Overview

bin500 is an arm binary that de-obfuscates and prints a key by xor-ing it with a stack address.

Writeup

After opening up this binary, we see that it puts 4 strings onto the stack and attempts to decrypt each of them into a valid key. Looking at the decryption function, it merely XORs a single byte (taken from a stack address) against each byte of the input. Rather than figuring out how to run this (or waiting for ASLR to give us the right byte), we write a simple program that tries every possible key byte on all of the strings and keeps any result that starts with the expected `MCA` prefix.

#include <stdio.h>
#include <string.h>

/* XOR every byte of the 12-byte input with a single key byte. */
void crypt(const char* input, unsigned char byte, char* output) {
	size_t i;
	for (i = 0; i < 12; i++) {
		output[i] = byte ^ input[i];
	}
	output[12] = '\0'; /* terminate so printf stops after the 12 decrypted bytes */
}

/* Try all 256 key bytes and print any decryption that starts with "MCA". */
void check_data(const char* data) {
	char output[80];
	size_t byte;
	for (byte = 0; byte < 256; byte++) {
		crypt(data, (unsigned char)byte, output);
		if (!strncmp(output, "MCA", 3)) {
			printf("%s\n", output);
		}
	}
}

int main(int argc, char** argv) {
	/* Encrypted key candidates copied from the binary's stack */
	const char* a = "\x3F\x3E\x21\x5C\x25\x23\x28\x30\x36\x30\x38\x3F";
	const char* b = "\x2C\x22\x20\x4C\x57\x51\x52\x57\x56\x27\x27\x25";
	const char* c = "\x34\x21\x38\x5C\x32\x37\x30\x38\x3D\x4B\x56\x59";

	check_data(a);
	check_data(b);
	check_data(c);
	return 0;
}
% gcc bin500.c
% ./a.out
MCA-60367FFD
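Because the key byte is XORed with a known plaintext prefix, it can be derived directly from the first ciphertext bytes instead of brute-forced; the added script below (not part of the original writeup) does that for the three blobs above, rejects blobs whose prefix bytes disagree on the key, and keeps a 256-key brute force with a printable-ASCII filter for the case where no prefix is known.

```python
from typing import List, Optional, Tuple

# The three encrypted strings from the writeup (key byte was taken from the stack).
BLOBS = [
    b"\x3F\x3E\x21\x5C\x25\x23\x28\x30\x36\x30\x38\x3F",
    b"\x2C\x22\x20\x4C\x57\x51\x52\x57\x56\x27\x27\x25",
    b"\x34\x21\x38\x5C\x32\x37\x30\x38\x3D\x4B\x56\x59",
]


def xor_byte(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the same operation the binary's decrypt routine performs."""
    return bytes(b ^ key for b in data)


def is_printable(data: bytes) -> bool:
    return all(0x20 <= b < 0x7F for b in data)


def recover_key(data: bytes, prefix: bytes = b"MCA") -> Optional[int]:
    """Derive the key from a known plaintext prefix: key = c[i] ^ p[i] for every i.

    If the prefix positions do not all agree on one key byte, this blob cannot
    decrypt to the prefix under a single-byte XOR and None is returned.
    """
    candidates = {c ^ p for c, p in zip(data, prefix)}
    return candidates.pop() if len(candidates) == 1 else None


def brute_force(data: bytes) -> List[Tuple[int, bytes]]:
    """Fallback when no prefix is known: every key yielding fully printable output."""
    return [(k, xor_byte(data, k)) for k in range(256) if is_printable(xor_byte(data, k))]


def find_flag(blobs: List[bytes], prefix: bytes = b"MCA") -> Optional[Tuple[int, str]]:
    """Return (key, plaintext) for the first blob that decrypts to a printable string with prefix."""
    for blob in blobs:
        key = recover_key(blob, prefix)
        if key is None:
            continue
        plain = xor_byte(blob, key)
        if is_printable(plain):
            return key, plain.decode("ascii")
    return None


if __name__ == "__main__":
    print(find_flag(BLOBS))  # (0x61, 'MCA-60367FFD')
```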