I’ve signed up for the Hackvent event made by the guys from www.hacking-lab.com, which is an advent-like hacking competition. Every day a new challenge is posted at midnight which has to be solved, at best, the same day, the challenges becoming increasingly difficult with every week completed. The aim in every puzzle is to find either a qr-encoded x-mas ball which leads to the validation code, or a secret human-readable string which gives you the former ball when fed into a validator (the “Ball-O-Matic”).
Here’s the write-up for the challenge at day 16, in which we will unroll snakes.
Rolling in the Ophideep Part :
For the Day 16 Hackvent challenge, we were given the following instructions :
The linked resource is a .pyc file, which is a Python bytecode program. It’s fairly straightforward to decompile it - I’ve used uncompyle - to get readable source code :
By looking at the source, I can tell there is a ‘gift’ - which is in fact a qr-ball - encrypted in the base64 string called ‘wrappedPresent’ using AES, and we have to find the correct password, consisting of ‘pins’ (i.e. numbers). There are a bunch of conditions the pins have to follow, which will help us limit the password search space.
Spiraling Into the Center Part :
The first two conditions tell us we are looking for a combination of four 6-digit numbers. However, that still leaves a good 10e24 combinations, which is not easy to bruteforce.
This instruction is much more interesting :
We now know every bit over 16 for each of the pins. Now our search space is “only” 4*16=64 bits.
In order to restrict the key space, I’ve focused initially on pin 0 and pin 1, called respectively ‘x’ and ‘y’ :
And I use only the valid (x,y) tuples to check for the rest of the conditions :
I’ve got only two working quadruplets : (251210,130385,424242,565581) and (251214,130389,424242,565581), one of which decrypts the attached qr-ball.
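
The staged search described above, as an added example that is not the author's solver and does not use the challenge's real conditions: the planted pins, the prime 65521 and the four relations are constructed stand-ins. It fixes the known high bits, guesses the low 16 bits of x, derives y from a pair relation, and extends only the surviving (x, y) pairs to the remaining two pins.

```python
"""Staged search over four 6-digit pins whose bits above bit 15 are known.

The puzzle below is CONSTRUCTED: the planted pins and the relations are
stand-ins chosen for this example, not the Hackvent challenge's conditions.
"""
P = 65521                                      # largest prime below 2**16
PLANTED = (234567, 123456, 456789, 567890)     # constructed solution
HIGH = tuple(p >> 16 for p in PLANTED)         # the known upper bits
K_XOR = (PLANTED[0] ^ PLANTED[1]) & 0xFFFF     # relation on (x, y)
K_MUL = PLANTED[0] * PLANTED[1] % P            # relation on (x, y)
K_Z = PLANTED[0] * PLANTED[2] % P              # relation on (x, z)
K_SUM = sum(PLANTED) & 0xFFFF                  # relation on all four pins


def pin(index, low):
    """Rebuild a pin from its known high bits and a guessed low 16 bits."""
    value = (HIGH[index] << 16) | low
    return value if 100000 <= value <= 999999 else None


def check(pins):
    """Every stand-in condition at once, as a naive 2**64 search would test."""
    x, y, z, w = pins
    return (all(100000 <= p <= 999999 and p >> 16 == h for p, h in zip(pins, HIGH))
            and (x ^ y) & 0xFFFF == K_XOR and x * y % P == K_MUL
            and x * z % P == K_Z and sum(pins) & 0xFFFF == K_SUM)


def valid_pairs():
    """Stage 1: 2**16 guesses for x; y follows from the XOR relation."""
    for low in range(1 << 16):
        x, y = pin(0, low), pin(1, low ^ K_XOR)
        if x and y and x * y % P == K_MUL:
            yield x, y


def solve():
    """Stage 2: only surviving (x, y) pairs are extended to z, then w."""
    found = []
    for x, y in valid_pairs():
        for low in range(1 << 16):
            z = pin(2, low)
            if z is None or x * z % P != K_Z:
                continue
            w = pin(3, (K_SUM - x - y - z) & 0xFFFF)  # w's low bits are forced
            if w is not None:
                found.append((x, y, z, w))
    return found
```

Each stage costs 2**16 guesses per surviving candidate instead of 2**64 for the joint search, and any quadruplets left over would still have to be tried against the ciphertext.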