Tuts 4 You
kao

FLARE On Challenge - starts tonight!


lazydaemon

Yeah, solved #4. I guess I will not be able to finish the challenge, but anyway, it's fun.


 


@kao I just thought so because you mentioned "Mate", and it's actually very popular in Germany.


kao

You still got one week left. Plenty of time... ;)


Nah, I just like mate. Coffee makes me jittery.


toomanybananas

@ultrain I'm pretty sure I have the correct style/format of the key, since I can trace where it goes until it gets messed with. But I don't see any code that depends on its value (besides the resulting crypto) except for one seemingly unreachable block of code...


Maybe I'm just overthinking it or delving too deep into the crypto.


 


@kao Unfortunately, all the tips I've found in this thread and on #askflare seem to only be relevant after you've found the correct command line.


Extreme Coders

@toomanybananas You can perform some sort of taint analysis to get the correct command line.


After all, you have to find how the command line arg influences the running of the program. This is way easier than expected. :)

toomanybananas

@Extreme Coders that was helpful. I think I have it now; enough hints have been posted that I think I can solve it.


 


Thanks for all your help everyone!


atn

Hi everyone.


In challenge #8, I've got a PNG file, but I don't have any idea what the next step is. Any hint for it?


 


Thanks,


atn


noregret

I need help again guys. I'm stuck at #6.


 


 


I decompiled the lib (using Hex-Rays) and am currently trying to translate it into Python (https://bpaste.net/show/6a2553f92721).


 


I am trying to understand what is going on, but failing so far. Should I brute-force the alphabet or something, since I don't know what kind of input I should have in order to pass the checking algorithm? I'm totally lost now.


 


As you can see, I'm using "@flare-on.com" as an input, since it should be found in the key. So I'm trying to find the relevant bytes in that memory area "block", but I have found nothing that makes sense so far.


 



 


Mayday!


kao

@atn: learn about the most common type of image steganography.

 

@noregret: I don't speak Python very well, but it looks like your code is a mix of a serial check and some sort of bruteforcer. It's a mix of apples and oranges, so to speak.

I did two things: #1 - implement the checking algorithm in a language of my choice; it should work the exact same way as the ARM code; #2 - write a bruteforcer. When doing #1 you should gain an understanding of how the serial check works, and therefore will be able to do #2.


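As an added example of what kao's hint points at (illustrative code, not from the original post and not the challenge's own PNG), here is a Python round trip for least-significant-bit steganography: a payload is written into the LSB of every RGB sample, the image is serialized as a PNG, and the payload is read back from the decoded pixels. The tiny PNG writer/reader (8-bit RGB, non-interlaced, filter type 0 only), the 4-byte big-endian length prefix, the MSB-first bit order and the synthetic cover image are all assumptions of this example.

```python
"""LSB image steganography: hide a payload in the least-significant bit of
every RGB sample, then recover it from the pixel data.

Constructed for illustration, not the challenge's PNG. The minimal PNG writer
and reader handle only 8-bit RGB, non-interlaced images with filter type 0 on
every scanline (which is what the writer emits); the 4-byte big-endian length
prefix and MSB-first bit order are conventions chosen for this example.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, body):
    """One PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def write_png(width, height, rgb):
    """Encode raw RGB bytes as a PNG (8-bit RGB, filter 0, a single IDAT chunk)."""
    if len(rgb) != width * height * 3:
        raise ValueError("pixel buffer does not match dimensions")
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def read_png(data):
    """Decode a PNG written by write_png back to (width, height, rgb bytes)."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", None, None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height, depth, color, _, _, interlace = struct.unpack(">IIBBBBB", body)
            if (depth, color, interlace) != (8, 2, 0):
                raise ValueError("only 8-bit RGB, non-interlaced images are handled")
        elif ctype == b"IDAT":
            idat += body
        pos += 12 + length  # length field + type + body + crc
    raw = zlib.decompress(idat)
    stride = width * 3
    rows = []
    for y in range(height):
        line = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if line[0] != 0:
            raise ValueError("only filter type 0 is handled here")
        rows.append(line[1:])
    return width, height, b"".join(rows)


def lsb_embed(rgb, secret):
    """Overwrite the LSB of successive samples with length-prefixed payload bits."""
    payload = struct.pack(">I", len(secret)) + secret
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(rgb):
        raise ValueError("cover image too small for payload")
    out = bytearray(rgb)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(rgb):
    """Read the LSBs back: first the 4-byte length, then that many bytes."""
    def read_bytes(start, count):
        result = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (rgb[start + b * 8 + i] & 1)
            result.append(value)
        return bytes(result)

    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if 32 + length * 8 > len(rgb):
        raise ValueError("length prefix exceeds image size; probably no LSB payload")
    return read_bytes(32, length)


def demo(secret=b"constructed sample payload"):
    """Embed, write PNG bytes, read back, extract. Returns (recovered, samples changed)."""
    width, height = 64, 32
    # Synthetic cover image (constructed), so the example runs offline.
    cover = bytes((x * 7 + y * 13 + c * 31) & 0xFF
                  for y in range(height) for x in range(width) for c in range(3))
    stego = write_png(width, height, lsb_embed(cover, secret))
    _, _, pixels = read_png(stego)
    changed = sum(a != b for a, b in zip(cover, pixels))
    return lsb_extract(pixels), changed
```

When hunting in a real image the same extraction is run over the decoded raw samples while trying the obvious variants (bit order, channel order, a length prefix versus a terminator), because the hiding convention is the author's choice; the length sanity check above is what stops garbage from being read when no payload is present.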
toomanybananas

@noregret You do not need to brute force #6, the checking algorithm is reversible.


 


I found stepping through the algorithm and calculating by hand made it very clear what the algorithm is doing (but I have a very math-heavy background).


AcidShout

@noregret You do not need to brute force #6, the checking algorithm is reversible.

 

I found stepping through the algorithm and calculating by hand made it very clear what the algorithm is doing (but I have a very math-heavy background).

Why is everybody talking about a math-heavy background?

 

You have two tables, and to generate the key, they just took the e-mail, did *something* to it using one table, then did the totally opposite mathematical operation to it in the checking algorithm, and then they put the results in another table.

 

You just do the opposite (think: the opposite of addition is subtraction; easy as that), and done.

 

You don't even need to brute-force it; the data is there. Use your IDA-fu to script your way to glory.

atn

@noregret: I've just read your code; I think you're missing something. Why don't you read the code in Hex-Rays again?


@kao: Many thanks.


P.S.: Sorry, my English may be bad because English isn't my native language. :)


ultrain

@AcidShout


Couldn't agree with you more.


That challenge is about "prime factorization"!


One table is all the factors.


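To make the two posts above concrete, here is an added Python model of a key check built on prime factorization, together with its inverse; it is illustrative code, not the challenge's own algorithm or data. The 16-bit little-endian word size (the thread only says the loop works on words), the use of every prime below 2**16 as the factor table, the layout of the results table and the sample key are assumptions of this example.

```python
"""Model of a key check based on prime factorization, and its inverse.

Constructed for illustration; it is not the challenge's own algorithm. The
16-bit word size, little-endian byte order, the factor table (all primes
below 2**16) and the sample key are assumptions of this example.
"""
from bisect import bisect_left
from math import prod

WORD_BYTES = 2  # the thread says the loop works on words, not bytes (16-bit assumed)
WORD_LIMIT = 1 << (8 * WORD_BYTES)


def primes_below(limit):
    """Sieve of Eratosthenes; the result plays the role of the 'factor table'."""
    sieve = bytearray([1]) * limit
    sieve[0] = sieve[1] = 0
    for p in range(2, int(limit ** 0.5) + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(range(p * p, limit, p)))
    return [n for n, is_prime in enumerate(sieve) if is_prime]


FACTORS = primes_below(WORD_LIMIT)  # every word in 2..WORD_LIMIT-1 factors over this table


def to_words(data):
    """Split the candidate key into little-endian words (assumed layout)."""
    if len(data) % WORD_BYTES:
        raise ValueError("key length must be a multiple of the word size")
    return [int.from_bytes(data[i:i + WORD_BYTES], "little")
            for i in range(0, len(data), WORD_BYTES)]


def factor_exponents(value):
    """Forward direction: trial-divide one word by the factor table.

    Returns {table_index: exponent} for the primes dividing value. A zero word
    has no factorization and is rejected instead of guessed at.
    """
    if not 0 < value < WORD_LIMIT:
        raise ValueError("word out of range")
    exps = {}
    for idx, p in enumerate(FACTORS):
        if p * p > value:
            break
        while value % p == 0:
            exps[idx] = exps.get(idx, 0) + 1
            value //= p
    if value > 1:  # the remaining cofactor is itself a prime from the table
        idx = bisect_left(FACTORS, value)
        exps[idx] = exps.get(idx, 0) + 1
    return exps


def build_table(key):
    """What an author would ship: the factorization of each key word (the 'results' table)."""
    return [factor_exponents(w) for w in to_words(key)]


def check(candidate, table):
    """The verifier: factorize the candidate and compare with the stored table."""
    try:
        words = to_words(candidate)
        if len(words) != len(table):
            return False
        return all(factor_exponents(w) == expected for w, expected in zip(words, table))
    except ValueError:
        return False


def invert(table):
    """Reverse direction: multiply the factors back together.

    Factorization is unique, so the stored table determines each word and no
    brute force is needed.
    """
    out = bytearray()
    for exps in table:
        word = prod(FACTORS[i] ** e for i, e in exps.items())
        if not 0 < word < WORD_LIMIT:
            raise ValueError("table entry does not encode a single word")
        out += word.to_bytes(WORD_BYTES, "little")
    return bytes(out)


SAMPLE_KEY = b"samples@flare-on.com"  # constructed sample, not a real challenge key

if __name__ == "__main__":
    table = build_table(SAMPLE_KEY)
    print(check(SAMPLE_KEY, table), check(b"xamples@flare-on.com", table))
    print(invert(table))
```

check() is the forward direction a verifier implements; invert() is the reverse that AcidShout and ultrain describe: because prime factorization is unique, multiplying the stored factors back recovers each word directly. Zero words and odd-length input are rejected rather than guessed, which is the edge case a hand-rolled reimplementation is most likely to get wrong.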
noregret

Thanks everyone

Why is everybody talking about a math-heavy background?

You have two tables, and to generate the key, they just took the e-mail, did *something* to it using one table, then did the totally opposite mathematical operation to it in the checking algorithm, and then they put the results in another table.

You just do the opposite (think: the opposite of addition is subtraction; easy as that), and done.

You don't even need to brute-force it; the data is there. Use your IDA-fu to script your way to glory.

@atn

Which part is missing? I mean, yes, there are several unrelated parts missing (related to C), but which operation are you specifically talking about?


Edited by Loki: removed spoilers.
atn

Thanks everyone

@atn

Which part is missing? I mean, yes, there are several unrelated parts missing (related to C), but which operation are you specifically talking about?

In your Python code, you just read 0x1B28 bytes beginning at offset 0x2244, but that is not enough data; you need to notice the memcpy function. And the size of the data is a word, not a byte.

Edited by Loki: removed spoilers.
Link to post
noregret

In your Python code, you just read 0x1B28 bytes beginning at offset 0x2244, but that is not enough data; you need to notice the memcpy function. And the size of the data is a word, not a byte.

 

I got the data block from 0x2214 to 0x3D3C, which is basically 6952 (0x1B28) bytes long. I don't understand what you're saying. And the loop does operate on words, not bytes. I did not get your point.

 

Regards

atn

I got the data block from 0x2214 to 0x3D3C, which is basically 6952 (0x1B28) bytes long.

Yes, 0x2214. I mistyped it as 0x2244.

This data is correct, but you need some of the data that is used in memcmp.

I don't understand what you're saying. And the loop does operate on words, not bytes. I did not get your point.

Regards

Notice the data type in the loop.

Good luck!

noregret

Yes, 0x2214. I mistyped it as 0x2244.

This data is correct, but you need some of the data that is used in memcmp.

Notice the data type in the loop.

Good luck!

 

Notice key_word and r_word; they are both words, aren't they?

atn

Notice key_word and r_word; they are both words, aren't they?

Sorry, I've just read your code again. You're right, my mistake.

But I believe that you are missing some of the data to compare against the data you're calculating.

Let's follow the memcpy and memcmp functions in the Hex-Rays code.

noregret

Sorry, I've just read your code again. You're right, my mistake.

But I believe that you are missing some of the data to compare against the data you're calculating.

Let's follow the memcpy and memcmp functions in the Hex-Rays code.

 

No worries, mate!

So from what you mentioned, I guess "dest" and "s" play a role here as well. And you are talking about "dest", right? It contains 92 (0x5C) bytes of data (mostly nulls and some ints).

kao

Guys, I'd like to keep this thread "fair play" - no detailed solutions, just little hints if someone gets stuck.


 


Could you please discuss tech details in PMs, or at least hide them using spoiler tags? 


atn

@noregret: You can try doing something with it. And as @toomanybananas and @AcidShout said, you don't need to brute-force; just check the algorithm and think about it. :)


@kao: OK, man.

kimbo

You are missing something. Recheck the last few messages from AcidShout. And if that doesn't help...

There's a hint hidden in ioctl handler 22e0dc. It will tell you where to look for the answer.

 

I'm following that handler in WinDbg but still no luck. Really stuck on #10 :(

 

Any hint would be appreciated!

kao

@kimbo: Also check comments #34 and #35, and then look at the start of that handler...


xoreaxeax

I'm pretty much stuck on #6 as well, same as noregret. I've tried to make sense of the code and some things are still not clear to me. Would anyone be able to clear some things up for me via PM?

