August 22, 2019
3 minutes ago, ForlaxPy said: is the flarebear apk broken? Or my emulator just sux lol
Your emulator sucks.
August 23, 2019
@Bython
Maybe there's a problem with your decryption logic. In short, bmphide does two things:
1. Encrypts the source file
2. Encodes the encrypted data in the image
Getting past #2 is fairly easy. For #1, I brute-forced the original data rather than trying to write a decryptor.
August 23, 2019
@Bython
Yes, the decoded data is a BMP too. You should also try a different image viewer. Maybe the extra data at the end of the BMP is causing the viewer to fail.
August 23, 2019
@Bython
The standard viewer on Win 7. Didn't need to figure out the size of the BMP; I let it run on the entire data. There are some junk bytes after the end of the decoded BMP, but it does open in the Windows image viewer proper.
August 30, 2019
I'm stuck at the 2nd; I can't find where to check. I can see it always changes the addresses on restart.
August 30, 2019
Author
@nicogalan: that's a Windows security feature called ASLR; you can disable it.
August 30, 2019
11 hours ago, kao said: @nicogalan: that's a Windows security feature called ASLR; you can disable it.
Thanks, is this a part of the challenge?
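On kao's ASLR hint, one per-binary way to "disable it" is to clear the DYNAMIC_BASE bit in the PE optional header's DllCharacteristics, after which the Windows loader maps the image at its preferred ImageBase on every run, so the addresses stop moving between restarts. The script below is an added example, not part of the challenge or of any tool mentioned in this thread; it constructs a minimal PE header in memory so it can be checked offline, and patch_file() is a hypothetical helper name. Caveats: system-wide mandatory ASLR (Exploit Protection) can still force relocation; the CheckSum field is not recomputed, which the loader ignores for ordinary user-mode executables but which matters for drivers and signed images; and you are editing the challenge binary, so work on a copy. Didier Stevens' setdllcharacteristics does the same flag flip if you prefer a ready-made tool.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in flag in the PE optional header
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def build_min_pe(dll_characteristics, pe32plus=False):
    """Construct a minimal, non-loadable PE image (DOS stub, PE signature, COFF header,
    optional header, no sections) so the patcher can be exercised offline. Constructed
    test data, not a real binary."""
    e_lfanew = 0x40
    dos_hdr = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x014C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt_hdr = bytearray(opt_size)
    struct.pack_into("<H", opt_hdr, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt_hdr, 70, dll_characteristics)
    return dos_hdr + b"PE\x00\x00" + coff_hdr + bytes(opt_hdr)


def dll_characteristics_offset(pe):
    """Locate DllCharacteristics: e_lfanew -> 'PE\\0\\0' -> 20-byte COFF header -> optional
    header. The field sits at +70 in both PE32 and PE32+: PE32 has BaseOfData(4)+ImageBase(4)
    where PE32+ has ImageBase(8), so the layouts realign at SectionAlignment."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + 4 + 20
    (magic,) = struct.unpack_from("<H", pe, opt_off)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    return opt_off + 70


def has_dynamic_base(pe):
    """True if the image opts in to ASLR."""
    (flags,) = struct.unpack_from("<H", pe, dll_characteristics_offset(pe))
    return bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def clear_dynamic_base(pe):
    """Return a copy of the image with DYNAMIC_BASE cleared so the loader uses ImageBase."""
    out = bytearray(pe)
    off = dll_characteristics_offset(pe)
    (flags,) = struct.unpack_from("<H", out, off)
    struct.pack_into("<H", out, off, flags & ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return bytes(out)


def patch_file(src, dst):
    """Hypothetical helper: apply clear_dynamic_base() to a file on disk, writing a copy."""
    with open(src, "rb") as f:
        pe = f.read()
    with open(dst, "wb") as f:
        f.write(clear_dynamic_base(pe))


if __name__ == "__main__":
    sample = build_min_pe(0x8140)   # TERMINAL_SERVER_AWARE | NX_COMPAT | DYNAMIC_BASE
    patched = clear_dynamic_base(sample)
    print("DYNAMIC_BASE before:", has_dynamic_base(sample), "after:", has_dynamic_base(patched))
```

Run it against a copy of the challenge with patch_file("ch2.exe", "ch2_noaslr.exe") (file names are placeholders); if has_dynamic_base() is already False the randomisation you see comes from somewhere else, such as mandatory ASLR or the binary relocating itself.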
September 2, 2019
Hi folks, here is what I tried for challenge 5:
Windows 8 64-bit with DirectX 11: I can launch 4k.exe and see the rotating "A", but I get the error message "failure creating process" inside pixwin.exe from the DirectX 9 SDK.
Windows 10 64-bit with DirectX 11: I can launch 4k.exe and see the rotating "A", but I get the error message "failure creating process" inside pixwin.exe from the DirectX 9 SDK.
Windows XP SP3 32-bit with DirectX 9: when I launch 4k.exe I get an error popup, and the same problem as above when launching inside pixwin from the DirectX 9 SDK.
Windows 10 32-bit with DirectX 11: when I launch 4k.exe I get an error popup, and the same problem as above when launching inside pixwin from the DirectX 9 SDK.
I have never done DirectX app analysis and I was wondering if the combinations above that I used are correct. Are there any other better tools to analyze this file? Is the above approach even the right one? Thanks
September 2, 2019
@scorpion77
Worked for me on Windows 7 SP1 32-bit on a VirtualBox VM. Didn't use pixwin however. From the docs of PIX:
Quote: PIX only supports capturing D3D12 content, not D3D11 or 11on12. PIX only supports 64 bit apps (both UWP and Win32). PIX does not support x86 apps.
So it's highly unlikely that it would support a DX9 app, and a 32-bit one at that.
September 2, 2019
Thank you ExtremeCoders. I stopped going down that path after the trials. Using NinjaRipper I have a bunch of "Mesh_XXXX.rip" files, and I am using XnView. But I am just finding my way around in the dark. Never done any kind of DirectX before.
September 2, 2019
And finally the right tools!!! Like someone mentioned on Twitter, the flag was looking straight at me. Thank you folks
September 4, 2019
Any hints for ch #8 (snake)?
I'm having trouble understanding the NES disassembly, although I think the challenge involves disassembling the PPU to understand the key rendering algo.
September 4, 2019
@bandit
It's a typical snake game. The intended way is to play out all the levels unless you figure out some other way. It can be done without understanding the disassembly.
September 5, 2019
On 8/23/2019 at 5:50 PM, Extreme Coders said: @Bython Maybe there's a problem with your decryption logic. In short, bmphide does two things: 1. Encrypts the source file 2. Encodes the encrypted data in the image. Getting past #2 is fairly easy. For #1, I brute-forced the original data rather than trying to write a decryptor.
@Extreme Coders How long did the brute force take you? I encoded my own text into "image.bmp" and I am able to extract the encrypted content and then decrypt it to the original form. Next, when I try to extract the content that is already embedded as part of the challenge and try to decrypt it, the decryption (actually a brute force) goes on, and while inspecting the data I only see gibberish; I don't see the BMP header!! Is this expected?
September 5, 2019
@scorpion77
It didn't go that long. Maybe a minute or so. If you see gibberish it likely means you are not taking into account the "changes" made to the IL at runtime.
September 5, 2019
Author
@scorpion77:
1 hour ago, scorpion77 said: I encoded my own text into "image.bmp" and I am able to extract the encrypted content and then decrypt it to the original form.
Quick test: can you encode 2 different texts into 2 different images and then extract and decrypt them?
I took a different way from ExtremeCoders to solve it. If you're stuck, maybe trying another method will help:
1) Write your own implementation of bmphide. You might need to extract (or bruteforce) some values for that. Or not. Depends on how much you analyzed the IL code.
2) Hide your own payload into your own bitmap twice. Once using the original bmphide, once using your own tool.
3) The images must match. If they don't, you don't really know how bmphide works. Go back and try again.
4) Now you know how the encryption function works. Write the decryption function. There is no bruteforce involved in this step.
5) Big success.
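A concrete illustration of the two-stage structure Extreme Coders describes (encrypt, then encode into the image) and of kao's "write your own tool and compare the images" approach, as an added example that is not bmphide's code and not from anyone in this thread. The page never spells out bmphide's actual bit-encoding or cipher, so the code below assumes a generic LSB scheme (one payload bit per pixel-array byte, with a length prefix) and leaves the encryption stage out. It also shows the header-based size check behind the remarks about junk bytes after the decoded BMP: the file header's declared size tells you where the real image ends. The BMP builder produces a constructed cover image, not a Flare-On artifact.

```python
import struct


def make_bmp(width, height, fill=(0x40, 0x80, 0xC0)):
    """Construct a 24-bit BMP (BITMAPFILEHEADER + BITMAPINFOHEADER) as a cover/test image."""
    row_stride = (width * 3 + 3) & ~3            # each pixel row is padded to a 4-byte boundary
    pixel_bytes = row_stride * height
    file_size = 14 + 40 + pixel_bytes
    file_hdr = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           pixel_bytes, 2835, 2835, 0, 0)
    row = bytes(fill) * width + b"\x00" * (row_stride - width * 3)
    return file_hdr + info_hdr + row * height


def bmp_layout(data):
    """Return (declared file size, offset of the pixel array) from the BMP file header."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP")
    _, file_size, _, _, pix_off = struct.unpack_from("<2sIHHI", data, 0)
    if pix_off >= file_size or file_size > len(data):
        raise ValueError("inconsistent BMP header")
    return file_size, pix_off


def trim_bmp(data):
    """Cut off anything after the BMP's declared size (trailing junk that some viewers choke on)."""
    file_size, _ = bmp_layout(data)
    return data[:file_size]


def embed(cover, payload):
    """Hide payload in the LSB of each pixel-array byte, MSB of every payload byte first.
    A 4-byte little-endian length prefix lets extract() know where the payload ends."""
    _, pix_off = bmp_layout(cover)
    msg = struct.pack("<I", len(payload)) + payload
    if len(msg) * 8 > len(cover) - pix_off:
        raise ValueError("payload does not fit in the pixel array")
    out = bytearray(cover)
    pos = pix_off
    for byte in msg:
        for k in range(7, -1, -1):
            out[pos] = (out[pos] & 0xFE) | ((byte >> k) & 1)
            pos += 1
    return bytes(out)


def extract(stego):
    """Reverse embed(): read the length prefix, then that many bytes from the LSBs."""
    _, pix_off = bmp_layout(stego)

    def read_bytes(count, pos):
        buf = bytearray()
        for _ in range(count):
            value = 0
            for _ in range(8):
                value = (value << 1) | (stego[pos] & 1)
                pos += 1
            buf.append(value)
        return bytes(buf), pos

    prefix, pos = read_bytes(4, pix_off)
    (length,) = struct.unpack("<I", prefix)
    if length * 8 > len(stego) - pos:
        raise ValueError("length prefix exceeds the pixel array")
    body, _ = read_bytes(length, pos)
    return body


def demo():
    """The thread's situation: a small BMP plus a few trailing bytes hidden inside a bigger BMP."""
    cover = make_bmp(64, 64)
    inner = make_bmp(4, 4, fill=(0xFF, 0x00, 0x00))
    junk = b"\x07" * 7                           # stand-in for cipher padding left after decryption
    stego = embed(cover, inner + junk)
    assert len(stego) == len(cover)              # LSB embedding never changes the cover's size
    recovered = extract(stego)
    return trim_bmp(recovered) == inner, recovered


if __name__ == "__main__":
    ok, recovered = demo()
    print("recovered payload matches after trimming junk:", ok)
```

To follow kao's step 3 against the real tool, keep your own reimplementation in place of embed() and compare its output byte for byte with what bmphide writes for the same cover and payload; the first differing offset points at the part of the encoding (or of the runtime-modified IL) you have not understood yet.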
September 10, 2019
Looking for some guidance with vv_max.
So I have gone through the binary and I can see the opcodes being used. I have a few questions. Are the opcodes generally consistent in formatting, i.e. [op] [dest] [src1] [src2]? Also, are those magic values just a red herring? What approach did you guys take to solving it? I am in the process of just using the AVX2 intrinsics in C, but it seems like a lot. Thanks
September 10, 2019
@misanthropik1
Not all opcodes have that format. Converting it to C intrinsics is one way to solve the problem. It may also be possible to identify what's going on just by testing with various inputs and checking what is being compared to what.
September 10, 2019
Author
@misanthropik1:
54 minutes ago, Extreme Coders said: It may also be possible to identify what's going on just by testing with various inputs and checking what is being compared to what.
+1 to that! Or you could even bruteforce the correct answer.
September 11, 2019
@kao:
Is it really worth brute forcing though? (With argv[2] being 0x20 bytes in length?)
September 11, 2019
Author
@bandit
You can bruteforce it a few bytes at a time. So it's actually quite fast.
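Why "a few bytes at a time" turns a 0x20-byte argv[2] from hopeless into seconds: if the check compares the transformed input lane by lane, with no lane depending on another, each lane can be solved on its own, and 2^256 candidates become 16 searches of 2^16. The code below is an added example with a constructed 16-bit-lane transform standing in for the real check; the thread does not describe vv_max's VM and this is not its code, and the SECRET and EXPECTED values are constructed too. The caveat is the assumption itself: if lanes are mixed (shuffles, horizontal adds), the per-lane oracle breaks, and the for/else in bruteforce_lanes() reports that instead of silently returning garbage.

```python
import struct

INPUT_LEN = 0x20            # argv[2] length quoted in the thread
LANE = 2                    # brute-force granularity: bytes recovered per step
LANES = INPUT_LEN // LANE   # 16 independent lanes


def lane_transform(value, idx):
    """Constructed stand-in for what a checker does to one 16-bit lane (not vv_max's real VM):
    an odd multiplier mod 2^16, a lane-dependent add, then an xor. Each step is a bijection,
    so every lane value has exactly one preimage and the search below is exact."""
    return ((value * 0x9E37 + 0x1234 * (idx + 1)) & 0xFFFF) ^ 0xA5A5


def transform(data):
    """Apply lane_transform to all lanes of a 0x20-byte input, SIMD-style: no cross-lane mixing."""
    if len(data) != INPUT_LEN:
        raise ValueError("input must be exactly 0x%x bytes" % INPUT_LEN)
    lanes = struct.unpack("<%dH" % LANES, data)
    return struct.pack("<%dH" % LANES, *(lane_transform(v, i) for i, v in enumerate(lanes)))


SECRET = bytes(range(0x41, 0x41 + INPUT_LEN))   # constructed "correct argv[2]" (32 bytes)
EXPECTED = transform(SECRET)                     # the constant the checker compares against


def check(candidate):
    """The whole-input check as the binary sees it: 2^256 candidates if treated as a black box."""
    return transform(candidate) == EXPECTED


def bruteforce_lanes(expected):
    """Recover the input lane by lane: at most LANES * 2^(8*LANE) trials instead of 2^(8*INPUT_LEN).
    In a real target the per-lane oracle comes from the disassembly, or from watching the
    compare in a debugger; here it is lane_transform itself."""
    recovered = bytearray(INPUT_LEN)
    for i in range(LANES):
        (target,) = struct.unpack_from("<H", expected, i * LANE)
        for v in range(1 << (8 * LANE)):
            if lane_transform(v, i) == target:
                struct.pack_into("<H", recovered, i * LANE, v)
                break
        else:
            raise RuntimeError("lane %d has no preimage; the check is not lane-separable" % i)
    return bytes(recovered)


if __name__ == "__main__":
    found = bruteforce_lanes(EXPECTED)
    print(found, check(found))
```

The same structure carries over when the lanes are 4 or 8 bytes wide: the per-lane search grows to 2^32 or 2^64, so at that point you stop brute-forcing and invert the lane transform algebraically, which is exactly the "write the decryption function" route rather than the "bruteforce" route.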
September 13, 2019
Hey guys, I need some help regarding bmphide.
What I do know is that the code uses hooks and modifies something at runtime. However, I can't seem to be able to debug it to see which function it modifies. The dnSpy debugger fails, and even if I paste all the code manually into VS, I am constantly running into runtime exceptions. Could anyone give me a hint on how to understand/debug/decrypt this whole hooking process? Thanks
September 13, 2019
Hey guys, I'm stuck at the end of challenge 3. I have all the numbers but I can't get it to dance. Can someone explain the method?
September 13, 2019
@SP2EIO
You have to patch the binary to even get it running. Even then, I had to do one portion statically to figure out all of the changes. Then I just wrote a decryptor.
September 13, 2019
@Geordeaux
1 hour ago, Geordeaux said: Hey guys, I'm stuck at the end of challenge 3. I have all the numbers but I can't get it to dance. Can someone explain the method?
If you have the correct values, the values then equate to certain functionality of the application.