# Thread: Finding Secret Key in the Assembly code

1. ## Finding Secret Key in the Assembly code

So we have the following assembly code and we need to find the secret key in it. This is the method I used to extract the secret key.

Code:
`>>> a="\x31\xC0\x50\x68\x23\x25\x24\x76\x68\x76\x79\x20\x25\x68\x23\x78\x25\x72\x68\x25\x74\x20\x20\x68\x72\x73\x25\x27\x68\x75\x78\x77\x79\x68\x22\x72\x75\x77\x68\x71\x25\x75\x71\x68\x24\x27\x23\x20\x68\x25\x24\x78\x23\x68\x77\x76\x71\x76\x68\x23\x24\x77\x75\x68\x74\x24\x78\x24\x68\x71\x73\x70\x27\x68\x77\x74\x74\x23\x68\x79\x77\x70\x22\x68\x75\x20\x23\x24\x68\x79\x20\x78\x79\x68\x20\x79\x75\x20\x68\x76\x75\x23\x78\x68\x70\x74\x23\x79\x68\x22\x71\x79\x77\x68\x22\x76\x25\x72\x68\x77\x74\x22\x74\x68\x75\x73\x78\x22\x68\x22\x72\x20\x77\x68\x27\x27\x20\x79\x68\x79\x22\x72\x76\x68\x24\x79\x24\x78\x68\x25\x73\x27\x27\x68\x24\x25\x73\x24\x68\x20\x77\x74\x71\x54\x5E\x8B\xFE\x8B\xD7\xFC\xB9\x80\x00\x00\x00\xBB\x41\x00\x00\x00\x31\xC0\x50\xAC\x33\xC3\xAA\xE2\xFA\x54\x5E\xCC"`
Code:
`>>> open("asdf.bin", "wb").write(a)`
Code:
```
>>> __import__("os").system("ndisasm -b32 asdf.bin")
00000000  31C0              xor eax,eax
00000002  50                push eax
00000003  6823252476        push dword 0x76242523
00000008  6876792025        push dword 0x25207976
0000000D  6823782572        push dword 0x72257823
00000012  6825742020        push dword 0x20207425
00000017  6872732527        push dword 0x27257372
0000001C  6875787779        push dword 0x79777875
00000021  6822727577        push dword 0x77757222
00000026  6871257571        push dword 0x71752571
0000002B  6824272320        push dword 0x20232724
00000030  6825247823        push dword 0x23782425
00000035  6877767176        push dword 0x76717677
0000003A  6823247775        push dword 0x75772423
0000003F  6874247824        push dword 0x24782474
00000044  6871737027        push dword 0x27707371
00000049  6877747423        push dword 0x23747477
0000004E  6879777022        push dword 0x22707779
00000053  6875202324        push dword 0x24232075
00000058  6879207879        push dword 0x79782079
0000005D  6820797520        push dword 0x20757920
00000062  6876752378        push dword 0x78237576
00000067  6870742379        push dword 0x79237470
0000006C  6822717977        push dword 0x77797122
00000071  6822762572        push dword 0x72257622
00000076  6877742274        push dword 0x74227477
0000007B  6875737822        push dword 0x22787375
00000080  6822722077        push dword 0x77207222
00000085  6827272079        push dword 0x79202727
0000008A  6879227276        push dword 0x76722279
0000008F  6824792478        push dword 0x78247924
00000094  6825732727        push dword 0x27277325
00000099  6824257324        push dword 0x24732524
0000009E  6820777471        push dword 0x71747720
000000A3  54                push esp
000000A4  5E                pop esi
000000A5  8BFE              mov edi,esi
000000A7  8BD7              mov edx,edi
000000A9  FC                cld
000000AA  B980000000        mov ecx,0x80
000000AF  BB41000000        mov ebx,0x41
000000B4  31C0              xor eax,eax
000000B6  50                push eax
000000B7  AC                lodsb
000000B8  33C3              xor eax,ebx
000000BA  AA                stosb
000000BB  E2FA              loop 0xb7
000000BD  54                push esp
000000BE  5E                pop esi
000000BF  CC                int3
```
Code:
```
>>> ab=bytearray(a)
>>> enc = []
>>> for i in range(3,0xa3):
...   if (i - 3) % 5 == 0:
...     continue
...   enc.append(ab[i])
...
>>> enc
[35, 37, 36, 118, 118, 121, 32, 37, 35, 120, 37, 114, 37, 116, 32, 32, 114, 115, 37, 39, 117, 120, 119, 121, 34, 114, 117, 119, 113, 37, 117, 113, 36, 39, 35, 32, 37, 36, 120, 35, 119, 118, 113, 118, 35, 36, 119, 117, 116, 36, 120, 36, 113, 115, 112, 39, 119, 116, 116, 35, 121, 119, 112, 34, 117, 32, 35, 36, 121, 32, 120, 121, 32, 121, 117, 32, 118, 117, 35, 120, 112, 116, 35, 121, 34, 113, 121, 119, 34, 118, 37, 114, 119, 116, 34, 116, 117, 115, 120, 34, 34, 114, 32, 119, 39, 39, 32, 121, 121, 34, 114, 118, 36, 121, 36, 120, 37, 115, 39, 39, 36, 37, 115, 36, 32, 119, 116, 113]
>>> dec = ''.join([chr(x^0x41) for x in enc])
```
Code:
```
>>> dec
```
The order was wrong, since push moves esp backwards; need to fix:
Code:
```
>>> ''.join([dec[i*4:(i+1)*4] for i in range(len(dec)/4)][::-1])
```

Cheers
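
Added example, not part of the original post: a Python 3 version (the session above is Python 2) that recovers the string directly from the stub bytes by walking its instructions, reading the XOR key from `mov ebx` and the byte count from `mov ecx` instead of hard-coding offsets, and laying the pushed dwords out in stack order. The names `BLOB`, `LENGTHS` and `recover_string` are made up for this example, and the length table covers only the opcodes that appear in this listing.

```python
import struct

# Stub bytes transcribed from the hex column of the ndisasm listing in the post.
# BLOB, LENGTHS and recover_string are illustrative names, not from the post.
BLOB = bytes.fromhex(
    "31C0 50"
    " 6823252476 6876792025 6823782572 6825742020"
    " 6872732527 6875787779 6822727577 6871257571"
    " 6824272320 6825247823 6877767176 6823247775"
    " 6874247824 6871737027 6877747423 6879777022"
    " 6875202324 6879207879 6820797520 6876752378"
    " 6870742379 6822717977 6822762572 6877742274"
    " 6875737822 6822722077 6827272079 6879227276"
    " 6824792478 6825732727 6824257324 6820777471"
    " 54 5E 8BFE 8BD7 FC B980000000 BB41000000"
    " 31C0 50 AC 33C3 AA E2FA 54 5E CC"
)

# Instruction lengths for the only opcodes this stub uses (not a general x86 decoder).
LENGTHS = {0x31: 2, 0x33: 2, 0x8B: 2, 0xE2: 2, 0x68: 5, 0xB9: 5, 0xBB: 5,
           0x50: 1, 0x54: 1, 0x5E: 1, 0xFC: 1, 0xAC: 1, 0xAA: 1, 0xCC: 1}

def recover_string(code: bytes) -> str:
    """Rebuild the stack buffer the stub creates and apply its XOR loop."""
    pushes, key, count, i = [], None, None, 0
    while i < len(code):
        op = code[i]
        if op not in LENGTHS:
            raise ValueError(f"unhandled opcode {op:#04x} at offset {i:#x}")
        if op == 0x68:    # push imm32: the 4 immediate bytes land on the stack as encoded
            pushes.append(code[i + 1:i + 5])
        elif op == 0xB9:  # mov ecx, imm32: number of bytes the loop decodes
            count = struct.unpack_from("<I", code, i + 1)[0]
        elif op == 0xBB:  # mov ebx, imm32: XOR key (only the low byte reaches AL)
            key = struct.unpack_from("<I", code, i + 1)[0] & 0xFF
        i += LENGTHS[op]
    if key is None or count is None:
        raise ValueError("XOR key or loop count not found")
    # The stack grows down, so the last dword pushed sits at the lowest address.
    memory = b"".join(reversed(pushes))
    if count > len(memory):
        raise ValueError("loop count exceeds the pushed data")
    return bytes(b ^ key for b in memory[:count]).decode("ascii")

if __name__ == "__main__":
    print(recover_string(BLOB))
```
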
