# dummyper - AeroCTF 2021

tl;dr

• The dump has some encrypted functions
• The encrypted bytes are being xorred with a 32 byte key
• Find the xor_key in the dump
• Use xor_key offset to find the offset of AES_key and iv
• AES_CBC decrypt to find flag

Challenge Points: 454
Challenge Solves: 18
Solved by: silverf3lix, Freakston, fug1t1v3

## Initial Analysis

We opened the binary dump in IDA and found that two functions (sub_13A9 and sub_1691) were encrypted.

On further analysis we found that the function sub_172A XORs the bytes from offset 0x13a9 to 0x13a9+895 with a 32-byte key.

Also, the function sub_188B dumps all sections of the ELF and the heap, which means the 32 key bytes must be somewhere in the dump.

## Recovering the original bytes

Since a function prologue starts with endbr64; push rbp; mov rbp, rsp, XORing those 8 known plaintext bytes against the first 8 encrypted bytes gives us the first 8 bytes of the key. We then took the next 24 bytes from the dump and XORed the encrypted bytes using IDAPython.

After this we defined the functions and got the binary.
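The known-plaintext step above, as an added example that is not the writeup's IDAPython script. It goes one step further than the text: both encrypted functions start with the same prologue, and 0x1691-0x13A9 = 744 is 8 mod 32, so the second prologue yields key bytes 8..15 as well. The partial key is then used as a search pattern to locate the full 32-byte key in the heap dump (the writeup instead read the remaining 24 bytes from the dump directly). The encrypted bytes, heap contents and key are constructed here; the offsets are the ones from the writeup.

```python
import random

KEY_LEN = 32
ENC_START = 0x13A9              # first encrypted byte (start of sub_13A9)
ENC_LEN = 895                   # sub_172A XORs 0x13A9 .. 0x13A9+895
FUNC_STARTS = [0x13A9, 0x1691]  # the two encrypted functions from the writeup
# endbr64; push rbp; mov rbp, rsp -- the prologue every encrypted function begins with
PROLOGUE = bytes.fromhex("f30f1efa554889e5")


def xor_bytes(data, key):
    """XOR data with a repeating key (same operation encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_bytes_from_prologues(enc, func_starts=FUNC_STARTS, base=ENC_START):
    """Known plaintext: each function start reveals the key bytes at
    indices (offset mod 32) .. +8. Returns {key_index: key_byte}."""
    known = {}
    for va in func_starts:
        off = va - base
        for i, p in enumerate(PROLOGUE):
            idx = (off + i) % KEY_LEN
            kb = enc[off + i] ^ p
            if known.setdefault(idx, kb) != kb:
                raise ValueError(f"prologues disagree on key byte {idx}")
    return known


def find_key_in_dump(dump, known):
    """Return every offset of a 32-byte window in the dump that agrees with
    all known key bytes; with 16 known bytes a false hit is practically impossible."""
    return [pos for pos in range(len(dump) - KEY_LEN + 1)
            if all(dump[pos + idx] == kb for idx, kb in known.items())]


def decrypt_and_check(enc, key, func_starts=FUNC_STARTS, base=ENC_START):
    """Decrypt the range and confirm every function now starts with the prologue."""
    dec = xor_bytes(enc, key)
    ok = all(dec[va - base:va - base + len(PROLOGUE)] == PROLOGUE for va in func_starts)
    return dec, ok


def recover(enc, dump):
    """Full pipeline: partial key from prologues -> locate key in dump -> decrypt."""
    known = key_bytes_from_prologues(enc)
    hits = find_key_in_dump(dump, known)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one key candidate, found {len(hits)}")
    key = dump[hits[0]:hits[0] + KEY_LEN]
    dec, ok = decrypt_and_check(enc, key)
    if not ok:
        raise ValueError("decrypted functions do not start with the prologue")
    return hits[0], key, dec


def build_sample(seed=1234):
    """Constructed stand-in for the real dump: random key, random 'code' with
    the prologue planted at both function starts, and a heap holding the key."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(KEY_LEN))
    plain = bytearray(rng.randrange(256) for _ in range(ENC_LEN))
    for va in FUNC_STARTS:
        off = va - ENC_START
        plain[off:off + len(PROLOGUE)] = PROLOGUE
    plain = bytes(plain)
    heap = bytearray(rng.randrange(256) for _ in range(4096))
    key_off = 0x600                      # constructed location of xor_key in the heap
    heap[key_off:key_off + KEY_LEN] = key
    return xor_bytes(plain, key), bytes(heap), key, plain, key_off


if __name__ == "__main__":
    enc, heap, key, plain, key_off = build_sample()
    off, found, dec = recover(enc, heap)
    print(f"xor_key at heap offset {off:#x}: {found.hex()}  decrypt ok: {dec == plain}")
```

On the real dump, replace build_sample() with the encrypted range read from the ELF section and the raw heap dump; the rest of the pipeline is unchanged.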

## Analysing the recovered bytes

In one of the recovered functions we see our flag being read; srand() is also called, seeded with the current timestamp, which should therefore be present in the dump.

The same function also encrypts our flag with AES. The function doing this calls one extra function that invokes memset() multiple times to fill the heap with random bytes, so the key, the IV and all of this information end up in the heap dump.

As you can see, first some random bytes are stored, then the space for the key is set, then random bytes again, then the IV, then random bytes again; after that the AES key and IV are read, followed by more random bytes, and the next memset() call after all of this is for xor_key. Before all of this, memset(flag, 128) is also done, and it starts writing at 0x5060.

## Final Steps

So, using the offset of xor_key we can brute-force the timestamp.

Our script brute-forces the timestamp until the final sum equals 0x4ba74, which is the offset of xor_key, and derives the corresponding offsets of the AES key and IV along the way. The ciphertext lies at 0x5060 to 0x5060+0x80. We then extracted the AES key, IV and ciphertext with ghex.
Now the only thing left to do is an AES-CBC decrypt.
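The seed brute-force described above, as an added example that is not the writeup's script. The glibc rand() reimplementation is exact (TYPE_3 additive feedback, valid for seeds below 2^31, which covers any Unix timestamp), so it can replay the memset() sizes offline for every candidate timestamp. The heap walk itself is an assumption: the order of writes follows the writeup (flag, random, key, random, IV, random, random, xor_key), but how the binary turned rand() into a block size, and the key and IV lengths, are placeholders standing in for what the decrypted function actually does.

```python
FLAG_BUF = 0x5060       # memset(flag, 128) starts writing here (from the writeup)
XOR_KEY_OFF = 0x4BA74   # offset of xor_key found in the dump (from the writeup)
# ASSUMED sizes: the real binary's AES key/IV lengths and size formula must be read
# from the decrypted function; these stand in for them.
AES_KEY_LEN, IV_LEN, RAND_MOD = 32, 16, 0x10000


def glibc_rand(seed):
    """Generator yielding exactly what glibc's rand() returns after srand(seed)."""
    seed &= 0xFFFFFFFF
    if seed == 0:
        seed = 1                      # glibc maps seed 0 to 1
    r = [seed]
    for i in range(1, 31):            # LCG fill of the 31-word state
        r.append((16807 * r[i - 1]) % 2147483647)
    for i in range(31, 34):
        r.append(r[i - 31])
    for i in range(34, 344):          # 310 outputs are discarded during srand()
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
    i = 344
    while True:
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
        yield r[i] >> 1
        i += 1


def walk_layout(seed):
    """Replay the heap writes for one candidate timestamp and return the offset
    of each object. Block-size formula (rand() % RAND_MOD) is the assumption."""
    rng = glibc_rand(seed)
    off = FLAG_BUF + 128              # flag buffer, then the first random block
    layout = {"flag": FLAG_BUF}
    off += next(rng) % RAND_MOD
    layout["aes_key"] = off
    off += AES_KEY_LEN + next(rng) % RAND_MOD
    layout["iv"] = off
    off += IV_LEN + next(rng) % RAND_MOD   # random bytes before key/IV are read
    off += next(rng) % RAND_MOD            # random bytes after they are read
    layout["xor_key"] = off
    return layout


def find_seed(target_xor_off, lo, hi):
    """Scan timestamps in [lo, hi) for the first one whose walk lands xor_key on
    the offset observed in the dump; returns (seed, layout) or None."""
    for seed in range(lo, hi):
        layout = walk_layout(seed)
        if layout["xor_key"] == target_xor_off:
            return seed, layout
    return None


if __name__ == "__main__":
    # Constructed check: pick a timestamp, compute where it puts xor_key, then
    # pretend we only know that offset and search a window around the time.
    true_seed = 1600000000
    target = walk_layout(true_seed)["xor_key"]
    print(find_seed(target, true_seed - 3600, true_seed + 3600))
```

Against the real dump, target_xor_off is 0x4ba74 and the window is the hour or day around the challenge time; the returned layout then gives the AES key and IV offsets to extract, and the ciphertext is the 0x80 bytes at 0x5060.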

Flag: Aero{d37fd6db2f8d562422aaf2a83dc62043}