muppet Posted September 20, 2019
Although it is wopr related, this is more of a generic question. I have the following dis.dis() output:

147     128 LOAD_NAME        18 (getattr)
        130 LOAD_NAME        17 (g)
        132 LOAD_NAME        13 (ho)
        134 LOAD_NAME        14 (a)
        136 CALL_FUNCTION     1
        138 CALL_FUNCTION     2
        140 STORE_NAME       19 (aa)

If I understand dis.dis() correctly this means, when I reach 136: getattr( g, ho( a ) )
136 -> Call, argc=1 -> call ho with 1 arg (a)
138 -> Call, argc=2 -> call getattr with 2 args (g, retval from ho(a))
But ho takes a tuple so this is not working. What am I thinking wrong about this?
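As an added example (not part of muppet's post or of the challenge), the bytecode above replayed against a simulated operand stack: CALL_FUNCTION 1 at offset 136 pops only `a` and `ho`, so whatever `a` is bound to (a tuple included) is what `ho` receives, and CALL_FUNCTION 2 then pops `ho(a)`, `g` and `getattr`. The instruction list is transcribed from the post rather than generated with `dis` at run time, since CALL_FUNCTION no longer exists in Python 3.11+; the second list with BUILD_TUPLE is a constructed variant.

```python
# Replay of CPython (<= 3.10) bytecode for the handful of opcodes in the post.
# OPS_FROM_POST is transcribed from the dis.dis() output; the names are the post's.

OPS_FROM_POST = [
    ("LOAD_NAME", "getattr"),
    ("LOAD_NAME", "g"),
    ("LOAD_NAME", "ho"),
    ("LOAD_NAME", "a"),
    ("CALL_FUNCTION", 1),   # offset 136: pops a and ho, pushes ho(a)
    ("CALL_FUNCTION", 2),   # offset 138: pops ho(a), g and getattr
    ("STORE_NAME", "aa"),
]

# Constructed variant (hypothetical names): the tuple is built on the stack first.
OPS_TUPLE_BUILT_INLINE = [
    ("LOAD_NAME", "ho"),
    ("LOAD_NAME", "a"),
    ("LOAD_NAME", "b"),
    ("BUILD_TUPLE", 2),
    ("CALL_FUNCTION", 1),
    ("STORE_NAME", "r"),
]

def replay(instructions):
    """Simulate the operand stack and return the statements the bytecode builds."""
    stack, statements = [], []
    for opname, arg in instructions:
        if opname in ("LOAD_NAME", "LOAD_GLOBAL", "LOAD_FAST"):
            stack.append(arg)
        elif opname == "LOAD_CONST":
            stack.append(repr(arg))
        elif opname == "CALL_FUNCTION":
            # the argc arguments sit on top of the stack, the callable just below them
            args = stack[len(stack) - arg:]
            del stack[len(stack) - arg:]
            func = stack.pop()
            stack.append(f"{func}({', '.join(args)})")
        elif opname == "BUILD_TUPLE":
            items = stack[len(stack) - arg:]
            del stack[len(stack) - arg:]
            stack.append("(" + ", ".join(items) + ("," if len(items) == 1 else "") + ")")
        elif opname in ("STORE_NAME", "STORE_FAST"):
            statements.append(f"{arg} = {stack.pop()}")
        else:
            raise NotImplementedError(opname)
    return statements

if __name__ == "__main__":
    print(replay(OPS_FROM_POST))            # ['aa = getattr(g, ho(a))']
    print(replay(OPS_TUPLE_BUILT_INLINE))   # ['r = ho((a, b))']
```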
SP2EIO Posted September 20, 2019
I also need a little push in the right direction on the wopr challenge. I have managed to convert back the pyboot02_cleanup file to python code (hexediting the first few bytes to be valid, then converting the pyc to py with uncompyle6). There are some weird functions with random names, but the interesting bit is

for i in range(256):
    try:
        print(lzma.decompress(fire(eye(__doc__.encode()), bytes([i]) + BOUNCE)))
    except Exception:
        pass

However the lzma decompression fails every time with "lzma.LZMAError: Input format not supported by decoder". I have saved all 256 results from the fire(eye(__doc__.encode()), bytes([i]) + BOUNCE) function in their own separate files; none seems to be valid LZMA though, and running the file command on them just returns "data". I tried to understand the LZMA file format but information about it is pretty scarce and when I found some, I didn't understand anything from it 😂 What's missing from these files, why aren't they valid?
new_witch Posted September 20, 2019
Hello guys, can you give me a hint on reloadered? I tried to put it in Ghidra like it said and received an exception: Address must be in range 0x00 and 0xFFFFFFFF .... I think it may be related to exception handling but I have not found anything yet.
kao (thread author) Posted September 20, 2019
@xikhud: perhaps the joke was lost in translation... Just don't put it in Ghidra, there are other tools that work properly.
new_witch Posted September 20, 2019
10 minutes ago, kao said:
@xikhud: perhaps the joke was lost in translation... Just don't put it in Ghidra, there are other tools that work properly.
Yes, but I mean, I just tried to put it in Ghidra to see what happens, because I think that is a hint they give to reversers. When I see the "encrypted flag" in IDA, I try to xor its last 13 characters with "@flare-on.com" but I get a non-printable string, so I think I am missing something ~~
Extreme Coders Posted September 20, 2019
@xikhud You need to check the entire stack trace, not just the exception message in Ghidra.
new_witch Posted September 20, 2019
2 minutes ago, Extreme Coders said:
@xikhud You need to check the entire stack trace, not just the exception message in Ghidra.
Thank you, I will have a look!!
Extreme Coders Posted September 20, 2019
@SP2EIO 1 hour ago, SP2EIO said:
However the lzma decompression fails every time with "lzma.LZMAError: Input format not supported by decoder" What's missing from these files, why aren't they valid?
__doc__ is not correct. The correct __doc__ was lost during decompilation.
muppet Posted September 20, 2019
Wopr again 😞 I have managed to extract the file and decompress it. I have done the solver part. I can enter a bytearray of my solved values straight into python to match against h and it is correct after the hashing part. But my solution is not printable, so how can I enter it into the program? 😕 Is there more than one solution to the password in wopr?
kao (thread author) Posted September 20, 2019
@muppet: AFAIK, there's a single solution and it's printable. Perhaps you forgot the other xor?
muppet Posted September 20, 2019 (edited)
@kao Sorry, my browser is messed up; the keyboard is only half working inside it. I have a function that generates h. The function is called... wrong() 😕 So I dunno. Then outside that function is a list of 16 bytes called xor, which is applied on h. Then my input is passed through the long list of b = x1^x2^x....... etc. I have a solution. I've tried with and without the extra xor. I am not getting a printable solution. Can I DM you my solution? I guess you've solved it?
EDIT: Are we talking about the same thing as being printable? I am talking about the launch code, which is not printable. BUT I have been able to patch the .py so that I always set the launch code to my list of solved values. This did unlock the simulation. But my launch code is not printable.
Edited September 20, 2019 by muppet: add extra thought.
Guest remes Posted September 20, 2019 (edited)
Hello, I feel rather stupid already needing a hint at the second level. However, here we are. After disassembling and debugging the binary it appears that the "default" message is read and decoded from the data section of the exe. Two questions: Is there a "quick" way to solve this challenge (i.e. am I missing something obvious)? Did you find the correct decoding path by trial and error or is the decoding scheme something known/popular?
*edit: To be a little more detailed: The function that deals with the decoding (shifting/or/and, etc.) has multiple paths. Currently I am unsure if I am really required to patch the data section to identify the correct pattern. Somehow I think that this might be "too much work" for level 2. Rabbit hole? Thanks
Edited September 20, 2019 by remes
SP2EIO Posted September 20, 2019
31 minutes ago, remes said:
Hello, I feel rather stupid already needing a hint at the second level. However, here we are. After disassembling and debugging the binary it appears that the "default" message is read and decoded from the data section of the exe. Two questions: Is there a "quick" way to solve this challenge (i.e. am I missing something obvious)? Did you find the correct decoding path by trial and error or is the decoding scheme something known/popular? *edit: To be a little more detailed: The function that deals with the decoding (shifting/or/and, etc.) has multiple paths. Currently I am unsure if I am really required to patch the data section to identify the correct pattern. Somehow I think that this might be "too much work" for level 2. Rabbit hole? Thanks
The solution is a one-liner. I was also in the same shoes; I was heavily overthinking it. My suggestion is, since the whole program is like 3 functions: decompile the program, implement it in the language of your choice, and just mess around with the code. The solution will be obvious in like 10 minutes.
Guest remes Posted September 20, 2019
1 minute ago, SP2EIO said:
The solution is a one-liner. I was also in the same shoes; I was heavily overthinking it. My suggestion is, since the whole program is like 3 functions: decompile the program, implement it in the language of your choice, and just mess around with the code. The solution will be obvious in like 10 minutes.
I suspected it to be something like this. Thanks for the hint SP2EIO
j0hn19 Posted September 20, 2019 (edited)
3 hours ago, muppet said:
Wopr again 😞 I have managed to extract the file and decompress it. I have done the solver part. I can enter a bytearray of my solved values straight into python to match against h and it is correct after the hashing part. But my solution is not printable, so how can I enter it into the program? 😕 Is there more than one solution to the password in wopr?
Hi @muppet, I am wondering how you can solve the matrix to get back x => launch_code from b. Could you give me a hint? Pay attention to the `wrong()` method, it will give you a different result when it runs inside an exe wrapper.
Edited September 20, 2019 by j0hn19
j0hn19 Posted September 20, 2019
3 hours ago, remes said:
Hello, I feel rather stupid already needing a hint at the second level. However, here we are. After disassembling and debugging the binary it appears that the "default" message is read and decoded from the data section of the exe. Two questions: Is there a "quick" way to solve this challenge (i.e. am I missing something obvious)? Did you find the correct decoding path by trial and error or is the decoding scheme something known/popular? *edit: To be a little more detailed: The function that deals with the decoding (shifting/or/and, etc.) has multiple paths. Currently I am unsure if I am really required to patch the data section to identify the correct pattern. Somehow I think that this might be "too much work" for level 2. Rabbit hole? Thanks
Hi @remes For your future reference, before reversing anything, you should inspect the exe file first by using PEiD, peview, PE Detective, rabin2, ... With the right tool, you can find what you need in a second.
bandit Posted September 20, 2019 (edited)
@muppet, @j0hn19: 1 hour ago, j0hn19 said:
Hi @muppet, I am wondering how you can solve the matrix to get back x => launch_code from b. Could you give me a hint? Pay attention to the `wrong()` method, it will give you a different result when it runs inside an exe wrapper.
The function wrong() is named to just throw you off. Ignore the name. You need to make sure you have the right values of h calculated by wrong(). In order to find the correct value of "h" from wrong(), analyze what the wrong() function is trying to do. E.g. what is the "trust" variable, what is the "computer" variable, what is the significance of parsing an int/dword value ("=I") from position 60 in "computer", and so on. If you have the correct value of "h" generated from [the "wrong()" function + the extra xor] then use something like z3 to solve the big-a$$ xor equations: https://pypi.org/project/z3-solver/
Edited September 20, 2019 by bandit
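As an added example that is not from bandit's post or from the challenge: the "b = x1 ^ x2 ^ ..." equations muppet and j0hn19 describe are linear over GF(2), so instead of z3 they can be solved with plain Gaussian elimination in pure Python. The secret bytes, the equation set and the variable naming x<i> below are constructed assumptions standing in for the real launch code and the real equation list.

```python
import random
import re

def parse_xor_equation(expr):
    """'x1 ^ x5 ^ x7' -> int bitmask with bits 1, 5, 7 set (variables named x<i>)."""
    mask = 0
    for term in expr.split("^"):
        m = re.fullmatch(r"\s*x(\d+)\s*", term)
        if not m:
            raise ValueError(f"bad term {term!r}")
        mask |= 1 << int(m.group(1))
    return mask

def solve_gf2(masks, rhs, nvars):
    """Gaussian elimination over GF(2). masks[i] says which x bits are XORed in
    equation i, rhs[i] is its observed 0/1 value. Returns the bit list x (free
    variables set to 0) or None if the system is inconsistent."""
    eqs = [(m, v & 1) for m, v in zip(masks, rhs)]
    pivot_row = {}                       # variable index -> row holding its pivot
    r = 0
    for col in range(nvars):
        piv = next((i for i in range(r, len(eqs)) if eqs[i][0] >> col & 1), None)
        if piv is None:
            continue                     # no equation pins this bit: free variable
        eqs[r], eqs[piv] = eqs[piv], eqs[r]
        pm, pv = eqs[r]
        for i in range(len(eqs)):        # clear this column from every other row
            if i != r and eqs[i][0] >> col & 1:
                eqs[i] = (eqs[i][0] ^ pm, eqs[i][1] ^ pv)
        pivot_row[col] = r
        r += 1
    if any(m == 0 and v for m, v in eqs[r:]):
        return None                      # a row reduced to 0 = 1: no solution
    x = [0] * nvars
    for col, i in pivot_row.items():
        x[col] = eqs[i][1]
    return x

def demo_recover_code():
    """Constructed stand-in: a 16-byte secret, 128 XOR equations over its bits,
    then recovery of the secret from the observed b values alone."""
    rng = random.Random(2019)
    secret = bytes(rng.getrandbits(8) for _ in range(16))
    x_int = int.from_bytes(secret, "little")
    # unit lower-triangular masks: full rank, so the solution is unique
    masks = [(1 << i) | (rng.getrandbits(i) if i else 0) for i in range(128)]
    b = [bin(m & x_int).count("1") & 1 for m in masks]   # parity of the selected bits
    bits = solve_gf2(masks, b, 128)
    recovered = sum(bit << i for i, bit in enumerate(bits)).to_bytes(16, "little")
    return recovered == secret
```

For the real system, build each mask with parse_xor_equation from the decompiled b = x1 ^ x2 ^ ... lines and use the corresponding bits of h as rhs; a None result means the h you fed in does not match the equations.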
j0hn19 Posted September 20, 2019
2 minutes ago, bandit said:
@muppet, @j0hn19: The function wrong() is named to just throw you off. Ignore the name. You need to make sure you have the right values of h calculated by wrong(). In order to find the correct value of "h" from wrong(), analyze what the wrong() function is trying to do. E.g. what is the "trust" variable, what is the "computer" variable, what is the significance of parsing an int/dword value ("=I") from position 60 in "computer". If you have the correct value of "h" generated from [the "wrong()" function + the extra xor] then use something like z3 to solve the big-a$$ xor equations: https://pypi.org/project/z3-solver/
Thank you very much @bandit, I'll give it a try.
muppet Posted September 20, 2019
@bandit Thanks. I've been digging into the wrong() information and what it is doing for the past hour. I think I understand what it does. Question is: is there any way to inject Python code into the running script to dump h from there, or would the best approach be to just dump the area being md5summed?
bandit Posted September 21, 2019
@muppet: 6 hours ago, muppet said:
@bandit Thanks. I've been digging into the wrong() information and what it is doing for the past hour. I think I understand what it does. Question is: is there any way to inject Python code into the running script to dump h from there, or would the best approach be to just dump the area being md5summed?
Is the function generating the hash based on the process or the binary (exe)? Also, you won't need to inject anything here. You can create your own function to read it (the binary or process or whatever) to generate the hash yourself. Make sure you generate the hash just like the wrong() function does. For that you need to figure out what the wrong() function does and if there are any tricks involved. E.g. how does the function generate the hash? Is it the whole binary/process or a specific region that is hashed? Is the binary or process (whatever it is) modified before the hash is generated? etc. etc.
adicto Posted September 21, 2019
Challenge 11 got me beat. I can see the jump lists and the encryption part, but have no idea how to reverse the 2nd argument. Can anyone point me in the right direction? Would highly appreciate it. Two more levels, 6 days left. Don't know if I can beat it in time lol
muppet Posted September 21, 2019
OK, wopr is broken. I have injected code into the running program to have it print out the value h that it believes should be the correct one. I take this value and enter it into the solver. The value of h returned does not generate printable input for the solution. Since it is broken anyway I will just post it here. https://imgur.com/a/YRLHXXs I'm thinking there is truth to the rumors that this can't be solved on certain versions of Win. Anyone else had problems with this one?
misanthropik1 Posted September 21, 2019
@muppet 37 minutes ago, muppet said:
OK, wopr is broken. I have injected code into the running program to have it print out the value h that it believes should be the correct one. I take this value and enter it into the solver. The value of h returned does not generate printable input for the solution. Since it is broken anyway I will just post it here. https://imgur.com/a/YRLHXXs I'm thinking there is truth to the rumors that this can't be solved on certain versions of Win. Anyone else had problems with this one?
I solved it using Win10. Try another approach. I used WinDbg to get the correct values.
Extreme Coders Posted September 22, 2019
@muppet I solved it in Windows 7. I don't think using different versions of Windows is the issue here. From your imgur screenshot, you haven't injected code in the correct way. You need to inject code in the original executable, not in the decompiled code. Also, there are other ways to solve it, but I myself have solved it using injection since that was the fastest way.
muppet Posted September 22, 2019
@Extreme Coders But I injected the code into the memory of the running wopr.exe at the time when it was supposed to be calling the real wrong() function. I just replaced the prompt for entering the password with printing the h value instead.