CSAW 2012 – Reversing 200
$ md5sum CSAWQualificationEasy.exe 38a74f4fa2c4844f5efa3604517348ac CSAWQualificationEasy.exe
$ file CSAWQualificationEasy.exe CSAWQualificationEasy.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
It is a .NET assembly. Let’s go fetch Reflector and open the executable in it.
Again, symbols are not stripped and the en/crypt routine is easily spotted. It seems the key is XOR-ed with 0xFF.
This python program will give the key (the bytes array is copied from Reflector):
bytes=\ ''' 0xab, 0x97, 0x9a, 0xdf, 0x94, 0x9a, 0x86, 0xdf, 150, 140, 0xdf, 0xc6, 0x9c, 0xcf, 0xc6, 0x99, 0xc7, 0xcb, 0xce, 0xc9, 0x9e, 0xcd, 0xcd, 0xcf, 0xc9, 0xcd, 0xcd, 0xce, 0x9a, 0xca, 0xcf, 0x9d, 0xc6, 0xc7, 0x9a, 0xcc, 0xcb, 0xc9, 0xcf, 0xcb, 200, 0x9d, 200'''.split(',') r='' for b in bytes: b = b.strip() if b.find('x') != -1: b = int(b,16) else: b=int(b) r += chr(b ^ 0xff) print r
Key: 9c09f8416a2206221e50b98e346047b7
Leave a comment