Difficulty estimate: easy
Guest challenge by Jesko / rattle.
UPDATE: Challenge binary replaced. Apologies for the inconvenience.
- Identify which encryption algorithm is being used.
- Extract the encrypted data from PE resources.
- Brute-force the last bytes of the serial volume key.
- Generate the key with the serial.
- Decrypt the data and obtain the flag.
So we have a Windows binary that uses Microsoft's CryptoAPI. The first thing to do is open the binary in IDA and check the start function:
After building the AES key, the program imports it to obtain a key handle and then decrypts the encrypted data it loaded from the PE resources, as explained in the image below:
As explained in the image above, if you inspect sub_11B1146 you will see it uses LoadResource to pull data out of the PE executable; this data is the encrypted payload. We can extract it in two ways: dynamically (dump the buffer at runtime) or with a tool that extracts resources from Windows binaries. In my case I used wrestool:
$ wrestool --raw -x corebot-640d3c582340e647d72e1dd9418a3fd6 | xxd
Now that we have the encrypted data we need a way to decrypt it. The key was derived from the volume serial of the challenge author's machine, which we do not know, so we have to brute-force it; since only the lower bytes of the serial go into the key, the search space is just two bytes (65536 candidates).
Time to write a script to brute-force the serial and decrypt:
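Here is an example of such a script, added to this writeup; it is not the original corebot.py. It assumes that the AES-128 key depends only on the low 16 bits of the volume serial (derive_key() is a placeholder for the real derivation you recover from IDA), that CryptDecrypt is called with CryptoAPI's defaults for an AES key (CBC mode, all-zero IV, PKCS#5 padding stripped on the final call), and that the plaintext starts with the flag prefix 35C3. The ciphertext is constructed inside the script so it runs offline; pass a file dumped with wrestool as the first argument to run it on real data.

```python
"""Brute-force the low 16 bits of the volume serial and decrypt the resource.

Example code added for this writeup, not the original corebot.py. Assumptions:
  * the AES-128 key is derived only from the low 16 bits of the volume serial
    (derive_key() below is a placeholder for what the binary really does),
  * CryptDecrypt runs with CryptoAPI's defaults for an AES key: CBC mode,
    all-zero IV, PKCS#5 padding removed on the final block,
  * the plaintext starts with the flag prefix "35C3".
The sample ciphertext is constructed in this file so it runs offline.
"""
import struct
import sys

try:  # pycryptodome, the usual choice in CTF scripts
    from Crypto.Cipher import AES

    def _aes_cbc(key, iv, data, decrypt):
        c = AES.new(key, AES.MODE_CBC, iv)
        return c.decrypt(data) if decrypt else c.encrypt(data)
except ImportError:  # fall back to the cryptography package
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc(key, iv, data, decrypt):
        c = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = c.decryptor() if decrypt else c.encryptor()
        return op.update(data) + op.finalize()

ZERO_IV = bytes(16)      # CryptoAPI's default IV for a freshly imported key
FLAG_PREFIX = b"35C3"    # flag format of the CTF, used as the known-plaintext check


def derive_key(serial_low16):
    """Placeholder (assumption) for the key schedule recovered from IDA.

    The two low serial bytes (little-endian, as GetVolumeInformation returns
    the DWORD) are repeated to fill a 16-byte AES-128 key. Replace this with
    the real derivation seen in the binary.
    """
    return struct.pack("<H", serial_low16) * 8


def pkcs5_unpad(buf):
    """Strip PKCS#5 padding, rejecting malformed trailers (wrong-key garbage)."""
    n = buf[-1]
    if not 1 <= n <= 16 or buf[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return buf[:-n]


def brute_force(ciphertext):
    """Try every 16-bit serial suffix; return (serial_low16, flag) on a hit."""
    for candidate in range(0x10000):
        pt = _aes_cbc(derive_key(candidate), ZERO_IV, ciphertext, decrypt=True)
        if not pt.startswith(FLAG_PREFIX):
            continue                    # wrong key: the first block is garbage
        try:
            return candidate, pkcs5_unpad(pt).decode()
        except (ValueError, UnicodeDecodeError):
            continue                    # prefix matched by chance, keep searching
    return None


def build_sample(serial_low16, flag):
    """Construct a ciphertext the way the binary's author would have (constructed sample)."""
    pad = 16 - len(flag) % 16
    return _aes_cbc(derive_key(serial_low16), ZERO_IV,
                    flag.encode() + bytes([pad]) * pad, decrypt=False)


# Constructed stand-in for the PE resource: the serial bytes and flag from this writeup.
SAMPLE = build_sample(0x25C3, "35C3_MalwareAuthorKryptoChef")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    hit = brute_force(data)
    print("no key found" if hit is None else "serial low bytes 0x%04x -> %s" % hit)
```

With a wrong key the first CBC block decrypts to garbage, so the prefix check rejects almost every candidate before the padding is even looked at; the padding check only has to catch the rare false positive.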
Now running the script:
$ python corebot.py
The lower bytes of the serial are 0x25c3 and the flag is 35C3_MalwareAuthorKryptoChef.