
CSAW CTF: Reversing 300

October 1, 2012

Binary available at http://repo.shell-storm.org/CTF/CSAW-2012/Reversing/300/.

Yet another .NET binary. Running it gives behaviour similar to Reversing 200: it prints a line, reads a line and exits. Decompiling it with ILSpy gives us Main. It’s too long, so I’ll post only the relevant bits here.

private static void Main(string[] args)
{
    Console.WriteLine("Do you really just run random binaries given to you in challenges?");
    Console.ReadLine();
    Environment.Exit(0);
    MD5CryptoServiceProvider mD5CryptoServiceProvider = new MD5CryptoServiceProvider();
    AesCryptoServiceProvider aesCryptoServiceProvider = new AesCryptoServiceProvider();
    foreach (string current in Directory.EnumerateDirectories(Program.target))
    {
        byte[] first = mD5CryptoServiceProvider.ComputeHash(Encoding.UTF8.GetBytes(current.Replace(Program.target, "")));
        if (first.SequenceEqual(Program.marker))
        {
            byte[] rgbKey = mD5CryptoServiceProvider.ComputeHash(Encoding.UTF8.GetBytes("sneakyprefix" + current.Replace(Program.target, "")));
            ICryptoTransform cryptoTransform = aesCryptoServiceProvider.CreateDecryptor(rgbKey, new byte[]... //Truncated to save space
            byte[] bytes = cryptoTransform.TransformFinalBlock(Program.data, 0, Program.data.Length);
            Console.Write(Encoding.UTF7.GetString(bytes));
        }
    }
}

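Main calls Environment.Exit(0) right after reading the line, so the code below that call never runs when the binary is simply executed. That code creates an MD5 object and an AES object, then iterates over all child directories of the target directory, C:\Program Files. It computes the MD5 hash of each child directory’s name and checks whether it equals marker. If it does, “sneakyprefix” is prepended to the directory name, and the MD5 hash of that string is used as the key for the AES decryption that follows.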

After playing with marker, I realize that it is an MD5 sum, so I search the online databases of MD5 sums and find that it is the hash of “Intel”. So, the program checks if there is a directory named “Intel” in the target and, if so, proceeds with the decryption. I quickly modify the .NET code, removing references to the target directories, and run it in compilify (loved it a lot, my favourite handy .NET compiler) and voila, I get the flag:

That was pretty easy, wasn't it? \key{6a6c4d43668404041e67f0a6dc0fe243}
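
The marker check and key derivation from the decompiled Main can be replayed offline, without running the binary or reading C:\Program Files. The sketch below is an added example, not code from the original post: the candidate list and the MARKER stand-in are constructed, and because the IV and Program.data are not reproduced on this page it stops at the derived AES key.

```python
import hashlib

PREFIX = "sneakyprefix"  # literal taken from the decompiled Main


def md5_bytes(text: str) -> bytes:
    """MD5 of the UTF-8 bytes, as Encoding.UTF8.GetBytes + ComputeHash does."""
    return hashlib.md5(text.encode("utf-8")).digest()


def recover_key(marker: bytes, candidates):
    """Return (name, aes_key) for the first name whose MD5 equals marker.

    Mirrors the loop in Main: the directory name is hashed and compared
    with the marker; on a match the AES key is MD5(PREFIX + name).
    Returns None when no candidate matches.
    """
    for name in candidates:
        if md5_bytes(name) == marker:
            return name, md5_bytes(PREFIX + name)
    return None


# Constructed sample input: plausible child directories of the target.
CANDIDATES = [
    "Common Files",
    "Internet Explorer",
    "intel",            # wrong case: MD5 is case-sensitive, so no match
    "Intel",
    "Windows Defender",
]

# Assumption: stand-in for Program.marker, computed here from the name the
# post identifies rather than copied from the binary.
MARKER = md5_bytes("Intel")


if __name__ == "__main__":
    hit = recover_key(MARKER, CANDIDATES)
    if hit is None:
        print("no candidate matches the marker")
    else:
        name, key = hit
        # A 16-byte MD5 digest used as rgbKey means AES with a 128-bit key.
        print(f"marker matches {name!r}; AES-128 key = {key.hex()}")
```

Because the marker is an unsalted MD5 of a short, guessable directory name, a lookup like this (or the online hash database used in the post) is enough to recover the key material.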