-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathlevel21.ts
More file actions
31 lines (29 loc) · 5.15 KB
/
level21.ts
File metadata and controls
31 lines (29 loc) · 5.15 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
import { Level } from './types';
export const level21: Level = {
id: 21,
title: "XOR Cryptography: The Key Reconstruction",
description: "Encrypted C2 (Command & Control) communication channel uses 4-byte XOR key for packet encryption. Real-world malware (Zeus, Emotet, Cobalt Strike) use XOR for network traffic obfuscation. Software license validation systems (V8 Protector, Themida) use multi-byte XOR constraints. Network protocols (some VPN implementations) use XOR layers. Your scenario: Intercepted encrypted traffic reveals four XOR constraints that validate encryption key. Each constraint checks one byte of 4-byte key against known plaintext-ciphertext pair. Constraint 1: KEY_BYTE_0 ^ 0x41 must equal 0x13. Constraint 2: KEY_BYTE_1 ^ 0x2F must equal 0x64. Constraint 3: KEY_BYTE_2 ^ 0x19 must equal 0x67. Constraint 4: KEY_BYTE_3 ^ 0xDA must equal 0x76. XOR is reversible cipher: if A ^ B = C, then C ^ B = A (self-inverse property). This property makes XOR weak for encryption but common in obfuscation. Real-world examples: Malware uses XOR for strings/config obfuscation (avoids signature detection). Network traffic uses XOR as first-layer encoding before encryption. Game save files use XOR for simple anti-tamper. License keys use XOR checksums for validation. Your task: Solve all four constraints to reconstruct full encryption key. Use XOR reversibility property: calculate KEY_BYTE_0 = 0x13 ^ 0x41, KEY_BYTE_1 = 0x64 ^ 0x2F, KEY_BYTE_2 = 0x67 ^ 0x19, KEY_BYTE_3 = 0x76 ^ 0xDA. All four bytes must be correct atomically - partial key rejected (key validator checks all bytes simultaneously). Techniques: Memory Scanner (locate byte slots, calculate XOR results), Hex Editor (set individual key bytes), hybrid approach. Educational concepts: XOR cryptography, reversible ciphers, multi-byte keys, constraint solving, known-plaintext attacks. This mirrors real cryptanalysis: given ciphertext and known plaintext, derive encryption key through XOR properties. Understand XOR weakness. Reconstruct the key. Decrypt the channel.",
requiredSkill: "Multi-Byte XOR Key Reconstruction & Constraint Cryptanalysis",
objective: (s) => {
const byte0Valid = s.health === 0x52; // KEY_BYTE_0: 0x13 ^ 0x41 = 0x52
const byte1Valid = s.ammo === 0x4B; // KEY_BYTE_1: 0x64 ^ 0x2F = 0x4B
const byte2Valid = s.score === 0x7E; // KEY_BYTE_2: 0x67 ^ 0x19 = 0x7E
const byte3Valid = s.sortValue1 === 0xAC; // KEY_BYTE_3: 0x76 ^ 0xDA = 0xAC
return byte0Valid && byte1Valid && byte2Valid && byte3Valid;
},
hint: "Four bytes. Four constraints. One key. Use XOR reversibility: if A ^ B = C, then C ^ B = A. KEY_BYTE_0 = 0x13 ^ 0x41 = 0x52 (82), KEY_BYTE_1 = 0x64 ^ 0x2F = 0x4B (75), KEY_BYTE_2 = 0x67 ^ 0x19 = 0x7E (126), KEY_BYTE_3 = 0x76 ^ 0xDA = 0xAC (172). Reconstruct the encryption key.",
tutorPersona: "The Cryptanalyst: XOR is the mirror cipher - reversible, self-inverse, weak alone but common in obfuscation. Real malware uses XOR for traffic encryption because fast, simple, looks random to untrained eye. Zeus banking trojan XORs C2 packets. Emotet XORs embedded strings. Cobalt Strike beacons use XOR encoding. Why? XOR with wrong key produces garbage - hides structure. But XOR is vulnerable to known-plaintext attack. If you know plaintext and ciphertext, derive key trivially: KEY = PLAINTEXT ^ CIPHERTEXT. Your scenario: Four XOR constraints validate encryption key used for C2 channel. Each constraint is known-plaintext pair. Constraint 1: KEY_BYTE_0 XORed with 0x41 produces 0x13. Solve: KEY_BYTE_0 = 0x13 ^ 0x41 = 0x52 (82 decimal). XOR property: (A ^ B) ^ B = A. Constraint 2: KEY_BYTE_1 ^ 0x2F = 0x64. Solve: KEY_BYTE_1 = 0x64 ^ 0x2F = 0x4B (75 decimal). Constraint 3: KEY_BYTE_2 ^ 0x19 = 0x67. Solve: KEY_BYTE_2 = 0x67 ^ 0x19 = 0x7E (126 decimal). Constraint 4: KEY_BYTE_3 ^ 0xDA = 0x76. Solve: KEY_BYTE_3 = 0x76 ^ 0xDA = 0xAC (172 decimal). In real cryptanalysis: capture encrypted packet, identify protocol markers (magic bytes, headers), XOR known plaintext with ciphertext to extract key. Multi-byte keys work same way - derive each byte independently via known pairs. Key validator checks all four bytes atomically. Partial key fails. This is how analysts break XOR obfuscation in malware configs, game save encryption, weak VPN protocols. XOR alone is not secure encryption - use for obfuscation only. Modern malware layers XOR with AES/RSA for real security. Your task: Apply known-plaintext attack. Calculate four key bytes using XOR reversibility. Set all four correctly. Key reconstruction complete.",
memoryLayout: [
{ key: 'health', label: 'KEY_BYTE_0', type: 'byte', offset: 0x10 },
{ key: 'ammo', label: 'KEY_BYTE_1', type: 'byte', offset: 0x1C },
{ key: 'score', label: 'KEY_BYTE_2', type: 'byte', offset: 0x50 },
{ key: 'sortValue1', label: 'KEY_BYTE_3', type: 'byte', offset: 0xA0 }
],
initialState: {
health: 100, // Repurposed as KEY_BYTE_0 but needs >0 to prevent BSOD (should be 0x52 = 82)
ammo: 0, // KEY_BYTE_1 (should be 0x4B = 75)
score: 0, // KEY_BYTE_2 (should be 0x7E = 126)
sortValue1: 0 // KEY_BYTE_3 (should be 0xAC = 172)
},
platforms: [{ id: 'p1', x: 0, y: 280, width: 800, height: 40, type: 'static' }]
};