author | n0p <0x90@n0p.cc> | 2014-10-27 19:07:43 +0100 |
---|---|---|
committer | n0p <0x90@n0p.cc> | 2014-10-27 19:07:43 +0100 |
commit | 0bcd78be9657f35dd27a02c16cb70234b1e44d5b (patch) | |
tree | 4f1eb291ab604beaac47f011bcec6b53fc300a2d /bin | |
Reversing challenge 300 from hack.lu 2014.
Diffstat (limited to 'bin')
-rw-r--r-- | bin/keyCalculator.py | 16 | ||||
-rw-r--r-- | bin/patcher.py | 35 |
2 files changed, 51 insertions, 0 deletions
diff --git a/bin/keyCalculator.py b/bin/keyCalculator.py
new file mode 100644
index 0000000..9b96700
--- /dev/null
+++ b/bin/keyCalculator.py
@@ -0,0 +1,16 @@
+import pefile
+
+pe = pefile.PE("JonahHex.exe")
+
+ccCount = 0
+text_section = pe.get_data(pe.sections[0].VirtualAddress, pe.sections[0].Misc_VirtualSize)
+
+for byte in text_section:
+ if byte == '\xCC':
+ ccCount += 1
+ if ccCount % 22 == 0:
+ ccCount *= ccCount + 42
+ ccCount %= 0x100
+
+print "AddressOfEntryPoint: " + hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)
+print "DES key: " + 8*hex(ccCount)[2:]
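Review bot: The key printed on the last line, `8*hex(ccCount)[2:]`, is not zero-padded, so whenever ccCount ends up below 0x10 the repeated string is 8 hex digits (4 bytes) rather than the 16 digits an 8-byte DES key needs; `print "DES key: " + 8 * ("%02x" % ccCount)` keeps the width fixed. The comparison `byte == '\xCC'` in the loop depends on Python 2 str iteration; iterating `bytearray(text_section)` and comparing with `0xCC` behaves the same on Python 2 and 3 and still works if get_data returns bytes. `pe.sections[0]` is presumably meant to be the .text section, which a comment such as `# assumes the first section is .text` on the text_section line would make explicit. The script is flat top-level code with no enclosing function.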
\ No newline at end of file
diff --git a/bin/patcher.py b/bin/patcher.py
new file mode 100644
index 0000000..601b2a8
--- /dev/null
+++ b/bin/patcher.py
@@ -0,0 +1,35 @@
+import pefile
+
+pe = pefile.PE("JonahHex.exe")
+
+# Patching the jumps.
+jmp_tls_1 = [0x00001703, 0x0000170C, 0x000020A6]
+jmp_main = [0x000021AC, 0x00002830]
+
+xor_tls_1 = [0x8, 0x40, 0x200]
+xor_main = [0x2fe095ad, 0x1660d216]
+
+for i, address in enumerate(jmp_tls_1):
+ value = pe.get_dword_at_rva(address);
+ pe.set_dword_at_rva(address, value ^ xor_tls_1[i])
+
+for i, address in enumerate(jmp_main):
+ value = pe.get_dword_at_rva(address);
+ pe.set_dword_at_rva(address, value ^ xor_main[i])
+
+# Patching the ciphertext checks.
+des_intermediate_addr = [0x00002F3A, 0x00002F47]
+des_output_addr = [0x00002537, 0x00002544]
+
+des_intermediate_value = [0xB3143B79, 0x19A2E3D5]
+des_output_value = [0xEEC5860E, 0x8E0A2C1F]
+
+cipherxor = 0x41424344
+
+for i in xrange(0, 2):
+ pe.set_dword_at_rva(des_intermediate_addr[i], des_intermediate_value[i] ^ cipherxor)
+ print "DES intermediate value " + str(i) + ": " + hex(des_intermediate_value[i] ^ cipherxor)[:-1]
+ pe.set_dword_at_rva(des_output_addr[i], des_output_value[i] ^ cipherxor)
+ print "DES output value " + str(i) + ": " + hex(des_output_value[i] ^ cipherxor)[:-1]
+
+pe.write(filename="JonahHex.exe")
\ No newline at end of file |
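Review bot: The `[:-1]` slice on the two print lines inside the xrange loop drops the last hex digit whenever `hex()` yields no trailing `L`, which is every result that fits a plain int (any value below 2**31, and on 64-bit Python 2 all of them), so the logged values do not match the dwords actually written; `print "DES intermediate value %d: 0x%08x" % (i, des_intermediate_value[i] ^ cipherxor)` and the matching line for des_output_value print the full dword regardless of int/long type. The final `pe.write(filename="JonahHex.exe")` overwrites the input binary in place, so a second run XORs already-patched dwords again; writing to a separate output name keeps the original intact. The semicolons after the two `get_dword_at_rva` calls are harmless but not idiomatic Python. The script is flat top-level code with no enclosing function.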