Tuts 4 You
rand0m

Flare On 4

quend

@SmilingWolf thanks for offering - I actually figured it out. Initially I was trying to use an instruction count side channel but it won't work for #11 - had to do it the hard way lol

reversing4fun

Can someone help me with level 5? I got the letters, reordered them and did rot13, but I don't know what I should do with the result. Do I need to use it as a key to decrypt something?

Rurik
5 minutes ago, reversing4fun said:

Can someone help me with level 5? I got the letters, reordered them and did rot13, but I don't know what I should do with the result. Do I need to use it as a key to decrypt something?

IIRC, if you check the input bounds, it'll take either a coordinate or a 16-byte string.

reversing4fun

Thanks. I noticed that call before but decided to check it later. Then I forgot it. :/

VirtualPuppet
7 hours ago, grau said:

Got stuck on challenge 4. Can't decrypt with key.bin

If you look at the code, you'll find the initial key (on which an XOR encryption is performed). The key for the XOR encryption is based on the key.bin file. The key.bin file is generated by a function that checks whether the "%USERPROFILE%\flareon2016challenge" folder exists, then iterates over the files in it and compares the timestamp in the Optional Header of each file; based on the timestamp, it reads data at an offset in the file and writes it to the key.bin file. Now, if you download all the files from the 2016 challenge and compare their timestamps (I used CFF Explorer), you will find the necessary files. I wrote this function to parse them and print the flag:

#include <windows.h>
#include <cstring>
#include <functional>
#include <iostream>

// Build with the same bitness as the challenge binaries: LoadLibraryEx maps them
// as images, so a mismatched build cannot load them and IMAGE_NT_HEADERS would not
// describe them correctly.
void flare_on_4()
{
    // Turn BaseOfCode (an RVA) into a pointer into the mapped image
    std::function<const char*(const char*)> get_code_base = [](const char* input) -> const char*
    {
        return input + PIMAGE_NT_HEADERS(input + PIMAGE_DOS_HEADER(input)->e_lfanew)->OptionalHeader.BaseOfCode;
    };

    // Initial key from the binary; XORing it with key.bin yields the flag
    unsigned char key[] =
    {
        0x37, 0xE7, 0xD8, 0xBE, 0x7A, 0x53, 0x30, 0x25,
        0xBB, 0x38, 0x57, 0x26, 0x97, 0x26, 0x6F, 0x50,
        0xF4, 0x75, 0x67, 0xBF, 0xB0, 0xEF, 0xA5, 0x7A,
        0x65, 0xAE, 0xAB, 0x66, 0x73, 0xA0, 0xA3, 0xA1,
        0x00
    };

    unsigned char xor_key[32];
    memset(xor_key, 0, sizeof(xor_key));

    // LoadLibraryExW because the paths are wide literals; DONT_RESOLVE_DLL_REFERENCES
    // maps the files as images without running their entry points.
    const char* input_1 = reinterpret_cast<const char*>(LoadLibraryExW(L"C:\\Users\\Benny\\flareon2016challenge\\1.exe", NULL, DONT_RESOLVE_DLL_REFERENCES));
    const char* input_2 = reinterpret_cast<const char*>(LoadLibraryExW(L"C:\\Users\\Benny\\flareon2016challenge\\2.exe", NULL, DONT_RESOLVE_DLL_REFERENCES));
    const char* input_3 = reinterpret_cast<const char*>(LoadLibraryExW(L"C:\\Users\\Benny\\flareon2016challenge\\3.exe", NULL, DONT_RESOLVE_DLL_REFERENCES));
    const char* input_4 = reinterpret_cast<const char*>(LoadLibraryExW(L"C:\\Users\\Benny\\flareon2016challenge\\4.exe", NULL, DONT_RESOLVE_DLL_REFERENCES));

    // key.bin layout: 8 bytes from each file, read at BaseOfCode + 0x00 / 0x10 / 0x20 / 0x30
    if (input_1)
        memcpy(xor_key, get_code_base(input_1), 8);

    if (input_2)
        memcpy(xor_key + 8, get_code_base(input_2) + 0x10, 8);

    if (input_3)
        memcpy(xor_key + 16, get_code_base(input_3) + 0x20, 8);

    if (input_4)
        memcpy(xor_key + 24, get_code_base(input_4) + 0x30, 8);

    for (int i = 0; i < 32; i++)
        key[i] ^= xor_key[i];

    /* bl457_fr0m_th3_p457@flare-on.com */
    std::cout << key << std::endl;
}

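
The derivation VirtualPuppet describes can also be done from the PE files on disk, without mapping them with LoadLibraryEx, so nothing from that folder is ever loaded into your own process and the build-bitness constraint disappears. The following is an added example, not VirtualPuppet's code and not the challenge's: it parses the COFF header, the optional header and the section table by hand, maps BaseOfCode plus an offset to a file offset, and builds the 32-byte key.bin from whichever files carry a known TimeDateStamp. The timestamps in SLOT_TABLE, the sample files and their code bytes are constructed for the demo; the real values come from the 2016 binaries and from the key.bin generator in the challenge.

```python
import struct

# Added example: derive the challenge-4 style key by parsing PE files on disk
# instead of mapping them with LoadLibraryEx. Only the parsing reflects real PE
# structure; the four "challenge files", their timestamps, the slot table and
# the code bytes are constructed for this demo (not the Flare-On 2016 values).

SECTION_VA, SECTION_RAW = 0x1000, 0x200   # where the constructed .text section lives

def build_pe(timestamp, code):
    """Synthesize a minimal PE32 file: DOS header, COFF header, optional header
    and one .text section whose raw data holds `code`. Constructed input only."""
    e_lfanew = 0x40
    img = bytearray(SECTION_RAW + len(code))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    fh = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, fh, 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    opt = fh + 20
    struct.pack_into("<H", img, opt, 0x10B)              # Magic: PE32
    struct.pack_into("<I", img, opt + 0x14, SECTION_VA)  # BaseOfCode
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".text", len(code), SECTION_VA, len(code), SECTION_RAW)
    img[SECTION_RAW:] = code
    return bytes(img)

def parse_pe(data):
    """Return (TimeDateStamp, BaseOfCode, section table) from raw file bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    base_of_code = struct.unpack_from("<I", data, opt + 0x14)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), va, vsize, rawptr, rawsize))
    return timestamp, base_of_code, sections

def rva_to_file_offset(sections, rva):
    """The mapping the Windows loader does implicitly: RVA -> offset in the file."""
    for _, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def code_bytes(data, delta, length):
    """Read `length` bytes at BaseOfCode + delta straight from the file."""
    _, base_of_code, sections = parse_pe(data)
    off = rva_to_file_offset(sections, base_of_code + delta)
    return data[off:off + length]

# Constructed slot table: TimeDateStamp -> (8-byte slot in key.bin, offset from BaseOfCode).
SLOT_TABLE = {
    0x57A1B2C3: (0, 0x00),
    0x57A1B2C4: (1, 0x10),
    0x57A1B2C5: (2, 0x20),
    0x57A1B2C6: (3, 0x30),
}

def derive_key_bin(files):
    """Mimic the key.bin generator: files with an unknown timestamp are skipped,
    the others contribute 8 code bytes to their slot."""
    key_bin = bytearray(32)
    for data in files:
        timestamp, _, _ = parse_pe(data)
        if timestamp in SLOT_TABLE:
            slot, delta = SLOT_TABLE[timestamp]
            key_bin[8 * slot:8 * slot + 8] = code_bytes(data, delta, 8)
    return bytes(key_bin)

def recover(initial_key, files):
    """XOR the 32-byte initial key from the binary with key.bin."""
    return bytes(a ^ b for a, b in zip(initial_key, derive_key_bin(files)))

# Constructed sample folder: four matching files plus one decoy with a foreign timestamp.
SAMPLE_CODE = [bytes((0x40 * i + k) & 0xFF for k in range(0x40)) for i in range(4)]
SAMPLE_FILES = [build_pe(ts, SAMPLE_CODE[slot]) for ts, (slot, _) in SLOT_TABLE.items()]
SAMPLE_FILES.append(build_pe(0x12345678, b"\xCC" * 0x40))

if __name__ == "__main__":
    print(derive_key_bin(SAMPLE_FILES).hex())
```

Point derive_key_bin at the real files (open(path, "rb").read() for each) once SLOT_TABLE holds the timestamps and offsets recovered from the generator, then XOR with the initial key via recover(). The decoy entry shows why the timestamp check matters: any other file in the folder is simply ignored.
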
kao

@VirtualPuppet: please do not spoil the fun for others and do not post full solutions. The challenge is still ongoing.

SmilingWolf

@VirtualPuppet if not removing the whole code (which would still be advisable) at least delete the final flag from the comments, so whoever comes across your post on this public board has to make the minimum effort of finding the right executables...

VirtualPuppet
Just now, SmilingWolf said:

@VirtualPuppet if not removing the whole code (which would still be advisable) at least delete the final flag from the comments, so whoever comes across your post on this public board has to make the minimum effort of finding the right executables...

You cannot edit posts after a certain amount of time has passed.

Rurik

11 is starting to hurt. It's hard to know where to start, or to identify what you're actually looking at.

Spoiler

Appears like an 8-bit processor taking a huge list of instructions in semi-sequential order. Feels like an instance of manually tracing 1132 separate loops, but doesn't seem like the VM instance from last year. Is this a wholly new technique?

 

kao

@Rurik :

Spoiler

it's a simple VM with very trivial commands. Get over it and start tracing... Find where the entered password is stored and how the bytes are used. It's easy from there.

 

grau

Getting a "Missing entry: EntryPoint" error for Challenge 6 (package.dll). I am on Windows 8.1 x64.

[image: entrypoint.png]

Rurik

@grau There are other ways of calling exports instead of using their names...

grau
40 minutes ago, Rurik said:

@grau There are other ways of calling exports instead of using their names...

Thank you. Found it.

Adrian_12

Can anyone help me with the pewpewboat challenge? I'm just a beginner.

akkaldama

@Adrian_12

Just check how the map for each level is stored in the binary, how to decrypt it, how to find the ships. Then follow those hints by crystalboy and rurik.

Regards,

akkaldama

opc0d3

Guys, what kind of tools did you use to finish a CTF like that?
Did anyone use radare2 as a debugger? (Linux)

I'm a noob entering the CTF world, and I saw TONS of tools they used and sometimes I wonder why.

I mean, from my point of view we need a disassembler and a debugger with good scripting behind it.

Anyway, just a noob question. :)

 

kienmanowar
4 hours ago, opc0d3 said:

Guys, what kind of tools did you use to finish a CTF like that?
Did anyone use radare2 as a debugger? (Linux)

I'm a noob entering the CTF world, and I saw TONS of tools they used and sometimes I wonder why.

I mean, from my point of view we need a disassembler and a debugger with good scripting behind it.

Anyway, just a noob question. :)

I think it depends on the target you are working on... But many experts here always use IDA Pro first!

Regards,

kimbo
On 9/17/2017 at 7:45 PM, quend said:

@SmilingWolf thanks for offering - I actually figured it out. Initially I was trying to use an instruction count side channel but it won't work for #11 - had to do it the hard way lol

I'm really stuck on 11 too. I tried to trace the stored password bytes, but it seems to be only a constant subtraction? I also tried many byte possibilities but I don't see any readable words. :blink:

akkaldama

Any help on lvl 7? I reached the "follow along" by brute-forcing and got the hex bytes from Kevin by applying the base64-like string as the key, but the hex bytes seem to be garbage.

Regards, akkaldama

kao

@akkaldama: Kevin will gladly RC4-decrypt anything you throw at him. You need to give him the correct encrypted key.

Spoiler

The answer you're looking for is not in the powershell.

@kimbo: there are no readable words. You need to supply the correct flag and then the program will print a good boy message.

19 hours ago, kimbo said:

it seems to be only a constant subtraction?

Yes. That's a very special computer with only one instruction. :) Maybe you can solve it by using a constraint solver, I don't know. For me, the fastest way was pen, paper and a small disassembler/emulator I wrote in C#.

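
For kao's and kimbo's exchange about #11: a machine whose only operation is subtract-and-branch is cheap to emulate, and once you can emulate it, the constants being subtracted from the password bytes fall out of the trace. The block below is an added example, not kao's C# tool and not the #11 VM. It assumes subleq semantics (mem[b] -= mem[a]; jump to c if the result is <= 0; a negative target halts), which the thread does not state, and it constructs its own checker program and secret. It also shows quend's instruction-count side channel, which works here only because this demo checker stops at the first wrong byte; quend reports it did not work on the real #11, and then reading the constants out of the disassembly is the fallback.

```python
# Added example (not kao's C# tool, not the #11 binary): a tiny emulator and
# disassembler for a one-instruction machine, plus a constructed "password
# checker" written for it. The instruction is assumed to be subleq
# (mem[b] -= mem[a]; jump to c if the result is <= 0; a negative c halts),
# the classic single-instruction set; the thread only says #11 subtracts.
# SECRET and the program layout below are made up for the demo.

SECRET = b"kao!"   # constructed secret the checker compares the input against

def build_checker(secret):
    """Emit code, then data. For every input byte x and its constant c the
    program tests x <= c and then c <= x, each with freshly zeroed temps; the
    first failed test jumps to FAIL, so the run stops at the first wrong byte."""
    n = len(secret)
    base = 3 * (12 * n + 2)                       # code words before the data cells
    Z, T, U, ONE, RESULT = base, base + 1, base + 2, base + 3, base + 4
    C = [base + 5 + i for i in range(n)]          # the constants being subtracted
    IN = [base + 5 + n + i for i in range(n)]     # where the input bytes are stored
    FAIL = 36 * n + 3
    prog = []

    def emit(a, b, c=None):                       # c=None: fall through to next triple
        prog.extend([a, b, len(prog) + 3 if c is None else c])

    for i in range(n):
        s = 36 * i
        emit(T, T); emit(C[i], T)                 # T = -c
        emit(U, U); emit(IN[i], U)                # U = -x
        emit(U, T, s + 18); emit(Z, Z, FAIL)      # T = x - c; continue iff x <= c
        emit(T, T); emit(IN[i], T)                # T = -x
        emit(U, U); emit(C[i], U)                 # U = -c
        emit(U, T, s + 36); emit(Z, Z, FAIL)      # T = c - x; continue iff c <= x
    emit(ONE, RESULT, -1)                         # OK: RESULT 1 -> 0, then halt
    emit(Z, Z, -1)                                # FAIL: RESULT stays 1, halt
    data = [0, 0, 0, 1, 1] + list(secret) + [0] * n
    names = {Z: "Z", T: "T", U: "U", ONE: "ONE", RESULT: "RESULT"}
    names.update({C[i]: "C%d" % i for i in range(n)})
    names.update({IN[i]: "IN%d" % i for i in range(n)})
    return prog + data, {"IN": IN, "RESULT": RESULT, "code_words": base, "names": names}

def run(mem, max_steps=100_000):
    """Execute until a taken branch targets a negative address. Returns (memory, steps)."""
    mem = list(mem)
    pc = steps = 0
    while pc >= 0:
        if steps >= max_steps:
            raise RuntimeError("no halt within %d steps" % max_steps)
        a, b, c = mem[pc:pc + 3]
        mem[b] -= mem[a]
        steps += 1
        pc = c if mem[b] <= 0 else pc + 3
    return mem, steps

def check(mem, layout, guess):
    """Run the checker on a candidate. Returns (accepted, instructions executed)."""
    mem = list(mem)
    for addr, byte in zip(layout["IN"], guess):
        mem[addr] = byte
    final, steps = run(mem)
    return final[layout["RESULT"]] == 0, steps

def disassemble(mem, layout):
    """One line per triple with the data cells named: the constants show up here."""
    names = layout["names"]
    lines = []
    for pc in range(0, layout["code_words"], 3):
        a, b, c = mem[pc:pc + 3]
        target = "halt" if c < 0 else ("next" if c == pc + 3 else str(c))
        lines.append("%4d: %-6s -= %-6s ; if <= 0 goto %s" % (pc, names.get(b, b), names.get(a, a), target))
    return lines

def solve_by_step_count(mem, layout):
    """quend's idea: because this checker bails at the first bad byte, the number
    of executed instructions grows when a byte is right. Prefer an accepted
    guess, otherwise the longest run, one position at a time."""
    guess = bytearray(len(layout["IN"]))
    for i in range(len(guess)):
        guess[i] = max(range(256), key=lambda v: check(mem, layout, bytes(guess[:i]) + bytes([v])))
    return bytes(guess)

MEM, LAYOUT = build_checker(SECRET)

if __name__ == "__main__":
    print("\n".join(disassemble(MEM, LAYOUT)[:12]))   # the first byte's twelve triples
    print(solve_by_step_count(MEM, LAYOUT))
```

check() returns whether the run accepted the input and how many instructions it executed; disassemble() lists every triple with the data cells named, so the C0..C3 constants sit next to the IN0..IN3 loads and can be read off without running anything, which is the pen-and-paper route kao describes.
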
satoshi
14 hours ago, kao said:

@akkaldama: Kevin will gladly RC4-decrypt anything you throw at him. You need to give him the correct encrypted key.

Spoiler

The answer you're looking for is not in the powershell.

@kimbo: there are no readable words. You need to supply the correct flag and then the program will print a good boy message.

Yes. That's a very special computer with only one instruction. :) Maybe you can solve it by using a constraint solver, I don't know. For me, the fastest way was pen, paper and a small disassembler/emulator I wrote in C#.

I'm also pretty stuck on challenge 7, is it possible to solve the challenge without using brute force methods? For example, if I were exclusively relying on disassembly tools?

ilya01
2 hours ago, satoshi said:

I'm also pretty stuck on challenge 7, is it possible to solve the challenge without using brute force methods? For example, if I were exclusively relying on disassembly tools?

Yes, this is possible.

Look at the API functions. :)

satoshi
1 hour ago, ilya01 said:

Yes, this is possible.

Look at the API functions. :)

I'll give those API functions a look then and see if I can get a bit further. Thank you!

Rurik
10 hours ago, satoshi said:

I'm also pretty stuck on challenge 7, is it possible to solve the challenge without using brute force methods? For example, if I were exclusively relying on disassembly tools?

@satoshi The organizer gave a good hint on Twitter: 

Spoiler

Take a look at the "REST APIs" like mentioned above, and the way this program deals with rand().

 

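
kao's point about Kevin and Rurik's hint about rand(), in an added example that is not the challenge-7 script or binary: RC4 is a keystream XOR with no integrity check, so decryption under a wrong key silently returns random-looking bytes, and the only way to tell the right key from garbage is a plausibility test on the output. To show why a program's handling of rand() matters, the key here is derived from MSVC-style rand() output after srand(seed); that derivation, the seed and the plaintext are constructed for the demo and say nothing about how challenge 7 actually builds its key.

```python
# Added example, not from the thread or the challenge-7 binary: RC4 has no
# integrity check, so (as kao says) any key "decrypts" to something and only a
# plausibility test tells the right key from garbage. The key derivation below,
# 8 bytes pulled from MSVC-style rand() after srand(seed), is a hypothetical
# construction to show why a program's use of rand() matters; the plaintext,
# seed and resulting ciphertext are constructed here.

def rc4(key, data):
    """Plain RC4: KSA, then PRGA XORed over data. The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def looks_like_text(buf, threshold=0.95):
    """Plausibility check: RC4 output under a wrong key is uniformly random bytes,
    so a high share of printable ASCII is strong evidence of the right key."""
    if not buf:
        return False
    printable = sum(1 for b in buf if 0x20 <= b < 0x7F or b in b"\r\n\t")
    return printable / len(buf) >= threshold

def msvc_rand(seed):
    """The LCG behind MSVC's rand(): state = state*214013 + 2531011, output bits 16..30."""
    state = seed & 0xFFFFFFFF
    while True:
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        yield (state >> 16) & 0x7FFF

def key_from_seed(seed, length=8):
    """Hypothetical derivation: the low byte of each rand() call after srand(seed)."""
    gen = msvc_rand(seed)
    return bytes(next(gen) & 0xFF for _ in range(length))

def find_seed(ciphertext, seeds=range(4096)):
    """Enumerate seeds (a real search would cover the plausible srand(time) window),
    decrypt with each derived key and return the first seed whose output is plausible."""
    for seed in seeds:
        if looks_like_text(rc4(key_from_seed(seed), ciphertext)):
            return seed
    return None

# Constructed sample: a known message encrypted under the key derived from seed 1337.
SEED = 1337
PLAINTEXT = b"Constructed plaintext: only the right key turns the bytes into readable text."
CIPHERTEXT = rc4(key_from_seed(SEED), PLAINTEXT)

if __name__ == "__main__":
    print(rc4(b"wrong", CIPHERTEXT))      # garbage, but RC4 returns it without complaint
    seed = find_seed(CIPHERTEXT)
    print(seed, rc4(key_from_seed(seed), CIPHERTEXT))
```

The search space is what makes this tractable: a key that is a function of a small seed is a key you can enumerate, however strong the cipher around it. Swap key_from_seed() for whatever derivation the target really uses and keep looks_like_text() (or a stricter format check) as the oracle.
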
