PlaidCTF 2011 – 06 – Fun with Numb3rs – 100 pts

This is my writeup for the sixth challenge in the PlaidCTF 2011 competition. The information for the challenge was:

“Uh oh..
This door is protected with number scroll authenticator. There’s “powered by .NETv4” sign.
Find out the combination and get the key!”

The application interface consists of three horizontal scrollbars that can each be set to a value between 0 and 255. Since this was a .NET executable, I was able to use a tool called .NET Reflector to decompile it back to its C# source code representation. After examining the decompiled source a bit, I found this function, which is obviously responsible for checking whether the scrollbar numbers are correct:

As you can see, the i and j scrollbars can be set to any value between 0 and 255, but h must be above 0x4d (i.e. 78-255). This gives us 256*256*(256-78) = 11665408 combinations to test. With a small C program I can find the correct combination in the blink of an eye.
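The exhaustive search described above, as an added example that is not the author's original program: it walks the same h/i/j ranges and counts the candidates. The `check` and `mix` functions and the combination (200, 17, 42) are constructed stand-ins, not the challenge's real logic; only the `h > 0x4d` constraint comes from the writeup.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in: the mixing below is invented for this example and is
   NOT the challenge's real check. Only "h must be above 0x4d" is from the
   writeup. The mix is injective over three bytes, so exactly one hit exists. */
static uint32_t mix(uint32_t h, uint32_t i, uint32_t j)
{
    uint32_t packed = (h << 16) | (i << 8) | j;
    return (packed ^ 0x5A5A5Au) * 0x9E3779B1u; /* odd multiplier: bijective mod 2^32 */
}

/* Hypothetical check; the "secret" combination (200, 17, 42) is constructed. */
static int check(uint32_t h, uint32_t i, uint32_t j)
{
    if (h <= 0x4d)
        return 0;
    return mix(h, i, j) == mix(200, 17, 42);
}

struct result { unsigned long tested, hits; uint32_t h, i, j; };

/* Walk the whole space the writeup describes: h in 78..255, i and j in 0..255. */
static struct result brute_force(void)
{
    struct result r = {0, 0, 0, 0, 0};
    for (uint32_t h = 0x4e; h <= 255; h++)
        for (uint32_t i = 0; i <= 255; i++)
            for (uint32_t j = 0; j <= 255; j++) {
                r.tested++;
                if (check(h, i, j)) {
                    r.hits++;
                    r.h = h; r.i = i; r.j = j;
                }
            }
    return r;
}

int main(void)
{
    struct result r = brute_force();
    printf("tested %lu combinations, %lu hit(s): h=%u i=%u j=%u\n",
           r.tested, r.hits, (unsigned)r.h, (unsigned)r.i, (unsigned)r.j);
    return r.hits == 1 ? 0 : 1;
}
```

A secret of three byte-sized values checked entirely on the client is exhausted in well under a second, regardless of how the comparison is obfuscated.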

When using this combination I get the following code:

And with that, the challenge is solved. :)