binary

Codegate 2011 Qual - Bin 100

Submitted by maikol on Wed, 03/09/2011 - 17:20

For this challenge, we were given a file which contained what looked to be some sort of obfuscated code. One of us used "Windows Script Decoder" on it, and the output it gave was obfuscated JavaScript. We loaded the script in Firefox and used Firebug to set a breakpoint at the end of the script and observed that there was a variable "CodeGate_JavaScriptEncode_Key" set to "120a151156120a163t111163120lea163u162e!". We were stuck on this for a while until we realized that this was a mix of octal and ASCII, and the key turned out to be "PainPastIsPleasure!".
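The octal/ASCII decoding step described above, as an added example that is not part of the original write-up. It assumes every run of three octal digits in the 7-bit ASCII range (000-177), with or without a leading backslash, is one character code and everything else is literal text; the function names are hypothetical.

```ruby
# Added example (not from the original write-up): decode a string that mixes
# three-digit octal character codes with literal ASCII characters.
# Assumption: codes are always exactly three octal digits in 000..177 and may
# or may not carry a leading backslash; any other character is kept as-is.
MIXED_OCTAL = /\\?([01][0-7]{2})|(.)/m

# Return [kind, source_text, decoded_char] triples so an analyst can see which
# parts of the string were character codes and which were already plain text.
def tokenize_mixed_octal(str)
  str.scan(MIXED_OCTAL).map do |octal, literal|
    if octal
      [:octal, octal, octal.to_i(8).chr]
    else
      [:literal, literal, literal]
    end
  end
end

# Join the decoded characters back into the recovered string.
def decode_mixed_octal(str)
  tokenize_mixed_octal(str).map { |_kind, _src, decoded| decoded }.join
end

# Value of CodeGate_JavaScriptEncode_Key as quoted in the write-up.
OBSERVED = "120a151156120a163t111163120lea163u162e!"

# Constructed sample: the same kind of data with explicit backslash escapes.
ESCAPED_SAMPLE = '\120a\151\156'

if __FILE__ == $0
  tokenize_mixed_octal(OBSERVED).each do |kind, src, decoded|
    puts format("%-8s %-4s -> %s", kind, src, decoded)
  end
  puts decode_mixed_octal(OBSERVED)
end
```

A literal run of three digits such as "120" is indistinguishable from a character code under this assumption, so the token listing is worth checking by eye before trusting the joined result.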

Codegate 2011 Qual - Bin 200

Submitted by maikol on Wed, 03/09/2011 - 17:18

There was a suspiciously long function at 0x401130. We analyzed it and discovered that it would get the current timestamp and check it against two values. If the timestamp was earlier than 1109462399 and later than 1109376000, the check would succeed.

So we set the time to 26 Feb 2005 12:00 EST, and the program gave us the key.

Key: http://forensic-proof.com/archives/552

Codegate 2011 Qual - Bin 300

Submitted by maikol on Wed, 03/09/2011 - 17:17

At 0x1000270a, there are 3 routines that XOR some array of data with the “securitycodegate” array.

The 1st routine XORs 16 bytes of data with “security” (with mod 8).
The 2nd routine XORs 8 bytes of data with “code” (with mod 4).
The 3rd routine XORs 23 bytes of data with “gate” (with mod 4).

The result of the 3rd routine was the key.

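# The 23 bytes processed by the 3rd routine
t = [4, 0, 89, 21, 18, 3, 89, 85, 86, 83, 71, 81, 82, 87, 67, 93, 94, 81, 69, 87, 84, 85, 65]
# XOR key "gate" as byte values
u = "gate".unpack('C*')
arr = []
# XOR each data byte with the key byte at index mod 4
t.length.times {|x| arr << (t[x]^u[x%4])}
puts arr.pack('C*')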

Key: ca-pub-0123456789012345

Challenge Three - HolyShield2010

Submitted by maikol on Wed, 12/08/2010 - 22:09

There is a PE-format binary file.

Challenge Five - HolyShield2010

Submitted by maikol on Wed, 12/08/2010 - 22:07

We noticed that there was a piece of unreachable code.

Challenge Eight - HolyShield2010

Submitted by kodos on Thu, 11/25/2010 - 16:40

Q8 is given as a Zip file, which unzips to a Mac app called catKeyVerifyTool.

Challenge Eight - isec2010

Submitted by kodos on Wed, 11/17/2010 - 23:30

We were given a binary in this challenge. The hexdump of the binary looks like this:

© 2010-2011 disekt - Hosted by inetric. Drupal theme by Kiwi Themes.