This is a continuation of my previous post on the NSA Codebreaker Challenge 2015, and covers the second task in the challenge.
Through SIGINT we have collected a new message file - this one appears to have been sent to a field operative in the terrorist organization that is of particular interest. A key file for this invidiual was collected previously and should still be valid. We believe that this message may contain actionable intelligence, so please report back with the message contents as soon as possible. This task will require you to figure out how to bypass the access controls built into the program that limit which recipient can decode each message.
A quick run of the program shows what we’re up against –
user@host:~/nsa_codebreaker_2015/task_2$ ./secret-messenger --reveal --action tier2_msg.txt --symbol tier2_key.pem Invalid (failed check 4)
The error message gives us a starting point in IDA. We can search for the error message and begin by looking at the surrounding code.
We can then tell IDA to follow the program flow back to the jump that led here.
Looking at the check before the jump, we see that a value in memory is getting rotated 8 bits and compared to 0x6962. If the comparision fails, the jump is taken and the error message displayed.
There are several ways this could potentially be circumvented. For now, we’ll take the easy option and simply patch the program binary to eliminate the offending jump.
After saving the modified binary, we run it and we get our message
user@host:~/nsa_codebreaker_2015/task_2$ ./secret-messenger --reveal --action tier2_msg.txt --symbol tier2_key.pem *****SIGNATURE IS VALID***** Message: Our plans have been set into motion - Member number 392 is ready to carry out his tasking, and in 2 weeks time the window of opportunity will be open. If it is necessary to abort the action, the authentication code to use is hw8qviacbj6xkus6wsel. *****SIGNATURE IS VALID*****
which completes the goal for Task 2.