Sunday, December 11, 2016

Cybersocks Regional 2016 - Challenge 1 - Write-Up


File : https://drive.google.com/open?id=0B_TlESfLlYGQY05TWmlNSHhXS1k

Unfortunately, we didn't manage to solve this question while at the competition. So to redeem the 'sin' here is the write-up.

We were given a raw file (encrypt.bin) somewhat over 1 GB in size.

Running the 'file' command on it doesn't tell us anything useful.
shahril:ch1$ file encrypt.bin 
encrypt.bin: data

So back to the basic! View it using any hex editor.



There are a lot of 'A' characters there. If you scroll further, you will see that there are many chunks of bytes consisting only of 'A' characters.

Maybe this file has been XORed with the 'A' character? This makes sense: if the original file has a lot of zero bytes, and each of those zero bytes is XORed with 'A', the result is always 'A' as well. This assumption works on a lot of files, but not all (it will not work on a file containing randomly generated bytes).
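As an added example (not the author's code), the observation above can be turned into an automatic check: take the most frequent byte of the file as the key candidate, report how dominant that byte is (a low share means the "mostly zero bytes" assumption does not hold), and verify the candidate by decoding the first bytes and comparing them with the VMware 'KDMV' magic that the decoded file turns out to carry later in this post. The sample buffer is constructed inline; the tool name guesskey is made up.

```c
#include <stdio.h>
#include <string.h>

/* Most frequent byte in buf and its share of all bytes (0.0 to 1.0).
 * If the original was mostly zero bytes (a sparse disk image usually is), the
 * most frequent byte of the XORed file is the key itself: 0x00 ^ key == key.
 * A low share means the guess is unreliable (compressed or random data). */
unsigned char guess_xor_key(const unsigned char *buf, size_t len, double *share) {
    size_t counts[256] = {0};
    unsigned char best = 0;
    for (size_t i = 0; i < len; i++) counts[buf[i]]++;
    for (int b = 1; b < 256; b++)
        if (counts[b] > counts[best]) best = (unsigned char)b;
    if (share) *share = len ? (double)counts[best] / (double)len : 0.0;
    return best;
}

/* Does the buffer, decoded with key, start with the VMware 'KDMV' magic? */
int decodes_to_vmdk(const unsigned char *enc, size_t len, unsigned char key) {
    const unsigned char magic[4] = {'K', 'D', 'M', 'V'};
    if (len < 4) return 0;
    for (int i = 0; i < 4; i++)
        if ((unsigned char)(enc[i] ^ key) != magic[i]) return 0;
    return 1;
}

/* Constructed sample (not the challenge file): 'KDMV' header, zeros after it,
 * the whole thing XORed with key. Fills out[0..len) and returns len. */
size_t build_sample(unsigned char *out, size_t len, unsigned char key) {
    memset(out, 0, len);
    if (len >= 4) memcpy(out, "KDMV", 4);
    for (size_t i = 0; i < len; i++) out[i] ^= key;
    return len;
}

/* Usage: ./guesskey encrypt.bin -- reads the first 1 MiB and reports the guess. */
int main(int argc, char **argv) {
    static unsigned char head[1 << 20];
    if (argc < 2) { fprintf(stderr, "usage: %s <file>\n", argv[0]); return 1; }
    FILE *fi = fopen(argv[1], "rb");
    if (!fi) { perror("fopen"); return 1; }
    size_t n = fread(head, 1, sizeof head, fi);
    fclose(fi);
    double share; unsigned char key = guess_xor_key(head, n, &share);
    printf("key guess: 0x%02x ('%c'), share %.1f%%, VMDK magic after decode: %s\n",
           key, (key >= 0x20 && key < 0x7f) ? key : '.', share * 100,
           decodes_to_vmdk(head, n, key) ? "yes" : "no");
    return 0;
}
```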

However, we have another problem. A lot of the XOR-decoding tools available on the internet can't handle such a big file when XORing it back to the original. Most of the tools that I tried threw a "Memory exhausted" or similar error before the operation finished. My guess is that most of those tools keep the entire XORed result in memory before writing it to disk.

So, how do we deal with that problem? We write our own decoding program. It shouldn't be that hard.


#include <stdio.h>

/*
 * Thanks Shahriman Caah for the recommendation
 * that using C is faster for large IO operation
 */

int main() {

    char buf[1024];
    size_t bRead;
    long filesize, done = 0;      // long: an int overflows for files over 2 GB
    FILE *fi = fopen("./encrypt.bin", "rb");   // binary mode, no newline translation
    FILE *fo = fopen("./out.bin", "wb");
    char xor_key = 'A';

    if (fi == NULL || fo == NULL) {
        perror("fopen");
        return 1;
    }

    // get filesize
    fseek(fi, 0, SEEK_END); // seek to end
    filesize = ftell(fi);
    fseek(fi, 0, SEEK_SET); // seek back to beginning

    // decode chunk by chunk, so only 1 KiB is ever held in memory
    while ((bRead = fread(buf, sizeof(char), sizeof(buf), fi)) > 0) {
        for (size_t x = 0; x < bRead; x++) buf[x] = buf[x] ^ xor_key;
        fwrite(buf, sizeof(char), bRead, fo);
        done += bRead;
        printf("\r%.4lf%%", (double)done / filesize * 100);
    }

    fclose(fi);
    fclose(fo);
    printf("\nAll finished!\n");
    return 0;
}

Let's look again,

shahril:ch1$ ls
bce2a76d4b0804b0cc01cb8f8385b7fb_.7z  encrypt.bin  xor.py

We have the code; compile it and then run it,

shahril:ch1$ gcc xor.c -o xor -O3
shahril:ch1$ time ./xor
100.0000%
All finished!

real    0m4.309s
user    0m1.160s
sys     0m0.952s

Take a look again at the 'out.bin' file using a hex editor.


You must be kidding me!!! (pun intended) The header now shows 'KDMV' and there is some junk data below it!!!

So run the `file` command again,

shahril:ch1$ file out.bin 
out.bin: VMware4 disk image

It is obvious now.

Without further ado, load it up using VirtualBox.


While VirtualBox loads it up, this loading wallpaper appears,


What a memory!!

After the desktop appears, there is a flag.txt file inside it. Could it contain the flag? (tradam-dam-dam)

Arghhh, what again?!! (pun intended)


So finally! We have the final flag `do_you_like_ransomware?`.

Till we meet again. :)
Regards.

Tuesday, December 6, 2016

KPMG Cyber Security Challenge 2016 - Questions Uploaded (Unofficial)

We have managed to collect some of the questions from the recent competition. So in the spirit of "Sharing is Caring", we've uploaded all the questions that we have to Google Drive, just in case anyone wants to try this year's questions in the future.

Questions :
https://drive.google.com/open?id=0B_TlESfLlYGQdnV5ZVVDUTdTNHM

For the write-ups, you can try to look at the previous post from Mokhdzani :
https://justanotherctfnewbie.blogspot.com/2016/11/kpmg-cyber-security-challenge-2016.html

The repository isn't complete with all the questions, though. So if you have questions that we don't and want to contribute, please don't hesitate to contact me: mohd_shahril_96 [at] yahoo [.] com. I'll gladly add them to the repo. :)

Regards.