Advent of malware writeup

Just wanted to post some quick notes on the challenges at https://ctf.malwarespace.org/ ; I only had time to go over the first two challenges unfortunately.

Sanity

First challenge, we have a crypto operation that takes our flag bytes and decrypts it.

Our main function:

int __fastcall main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  int v5; // [rsp+0h] [rbp-10h] BYREF
  int i; // [rsp+4h] [rbp-Ch]
  unsigned __int64 v7; // [rsp+8h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  puts("\n[ ~~~~ Just checking if you are worthy ~~~~ ]\n");
  printf("Enter seed: ");
  __isoc23_scanf("%d", &v5);
  srand(v5 % 8602863);
  printf("flag: ");
  for ( i = 0; i <= 54; ++i )
  {
    v3 = operation(flag[i]);
    putchar(v3);
  }
  putchar(10);
  return 0;
}

Some assembly for it:

loc_12E0:
mov     eax, [rbp+var_C]
cdqe
lea     rdx, _ZL4flag   ; flag
movzx   eax, byte ptr [rax+rdx]
movsx   eax, al
mov     edi, eax        ; char
call    _Z9operationc   ; operation(char)
mov     edi, eax        ; c
call    _putchar
add     [rbp+var_C], 1

The "operation" function is a couple of shifts and a xor:

__int64 __fastcall operation(char a1)
{
  int v1; // eax

  v1 = rand();
  return ((unsigned __int8)(((unsigned int)(v1 >> 31) >> 24) + v1) - ((unsigned int)(v1 >> 31) >> 24)) ^ a1;
}

The above is equivalent to (rand() % 256) ^ a1)

We can grab the encrypted flag from the binary by going to _ZL4flag 's address. The seed generated with random() is modulated with 8602863. The flag is 55 characters. We can: Reimplement glibc's random() and just bruteforce the flag (or use the binary directly to do that).

from tqdm import tqdm

enc_hex = "63623426c549bdf3edd3c2cc1dc4a4642cde5024a8b5857b5aed9d63aacd06bcbe074a10ff736b4cf7bb97b9f7d79cae52323cd04d567b"
enc = [int(enc_hex[i:i+2], 16) for i in range(0, len(enc_hex), 2)]
assert len(enc) == 55

def get_keys(seed, num=55):
    MOD = 2147483647
    if seed == 0:
        seed = 1
    r = [0] * (344 + num)
    word = seed
    r[0] = word
    for i in range(1, 31):
        word = (16807 * word) % MOD
        r[i] = word
    for i in range(31, 34):
        r[i] = r[i - 31]
    for i in range(34, 344 + num):
        r[i] = (r[i - 31] + r[i - 3]) & 0xFFFFFFFF
    keys = []
    for i in range(344, 344 + num):
        val = r[i] >> 1
        key = val & 0xFF
        keys.append(key)
    return keys

for mod_seed in tqdm(range(8602863)):
    keys = get_keys(mod_seed)
    good = True
    plain = []
    for j in range(55):
        p = enc[j] ^ keys[j]
        if not (32 <= p <= 126):
            good = False
            break
        plain.append(chr(p))
    if good:
        print(f"Found correct seed: {mod_seed}")
        print("Flag: " + "".join(plain))
        break
else:
    print("No matching seed found.")

Running the above:

C:\Users\Someone\Downloads\adventofmalware\sanity>python3 solver2.py
  9%|██████▍                                                                | 778702/8602863 [02:01<33:35, 3881.40it/s]Found correct seed: 778921
Flag: th1s_fl4g_is_just_2_check_u_are_worthy@malwarespace.com
  9%|██████▍                                                                | 778921/8602863 [02:01<20:18, 6420.41it/s]

Warmup

This one is a JS challenge:

Opening index.html ,we get:

So we need to input a 32 letter word to get the flag. Looking at the index.js file: The main validation function is:

function simple_hash(str) {
    let hash = 0;
    let nonce = 1337;
    for (let i = 0; i < str.length; i++) {
        hash = (hash << 6) - hash + str.charCodeAt(i);
        hash = hash & hash;
    }
    return hash * nonce;
}

We can print targetword from the dev console:

targetWord
Array(32) [ 102949, 86905, 101612, 116319, 86905, 109634, 92253, 110971, 106960, 86905, … ]
​
0: 102949
​
1: 86905
​
2: 101612
​
3: 116319
​
4: 86905
​
5: 109634
​
6: 92253
​
7: 110971
​
8: 106960
​
9: 86905
​
10: 89579
​
11: 92253
​
12: 89579
​
13: 96264
​
14: 109634
​
15: 97601
​
16: 110971
​
17: 112308
​
18: 102949
​
19: 86905
​
20: 110971
​
21: 110971
​
22: 104286
​
23: 105623
​
24: 116319
​
25: 93590
​
26: 101612
​
27: 86905
​
28: 100275
​
29: 92253
​
30: 110971
​
31: 117656
​
length: 32

So one hash per letter. Finally, when we have allCorrect set to true, the game xors the encrypted flag with the letters from targetWord

let bytes = [0x3a,0x72,0x20,0x34,0x71,0x3f,0x76,0x0c,0x62,0x1e,0x2e,0x71,0x2f,0x3f,0x66,0x3b,0x60,0x0b,0x3e,0x31,0x67,0x30,0x7d,0x10,0x2f,0x2b,0x2d,0x32,0x14,0x26,0x27,0x3e];
for (let i = 0; i < bytes.length; i++) {
    xor.push(bytes[i] ^ guess.charCodeAt(i));
}

Since we know the target hashes for each position, we can pre-calculate the hash for every letter from A to Z and match them.

function simple_hash(str) {
    let hash = 0;
    let nonce = 1337;
    for (let i = 0; i < str.length; i++) {
        hash = (hash << 6) - hash + str.charCodeAt(i);
        hash = hash & hash;
    }
    return hash * nonce;
} 

const lookup = {};
for (let i = 65; i <= 90; i++) {
    const char = String.fromCharCode(i);
    lookup[simple_hash(char)] = char;
}

const solvedWord = targetWord.map(h => lookup[h]).join(''); 

The above outputs "MALWARESPACECHRISTMASSNOWFLAKESX" for the targetword. We can now either type that in the html page or just run the xor encryption in the console like so:

const key = "MALWARESPACECHRISTMASSNOWFLAKESX";
const encrypted = [0x3a,0x72,0x20,0x34,0x71,0x3f,0x76,0x0c,0x62,0x1e,0x2e,0x71,0x2f,0x3f,0x66,0x3b,0x60,0x0b,0x3e,0x31,0x67,0x30,0x7d,0x10,0x2f,0x2b,0x2d,0x32,0x14,0x26,0x27,0x3e];

const flag = encrypted.map((byte, i) => 
    String.fromCharCode(byte ^ key.charCodeAt(i))
).join('');

console.log(`Flag: ${flag}@malwarespace.com`);

We then get: w3lc0m3_2_m4lw4r3_sp4c3_xmas_ctf@malwarespace.com