Sebastian's Blog

software developer. security enthusiast.

HACKvent 2019

HV19.12 back to basic

Sebastian

The zip file contained an executable named BackToBasic.exe. The program takes a flag and tells us if the flag is wrong or right.

As this was written in Visual Basic, I used VB Decompiler to decompile the executable to Basic code.

Private Sub Text1_Change() '401F80
  Dim Me As Me
  Dim var_4C As Variant
  loc_00402072: var_48 = Text1.Text
  loc_004020A6: var_34 = var_48
  loc_00402228: var_ret_7 = (Mid(var_34, 1, 1) = &H401B20) And (Mid(var_34, 2, 1) = &H401B28) And (Mid(var_34, 3, 1) = &H401B30) And (Mid(var_34, 4, 1) = &H401B38)
  loc_00402235: var_1C0 = CBool(var_ret_7)
  loc_00402280: If var_1C0 <> 0 Then GoTo loc_004024B2
  loc_004022A2: var_5C = Len(var_34)
  loc_004022B9: If (var_5C = 33) = 0 Then GoTo loc_00402486
  loc_0040230D: var_ret_8 = Len(var_34) - 1
  loc_0040232D: For var_24 = 6 To var_ret_8 Step 1
  loc_00402339: 
  loc_0040233B: If var_1D4 <> 0 Then GoTo loc_0040240B
  loc_00402375: var_154 = Asc(CStr(Mid(var_34, CLng(var_24), 1)))
  loc_00402391: call Xor(var_7C, var_15C, var_24, var_4C, Me, Me, %S_eax_S = CLng(%StkVar1), %x1 = Mid(%StkVar2, %StkVar3, %StkVar4), 00000002h)
  loc_00402398: var_ret_A = CLng(Xor(var_7C, var_15C, var_24, var_4C, Me, Me, var_ret_A = CLng(%StkVar1), %x1 = Mid(%StkVar2, %StkVar3, %StkVar4), 00000002h))
  loc_004023C5: var_44 = var_44 + Chr(var_ret_A)
  loc_00402400: Next var_24
  loc_00402406: GoTo loc_00402339
  loc_0040240B: 'Referenced from: 0040233B
  loc_00402433: If (var_44 = "6klzic<=bPBtdvff'yFI~on//N") = 0 Then GoTo loc_00402477
  loc_00402456: Label1.Caption = "Status: correct"
  loc_00402477: 'Referenced from: 00402433
  loc_00402481: GoTo loc_00402574
  loc_00402486: 'Referenced from: 004022B9
  loc_004024A7: Label1.Caption = "Status: wrong"
  loc_004024AE: If var_4C >= 0 Then GoTo loc_004024EB
  loc_004024B0: GoTo loc_004024DC
  loc_004024B2: 'Referenced from: 00402280
  loc_004024D3: Label1.Caption = "Status: wrong"
  loc_004024DA: If var_4C >= 0 Then GoTo loc_004024EB
  loc_004024DC: 'Referenced from: 004024B0
  loc_004024E5: var_4C = CheckObj(var_4C, global_00401B9C, 84)
  loc_004024EB: 'Referenced from: 004024AE
  loc_004024F4: GoTo loc_00402479
  loc_00402573: Exit Sub
  loc_00402574: 'Referenced from: 00402481
End Sub

After some reading through the lines, I found that the user input is compared with a string generated by XORing the string 6klzic<=bPBtdvff'yFI~on//N with rising numbers starting from 6 and going to 32. I wrote the following Python script to do this:

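# Encoded constant from the decompiled comparison. The byte after 'y' is
# 0x7F (DEL); it is non-printable, so it is written as an escape here.
data = "6klzic<=bPBtdvff'y\x7fFI~on//N"

for i in range(len(data)):
    c = i + 6                  # key starts at 6, the first position after "HV19{"
    at_pos = ord(data[i])
    at_pos = at_pos ^ c        # XOR is its own inverse, so this decodes
    print(chr(at_pos), end='')
print()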

This gives us 0ldsch00l_Revers1ng_Sess10n. So the flag is HV19{0ldsch00l_Revers1ng_Sess10n}.
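
As an added example (not part of the original post or the challenge binary), here is a Python model of the check in the decompiled Text1_Change routine, used to confirm that the recovered flag passes it. It assumes the four constants at &H401B20 to &H401B38 are the characters of "HV19"; the function names are hypothetical.

```python
# Added example: Python model of the check in the decompiled Text1_Change.
# ASSUMPTION: the constants at &H401B20..&H401B38 are the characters "HV19".
PREFIX = "HV19"
# Target of the final comparison. Index 18 is 0x7F (DEL), a non-printable
# byte, which is why the string as displayed looks one character short.
TARGET = "6klzic<=bPBtdvff'y\x7fFI~on//N"


def transform(text: str) -> str:
    """XOR the characters at 1-based positions 6..Len-1 with their position."""
    out = []
    for pos in range(6, len(text)):      # VB: For var_24 = 6 To Len(var_34) - 1
        out.append(chr(ord(text[pos - 1]) ^ pos))   # Mid() is 1-based
    return "".join(out)


def check(text: str) -> bool:
    """Return True where the program would show 'Status: correct'."""
    if text[:4] != PREFIX:               # prefix test at loc_00402228
        return False
    if len(text) != 33:                  # length test at loc_004022B9
        return False
    return transform(text) == TARGET     # comparison at loc_00402433


def recover() -> str:
    """Invert the XOR: TARGET index i corresponds to input position i + 6."""
    inner = "".join(chr(ord(ch) ^ (i + 6)) for i, ch in enumerate(TARGET))
    return PREFIX + "{" + inner + "}"


if __name__ == "__main__":
    flag = recover()
    print(flag, check(flag))
    # Show which bytes of TARGET are lost when it is rendered as text.
    print(len(TARGET), [hex(ord(c)) for c in TARGET if not c.isprintable()])
```
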
