int main()

in reversing/matryoshka/src/gen_downloader.c [132:233]


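    /*
     * Entry point of the downloader stage.
     *
     * Fetches a response over the network, locates a PNG header in it, then
     * copies two SHELLCODE_SIZE regions out of the response into executable
     * anonymous mappings and calls them in turn. The first call returns the
     * offset of the second region; the second call returns the 64-bit value
     * the user-supplied key is checked against. Finally it prompts on stdout,
     * reads the key from stdin and prints the flag when every check matches.
     *
     * Review notes:
     *  - Bytes received from the network are executed from a mapping that is
     *    writable and executable at the same time. That is the behaviour this
     *    challenge binary is built around, and it is also the pattern a
     *    W^X policy or an EDR rule on RWX anonymous mappings will flag.
     *    NOTE(review): the mapping is left RWX because the stages may write
     *    to their own pages; if they do not, map RW and mprotect() to RX.
     *  - Both offsets come from untrusted data, so they are bounds-checked
     *    against the response mapping before any copy.
     *
     * Exits with EXIT_FAILURE when the response is unusable, otherwise with
     * EXIT_SUCCESS whether or not the key was correct.
     */
    int main(int argc, char** argv)
    {
        int psocket;
        void * response_data = NULL;
        void * shellcode1 = NULL;
        void * shellcode2 = NULL;
        int ret = 0;
        uint64_t flag_integer, png_offset, png_offset2;
        /* The accumulators are shifted before they are fully assigned, so
           they must start from a defined value. */
        uint64_t A = 0, B = 0, C = 0;
        uint32_t D = 0;
        uint64_t VERIFY, VERIFYA, VERIFYB, VERIFYC, VERIFYD;
        unsigned char flag_text[] = FLAG_TEXT;
        unsigned char final_flag[FINAL_FLAG_LEN+1] = FLAG;
        /* Zero-filled so a short read leaves defined bytes behind.
           NOTE(review): the read below asks for 30 bytes; confirm that
           FLAG_SIZE + 2 is at least 30. */
        unsigned char key[FLAG_SIZE+2] = {0};
        /* The response mapping is released below with MAX_MMAP_SIZE, so that
           is taken as its size here - TODO confirm against receive_response. */
        const uint64_t resp_len = (uint64_t)MAX_MMAP_SIZE;
        const uint64_t sc_len = (uint64_t)SHELLCODE_SIZE;
        uint64_t remaining;

        (void)argc;
        (void)argv;

        send_request(&psocket);
        receive_response(&psocket, &response_data);
        close(psocket);
        if (response_data == NULL)
          exit(EXIT_FAILURE);

        png_offset = check_png_header(response_data);
        if (png_offset == 0)
          exit(EXIT_FAILURE);
        /* Reject an offset whose SHELLCODE_SIZE window leaves the response. */
        if (png_offset > resp_len || resp_len - png_offset < sc_len)
          exit(EXIT_FAILURE);
        remaining = resp_len - png_offset;

        /* first stage (labelled "rot13 shellcode" by the original author) */
        shellcode1 = mmap(
          NULL,
          SHELLCODE_SIZE,
          PROT_READ|PROT_WRITE|PROT_EXEC,
          MAP_ANON|MAP_PRIVATE,
          -1,0);
        if (shellcode1 == MAP_FAILED)
          exit(EXIT_FAILURE);
        memcpy(shellcode1, (unsigned char *)response_data + png_offset,
               SHELLCODE_SIZE);
        uint64_t(*sc1)(uint64_t) = (uint64_t(*)(uint64_t))shellcode1;
        png_offset2 = sc1(0);
        munmap(shellcode1, SHELLCODE_SIZE);

        /* The second offset is produced by downloaded code: validate it the
           same way before trusting it. */
        if (png_offset2 > remaining || remaining - png_offset2 < sc_len)
          exit(EXIT_FAILURE);

        /* second stage (labelled "cipher shellcode" by the original author) */
        shellcode2 = mmap(
          NULL,
          SHELLCODE_SIZE,
          PROT_READ|PROT_WRITE|PROT_EXEC,
          MAP_ANON|MAP_PRIVATE,
          -1,0);
        if (shellcode2 == MAP_FAILED)
          exit(EXIT_FAILURE);
        memcpy(
          shellcode2,
          (unsigned char *)response_data + png_offset + png_offset2,
          SHELLCODE_SIZE);
        uint64_t(*sc2)(uint64_t) = (uint64_t(*)(uint64_t))shellcode2;
        flag_integer = sc2(0);
        munmap(shellcode2, SHELLCODE_SIZE);
        munmap(response_data, MAX_MMAP_SIZE);
        VERIFY = bswap_64(flag_integer);

        /* Raw macOS x86-64 write(1, flag_text, 24). The statement is volatile
           so it is not dropped when ret goes unused, the result is taken from
           rax, and every register the sequence or the syscall instruction
           overwrites is declared so the compiler cannot place the operand
           there. */
        __asm__ volatile(
          "movq $0x2000004, %%rax \n\t"
          "movq $1, %%rdi \n\t"
          "movq %1, %%rsi \n\t"
          "movl $24, %%edx \n\t"
          "syscall \n\t"
          : "=&a"(ret)
          : "r"(flag_text)
          : "rdi", "rsi", "rdx", "rcx", "r11", "cc", "memory");

        /* Raw macOS x86-64 read(0, key, 30); the "memory" clobber tells the
           compiler that key has been written. */
        __asm__ volatile(
          "movq $0x2000003, %%rax \n\t"
          "movq $0, %%rdi \n\t"
          "movq %1, %%rsi \n\t"
          "movl $30, %%edx \n\t"
          "syscall \n\t"
          : "=&a"(ret)
          : "r"(key)
          : "rdi", "rsi", "rdx", "rcx", "r11", "cc", "memory");
        (void)ret;

        /* Pack the key into three 64-bit words and one 32-bit word, lowest
           index in the least significant byte. */
        for (int i= 7; i >= 0; i--)
          A = (A << 8) | (uint64_t)key[i];
        for (int i= 15; i >= 8; i--)
          B = (B << 8) | (uint64_t)key[i];
        for (int i= 23; i >= 16; i--)
          C = (C << 8) | (uint64_t)key[i];
        for (int i= 27; i >= 24; i--)
          D = (D << 8) | (uint32_t)key[i];

        VERIFYA = A ^ B;
        VERIFYB = B ^ C;
        VERIFYC = C ^ D;
        VERIFYD = D ^ SEED;

        if (VERIFY_INTA == VERIFYA &&
            VERIFY_INTB == VERIFYB &&
            VERIFY_INTC == VERIFYC &&
            VERIFYD == VERIFY)
        {
          /* NOTE(review): copies FINAL_FLAG_LEN - 4 key bytes; confirm that
             this never exceeds the size of key. */
          for (int i= 3, j= 0; i < FINAL_FLAG_LEN-1; i++, j++)
          {
            final_flag[i] = key[j];
          }
          /* This store replaces the last byte of the array, so the buffer is
             no longer guaranteed to be NUL-terminated: print it with an
             explicit length instead of relying on a terminator. */
          final_flag[FINAL_FLAG_LEN] = '\n';
          printf("\n%.*s\n", (int)(FINAL_FLAG_LEN + 1), final_flag);
          printf("\nCongratulations!!\n");
          printf("Created by @malwareunicorn\n");
        }
        else
        {
          printf("\nDOH!! try harder :( \n");
        }

        exit(EXIT_SUCCESS);
    }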