Challenge: Brute and Smart

# Goal
Find the password and get enlightened by the secret message.

No hints for this one. I will provide hints in the unlikely case that nobody solves this in the next 24h.

The Challenge

As usual, paste the text below in a file and get the binary with:

cat data | base64 -d | gunzip > the_challenge

2 Likes

I’m ASM-illiterate (@dtm’s words) and I’m still trying to do this!

2 Likes

I’ve reversed it but I’m not yet sure how to undo the operation with a guaranteed key… and I can’t be bothered writing a script to brute force it. :pensive:

2 Likes

Well, the title of the challenge was a hint in a sense. Once you have reversed the program, you get enough intel to try a quite selective brute force attack.

In a while I will release a crucial hint to solve the challenge very quickly.

This is the first hint.

By now, you should have figured out that the program has encrypted the target string using XOR encryption and that the key is not stored in the code at all. You need to find the key by brute forcing the password. Here goes the hint:

If P is the plain text, C is the crypted text and K is the key, then:

P xor K = C
and
P xor C = K

Therefore, if you have the plain text (or part of it) then you can know the key (or part of it).
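
The identity from the hint, applied to a repeating 6-byte key made of ASCII digits, as an added example that is not part of the original thread. It goes one step beyond the hint by sliding the known plaintext over the ciphertext when its position is unknown; the PIN, message, crib and function names are all constructed for illustration.

```python
from itertools import product

DIGITS = b"0123456789"   # key alphabet: ASCII digits of the PIN
PERIOD = 6               # key repeats every 6 bytes, as in the script on this page

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the same call encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def key_from_crib(cipher: bytes, crib: bytes, offset: int):
    """Assume crib is the plaintext at offset; return {key_index: key_byte},
    or None if a derived byte is not a digit or contradicts an earlier one."""
    learned = {}
    for j, p in enumerate(crib):
        k = cipher[offset + j] ^ p            # P xor C = K
        if k not in DIGITS or learned.setdefault((offset + j) % PERIOD, k) != k:
            return None
    return learned

def crib_drag(cipher: bytes, crib: bytes):
    """Try the crib at every offset; keep the placements that yield digit keys."""
    hits = []
    for off in range(len(cipher) - len(crib) + 1):
        learned = key_from_crib(cipher, crib, off)
        if learned is not None:
            hits.append((off, learned))
    return hits

def candidate_keys(cipher: bytes, crib: bytes):
    """All full keys consistent with some placement of the crib."""
    keys = set()
    for _, learned in crib_drag(cipher, crib):
        unknown = [i for i in range(PERIOD) if i not in learned]
        for fill in product(DIGITS, repeat=len(unknown)):
            key = bytearray(PERIOD)
            for i, k in learned.items():
                key[i] = k
            for i, k in zip(unknown, fill):
                key[i] = k
            keys.add(bytes(key))
    return keys

# Constructed sample data (not the challenge's PIN or message).
PIN = b"482915"
MESSAGE = b"The secret is that XOR keeps no secrets."
CIPHER = xor_repeat(MESSAGE, PIN)

if __name__ == "__main__":
    keys = candidate_keys(CIPHER, b"secr")    # 4 known plaintext bytes
    print(len(keys), "candidate PINs instead of", 10 ** PERIOD)
```

Four known plaintext bytes fix four of the six key positions, so each plausible placement leaves only 100 PINs to test.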

Okay, I finally decided to make a brute-forcing script so here it is:

#!/usr/bin/perl -w

# this is the encoded string, it's cut off and I'm too lazy to reopen my VM so figure it out yourself LOL
my @arr = ( 0x6b, 0x5c, 0x57, 0x11, 0x5d, 0x43, 0x4c, 0x49, 0x08, 0x1e, 0x1a, 0x43, 0x50, 0x5c, 0x51, 0x5e, 0x51, 0x52, 0x54, 0x5c, 0x41, 0x42,
        # remaining bytes are cut off in the original post
);
my @pins = ();

# brute forcing all possible pins
for (my $pin = 111111; $pin < 999999; $pin++) {
        my $result = 0;
        my @pin_array = split //, $pin;
        # this is the algorithm used to decode the encoded string
        for (my $i = 0; $i < 40; $i++) {
                my $digit = ord $pin_array[$i % 6];
                $result += ($digit ^ $arr[$i]) * $digit;
        }
        push @pins, $pin if ($result == 203552);
}

# brute forcing the correct pin
foreach my $pin (@pins) {
        my $output = `echo $pin | ./dump_nosleep`;
        print $pin, "\n" unless ($output =~ /wrong pin/i);
}

I assumed that sleep was there to slow down brute-forcing, but what can you do against a reverse engineer?

2 Likes

Very good @dtm. This was actually a pretty smart approach. And kudos for using Perl :wink:
Did you actually get enlightened by the hidden message :slight_smile: ?

I will publish the write-up with all the details in a while.

1 Like

Thanks, and yeah, Perl wooooooooooo!! Though I’m still very new to it.

As for the message… Sure… Sure thing. :stuck_out_tongue_winking_eye:

Oh yeah, thanks for another challenge.

2 Likes

DTM has written a script? SHOCK HORROR.

3 Likes
