The challenge was:

We implemented aes in hardware and saved a lot of memory. Feel free to use our online aes encryption service to secure your data.

nc 188.40.18.66 2786

Download code here.

As the challenge’s name promissed, provided code shows us the implementation details of AES-128 in hardware are hidden, all communications with hardware will go thru the SPI protocol.

Connected to the service, it provided us some commands to play with:

C:\Users>nc 188.40.18.66 2786
Welcome to the online AES encryption service
help
encrypt    - Encrypt with AES
flag       - Encrypt flag
getkey     - Set AES key
help       - show this help
setkey     - Set AES key

Basically we could set the key, encrypt a message and request the service to show us the key.

I thought about a naive solution: we could call for flag then getkey and finally decrypt the cipher with that key to get flag. But it wasn’t that easy at all, I tried and got the point that getkey didn’t give us the key we wanted, instead it made some changes before sent us the key.

How could we know about what has been changed?

Nice, I setkey with key = ‘\x00’*16, tried to encrypt a message then getkey gave me:

C:\Users>nc 188.40.18.66 2786
Welcome to the online AES encryption service
setkey 00000000000000000000000000000000
encrypt 41414141
3c3bead93ed0b5b757436a945ea72fec
getkey
b4ef5bcb3e92e21123e951cf6f8f188e

The service used AES-128 mode ECB. I googled the string b4ef5bcb3e92e21123e951cf6f8f188e, first result told me this is the 10th round key of the Rijndael key expansion. Cool!, getkey really gave us this sh!t.

After some discussions with crazyboy, k9 and pdah, I started to think about key recovery. The idea was to inverse back to the original key from 10th round key of the Rinjdael key expansion. crazyboy and k9 also confirmed there was no place for race condition in this challenge, so I was pretty sure about the key recovery solution should work.

I found an easy-to-understand implementation of AES here:

http://appro.mit.jyu.fi/web-sovellukset/luennot/web2py/viikkotehtava/gluon/contrib/aes.py

Focusing on the expand_key function, I ended up with below code to recover the original key after played 8 hours with this challenge.

#! /usr/bin/env python
from Crypto.Cipher import AES

# Rijndael S-box
sbox =  [0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67,
  0x2b, 0xfe, 0xd7, 0xab, 0x76, 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59,
  0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, 0xb7,
  0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1,
  0x71, 0xd8, 0x31, 0x15, 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05,
  0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, 0x09, 0x83,
  0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29,
  0xe3, 0x2f, 0x84, 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
  0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, 0xd0, 0xef, 0xaa,
  0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c,
  0x9f, 0xa8, 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc,
  0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, 0xcd, 0x0c, 0x13, 0xec,
  0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19,
  0x73, 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee,
  0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, 0xe0, 0x32, 0x3a, 0x0a, 0x49,
  0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
  0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4,
  0xea, 0x65, 0x7a, 0xae, 0x08, 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6,
  0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, 0x70,
  0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9,
  0x86, 0xc1, 0x1d, 0x9e, 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e,
  0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, 0x8c, 0xa1,
  0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0,
  0x54, 0xbb, 0x16]

# Rijndael Rcon
rcon = [0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36,
  0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97,
  0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72,
  0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66,
  0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04,
  0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d,
  0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3,
  0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61,
  0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a,
  0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40,
  0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc,
  0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5,
  0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a,
  0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d,
  0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c,
  0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35,
  0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4,
  0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc,
  0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08,
  0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a,
  0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d,
  0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2,
  0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74,
  0xe8, 0xcb]

def xor(a, b):
  if len(a) != len(b):
    print 'Error in XOR'
    return ''
  return ''.join([chr(ord(x) ^ ord(y)) for x, y in zip(a, b)])

def main():
  c = '236043aba4e8b6934338c65726757c56607404af8fb36d5052663a318df43ff8908cd11f2880fdc45000da3a7a86db8b'.decode('hex')
  round10 = 'fb1891432f909a5b92e9ae5631509ece'.decode('hex')

  key = round10
  for i in range(10, 0, -1):
    history_key = key[:4]
    key = '{2}{1}{0}'.format(xor(key[-4:], key[-8:-4]), xor(key[-8:-4], key[-12:-8]), xor(key[-12:-8], key[-16:-12]))

    tmp = chr(sbox[ord(key[-3])] ^ rcon[i] ^ ord(history_key[0]))
    tmp += chr(sbox[ord(key[-2])] ^ ord(history_key[1]))
    tmp += chr(sbox[ord(key[-1])] ^ ord(history_key[2]))
    tmp += chr(sbox[ord(key[-4])] ^ ord(history_key[3]))
    key = tmp + key

  print key.encode('hex')

  # Time to Capture the Flag :)
  cipher = AES.new(key, AES.MODE_ECB)
  print cipher.decrypt(c)

if __name__ == '__main__':
  main()

Output:

abc85a0d526cba2f537152e402ee1890
The flag is 31C3_0748a7b8be603056aa9c391e !

Thanks my team-mates and 31C3CTF crews for a great challenge! :)