Sep 21

hack.lu CTF 2011 Simplexor (200)

Category: crypto

To get a better security we decided to encrypt our most secret document with the secure xor-algorithm. Unfortunately we lost the key. Now we are sad. Can you help us recover the key?

Summary: recovering a multibyte XOR key using autocorrelation

As the task text says, the file was XORed, so we should use my xortool, CrypTool, or any similar tool.

First, we’ll decode base64:

$ base64 -d simplexor.txt >ciphertext.bin

Now, let’s try xortool:

$ xortool ciphertext.bin 
Probable key lengths:
   2:   4.9 %
   4:   7.3 %
   6:   4.8 %
   8:   9.5 %
  10:   4.8 %
  12:   7.1 %
  14:   4.9 %
  16:   14.1 %
  18:   4.8 %
  20:   7.1 %
  22:   4.9 %
  24:   9.2 %
  26:   4.8 %
  28:   7.0 %
  30:   4.8 %
Key-length can be 4*n
Most possible char is needed to guess the key!

OK, we see that 16 is the most probable key length. Checking it (with -c 20 telling xortool that the most frequent plaintext byte is 0x20, a space) gives a plausible-looking key but garbage output:

$ xortool ciphertext.bin -c 20
Probable key lengths:
...
1 possible key(s) of length 16:
WklF6e5TEc5XmEG8

$ xxd xortool_out/0_WklF6e5TEc5XmEG8 | head
0000000: 2e72 4b08 367f 3e03 1646 4700 6054 7f32  .rK.6.>..FG.`T.2
0000010: 2e38 512f 6320 7435 2020 2020 2020 2020  .8Q/c t5        
0000020: 2d04 2020 200f 5623 0829 2d10 2f65 450d  -.   .V#.)-./eE.

The problem is that the key looks to be longer. By default xortool only tries key lengths smaller than 32, so we should force it to consider lengths up to, say, 257:

$ xortool ciphertext.bin -m 257 -c 20
...
Key-length can be 4*n
1 possible key(s) of length 64:
WvhnPry60NRl41weWY7IueaAEc5XmEG8ZOlF6JCWmj8hbvmYkkwFox5Tz1HLvdKl

We see that it chose 64 out of 257 candidate lengths, which means we are on the right track. Let's check the output:

$ head xortool_out/0_*
.oO Phrack 49 Oo.

                          Volume Seven, Issue Forty-Nine
                                     
                                  File 14 of 16

                      BugTraq, r00t, and Underground.Org
                                   bring you

                     XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Here it is! Obviously we should try the XOR key as the flag.

The flag: WvhnPry60NRl41weWY7IueaAEc5XmEG8ZOlF6JCWmj8hbvmYkkwFox5Tz1HLvdKl
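As an added illustration (not part of the original write-up and not xortool's own code), here is a minimal Python re-implementation of the two steps xortool performs above: scoring candidate key lengths by their coincidence rate, and recovering each key byte from its ciphertext column by assuming the most frequent plaintext byte is a space. The plaintext, key and ciphertext below are constructed for the example.

```python
from collections import Counter

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (encryption and decryption are the same)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def coincidence(data: bytes, n: int) -> float:
    """Fraction of positions whose byte equals the byte n places later.
    At the true key length (and its multiples) identical plaintext bytes sit
    under identical key bytes, so the rate is noticeably higher."""
    pairs = len(data) - n
    return sum(data[i] == data[i + n] for i in range(pairs)) / pairs

def guess_key_length(data: bytes, max_len: int = 32) -> int:
    """Smallest length whose coincidence rate is close to the best one;
    multiples of the period score about as well (the "4*n" effect above).
    A key longer than max_len is never found, hence the post's -m 257."""
    scores = {n: coincidence(data, n) for n in range(1, max_len + 1)}
    best = max(scores.values())
    return min(n for n, s in scores.items() if s >= 0.8 * best)

def recover_key(data: bytes, key_len: int, most_common: int = 0x20) -> bytes:
    """Each key byte hits every key_len-th ciphertext byte; the most frequent
    byte in that column is assumed to be most_common (0x20, xortool's -c 20)."""
    key = bytearray()
    for col in range(key_len):
        top = Counter(data[col::key_len]).most_common(1)[0][0]
        key.append(top ^ most_common)
    return bytes(key)

def solve(data: bytes, max_len: int = 32):
    """Full pipeline: (guessed key length, recovered key)."""
    n = guess_key_length(data, max_len)
    return n, recover_key(data, n)

# Constructed sample: a space-heavy Phrack-style header, repeated so the
# statistics are stable, XORed with the 16-byte string xortool first
# proposed above (here it is the real key of the sample, not the flag).
KEY = b"WklF6e5TEc5XmEG8"
PLAINTEXT = (b".oO Phrack 49 Oo.\n" + b" " * 26 + b"Volume Seven, Issue Forty-Nine\n"
             + b" " * 34 + b"File 14 of 16\n") * 20
CIPHERTEXT = xor_bytes(PLAINTEXT, KEY)

if __name__ == "__main__":
    n, key = solve(CIPHERTEXT)
    print(n, key)                                    # 16 b'WklF6e5TEc5XmEG8'
    print(xor_bytes(CIPHERTEXT, key)[:18].decode())  # .oO Phrack 49 Oo.
```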

4 comments

  1. magnus says:

    Nice online-Cracker: https://chris.dod.net/xor/xor.php

  2. FlUxIuS says:

    Instead of xortool, you also have an online tool using the default kappa of the ASCII standard, alpha and delta threshold: http://chris.dod.net/xor/xor.php

    But it fails a little bit at guessing the key length ^^.

    ==> I know… this one sounds a bit too lazy…

    Congratz! =)

  3. hellman says:

    thx for the link guys!

  4. Write-up CTF Hack.lu 2011 : « SimpleXOR » | Hat Hacker says:

    […] can also take a look at the Leet More writeup, which solved this CTF with XORtool: Link. SimpleXor […]
