kao (Author), posted October 13, 2016:
@Levis: hey, long time no see! Congrats on finishing the challenge!

evandrix, posted October 13, 2016:
@Levis: is it a nightmare because it's tedious, or because it's non-obvious, and requires loads of guessing / trial & error? any parting advice you can give to someone who's just started on #10? thanks

Levis, posted October 13, 2016 (edited):
@kao: Hello and thanks for cheering me. Actually because I saw in the last year you're the winner, I admire you so much and that moment, it became my inspiration to keep learning, try hard and never give up for a whole year, stepping up and down, try and fail many times. Thank you again.
@evandrix and whoever is stuck with #10: All I can say is it requires knowledge about cryptography (I have no idea about this subject, and I have been reading a lot of documents during that time in order to pass the challenge). The code is highly obfuscated so you must take care on every step, otherwise you will miss something. F12 -> Sources in Chrome or IE would help.
Regards

evandrix, posted October 13, 2016:
for #9, without revealing more details than necessary, why is `share6` a file? I'm expecting a 64 hex char string...

Holy, posted October 13, 2016:
> 17 minutes ago, evandrix said: for #9, without revealing more details than necessary, why is `share6` a file? I'm expecting a 64 hex char string...
Have you tried opening it?

evandrix, posted October 13, 2016:
> 3 minutes ago, Holy said: Have you tried opening it?
yes, it's a 5008 byte file of unintelligible data...

Holy, posted October 13, 2016:
> Just now, evandrix said: yes, it's a 5008 byte file of unintelligible data...
Check the decryption key; it must be using the wrong one. A good decrypted file is a picture.

evandrix, posted October 13, 2016:
> 3 minutes ago, Holy said: Check the decryption key; it must be using the wrong one. A good decrypted file is a picture.
oh, i see. okie

evandrix, posted October 14, 2016:
#10: i see a huge mess of typical web surfing traffic files. is there some clue / hint on how / where to start looking for the rumored .js & .swf's previously mentioned in this forum discussion thread? is decrypting ssl traffic in wireshark necessary?

evandrix, posted October 14, 2016:
#10: I found an md5 hash from the swf, and values from the pcap to fill my js req/resp params, but one of the params in the js is missing - is bruteforce necessary then to find this param? Am I still on track? is the md5 hash in the swf the md5 hash of the flag?

evandrix, posted October 15, 2016 (edited):
#10: does this level also involve bruteforcing? looks rather intractable... how is the (key for swf) related to (decrypted payload in js - assuming i have found the right decryption key) - assuming they are related? is the final flag (the one ending in @flare-on.com) obtained by putting both together or something? or one is a clue for the other?

Levis, posted October 15, 2016:
In this challenge, bruteforcing is not necessary, just follow the network traffic. Whichever is pulled first from the server, you should deal with it first.

quend, posted October 15, 2016:
> On 9/29/2016 at 6:01 PM, kao said: @fasya: [Spoiler] $ is the hint. So is the geezers reference.
Hi, I'm new to this forum, and can't seem to figure out the decoding scheme to use on the data in .text. Tried to copy the decoding scheme used on the fake input checks [Spoiler] (to get: this is the wrong password). Maybe I'm missing something more in the .data segment?

kao (Author), posted October 17, 2016:
@quend: [Spoiler] The answer is not in .text or .data segment$. Look at other place$.
@evandrix: please, don't ruin the fun for others - hide the spoilers and don't ask for straight answers.

evandrix, posted October 18, 2016 (edited):
<redacted>

evandrix, posted October 18, 2016:
> On 10/17/2016 at 3:37 PM, kao said: @quend: [Spoiler] The answer is not in .text or .data segment$. Look at other place$. @evandrix: please, don't ruin the fun for others - hide the spoilers and don't ask for straight answers.
i can't delete my posts...

msr, posted October 18, 2016:
Hi, regarding #9 (GUI.EXE). This is probably really lame, but here goes: I am using dnSpy and after decrypting layer1 I am able to place a breakpoint on the Layer1.Main() (after it is loaded up). Then I can meet the requirements to get another key and decrypt layer2. But then I place breakpoints all over Layer2 (including Main()), but they never hit. What am I missing here? The method.Invoke seems the same.

kao (Author), posted October 19, 2016:
> 12 hours ago, msr said: I place breakpoints all over Layer2 (including Main()), but they never hit
I had a similar problem and it seems to me that dnSpy is unable to link dumped Layer2 assembly (where you set breakpoints) with the dynamically loaded assembly. I worked around it by unpacking each layer, saving as a new exe file, and then running this new exe under dnSpy.

0ne, posted October 20, 2016:
#Challenge3 - Unknown, [Spoiler] I know that the software performs some actions on the command line arguments, but I cannot really follow what it is doing. I think the calculations are associated with these strings: "RSDS", "yOU MAKE GOOD Arguhments !", and of course the string found in argv[1]. And I saw a string named "MD5", so there is probably use of MD5, but I have not seen references to it in the imports (nor by dynamic loading with LoadLibrary & GetProcAddress). Any tips?

hyper-v, posted October 20, 2016:
@0ne you need to loop harder, because the values you wrote aren't correct. Also, as I (think) I described some posts behind, the binary has a custom MD5 implementation. But you don't really need that. You just have to know it's hashing some data and outputting a (one-way) 16 byte buffer.

Extreme Coders, posted October 21, 2016:
Finally completed all challenges. The last one was particularly demoralising and it took a lot of time to get through. A quantum computer should speed up things though.

quend, posted October 22, 2016:
Did anyone else have a hard time setting breakpoints for #9 layer1? I'm thinking dnSpy is struggling bc it failed to decompile it, got this error: icsharpcode.decompiler exception null value

msr, posted October 23, 2016:
> On 10/22/2016 at 0:27 PM, quend said: Did anyone else have a hard time setting breakpoints for #9 layer1? I'm thinking dnSpy is struggling bc it failed to decompile it, got this error: icsharpcode.decompiler exception null value
Once the assembly is loaded, you can set breakpoints on the "helper" class and its first few methods. If you step into (F11) the second method it will dynamically decompile the main program logic and you will be able to debug there (at least that was my experience with this particular binary).