2014 Flare On Challenge 1

You can download the challenge from here: http://www.flare-on.com/files/C1.exe

As we run the application we get this.

When we click on decode, we get this encrypted string.

I opened it in Exeinfo PE and we can see that this application is written using the .NET framework.

I used the tool ILSpy to decompile the CIL code. If we check the code for btnDecode, we can see the logic of this encryption algorithm.


// XXXXXXXXXXXXXXX.Form1
private void btnDecode_Click(object sender, EventArgs e)
{
	this.pbRoge.Image = Resources.bob_roge;
	byte[] dat_secret = Resources.dat_secret;
	string text = "";
	for (int i = 0; i < dat_secret.Length; i++)
	{
		byte b = dat_secret[i];
		text += (char)((b >> 4 | ((int)b << 4 & 240)) ^ 41);
	}
	text += "\0";
	string text2 = "";
	for (int j = 0; j < text.Length; j += 2)
	{
		text2 += text[j + 1];
		text2 += text[j];
	}
	string text3 = "";
	for (int k = 0; k < text2.Length; k++)
	{
		char arg_B6_0 = text2[k];
		text3 += (char)((byte)text2[k] ^ 102);
	}
	this.lbl_title.Text = text3;
}

We can see that a file called “dat_secret” is being read from the resources section of the program. Let’s save it.

The contents of that file are encrypted in 3 stages. I wrote this simple C program including the first stage and here’s the solution 🙂

#include <stdio.h>
/*
 * Author: Osanda Malith Jayathissa (@OsandaMalith)
 * Website: https://osandamalith.wordpress.com
 */
int main(void) {

  FILE *fpIn;
  int in;

  /* The dat_secret resource saved from the binary */
  fpIn = fopen("rev_challenge_1.dat_secret.encode", "rb");
  if (fpIn == NULL) {
    perror("fopen");
    return 1;
  }

  /* Stage 1 only: swap the nibbles of each byte, then XOR with 41 */
  while ((in = fgetc(fpIn)) != EOF)
    fputc(((in >> 4) | ((in << 4) & 240)) ^ 41, stdout);

  fclose(fpIn);

  return 0;
}
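
The three stages of btnDecode_Click replayed in C, as an added example that is not part of the original post: stage 1 alone returns readable text, and stages 2 and 3 scramble it again, which is consistent with the encrypted string the form displays. The names stage1_inverse and decode_all are chosen here, and the sample input is constructed, not the real dat_secret.

```c
#include <stdio.h>
#include <string.h>

/* Stage 1 of btnDecode_Click: swap the two nibbles, then XOR with 41. */
static unsigned char stage1(unsigned char b) {
    return (unsigned char)(((b >> 4) | ((b << 4) & 240)) ^ 41);
}

/* Inverse of stage 1; used here only to build constructed sample input. */
static unsigned char stage1_inverse(unsigned char c) {
    unsigned char t = (unsigned char)(c ^ 41);
    return (unsigned char)((t >> 4) | ((t << 4) & 240));
}

/* Replays all three stages over n resource bytes. plain gets the stage-1
 * text, shown gets what the label would display; both need n + 2 bytes.
 * n must be odd: the C# code appends "\0" and then swaps pairs, so an
 * even n would make it index past the end of the string. */
int decode_all(const unsigned char *secret, size_t n, char *plain, char *shown) {
    size_t i;
    if (n % 2 == 0)
        return -1;
    for (i = 0; i < n; i++)
        plain[i] = (char)stage1(secret[i]);
    plain[n] = '\0';
    for (i = 0; i < n + 1; i += 2) {
        shown[i] = (char)(plain[i + 1] ^ 102);   /* stage 2 swap, stage 3 XOR */
        shown[i + 1] = (char)(plain[i] ^ 102);
    }
    shown[n + 1] = '\0';
    return 0;
}

int main(void) {
    const char *sample = "sample-plaintext!";   /* constructed, not the flag */
    unsigned char secret[32];
    char plain[34], shown[34];
    size_t i, n = strlen(sample);
    for (i = 0; i < n; i++)
        secret[i] = stage1_inverse((unsigned char)sample[i]);
    if (decode_all(secret, n, plain, shown) != 0)
        return 1;
    printf("after stage 1: %s\nafter stage 3:", plain);
    for (i = 0; i < n + 1; i++)
        printf(" %02x", (unsigned char)shown[i]);
    printf("\n");
    return 0;
}
```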
