# Finding Secret Key in the Assembly code

• 03-28-2017, 10:43 AM
[s]
Finding Secret Key in the Assembly code
We are given the following assembly code and need to recover the secret key from it. This is the method I used to extract the key.

Code:

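# Raw 32-bit x86 machine code of the challenge stub, kept as a bytes literal.
# On Python 2 b"..." is the same type as "..."; on Python 3 it stops
# bytearray(a) and a binary-mode write() from raising TypeError on a text str.
a = b"\x31\xC0\x50\x68\x23\x25\x24\x76\x68\x76\x79\x20\x25\x68\x23\x78\x25\x72\x68\x25\x74\x20\x20\x68\x72\x73\x25\x27\x68\x75\x78\x77\x79\x68\x22\x72\x75\x77\x68\x71\x25\x75\x71\x68\x24\x27\x23\x20\x68\x25\x24\x78\x23\x68\x77\x76\x71\x76\x68\x23\x24\x77\x75\x68\x74\x24\x78\x24\x68\x71\x73\x70\x27\x68\x77\x74\x74\x23\x68\x79\x77\x70\x22\x68\x75\x20\x23\x24\x68\x79\x20\x78\x79\x68\x20\x79\x75\x20\x68\x76\x75\x23\x78\x68\x70\x74\x23\x79\x68\x22\x71\x79\x77\x68\x22\x76\x25\x72\x68\x77\x74\x22\x74\x68\x75\x73\x78\x22\x68\x22\x72\x20\x77\x68\x27\x27\x20\x79\x68\x79\x22\x72\x76\x68\x24\x79\x24\x78\x68\x25\x73\x27\x27\x68\x24\x25\x73\x24\x68\x20\x77\x74\x71\x54\x5E\x8B\xFE\x8B\xD7\xFC\xB9\x80\x00\x00\x00\xBB\x41\x00\x00\x00\x31\xC0\x50\xAC\x33\xC3\xAA\xE2\xFA\x54\x5E\xCC"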
Code:

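# Dump the raw bytes to disk so an external disassembler can read them.
# The with-block closes (and therefore flushes) the file before that tool
# runs, instead of relying on the interpreter to reclaim the handle.
with open("asdf.bin", "wb") as fh:
    fh.write(a)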
Code:

```
>>> __import__("os").system("ndisasm -b32 asdf.bin")
00000000  31C0              xor eax,eax
00000002  50                push eax
00000003  6823252476        push dword 0x76242523
00000008  6876792025        push dword 0x25207976
0000000D  6823782572        push dword 0x72257823
00000012  6825742020        push dword 0x20207425
00000017  6872732527        push dword 0x27257372
0000001C  6875787779        push dword 0x79777875
00000021  6822727577        push dword 0x77757222
00000026  6871257571        push dword 0x71752571
0000002B  6824272320        push dword 0x20232724
00000030  6825247823        push dword 0x23782425
00000035  6877767176        push dword 0x76717677
0000003A  6823247775        push dword 0x75772423
0000003F  6874247824        push dword 0x24782474
00000044  6871737027        push dword 0x27707371
00000049  6877747423        push dword 0x23747477
0000004E  6879777022        push dword 0x22707779
00000053  6875202324        push dword 0x24232075
00000058  6879207879        push dword 0x79782079
0000005D  6820797520        push dword 0x20757920
00000062  6876752378        push dword 0x78237576
00000067  6870742379        push dword 0x79237470
0000006C  6822717977        push dword 0x77797122
00000071  6822762572        push dword 0x72257622
00000076  6877742274        push dword 0x74227477
0000007B  6875737822        push dword 0x22787375
00000080  6822722077        push dword 0x77207222
00000085  6827272079        push dword 0x79202727
0000008A  6879227276        push dword 0x76722279
0000008F  6824792478        push dword 0x78247924
00000094  6825732727        push dword 0x27277325
00000099  6824257324        push dword 0x24732524
0000009E  6820777471        push dword 0x71747720
000000A3  54                push esp
000000A4  5E                pop esi
000000A5  8BFE              mov edi,esi
000000A7  8BD7              mov edx,edi
000000A9  FC                cld
000000AA  B980000000        mov ecx,0x80
000000AF  BB41000000        mov ebx,0x41
000000B4  31C0              xor eax,eax
000000B6  50                push eax
000000B7  AC                lodsb
000000B8  33C3              xor eax,ebx
000000BA  AA                stosb
000000BB  E2FA              loop 0xb7
000000BD  54                push esp
000000BE  5E                pop esi
000000BF  CC                int3
```
Code:

# Work on integer byte values rather than characters.
ab = bytearray(a)

# Offsets 0x03..0xA2 of the disassembly are 32 `push dword imm32` instructions,
# each encoded as opcode 0x68 followed by 4 immediate bytes. Dropping every
# byte where (offset - 3) % 5 == 0 removes the opcodes and leaves the
# 32 * 4 = 0x80 encoded data bytes, matching `mov ecx,0x80` in the decoder.
enc = [ab[off] for off in range(3, 0xa3) if (off - 3) % 5 != 0]
# enc -> [35, 37, 36, 118, 118, 121, 32, 37, 35, 120, 37, 114, 37, 116, 32, 32, 114, 115, 37, 39, 117, 120, 119, 121, 34, 114, 117, 119, 113, 37, 117, 113, 36, 39, 35, 32, 37, 36, 120, 35, 119, 118, 113, 118, 35, 36, 119, 117, 116, 36, 120, 36, 113, 115, 112, 39, 119, 116, 116, 35, 121, 119, 112, 34, 117, 32, 35, 36, 121, 32, 120, 121, 32, 121, 117, 32, 118, 117, 35, 120, 112, 116, 35, 121, 34, 113, 121, 119, 34, 118, 37, 114, 119, 116, 34, 116, 117, 115, 120, 34, 34, 114, 32, 119, 39, 39, 32, 121, 121, 34, 114, 118, 36, 121, 36, 120, 37, 115, 39, 39, 36, 37, 115, 36, 32, 119, 116, 113]

# The decoder loop (lodsb / xor eax,ebx / stosb) XORs each byte with the
# constant loaded by `mov ebx,0x41`; apply the same XOR to recover the text.
dec = ''.join(chr(val ^ 0x41) for val in enc)
Code:

```>>> dec 'bde778adb9d3d5aa32df4968c3460d40efbade9b6707be645e9e021f655b861c4abe8a98a84a74b915b8c086c7d365c5429cc3a6ffa88c37e8e9d2ffed2ea650'```
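The order is wrong: each push decrements esp, so the last dword pushed ends up at the lowest address, and the decoder loop (lodsb/xor/stosb, starting at esp and moving upward) reads the dwords in the reverse of the order in which they appear in the code. The four bytes inside each dword are already in memory order, so only the 4-character groups need to be reversed: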
Code:

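# Split dec into 4-character groups (one per pushed dword) and reverse the
# group order so the text reads as it lies in memory from esp upward.
# `//` keeps the group count an integer on Python 3 as well as Python 2;
# with `/` Python 3 passes a float to range() and raises TypeError.
''.join([dec[i*4:(i+1)*4] for i in range(len(dec) // 4)][::-1])
# -> 'a650ed2ed2ffe8e98c37ffa8c3a6429c65c5c7d3c08615b874b9a84a8a984abe861c655b021f5e9ebe646707de9befba0d40c346496832dfd5aab9d378adbde7'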
Cheers