PAN LabyREnth CTF – Windows #6

Sample: 3968259859f056853fc7efd2b858b3fcf0d7147a9c7f40049e5c2e131718a1d7 (PW: infected)

file Ambrosius.exe
Ambrosius.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

In this challenge, you have to find the correct key to encrypt the flag. The flag is encrypted with RC4 and can be found in an encrypted form within the binary. Unfortunately I did not take many screenshots and I also destroyed my annotated version in IDA but I think my python code will most probably tell you everything you need.

The key is structured as follows:


The first four bytes are constant: “b00!”.
The 5th byte is the month returned by GetLocalTime + 0x2d.
The 6th byte is the day returned by GetLocalTime + 0x5e.
The 7th byte is the minute returned by GetLocalTime + 0x42.
The 8th byte is the major version return by GetVersion + 0x3f.
The 9th byte the minor version returned by GetVersion + 0x3f
The 10th byte is the status byte in the PEB (fs:[30]) if the process is being debugged or not.
The 11th byte is the value in ah returned by GetUserDefaultUILanguage.

With this information it is no problem to write a bruteforce script and crack the key. You just need to google a bit to find the restrictions in majorversion, minorversion, UserDefaultUILanguage.

For the majorversion, I chose the values {5, 6, 10}.
For the minorversion, I chose the values {0, 1, 2 ,3}.
For the UserDefaultUILanguage, I wrote a little helper script to filter out the possible languages.

I’ve downloaded all the possible local identifier from MSDN and looked for those who end with 0x00. Finally, I only had 6 possible identifiers.

While reversing the code, you could see that after decrypting, the first 3 bytes of the result are checked against the values ‘P’, ‘A’, and ‘N’ which makes sense since you are expecting a flag like the ones before starting with “PAN{“. This will also help for the bruteforce script to identify the correct key. For the script I implemented the RC4 from wikipedia.

Finally, here is the code. It will take a couple of minutes to crack the key.

Key: b00!9kLA@jf
3051382 Keys checked


This is also be the last write up since the challenge ended before I could solve Challenge 7 and since there are also a lot of write ups available I’m no longer motivated to solve #7 on my own.

This entry was posted in Reverse Engineering and tagged , . Bookmark the permalink.