FDCA Xmas 2024 Day 10 - The Jotun Lockdown
Challenge Description
Original (Danish), translated to English:
The giants have caused chaos in Asgard by hacking an important server and encrypting essential files with their ransomware. They demand a ransom to release them, but fortunately they made mistakes in their code, which makes it far from impenetrable.
During the investigation, both the ransomware program and an encrypted file were found.
Warning: the ransomware program is live malware and can perform harmful actions. Examine it only in a secure, isolated environment, for example a virtual machine without a network connection.
File
We are also given a password-protected archive, Ragnarok.zip:
Password: infected
Solution
Unzipping the file we get an exe and the encrypted file:
$ unzip Ragnarok.zip
Archive: Ragnarok.zip
[Ragnarok.zip] Ragnarok/flag.txt.ragnarok password:
extracting: Ragnarok/flag.txt.ragnarok
inflating: Ragnarok/Ragnarok.exe
Using Cutter, I found the following loop in fcn.00401160 (decompiler output):
for (var_20h = 0; (uint32_t)var_20h < var_14h; var_20h = var_20h + 1) {
    // add the matching byte of the repeating 9-byte key to each buffer byte, mod 256
    *(char *)(var_18h + var_20h) =
        (char)(((int32_t)*(char *)(var_18h + var_20h)
                + (int32_t)"Jotunheim"[(uint32_t)var_20h % 9]
               ) % 0x100);
}
Each byte of the file is shifted by the corresponding byte of the fixed, repeating nine-byte key "Jotunheim" (mod 256). There is no per-victim key and no nonce, so subtracting the same key byte again restores the plaintext and gives us the flag:
with open('flag.txt.ragnarok', 'rb') as fp:
    encflag = fp.read()

decflag = b''
for i, c in enumerate(encflag):
    # undo the byte-wise add: subtract the matching key byte, wrapping at 256
    decflag += ((c - b'Jotunheim'[i % 9]) % 0x100).to_bytes(1, 'big')
print(decflag)
$ python solve.py
b'FDCA{n0_r4ns0m_4_j07un}'
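The same cipher re-implemented below, as an added example that is not the challenge author's code or the page's solve script, together with a known-plaintext key-recovery routine. It shows why a static repeating additive key is fatal for ransomware: if any single file survives in clear (or in a backup), the key falls out of (ciphertext - plaintext) mod 256 without ever opening the binary, and the routine also refuses to "recover" a key it cannot confirm from too little known plaintext. The key constant comes from the decompiled loop above; the sample plaintext, the `recover_key` and `original_name` helpers, and the assumption that the ransomware only appends `.ragnarok` to the file name are mine.

```python
import os
from typing import Optional

# Key hardcoded in Ragnarok.exe (fcn.00401160). Everything below is an added
# re-implementation, not code from the sample or from the challenge author.
KEY = b"Jotunheim"


def ragnarok_encrypt(data: bytes, key: bytes = KEY) -> bytes:
    """Forward direction of the decompiled loop:
    out[i] = (in[i] + key[i % len(key)]) % 256."""
    return bytes((b + key[i % len(key)]) % 0x100 for i, b in enumerate(data))


def ragnarok_decrypt(data: bytes, key: bytes = KEY) -> bytes:
    """Inverse: subtract the same repeating key byte, mod 256."""
    return bytes((b - key[i % len(key)]) % 0x100 for i, b in enumerate(data))


def recover_key(plaintext: bytes, ciphertext: bytes,
                max_len: int = 64) -> Optional[bytes]:
    """Known-plaintext attack on a repeating additive key (hypothetical helper).

    At every position (c - p) % 256 is exactly the key byte used there, so the
    difference stream repeats with the key length. Return the shortest period
    that is confirmed at least twice over the sample; return None when the
    sample is too short to confirm any period, rather than guessing.
    """
    if len(plaintext) != len(ciphertext):
        raise ValueError("plaintext and ciphertext must be the same length")
    diffs = bytes((c - p) % 0x100 for p, c in zip(plaintext, ciphertext))
    # Only periods that fit at least twice into the sample can be verified.
    for k in range(1, min(max_len, len(diffs) // 2) + 1):
        if all(diffs[i] == diffs[i % k] for i in range(len(diffs))):
            return diffs[:k]
    return None


def original_name(encrypted_name: str) -> str:
    """flag.txt.ragnarok -> flag.txt. Assumes the ransomware only appends the
    extension, which matches the one file name seen in the challenge."""
    suffix = ".ragnarok"
    if encrypted_name.endswith(suffix):
        return encrypted_name[:-len(suffix)]
    return encrypted_name


# Constructed sample: a file that survived in clear, and its encrypted copy.
SAMPLE_PLAINTEXT = b"Asgard inventory: nine realms, one Bifrost, zero backups."
SAMPLE_CIPHERTEXT = ragnarok_encrypt(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    recovered = recover_key(SAMPLE_PLAINTEXT, SAMPLE_CIPHERTEXT)
    print("recovered key:", recovered)
    # Too little known plaintext: the period cannot be confirmed, so no key.
    print("from 5 bytes:", recover_key(b"FDCA{", ragnarok_encrypt(b"FDCA{")))
    encrypted = "flag.txt.ragnarok"
    if recovered and os.path.exists(encrypted):
        with open(encrypted, "rb") as fp:
            print(original_name(encrypted), ragnarok_decrypt(fp.read(), recovered))
```

With a known plaintext shorter than twice the key length, `recover_key` returns None instead of a truncated key; the five known bytes `FDCA{` at the start of the flag would only pin down the first five key bytes, which is why reversing the binary (or having a full clear copy of any one file) is what makes the recovery complete.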