Tuts 4 You


Posted

Do I have to bruteforce the key for challenge 6 (the shellcode challenge)?

Posted

@lazydaemon Bruteforce with restrictions which makes it easier I would say.

Posted
On 8/10/2016 at 3:55 PM, m0rphiz3 said:

I am talking about the shellcode one, algo is *c4, 11 len key, in which 5 are constants..

Four are constants, not five.

Posted

Yes, only four constants. I already calculated 4 billion keys but still no valid one. I think something is wrong with my code.

Posted

Since everyone is bruteforcing that one, let's reduce the keyspace a tad.
fs[30] should be 0x01

That should cut it in half :)

Posted

4 are constants, but one is a debugger check, which if debugger increments the constant, so it is also a constant

Posted (edited)

Yes you're right. I think it must be 0x00 which means the process is not being debugged. You sure about 0x01 Rurik?

I changed a little bit of my code and the key space is now 803520 keys long.

Can anybody confirm this?

I still can't find the correct key. 

Maybe my RC4 implementation is wrong.

Edited by lazydaemon
Extreme Coders
Posted

@lazydaemon There are 5 constants including dbg flag which should be zero.  
Maybe you have missed out some keys. My keyspace was 1571328 keys long and that was found after taking into account the possible values as per MSDN.
In the end size of the keyspace didn't matter as it took just a few seconds to brute.

I ripped out the encryption algo from the binary, so implementation did not matter.

Posted

Ok, I solved it. Made a couple of really stupid mistakes in my code ;-)
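
An added example, not code from any poster in this thread: a textbook RC4 checked against published test vectors before it is trusted in a search over a constrained 11-byte keyspace, which is the failure mode the thread keeps circling (an empty result can mean a wrong implementation rather than a wrong keyspace). The slot layout, key and plaintext are constructed for illustration and are not the challenge's real values.

```python
from itertools import product
from math import prod

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rc4_self_test() -> bool:
    """Compare against widely published RC4 test vectors before trusting a search."""
    return (rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
            and rc4(b"Wiki", b"pedia").hex() == "1021bf0420")

def keyspace_size(slots) -> int:
    """Number of candidate keys: product of the per-byte candidate counts."""
    return prod(len(c) for c in slots)

def search(slots, ciphertext: bytes, known_prefix: bytes):
    """Try every key in the constrained space; return the first one whose
    output starts with known_prefix, or None if no key matches."""
    if not rc4_self_test():
        raise RuntimeError("RC4 implementation fails its test vectors")
    head = ciphertext[:len(known_prefix)]
    for combo in product(*slots):
        if rc4(bytes(combo), head) == known_prefix:
            return bytes(combo)
    return None

# Constructed 11-byte layout (hypothetical): five fixed bytes, six with few candidates.
SLOTS = [[0x05], [0x00], range(1, 5), [0x02], range(0, 3), [0x01],
         range(0, 2), range(6, 11), [0x00], range(0, 3), range(0, 2)]
SECRET = bytes([0x05, 0x00, 3, 0x02, 1, 0x01, 1, 10, 0x00, 2, 0])  # constructed
CIPHERTEXT = rc4(SECRET, b"constructed plaintext for the demo")     # constructed

if __name__ == "__main__":
    print("RC4 vectors pass:", rc4_self_test())
    print("keys to try:", keyspace_size(SLOTS))
    print("recovered:", search(SLOTS, CIPHERTEXT, b"construc").hex())
```

Only the first bytes of the ciphertext are decrypted per candidate, so the cost per key is dominated by the 256-step key schedule.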
