Didier Stevens

Sunday 9 November 2008

Picture Puzzle

Filed under: Puzzle — Didier Stevens @ 7:41

As I announced via Twitter, here’s a new puzzle. Find the message I’ve hidden in this picture.

First one to post a comment with the correct answer can get a sticker. For those who don’t know, comments are moderated.

10 Comments »

  1. The message is: “Hello from BMP shellcode!”

    Comment by Ostracon — Sunday 9 November 2008 @ 22:25

  2. Correct! Static or dynamic analysis?

    Comment by Didier Stevens — Sunday 9 November 2008 @ 22:30

  3. Too late for a prize, I know, but my static method to find the answer without doing a whole lot of disassembly work:

    Look through file, observe some shellcode sequences, dump the whole thing straight into ndisasm:

    ndisasm -u picture-puzzle.bmp

    Notice all the bytes being directly written to a local, so grep out the interesting bytes:

    dd if=picture-puzzle.bmp bs=1 2>/dev/null|ndisasm -u -|grep 'mov byte'|sed 's/[^,]*,0/\\/g'|tr -d '\n'

    Run through printf after changing null bytes to newlines:

    printf '\x55\x72\x79\x79\x62\x20\x73\x65\x62\x7a\x20\x4f\x5a\x43\x20\x66\x75\x72\x79\x79\x70\x62\x71\x72\x21\x0a\x75\x73\x65\x72\x33\x32\x0a\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x0a'

    Uryyb sebz OZC furyypbqr!
    user32
    MessageBoxA

    Looks like alphabetic substitution on the interesting string, notice no obvious operations in the shellcode to deobfuscate it, take a wild shot on rot13, get lucky, and done.

    Comment by Jordan — Monday 10 November 2008 @ 12:57

  4. Nice command-line skills Jordan!

    Comment by Didier Stevens — Monday 10 November 2008 @ 13:10

  5. Thanks! “If it can’t be done on the command-line, it isn’t worth doing” is my motto… or something like that. ;-)

    FYI if anybody tries to copy/paste: the smart quotes from WordPress will likely get in the way.

    Also, my method is certainly not the recommended way to actually learn from the challenge. Dump into a shellcode wrapper or debugger for maximum enjoyment.

    Comment by Jordan — Monday 10 November 2008 @ 22:30

  6. Complete neophyte here – arrived by way of another blog.

    I’m very interested in learning about these analyses that you describe in your various posts.

    Are there useful tools (such as the shellcode wrapper or debugger that Jordan mentions) available as freeware for Windows?

    Thanks!

    Comment by sh4Rkb8 — Thursday 13 November 2008 @ 14:58

  7. I was able to find the string Jordan was referring to by opening the file in a hex editor, doing a hex-ascii conversion, and applying rot13 (like Jordan) to arrive at the answer.

    However, that was clearly the easy part. I’m still trying to figure out how to trim it down to that particular string from the whole hex dump. Mind you, I don’t have nearly the skills Jordan clearly does.

    Comment by sh4Rkb8 — Thursday 13 November 2008 @ 20:20

  8. … and the ascii table was superfluous (should have looked more closely at the text table in the hex editor).

    I’ll shut up now.

    Comment by sh4Rkb8 — Thursday 13 November 2008 @ 20:43

  9. I’ll post my solution for Windows in the coming weeks

    Comment by Didier Stevens — Thursday 13 November 2008 @ 20:48

  10. That commandline can be sharpened up a touch … I tend to build up a commandline one step at a time, makes it easy to see what’s going on.

    Once you get a good command-line solution, this can usefully form the basis of automated testing :-)

    As Jordan says, the key here is to run ndisasm over the file, and notice the ‘mov byte’ invocations. Collecting them with grep is simple, and then cut can be used to grab just the bytes themselves out.

    ndisasm -u picture-puzzle.bmp | grep 'mov byte' | cut -d, -f2

    This produces the bytes we want, one per line. To make printf’s job easier, we need to replace ‘^0x’ with ‘\x…’ (using single quotes here to make the \ safe from the shell, but still doubling it because of sed), and also replace ‘x0$’ (the null) with ‘x0a’ (LF)

    … | sed -e 's/^0x/\\x/; s/x0$/x0a/'

    The tr command is a great way to strip out all the newlines, and make this one single line for the printf command … which wraps around the whole commandline using the $() operator from bash (easier to read than the traditional shell ` backticks)

    printf $(ndisasm …|tr -d '\n')

    Oh noes! An alphabet substitution … quickly fixed with the caesar program, which will do a quick letter frequency count to determine the correct rotation to use … in this case, it’s 13 of course.

    printf $(ndisasm -u picture-puzzle.bmp | grep 'mov byte' | cut -d, -f2 |
    sed -e 's/^0x/\\x/; s/x0$/x0a/' | tr -d '\n' ) | caesar

    Hello from BMP shellcode!
    hfre32
    ZrffntrObkN

    Comment by Jim — Thursday 13 November 2008 @ 21:10
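The same static recovery that Jordan and Jim do with grep, sed and printf, written as a small parser so it can be reused on other disassembly listings. This is an added example and not code from the post or its commenters; the ndisasm listing below is constructed for illustration (offsets and opcode bytes are made up, and the stub is far shorter than the puzzle's real shellcode). It goes one step beyond the thread by also handling dword stores, emitting their immediates little-endian as they would land in memory, and it keeps the rot13 step as a plain function so a different substitution can be swapped in.

```python
import codecs
import re

# Constructed sample of "ndisasm -u" output (illustrative, not the puzzle file's
# real disassembly): a stub that builds a NUL-separated string on the stack one
# immediate at a time, the "mov byte" pattern Jordan and Jim grep for. One store
# is a dword to show the little-endian case. Offsets and opcode bytes are made up.
SAMPLE_DISASM = """\
00000000  55                push ebp
00000001  89E5              mov ebp,esp
00000003  C645F055          mov byte [ebp-0x10],0x55
00000007  C645F172          mov byte [ebp-0xf],0x72
0000000B  C645F279          mov byte [ebp-0xe],0x79
0000000F  C645F379          mov byte [ebp-0xd],0x79
00000013  C645F462          mov byte [ebp-0xc],0x62
00000017  C645F521          mov byte [ebp-0xb],0x21
0000001B  C645F600          mov byte [ebp-0xa],0x0
0000001F  C745F868667265    mov dword [ebp-0x8],0x65726668
00000026  C645FC33          mov byte [ebp-0x4],0x33
0000002A  C645FD32          mov byte [ebp-0x3],0x32
0000002E  C645FE00          mov byte [ebp-0x2],0x0
00000032  8D45F0            lea eax,[ebp-0x10]
00000035  50                push eax
"""

# Matches the immediate stores ndisasm prints as e.g. "mov byte [ebp-0x10],0x55".
STORE_RE = re.compile(r"mov (byte|dword) \[[^\]]+\],0x([0-9a-fA-F]+)")

SIZES = {"byte": 1, "dword": 4}


def extract_immediates(disasm: str) -> bytes:
    """Collect the immediate of every byte/dword store, in instruction order.

    Dword immediates are written out little-endian, which is the byte order
    they take in memory on x86, so the buffer reads as the shellcode built it.
    """
    out = bytearray()
    for line in disasm.splitlines():
        m = STORE_RE.search(line)
        if not m:
            continue
        size = SIZES[m.group(1)]
        out += int(m.group(2), 16).to_bytes(size, "little")
    return bytes(out)


def split_c_strings(blob: bytes) -> list:
    """Split the recovered buffer at NUL terminators, dropping the empty tail."""
    return [s.decode("latin-1") for s in blob.split(b"\x00") if s]


def rot13(text: str) -> str:
    """The substitution the thread settled on; swap this out for other puzzles."""
    return codecs.decode(text, "rot_13")


def recover_strings(disasm: str) -> list:
    """Full pipeline: listing text -> list of (obfuscated, decoded) pairs."""
    return [(s, rot13(s)) for s in split_c_strings(extract_immediates(disasm))]


if __name__ == "__main__":
    for obfuscated, clear in recover_strings(SAMPLE_DISASM):
        print(f"{obfuscated!r} -> {clear!r}")
```

On a real file, feed it the output of `ndisasm -u picture-puzzle.bmp` (read from a file or a pipe) instead of the constructed sample. The regex deliberately ignores register-to-memory moves, so it only picks up the literal bytes the shellcode places on the stack, which is the same filter the `grep 'mov byte'` step applies.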

