{"id":20,"date":"2011-06-05T10:01:39","date_gmt":"2011-06-05T10:01:39","guid":{"rendered":"http:\/\/piratesecurityblog.com\/?p=20"},"modified":"2016-09-28T10:02:17","modified_gmt":"2016-09-28T10:02:17","slug":"gchq-challenge-solution-stage-1","status":"publish","type":"post","link":"http:\/\/piratesecurityblog.com\/?p=20","title":{"rendered":"GCHQ Challenge Solution \u2013 Stage 1"},"content":{"rendered":"<p>I heard about \u201cthe code\u201d at www.canyoucrackit.co.uk on the first Friday of December (2011-12-02), and cracked the final stage on the Sunday two days later. The reason for not cracking it all on Friday evening was, unfortunately, not that it presented much of a challenge but that I was out partying pretty much 24\/7 on Friday and Saturday (including after-parties until dawn both nights). \ud83d\ude42<\/p>\n<p>I didn\u2019t want to publish any write-up until the challenge was over, even though I heard that others didn\u2019t bother waiting. As a man who loves challenges of all kinds, I would hate to be the one spoiling it for someone who actually wanted to give it a try.<\/p>\n<p>The first part of the code was this picture:<br \/>\n<img src=\"http:\/\/www.clevcode.org\/wp-content\/uploads\/2011\/12\/cyber.png\" alt=\"\" \/><\/p>\n<p>I recognized it as x86 machine code at first glance: the \u201ceb 04\u201d (jmp $+6), the several \u201c31 cX\u201d bytes (xor reg, reg), the run of \u201c90\u201d bytes at the end (NOPs) and, last but not least, the \u201ccd 80\u201d (int 0x80), to mention a few of the immediately recognizable opcodes. The int 0x80 also tells me that this is most likely a 32-bit Linux payload, since 0x80 is the software interrupt used for system calls on 32-bit Linux. 
Looking at the code, I could see that it simply calls exit(0) once the interesting part has run.<\/p>\n<p>Opening the code in a disassembler shows a decode loop that looks very much like the RC4 cipher: a 256-byte state buffer is initialised with the values 0 to 255, its entries are then swapped around according to the key (0xdeadbeef), and a decryption loop follows. Which cipher is used does not really matter here, since the key is embedded in the code anyway.<\/p>\n<p>Looking closer at the decryption loop, it is actually slightly different from the original RC4 cipher, even though the key scheduling is the same.<\/p>\n<p>The real RC4 keystream loop can be implemented like this (state is the 256-byte array produced by the key schedule):<\/p>\n<pre><code>#include &lt;stddef.h&gt;\n\nstatic void rc4_crypt(unsigned char state[256], unsigned char *buf, size_t len)\n{\n    unsigned char i = 0, j = 0, temp, *ptr = buf;\n    while (len-- &gt; 0) {\n        i = (i + 1) &amp; 0xff;\n        j = (j + state[i]) &amp; 0xff;\n        temp = state[i];\n        state[i] = state[j];\n        state[j] = temp;\n        *ptr++ ^= state[(state[i] + state[j]) &amp; 0xff];   \/* keystream byte is a separate lookup *\/\n    }\n}<\/code><\/pre>\n<p>This implementation instead overwrites j with the keystream byte in every iteration, so the next iteration\u2019s j is derived from the previous output byte rather than from the running sum:<\/p>\n<pre><code>#include &lt;stddef.h&gt;\n\nstatic void stage1_crypt(unsigned char state[256], unsigned char *buf, size_t len)\n{\n    unsigned char i = 0, j = 0, temp, *ptr = buf;\n    while (len-- &gt; 0) {\n        i = (i + 1) &amp; 0xff;\n        j = (j + state[i]) &amp; 0xff;\n        temp = state[i];\n        state[i] = state[j];\n        state[j] = temp;\n        j = state[(state[i] + state[j]) &amp; 0xff];   \/* keystream byte clobbers j *\/\n        *ptr++ ^= j;\n    }\n}<\/code><\/pre>\n<p>Note that the very first output byte is the same in both versions (same swap, same lookup); the two keystreams only part ways from the second byte on, which is why the loop looks right at a glance, and why a stock RC4 routine gets exactly one byte of the plaintext right and nothing after it.<\/p>\n<p>This is actually pretty funny, considering that GCHQ themselves have now published a (very brief) explanation of the challenge, after it is over, which describes the cipher as RC4. So as far as I can tell this is an unintentional bug rather than by design. It is an easy mistake to make when hand-coding assembler without keeping track of which register holds what, but a rather silly mistake nonetheless.<\/p>\n<p>Anyway. Analyzing the code further, the payload seems to be missing some important parts, such as the buffer that is to be decrypted. This, on the other hand, is definitely by design. \ud83d\ude42<\/p>\n<p>See the \u201cAAAA\u201d (41 41 41 41) at the end of the payload? 
That\u2019s a tag that is checked by this piece of code:<\/p>\n<pre><code>00000042 58           pop eax              ; Read last four bytes of original payload\n00000043 3D41414141   cmp eax,0x41414141   ; Compare it to 0x41414141 (\"AAAA\")\n00000048 7543         jnz 0x8d             ; Jump to exit(0) code if no match<\/code><\/pre>\n<p>So far so good. 
If the tag isn\u2019t there, it jumps ahead to the part of the code that calls exit(0):<\/p>\n<pre><code>0000008D 31DB         xor ebx,ebx          ; ebx = system call argument 1 = 0\n0000008F 89D8         mov eax,ebx          ; eax = system call number = 0\n00000091 FEC0         inc al               ; eax = eax + 1 = 1 = SYS_exit\n00000093 CD80         int 0x80             ; Do the system call: exit(0)<\/code><\/pre>\n<p>If the tag is there, it continues by checking for a second tag (\u201cBBBB\u201d = 42 42 42 42), which is <em>not<\/em> included in the payload:<\/p>\n<pre><code>0000004A 58           pop eax              ; Read four more bytes, beyond the original payload\n0000004B 3D42424242   cmp eax,0x42424242   ; Compare it to 0x42424242 (\"BBBB\")\n00000050 753B         jnz 0x8d             ; Jump to exit(0) code if no match<\/code><\/pre>\n<p>Of course, we can simply append this tag after the payload to get past the check. 
This doesn\u2019t really help us much though, since the code then continues with reading a byte count to decrypt, followed by the actual encrypted data:<\/p>\n<div id=\"crayon-57eb94cf11b99982197389\" class=\"crayon-syntax crayon-theme-solarized-dark crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\">\n<div class=\"crayon-plain-wrap\"><\/div>\n<div class=\"crayon-main\">\n<table class=\"crayon-table\">\n<tbody>\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums \" data-settings=\"show\">\n<div class=\"crayon-nums-content\">\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11b99982197389-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11b99982197389-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11b99982197389-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11b99982197389-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11b99982197389-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11b99982197389-6\">6<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\">\n<div id=\"crayon-57eb94cf11b99982197389-1\" class=\"crayon-line\"><span class=\"crayon-cn\">00000052<\/span> <span class=\"crayon-cn\">5A<\/span><span class=\"crayon-h\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><span class=\"crayon-e\">pop <\/span><span class=\"crayon-i\">edx<\/span><span class=\"crayon-h\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><span class=\"crayon-sy\">;<\/span> <span class=\"crayon-e\">Get <\/span><span class=\"crayon-e\">size <\/span><span class=\"crayon-e\">of <\/span><span class=\"crayon-e\">encrypted <\/span><span class=\"crayon-i\">buffer<\/span><\/div>\n<div id=\"crayon-57eb94cf11b99982197389-2\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-cn\">00000053<\/span> <span 
class=\"crayon-cn\">89D1<\/span><span class=\"crayon-h\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><span class=\"crayon-e\">mov <\/span><span class=\"crayon-v\">ecx<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-i\">edx<\/span><span class=\"crayon-h\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><span class=\"crayon-sy\">;<\/span> <span class=\"crayon-e\">Set <\/span><span class=\"crayon-v\">ecx<\/span> <span class=\"crayon-o\">=<\/span> <span class=\"crayon-e\">Size <\/span><span class=\"crayon-e\">of <\/span><span class=\"crayon-e\">encrypted <\/span><span class=\"crayon-i\">buffer<\/span><\/div>\n<div id=\"crayon-57eb94cf11b99982197389-3\" class=\"crayon-line\"><span class=\"crayon-cn\">00000055<\/span> <span class=\"crayon-cn\">89E6<\/span><span class=\"crayon-h\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><span class=\"crayon-e\">mov <\/span><span class=\"crayon-v\">esi<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-i\">esp<\/span><span class=\"crayon-h\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><span class=\"crayon-sy\">;<\/span> <span class=\"crayon-e\">Set <\/span><span class=\"crayon-v\">esi<\/span> <span class=\"crayon-o\">=<\/span> <span class=\"crayon-e\">Start <\/span><span class=\"crayon-e\">of <\/span><span class=\"crayon-e\">encrypted <\/span><span class=\"crayon-i\">buffer<\/span><\/div>\n<div id=\"crayon-57eb94cf11b99982197389-4\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-cn\">00000057<\/span> <span class=\"crayon-cn\">89DF<\/span><span class=\"crayon-h\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><span class=\"crayon-e\">mov <\/span><span class=\"crayon-v\">edi<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-i\">ebx<\/span><span class=\"crayon-h\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><span class=\"crayon-sy\">;<\/span> <span class=\"crayon-e\">Set <\/span><span class=\"crayon-v\">edi<\/span> 
<span class=\"crayon-o\">=<\/span> <span class=\"crayon-e\">Pointer <\/span><span class=\"crayon-st\">to<\/span> <span class=\"crayon-e\">the <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">quite<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-e\">RC4 <\/span><span class=\"crayon-e\">state <\/span><span class=\"crayon-i\">buffer<\/span><\/div>\n<div id=\"crayon-57eb94cf11b99982197389-5\" class=\"crayon-line\"><span class=\"crayon-cn\">00000059<\/span> <span class=\"crayon-cn\">29CF<\/span><span class=\"crayon-h\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><span class=\"crayon-e\">sub <\/span><span class=\"crayon-v\">edi<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-i\">ecx<\/span><span class=\"crayon-h\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><span class=\"crayon-sy\">;<\/span> <span class=\"crayon-e\">Allocate <\/span><span class=\"crayon-e\">space <\/span><span class=\"crayon-e\">before <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">quite<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-e\">RC4 <\/span><span class=\"crayon-e\">state <\/span><span class=\"crayon-i\">buffer<\/span><\/div>\n<div id=\"crayon-57eb94cf11b99982197389-6\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-cn\">0000005B<\/span> <span class=\"crayon-e\">F3A4\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><span class=\"crayon-e\">rep <\/span><span class=\"crayon-i\">movsb<\/span><span class=\"crayon-h\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><span class=\"crayon-sy\">;<\/span> <span class=\"crayon-e\">Copy <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-e\">encrypted <\/span><span class=\"crayon-e\">buffer <\/span><span class=\"crayon-st\">to<\/span> <span class=\"crayon-e\">the 
<\/span><span class=\"crayon-e\">allocated <\/span><span class=\"crayon-v\">space<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>After this follows the code that actually performs the decryption, and finally it calls exit(0), just as it does when the tag is not found on the stack. The exit(0) could be replaced by code that writes the decrypted data to stdout, or we can simply set a breakpoint there (or manually insert a 0xcc = int3 there instead) so we can read the decrypted data in a debugger.<\/p>\n<p>So, where is the missing data? My first thought was that the data is probably either hidden in the HTML code of the www.canyoucrackit.co.uk page, or that it is hidden within the image of the payload. Hiding it within the image seemed pretty likely, since it was a bit odd that they used an image at all instead of plain text, which would have allowed copy &amp; paste instead of manually transcribing the payload from the image.<\/p>\n<p>There are several ways to hide data within an image, some more refined than others. The easiest way to do it is to simply inject the data to hide into some form of metadata. 
Using \u201cexiftool\u201d we can extract the following text field (although I first noticed it with a simple \u201cstrings\u201d):<\/p>\n<div id=\"crayon-57eb94cf11ba1020325867\" class=\"crayon-syntax crayon-theme-solarized-dark crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\">\n<div class=\"crayon-plain-wrap\"><\/div>\n<div class=\"crayon-main\">\n<table class=\"crayon-table\">\n<tbody>\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums \" data-settings=\"show\">\n<div class=\"crayon-nums-content\">\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11ba1020325867-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11ba1020325867-2\">2<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\">\n<div id=\"crayon-57eb94cf11ba1020325867-1\" class=\"crayon-line\"><span class=\"crayon-v\">je<\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-v\">isis<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-o\">~<\/span><span class=\"crayon-sy\">$<\/span> <span class=\"crayon-e\">exiftool <\/span><span class=\"crayon-v\">cyber<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">png<\/span> <span class=\"crayon-o\">|<\/span> <span class=\"crayon-e\">grep <\/span><span class=\"crayon-e\">Comment<\/span><\/div>\n<div id=\"crayon-57eb94cf11ba1020325867-2\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-v\">Comment<\/span> <span class=\"crayon-o\">:<\/span> <span class=\"crayon-v\">QkJCQjIAAACR2PFtcCA6q2eaC8SR<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">8dmD<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">zNzLQC<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">td3tFQ4qx8O447TDeuZw5P<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0SsbEcYR.78jKLw<\/span><span 
class=\"crayon-o\">==<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>This is quite obviously base64-encoded data, judging from the \u201c==\u201d at the end and the range of characters being used. The following command line reveals its decoded contents:<\/p>\n<div id=\"crayon-57eb94cf11ba7476988962\" class=\"crayon-syntax crayon-theme-solarized-dark crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\">\n<div class=\"crayon-plain-wrap\"><\/div>\n<div class=\"crayon-main\">\n<table class=\"crayon-table\">\n<tbody>\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums \" data-settings=\"show\">\n<div class=\"crayon-nums-content\">\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11ba7476988962-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11ba7476988962-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11ba7476988962-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11ba7476988962-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11ba7476988962-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11ba7476988962-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11ba7476988962-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11ba7476988962-8\">8<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\">\n<div id=\"crayon-57eb94cf11ba7476988962-1\" class=\"crayon-line\"><span class=\"crayon-v\">je<\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-v\">isis<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-o\">~<\/span><span class=\"crayon-sy\">$<\/span> <span class=\"crayon-e\">exiftool <\/span><span class=\"crayon-v\">cyber<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">png<\/span> <span 
class=\"crayon-sy\">\\<\/span><\/div>\n<div id=\"crayon-57eb94cf11ba7476988962-2\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-o\">|<\/span> <span class=\"crayon-e\">grep <\/span><span class=\"crayon-v\">Comment<\/span> <span class=\"crayon-o\">|<\/span> <span class=\"crayon-i\">awk<\/span> <span class=\"crayon-s\">'{ print $3 }'<\/span> <span class=\"crayon-sy\">\\<\/span><\/div>\n<div id=\"crayon-57eb94cf11ba7476988962-3\" class=\"crayon-line\"><span class=\"crayon-o\">|<\/span> <span class=\"crayon-v\">perl<\/span> <span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">MMIME<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Base64<\/span> <span class=\"crayon-o\">-<\/span><span class=\"crayon-i\">e<\/span> <span class=\"crayon-s\">'print decode_base64(&lt;&gt;)'<\/span> <span class=\"crayon-o\">&gt;<\/span> <span class=\"crayon-v\">cyber<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">bin<\/span><\/div>\n<div id=\"crayon-57eb94cf11ba7476988962-4\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-v\">je<\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-v\">isis<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-o\">~<\/span><span class=\"crayon-sy\">$<\/span> <span class=\"crayon-v\">xxd<\/span> <span class=\"crayon-o\">-<\/span><span class=\"crayon-e\">g1 <\/span><span class=\"crayon-v\">cyber<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">bin<\/span><\/div>\n<div id=\"crayon-57eb94cf11ba7476988962-5\" class=\"crayon-line\"><span class=\"crayon-cn\">0000000<\/span><span class=\"crayon-o\">:<\/span> <span class=\"crayon-cn\">42<\/span> <span class=\"crayon-cn\">42<\/span> <span class=\"crayon-cn\">42<\/span> <span class=\"crayon-cn\">42<\/span> <span class=\"crayon-cn\">32<\/span> <span class=\"crayon-cn\">00<\/span> <span class=\"crayon-cn\">00<\/span> <span class=\"crayon-cn\">00<\/span> <span 
class=\"crayon-cn\">91<\/span> <span class=\"crayon-e\">d8 <\/span><span class=\"crayon-i\">f1<\/span> <span class=\"crayon-cn\">6d<\/span> <span class=\"crayon-cn\">70<\/span> <span class=\"crayon-cn\">20<\/span> <span class=\"crayon-cn\">3a<\/span> <span class=\"crayon-e\">ab <\/span><span class=\"crayon-v\">BBBB2<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">mp<\/span> <span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div id=\"crayon-57eb94cf11ba7476988962-6\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-cn\">0000010<\/span><span class=\"crayon-o\">:<\/span> <span class=\"crayon-cn\">67<\/span> <span class=\"crayon-cn\">9a<\/span> <span class=\"crayon-cn\">0b<\/span> <span class=\"crayon-i\">c4<\/span> <span class=\"crayon-cn\">91<\/span> <span class=\"crayon-e\">fb <\/span><span class=\"crayon-i\">c7<\/span> <span class=\"crayon-cn\">66<\/span> <span class=\"crayon-cn\">0f<\/span> <span class=\"crayon-e\">fc <\/span><span class=\"crayon-e\">cd <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-i\">b4<\/span> <span class=\"crayon-cn\">02<\/span> <span class=\"crayon-e\">fa <\/span><span class=\"crayon-i\">d7<\/span> <span class=\"crayon-v\">g<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">f<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div 
id=\"crayon-57eb94cf11ba7476988962-7\" class=\"crayon-line\"><span class=\"crayon-cn\">0000020<\/span><span class=\"crayon-o\">:<\/span> <span class=\"crayon-cn\">77<\/span> <span class=\"crayon-i\">b4<\/span> <span class=\"crayon-cn\">54<\/span> <span class=\"crayon-cn\">38<\/span> <span class=\"crayon-i\">ab<\/span> <span class=\"crayon-cn\">1f<\/span> <span class=\"crayon-cn\">0e<\/span> <span class=\"crayon-i\">e3<\/span> <span class=\"crayon-cn\">8e<\/span> <span class=\"crayon-i\">d3<\/span> <span class=\"crayon-cn\">0d<\/span> <span class=\"crayon-i\">eb<\/span> <span class=\"crayon-cn\">99<\/span> <span class=\"crayon-i\">c3<\/span> <span class=\"crayon-cn\">93<\/span> <span class=\"crayon-i\">fe<\/span> <span class=\"crayon-v\">w<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">T8<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div id=\"crayon-57eb94cf11ba7476988962-8\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-cn\">0000030<\/span><span class=\"crayon-o\">:<\/span> <span class=\"crayon-i\">d1<\/span> <span class=\"crayon-cn\">2b<\/span> <span class=\"crayon-cn\">1b<\/span> <span class=\"crayon-cn\">11<\/span> <span class=\"crayon-i\">c6<\/span> <span class=\"crayon-cn\">11<\/span> <span class=\"crayon-e\">ef <\/span><span class=\"crayon-e\">c8 <\/span><span class=\"crayon-i\">ca<\/span> <span class=\"crayon-cn\">2f<\/span><span class=\"crayon-h\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-o\">+<\/span><span 
class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-o\">\/<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>As you can see, it starts with the \u201cBBBB\u201d that the payload looked for after the end of the payload, followed by a 32-bit little-endian integer (32 00 00 00 = 0x00000032 = 50 = the size of the encrypted buffer), and finally the 50 bytes of encrypted data.<\/p>\n<p>In other words, the full payload is as follows:<\/p>\n<div id=\"crayon-57eb94cf11bae939170039\" class=\"crayon-syntax crayon-theme-solarized-dark crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\">\n<div class=\"crayon-plain-wrap\"><\/div>\n<div class=\"crayon-main\">\n<table class=\"crayon-table\">\n<tbody>\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums \" data-settings=\"show\">\n<div class=\"crayon-nums-content\">\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11bae939170039-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11bae939170039-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11bae939170039-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11bae939170039-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11bae939170039-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11bae939170039-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11bae939170039-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11bae939170039-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11bae939170039-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-57eb94cf11bae939170039-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11bae939170039-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11bae939170039-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11bae939170039-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11bae939170039-14\">14<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\">\n<div id=\"crayon-57eb94cf11bae939170039-1\" class=\"crayon-line\"><span class=\"crayon-i\">eb<\/span> <span class=\"crayon-cn\">04<\/span> <span class=\"crayon-e\">af <\/span><span class=\"crayon-e\">c2 <\/span><span class=\"crayon-e\">bf <\/span><span class=\"crayon-i\">a3<\/span> <span class=\"crayon-cn\">81<\/span> <span class=\"crayon-i\">ec<\/span> <span class=\"crayon-cn\">00<\/span> <span class=\"crayon-cn\">01<\/span> <span class=\"crayon-cn\">00<\/span> <span class=\"crayon-cn\">00<\/span> <span class=\"crayon-cn\">31<\/span> <span class=\"crayon-i\">c9<\/span> <span class=\"crayon-cn\">88<\/span> <span class=\"crayon-cn\">0c<\/span><\/div>\n<div id=\"crayon-57eb94cf11bae939170039-2\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-cn\">0c<\/span> <span class=\"crayon-e\">fe <\/span><span class=\"crayon-i\">c1<\/span> <span class=\"crayon-cn\">75<\/span> <span class=\"crayon-i\">f9<\/span> <span class=\"crayon-cn\">31<\/span> <span class=\"crayon-e\">c0 <\/span><span class=\"crayon-e\">ba <\/span><span class=\"crayon-e\">ef <\/span><span class=\"crayon-e\">be <\/span><span class=\"crayon-e\">ad <\/span><span class=\"crayon-i\">de<\/span> <span class=\"crayon-cn\">02<\/span> <span class=\"crayon-cn\">04<\/span> <span class=\"crayon-cn\">0c<\/span> <span class=\"crayon-cn\">00<\/span><\/div>\n<div id=\"crayon-57eb94cf11bae939170039-3\" class=\"crayon-line\"><span class=\"crayon-e\">d0 <\/span><span class=\"crayon-e\">c1 <\/span><span 
class=\"crayon-i\">ca<\/span> <span class=\"crayon-cn\">08<\/span> <span class=\"crayon-cn\">8a<\/span> <span class=\"crayon-cn\">1c<\/span> <span class=\"crayon-cn\">0c<\/span> <span class=\"crayon-cn\">8a<\/span> <span class=\"crayon-cn\">3c<\/span> <span class=\"crayon-cn\">04<\/span> <span class=\"crayon-cn\">88<\/span> <span class=\"crayon-cn\">1c<\/span> <span class=\"crayon-cn\">04<\/span> <span class=\"crayon-cn\">88<\/span> <span class=\"crayon-cn\">3c<\/span> <span class=\"crayon-cn\">0c<\/span><\/div>\n<div id=\"crayon-57eb94cf11bae939170039-4\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-e\">fe <\/span><span class=\"crayon-i\">c1<\/span> <span class=\"crayon-cn\">75<\/span> <span class=\"crayon-e\">e8 <\/span><span class=\"crayon-i\">e9<\/span> <span class=\"crayon-cn\">5c<\/span> <span class=\"crayon-cn\">00<\/span> <span class=\"crayon-cn\">00<\/span> <span class=\"crayon-cn\">00<\/span> <span class=\"crayon-cn\">89<\/span> <span class=\"crayon-i\">e3<\/span> <span class=\"crayon-cn\">81<\/span> <span class=\"crayon-i\">c3<\/span> <span class=\"crayon-cn\">04<\/span> <span class=\"crayon-cn\">00<\/span> <span class=\"crayon-cn\">00<\/span><\/div>\n<div id=\"crayon-57eb94cf11bae939170039-5\" class=\"crayon-line\"><span class=\"crayon-cn\">00<\/span> <span class=\"crayon-cn\">5c<\/span> <span class=\"crayon-cn\">58<\/span> <span class=\"crayon-cn\">3d<\/span> <span class=\"crayon-cn\">41<\/span> <span class=\"crayon-cn\">41<\/span> <span class=\"crayon-cn\">41<\/span> <span class=\"crayon-cn\">41<\/span> <span class=\"crayon-cn\">75<\/span> <span class=\"crayon-cn\">43<\/span> <span class=\"crayon-cn\">58<\/span> <span class=\"crayon-cn\">3d<\/span> <span class=\"crayon-cn\">42<\/span> <span class=\"crayon-cn\">42<\/span> <span class=\"crayon-cn\">42<\/span> <span class=\"crayon-cn\">42<\/span><\/div>\n<div id=\"crayon-57eb94cf11bae939170039-6\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-cn\">75<\/span> <span 
class=\"crayon-cn\">3b<\/span> <span class=\"crayon-cn\">5a<\/span> <span class=\"crayon-cn\">89<\/span> <span class=\"crayon-i\">d1<\/span> <span class=\"crayon-cn\">89<\/span> <span class=\"crayon-i\">e6<\/span> <span class=\"crayon-cn\">89<\/span> <span class=\"crayon-i\">df<\/span> <span class=\"crayon-cn\">29<\/span> <span class=\"crayon-e\">cf <\/span><span class=\"crayon-e\">f3 <\/span><span class=\"crayon-i\">a4<\/span> <span class=\"crayon-cn\">89<\/span> <span class=\"crayon-i\">de<\/span> <span class=\"crayon-cn\">89<\/span><\/div>\n<div id=\"crayon-57eb94cf11bae939170039-7\" class=\"crayon-line\"><span class=\"crayon-i\">d1<\/span> <span class=\"crayon-cn\">89<\/span> <span class=\"crayon-i\">df<\/span> <span class=\"crayon-cn\">29<\/span> <span class=\"crayon-i\">cf<\/span> <span class=\"crayon-cn\">31<\/span> <span class=\"crayon-i\">c0<\/span> <span class=\"crayon-cn\">31<\/span> <span class=\"crayon-i\">db<\/span> <span class=\"crayon-cn\">31<\/span> <span class=\"crayon-e\">d2 <\/span><span class=\"crayon-e\">fe <\/span><span class=\"crayon-i\">c0<\/span> <span class=\"crayon-cn\">02<\/span> <span class=\"crayon-cn\">1c<\/span> <span class=\"crayon-cn\">06<\/span><\/div>\n<div id=\"crayon-57eb94cf11bae939170039-8\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-cn\">8a<\/span> <span class=\"crayon-cn\">14<\/span> <span class=\"crayon-cn\">06<\/span> <span class=\"crayon-cn\">8a<\/span> <span class=\"crayon-cn\">34<\/span> <span class=\"crayon-cn\">1e<\/span> <span class=\"crayon-cn\">88<\/span> <span class=\"crayon-cn\">34<\/span> <span class=\"crayon-cn\">06<\/span> <span class=\"crayon-cn\">88<\/span> <span class=\"crayon-cn\">14<\/span> <span class=\"crayon-cn\">1e<\/span> <span class=\"crayon-cn\">00<\/span> <span class=\"crayon-i\">f2<\/span> <span class=\"crayon-cn\">30<\/span> <span class=\"crayon-i\">f6<\/span><\/div>\n<div id=\"crayon-57eb94cf11bae939170039-9\" class=\"crayon-line\"><span class=\"crayon-cn\">8a<\/span> 
<span class=\"crayon-cn\">1c<\/span> <span class=\"crayon-cn\">16<\/span> <span class=\"crayon-cn\">8a<\/span> <span class=\"crayon-cn\">17<\/span> <span class=\"crayon-cn\">30<\/span> <span class=\"crayon-i\">da<\/span> <span class=\"crayon-cn\">88<\/span> <span class=\"crayon-cn\">17<\/span> <span class=\"crayon-cn\">47<\/span> <span class=\"crayon-cn\">49<\/span> <span class=\"crayon-cn\">75<\/span> <span class=\"crayon-i\">de<\/span> <span class=\"crayon-cn\">31<\/span> <span class=\"crayon-i\">db<\/span> <span class=\"crayon-cn\">89<\/span><\/div>\n<div id=\"crayon-57eb94cf11bae939170039-10\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-e\">d8 <\/span><span class=\"crayon-e\">fe <\/span><span class=\"crayon-e\">c0 <\/span><span class=\"crayon-i\">cd<\/span> <span class=\"crayon-cn\">80<\/span> <span class=\"crayon-cn\">90<\/span> <span class=\"crayon-cn\">90<\/span> <span class=\"crayon-i\">e8<\/span> <span class=\"crayon-cn\">9d<\/span> <span class=\"crayon-e\">ff <\/span><span class=\"crayon-e\">ff <\/span><span class=\"crayon-i\">ff<\/span> <span class=\"crayon-cn\">41<\/span> <span class=\"crayon-cn\">41<\/span> <span class=\"crayon-cn\">41<\/span> <span class=\"crayon-cn\">41<\/span><\/div>\n<div id=\"crayon-57eb94cf11bae939170039-11\" class=\"crayon-line\"><span class=\"crayon-cn\">42<\/span> <span class=\"crayon-cn\">42<\/span> <span class=\"crayon-cn\">42<\/span> <span class=\"crayon-cn\">42<\/span> <span class=\"crayon-cn\">32<\/span> <span class=\"crayon-cn\">00<\/span> <span class=\"crayon-cn\">00<\/span> <span class=\"crayon-cn\">00<\/span> <span class=\"crayon-cn\">91<\/span> <span class=\"crayon-e\">d8 <\/span><span class=\"crayon-i\">f1<\/span> <span class=\"crayon-cn\">6d<\/span> <span class=\"crayon-cn\">70<\/span> <span class=\"crayon-cn\">20<\/span> <span class=\"crayon-cn\">3a<\/span> <span class=\"crayon-i\">ab<\/span><\/div>\n<div id=\"crayon-57eb94cf11bae939170039-12\" class=\"crayon-line crayon-striped-line\"><span 
class=\"crayon-cn\">67<\/span> <span class=\"crayon-cn\">9a<\/span> <span class=\"crayon-cn\">0b<\/span> <span class=\"crayon-i\">c4<\/span> <span class=\"crayon-cn\">91<\/span> <span class=\"crayon-e\">fb <\/span><span class=\"crayon-i\">c7<\/span> <span class=\"crayon-cn\">66<\/span> <span class=\"crayon-cn\">0f<\/span> <span class=\"crayon-e\">fc <\/span><span class=\"crayon-e\">cd <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-i\">b4<\/span> <span class=\"crayon-cn\">02<\/span> <span class=\"crayon-e\">fa <\/span><span class=\"crayon-i\">d7<\/span><\/div>\n<div id=\"crayon-57eb94cf11bae939170039-13\" class=\"crayon-line\"><span class=\"crayon-cn\">77<\/span> <span class=\"crayon-i\">b4<\/span> <span class=\"crayon-cn\">54<\/span> <span class=\"crayon-cn\">38<\/span> <span class=\"crayon-i\">ab<\/span> <span class=\"crayon-cn\">1f<\/span> <span class=\"crayon-cn\">0e<\/span> <span class=\"crayon-i\">e3<\/span> <span class=\"crayon-cn\">8e<\/span> <span class=\"crayon-i\">d3<\/span> <span class=\"crayon-cn\">0d<\/span> <span class=\"crayon-i\">eb<\/span> <span class=\"crayon-cn\">99<\/span> <span class=\"crayon-i\">c3<\/span> <span class=\"crayon-cn\">93<\/span> <span class=\"crayon-e\">fe<\/span><\/div>\n<div id=\"crayon-57eb94cf11bae939170039-14\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-i\">d1<\/span> <span class=\"crayon-cn\">2b<\/span> <span class=\"crayon-cn\">1b<\/span> <span class=\"crayon-cn\">11<\/span> <span class=\"crayon-i\">c6<\/span> <span class=\"crayon-cn\">11<\/span> <span class=\"crayon-e\">ef <\/span><span class=\"crayon-e\">c8 <\/span><span class=\"crayon-i\">ca<\/span> <span class=\"crayon-cn\">2f<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Embedding this payload into a small C program and injecting a breakpoint at the exit(0) call by manually changing the \u201ccd\u201d in \u201ccd 80\u201d (int 0x80, the system call interrupt) to \u201ccc\u201d (int3) 
lets me read the decrypted string in a debugger.<\/p>\n<div id=\"crayon-57eb94cf11bb5286696215\" class=\"crayon-syntax crayon-theme-solarized-dark crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\">\n<div class=\"crayon-plain-wrap\"><\/div>\n<div class=\"crayon-main\">\n<table class=\"crayon-table\">\n<tbody>\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums \" data-settings=\"show\">\n<div class=\"crayon-nums-content\">\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11bb5286696215-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11bb5286696215-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11bb5286696215-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11bb5286696215-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11bb5286696215-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11bb5286696215-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11bb5286696215-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11bb5286696215-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-57eb94cf11bb5286696215-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-57eb94cf11bb5286696215-10\">10<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\">\n<div id=\"crayon-57eb94cf11bb5286696215-1\" class=\"crayon-line\"><span class=\"crayon-v\">je<\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-v\">isis<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-o\">~<\/span><span class=\"crayon-sy\">$<\/span> <span class=\"crayon-v\">gcc<\/span> <span class=\"crayon-o\">-<\/span><span class=\"crayon-i\">o<\/span> <span class=\"crayon-i\">x<\/span> <span class=\"crayon-v\">x<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">c<\/span> 
<span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">m32<\/span><span class=\"crayon-sy\">;<\/span> <span class=\"crayon-v\">execstack<\/span> <span class=\"crayon-o\">-<\/span><span class=\"crayon-i\">s<\/span> <span class=\"crayon-i\">x<\/span><\/div>\n<div id=\"crayon-57eb94cf11bb5286696215-2\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-v\">je<\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-v\">isis<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-o\">~<\/span><span class=\"crayon-sy\">$<\/span> <span class=\"crayon-v\">gdb<\/span> <span class=\"crayon-o\">-<\/span><span class=\"crayon-i\">q<\/span> <span class=\"crayon-i\">x<\/span><\/div>\n<div id=\"crayon-57eb94cf11bb5286696215-3\" class=\"crayon-line\"><span class=\"crayon-e\">Reading <\/span><span class=\"crayon-e\">symbols <\/span><span class=\"crayon-v\">from<\/span> <span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">home<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">je<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">no <\/span><span class=\"crayon-e\">debugging <\/span><span class=\"crayon-e\">symbols <\/span><span class=\"crayon-v\">found<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">done<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div id=\"crayon-57eb94cf11bb5286696215-4\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">gdb<\/span><span class=\"crayon-sy\">)<\/span> <span class=\"crayon-i\">r<\/span><\/div>\n<div id=\"crayon-57eb94cf11bb5286696215-5\" class=\"crayon-line\"><span class=\"crayon-e\">Starting <\/span><span 
class=\"crayon-v\">program<\/span><span class=\"crayon-o\">:<\/span> <span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">home<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">je<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">x<\/span><\/div>\n<div id=\"crayon-57eb94cf11bb5286696215-6\" class=\"crayon-line crayon-striped-line\"><\/div>\n<div id=\"crayon-57eb94cf11bb5286696215-7\" class=\"crayon-line\"><span class=\"crayon-e\">Program <\/span><span class=\"crayon-e\">received <\/span><span class=\"crayon-e\">signal <\/span><span class=\"crayon-v\">SIGTRAP<\/span><span class=\"crayon-sy\">,<\/span> <span class=\"crayon-v\">Trace<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-e\">breakpoint <\/span><span class=\"crayon-v\">trap<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div id=\"crayon-57eb94cf11bb5286696215-8\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-cn\">0xffffd2b6<\/span> <span class=\"crayon-st\">in<\/span> <span class=\"crayon-sy\">?<\/span><span class=\"crayon-sy\">?<\/span> <span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div id=\"crayon-57eb94cf11bb5286696215-9\" class=\"crayon-line\"><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">gdb<\/span><span class=\"crayon-sy\">)<\/span> <span class=\"crayon-v\">x<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">s<\/span> <span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">edi<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-cn\">50<\/span><\/div>\n<div id=\"crayon-57eb94cf11bb5286696215-10\" class=\"crayon-line crayon-striped-line\"><span class=\"crayon-cn\">0xffffd0da<\/span><span class=\"crayon-o\">:<\/span> <span class=\"crayon-s\">\"GET \/15b436de1f9107A3778aad525e5d0b20.js HTTP\/1.1\"<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>This gives us the URL for the next stage of the 
challenge.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I heard about \u201cthe code\u201d at www.canyoucrackit.co.uk during the first friday of december (2011-12-02), and cracked the final stage on sunday two days later. The reason for not cracking it all during friday evening was, unfortunately, not because it presented much of a challenge but because I was out partying pretty much 24\/7 during friday &hellip; <a href=\"http:\/\/piratesecurityblog.com\/?p=20\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">GCHQ Challenge Solution \u2013 Stage 1<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[],"_links":{"self":[{"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/20"}],"collection":[{"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=20"}],"version-history":[{"count":1,"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/20\/revisions"}],"predecessor-version":[{"id":21,"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/20\/revisions\/21"}],"wp:attachment":[{"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=20"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=20"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=20"}],"curies":[{"name":"wp","href"
:"https:\/\/api.w.org\/{rel}","templated":true}]}}