Sunday, September 22, 2013

CSAW CTF 2013 :: Bikinibonanza (150 points)

For this puzzle we are given a .net executable.

This is what it looks like when executed...


First thought: enter the correct key and hit submit for the flag to be shown...
Let's fire up Reflector to decompile this .NET executable.

There are several eval_?? functions in the decompiled output. The trick to figuring out which eval_?? function a statement refers to is to click on it in Reflector; the program will take you to the correct eval_?? function.

In one of the eval_?? functions, we can see that it is doing some comparison work. The comparison might be the key to solving the puzzle. Let us copy this portion and write our own code...

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Security.Cryptography;

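namespace test
{
    /// <summary>
    /// Stand-alone re-implementation of the comparison logic that the write-up
    /// copied out of the decompiled challenge binary.
    /// </summary>
    /// <remarks>
    /// Every input used here (a constant string, a table of small primes and the
    /// local clock hour) is visible to anyone who holds the executable, and the MD5
    /// step is unkeyed, so the expected value can be recomputed offline. A check
    /// built only from client-side constants does not protect anything; validation
    /// of this kind needs a secret the client never holds.
    /// </remarks>
    class Program
    {
        // The first 30 primes; the decompiled routine indexes into this table.
        static readonly int[] Primes =
        {
            2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
            59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113
        };

        /// <summary>XORs <paramref name="num2"/> with the prime at index <paramref name="num1"/>.</summary>
        /// <param name="num2">Value to transform.</param>
        /// <param name="num1">Index into the 30-entry prime table (0..29).</param>
        /// <returns><c>Primes[num1] ^ num2</c>.</returns>
        /// <exception cref="IndexOutOfRangeException"><paramref name="num1"/> is outside the table.</exception>
        static int getkey(int num2, int num1)
        {
            return Primes[num1] ^ num2;
        }

        /// <summary>
        /// XORs every character of <paramref name="text1"/> with the primes at
        /// indices 1..<paramref name="num1"/>-1, appends the result to
        /// <paramref name="textRef1"/> and prints the MD5 hex digest of that string.
        /// </summary>
        /// <param name="text1">Input text; an empty string leaves everything untouched.</param>
        /// <param name="num1">Round count; values of 1 or less apply no XOR at all.</param>
        /// <param name="textRef1">Receives the transformed text (a null value is treated as empty).</param>
        static void generate(string text1, int num1, ref string textRef1)
        {
            if (text1.Length == 0)
            {
                return;
            }

            // Each character goes through the same XOR rounds, so the rounds
            // collapse into a single mask that is computed once up front.
            int mask = 0;
            for (int round = 1; round < num1; round++)
            {
                mask = getkey(mask, round);
            }

            // StringBuilder treats a null initial value as the empty string,
            // matching what string concatenation did with a null textRef1.
            StringBuilder transformed = new StringBuilder(textRef1);
            foreach (char ch in text1)
            {
                transformed.Append(Convert.ToChar(ch ^ mask));
            }

            textRef1 = transformed.ToString();

            // The digest was previously printed twice; once is enough.
            Console.WriteLine(replacing(textRef1));
        }

        /// <summary>Returns the upper-case hex MD5 digest of the ASCII bytes of <paramref name="text1"/>.</summary>
        /// <param name="text1">Text to hash; characters outside ASCII are replaced by the encoder.</param>
        /// <returns>32 hex characters without separators.</returns>
        static string replacing(string text1)
        {
            byte[] bytes = Encoding.ASCII.GetBytes(text1);

            // MD5 is used only because the original routine uses it; the hash
            // object is disposable, so release it deterministically.
            using (MD5 md5 = MD5.Create())
            {
                return BitConverter.ToString(md5.ComputeHash(bytes)).Replace("-", "");
            }
        }

        /// <summary>Prints the round count, the constant input string and the resulting digest.</summary>
        static void Main(string[] args)
        {
            string strB = null;

            // The round count is the local clock hour plus one, so the printed
            // digest changes from hour to hour.
            int rounds = DateTime.Now.Hour + 1;
            string str = "NeEd_MoRe_Bawlz";
            Console.WriteLine(rounds);

            Console.WriteLine(str);

            generate(str, rounds, ref strB);
        }
    }
}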

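On executing the above code we got BEBF06D90D6F9652476D244470C66BEC. Note that the round count comes from DateTime.Now.Hour + 1, so this value is specific to the hour in which the code was run.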

Throw this key into the application and we get the flag!


key(0920303251BABE89911ECEAD17FEBF30)

Always lazing
NoirD3vil...
