Jump to content

Flare-On 7


Recommended Posts

  • 2 weeks later...

Yea I did get an e-mail in late November but the tracking code was missing, so I don't even know where it went:

Screenshot_20200813_000249.png.1eed3b1a10b18fef5ad58ed1a1d9b84d.png

Tried already a few times to contact nickharbour but can't seem to get him to read my messages. At this point I don't think I'll ever receive it. Maybe this year I have more luck  😅

  • Like 1
Link to comment
  • 4 weeks later...

After burning hours on challenge #2, does anybody have a hint or can confirm that I am on the right track:

After fixing the binary, it still does not "work". Taking a look at the code hows 3 interesting functions. Stuff is being manipulated by heavy pointer usage? I tried rebuild the relevant code parts but after a few iterations it crashes. Does this sound familiar to anyone or am I completely off track?

w.

Link to comment

scanning the "garbage.exe" file shows it's packed with UPX 3.94, several fields in the "Data directories" have invalid values, and the Import directory is also missing

The Imports are missing from the .rsrc section, you can fix some stuff by hand and manipulate it to force stub to unpack UPX1, but it won't resolve the imports correctly

the dumped section contains several suspicious strings and a "covid19sucks" message, a quick look at the dumped section in IDA shows some xor functions at the main

function, I'm not a big fan of those challenges but I think kao can shed more light since he solved 9 challenges on first day :D

Link to comment

They have considerable skill placing this challenge at times where i absolutely cant spare the time to participate... :D

I just solved the first two though - little hint: Wine seems more allowing with corrupted exe files, it's relatively easy to fix it up to a point where Wine will eat it. ;)

 

Link to comment
Spoiler

1. Used some unpacker tool to unpack this file
2.Used CFF explorer to fix the corrupted pe file
3.Run the exe and get the key

 

Here is how I solved it

 

Edited by akkaldama
Link to comment

Im trying challenge 4. I have a decent idea of how to solve if only I had access to MS Office. But I can't run the scripts due to I lack MS Office.

Any suggestions for other ways of running the scripts ?

 

Link to comment

you may have to wait until the end of the match, no one will be posting info during the match for the sake of honest competition.

you can find several downloads of office on the web if it's needed to solve the challenge

Good Luck

Link to comment

Well. My idea of how to solve was correct. I was just lacking a copy of office. I can't see that as cheating to ask if any alternatives to pirating office exist.

Now I pirated office and I'm on to challenge #5.

Link to comment

Retail copy of MS Office offers a 30 day trial before mandatory activation. That's not piracy. :)

In one of the next challenges, you'll also need pretty new build of Windows 10. Again, there are evaluation copies available.

 

Link to comment

I feel pretty stupid for asking for a hint again. This time, it's ch3. Feel free to DM me if somebody wants to avoid spoilers.

I can control pretty much everything, score, highscore, obstacles, etc. I know how many points I need and I can win the game, winner screen appears but no flag is displayed. So I think there might be more "tamper" protection? Did anybody else have this problem?

Link to comment

Does anyone have any hints for 6/codeit? I deobfuscated the autoit script, but I'm not sure how to get the hash for decryption (or if this is even required)

Edit: Solved 🙂

Edited by noweileen
Link to comment
4 hours ago, kraxgrr said:

So challenge #8 I get CoCreateInstance() fails.

Is this part of the challenge or my setup is bad ?

That's your setup. It should just run cleanly on a standard Windows 10 system.

Link to comment
2 hours ago, Rurik said:

That's your setup. It should just run cleanly on a standard Windows 10 system.

Thanks. I managed to get it working by turning on "virtual machine platform". Only "WSL" was not enough.

Link to comment

Hello,

Can someone give me a little tip for CodeIT. I deobfuscated code and i understand how the app works ( more or less)

Spoiler

 

1. Do i need to focus on bruteforce the hash stuff somehow (search for any weakspot)? I think it is not possible. AES / SHA256 etc inside.

2. Should i focus on the picture stuff and name?

 

Thanks for any help. Cheers.

Edited by ECX
Link to comment
46 minutes ago, ECX said:

Hello,

Can someone give me a little tip for CodeIT. I deobfuscated code and i understand how the app works ( more or less)

  Reveal hidden contents

 

1. Do i need to focus on bruteforce the hash stuff somehow (search for any weakspot)? I think it is not possible. AES / SHA256 etc inside.

2. Should i focus on the picture stuff and name?

 

Thanks for any help. Cheers.

Spoiler

Focus on the function that used the computer name

 

  • Thanks 1
Link to comment
8 hours ago, Futex said:
  Hide contents

Focus on the function that used the computer name

 

Spoiler

 

I work with this task 3-4 days and my brain is going to explode :) I have rewritten the code related with pc-name generation and manipulation. At this moment i would like to try bruteforcing the computer name. Is it good direction?

What i found is : take pcname-> lowercase it->perform manipulation of pcname with picture = output. Take output->sha256. use this sha256 to decrypt data. If contains magic string in front and at the end do manipulation with data in QRCode data-> Convert QR to Bitmap. Probably after that manipulation there will be encoded flag in the QRCode bitmap.

ps. Is it possible to get PCname from the picture? (like reverse it )

 

Can you give me more tips. Thank you. 

 

Link to comment

don't brute-force it, and forget about the crypto function, it's all in the function which does the shifting

A pseudo code would look like


 

Local $flxmdchrqd = DllStructCreate("struct;byte[54];byte[" & $flvburiuyd - 54 & "];endstruct", DllStructGetPtr($flnfufvect))

Local $Counter = 1

;first Loop >>

For $dummy = 1 To DllStructGetSize($lowerCompName)

    Local $flydtvgpnc = 0

    ;second loop

    For $LoopCounter = 6 To 0 Step -1

        $flydtvgpnc += BitShift(BitAND(Number(DllStructGetData($flxmdchrqd, 2, $Counter)), 1), -1 * $LoopCounter)
        
        $Counter += 1

    Next

    ConsoleWrite("ASCII >> " & $flydtvgpnc & @CRLF)

Next

 

Watch for that ASCII value

 

 

 

Edited by Kurapica
  • Thanks 1
Link to comment

So anyway. #9. Crackstaller. I hate it. 😞

I have found an entry for a certain CLSID that contains an empty entry for FLAG and PASSWORD.

I've extracted several files.

Reversing around these functions I found that the only place this is written is where they are actually set to NULL so there is nothing to get.

Yet I see people announcing they have passed it.

Any hint for what I should look for or do next ?

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...