keygenme-py [picoCTF]

Surya Dev Singh
3 min read, Dec 23, 2021

Category: Reverse Engineering

PicoCTFs

We only get one Python file, keygenme-trial.py.

When running the program, it asks for the license key (among some other options). After we enter a license key, it calls the check_key() function [see below], which tests the key with a series of conditional statements.

def check_key(key, username_trial):
    global key_full_template_trial

    if len(key) != len(key_full_template_trial):
        return False
    else:
        # Check static base key part --v
        i = 0
        for c in key_part_static1_trial:
            if key[i] != c:
                return False
            i += 1

        # TODO : test performance on toolbox container
        # Check dynamic part --v
        if key[i] != hashlib.sha256(username_trial).hexdigest()[4]:
            return False
        else:
            i += 1

        if key[i] != hashlib.sha256(username_trial).hexdigest()[5]:
            return False
        else:
            i += 1

        if key[i] != hashlib.sha256(username_trial).hexdigest()[3]:
            return False
        else:
            i += 1

        if key[i] != hashlib.sha256(username_trial).hexdigest()[6]:
            return False
        else:
            i += 1

        if key[i] != hashlib.sha256(username_trial).hexdigest()[2]:
            return False
        else:
            i += 1

        if key[i] != hashlib.sha256(username_trial).hexdigest()[7]:
            return False
        else:
            i += 1

        if key[i] != hashlib.sha256(username_trial).hexdigest()[1]:
            return False
        else:
            i += 1

        if key[i] != hashlib.sha256(username_trial).hexdigest()[8]:
            return False

        return True

By manually analysing the code we can see that the license key is made up of
static part + dynamic part + static part
The dynamic part is what we have to work out to complete the key.
We can recover the dynamic part from the conditional statements of the check_key() function.
After analysing the code we can say the dynamic part of our key consists of the characters at positions 4, 5, 3, 6, 2, 7, 1, 8 (in that order) of the string generated by hashlib.sha256(b"GOUGH").hexdigest().

(screenshot: output of hashlib.sha256(b"GOUGH").hexdigest())

dynamic part = f911a461
So by combining the two static parts and the one dynamic part we get the flag:

"picoCTF{1n_7h3_|<3y_of_" + "f911a461" + "}" = picoCTF{1n_7h3_|<3y_of_f911a461}

You can also use the Python script below to generate the flag.


import hashlib

# Global variables taken from keygenme-trial.py
bUsername_trial = b"GOUGH"
key_part_static1_trial = "picoCTF{1n_7h3_|<3y_of_"
key_part_dynamic1_trial = "xxxxxxxx"
key_part_static2_trial = "}"

# Rebuild the dynamic part from the sha256 digest of the username
key_part_dynamic1_trial = ""
s = hashlib.sha256(bUsername_trial).hexdigest()
# Digest positions in the order check_key() tests them
l = [4, 5, 3, 6, 2, 7, 1, 8]
for i in l:
    key_part_dynamic1_trial += s[i]

flag = key_part_static1_trial + key_part_dynamic1_trial + key_part_static2_trial
print()
print(flag)

Now this is the flag as well as the key for Fernet (we can also confirm this because the flag is 32 characters long, and 32 is the required key length for Fernet).
This key (the flag) is then passed to Fernet's decrypt method, which decrypts the full_version code; the decrypted data (which is actually Python code) is then written to keygenme.py in the current working directory.

THANK YOU FOR READING MY WRITE UP !! 👊👊

Please support me by following me on Medium: https://surya-dev.medium.com/

You can also subscribe to me 🙌 on YouTube: I post walkthroughs and other ethical hacking related videos there.

Surya Dev Singh

Enthusiastic cyber security learner and penetration tester / ethical hacker, Python programmer; in my free time you will find me solving CTFs.