Extreme Coders Posted September 18, 2019 Posted September 18, 2019 (edited) @_fuso_ Spoiler The encryption algorithm used is slightly modified from the standard one, especially the key size. The hint is there to speed up bruteforce, but you can also solve it without the hint (the PNG viewer I used didn't support animated GIFs, which I came to realize only after it was done). Edited September 18, 2019 by Extreme Coders Minor confusion
_fuso_ Posted September 18, 2019 Posted September 18, 2019 (edited) @Extreme Coders Spoiler Can you be more specific? I noticed that there are a few modifications in the encryption, but I thought that I solved them, because without those mods I wouldn't be able to decode the xxxxxxx_0000.gif.mugatu. Do I have to bruteforce the best.gif with the encoder/decoder which I have? Edited September 18, 2019 by _fuso_
Extreme Coders Posted September 18, 2019 Posted September 18, 2019 @_fuso_ Spoiler Yes, you have to bruteforce best.gif with the same decoder as for xxxxxxx_0000.gif.Mugatu
muppet Posted September 19, 2019 Posted September 19, 2019 (edited) I notice that, even though I've turned off ASLR in Windows Defender and have also set the MoveImages DWORD in regedit, Wopr still moves around in memory. While I can work around that, it would be much nicer to have it know its place! How do I really turn off ASLR and make it work? By now I've been through every suggestion I've found and nothing seems to work. EDIT: I guess I could disable the DLL characteristics to opt out of ASLR. But I'm hoping for a way that doesn't have me modify the original EXE. Edited September 19, 2019 by muppet Add extra thought.
Extreme Coders Posted September 19, 2019 Posted September 19, 2019 @muppet Spoiler I don't think you need to disable ASLR for this. It's possible to modify the executed source code in memory such that by itself it prints out all the values you need. But you need to make the modifications at the right time, before it's compiled to bytecode.
muppet Posted September 19, 2019 Posted September 19, 2019 1 minute ago, Extreme Coders said: @muppet Hide contents I don't think you need to disable ASLR for this. It's possible to modify the executed source code in memory such that by itself it prints out all the values you need. But you need to make the modifications at the right time, before it's compiled to bytecode. Spoiler Thanks. Atm I have not found the values yet. But I like to move my comments over to a separate program, as well as my script of breakpoints, which breaks at every startup. I tried patching the .exe to set ASLR as not supported, but it got caught by Wopr and broke. Would be nice if breakpoints could be at the same location at every run so I can be less careful, because restarts are not as costly 🙂
kao Posted September 19, 2019 Author Posted September 19, 2019 @muppet: I don't remember Wopr giving me any grief due to ASLR, so I can't give you a hint specific for it. A few suggestions that are not challenge-specific: 1) VMware has snapshots. Make one when the program loads and if you make a mistake just revert. 2) Depending on the debugger you use.. Olly has a BreakpointManager plugin that keeps breakpoints working even with ASLR.
muppet Posted September 19, 2019 Posted September 19, 2019 1 minute ago, kao said: @muppet: I don't remember Wopr giving me any grief due to ASLR, so I can't give you a hint specific for it. A few suggestions that are not challenge-specific: 1) VMware has snapshots. Make one when the program loads and if you make a mistake just revert. 2) Depending on the debugger you use.. Olly has a BreakpointManager plugin that keeps breakpoints working even with ASLR. Thanks. I'm using snapshots to recover where I left off, but today I accidentally double-clicked when restoring. Apparently the "shutdown" button appears in the same location as start was. So I restored and a moment later I had shut down the machine again, losing my saved progress. And with it every breakpoint I had. I use Hyper-V since it is included in Win10, but I guess it is the same. Or would you be able to give any general opinions on why VMware would be more suitable? Well. I did not checkpoint per se, but I press the save button when I shut down for the night. Which is a one-shot checkpoint, erased when you restore. I use x64dbg. Perhaps it also has an ASLR breakpoint plugin. I'll check it out! Thanks!
kao Posted September 19, 2019 Author Posted September 19, 2019 Well, that hurts.. In VMware there is a difference between "paused the VM" and "made a snapshot". The first one behaves like you described, the second one doesn't. From a quick Google search, it's the same in Hyper-V.. VMware - just a personal preference and X years of daily use at work.. x64dbg should keep breakpoints even when ASLR is at play. Or at least it does in my one tiny unscientific test. Are you sure it's ASLR that's causing the issue?
muppet Posted September 19, 2019 Posted September 19, 2019 27 minutes ago, kao said: Well, that hurts.. In VMware there is a difference between "paused the VM" and "made a snapshot". The first one behaves like you described, the second one doesn't. From a quick Google search, it's the same in Hyper-V.. VMware - just a personal preference and X years of daily use at work.. x64dbg should keep breakpoints even when ASLR is at play. Or at least it does in my one tiny unscientific test. Are you sure it's ASLR that's causing the issue? Yes. Hyper-V also has checkpoints that save memory, unless you toggle the machine to use production checkpoints. So I guess it is the same as VMware. I like how Hyper-V is included already, but I don't like that you can't access random USB devices from inside the VMs. x64dbg perhaps can handle them. But at this point, after a reboot I had in my script "bp addr" where the addr had changed. So I get an error related to the addr being out of bounds and could not set the bp. Luckily it is just the first 2 hex digits that are different, so it can quite easily be changed and the same script applied again. Perhaps I could change addr to be something relative to the base. That would solve everything inside x64dbg. But I find x64dbg a bit lacking in documentation and features. I usually spend hours trying to do something that should be really simple because there is not really support for it. Just yesterday I had to use 2 undocumented commands I found in the source because there was no other way 😕
zerocool Posted September 19, 2019 Posted September 19, 2019 (edited) Can someone help me with the bmphide challenge? Spoiler I want to be able to debug with dnSpy. I understand the JIT is messing up something in the IncrementMaxStack function. I'm not sure what that piece of code is doing, can someone clarify it for me?

    if (flag2) {
        // flag = false so it won't get here
        intPtr2 = Marshal.AllocHGlobal(16);
        ulong* ptr2 = (ulong*)((void*)intPtr2);
        *ptr2 = 18446744073709533256UL;
        ptr2[1] = 10416984890032521215UL;
        A.VirtualProtect(intPtr2, 12u, 64u, out flNewProtect);
        Marshal.WriteIntPtr(intPtr2, 2, val);
    } else {
        // Allocates 8 bytes
        intPtr2 = Marshal.AllocHGlobal(8);
        // Writing 10439625411221520312UL to intPtr2?
        ulong* ptr3 = (ulong*)((void*)intPtr2);
        *ptr3 = 10439625411221520312UL;
        A.VirtualProtect(intPtr2, 7u, 64u, out flNewProtect);
        // Write getJit to intPtr2??
        Marshal.WriteIntPtr(intPtr2, 1, val);
    }

I read the comment of @Extreme Coders about removing the call to compileMethod but I didn't find it :< Edited September 19, 2019 by zerocool
scorpion77 Posted September 19, 2019 Posted September 19, 2019 @zerocool Spoiler Getting the file encoded into image.bmp is straightforward if you read the code that encodes it into the pixels. For the decryption part, if you are able to debug inside dnSpy, first step into all the calls made by "h"; that will surprise you.. Next study "IncrementMaxStack" to see how it affects a certain method call made in "h" and how "g"'s runtime behavior is modified. When you piece these together you have the information to do the decryption or bruteforce.
muppet Posted September 19, 2019 Posted September 19, 2019 23 minutes ago, zerocool said: Can someone help me with the bmphide challenge? Hide contents I want to be able to debug with dnSpy. I understand the JIT is messing up something in the IncrementMaxStack function. I'm not sure what that piece of code is doing, can someone clarify it for me?

    if (flag2) {
        // flag = false so it won't get here
        intPtr2 = Marshal.AllocHGlobal(16);
        ulong* ptr2 = (ulong*)((void*)intPtr2);
        *ptr2 = 18446744073709533256UL;
        ptr2[1] = 10416984890032521215UL;
        A.VirtualProtect(intPtr2, 12u, 64u, out flNewProtect);
        Marshal.WriteIntPtr(intPtr2, 2, val);
    } else {
        // Allocates 8 bytes
        intPtr2 = Marshal.AllocHGlobal(8);
        // Writing 10439625411221520312UL to intPtr2?
        ulong* ptr3 = (ulong*)((void*)intPtr2);
        *ptr3 = 10439625411221520312UL;
        A.VirtualProtect(intPtr2, 7u, 64u, out flNewProtect);
        // Write getJit to intPtr2??
        Marshal.WriteIntPtr(intPtr2, 1, val);
    }

I read the comment of @Extreme Coders about removing the call to compileMethod but I didn't find it :< Spoiler This was some excellent reading on that topic. It was sent to me by @Extreme Coders when I asked that very same question and wanted to know more. https://ubbecode.wordpress.com/2014/05/12/how-does-sjithook-work/ In the end I chose another approach (brute) to solve bmphide because I probably had some rounding error in my Python and couldn't be bothered solving it right now.
muppet Posted September 19, 2019 Posted September 19, 2019 I could use a push in the right direction in Wopr. Spoiler I found where the code is readfromstring() and a couple of steps later inserted into evalcode(). I dumped the string passed into readfromstring() to disk and there is even a long story about a bird knocking on a door. But this is still in binary and I do not know which tool to use to unpack/decompile it. pyi-archive_viewer says it is not an archive. Uncompyle6 says it is not a .pyc file.
zerocool Posted September 19, 2019 Posted September 19, 2019 Thanks @muppet and @scorpion77! Please tell me if I understand the flow right: Spoiler

    A.getJit getJit = (A.getJit)Marshal.GetDelegateForFunctionPointer(A.GetProcAddress(lib, new string((sbyte*)ptr)), typeof(A.getJit));
    IntPtr intPtr = *getJit();
    IntPtr val = *(IntPtr*)((void*)intPtr);

intPtr will contain the pointer to the vtable and val will contain the pointer to the compileMethod

    if (flag2) {
        ....
    } else {
        intPtr2 = Marshal.AllocHGlobal(8);
        ulong* ptr3 = (ulong*)((void*)intPtr2);
        *ptr3 = 10439625411221520312UL;
        A.VirtualProtect(intPtr2, 7u, 64u, out flNewProtect);
        Marshal.WriteIntPtr(intPtr2, 1, val);
    }

after this part the pointer intPtr2 will contain the address of the pCompileMethod

    A.originalDelegate = (A.locateNativeCallingConvention)Marshal.GetDelegateForFunctionPointer(intPtr2, typeof(A.locateNativeCallingConvention));
    A.handler = new A.locateNativeCallingConvention(A.IncrementMaxStack);
    RuntimeHelpers.PrepareDelegate(A.originalDelegate);
    RuntimeHelpers.PrepareDelegate(A.handler);
    A.VirtualProtect(intPtr, (uint)IntPtr.Size, 64u, out flNewProtect);
    Marshal.WriteIntPtr(intPtr, Marshal.GetFunctionPointerForDelegate<A.locateNativeCallingConvention>(A.handler));
    A.VirtualProtect(intPtr, (uint)IntPtr.Size, flNewProtect, out flNewProtect);

and after this part the hook on compileMethod is set and it will call IncrementMaxStack instead. Am I right? Or did I miss something? Thanks
muppet Posted September 19, 2019 Posted September 19, 2019 @zerocool Spoiler It will not call a function "instead". But it will call the hooked function first and then call the original function. Some values are being changed in the IL code before being compiled to native code in the hook.
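To make the two AllocHGlobal branches quoted above concrete, here is an added Python example (not code from the thread or from the challenge) that packs the same ulong constants little-endian, applies the WriteIntPtr patch at the same offsets, and decodes the result as x86 machine code. The compileMethod addresses are constructed placeholders standing in for `val`.

```python
# Added example (not from the thread): decode the two trampoline stubs built in the
# IncrementMaxStack setup code. Each branch writes one or two ulongs little-endian into
# an unmanaged buffer, then Marshal.WriteIntPtr(buf, offset, val) overwrites part of
# them with the saved compileMethod pointer; VirtualProtect(..., 64u) is
# PAGE_EXECUTE_READWRITE, so the buffer becomes a callable thunk.
import struct

STUB32 = [10439625411221520312]                        # else branch, AllocHGlobal(8)
STUB64 = [18446744073709533256, 10416984890032521215]  # if branch, AllocHGlobal(16)

def build_stub(words, offset, target, ptr_size):
    """Mimic the C#: pack ulongs as <Q, then patch `target` in at `offset` (WriteIntPtr)."""
    buf = bytearray(b"".join(struct.pack("<Q", w) for w in words))
    buf[offset:offset + ptr_size] = target.to_bytes(ptr_size, "little")
    return bytes(buf)

def describe(stub):
    """Recognise the x86 'mov reg, imm ; jmp reg' trampoline and pull out its target."""
    # B8 imm32 / FF E0 / 90      -> mov eax, imm32 ; jmp eax ; nop   (32-bit process)
    if stub[0] == 0xB8 and stub[5:7] == b"\xff\xe0":
        return int.from_bytes(stub[1:5], "little"), "mov eax, imm32; jmp eax"
    # 48 B8 imm64 / FF E0 / 90*4 -> mov rax, imm64 ; jmp rax ; nops  (64-bit process)
    if stub[:2] == b"\x48\xb8" and stub[10:12] == b"\xff\xe0":
        return int.from_bytes(stub[2:10], "little"), "mov rax, imm64; jmp rax"
    raise ValueError("not a mov/jmp trampoline: " + stub.hex())

def explain(target32=0x12345678, target64=0x7FFE00001234):
    """Constructed compileMethod addresses stand in for `val`; returns both decodings."""
    s32 = build_stub(STUB32, 1, target32, 4)   # WriteIntPtr(intPtr2, 1, val) on x86
    s64 = build_stub(STUB64, 2, target64, 8)   # WriteIntPtr(intPtr2, 2, val) on x64
    return describe(s32), describe(s64)

if __name__ == "__main__":
    for target, asm in explain():
        print(f"{asm:28s} target=0x{target:x}")
```

So `originalDelegate` is a delegate over a tiny jump-to-original thunk, which is what lets the hook call the real compileMethod after it has edited the IL.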
bandit Posted September 19, 2019 Posted September 19, 2019 @muppet: 5 hours ago, muppet said: I could use a push in the right direction in Wopr. Reveal hidden contents I found where the code is readfromstring() and a couple of steps later inserted into evalcode(). I dumped the string passed into readfromstring() to disk and there is even a long story about a bird knocking on a door. But this is still in binary and I do not know which tool to use to unpack/decompile it. pyi-archive_viewer says it is not an archive. Uncompyle6 says it is not a .pyc file. Spoiler Download python_exe_unpacker from https://github.com/countercept/python-exe-unpacker and run > python_exe_unpack.py wopr.exe From the unpack directory look at "pyiboot02_cleanup". This is a Python bytecode file and can be disassembled using the "dis" library in Python. Analyze the disassembly generated by the dis library. This should take you in the right direction.
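An added Python example of the dis step described above (not code from the thread, the unpacker, or the challenge): files pulled out of a PyInstaller archive are often bare marshal dumps with no .pyc header, so the loader below tells the two apart before handing the code object to dis. It assumes the CPython 3.7+ 16-byte .pyc header layout and uses a constructed sample instead of the challenge file.

```python
# Added example (not from the thread): load an extracted bytecode file, with or without
# a .pyc header, and disassemble it with dis. A header written by a different CPython
# version is reported rather than guessed at, since marshal formats differ per version.
import dis, importlib.util, io, marshal, types

PYC_MAGIC = importlib.util.MAGIC_NUMBER          # magic of the running interpreter
PYC_HEADER = 16                                  # assumption: CPython 3.7+ layout

def classify(blob: bytes) -> str:
    """'pyc' = header from this interpreter, 'foreign-pyc' = header from another
    CPython version, 'raw' = bare marshal dump (what an unpacker usually emits)."""
    if blob[:4] == PYC_MAGIC:
        return "pyc"
    if blob[2:4] == b"\r\n":                     # every CPython magic ends in CR LF
        return "foreign-pyc"
    return "raw"

def load_code(blob: bytes) -> types.CodeType:
    """Return the code object, skipping the header only when this interpreter wrote it."""
    kind = classify(blob)
    if kind == "foreign-pyc":
        raise ValueError("bytecode from another Python version; run it with that version")
    obj = marshal.loads(blob[PYC_HEADER:] if kind == "pyc" else blob)
    if not isinstance(obj, types.CodeType):
        raise ValueError("marshal payload is not a code object")
    return obj

def disassemble(blob: bytes) -> str:
    """dis output as a string; dis.dis recurses into nested code objects (functions)."""
    out = io.StringIO()
    dis.dis(load_code(blob), file=out)
    return out.getvalue()

def sample_blob() -> bytes:
    """Constructed stand-in for an extracted file: a bare marshal dump of a tiny module."""
    code = compile("def f(x):\n    return x ^ 0x2D\n", "<constructed>", "exec")
    return marshal.dumps(code)

if __name__ == "__main__":
    print(classify(sample_blob()))
    print(disassemble(sample_blob()))
```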
ydb Posted September 19, 2019 Posted September 19, 2019 (edited) I'm trying to figure out what the correct getPassword value is on challenge 3. I see that the decryption is based on retrieving the password, and that the f (food), p (play), and c (clean) values are used to determine how many times the password segments are repeated. Any pointers would be awesome. Edited September 19, 2019 by ydb
muppet Posted September 19, 2019 Posted September 19, 2019 @bandit Spoiler That is the file with the bird knocking on a door. I found it as a string and dumped it from memory, but this method was way easier! Is it damaged in some way? Because I can not run uncompyle6 or dis.dis() on it. Well, dis.dis() kind of works but crashes out due to a tuple index out of range error. Uncompyle6 complains about wrong file magic. Do I need to fix up the magic? I tried taking the magic from the other 3 files and inserting it here, but it did not work. The other 3 did uncompyle perfectly though. I've tried another unpacker as well and it gave the same errors on pyiboot02_clean when running dis.dis() on it. So I'm hoping it is at least not an error that only exists for me. I feel like I'm stuck on some non-challenge part again, like extracting the Python files was as easy as downloading a script but I spent so long in x32dbg reversing everything. Is there anything else I should know about this to help out?
muppet Posted September 19, 2019 Posted September 19, 2019 @ydb Spoiler There are more functions that reference f,p,c stats. In the end an excel sheet helps out.
horderxa Posted September 19, 2019 Posted September 19, 2019 (edited) I need some guidance with the #12 challenge: Spoiler So I have these 9 DLL files but I don't know where to start with them. Can anyone give me a little push? I'm really lost. Edited September 19, 2019 by horderxa
muppet Posted September 19, 2019 Posted September 19, 2019 41 minutes ago, muppet said: @bandit Reveal hidden contents That is the file with the bird knocking on a door. I found it as a string and dumped it from memory, but this method was way easier! Is it damaged in some way? Because I can not run uncompyle6 or dis.dis() on it. Well, dis.dis() kind of works but crashes out due to a tuple index out of range error. Uncompyle6 complains about wrong file magic. Do I need to fix up the magic? I tried taking the magic from the other 3 files and inserting it here, but it did not work. The other 3 did uncompyle perfectly though. I've tried another unpacker as well and it gave the same errors on pyiboot02_clean when running dis.dis() on it. So I'm hoping it is at least not an error that only exists for me. I feel like I'm stuck on some non-challenge part again, like extracting the Python files was as easy as downloading a script but I spent so long in x32dbg reversing everything. Is there anything else I should know about this to help out? Nvm. I think I've got it disassembled correctly now. Here starts the challenge.
j0hn19 Posted September 20, 2019 Posted September 20, 2019 (edited) Hi, In the wopr challenge, I got something like Spoiler Array b is known

    x[0] = b[1] ^ b[2] ^ b[5] ^ b[7] ^ b[10] ^ b[11] ^ b[12]
    x[1] = b[1] ^ b[2] ^ b[4] ^ b[6] ^ b[7] ^ b[8] ^ b[14] ^ b[15]
    x[2] = b[0] ^ b[2] ^ b[7] ^ b[8] ^ b[11] ^ b[13] ^ b[14]
    ....

Is there any way to get back the array x? Thank you! Edited September 20, 2019 by j0hn19
misanthropik1 Posted September 20, 2019 Posted September 20, 2019 (edited) @j0hn19 1 hour ago, j0hn19 said: Hi, In the wopr challenge, I got something like Reveal hidden contents Array b is known

    x[0] = b[1] ^ b[2] ^ b[5] ^ b[7] ^ b[10] ^ b[11] ^ b[12]
    x[1] = b[1] ^ b[2] ^ b[4] ^ b[6] ^ b[7] ^ b[8] ^ b[14] ^ b[15]
    x[2] = b[0] ^ b[2] ^ b[7] ^ b[8] ^ b[11] ^ b[13] ^ b[14]
    ....

Is there any way to get back the array x? Thank you! Spoiler You have to solve the system of equations with linear algebra, either by hand or with the help of a tool or library. Edited September 20, 2019 by misanthropik1 Added spoiler 1
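A worked example of the linear-algebra suggestion above, added here rather than taken from the thread or the challenge: Gauss-Jordan elimination over GF(2) for equations of the XOR-of-a-subset shape quoted above, with the unknown bytes on the right-hand side. The four-byte system it solves is constructed for the demo; the real challenge has more unknowns, but the same routine applies.

```python
# Added example (not from the thread): recover unknown bytes x from equations of the
# form target[i] = x[j1] ^ x[j2] ^ ... .  XOR is bitwise, so each bit position is an
# independent linear system over GF(2) with the same 0/1 coefficient matrix; one
# Gauss-Jordan pass using whole-row XORs therefore solves all eight bit-planes at once.
from functools import reduce
from operator import xor
from typing import List, Optional, Sequence

def solve_xor_system(equations: Sequence[Sequence[int]], targets: Sequence[int],
                     n: int) -> Optional[List[int]]:
    """equations[i] = indices of x that XOR to targets[i]. Returns x, or None if the
    system has no unique solution (dependent equations or a contradiction)."""
    # each row: (bitmask of the x indices present, right-hand-side byte)
    rows = [(sum(1 << j for j in eq), t) for eq, t in zip(equations, targets)]
    rank = 0
    for col in range(n):
        piv = next((r for r in range(rank, len(rows)) if rows[r][0] >> col & 1), None)
        if piv is None:
            return None                         # free variable: x[col] undetermined
        rows[rank], rows[piv] = rows[piv], rows[rank]
        pmask, pval = rows[rank]
        for r in range(len(rows)):              # clear this column from every other row
            if r != rank and rows[r][0] >> col & 1:
                rows[r] = (rows[r][0] ^ pmask, rows[r][1] ^ pval)
        rank += 1
    if any(val != 0 for _, val in rows[rank:]): # leftover rows must read 0 = 0
        return None
    return [rows[r][1] for r in range(n)]       # row r now reads x[r] = value

def demo() -> Optional[List[int]]:
    """Constructed system: hide 4 bytes, derive the 4 targets, then solve them back."""
    secret = [0x41, 0x7F, 0x13, 0xC8]
    equations = [[0, 1, 2], [1, 3], [0, 2], [2, 3]]
    targets = [reduce(xor, (secret[j] for j in eq)) for eq in equations]
    return solve_xor_system(equations, targets, len(secret))

if __name__ == "__main__":
    print([hex(v) for v in demo()])
```

If the solver returns None, the matrix is singular and at least one unknown is not pinned down by the equations, which is when a brute force over the remaining free bytes becomes the practical fallback.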