I have recieved a challenge from simo36 called easyHW it's a reverse engineering one, so let us dive into the assembly. The challenge contains two files easyHW which is a 32bit elf, and opcode.bin which contains some opcodes. Download files from here[1]. Let us dive into what easyHW does and how it work.

1: https://github.com/q6r/others/tree/master/chals/easyHW

tools used : r2

These are calls from main it seems as if it's calling read_opcodes to get the file content and vm86 to process it. Which means opcode.bin is a file containing valid x86 opcodes, but it doesn't which means that it's obfuscated. Let see how the deobfuscation is happening

So after the read_opcodes call a global buffer is filled with the file content then we enter a loop that does xoring to the content of the buffer xor eax, 0xffffffaa then it subtracts 0xa/10 from the byte lea edx, [eax-0xa] lea in this case is used instead of sub by the compiler as an optimization I assume this binary was compiled with optimization enabled or this is the normal behaviour of gcc?.

Now let us deal with opcode.bin and deobfuscate it with this information

First we need to xor all the bytes with 0xaa then subtract them with 0xa.

Nice we can see some strings :) since if we run this it asks for a password so we assume it compares the password with something so looking for cmp or any comparision methods.

we have three suspecious comparisions so after looking at them seems like 0x00000067 is a the one that compares the password since it loops. Let see the loop.

From cmp cx, 0x14 we know that the password is 20 characters, and if we get all the characters right we go to je 0xbe otherwise we compare.. if the comparision fails at cmp bl, dl then we go to jne 0x9d otherwise we jump back to the beginning of the comparision loop jmp 0x67 ..etc

So this xors bytes at bl/[ebx] with 0xcd and subtracts 0x1 then it compares to dl/[edx] so we know that our input is at bl/[ebx] and the actual password is at dl/[edx] so where does this dl/[edx] comes from ? so we go back a little and we find

so di which is moved to bx/bl/[ebx] is our input and si which is moved to dl/dx/[edx] is our password. So input is at 0x500 password is at 0x263 so lets see

this seems to be it, remember xor 0xcd subtract 0x01 from the input so it's add one and xor by 0xcd to the actual password.

that's it password is Emul4t0rs4r3b4d4ss.!

Proxied content from gemini://0x80.org/gemlog/2014-06-07-easyhw.gmi.
Get a proper gemini browser and visit!

Gemini request details:

Original URL
Status code