# GynvaelEN mission 013 


# cat parser.py
import sys

def rld(d):
      if '*' in d:
            i = d.index('*')
            c = d[i - 1]
            n = ord(d[i + 1]) - 28
            d = rld(d[:i - 1] + (c * n) + d[i + 2:])
      return d

def vfile(fd, files, line):
      if 'vFile:open' in line:
            next_line = data[i + 1].split('#')[0]
            if 'F-1' not in next_line:
                  name = line.split(':')[2].split(',')[0]
                  num = next_line[1:]
                  fd[num] = name
                  if name not in files:
                        files[name] = []
      elif 'vFile:close' in line:
            num = line.split(':')[2]
            fd[num] = ''
      elif 'vFile:pread' in line:
            num = line.split(':')[2].split(',')[0]
            offset = int('0x' + line.split(':')[2].split(',')[2], 16)
            next_line = data[i + 1].split('#')[0]
            d = rld(''.join(next_line.split(';')[1:]))
            name = fd[num]
            files[name].append({'offset': offset, 'data': d})

def memory(files, line, mem):
      if mem in line:
            offset = int('0x' + line.split(',')[0][1:].replace(mem, ''), 16)
            next_line = data[i + 1].split('#')[0]
            d = rld(next_line).decode('hex')
            files[mem].append({'offset': offset, 'data': d})

def write(files):
      for name in files:
            with open(name + '.bin', 'wb') as f:
                  for reg in files[name]:
                        f.seek(reg['offset'])
                        f.write(reg['data'])
fd = {}
files = {}

fn = sys.argv[1]

with open(fn) as f:
      data = f.read().split('$')

action = sys.argv[2]

if action == 'memory':
      mem = sys.argv[3]
      files[mem] = []

i = 0
while i < len(data):
      line = data[i].split('#')[0]
      if action == 'vfile':
            vfile(fd, files, line)
      elif action == 'memory':
            memory(files, line, mem)
      i += 1

write(files)

# tshark -nr session.pcapng -T fields -e data -qz follow,tcp,raw,3|tail -n +7| tr -d '=\r\n\t'|less|xxd -r -p > follow_tcp_stream3

# python parser.py follow_tcp_stream3 vfile

# ls 2f*
2f6c69622f7838365f36342d6c696e75782d676e752f6c642d322e32342e736f.bin
2f6c696236342f6c642d6c696e75782d7838362d36342e736f2e32.bin
2f6d656469612f73665f425f44524956452f73747265616d2d6c697665636f64696e672f6d697373696f6e732f6d697373696f6e3031335f66696c65732f612e6f7574.bin
2f70726f632f353937392f6d617073.bin
2f70726f632f353937392f706572736f6e616c697479.bin
2f70726f632f353937392f7461736b2f353937392f6d617073.bin
2f70726f632f7379732f6b65726e656c2f72616e646f6d697a655f76615f7370616365.bin

# cat 2f70726f632f353937392f6d617073.bin
555555554000-555555555000 r-xp 00000000 00:2a 5868                       /media/sf_B_DRIVE/stream-livecoding/missions/mission013_files/a.out
555555754000-555555756000 rw-p 00000000 00:2a 5868                       /media/sf_B_DRIVE/stream-livecoding/missions/mission013_files/a.out
7ffff7dd7000-7ffff7dfc000 r-xp 00000000 08:01 14942250                   /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffe000 rw-p 00025000 08:01 14942250                   /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

# python parser.py follow_tcp_stream3 memory 55555555

# r2 55555555.bin
[0x00000000]> s 0x00004831
[0x00004831]> pd 44
            0x00004831      48c785a8feff.  mov qword [rbp - 0x158], 0
        .-> 0x0000483c      488b85a8feff.  mov rax, qword [rbp - 0x158]
        |   0x00004843      483b85b8feff.  cmp rax, qword [rbp - 0x148]
       ,==< 0x0000484a      0f83b9000000   jae 0x4909
       ||   0x00004850      488d95f0feff.  lea rdx, qword [rbp - 0x110]
       ||   0x00004857      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x0000485e      4801d0         add rax, rdx                ; '('
       ||   0x00004861      0fb600         movzx eax, byte [rax]
       ||   0x00004864      83f05a         xor eax, 0x5a
       ||   0x00004867      89c1           mov ecx, eax
       ||   0x00004869      488d95f0feff.  lea rdx, qword [rbp - 0x110]
       ||   0x00004870      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x00004877      4801d0         add rax, rdx                ; '('
       ||   0x0000487a      8808           mov byte [rax], cl
       ||   0x0000487c      488d95f0feff.  lea rdx, qword [rbp - 0x110]
       ||   0x00004883      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x0000488a      4801d0         add rax, rdx                ; '('
       ||   0x0000488d      0fb600         movzx eax, byte [rax]
       ||   0x00004890      8d5063         lea edx, dword [rax + 0x63] ; 0x63 ; 'c'
       ||   0x00004893      488d8df0feff.  lea rcx, qword [rbp - 0x110]
       ||   0x0000489a      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x000048a1      4801c8         add rax, rcx                ; '&'
       ||   0x000048a4      8810           mov byte [rax], dl
       ||   0x000048a6      488d95f0feff.  lea rdx, qword [rbp - 0x110]
       ||   0x000048ad      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x000048b4      4801d0         add rax, rdx                ; '('
       ||   0x000048b7      0fb600         movzx eax, byte [rax]
       ||   0x000048ba      83f05a         xor eax, 0x5a
       ||   0x000048bd      89c1           mov ecx, eax
       ||   0x000048bf      488d95f0feff.  lea rdx, qword [rbp - 0x110]
       ||   0x000048c6      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x000048cd      4801d0         add rax, rdx                ; '('
       ||   0x000048d0      8808           mov byte [rax], cl
       ||   0x000048d2      488d95f0feff.  lea rdx, qword [rbp - 0x110]
       ||   0x000048d9      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x000048e0      4801d0         add rax, rdx                ; '('
       ||   0x000048e3      0fb600         movzx eax, byte [rax]
       ||   0x000048e6      8d5063         lea edx, dword [rax + 0x63] ; 0x63 ; 'c'
       ||   0x000048e9      488d8df0feff.  lea rcx, qword [rbp - 0x110]
       ||   0x000048f0      488b85a8feff.  mov rax, qword [rbp - 0x158]
       ||   0x000048f7      4801c8         add rax, rcx                ; '&'
       ||   0x000048fa      8810           mov byte [rax], dl
       ||   0x000048fc      488385a8feff.  add qword [rbp - 0x158], 1
       |`=< 0x00004904      e933ffffff     jmp 0x483c
[0x00004831]> s 0x4909
[0x00004909]> pd 58
            0x00004909      c685c0feffff.  mov byte [rbp - 0x140], 0x8e
            0x00004910      c685c1feffff.  mov byte [rbp - 0x13f], 0x32 ; '2'
            0x00004917      c685c2feffff.  mov byte [rbp - 0x13e], 0x2f ; '/'
            0x0000491e      c685c3feffff.  mov byte [rbp - 0x13d], 0x39 ; '9'
            0x00004925      c685c4feffff.  mov byte [rbp - 0x13c], 0xea
            0x0000492c      c685c5feffff.  mov byte [rbp - 0x13b], 0x2d ; '-'
            0x00004933      c685c6feffff.  mov byte [rbp - 0x13a], 0x27 ; '''
            0x0000493a      c685c7feffff.  mov byte [rbp - 0x139], 0x39 ; '9'
            0x00004941      c685c8feffff.  mov byte [rbp - 0x138], 0xea
            0x00004948      c685c9feffff.  mov byte [rbp - 0x137], 0x27 ; '''
            0x0000494f      c685cafeffff.  mov byte [rbp - 0x136], 0xea
            0x00004956      c685cbfeffff.  mov byte [rbp - 0x135], 0x88
            0x0000495d      c685ccfeffff.  mov byte [rbp - 0x134], 0x25 ; '%'
            0x00004964      c685cdfeffff.  mov byte [rbp - 0x133], 0x94
            0x0000496b      c685cefeffff.  mov byte [rbp - 0x132], 0x3b ; ';'
            0x00004972      c685cffeffff.  mov byte [rbp - 0x131], 0x30 ; '0'
            0x00004979      c685d0feffff.  mov byte [rbp - 0x130], 0x39 ; '9'
            0x00004980      c685d1feffff.  mov byte [rbp - 0x12f], 0x2f ; '/'
            0x00004987      c685d2feffff.  mov byte [rbp - 0x12e], 0x29 ; ')'
            0x0000498e      c685d3feffff.  mov byte [rbp - 0x12d], 0x39 ; '9'
            0x00004995      c685d4feffff.  mov byte [rbp - 0x12c], 0xea
            0x0000499c      c685d5feffff.  mov byte [rbp - 0x12b], 0x2e ; '.'
            0x000049a3      c685d6feffff.  mov byte [rbp - 0x12a], 0x27 ; '''
            0x000049aa      c685d7feffff.  mov byte [rbp - 0x129], 0x39 ; '9'
            0x000049b1      c685d8feffff.  mov byte [rbp - 0x128], 0x31 ; '1'
            0x000049b8      c685d9feffff.  mov byte [rbp - 0x127], 0xea
            0x000049bf      c685dafeffff.  mov byte [rbp - 0x126], 0x8f
            0x000049c6      c685dbfeffff.  mov byte [rbp - 0x125], 0xea
            0x000049cd      c685dcfeffff.  mov byte [rbp - 0x124], 0x5d ; ']'
            0x000049d4      c685ddfeffff.  mov byte [rbp - 0x123], 0x2b ; '+'
            0x000049db      c685defeffff.  mov byte [rbp - 0x122], 0x5b ; '['
            0x000049e2      c685dffeffff.  mov byte [rbp - 0x121], 0x39 ; '9'
            0x000049e9      c685e0feffff.  mov byte [rbp - 0x120], 0x39 ; '9'
            0x000049f0      c685e1feffff.  mov byte [rbp - 0x11f], 0xf0
            0x000049f7      48c785b0feff.  mov qword [rbp - 0x150], 0
        .-> 0x00004a02      488b85b0feff.  mov rax, qword [rbp - 0x150]
        |   0x00004a09      483b85b8feff.  cmp rax, qword [rbp - 0x148]
       ,==< 0x00004a10      7349           jae 0x4a5b
       ||   0x00004a12      488d95c0feff.  lea rdx, qword [rbp - 0x140]
       ||   0x00004a19      488b85b0feff.  mov rax, qword [rbp - 0x150]
       ||   0x00004a20      4801d0         add rax, rdx                ; '('
       ||   0x00004a23      0fb610         movzx edx, byte [rax]
       ||   0x00004a26      488d8df0feff.  lea rcx, qword [rbp - 0x110]
       ||   0x00004a2d      488b85b0feff.  mov rax, qword [rbp - 0x150]
       ||   0x00004a34      4801c8         add rax, rcx                ; '&'
       ||   0x00004a37      0fb600         movzx eax, byte [rax]
       ||   0x00004a3a      38c2           cmp dl, al
      ,===< 0x00004a3c      7413           je 0x4a51
      |||   0x00004a3e      488d3dd80000.  lea rdi, qword 0x00004b1d   ; 0x4b1d
      |||   0x00004a45      e8e6fbffff     call 0x4630
      |||   0x00004a4a      b803000000     mov eax, 3
     ,====< 0x00004a4f      eb1b           jmp 0x4a6c
     |`---> 0x00004a51      488385b0feff.  add qword [rbp - 0x150], 1
     | |`=< 0x00004a59      eba7           jmp 0x4a02
     | `--> 0x00004a5b      488d3dc00000.  lea rdi, qword 0x00004b22   ; 0x4b22
     |      0x00004a62      e8c9fbffff     call 0x4630
     |      0x00004a67      b800000000     mov eax, 0
     `----> 0x00004a6c      488b75f8       mov rsi, qword [rbp - 8]

# ipython
In [1]: table = [0x8e, 0x32, 0x2f, 0x39, 0xea, 0x2d, 0x27, 0x39, 0xea, 0x27, 0xea, 0x88, 0x25, 0x94, 0x3b, 0x30, 0x39, 0x2f, 0x29, 0x39, 0xea, 0x2e, 0x27, 0x39, 0x31, 0xea, 0x8f, 0xea, 0x5d, 0x2b, 0x5b, 0x39, 0x39, 0xf0]
   ...: r = ''
   ...: for e in table:
   ...:     r += chr(((((e - 0x63) ^ 0x5a) - 0x63) ^ 0x5a) & 0xff)
   ...: print r
   ...:
This was a FoREnsics task I guess.

Source

https://www.youtube.com/watch?v=7zTtVYjjquA (1:58:10)

Reference

https://sourceware.org/gdb/onlinedocs/gdb/Remote-Protocol.html
Posted by t0n1
Labels: , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)