quend, posted September 17, 2017: @SmilingWolf thanks for offering - I actually figured it out. Initially I was trying to use an instruction-count side channel, but it won't work for #11 - had to do it the hard way, lol.
reversing4fun, posted September 17, 2017: Can someone help me with level 5? I got the letters, reordered them and did rot13, but I don't know what I should do with the result. Do I need to use it as a key to decrypt something?
Rurik, posted September 17, 2017, replying to reversing4fun's post above: IIRC, if you check the input bounds, it'll take either a coordinate or a 16-byte string.
reversing4fun, posted September 17, 2017: Thanks. I noticed that call before but decided to check it later. Then I forgot about it. :/
VirtualPuppet, posted September 17, 2017, replying to grau (7 hours ago): "Got stuck on challenge 4. Can't decrypt with key.bin"

If you look at the code, you'll find the initial key (on which an XOR encryption is performed). The key for the XOR encryption is based on the key.bin file. The key.bin file is generated by a function that checks for the "%USERPROFILE%\flareon2016challenge" folder (if it exists), then iterates the files in it, compares the timestamp in the Optional Header of each file and, based on the timestamp, reads an offset of data from the file and writes it to the key.bin file. Now, if you download all the files from the 2016 challenge and compare their timestamps (I used CFF Explorer), you will find the necessary files. I wrote this function to parse them and print the flag:

```cpp
#include <windows.h>
#include <cstring>
#include <functional>
#include <iostream>

void flare_on_4() {
    // Mapped image base + OptionalHeader.BaseOfCode (an RVA) = first byte of the code section.
    std::function<const char*(const char*)> get_code_base = [](const char* input) -> const char* {
        return input + PIMAGE_NT_HEADERS(input + PIMAGE_DOS_HEADER(input)->e_lfanew)->OptionalHeader.BaseOfCode;
    };

    // Initial key taken from the challenge binary: 32 bytes plus a NUL so it prints as a string.
    unsigned char key[] = {
        0x37, 0xE7, 0xD8, 0xBE, 0x7A, 0x53, 0x30, 0x25, 0xBB, 0x38, 0x57, 0x26, 0x97, 0x26, 0x6F, 0x50,
        0xF4, 0x75, 0x67, 0xBF, 0xB0, 0xEF, 0xA5, 0x7A, 0x65, 0xAE, 0xAB, 0x66, 0x73, 0xA0, 0xA3, 0xA1,
        0x00
    };

    // What key.bin would contain: 8 bytes from the code section of each of the four 2016 binaries.
    unsigned char xor_key[32];
    memset(xor_key, 0, sizeof(xor_key));

    // Map the binaries as data (no entry point, no import resolution).
    const char* input_1 = reinterpret_cast<const char*>(LoadLibraryEx(L"C:\\Users\\Benny\\flareon2016challenge\\1.exe", NULL, DONT_RESOLVE_DLL_REFERENCES));
    const char* input_2 = reinterpret_cast<const char*>(LoadLibraryEx(L"C:\\Users\\Benny\\flareon2016challenge\\2.exe", NULL, DONT_RESOLVE_DLL_REFERENCES));
    const char* input_3 = reinterpret_cast<const char*>(LoadLibraryEx(L"C:\\Users\\Benny\\flareon2016challenge\\3.exe", NULL, DONT_RESOLVE_DLL_REFERENCES));
    const char* input_4 = reinterpret_cast<const char*>(LoadLibraryEx(L"C:\\Users\\Benny\\flareon2016challenge\\4.exe", NULL, DONT_RESOLVE_DLL_REFERENCES));

    // Each file contributes 8 bytes, read 0x10 further into the code section than the previous one.
    if (input_1) memcpy(xor_key,      get_code_base(input_1),        8);
    if (input_2) memcpy(xor_key + 8,  get_code_base(input_2) + 0x10, 8);
    if (input_3) memcpy(xor_key + 16, get_code_base(input_3) + 0x20, 8);
    if (input_4) memcpy(xor_key + 24, get_code_base(input_4) + 0x30, 8);

    for (int i = 0; i < 32; i++) key[i] ^= xor_key[i];

    /* bl457_fr0m_th3_p457@flare-on.com */
    std::cout << key << std::endl;
}
```
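As an added example (not VirtualPuppet's code and not the challenge's own logic), the same header walk done on the raw files in Python, so the timestamps can be compared and the key fragments pulled without mapping the binaries through LoadLibraryEx. The PE images it runs on are constructed inline. The 8-byte fragment at BaseOfCode + 0x10*i schedule is taken from the memcpy calls in the post above and is an assumption here; the rule the challenge uses to map a timestamp to an offset is not given in this thread and is not modelled. One detail worth knowing when you go looking for the field: TimeDateStamp sits in the COFF file header, immediately before the optional header.

```python
import struct
from typing import List

# Field offsets/layouts from the PE/COFF specification.
DOS_E_LFANEW = 0x3C            # DWORD: file offset of the "PE\0\0" signature
COFF_HEADER_FMT = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
OPT_BASE_OF_CODE = 20          # offset of BaseOfCode inside the optional header (same for PE32 and PE32+)
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)


class PEImage:
    """Read-only parser for the three things needed here: file-header timestamp, BaseOfCode, RVA -> file offset."""

    def __init__(self, data: bytes):
        if data[:2] != b"MZ":
            raise ValueError("missing MZ signature")
        e_lfanew = struct.unpack_from("<I", data, DOS_E_LFANEW)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        coff = e_lfanew + 4
        (_, nsections, self.timestamp, _, _, opt_size, _) = struct.unpack_from(COFF_HEADER_FMT, data, coff)
        opt = coff + struct.calcsize(COFF_HEADER_FMT)
        self.base_of_code = struct.unpack_from("<I", data, opt + OPT_BASE_OF_CODE)[0]
        self.sections = []
        for i in range(nsections):
            (name, vsize, va, rawsize, rawptr, *_rest) = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
            self.sections.append((name.rstrip(b"\0"), va, max(vsize, rawsize), rawptr))
        self.data = data

    def rva_to_offset(self, rva: int) -> int:
        """On disk the code is not at the RVA; walk the section table to find where it lives."""
        for _name, va, size, rawptr in self.sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    def code_bytes(self, offset: int, length: int) -> bytes:
        """Bytes at BaseOfCode + offset, i.e. what get_code_base(img) + offset points at once mapped."""
        start = self.rva_to_offset(self.base_of_code + offset)
        return self.data[start:start + length]


def build_xor_key(images: List[PEImage], stride: int = 0x10, fragment: int = 8) -> bytes:
    """Image i contributes `fragment` bytes at BaseOfCode + i*stride (assumed schedule, mirrors the post's memcpy calls)."""
    return b"".join(img.code_bytes(i * stride, fragment) for i, img in enumerate(images))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_sample_pe(timestamp: int, code: bytes) -> bytes:
    """Constructed minimal PE32 with one .text section, for offline testing only; not a challenge binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_E_LFANEW, 64)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    # Magic, MajorLinker, MinorLinker, SizeOfCode, SizeOfInitData, SizeOfUninitData, AddressOfEntryPoint, BaseOfCode
    struct.pack_into("<HBBIIIII", opt, 0, 0x10B, 14, 0, len(code), 0, 0, 0x1000, 0x1000)
    section = struct.pack(SECTION_FMT, b".text", len(code), 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(0x200, b"\0") + code.ljust(0x200, b"\0")


if __name__ == "__main__":
    # Four constructed images with distinct timestamps and code bytes.
    images = [PEImage(build_sample_pe(1470000000 + i, bytes((k + i) & 0xFF for k in range(0x40)))) for i in range(4)]
    for img in images:
        print(f"TimeDateStamp={img.timestamp:#x}  BaseOfCode={img.base_of_code:#x}  .text at {img.rva_to_offset(img.base_of_code):#x}")
    print("key.bin would be:", build_xor_key(images).hex())
```

Sorting the real files by `img.timestamp` and feeding them to `build_xor_key` in that order is the obvious experiment, but the thread does not say that is the challenge's rule, so treat it as one hypothesis to verify against the binary.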
kao, posted September 17, 2017: @VirtualPuppet: please do not spoil the fun for others and do not post full solutions. The challenge is still ongoing.
SmilingWolf, posted September 18, 2017: @VirtualPuppet if not removing the whole code (which would still be advisable), at least delete the final flag from the comments, so whoever comes across your post on this public board has to make the minimum effort of finding the right executables...
VirtualPuppet, posted September 18, 2017, replying to SmilingWolf's post above: You cannot edit posts after a certain amount of time has passed.
Rurik, posted September 23, 2017: 11 is starting to hurt. It's hard to know where to start, or to identify what you're actually looking at. It appears to be an 8-bit processor taking a huge list of instructions in semi-sequential order. Feels like an instance of manually tracing 1132 separate loops, but doesn't seem like the VM instance from last year. Is this a wholly new technique? (Edited September 23, 2017 by Rurik)
kao, posted September 23, 2017: @Rurik: it's a simple VM with very trivial commands. Get over it and start tracing. Find where the entered password is stored and how the bytes are used. It's easy from there.
grau, posted September 24, 2017: Getting a "Missing entry: EntryPoint" error for Challenge 6 (package.dll). I am on Windows 8.1 x64.
Rurik, posted September 24, 2017: @grau There are other ways of calling exports instead of using their names...
grau, posted September 24, 2017, replying to Rurik's post above: Thank you. Found it.
Adrian_12, posted September 27, 2017: Can anyone help me with the pewpewboat challenge? I am just a beginner.
akkaldama, posted September 27, 2017: @Adrian_12 Just check how the map for each level is stored in the binary, how to decrypt it, and how to find the ships. Then follow those hints by crystalboy and rurik. Regards, akkaldama
opc0d3, posted September 28, 2017: Guys, what kind of tools did you use to finish a CTF like that? Did anyone use radare2 as a debugger (on Linux)? I'm a noob entering the CTF world, and I saw TONS of tools they used and sometimes I wonder why. I mean, from my point of view we need a disassembler and a debugger with good scripting behind it. Anyway, just a noob question.
kienmanowar, posted September 29, 2017, replying to opc0d3's post above: I think it depends on the target that you work on... But many experts here always use IDA Pro first! Regards,
kimbo, posted October 1, 2017, replying to quend's post of September 17 above: I'm really stuck on 11 too. I tried to trace the stored password bytes, but it seems to be only a constant subtraction? I also tried many byte possibilities but I don't see any readable words.
akkaldama, posted October 2, 2017: Any help on lvl 7? Reached the "follow along" by brute-forcing, got the hex bytes from Kevin by applying the base64-like string as the key, but the hex bytes seem to be garbage. Regards, akkaldama
kao, posted October 2, 2017: @akkaldama: Kevin will gladly RC4-decrypt anything you throw at him. You need to give him the correct encrypted key. The answer you're looking for is not in the PowerShell. @kimbo: there are no readable words. You need to supply the correct flag and then the program will print a good-boy message. 19 hours ago, kimbo said: "it seems only a constant subtraction?" Yes. That's a very special computer with only one instruction. Maybe you can solve it by using a constraint solver, I don't know. For me, the fastest way was pen, paper and a small disassembler/emulator I wrote in C#.
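To make kao's first point concrete, an added example that is not the challenge's code: RC4 is an unauthenticated stream cipher, so decrypting with the wrong key yields bytes that look like garbage and raises no error at all, which is exactly what akkaldama saw. The plaintext and keys below are constructed for the demo. The only signal that a key was right is whether the output makes sense, so a wrong (or wrongly encrypted) key is indistinguishable from a bug in your tooling.

```python
from typing import Iterable, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_text(blob: bytes) -> bool:
    """Crude plausibility check: printable ASCII plus whitespace. RC4 itself gives you nothing better."""
    return all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in blob)


def find_key(ciphertext: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate whose decryption looks like text, or None if none does."""
    for key in candidates:
        if looks_like_text(rc4(key, ciphertext)):
            return key
    return None


if __name__ == "__main__":
    secret = b"follow along: the real key is handed over elsewhere"   # constructed plaintext
    ct = rc4(b"correct-key", secret)
    # A wrong key decrypts "successfully" to noise; nothing tells you it was wrong.
    print("wrong key :", rc4(b"base64-looking-string", ct))
    print("right key :", rc4(b"correct-key", ct))
    print("guessed   :", find_key(ct, [b"base64-looking-string", b"correct-key"]))
```

The practical consequence for this level is the one kao states: work out where the correct encrypted key comes from instead of iterating guesses through Kevin, because RC4 will never refuse a guess.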
satoshi, posted October 3, 2017, replying to kao's post above: I'm also pretty stuck on challenge 7. Is it possible to solve the challenge without using brute-force methods? For example, if I were exclusively relying on disassembly tools?
satoshi, posted October 3, 2017: 1 hour ago, ilya01 said: "Yes, this is possible. Look at the API functions. :)" I'll give those API functions a look then and see if I can get a bit further. Thank you!
Rurik, posted October 3, 2017, replying to satoshi's question above: @satoshi The organizer gave a good hint on Twitter: take a look at the "REST APIs" mentioned above, and the way this program deals with rand().
kimbo, posted October 3, 2017: On 10/2/2017 at 5:52 PM, kao said: "there are no readable words. You need to supply the correct flag and then the program will print a good-boy message." Thanks a lot for the suggestions @kao, hopefully I can continue tracing it and solve the challenge, not sure if I can make it in this short time though. On 10/2/2017 at 5:52 PM, kao said: "For me, the fastest way was pen, paper and a small disassembler/emulator I wrote in C#." Yup, can't deny you are a very good reverser with awesome skill.
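An added example, not kao's C# tool and not the challenge's encoding: a disassembler and tracing emulator for a one-instruction machine, showing how kimbo's "only a constant subtraction" trace and kao's "only one instruction" remark fit together. It assumes the common subleq layout (three words a, b, c per instruction: mem[b] -= mem[a], then jump to c if the result is <= 0, with a negative target meaning halt) over word-sized memory; the challenge's real word size, operand encoding and halt rule are not stated in this thread. The password-check program it runs is constructed inline. The watch list is the part a solver actually wants: it records every instruction that reads or writes the cells holding the input, which is the "find where the password is stored and how the bytes are used" step from kao's earlier hint.

```python
from typing import List, Optional, Tuple

Instr = Tuple[int, int, int, int]   # (pc, a, b, c)


def disassemble(mem: List[int], start: int = 0, count: Optional[int] = None) -> List[str]:
    """Render word triples as subleq text. Data words after the code decode as nonsense, as in any OISC dump."""
    lines = []
    pc = start
    end = len(mem) if count is None else min(len(mem), start + 3 * count)
    while pc + 2 < end:
        a, b, c = mem[pc], mem[pc + 1], mem[pc + 2]
        target = "halt" if c < 0 else f"{c:04d}"
        lines.append(f"{pc:04d}: subleq [{a}], [{b}], {target}")
        pc += 3
    return lines


def run(mem: List[int], watch=(), max_steps: int = 100_000) -> Tuple[List[int], List[Instr]]:
    """Execute until halt. Returns final memory and a trace of every instruction touching a watched cell."""
    mem = list(mem)
    watched = set(watch)
    trace: List[Instr] = []
    pc = 0
    for _ in range(max_steps):
        if pc < 0 or pc + 2 >= len(mem):          # negative jump target or fell off the end: halt
            return mem, trace
        a, b, c = mem[pc], mem[pc + 1], mem[pc + 2]
        if a in watched or b in watched:
            trace.append((pc, a, b, c))
        mem[b] -= mem[a]                          # the one and only operation
        pc = c if mem[b] <= 0 else pc + 3
    raise RuntimeError("step limit hit; probably an infinite loop")


# Data cell addresses for the constructed program (code occupies words 0..41).
IN, K, T, Z, RES, M1 = 42, 43, 44, 45, 46, 47


def build_check_program(secret_byte: int) -> List[int]:
    """Constructed program: RES becomes 1 iff IN == K, using only subtract-and-branch."""
    code = [
        T, T, 3,        # 0000: T = 0
        Z, Z, 6,        # 0003: Z = 0
        IN, Z, 9,       # 0006: Z = -IN
        Z, T, 12,       # 0009: T = IN
        K, T, 18,       # 0012: T = IN - K; to 18 if IN <= K, else fall through to 15
        Z, Z, -1,       # 0015: halt (bad)
        T, T, 21,       # 0018: T = 0
        Z, Z, 24,       # 0021: Z = 0
        K, Z, 27,       # 0024: Z = -K
        Z, T, 30,       # 0027: T = K
        IN, T, 36,      # 0030: T = K - IN; to 36 if K <= IN, else fall through to 33
        Z, Z, -1,       # 0033: halt (bad)
        M1, RES, 39,    # 0036: RES = RES - (-1) = 1 (good)
        Z, Z, -1,       # 0039: halt
    ]
    data = [0, secret_byte, 0, 0, 0, -1]   # IN, K, T, Z, RES, M1
    return code + data


def check(program: List[int], candidate: int) -> Tuple[bool, List[Instr]]:
    """Run the program on one candidate input byte; return (accepted, trace of instructions touching IN)."""
    mem = list(program)
    mem[IN] = candidate
    final, trace = run(mem, watch=(IN,))
    return final[RES] == 1, trace


def recover_byte(program: List[int]) -> Optional[int]:
    """Use the emulator as an oracle: the accepted byte is the one that reaches the good path."""
    for candidate in range(256):
        if check(program, candidate)[0]:
            return candidate
    return None


if __name__ == "__main__":
    prog = build_check_program(0x41)
    print("\n".join(disassemble(prog, 0, 14)))
    ok, trace = check(prog, 0x41)
    print("accepted:", ok, "instructions touching IN:", [t[0] for t in trace])
    print("recovered byte:", hex(recover_byte(prog)))
```

In the real level the check is far longer and the cells are laid out differently, but the workflow is the same: disassemble, find the cells the input lands in, watch them, and read off which constants they are subtracted against along the accepting path.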