xor
For this challenge, we saw that the string "COD" appeared a few times in the binary. After playing with this value, we found that the file was XOR'd with "CODE". After XORing, the output was a PNG file containing the text "HoyTomoSojuOKerosene?", which was the key.
Key: HoyTomoSojuOKerosene?
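The observation above, as an added example that is not part of the original write-up: zero bytes in the plaintext XOR to the key itself, which is why fragments such as "COD" show up in the obfuscated file. It goes one step beyond the text by confirming the key against the fixed 8-byte PNG signature. The sample bytes are constructed for illustration and all function names are hypothetical.

```ruby
# Added example: confirm a repeating XOR key against a known file header.
PNG_MAGIC = [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A].freeze

# XOR with a repeating key; the same call encrypts and decrypts.
def xor_repeat(bytes, key)
  bytes.each_with_index.map { |b, i| b ^ key[i % key.length] }
end

# Keystream bytes = ciphertext XOR known plaintext.
def keystream_from_known(cipher, known)
  known.each_with_index.map { |p, i| cipher[i] ^ p }
end

# Shortest prefix that, repeated, reproduces the keystream. A key longer
# than the known plaintext cannot be told apart from a non-repeating one.
def shortest_period(stream)
  (1..stream.length).each do |n|
    return stream.first(n) if stream.each_with_index.all? { |b, i| b == stream[i % n] }
  end
end

# Printable ASCII runs, like strings(1): zero bytes in the plaintext
# XOR to the key itself, so key fragments show up here.
def printable_runs(bytes, min_len = 3)
  bytes.pack('C*').scan(/[\x20-\x7e]{#{min_len},}/)
end

# Constructed sample: PNG signature, an IHDR chunk header, then zero padding.
# It is not a valid image; it only has the byte patterns that matter here.
SAMPLE_PLAIN = PNG_MAGIC + [0, 0, 0, 0x0D] + 'IHDR'.bytes + [0] * 8
SAMPLE_CIPHER = xor_repeat(SAMPLE_PLAIN, 'CODE'.bytes)

# Recover the key as a string from the first bytes of an obfuscated PNG.
def recover_key(cipher)
  shortest_period(keystream_from_known(cipher, PNG_MAGIC)).pack('C*')
end

if __FILE__ == $PROGRAM_NAME
  puts "strings in obfuscated file: #{printable_runs(SAMPLE_CIPHER).inspect}"
  key = recover_key(SAMPLE_CIPHER)
  puts "recovered key: #{key}"
  plain = xor_repeat(SAMPLE_CIPHER, key.bytes)
  puts "decrypts to PNG: #{plain.first(8) == PNG_MAGIC}"
end
```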
Net200 had two hints about covert channels and XOR. We developed a stream XOR cipher and tried all the strings we saw in Wireshark as the key. ‘127.0.0.1’ ended up being the key and it decrypted the covert channel ICMP reply packets’ data to:
0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 00 00 00 00 02 00 00 00 00 00 00 00 52 53 43 0e ............RSC.
0020 1f 7b 43 4b 43 42 1d 59 1e 56 4f 44 4b 1e 42 5d .{CKCB.Y.VODK.B]
0030 5b 58 1e 5a 48 5a 3b                            [X.ZHZ;
5253430e1f7b434b43421d591e564f444b1e425d5b581e5a485a3b
At 0x1000270a, there are 3 routines that XOR an array of data with the “securitycodegate” array.
The 1st routine XORs 16 bytes of data with “security” (with mod 8).
The 2nd routine XORs 8 bytes of data with “code” (with mod 4).
The 3rd routine XORs 23 bytes of data with “gate” (with mod 4).
The result of the 3rd routine was the key.
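# 23 bytes of data processed by the 3rd routine
t = [4, 0, 89, 21, 18, 3, 89, 85, 86, 83, 71, 81, 82, 87, 67, 93, 94, 81, 69, 87, 84, 85, 65]
# Key bytes for the 3rd routine
u = "gate".unpack('C*')
arr = []
# XOR each data byte with the key byte at index mod 4
t.length.times { |x| arr << (t[x] ^ u[x % 4]) }
puts arr.pack('C*')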
Key: ca-pub-0123456789012345
The challenge is given in the form of a URL:
somesite/xor.php?plaintxt=