NCN2k15 CTF "CivilWar" writeup

In the past NCN2k15, all CTF participants received these files: a png image and a ogg sound. Listening that sound it's easily to advert that this is encoded data. Also the image is like a real WWII crypt order.

As the order said, this probably is an encoded RTTY, morse or hellschreiber. Maybe enigma crypted, because that was the WWII standard.

The first step is to convert the ogg file to a standard wav. Next, open it in Signals Analyzer

The image shows amplitude pulses, like morse but faster that a human can handle ;-)

A good ear immediately recognize it as an Hellschreiber signal but this is not fun and now we will to analyze it as a unknown signal.

All pulses seems to be in blocks of four bits, good synchronized and spaced. Also we don't see any sync signal, probably is a OOK mode based on a perfect sender timing. If we remember all those known OOK modes, the Hellschreiber is very similar. In the upper image we can see how to demodulate it, basically it is an matrix of pixels based on the amplitude value.

The fill order is from A (7 to 1), next B, etc. Here are a very good explanation.

Demodulate this file manually is a very tedious work for this we will use the fldigi.


Also we have the crib from the recovered document.

The enigma machine don't have space bar, and some operators used the X char as a space (others simply didn't spaced the words)

Searching for "enigma solver" shows this web page as the first result. This page does some type of black magic and have a very good result without crib.

This result is not valid because the crib is not equal ( but i must review the code and "take ideas" for my enigma-solver :p )

Now my awesome hacky-5minute-tool! (please don't review the code... is a complete mess!)

Another tools works too! for example, i'd based on this paper and code

We use the crib (X as spaces)

The "enigma-solver" program feeds from "dict/current.txt" for spell checking and give a "rank" according to number of words in the dictionary. The first message seems valid.

Sorry German girls, but my german skillz are awful.

The code is "ORRMBASDHEEEHNQSHOLJVNFF" but this is not a valid key... the last process is a MD5 and TADA!

P.D: Guys, i'm so sorry about the downtime in the CTF day... in my country all electric suppliers are a fucking piece of shit. :(