2014 Flare On Challenge 1

You can download the challenge from here: http://www.flare-on.com/files/C1.exe

As we run the application we get this.

View post on imgur.com

When we click on decode the we get this encrypted string.

View post on imgur.com


I opened in Exeinfo PE and we can notice this application is written using the .NET framework.

View post on imgur.com

I used the tool ILSpy to decompile the CIL code. If we check the code for the btnDecode we can see the logic for this encryption algorithm.

View post on imgur.com

[code language=”csharp”]

// XXXXXXXXXXXXXXX.Form1
private void btnDecode_Click(object sender, EventArgs e)
{
this.pbRoge.Image = Resources.bob_roge;
byte[] dat_secret = Resources.dat_secret;
string text = "";
for (int i = 0; i < dat_secret.Length; i++)
{
byte b = dat_secret[i];
text += (char)((b >> 4 | ((int)b << 4 & 240)) ^ 41);
}
text += "\0";
string text2 = "";
for (int j = 0; j < text.Length; j += 2)
{
text2 += text[j + 1];
text2 += text[j];
}
string text3 = "";
for (int k = 0; k < text2.Length; k++)
{
char arg_B6_0 = text2[k];
text3 += (char)((byte)text2[k] ^ 102);
}
this.lbl_title.Text = text3;
}
[/code]

We can see that a file called “dat_secret” is being read from the resources section of the program. Let’s save it.

View post on imgur.com

The contents of that file is being encrypted into 3 stages. I wrote this simple C program including the first stage and here’s the solution 🙂

[code language=”c”]
#include <stdio.h>
/*
* Author: Osanda Malith Jayathissa (@OsandaMalith)
* Website: https://osandamalith.wordpress.com
*/
int main() {

FILE *fpIn;
int in = 0;

fpIn = fopen("rev_challenge_1.dat_secret.encode", "rb");

for (size_t i = 0; fscanf(fpIn, "%c", &in) != EOF; ++i)
fprintf(stdout, "%c", (in >> 4 | (in << 4 & 240)) ^ 41);

fclose(fpIn);

return 0;
}
[/code]

View post on imgur.com

Leave a Reply