Day 3: Intercept

Challenge description
We managed to covertly spy on some of the elves' communications, as well as obtain partial code
for their experimental encryption algorithm. Can you find where they're planning their next meeting?

Exploring

A pcap file containing hex-encoded TCP data is provided, along with an asm file holding their supposedly secure encryption algorithm.

intercept.asm
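        .text
        .globl state
        .bss
        .type state, @object
        .size state, 1
    state:
        .zero 1                           # 1-byte global state, initially 0
        .text
        .globl do_encrypt
        .type do_encrypt, @function
    do_encrypt:
        push rbp
        mov rbp, rsp
        mov eax, edi                      # first argument: the input byte
        mov BYTE PTR [rbp-4], al          # keep its low byte on the stack
        movzx eax, BYTE PTR state[rip]    # load the current state
        add eax, 19
        xor BYTE PTR [rbp-4], al          # input ^= low byte of (state + 19)
        movzx eax, BYTE PTR state[rip]
        add eax, 55
        mov BYTE PTR state[rip], al       # state = low byte of (state + 55)
        movzx eax, BYTE PTR [rbp-4]       # return the encrypted byte
        pop rbp
        ret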

To put it simply, here are the details:

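  1. Move the 1-byte input (the low byte of edi, copied through eax) onto the stack at rbp - 4
  2. Move state into eax. State starts off as 0 (zero)
  3. Add 19 to eax
  4. XOR the input byte on the stack with al and store the result on the stack
  5. Move the state into eax
  6. Add 55 to eax
  7. Move al to the state (only the low byte is kept, so the state wraps modulo 256)
  8. Return the stack value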
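
The eight steps above modeled in Python, as an added example that is not part of the original write-up or the challenge files; the class name, function names and sample messages are constructed. It shows the 8-bit wrap of the state, why the state has to be carried from one message to the next, and that the key byte sequence depends only on byte position and repeats after 256 bytes.

```python
# Added example: byte-level model of do_encrypt from intercept.asm.
# ElfCipher, keystream_period and roundtrip are illustrative names.

class ElfCipher:
    """Mirrors the 1-byte global `state` (.zero 1) and the do_encrypt routine."""

    def __init__(self, state=0):
        self.state = state & 0xFF

    def do_encrypt(self, byte):
        key = (self.state + 19) & 0xFF           # add eax, 19 ; only al is used
        out = (byte & 0xFF) ^ key                # xor BYTE PTR [rbp-4], al
        self.state = (self.state + 55) & 0xFF    # add eax, 55 ; mov state, al
        return out

    def process(self, data):
        """XOR is self-inverse, so this both encrypts and decrypts."""
        return bytes(self.do_encrypt(b) for b in data)


def keystream_period():
    """Number of bytes processed before the state returns to 0."""
    c = ElfCipher()
    c.do_encrypt(0)
    n = 1
    while c.state != 0:
        c.do_encrypt(0)
        n += 1
    return n


def roundtrip(messages):
    """Encrypt messages on one connection, then decrypt with a carried state."""
    tx, rx = ElfCipher(), ElfCipher()
    wire = [tx.process(m) for m in messages]
    return wire, [rx.process(w) for w in wire]


if __name__ == "__main__":
    msgs = [b"constructed message one", b"constructed message two"]
    wire, plain = roundtrip(msgs)
    print([w.hex() for w in wire])
    print(plain)
    # Resetting the state for the second message gives the wrong plaintext.
    print(ElfCipher().process(wire[1]))
    print("keystream period:", keystream_period())
```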

We can build a simple Python script to decrypt the hex data. Extract the hex payload from the pcap into a file first.

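    # payload.txt holds the hex payload extracted from the pcap, one string per line
    with open('payload.txt') as f:
        data = [line.strip() for line in f if line.strip()]

    def decode(d, state):
        """Decrypt one hex string and return the state to carry into the next one."""
        out = bytearray()
        for i in range(0, len(d), 2):
            # Key byte is (state + 19) mod 256, as in do_encrypt
            out.append(int(d[i:i+2], 16) ^ ((state + 19) % 256))
            # The state advances by 55 per byte and wraps at 256
            state = (state + 55) % 256
        # Print raw bytes; going through chr() and UTF-8 would alter values above 127
        print(bytes(out))
        return state

    counter = 0  # state starts off as 0
    for line in data:
        counter = decode(line, counter)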

Decrypted output

Flag

HTB{pl41nt3xt_4sm?wh4t_n3xt_s0urc3_c0d3?}