Sunday, January 19, 2014

GhostInTheShellCode Write-Up Dogecrypt


We were provided with a file encrypted with Vim's built-in encryption (cryptmethod=zip, recognisable by the VimCrypt~01! header; it is the traditional PKZIP stream cipher). The hint given was: "Solveable in <5m. Much attack very wamerican-small". wamerican-small is the Debian package that installs the small American English word list at /usr/share/dict/american-english-small, so it was evident that a dictionary attack was intended. To decrypt the file with a candidate key I used the following Perl program found on PerlMonks, which implements the cipher in Inline C:
use strict;
use warnings;
use Inline C;

# One candidate password per run, read from stdin (the shell loop below pipes it in).
my $password = <STDIN>;
chomp($password);
my $file = "lol";   # the encrypted file handed out in the challenge

open my $fh, '<', $file or die "open $file: $!";
binmode $fh;                        # ciphertext is binary, leave line endings alone
my $data = do { local $/; <$fh> };  # slurp the whole file
close $fh;

decode( $data, $password );
print "After:\n$data\n";

__END__
__C__
typedef unsigned int  ULG;   /* 32-bit unsigned, as the PKZIP key state expects */

/* Vim's cryptmethod=zip: a 12-byte "VimCrypt~01!" header followed directly by
 * PKZIP stream-cipher output. There is no salt or IV, so decryption with a
 * candidate password is fully deterministic. */
void decode( SV* str, char *passwd )
{
    ULG s,t,v,crc_32_tab[256],keys[3],temp;
    STRLEN rawlen;
    STRLEN decrypted = 0;
    unsigned char *file, *data;
    const char *magic = "VimCrypt~01!";
#define ROTOR(a) { \
    keys[0] = CRC32(keys[0], a); keys[1] += keys[0] & 0xff; \
    keys[1] = keys[1] * 134775813L + 1; \
    keys[2] = CRC32(keys[2], (int)(keys[1] >> 24)); \
}
#define CRC32(c, b) (crc_32_tab[((int)(c) ^ (b)) & 0xff] ^ ((c) >> 8))

    file = (unsigned char*)SvPV(str, rawlen);
    if ( rawlen < 12 ) return;  /* too short to even hold the header */

    /* check the 12-byte magic header */
    while ( *magic != '\0' ) {
        if ( *(magic++) != *(file++) ) return; /* did not find magic header */
    }
    rawlen -= 12;   /* bytes of ciphertext that follow the header */

    /* build the standard CRC-32 table (reflected polynomial 0xEDB88320) */
    for (t=0; t<256; t++) {
        for (s=0, v=t; s<8; s++)
            v = (v >> 1) ^ ((v & 1) * (ULG)0xedb88320L);
        crc_32_tab[t] = v;
    }

    /* PKZIP initial key state: 0x12345678, 0x23456789, 0x34567890 */
    keys[0] = 305419896L; keys[1] = 591751049L; keys[2] = 878082192L;

    /* mix the password into the key state, one byte at a time */
    while (*passwd != '\0') ROTOR(*(passwd++));

    /* decrypt in place: XOR each byte with the keystream byte derived from
     * keys[2], then feed the recovered plaintext byte back into the state.
     * Loop on the length, not on '\0': ciphertext may legitimately contain NUL. */
    data = file;
    while( decrypted < rawlen ) {
        temp = 0xffff & (keys[2] | 2);
        *file ^= (int)(((temp * (temp ^ 1)) >> 8) & 0xff);
        ROTOR(*(file++));
        decrypted++;
    }

    sv_setpvn( str, (char*)data, decrypted ); /* replace the passed SV with the plaintext */
}

Applying the dictionary attack, one run of the script per word, with each attempt saved to out/<word> so the results can be searched afterwards:
$ mkdir out; while read line ; do echo "$line" ; echo "$line" | perl fish.pl > "out/$line" ; done < /usr/share/dict/american-english-small
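The same attack can be scripted end to end without spawning one Perl process per word. The following is an added example, not code from the write-up or from PerlMonks: a Python reimplementation of the VimCrypt~01 (PKZIP "zip" method) cipher together with a dictionary attack that replaces the manual strings/grep step by scoring each candidate plaintext on how printable it is, optionally requiring a known substring. The plaintext, the password and the word list are constructed for the demonstration; the function and class names are the example's own.

```python
import string

MAGIC = b"VimCrypt~01!"      # Vim cryptmethod=zip header, 12 bytes, no salt/IV follows
_PRINTABLE = frozenset(string.printable.encode())


def _make_crc_table():
    """Standard CRC-32 table, reflected polynomial 0xEDB88320."""
    table = []
    for t in range(256):
        v = t
        for _ in range(8):
            v = (v >> 1) ^ (0xEDB88320 if v & 1 else 0)
        table.append(v)
    return table


_CRC_TABLE = _make_crc_table()


def _crc32(c, b):
    return _CRC_TABLE[(c ^ b) & 0xFF] ^ (c >> 8)


class ZipStreamCipher:
    """PKZIP traditional stream cipher as used by Vim's VimCrypt~01 format."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]   # fixed initial state
        for b in password:                              # mix the password in
            self._update(b)

    def _update(self, b: int):
        k = self.k
        k[0] = _crc32(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc32(k[2], k[1] >> 24)

    def _keystream_byte(self) -> int:
        temp = (self.k[2] | 2) & 0xFFFF
        return ((temp * (temp ^ 1)) >> 8) & 0xFF

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)          # state advances on the *plaintext* byte
            out.append(p)
        return bytes(out)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)
        return bytes(out)


def vim_encrypt(plaintext: bytes, password: bytes) -> bytes:
    return MAGIC + ZipStreamCipher(password).encrypt(plaintext)


def vim_decrypt(blob: bytes, password: bytes) -> bytes:
    if not blob.startswith(MAGIC):
        raise ValueError("not a VimCrypt~01 file")
    return ZipStreamCipher(password).decrypt(blob[len(MAGIC):])


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """Cheap plausibility test: a wrong key yields near-random bytes."""
    if not data:
        return False
    printable = sum(1 for b in data if b in _PRINTABLE)
    return printable / len(data) >= threshold


def dictionary_attack(blob: bytes, wordlist, needle: bytes = None):
    """Return (password, plaintext) for the first word whose decryption is
    mostly printable (and contains `needle` if one is given), else None."""
    for word in wordlist:
        candidate = vim_decrypt(blob, word)
        if looks_like_text(candidate) and (needle is None or needle in candidate):
            return word, candidate
    return None


# Constructed sample data for the demonstration (not the challenge file).
SAMPLE_PLAINTEXT = b"wow\n    very much ctf\n        most key\nsuch flag\n"
SAMPLE_WORDLIST = [b"apple", b"banana", b"parliament", b"zebra"]

if __name__ == "__main__":
    blob = vim_encrypt(SAMPLE_PLAINTEXT, b"parliament")
    print(dictionary_attack(blob, SAMPLE_WORDLIST, needle=b"ctf"))
```

Because the keystream depends only on the key state, and the state advances on the plaintext byte, encryption and decryption are the same operation with the XOR order swapped; that symmetry is what makes an offline dictionary attack so cheap here. On a real word list you would read /usr/share/dict/american-english-small line by line, encode each word as bytes and try it, stopping at the first plausible hit.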

Grabbing the key, with a little bit of guesswork: the wrong passwords produce garbage, so grep the decrypted outputs for "ctf" and look for the one that is actually readable.
[Wani@Linux brute]$ cd out; strings *   | grep -i ctf
GCTf
$BgcTf
CTfJ
ctFe
OcTF
                                                        very much ctf
-CTF
>cTF
NCtf
[Wani@Linux out]$ grep "very much ctf" *
parliament:                                                        very much ctf
[Wani@Linux out]$  cat parliament
After:
The key is: ShibeSuchDictionaryAttacksWow



                                  wow

                                                        very much ctf

                                                                      most key




                            such flag


                                         so much shellcode





                                                        wow

[Wani@Linux out]$ 
