Switch branches/tags
Nothing to show
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


DEFKTHON CTF: Reversing 100


Hackers are Here


This write-up is made by the HacknamStyle CTF team.

First we want to know the type of file we are dealing with. On Linux file 100.exe returns that it's a .NET assembly. If you open it in IDA you will also be told it's a .NET program. For a bit of background, there's also TrID to identify file types, PROTECTiON iD to detect binary packets, the older PEiD, etc.

I used IDA to view the .NET intermediate language instructions, and JetBrains dotPeek to disassemble the code. After removing all useless code dotPeek shows the following:

private void pictureBox1_Click(object sender, EventArgs e)
    int num1 = (int) MessageBox.Show([...]);
    int num2 = 1337;
    int num3 = 0;
    int num4 = int.Parse(string.Concat(new object[4]
      (object) "121299999999999999999999999999999999999B0wB4me4iamr",
      (object) num3,
      (object) num3,
      (object) "t99999999999999999999999999999999999999"
    string str = (string) (object) num2 + (object) num4.ToString();
    for (int index = 0; index <= num4; ++index)
      num4 = num4 + (num2 ^ 1337) + num2 * 2000 / 1337 / 1337 / 24;
  catch { }

public void Usehint() { }

private void InitializeComponent()
  this.label1.Location = new Point(701, 242);
  this.label1.Text = "      key is md5(sha1)";

We see the hint key is md5(sha1), which is not visible when running the program because the position of the label is outside the window. So we need to find a key and calculate the MD5 and SHA1 hash of it. Though the Usehint() function appears empty, in IDA we can see that it actually loads a string but does nothing with it:

.method public hidebysig instance void Usehint() // CODE XREF: pictureBox1_Click
  .maxstack 1
  .locals init (string V0)
  ldstr    "get_key_from_hint"

So the last place to look for this hint is the horribly coded pictureBox1_Click function. Do we somehow have to fix this function and run it? Because now it throws exceptions. Staring at it a bit longer, the string constructed by the program contains B0wB4me4iamr00t. This is the key. I know, it doesn’t make much sense…

The solution becomes:

$ echo -n "B0wB4me4iamr00t" | sha1sum
9df54a6411ed678cdc925b26794052a882830c25  -
echo -n "9df54a6411ed678cdc925b26794052a882830c25" | md5sum

The solution is 58b4d49e5489be09fc409e4c0b5e66ad.

Other write-ups and resources