Hackvent 2019: Day 18

20 Dec 2019
CTF: Hackvent 2019
Link to challenge:
Date Completed: 19 December 2019


HV19.18 Dance with me

Resource mirror:


In our zip file we get a dance binary that we discover is an arm binary. After some digging around we find out that it is in fact a DEB and written for iOS. We attempt to run the code in an emulator like QEMU but unfortunately don’t have much luck with getting the emulator to work. Instead we rely on static analysis.

We use IDA’s ARM decompiler to give us the Objective C code belonging to the binary. As I didn’t have the required IDA plugin I go this from BlindHero (thanks!).

This was the code:

It takes a while to analyse this code to learn what cipher is actually being used.
Through many clues we learn its a stream cipher and the appropriately named Salsa20 cipher.
At this point its reasonable to assume we need to decrypt our encrypted flag  096CD446EBC8E04D2FDE299BE44F322863F7A37C18763554EEE4C99C3FAD15 which is just hex data using the Salsa20 algorithm and some key and nonce. We are looking for a 128 bit or 256 bit key and 64 bit nonce. We can see four arguments passed to the dance method. The first is the result and the second is simply the input length used to check against loop guards. The last two arguments are our key and nonce. We take the longer length argument &v11 as our nonce.

We use IDA to easily fetch the key as raw data:

As it turns out only the upper (first) 32 bytes of this key are used.
Our nonce is the number  -5678246756302764783 which we convert to hex as  \xB1\x32\xD0\xA8\xE7\x8F\x45\x11.  However, we are using little endian ordering so we reverse the order of bytes to  \x11\x45\x8F\xE7\xA8\xD0\x32\xB1.

Finally we can write a python script to decode our Salsa20 encoded string. We simply use a template from online:

Running this prints out our daily flag!

Flag:  HV19{Danc1ng_Salsa_in_ass3mbly}

No Comments

Posted in Hackvent 2019


Leave a Reply