Experiment with a corrupted USB drive image

        Download the CTF.hdd file from the website and open it with WinHex; the contents show that it is an image in exFAT format.

        Checking it with binwalk shows that the file contains two zip archives, which were extracted using foremost. One archive requires a password to decompress; the other yields a Password.txt file after decompression, which indicates that the password of the first archive is related to a checksum.

        The exFAT file system format documentation shows how the checksum is calculated. For details, please refer to "exFAT file system format".


        The C# code given in that reference is rewritten in Python to calculate the checksum value. The calculation result is 0x81c6fa94.

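# -*- coding:utf8 -*-

# Compute the exFAT boot checksum over the first 11 sectors (512 bytes each).
with open('/root/Downloads/CTF.hdd', 'rb') as file:
    content = file.read()
checksum = 0
for i in range(0, 11*512):
    # Bytes 106-107 (VolumeFlags) and 112 (PercentInUse) are excluded from the checksum
    if i == 106 or i == 107 or i == 112:
        continue
    # Rotate right by one bit, add the byte, and wrap to 32 bits like a C# UInt32
    checksum = ((((checksum << 31) & 0xFFFFFFFF) | (checksum >> 1)) + content[i]) & 0xFFFFFFFF
print(hex(checksum))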

        The password obtained by taking the MD5 of 81c6fa94 is wrong. Other people's write-ups explain why: the checksum is stored in the file in little-endian byte order, so the correct sequence is 94FAC681.

        The correct password is calculated as C9737665D39274F6C5A256B943748068.

        Decompress to get Key.txt. The flag is CTF{ExFat-Checksum}
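        The checksum and byte-order steps above can be turned into a boot region integrity check. The following is an added example, not code from the original write-up: it recomputes the checksum, compares it with the copy exFAT stores in the 12th sector, and prints the value in on-disk byte order. The function names and the sample region are constructed for illustration, and 512-byte sectors are assumed.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors, matching the 11*512 range in the script above

def boot_checksum(region, sector_size=SECTOR):
    """32-bit exFAT boot checksum over the first 11 sectors of a boot region."""
    checksum = 0
    for i in range(11 * sector_size):
        if i in (106, 107, 112):  # VolumeFlags and PercentInUse are excluded
            continue
        rotated = ((checksum << 31) & 0xFFFFFFFF) | (checksum >> 1)
        checksum = (rotated + region[i]) & 0xFFFFFFFF  # wrap like a C# UInt32
    return checksum

def stored_checksum(region, sector_size=SECTOR):
    """Value recorded in the 12th sector, or None if it is short or inconsistent."""
    sector = bytes(region[11 * sector_size:12 * sector_size])
    if len(sector) != sector_size:
        return None
    words = set(struct.unpack('<%dI' % (sector_size // 4), sector))
    return words.pop() if len(words) == 1 else None

def on_disk_hex(checksum):
    """Hex digits in the order a hex editor shows them (little-endian bytes)."""
    return struct.pack('<I', checksum).hex().upper()

def check_boot_region(region):
    """Compare the recomputed checksum with the stored one."""
    computed, stored = boot_checksum(region), stored_checksum(region)
    return {'computed': computed, 'stored': stored,
            'on_disk': on_disk_hex(computed), 'valid': computed == stored}

def make_sample_region():
    """Constructed 12-sector boot region (sample data, not taken from CTF.hdd)."""
    body = bytes((i * 7 + 3) & 0xFF for i in range(11 * SECTOR))
    return body + struct.pack('<I', boot_checksum(body)) * (SECTOR // 4)

if __name__ == '__main__':
    region = bytearray(make_sample_region())
    print(check_boot_region(region))
    region[112] ^= 0xFF   # PercentInUse is skipped, so the region stays valid
    print(check_boot_region(region)['valid'])
    region[200] ^= 0x01   # a change to any covered byte breaks the match
    print(check_boot_region(region)['valid'])
    print(on_disk_hex(0x81C6FA94))  # the page's checksum in on-disk order
```

        To check a real image, pass its first 12 sectors to check_boot_region.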
