The Journey of #100DaysOfSecurity (@webchick)

#Day08 of #100DaysOfSecurity

Today, let’s head into our first Reverse Engineering challenge with crackme.py.

If you execute this program you’ll see that it’s quite simple and tells you the bigger of two numbers:

That’s all well and good, but how do we find the flag…?

Hint

Peek inside the crackme.py file, and you will find an interesting surprise. :slight_smile:

# Hiding this really important number in an obscure piece of code is brilliant!
# AND it's encrypted!
# We want our biggest client to know his information is safe with us.
bezos_cc_secret = "A:4@r%uL`M-^M0c0AbcM-MFE07b34c`_6N"

Seems suspicious. All that’s left to do is decode it, right?

Walkthrough

Remember learning about ROT-13 back on Day 1? Well, here, if the decode_secret() function is to be believed, we appear to be using ROT-47, which is the same deal, except it moves ahead 47 places instead of 13.

How is that possible, when the alphabet itself only has 26 letters? Because here, we’re using a special alphabet:

# Reference alphabet
alphabet = "!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"+ \
            "[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"

Now. You could painstakingly do the work of taking each character in Bezos’s secret credit card number and counting 47 places ahead in the above string. Or, use an online tool like CyberChef.

Or, you could be super lazy, like me, and just toss the following near the bottom of the file:

decode_secret(bezos_cc_secret)

…and let our good friend Python do the hard work for you. :wink:

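An added example, not part of crackme.py or the original post: ROT-47 over the same 94-character reference alphabet. Because 47 is exactly half of 94, applying the rotation twice returns the original text, so there is no key and the "encrypted" value is only obfuscated. The function names, the pass-through of characters outside the alphabet, and the sample string are choices made for this example.

```python
# Added example: ROT-47 over the reference alphabet quoted above.
# Names (ALPHABET, ROTATE, rot47, needs_no_key) are this example's own.

ALPHABET = (
    "!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"
)
ROTATE = 47  # half of len(ALPHABET), which is why the cipher is its own inverse


def rot47(text: str) -> str:
    """Rotate each printable ASCII character 47 places through ALPHABET."""
    out = []
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx == -1:
            # Spaces, newlines and non-ASCII are not in the alphabet.
            # Leave them unchanged instead of indexing with -1.
            out.append(ch)
        else:
            out.append(ALPHABET[(idx + ROTATE) % len(ALPHABET)])
    return "".join(out)


def needs_no_key(sample: str) -> bool:
    """True when encoding twice gives the input back: no secret is involved."""
    return rot47(rot47(sample)) == sample


if __name__ == "__main__":
    sample = "Hello, World!"  # constructed sample, not from the challenge
    hidden = rot47(sample)
    print(hidden)             # obfuscated form
    print(rot47(hidden))      # same function reverses it
    print(needs_no_key(sample))
```

Anything that can read the source can run the same function, which is why a hard-coded value protected this way should be treated as plaintext.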