Tags: re
Rating:
We are given with X-MAS_kernel_crackme.sys driver and challenge.exe client.
Client code:
Let's look at the driver code:
We are interested in read and write major functions. write copies usermode buffer into driver's buffer. read does input processing and returns buffer to user.
This switch has 130 cases. Every case function changes choise variable.
Here is example of some case functions:
IDA has very useful plugin called findcrypt that scans binary for known crypto signatures. This time findcrypt found AES RijnDael constants.
We also find that this constants are used in some functions in that giant switch case statement:
So we can assume that we are dealing with obfuscated AES implementation. Looking closely at read major function we can see aes expand key function and the key, that is passed to it.
Solution:
from Crypto.Cipher import AES
from binascii import unhexlify
key = '4B 61 50 64 53 67 56 6B 58 70 32 73 35 76 38 79'.replace(' ', '')
flag = 'F2 63 69 4F F5 CB FB F4 98 19 C2 FD 39 ED F9 CC 5D EC D9 EC 66 A5 30 D1 82 46 7D A9 FD 5B 3C BF 1C 3D BD 70 26 00 6A 43 C4 0A 47 4C B7 56 2D 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'.replace(' ', '') # from client
aes = AES.new(unhexlify(key), AES.MODE_ECB)
flag = aes.decrypt(unhexlify(flag))
print flag
>>> 'X-MAS{060b192f0063cc9ab6361c2329687506f50321d8}\x00Nj\xfc;=TUj\x8c\xe7\x1bYZ+\xb1'
