I shuffled into the Chief's office, slumping slightly. He seemed to notice but didn't acknowledge it.
—Bad news, Chief.
—Lay it on me.
—I couldn't decrypt the talks with Chase, there seems to be some unconventional encryption going on.
—Not good. He's the right hand to the boss, he would know the ins and outs of gang's cash flow.
Q. Which offshore financial institution did the gang bank with?
Format: Provide its SWIFT code.
Solve
Tools used
- Autopsy
- BelkaSoftX
- Python
By checking the Notes and chat artifacts, you can see that the encryption was done with Apple Shortcuts.
And I can find the shortcuts information file.
location: private\var\mobile\Library\Shortcuts\Shortcuts.sqlite
It tells us that the shortcut was shared via an iCloud link.
I found a shortcut cache from this location.
location: private\var\mobile\Containers\Data\Application\D5B11F5D-8111-4F46-80AE-F50D6447F5EB\Library\Caches\com.apple.shortcuts\Cache.db
You can see the shortcut hash, and the two shortcuts' URLs are
In the Decrypt module, the code looks like this.
```javascript
var key="key";
var hexEncodedText="data";

// Reduce the key to the sum of its character codes
var sum = 0;
for (let i = 0; i < key.length; i++) {
  sum += key.charCodeAt(i);
}

// Affine parameters: a is always odd (invertible mod 256), b is in 1..89
a = sum % 137;
a = 2*a + 1;
b = sum % 89 + 1;

let decodedText = '';

// Find the modular inverse of a mod 256 by exhaustive search
let modInverseA = 0;
for (let i = 0; i < 256; i++) {
  if ((a * i) % 256 === 1) {
    modInverseA = i;
    break;
  }
}

// Hex string -> string of raw bytes
let encodedText = '';
for (let i = 0; i < hexEncodedText.length; i += 2) {
  let charCode = parseInt(hexEncodedText.substr(i, 2), 16);
  encodedText += String.fromCharCode(charCode);
}

// Invert c = (a*p + b) mod 256 for every byte
for (let i = 0; i < encodedText.length; i++) {
  var tt = encodedText.charCodeAt(i) - b;
  if (tt < 0){
    tt+=256;
  }
  let charCode = (modInverseA * tt) % 256;
  decodedText += String.fromCharCode(charCode);
}

document.body.textContent = encodeURIComponent(decodedText);
```
From the key validation, there are only 137 * 89 = 12193 possible keys.
So I wrote a brute-force script in Python.
```python
enc_msg = '1965dc82eda62f00eddc82ed77a60bed4ca670ed1d000b82a62f2441414c6fedbb242fcaed4f24b80003ed320ba6a6ca0089ed2bdce7000bedbb242fca6fed441212a6702ff9ed4f24b80003ed32a62f827041f9dc2feeeda2000be7dc120082edfc2f126fed441212a6702ff9ed4f70b89b000b03ed8c159e27b039c24bd45d6feda27efc9719ed32a6890003ed322b07bb3d444b3d6fedbb242fcaed4489890b00828203edb05dedc677778265a60b00edbb41e78981ed3d242f24b824ed32dcf94c81ed3d242f24b824'


def decrypt(enc_msg, key):
    # Here `key` stands for the sum of the key's character codes
    dec_msg = ''
    a = key % 137
    a = 2 * a + 1
    b = key % 89 + 1

    # Modular inverse of a mod 256
    modInverseA = 0
    for i in range(0, 256):
        if ((a * i) % 256 == 1):
            modInverseA = i
            break

    for i in range(0, len(enc_msg), 2):
        char_code = int(enc_msg[i:i+2], 16)
        char_code = (char_code - b)
        if (char_code < 0):
            char_code = char_code + 256
        char_code = (char_code * modInverseA) % 256
        dec_msg += chr(char_code)
        # Discard this candidate as soon as a non-ASCII byte appears
        if (char_code > 127):
            return
    # print (dec_msg)
    print('try key', key, dec_msg)


for k in range(0, 12194):
    decrypt(enc_msg, k)
```
And one of the outputs says:
This one is for you personally. Bank Name: Crooked River Bank. Account Name: Consulting Services Inc. Account Number: 9876543210. SWIFT Code: CRVBPA2P. Bank Address: 50 Offshore Blvd, Panama City, Panama
So the SWIFT code is CRVBPA2P.
Answer: CRVBPA2P
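
An added example, not part of the original write-up: instead of printing every all-ASCII candidate, it enumerates the 137 * 89 (a, b) pairs directly and ranks each decryption by how many bytes are letters or spaces, so the readable plaintext sorts to the top. The function names and the scoring rule are assumptions of this example; the ciphertext is the one from the brute-force script above.

```python
# Added example: rank every (a, b) pair of the Shortcut's affine cipher by how
# English-like the decryption is, instead of reading thousands of candidates.
import string

# Ciphertext copied from the write-up's brute-force script.
ENC_HEX = '1965dc82eda62f00eddc82ed77a60bed4ca670ed1d000b82a62f2441414c6fedbb242fcaed4f24b80003ed320ba6a6ca0089ed2bdce7000bedbb242fca6fed441212a6702ff9ed4f24b80003ed32a62f827041f9dc2feeeda2000be7dc120082edfc2f126fed441212a6702ff9ed4f70b89b000b03ed8c159e27b039c24bd45d6feda27efc9719ed32a6890003ed322b07bb3d444b3d6fedbb242fcaed4489890b00828203edb05dedc677778265a60b00edbb41e78981ed3d242f24b824ed32dcf94c81ed3d242f24b824'

# Scoring alphabet (an assumption of this example): ASCII letters and space.
ENGLISH = frozenset(string.ascii_letters + ' ')


def affine_decrypt(data: bytes, a: int, b: int) -> bytes:
    """Invert c = (a*p + b) mod 256; a is always odd, so it is invertible."""
    a_inv = pow(a, -1, 256)  # Python 3.8+
    return bytes((a_inv * (c - b)) % 256 for c in data)


def score(plain: bytes) -> int:
    """Count bytes that are ASCII letters or spaces."""
    return sum(chr(p) in ENGLISH for p in plain)


def best_candidates(enc_hex: str, top: int = 3):
    """Try every (a, b) pair the key derivation can produce, best first."""
    data = bytes.fromhex(enc_hex)
    results = []
    for x in range(137):        # x = (sum of key chars) % 137
        a = 2 * x + 1
        for y in range(89):     # y = (sum of key chars) % 89
            b = y + 1
            plain = affine_decrypt(data, a, b)
            results.append((score(plain), a, b, plain))
    results.sort(key=lambda r: r[0], reverse=True)
    return results[:top]


if __name__ == '__main__':
    for s, a, b, plain in best_candidates(ENC_HEX):
        print(s, a, b, plain.decode('latin-1'))
```

Because 137 and 89 are coprime, every (a, b) pair corresponds to some key sum, which is why walking the pairs covers the same space as the 12193 key values.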
BelkaCTF#6 - [18] Financial Institution (Hard, 829)