25
Apr
2011

pCTF 2011 – Mission 6 – Fun with Numb3rs

Another quick pCTF 2011 write-up. This is a windows Application made using .NET. Upon launching you get 3 sliders with a range of 0-255 and a button. Goal is to find the correct permutation for the 3 sliders. When you enter the wrong slider values you will get a nice failed message.

When decompiling the application using ILspy we find the following relevant code bits:

private byte[] Field_00 = new byte[] {
    20, 0x16, 100, 0x17, 0x15, 0x63, 100, 0x67, 0x18, 0x18, 0x19, 0x60, 0x19, 0x67, 0x10, 0x15,
    0x10, 0x18, 0x16, 0x11, 0x62, 0x67, 0x67, 0x10, 0x17, 0x12, 0x67, 0x18, 0x11, 0x63, 0x60, 0x12
};

private byte[] Field_01 = new byte[] {
    0x61, 0x5d, 0x40, 0x40, 0x4b, 0x13, 0x12, 0x6b, 0x5d, 0x47, 0x12, 0x54, 0x53, 0x5b, 0x5e, 0x57,
    0x56, 0x12, 0x4a, 0x62, 0x12, 0x12, 0x66, 0x40, 0x4b, 0x12, 0x73, 0x55, 0x53, 0x5b, 0x5c, 0x13
};

private void checkButton_Click(object A_0, EventArgs A_1)
{
    int value = this.valueBar1.Value;
    int value2 = this.valueBar2.Value;
    int value3 = this.valueBar3.Value;
    int num = this.valueBar2.Value * this.valueBar3.Value;
    int num2 = value * 3;
    if (value + num - value2 + value * value * value2 - value3 == value2 * (value3 * 34 + (num2 - value)) + 7488 && value > 77)
    {
        MessageBox.Show(this.Method_05(value, value2, value3, (byte[])this.Field_00.Clone(), num, num2));
        return;
    }
    MessageBox.Show(this.Method_06(value, value2, value3, (byte[])this.Field_00.Clone(), num, num2));
}

So in essence we need to pass some math evaluation in order to trigger the code that displays the OK string. Both the OK and FAIL strings are XOR-encoded to not give away anything.

Quick ‘n dirty bruteforce tool:

<?
    for($v1=0; $v1 <= 0xff; $v1++) {
        for($v2=0; $v2 <= 0xff; $v2++) {
            for($v3=0; $v3 <= 0xff; $v3++) {
                $num = $v2 * $v3;
                $num2 = $v1 * 3;

                if (
                    $v1 + $num - $v2 + $v1 * $v1 * $v2 - $v3 == 
                    $v2 * ($v3 * 34 + ($num2 - $v1)) + 7488 && $v1 > 77
                )
                    die("GOT IT: $v1,$v2,$v3\n");

            }
        }
    }
?>
blasty@mekboek$ time php brute.php 
GOT IT: 89,144,233

real 0m2.586s
user 0m2.549s
sys 0m0.024s

Comments are closed.