CyCtf Finals CTF 2023 Reverse Engineering Challenges

Mr Robot
Dec 12, 2023


Hi Everybody, This Is 0xMrRobot

From Time To Time, I Get Into Some CTFs To Practice More And Develop My Skills In Reverse Engineering.

I Was Pleased To Get Into CyCtf Finals CTF 2023, Get 7th Place And Solve 1 Of 3 Reverse Engineering Challenges, And This Is My Write-Up For This Challenge… ❤

Challenge Description
Challenge Name : https://drive.google.com/file/d/1bK0vxsnPiOuPlE_YmR48ljxklGZ_GJ19/view?usp=sharing

After Downloading The Challenge, Let’s Try To Run It:

After Running The Exe File

As We See, We Must Pass Arguments To The Exe To Run It, And These Arguments Must Be:

1- (-e) For Encode , (-d) For Decode
2- The Value Which You Want To Decode Or Encode

Now Let’s Pass Those Args And See What Will Happen :

After Passing The Args

As We See, The Exe Runs Some Encoding Algorithm On “1111” And Gives Me The Output: “JLT?OTT?LXJ?JLT?OTT?LXJ?JLT?OTT?LXJ?JLT?OTT?LXJ?++”

Let’s Try Some Chars Instead Of Numbers And See What Will Happen:

The Exe Encoding Algorithms On Chars

Okay, Now The Output Differs From The Previous Output, And I Noticed Some Things:

  • The Exe Encodes With Two Different Algorithms (One For Chars And Another For Numbers)
  • The Exe Only Encodes, And Doesn’t Run The Decoding Algorithm
  • In The Chars Encoding, Each Char Is Encoded As Three Chars, And The Separator Between Encoded Chars Is “?”
  • In The Numbers Encoding, Each Number Is Encoded As 9 Chars “Without Separators”, And The Separator Between Encoded Numbers Is “?”
  • After Running The Encoding Algorithm On Numbers Or Chars, The Exe Ends The Encoded Value With “++”

And I Noticed A File Called ‘enc.r31’, And After Opening It, I Saw This Encoded Value:

“LTT?Taa?LTT?TOO?cUU?aUT?OXc?ecc?@cUU?ecc?@cUU?aTQ?OeT?LLe?TeQ?LLe?OTe?ccX?QaQ?aTQ?TQQ?LLe?TeQ?LLe?aTQ?UJL?OOX?OeT?OTe?ccX?QaQ?aTQ?UJL?OOX?OeT?aTQ?TeQ?LLe?TeQ?LLe?TJL?Taa?aTQ?ecc?OTe?ccX?QaQ?TJL?UJL?OOX?OeT?TQJ?OOX?Jcc?eXc?LLe?TeQ?LLe?aTQ?OTe?ccX?QaQ?JLT?OTT?LXJ?OeT?LLe?TeQ?LLe?aTQ?JLT?OTT?LXJ?OTX?aTQ?TQQ?Taa?aTQ?caU?JLT?OTT?LXJ?cUU?LLe?TeQ?LLe?acX?++”

It Looks Like Our Encoded Flag!! And After Trying To Decode It With The Exe File, Nothing Happens:

Nothing..

To Determine Whether This Is Our Flag Or Not, Let’s Encode The Flag Format And Compare The Result With Our Encrypted Value:

After Trying To Encode The Flag Format

Now After Comparing The Flag Format With The Encrypted Value , We See That The Encrypted Value Is Our Flag

So Now We Want To Decode This Value Manually Because The Exe Only Encodes.

So After We Understand The Encoding Algorithm, We Can Reverse This Algorithm And Make A Python Script To Decode This Value

My Solution In This Case Is:

  • I Will Put The Encrypted Value In A Variable
  • Then I Will Pass All Chars And All Numbers To The Exe And Make A Dict Like {The_Plain_Text:The_Encoded_Value}
  • Then Start Two Nested Loops. The First One Walks Over Three Blocks At A Time In The Encrypted Flag (Each Block Is Three Chars, And The Separator Between Blocks Is “?”) And Compares The Three Blocks With The Encrypted Values In The Dict, “Only The Numbers”. If The Condition Is True, Replace The Encrypted Value With This Number; If Not, Move On To The Next Number, And So On
  • The Next Loop Does The Same Thing But On One Block At A Time, “For Chars”. This Loop Runs After The Previous One To Ensure That The Encrypted Value Refers To A Char And Not To A Number: An Encrypted Number’s 3 Blocks Are In Reality Three Encrypted Char Blocks, Each Block Referring To A Char, So I Must Ensure That No Three Adjacent Blocks Match A Number. Once I Am Sure Of That, Each Block Is An Encrypted Char, And The Second Loop Will Handle It
  • After That, Print The Decrypted Flag!!

So After This Deep Understanding Of The Encoding Algorithm And How To Break And Reverse It, Now Let’s Apply This Logic With A Python Script To Decrypt The Encrypted Flag:

import threading
import subprocess
from string import printable

Enc_Flag = "LTT?Taa?LTT?TOO?cUU?aUT?OXc?ecc?@cUU?ecc?@cUU?aTQ?OeT?LLe?TeQ?LLe?OTe?ccX?QaQ?aTQ?TQQ?LLe?TeQ?LLe?aTQ?UJL?OOX?OeT?OTe?ccX?QaQ?aTQ?UJL?OOX?OeT?aTQ?TeQ?LLe?TeQ?LLe?TJL?Taa?aTQ?ecc?OTe?ccX?QaQ?TJL?UJL?OOX?OeT?TQJ?OOX?Jcc?eXc?LLe?TeQ?LLe?aTQ?OTe?ccX?QaQ?JLT?OTT?LXJ?OeT?LLe?TeQ?LLe?aTQ?JLT?OTT?LXJ?OTX?aTQ?TQQ?Taa?aTQ?caU?JLT?OTT?LXJ?cUU?LLe?TeQ?LLe?acX?"

def thread1():
    # Encode every printable char with the exe and append its output to Dict.txt.
    # The arguments are passed as a list (no shell), so chars such as & | < > reach the exe unchanged.
    with open("Dict.txt", "a", encoding="utf-8") as out:
        for ch in printable:
            subprocess.run(["r31encode.exe", "-e", ch], stdout=out)

def thread2():
    # Print a first raw view of Dict.txt as "encoded_value first_char_of_line".
    mapping = dict()
    with open("Dict.txt", 'r', encoding="utf-8") as f:
        for i in f:
            key = i[0]
            pair = i[2:].rstrip('\n').rstrip('++')
            mapping[pair] = key
    for key, value in mapping.items():
        print(key, value)
    print(100 * "-")

def thread3():
    # Pair each "Plain text" line with the "Encrypted value" line that follows it.
    with open("Dict.txt", "r") as file:
        lines = file.readlines()
    plain_text = ""
    with open("Modified_Dict.txt", "w") as output_file:
        for line in lines:
            if "Plain text" in line:
                # Split only once, so a plain text of ":" survives.
                plain_text = line.split(":", 1)[-1].strip()
            elif "Encrypted value" in line:
                encrypted_value = line.split(":", 1)[-1].strip()
                output_file.write(f"{plain_text} : {encrypted_value}\n")

def thread4():
    # Load Modified_Dict.txt into a Python dict {plain_text: encoded_value}.
    with open("Modified_Dict.txt", "r") as file:
        content = file.readlines()
    my_dict = {}
    for line in content:
        if ' : ' in line:
            # Partition on the " : " written by thread3, so a key of ":" does not break the unpacking.
            key, _, value = line.partition(' : ')
            value = value.strip().replace("++", "")
            my_dict[key.strip()] = value
    print("Final And Clear Output Has Been Converted To Dict , And Its Value Is : ")
    print(my_dict)
    print(100 * "-")


def thread5():
    print(" Our Encrypted Flag Is : " + Enc_Flag)
    print(100 * "-")


t1 = threading.Thread(target=thread1)
t2 = threading.Thread(target=thread2)
t3 = threading.Thread(target=thread3)
t4 = threading.Thread(target=thread4)
t5 = threading.Thread(target=thread5)

# Each step reads the file written by the previous one, so every thread
# is joined before the next one is started.
t1.start()
t1.join()
t2.start()
t2.join()
t3.start()
t3.join()
t4.start()
t4.join()
t5.start()
t5.join()

I Wrote This Script With Threads To Speed Up Its Execution. It Passes All Chars And Numbers To The Exe File And Saves The Output In “Dict.txt”, Then Takes Dict.txt And Edits It To Be Clear, Then Takes Modified_Dict.txt And Makes A Python Dict From It

Now We Have The Python Dict And The Enc Flag. The Final Thing Is To Walk Through The Flow Explained Previously And Replace The Enc_Values In Enc_Flag With The Chars And Numbers From The Dict

For That, I Searched For An Online Website To Help Me With The Highlighting And Replacement Operations, But I Didn’t Find One, So I Created A Small Website To Do This:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Text Highlighter</title>
    <style>
        #text1, #text2 {
            width: 45%;
            float: left;
            margin: 10px;
        }
        .highlight {
            background-color: yellow;
        }
    </style>
</head>
<body>

<div id="text1" contenteditable="true" onmouseup="highlightText()">
    <!-- Your text for the first section goes here -->
    This is text 1. Select me!
</div>

<div id="text2" contenteditable="true">
    <!-- Your text for the second section goes here -->
    This is text 2.
</div>

<script>
    // Escape regex metacharacters so the selection is matched literally ("?" and "+" appear in the encoded value).
    function escapeRegExp(string) {
        return string.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    }

    function highlightText() {
        const text1 = escapeRegExp(window.getSelection().toString().trim());
        // An empty selection would build an empty pattern that matches between every character.
        if (!text1) return;
        // text2 is written back with innerHTML, so it is parsed as markup: paste plain text only.
        const text2 = document.getElementById('text2').innerText;
        const highlightedText2 = text2.replace(new RegExp(text1, 'g'), '<span class="highlight">$&</span>');
        document.getElementById('text2').innerHTML = highlightedText2;
    }
</script>

</body>
</html>

And Then Use It To Highlight And Replace To Get Our Flag!!!

Start Highlight And Replacement Operations

And After You Finish, You Will Get Your Flag!!
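The two-pass replacement described in the solution steps (three-block number codes first, then single-block char codes) can also be scripted instead of done by hand. This is an added example, not part of the original write-up: only the "1" entry is inferred from the "1111" output shown above, the other dictionary entries are constructed, and the function names are hypothetical.

```python
# Added example: greedy block decoder for the "?"-separated, "++"-terminated format.
SAMPLE_DICT = {
    "1": "JLT?OTT?LXJ?++",  # inferred from the page's "1111" output
    "a": "AAA?++",          # constructed
    "b": "BBB?++",          # constructed
    "J": "JLT?++",          # constructed: collides with the first block of "1"
}

def split_blocks(encoded):
    """Drop the trailing "++" and return the non-empty "?"-separated blocks."""
    encoded = encoded.strip()
    if encoded.endswith("++"):
        encoded = encoded[:-2]
    return [b for b in encoded.split("?") if b]

def build_tables(plain_to_enc):
    """Invert {plain: encoded} into {block_count: {block_tuple: plain}}."""
    tables = {}
    for plain, enc in plain_to_enc.items():
        blocks = tuple(split_blocks(enc))
        if blocks:
            tables.setdefault(len(blocks), {})[blocks] = plain
    return tables

def decode(encoded, plain_to_enc, unknown="\ufffd"):
    """Longest match first: 3-block number codes win over 1-block char codes."""
    tables = build_tables(plain_to_enc)
    widths = sorted(tables, reverse=True)
    blocks = split_blocks(encoded)
    out, i = [], 0
    while i < len(blocks):
        for width in widths:
            plain = tables[width].get(tuple(blocks[i:i + width]))
            if plain is not None:
                out.append(plain)
                i += width
                break
        else:
            # No dictionary entry for this block: mark it and move one block on.
            out.append(unknown)
            i += 1
    return "".join(out)

if __name__ == "__main__":
    # Constructed input: a number code, a char, a colliding char, another char.
    print(decode("JLT?OTT?LXJ?AAA?JLT?BBB?++", SAMPLE_DICT))
```

With the real dictionary built by the script above, `decode(Enc_Flag, my_dict)` replaces the manual highlight-and-replace pass, and any block the dictionary does not cover shows up as the replacement character.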

I Hope You Benefit From This Write-Up. Wait For More Write-Ups Soon, And Don’t Forget To Follow Me!!!

Happy Reversing ❤❤
