Tags: crypto re
Someone encrypted my homework with this rude script. HELP!
For this challenge, we are given a zip file containing `ransomware.pyc` and `youfool!.exe`. We begin by trying to analyze `youfool!.exe`, but it seems to be completely garbled nonsense. Based on the name, we can probably assume `ransomware.pyc` is what was used to encrypt `youfool!.exe`. If we run

```
uncompyle6 ransomware.pyc
```

and clean up the output a bit, we get:
```python
# Python 2 source recovered with uncompyle6 (note itertools.izip and integer division).
import string
from random import *
import itertools

def caesar_cipher(buf, password):
    # Despite the name, this is a repeating-key XOR: the key is repeated until it
    # covers the buffer and each byte is XORed with the key byte at the same position.
    password = password * (len(buf) / len(password) + 1)
    return ('').join((chr(ord(x) ^ ord(y)) for x, y in itertools.izip(buf, password)))

f = open('./FlagDCTF.pdf', 'r')
buf = f.read()
f.close()
# Key alphabet: letters, punctuation and digits. randint(60, 60) always returns 60,
# so the key is exactly 60 characters long.
allchar = string.ascii_letters + string.punctuation + string.digits
password = ('').join((choice(allchar) for i in range(randint(60, 60))))
buf = caesar_cipher(buf, password)
f = open('./youfool!.exe', 'w')
buf = f.write(buf)
f.close()
```
It looks like the code takes the file `FlagDCTF.pdf`, XORs it with a 60-character key drawn only from `string.ascii_letters + string.punctuation + string.digits`, and then writes the output to `youfool!.exe`. Now that we know the file is XORed with a repeating key, we try to decrypt it with `xortool`:

```
xortool -l 60 -o 'youfool!.exe'
```
Unfortunately, `xortool` was unable to decrypt it perfectly. However, it produced four candidate keys whose output looked like an almost-decrypted PDF, which is close to what we are looking for. So we just pick any one of the four keys and try to manually fix it from there. I chose to use:

```
:P-@u\x1aL"Y1K$[X)fg[|".45Yq9i>eV)<0C:(\'q4n\x02[hGd\x2fEeX+\xbc7,2O"+:[w
```
It looks like although we specified printable chars only, `xortool` included some unprintable characters in the key. Since the real key is built from a printable alphabet, those positions are certainly wrong, and the remaining incorrect characters we have to find manually. I write a quick script and use it in conjunction with CyberChef to make it easier to visualize.
From there, we look for any plaintext which is spelled incorrectly. A couple of lines into the file, we find:

```
<< /Ty.e /XRef jLengt! 50 /Filter /FlateDecode /DecodePa ms << /Co.umns 4 /.redic=or 12 >>
```
There are a couple of obviously misspelled words, like `Ty.e`, `Lengt!`, `Co.umns` and `.redic=or`, which should be `Type`, `Length`, `Columns` and `Predictor`. Next we find the indexes of the misspelled characters, map each to its corresponding position in the key (index mod 60, since the key repeats), and switch that key byte out for the correct one. The correct key byte is easy to find: XOR the corresponding byte of the original (encrypted) file with the letter it should decrypt to. A few minutes later we get:

```
:P-@uSL"Y1K$[X)fg[|".45Yq9i>eV)<0C:('q4nP[hGd/EeX+E7,2O"+:[2
```
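The manual key-fixing step above, as an added example that is not part of the original writeup: it re-implements the repeating XOR, locates known PDF dictionary tokens in a draft decryption while tolerating a few corrupted bytes, and overwrites each affected key byte with ciphertext XOR known plaintext. The PDF snippet, the key and the corrupted key positions are all constructed for the demo, not taken from the challenge files.

```python
KEY_LEN = 60  # the challenge script uses randint(60, 60), i.e. a fixed 60-byte key

def xor_repeating(buf: bytes, key: bytes) -> bytes:
    # Same scheme as the challenge's caesar_cipher: XOR with the key repeated over buf.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))

def locate(draft: bytes, token: bytes, max_bad: int = 2) -> int:
    # Find a known plaintext token in a draft decryption, tolerating a few wrong bytes:
    # one wrong key byte corrupts every 60th position, so "/Type" shows up as "/Ty.e".
    for i in range(len(draft) - len(token) + 1):
        bad = sum(a != b for a, b in zip(draft[i:i + len(token)], token))
        if bad <= max_bad:
            return i
    return -1

def repair_key(cipher: bytes, key: bytes, tokens: list) -> bytes:
    # For each token, decrypt with the current key, find where the token sits, and set
    # key[offset % 60] = cipher[offset] ^ plaintext for every byte of the token.
    key = bytearray(key)
    for token in tokens:
        off = locate(xor_repeating(cipher, bytes(key)), token)
        if off < 0:
            raise ValueError("could not locate %r in the draft decryption" % token)
        for j, p in enumerate(token):
            key[(off + j) % len(key)] = cipher[off + j] ^ p
    return bytes(key)

# Constructed sample (not the challenge files): a small PDF-like xref dictionary.
PLAINTEXT = (b"%PDF-1.5\n1 0 obj\n<< /Type /XRef /Length 50 /Filter /FlateDecode "
             b"/DecodeParms << /Columns 4 /Predictor 12 >> >>\nendobj\n")
TRUE_KEY = bytes(33 + (i * 7) % 90 for i in range(KEY_LEN))  # 60 printable bytes, made up
CIPHER = xor_repeating(PLAINTEXT, TRUE_KEY)
# Simulate xortool's near miss: three key positions come out wrong.
BAD_KEY = bytearray(TRUE_KEY)
for pos in (22, 35, 47):
    BAD_KEY[pos] ^= 0x5A
BAD_KEY = bytes(BAD_KEY)
# Tokens we know must appear in a PDF xref dictionary (the ones misspelled above).
KNOWN_TOKENS = [b"/Type", b"/Length", b"/Filter"]

if __name__ == "__main__":
    print(xor_repeating(CIPHER, BAD_KEY))  # draft: one wrong byte every 60 positions
    fixed = repair_key(CIPHER, BAD_KEY, KNOWN_TOKENS)
    print(fixed == TRUE_KEY, xor_repeating(CIPHER, fixed) == PLAINTEXT)
```

The same `repair_key` call works on the real files: read `youfool!.exe` as `cipher`, pass the xortool key as `key`, and list the PDF tokens you can recognize in the draft.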
We then export the file by clicking the Save button, and we get `flag.pdf`.

Flag: `DCTF{d915b5e076215c3efb92e5844ac20d0620d19b15d427e207fae6a3b894f91333}`