October 13, 2016 @Levis: is it a nightmare because it's tedious, or because it's non-obvious, and requires loads of guessing / trial & error? any parting advice you can give to someone who's just started on #10? thanks
October 13, 2016 @kao: Hello and thanks for cheering me. Actually because I saw in the last year you're the winner, I admire you so much and that moment, it became my inspiration to keep learning, try hard and never give up for a whole year, stepping up and down, try and fail many times. Thank you again.

@evandrix and whoever is stuck with #10: All I can say is it requires knowledge about cryptography (I have no idea about this subject, and I have been reading a lot of documents during that time in order to pass the challenge). The code is highly obfuscated, so you must take care on every step, otherwise you will miss something. F12 -> Sources in Chrome or IE would help.

Regards

Edited October 13, 2016 by Levis
October 13, 2016 for #9, without revealing more details than necessary, why is `share6` a file? I'm expecting a 64 hex char string...
October 13, 2016 17 minutes ago, evandrix said:

> for #9, without revealing more details than necessary, why is `share6` a file? I'm expecting a 64 hex char string...

Have you tried opening it?
October 13, 2016 3 minutes ago, Holy said:

> Have you tried opening it?

yes, it's a 5008 byte file of unintelligible data...
October 13, 2016 Just now, evandrix said:

> yes, it's a 5008 byte file of unintelligible data...

Check the decryption key; it must be using the wrong one. A good decrypted file is a picture.
October 13, 2016 3 minutes ago, Holy said:

> Check the decryption key; it must be using the wrong one. A good decrypted file is a picture.

oh, i see. okie
October 14, 2016 #10: I see a huge mess of typical web surfing traffic files. Is there some clue / hint on how / where to start looking for the rumored .js & .swf's previously mentioned in this forum discussion thread? Is decrypting SSL traffic in Wireshark necessary?
October 14, 2016 #10: I found an md5 hash from the swf, and values from the pcap to fill my js req/resp params, but one of the params in the js is missing - is bruteforce necessary then to find this param? Am I still on track? Is the md5 hash in the swf the md5 hash of the flag?
October 15, 2016 #10: does this level also involve bruteforcing? Looks rather intractable... How is the (key for swf) related to (decrypted payload in js - assuming I have found the right decryption key) - assuming they are related? Is the final flag (the one ending in @flare-on.com) obtained by putting both together or something? Or is one a clue for the other?

Edited October 15, 2016 by evandrix
October 15, 2016 In this challenge, bruteforcing is not necessary, just follow the network traffic. Whichever is pulled first from the server, you should deal with it first.
October 15, 2016 On 9/29/2016 at 6:01 PM, kao said:

> @fasya: $ is the hint. So is the geezers reference.

Hi, I'm new to this forum, and can't seem to figure out the decoding scheme to use on the data in .text. Tried to copy the decoding scheme used on the fake input checks. Spoiler: (to get: this is the wrong password). Maybe I'm missing something more in the .data segment?
October 17, 2016 Author

@quend: Spoiler: The answer is not in .text or .data segment$. Look at other place$.

@evandrix: please, don't ruin the fun for others - hide the spoilers and don't ask for straight answers.
October 18, 2016 On 10/17/2016 at 3:37 PM, kao said:

> @quend: The answer is not in .text or .data segment$. Look at other place$.
>
> @evandrix: please, don't ruin the fun for others - hide the spoilers and don't ask for straight answers.

I can't delete my posts...
October 18, 2016 Hi, regarding #9 (GUI.EXE). This is probably really lame, but here goes: I am using dnSpy and after decrypting layer1 I am able to place a breakpoint on the Layer1.Main() (after it is loaded up). Then I can meet the requirements to get another key and decrypt layer2. But then I place breakpoints all over Layer2 (including Main()), but they never hit. What am I missing here? The method.Invoke seems the same.
October 19, 2016 Author

12 hours ago, msr said:

> I place breakpoints all over Layer2 (including Main()), but they never hit

I had a similar problem and it seems to me that dnSpy is unable to link dumped Layer2 assembly (where you set breakpoints) with the dynamically loaded assembly. I worked around it by unpacking each layer, saving as a new exe file, and then running this new exe under dnSpy.
October 20, 2016 #Challenge3 - Unknown

Spoiler: I know that the software performs some actions on the command line arguments, but I cannot really follow what it is doing. I think the calculations are associated with these strings: "RSDS", "yOU MAKE GOOD Arguhments !", and of course the string found in argv[1]. And I saw a string named "MD5", so probably there is use of MD5, but I have not seen references to it in the Import (nor by dynamic loading with LoadLibrary & GetProcAddress). Any tips?
October 20, 2016 @0ne you need to loop harder, because the values you wrote aren't correct. Also, as (I think) I described some posts back, the binary has a custom MD5 implementation. But you don't really need that. You just have to know it's hashing some data and outputting a (one-way) 16 byte buffer.
October 21, 2016 Finally completed all challenges. The last one was particularly demoralising and it took a lot of time to get through. A quantum computer should speed up things though
October 22, 2016 Did anyone else have a hard time setting breakpoints for #9 layer1? I'm thinking dnSpy is struggling bc it failed to decompile it, got this error: icsharpcode.decompiler exception null value
October 23, 2016 On 10/22/2016 at 0:27 PM, quend said:

> Did anyone else have a hard time setting breakpoints for #9 layer1? I'm thinking dnSpy is struggling bc it failed to decompile it, got this error: icsharpcode.decompiler exception null value

Once the assembly is loaded, you can set breakpoints on the "helper" class and its first few methods. If you step into (F11) the second method it will dynamically decompile the main program logic and you will be able to debug there (at least that was my experience with this particular binary).