team pong

Dutch CTF "team pong" write-ups and other stuff

CSAW 2012 – Reversing 200

$ md5sum CSAWQualificationEasy.exe
38a74f4fa2c4844f5efa3604517348ac  CSAWQualificationEasy.exe
$ file CSAWQualificationEasy.exe
CSAWQualificationEasy.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

It is a .NET assembly. Let’s go fetch Reflector and open the executable in it.

Again, symbols are not stripped and the en/crypt routine is easily spotted. It seems the key is XOR-ed with 0xFF.

This Python program recovers the key (the byte array is copied from Reflector):

# Byte array as shown by Reflector (a mix of hex and decimal literals)
data = \
''' 0xab, 0x97, 0x9a, 0xdf, 0x94, 0x9a, 0x86, 0xdf, 150, 140, 0xdf, 0xc6, 0x9c, 0xcf, 0xc6, 0x99, 
        0xc7, 0xcb, 0xce, 0xc9, 0x9e, 0xcd, 0xcd, 0xcf, 0xc9, 0xcd, 0xcd, 0xce, 0x9a, 0xca, 0xcf, 0x9d, 
        0xc6, 0xc7, 0x9a, 0xcc, 0xcb, 0xc9, 0xcf, 0xcb, 200, 0x9d, 200'''.split(',')
r = ''
for b in data:
    # Base 0 lets int() accept both the 0x-prefixed and the decimal literals
    b = int(b.strip(), 0)
    # Undo the single-byte XOR with 0xFF
    r += chr(b ^ 0xff)

print(r)

Key: 9c09f8416a2206221e50b98e346047b7

Written by teampong

October 24, 2012 at 5:38 am
