{"id":22,"date":"2011-06-07T10:02:31","date_gmt":"2011-06-07T10:02:31","guid":{"rendered":"http:\/\/piratesecurityblog.com\/?p=22"},"modified":"2016-09-28T10:02:54","modified_gmt":"2016-09-28T10:02:54","slug":"gchq-challenge-solution-stage-2","status":"publish","type":"post","link":"http:\/\/piratesecurityblog.com\/?p=22","title":{"rendered":"GCHQ Challenge Solution \u2013 Stage 2"},"content":{"rendered":"

After cracking stage 1 of the GCHQ challenge, we get the URL to the Javascript code available here<\/a>.<\/p>\n

It defines a virtual machine with four general registers, two segment registers, one flag register and of course the instruction pointer. It also includes an array of two values named \u201cfirmware\u201d, which seems rather strange. These values are not used, nor mentioned in the definition of the virtual machine that is included in a comment further down in the javascript code. The use for these values will actually become apparent in the third and final stage.<\/p>\n

Besides specifying the register values and an array with the current memory contents, there is a 54 line comment describing the virtual machine architecture, the instruction encoding and the instruction set:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n
21<\/div>\n
22<\/div>\n
23<\/div>\n
24<\/div>\n
25<\/div>\n
26<\/div>\n
27<\/div>\n
28<\/div>\n
29<\/div>\n
30<\/div>\n
31<\/div>\n
32<\/div>\n
33<\/div>\n
34<\/div>\n
35<\/div>\n
36<\/div>\n
37<\/div>\n
38<\/div>\n
39<\/div>\n
40<\/div>\n
41<\/div>\n
42<\/div>\n
43<\/div>\n
44<\/div>\n
45<\/div>\n
46<\/div>\n
47<\/div>\n
48<\/div>\n
49<\/div>\n
50<\/div>\n
51<\/div>\n
52<\/div>\n
53<\/div>\n
54<\/div>\n
55<\/div>\n
56<\/div>\n
57<\/div>\n
58<\/div>\n
59<\/div>\n<\/div>\n<\/td>\n
\n
\n
\u00a0\u00a0<\/span>exec<\/span>:<\/span> function<\/span>(<\/span>)<\/span><\/div>\n
\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ virtual machine architecture<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ ++++++++++++++++++++++++++++<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ segmented memory model with 16-byte segment size (notation seg:offset)<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ 4 general-purpose registers (r0-r3)<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ 2 segment registers (cs, ds equiv. to r4, r5)<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ 1 flags register (fl)<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ instruction encoding<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ ++++++++++++++++++++<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 byte 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 byte 2 (optional)<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ bits\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0[ 7 6 5 4 3 2 1 0 ]\u00a0\u00a0[ 7 6 5 4 3 2 1 0 ]<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ opcode\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0– – –\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ mod\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 –\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ operand1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0– – – –<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ operand2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 – – – – – – – –<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ operand1 is always a register index<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ operand2 is optional, depending upon the instruction set specified below<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ the value of mod alters the meaning of any operand2<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/\u00a0\u00a0 0: operand2 = reg ix<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/\u00a0\u00a0 1: operand2 = fixed immediate value or target segment (depending on instruction)<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ instruction set<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ +++++++++++++++<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ <\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ Notes:<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/\u00a0\u00a0 * r1, r2 => operand 1 is register 1, operand 2 is register 2<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/\u00a0\u00a0 * movr r1, r2 => move contents of register r2 into register r1<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ <\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ opcode | instruction | operands (mod 0) | operands (mod 1)<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ ——-+————-+——————+—————–<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ 0x00\u00a0\u00a0 | jmp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | r1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | r2:r1<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ 0x01\u00a0\u00a0 | movr\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0| r1, r2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | rx,\u00a0\u00a0 imm <\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ 0x02\u00a0\u00a0 | movm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0| r1, [ds:r2]\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0| [ds:r1], r2<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ 0x03\u00a0\u00a0 | add\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | r1, r2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | r1,\u00a0\u00a0 imm<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ 0x04\u00a0\u00a0 | xor\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | r1, r2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | r1,\u00a0\u00a0 imm <\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ 0x05\u00a0\u00a0 | cmp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | r1, r2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | r1,\u00a0\u00a0 imm <\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ 0x06\u00a0\u00a0 | jmpe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0| r1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | r2:r1<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ 0x07\u00a0\u00a0 | hlt\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | N\/A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0| N\/A<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ flags<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ +++++<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ <\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ cmp r1, r2 instruction results in:<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/\u00a0\u00a0 r1 == r2 => fl = 0<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/\u00a0\u00a0 r1 < r2\u00a0\u00a0=> fl = 0xff<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/\u00a0\u00a0 r1 > r2\u00a0\u00a0=> fl = 1<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ <\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ jmpe r1<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/\u00a0\u00a0 => if (fl == 0) jmp r1<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>\/\/\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0else nop<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>throw<\/span> “VM.exec not yet implemented”<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

As you can see, it then throws an exception saying that VM.exec is not yet implemented. Our job is to implement this function, based on the information provided in the comment, and executing the embedded code in our virtual machine to see what it reveals. Although I don\u2019t really see how this would provide a demonstration of anything but quite basic skills, I decided to play along and continue with the challenge. I decided to make a C implementation instead though.<\/p>\n

First, I decided to only implement a disassembler and reverse-engineer the code by hand instead of actually implementing the virtual machine. After finding out that the initial piece of code actually decrypts the next part of the code, and that the decrypted code decrypts a string, I decided to actually implement the VM instead of just a disassembler.<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n<\/div>\n<\/td>\n
\n
\n
0000<\/span>:<\/span>\u00a0\u00a0<\/span>movr <\/span>r1<\/span>,<\/span> 0x4<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>;<\/span> r1<\/span> =<\/span> 4<\/span> =<\/span> Start <\/span>of <\/span>loop<\/span><\/div>\n
0002<\/span>:<\/span>\u00a0\u00a0<\/span>movr <\/span>r3<\/span>,<\/span> 0xaa<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>;<\/span> r3<\/span> =<\/span> 170<\/span> =<\/span> Value <\/span>to<\/span> XOR<\/span> with<\/span><\/div>\n
0004<\/span>:<\/span>\u00a0\u00a0<\/span>movm <\/span>r0<\/span>,<\/span> [<\/span>ds<\/span>:<\/span>r2<\/span>]<\/span>\u00a0\u00a0 <\/span>;<\/span> Get <\/span>encrypted <\/span>byte<\/span><\/div>\n
0006<\/span>:<\/span>\u00a0\u00a0<\/span>xor<\/span>\u00a0\u00a0<\/span>r0<\/span>,<\/span> r3<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>;<\/span> Use<\/span> XOR<\/span> with <\/span>r3 <\/span>to<\/span> decrypt<\/span><\/div>\n
0008<\/span>:<\/span>\u00a0\u00a0<\/span>movm<\/span> [<\/span>ds<\/span>:<\/span>r2<\/span>]<\/span>,<\/span> r0<\/span>\u00a0\u00a0 <\/span>;<\/span> Write <\/span>decrypted <\/span>byte<\/span> back <\/span>to<\/span> memory<\/span><\/div>\n
000a<\/span>:<\/span>\u00a0\u00a0<\/span>add\u00a0\u00a0<\/span>r2<\/span>,<\/span> 0x1<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>;<\/span> Increment <\/span>pointer <\/span>to<\/span> next <\/span>encrypted <\/span>byte<\/span><\/div>\n
000c<\/span>:<\/span>\u00a0\u00a0<\/span>add\u00a0\u00a0<\/span>r3<\/span>,<\/span> 0x1<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>;<\/span> Increment <\/span>value <\/span>to<\/span> XOR<\/span> with<\/span><\/div>\n
000e<\/span>:<\/span>\u00a0\u00a0<\/span>cmp\u00a0\u00a0<\/span>r2<\/span>,<\/span> 0x50<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>;<\/span> Compare <\/span>pointer <\/span>to<\/span> end<\/span> of <\/span>encrypted <\/span>data<\/span><\/div>\n
0010<\/span>:<\/span>\u00a0\u00a0<\/span>movr <\/span>r0<\/span>,<\/span> 0x14<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>;<\/span> Point <\/span>r0 <\/span>to<\/span> instruction <\/span>after <\/span>decryption <\/span>loop<\/span><\/div>\n
0012<\/span>:<\/span>\u00a0\u00a0<\/span>jmpe <\/span>r0<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>;<\/span> Jump <\/span>to<\/span> r0 <\/span>if<\/span> decryption <\/span>is<\/span> completed<\/span> (<\/span>r2<\/span> ==<\/span> 0x50<\/span>)<\/span><\/div>\n
0013<\/span>:<\/span>\u00a0\u00a0<\/span>jmp\u00a0\u00a0<\/span>r1<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>;<\/span> Jump <\/span>to<\/span> r1<\/span> (<\/span>start <\/span>of <\/span>loop<\/span> =<\/span> 0004<\/span>)<\/span><\/div>\n
0014<\/span>:<\/span>\u00a0\u00a0<\/span>xor<\/span>\u00a0\u00a0<\/span>r0<\/span>,<\/span> r0<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>;<\/span> Decryption <\/span>completed<\/span>.<\/span> Set <\/span>r0<\/span> =<\/span> 0<\/span><\/div>\n
0016<\/span>:<\/span>\u00a0\u00a0<\/span>jmp<\/span>\u00a0\u00a0<\/span>0x10<\/span>:<\/span>r0<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>;<\/span> Jump <\/span>to<\/span> 0x10<\/span>:<\/span>0<\/span> =<\/span> 0x0100<\/span> =<\/span> The <\/span>buffer <\/span>that <\/span>was <\/span>just <\/span>decrypted<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Corresponding C-code:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n<\/div>\n<\/td>\n
\n
\n
key<\/span> =<\/span> 0xaa<\/span>;<\/span><\/div>\n
for<\/span> (<\/span>i<\/span> =<\/span> 0<\/span>;<\/span> i<\/span> <<\/span> 0x50<\/span>;<\/span> i<\/span>++<\/span>)<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>buf<\/span>[<\/span>i<\/span>]<\/span> ^=<\/span> key<\/span>++<\/span>;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

The decrypted code is as follows, and quite similar to the previous code:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n<\/div>\n<\/td>\n
\n
\n
0100<\/span>:<\/span>\u00a0\u00a0<\/span>movr <\/span>r2<\/span>,<\/span> 0x0<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>;<\/span> r2<\/span> =<\/span> 0<\/span><\/div>\n
0102<\/span>:<\/span>\u00a0\u00a0<\/span>add\u00a0\u00a0<\/span>ds<\/span>,<\/span> 0xc<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>;<\/span> ds<\/span> =<\/span> ds<\/span> +<\/span> 0xc<\/span> =<\/span> 0x1C<\/span><\/div>\n
0104<\/span>:<\/span>\u00a0\u00a0<\/span>movr <\/span>r1<\/span>,<\/span> 0x8<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>;<\/span> r1<\/span> =<\/span> 8<\/span> =<\/span> Start <\/span>of <\/span>loop<\/span><\/div>\n
0106<\/span>:<\/span>\u00a0\u00a0<\/span>movr <\/span>r3<\/span>,<\/span> 0x32<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>;<\/span> r3<\/span> =<\/span> 50<\/span> =<\/span> Value <\/span>to<\/span> XOR<\/span> with<\/span><\/div>\n
0108<\/span>:<\/span>\u00a0\u00a0<\/span>movm <\/span>r0<\/span>,<\/span> [<\/span>ds<\/span>:<\/span>r2<\/span>]<\/span>\u00a0\u00a0 <\/span>;<\/span> Get <\/span>encrypted <\/span>byte<\/span><\/div>\n
010a<\/span>:<\/span>\u00a0\u00a0<\/span>xor<\/span>\u00a0\u00a0<\/span>r0<\/span>,<\/span> r3<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>;<\/span> Use<\/span> XOR<\/span> with <\/span>r3 <\/span>to<\/span> decrypt<\/span><\/div>\n
010c<\/span>:<\/span>\u00a0\u00a0<\/span>movm<\/span> [<\/span>ds<\/span>:<\/span>r2<\/span>]<\/span>,<\/span> r0<\/span>\u00a0\u00a0 <\/span>;<\/span> Write <\/span>decrypted <\/span>byte<\/span> back <\/span>to<\/span> memory<\/span><\/div>\n
010e<\/span>:<\/span>\u00a0\u00a0<\/span>add\u00a0\u00a0<\/span>r2<\/span>,<\/span> 0x1<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>;<\/span> Increment <\/span>pointer <\/span>to<\/span> next <\/span>encrypted <\/span>byte<\/span><\/div>\n
0110<\/span>:<\/span>\u00a0\u00a0<\/span>add\u00a0\u00a0<\/span>r3<\/span>,<\/span> 0x3<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>;<\/span> Increment <\/span>value <\/span>to<\/span> XOR<\/span> with <\/span>by <\/span>three<\/span><\/div>\n
0112<\/span>:<\/span>\u00a0\u00a0<\/span>cmp\u00a0\u00a0<\/span>r2<\/span>,<\/span> 0x0<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>;<\/span> Compare <\/span>pointer <\/span>with<\/span> 0<\/span>,<\/span> indicating <\/span>that <\/span>it <\/span>has <\/span>wrapped<\/span> (<\/span>it<\/span>‘s<\/span> only<\/span> a<\/span> byte<\/span>)<\/span><\/div>\n
0114<\/span>:<\/span>\u00a0\u00a0<\/span>jmpe <\/span>r3<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>;<\/span> Jump <\/span>to<\/span> r3 <\/span>if<\/span> it <\/span>has <\/span>wrapped<\/span>.<\/span> This<\/span> will <\/span>never <\/span>happen<\/span>.<\/span>.<\/span>.<\/span><\/div>\n
0115<\/span>:<\/span>\u00a0\u00a0<\/span>cmp\u00a0\u00a0<\/span>r0<\/span>,<\/span> 0x0<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>;<\/span> Compare <\/span>decrypted <\/span>byte<\/span> with<\/span> 0<\/span><\/div>\n
0117<\/span>:<\/span>\u00a0\u00a0<\/span>movr <\/span>r0<\/span>,<\/span> 0x1b<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>;<\/span> r0<\/span> =<\/span> 0x1b<\/span><\/div>\n
0119<\/span>:<\/span>\u00a0\u00a0<\/span>jmpe <\/span>r0<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>;<\/span> If<\/span> decrypted <\/span>byte<\/span> was<\/span> 0<\/span>,<\/span> jump <\/span>to<\/span> 0x011b<\/span> =<\/span> Instruction <\/span>after <\/span>the <\/span>loop<\/span><\/div>\n
011a<\/span>:<\/span>\u00a0\u00a0<\/span>jmp\u00a0\u00a0<\/span>r1<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>;<\/span> Jump <\/span>to<\/span> r1<\/span> (<\/span>start <\/span>of <\/span>loop<\/span> =<\/span> 0x0108<\/span>)<\/span><\/div>\n
011b<\/span>:<\/span>\u00a0\u00a0<\/span>hlt<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>;<\/span> Halt <\/span>execution<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Corresponding C-code (sort of):<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n<\/div>\n<\/td>\n
\n
\n
key<\/span> =<\/span> 0x32<\/span>;<\/span><\/div>\n
do<\/span> {<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>buf<\/span>[<\/span>i<\/span>]<\/span> ^=<\/span> key<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>key<\/span> +=<\/span> 3<\/span>;<\/span><\/div>\n
}<\/span> while<\/span> (<\/span>buf<\/span>[<\/span>i<\/span>]<\/span>)<\/span>;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

The instructions at 0x0112-0x0114 are not necessary, and could either be there for misdirection or possibly to indicate a hidden challenge. Further signs of this lies in the fact that there are a couple of instructions further down that are never executed:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n<\/div>\n<\/td>\n
\n
\n
0132<\/span>:<\/span>\u00a0\u00a0<\/span>add\u00a0\u00a0<\/span>ds<\/span>,<\/span> 0x10<\/span><\/div>\n
0134<\/span>:<\/span>\u00a0\u00a0<\/span>jmp\u00a0\u00a0<\/span>r1<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

There is also a 0xcc at 0x0140, that isn\u2019t even a valid a valid instruction in the instruction set for the virtual machine, but corresponds to a breakpoint in x86 assembler. Last but not least there are large chunks of memory that are neither read, written or executed. First of all, there are some zero bytes that are obviously just there for filling. What is more suspicious are these:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n
21<\/div>\n
22<\/div>\n<\/div>\n<\/td>\n
\n
\n
0150<\/span>:<\/span>\u00a0\u00a0<\/span>7D<\/span> 1F<\/span> 15<\/span> 60<\/span> 4D<\/span> 4D<\/span> 52<\/span> 7D<\/span> 0E<\/span> 27<\/span> 6D<\/span> 10<\/span> 6D<\/span> 5A<\/span> 06<\/span> 56<\/span>\u00a0\u00a0 <\/span>}<\/span>.<\/span>.<\/span>`<\/span>MMR<\/span>}<\/span>.<\/span>‘m.mZ.V<\/span><\/div>\n
0160:\u00a0\u00a047 14 42 0E B6 B2 B2 E6 EB B4 83 8E D7 E5 D4 D9\u00a0\u00a0 G.B………….<\/span><\/div>\n
0170:\u00a0\u00a0C3 F0 80 95 F1 82 82 9A BD 95 A4 8D 9A 2B 30 69\u00a0\u00a0 ………….+0i<\/span><\/div>\n
0180:\u00a0\u00a04A 69 65 55 1C 7B 69 1C 6E 04 74 35 21 26 2F 60\u00a0\u00a0 JieU.{i.n.t5!&\/`<\/span><\/div>\n
0190:\u00a0\u00a003 4E 37 1E 33 54 39 E6 BA B4 A2 AD A4 C5 95 C8\u00a0\u00a0 .N7.3T9………<\/span><\/div>\n
01a0:\u00a0\u00a0C1 E4 8A EC E7 92 8B E8 81 F0 AD 98 A4 D0 C0 8D\u00a0\u00a0 …………….<\/span><\/div>\n
01b0:\u00a0\u00a0AC 22 52 65 7E 27 2B 5A 12 61 0A 01 7A 6B 1D 67\u00a0\u00a0 .”Re~’<\/span>+<\/span>Z<\/span>.<\/span>a<\/span>.<\/span>.<\/span>zk<\/span>.<\/span>g<\/span><\/div>\n
.<\/span>.<\/span>.<\/span><\/div>\n
0200<\/span>:<\/span>\u00a0\u00a0<\/span>37<\/span> 7A<\/span> 07<\/span> 11<\/span> 1F<\/span> 1D<\/span> 68<\/span> 25<\/span> 32<\/span> 77<\/span> 1E<\/span> 62<\/span> 23<\/span> 5B<\/span> 47<\/span> 55<\/span>\u00a0\u00a0 <\/span>7z….h<\/span>%<\/span>2w.b<\/span>#[GU<\/span><\/div>\n
0210<\/span>:<\/span>\u00a0\u00a0<\/span>53<\/span> 30<\/span> 11<\/span> 42<\/span> F6 <\/span>F1 <\/span>B1 <\/span>E6 <\/span>C3 <\/span>CC <\/span>F8 <\/span>C5 <\/span>E4 <\/span>CC <\/span>C0 <\/span>D3\u00a0\u00a0 <\/span>S0<\/span>.<\/span>B<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span><\/div>\n
0220<\/span>:<\/span>\u00a0\u00a0<\/span>85<\/span> FD<\/span> 9A<\/span> E3 <\/span>E6<\/span> 81<\/span> B5 <\/span>BB <\/span>D7 <\/span>CD<\/span> 87<\/span> A3 <\/span>D3<\/span> 6B<\/span> 36<\/span> 6F<\/span>\u00a0\u00a0 <\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>k6o<\/span><\/div>\n
0230<\/span>:<\/span>\u00a0\u00a0<\/span>6F<\/span> 66<\/span> 55<\/span> 30<\/span> 16<\/span> 45<\/span> 5E<\/span> 09<\/span> 74<\/span> 5C<\/span> 3F<\/span> 29<\/span> 2B<\/span> 66<\/span> 3D<\/span> 0D<\/span>\u00a0\u00a0 <\/span>ofU0<\/span>.<\/span>E<\/span>^<\/span>.<\/span>t<\/span>\\<\/span>?<\/span>)<\/span>+<\/span>f<\/span>=<\/span>.<\/span><\/div>\n
0240<\/span>:<\/span>\u00a0\u00a0<\/span>02<\/span> 30<\/span> 28<\/span> 35<\/span> 15<\/span> 09<\/span> 15<\/span> DD <\/span>EC <\/span>B8 <\/span>E2 <\/span>FB <\/span>D8 <\/span>CB <\/span>D8 <\/span>D1<\/span>\u00a0\u00a0 <\/span>.<\/span>0<\/span>(<\/span>5…………<\/span><\/div>\n
0250<\/span>:<\/span>\u00a0\u00a0<\/span>8B<\/span> D5<\/span> 82<\/span> D9<\/span> 9A<\/span> F1<\/span> 92<\/span> AB <\/span>E8 <\/span>A6 <\/span>D6 <\/span>D0<\/span> 8C<\/span> AA <\/span>D2<\/span> 94<\/span>\u00a0\u00a0 <\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span><\/div>\n
0260<\/span>:<\/span>\u00a0\u00a0<\/span>CF<\/span> 45<\/span> 46<\/span> 67<\/span> 20<\/span> 7D<\/span> 44<\/span> 14<\/span> 6B<\/span> 45<\/span> 6D<\/span> 54<\/span> 03<\/span> 17<\/span> 60<\/span> 62<\/span>\u00a0\u00a0 <\/span>.<\/span>EFg<\/span> }<\/span>D<\/span>.<\/span>kEmT<\/span>.<\/span>.<\/span>`<\/span>b<\/span><\/div>\n
0270<\/span>:<\/span>\u00a0\u00a0<\/span>55<\/span> 5A<\/span> 4A<\/span> 66<\/span> 61<\/span> 11<\/span> 57<\/span> 68<\/span> 75<\/span> 05<\/span> 62<\/span> 36<\/span> 7D<\/span> 02<\/span> 10<\/span> 4B<\/span>\u00a0\u00a0 <\/span>UZJfa<\/span>.<\/span>Whu<\/span>.<\/span>b6<\/span>}<\/span>.<\/span>.<\/span>K<\/span><\/div>\n
0280<\/span>:<\/span>\u00a0\u00a0<\/span>08<\/span> 22<\/span> 42<\/span> 32<\/span> BA <\/span>E2 <\/span>B9 <\/span>E2 <\/span>D6 <\/span>B9 <\/span>FF <\/span>C3 <\/span>E9<\/span> 8A<\/span> 8F<\/span> C1<\/span>\u00a0\u00a0 <\/span>.<\/span>“B2<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span><\/div>\n
0290<\/span>:<\/span>\u00a0\u00a0<\/span>8F<\/span> E1 <\/span>B8 <\/span>A4<\/span> 96<\/span> F1<\/span> 8F<\/span> 81<\/span> B1<\/span> 8D<\/span> 89<\/span> CC <\/span>D4<\/span> 78<\/span> 76<\/span> 61<\/span>\u00a0\u00a0 <\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>xva<\/span><\/div>\n
02a0<\/span>:<\/span>\u00a0\u00a0<\/span>72<\/span> 3E<\/span> 37<\/span> 23<\/span> 56<\/span> 73<\/span> 71<\/span> 79<\/span> 63<\/span> 7C<\/span> 08<\/span> 11<\/span> 20<\/span> 69<\/span> 7A<\/span> 14<\/span>\u00a0\u00a0 <\/span>r<\/span>><\/span>7<\/span>#Vsqyc|.. iz.<\/span><\/div>\n
02b0<\/span>:<\/span>\u00a0\u00a0<\/span>68<\/span> 05<\/span> 21<\/span> 1E<\/span> 32<\/span> 27<\/span> 59<\/span> B7 <\/span>CF <\/span>AB <\/span>DD <\/span>D5 <\/span>CC<\/span> 97<\/span> 93<\/span> F2<\/span>\u00a0\u00a0 <\/span>h<\/span>.<\/span>!<\/span>.<\/span>2<\/span>‘Y<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span><\/div>\n
02c0<\/span>:<\/span>\u00a0\u00a0<\/span>E7 <\/span>C0 <\/span>EB <\/span>FF <\/span>E9 <\/span>A3 <\/span>BF <\/span>A1 <\/span>AB<\/span> 8B<\/span> BB<\/span> 9E<\/span> 9E<\/span> 8C<\/span> A0 <\/span>C1<\/span>\u00a0\u00a0 <\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span>.<\/span><\/div>\n
02d0<\/span>:<\/span>\u00a0\u00a0<\/span>9B<\/span> 5A<\/span> 2F<\/span> 2F<\/span> 4E<\/span> 4E<\/span> 00<\/span> 00<\/span> 00<\/span> 00<\/span> 00<\/span> 00<\/span> 00<\/span> 00<\/span> 00<\/span> 00<\/span>\u00a0\u00a0 <\/span>.<\/span>Z<\/span>\/\/NN……….<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

There are some interesting patterns in this data, especially when interpreting it as three 112 bytes chunks. Each chunk consists of 20 bytes < 0x80, 25 bytes >= 0x80, 26 bytes < 0x80, 26 bytes >= 0x80 and finally 15 bytes < 0x80. In other words, there is a pattern in which bytes have the most significant bit set in each of these chunks. This pattern could be the result of each chunk being XOR-encoded using the same algorithm as has been used in the previous code, with some specific start and step values. I decided not to waste any more time on this track unless the challenge seemed to lead to a dead end though. After the second decryption loop it will reveal the following string at 0x01b0:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
GET<\/span> \/<\/span>da75370fe15c4148bd4ceec861fbdaa5<\/span>.<\/span>exe <\/span>HTTP<\/span>\/<\/span>1.0<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Yet another URL, this time to an x86 Windows\/cygwin executable. To get this string I could just have dumped the virtual machine memory after execution, since I had already reverse-engineered the code I decided to get each character after it has been decoded by reading r0 at ip = 0x010c (0x010c == 268), using the code available here<\/a>.<\/p>\n

Note that I have not bothered to implement any bounds checking when reading values from memory, so running the VM on arbitrary\/random code will most likely result in a crash. \ud83d\ude42 In this case I had already seen that the code was \u201cwell behaved\u201d and just wanted to go on to the next stage of the challenge though.<\/p>\n","protected":false},"excerpt":{"rendered":"

After cracking stage 1 of the GCHQ challenge, we get the URL to the Javascript code available here. It defines a virtual machine with four general registers, two segment registers, one flag register and of course the instruction pointer. It also includes an array of two values named \u201cfirmware\u201d, which seems rather strange. These values … Continue reading GCHQ Challenge Solution \u2013 Stage 2<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[],"_links":{"self":[{"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/22"}],"collection":[{"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=22"}],"version-history":[{"count":1,"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/22\/revisions"}],"predecessor-version":[{"id":23,"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/22\/revisions\/23"}],"wp:attachment":[{"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=22"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=22"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=22"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}