcode]

OK… just a little help to see everything graphically :)

So, now we have to… wait… wait… do you think I have to do everything myself??? Try to solve it… I think it’s quite clear now…

3 Comments

  1. Alicia

    Nice post. I was checking constantly this weblog and I am inspired!
    Very useful information particularly the last phase :) I maintain such
    information much. I used to be looking for this particular
    info for a very long time. Thanks and best of luck.
