HackIt 2016: L4bR4t-France Reverse 375 writeup

Hello,

In this task we were given a shared library “SecretLabXLib.so” and a zip file containing encrypted and plain jpeg files.

Here is the task description:

There were some photos of an unknown experiment taken in secret lab-X for their internal archive. After that, the device from which the shot was made immediately loads a crypto-trigger, whose function is to ensure the confidentiality of the image data (this is exactly how it should be in super-secret laboratories?).

It is known that, due to some floating code errors, the trigger has not completed its work and not all the photos were encrypted.

We managed to get a binary, which has something to do with that crypto-trigger software.

And now we have a good chance to find out what secrets laboratory-X hides.

The first step I took was to print the symbol table of the shared library to figure out which functions are exported.

By running objdump -T I got mangled symbol names. De-mangling can be done with nm -C.

The SuperSecretLabCryptor2000 class exports all the methods needed to perform encryption/decryption.

From the method names it is obvious that CBC is used as the mode of operation.

We still need to figure out which cryptographic algorithm, key length, IV and key were used.

Before going deeper into the analysis, I would like to mention at this point that the shared object is a white-box cryptography implementation.

How? The CryptFile method takes only a filename as argument; no encryption key is specified. The key is instantiated at runtime.

What is white-box cryptography?

In a few words, white-box cryptography aims at protecting secret keys from being disclosed in a software implementation.

The main idea is to rewrite a key-instantiated version of the cipher so that all information related to the key is “hidden”.

More details in this paper: http://joye.site88.net/papers/Joy08whitebox.pdf

What encryption algorithm is implemented?

By taking a look at the substitution box (S-box) you can determine that it is related to AES.

What is the key length?

It can be determined by looking at the disassembly of the CryptFile(char*) method. The key length is passed as an argument to the key_setup method.

The key length is 256 bits.

What are the initialization vector (IV) and the key?

To make life easier, I chose to use the library itself to extract the (IV, Key) pair rather than reversing the key_init, iv_init and setup_key functions.

Following is a general overview of the encryption process.

The constructor does the following operations:

- Initializes a timestamp attribute through the time function.
- Initializes the key attribute through the init_key method. The timestamp attribute is used here to add randomness to the resulting key.
- Initializes the IV attribute using the init_iv method. The IV depends on the initialized key (xoring with the first 16 bytes of the key).

The CryptFile method reads the provided file and calls the key_setup method. key_setup takes the initialized key and the key length as arguments and generates the final key to be used in encryption.

The content encryption is done by invoking the encrypt_cbc method, which takes as arguments, respectively, the input buffer, buffer length, output buffer, key, key length and IV.

Finally, the result is written back to the file.

To perform encryption, I wrote the following C code. It is based on the provided library: it simulates SuperSecretLabCryptor2000 object creation and calls the CryptFile method.

I did it in C, not C++! This is ugly, but there is surely a way to import a C++ class from a shared object and use it without a header file.

The code also prints out the Key and IV.

But wait! How can you get the correct key to decrypt the pictures? In other words, what is the value of the timestamp that was used to generate the correct key and IV?

I assumed that the timestamp used to encrypt the files is simply the last modification time of the encrypted files!

By running:

All encrypted files have the same last modification time. Using 1469990552 in my C code does not give a valid (Key, IV) pair!

By opening a plain picture with a hex editor I noticed that the EXIF metadata contains Fri, 17 Jun 2016 04:01:17 as creation date, in addition to XCryptoPicture as software.

Running the code with this timestamp gave the same encrypted header as the other encrypted pictures. It is the right one!

The correct key and IV are printed as well.

Finally, I put it all together in one Python script.

Now we are able to decrypt the JPEG files and see the flag.
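The header comparison used above, as an added example in Go that is neither my C program nor the library's code: DeriveKeyIV is a hypothetical derivation standing in for init_key/init_iv/key_setup (which are not reproduced here), while FirstCBCBlock and FindTimestamp implement the actual check, encrypting a known JPEG header under each candidate timestamp's (key, IV) and comparing the first AES-256-CBC block with the encrypted file's first block. The JPEG header and the captured block are constructed, and the EXIF date is converted to epoch seconds assuming UTC.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// DeriveKeyIV is a hypothetical stand-in for init_key/init_iv/key_setup: the timestamp
// is hashed into a 256-bit key; the IV is the upper key half XORed with the first 16 key bytes.
func DeriveKeyIV(ts int64) (key, iv []byte) {
	var tsb [8]byte
	binary.LittleEndian.PutUint64(tsb[:], uint64(ts))
	sum := sha256.Sum256(append([]byte("SuperSecretLabCryptor2000"), tsb[:]...))
	key = sum[:]
	iv = make([]byte, aes.BlockSize)
	for i := range iv {
		iv[i] = key[i] ^ key[aes.BlockSize+i]
	}
	return key, iv
}

// FirstCBCBlock returns C0 = AES_K(P0 XOR IV). Every JPEG starts with the same
// bytes, so reproducing the encrypted file's first block confirms a candidate.
func FirstCBCBlock(key, iv, plain []byte) []byte {
	blk, _ := aes.NewCipher(key) // key is always 32 bytes here, i.e. AES-256
	out := make([]byte, aes.BlockSize)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, plain[:aes.BlockSize])
	return out
}

// FindTimestamp returns the candidate whose (key, IV) reproduces encHeader.
func FindTimestamp(candidates []int64, jpegHeader, encHeader []byte) (int64, bool) {
	for _, c := range candidates {
		key, iv := DeriveKeyIV(c)
		if bytes.Equal(FirstCBCBlock(key, iv, jpegHeader), encHeader[:aes.BlockSize]) {
			return c, true
		}
	}
	return 0, false
}

func main() {
	// Constructed JPEG/EXIF header; the captured block is made with the EXIF date as UTC, so the mtime 1469990552 must be rejected.
	jpeg := []byte{0xFF, 0xD8, 0xFF, 0xE1, 0, 0x10, 'E', 'x', 'i', 'f', 0, 0, 'M', 'M', 0, 0x2A}
	key, iv := DeriveKeyIV(1466136077)
	fmt.Println(FindTimestamp([]int64{1469990552, 1466136077}, jpeg, FirstCBCBlock(key, iv, jpeg)))
}
```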

flag: h4ck1t{CrYp70_3xxP3R1m3N75_VV0n7_4LVV4Y5_3ND_VV3ll}

Cheers 😀