If anyone is up for a challenge
73 replies to this topic

#1 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 18 August 2013 - 08:44 AM

I have a nice one. :smiling9:

 

Maybe :unsure:, cannot say if it can be of interest to any member of the Team Reboot (or to any other member of the reboot.pro board).

 

Holmes.Sherlock is officially excluded :w00t: :ph34r: from taking part in this challenge (since he already knows the topic and has in his hands a possible solution ;)).

 

The challenge is the following:

  1. get here http://blog.didierst...ith-utilmanexe/ the C++ source code of a very simple program
  2. compile it/rewrite it in any way/programming language you see fit in order to make it into the smallest possible .exe that will be able to do the same thing, i.e. execute a call to CreateProcess/CreateProcessA and open a cmd prompt on the WinSta0\Winlogon desktop (or find *any* other way, with or without calling an external function, to obtain the same result).
  3. the program should run on *any* Windows XP regardless of SP level the program should run on XP SP 2 ONLY and, if needed, be easily adaptable to other SP versions by changing the Ordinal with which function(s) are called.
  4. if by design, luck, or whatever other reason, the executable runs on more operating systems and SP levels without changes it will be a plus, but still the scope is to make the smallest PE.
  5. it is strictly forbidden, and will cause the non-acceptability of the solution, to call functions by Name, as it is now compulsory to call them by Ordinal (joakim made me do it ;)). Hey, pssst, come closer: if you manage to make the PE smaller calling the function by name I will change the Rules again to make the solution valid. :whistling:
  6. in order to further clear the scope of the challenge and to simplify, the proposed solution will be tested on XP SP2 and on XP SP2 ONLY, and if it works, points will be assigned along the formula P=512-L where P represents Points and L the length in bytes of the proposed solution.

The scope of the challenge is to make the SMALLEST sized 32-bit PE executable capable of obtaining the desired result.

 

Hint: We are talking here of bytes, NOT Kbytes.

 

No strict time limits, but a "reasonable" timeframe would be 1 month from now, i.e. submissions (if any :dubbio:) won't be accepted past September 19, 2013. 

 

Have fun, both if you take the challenge or if you don't :).

 

:cheers:

Wonko

 

Note:

Rules amended to clarify matters by re-phrasing point 3 and adding points 4, 5 and 6 on 19th August 2013.


  • Brito likes this

#2 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 18 August 2013 - 09:34 AM

Let me emphasize

 

Hint: We are talking here of bytes, NOT Kbytes.

 

No strict time limits, but a "reasonable" timeframe would be 1 month from now, i.e. submissions (if any :dubbio:) won't be accepted past September 19, 2013. 



#3 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 18 August 2013 - 10:02 AM

Is it correct to assume 32-bit executable?



#4 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 18 August 2013 - 10:03 AM

Is it correct to assume 32-bit executable?

 

Yes, it is.



#5 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 18 August 2013 - 10:51 AM

@Wonko

 

I think we shouldn't allow UPX or similar, isn't it?



#6 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 18 August 2013 - 11:14 AM

@joakim

Yes, my bad :blush:, 32-bit PE executable on XP (no matter the Service Pack level); the more later NT-based operating systems it works on, Vista :ph34r:, 7, etc., the better, and if it works on earlier NT systems (2K, NT4) there may be additional "points" awarded.

 

 

@Wonko

 

I think we shouldn't allow UPX or similar, isn't it?

Why not?

AFAICT in this scenario compression would make the executable bigger.  :unsure:

 

If someone can come up with a self-extracting exe smaller than the smallest "plain" one, that's fine with me. :)

 

:cheers:

Wonko



#7 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 18 August 2013 - 11:16 AM

Why not?

AFAICT in this scenario compression would make the executable bigger.  :unsure:

 

If someone can come up with a self-extracting exe smaller than the smallest "plain" one, that's fine with me. :)

 

Yeah, the stub itself will be larger than the size of the executable.

 

 

I added 32-bit in the original post to avoid further confusion. Hope you won't mind.



#8 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 18 August 2013 - 11:32 AM

Yeah, the stub itself will be larger than the size of the executable.

But maybe someone can invent an "ad-hoc" self-decompressing STUB - even "limited" - that can do that, I would put no limits to fantasy and possible approaches.
 

The motto should be (IMHO):

  • Adapt
  • Improvise
  • Overcome

;)

 
 

I added 32-bit in the original post to avoid further confusion. Hope you won't mind.

Naah, you did the right thing, though of course now it seems like joakim hasn't read the first post properly :w00t: :ph34r:.

 

:cheers:

Wonko



#9 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 18 August 2013 - 11:35 AM

But maybe someone can invent an "ad-hoc" self-decompressing STUB - even "limited" - that can do that, I would put no limits to fantasy and possible approaches.

 

Jules Verne....and WTS  :loleverybody:



#10 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 18 August 2013 - 11:40 AM

Jules Verne....and WTS  :loleverybody:

Sure :), JFYI:

Anything one man can imagine, other men can make real.


The chance which now seems lost may present itself at the last moment.


[we see that] science is eminently perfectible, and that each theory has constantly to give way to a fresh one.


:cheers:
Wonko

#11 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 18 August 2013 - 11:43 AM

Or even this...

 

http://www.whydontyo...ts-in-2012.html



#12 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 18 August 2013 - 08:01 PM

My current contribution is 440 bytes: http://www.mediafire...ujk32vmymd5ikbk

 

Works on 32-bit nt5.x, also on nt6.x I'd assume but with some restrictions.

 

Drawback is that it is heavily version dependent as the import is fixed by ordinal value. However, a small adjustment will make it work on any version, by changing the ordinal value for the imported function (CreateProcessA in kernel32.dll). Specifically you will need to look up the correct ordinal in a PE editor and then correct the values at offset 0x198 and 0x1a0. The attached version is tested on English XP SP2 32-bit.

 

It can probably be reduced way more, by optimizing it. Also, making it version independent can be done by fixing the imports table to not use ordinal, but instead the name. Maybe some other time..



#13 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 18 August 2013 - 09:20 PM

And another one at 407 bytes: http://www.mediafire...9c5p80bbyuk9d2q

 

Still with the drawbacks as mentioned in previous post.



#14 saddlejib

saddlejib

    Frequent Member

  • Advanced user
  • 270 posts
  •  
    United Kingdom

Posted 18 August 2013 - 09:45 PM

And another one at 407 bytes: http://www.mediafire...9c5p80bbyuk9d2q

 

Still with the drawbacks as mentioned in previous post.

Sleeping Dogs spring to mind and Gauntlets.

 

Gauntlets wiki,

To "throw down the gauntlet" is to issue a challenge. A gauntlet-wearing knight would challenge a fellow knight or enemy to a duel by throwing one of his gauntlets on the ground. The opponent would pick up the gauntlet to accept the challenge. The phrase is associated particularly with the action of the King's Champion, which officer's role was from mediæval times to act as champion for the King at his coronation, in the unlikely event that someone challenged the new King's title to the throne.

 

Let sleeping dogs lie. Prov. Do not instigate trouble; leave something alone if it might cause trouble.

Ref: Joakim.



#15 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 18 August 2013 - 10:35 PM

So I fixed the imports table which now uses name instead of ordinal; http://www.mediafire...ii579bne5knckcv

 

It is 422 bytes. The addition of bytes is equivalent to function name length + null terminator. It may be possible to move it inside the header to save these bytes, but not sure.

 

This also means that, in theory, it should be OS version independent for 32-bit nt5.x. But I have only tested it on 32-bit English XP SP2. May work on 32-bit nt6.x, but it has not been tested there. Session separation is a challenge that will require more bytes to handle for nt6.x though.


  • saddlejib likes this
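An added analysis helper, not joakim's or any other poster's code, that makes the ordinal-versus-name distinction from posts #12 and #15 concrete: it walks a 32-bit import lookup table, flags ordinal-only imports as tied to one exact DLL build, and computes what a hint/name entry occupies (the structure carries a 2-byte hint before the ASCIIZ name). The image buffer, RVAs and the ordinal value are constructed placeholders, and the flat layout assumes RVA == file offset.

```python
import struct

# Thunks with the high bit set import by ordinal; otherwise the thunk is the
# RVA of an IMAGE_IMPORT_BY_NAME entry (2-byte hint followed by an ASCIIZ name).
IMAGE_ORDINAL_FLAG32 = 0x80000000

def build_sample_image() -> bytes:
    """Constructed 0x300-byte flat image (assumption: RVA == file offset, as in a
    TinyPE-style file whose section and file alignment coincide)."""
    img = bytearray(0x300)
    # Import lookup table at RVA 0x200: one by-ordinal thunk (placeholder ordinal
    # 0x5E, NOT the real CreateProcessA ordinal), one by-name thunk, terminator.
    img[0x200:0x20C] = struct.pack("<3I", IMAGE_ORDINAL_FLAG32 | 0x5E, 0x210, 0)
    # IMAGE_IMPORT_BY_NAME at RVA 0x210: hint 0 + "CreateProcessA\0".
    name_entry = struct.pack("<H", 0) + b"CreateProcessA\0"
    img[0x210:0x210 + len(name_entry)] = name_entry
    return bytes(img)

def parse_import_thunks(image: bytes, thunk_rva: int) -> list:
    """Walk a zero-terminated IMAGE_THUNK_DATA32 array and return
    ('ordinal', n) or ('name', hint, name) tuples in table order."""
    entries, off = [], thunk_rva
    while True:
        (thunk,) = struct.unpack_from("<I", image, off)
        if thunk == 0:
            break
        if thunk & IMAGE_ORDINAL_FLAG32:
            entries.append(("ordinal", thunk & 0xFFFF))
        else:
            (hint,) = struct.unpack_from("<H", image, thunk)
            end = image.index(b"\0", thunk + 2)
            entries.append(("name", hint, image[thunk + 2:end].decode("ascii")))
        off += 4
    return entries

def is_version_fragile(entries: list) -> bool:
    """True if any import is bound by ordinal only: it then depends on the
    export order of one exact DLL build (the drawback described in post #12)."""
    return any(e[0] == "ordinal" for e in entries)

def name_entry_cost(name: str) -> int:
    """Bytes an IMAGE_IMPORT_BY_NAME entry occupies: 2-byte hint + name + NUL."""
    return 2 + len(name) + 1

if __name__ == "__main__":
    found = parse_import_thunks(build_sample_image(), 0x200)
    for e in found:
        print(e)
    print("version-fragile:", is_version_fragile(found))
    print("by-name cost for CreateProcessA:", name_entry_cost("CreateProcessA"), "bytes")
```

Run against a real file, the same walk needs the RVA-to-offset translation via the section table that the flat sample skips.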

#16 florin91

florin91

    Frequent Member

  • Team Reboot
  • 197 posts
  •  
    European Union

Posted 19 August 2013 - 08:22 AM

Should it be run on WinSta0\Winlogon desktop without the utilman.exe trick?



#17 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 19 August 2013 - 09:00 AM

Should it be run on WinSta0\Winlogon desktop without the utilman.exe trick?

 

It has to be a standalone executable, no way connected to utilman/osk/narrator.



#18 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 19 August 2013 - 09:13 AM

Should it be run on WinSta0\Winlogon desktop without the utilman.exe trick?

I don't understand fully the question.

 

It must be *something* that can be executed in the "normal" desktop (Winsta0\Default) and that, when executed, will open a CMD prompt on Winsta0\Winlogon, just like the "original" source; though, as said, the given source is just a reference, the same app should however be capable of being renamed to utilman.exe (or osk.exe or magnify.exe) and invoked - like the reference - through WinKey-U.

 

The use - if needed - of something "external" like powerprompt:

http://www.grubletra...app=PowerPrompt

to elevate privileges on the Winsta0\Default is of course allowed.

 

@Joakim

Very good work (and very fast) to get to 407 bytes. :thumbsup:

But there are still ample margins for size reduction.

 

A further hint (if needed):

http://www.phreedom....esearch/tinype/

 

At least this is what I used (and abused) to get to my solution, IMHO one of the most useful pages/articles I have read in a lot of time, very detailed, still easy enough to follow for a non-expert. Kudos to the Author Alexander Sotirov :worship:

 

 

:cheers:

Wonko


  • omniplex likes this

#19 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 19 August 2013 - 12:28 PM

 

A further hint (if needed):

http://www.phreedom....esearch/tinype/

 

At least this is what I used (and abused) to get to my solution, IMHO one of the most useful pages/articles I have read in a lot of time, very detailed, still easy enough to follow for a non-expert. Kudos to the Author Alexander Sotirov :worship:

 

 

:cheers:

Wonko

So, do you care to provide a hint at what your solution is in terms of bytes for a simple cmd? Or even better, a link to the executable itself.



#20 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 19 August 2013 - 12:46 PM

Just mentioning that my solution works on 32-bit nt6.x as well (Windows 7 SP1 to be exact). However, running as a wow64 process on 64-bit (Windows 7), seems not possible in its current form.

 

The task clearly needs to be separated by target architecture. An x64 executable will require more bytes than an x86 executable anyway.

 

My earlier comment about session separation as a challenge is false, as it (in terms of a utilman equivalent trick) is not necessary to start processes into different sessions. It is from Winlogon into Winlogon, and thus it just works without much fuss I guess..

 

Changing to another api can also aid in reducing the size further, as CreateProcess takes way too much code.

 

Would still be fun to see other solutions to compare with.



#21 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 19 August 2013 - 01:33 PM

356 bytes: http://www.mediafire...cdb3p3d7m86xdaq

 

Edit: Which seems to work on any 32-bit Windows version.



#22 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 19 August 2013 - 01:48 PM

So, do you care to provide a hint at what your solution is in terms of bytes for a simple cmd? Or even better, a link to the executable itself.

Well, providing the executable (due to its extreme simplicity) would be equivalent to providing the source code (and thus the solution), as disassembling a handful of bytes should be trivial.

I don't want to somehow influence anyone, the general idea of the challenge is to allow the most ample possible degree of freedom and fantasy.

 

The "solution" I have has been tested by me only on Windows XP SP2, and - I believe - by Holmes.Sherlock on his XP SP3 system, I have no way to test on other OS (and it is actually not the scope of the challenge, as well as 64 bit support, which may however be the object of a "next" one) though I reckon it to be able to work on *any* 32 bit NT based system.

 

 

However I can provide you with a few numbers (or steps) I went through AFAICR:

  • around 45 Kb <- one C++ compiler
  • around 5 Kb <- another C++ compiler
  • within 1.5 Kb <- another C compiler
  • within 1 Kb <- started using NASM instead
  • within 512 bytes
  • within 400 bytes <- this is where you are now :thumbsup:,  and you got there VERY fast :worship:
  • 288 bytes <- I have been stuck on this for some time  :frusty:
  • 228 bytes <- current minimal size :smiling9:

 

:cheers:

Wonko



#23 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 19 August 2013 - 02:04 PM

Instead I could ask:

  1. Does it use an import directory?
  2. If so, does it use ordinal or name?
  3. If not, how does it detect the memory location of whatever function it is using?
  4. What function(s) does it use?


#24 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 19 August 2013 - 02:12 PM

 

Instead I could ask:

  1. Does it use an import directory?
  2. If so, does it use ordinal or name?
  3. If not, how does it detect the memory location of whatever function it is using?
  4. What function(s) does it use?

 

Sure, you could :).

 

Some answers can be given alright:

1. Yes, it uses an import directory

2. Ordinal

3. N/A

4. This cannot be replied without "influencing" IMHO

 

:cheers:

Wonko



#25 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 19 August 2013 - 03:33 PM

Sure, you could :).

 

Some answers can be given alright:

1. Yes, it uses an import directory

2. Ordinal

3. N/A

4. This cannot be replied without "influencing" IMHO

 

:cheers:

Wonko

Based on the provided answer to 2, it is evident that the solution is OS version dependent. It may work on different versions, but it must be considered luck if it does. Have you tried modifying the imports directory to change over to names?