team pong

Dutch CTF "team pong" write-ups and other stuff

CSAW 2012 – Reversing 300

$ file r300.exe
r300.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

Let’s open the binary in Reflector again.

private static void Main(string[] args)
{
    Console.WriteLine("Do you really just run random binaries given to you in challenges?");
    Console.ReadLine();
    Environment.Exit(0);
    MD5CryptoServiceProvider provider = new MD5CryptoServiceProvider();
    AesCryptoServiceProvider provider2 = new AesCryptoServiceProvider();
    foreach (string str in Directory.EnumerateDirectories(target))
    {
        if (Enumerable.SequenceEqual<byte>(provider.ComputeHash(Encoding.UTF8.GetBytes(str.Replace(target, ""))), marker))
        {
            byte[] rgbKey = provider.ComputeHash(Encoding.UTF8.GetBytes("sneakyprefix" + str.Replace(target, "")));
            byte[] bytes = provider2.CreateDecryptor(rgbKey, new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }).TransformFinalBlock(data, 0, data.Length);
            Console.Write(Encoding.UTF7.GetString(bytes));
        }
    }
    Console.ReadLine();
}

An easy way to display the key is to patch out the Environment.Exit(0) statement. But I did it the hard way. 🙂

First, all directories in ‘target’ are enumerated, and the MD5 hash of each directory name is compared to ‘marker’.

From Reflector:

    # marker = new byte[] { 0xff, 0x97, 0xa9, 0xfd, 0xed, 0xe0, 0x9e, 0xaf, 110, 0x1c, 0x8e, 0xc9, 0xf6, 0xa6, 0x1d, 0xd5 };
    # target = @"C:\Program Files\";

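The following Python code snippet reveals that “Intel” is the string we’re looking for.

import hashlib, os
# Print the MD5 of every directory name so it can be compared with 'marker'.
for d in os.listdir(r"C:\Program Files"):
    print(d, hashlib.md5(d.encode("utf-8")).hexdigest())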

This gives us the key for the AES decryption: md5sum(“sneakyprefix” + “Intel”).
The IV for the decryption: { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }.

Decrypting the ciphertext with AES using the recovered key and IV reveals the key: 6a6c4d43668404041e67f0a6dc0fe243
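
The marker lookup and key derivation described above can also be done offline, without a Windows host. This is an added example, not code from the original write-up: it parses the byte[] initializer as Reflector prints it (mixed hex and decimal), checks a candidate list against it, and derives the AES key and IV. The candidate list and the function names are assumptions made for the example.

```python
import hashlib
import re

# Values copied from the Reflector output shown on the page.
MARKER_SRC = ("new byte[] { 0xff, 0x97, 0xa9, 0xfd, 0xed, 0xe0, 0x9e, 0xaf, "
              "110, 0x1c, 0x8e, 0xc9, 0xf6, 0xa6, 0x1d, 0xd5 }")
KEY_PREFIX = "sneakyprefix"

# Constructed sample list of folder names (an assumption for this example);
# on a real host the names would come from os.listdir() on 'target'.
CANDIDATES = ["Common Files", "Internet Explorer", "Intel", "Windows NT"]


def parse_csharp_bytes(src):
    """Parse a C# byte[] initializer that mixes hex (0xff) and decimal (110)."""
    body = src[src.index("{") + 1:src.rindex("}")]
    tokens = re.findall(r"0[xX][0-9a-fA-F]+|\d+", body)
    return bytes(int(tok, 0) for tok in tokens)


def find_marker_name(candidates, marker):
    """Return the first name whose MD5(UTF-8 name) equals marker, else None."""
    for name in candidates:
        if hashlib.md5(name.encode("utf-8")).digest() == marker:
            return name
    return None


def derive_key_iv(name):
    """Key = MD5(prefix + name), IV = bytes 0..15, as in the decompiled Main()."""
    key = hashlib.md5((KEY_PREFIX + name).encode("utf-8")).digest()
    return key, bytes(range(16))


if __name__ == "__main__":
    marker = parse_csharp_bytes(MARKER_SRC)
    name = find_marker_name(CANDIDATES, marker)
    print("marker :", marker.hex())
    print("match  :", name)
    if name is not None:
        key, iv = derive_key_iv(name)
        print("AES key:", key.hex())
        print("AES IV :", iv.hex())
```

The derived key and IV can be passed to any AES library to decrypt ‘data’ in the cipher's default CBC mode. The lookup works from a short wordlist because the marker is an unsalted MD5 of a short folder name.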

Written by teampong

October 24, 2012 at 5:42 am
