Tuts 4 You
NeoNCoding
3 minutes ago, ForlaxPy said:

is the flarebear apk broken? Or my emulator just sux lol

your emulator sucks

Extreme Coders

@Bython

 

Spoiler

Maybe there's a problem with your decryption logic. In short, bmphide does two things:

1. Encrypts the source file
2. Encodes the encrypted data in the image

Getting past #2 is fairly easy.
For #1, I brute-forced the original data rather than trying to write a decryptor.

 

Extreme Coders

@Bython

 

Spoiler

Yes, the decoded data is a bmp too. You should also try a different image viewer. Maybe the extra data at the end of the bmp is causing the viewer to fail.

 

Extreme Coders

@Bython

Spoiler

The standard viewer on Win 7. Didn't need to figure out the size of the bmp. Let it run on the entire data. There are some junk bytes after the end of the decoded bmp but it does open in the Windows image viewer proper.

 

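The trailing-junk situation described above, as an added example that is not from the thread: the BMP file header carries bfSize (bytes 2..5) and bfOffBits (bytes 10..13), so a decoder can cut the bitmap off at bfSize and set the leftover bytes aside for inspection instead of handing them to a viewer that may choke on them. The sample bitmap and the junk bytes are constructed inline; the fallback to the DIB header is an assumption for writers that leave bfSize at 0.

```python
import struct

BITMAPFILEHEADER = "<2sIHHI"   # bfType, bfSize, bfReserved1, bfReserved2, bfOffBits


def build_sample_bmp_with_junk() -> bytes:
    """Constructed sample: a 2x2 24-bit BMP followed by 8 junk bytes."""
    width, height = 2, 2
    row_bytes = (width * 3 + 3) & ~3          # each row padded to a 4-byte boundary
    pixel_bytes = row_bytes * height
    off_bits = 14 + 40                        # file header + BITMAPINFOHEADER
    file_header = struct.pack(BITMAPFILEHEADER, b"BM", off_bits + pixel_bytes, 0, 0, off_bits)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              pixel_bytes, 2835, 2835, 0, 0)
    pixels = bytes(range(pixel_bytes))
    junk = b"\x00" * 5 + b"\xab\xcd\xef"       # trailing bytes a picky viewer may reject
    return file_header + info_header + pixels + junk


def bmp_length(data: bytes) -> int:
    """Length of the BMP at the start of data: bfSize, else derived from the DIB header."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("no BM signature or header too short")
    _, bf_size, _, _, off_bits = struct.unpack_from(BITMAPFILEHEADER, data, 0)
    if 54 <= bf_size <= len(data) and off_bits <= bf_size:
        return bf_size                        # writer filled in bfSize; trust it
    # Some writers leave bfSize at 0 (assumption): derive the size from the DIB header.
    width, height, _, bpp, _, size_image = struct.unpack_from("<iiHHII", data, 18)
    if size_image == 0:                       # uncompressed bitmaps may leave biSizeImage 0
        size_image = ((width * bpp + 31) // 32) * 4 * abs(height)
    end = off_bits + size_image
    if end > len(data):
        raise ValueError("pixel array runs past the end of the data")
    return end


def split_bmp(data: bytes):
    """Return (bitmap, trailing_bytes) so the bitmap can be viewed and the rest inspected."""
    n = bmp_length(data)
    return data[:n], data[n:]


if __name__ == "__main__":
    bmp, rest = split_bmp(build_sample_bmp_with_junk())
    print(len(bmp), "bmp bytes;", rest.hex(), "left over")
```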
nicogalan

I'm stuck at the 2nd :D

can't find where to check, I can see it always changes the addresses on restart :D

 

kao

@nicogalan: that's a Windows security feature called ASLR, you can disable it..

nicogalan
11 hours ago, kao said:

@nicogalan: that's a Windows security feature called ASLR, you can disable it..

Thanks, is this a part of the challenge?

scorpion77

Hi folks, here is what I tried for challenge 5:
  • Windows 8 64 bit with DirectX 11 - I can launch 4k.exe and see the rotating "A" but I get the error message "failure creating process" inside pixwin.exe from the DirectX 9 SDK
  • Windows 10 64 bit with DirectX 11 - I can launch 4k.exe and see the rotating "A" but I get the error message "failure creating process" inside pixwin.exe from the DirectX 9 SDK
  • Windows XP SP3 32 bit with DirectX 9 - When I launch 4k.exe I get an error popup, and the same problem as above when launching inside pixwin from the DirectX 9 SDK
  • Windows 10 32 bit with DirectX 11 - When I launch 4k.exe I get an error popup, and the same problem as above when launching inside pixwin from the DirectX 9 SDK


I have never done directx app analysis and I was wondering if the combination above that I used is correct. Are there any other better tools to analyze this file?
Is the above approach even the right one??

Thanks

 

Extreme Coders

@scorpion77 Worked for me on Windows 7 SP1 32 bit on a VirtualBox VM. Didn't use pixwin however.

From the docs of pix,

Quote
  • PIX only supports capturing D3D12 content, not D3D11 or 11on12.
  • PIX only supports 64 bit apps (both UWP and Win32).  PIX does not support x86 apps.

So it's highly unlikely that it would support a DX9 app, and a 32-bit one at that.

scorpion77

Thank you ExtremeCoders. I stopped going down that path after the trials. Using NinjaRipper I have a bunch of "Mesh_XXXX.rip" files and am using XnView. But I am just finding my way around in the dark. Never done any kind of DirectX before :)

 

scorpion77

And finally the right tools!!! Like someone mentioned on twitter. The flag was looking straight at me :D Thank you folks

 

bandit

Any hints for ch #8 (snake)?

Spoiler

I'm having trouble understanding the NES disassembly. Although I think the challenge involves disassembling the PPU to understand the key rendering algo.

 

Extreme Coders

@bandit

Spoiler

It's a typical snake game. The intended way is to play out all the levels unless you figure out some other way. Can be done without understanding the disassembly.

 

scorpion77
On 8/23/2019 at 5:50 PM, Extreme Coders said:

@Bython

@Extreme Coders


Maybe there's a problem with your decryption logic. In short, bmphide does two things:

1. Encrypts the source file
2. Encodes the encrypted data in the image

Getting past #2 is fairly easy.
For #1, I brute-forced the original data rather than trying to write a decryptor.

 

How long did the brute force take you? I encoded my own text into "image.bmp" and I am able to extract the encrypted content and then decrypt it to the original form. Next, when I try to extract the content that is already embedded as part of the challenge and try to decrypt it, the decryption (actually a brute force) goes on, and while inspecting the data I only see gibberish, I don't see the BMP header!! Is this expected?

Extreme Coders

@scorpion77

Spoiler

Didn't take that long. Maybe a minute or so. If you see gibberish it likely means you are not taking into account the "changes" made to the IL at runtime.

 

kao

@scorpion77

1 hour ago, scorpion77 said:

I encoded my own text into "image.bmp" and I am able to extract the encrypted content and then decrypt it to the original form.

Quick test - can you encode 2 different texts into 2 different images and then extract and decrypt them? 

 

I took a different way from ExtremeCoders to solve it. If you're stuck, maybe trying another method will help:

Spoiler

1) write your own implementation of bmphide. You might need to extract (or bruteforce) some values for that. Or not. Depends on how much you analyzed the IL code.
2) hide your own payload into your own bitmap twice. Once using original bmphide, once using your own tool.
3) the images must match. If they don't, you don't really know how bmphide works. Go back and try again.
4) now you know how encryption function works. Write the decryption function. There is no bruteforce involved in this step.
5) big success.

 

misanthropik1

Looking for some guidance with vv_max. 

Spoiler

So I have gone through the binary and I can see the opcodes being used. I have a few questions. Are the opcodes generally consistent in formatting, i.e. [op] [dest] [src1] [src2]? Also, are those magic values just a red herring? What approach did you guys take to solving it? I am in the process of just using the AVX2 intrinsics in C, but it seems like much.

Thanks

Extreme Coders

@misanthropik1

Spoiler

Not all opcodes have that format. Converting it to C intrinsics is one way to solve the problem. It may also be possible to identify what's going on just by testing with various inputs and checking what is being compared to what.

 

kao

@misanthropik1:

Spoiler

 

54 minutes ago, Extreme Coders said:

It may also be possible to identify what's going on just by testing with various inputs and check what is being compared to what.

+1 to that! :) 

Or you could even bruteforce the correct answer..

bandit

@kao:

Spoiler

Is it really worth brute forcing though? (With argv[2] being 0x20 bytes in length?)

 

kao

@bandit 

Spoiler

you can bruteforce it a few bytes at a time. So it's actually quite fast.

 

SP2EIO

Hey guys, I need some help regarding bmphide.

Spoiler

What I do know is that the code uses hooks and modifies something at runtime. However, I can't seem to be able to debug it to see which function it modifies. The dnSpy debugger fails, and even if I paste all the code manually into VS, I am constantly running into runtime exceptions. Could anyone give me a hint how to understand/debug/decrypt this whole hooking process? Thanks

 

Geordeaux

Hey guys, I'm stuck at the end of challenge 3. I have all the numbers but I can't get it to dance. Can someone explain the method?

misanthropik1

@SP2EIO

Spoiler

You have to patch the binary to even get it running. Even then, I had to do one portion statically to figure out all of the changes. Then I just wrote a decryptor.

 

misanthropik1

@Geordeaux

1 hour ago, Geordeaux said:

Hey guys, I'm stuck at the end of challenge 3. I have all the numbers but I can't get it to dance. Can someone explain the method?

Spoiler

If you have the correct values, the values then equate to certain functionality of the application.

 
