Comments on: Picture Puzzle http://blog.didierstevens.com/2008/11/09/picture-puzzle/ (blog 'DidierStevens) Sun, 14 Mar 2010 21:22:33 +0000 http://wordpress.com/ hourly 1 By: Jim http://blog.didierstevens.com/2008/11/09/picture-puzzle/#comment-33719 Jim Thu, 13 Nov 2008 21:10:11 +0000 http://didierstevens.wordpress.com/?p=863#comment-33719 That commandline can be sharpened up a touch ... I tend to build up a commandline one step at a time, makes it easy to see what's going on. Once you get a good command-line solution, this can usefully form the basis of automated testing :-) As Jordan says, the key here is to run ndisasm over the file, and notice the 'mov byte' invocations. Collecting them with grep is simple, and then cut can be used to grab just the bytes themselves out. ndisasm -u picture-puzzle.bmp | grep 'mov byte' | cut -d, -f2 This produces the bytes we want, one per line. To make printf's job easier, we need to replace '^0x' with '\x...' (using single quotes here to make the \ safe from the shell, but still doubling it because of sed), and also replace 'x0$' (the null) with 'x0a' (LF) ... | sed -e 's/^0x/\\x/; s/x0$/x0a/' The tr command is a great way to strip out all the newlines, and make this one single line for the printf command ... which wraps around the whole commandline using the $() operator from bash (easier to read than the traditional shell ` backticks) printf $(ndisadm ...|tr -d '\n') Oh noes! An alphabet substitution ... quickly fixed with the caesar program, which will do a quick letter frequency count to determine the correct rotation to use ... in this case, it's 13 of course. printf $(ndisasm -u picture-puzzle.bmp | grep 'mov byte' | cut -d, -f2 | sed -e 's/^0x/\\x/; s/x0$/x0a/' | tr -d '\n' ) | caesar Hello from BMP shellcode! hfre32 ZrffntrObkN That commandline can be sharpened up a touch … I tend to build up a commandline one step at a time, makes it easy to see what’s going on.

Once you get a good command-line solution, this can usefully form the basis of automated testing :-)

As Jordan says, the key here is to run ndisasm over the file, and notice the ‘mov byte’ invocations. Collecting them with grep is simple, and then cut can be used to grab just the bytes themselves out.

ndisasm -u picture-puzzle.bmp | grep ‘mov byte’ | cut -d, -f2

This produces the bytes we want, one per line. To make printf’s job easier, we need to replace ‘^0x’ with ‘\x…’ (using single quotes here to make the \ safe from the shell, but still doubling it because of sed), and also replace ‘x0$’ (the null) with ‘x0a’ (LF)

… | sed -e ’s/^0x/\\x/; s/x0$/x0a/’

The tr command is a great way to strip out all the newlines, and make this one single line for the printf command … which wraps around the whole commandline using the $() operator from bash (easier to read than the traditional shell ` backticks)

printf $(ndisadm …|tr -d ‘\n’)

Oh noes! An alphabet substitution … quickly fixed with the caesar program, which will do a quick letter frequency count to determine the correct rotation to use … in this case, it’s 13 of course.

printf $(ndisasm -u picture-puzzle.bmp | grep ‘mov byte’ | cut -d, -f2 |
sed -e ’s/^0x/\\x/; s/x0$/x0a/’ | tr -d ‘\n’ ) | caesar

Hello from BMP shellcode!
hfre32
ZrffntrObkN

]]> By: Didier Stevens http://blog.didierstevens.com/2008/11/09/picture-puzzle/#comment-33718 Didier Stevens Thu, 13 Nov 2008 20:48:15 +0000 http://didierstevens.wordpress.com/?p=863#comment-33718 I'll post my solution for Windows in the coming weeks I’ll post my solution for Windows in the coming weeks

]]> By: sh4Rkb8 http://blog.didierstevens.com/2008/11/09/picture-puzzle/#comment-33717 sh4Rkb8 Thu, 13 Nov 2008 20:43:27 +0000 http://didierstevens.wordpress.com/?p=863#comment-33717 ... and the ascii table was superfluous (should have looked more closely at the text table in the hex editor). I'll shut up now. … and the ascii table was superfluous (should have looked more closely at the text table in the hex editor).

I’ll shut up now.

]]> By: sh4Rkb8 http://blog.didierstevens.com/2008/11/09/picture-puzzle/#comment-33716 sh4Rkb8 Thu, 13 Nov 2008 20:20:26 +0000 http://didierstevens.wordpress.com/?p=863#comment-33716 I was able to find the string Jordan was referring to by opening the file in a hex editor, did a hex-ascii conversion, and applying rot13 (like Jordan) arrived at the answer. However, that was clearly the easy part. I'm still trying to figure out how to trim it down to that particular string from the whole hex dump. Mind you, I don't have nearly the skills Jordan clearly does. I was able to find the string Jordan was referring to by opening the file in a hex editor, did a hex-ascii conversion, and applying rot13 (like Jordan) arrived at the answer.

However, that was clearly the easy part. I’m still trying to figure out how to trim it down to that particular string from the whole hex dump. Mind you, I don’t have nearly the skills Jordan clearly does.

]]> By: sh4Rkb8 http://blog.didierstevens.com/2008/11/09/picture-puzzle/#comment-33712 sh4Rkb8 Thu, 13 Nov 2008 14:58:58 +0000 http://didierstevens.wordpress.com/?p=863#comment-33712 Complete neophyte here - arrived by way of another blog. I'm very interested in learning about these analyses that you describe in your various posts. Are there useful tools (such as the shellcode wrapper or debugger that Jordan mentions) available as freeware for Windows? Thanks! Complete neophyte here – arrived by way of another blog.

I’m very interested in learning about these analyses that you describe in your various posts.

Are there useful tools (such as the shellcode wrapper or debugger that Jordan mentions) available as freeware for Windows?

Thanks!

]]> By: Jordan http://blog.didierstevens.com/2008/11/09/picture-puzzle/#comment-33696 Jordan Mon, 10 Nov 2008 22:30:54 +0000 http://didierstevens.wordpress.com/?p=863#comment-33696 Thanks! "If it can't be done on the command-line, it isn't worth doing" is my motto... or something like that. ;-) FYI if anybody tries to copy/paste: the smart quotes from WordPress will likely get in the way. Also, my method is certainly not the recommended way to actually learn from the challenge. Dump into a shellcode wrapper or debugger for maximum enjoyment. Thanks! “If it can’t be done on the command-line, it isn’t worth doing” is my motto… or something like that. ;-)

FYI if anybody tries to copy/paste: the smart quotes from WordPress will likely get in the way.

Also, my method is certainly not the recommended way to actually learn from the challenge. Dump into a shellcode wrapper or debugger for maximum enjoyment.

]]> By: Didier Stevens http://blog.didierstevens.com/2008/11/09/picture-puzzle/#comment-33692 Didier Stevens Mon, 10 Nov 2008 13:10:21 +0000 http://didierstevens.wordpress.com/?p=863#comment-33692 Nice command-line skills Jordan! Nice command-line skills Jordan!

]]> By: Jordan http://blog.didierstevens.com/2008/11/09/picture-puzzle/#comment-33691 Jordan Mon, 10 Nov 2008 12:57:21 +0000 http://didierstevens.wordpress.com/?p=863#comment-33691 Too late for a prize, I know, but my static method to find the answer without doing a whole lot of disassembly work: Look through file, observe some shellcode sequences, dump the whole thing straight into ndisasm: ndisasm -u picture-puzzle.bmp Notice all the bytes being directly written to a local, so grep out the interesting bytes: dd if=picture-puzzle.bmp bs=1 2>/dev/null|ndisasm -u -|grep 'mov byte'|sed 's/[^,]*,0/\\/g'|tr -d '\n' Run through printf after changing null bytes to newlines: printf '\x55\x72\x79\x79\x62\x20\x73\x65\x62\x7a\x20\x4f\x5a\x43\x20\x66\x75\x72\x79\x79\x70\x62\x71\x72\x21\x0a\x75\x73\x65\x72\x33\x32\x0a\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x0a' Uryyb sebz OZC furyypbqr! user32 MessageBoxA Looks like alphabetic substitution on the interesting string, notice no obvious operations in the shellcode to deobfuscate it, take a wild shot on rot13, get lucky, and done. Too late for a prize, I know, but my static method to find the answer without doing a whole lot of disassembly work:

Look through file, observe some shellcode sequences, dump the whole thing straight into ndisasm:

ndisasm -u picture-puzzle.bmp

Notice all the bytes being directly written to a local, so grep out the interesting bytes:

dd if=picture-puzzle.bmp bs=1 2>/dev/null|ndisasm -u -|grep ‘mov byte’|sed ’s/[^,]*,0/\\/g’|tr -d ‘\n’

Run through printf after changing null bytes to newlines:

printf ‘\x55\x72\x79\x79\x62\x20\x73\x65\x62\x7a\x20\x4f\x5a\x43\x20\x66\x75\x72\x79\x79\x70\x62\x71\x72\x21\x0a\x75\x73\x65\x72\x33\x32\x0a\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x0a’

Uryyb sebz OZC furyypbqr!
user32
MessageBoxA

Looks like alphabetic substitution on the interesting string, notice no obvious operations in the shellcode to deobfuscate it, take a wild shot on rot13, get lucky, and done.

]]> By: Didier Stevens http://blog.didierstevens.com/2008/11/09/picture-puzzle/#comment-33690 Didier Stevens Sun, 09 Nov 2008 22:30:56 +0000 http://didierstevens.wordpress.com/?p=863#comment-33690 Correct! Static or dynamic analysis? Correct! Static or dynamic analysis?

]]> By: Ostracon http://blog.didierstevens.com/2008/11/09/picture-puzzle/#comment-33689 Ostracon Sun, 09 Nov 2008 22:25:57 +0000 http://didierstevens.wordpress.com/?p=863#comment-33689 The message is: "Hello from BMP shellcode!" The message is: “Hello from BMP shellcode!”

]]>