{ ASIS CTF 2017 } - Crypto - Unbreakable - 200

-

ASIS CTF 2017 Quals Writeup: Unbreakable

Unbreakable
193
We think this challenge is unbreakable, even for you? Try it now!
For this challenge we are given an executable and an encoded flag. When we run an executable it gives an error:
$ ./unbreakable
error, input not found
Let’s run it with strace:
$ strace ./unbreakable
...
open("key", O_RDONLY)                   = -1 ENOENT (No such file or directory)
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
write(1, "error, input not found\n", 23error, input not found
) = 23
exit_group(1)                           = ?
+++ exited with 1 +++
So it needs a key file. When we supply one it encodes it and puts the output into flag.enc - so the key is not an encryption key, it’s the plaintext that gets encoded. Our job is to reverse the process and decode flag.enc we are supplied.
Reversing the executable in Snowman gives some scary looking encryption code. But before we jump into reversing let’s experiment with encoding a little bit. Supplying key composed of different character combinations produces some interesting results:
keyflag.enc
A4D 16
AA4D 16 16 4D
AAA4D 16 16 4D 4D 16
B2E 4D
BB2E 4D 4D 2E
BBB2E 4D 4D 2E 2E 4D
AABB4D 16 16 4D 2E 4D 4D 2E
Things are not that scary any more. We can see that:
  • Every character is encoded as a 2-byte sequence
  • Every character is encoded independently of others
  • The 2-byte sequence is reversed depending on whether the position is odd or even
So what we can do now is simply build a key file with a full range of bytes, encode it, and use the result as the translation table to reverse the original flag.enc:
from subprocess import call

tab = b""

# build a translation table for full range of bytes, 
# with each byte used twice (to account for odd and even positions)
for x in range(0x100):
 tab += chr(x)*2
 
open("key","wb").write(tab)

call(["./unbreakable"])

conv = open("flag.enc","rb").read()

# build a dictionary out of encoded values
dict = {}
for x in range(0x100):
 dict[conv[x*4:x*4+2]] = x
 dict[conv[x*4+2:x*4+4]] = x
 
puzzle = open("flag.enc.orig","rb").read()

# use the dictionary to decode the flag
out = b""
for x in range(len(puzzle)/2):
 out += chr(dict[puzzle[x*2:x*2+2]])
 
open("flag.dec","wb").write(out)
Once the flag file is recovered it turns out that it is a PNG image. The image contains the flag - ASIS{Ju5t_C0py_And_paSte_on_Sc0rebo4rd!!}.
flag.png

Commentaires

Enregistrer un commentaire

Posts les plus consultés de ce blog

Excel 4.0 macro Trojan Downloader

-
Image
Hash: 89e62ec08b0b6065134c67937bae76ccd70163770fd6992574e41b9c82c3cf1c Sample Download Link:  beta.VirusBay.io Application Name: Microsoft Excel File Type: xls VirusTotal Score: 29/60 I came across this sample on VirusBay.io. I downloaded this malicious excel file on my VM for malware analysis. OLEVBA.py First thing I did analysis of VBA macro source code in excel file using OLETools. Command >  OLEVBA.py -a The result shows, macro will auto execute on opening file and it may run executable file may be using shell command and will download a file from remote server. The executable file name is  FBpKzqF.exe Document Property: XLM macro has been used in this file which is hidden. Steps To Make Macros Sheet Visible Step 1 I enabled it by right click on the spreadsheet which is open in Excel and selected Unhide… And then a popup shows the name of spreadsheet I will select to unhide. Here name of sheet is  SODXOFScMLy . Step 2 Along with this need to unblock the excel ...
Lire la suite

TROJAN AGENT TESLA – MALWARE ANALYSIS

-
Image
Hash – 077f75ef7fdb1663e70c33e20d8d7c4383fa13fd95517fab8023fce526bf3a25 Family : Agent Tesla Signature: Microsoft Visual C# v7.0/ Basic.NET Filename: UIhLdVHHlUAKoEOpjVAsXFlIQrgS.exe VirusTotal score: Malware behavior: Steal browser information (URL, Usernames, Passwords) Steal passwords for email clients. Steal FTP Clients Steal download manager passwords. Collect OS and hardware information. Browser Information: When I debug the malware executable, Initially it creates a SQLite database to store collected information from victims machine. Below are the tables getting created. Tables created: meta logins sqlite_sequence stats compromised_credentials found it collected browsers data (Google chrome), that includes accessed URLs and related usernames and passwords. database table  logins  stores all browser related information. Below are the table columns. Apart from this, malware also look for all different types of ...
Lire la suite

{ UIUCT#2017 } - REV 350P - ARE WE OUT OF THE WOODS YET?

-
It looks like this python script was run through a custom packer. It's just Python*, which means it must be easy to reverse, right? *v3 .6 .1 : 69 c0db5 https: //www.youtube.com/watch?v=y8qQsXpcZXA You are presented with the file  packed.py  that contains the following code: import marshal, zlib, base64, itertools def xor_strings (_left, _k) : out = b'' for l, r in zip(_left, itertools.cycle(_k)): out += (l ^ ord(r)).to_bytes( 1 , byteorder= 'big' ) return out def YET_eval_code (p1, p2) : YET_code = marshal.loads(zlib.decompress(xor_strings(base64.b64decode(p2), p1))) eval(YET_code) YET_eval_code( "YET" , b'IdkZDw77+o1N7Di7tKvNdbcGSyxAHBQCMDw12oRMcF9ROnVSwvKV+QF5+XW7ro70gu6ab7p1grlxNvbOLDMNXJpNfMagxOrwCrApxe8WxToZJ7Fo1LSzaO87HkVHachzv7ItMwuLq4nI5KBzqkyYmZaLf6NnIUN7OjslBoVvqbufNX+mk6G33qpKTDwzrwa5znSK1ARqs3rO2ayzgCgJFhtzrHHI5AvrFfqYL9brp6R76oobxtoLPuobrJa/qtJ9aEzLRviUqpozgaGn9b3hZzzJ1FgKoTprUzpjRKSqP...
Lire la suite