Tags: reversing 

Rating:

KeyBruteForce.cpp

Flag : INTENT{crypt0s_ar3_the_w0rst_but_d4amn_u_g00000d}
```
#include "FlagData.h"
#include <iostream>
#include <Windows.h>

DWORD __cdecl sub_4015B0(BYTE* pbData, DWORD dwDataLen, BYTE* a3)
{
DWORD LastError; // esi
DWORD v5; // esi
DWORD v6; // esi
DWORD pdwDataLen; // [esp+4h] [ebp-Ch] BYREF
HCRYPTPROV phProv; // [esp+8h] [ebp-8h] BYREF
HCRYPTHASH phHash; // [esp+Ch] [ebp-4h] BYREF

LastError = 0;
phProv = 0;
phHash = 0;
pdwDataLen = 20;
if (!CryptAcquireContextW(&phProv, 0, 0, 1u, 0xF0000000))
return GetLastError();
if (CryptCreateHash(phProv, 0x8004u, 0, 0, &phHash))
{
if (CryptHashData(phHash, pbData, dwDataLen, 0))
{
if (!CryptGetHashParam(phHash, 2u, a3, &pdwDataLen, 0))
LastError = GetLastError();
CryptDestroyHash(phHash);
CryptReleaseContext(phProv, 0);
return LastError;
}
else
{
v6 = GetLastError();
CryptReleaseContext(phProv, 0);
CryptDestroyHash(phHash);
return v6;
}
}
else
{
v5 = GetLastError();
CryptReleaseContext(phProv, 0);
return v5;
}
}

BOOL EncryptionData(BYTE * v33, BYTE * tmp, char * num)
{
BYTE pbData[48] = { 0x08, 0x02, 0x00, 0x00,
0x10, 0x66, 0x00, 0x00,
0x20, 0x00, 0x00, 0x00};

void* v10;
memcpy(&pbData[12], v33, 20);
memcpy(&pbData[32], tmp, 16);
for (int i = 0; i < 48; i++)
printf("%02X ", pbData[i]);
puts("");
DWORD pdwDataLen = sizeof(FlagData);
DWORD Size = sizeof(FlagData);
HCRYPTPROV phProv = 0;
HCRYPTKEY phKey = 0;
unsigned char String1[16] = {
0x30, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30,
0x33, 0x30, 0x30, 0x37
};
if (CryptAcquireContextA(&phProv, 0, MS_ENH_RSA_AES_PROV, PROV_RSA_AES, 0xF0000000))
{
if (!CryptImportKey(phProv, pbData, 0x30, 0, 1, &phKey))
CryptReleaseContext(phProv, 0);
if (CryptSetKeyParam(phKey, 1, String1, 0))
{
v10 = calloc(pdwDataLen, 1);
if (v10) {
memcpy(v10, FlagData, pdwDataLen);
char Filename[20] = "output_dec.bin";
strcat_s(Filename, num);
CryptDecrypt(phKey, 0, TRUE, CRYPT_DECRYPT_RSA_NO_PADDING_CHECK, (BYTE*)v10, &pdwDataLen);

std::string findstr("INTENT");
std::string haystack((BYTE *)v10, (BYTE *)v10 + pdwDataLen);
std::size_t n = haystack.find(findstr);
if (n != std::string::npos)
{
HANDLE hHnd2 = CreateFile(Filename, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
DWORD NumberOfBytesWritten2;
WriteFile(hHnd2, v10, pdwDataLen, &NumberOfBytesWritten2, 0);
CloseHandle(hHnd2);
return TRUE;
}
}
}
}

return FALSE;
}

int main()
{
BYTE v33[20] = { 0, };
BYTE tmp[16] = { 0xB9, 0xBA, 0xBB, 0xBC, 0xBD, 0xBE, 0xBF, 0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0x00, 0x00, 0x00, 0x00 };

for (int i = 0; i <= (0xFF * 5); i++)
{
char num[5];
char Buffer[512] = "YouTakeTheRedPillYouStayInWonderlandAndIShowYouHowDeepTheRabbitHoleGoes0mgisthebestg5642f1266749---";
sprintf_s(num, "%d", i);
strcat_s(Buffer, num);
printf("%s\n", Buffer);
sub_4015B0((BYTE*)Buffer, strlen(Buffer), v33);
if (EncryptionData(v33, tmp, num))
break;
}
system("pause");
}
```