[Reverse] 35C3 - corebot


Solves: 97

https://35c3ctf.ccc.ac/uploads/corebot-640d3c582340e647d72e1dd9418a3fd6

Difficulty estimate: easy

Guest challenge by Jesko / rattle.

UPDATE: Challenge binary replaced. Apologies for the inconvenience.

Solution

  • Identify which encryption algorithm is being used.
  • Extract the encrypted data from PE resources.
  • Brute-force the lower two bytes of the volume serial.
  • Derive the AES key from the serial.
  • Decrypt the data and obtain the flag.

Walkthrough

So we have a Windows binary that uses the Microsoft CryptoAPI. The first thing to do is open the binary in IDA and check the start function:

After deriving the AES key, the program imports it as a CryptoAPI key handle and then decrypts the encrypted data it loaded from the PE resources, as explained in the image below:

As explained in the image above, if you inspect sub_11B1146 you will see that it uses LoadResource to pull data out of the resource section of the PE executable; that data is the ciphertext. We can extract it in two ways: dynamically, by dumping the buffer at runtime, or statically with a tool that extracts resources from Windows binaries. I used wrestool:

$ wrestool --raw -x corebot-640d3c582340e647d72e1dd9418a3fd6 | xxd
00000000: 1029 b845 9d2a ab93 fe89 fb82 9342 a18c .).E.*.......B..
00000010: 2e90 6300 0611 8064 b821 c29f 35e7 7ef2 ..c....d.!..5.~.

Now that we have the ciphertext we need to decrypt it. The key is derived from the volume serial number of the challenge author's machine, which we do not have, so we have to brute-force it. Since the key schedule only uses the lower two bytes of the serial, the search space is just 16 bits (65536 candidates).

Time to write a script to brute-force the serial and decrypt:

from Crypto.Cipher import AES  # pycryptodome

# The 32 bytes of ciphertext extracted from the PE resource with wrestool.
ciphertext = bytes.fromhex(
    "1029b8459d2aab93fe89fb829342a18c"
    "2e90630006118064b821c29f35e77ef2"
)


def decrypt_ecb_cipher(ciphertext, key):
    cipher = AES.new(key, AES.MODE_ECB)
    return cipher.decrypt(ciphertext)


def derive_key(serial):
    # Re-implementation of the binary's key schedule: 16 rounds of a
    # xorshift-style update on the low 16 bits of the volume serial. Each
    # round prepends the current state (little-endian) to the key, so
    # 16 rounds x 2 bytes gives a 32-byte AES-256 key.
    state = serial
    key = b""
    for _ in range(16):
        low = state & 0xFFFF
        key = bytes([low & 0xFF, low >> 8]) + key
        state ^= (low >> 4) ^ (low << 11) ^ (low << 7)
    return key


# Only the low 16 bits of the serial reach the key schedule, so 65536
# candidates are exhaustive. The flag format gives us a known prefix.
for serial in range(0x10000):
    message = decrypt_ecb_cipher(ciphertext, derive_key(serial))
    if message[:4] == b"35C3":
        print(message.decode("latin-1"))
        print(hex(serial))
        break

Now running the script:

$ python corebot.py
35C3_MalwareAuthorKryptoChef
0x25c3

The lower two bytes of the serial are 0x25c3, and the flag is 35C3_MalwareAuthorKryptoChef.
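As an added check on the reasoning above (example code written for this edit, not part of the original post or the challenge binary), the following dependency-free re-implementation of the key schedule confirms the two facts the brute force relies on: the derived key depends only on the low 16 bits of the serial, so 65536 candidates cover every reachable key, and every one of those keys is distinct, so the recovered serial is unambiguous. It assumes the key schedule exactly as transcribed in the script above; the `volume_serial` value 0xDEAD25C3 is a constructed stand-in for a full 32-bit serial, and `brute_force` takes the AES-256-ECB decrypt routine as a callable so that the module itself runs offline.

```python
"""Key-schedule check for the corebot brute force (added example)."""

ROUNDS = 16  # 16 rounds x 2 bytes = 32-byte AES-256 key


def derive_key(serial: int) -> bytes:
    """Re-implement the binary's key schedule as transcribed in the writeup.

    Each round prepends the current 16-bit state (little-endian) to the key
    and then applies a xorshift-style update.  Only the low 16 bits of the
    state ever feed the update, so the key depends on serial & 0xFFFF alone.
    """
    state = serial
    key = b""
    for _ in range(ROUNDS):
        low = state & 0xFFFF
        key = bytes([low & 0xFF, low >> 8]) + key
        state ^= (low >> 4) ^ (low << 11) ^ (low << 7)
    return key


def key_space() -> dict:
    """Map every reachable key to the 16-bit serial that produces it.

    The first round writes the raw serial into the last two key bytes, so the
    mapping is injective and the dictionary ends up with 65536 entries.
    """
    keys = {}
    for serial in range(0x10000):
        keys.setdefault(derive_key(serial), serial)
    return keys


def brute_force(decrypt, ciphertext: bytes, magic: bytes = b"35C3"):
    """Try every 16-bit serial against a caller-supplied decrypt(key, ct).

    `decrypt` is e.g. AES-256-ECB from pycryptodome; it is passed in so this
    module has no third-party dependency.  Returns (serial, plaintext) for the
    first candidate whose plaintext starts with the flag prefix, else None.
    """
    for serial in range(0x10000):
        plaintext = decrypt(derive_key(serial), ciphertext)
        if plaintext.startswith(magic):
            return serial, plaintext
    return None


if __name__ == "__main__":
    # Constructed full 32-bit serial: the high half never reaches the key.
    volume_serial = 0xDEAD25C3
    assert derive_key(volume_serial) == derive_key(0x25C3)
    print("distinct keys reachable:", len(key_space()))
    print("key for serial 0x25c3:", derive_key(0x25C3).hex())
```

To use it against the real ciphertext, pass `lambda key, ct: AES.new(key, AES.MODE_ECB).decrypt(ct)` as `decrypt`; the point of the standalone version is that the 16-bit bound on the search space can be verified without touching AES at all.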