Codegate 2013 :: Binary #1 (100 points)

The 1st challenge under the binary category, worthy of 100 points, kicked off with a binary executable given to participants. Through the use of PEiD, the binary was identified to be a “Microsoft Visual C# / Basic .NET” file. Execution of the binary showed it was a simulation program for a door lock.

As no hint was given for the challenge, the next step would be to put the binary through .NET Reflector to decompile and analyse the code. Out of the 13 objects listed in the object browser, 12 were system-related objects. All focus was on the only remaining object “Crack_Test”.

Although Crack_Test contained several methods, there was one particular method that stood out from the rest – void TransFormable(string).

	public void TransFormable(string Data)
	{
	if (Data.Length == 0x10)
	{
	if (this.xorToString(AESCrypt.Encrypt(this.r.Text, KeyValue)) == this.lowkey)
	{
	MessageBox.Show(AESCrypt.Decrypt(this.StringToXOR(this.a.ByteTostring_t(this.c)), KeyValue));
	}
	else
	{
	MessageBox.Show("Do you know ? " + AESCrypt.Decrypt(this.StringToXOR(this.a.ByteTostring_t(this.d)), KeyValue));
	}
	}
	}

view raw codegate2013_binary100_1.c hosted with ❤ by GitHub

As observed in line 5 & 7, if the two strings matched, a message box would be shown with a decrypted string which might be the flag for this challenge. Gathering data and function code used for decryption within TransFormable() became the next step towards the goal. 

	static Crack_Game()
	{
	KeyValue = "9e2ea73295c7201c5ccd044477228527";
	}
	public Crack_Game()
	{
	this.a = new StringCrypt();
	this.lowkey = "@DT$:~zRbD_!qFWQMAtC's[_t:&&YF\x007fWQE ^o-EBAr%(";
	this.c = new byte[] {
	0x3f, 30, 0x39, 0x2f, 20, 0x4e, 50, 0x36, 0x33, 5, 0x25, 0x29, 0x52, 40, 0x45, 30,
	0x2a, 0x38, 0x24, 0x49, 60, 0x44, 0x4f, 0x56, 0x18, 0x49, 0x4c, 0x13, 9, 0x1b, 0x2a, 4,
	0x52, 0x2a, 0x1c, 0x56, 0x4f, 11, 0x11, 0x3f, 0x17, 14, 0x30, 0x40
	};
	this.d = new byte[] {
	0x16, 0x34, 4, 0x48, 40, 0x12, 0x29, 0x16, 0x17, 0x2d, 0x15, 0x1c, 0x2a, 0x3f, 0x17, 0x31,
	0x4b, 0x4c, 0x27, 5, 9, 13, 8, 0x2b, 0x25, 0x3b, 0x2a, 0x2d, 5, 0x30, 10, 0x2f,
	7, 0x2a, 12, 0x29, 20, 0x4f, 0x25, 0x2e, 0x27, 0x1f, 0x1a, 0x40
	};
	this.Shadowkey = string.Empty;
	this.e = null;
	this.a();
	this.r.MaxLength = 0x19;
	}
	public static string Decrypt(string textToDecrypt, string key)
	{
	RijndaelManaged managed = new RijndaelManaged {
	Mode = CipherMode.CBC,
	Padding = PaddingMode.PKCS7,
	KeySize = 0x100,
	BlockSize = 0x100
	};
	byte[] inputBuffer = Convert.FromBase64String(textToDecrypt);
	byte[] bytes = Encoding.UTF8.GetBytes(key);
	byte[] destinationArray = new byte[0x20];
	int length = bytes.Length;
	Array.Copy(bytes, destinationArray, length);
	managed.Key = destinationArray;
	managed.IV = destinationArray;
	byte[] buffer4 = managed.CreateDecryptor().TransformFinalBlock(inputBuffer, 0, inputBuffer.Length);
	return Encoding.UTF8.GetString(buffer4);
	}
	public string StringToXOR(string data)
	{
	byte[] bt = new byte[data.Length];
	bt = this.stringTobyte(data);
	for (int i = 0; i < bt.Length; i++)
	{
	bt[i] = (byte) (bt[i] ^ 0x25);
	bt[i] = (byte) (bt[i] ^ 0x58);
	}
	return this.ByteTostring(bt);
	}

view raw codegate2013_binary100_2.c hosted with ❤ by GitHub

With the above information gathered, a simple PHP was written to perform the decryption based on Rijndael cipher.

	<?php
	$c = array(0x3f, 30, 0x39, 0x2f, 20, 0x4e, 50, 0x36, 0x33, 5, 0x25, 0x29, 0x52, 40, 0x45, 30,
	0x2a, 0x38, 0x24, 0x49, 60, 0x44, 0x4f, 0x56, 0x18, 0x49, 0x4c, 0x13, 9, 0x1b, 0x2a, 4,
	0x52, 0x2a, 0x1c, 0x56, 0x4f, 11, 0x11, 0x3f, 0x17, 14, 0x30, 0x40);
	for ( $i = 0; $i < count($c); $i++ )
	$c[$i] = chr($c[$i] ^ 0x25 ^ 0x58);
	$textToDecrypt = utf8_decode(implode("", $c));
	$alg = MCRYPT_RIJNDAEL_256;
	$mode = MCRYPT_MODE_CBC;
	$keyvalue = '9e2ea73295c7201c5ccd044477228527';
	$bytes = utf8_encode($keyvalue);
	$iv = $key = $bytes;
	$flag = mcrypt_decrypt($alg, $key, base64_decode($textToDecrypt),$mode, $iv);
	echo "Flag: " . $flag;
	?>

view raw codegate2013_binary100_3.php hosted with ❤ by GitHub

And the flag was captured! 100 points in the bag!!  Yay!

Cheers,
Braeburn Ladny