ktlq1412, Posted October 2, 2016:
I found the byte array, but it is not correct :3

kao (Author), Posted October 2, 2016:
Most likely you overlooked one byte somewhere..

ktlq1412, Posted October 2, 2016:
> 1 minute ago, kao said: Most likely you overlooked one byte somewhere..
I will try to check. Thanks.

shawneg, Posted October 2, 2016:
Can someone point me to the right key size / charset for challenge 10?

ReverseUrApp, Posted October 2, 2016:
> 7 hours ago, kao said: Most likely you overlooked one byte somewhere..
Kao, how many hours should the first challenge take, and is there something similar with a write-up to follow? I aspire to be as good as you guys one day. It's rather disappointing that I can't get past the first one. I see the function that's taking user input to create the hash, then comparing it to the stored hash. But I can't see an easy way to reverse the hash generation to find the original value of the stored key.

kao (Author), Posted October 2, 2016:
* For the best guys it took 5-10 minutes. But don't be discouraged if it takes much longer for you - this challenge is hard from the very beginning.
* That's not a hash, that's a well-known encoding method (but it uses a custom alphabet). Once you figure out what method it is, you'll be able to make your own decoder. How many characters does this alphabet have?
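As an added example (not from the thread or from any poster), here is a decoder for the kind of encoding kao hints at: a base64-style scheme whose 64-symbol alphabet has been swapped for a custom one. The base64 assumption and the rotated alphabet are constructed for illustration; in a real sample the alphabet would be recovered from the binary, and the size check is the "how many characters" question from the post made concrete.

```python
import base64
import string

# Standard base64 alphabet, used only to build test data for the decoder.
STD_B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed custom alphabet for illustration: the standard one rotated by 13.
# A real sample would carry its own alphabet somewhere in its data.
CUSTOM_ALPHABET = STD_B64[13:] + STD_B64[:13]


def check_alphabet(alphabet: str) -> None:
    """A base64-style alphabet must have exactly 64 distinct symbols."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct symbols")


def encode_custom_b64(raw: bytes, alphabet: str) -> str:
    """Encode with the standard alphabet, then map each symbol to the custom one."""
    check_alphabet(alphabet)
    std = base64.b64encode(raw).decode("ascii")
    return std.translate(str.maketrans(STD_B64, alphabet))


def decode_custom_b64(data: str, alphabet: str) -> bytes:
    """Decode from symbol indices: 6 bits per symbol, 8 bits per output byte."""
    check_alphabet(alphabet)
    index = {sym: i for i, sym in enumerate(alphabet)}
    bits, nbits = 0, 0
    out = bytearray()
    for sym in data.rstrip("="):
        if sym not in index:
            raise ValueError(f"symbol {sym!r} is not in the alphabet")
        bits = (bits << 6) | index[sym]
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1  # keep only the leftover low bits
    return bytes(out)
```

Swapping in the alphabet extracted from a sample is the whole "decoder" step; everything else is plain base64.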
ReverseUrApp, Posted October 2, 2016:
> 19 minutes ago, kao said: * For the best guys it took 5-10 minutes. But don't be discouraged if it takes much longer for you - this challenge is hard from the very beginning. * That's not a hash, that's a well-known encoding method (but it uses a custom alphabet). Once you figure out what method it is, you'll be able to make your own decoder. How many characters does this alphabet have?
I don't have enough experience with this. My method involved trying hash identifiers and decoding with base64; nothing seemed to work. Now I have a new tool in the shed for the future. On to challenge 2. Thanks. Being self-employed 8 years now, you'd think I'd have gotten into RE years ago; having software leaked is never fun lol.

Eskalina, Posted October 8, 2016:
Hello guys. Can anybody help me with the solution of the 3rd assignment? I rewrote the job in C and checked it for correctness. I tried to pick the argument symbols that are checked in the latter part of the algorithm. I'm having trouble understanding how to reverse the generation algorithm of the "checklist" to find out which way the program creates it. Since it is necessary to know the length of the argument with which to run the program, I expect that this length is 26 (according to the number of constants stored in the program). Please give me a hint if possible. Thank you.
Attachments: md5.cpp, md5.h, Unknown_Solve.cpp

kao (Author), Posted October 8, 2016:
The brute-force charset consists of printable ASCII chars. But that's the smallest of your problems. See Extreme Coders' comment: you need to figure out the correct path first.
hyper-v, Posted October 8, 2016:
> 5 hours ago, Eskalina said: Hello guys. Can anybody help me with the solution of the 3rd assignment? I rewrote the job in C and checked it for correctness. I tried to pick the argument symbols that are checked in the latter part of the algorithm. I'm having trouble understanding how to reverse the generation algorithm of the "checklist" to find out which way the program creates it. Since it is necessary to know the length of the argument with which to run the program, I expect that this length is 26 (according to the number of constants stored in the program). Please give me a hint if possible. Thank you.
> Attachments: md5.cpp, md5.h, Unknown_Solve.cpp
Small unrelated hint: why don't you make a DLL, load it into the process, and use its functions, instead of rewriting all the algorithms inside your code? In fact, there are many ways of calling a binary's functions in order to avoid having to rewrite them yourself. Here are a few off the top of my head:

```cpp
// Definition: cast the binary's function addresses (as mapped in the process
// your DLL is loaded into) to function pointers with the right calling convention
auto imp_md5       = (void(__cdecl*)(void*, void*, size_t)) 0x402D10;
auto imp_RC4_Init  = (void*(__fastcall*)(void*, void*, void*, int)) 0x401120;
auto imp_RC4_Crypt = (void*(__thiscall*)(void* state, void* data, size_t len)) 0x401230;

// Usage: call them like any other function
imp_md5(md5_hash, rc4_key, 16);
imp_RC4_Init(state, rc4_key, rc4_key, 16);
imp_RC4_Crypt(state, hashTable, 104);
```

```
// IDA has to know everything about the function(s) before you call it (them)
.text:00402D10 ; int __cdecl md5(void *, void *, size_t)
.text:00402D10 md5 proc near
KernelBase.dll:74B0F002 ; int __stdcall kernelbase_VirtualAlloc(int a1, int a2, int a3, int a4)
KernelBase.dll:74B0F002 kernelbase_VirtualAlloc proc near ; DATA XREF: kernel32.dll:off_76130908o

// Usage (Python)
Python>mem = Appcall.kernelbase_VirtualAlloc(0, 16, 0x3000, 64)
Python>hex(mem)
0x1c0000L
Python>hex(Appcall.md5(mem, 0x402B3C, 16))
0x1c0000L

// Memory contents
DE 62 47 24 9F 23 88 F4 F4 C0 A0 41 96 6F 95 72
```

Apart from this, you can always try debugging the program, running the call, adjusting the stack and the arguments, and changing EIP (but this usually doesn't work / is too complex for what it does). Tricks like these greatly speed you up and allow you to focus on the challenge instead of on the implementation details.

Also, does anybody else find this year's challenges excessively guessing-based? I thought it was a reversing challenge, not a guessing game. It's annoying because I was expecting a good set of reversing challenges but instead I got to write brute forcers.
kao (Author), Posted October 8, 2016:
> 1 hour ago, hyper-v said: Also, does anybody else find this year's challenges excessively guessing-based?
Lol, you should have tried last year, it was even worse! Unfortunately that's kinda the trademark of FLARE..

Gyver75, Posted October 9, 2016:
Hi Hyper-v, which version of IDA do you have? I ask you this question because my IDA doesn't recognize the names of those functions. Probably you have a better FLIRT signature than mine. And of course I agree with you about the general approach to this challenge, 'cos this challenge is 'special'. As Kao and Extreme Coders said, there's some 'extra' info inside the binary. Bye bye

Eskalina, Posted October 9, 2016:
@kao @hyper-v @Gyver75 I solved this task, thank you. Many thanks. I understand why this task is "special"; I've seen it many times but did not pay attention. I'm really grateful to you, you're cool. I love you guys

hyper-v, Posted October 9, 2016 (edited):
> 6 hours ago, Gyver75 said: Hi Hyper-v, which version of IDA do you have? I ask you this question because my IDA doesn't recognize the names of those functions. Probably you have a better FLIRT signature than mine. And of course I agree with you about the general approach to this challenge, 'cos this challenge is 'special'. As Kao and Extreme Coders said, there's some 'extra' info inside the binary. Bye bye
It wasn't my IDA that recognized the functions, it was me, I named them (MD5 and RC4; for the kernelbase functions there's another thing you can do, but I'm not sure if you were referring to this, I could explain it if you want). Apart from that, you have to specify the type: put the cursor on the name and press Y, then enter the type, like:
int __cdecl some_func(int arg1, int arg2, char* arg3)
(else IDA will not know *how* to call the function from Appcall). Also, I didn't use signatures or anything like that, I just saw the big function with lots of constants and ROL4, so I assumed it was MD5 (I might be wrong, but it doesn't matter, the idea is that it is a hash function). Over time you get used to this and recognize most popular hashes / snippets by just looking at them.
Edited October 9, 2016 by hyper-v

Rurik, Posted October 10, 2016:
#7 is frustrating. The logic is straightforward, I see the final set of data and the lookup, but not how to solve it without an impossible brute force.

Extreme Coders, Posted October 10, 2016:
Yes, it is only solvable by brute force. To make it feasible you would need to predict some pieces of data. There's a hint hidden in plain sight which should help you in guessing. I am on the final challenge and it looks like a real deal breaker.

kao (Author), Posted October 10, 2016:
@Rurik - it just looks impossible, it ain't. As I said earlier:
@Extreme Coders: same here. I'm not into digital dumpster-diving, so I take no pleasure in digging through a 20MB PCAP..

hyper-v, Posted October 10, 2016:
> 2 hours ago, kao said: @Rurik - it just looks impossible, it ain't. As I said earlier: @Extreme Coders: same here. I'm not into digital dumpster-diving, so I take no pleasure in digging through a 20MB PCAP..
I can't wait for all the writeups and the opinions/criticism on how this is even remotely RE related. It's not even funny.

Rurik, Posted October 11, 2016:
@Extreme Coders @kao, thanks. After half a day of brute forcing the answer came out. Working from the back forward, you really only have to brute-force three blocks. I'd agree that the hint is in plain sight, but you wouldn't know it was a hint until you were done. At the very least, a good one to practice patching bytes.

Extreme Coders, Posted October 11, 2016 (edited):
@Rurik Definitely so. Maybe I was lucky and used the so-called hint to make educated guesses; the answer came out in minutes instead of hours. For #10, I am stuck on the first part where you would need to get the key to decrypt the embedded SWF. A brute force seems infeasible, and the shuffling in the keystream generator makes it difficult to invert.
Edited October 11, 2016 by Extreme Coders

Holy, Posted October 11, 2016:
> 4 hours ago, Extreme Coders said: @Rurik Definitely so. Maybe I was lucky and used the so-called hint to make educated guesses; the answer came out in minutes instead of hours. For #10, I am stuck on the first part where you would need to get the key to decrypt the embedded SWF. A brute force seems infeasible, and the shuffling in the keystream generator makes it difficult to invert.
Same here, going the obfuscated JavaScript way; after some layers it seems to also need brute forcing and is not feasible, so really stuck too.

fasya, Posted October 11, 2016:
> 8 hours ago, Extreme Coders said: @Rurik Definitely so. Maybe I was lucky and used the so-called hint to make educated guesses; the answer came out in minutes instead of hours. For #10, I am stuck on the first part where you would need to get the key to decrypt the embedded SWF. A brute force seems infeasible, and the shuffling in the keystream generator makes it difficult to invert.
You don't need to brute force the first key for the SWF, you have to get it from the obfuscated JavaScript.
> 4 hours ago, Holy said: Same here, going the obfuscated JavaScript way; after some layers it seems to also need brute forcing and is not feasible, so really stuck too.
It can be brute forced but will take a couple of hours to be done.

Levis, Posted October 13, 2016:
Just finished up today. Level 10 was really a nightmare, alongside with the 5th and 8th (personally I think).