iCTF 2011 Challenge 33

The file contains JPEG image. By removing 0-72ac7 bytes, we can see the image with the answer.

bank account


iCTF 2011 Challenge 30

The file name "reverse2.7z.enc" tells us that the file is an encrypted 7z file. First 8 bytes of reverse2.7z.enc are "4D 4E AE 3F 5D 28 12 93" and one of 7z files are "37 7A BC AF 27 1C 00 03". 4D4EAE3F5D281293 xor 377ABCAF271C0003 is 7A3412907A341290. By XORing reverse2.7z.enc and 7A3412907A3412907A341290..., we can obtain an original 7z file (reverse2.7z).

reverse2.7z contains two files "a" and "b". File "a" is a x86 machine code:

00000000  55                push ebp
00000001  8BEC              mov ebp,esp
00000003  83EC44            sub esp,byte +0x44
00000006  53                push ebx
00000007  56                push esi
00000008  57                push edi
00000009  C745FC00000000    mov dword [ebp-0x4],0x0
00000010  6868120160        push dword 0x60011268
00000015  FF1538A20160      call dword near [dword 0x6001a238]
0000001B  83C404            add esp,byte +0x4
0000001E  C745FC00000000    mov dword [ebp-0x4],0x0
00000025  EB09              jmp short 0x30
00000027  8B45FC            mov eax,[ebp-0x4]
0000002A  83C001            add eax,byte +0x1
0000002D  8945FC            mov [ebp-0x4],eax
00000030  837DFC18          cmp dword [ebp-0x4],byte +0x18
00000034  7339              jnc 0x6f
00000036  8B4508            mov eax,[ebp+0x8]
00000039  0345FC            add eax,[ebp-0x4]
0000003C  0FB600            movzx eax,byte [eax]
0000003F  99                cdq
00000040  B90A000000        mov ecx,0xa
00000045  F7F9              idiv ecx
00000047  83C230            add edx,byte +0x30
0000004A  52                push edx
0000004B  6864120160        push dword 0x60011264
00000050  FF1538A20160      call dword near [dword 0x6001a238]
00000056  83C408            add esp,byte +0x8
00000059  837DFC0C          cmp dword [ebp-0x4],byte +0xc
0000005D  750E              jnz 0x6d
0000005F  6860120160        push dword 0x60011260
00000064  FF1538A20160      call dword near [dword 0x6001a238]
0000006A  83C404            add esp,byte +0x4
0000006D  EBB8              jmp short 0x27
0000006F  5F                pop edi
00000070  5E                pop esi
00000071  5B                pop ebx
00000072  8BE5              mov esp,ebp
00000074  5D                pop ebp
00000075  C3                ret
0000009F  CC                int3
000000A0  55                push ebp
000000A1  8BEC              mov ebp,esp
000000A3  83EC44            sub esp,byte +0x44
000000A6  53                push ebx
000000A7  56                push esi
000000A8  57                push edi
000000A9  C745FC00000000    mov dword [ebp-0x4],0x0
000000B0  C745FC00000000    mov dword [ebp-0x4],0x0
000000B7  EB09              jmp short 0xc2
000000B9  8B45FC            mov eax,[ebp-0x4]
000000BC  83C001            add eax,byte +0x1
000000BF  8945FC            mov [ebp-0x4],eax
000000C2  837DFC18          cmp dword [ebp-0x4],byte +0x18
000000C6  730D              jnc 0xd5
000000C8  8B4508            mov eax,[ebp+0x8]
000000CB  0345FC            add eax,[ebp-0x4]
000000CE  8A4DFC            mov cl,[ebp-0x4]
000000D1  8808              mov [eax],cl
000000D3  EBE4              jmp short 0xb9
000000D5  C745FC00000000    mov dword [ebp-0x4],0x0
000000DC  EB09              jmp short 0xe7
000000DE  8B45FC            mov eax,[ebp-0x4]
000000E1  83C001            add eax,byte +0x1
000000E4  8945FC            mov [ebp-0x4],eax
000000E7  837DFC18          cmp dword [ebp-0x4],byte +0x18
000000EB  7320              jnc 0x10d
000000ED  8B4508            mov eax,[ebp+0x8]
000000F0  0345FC            add eax,[ebp-0x4]
000000F3  0FB608            movzx ecx,byte [eax]
000000F6  8B55FC            mov edx,[ebp-0x4]
000000F9  0FB6045588120160  movzx eax,byte [edx*2+0x60011288]
00000101  33C8              xor ecx,eax
00000103  8B5508            mov edx,[ebp+0x8]
00000106  0355FC            add edx,[ebp-0x4]
00000109  880A              mov [edx],cl
0000010B  EBD1              jmp short 0xde
0000010D  5F                pop edi
0000010E  5E                pop esi
0000010F  5B                pop ebx
00000110  8BE5              mov esp,ebp
00000112  5D                pop ebp
00000113  C3                ret

and file "b" is a memory image. Place "b" at 0x60011260 and call 0x000000a0 and 0x00000000 in this order, then we can get the answer. Note that [dword 0x6001a238] may be printf(). Following python code emulates this code.

a = "1f829d233f5f5c5917f795afec2bc65e" \
  + "11eb33fe35f6f78728aaa032cea92b40" \
  + "5e42cd53e707d28d9801a1e2123754ea".decode("hex")

# 000000a0
b = [ord(x)^i for i,x in enumerate(a[::2])]

# 00000000
c = "".join(str(x%10) for x in b)
print "Bank account: "+c[:13]+"-"+c[13:]

The answer is "1615944358326-32680530047".