A walkthrough of the baleful challenge from picoCTF.
Basic Static Analysis
Always start with some basic static analysis as it can save you hours. Any insight about the program you may get by reading the strings can help a lot.
In this case running strings on the program will reveal a very interesting string.
# strings -n8 baleful
d-linux.so.2
|R3$C2LYu 7
_gmon_st
.iLc99+scan"r2
L3err"r:tf$
maNGLIBC_2.47
@N!S 7 G
$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $
PROT_EXEC|PROT_WRITE failed.
/proc/sm
GCC: (Ubuntu/Linaro 4.6.3-1u
.shstrtab '
gnu.build-id
o dynsym
eh_frame_hs
dr ctoOn
[Gbs&com
Of all the packer they could have used, UPX is probably the easiest because the upx packer will also unpack programs for us. This means no manual unpacking of the program!
$ upx -d -o balefulunpacked ./baleful
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2013
UPX 3.91 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 30th 2013
File size Ratio Format Name
-------------------- ------ ----------- -----------
148104 <- 6752 4.56% netbsd/elf386 balefulunpacked
Unpacked 1 file.Running strings on the unpacked program now yields normal results.
$ strings -n8 balefulunpacked
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
__stack_chk_fail
__isoc99_fscanf
__libc_start_main
GLIBC_2.4
GLIBC_2.7
GLIBC_2.0
GCC: (Ubuntu/Linaro 4.6.3-1ubuntu5) 4.6.3
.shstrtab
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.eh_frame_hdr
.eh_frame
.dynamic
.got.plt
.comment
Lets move on to basic dynamic analysis
Basic Dynamic Analysis
$ ./balefulunpacked
Please enter your password: aaaa
Sorry, wrong password!It seems very simple. Asks for a password and tells you wrong password. I assume that there is a good password. However, I did not see those strings in my basic static analys hinting at some form of obfuscation still happening.
Advanced Static Analysis
Loading it in IDA, it becomes clear that its a VM. The code implements 32 instructions and simply executes virtual instructions loaded in memory to implement the logic. This is where I embarked on a 3-4 hours reversing job to map out the architecture of the vm. I ended up with the following:
| op | 0x | mne | details/explanation | arg0/addressing_mode | arg1 | arg2 | arg3 | arg4 |
|---|---|---|---|---|---|---|---|---|
| 0 | 0 | nop | ||||||
| 1 | 1 | ret | ||||||
| 2 | 2 | add | ri<-arg2 + arg3 | 0=r+r ; 1=r+im; 2=im+r; 4=im+im | ri | rj/im | rh/im | |
| 3 | 3 | sub | ri<-arg2 - arg3 | 0=r-r ; 1=r-im; 2=im-r; 4=im-im | ri | rj/im | rh/im | |
| 4 | 4 | mul | ri<-arg2 * arg3 | 0=rr ; 1=rim; 2=imr; 4=imim | ri | rj/im | rh/im | |
| 5 | 5 | div | ri<-arg3 / arg4 ; rj<-arg3 % arg4 | 0=r/r ; 1=r/im; 2=im/r; 4=im/im | ri | rj | rh/im | rh/im |
| 6 | 6 | xor | ri<-arg2 ^ arg3 | 0=r^r ; 1=r^im; 2=im^r; 4=im^im | ri | rj/im | rh/im | |
| 7 | 7 | neg | ri<- -rj | ri | rj | |||
| 8 | 8 | not | ri<- ~rj | ri | rj | |||
| 9 | 9 | and | ri<-arg2 & arg3 | 0=r&r ; 1=r&im; 2=im&r; 4=im&im | ri | rj/im | rh/im | |
| 10 | A | or | ri<-arg2 | arg3 | 0=r|r ; 1=r|im; 2=im|r; 4=im|im | ri | rj/im | rh/im | |
| 11 | B | is0 | ri<-rj == 0 | ri | rj | |||
| 12 | C | lsl | ri<-arg2 « arg3 | 0=r«r ; 1=r«im; 2=im«r; 4=im«im | ri | rj/im | rh/im | |
| 13 | D | lsr | ri<-arg2 » arg3 | 0=r»r ; 1=r»im; 2=im»r; 4=im»im | ri | rj/im | rh/im | |
| 14 | E | jmp | dest ptr | |||||
| 15 | F | call | func ptr | |||||
| 16 | 10 | jnz | jump if not 0 | dest ptr | ||||
| 17 | 11 | jlt | jump if lower than 0 | dest ptr | ||||
| 18 | 12 | jle | jump if lower or equal 0 | dest ptr | ||||
| 19 | 13 | jbt | jump if biger than 0 | dest ptr | ||||
| 20 | 14 | jbe | jump if bigger or equal 0 | dest ptr | ||||
| 21 | 15 | jz | jump if 0 | dest ptr | ||||
| 22 | 16 | test | acc<-arg1 & arg2 | 0=r&r ; 1=r&im; 2=im&r; 4=im&im | rj/im | rh/im | ||
| 23 | 17 | cmp | acc<-arg1 - arg2 | 0=r-r ; 1=r-im; 2=im-r; 4=im-im | rj/im | rh/im | ||
| 24 | 18 | mov | ri<-arg2 | 0=r ; 1=im | ri | rj/im | ||
| 25 | 19 | inc | ri++ | ri | ||||
| 26 | 1A | dec | ri– | ri | ||||
| 27 | 1B | mov | ri<-[rj] | ri | rj | |||
| 28 | 1C | mov | [ri]<-rj | ri | rj | |||
| 29 | 1D | end | ||||||
| 30 | 1E | push | top stack <- arg1 | 0=reg ; 1=imm | ri/imm | |||
| 31 | 1F | pop | ri<-top stak | ri | ||||
| 32 | 20 | syscall | r0 <- syscall(arg0, regfile) |
We are almost done but note that instruction 32 is the equivalent of the syscall accessing OS functions mostly for IO. Here are the different syscalls:
| r0 (hex) | syscall |
|---|---|
| 0 | putc |
| 1 | puti |
| 2 | puth |
| 3 | putf |
| 4 | getc |
| 5 | geti |
| 6 | geth |
| 7 | getf |
| 8 | teststdin |
| 9 | itof |
| A | load_real |
| B | real_add |
| C | real_sub |
| D | real_mul |
| E | real_div |
| F | useless |
| 10 | is_not_null |
| 11 | malloc |
Trust me I did try to wing it in an attempt to avoid having to reverse all of this but I was getting nowhere so I decided to bite the bullet and reverse the whole thing.
At this point I am executing the program in gdb and putting breakpoints at different places. The first place I tried is on the syscall instruction 0x8049c54 to try and trace my input to some comparision. However, its so convoluted that I quickly got lost using this method. I then decided that I would disassemble the virtual program. To do so I dumped the memory of the process using the generate-core-file command in gdb and opened it in IDA.
I can see the virtual memory starting at address 0x804c0c0 with the entry point of the virtual program at offset 0x1000 (0x804d0c0). Over the course of another 3 hours, I wrote a complete disassembler in python for this architecture to allow me to read the program.
#!/usr/bin/env python
# @author: GuilT
import struct
def u32(val):
return struct.unpack('<I',val)[0]
with open('core.29517','r') as f:
f.seek(0x4964)
mem = bytearray(f.read(0x41f3f))
func_table = {
0x1000:'start (unpack)',
0x103f:'putc',
0x1042:'puti',
0x1045:'puth',
0x1048:'putf',
0x104b:'getc',
0x104e:'geti',
0x1051:'geth',
0x1054:'getf',
0x1057:'peak_stdin',
0x105a:'itof',
0x105d:'load_real',
0x1060:'real_add',
0x1063:'real_sub',
0x1066:'real_mul',
0x1069:'real_div',
0x106c:'useless',
0x106f:'is_not_null',
0x107d:'get_add_bignum',
0x1080:'malloc(r0:item size, r1:n)',
0x10c2:'exit',
0x10c3:'congratulations',
0x1192:'sorry_wrong_pass',
0x12a9:'long_pass_test',
0x1881:'congratulations',
0x1952:'sorry_wrong_pass',
0x1a6d:'please_enter_password',
0x1bc0:'main' ,
0x1ebe:'validate_password'}
def preprt(IP, opcode, str):
if IP in func_table:
print '=' * 20 + ' ' + func_table[IP]
print "0x%08x : 0x%04x :0x%02x %s" %(IP+0x804c0c0,IP, opcode, str)
IP = 0x1000
END = 0x1ede
while IP < END:
opcode = mem[IP]
if opcode == 0:
preprt(IP, opcode, "nop")
IP += 1
elif opcode == 1:
preprt(IP, opcode, "retn")
IP += 1
elif opcode in {2, 3, 4, 6, 9, 0xa, 0xc, 0xd}:
if opcode == 2:
op = 'add'
elif opcode == 3:
op = 'sub'
elif opcode == 4:
op = 'mul'
elif opcode == 6:
op = 'xor'
elif opcode == 9:
op = 'and'
elif opcode == 0xa:
op = 'or'
elif opcode == 0xc:
op = 'lsl'
elif opcode == 0xd:
op = 'lsr'
addressing = mem[IP+1]
if addressing == 0:
arg1 = 'r%d' % mem[IP+2]
arg2 = 'r%d' % mem[IP+3]
arg3 = 'r%d' % mem[IP+4]
tIP = 5
elif addressing == 1:
arg1 = 'r%d' % mem[IP+2]
arg2 = 'r%d' % mem[IP+3]
arg3 = '0x%x' % u32(mem[IP+4:IP+8])
tIP = 8
elif addressing == 2:
arg1 = 'r%d' % mem[IP+2]
arg2 = '0x%x' % mem[IP+3:IP+7]
arg3 = 'r%d' % mem[IP+7]
tIP = 8
elif addressing == 4:
arg1 = 'r%d' % mem[IP+2]
arg2 = '0x%x' % u32(mem[IP+3:IP+7])
arg3 = '0x%x' % u32(mem[IP+7:IP+11])
tIP = 11
preprt(IP, opcode, "%-6s %s, %s, %s" % (op, arg1, arg2, arg3))
IP += tIP
elif opcode == 5:
addressing = mem[IP+1]
if addressing == 0:
arg1 = 'r%d' % mem[IP+2]
arg2 = 'r%d' % mem[IP+3]
arg3 = 'r%d' % mem[IP+4]
arg4 = 'r%d' % mem[IP+5]
tIP = 5
elif addressing == 1:
arg1 = 'r%d' % mem[IP+2]
arg2 = 'r%d' % mem[IP+3]
arg3 = 'r%d' % mem[IP+4]
arg4 = '0x%x' % u32(mem[IP+5:IP+9])
tIP = 9
elif addressing == 2:
arg1 = 'r%d' % mem[IP+2]
arg2 = 'r%d' % mem[IP+3]
arg3 = '0x%x' % u32(mem[IP+4:IP+8])
arg4 = 'r%d' % mem[IP+8]
tIP = 9
elif addressing == 4:
arg1 = 'r%d' % mem[IP+2]
arg2 = 'r%d' % mem[IP+3]
arg3 = '0x%x' % u32(mem[IP+4:IP+8])
arg4 = '0x%x' % u32(mem[IP+8:IP+12])
tIP = 12
preprt(IP, opcode, "div %s, %s, %s ; mod %s, %s, %s" % (arg1, arg3, arg4, arg2, arg3, arg4))
IP += tIP
elif opcode == 7:
arg0 = 'r%d' % mem[IP+1]
arg1 = 'r%d' % mem[IP+2]
preprt(IP, opcode, "neg %s, %s" %(arg0, arg1))
IP += 3
elif opcode == 8:
arg0 = 'r%d' % mem[IP+1]
arg1 = 'r%d' % mem[IP+2]
preprt(IP, opcode, "not %s, %s" %(arg0, arg1))
IP += 3
elif opcode == 0xb:
arg0 = 'r%d' % mem[IP+1]
arg1 = 'r%d' % mem[IP+2]
preprt(IP, opcode, "is0 %s, %s" %(arg0, arg1))
IP += 3
elif opcode == 0xe:
addr = u32(mem[IP+1 : IP+5])
arg0 = '0x%x' % addr
if addr in func_table:
arg0 += ' ; ' + func_table[addr] + '()'
preprt(IP, opcode, "jmp %s" %(arg0))
IP += 5
elif opcode == 0xf:
addr = u32(mem[IP+1 : IP+5])
arg0 = '0x%x' % addr
if addr in func_table:
arg0 += ' ; ' + func_table[addr] + '()'
preprt(IP, opcode, "call %s" %(arg0))
IP += 5
elif opcode in range(0x10, 0x16):
if opcode == 0x10:
op = 'jz'
if opcode == 0x11:
op = 'jlt'
if opcode == 0x12:
op = 'jle'
if opcode == 0x13:
op = 'jbt'
if opcode == 0x14:
op = 'jbe'
if opcode == 0x15:
op = 'jnz'
arg0 = '0x%x' % u32(mem[IP+1 : IP+5])
preprt(IP, opcode, "%-6s %s" %(op,arg0))
IP += 5
elif opcode in {0x16, 0x17}:
if opcode == 0x16:
op = 'test'
elif opcode == 0x17:
op = 'cmp'
addressing = mem[IP+1]
if addressing == 0:
arg1 = 'r%d' % mem[IP+2]
arg2 = 'r%d' % mem[IP+3]
tIP = 4
elif addressing == 1:
arg1 = 'r%d' % mem[IP+2]
arg2 = '0x%x' % mem[IP+3:IP+7]
tIP = 7
elif addressing == 2:
arg1 = '0x%x' % mem[IP+2:IP+6]
arg2 = 'r%d' % mem[IP+6]
tIP = 7
elif addressing == 4:
arg1 = '0x%x' % mem[IP+2:IP+6]
arg2 = '0x%x' % mem[IP+6:IP+10]
tIP = 10
preprt(IP, opcode, "%-6s %s, %s" % (op, arg1, arg2))
IP += tIP
elif opcode == 0x18:
op = 'mov'
addressing = mem[IP+1]
if addressing == 0:
arg1 = 'r%d' % mem[IP+2]
arg2 = 'r%d' % mem[IP+3]
tIP = 4
elif addressing == 1:
arg1 = 'r%d' % mem[IP+2]
arg2 = '0x%x' % u32(mem[IP+3:IP+7])
if u32(mem[IP+3:IP+7]) in range(0x1f, 128):
arg2 += ' ; %c' % u32(mem[IP+3:IP+7])
tIP = 7
preprt(IP, opcode, "%-6s %s, %s" % (op, arg1, arg2))
IP += tIP
elif opcode in {0x19, 0x1a}:
if opcode == 0x19:
op = 'inc'
elif opcode == 0x1a:
op = 'dec'
arg0 = 'r%d' % mem[IP+1]
preprt(IP, opcode, "%-6s %s" % (op, arg0))
IP += 2
elif opcode == 0x1b:
op = 'mov'
arg0 = 'r%d' % mem[IP+1]
arg1 = '[r%d]' % mem[IP+2]
preprt(IP, opcode, "%-6s %s, %s" % (op, arg0, arg1))
IP += 3
elif opcode == 0x1c:
op = 'mov'
arg0 = '[r%d]' % mem[IP+1]
arg1 = 'r%d' % mem[IP+2]
preprt(IP, opcode, "%-6s %s, %s" % (op, arg0, arg1))
IP += 3
elif opcode == 0x1d:
op = 'END END END'
preprt(IP, opcode, "%-6s" % op)
IP += 1
elif opcode == 0x1e:
op = 'push'
addressing = mem[IP+1]
if addressing == 0:
arg1 = 'r%d' % mem[IP+2]
tIP = 3
elif addressing == 1:
arg1 = '0x%x' % mem[IP+2:IP+6]
tIP = 7
preprt(IP, opcode, "%-6s %s" % (op, arg1))
IP += tIP
elif opcode == 0x1f:
op = 'pop'
arg0 = 'r%d' % mem[IP+1]
preprt(IP, opcode, "%-6s %s" % (op, arg0))
IP += 2
elif opcode == 0x20:
op = 'syscall'
arg0 = mem[IP+1]
if arg0 == 0:
func = 'putc'
elif arg0 == 1:
func = 'puti >&2'
elif arg0 == 2:
func = 'puth >&2'
elif arg0 == 3:
func = 'putf >&2'
elif arg0 == 4:
func = 'getc'
elif arg0 == 5:
func = 'geti'
elif arg0 == 6:
func = 'geth'
elif arg0 == 7:
func = 'getf'
elif arg0 == 8:
func = 'peak_stdin'
elif arg0 == 9:
func = 'itof'
elif arg0 == 0xa:
func = 'load_real'
elif arg0 == 0xb:
func = 'real add'
elif arg0 == 0xc:
func = 'real sub'
elif arg0 == 0xd:
func = 'real mul'
elif arg0 == 0xe:
func = 'real div'
elif arg0 == 0xf:
func = 'useless'
elif arg0 == 0x10:
func = 'is_not_null'
elif arg0 == 0x11:
func = 'malloc'
else:
func = 'Uknown syscall number'
preprt(IP, opcode, "%-6s %s" % (op, func))
IP += 2
else:
preprt(IP, opcode, "Uknown instruction")
IP += 1Note that the func_table was my way of being able to name functions in the virtual program to help me reverse it better. The output of this script (a complete listing of the virtual program) looks like this:
$ ./disassembler.py
==================== start (unpack)
0x0804d0c0 : 0x1000 :0x18 mov r0, 0x103a
0x0804d0c7 : 0x1007 :0x18 mov r1, 0x1edb
0x0804d0ce : 0x100e :0x18 mov r3, r0
0x0804d0d2 : 0x1012 :0x18 mov r5, 0x174cf42
0x0804d0d9 : 0x1019 :0x1b mov r4, [r3]
0x0804d0dc : 0x101c :0x06 xor r4, r4, r5
0x0804d0e1 : 0x1021 :0x1c mov [r3], r4
0x0804d0e4 : 0x1024 :0x02 add r3, r3, 0x4
0x0804d0ec : 0x102c :0x17 cmp r1, r3
0x0804d0f0 : 0x1030 :0x14 jbe 0x1019
0x0804d0f5 : 0x1035 :0x0e jmp 0x103a
0x0804d0fa : 0x103a :0x0e jmp 0x1bc0 ; main()
==================== putc
0x0804d0ff : 0x103f :0x20 syscall putc
0x0804d101 : 0x1041 :0x01 retn
==================== puti
0x0804d102 : 0x1042 :0x20 syscall puti >&2
0x0804d104 : 0x1044 :0x01 retn
==================== puth
0x0804d105 : 0x1045 :0x20 syscall puth >&2
0x0804d107 : 0x1047 :0x01 retn
==================== putf
0x0804d108 : 0x1048 :0x20 syscall putf >&2
0x0804d10a : 0x104a :0x01 retn
==================== getc
0x0804d10b : 0x104b :0x20 syscall getc
0x0804d10d : 0x104d :0x01 retn
==================== geti
0x0804d10e : 0x104e :0x20 syscall geti
0x0804d110 : 0x1050 :0x01 retn
==================== geth
0x0804d111 : 0x1051 :0x20 syscall geth
0x0804d113 : 0x1053 :0x01 retn
==================== getf
0x0804d114 : 0x1054 :0x20 syscall getf
0x0804d116 : 0x1056 :0x01 retn
==================== peak_stdin
0x0804d117 : 0x1057 :0x20 syscall peak_stdin
0x0804d119 : 0x1059 :0x01 retn
==================== itof
0x0804d11a : 0x105a :0x20 syscall itof
0x0804d11c : 0x105c :0x01 retn
==================== load_real
0x0804d11d : 0x105d :0x20 syscall load_real
0x0804d11f : 0x105f :0x01 retn
==================== real_add
0x0804d120 : 0x1060 :0x20 syscall real add
0x0804d122 : 0x1062 :0x01 retn
==================== real_sub
0x0804d123 : 0x1063 :0x20 syscall real sub
0x0804d125 : 0x1065 :0x01 retn
==================== real_mul
0x0804d126 : 0x1066 :0x20 syscall real mul
0x0804d128 : 0x1068 :0x01 retn
==================== real_div
0x0804d129 : 0x1069 :0x20 syscall real div
0x0804d12b : 0x106b :0x01 retn
==================== useless
0x0804d12c : 0x106c :0x20 syscall useless
0x0804d12e : 0x106e :0x01 retn
==================== is_not_null
0x0804d12f : 0x106f :0x20 syscall is_not_null
0x0804d131 : 0x1071 :0x01 retn
0x0804d132 : 0x1072 :0x17 cmp r0, r0
0x0804d136 : 0x1076 :0x10 jz 0x107c
0x0804d13b : 0x107b :0x01 retn
0x0804d13c : 0x107c :0x1d END END END
==================== get_add_bignum
0x0804d13d : 0x107d :0x20 syscall get_add_bignum
0x0804d13f : 0x107f :0x01 retn
==================== malloc(r0:item size, r1:n)
0x0804d140 : 0x1080 :0x1e push r30
0x0804d143 : 0x1083 :0x1e push r29
0x0804d146 : 0x1086 :0x18 mov r30, r1
0x0804d14a : 0x108a :0x04 mul r0, r30, r0
0x0804d14f : 0x108f :0x02 add r0, r0, 0x8
0x0804d157 : 0x1097 :0x18 mov r29, r0
0x0804d15b : 0x109b :0x20 syscall get_add_bignum
0x0804d15d : 0x109d :0x16 test r0, r0
0x0804d161 : 0x10a1 :0x10 jz 0x10c2
0x0804d166 : 0x10a6 :0x18 mov r4, r29
0x0804d16a : 0x10aa :0x0d lsr r4, r4, 0x3
0x0804d172 : 0x10b2 :0x1c mov [r0], r4
0x0804d175 : 0x10b5 :0x02 add r0, r0, 0x8
0x0804d17d : 0x10bd :0x1f pop r29
0x0804d17f : 0x10bf :0x1f pop r30
0x0804d181 : 0x10c1 :0x01 retn
==================== exit
0x0804d182 : 0x10c2 :0x1d END END END
==================== congratulations
0x0804d183 : 0x10c3 :0x18 mov r0, 0x43 ; C
0x0804d18a : 0x10ca :0x0f call 0x103f ; putc()
0x0804d18f : 0x10cf :0x18 mov r0, 0x6f ; o
0x0804d196 : 0x10d6 :0x0f call 0x103f ; putc()
0x0804d19b : 0x10db :0x18 mov r0, 0x6e ; n
0x0804d1a2 : 0x10e2 :0x0f call 0x103f ; putc()
0x0804d1a7 : 0x10e7 :0x18 mov r0, 0x67 ; g
0x0804d1ae : 0x10ee :0x0f call 0x103f ; putc()
0x0804d1b3 : 0x10f3 :0x18 mov r0, 0x72 ; r
0x0804d1ba : 0x10fa :0x0f call 0x103f ; putc()
0x0804d1bf : 0x10ff :0x18 mov r0, 0x61 ; a
0x0804d1c6 : 0x1106 :0x0f call 0x103f ; putc()
0x0804d1cb : 0x110b :0x18 mov r0, 0x74 ; t
0x0804d1d2 : 0x1112 :0x0f call 0x103f ; putc()
0x0804d1d7 : 0x1117 :0x18 mov r0, 0x75 ; u
0x0804d1de : 0x111e :0x0f call 0x103f ; putc()
0x0804d1e3 : 0x1123 :0x18 mov r0, 0x6c ; l
0x0804d1ea : 0x112a :0x0f call 0x103f ; putc()
0x0804d1ef : 0x112f :0x18 mov r0, 0x61 ; a
0x0804d1f6 : 0x1136 :0x0f call 0x103f ; putc()
0x0804d1fb : 0x113b :0x18 mov r0, 0x74 ; t
0x0804d202 : 0x1142 :0x0f call 0x103f ; putc()
0x0804d207 : 0x1147 :0x18 mov r0, 0x69 ; i
0x0804d20e : 0x114e :0x0f call 0x103f ; putc()
0x0804d213 : 0x1153 :0x18 mov r0, 0x6f ; o
0x0804d21a : 0x115a :0x0f call 0x103f ; putc()
0x0804d21f : 0x115f :0x18 mov r0, 0x6e ; n
0x0804d226 : 0x1166 :0x0f call 0x103f ; putc()
0x0804d22b : 0x116b :0x18 mov r0, 0x73 ; s
0x0804d232 : 0x1172 :0x0f call 0x103f ; putc()
0x0804d237 : 0x1177 :0x18 mov r0, 0x21 ; !
0x0804d23e : 0x117e :0x0f call 0x103f ; putc()
0x0804d243 : 0x1183 :0x18 mov r0, 0xa
0x0804d24a : 0x118a :0x0f call 0x103f ; putc()
0x0804d24f : 0x118f :0x01 retn
0x0804d250 : 0x1190 :0x1d END END END
0x0804d251 : 0x1191 :0x1d END END END
==================== sorry_wrong_pass
0x0804d252 : 0x1192 :0x18 mov r0, 0x53 ; S
0x0804d259 : 0x1199 :0x0f call 0x103f ; putc()
0x0804d25e : 0x119e :0x18 mov r0, 0x6f ; o
0x0804d265 : 0x11a5 :0x0f call 0x103f ; putc()
0x0804d26a : 0x11aa :0x18 mov r0, 0x72 ; r
0x0804d271 : 0x11b1 :0x0f call 0x103f ; putc()
0x0804d276 : 0x11b6 :0x18 mov r0, 0x72 ; r
0x0804d27d : 0x11bd :0x0f call 0x103f ; putc()
0x0804d282 : 0x11c2 :0x18 mov r0, 0x79 ; y
0x0804d289 : 0x11c9 :0x0f call 0x103f ; putc()
0x0804d28e : 0x11ce :0x18 mov r0, 0x2c ; ,
0x0804d295 : 0x11d5 :0x0f call 0x103f ; putc()
0x0804d29a : 0x11da :0x18 mov r0, 0x20 ;
0x0804d2a1 : 0x11e1 :0x0f call 0x103f ; putc()
0x0804d2a6 : 0x11e6 :0x18 mov r0, 0x77 ; w
0x0804d2ad : 0x11ed :0x0f call 0x103f ; putc()
0x0804d2b2 : 0x11f2 :0x18 mov r0, 0x72 ; r
0x0804d2b9 : 0x11f9 :0x0f call 0x103f ; putc()
0x0804d2be : 0x11fe :0x18 mov r0, 0x6f ; o
0x0804d2c5 : 0x1205 :0x0f call 0x103f ; putc()
0x0804d2ca : 0x120a :0x18 mov r0, 0x6e ; n
0x0804d2d1 : 0x1211 :0x0f call 0x103f ; putc()
0x0804d2d6 : 0x1216 :0x18 mov r0, 0x67 ; g
0x0804d2dd : 0x121d :0x0f call 0x103f ; putc()
0x0804d2e2 : 0x1222 :0x18 mov r0, 0x20 ;
0x0804d2e9 : 0x1229 :0x0f call 0x103f ; putc()
0x0804d2ee : 0x122e :0x18 mov r0, 0x70 ; p
0x0804d2f5 : 0x1235 :0x0f call 0x103f ; putc()
0x0804d2fa : 0x123a :0x18 mov r0, 0x61 ; a
0x0804d301 : 0x1241 :0x0f call 0x103f ; putc()
0x0804d306 : 0x1246 :0x18 mov r0, 0x73 ; s
0x0804d30d : 0x124d :0x0f call 0x103f ; putc()
0x0804d312 : 0x1252 :0x18 mov r0, 0x73 ; s
0x0804d319 : 0x1259 :0x0f call 0x103f ; putc()
0x0804d31e : 0x125e :0x18 mov r0, 0x77 ; w
0x0804d325 : 0x1265 :0x0f call 0x103f ; putc()
0x0804d32a : 0x126a :0x18 mov r0, 0x6f ; o
0x0804d331 : 0x1271 :0x0f call 0x103f ; putc()
0x0804d336 : 0x1276 :0x18 mov r0, 0x72 ; r
0x0804d33d : 0x127d :0x0f call 0x103f ; putc()
0x0804d342 : 0x1282 :0x18 mov r0, 0x64 ; d
0x0804d349 : 0x1289 :0x0f call 0x103f ; putc()
0x0804d34e : 0x128e :0x18 mov r0, 0x21 ; !
0x0804d355 : 0x1295 :0x0f call 0x103f ; putc()
0x0804d35a : 0x129a :0x18 mov r0, 0xa
0x0804d361 : 0x12a1 :0x0f call 0x103f ; putc()
0x0804d366 : 0x12a6 :0x01 retn
0x0804d367 : 0x12a7 :0x1d END END END
0x0804d368 : 0x12a8 :0x1d END END END
==================== long_pass_test
0x0804d369 : 0x12a9 :0x1e push r9
0x0804d36c : 0x12ac :0x1e push r10
0x0804d36f : 0x12af :0x18 mov r10, r0
0x0804d373 : 0x12b3 :0x18 mov r1, 0x1e
0x0804d37a : 0x12ba :0x18 mov r0, 0x4
0x0804d381 : 0x12c1 :0x0f call 0x1080 ; malloc(r0:item size, r1:n)()
0x0804d386 : 0x12c6 :0x18 mov r9, r0
0x0804d38a : 0x12ca :0x18 mov r1, 0x4
0x0804d391 : 0x12d1 :0x18 mov r0, 0x4
0x0804d398 : 0x12d8 :0x0f call 0x1080 ; malloc(r0:item size, r1:n)()
0x0804d39d : 0x12dd :0x18 mov r5, r0
0x0804d3a1 : 0x12e1 :0x18 mov r30, 0xfd
0x0804d3a8 : 0x12e8 :0x1c mov [r5], r30
0x0804d3ab : 0x12eb :0x18 mov r30, 0x1
0x0804d3b2 : 0x12f2 :0x04 mul r30, r30, 0x4
0x0804d3ba : 0x12fa :0x18 mov r0, r5
0x0804d3be : 0x12fe :0x02 add r30, r30, r0
0x0804d3c3 : 0x1303 :0x18 mov r1, r30
0x0804d3c7 : 0x1307 :0x18 mov r30, 0xe
0x0804d3ce : 0x130e :0x1c mov [r1], r30
0x0804d3d1 : 0x1311 :0x18 mov r30, 0x1
0x0804d3d8 : 0x1318 :0x04 mul r30, r30, 0x8
0x0804d3e0 : 0x1320 :0x18 mov r0, r5
0x0804d3e4 : 0x1324 :0x02 add r30, r30, r0
0x0804d3e9 : 0x1329 :0x18 mov r1, r30
0x0804d3ed : 0x132d :0x18 mov r30, 0x63 ; c
0x0804d3f4 : 0x1334 :0x1c mov [r1], r30
0x0804d3f7 : 0x1337 :0x18 mov r30, 0x1
0x0804d3fe : 0x133e :0x04 mul r30, r30, 0xc
0x0804d406 : 0x1346 :0x18 mov r0, r5
0x0804d40a : 0x134a :0x02 add r30, r30, r0
0x0804d40f : 0x134f :0x18 mov r1, r30
0x0804d413 : 0x1353 :0x18 mov r30, 0x4f ; O
0x0804d41a : 0x135a :0x1c mov [r1], r30
0x0804d41d : 0x135d :0x18 mov r30, 0x8d
0x0804d424 : 0x1364 :0x1c mov [r9], r30
0x0804d427 : 0x1367 :0x18 mov r30, 0x1
0x0804d42e : 0x136e :0x04 mul r30, r30, 0x4
0x0804d436 : 0x1376 :0x18 mov r0, r9
0x0804d43a : 0x137a :0x02 add r30, r30, r0
0x0804d43f : 0x137f :0x18 mov r1, r30
0x0804d443 : 0x1383 :0x18 mov r30, 0x6f ; o
0x0804d44a : 0x138a :0x1c mov [r1], r30
0x0804d44d : 0x138d :0x18 mov r30, 0x1
0x0804d454 : 0x1394 :0x04 mul r30, r30, 0x8
0x0804d45c : 0x139c :0x18 mov r0, r9
0x0804d460 : 0x13a0 :0x02 add r30, r30, r0
0x0804d465 : 0x13a5 :0x18 mov r1, r30
0x0804d469 : 0x13a9 :0x18 mov r30, 0x0
0x0804d470 : 0x13b0 :0x1c mov [r1], r30
0x0804d473 : 0x13b3 :0x18 mov r30, 0x1
0x0804d47a : 0x13ba :0x04 mul r30, r30, 0xc
0x0804d482 : 0x13c2 :0x18 mov r0, r9
0x0804d486 : 0x13c6 :0x02 add r30, r30, r0
0x0804d48b : 0x13cb :0x18 mov r1, r30
0x0804d48f : 0x13cf :0x18 mov r30, 0x24 ; $
0x0804d496 : 0x13d6 :0x1c mov [r1], r30
0x0804d499 : 0x13d9 :0x18 mov r30, 0x1
0x0804d4a0 : 0x13e0 :0x04 mul r30, r30, 0x10
0x0804d4a8 : 0x13e8 :0x18 mov r0, r9
0x0804d4ac : 0x13ec :0x02 add r30, r30, r0
0x0804d4b1 : 0x13f1 :0x18 mov r1, r30
0x0804d4b5 : 0x13f5 :0x18 mov r30, 0x98
0x0804d4bc : 0x13fc :0x1c mov [r1], r30
0x0804d4bf : 0x13ff :0x18 mov r30, 0x1
0x0804d4c6 : 0x1406 :0x04 mul r30, r30, 0x14
0x0804d4ce : 0x140e :0x18 mov r0, r9
0x0804d4d2 : 0x1412 :0x02 add r30, r30, r0
0x0804d4d7 : 0x1417 :0x18 mov r1, r30
0x0804d4db : 0x141b :0x18 mov r30, 0x7c ; |
0x0804d4e2 : 0x1422 :0x1c mov [r1], r30
0x0804d4e5 : 0x1425 :0x18 mov r30, 0x1
0x0804d4ec : 0x142c :0x04 mul r30, r30, 0x18
0x0804d4f4 : 0x1434 :0x18 mov r0, r9
0x0804d4f8 : 0x1438 :0x02 add r30, r30, r0
0x0804d4fd : 0x143d :0x18 mov r1, r30
0x0804d501 : 0x1441 :0x18 mov r30, 0x10
0x0804d508 : 0x1448 :0x1c mov [r1], r30
0x0804d50b : 0x144b :0x18 mov r30, 0x1
0x0804d512 : 0x1452 :0x04 mul r30, r30, 0x1c
0x0804d51a : 0x145a :0x18 mov r0, r9
0x0804d51e : 0x145e :0x02 add r30, r30, r0
0x0804d523 : 0x1463 :0x18 mov r1, r30
0x0804d527 : 0x1467 :0x18 mov r30, 0x10
0x0804d52e : 0x146e :0x1c mov [r1], r30
0x0804d531 : 0x1471 :0x18 mov r30, 0x1
0x0804d538 : 0x1478 :0x04 mul r30, r30, 0x20
0x0804d540 : 0x1480 :0x18 mov r0, r9
0x0804d544 : 0x1484 :0x02 add r30, r30, r0
0x0804d549 : 0x1489 :0x18 mov r1, r30
0x0804d54d : 0x148d :0x18 mov r30, 0x9c
0x0804d554 : 0x1494 :0x1c mov [r1], r30
0x0804d557 : 0x1497 :0x18 mov r30, 0x1
0x0804d55e : 0x149e :0x04 mul r30, r30, 0x24
0x0804d566 : 0x14a6 :0x18 mov r0, r9
0x0804d56a : 0x14aa :0x02 add r30, r30, r0
0x0804d56f : 0x14af :0x18 mov r1, r30
0x0804d573 : 0x14b3 :0x18 mov r30, 0x60 ; `
0x0804d57a : 0x14ba :0x1c mov [r1], r30
0x0804d57d : 0x14bd :0x18 mov r30, 0x1
0x0804d584 : 0x14c4 :0x04 mul r30, r30, 0x28
0x0804d58c : 0x14cc :0x18 mov r0, r9
0x0804d590 : 0x14d0 :0x02 add r30, r30, r0
0x0804d595 : 0x14d5 :0x18 mov r1, r30
0x0804d599 : 0x14d9 :0x18 mov r30, 0x7
0x0804d5a0 : 0x14e0 :0x1c mov [r1], r30
0x0804d5a3 : 0x14e3 :0x18 mov r30, 0x1
0x0804d5aa : 0x14ea :0x04 mul r30, r30, 0x2c
0x0804d5b2 : 0x14f2 :0x18 mov r0, r9
0x0804d5b6 : 0x14f6 :0x02 add r30, r30, r0
0x0804d5bb : 0x14fb :0x18 mov r1, r30
0x0804d5bf : 0x14ff :0x18 mov r30, 0x10
0x0804d5c6 : 0x1506 :0x1c mov [r1], r30
0x0804d5c9 : 0x1509 :0x18 mov r30, 0x1
0x0804d5d0 : 0x1510 :0x04 mul r30, r30, 0x30
0x0804d5d8 : 0x1518 :0x18 mov r0, r9
0x0804d5dc : 0x151c :0x02 add r30, r30, r0
0x0804d5e1 : 0x1521 :0x18 mov r1, r30
0x0804d5e5 : 0x1525 :0x18 mov r30, 0x8b
0x0804d5ec : 0x152c :0x1c mov [r1], r30
0x0804d5ef : 0x152f :0x18 mov r30, 0x1
0x0804d5f6 : 0x1536 :0x04 mul r30, r30, 0x34
0x0804d5fe : 0x153e :0x18 mov r0, r9
0x0804d602 : 0x1542 :0x02 add r30, r30, r0
0x0804d607 : 0x1547 :0x18 mov r1, r30
0x0804d60b : 0x154b :0x18 mov r30, 0x63 ; c
0x0804d612 : 0x1552 :0x1c mov [r1], r30
0x0804d615 : 0x1555 :0x18 mov r30, 0x1
0x0804d61c : 0x155c :0x04 mul r30, r30, 0x38
0x0804d624 : 0x1564 :0x18 mov r0, r9
0x0804d628 : 0x1568 :0x02 add r30, r30, r0
0x0804d62d : 0x156d :0x18 mov r1, r30
0x0804d631 : 0x1571 :0x18 mov r30, 0x10
0x0804d638 : 0x1578 :0x1c mov [r1], r30
0x0804d63b : 0x157b :0x18 mov r30, 0x1
0x0804d642 : 0x1582 :0x04 mul r30, r30, 0x3c
0x0804d64a : 0x158a :0x18 mov r0, r9
0x0804d64e : 0x158e :0x02 add r30, r30, r0
0x0804d653 : 0x1593 :0x18 mov r1, r30
0x0804d657 : 0x1597 :0x18 mov r30, 0x10
0x0804d65e : 0x159e :0x1c mov [r1], r30
0x0804d661 : 0x15a1 :0x18 mov r30, 0x1
0x0804d668 : 0x15a8 :0x04 mul r30, r30, 0x40
0x0804d670 : 0x15b0 :0x18 mov r0, r9
0x0804d674 : 0x15b4 :0x02 add r30, r30, r0
0x0804d679 : 0x15b9 :0x18 mov r1, r30
0x0804d67d : 0x15bd :0x18 mov r30, 0x9c
0x0804d684 : 0x15c4 :0x1c mov [r1], r30
0x0804d687 : 0x15c7 :0x18 mov r30, 0x1
0x0804d68e : 0x15ce :0x04 mul r30, r30, 0x44
0x0804d696 : 0x15d6 :0x18 mov r0, r9
0x0804d69a : 0x15da :0x02 add r30, r30, r0
0x0804d69f : 0x15df :0x18 mov r1, r30
0x0804d6a3 : 0x15e3 :0x18 mov r30, 0x60 ; `
0x0804d6aa : 0x15ea :0x1c mov [r1], r30
0x0804d6ad : 0x15ed :0x18 mov r30, 0x1
0x0804d6b4 : 0x15f4 :0x04 mul r30, r30, 0x48
0x0804d6bc : 0x15fc :0x18 mov r0, r9
0x0804d6c0 : 0x1600 :0x02 add r30, r30, r0
0x0804d6c5 : 0x1605 :0x18 mov r1, r30
0x0804d6c9 : 0x1609 :0x18 mov r30, 0x7
0x0804d6d0 : 0x1610 :0x1c mov [r1], r30
0x0804d6d3 : 0x1613 :0x18 mov r30, 0x1
0x0804d6da : 0x161a :0x04 mul r30, r30, 0x4c
0x0804d6e2 : 0x1622 :0x18 mov r0, r9
0x0804d6e6 : 0x1626 :0x02 add r30, r30, r0
0x0804d6eb : 0x162b :0x18 mov r1, r30
0x0804d6ef : 0x162f :0x18 mov r30, 0x10
0x0804d6f6 : 0x1636 :0x1c mov [r1], r30
0x0804d6f9 : 0x1639 :0x18 mov r30, 0x1
0x0804d700 : 0x1640 :0x04 mul r30, r30, 0x50
0x0804d708 : 0x1648 :0x18 mov r0, r9
0x0804d70c : 0x164c :0x02 add r30, r30, r0
0x0804d711 : 0x1651 :0x18 mov r1, r30
0x0804d715 : 0x1655 :0x18 mov r30, 0x85
0x0804d71c : 0x165c :0x1c mov [r1], r30
0x0804d71f : 0x165f :0x18 mov r30, 0x1
0x0804d726 : 0x1666 :0x04 mul r30, r30, 0x54
0x0804d72e : 0x166e :0x18 mov r0, r9
0x0804d732 : 0x1672 :0x02 add r30, r30, r0
0x0804d737 : 0x1677 :0x18 mov r1, r30
0x0804d73b : 0x167b :0x18 mov r30, 0x61 ; a
0x0804d742 : 0x1682 :0x1c mov [r1], r30
0x0804d745 : 0x1685 :0x18 mov r30, 0x1
0x0804d74c : 0x168c :0x04 mul r30, r30, 0x58
0x0804d754 : 0x1694 :0x18 mov r0, r9
0x0804d758 : 0x1698 :0x02 add r30, r30, r0
0x0804d75d : 0x169d :0x18 mov r1, r30
0x0804d761 : 0x16a1 :0x18 mov r30, 0x11
0x0804d768 : 0x16a8 :0x1c mov [r1], r30
0x0804d76b : 0x16ab :0x18 mov r30, 0x1
0x0804d772 : 0x16b2 :0x04 mul r30, r30, 0x5c
0x0804d77a : 0x16ba :0x18 mov r0, r9
0x0804d77e : 0x16be :0x02 add r30, r30, r0
0x0804d783 : 0x16c3 :0x18 mov r1, r30
0x0804d787 : 0x16c7 :0x18 mov r30, 0x3c ; <
0x0804d78e : 0x16ce :0x1c mov [r1], r30
0x0804d791 : 0x16d1 :0x18 mov r30, 0x1
0x0804d798 : 0x16d8 :0x04 mul r30, r30, 0x60
0x0804d7a0 : 0x16e0 :0x18 mov r0, r9
0x0804d7a4 : 0x16e4 :0x02 add r30, r30, r0
0x0804d7a9 : 0x16e9 :0x18 mov r1, r30
0x0804d7ad : 0x16ed :0x18 mov r30, 0xa2
0x0804d7b4 : 0x16f4 :0x1c mov [r1], r30
0x0804d7b7 : 0x16f7 :0x18 mov r30, 0x1
0x0804d7be : 0x16fe :0x04 mul r30, r30, 0x64
0x0804d7c6 : 0x1706 :0x18 mov r0, r9
0x0804d7ca : 0x170a :0x02 add r30, r30, r0
0x0804d7cf : 0x170f :0x18 mov r1, r30
0x0804d7d3 : 0x1713 :0x18 mov r30, 0x61 ; a
0x0804d7da : 0x171a :0x1c mov [r1], r30
0x0804d7dd : 0x171d :0x18 mov r30, 0x1
0x0804d7e4 : 0x1724 :0x04 mul r30, r30, 0x68
0x0804d7ec : 0x172c :0x18 mov r0, r9
0x0804d7f0 : 0x1730 :0x02 add r30, r30, r0
0x0804d7f5 : 0x1735 :0x18 mov r1, r30
0x0804d7f9 : 0x1739 :0x18 mov r30, 0xb
0x0804d800 : 0x1740 :0x1c mov [r1], r30
0x0804d803 : 0x1743 :0x18 mov r30, 0x1
0x0804d80a : 0x174a :0x04 mul r30, r30, 0x6c
0x0804d812 : 0x1752 :0x18 mov r0, r9
0x0804d816 : 0x1756 :0x02 add r30, r30, r0
0x0804d81b : 0x175b :0x18 mov r1, r30
0x0804d81f : 0x175f :0x18 mov r30, 0x10
0x0804d826 : 0x1766 :0x1c mov [r1], r30
0x0804d829 : 0x1769 :0x18 mov r30, 0x1
0x0804d830 : 0x1770 :0x04 mul r30, r30, 0x70
0x0804d838 : 0x1778 :0x18 mov r0, r9
0x0804d83c : 0x177c :0x02 add r30, r30, r0
0x0804d841 : 0x1781 :0x18 mov r1, r30
0x0804d845 : 0x1785 :0x18 mov r30, 0x90
0x0804d84c : 0x178c :0x1c mov [r1], r30
0x0804d84f : 0x178f :0x18 mov r30, 0x1
0x0804d856 : 0x1796 :0x04 mul r30, r30, 0x74
0x0804d85e : 0x179e :0x18 mov r0, r9
0x0804d862 : 0x17a2 :0x02 add r30, r30, r0
0x0804d867 : 0x17a7 :0x18 mov r1, r30
0x0804d86b : 0x17ab :0x18 mov r30, 0x77 ; w
0x0804d872 : 0x17b2 :0x1c mov [r1], r30
0x0804d875 : 0x17b5 :0x18 mov r3, 0x0
0x0804d87c : 0x17bc :0x0e jmp 0x17c6
0x0804d881 : 0x17c1 :0x0e jmp 0x1878
0x0804d886 : 0x17c6 :0x18 mov r1, 0x0
0x0804d88d : 0x17cd :0x18 mov r2, 0x0
0x0804d894 : 0x17d4 :0x0e jmp 0x1860
0x0804d899 : 0x17d9 :0x18 mov r30, r2
0x0804d89d : 0x17dd :0x04 mul r30, r30, 0x4
0x0804d8a5 : 0x17e5 :0x18 mov r0, r10
0x0804d8a9 : 0x17e9 :0x02 add r30, r30, r0
0x0804d8ae : 0x17ee :0x18 mov r3, r30
0x0804d8b2 : 0x17f2 :0x1b mov r4, [r3]
0x0804d8b5 : 0x17f5 :0x05 div r0, r2, 0x4 ; mod r3, r2, 0x4
0x0804d8be : 0x17fe :0x18 mov r30, r3
0x0804d8c2 : 0x1802 :0x04 mul r30, r30, 0x4
0x0804d8ca : 0x180a :0x18 mov r0, r5
0x0804d8ce : 0x180e :0x02 add r30, r30, r0
0x0804d8d3 : 0x1813 :0x18 mov r3, r30
0x0804d8d7 : 0x1817 :0x1b mov r3, [r3]
0x0804d8da : 0x181a :0x06 xor r4, r4, r3
0x0804d8df : 0x181f :0x18 mov r30, r2
0x0804d8e3 : 0x1823 :0x04 mul r30, r30, 0x4
0x0804d8eb : 0x182b :0x18 mov r0, r9
0x0804d8ef : 0x182f :0x02 add r30, r30, r0
0x0804d8f4 : 0x1834 :0x18 mov r3, r30
0x0804d8f8 : 0x1838 :0x1b mov r3, [r3]
0x0804d8fb : 0x183b :0x18 mov r30, r4
0x0804d8ff : 0x183f :0x18 mov r0, r3
0x0804d903 : 0x1843 :0x17 cmp r30, r0
0x0804d907 : 0x1847 :0x15 jnz 0x1851
0x0804d90c : 0x184c :0x0e jmp 0x1858
0x0804d911 : 0x1851 :0x18 mov r1, 0x1
0x0804d918 : 0x1858 :0x02 add r2, r2, 0x1
0x0804d920 : 0x1860 :0x18 mov r3, r1
0x0804d924 : 0x1864 :0x18 mov r30, r2
0x0804d928 : 0x1868 :0x18 mov r0, 0x1e
0x0804d92f : 0x186f :0x17 cmp r30, r0
0x0804d933 : 0x1873 :0x11 jlt 0x17d9
0x0804d938 : 0x1878 :0x16 test r3, r3
0x0804d93c : 0x187c :0x15 jnz 0x1952
==================== congratulations
0x0804d941 : 0x1881 :0x18 mov r0, 0x43 ; C
0x0804d948 : 0x1888 :0x0f call 0x103f ; putc()
0x0804d94d : 0x188d :0x18 mov r0, 0x6f ; o
0x0804d954 : 0x1894 :0x0f call 0x103f ; putc()
0x0804d959 : 0x1899 :0x18 mov r0, 0x6e ; n
0x0804d960 : 0x18a0 :0x0f call 0x103f ; putc()
0x0804d965 : 0x18a5 :0x18 mov r0, 0x67 ; g
0x0804d96c : 0x18ac :0x0f call 0x103f ; putc()
0x0804d971 : 0x18b1 :0x18 mov r0, 0x72 ; r
0x0804d978 : 0x18b8 :0x0f call 0x103f ; putc()
0x0804d97d : 0x18bd :0x18 mov r0, 0x61 ; a
0x0804d984 : 0x18c4 :0x0f call 0x103f ; putc()
0x0804d989 : 0x18c9 :0x18 mov r0, 0x74 ; t
0x0804d990 : 0x18d0 :0x0f call 0x103f ; putc()
0x0804d995 : 0x18d5 :0x18 mov r0, 0x75 ; u
0x0804d99c : 0x18dc :0x0f call 0x103f ; putc()
0x0804d9a1 : 0x18e1 :0x18 mov r0, 0x6c ; l
0x0804d9a8 : 0x18e8 :0x0f call 0x103f ; putc()
0x0804d9ad : 0x18ed :0x18 mov r0, 0x61 ; a
0x0804d9b4 : 0x18f4 :0x0f call 0x103f ; putc()
0x0804d9b9 : 0x18f9 :0x18 mov r0, 0x74 ; t
0x0804d9c0 : 0x1900 :0x0f call 0x103f ; putc()
0x0804d9c5 : 0x1905 :0x18 mov r0, 0x69 ; i
0x0804d9cc : 0x190c :0x0f call 0x103f ; putc()
0x0804d9d1 : 0x1911 :0x18 mov r0, 0x6f ; o
0x0804d9d8 : 0x1918 :0x0f call 0x103f ; putc()
0x0804d9dd : 0x191d :0x18 mov r0, 0x6e ; n
0x0804d9e4 : 0x1924 :0x0f call 0x103f ; putc()
0x0804d9e9 : 0x1929 :0x18 mov r0, 0x73 ; s
0x0804d9f0 : 0x1930 :0x0f call 0x103f ; putc()
0x0804d9f5 : 0x1935 :0x18 mov r0, 0x21 ; !
0x0804d9fc : 0x193c :0x0f call 0x103f ; putc()
0x0804da01 : 0x1941 :0x18 mov r0, 0xa
0x0804da08 : 0x1948 :0x0f call 0x103f ; putc()
0x0804da0d : 0x194d :0x0e jmp 0x1a66
==================== sorry_wrong_pass
0x0804da12 : 0x1952 :0x18 mov r0, 0x53 ; S
0x0804da19 : 0x1959 :0x0f call 0x103f ; putc()
0x0804da1e : 0x195e :0x18 mov r0, 0x6f ; o
0x0804da25 : 0x1965 :0x0f call 0x103f ; putc()
0x0804da2a : 0x196a :0x18 mov r0, 0x72 ; r
0x0804da31 : 0x1971 :0x0f call 0x103f ; putc()
0x0804da36 : 0x1976 :0x18 mov r0, 0x72 ; r
0x0804da3d : 0x197d :0x0f call 0x103f ; putc()
0x0804da42 : 0x1982 :0x18 mov r0, 0x79 ; y
0x0804da49 : 0x1989 :0x0f call 0x103f ; putc()
0x0804da4e : 0x198e :0x18 mov r0, 0x2c ; ,
0x0804da55 : 0x1995 :0x0f call 0x103f ; putc()
0x0804da5a : 0x199a :0x18 mov r0, 0x20 ;
0x0804da61 : 0x19a1 :0x0f call 0x103f ; putc()
0x0804da66 : 0x19a6 :0x18 mov r0, 0x77 ; w
0x0804da6d : 0x19ad :0x0f call 0x103f ; putc()
0x0804da72 : 0x19b2 :0x18 mov r0, 0x72 ; r
0x0804da79 : 0x19b9 :0x0f call 0x103f ; putc()
0x0804da7e : 0x19be :0x18 mov r0, 0x6f ; o
0x0804da85 : 0x19c5 :0x0f call 0x103f ; putc()
0x0804da8a : 0x19ca :0x18 mov r0, 0x6e ; n
0x0804da91 : 0x19d1 :0x0f call 0x103f ; putc()
0x0804da96 : 0x19d6 :0x18 mov r0, 0x67 ; g
0x0804da9d : 0x19dd :0x0f call 0x103f ; putc()
0x0804daa2 : 0x19e2 :0x18 mov r0, 0x20 ;
0x0804daa9 : 0x19e9 :0x0f call 0x103f ; putc()
0x0804daae : 0x19ee :0x18 mov r0, 0x70 ; p
0x0804dab5 : 0x19f5 :0x0f call 0x103f ; putc()
0x0804daba : 0x19fa :0x18 mov r0, 0x61 ; a
0x0804dac1 : 0x1a01 :0x0f call 0x103f ; putc()
0x0804dac6 : 0x1a06 :0x18 mov r0, 0x73 ; s
0x0804dacd : 0x1a0d :0x0f call 0x103f ; putc()
0x0804dad2 : 0x1a12 :0x18 mov r0, 0x73 ; s
0x0804dad9 : 0x1a19 :0x0f call 0x103f ; putc()
0x0804dade : 0x1a1e :0x18 mov r0, 0x77 ; w
0x0804dae5 : 0x1a25 :0x0f call 0x103f ; putc()
0x0804daea : 0x1a2a :0x18 mov r0, 0x6f ; o
0x0804daf1 : 0x1a31 :0x0f call 0x103f ; putc()
0x0804daf6 : 0x1a36 :0x18 mov r0, 0x72 ; r
0x0804dafd : 0x1a3d :0x0f call 0x103f ; putc()
0x0804db02 : 0x1a42 :0x18 mov r0, 0x64 ; d
0x0804db09 : 0x1a49 :0x0f call 0x103f ; putc()
0x0804db0e : 0x1a4e :0x18 mov r0, 0x21 ; !
0x0804db15 : 0x1a55 :0x0f call 0x103f ; putc()
0x0804db1a : 0x1a5a :0x18 mov r0, 0xa
0x0804db21 : 0x1a61 :0x0f call 0x103f ; putc()
0x0804db26 : 0x1a66 :0x1f pop r10
0x0804db28 : 0x1a68 :0x1f pop r9
0x0804db2a : 0x1a6a :0x01 retn
0x0804db2b : 0x1a6b :0x1d END END END
0x0804db2c : 0x1a6c :0x1d END END END
==================== please_enter_password
0x0804db2d : 0x1a6d :0x18 mov r0, 0x50 ; P
0x0804db34 : 0x1a74 :0x0f call 0x103f ; putc()
0x0804db39 : 0x1a79 :0x18 mov r0, 0x6c ; l
0x0804db40 : 0x1a80 :0x0f call 0x103f ; putc()
0x0804db45 : 0x1a85 :0x18 mov r0, 0x65 ; e
0x0804db4c : 0x1a8c :0x0f call 0x103f ; putc()
0x0804db51 : 0x1a91 :0x18 mov r0, 0x61 ; a
0x0804db58 : 0x1a98 :0x0f call 0x103f ; putc()
0x0804db5d : 0x1a9d :0x18 mov r0, 0x73 ; s
0x0804db64 : 0x1aa4 :0x0f call 0x103f ; putc()
0x0804db69 : 0x1aa9 :0x18 mov r0, 0x65 ; e
0x0804db70 : 0x1ab0 :0x0f call 0x103f ; putc()
0x0804db75 : 0x1ab5 :0x18 mov r0, 0x20 ;
0x0804db7c : 0x1abc :0x0f call 0x103f ; putc()
0x0804db81 : 0x1ac1 :0x18 mov r0, 0x65 ; e
0x0804db88 : 0x1ac8 :0x0f call 0x103f ; putc()
0x0804db8d : 0x1acd :0x18 mov r0, 0x6e ; n
0x0804db94 : 0x1ad4 :0x0f call 0x103f ; putc()
0x0804db99 : 0x1ad9 :0x18 mov r0, 0x74 ; t
0x0804dba0 : 0x1ae0 :0x0f call 0x103f ; putc()
0x0804dba5 : 0x1ae5 :0x18 mov r0, 0x65 ; e
0x0804dbac : 0x1aec :0x0f call 0x103f ; putc()
0x0804dbb1 : 0x1af1 :0x18 mov r0, 0x72 ; r
0x0804dbb8 : 0x1af8 :0x0f call 0x103f ; putc()
0x0804dbbd : 0x1afd :0x18 mov r0, 0x20 ;
0x0804dbc4 : 0x1b04 :0x0f call 0x103f ; putc()
0x0804dbc9 : 0x1b09 :0x18 mov r0, 0x79 ; y
0x0804dbd0 : 0x1b10 :0x0f call 0x103f ; putc()
0x0804dbd5 : 0x1b15 :0x18 mov r0, 0x6f ; o
0x0804dbdc : 0x1b1c :0x0f call 0x103f ; putc()
0x0804dbe1 : 0x1b21 :0x18 mov r0, 0x75 ; u
0x0804dbe8 : 0x1b28 :0x0f call 0x103f ; putc()
0x0804dbed : 0x1b2d :0x18 mov r0, 0x72 ; r
0x0804dbf4 : 0x1b34 :0x0f call 0x103f ; putc()
0x0804dbf9 : 0x1b39 :0x18 mov r0, 0x20 ;
0x0804dc00 : 0x1b40 :0x0f call 0x103f ; putc()
0x0804dc05 : 0x1b45 :0x18 mov r0, 0x70 ; p
0x0804dc0c : 0x1b4c :0x0f call 0x103f ; putc()
0x0804dc11 : 0x1b51 :0x18 mov r0, 0x61 ; a
0x0804dc18 : 0x1b58 :0x0f call 0x103f ; putc()
0x0804dc1d : 0x1b5d :0x18 mov r0, 0x73 ; s
0x0804dc24 : 0x1b64 :0x0f call 0x103f ; putc()
0x0804dc29 : 0x1b69 :0x18 mov r0, 0x73 ; s
0x0804dc30 : 0x1b70 :0x0f call 0x103f ; putc()
0x0804dc35 : 0x1b75 :0x18 mov r0, 0x77 ; w
0x0804dc3c : 0x1b7c :0x0f call 0x103f ; putc()
0x0804dc41 : 0x1b81 :0x18 mov r0, 0x6f ; o
0x0804dc48 : 0x1b88 :0x0f call 0x103f ; putc()
0x0804dc4d : 0x1b8d :0x18 mov r0, 0x72 ; r
0x0804dc54 : 0x1b94 :0x0f call 0x103f ; putc()
0x0804dc59 : 0x1b99 :0x18 mov r0, 0x64 ; d
0x0804dc60 : 0x1ba0 :0x0f call 0x103f ; putc()
0x0804dc65 : 0x1ba5 :0x18 mov r0, 0x3a ; :
0x0804dc6c : 0x1bac :0x0f call 0x103f ; putc()
0x0804dc71 : 0x1bb1 :0x18 mov r0, 0x20 ;
0x0804dc78 : 0x1bb8 :0x0f call 0x103f ; putc()
0x0804dc7d : 0x1bbd :0x01 retn
0x0804dc7e : 0x1bbe :0x1d END END END
0x0804dc7f : 0x1bbf :0x1d END END END
==================== main
0x0804dc80 : 0x1bc0 :0x1e push r9
0x0804dc83 : 0x1bc3 :0x1e push r10
0x0804dc86 : 0x1bc6 :0x1e push r11
0x0804dc89 : 0x1bc9 :0x0f call 0x1a6d ; please_enter_password()
0x0804dc8e : 0x1bce :0x18 mov r1, 0x1e
0x0804dc95 : 0x1bd5 :0x18 mov r0, 0x4
0x0804dc9c : 0x1bdc :0x0f call 0x1080 ; malloc(r0:item size, r1:n)()
0x0804dca1 : 0x1be1 :0x18 mov r11, r0
0x0804dca5 : 0x1be5 :0x0e jmp 0x1bef
0x0804dcaa : 0x1bea :0x0e jmp 0x1d7a
0x0804dcaf : 0x1bef :0x18 mov r9, 0x0
0x0804dcb6 : 0x1bf6 :0x0e jmp 0x1d66
0x0804dcbb : 0x1bfb :0x18 mov r30, r9
0x0804dcbf : 0x1bff :0x04 mul r30, r30, 0x4
0x0804dcc7 : 0x1c07 :0x18 mov r0, r11
0x0804dccb : 0x1c0b :0x02 add r30, r30, r0
0x0804dcd0 : 0x1c10 :0x18 mov r10, r30
0x0804dcd4 : 0x1c14 :0x0f call 0x104b ; getc()
0x0804dcd9 : 0x1c19 :0x18 mov r1, r0
0x0804dcdd : 0x1c1d :0x1c mov [r10], r1
0x0804dce0 : 0x1c20 :0x1b mov r1, [r10]
0x0804dce3 : 0x1c23 :0x18 mov r30, r1
0x0804dce7 : 0x1c27 :0x18 mov r0, 0xa
0x0804dcee : 0x1c2e :0x17 cmp r30, r0
0x0804dcf2 : 0x1c32 :0x10 jz 0x1c3c
0x0804dcf7 : 0x1c37 :0x0e jmp 0x1d5e
0x0804dcfc : 0x1c3c :0x18 mov r0, 0x53 ; S
0x0804dd03 : 0x1c43 :0x0f call 0x103f ; putc()
0x0804dd08 : 0x1c48 :0x18 mov r0, 0x6f ; o
0x0804dd0f : 0x1c4f :0x0f call 0x103f ; putc()
0x0804dd14 : 0x1c54 :0x18 mov r0, 0x72 ; r
0x0804dd1b : 0x1c5b :0x0f call 0x103f ; putc()
0x0804dd20 : 0x1c60 :0x18 mov r0, 0x72 ; r
0x0804dd27 : 0x1c67 :0x0f call 0x103f ; putc()
0x0804dd2c : 0x1c6c :0x18 mov r0, 0x79 ; y
0x0804dd33 : 0x1c73 :0x0f call 0x103f ; putc()
0x0804dd38 : 0x1c78 :0x18 mov r0, 0x2c ; ,
0x0804dd3f : 0x1c7f :0x0f call 0x103f ; putc()
0x0804dd44 : 0x1c84 :0x18 mov r0, 0x20 ;
0x0804dd4b : 0x1c8b :0x0f call 0x103f ; putc()
0x0804dd50 : 0x1c90 :0x18 mov r0, 0x77 ; w
0x0804dd57 : 0x1c97 :0x0f call 0x103f ; putc()
0x0804dd5c : 0x1c9c :0x18 mov r0, 0x72 ; r
0x0804dd63 : 0x1ca3 :0x0f call 0x103f ; putc()
0x0804dd68 : 0x1ca8 :0x18 mov r0, 0x6f ; o
0x0804dd6f : 0x1caf :0x0f call 0x103f ; putc()
0x0804dd74 : 0x1cb4 :0x18 mov r0, 0x6e ; n
0x0804dd7b : 0x1cbb :0x0f call 0x103f ; putc()
0x0804dd80 : 0x1cc0 :0x18 mov r0, 0x67 ; g
0x0804dd87 : 0x1cc7 :0x0f call 0x103f ; putc()
0x0804dd8c : 0x1ccc :0x18 mov r0, 0x20 ;
0x0804dd93 : 0x1cd3 :0x0f call 0x103f ; putc()
0x0804dd98 : 0x1cd8 :0x18 mov r0, 0x70 ; p
0x0804dd9f : 0x1cdf :0x0f call 0x103f ; putc()
0x0804dda4 : 0x1ce4 :0x18 mov r0, 0x61 ; a
0x0804ddab : 0x1ceb :0x0f call 0x103f ; putc()
0x0804ddb0 : 0x1cf0 :0x18 mov r0, 0x73 ; s
0x0804ddb7 : 0x1cf7 :0x0f call 0x103f ; putc()
0x0804ddbc : 0x1cfc :0x18 mov r0, 0x73 ; s
0x0804ddc3 : 0x1d03 :0x0f call 0x103f ; putc()
0x0804ddc8 : 0x1d08 :0x18 mov r0, 0x77 ; w
0x0804ddcf : 0x1d0f :0x0f call 0x103f ; putc()
0x0804ddd4 : 0x1d14 :0x18 mov r0, 0x6f ; o
0x0804dddb : 0x1d1b :0x0f call 0x103f ; putc()
0x0804dde0 : 0x1d20 :0x18 mov r0, 0x72 ; r
0x0804dde7 : 0x1d27 :0x0f call 0x103f ; putc()
0x0804ddec : 0x1d2c :0x18 mov r0, 0x64 ; d
0x0804ddf3 : 0x1d33 :0x0f call 0x103f ; putc()
0x0804ddf8 : 0x1d38 :0x18 mov r0, 0x21 ; !
0x0804ddff : 0x1d3f :0x0f call 0x103f ; putc()
0x0804de04 : 0x1d44 :0x18 mov r0, 0xa
0x0804de0b : 0x1d4b :0x0f call 0x103f ; putc()
0x0804de10 : 0x1d50 :0x18 mov r0, 0x0
0x0804de17 : 0x1d57 :0x1f pop r11
0x0804de19 : 0x1d59 :0x1f pop r10
0x0804de1b : 0x1d5b :0x1f pop r9
0x0804de1d : 0x1d5d :0x01 retn
0x0804de1e : 0x1d5e :0x02 add r9, r9, 0x1
0x0804de26 : 0x1d66 :0x18 mov r30, r9
0x0804de2a : 0x1d6a :0x18 mov r0, 0x1e
0x0804de31 : 0x1d71 :0x17 cmp r30, r0
0x0804de35 : 0x1d75 :0x11 jlt 0x1bfb
0x0804de3a : 0x1d7a :0x0f call 0x104b ; getc()
0x0804de3f : 0x1d7f :0x18 mov r1, r0
0x0804de43 : 0x1d83 :0x18 mov r30, r1
0x0804de47 : 0x1d87 :0x18 mov r0, 0xa
0x0804de4e : 0x1d8e :0x17 cmp r30, r0
0x0804de52 : 0x1d92 :0x15 jnz 0x1d9c
0x0804de57 : 0x1d97 :0x0e jmp 0x1ebe ; validate_password()
0x0804de5c : 0x1d9c :0x18 mov r0, 0x53 ; S
0x0804de63 : 0x1da3 :0x0f call 0x103f ; putc()
0x0804de68 : 0x1da8 :0x18 mov r0, 0x6f ; o
0x0804de6f : 0x1daf :0x0f call 0x103f ; putc()
0x0804de74 : 0x1db4 :0x18 mov r0, 0x72 ; r
0x0804de7b : 0x1dbb :0x0f call 0x103f ; putc()
0x0804de80 : 0x1dc0 :0x18 mov r0, 0x72 ; r
0x0804de87 : 0x1dc7 :0x0f call 0x103f ; putc()
0x0804de8c : 0x1dcc :0x18 mov r0, 0x79 ; y
0x0804de93 : 0x1dd3 :0x0f call 0x103f ; putc()
0x0804de98 : 0x1dd8 :0x18 mov r0, 0x2c ; ,
0x0804de9f : 0x1ddf :0x0f call 0x103f ; putc()
0x0804dea4 : 0x1de4 :0x18 mov r0, 0x20 ;
0x0804deab : 0x1deb :0x0f call 0x103f ; putc()
0x0804deb0 : 0x1df0 :0x18 mov r0, 0x77 ; w
0x0804deb7 : 0x1df7 :0x0f call 0x103f ; putc()
0x0804debc : 0x1dfc :0x18 mov r0, 0x72 ; r
0x0804dec3 : 0x1e03 :0x0f call 0x103f ; putc()
0x0804dec8 : 0x1e08 :0x18 mov r0, 0x6f ; o
0x0804decf : 0x1e0f :0x0f call 0x103f ; putc()
0x0804ded4 : 0x1e14 :0x18 mov r0, 0x6e ; n
0x0804dedb : 0x1e1b :0x0f call 0x103f ; putc()
0x0804dee0 : 0x1e20 :0x18 mov r0, 0x67 ; g
0x0804dee7 : 0x1e27 :0x0f call 0x103f ; putc()
0x0804deec : 0x1e2c :0x18 mov r0, 0x20 ;
0x0804def3 : 0x1e33 :0x0f call 0x103f ; putc()
0x0804def8 : 0x1e38 :0x18 mov r0, 0x70 ; p
0x0804deff : 0x1e3f :0x0f call 0x103f ; putc()
0x0804df04 : 0x1e44 :0x18 mov r0, 0x61 ; a
0x0804df0b : 0x1e4b :0x0f call 0x103f ; putc()
0x0804df10 : 0x1e50 :0x18 mov r0, 0x73 ; s
0x0804df17 : 0x1e57 :0x0f call 0x103f ; putc()
0x0804df1c : 0x1e5c :0x18 mov r0, 0x73 ; s
0x0804df23 : 0x1e63 :0x0f call 0x103f ; putc()
0x0804df28 : 0x1e68 :0x18 mov r0, 0x77 ; w
0x0804df2f : 0x1e6f :0x0f call 0x103f ; putc()
0x0804df34 : 0x1e74 :0x18 mov r0, 0x6f ; o
0x0804df3b : 0x1e7b :0x0f call 0x103f ; putc()
0x0804df40 : 0x1e80 :0x18 mov r0, 0x72 ; r
0x0804df47 : 0x1e87 :0x0f call 0x103f ; putc()
0x0804df4c : 0x1e8c :0x18 mov r0, 0x64 ; d
0x0804df53 : 0x1e93 :0x0f call 0x103f ; putc()
0x0804df58 : 0x1e98 :0x18 mov r0, 0x21 ; !
0x0804df5f : 0x1e9f :0x0f call 0x103f ; putc()
0x0804df64 : 0x1ea4 :0x18 mov r0, 0xa
0x0804df6b : 0x1eab :0x0f call 0x103f ; putc()
0x0804df70 : 0x1eb0 :0x18 mov r0, 0x0
0x0804df77 : 0x1eb7 :0x1f pop r11
0x0804df79 : 0x1eb9 :0x1f pop r10
0x0804df7b : 0x1ebb :0x1f pop r9
0x0804df7d : 0x1ebd :0x01 retn
==================== validate_password
0x0804df7e : 0x1ebe :0x18 mov r0, r11
0x0804df82 : 0x1ec2 :0x0f call 0x12a9 ; long_pass_test()
0x0804df87 : 0x1ec7 :0x18 mov r0, 0x0
0x0804df8e : 0x1ece :0x1f pop r11
0x0804df90 : 0x1ed0 :0x1f pop r10
0x0804df92 : 0x1ed2 :0x1f pop r9
0x0804df94 : 0x1ed4 :0x01 retn
0x0804df95 : 0x1ed5 :0x1d END END END
0x0804df96 : 0x1ed6 :0x1d END END END
0x0804df97 : 0x1ed7 :0x18 mov r0, 0x0
This is where I realized I got lucky that I dumped the memory after it prompted me for my password because the virtual program is also packed (xored).
At this point it becomes just another reversing job. Reading the code you can see that it is first comparing any character entered with newline and if there were fewer than 0x1e (30) characters entered, it jumps to print Sorry, wrong password! and exits. I was interested with what it was doing with mt password before it compared it with the reference computed earlier.
To do so I did a few experiments in gdb… first I put a breakpoint on the cmp instruction (right on the real x86 sub instruction in the virtual cmp block) and looked at the 2 operands as my password was compared. I could see that if I enteed 30 A, I would get a comparision of a repeating 4 bytes to a reference. If I entered 30 B, I would get a comparision of another repeating 4 to the same reference as before. This was good news! The reference was not influenced by my input (for those who done challenge 5 of the flare-on 2016).
Reading the code, I could see that at virtual line 0x181a, my password was xored with something before it was compared to the reference. I decided to put a breakpoint on this in gdb and extract the xor key. The key I got was xorkey = '\xfd\x0e\x63\x4f'. I then wrote a simple python script to xor the reference with that key and got the password!
Here is the python script for this last step:
#!/usr/bin/env python
# @author: GuilT
"""
packers_and_vms_and_xors_oh_my
"""
xorkey = bytearray('\xfd\x0e\x63\x4f')
password = bytearray('\x8d\x6f\x00\x24\x98\x7c\x10\x10\x9c\x60\x07\x10\x8b\x63\x10\x10\x9c\x60\x07\x10\x85\x61\x11\x3c\xa2\x61\x0b\x10\x90\x77')
for i in range(len(password)):
password[i] = password[i] ^ xorkey[i % 4]
print password