
Problem H
File Recovery


If you have completed the steps up to this point, you have all the components required to decrypt each of the original files. Your last step is to put it all together and decrypt the ransomware-encrypted files. You have been provided 4 ransomware-encrypted files (attached to this problem). Using what you have learned and what you have programmed along the way, create a program that runs against the four files to recover the company’s original files. Once you have done this, you will need to find a few pieces of data hidden amongst the company data and solve the last problem described below.

As a reminder, you’ve created functions to solve the following:

  • Decode modified Base64 encoded ASCII text

  • Parse a TLV encoded data structure containing important metadata about each file

  • Exhaust over a weak keyspace and find a key to use as input with a stream cipher

  • Decrypt a variable-length datastream with the modified RC4 stream cipher

  • Use the “key_hash” to look up the actual key used as input into a block cipher

  • Implement a block cipher using various encryption modes. Use the version number to determine the mode according to the following table:

    VERSION   MODE
    1.0       ECB
    1.2       CTR
    2.0       CBC

Where to begin?

To begin, look at your data! Open each of your files - where is the encrypted data?

Steganography

Steganography is the practice of concealing a message within another message. The carrier file is the file containing the concealed message. In this case the carrier file is the ransomware image itself, and the encrypted file data is the concealed message. Based on the report, it appears that the encrypted data is appended to the end of the JPEG image. Opening the files in a HEX editor or analyzing the bytes will make it very clear where the encrypted data starts. There is even a header on the data. The header is:

\[ {\tt LOCKED\_DATA:} \]


Separate this appended data from the ransomware files to begin.

Keep It Going

You have all the information you need to complete this challenge. Look back through the previous problems to remember key ways to recognize various data types, and try to match those to what you see in the data. If you need to decrypt any data, it will be apparent when you have done it correctly, either by an obvious header string or by other identifying features.

In some of the individual routines you have created, your inputs and outputs were in HEX format. In the actual ransomware files, you will have to analyze the data at each step and update your code to handle raw binary data or HEX data as appropriate.

When you have completed all of the steps in the correct order, you should have a set of 4 decrypted files.

Final Steps!

Examine the decrypted files. You are looking for 4 HEX-encoded 32-bit values labeled “KEY_part_1”, “KEY_part_2”, “KEY_part_3”, and “KEY_part_4”. Concatenate the 4 key parts in order to form the final KEY, then decrypt the final input using your block cipher in CBC mode with the following IV:

\[ IV: {\tt 0xA64FCAD1B76F93E9} \]

Your final solution will be code that takes the final KEY and IV and decrypts the final input.
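The following is an added worked example, not part of the problem statement or the challenge's own solution code. It shows the three glue steps this page describes: splitting the appended data off the carrier image at the `LOCKED_DATA:` header, assembling the final KEY from the four labeled parts, and running CBC decryption over 64-bit blocks with the IV above. The challenge's block cipher is not on this page, so `toy_block_decrypt` (a key-XOR stand-in, an assumption) marks where your own block cipher from the earlier problems plugs in; the `KEY_part_N: <hex>` label format is also an assumption.

```python
import re

HEADER = b"LOCKED_DATA:"
IV = bytes.fromhex("A64FCAD1B76F93E9")  # 64-bit IV given in the problem statement
BLOCK = len(IV)                          # the IV length fixes the block size at 8 bytes


def split_carrier(data: bytes):
    """Split a ransomware file into (carrier JPEG bytes, appended encrypted data)."""
    idx = data.find(HEADER)
    if idx < 0:
        raise ValueError("LOCKED_DATA: header not found in carrier")
    return data[:idx], data[idx + len(HEADER):]


def assemble_key(decrypted_files) -> bytes:
    """Collect KEY_part_1..KEY_part_4 (8 hex chars each) from the decrypted files
    and concatenate them in order into the 128-bit final KEY.
    Assumed label format: 'KEY_part_N' followed by a separator and the hex value."""
    parts = {}
    for text in decrypted_files:
        for m in re.finditer(rb"KEY_part_([1-4])\W*([0-9a-fA-F]{8})", text):
            parts[int(m.group(1))] = bytes.fromhex(m.group(2).decode())
    missing = [i for i in range(1, 5) if i not in parts]
    if missing:
        raise ValueError(f"missing key parts: {missing}")
    return b"".join(parts[i] for i in range(1, 5))


def cbc_decrypt(block_decrypt, key: bytes, ciphertext: bytes, iv: bytes = IV) -> bytes:
    """Generic CBC decryption: P_i = D_key(C_i) XOR C_(i-1), with C_0 = IV.
    block_decrypt(key, block) must return one decrypted block of BLOCK bytes."""
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the block size")
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(block_decrypt(key, c), prev))
        prev = c
    return bytes(out)


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the challenge's block cipher (assumption): XOR with the first 8 key bytes.
    Replace this with the block cipher implemented in the earlier problems."""
    return bytes(a ^ b for a, b in zip(block, key[:BLOCK]))


def solve(hex_line: str, key: bytes, block_decrypt=toy_block_decrypt) -> bytes:
    """Take the single HEX-encoded input line and return the decrypted raw bytes."""
    return cbc_decrypt(block_decrypt, key, bytes.fromhex(hex_line.strip()))
```

With the real block cipher substituted for `toy_block_decrypt`, `solve(input_line, assemble_key(files))` produces the raw bytes the problem expects as output.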

Input

A single line of HEX-encoded data that you need to decrypt to match the output.

Output

A single block of data as RAW bytes.

Sample Input 1
432670691e0936621c8b0fe13d055aa9

Sample Output 1
FINISHED
