Vlad Korolev

Developer

CodeBreaker2018 walkthrough, Task 2 Secrets

January 04, 2019

Let’s look at Task 2 before doing Task 1. It’s a much quicker and easier task, and it will give us some warm-up practice in reverse engineering before we dive into the much more involved Task 1.


In this task we are asked to extract the secret key from the binaries left over by the ransomware. To solve this we need to use some reverse engineering tools.

The organizers recommend IDA Pro or Binary Ninja. IDA Pro is indeed an excellent tool; unfortunately, to get the full functionality you have to buy the full version, which is quite pricey. I have never used Binary Ninja; it looks like a good tool, but it also costs some money.

To keep this open to the widest number of people I opted for free tools: Disassembler.io and Radare.

The first is a web application, so there is nothing to install; the second is an open-source tool that is packaged by many distributions. For example, on a Mac you can use the excellent Homebrew package manager to install it.

brew install radare2

Radare will come in handy for Task 1. In this task we’ll stick with Disassembler.io.

Ok, let’s go.

  1. Download libclient_crypt.so.
  2. Open Disassembler.io in your browser.
  3. Click on the “start disassembling” button.
  4. Once the app loads, upload your libclient_crypt.so file.
  5. After a short time your file will be disassembled and you’ll see a screen with the symbols pane on the left and the code pane on the right.
  6. Scroll the symbols pane all the way down.
  7. Most function names are self-explanatory, except for the one that is just called func_00001930; this looks suspicious. Click on its name to see the code.
  8. These MOVB instructions look interesting. It looks like this function is writing a sequence of byte values to a memory location.
  9. So what can we say about these bytes? We see that their values range between 0x30 and 0x59, which covers the digits and uppercase letters.
  10. Let’s refresh our memory about Base32 encoding.
  11. We see that the most common form of Base32 encoding uses the uppercase letters A-Z and the numbers 0-9.
  12. So, most likely this is what we want.
  13. Let’s convert these hex values to their ASCII representation to get the string CAYPFE6MG2DJT4EB5RIZLIAYFJAUGL3L.
  14. Let’s submit it to the challenge.
  15. Voila!
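As an added example (not part of the original post, and not Disassembler.io’s own code), here is a small Python script that does mechanically what steps 7 to 13 do by eye: it pulls the immediate byte values out of MOVB stores in a disassembly listing, orders them by destination offset, checks the result against the Base32 alphabet and decodes it. The listing it parses is constructed from the recovered key above, because the post does not reproduce the actual disassembly; the register names, the offsets, the NUL terminator, and the AT&T/Intel syntax patterns are all assumptions. One caveat worth knowing when you run this kind of check: the RFC 4648 Base32 alphabet is A-Z plus the digits 2-7, so a candidate string containing 0, 1, 8 or 9 is not standard Base32 even though it is still digits and uppercase letters.

```python
import base64
import re
import string

# The key recovered in the walkthrough; used only to construct the sample
# listing below, since the post does not reproduce the actual disassembly.
KEY = "CAYPFE6MG2DJT4EB5RIZLIAYFJAUGL3L"

# Byte stores with an immediate value, in AT&T and Intel syntax respectively
# (assumed patterns; adjust to whatever your disassembler emits).
ATT_MOVB = re.compile(
    r"movb\s+\$(?P<val>0x[0-9a-f]+|\d+)\s*,\s*"
    r"(?P<off>-?(?:0x[0-9a-f]+|\d+))?\((?P<reg>%\w+)\)",
    re.IGNORECASE,
)
INTEL_MOVB = re.compile(
    r"mov\s+byte\s+ptr\s+\[(?P<reg>\w+)\s*(?P<off>[+-]\s*(?:0x[0-9a-f]+|\d+))?\]"
    r"\s*,\s*(?P<val>0x[0-9a-f]+|\d+)",
    re.IGNORECASE,
)

# RFC 4648 Base32 alphabet: A-Z and the digits 2-7 (0, 1, 8 and 9 are not used).
BASE32_ALPHABET = set(string.ascii_uppercase + "234567")


def _num(text):
    """Parse a hex (0x..) or decimal immediate/offset, with optional sign."""
    text = text.replace(" ", "")
    sign = -1 if text.startswith("-") else 1
    text = text.lstrip("+-")
    value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    return sign * value


def build_sample_listing(key):
    """Constructed AT&T-syntax listing of a function that fills a buffer one
    byte at a time. Stores are emitted in reverse offset order with unrelated
    instructions mixed in, so a parser must order by destination offset rather
    than by instruction order. Only the label comes from the post."""
    lines = ["func_00001930:", "    push    %rbp", "    mov     %rsp, %rbp"]
    for offset, byte in reversed(list(enumerate(key.encode("ascii")))):
        lines.append(f"    movb    ${byte:#04x}, {offset:#x}(%rdi)")
    lines += ["    movb    $0x0, 0x20(%rdi)", "    pop     %rbp", "    ret"]
    return "\n".join(lines) + "\n"


def extract_byte_stores(listing):
    """Return (base_register, offset, byte) for every immediate byte store."""
    stores = []
    for line in listing.splitlines():
        m = ATT_MOVB.search(line) or INTEL_MOVB.search(line)
        if not m:
            continue
        reg = m.group("reg").lstrip("%").lower()
        off = _num(m.group("off")) if m.group("off") else 0
        stores.append((reg, off, _num(m.group("val")) & 0xFF))
    return stores


def recover_bytes(listing):
    """Rebuild the buffer the function writes: pick the base register with the
    most byte stores, order its writes by offset (a later write to the same
    offset wins) and cut at the first NUL, as a C string would."""
    by_reg = {}
    for reg, off, val in extract_byte_stores(listing):
        by_reg.setdefault(reg, {})[off] = val
    if not by_reg:
        return b""
    target = max(by_reg.values(), key=len)
    raw = bytes(target[off] for off in sorted(target))
    return raw.split(b"\x00", 1)[0]


def looks_like_base32(text):
    """True if text uses only the RFC 4648 alphabet (plus '=' padding) and has
    a length that a Base32 encoder could actually produce."""
    body = text.rstrip("=")
    return bool(body) and set(body) <= BASE32_ALPHABET and len(body) % 8 in (0, 2, 4, 5, 7)


def decode_base32(text):
    """Decode, restoring the '=' padding that a stripped key may lack."""
    body = text.rstrip("=")
    return base64.b32decode(body + "=" * (-len(body) % 8))


if __name__ == "__main__":
    listing = build_sample_listing(KEY)
    recovered = recover_bytes(listing).decode("ascii")
    print("recovered:", recovered)
    print("Base32?", looks_like_base32(recovered), "->",
          len(decode_base32(recovered)), "raw bytes")
```

Grouping by base register and sorting by offset is what makes this robust against a compiler that schedules the stores out of order; the NUL cut-off handles the common case where the function is building a C string and the terminator would otherwise end up in your candidate.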

Additional reading materials

If you want to find out more about how we identified our suspect function so quickly, check out these reading materials.

Ok, let’s move on to Task 1.
