For the last couple of years, I've been planting a CTF-like challenge as an easter egg in Swisscom's security.txt file (RFC 9116). The current challenge is here: https://www.swisscom.ch/.well-known/security.txt. All challenges are also archived on Github: https://github.com/swisscom/securitytxt. I thought it was about time to provide the solutions to the past challenges, so let's start with year 2022. You were given the following string:
48b8d8cfce84dac3c6c648890748b8ea
d9ddc3d9d9c9c54889470848b8c784c9
c5c7000000488947104831c98a040f34
aa88040f48ffc14883f91575ef
Given the composition of characters 0-9, a-f and the even length, it is safe to assume that it is hex-encoding. Interpreting the values is a bit harder though, it's probably not text, since there are many values outside of the range of ASCII printable characters (0x33 to 0x7e). So, some guessing is needed here (CyberChef is your friend), or you can also ask ChatGPT:
Please provide a concise answer. What does this hex represent? 48b8...5ef
This hex string represents x86-64 machine code (assembly instructions) for a specific program or function. To understand exactly what it does, it would need to be disassembled, revealing the instructions it corresponds to. It may include operations such as moving values to registers, arithmetic operations, or system calls.
Let's go ahead and analyse the machine code in a disassembler. Here's the output of the following CyberChef recipe:
Let's break down the code. Instructions in the violet box (addresses 0x00 to 0x25) are loading a total of 24 bytes into memory at an address stored in RDI (the exact address is unknown). The pattern to load a constant 64-bit (8 byte) value repeats three times:
- Load an immediate value into register RAX
- Store the value in RAX to the memory address stored in [RDI + offset]
Note that x86-64 uses little-endian format, therefore the resulting memory content at address referred by RDI is:
RDI+00 D8 CF CE 84 DA C3 C6 C6
RDI+08 EA D9 DD C3 D9 D9 C9 C5
RDI+16 C7 84 C9 C5 C7 00 00 00
Moving on, let's look at the instructions in the orange box (addresses 0x29 to 0x3b). This code iterates over 21 bytes in memory (from [RDI] to [RDI+20]), XOR-ing each byte with the value 0xaa (binary b10101010). Let's look at the instructions in detail:
- XOR RCX, RCX: Clears RCX (sets it to 0). RCX will be used as the loop counter
- MOV AL, BYTE PTR [RDI+RCX]: Load a byte from the memory address RDI with offset RCX into the low byte of RAX (AL)
- XOR AL, AA: Perform an XOR operation between the byte in AL and the immediate value 0xaa
- MOV BYTE PTR [RDI+RCX], AL: Write the result of the XOR operation back to memory address RDI at offset RCX.
- CMP RCX, 0x15: Compare the current loop counter (ECX) with value 21 (decimal)
- JNE 0x2c: If the loop counter (RCX) is not equal to 21, jump back to the instruction at address 0x2c, which is where the XOR loop starts.
Note that the last instruction JNE (jump not equal/zero) is encoded as 75ef, which represents a short jump, i.e. a relative jump of -17 bytes from the current instruction pointer (EIP, address 0x3d). The resulting jump address is 0x2c. So the code is actually position independent.
After processing the XOR-loop the memory content is set as follows:
RDI+00 72 65 64 2e 70 69 6c 6c |red.pill|
RDI+08 40 73 77 69 73 73 63 6f |@swissco|
RDI+16 6d 2e 63 6f 6d 00 00 00 |m.com...|
The first 10 people who wrote a message to this e-mail address received some Swisscom swag as a reward. Note: the e-mail address was chosen as a reference to the 1999 hacker/cyberpunk movie The Matrix, following the nomenclature of the meeting rooms in the Swisscom Cyber Defence offices. Any other references are explicitly excluded.
No comments:
Post a Comment