rev-basic-9
Level 3 reversing challenge on Dreamhack.io
The Challenge
https://dreamhack.io/wargame/challenges/23
This was an interesting challenge
We are given a Windows executable file. It asks for the flag in plaintext, encrypts it, and compares the new value to a constant (the encrypted value of the flag).
Main logic
Checking logic
The editchar function
We can easily find the constants needed for the encryption function using IDA:
Getting the constants
The length of the flag value which we enter must be a multiple of 8. The encryption function works on chunks of 8 characters.
The editchar function can be simplified to:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
void editchar(uint8_t b[8]) {
uint8_t v2 = b[0];
char key[16];
strcpy(key, "I_am_KEY");
for (int i = 0; i < 16; i++) {
for (int j = 0; j < 8; j++) {
uint8_t idx = (j + 1) & 7;
uint8_t next = b[idx];
uint8_t s = SBOX[(uint8_t)(key[j] ^ v2)];
v2 = ror8(next + s, 5);
b[idx] = v2;
}
}
}
There are 16 rounds of some forward transformation working on the plaintext to encrypt it. We use the first character’s value to modify the second character, then the second character’s value to modify the third character.
Surprisingly my LLM buddies were unable to help me reverse this function, so I had to reverse it myself.
We need to decrypt the encrypted flag value backwards. Note that we should start decrypting from position 0 on the array, as we start encrypting from position 1.
My final decryption function was:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
void reverse(uint8_t b[8]) {
char key[16];
strcpy(key, "I_am_KEY");
for (int i = 0; i < 16; i++) {
for (int j = 8; j != 0; j--) {
uint8_t prev_idx = (j - 1) & 7;
uint8_t this_idx = j & 7;
uint8_t v2 = b[prev_idx];
uint8_t new_v2 = b[this_idx];
uint8_t next_plus_s = rol8(new_v2, 5);
uint8_t s = SBOX[(uint8_t)(key[prev_idx] ^ v2)];
uint8_t next = next_plus_s - s;
b[this_idx] = next;
}
}
}
Solved!