Ph0wn 2023 - Light weight but heavy duty
Pico le Croco, in need of securing his luxurious jacuzzi installation, enlisted the services of a renowned cryptographer, who goes by the name Lars Bogdanov, or something along those lines. Can you crack the algorithm designed to protect the jacuzzi’s remote control?
Bonus for 1st solve: 50
Ghidra was not able to find the main function directly, but fortunately radare2 does:
Now let’s open it in Ghidra:
The first two checks are on the number of arguments and on the length of the second argument. For example, the second one passes if sVar1 * 0x7477 - 0x6569 == 0x97ef % 0x10001. Thus we can recover the value of sVar1 with Sage:
Meaning that the parameter needs to be 40 bytes long.
Then the loop applies the function FUN_000105f8 to 8-byte blocks until it reaches the end of the input. When we looked at the function, it seemed to be a cryptographic operation. We went back to the description of the challenge, and if you search for "Bogdanov, Lars cipher" you quickly find the block cipher PRESENT. We then confirmed that the function implements PRESENT: it runs 31 rounds, it uses the PRESENT S-box, and it loads a 10-byte key (the 80-bit variant).
At the end of the block encryption the result is compared with a value in the code at address
0x113b4. The value can be recovered in radare2:
If it matches, the program displays the string "\nWell done!\n\n".
The key is passed as the third parameter of the function and is a pointer to the function main itself, so the first 10 bytes of main's code are the key. This is a nice anti-debug trick: a software breakpoint on main overwrites those code bytes, so you would get a wrong decryption. We can easily recover the key:
Since we have the encrypted value and the key, we can decrypt everything in Sage:
Then we got the flag.
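As an added example (not the write-up's Sage code), here is a compact pure-Python PRESENT-80 with the same three traits used above to recognise the cipher (31 rounds, the PRESENT S-box, a 10-byte key), plus the per-8-byte-block decryption the challenge's loop performs. The big-endian byte order and the sample key in the comments are assumptions, since the write-up does not give the binary's load order or the key bytes.

```python
# Added example (not the write-up's Sage code): PRESENT-80 in pure Python,
# recognisable by the traits the write-up used to identify it:
# 31 rounds, the PRESENT S-box, and an 80-bit (10-byte) key.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(i) for i in range(16)]
# pLayer: state bit i moves to position 16*i mod 63; bit 63 stays put.
PBOX = [(16 * i) % 63 if i < 63 else 63 for i in range(64)]
PBOX_INV = [PBOX.index(i) for i in range(64)]
MASK80 = (1 << 80) - 1

def round_keys_80(key):
    """Key schedule: 32 round keys from an 80-bit key (the last is post-whitening)."""
    keys = []
    for i in range(1, 33):
        keys.append(key >> 16)                                   # leftmost 64 bits of the register
        key = ((key << 61) | (key >> 19)) & MASK80               # rotate the register left by 61
        key = (SBOX[key >> 76] << 76) | (key & ((1 << 76) - 1))  # S-box on the top nibble
        key ^= i << 15                                           # XOR round counter into bits 19..15
    return keys

def sbox_layer(state, box):
    return sum(box[(state >> (4 * j)) & 0xF] << (4 * j) for j in range(16))

def p_layer(state, perm):
    return sum(((state >> i) & 1) << perm[i] for i in range(64))

def encrypt_block(pt, key):
    keys = round_keys_80(key)
    state = pt
    for rk in keys[:31]:                     # 31 rounds of addRoundKey, sBoxLayer, pLayer
        state = p_layer(sbox_layer(state ^ rk, SBOX), PBOX)
    return state ^ keys[31]                  # final key addition

def decrypt_block(ct, key):
    keys = round_keys_80(key)
    state = ct ^ keys[31]
    for rk in reversed(keys[:31]):           # undo the rounds in reverse order
        state = sbox_layer(p_layer(state, PBOX_INV), SBOX_INV) ^ rk
    return state

def decrypt_ecb(data, key):
    """Decrypt consecutive 8-byte blocks, as the challenge's loop does over its 40-byte input.
    Big-endian byte order is an assumption; the binary's actual load order is not given."""
    assert len(data) % 8 == 0 and len(key) == 10
    k = int.from_bytes(key, "big")
    return b"".join(decrypt_block(int.from_bytes(data[i:i + 8], "big"), k).to_bytes(8, "big")
                    for i in range(0, len(data), 8))
```

With the real key (the first 10 bytes of main) and the 40-byte expected value read from the binary, decrypt_ecb returns the flag; flipping a single key byte, as a breakpoint on main would, yields garbage instead.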
Another description and a solution of this challenge are available in the Ph0wn Mag Issue #1