AeroX2 Posted September 26, 2019 (edited)
@Zulu - I don't think you can debug a precompiled Android application (could be wrong), but I don't think that is the correct way of solving the challenge. I personally used https://github.com/rajivvishwa/apk2java to decompile the code. (reread the question) Sometimes I also use APKTool to get the baksmali and modify it from there (it's kind of a pain because you have to understand baksmali and you have to sign the app), but to answer your question, I don't think you can debug it directly.
Spoiler: @noweileen - One of the functions is a string compare, you should be able to see what is returned from your server and what it is expecting. Use a debugger like x32dbg and step through the functions to see what exactly is happening. About the "padding", I don't think there was anything too special about it, just an extra step to throw off people, I guess.
Ch10 ^
Also if anyone has some hints about Challenge 12 - Help, it would be greatly appreciated (been stuck on it for about a week now), there seems to be quite a number of pitfalls and I haven't found a clear path yet.
Edited September 26, 2019 by AeroX2
SP2EIO Posted September 26, 2019
13 hours ago, noweileen said: @SP2EIO wopr https://github.com/Z3Prover/z3
Thank you, I've managed to solve the challenge with it :)
noweileen Posted September 26, 2019
@AeroX2 Challenge 10 - Mugatu
Spoiler: I think I pass the string compare test you're referring to (looks for a specific string xored with 4D), but I think it's writing the second part of the response to the mailslot?
AeroX2 Posted September 26, 2019 (edited)
Challenge 10 - Mugatu
I don't quite remember the full flow of the program, but after that check you should start to see the program scanning the hard drive for something. The mailslot is for interprocess communications, it is for transferring information from one part of a process to another part of the process. So...where else have you seen that mailslot string?
Edited September 26, 2019 by AeroX2
adicto Posted September 27, 2019
On 9/26/2019 at 1:35 PM, AeroX2 said: @Zulu - I don't think you can debug a precompiled Android application (could be wrong), but I don't think that is the correct way of solving the challenge. I personally used https://github.com/rajivvishwa/apk2java to decompile the code. (reread the question) Sometimes I also use APKTool to get the baksmali and modify it from there (it's kind of a pain because you have to understand baksmali and you have to sign the app), but to answer your question, I don't think you can debug it directly. @noweileen - One of the functions is a string compare, you should be able to see what is returned from your server and what it is expecting. Use a debugger like x32dbg and step through the functions to see what exactly is happening. About the "padding", I don't think there was anything too special about it, just an extra step to throw off people, I guess. Ch10 ^ Also if anyone has some hints about Challenge 12 - Help, it would be greatly appreciated (been stuck on it for about a week now), there seems to be quite a number of pitfalls and I haven't found a clear path yet.
That's actually how I did it. I know I made it hard for myself. Had to learn smali. There is a plugin in Android Studio to debug smali code.
muppet Posted October 6, 2019
Any chance that those of you who finished the challenge early on could do a little write-up? I'm continuing the challenge even if it is over and trying to learn. Basically my problem is I'm solving things too slowly. I need to get faster and would very much love to have some tips and advice for how to approach these problems. Today I use x32dbg to breakpoint and step my way through most challenges (also Binary Ninja disassembler), but it is taking too much time. I see on the leaderboard that someone solved the whole challenge in about one day. And some names I recognize from here solved the challenge in about 6-7 days. What tools are you using, and what tips do you have for someone who wants to improve? Thanks! 🙂
kao (Author) Posted October 6, 2019
Write-up of write-ups: https://medium.com/@remco_verhoef/flareon6-write-up-of-write-ups-6ead20914ef0
While I don't agree with the blog author on certain things, it's a good overview of challenges and collection of links to other solutions.
GautamGreat Posted October 6, 2019
18 minutes ago, kao said: Write-up of write-ups: https://medium.com/@remco_verhoef/flareon6-write-up-of-write-ups-6ead20914ef0 While I don't agree with the blog author on certain things, it's a good overview of challenges and collection of links to other solutions.
How did you solve challenge BMP HIDE? I'm always interested in your unique solutions, like last time you solved challenge magic with a C# solver.
kao (Author) Posted October 6, 2019
@GautamGreat: I cannot promise to make full write-ups this year, but if I make some, I'll post a link here.
kao (Author) Posted November 26, 2019
@Washi has finally made his writeups public: https://github.com/Washi1337/ctf-writeups/tree/master/FlareOn/2019/
Some of his solutions make me green with envy. Great job!
Washi Posted November 26, 2019
12 hours ago, kao said: @Washi has finally made his writeups public: https://github.com/Washi1337/ctf-writeups/tree/master/FlareOn/2019/ Some of his solutions make me green with envy. Great job!
Oof, now you're putting the pressure on. I haven't finished all of them yet (9, 10, 12)! I am the one that is green with envy, since you were able to solve the entire thing in just a few days hah, whereas I had insane trouble with the last one. I even gave up for a few weeks, then tried again 3 days prior to the deadline. Oh well, maybe I'll get there quicker as well next year.
Loki Posted November 27, 2019
Enjoyed reading through - thanks for taking the time to document. Always fun to see how people approach the same problem
Kurapica Posted November 27, 2019
@Washi Excellent work, I enjoyed reading your solutions