So we solved the first document and then they give us this… Document #2 (hash: ACCDF64EB1E96BE5A7C5F23DB6A74B88869E4F6C3B46D41F80B3063BF79AD05E)

So again, run it through FileId tool and get the VBA code out (using the XML or JSON output options).

Sub AutoOpen()
'
' crackme Macro
'
'
UserForm1.Show
End Sub

and

Private Sub button_Click()
x = suchcrypto(key.Text, "General Vidal")
If x = "171,184,42,184,88,26,47,154,20,219,203,130,52,19,180,214,156,94,186,74,30,248,119,235,139,130,175,141,179,197,8,204,252," Then
MsgBox "Wow. Good Job! Such crack."
Else
MsgBox "U can do. Try harder..."
End If
End Sub
Function suchcrypto(sMessage, strKey)
Dim kLen, x, y, i, j, temp
Dim s(256), k(256)
kLen = Len(strKey)
For i = 0 To 255
s(i) = i
k(i) = Asc(Mid(strKey, (i Mod kLen) + 1, 1))
Next
j = 0
For i = 0 To 255
j = (j + k(i) + s(i)) Mod 256
temp = s(i)
s(i) = s(j)
s(j) = temp
Next
x = 0
y = 0
For i = 1 To 3072
x = (x + 1) Mod 256
y = (y + s(x)) Mod 256
temp = s(x)
s(x) = s(y)
s(y) = temp
Next
For i = 1 To Len(sMessage)
x = (x + 1) Mod 256
y = (y + s(x)) Mod 256
temp = s(x)
s(x) = s(y)
s(y) = temp
suchcrypto = suchcrypto & (s((s(x) + s(y)) Mod 256) Xor Asc(Mid(sMessage, i, 1))) & ","
Next
End Function

ok, so we show a form, get user input and then run the “button_Click” subroutine…but look, we know what the answer should be when we read the IF statement. So basic algebra here…we know one of the two inputs, we have the function, and we know the output….we can brute force…

ugh, brute forcing…and in VBA…ok if I have to…sigh. In retrospect, I can think of several other ways to attack this “crypto” other than brute forcing, but that’s what I did in the moment.

Sub BruteEnForcer()
ans = "171,184,42,184,88,26,47,154,20,219,203,130,52,19,180,214,156,94,186,74,30,248,119,235,139,130,175,141,179,197,8,204,252,"
k = "General Vidal"
msg = ""
Do
' TODO: choose the next candidate msg here
Loop Until suchcrypto(msg, k) = ans
End Sub

ok, so now we have a simple logic/programming problem. We know what the result will be, but how can we figure out what the msg variable should be? How do we know when we are even close…are we going to iterate over all possible typable strings until we find a match? No, well we could, but no just no. You’ll notice there are a bunch of commas in the ‘answer’ string, and based on the ‘decryption’ code it appends a comma after iterating over each letter in the message. So let’s make that answer an array and go character by character until we get matches. I’m also going to limit it to alphanumeric characters, unless that doesn’t work. I would post the brute forcing code that I used, but I didn’t save it…so here’s some code that might work:

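Sub BruteEnForcer()
ans = "171,184,42,184,88,26,47,154,20,219,203,130,52,19,180,214,156,94,186,74,30,248,119,235,139,130,175,141,179,197,8,204,252,"
k = "General Vidal"
ansArry = Split(ans, ",")
msg = ""
' Split() returns a 0-based array, so the first output value is at index 0
leng = 0
Do
found = False
' Try every printable ASCII character for the next position
For i = 32 To 126
tmpMsg = msg & Chr(i)
tmp = Split(suchcrypto(tmpMsg, k), ",")
If tmp(leng) = ansArry(leng) Then
msg = tmpMsg
leng = leng + 1
found = True
Exit For
End If
Next i
' Nothing matched at this position: stop instead of looping forever
If Not found Then Exit Do
Loop Until suchcrypto(msg, k) = ans
MsgBox msg
End Sub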

which when run gives us the following output:

PAN{L4$t_Night_@f@iry_Vizited_M3}

gee that looks like it might be it…

BOOM

and we move on to doc #3
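
One of the "other ways" that avoids guessing altogether, as an added example that is not the original author's code: suchcrypto is RC4 with the first 3072 keystream bytes discarded, and an XOR stream cipher is its own inverse, so the comparison string can be decrypted directly. The Python port below assumes the typed text is single-byte (Latin-1) characters; the function names `keystream` and `recover` are made up for this sketch.

```python
# Added example: direct decryption of the crackme's comparison string.
# TARGET and KEY are copied from button_Click on the page.
TARGET = ("171,184,42,184,88,26,47,154,20,219,203,130,52,19,180,214,156,"
          "94,186,74,30,248,119,235,139,130,175,141,179,197,8,204,252,")
KEY = "General Vidal"


def keystream(key: bytes, n: int, drop: int = 3072) -> bytes:
    """RC4 keystream the way suchcrypto builds it: KSA, discard `drop` bytes, keep n."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling (first two VBA loops)
        j = (j + key[i % len(key)] + s[i]) % 256
        s[i], s[j] = s[j], s[i]
    x = y = 0
    out = bytearray()
    for step in range(drop + n):              # 3072-round warm-up, then real output
        x = (x + 1) % 256
        y = (y + s[x]) % 256
        s[x], s[y] = s[y], s[x]
        if step >= drop:
            out.append(s[(s[x] + s[y]) % 256])
    return bytes(out)


def suchcrypto(message: str, key: str, drop: int = 3072) -> str:
    """Python port of the VBA function: XOR with the keystream, emit 'n,n,n,' text."""
    data = message.encode("latin-1")          # assumption: one byte per character
    ks = keystream(key.encode("latin-1"), len(data), drop)
    return "".join(f"{m ^ k}," for m, k in zip(data, ks))


def recover(target: str, key: str, drop: int = 3072) -> str:
    """Invert suchcrypto: parse the numbers and XOR them with the same keystream."""
    cipher = bytes(int(n) for n in target.split(",") if n)
    ks = keystream(key.encode("latin-1"), len(cipher), drop)
    return bytes(c ^ k for c, k in zip(cipher, ks)).decode("latin-1")


if __name__ == "__main__":
    text = recover(TARGET, KEY)
    print(text)
    # Re-encrypting the recovered text must reproduce the macro's check string.
    print(suchcrypto(text, KEY) == TARGET)
```

The same property is why the character-by-character brute force works: each output number depends only on the keystream position and one input character.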
