You did a very good job until now. To be sure no one is going to be trapped again, could you find a way to protect the whole company?

To do so, you can use the binary located on the website of part 2, our expert told us that is was safe to run.

Note: you need to solve part 2 before attempting this part

Edit: Microsoft flagged the old binary as a malware, please redownload the new version (the old version won’t give you the correct flag)

A binary is given, and by opening it we can see a popup that says that all our files have been encrypted.

The binary is packed with upx, and by unpacking it, then the binary does not work anymore. Also, two versions of the binary have been released.

The first one wrongly says randomly that we solved the challenge, and that if we modified the binary then the flag is wrong, and then it just prints INSA{} (an empty flag).
The second always says that our files have been encryped.

By disassembling the binary we can notice that this operation is performed by using a function that checks if the computer is immune.
Also, by looking at the network traffic we can see that there is a simple encryption scheme: the server says to the client how to transpose the letters of the alphabet.

An example of (decrypted) communication is the following:
client: CRYPT0R_SEED:72
server: CRYPT0R:ABCDEFGHIJKLMNOPQRSTUVWXYZ (this sequence is actually permutated in a real example)
client: CRYPT0R_ACK
client: CRYPT0R:GET_VICTIM_ID>{some_random_uuid}
server: CRYPT0R:VICTIM_ID_IS>xxxx
where xxxx are four bytes

By reversing the binary we can notice that when the integer represented by xxxx is != 0 and < 25, then something different happens. The problem is that IDA is not able to correctly decompile it.
In fact, the code does something like jmp some_constant + 8 * xxxx/20

To solve the challenge we did the following:

  • wrote a custom server that will try and increment the xxxx value every time
  • redirected the program connections to our custom server with a DNS sinkhole
  • started the binary 144 times

At the 144th time (xxxx="\x90\x00\x00\x00") we got the flag: INSA{wTf_LN3d@7UMus$2xRL9K_LOL_n}