Ransomware
- CTF: BambooCTF 2021
- Category: Reverse
- Writeups
Given

| File | Content | Note |
|---|---|---|
| Upload.zip | | |
| -> | flag.enc | Encrypted PNG |
| -> | task.pyc | Compiled python code |
Analysis
Decompiling task.pyc with uncompyle6 gives a single lambda chain. Reindented, with the parentheses the decompiler dropped around the inner lambdas restored, it reads:

```python
(lambda data, key, iv:
    (lambda key, iv, data, AES:
        open('flag.enc', 'wb').write(
            AES.new(key, AES.MODE_CBC, iv).encrypt(
                # zero-pad to a multiple of 16 bytes (always adds 1..16 NULs)
                (lambda x: x + b'\x00' * (16 - len(x) % 16))(data))))
    (data[key:key + 16], data[iv:iv + 16],
     open('flag.png', 'rb').read(),
     __import__('Crypto.Cipher.AES').Cipher.AES)
    if len(data) != 0
    # the branch uncompyle6 flagged as "# Avoid dead code:"
    else (lambda fn: __import__('os').remove(fn))('task.py')
)(__import__('requests').get('https://ctf.bamboofox.tw/rules').text.encode(), 99, 153)
```

So the script fetches the CTF rules page, takes the 16 bytes at offset 99 of the (UTF-8 encoded) page body as the AES key and the 16 bytes at offset 153 as the IV, zero-pads flag.png to a multiple of 16 bytes and writes it AES-CBC encrypted to flag.enc. If the download comes back empty it deletes task.py instead. The key material is never stored in the malware; it lives in the web page.
Implementation
Reimplementing it in Python with the input and output files swapped and encrypt replaced by decrypt:

```python
import requests
from Crypto.Cipher import AES  # pycryptodome, the same library task.pyc imports

# Same key/IV derivation as task.pyc: 16-byte slices of the rules page body
outerdata = requests.get('https://ctf.bamboofox.tw/rules').text.encode()
outerkey = 99
outerIV = 153
innerkey = outerdata[outerkey:outerkey + 16]
innerIV = outerdata[outerIV:outerIV + 16]

# flag.enc is already a multiple of 16 bytes, so the zero-padding lambda from
# task.pyc has no counterpart here; the NUL padding it appended stays at the
# end of the decrypted output.
inFile = open('flag.enc', 'rb').read()
with open('flag.png', 'wb') as outFile:
    outFile.write(AES.new(innerkey, AES.MODE_CBC, innerIV).decrypt(inFile))
```

This only works as long as the rules page still serves the same bytes at offsets 99 and 153; if the page changes, the key and IV change with it, which is why it pays to save a copy of the page body alongside the decrypted file.

Looking at the decrypted flag.png:

Opening the file in HxD and searching for the PNG end-of-file chunk type IEND, we see it twice: first at 0xC566A, then again at 0x125611. A PNG ends with its IEND chunk, so the decrypted file is two PNGs concatenated back to back.
Copying the bytes from just after the first IEND chunk (the 4 type bytes are followed by a 4-byte CRC, so the second image starts 8 bytes after the start of the first IEND match) up to and including the second IEND chunk's CRC, and saving them as a new file, gives us:
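The same split can be done programmatically. The following is an added example (not part of the original writeup) that walks the PNG chunk structure from each signature to its IEND chunk instead of searching for the ASCII bytes `IEND`, which can produce a false match inside a `tEXt` or `IDAT` payload. It assumes, as the manual copy above does, that the second image is a complete PNG starting with its own signature; the file names `flag.png` and `flag_part%d.png` and the constructed test images in `make_test_png` are choices made here.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC32(type+data)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def carve_pngs(blob: bytes) -> list:
    """Return (start, end) byte spans of every complete PNG in blob.

    Each image is walked chunk by chunk from its signature until its IEND
    chunk, CRC included, so the literal bytes 'IEND' inside a tEXt or IDAT
    payload cannot end an image early. Bytes after the last IEND (here the
    ransomware's NUL padding) are ignored.
    """
    spans = []
    pos = 0
    while True:
        start = blob.find(PNG_SIG, pos)
        if start == -1:
            return spans
        cur = start + len(PNG_SIG)
        while cur + 8 <= len(blob):
            length, ctype = struct.unpack(">I4s", blob[cur:cur + 8])
            end = cur + 8 + length + 4          # header + data + CRC
            if end > len(blob):
                raise ValueError("truncated %r chunk at 0x%X" % (ctype, cur))
            body = blob[cur + 8:cur + 8 + length]
            stored = struct.unpack(">I", blob[end - 4:end])[0]
            if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored:
                raise ValueError("bad CRC on %r chunk at 0x%X" % (ctype, cur))
            cur = end
            if ctype == b"IEND":
                break
        else:
            raise ValueError("no IEND after signature at 0x%X" % start)
        spans.append((start, cur))
        pos = cur


def make_test_png(width: int, pixel: bytes, comment: bytes) -> bytes:
    """Constructed test data: a structurally valid 1-row 8-bit RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", width, 1, 8, 2, 0, 0, 0)
    row = b"\x00" + pixel * width   # filter type 0 + one row of RGB pixels
    return (PNG_SIG
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"tEXt", b"Comment\x00" + comment)
            + png_chunk(b"IDAT", zlib.compress(row))
            + png_chunk(b"IEND", b""))


if __name__ == "__main__":
    # Usage on the real file: split the decrypted flag.png into its images.
    data = open("flag.png", "rb").read()
    for i, (s, e) in enumerate(carve_pngs(data)):
        print("image %d: 0x%X-0x%X" % (i, s, e))
        open("flag_part%d.png" % i, "wb").write(data[s:e])
```

The CRC check is what makes this safer than a byte search: a chunk header that parses but whose CRC does not match is reported rather than silently accepted, so a corrupted or misaligned walk fails loudly instead of producing a wrong split.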
