A quick and dirty solution to MalwareTech's Ransomware CTF

I will not go into the assembly in detail here, as it is very straightforward. When we look at the "encrypting" function, we see it's a simple XOR cipher with a repeating key of length 32 (mod 0x20).

The trick here is getting the key. Along with the encrypted flag, we have default Windows wallpapers encrypted by the same key.

The thing about XOR is that it is its own inverse: if you compute <enc file> XOR <plaintext> byte by byte, you get the repeating key.

Let's code the solution in Python:

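from hashlib import md5

# Known plaintext/ciphertext pair: the stock wallpaper and its encrypted copy.
img_plain = bytearray(open("Koala.jpg", 'rb').read(4096))
img_enc = bytearray(open("Koala.jpg_encrypted", 'rb').read(4096))

# plaintext XOR ciphertext = key; the key repeats every 32 bytes (mod 0x20).
key = []
for i in range(0, 32):
    key.append(img_plain[i] ^ img_enc[i])

flag = bytearray(open("flag.txt_encrypted", 'rb').read())

# Decrypt the flag in place with the recovered repeating key.
for i in range(0, len(flag)):
    flag[i] ^= (key[i % 32])

print("".join(map(chr, flag)))

# Print the MD5 of the decrypted flag next to the expected value for comparison.
m = md5()
m.update(flag)

print("EXPECTED MD5: 2C2D014C02EB65DEA8AE56304B8226C2 = {}".format(m.hexdigest()))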
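
The script above takes the key length (32) from the disassembly. As an added example, not part of the original solution, the sketch below goes one step further and derives the key length from the known plaintext/ciphertext pair itself by finding the shortest period of the keystream, and rejects a pair that does not match. All names and sample data here are constructed for illustration and are not the CTF files.

```python
import hashlib

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated cyclically (the same call encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(plain: bytes, enc: bytes, max_len: int = 256) -> bytes:
    """Return the shortest key whose repetition explains the whole known pair."""
    n = min(len(plain), len(enc))
    stream = bytes(p ^ c for p, c in zip(plain[:n], enc[:n]))
    for klen in range(1, min(max_len, n // 2) + 1):
        # Period klen means every keystream byte equals the byte klen positions earlier.
        if stream[klen:] == stream[:-klen]:
            return stream[:klen]
    raise ValueError("keystream does not repeat: wrong plaintext or not repeating-key XOR")

# Constructed sample data standing in for the wallpaper, key and flag (assumptions).
SAMPLE_KEY = bytes(range(0x41, 0x61))  # 32 distinct bytes
SAMPLE_PLAIN = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 bytes
SAMPLE_FLAG = b"FLAG{constructed-sample-not-the-real-flag}"

def demo() -> bytes:
    enc_known = xor_repeat(SAMPLE_PLAIN, SAMPLE_KEY)  # plays the role of Koala.jpg_encrypted
    enc_flag = xor_repeat(SAMPLE_FLAG, SAMPLE_KEY)    # plays the role of flag.txt_encrypted
    key = recover_key(SAMPLE_PLAIN, enc_known)        # key length is discovered, not assumed
    return xor_repeat(enc_flag, key)

if __name__ == "__main__":
    print(demo().decode())
```

Checking the period over the full 4096 bytes, rather than trusting the first 32, also catches the case where the "plaintext" copy is not the exact file that was encrypted.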


Git URL: here