LabyREnth threat4 (yara1) #1

Closed
vient opened this issue Aug 23, 2016 · 3 comments

vient commented Aug 23, 2016

Lool, really really lucky.

The intended solution was that you again have appended data in each file, 3 different in 6 files. After messing with it a bit you get XOR key 0x26 and decrypted texts:

icbx2A/Ozsb7if/bu-e62BvGzsbO1Mb-zxr/yRq6ywLGihz72A/73g/J1Bm61Qy63g7D2Mb/1AnJzgv-igr73geIdqDv2Q/IzMbO0gu63gvH2gL73gu6yAvG1R262AvK1gf9zsb/ywnCiciEk8i62gfD28bR0xrCihrCzsbA0xjN3caLm8b84xr/2NCnc6Ok2BvGzsb/1An5zgX9idC6zwT9xQrJyKOk4KOkica6ica6icbN3hjD1A3No6Okcq-nc6-jcsrA0xjN3caXihG6k8C6k8C6k8C6k8C6k8C6k8C6k8C6k8C6k8C6k8C6k8C6k8C65qOkcq-jjhn/yQXIzcaXihG6k8C6k8C6k8C6k8C6k8C6k8C6k8C6k8C6k8C6k8C6k8C6k8C65qOkcq-jjhrC0xj-idO64MaEk8aEk8aEk8aEk8aEk8aEk8aEk8aEk8aEk8aEk8aEk8aEk8bXdqCjcq-jdqC6ica6ica6ignJ1ArD3g/J19Cnc6-jcte61Qy63g7/1qOk5qaaROTXOR\x00\x00\r\n
vRjD3gu6ysbzqvjbihjP1gu63gW6zgvOzwnOigfG1cbQyxjDyxrD1QTNigXAihrC0xm6zwT91Qr/zcb-yxr7l6OkvxnD1A263g7/ihr/1xbGyxr/igj/1gXRihj/2gL7yQu6zwf90ca8k8C8ihb70xi63Q/O0cbO0gu6zA/M2Rq6mti6yB/OzxmUdqCncBjP1gu6zwT9xQrJyMaUigvIyPX-1QmncBGnc8a6ica6ica62RrM0wTB2NCnc6-jdqCjcq--zA/M2Rq6psbVicCEicCEicCEicCEicCEicCEicCEicCEicCEicCEicCEicCEihOnc6-jcsrNzwnJ1Aq6psbVicCEicCEicCEicCEicCEicCEicCEicCEicCEicCEicCEicCEihOnc6-jcsrO0g/MzcaXihG6k8C6k8C6k8C6k8C6k8C6k8C6k8C6k8C6k8C6k8C6k8C6k8C65qOkcq-jcqOkica6ica6icb91QT-0xrD1QSUdqCjcq-LigXAihrCzwOncBOaROTXOR\x00\x00\r\n
if3M0xr/ige6wufsqsbM3wL/ihrJigr/3gv93cb71gK63AfM0wfO0wXI2MbJz8bO0g/NigvIyQX-zwq6zgfOysSnc/vN0wTBihrCzsbOzwPK1gfOzsb8zwLJ3MbMzxbGywn/igv7yQ66i8CEi8bKyw/Mih3D3g663g7/igzD2BnOideMigjT3gvNo6OkdqDM3wL/igvIyPX-1Qm6o8b/1An5zgX9dqDVdqC6ica6ica6ihnO2A/IzRmUdqCjcqOkcq-jjgzD2BnOidO64MaEk8aEk8aEk8aEk8aEk8aEk8aEk8aEk8aEk8aEk8aEk8aEk8bXdqCjcq--2Qv91QT-idO64MaEk8aEk8aEk8aEk8aEk8aEk8aEk8aEk8aEk8aEk8aEk8aEk8bXdqCjcq--3g7D2Aq6psbVicCEicCEicCEicCEicCEicCEicCEicCEicCEicCEicCEicCEihOnc6-jcq-nc8a6ica6ica6yQXIzg/O0wXIo6Okcq-jmsbJz8bO0gvHdqDXROTXOR\x00\x00\r\n

Next, it looks like base64 but decrypts to nonsense. There is ROTXOR at the end of each text; after a waaay long time of thinking and trying you get that you actually need to rotate the base64 alphabet by the XOR key (also need to replace + with -). Code:

print(base64.b64decode(enc.replace('-', '+').translate(str.maketrans(alph, alph[0x26:] + alph[:0x26]))).decode())

gets you this text:

Write a YARA rule to detect all variations of this encoded data.
Using the template below replace each "**" pair with the first 12 bytes:

rule enc_doc : enc_doc
{
        strings:

                        $first = { ** ** ** ** ** ** ** ** ** ** ** ** }
                        $second = { ** ** ** ** ** ** ** ** ** ** ** ** }
                        $third = { ** ** ** ** ** ** ** ** ** ** ** ** }

        condition:
                        1 of them
}

So after filling the rule like this:

rule enc_doc : enc_doc
{
        strings:

                        $first = { 50 74 4C 62 15 41 53 10 5F 55 44 5C }
                        $second = { 4F 40 15 6B 16 5E 54 09 4F 41 43 10 }
                        $third = { 4F 45 44 5E 14 67 09 69 5C 55 44 11 }

        condition:
                        1 of them
}

you get the answer.

After all, your solution is horribly wrong and you still got the answer, very lucky :) And the challenge itself is very badly broken, my rule didn't work when I swapped two strings in it.
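The decode path described in this comment, written out as an added example (not code from the issue or from grocid's repository): it assumes the standard base64 alphabet for the `alph` in the one-liner, applies the XOR-key rotation and the `-`/`+` swap, and then re-applies the 0x26 XOR to the decrypted text to recover the raw bytes that go into the rule template. The sample input is the first 24 characters of the first decrypted text quoted above; its raw bytes come out as the `$third` string of the filled rule.

```python
import base64
import string

# Values from the issue: XOR key 0x26 and the standard base64 alphabet
# (the `alph` assumed by the one-liner in the comment).
XOR_KEY = 0x26
ALPH = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# First 24 characters of the first decrypted text quoted in the issue
# (the trailing ROTXOR marker and \x00\x00\r\n are not part of the sample).
SAMPLE = "icbx2A/Ozsb7if/bu-e62BvG"


def decode_rotated_b64(enc: str, rot: int = XOR_KEY) -> str:
    """Undo the ROTXOR encoding: base64 over an alphabet rotated by the XOR key,
    with '+' written as '-'."""
    # Map ALPH[i] -> ALPH[(i + rot) % 64], exactly as the issue's one-liner does.
    table = str.maketrans(ALPH, ALPH[rot:] + ALPH[:rot])
    standard = enc.replace("-", "+").translate(table)
    # The appended data carries no '=' padding; restore it so any length decodes.
    standard += "=" * (-len(standard) % 4)
    return base64.b64decode(standard).decode()


def yara_hex_bytes(decrypted: str, n: int = 12, key: int = XOR_KEY) -> str:
    """Re-apply the XOR key to get the bytes as they sit in the file and
    format the first n of them as a YARA hex string body."""
    raw = bytes(ord(c) ^ key for c in decrypted[:n])
    return " ".join(f"{b:02X}" for b in raw)


def build_rule(hex_bodies):
    """Fill the challenge's rule template with one hex string per variant."""
    names = ["first", "second", "third"]
    strings = "\n".join(
        f"        ${names[i]} = {{ {body} }}" for i, body in enumerate(hex_bodies)
    )
    return (f"rule enc_doc : enc_doc\n{{\n    strings:\n{strings}\n"
            f"    condition:\n        1 of them\n}}")


if __name__ == "__main__":
    print(decode_rotated_b64(SAMPLE))  # "  Write a YARA rul"
    print(yara_hex_bytes(SAMPLE))      # 4F 45 44 5E 14 67 09 69 5C 55 44 11 ($third above)
    print(build_rule([yara_hex_bytes(SAMPLE)]))
```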

vient changed the title from "Threat4 (yara1)" to "LabyREnth threat4 (yara1)" Aug 23, 2016

grocid commented Aug 23, 2016

Lucky — yes. But still, it solved the problem… that is not what I call horribly wrong… maybe unintended :-)

Problems where two sets should be separated (I’m guessing they used yara in the background on the server) can be solved by a sufficient number of random queries, so guessing is a strong method.


vient commented Aug 23, 2016

So it means they didn't even check how these sets were created by your rule, because the intended one and yours produce completely different output in terms of match/not match.


grocid commented Aug 24, 2016

Yeah... anyways, thanks for providing your solution. I will make a reference in the write-up.

@grocid grocid closed this as completed May 14, 2018