with Gnat.Sha1;
with Ada.Text_IO;
use Ada.Text_Io;
procedure Win3 is
C : GNAT.SHA1.Context;
Result : String (1 .. 40);
Input : String (1 .. 20);
Target : String := "372942df2712824505d8171f4f0bcb14153d39ba";
Try : String := "ZYXWVUTSRQPABCDEFGHIJKLMNO0123456789";
Index : Integer;
begin
for I in Try'range loop
for J in Try'range loop
Put_Line(Try(I)&Try(J));
for K in Try'range loop
for L in Try'range loop
for M in Try'range loop
for N in Try'range loop
C := Gnat.Sha1.Initial_Context;
Gnat.Sha1.Update(C,Try(I)&Try(J)&Try(K)&Try(L)&Try(M)&
Try(N));
Result := Gnat.Sha1.Digest(C);
-- FIRST HASH DONE, NOW SCRAMBLE
for Count in 0..19 loop
Index := Count*7 mod 20;
Input(Count+1) := Character'Val(Integer'Value(
"16#"&Result(Index*2+1)&Result(Index*2+2)&
"#"));
end loop;
C := Gnat.Sha1.Initial_Context;
Gnat.Sha1.Update(C,Input);
Result := Gnat.Sha1.Digest(C);
if Result=Target then
Put_Line(Try(I)&Try(J)&Try(K)&Try(L)&Try(M)&Try(N));
Skip_Line;
end if;
end loop;
end loop;
end loop;
end loop;
end loop;
end loop;
end Win3;
key{PWF41L}
Write up by albntomat0
Thursday, October 24, 2013
Hack.lu CTF 2013 : FluxArchiv[Part1] 400
So we have this program that creates an encrypted archive. We also have an archive that we are supposed to get the password for. Analysis of the program shows that, in order to check a password, it takes the sha1 hash of the password, scrambles it, hashes it again, and compares it to a location stored in the archive (beginning at 12 bytes in). We found the value stored in memory, and brute forced the entire thing using the following Ada program.
No comments:
Post a Comment