Added Hidden hash task (rev 250)

Author: awengar

HiddenHash/create/hhsh.elf

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+g++ -m32 -o hhsh.elf task.cpp
+execstack -s hhsh.elf
+

HiddenHash/create/make.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/python
+import sys
+from re import *
+from scipy.fftpack import *
+
+def getNum(s_num):
+	tk = findall(r'\S\S',s_num)
+	ssum=0
+	for i in range(len(tk)):
+		cc = int(tk[len(tk)-i-1],16)
+		ssum = (ssum << 8) + cc
+	return ssum
+def getProcCode(fn,fname):
+	ff = open(fn,"r")
+	seq=[]
+	start=0
+	for line in ff:
+		if (fname in line) and ("ENDP" in line):
+			start = 0
+		if start == 1:
+			if line[0] == ';':
+				continue
+			data = findall(r'\S{5}\s+(.+?)\t',line)
+			print fname,"! ",data,hex(getNum(data[0]))
+			seq.append(getNum(data[0]) * 1.0)
+
+		if (fname in line) and ("PROC" in line):
+			start = 1
+	ff.close();
+	return seq
+
+start = 0
+seq1 = getProcCode(sys.argv[1],"hash1")
+seq2 = getProcCode(sys.argv[1],"hash2")
+seq1=seq1[6:-5]
+seq2=seq2[6:-5]
+print seq1
+print seq2
+
+dseq1 = dct(seq1,1)
+dseq2 = dct(seq2,1)
+print seq1
+print "double q1 [] = {"+",".join(map(str,dseq1))+"};"
+print "unsigned int q1_len = %d;" % len(dseq1)
+print map(lambda x:round(x/(2.0*(len(seq1)-1))),idct(dseq1,1))
+print seq2
+print "double q2 [] = {"+",".join(map(str,dseq2))+"};"
+print "unsigned int q2_len = %d;" % len(dseq2)
+print map(lambda x:round(x/(2.0*(len(seq2)-1))),idct(dseq2,1))
+
+

HiddenHash/create/parse_code.py

@@ -0,0 +1,87 @@
+#include <stdio.h>
+#include <math.h>
+#include <string.h>
+#define PI 3.1415926535897932384626433832795
+double q1 [] = {255037122.0,21228535.6118,-31222210.0099,32787438.909,-67417641.7612,-74270237.8351,-20427819.8469,-6292819.17092,-16225114.2612,-20437144.9698,-28156796.7643,-34376782.6837,11241782.3525,115468022.912,4863824.80768,26436635.1965,62538224.0342,-33011432.1142,-39764910.7944,-8608542.09469,-3089987.61241,-11055025.7609,1304209.85595,-15692216.0};
+unsigned int q1_len = 24;
+double q2 [] = {254612100.0,14027280.6281,-18784685.5744,35210085.7106,-60778878.333,-54393839.4879,-31986439.8741,-28616874.5518,-15757295.0602,2670129.26556,-79931500.0356,-6838426.50206,68760875.0765,16732018.0,582881.752764,51517017.2399,4467959.98166,17323759.1217,29756440.1578,-33108393.768,52029323.5888,-23700083.7673,-108993287.426,-36736303.4412,29052879.7462,45939111.5525,11178756.0};
+unsigned int q2_len = 27;
+
+
+double MakeMagic (double * x,int k,int N){
+	/*
+                                   N-2
+y[k] = x[0] + (-1)**k x[N-1] + 2 * sum x[n]*cos(pi*k*n/(N-1))
+                                   n=1
+	*/
+	double res = 0.0f;
+	res = x[0];
+	double oone=1.0;
+	for (int i=0;i<k; i++)
+		oone = oone * (-1.0);
+	res = res + oone * x[N-1];
+	for (int n=1; n<N-1;n++){
+		res = res + 2.0*x[n] * cos(PI * k * 1.0 * n * 1.0 / (1.0*(N-1.0)));
+	}
+	res = res /(2*(N-1.0));
+	return res;
+}
+void fix (long long int &cmd){
+	if ((cmd & 0xFF00) == 0){
+		cmd = cmd | 0xC300;
+		
+	}
+	else if ((cmd & 0xFF0000L) == 0){
+		cmd = cmd | 0xC30000L;
+		
+	}
+	else if ((cmd & 0xFF000000L) == 0){
+		cmd = cmd | 0xC3000000L;
+		
+	}
+	else if ((cmd & 0xFF00000000L) == 0){
+		cmd = cmd | 0xC300000000L;
+		
+	}
+	else if ((cmd & 0xFF0000000000L) == 0){
+		cmd = cmd | 0xC30000000000L;	
+	}
+}
+unsigned int getHash(double *data,unsigned int data_len,char * st){
+	long long int cmd;
+	void * ccmd = &cmd;
+	unsigned int s_eax,s_ecx;
+	for (int i=0; i<data_len; i++){
+		double qw = MakeMagic(data,i,data_len);
+		//printf("%f\n",qw);
+		cmd = round(qw);
+		//printf("%llx \n", cmd);
+		fix(cmd);
+		__asm__ __volatile__ ("mov %0,%%esi"::"m"(st));
+		__asm__ __volatile__ ("mov %0,%%ecx"::"m"(s_ecx));
+		__asm__ __volatile__ ("mov %0,%%eax"::"m"(s_eax));
+		__asm__ __volatile__ ("lea %0,%%edi"::"m"(ccmd));
+		__asm__ __volatile__ ("call *0x0(%edi)");
+		__asm__ __volatile__ ("movl %%esi,%0":"=m"(st));
+		__asm__ __volatile__ ("movl %%ecx,%0":"=m"(s_ecx));
+		__asm__ __volatile__ ("movl %%eax,%0":"=m"(s_eax));
+		
+	}
+	return s_eax;
+}
+int main (int argc, char * argv[] ){
+	if (argc <2){
+		printf("Usage: <progname> <key>\n");
+		return 0;
+	}
+	unsigned int hash1 = getHash(q1,q1_len,argv[1]);
+	unsigned int hash2 = getHash(q2,q2_len,argv[1]);
+	//printf("%x %x\n",hash1,hash2);	bffeefac 213f522
+	if (hash1 == 0xbffeefac && hash2 == 0x213f522){//53Kur3dh
+		printf("Correct key: STCTF#%s#\n",argv[1]);
+	}
+	else{
+		printf("Incorrect key\n");
+	}
+	return 0;
+}

HiddenHash/create/task.cpp

@@ -0,0 +1,211 @@
+; Listing generated by Microsoft (R) Optimizing Compiler Version 17.00.50727.1 
+
+	TITLE	C:\stepCTF\rev300\task_cod.cpp
+	.686P
+	.XMM
+	include listing.inc
+	.model	flat
+
+INCLUDELIB LIBCMT
+INCLUDELIB OLDNAMES
+
+CONST	SEGMENT
+$SG4305	DB	'%x %x', 0aH, 00H
+CONST	ENDS
+PUBLIC	?hash1@@YAIPAD@Z				; hash1
+PUBLIC	?hash2@@YAIPAD@Z				; hash2
+PUBLIC	_main
+EXTRN	_printf:PROC
+; Function compile flags: /Odtp
+_TEXT	SEGMENT
+_argc$ = 8						; size = 4
+_argv$ = 12						; size = 4
+_main	PROC
+; File c:\stepctf\rev300\task_cod.cpp
+; Line 85
+  00000	55		 push	 ebp
+  00001	8b ec		 mov	 ebp, esp
+; Line 86
+  00003	83 7d 08 01	 cmp	 DWORD PTR _argc$[ebp], 1
+  00007	7e 3d		 jle	 SHORT $LN1@main
+; Line 87
+  00009	b8 04 00 00 00	 mov	 eax, 4
+  0000e	c1 e0 00	 shl	 eax, 0
+  00011	8b 4d 0c	 mov	 ecx, DWORD PTR _argv$[ebp]
+  00014	8b 14 01	 mov	 edx, DWORD PTR [ecx+eax]
+  00017	52		 push	 edx
+  00018	e8 00 00 00 00	 call	 ?hash2@@YAIPAD@Z	; hash2
+  0001d	83 c4 04	 add	 esp, 4
+  00020	50		 push	 eax
+  00021	b8 04 00 00 00	 mov	 eax, 4
+  00026	c1 e0 00	 shl	 eax, 0
+  00029	8b 4d 0c	 mov	 ecx, DWORD PTR _argv$[ebp]
+  0002c	8b 14 01	 mov	 edx, DWORD PTR [ecx+eax]
+  0002f	52		 push	 edx
+  00030	e8 00 00 00 00	 call	 ?hash1@@YAIPAD@Z	; hash1
+  00035	83 c4 04	 add	 esp, 4
+  00038	50		 push	 eax
+  00039	68 00 00 00 00	 push	 OFFSET $SG4305
+  0003e	e8 00 00 00 00	 call	 _printf
+  00043	83 c4 0c	 add	 esp, 12			; 0000000cH
+$LN1@main:
+; Line 90
+  00046	33 c0		 xor	 eax, eax
+; Line 91
+  00048	5d		 pop	 ebp
+  00049	c3		 ret	 0
+_main	ENDP
+_TEXT	ENDS
+; Function compile flags: /Odtp
+_TEXT	SEGMENT
+_key_val_ref$ = 8					; size = 4
+?hash2@@YAIPAD@Z PROC					; hash2
+; File c:\stepctf\rev300\task_cod.cpp
+; Line 42
+  00000	55		 push	 ebp
+  00001	8b ec		 mov	 ebp, esp
+  00003	56		 push	 esi
+; Line 45
+  00004	51		 push	 ecx
+; Line 46
+  00005	56		 push	 esi
+; Line 47
+  00006	8b 75 08	 mov	 esi, DWORD PTR _key_val_ref$[ebp]
+; Line 49
+  00009	33 c9		 xor	 ecx, ecx
+; Line 50
+  0000b	8b 06		 mov	 eax, DWORD PTR [esi]
+; Line 51
+  0000d	33 c8		 xor	 ecx, eax
+; Line 52
+  0000f	80 f1 ac	 xor	 cl, -84			; ffffffacH
+; Line 53
+  00012	80 f5 fa	 xor	 ch, -6			; fffffffaH
+; Line 54
+  00015	c1 c9 08	 ror	 ecx, 8
+; Line 55
+  00018	80 f1 af	 xor	 cl, -81			; ffffffafH
+; Line 56
+  0001b	90		 npad	 1
+; Line 57
+  0001c	80 f5 ca	 xor	 ch, -54			; ffffffcaH
+; Line 58
+  0001f	c1 c9 08	 ror	 ecx, 8
+; Line 60
+  00022	8b 46 04	 mov	 eax, DWORD PTR [esi+4]
+; Line 61
+  00025	c1 c0 08	 rol	 eax, 8
+; Line 62
+  00028	33 c8		 xor	 ecx, eax
+; Line 63
+  0002a	80 f1 ef	 xor	 cl, -17			; ffffffefH
+; Line 64
+  0002d	90		 npad	 1
+; Line 65
+  0002e	80 f5 5e	 xor	 ch, 94			; 0000005eH
+; Line 66
+  00031	c1 c9 08	 ror	 ecx, 8
+; Line 67
+  00034	80 f1 ac	 xor	 cl, -84			; ffffffacH
+; Line 68
+  00037	80 f5 fc	 xor	 ch, -4			; fffffffcH
+; Line 69
+  0003a	c1 c9 08	 ror	 ecx, 8
+; Line 71
+  0003d	80 f1 45	 xor	 cl, 69			; 00000045H
+; Line 72
+  00040	80 f5 65	 xor	 ch, 101			; 00000065H
+; Line 73
+  00043	c1 c9 08	 ror	 ecx, 8
+; Line 74
+  00046	80 f1 65	 xor	 cl, 101			; 00000065H
+; Line 75
+  00049	80 f5 24	 xor	 ch, 36			; 00000024H
+; Line 76
+  0004c	c1 c9 08	 ror	 ecx, 8
+; Line 78
+  0004f	8b c1		 mov	 eax, ecx
+; Line 79
+  00051	5e		 pop	 esi
+; Line 80
+  00052	59		 pop	 ecx
+; Line 82
+  00053	5e		 pop	 esi
+  00054	5d		 pop	 ebp
+  00055	c3		 ret	 0
+?hash2@@YAIPAD@Z ENDP					; hash2
+_TEXT	ENDS
+; Function compile flags: /Odtp
+_TEXT	SEGMENT
+_key_val_ref$ = 8					; size = 4
+?hash1@@YAIPAD@Z PROC					; hash1
+; File c:\stepctf\rev300\task_cod.cpp
+; Line 4
+  00000	55		 push	 ebp
+  00001	8b ec		 mov	 ebp, esp
+  00003	56		 push	 esi
+; Line 7
+  00004	51		 push	 ecx
+; Line 8
+  00005	56		 push	 esi
+; Line 9
+  00006	8b 75 08	 mov	 esi, DWORD PTR _key_val_ref$[ebp]
+; Line 11
+  00009	33 c9		 xor	 ecx, ecx
+; Line 12
+  0000b	8b 06		 mov	 eax, DWORD PTR [esi]
+; Line 13
+  0000d	33 c8		 xor	 ecx, eax
+; Line 14
+  0000f	80 f1 fe	 xor	 cl, -2			; fffffffeH
+; Line 15
+  00012	80 f5 ca	 xor	 ch, -54			; ffffffcaH
+; Line 16
+  00015	c1 c9 08	 ror	 ecx, 8
+; Line 17
+  00018	80 f1 be	 xor	 cl, -66			; ffffffbeH
+; Line 18
+  0001b	80 f5 ba	 xor	 ch, -70			; ffffffbaH
+; Line 19
+  0001e	c1 c9 08	 ror	 ecx, 8
+; Line 21
+  00021	8b 46 04	 mov	 eax, DWORD PTR [esi+4]
+; Line 22
+  00024	33 c8		 xor	 ecx, eax
+; Line 23
+  00026	80 f1 7f	 xor	 cl, 127			; 0000007fH
+; Line 24
+  00029	80 f5 5c	 xor	 ch, 92			; 0000005cH
+; Line 25
+  0002c	c1 c9 08	 ror	 ecx, 8
+; Line 26
+  0002f	80 f1 f5	 xor	 cl, -11			; fffffff5H
+; Line 27
+  00032	80 f5 c7	 xor	 ch, -57			; ffffffc7H
+; Line 28
+  00035	c1 c9 08	 ror	 ecx, 8
+; Line 30
+  00038	80 f1 96	 xor	 cl, -106		; ffffff96H
+; Line 31
+  0003b	80 f5 83	 xor	 ch, -125		; ffffff83H
+; Line 32
+  0003e	c1 c9 08	 ror	 ecx, 8
+; Line 33
+  00041	80 f1 13	 xor	 cl, 19			; 00000013H
+; Line 34
+  00044	80 f5 50	 xor	 ch, 80			; 00000050H
+; Line 35
+  00047	c1 c9 08	 ror	 ecx, 8
+; Line 37
+  0004a	8b c1		 mov	 eax, ecx
+; Line 38
+  0004c	5e		 pop	 esi
+; Line 39
+  0004d	59		 pop	 ecx
+; Line 41
+  0004e	5e		 pop	 esi
+  0004f	5d		 pop	 ebp
+  00050	c3		 ret	 0
+?hash1@@YAIPAD@Z ENDP					; hash1
+_TEXT	ENDS
+END