FLARE On Challenge (2015) #5

This challenge is an easy one. It contains two files: a Windows Portable Executable file and a PCAP file. Let’s look at the PCAP file first.

In the PCAP file we can see a series of HTTP requests, each of which POSTs only 4 characters to a localhost server, and the server responds with “1”.

There is no more information to be found in the PCAP file, so let’s move on to the executable.

The functionality of the executable file, which is named sender, is really simple. First, it reads some data from a file named key.txt.

Next, the data read from key.txt is encrypted by a function located at address 0x00401250.

The encryption algorithm is easy to understand: it adds the string “flarebearstare”, repeated as needed, to the data read from key.txt, byte by byte.

After the encryption, the encrypted data is encoded with Base64 using a custom character set.

Finally, the data is split into 4-byte strings and sent to the server.

So our task is easy: assemble the 4-byte strings from the PCAP file and then reverse the calculation on the assembled string. The following Python script does the reversing:

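import string
import base64

def base64_decode(s):
    # The custom character set is standard Base64 with the uppercase and
    # lowercase letters swapped, so map it back before decoding.
    table = str.maketrans(
        string.ascii_lowercase + string.ascii_uppercase + string.digits + "+/",
        string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
    )
    s = s.translate(table)
    return base64.b64decode(s)

# The 4-character POST bodies assembled from the PCAP
enc_data = 'UDYs1D7bNmdE1o3g5ms1V6RrYCVvODJF1DpxKTxAJ9xuZW=='
key_str = b'flarebearstare'
key_len = len(key_str)

b64_bytes = base64_decode(enc_data)
out_str = ''
i = 0

# Undo the byte-by-byte addition of the repeating key (modulo 256)
for b in b64_bytes:
    out_str += chr((b - key_str[i % key_len]) & 0xff)
    i += 1

print(out_str)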
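The whole pipeline described above can be checked as a round trip. This is an added example, not code from the original post or from the challenge binary: it emulates what sender does (key addition, custom Base64, 4-character chunks), wraps each chunk in a POST request, then pulls the bodies back out and decodes them. The function names, the sample key.txt content and the HTTP requests are constructed for illustration.

```python
import base64

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CUSTOM = STD.swapcase()   # sender's alphabet: lowercase first, then uppercase
KEY = b"flarebearstare"

def sender_encode(plain):
    """Emulate sender: add key bytes mod 256, custom Base64, 4-char chunks."""
    summed = bytes((b + KEY[i % len(KEY)]) & 0xFF for i, b in enumerate(plain))
    enc = base64.b64encode(summed).decode().translate(str.maketrans(STD, CUSTOM))
    return [enc[i:i + 4] for i in range(0, len(enc), 4)]

def post_bodies(requests):
    """Extract the body of each raw HTTP POST request, in capture order."""
    bodies = []
    for raw in requests:
        head, _, body = raw.partition(b"\r\n\r\n")
        if head.startswith(b"POST "):
            bodies.append(body.decode("ascii"))
    return bodies

def recover(chunks):
    """Reassemble the chunks, then undo the Base64 and the key addition."""
    joined = "".join(chunks).translate(str.maketrans(CUSTOM, STD))
    summed = base64.b64decode(joined)
    return bytes((b - KEY[i % len(KEY)]) & 0xFF for i, b in enumerate(summed))

# Constructed input: made-up key.txt content and the requests built from it.
SAMPLE_KEY_TXT = b"constructed-sample@example.test"
SAMPLE_REQUESTS = [
    b"POST / HTTP/1.1\r\nHost: localhost\r\nContent-Length: %d\r\n\r\n%s"
    % (len(chunk), chunk.encode())
    for chunk in sender_encode(SAMPLE_KEY_TXT)
]

if __name__ == "__main__":
    print(recover(post_bodies(SAMPLE_REQUESTS)))
```

Because the final Base64 padding travels inside the last 4-character chunk, the chunks have to be joined in capture order before decoding.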

And the answer is:
