prsecurity.org

malwaretech ransomware ctf

A quick and dirty solution to MalwareTech’s Ransomware CTF

I will not go into details in assembly here as it is very straightforward. When we look at the “encrypting” function, we see its a simple XOR cipher with repeating key of length 32 (mod 0x20).

sdfsdfsdf

The trick here is getting the key. Along with the encrypted flag, we have default Windows wallpapers encrypted by the same key.

sdfsdf

The thing about XOR is that if you do <enc file> XOR <plaintext> you get the repeating key.

Let’s code the solution in Python:

from hashlib import md5

img_plain = bytearray(open("Koala.jpg", 'rb').read(4096))
img_enc = bytearray(open("Koala.jpg_encrypted", 'rb').read(4096))

key = []
for i in range(0, 32):
	key.append(img_plain[i] ^ img_enc[i])

flag = bytearray(open("flag.txt_encrypted", 'rb').read())

for i in range(0, len(flag)):
	flag[i] ^= (key[i % 32])

print("".join(map(chr, flag)))

m = md5()
m.update(flag)

print("EXPECTED MD5: 2C2D014C02EB65DEA8AE56304B8226C2 = {}".format(m.hexdigest()))

sdfsdf

Git URL: here