BalalaikaCr3w - RuCTF Quals 2014

MD5 (crypto 100)

Dor1s — Thu, 20 Mar 2014 19:17:29 +0000

Category:

crypto

Event:

RuCTF Quals 2014

Classic Hash Length Extension Attack.

Is is doing like wrote here and here.

The easiest way to perfofm hash-length-extension attack is using HashPump.

Download it, build it and then write a little script to bruteforce secret's length and find the flag:

#!/usr/bin/python
from subprocess import *
import commands
import socket

def horosho(s):
	i = s.find('\\x')
	res = s[0:i]
	while i != -1:
		n = int(s[i+2:i+4], 16)
		res += chr(n)
		s = s[i + 4:]
		i = s.find('\\x')
	res += s
	return res



digest = 'b34c39b9e83f0e965cf392831b3d71b8'
data = '\'do test connection\''
addData = 'give'
length = 5

for length in xrange(1, 257, 1):
	print length
	args = '-s ' + digest + ' --data ' + data + ' -a ' + addData + ' -k ' + str(length) + ' > file'
	output = commands.getstatusoutput('./hashpump ' + args)
	payload = open('file', 'rb').read()
	payload = payload[:-1]
	payload = payload[0:32] + ' ' + payload[33:]
	payload = horosho(payload)
	s = socket.create_connection(('python27.quals.ructf.org', 12337))
	s.send(payload)
	answer = s.recv(1000)
	print answer
	if answer.find('Wrong signature') == -1:
		break

And when right length of the secret is found we get this:

15

Message accepted! The answer is RUCTF_CryptoIsFunAndEasy

spy offers | Nike SB

PIN (reverse 400)

Dil4rd — Wed, 19 Mar 2014 12:35:35 +0000

Category:

reverse

Event:

RuCTF Quals 2014

The task was to reverse file main. This is an executable for MS DOS.

Fortunately, this binary isn't packed and it's logic can be easily understand without dynamic analysis. After few minutes of analysis is becames obvius that this executable set hook for interupt int9 (keyboard handler) and for every input character makes some changes with global variable byte_178. If this variables equals 0x14 then we get success message.

First of all let's take a look at the begging of main function:

There you can see that new int9 handler is function at address loc_103. New int9 handler has nothing intrestin: it takes input key code, increment pointer to input key code and set key code there. It's worth noting that new int9 handler uses it's own local buffer which I called keyboard_buffer and pointer to recently added key code in that buffer (I called it recived_cur_elem_offset).

After setting new int9 handler main function goes to loop at address loc_38E and leave it only when new key code has been added. Let's see what happens when new key is pressed (code of pressed key is in al registger):

So this binary exits when key PgDn pressed and does nothing if pressed any key except keys belong to numbers (key codes can be found there: http://msdn.microsoft.com/en-us/library/aa299374(v=vs.60).aspx). So PIN checking algorithm is the next:

arr_byte_179 = [28, 15, 44, 16, 10, 25, 48, 46, 23, 14, 3, 27, 31, 33, 40, 39, 18, 45, 34, 21, 31, 22, 39, 49, 17, 32, 45, 33, 41, 21, 4, 22, 35, 32, 21, 19, 29, 41, 49, 40, 22, 39, 18, 47, 34, 27, 19, 1, 32, 29, 30, 44, 24, 0, 38, 26, 25, 14, 37, 9, 46, 26, 14, 13, 11, 5, 37, 10, 24, 44, 44, 14, 23, 38, 16, 20, 6, 0, 8, 9, 0, 37, 48, 44, 23, 6, 46, 9, 10, 16, 14, 30, 24, 10, 13, 28, 5, 15, 48, 12, 14, 28, 0, 25, 15, 16, 48, 9, 12, 38, 23, 24, 7, 15, 26, 10, 30, 13, 12, 9, 37, 10, 23, 38, 44, 28, 13, 0, 26, 15, 9, 5, 38, 44, 24, 15, 48, 23, 37, 8, 25, 16, 30, 24, 28, 37, 10, 8, 38, 12, 46, 10, 24, 28, 48, 37, 0, 23, 13, 8, 12, 9, 48, 44, 38, 24, 8, 26, 28, 15, 39, 36, 29, 3, 34, 19, 27, 40, 47, 22, 31, 47, 40, 2, 22, 27, 21, 3, 32, 1, 21, 39, 41, 4, 3, 40, 47, 22, 31, 18, 9, 6, 48, 7, 26, 5, 13, 12, 10, 8, 27, 19, 29, 41, 49, 3, 31, 47, 40, 39, 21, 1, 32, 18, 19, 3, 27, 4, 35, 39, 16, 38, 0, 9, 13, 30, 48, 26, 44, 5, 16, 9, 37, 44, 15, 23, 14, 28, 48, 0, 6, 13, 26, 0, 12, 23, 15, 5, 14, 48, 5, 15, 16, 13, 14, 23, 46, 24, 48, 10, 31, 29, 40, 39, 35, 21, 47, 32, 22, 33, 37, 16, 8, 48, 30, 46, 23, 38, 9, 13, 47, 34, 49, 17, 32, 31, 41, 1, 18, 19, 14, 37, 10, 12, 38, 15, 48, 5, 9, 13, 4, 27, 22, 45, 2, 33, 17, 47, 35, 32, 18, 1, 49, 34, 2, 29, 27, 3, 31, 4, 22, 32, 29, 45, 34, 3, 39, 27, 21, 47, 3, 41, 35, 31, 19, 18, 40, 1, 22, 27, 22, 31, 29, 49, 21, 19, 47, 18, 40, 1, 41, 19, 29, 40, 35, 18, 22, 42, 45, 39, 44, 24, 25, 0, 46, 26, 28, 16, 9, 8, 9, 15, 13, 26, 25, 16, 6, 23, 10, 5, 3, 1, 35, 4, 17, 34, 22, 47, 45, 19, 39, 22, 29, 27, 32, 35, 41, 1, 2, 17, 21, 3, 27, 31, 33, 40, 22, 39, 34, 17, 43, 33, 32, 18, 31, 4, 41, 45, 22, 3, 4, 42, 40, 27, 47, 21, 9, 45, 1, 3, 13, 30, 23, 37, 14, 10, 12, 6, 9, 28, 3, 4, 34, 32, 31, 49, 22, 2, 19, 1, 23, 44, 13, 10, 30, 9, 0, 8, 14, 5, 33, 19, 39, 3, 35, 4, 1, 27, 31, 17, 38, 6, 46, 37, 28, 5, 25, 26, 8, 9, 41, 33, 32, 18, 21, 45, 34, 27, 19, 4]

key_format = '1234567890'

def to_keycodes(key_str):
	if key_str not in key_format:
		print("Invalid key format (only numbers)!")
		return None
	return key_format.index(key_str)+2

def check_key(key):
	glob_byte_178 = 0x16
	for el in key:
		glob_byte_178 = arr_byte_179[glob_byte_178*10 + to_keycodes(el) - 2]
		if glob_byte_178==0x14:
			print("Success! Your key is '"+key+"'")
			return
	print("No...")

The algorithm is quite easy and the only bad news is that array at address 179 isn't a substitution and can't be easily reversed. So we have graph and should find there the way from 0x16 to 0x14. Before searching for some fast algorithm I started simples brute via next algorithm:

import sys

arr_byte_179 = [28, 15, 44, 16, 10, 25, 48, 46, 23, 14, 3, 27, 31, 33, 40, 39, 18, 45, 34, 21, 31, 22, 39, 49, 17, 32, 45, 33, 41, 21, 4, 22, 35, 32, 21, 19, 29, 41, 49, 40, 22, 39, 18, 47, 34, 27, 19, 1, 32, 29, 30, 44, 24, 0, 38, 26, 25, 14, 37, 9, 46, 26, 14, 13, 11, 5, 37, 10, 24, 44, 44, 14, 23, 38, 16, 20, 6, 0, 8, 9, 0, 37, 48, 44, 23, 6, 46, 9, 10, 16, 14, 30, 24, 10, 13, 28, 5, 15, 48, 12, 14, 28, 0, 25, 15, 16, 48, 9, 12, 38, 23, 24, 7, 15, 26, 10, 30, 13, 12, 9, 37, 10, 23, 38, 44, 28, 13, 0, 26, 15, 9, 5, 38, 44, 24, 15, 48, 23, 37, 8, 25, 16, 30, 24, 28, 37, 10, 8, 38, 12, 46, 10, 24, 28, 48, 37, 0, 23, 13, 8, 12, 9, 48, 44, 38, 24, 8, 26, 28, 15, 39, 36, 29, 3, 34, 19, 27, 40, 47, 22, 31, 47, 40, 2, 22, 27, 21, 3, 32, 1, 21, 39, 41, 4, 3, 40, 47, 22, 31, 18, 9, 6, 48, 7, 26, 5, 13, 12, 10, 8, 27, 19, 29, 41, 49, 3, 31, 47, 40, 39, 21, 1, 32, 18, 19, 3, 27, 4, 35, 39, 16, 38, 0, 9, 13, 30, 48, 26, 44, 5, 16, 9, 37, 44, 15, 23, 14, 28, 48, 0, 6, 13, 26, 0, 12, 23, 15, 5, 14, 48, 5, 15, 16, 13, 14, 23, 46, 24, 48, 10, 31, 29, 40, 39, 35, 21, 47, 32, 22, 33, 37, 16, 8, 48, 30, 46, 23, 38, 9, 13, 47, 34, 49, 17, 32, 31, 41, 1, 18, 19, 14, 37, 10, 12, 38, 15, 48, 5, 9, 13, 4, 27, 22, 45, 2, 33, 17, 47, 35, 32, 18, 1, 49, 34, 2, 29, 27, 3, 31, 4, 22, 32, 29, 45, 34, 3, 39, 27, 21, 47, 3, 41, 35, 31, 19, 18, 40, 1, 22, 27, 22, 31, 29, 49, 21, 19, 47, 18, 40, 1, 41, 19, 29, 40, 35, 18, 22, 42, 45, 39, 44, 24, 25, 0, 46, 26, 28, 16, 9, 8, 9, 15, 13, 26, 25, 16, 6, 23, 10, 5, 3, 1, 35, 4, 17, 34, 22, 47, 45, 19, 39, 22, 29, 27, 32, 35, 41, 1, 2, 17, 21, 3, 27, 31, 33, 40, 22, 39, 34, 17, 43, 33, 32, 18, 31, 4, 41, 45, 22, 3, 4, 42, 40, 27, 47, 21, 9, 45, 1, 3, 13, 30, 23, 37, 14, 10, 12, 6, 9, 28, 3, 4, 34, 32, 31, 49, 22, 2, 19, 1, 23, 44, 13, 10, 30, 9, 0, 8, 14, 5, 33, 19, 39, 3, 35, 4, 1, 27, 31, 17, 38, 6, 46, 37, 28, 5, 25, 26, 8, 9, 41, 33, 32, 18, 21, 45, 34, 27, 19, 4]
key_format = '1234567890'

def from_keycodes(keycode):
	if keycode>=2 and keycode<=0xB:
		return key_format[keycode-2]
	else:
		print("Invalid key format (only numbers)!")
		return None

def all_ind_of_el(arr,el):
	ind_arr =[]
	for i in range(len(arr)):
		if arr[i]==el:
			ind_arr.append(i)
	return ind_arr

def excract_prev_states(dw_val):
	res_arr = []
	ells_id = all_ind_of_el(arr_byte_179,dw_val)
	for cur_id  in ells_id:
		loc_val = cur_id + 2
		cur_keycode = (loc_val % 10)
		if cur_keycode==0 or cur_keycode==1:
			cur_keycode = cur_keycode + 10
		prev_dwVal = int((loc_val - cur_keycode)/10)
		res_arr.append([cur_keycode,prev_dwVal])
	return res_arr

MAX_DEPTH = 15
pin = ''
def looper(start_elem,depth):
	global pin
	depth = depth+1
	if depth>MAX_DEPTH:
		return False
	for tt in excract_prev_states(start_elem):
		if tt[1]==0x16 or looper(tt[1], depth)==True:
			print(str(depth)+"\t:\t"+str(tt[1])+"\t:\t"+from_keycodes(tt[0]))
			pin = pin + from_keycodes(tt[0])
			return True
	return False

looper(0x14,0)
print("You pin is "+ pin)

And it has suddenly found a pin "052817506537536". I've entered it in form as flag and recived "Wrong!". So I've started to search an error in my code.. and found more 'valid' pins: "887452817506536", "27452817506536". But there was no flag among them;(

Few minutes later organizers have published hint that the length of pin is 11 symbols. So I've changed MAX_DEPTH to 11 and run next code:

MAX_DEPTH = 11
pin = ''
def looper(start_elem,depth,curpath):
	global pin
	depth = depth+1
	if depth>MAX_DEPTH:
		return False
	curpath = curpath + [start_elem]
	for tt in excract_prev_states(start_elem):
		if tt[1] in curpath:
			continue
		if tt[1]==0x16 or looper(tt[1], depth,curpath)==True:
			print(str(depth)+"\t: "+str(tt[1])+"\t: "+from_keycodes(tt[0]))
			pin = pin + from_keycodes(tt[0])
			return True
	return False

mypath = []
looper(0x14,0,mypath)
print("You pin is "+ pin)

Just in minute I've got the flag: 05281792536.

jordan Sneakers | Sneakers

No harm (reverse 200)

Dil4rd — Tue, 18 Mar 2014 14:19:30 +0000

Category:

reverse

Event:

RuCTF Quals 2014

The task was to find MD5 of the biggets file from the file HARM.DAT, which is the part of game Harm0597 for MS DOS.

First of all let's ask Google to find this game and easily find URL to download it: ftp://78.46.52.48/pub/mags/harm/harm0597.zip

File HARM.DAT has an obvious structure:

struct _FILE_HEADER {
    char magic[32];
    __int32 numSubFiles;
    _PACKED_FILE_HEADER packedFileList[]; 
} FILE_HEADER, *PFILE_HEADER;   // sizeof(_FILE_HEADER) = 32 + 4 + numSubFiles*sizeof(_PACKED_FILE_HEADER)

struct _PACKED_FILE_HEADER {
    char fileNameA[12];
    unsigned char fileType;
    unsigned __int32 fileRealSize;
    unsigned __int32 fileDataOffset;
} PACKED_FILE_HEADE, *PPACKED_FILE_HEADE;  // sizeof(_PACKED_FILE_HEADER) = 12 + 1 + 4 + 4

So we can easily find the biggest file: it's file with name "TRX-DRNK.RUS".

But sum of all _PACKED_FILE_HEADER.fileRealSize is much bigger that file size. This means that some files are compressed.
According to the next info we can make assumption that files with type = 3 are compressed.

	fileId = 21
	fileName = TECHINFO.RUS
	fileType = 0x3
	fileDataOffset = 0xd6d0
	fileDataSize = 0x5000

	fileId = 22
	fileName = YEP.BINO.RUS
	fileType = 0x1
	fileDataOffset = 0xdcca
	fileDataSize = 0x2d0

	fileId = 23
	fileName = NO.BINNO.RUS
	fileType = 0x1
	fileDataOffset = 0xdf9a
	fileDataSize = 0x330

Fortunately, first 2 bytes of compressed files are the size of compressed data. So data of compressed files has the next format:

struct _PACKED_FILE_COMPRESSED_DATA {
    unsigned __int16 dataSize;
    unsigned char    data[];    
} PACKED_FILE_COMPRESSED_DATA, *PPACKED_FILE_COMPRESSED_DATA;   //sizeof(_PACKED_FILE_COMPRESSED_DATA) = 4 + dataSize

Now we can dump file "TRX-DRNK.RUS" and... find nothing ;(

The problem is that I don't know the compression algorithm and this file has non-standard structure (or it's a raw data). Anyway this is my script for parsing HARM.DAT file, just in case.

Now let's start RE HARM.EXE. If you open it in IDA you will find that it's most likely packed..

And packed by pklite! So let's unpack it!

The things we need for that are:

DosBox -- MS Dos emulator (URL: http://www.dosbox.com/download.php?main=1)
PkLite unpacker (we can take program UNP from http://sta.c64.org/dosprg.html)
DosBox debugger (just in case) (can be foud there: http://www.vogons.org/viewtopic.php?t=7323)

And...

the easiest unpacking ever ;)

Now open unpacked file in IDA and start reversing. Using IDA, debugger and script higher we can find that

function sub_1417E returns id of the packed file with given name (call it get_file_id_by_name);
function sub_1422C takes packed file id and address of buffer for uncompressed data (call it get_file_data_by_id).

Here is a part of main function (called PROGRAM in DOS)

Now let's start debugging unpacked program, stop at the beginning and make next changes:

1) set size of newly allocated memory at cs:2428 via "sm cs:2429 ff ff" (allocate memory block of size 0xFFFF)

2) set breakpoint at address cs:2430 (right after call for memory allocation to gather allocated memory address)

3) change file name offset at cs:2469 via "sm cs:246a 9f 22" (cs:229F points to string "TRX-DRNK.RUS")

4) at address cs:2474 set the code

les di,[3176]
push es
push di
call <newSeg8Value>:028C

via "sm cs:2474 c4 3e 76 31 06 57 9a 8c 02 <newSeg8Value.LowByte> <newSeg8Value.HighByte>", where newSeg8Value is the value of seg08 from IDA (0x0608 in my case)

5) set breakpoint at address cs:247F (right after call decompression function to dump decompressed data)

6) continue normal execution, at breapoint 1 remember address of allocated memory ({dx:ax}) and at breakpoint 2 make memory dump via "memdump <allocSeg>:<allocLinAddr> f8a0" (memdump 1e94:0000 f8a0)

Now you can find memory dump in DosBox's folder, convert it to binary data and find it's MD5 which will be the flag: 8C0C4C5F223D9B3822A51EEA0CABD524.

The only reason to make all changes in binary right before execution are relocations. When I've set the number of relocations to 0, my DosBox have crashed.. so I decided that the way above is better that try to guest the reason of DosBox's crash or searching for new DOS emulator:)

Running Sneakers Store | Patike – Nike Air Jordan, Premium, Retro Klasici, Sneakers , Iicf

Cat's eyes (stego 100)

briskly — Mon, 17 Mar 2014 19:05:43 +0000

Category:

stego

Event:

RuCTF Quals 2014

This task is the most simple stego task in this ctf. We have the GIF with 8 frames, all of them have little color difference in the first 3 lines. All we need just to build differences image. After some analysis we decided that it is binary encoded ASCII text. And we decoded it.

from PIL import Image
from PIL.ImageChops import difference
from numpy import asarray


images = []
for i in range(1, 9):
    images.append(Image.open("%s.png" % i))

dif = asarray(difference(images[0], images[0])).tolist()
for i in images[1:]:
    curImage = difference(images[0], i)
    for i, raw in enumerate(asarray(curImage)):
        for j, color in enumerate(raw):
            if color != 0:
                dif[i][j] = 1

binString = ""
for i in range(0, 3):
    for pixel in dif[i]:
        if pixel == 0:
            binString += "0"
        else:
            binString += "1"
answer = ""
for i in range(0, 1000, 8):
    el = int(binString[i:i+8], 2)
    if el == 0:
        break
    answer += chr(el)
print answer

The answer is RUCTF_e4dd9f5cee307b322c3a27abe66e3df9.

best shoes | Sneakers

Secret String (ppc 300)

briskly — Mon, 17 Mar 2014 18:37:14 +0000

Category:

ppc

Event:

RuCTF Quals 2014

As we can see from the task, the talk is about DNA replication, as said my friends from team, we should find the most popular string in the given file.

First of all, I should say, that I'm using python. In the start I just tried to build index where keys are string that can be found in file and values are there frequency. But that didn't work. Because in python index always saved in the RAM, and for my counting, I should have more than 16GB (I think something like 32 or 64). That numbers is reachable, but I guessed that it should be better solution.

So there is two solutions:

First I think just install some datebase with indexies that could use disk for storage. But in this case you should do more admin stuff I think.

Second: I wrote variant just for lulz, with no math calculation and it worked:

At the begiging script builds index reading stings from random places. For me 10 000 000 strings was enough. After that I just take 10 00 most popular string, and count there frequency only:

from collections import defaultdict
from operator import itemgetter
from random import randint
index = defaultdict(int)

with open("word2") as f:
    s = f.read()
    for i in xrange(10000000):
        j = randint(0, len(s))
        index[s[j:j+32]] += 1

    index = dict(sorted(index.iteritems(), key=itemgetter(1), reverse=True)[:10000])
    for i, el in enumerate(s):
        try:
            curS = s[i:i+32]
        except:
            break
        if i % 100000 == 0:
            print i
        if curS in index:
            index[curS] += 1

print max(index.iteritems(), key=itemgetter(1))

The answer is GGAACAAGTTACATGGGCCGAATGCTATTGTC, and it could be found 64 times in the file. Script works for 120 second.

latest Nike release | Best Running Shoes for Men 2021 , Buyer's Guide , Worldarchitecturefestival

Secret host (forensics 100)

azrael — Mon, 17 Mar 2014 13:32:59 +0000

Category:

forensics

Event:

RuCTF Quals 2014

Here we need to find something hidden on host http://10.100.0.1/ using given openvpn configs and dump.

We connected to VPN with given configs but system is required to authenticate. After using strings on dump we got login and password SuperPuperRoot / VeryStrongSecret. So we have authenticated in VPN and went on http://10.100.0.1/. There is we got a page with this source code:

<html>
<body>
	<h1>It works!</h1>
	<p>This is the default web page for this server.</p>
	<p>The web server software is running but no content has been added, yet.</p>
	<p style="color: white">Your secret information is RUCTF_29793ced32a8c89481c83827cf24647a</p>
</body>
</html>

Flag is RUCTF_29793ced32a8c89481c83827cf24647a.

latest Nike Sneakers | Zapatillas de running Nike - Mujer

Attachments:

openvpn.5df2789228a89cdcd1ff58e3e650df0f.7z

es (web 200)

azrael — Mon, 17 Mar 2014 12:49:02 +0000

Category:

web

Event:

RuCTF Quals 2014

There is service raised at http://w2.quals.ructf.org/.

There is the authorization form and another form with strange functional on page. Also there is registration link.

At first we registered a new user with 1 / 1 as login / password. We saw that server set cookie:

Cookie: mojolicious=eyJuYW1lIjoiMSIsImV4cGlyZXMiOjEzOTUwNjI3OTh9--b844d3ef12af172ffebe4271f93d0548b92f637d

First part before "--" is base64-encoded user session information:

'eyJuYW1lIjoiMSIsImV4cGlyZXMiOjEzOTUwNjI3OTh9' == base64('{"name":"1","expires":1395062798}')

Second part after "--" is hash_hmac with sha1 of first part with a secret. We found secret in page source code:

<!-- secret: ructf -->

So we assumed that we need got admin's cookie. We replaced our nickname to 'admin' and generated new cookie with help of http://www.freeformatter.com/hmac-generator.html:

part1 = base64('{"name":"admin","expires":1395062798}')
part2 = hash_hmac('sha1', part1, 'ructf')

Result:

part1 + '--' + part2 ==
'eyJuYW1lIjoiYWRtaW4iLCJleHBpcmVzIjoxMzk1MDYyNzk4fQ==--f0b9d2795f0e8de1abafede4ea2aae54282e09a9'

So we logged in with new admin cookie and saw a message 'Hi, admin!'. Then we went to http://w2.quals.ructf.org/list and got flag 054ad7a734437d6853383ad919526dc5 by following http://w2.quals.ructf.org/very/super/secret/flag link.

Asics footwear | Air Jordan Sneakers

Arcfour (reverse 500)

Dil4rd — Mon, 17 Mar 2014 12:32:10 +0000

Category:

reverse

Event:

RuCTF Quals 2014

In reverse category this task was the easiest one, except Harm (reverse 10), of course:)

The task was to reverse x86 PE executable. There was 2 ways to solve this task: the easiest one and little more complicated. But let's start with their commom part.

The file seems to be packed by UPX, so start debugging! After unpacking by upx we can find that OEP is at address 0x6d28, but there is a very strange code:

And the address 0x15c3 seems to be the real OEP. So set breakpoint at address 0x4015c3 and dump image using PeTools and ImpREC (my dump avaliable here). Now just open dumped file in IDA.

The first way. If we try to decompile dumped file then we will see next:

So, the lenght of key is 32 bytes. Now let's find where does it checked:

Go to address 0x4011CD, jump little higher to address 0x4010d0 and create a function there. After decompilation of this function we can see that pArgv1 passed to function at address 0x401000, which looks like RC4. After that it compare pArgv1 with local buffer.

signed int __stdcall sub_4010D0()
{
  int v0; // eax@0
  char v1; // cl@1
  unsigned int v2; // eax@1
  signed int v3; // eax@3
  int v5; // [sp+4h] [bp-44h]@1
  char v6; // [sp+8h] [bp-40h]@1
  char pCryptedFlag[32]; // [sp+Ch] [bp-3Ch]@1
  char v8; // [sp+2Ch] [bp-1Ch]@1
  char pMaskedKey[11]; // [sp+30h] [bp-18h]@1
  char v10; // [sp+3Bh] [bp-Dh]@1
  int v11; // [sp+3Ch] [bp-Ch]@1
  int *v12; // [sp+40h] [bp-8h]@1
  char xorMaskConstant; // [sp+47h] [bp-1h]@1

  pCryptedFlag[22] = 69;
  pCryptedFlag[26] = 69;
  LOBYTE(v0) = -123;
  pCryptedFlag[0] = -54;
  pCryptedFlag[1] = -56;
  pCryptedFlag[2] = -57;
  pCryptedFlag[3] = 3;
  pCryptedFlag[4] = -4;
  pCryptedFlag[5] = 16;
  pCryptedFlag[6] = 40;
  pCryptedFlag[7] = 31;
  pCryptedFlag[8] = 122;
  pCryptedFlag[9] = 127;
  pCryptedFlag[10] = -116;
  pCryptedFlag[11] = -108;
  pCryptedFlag[12] = 46;
  pCryptedFlag[13] = -7;
  pCryptedFlag[14] = 105;
  pCryptedFlag[15] = 36;
  pCryptedFlag[16] = -97;
  pCryptedFlag[17] = 125;
  pCryptedFlag[18] = 39;
  pCryptedFlag[19] = -63;
  pCryptedFlag[20] = -60;
  pCryptedFlag[21] = 9;
  pCryptedFlag[23] = 127;
  pCryptedFlag[24] = 117;
  pCryptedFlag[25] = -18;
  pCryptedFlag[27] = -105;
  pCryptedFlag[28] = -115;
  pCryptedFlag[29] = -81;
  pCryptedFlag[30] = 121;
  pCryptedFlag[31] = 31;
  v8 = 0;
  pMaskedKey[0] = -122;
  pMaskedKey[1] = -34;
  pMaskedKey[2] = -102;
  pMaskedKey[3] = -8;
  pMaskedKey[4] = -33;
  pMaskedKey[5] = -11;
  pMaskedKey[6] = -123;
  pMaskedKey[7] = -23;
  pMaskedKey[8] = -35;
  pMaskedKey[9] = -123;
  pMaskedKey[10] = -17;
  v10 = 0;
  v11 = v0;
  v12 = &v5;
  xorMaskConstant = v6;
  v1 = v6;
  v2 = 0;
  do
  {
    pMaskedKey[v2] ^= v1;
    ++v2;
  }
  while ( v2 < 0xB );
  rc4Crypt(pMaskedKey, pArgv1);
  v3 = 0;
  while ( *(&pCryptedFlag[v3] + pArgv1 - pCryptedFlag) == pCryptedFlag[v3] )
  {
    ++v3;
    if ( v3 >= 32 )
      return 1;
  }
  return 0;
}

Because RC4_encrypt = RC4_decrypt we can just pass to function at address 0x401000 local buffer pCryptedFlag and recive the flag!.. But what about the encryption key? If you are using OllyDbg with Phantom plugin (or any other debugger or plugin which prevent setting flag PEB.BeingDebugged) then there is no reason to worry, the buffer will be successfully decrypted :)

Otherwise we can brute the value of xorMaskConstant (because all elements in array pMaskedKey are bigger then 128 (the higher bit is set), then the range is [128,255]). The code for brutting:

def KSA(key):
    keylength = len(key)
    S = range(256)
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % keylength]) % 256
        S[i], S[j] = S[j], S[i]  # swap
    return S

def PRGA(S):
    i = 0
    j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]  # swap
        K = S[(S[i] + S[j]) % 256]
        yield K

def RC4(key):
    S = KSA(key)
    return PRGA(S)


if __name__ == '__main__':
    CONST = 0xB6
    rc4_key_arr = [0x86, 0xDE, 154, 248, 223, 245, 133, 233, 221, 133, 239]
    flag_arr = [0xCA, 0xC8, 0xC7, 3,0xFC, 0x10, 0x28, 0x1F, 0x7A, 0x7F, 0x8C, 0x94, 0x2E, 0xF9, 0x69, 0x24, 0x9F, 0x7D, 0x27, 0xC1, 0xC4, 9,0x45,0x7F, 0x75, 0xEE, 0x45, 0x97, 0x8D, 0xAF, 0x79, 0x1F]

    for CONST in range(128,256):
        rc4_key = [el^CONST for el in rc4_key_arr]
        rc4_key_stream = RC4(rc4_key)
        flag = ''.join([chr(fl_el^rc4_key_stream.next()) for fl_el in flag_arr])
        if "RUCTF" in flag:
            print(hex(CONST)+" : "+''.join([chr(el) for el in rc4_key]) +" : "+flag)

Anyway you recive the flag: RUCTF_408f971883ccf6180eab2b3cf5

The second way. In my opinion the only intersting task in RE, I've solved during RuCTF Quals 2014 was PIN (revese 400). So the only reason why I have written this writeup is the orgnanizer's condition for participants of RuCTF Final 2014: we should give them writeups of all tasks we have solved. To make this writeup a bit more intresting I decided to write a full control flow of this executable, so let's start.

As it's shown higher IDA's Hex-Rays failed right after comparison of the lenght of input argument with 32. Let's see asm code

As you can see this instruction has been added there by post UPX and pre OEP code. Ok, so the developer wants to generate an exception and we should search for exception header.

Because this binary requires DLL msvcr90.dll which is standart CRT (C run-time) lib from Visual C++ 2008 Redistributable package we know two facts: 1) it's most likely use SEH & CRT's _try/_catch technique and 2) this executable has been developed in VS 2008:)

As you know, in CRT_try/_catch blocks passes to CRT's SEH handlers (usually _except_handler3 or _except_handler4) as aurguments (for more information you can see Igor Skochinsky's article "Compiler Internals: Exceptions and RTTI" from RECon 2012, avliable here). At the begging of _main function we can see next:

This means that there is only one _try/_catch block in _main function. Let's go to address 0x4012ac:

Ok, we have found where does function at address 0x4010d0 (as you remember, it checks input argument) called from. Now let's take a look into this function. Because we have already discussed everything except receiving of constant xorMaskConstant only this part of this function will be examined:

According to image higher we can see that local buffer pMaskedKey xored with constant PEB.BeingDebugged, which normally equal to 1 if debugger is active and 0 otherwise. But how it has happened that it equal to 0xB6?

The answer if TLS (thread local storage) callbacks.

As you know, these functions aimed to initialization of some C++ clases and runs before execution of code at EP. And I our case everything it does is just add to PEB.BeingDebugged 0xB6.

So variable xorMaskConstant should be equal to 0xB6, RC4 excryption key is "0h,NiC3_k3Y" and the flag is RUCTF_408f971883ccf6180eab2b3cf5.

Buy Kicks | adidas sold 1 million dollars today Enflame Release Date - raw amber nmd laces

Get the message (recon 300)

azrael — Mon, 17 Mar 2014 11:01:12 +0000

Category:

recon

Event:

RuCTF Quals 2014

In this task somebody is telegraphing Olimpiada strange messages with secret password and we need to find that.

We found on Olimpiada's VK.com avatar image her phone number +37255933368 and allusion to the fact that we must use Telegram Messenger. Because of a lot of login requests Telegram started to discard connections. Organizers published message that she "...don't like telegram messenger any more!(( Good old sms rulezzz!"

So we found a service to read sms from public phones and read her messages. We got flag RUCTF_THE_MOST_SECRET_PA$$_3V3R from one of them.

affiliate tracking url | Vans Shoes That Change Color in the Sun: UV Era Ink Stacked & More – Pochta News

Guess the flag (vuln 100)

azrael — Mon, 17 Mar 2014 10:34:41 +0000

Category:

pwn

Event:

RuCTF Quals 2014

There is given service raised at vuln1.quals.ructf.org:16712 and it's ELF 32-bit executable source file.

At first I tried to reverse executable but i'm not a reverse-engeneering-guy so i got nothing :)

Because of task's cost is 100 and I thought than it can't be difficult I connect to vuln1.quals.ructf.org:16712 and started to brute inputs. And I was surprised that after several attempts I got flag RUCTF_f4205156a73b7bd143ab06e7722e3c81f72b8429 with "\" as input string :)

Nike shoes | Nike for Men

Attachments:

guess.zip