EvilZone
Hacking and Security => Hacking and Security => : L0rd_M@dness April 03, 2013, 11:10:21 PM
-
Practicing for a CTF contest. I'm given a set of hexadecimal numbers I'm supposed to decode, but there is no decoding algorithm. It just says "Decode the key:" followed by the hex values. How can I gather information about the type of code it is?
-
FF addon with hash identifier: https://addons.mozilla.org/en-US/firefox/addon/dorktools/?src=ss
hash identifier python script: https://code.google.com/p/hash-identifier/
-
Length of the hash in bits will narrow it down a bit.
{lengthOfHexString} / 2 * 8 calculates how many bits the hash contains.
Then just look for hash algorithms of {bits} length.
I'd also Google the hash, as someone may have already cracked it.
-
It's not really a hash, just a series of hex values. Apparently they mean something, but converting them to ASCII just produces a nonsense string...
-
Asking for a hash type is very confusing when you are not talking about a hash at all. I suggest you edit your title.
Have you tried Base64, octal and similar looking encodings?
I don't see a way to find it out other than trying. Maybe you can find a multi decoder, where you can try to apply multiple encodings at once.
-
Can you show it to us so we can get a better understanding of it?
and remember to use the code tag
-
It changes every time I pass the previous level, but it's something like:
\x31\xC0\x50\x68\x78\x24\x20\x76\x68\x79\x75\x70\x78\x68\x75\x73\x24\x70\x68\x79\x27\x22\x75\x68\x24\x25\x22\x73\x68\x77\x74\x79\x25\x68\x72\x70\x71\x78\x68\x71\x78\x76\x22\x68\x79\x22\x75\x73\x68\x22\x27\x70\x78\x68\x78\x22\x75\x22\x68\x70\x77\x77\x79\x68\x24\x25\x23\x25\x68\x75\x72\x71\x70\x68\x24\x74\x72\x71\x68\x20\x27\x76\x24\x68\x71\x70\x79\x74\x68\x24\x22\x74\x24\x68\x20\x79\x73\x23\x68\x25\x77\x25\x73\x68\x23\x25\x25\x75\x68\x73\x20\x79\x77\x68\x70\x74\x24\x27\x68\x70\x20\x20\x24\x68\x74\x23\x75\x70\x68\x76\x72\x79\x76\x68\x79\x70\x24\x27\x68\x24\x77\x78\x79\x68\x71\x77\x75\x24\x68\x27\x77\x76\x70\x68\x24\x71\x71\x78\x68\x79\x76\x71\x75\x54\x5E\x8B\xFE\x8B\xD7\xFC\xB9\x80\x00\x00\x00\xBB\x41\x00\x00\x00\x31\xC0\x50\xAC\x33\xC3\xAA\xE2\xFA\x54\x5E\xCC
It appears to me to be content of a file, but how to know what type of file it could make?
I tried going back and changing the email address, and as expected, the given hex numbers change every time. But one thing doesn't ever change: the first 4 hex values, which are:
31 C0 50 68
This never changes. First I thought it was a magic number so I searched for it in tables online. Such a thing doesn't exist.
Does anyone have a clue what "31 C0 50 68" might mean?
Staff note: no double post!
shit I did it again...
-
Look if it makes sense as shellcode.
You can convert shellcode to ASM i.e. here: http://zeltser.com/reverse-malware/convert-shellcode.html
-
I still haven't really gotten anything.
Deque, thanks for the tip, but being the true noob I am, I have no idea about how to run an assembly program. I reversed the shell code to assembly, and tried compiling it with fasm, but all I get is a BIN file ???
which, again, being the noob I am, doesn't make sense to me and I don't know how to run it (expected an exe... is that not what I should get?)
This is the output from the program I have right now: pastebin.com/yi7kQNc3
And removing the line numbers, this is the asm code:
xor eax,eax
push eax
push dword(0x76202478)
push dword(0x78707579)
push dword(0x70247375)
push dword(0x75222779)
push dword(0x73222524)
push dword(0x25797477)
push dword(0x78717072)
push dword(0x22767871)
push dword(0x73752279)
push dword(0x78702722)
push dword(0x22752278)
push dword(0x79777770)
push dword(0x25232524)
push dword(0x70717275)
push dword(0x71727424)
push dword(0x24762720)
push dword(0x74797071)
push dword(0x24742224)
push dword(0x23737920)
push dword(0x73257725)
push dword(0x75252523)
push dword(0x77792073)
push dword(0x27247470)
push dword(0x24202070)
push dword(0x70752374)
push dword(0x76797276)
push dword(0x27247079)
push dword(0x79787724)
push dword(0x24757771)
push dword(0x70767727)
push dword(0x78717124)
push dword(0x75717679)
push esp
pop esi
mov edi,esi
mov edx,edi
cld
mov ecx,0x80
mov ebx,0x41
xor eax,eax
push eax
lods byte[esi]
xor eax,ebx
stos byte[es:edi]
loop 0xb7
push esp
pop esi
int 0x3
-
Kind of annoying to read with no address numbers. But it's a xor decoder. See the latest xor + loop
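The XOR decoder that reply points out, as an added example (not code from the thread): a static walk of the posted bytes in Python that collects the pushed dwords, reads the length from ECX and the key from BL, and undoes the XOR without executing anything. It handles only the opcodes that appear in this stub; the name `decode_stub` and the hex layout of `POSTED` are choices made for this example.

```python
# Shellcode bytes exactly as posted in the thread, rewritten as plain hex.
POSTED = (
    "31C050"
    "687824207668797570786875732470687927227568242522736877747925"
    "687270717868717876226879227573682227707868782275226870777779"
    "682425232568757271706824747271682027762468717079746824227424"
    "682079732368257725736823252575687320797768707424276870202024"
    "687423757068767279766879702427682477787968717775246827777670"
    "68247171786879767175"
    "545E8BFE8BD7FCB980000000BB4100000031C050AC33C3AAE2FA545ECC"
)


def decode_stub(text):
    """Walk the stub statically (nothing is executed) and undo its XOR loop."""
    code = bytes.fromhex(text.replace("\\x", "").replace(" ", ""))
    stack = bytearray()  # models memory from ESP upward
    buf = None           # copy of the stack at the moment ESI is pointed at it
    regs = {}
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0x68:                          # push imm32
            stack[:0] = code[i + 1:i + 5]
            i += 5
        elif op == 0x50:                        # push eax (zeroed by xor eax,eax)
            stack[:0] = bytes(4)
            i += 1
        elif op in (0xB9, 0xBB):                # mov ecx,imm32 / mov ebx,imm32
            regs[op] = int.from_bytes(code[i + 1:i + 5], "little")
            i += 5
        elif code[i:i + 2] == b"\x54\x5e":      # push esp; pop esi
            buf = bytes(stack) if buf is None else buf
            i += 2
        elif op in (0x31, 0x33, 0x8B, 0xE2):    # xor r,r / mov r,r / loop rel8
            i += 2
        elif op in (0xFC, 0xAC, 0xAA, 0xCC):    # cld, lodsb, stosb, int3
            i += 1
        else:
            raise ValueError(f"unhandled opcode {op:#04x} at offset {i:#x}")
    if buf is None or 0xB9 not in regs or 0xBB not in regs:
        raise ValueError("no XOR decoder loop recognised")
    count, key = regs[0xB9], regs[0xBB] & 0xFF  # ECX = length, BL = key
    return key, count, bytes(b ^ key for b in buf[:count]).decode("ascii")


if __name__ == "__main__":
    key, count, plain = decode_stub(POSTED)
    print(f"key={key:#x} count={count} decoded={plain}")
```

The function also accepts the `\x31\xC0...` form used in the post, so a fresh challenge string can be pasted in unchanged.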
-
try this one www.netwaredechiapas.com.mx/hash-identify.php