
CSAW CTF 2012: Reversing 3

This entry was posted on Oct 02 2012

Here the challenge was to get the key out of a binary called CSAWQualification.exe for 300 points.

We used the same ILSpy decompiler that we had used to solve a previous challenge. The following was the output from the decompiler:

// CSAWQualification.Program
/// <summary>
/// Entry point as recovered by the decompiler. It prints a taunt, waits for a
/// line of input and then terminates the process. The decryption routine that
/// follows the exit call is therefore never reached when the binary is simply
/// run; it is only visible through static analysis.
/// </summary>
/// <param name="args">Command-line arguments; not read by this method.</param>
private static void Main(string[] args)
{
    Console.WriteLine("Do you really just run random binaries given to you in challenges?");
    Console.ReadLine();

    // The process ends here. Everything below is dead code at run time.
    Environment.Exit(0);

    MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider();
    AesCryptoServiceProvider aes = new AesCryptoServiceProvider();

    foreach (string directory in Directory.EnumerateDirectories(Program.target))
    {
        // Directory path with the Program.target prefix stripped.
        string name = directory.Replace(Program.target, "");

        // Only a directory whose name hashes (MD5 over its UTF-8 bytes) to
        // Program.marker unlocks the payload, so the key material is not
        // stored in the binary itself.
        byte[] nameDigest = md5.ComputeHash(Encoding.UTF8.GetBytes(name));
        if (!nameDigest.SequenceEqual(Program.marker))
        {
            continue;
        }

        // AES key = MD5("sneakyprefix" + name): the 16-byte digest is passed
        // straight to CreateDecryptor as the key.
        byte[] key = md5.ComputeHash(Encoding.UTF8.GetBytes("sneakyprefix" + name));

        // Hard-coded IV: the bytes 0 through 15.
        byte[] iv = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };

        ICryptoTransform decryptor = aes.CreateDecryptor(key, iv);
        byte[] plaintext = decryptor.TransformFinalBlock(Program.data, 0, Program.data.Length);

        // The decrypted bytes are decoded as UTF-7 before being printed.
        Console.Write(Encoding.UTF7.GetString(plaintext));
    }

    Console.ReadLine();
}

// CSAWQualification.Program
/// <summary>
/// Static initializer recovered by the decompiler. It fills in the three
/// static fields that Main reads: the directory to enumerate, the 16-byte
/// value that a directory name's MD5 digest is compared against, and the
/// 96-byte buffer that Main passes to the AES decryptor.
/// </summary>
static Program()
{
    // Note: the decompiler reports this type as 'beforefieldinit'.

    // Root whose immediate sub-directories Main enumerates.
    Program.target = @"C:\Program Files\";

    // 16 bytes, the length of an MD5 digest.
    Program.marker = new byte[]
    {
        255, 151, 169, 253, 237, 224, 158, 175, 110, 28, 142, 201, 246, 166, 29, 213
    };

    // 96 bytes, laid out here 16 per row.
    Program.data = new byte[]
    {
        15, 83, 222, 204, 130, 169, 253, 55, 165, 229, 219, 240, 206, 78, 102, 131,
        243, 100, 115, 102, 231, 76, 235, 175, 2, 193, 249, 172, 174, 172, 227, 120,
        67, 118, 87, 221, 124, 97, 202, 124, 191, 209, 164, 8, 61, 224, 193, 83,
        13, 137, 114, 140, 42, 65, 247, 237, 202, 71, 66, 38, 58, 205, 158, 199,
        246, 205, 178, 248, 21, 55, 82, 239, 36, 107, 104, 230, 193, 63, 157, 178,
        224, 48, 198, 4, 66, 221, 12, 211, 215, 103, 209, 14, 117, 139, 111, 162
    };
}

We noticed that lines like Environment.Exit(0) were making the program exit prematurely.  We were somehow forced to install Visual Studio this time.  :-P We then commented out the “culprit” lines of code and recompiled the program to get the output.
