Geordeaux, Posted September 14, 2019
3 hours ago, misanthropik1 said: @Geordeaux If you have the correct values, the values then equate to certain functionality of the application.
Hey thanks! I have got the bear dancing! But there is just one problem... the text flag is so pixelated that I can't read it. Can you recommend the emulator you used? I'm using BlueStacks but it isn't very good.
kao (Author), Posted September 14, 2019
@Geordeaux: Android Studio. It's big (700MB+) and you only need the emulator part - but I don't think you can download that separately.
SP2EIO, Posted September 14, 2019
@misanthropik1
9 hours ago, misanthropik1 said: @SP2EIO You have to patch the binary to even get it running. Even then, I had to do one portion statically to figure out all of the changes. Then I just wrote a decryptor.
Strange, I can run the original exe just fine without patching. It's just that when I copy-paste everything into Visual Studio, I get exceptions, which I'm only able to solve by commenting out the part that writes to memory in the Program.e function. However, if I do this, and I run it with some dummy images, then run the dummies with the original bmphide.exe, I get different results. I have even tried patching the function in ildasm, then reassembling the binary with ilasm, but it still crashes on me.
misanthropik1, Posted September 14, 2019
@SP2EIO
1 hour ago, SP2EIO said: @misanthropik1 Strange, I can run the original exe just fine without patching. It's just that when I copy-paste everything into Visual Studio, I get exceptions, which I'm only able to solve by commenting out the part that writes to memory in the Program.e function. However, if I do this, and I run it with some dummy images, then run the dummies with the original bmphide.exe, I get different results. I have even tried patching the function in ildasm, then reassembling the binary with ilasm, but it still crashes on me.
Sorry, I misspoke. It needs to be patched in order to debug. For .NET I use dnSpy.
Edited September 14, 2019 by misanthropik1: Spelling
_fuso_, Posted September 14, 2019
Hello, can someone give me a hint on the snake task? I grabbed a specific amount of apples and the game resets itself. Can you give me some hint or the tools you used to get the flag? What should I look for? I think I found some code that could be related to the flag (a lot of XORs) but I am blind with this code. No clue how to get to it or what conditions should be fulfilled. Thank you very much for help... I am so tired with this stage..
kao (Author), Posted September 14, 2019
@_fuso_:
1 hour ago, _fuso_ said: I grabbed a specific amount of apples and the game resets itself.
You have to do that X times. Or you can just jump to the right place and avoid playing the game (which is what I did)..
_fuso_, Posted September 14, 2019
1 hour ago, kao said: @_fuso_: You have to do that X times. Or you can just jump to the right place and avoid playing the game (which is what I did)..
@kao: Thank you very much for the hint. It really helped me.
Geordeaux, Posted September 15, 2019
Could someone explain the method for DNSchess? I can't get past the first move. I've tried every possible move but it always resigns, and I can't seem to deduce anything from the pcap.
Extreme Coders, Posted September 15, 2019
@Geordeaux It's a client-server game. You make a move and in response DeepFLARE queries the server to know which move it should make. If it doesn't receive a reply, or if the reply isn't what it expects, it's gonna resign. The pcap contains that traffic.
akkaldama, Posted September 15, 2019
Hi, any pointers for reloaderd? Got the rick-rolled key from the exe; since it is not a valid key, I felt there is something related to exception handling? Also the binary is unable to load in x32dbg. Regards
Extreme Coders, Posted September 15, 2019
@akkaldama If you try loading the binary in Ghidra, as the challenge description says, it would throw an error. The error message is a good hint about what this challenge is about. Alternatively, check what code is executed before main. It does load in x32dbg.
Geordeaux, Posted September 15, 2019
26 minutes ago, Extreme Coders said: @Geordeaux It's a client-server game. You make a move and in response DeepFLARE queries the server to know which move it should make. If it doesn't receive a reply, or if the reply isn't what it expects, it's gonna resign. The pcap contains that traffic.
Okay, so is there a particular tool that I should be using besides Wireshark? And do I actually have to set up the client server? Thanks for getting back to me.
akkaldama, Posted September 15, 2019
@Extreme Coders Will check it, thanks.
@Geordeaux No need to set up a server to solve the challenge. If you actually want to debug it: https://www.tecmint.com/setup-local-dns-using-etc-hosts-file-in-linux/ Regards
Edited September 15, 2019 by akkaldama
Geordeaux, Posted September 15, 2019
1 minute ago, akkaldama said: @Extreme Coders Will check it, thanks. @Geordeaux If you actually want to debug it: https://www.tecmint.com/setup-local-dns-using-etc-hosts-file-in-linux/ Regards
Awesome, thank you, I will have a go!
scorpion77, Posted September 15, 2019
@Geordeaux Study the function getNextMove carefully. From that you will understand what IP addresses are valid for the challenge to generate the key. You don't need DNS for this. I too started off that way, thinking I had to set up DNS and actually play the board, but after understanding getNextMove and using the pcap I could solve this. Cheers
moly, Posted September 15, 2019
On 9/14/2019 at 12:26 PM, misanthropik1 said: @SP2EIO Sorry, I misspoke. It needs to be patched in order to debug. For .NET I use dnSpy.
@misanthropik1 @Extreme Coders Can you share a hint on what needs to be patched in order to be able to debug in dnSpy, please? I figured out statically which functions are interchanged using the checksum, but I'm missing the other modification that uses MetadataToken, already 3 days at the same spot. :(
Extreme Coders, Posted September 15, 2019
@moly Hi, in order to debug in dnSpy you need to remove the compileMethod hook. Removing the hook just involves removing the call to the method which sets up the hook. But before you remove the hook, check what modifications to the IL it wants to do at run-time. Once you make the necessary changes to the IL you can totally remove the hook and save it as a new assembly.
moly, Posted September 15, 2019
1 hour ago, Extreme Coders said: @moly Hi, in order to debug in dnSpy you need to remove the compileMethod hook. Removing the hook just involves removing the call to the method which sets up the hook. But before you remove the hook, check what modifications to the IL it wants to do at run-time. Once you make the necessary changes to the IL you can totally remove the hook and save it as a new assembly.
@Extreme Coders Thank you!
moly, Posted September 15, 2019
On 9/5/2019 at 7:59 AM, Extreme Coders said: @scorpion77 Didn't go that long. Maybe a minute or so. If you see gibberish it likely means you are not taking into account the "changes" made to the IL at runtime.
@Extreme Coders I guess you parallelized the execution, right? Did I extract too much data from the original bmp 🤔
Edited September 15, 2019 by moly: Figured it out
Extreme Coders, Posted September 15, 2019
@moly Nope. Didn't need to parallelize.
16 minutes ago, moly said: Did I extract too much data from the original bmp
Not sure what you mean by that, but as others have said, the best way to test the correctness of your method is to work on your own sample image.
moly, Posted September 15, 2019
26 minutes ago, Extreme Coders said: @moly Nope. Didn't need to parallelize. Not sure what you mean by that, but as others have said, the best way to test the correctness of your method is to work on your own sample image.
Yeah, sorry, I later realized that nothing has to be parallelized. I am just too tired and anxious. Thank you!
scorpion77, Posted September 16, 2019
On 9/5/2019 at 11:29 AM, Extreme Coders said: @scorpion77 Didn't go that long. Maybe a minute or so. If you see gibberish it likely means you are not taking into account the "changes" made to the IL at runtime.
@ExtremeCoders and @kao - Could you please confirm whether the encrypted content that I extracted from the image has the following bytes at the beginning: "68 C3 AE 5D 3C 16 CF 16". It only makes sense to move on to the second stage of decryption if the content I extracted from the pixels is correct!
muppet, Posted September 16, 2019
I'm here for the discussion on bmphide. I feel I understand what is going on. I've extracted the data through my own Python code. I tried to approach the encryption in Python as well, but halfway through the implementation I got wrong results. IL code patching 😕 So I think I found where the patches are being made from, but my experience with .NET tools is lacking. What tool can I use to patch (and immediately decompile to see the change) to see what's going on? I can't even get dnSpy to show me the bytes behind each IL opcode, and even less patch them. I tried changing in a hex editor, but dnSpy then does not reload my changes and I have to delete the binary and reload it, which becomes pretty tedious. Atm I can solve this challenge by using bmphide.exe as the medium for trying out the oracle (subprocess.Popen from Python). But it is too slow to call it about a maximum of 2e6*0xff times. So far using this technique I've solved the first 16 bytes of the original message. But now I want to implement and understand what's going on better. So I want to patch bmphide.exe and decompile the changes. Any tips?
Extreme Coders, Posted September 16, 2019
8 hours ago, scorpion77 said: Could you please confirm whether the encrypted content that I extracted from the image has the following bytes at the beginning: "68 C3 AE 5D 3C 16 CF 16"
@scorpion77 Yes it does.
@muppet The changes made to the IL are to the operands of the instructions (not the opcodes themselves). So you can use "Edit IL Instructions..." to make the necessary changes.
muppet, Posted September 16, 2019
35 minutes ago, Extreme Coders said: @scorpion77 Yes it does. @muppet The changes made to the IL are to the operands of the instructions (not the opcodes themselves). So you can use "Edit IL Instructions..." to make the necessary changes.
@scorpion77 I can also confirm the byte sequence above. I have a 2MB file.
@Extreme Coders Thanks. I believe that the function I am looking at has LDC.I4 (opcode 0x20) and the values for these are being modified. There is also another place that changes addresses of CALL opcodes and patches some constants. So I should be able to change those in IL edit mode? Oh.. Seems I can click the values and change them actually 🙂 I'm also curious about what the 0x68C3AE.... decrypts to. Looking at the output from using bmphide.exe as an oracle, it is nonsense data. Basically I inserted a "Console.WriteLine("{0}", BitConverter.ToString( data2 ));" in Main() to have my input printed out as encrypted data. I then iterate through input data until the output matches the 0x68C3... above. Very slow, but at least I'm getting something that way. But is the data really supposed to be gibberish when I look at what input data generated that ciphertext?
Edited September 16, 2019 by muppet: spoiler
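The operand-only IL rewriting discussed in the last few posts (ldc.i4 values and call tokens changed at run-time, opcodes left alone), as an added example that is my own code and not from this thread or from the challenge binary: a small walker over a hand-constructed IL method body that lists each instruction's operand, applies the kind of operand-only patch a compileMethod hook might do, and reports which operands differ between the static and patched bodies. The opcode subset and the sample body are assumptions; bmphide's real IL and hook are not reproduced here.

```python
import struct

# Assumed subset of ECMA-335 one-byte opcodes: byte -> (mnemonic, operand size).
# ldc.i4 (0x20) carries an int32; call (0x28) carries a 4-byte metadata token.
OPCODES = {
    0x00: ("nop", 0), 0x02: ("ldarg.0", 0), 0x03: ("ldarg.1", 0),
    0x06: ("ldloc.0", 0), 0x07: ("ldloc.1", 0), 0x0A: ("stloc.0", 0),
    0x0B: ("stloc.1", 0), 0x16: ("ldc.i4.0", 0), 0x17: ("ldc.i4.1", 0),
    0x1F: ("ldc.i4.s", 1), 0x20: ("ldc.i4", 4), 0x28: ("call", 4),
    0x2A: ("ret", 0), 0x58: ("add", 0), 0x5A: ("mul", 0), 0x61: ("xor", 0),
    0x69: ("conv.i4", 0), 0xD2: ("conv.u1", 0),
}

def disassemble(il):
    """Return [(offset, mnemonic, operand or None)] for a raw IL body."""
    out, pos = [], 0
    while pos < len(il):
        op = il[pos]
        if op not in OPCODES:
            raise ValueError(f"unsupported opcode 0x{op:02X} at offset {pos}")
        name, size = OPCODES[op]
        operand = None
        if size == 1:
            operand = struct.unpack_from("<b", il, pos + 1)[0]
        elif size == 4:
            fmt = "<I" if name == "call" else "<i"   # token vs signed int32
            operand = struct.unpack_from(fmt, il, pos + 1)[0]
        out.append((pos, name, operand))
        pos += 1 + size
    return out

def patch_operands(il, patches):
    """Apply {instruction offset: new operand} to ldc.i4/call instructions.
    Only operand bytes change; opcode bytes and body length stay the same."""
    buf = bytearray(il)
    for off, name, _ in disassemble(il):
        if off in patches:
            if name not in ("ldc.i4", "call"):
                raise ValueError(f"no 4-byte operand at offset {off}")
            fmt = "<I" if name == "call" else "<i"
            struct.pack_into(fmt, buf, off + 1, patches[off])
    return bytes(buf)

def operand_diff(il_a, il_b):
    """(offset, mnemonic, operand_a, operand_b) for every operand that differs."""
    return [(a[0], a[1], a[2], b[2])
            for a, b in zip(disassemble(il_a), disassemble(il_b)) if a[2] != b[2]]

# Constructed sample body (not from bmphide):
# ldarg.0; ldc.i4 0x1337; xor; ldc.i4.s 7; add; call 0x0A000001; ret
SAMPLE_IL = (bytes([0x02, 0x20]) + struct.pack("<i", 0x1337)
             + bytes([0x61, 0x1F, 0x07, 0x58, 0x28])
             + struct.pack("<I", 0x0A000001) + bytes([0x2A]))
```

Comparing `disassemble()` of the body as stored in the assembly against the body as it looks after the hook has run (for example, dumped from the debugger) gives exactly the operand list that "Edit IL Instructions..." needs.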