Joel Eriksson
Vulnerability researcher, exploit developer and reverse-engineer. Have spoken at BlackHat, DefCon and the RSA conference. CTF player. Puzzle solver (Cicada 3301, Boxen)

PlaidCTF 2011 – 06 – Fun with Numb3rs – 100 pts

This is my writeup for the sixth challenge in the PlaidCTF 2011 competition. The information for the challenge was:

“Uh oh..
This door is protected with number scroll authenticator. There’s “powered by .NETv4” sign.
Find out the combination and get the key!”

The application interface consists of three horizontal scrollbars that can be set to values between 0 and 255. Since this was a .NET executable I was able to use a tool called .NET Reflector to decompile it back to its C# source code representation. After examining the decompiled source a bit I found this function, which is obviously responsible for checking whether the scrollbar numbers are correct or not:

private void a(object A_0, EventArgs A_1)
{
   int num = this.h.Value;
   int num2 = this.j.Value;
   int num3 = this.i.Value;
   int num4 = this.j.Value * this.i.Value;
   int num5 = num * 3;
   if ((((((num + num4) - num2) + ((num * num) * num2)) - num3) == ((num2 * ((num3 * 0x22) + (num5 - num))) + 0x1d40)) && (num > 0x4d))
   {
      MessageBox.Show(this.b(num, num2, num3, (byte[]) this.a.Clone(), num4, num5));
   }
   else
   {
      MessageBox.Show(this.a(num, num2, num3, (byte[]) this.a.Clone(), num4, num5));
   }
}

As you can see, the i and j scrollbars can be set to any value between 0 and 255 but h must be above 0x4d (i.e. 78-255). This gives us 256*256*(256-78) = 11665408 combinations to test. With a small C program I can find the correct combination in the blink of an eye.

je@isis:~/ctf/PlaidCTF-2011/06-Fun_with_Numb3rs/solution$ cat > get_combo.c

#include <stdio.h>

int main(void)
{
	int i, j, h;

	for (i = 0; i < 256; i++)
		for (j = 0; j < 256; j++)
			for (h = 78; h < 256; h++)
				if ((((((h+j*i)-j)+((h*h)*j))-i)==((j*((i*0x22)+(h*3-h)))+0x1d40)))
					printf("(%d,%d,%d)\n", h, j, i);

	return 0;
}
je@isis:~/ctf/PlaidCTF-2011/06-Fun_with_Numb3rs/solution$ ./get_combo

When using this combination I get the following code:

And with that, the challenge is solved. :)
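The check in the decompiled function is linear in the third scrollbar value, so the brute force above can be reduced to one division per (h, j) pair. The following is an added example, not part of the original writeup; the function names `check`, `solve_direct` and `brute_count` are hypothetical, and the exhaustive search is kept only as a cross-check.

```c
#include <stdio.h>
/* Decompiled predicate with num=h, num2=j, num3=i (0x22 = 34, 0x1d40 = 7488). */
static int check(int h, int j, int i)
{
    return (h + j * i - j + h * h * j - i) == (j * (i * 0x22 + (h * 3 - h)) + 0x1d40)
        && h > 0x4d;
}

/* The equation is linear in i:
 *   h + j*i - j + h*h*j - i = 34*j*i + 2*h*j + 7488
 *   => i * (33*j + 1) = h*h*j - 2*h*j - j + h - 7488
 * so each (h, j) has at most one candidate i. Stores up to max hits
 * as {h, j, i} and returns the total number found. */
static int solve_direct(int out[][3], int max)
{
    int n = 0;
    for (int h = 0x4d + 1; h < 256; h++)
        for (int j = 0; j < 256; j++) {
            int num = h * h * j - 2 * h * j - j + h - 7488;
            int den = 33 * j + 1;               /* >= 1, never zero */
            if (num < 0 || num % den != 0)
                continue;
            int i = num / den;
            if (i > 255 || !check(h, j, i))     /* confirm with the original test */
                continue;
            if (n < max) { out[n][0] = h; out[n][1] = j; out[n][2] = i; }
            n++;
        }
    return n;
}

/* Reference: exhaustive search over all 256*256*178 combinations. */
static int brute_count(void)
{
    int n = 0;
    for (int i = 0; i < 256; i++)
        for (int j = 0; j < 256; j++)
            for (int h = 78; h < 256; h++)
                n += check(h, j, i);
    return n;
}

int main(void)
{
    int hits[16][3], n = solve_direct(hits, 16);
    for (int k = 0; k < n && k < 16; k++)
        printf("(%d,%d,%d)\n", hits[k][0], hits[k][1], hits[k][2]);
    return n == brute_count() ? 0 : 1;          /* exit 0 when both searches agree */
}
```

The largest intermediate value is 255*255*255, which fits comfortably in a 32-bit `int`, so the C arithmetic matches the C# `int` arithmetic of the original check.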