
In this challenge, on examining the code, I saw that each character of the input was passed through its own function, where a series of add and sub operations was done and finally the result was compared to a value. So I wrote the following code to parse the assembly, recognize the functions and simulate the add, sub, and cmp instructions. Since the functions were correctly sorted by address, I did not have to track which one called which. Also, the cmp instruction can be read as a sub in this case.

import re
import socket
import subprocess
import sys
import telnetlib
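# Solver loop: the service sends one sample (file name) per line; each sample is
# disassembled locally and the per-character add/sub/cmp chains are solved for
# the byte each check function expects.
#
# The pasted version of this script was Python 2, had lost its indentation and
# several statements; this rewrite targets Python 3 and marks every line that
# had to be reconstructed.

# objdump prints 64-bit immediates that encode negative constants as their
# unsigned two's-complement form (e.g. 0xffffffffffffff60 is -0xa0). Any value
# with the sign bit set is converted back to the negative number it encodes.
_SIGN_BIT = 1 << 63
_UINT64 = 1 << 64

# objdump pads mnemonics ("sub    rdi,0xd"), so match on whitespace runs rather
# than on the single-space strings the pasted script used.
_PUSH_RBP_RE = re.compile(r"\bpush\s+rbp\b")
_POP_RBP_RE = re.compile(r"\bpop\s+rbp\b")
_RDI_IMM_RE = re.compile(r"\b(add|sub|cmp)\s+rdi\s*,\s*0x([0-9a-fA-F]+)\b")

# Shape of the sample name the service sends. NOTE(review): based on the
# commented-out example in the original (64 hex digits) - relax the pattern if
# the service also sends other name shapes. Anything that does not match is
# never handed to objdump, so a line from the network cannot become a path or
# an option.
_SAMPLE_NAME_RE = re.compile(r"[0-9a-fA-F]+")


def _signed64(value: int) -> int:
    """Reinterpret an unsigned 64-bit immediate as the signed value it encodes."""
    return value - _UINT64 if value >= _SIGN_BIT else value


def _looks_like_sample_name(name: str) -> bool:
    """Return True when *name* is a bare hex file name (see _SAMPLE_NAME_RE).

    Empty lines, paths, and option-looking strings (leading ``-``) all fail.
    """
    return bool(_SAMPLE_NAME_RE.fullmatch(name))


def decode_expected_input(disassembly: str) -> str:
    """Recover the byte each per-character check function expects.

    Every function in the binary (``push rbp`` ... ``pop rbp``) applies a chain
    of ``add rdi, imm`` / ``sub rdi, imm`` to the input character and finally
    ``cmp rdi, imm`` against a constant.  Solving the chain for the input is
    just: add the ``add`` operands, subtract the ``sub`` operands, treat the
    ``cmp`` as one more subtraction, and negate the total when the function
    ends.  Totals in 1..127 are appended to the result; anything else is
    dropped (the pasted script's ``if c>0 and c<128`` filter).

    Args:
        disassembly: objdump ``-d -M intel`` text for one binary.

    Returns:
        The recovered characters in function (address) order.
    """
    recovered: list[str] = []
    inside_fn = False
    total = 0
    for line in disassembly.splitlines():
        if _PUSH_RBP_RE.search(line):
            inside_fn = True
            total = 0
            continue
        if _POP_RBP_RE.search(line):
            inside_fn = False
            # total holds adds - subs - cmp_constant; the input byte is its
            # negation because the cmp operand was subtracted like a sub.
            expected = -total
            if 0 < expected < 128:
                # NOTE(review): reconstructed - the pasted script lost the body
                # of its ``if c>0 and c<128:`` branch; appending chr(c) is the
                # only reading consistent with the final ``print 'o is ', o``.
                recovered.append(chr(expected))
            continue
        if not inside_fn:
            continue
        match = _RDI_IMM_RE.search(line)
        if match is None:
            continue  # e.g. "test rdi,rdi", "jo ...", or register operands
        mnemonic = match.group(1).lower()
        imm = _signed64(int(match.group(2), 16))
        if mnemonic == "add":
            total += imm
        else:
            # sub, and cmp - a subtraction whose result is only tested.
            total -= imm
    return "".join(recovered)


def _disassemble(sample: str) -> str:
    """Run ``objdump -d -M intel`` on *sample* and return its stdout.

    *sample* comes from the network, so it is passed as a single argv element
    after ``--`` (no shell, and it can never be parsed as an objdump option).
    A failing objdump is reported on stderr and yields whatever stdout it
    produced, matching the best-effort behaviour of the original.
    """
    result = subprocess.run(
        ["objdump", "-d", "-M", "intel", "--", sample],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        text=True,
    )
    if result.returncode != 0:
        print(f"objdump failed for {sample!r}: {result.stderr.strip()}", file=sys.stderr)
    return result.stdout


def main(host: str = "", port: int = 12003) -> None:
    """Read sample names from the service and print the recovered input for each.

    The original used ``telnetlib.Telnet``, which is deprecated and removed in
    Python 3.13; a plain socket gives the same line-oriented read.  The host is
    left empty as in the original ("there was some problem with DNS resolution,
    so this").  NOTE(review): as pasted, the loop only prints each result and
    never writes anything back to the service; whatever reply the service
    expects is not shown on the page and must be added here.
    """
    with socket.create_connection((host, port)) as conn, conn.makefile("rb") as lines:
        print(lines.readline().decode(errors="replace"))  # banner / first line
        for raw in lines:
            name = raw.decode(errors="replace").rstrip("\n").strip()
            print(name)
            # NOTE(review): the pasted script tested ``if flag in a:`` here with
            # ``flag`` undefined - presumably a marker for the service's final
            # line; restore that check if the service sends one.
            if not _looks_like_sample_name(name):
                continue
            print("o is ", decode_expected_input(_disassemble(name)))


if __name__ == "__main__":
    main()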


A sample of one of the functions that needed parsing, from IDA:
.text:0000000000402A20 sub_402A20 proc near ; CODE XREF: sub_4061B0+15Ap
.text:0000000000402A20 push rbp
.text:0000000000402A21 mov rbp, rsp
.text:0000000000402A24 test rdi, rdi
.text:0000000000402A27 jz loc_402B57
.text:0000000000402A2D sub rdi, 0Dh
.text:0000000000402A31 jo loc_402B61
.text:0000000000402A37 add rdi, 0Fh
.text:0000000000402A3B jo loc_402B63
.text:0000000000402A41 sub rdi, 3
.text:0000000000402A45 jo loc_402B65
.text:0000000000402A4B add rdi, 6
.text:0000000000402A4F jo loc_402B67
.text:0000000000402A55 sub rdi, 10h
.text:0000000000402A59 jo loc_402B69
.text:0000000000402A5F add rdi, 0Bh
.text:0000000000402A63 jo loc_402B6B
.text:0000000000402A69 add rdi, 15h
.text:0000000000402A6D jo loc_402B6D
.text:0000000000402A73 add rdi, 0Fh
.text:0000000000402A77 jo loc_402B6F
.text:0000000000402A7D sub rdi, 5
.text:0000000000402A81 jo loc_402B71
.text:0000000000402A87 sub rdi, 22h
.text:0000000000402A8B jo loc_402B73
.text:0000000000402A91 add rdi, 16h
.text:0000000000402A95 jo loc_402B75
.text:0000000000402A9B sub rdi, 7
.text:0000000000402A9F jo loc_402B77
.text:0000000000402AA5 sub rdi, 1Ch
.text:0000000000402AA9 jo loc_402B79
.text:0000000000402AAF sub rdi, 14h
.text:0000000000402AB3 jo loc_402B7B
.text:0000000000402AB9 sub rdi, 1Ch
.text:0000000000402ABD jo loc_402B7D
.text:0000000000402AC3 add rdi, 3
.text:0000000000402AC7 jo loc_402B7F
.text:0000000000402ACD add rdi, 0Ah
.text:0000000000402AD1 jo loc_402B81
.text:0000000000402AD7 sub rdi, 22h
.text:0000000000402ADB jo loc_402B83
.text:0000000000402AE1 sub rdi, 6
.text:0000000000402AE5 jo loc_402B85
.text:0000000000402AEB sub rdi, 10h
.text:0000000000402AEF jo loc_402B87
.text:0000000000402AF5 sub rdi, 10h
.text:0000000000402AF9 jo loc_402B89
.text:0000000000402AFF sub rdi, 0Ch
.text:0000000000402B03 jo loc_402B8B
.text:0000000000402B09 add rdi, 0Fh
.text:0000000000402B0D jo short loc_402B8D
.text:0000000000402B0F sub rdi, 5
.text:0000000000402B13 jo short loc_402B8F
.text:0000000000402B15 sub rdi, 10h
.text:0000000000402B19 jo short loc_402B91
.text:0000000000402B1B sub rdi, 0Ch
.text:0000000000402B1F jo short loc_402B93
.text:0000000000402B21 add rdi, 0Fh
.text:0000000000402B25 jo short loc_402B95
.text:0000000000402B27 add rdi, 0Dh
.text:0000000000402B2B jo short loc_402B97
.text:0000000000402B2D add rdi, 3
.text:0000000000402B31 jo short loc_402B99
.text:0000000000402B33 sub rdi, 18h
.text:0000000000402B37 jo short loc_402B9B
.text:0000000000402B39 sub rdi, 0Fh
.text:0000000000402B3D jo short loc_402B9D
.text:0000000000402B3F sub rdi, 1Fh
.text:0000000000402B43 jo short loc_402B9F
.text:0000000000402B45 cmp rdi, 0FFFFFFFFFFFFFF60h
.text:0000000000402B4C jnz short loc_402B57
.text:0000000000402B4E mov rax, 0FFFFFFFFFFFFFF60h
.text:0000000000402B55 pop rbp
.text:0000000000402B56 retn