PicoCTF - keygenme-py - Reverse

Looking at the keygenme-trial.py

Instead of running the script right away, it is best practice to read the source code, right?

username_trial = "GOUGH"
bUsername_trial = b"GOUGH"

key_part_static1_trial = "picoCTF{1n_7h3_|<3y_of_"
key_part_dynamic1_trial = "xxxxxxxx"
key_part_static2_trial = "}"
key_full_template_trial = key_part_static1_trial + key_part_dynamic1_trial + key_part_static2_trial

This will be obvious later, next of course the flag! Or here it is called the key. It is comprised of two static parts, and a dynamic part:

key_full_template_trial = key_part_static1_trial + key_part_dynamic1_trial + key_part_static2_trial

Great… maybe we can have a look at how the dynamic part is generated?
Dynamic key

To check the validity of the dynamic key, the following function is used :

def check_key(key, username_trial):

    global key_full_template_trial

    if len(key) != len(key_full_template_trial):
        return False
    else:
        # Check static base key part --v
        i = 0
        for c in key_part_static1_trial:
            if key[i] != c:
                return False

            i += 1

First, check if the key is even long enough! After that check if we have the 1st static part correct (we can copy and paste, right?). Now the iterator i is at our dynamic part, and here is the if tree that checks our dynamic key:
These are the our varibles.

       # TODO : test performance on toolbox container
       # Check dynamic part --v
       if key[i] != hashlib.sha256(username_trial).hexdigest()[4]:
           return False
       else:
           i += 1

       if key[i] != hashlib.sha256(username_trial).hexdigest()[5]:
           return False
       else:
           i += 1

       if key[i] != hashlib.sha256(username_trial).hexdigest()[3]:
           return False
       else:
           i += 1

       if key[i] != hashlib.sha256(username_trial).hexdigest()[6]:
           return False
       else:
           i += 1

       if key[i] != hashlib.sha256(username_trial).hexdigest()[2]:
           return False
       else:
           i += 1

       if key[i] != hashlib.sha256(username_trial).hexdigest()[7]:
           return False
       else:
           i += 1

       if key[i] != hashlib.sha256(username_trial).hexdigest()[1]:
           return False
       else:
           i += 1

       if key[i] != hashlib.sha256(username_trial).hexdigest()[8]:
           return False



       return True

This is how our licence key checked. we have a bunch of indexes: 4,5,3,6,2,7,1,8. How do we use these? Well first a sha256 hash of the username is ‘GOUGH’ calculated and then we pick the corresponding character. This is pretty easy to script.

#! /usr/bin/env/ python3
import hashlib

key_part_static1_trial = "picoCTF{1n_7h3_|<3y_of_"
key_part_dynamic1_trial = "xxxxxxxx"
key_part_static2_trial = "}"
key_full_template_trial = key_part_static1_trial + key_part_dynamic1_trial + key_part_static2_trial

username = b"GOUGH"
potential_dynamic_key = ""
Indexes = [4,5,3,6,2,7,1,8]

for I in Indexes:
	potential_dynamic_key += hashlib.sha256(username).hexdigest()[I]

key = key_part_static1_trial + potential_dynamic_key + key_part_static2_trial
print(key)