Announcement‎ > ‎

March 2011 PlaidCTF 2011 Write up - Fun with Numb3rs [Reversing] (100 points)

posted Apr 25, 2011, 8:13 AM by Anthony Lai   [ updated Apr 25, 2011, 9:10 AM ]
(From Darkfloyd and AlanH0)

Description
Category: Reversing

Uh oh..
This door is protected with number scroll authenticator. There's "powered by .NETv4" sign.

Find out the combination and get the key!


It means if we set a correct values for all scrollbar, we will get the key. At the beginning, I put it in IDA Pro, and found out there is a if-then case for displaying the message. However, for better understanI simply reverse the .exe file with .NET reflector (http://reflector.red-gate.com/download.aspx?TreatAsUpdate=1). You need to ensure .NET framework 4.0 is installed and the .NET reflector is no longer free (i.e. only 14-day trial) and find out that there is a condition of balancing two formula, it could display two different message boxes. 

We simply write a simply python to bruteforce those variables. The source code is shown as below:

def formula1(a,b,c):
return ((a + (c*b) - c) + (a*a) * c) - b
def formula2(x,y,z):
return ((z * (34*y + 2*x)) + 7488)
#(a + (c*b) - c) + (a*a) * c) == (z * (34y + 2x)) + 7488) && (x > 77))

for a in range(0,256):
for b in range(0,256):
for c in range(0,256):
v1 = formula1(a,b,c)
v2 = formula2(a,b,c)
if (v1 == v2):
   print str(a) + " " + str(b) + " " + str(c)
 

Finally, we have got the values of variables (89,233,144) and, we exchange the value position and got the key. 
ċ
ctf2.py
(0k)
Anthony Lai,
Apr 25, 2011, 8:16 AM
ċ
d573190633309f8a930bccbd199a16a4564c35fb.exe.zip
(5k)
Anthony Lai,
Apr 25, 2011, 8:16 AM
Comments