I worked on this one up until close to the time the competition closed. I learned so much new stuff - new programming environment, new debuggers and tools, new languages that were compiled and such that my brain was mush. I did get to a little bit of valuable info, and will revisit to complete, I hope. Here's the only really relevant data I managed to obtain:
Took a look at strings and there's a bunch that goes on with sub_100001ee0 involving the base64 string, abracadabra and such.
100002b90 is an important procedure where the first test is done. It takes two arguments.
I did a test with the string 0123456789ABCDEF, figured out some logic and broke at 100002c7d and 100002d00 to catch the values in eax. Here's what I got:
Looking at C-strings in Hopper:
which decodes as:
Running the code in Hopper, found a bit of interesting stuff:
arg0 (stored in r14 for this procedure) is my entered string, base64 encoded
arg1 (stored in r12 for this procedure) looks like it will be a mask
Another round occurs, and here's the result.
So, it looks likely that there's going to be an XOR against abracadabra and the av2vex8pocs4id2 keys. Trouble is, I kept trying to run code in the debugger instead of experimenting with the data I already had. I worked way too hard trying to get to
0000000100002ca9 call sub_1000045c0 or
0000000100002cbb call sub_1000045c0
Brain fries here :( Cried uncle, only 1 hour left.
What I should have done was realize that I was beating my head against a wall, stop doing that and try another method. I knew I had a base64 string and two keys. I knew I couldn't see a way of getting to those lines: I figured out the conditions required and it didn't look possible, but I kept trying. Yet I persisted on the failing path until I couldn't think any more.
I was so close! I knew it was going to be a couple of xors, had the keys and the string to work on. 10 minutes with a clear head:
import base64

# This expects two byte strings and XORs each byte of the longer string (sIn) with a rotating key (sXor)
def xorstrings(sIn, sXor):
    sOut = bytearray()
    for i in range(len(sIn)):
        sOut.append(sIn[i] ^ sXor[i % len(sXor)])
    return bytes(sOut)

a = base64.b64decode('LyY8TiwwJighJzRSNycvJyU3LzQ1GTc0JlA2ACcGBTcuUSc3JBkZLSoaS1EzUwotBwsDDTQbEiY3Mw0SNDcZVjcLKywjCTpKPApWTw==')
k1 = b'abracadabra'
k2 = b'av9vex8pocs4id2'
b = xorstrings(a, k1)  # result of the first XOR is itself a base64 string
c = xorstrings(base64.b64decode(b), k2)