Rating:

We need to automate the config decryption for ten binaries. The decryption function is slightly different from Phase 2: a bit of reversing is needed. Good news: all the binaries use the same decryption function! ^^'

```
from Crypto.Cipher import ARC4
from pwn import *
from base64 import b64decode
import re

def rc4_decrypt2(key,ct):
dec = list(ct[1:])
cipher = ARC4.new(key)
tmp = cipher.decrypt(key[:16]) + ct[1:]
for i in range(0x31):
tmp2 = cipher.decrypt(tmp[i:i+16])
j,k = 0,0
while(k < 16):
j ^= tmp2[k]
k += 1
dec[i] ^= j
return bytes(dec).decode().rstrip('\x00')

FILE = "malware_phase3"

r = remote("chals.damctf.xyz", 32153)
r.sendlineafter("Ready? Set? GO! (press enter to continue)","")
for i in range(10):
print(r.recvline())
r.recvline()
BIN = b64decode(r.recvline())
f = open(FILE,"wb")
f.write(BIN)
f.close()

elf = ELF(FILE)
ro = elf.get_section_by_name(".rodata").data()
data = elf.get_section_by_name(".data").data()

key = ro[0x10:0x30]
config = {}
for i in range(10):
offset = 0x20+i*0x32
ct = data[offset:offset+0x32]
pt = rc4_decrypt2(key,ct)
config[pt[:4]] = pt[4:]
print(config)

question = r.recvline()
print(question)
k = re.findall("'(.{4})'",question)[0]
if k not in config.keys():
print("\tkey is "+k)
exit()
r.sendline(config[k])
r.recvline()

r.interactive()
r.close()
```