Flare On 6

[Geordeaux]

3 hours ago, misanthropik1 said:

@Geordeaux

  Hide contents

If you have the correct values, the values then equate to certain functionality of the application.

 

Hey thanks! I have got the bear dancing! But there is just one problem... the text flag is so pixelation that I cant read it. Can you recommend the emulator you used? I'm using bluestack but it isn't very good

[kao]

@Geordeaux: Android Studio. It's big (700MB+) and you only need the emulator part - but I don't think you can download that separately.

[SP2EIO]

@misanthropik1

9 hours ago, misanthropik1 said:

@SP2EIO

  Reveal hidden contents

You have to patch the binary to even get it running. Even then, I had to do one portion statically to figure our all of the changes. Then I just wrote a decryptor.

 

Strange, i can run the original exe just fine without patching. Its just that when i copypaste everything into visual studio, I get exceptions, which i'm only able to solve by commenting out the part that writes to memory of Program.e function. However if I do this, and I run it with some dummy images, then run the dummys with the original bmphide.exe, I get different results. I have even tried patching the function in ildasm, then reassembling the binary with ilasm, but It still crashes on me.

[misanthropik1]

@SP2EIO

1 hour ago, SP2EIO said:

@misanthropik1

Strange, i can run the original exe just fine without patching. Its just that when i copypaste everything into visual studio, I get exceptions, which i'm only able to solve by commenting out the part that writes to memory of Program.e function. However if I do this, and I run it with some dummy images, then run the dummys with the original bmphide.exe, I get different results. I have even tried patching the function in ildasm, then reassembling the binary with ilasm, but It still crashes on me.

 

Sorry I misspoke. It needs to be patched in order to debug. For .NET I use dnSpy.

Edited September 14, 2019 by misanthropik1
Spelling

[_fuso_]

Hello,

Can someone give me a hints in snake task?

I grabbed specific amount of apples and game resets itself.

Can you give me some hint or tools you used to get the flag?

What should i look for?

I think i found some code that could be related with flag (lot of XOR's) but i am blind with this code. No clue how to get to it or what conditions should be fulfilled.

Thank you very much for help...i am so tired with this stage..

 

[kao]

@_fuso_:

Spoiler

1 hour ago, _fuso_ said:

I grabbed specific amount of apples and game resets itself.

You have to do that X times. Or you can just jump to the right place and avoid playing the game (which is what I did)..

 

 

[_fuso_]

1 hour ago, kao said:

@_fuso_:

  Reveal hidden contents

 

You have to do that X times. Or you can just jump to the right place and avoid playing the game (which is what I did)..

 

 

@kao: Thank you very much for hint. It really helped me.

[Geordeaux]

Could someone explain the method for DNSchess? I cant get past the first move, I've tried every possible move but it always resigns and I cant seem to deduce anything from the pcap

[Extreme Coders]

@Geordeaux

Spoiler

It's a client-server game. You make a move and in response DeepFLARE queries the server to know which move it should make. If it doesn't receive a reply or if the reply isn't what it expects it gonna resign. The pcap contains that traffic,

 

[akkaldama]

Hi,

Any pointers for reloaderd.

Spoiler

Got the rick-rolled key from exe, since it is not a valid key i felt there is something related to exception handling? also the binary is unable to load in 32dbg

Regards

[Extreme Coders]

@akkaldama

Spoiler

If you try loading the binary in Ghidra, as the challenge description says, it would thrown an error. The error message is a good hint about what this challenge is about.
Alternatively check what code is executed before main. It does load in x32dbg.

 

[Geordeaux]

26 minutes ago, Extreme Coders said:

@Geordeaux

  Hide contents

It's a client-server game. You make a move and in response DeepFLARE queries the server to know which move it should make. If it doesn't receive a reply or if the reply isn't what it expects it gonna resign. The pcap contains that traffic,

 

Okay, so is there a particular tool that I should be using besides wire shark? and do I actually have to set up the client server? thanks for getting back to me

[akkaldama]

@Extreme Coders

Will check it, thanks.

 

@Geordeaux

Spoiler

No need to setup server to solve the challenge, If you actually want to debug it, https://www.tecmint.com/setup-local-dns-using-etc-hosts-file-in-linux/

Regards

Edited September 15, 2019 by akkaldama

[Geordeaux]

1 minute ago, akkaldama said:

@Extreme Coders

Will check it, thanks.

 

@Geordeaux

  Hide contents

If you actually want to debug it, https://www.tecmint.com/setup-local-dns-using-etc-hosts-file-in-linux/

Regards

Awesome thank you I will have a go!

[scorpion77]

@Geordeaux

Study the function getNextMove carefully. From that you will understand what IP addresses are valid for the challenge to generate the key. You dont need  DNS for this. I too started off that way thinking I have to setup DNS and actually play the board, but after understading getNextMove and using the pcap I could solve this.Cheers

[moly]

On 9/14/2019 at 12:26 PM, misanthropik1 said:

@SP2EIO

 

Sorry I misspoke. It needs to be patched in order to debug. For .NET I use dnSpy.

 

@misanthropik1 @Extreme Coders Can you share a hint on what needs to be patched in order to be able to debug in dnSpy, please? I figured out statically what functions are interchanged using the checksum, but I'm missing the other modification that uses MetadataToken, alreay 3 days at the same spot. :(

[Extreme Coders]

@moly

Spoiler

Hi, In order to debug in dnSpy you need to remove the compileMethod hook. Removing the hook just involves removing the call to the method which sets up the hook.
But before you remove the hook check what modifications to the IL it wants to do at run-time. Once you make the necessary changes to the IL you can totally remove the hook and save it as a new assembly.

 

[moly]

1 hour ago, Extreme Coders said:

@moly

  Hide contents

Hi, In order to debug in dnSpy you need to remove the compileMethod hook. Removing the hook just involves removing the call to the method which sets up the hook.
But before you remove the hook check what modifications to the IL it wants to do at run-time. Once you make the necessary changes to the IL you can totally remove the hook and save it as a new assembly.

 

@Extreme Coders Thank you!

[moly]

On 9/5/2019 at 7:59 AM, Extreme Coders said:

@scorpion77

  Hide contents

Didn't goes that long. May be a minute or so. If you see gibberish it likely means you are not taking into account the "changes" made to the IL at runtime.

 

@Extreme Coders I guess you parallelized the execution, right? Did I extract too much data from the original bmp 🤔

Edited September 15, 2019 by moly
Figured it out

[Extreme Coders]

@moly Nope. Didn't need to parallelize.

16 minutes ago, moly said:

Did I extract too much data from the original bmp

Not sure what you mean by that but as others have said, the best way to test for correctness of your method work is to work on your own sample image.

[moly]

26 minutes ago, Extreme Coders said:

@moly Nope. Didn't need to parallelize.

Not sure what you mean by that but as others have said, the best way to test for correctness of your method work is to work on your own sample image.

Yeah, sorry, I later realized that nothing has to be parallelized. I am just to tired and anxious. Thank you!

[scorpion77]

On 9/5/2019 at 11:29 AM, Extreme Coders said:

@scorpion77

  Hide contents

Didn't goes that long. May be a minute or so. If you see gibberish it likely means you are not taking into account the "changes" made to the IL at runtime.

 

@ExtremeCoders And @kao - Could you please confirm if the encrypted content that I extracted from the image has the following bytes in the beginning " 68 C3 AE 5D 3C 16 CF 16". It only makes sense to move onto the second stage of decryption  if the content I extracted from the pixels are correct!

[muppet]

I'm here for the discussion on bmphide. I feel I understand what is going on. I've extracted the data through my own python code.

I tried to approach the encryption by python as well but halfways through implementation I got wrong results.

ILCode patching 😕

So I think I found where the patches are being made from but my experience with dotnet tools is lacking.

What tool can I use to patch (and immediately decompile to see the change) to see whats going on ?

I can't even get dnspy to show me the bytes behind each ILCode and even less patch them.

I tried changing in hex editor but dnspy then does not reload my changes and I have to delete the binary and reload it which becomes pretty tedious.

 

Atm I can solve this challenge by using the bmphide.exe as medium for trying out the oracle (subprocess.Popen from python). But it is too slow to call it about a maximum of 2e6*0xff times.

So far using this technique I've solved the first 16 bytes of the original message.

But now I want to implement and understand whats going on better.

So I want to patch bmphide.exe and decompile changes.

Any tips ?

[Extreme Coders]

8 hours ago, scorpion77 said:

Could you please confirm if the encrypted content that I extracted from the image has the following bytes in the beginning " 68 C3 AE 5D 3C 16 CF 16"

@scorpion77 Yes it does.

@muppet

Spoiler

The changes made to the IL are to the operands of the instructions (not the opcodes themselves). So you can use "Edit IL Instructions..." to make the necessary changes.

 

[muppet]

35 minutes ago, Extreme Coders said:

@scorpion77 Yes it does.

@muppet

  Hide contents

The changes made to the IL are to the operands of the instructions (not the opcodes themselves). So you can use "Edit IL Instructions..." to make the necessary changes.

 

@scorpion77

I can also confirm the byte sequence above. I have a 2mb file.

@Extreme Coders

Spoiler

 

Thanks. I believe that the function I am looking at has LDC.I4 (opcode 0x20) and the values for these are being modified.

There is also another place that changes addresses to CALL opcodes and patches some constants.

So I should be able to change those in ILedit mode ?

Oh.. Seems I can click the values and change them actually 🙂

 

I'm also curious about what the 0x68C3AE.... decrypts to. Looking at the output from using bmphide.exe as oracle it is nonsense data.

Basically I inserted a "Console.Writeline("{0}", BitConverter.ToString( data2 ));" in Main() to have my input printed out as encrypted data.

I then iterate through input data until the output matches the 0x68C3... above. Very slow but least I'm getting something that way.

But is the data really supposed to be jibberish when I look at what input data generated that ciphertext ?

 

 

Edited September 16, 2019 by muppet
spoiler