predat0r Posted October 6, 2022 On 10/3/2022 at 2:30 PM, Aeri said: Patching may not be the right approach. Bruteforcing is definitively not the right approach. Maybe what you've patched is acting as a way to check if the password is correct ... Take the time to understand what you've patched. It's here for a reason. The bcrypt function is hashing. So how are we supposed to get the password? I see that the characters input as the password in the command line args are added to the stored value that starts with P^^. The salt is there. But I couldn't get anywhere else.
deepzero Posted October 6, 2022 @loossy focus on the first communication. The challenge can be solved offline.
w00she Posted October 6, 2022 3 hours ago, predat0r said: The bcrypt function is hashing. So how are we supposed to get the password? I see that the characters input as the password in the command line args are added to the stored value that starts with P^^. The salt is there. But I couldn't get anywhere else. I'm looking at challenge 4 too. I didn't know how to solve challenge 3 because I was just trying to get the flag without understanding ... but once you 'relax' and take time, you'll be able to make progress. I know it's boring to proceed step by step but this is the way.. so tomorrow maybe I'll see what I can do because I am tired now and can't focus :p Good luck
predat0r Posted October 6, 2022 1 hour ago, w00she said: I'm looking at challenge 4 too. I didn't know how to solve challenge 3 because I was just trying to get the flag without understanding ... but once you 'relax' and take time, you'll be able to make progress. I know it's boring to proceed step by step but this is the way.. so tomorrow maybe I'll see what I can do because I am tired now and can't focus 😛 Good luck Yes, I did it already.
btmc Posted October 7, 2022 (edited) Is anyone willing to offer some guidance for challenge 8? I've figured out how to decrypt the flared_* functions but I don't know how to resolve the tokens. When I try to extract the flared_* bytecode dynamically, all the tokens are wrong... Edited October 8, 2022 by btmc
Rurik Posted October 8, 2022 (edited) [Edit] Removing post. Challenge 5 is very straightforward and I struggled with one aspect. But it was all because I kept confusing the conversion of the data. Py3 makes that a PITA. Edited October 8, 2022 by Rurik
er3zoid Posted October 8, 2022 (edited) . Edited October 11, 2022 by er3zoid solved
Rishi Posted October 9, 2022 (edited) Please help with challenge 5, I have been struggling for many hours; below are the steps I did. 1. Patched the initial time, to make the executable work for communication. 2. Created a fake C2 and sent the response which I got from the shared pcap file. 3. I even changed the request as well, just to simulate that the request and response are accurate as shown in the pcap. The executable is not decrypting the data and on the 2nd communication the application crashes. Edited October 9, 2022 by Rishi
kao Posted October 9, 2022 @Rishi: could you please use spoiler tags? 1 hour ago, Rishi said: I even changed the request as well Do you know why your request was not matching the pcap?
Rishi Posted October 9, 2022 3 hours ago, kao said: @Rishi: could you please use spoiler tags? Do you know why your request was not matching the pcap? No, trying to figure it out using Ghidra, however it seems like I'm lost.
adicto Posted October 9, 2022 For challenge 8: do we have to do something else for the decrypted functions? For example, in flared_38, one of the instructions is like this: FLARE02.flare_03((string)/*Error near IL_0037: Stack underflow*/) which doesn't make sense and will error out. Looks like it's trying to cast something into a string but the actual variable is lost.
cybercat Posted October 9, 2022 Hello everyone, I am stuck with CH7. Can someone point me in the right direction... is something wrong with my setup? I have a script, but it does not work correctly... I have problems with the BigInts. Do I need to have a specific version or setting to be able to debug it correctly? What tool do you use? My problem is that the code does not loop inside main because of problems with integers. I mean those messages. Thank you for suggestions.
kao Posted October 9, 2022 @adicto: that most likely means you did not decrypt the function correctly.
bucketsort Posted October 9, 2022 Any hint on how to get the DynamicMethods in ch8 dumped in a way that they can be disassembled/decompiled? There are so many tools out there, but nothing seems to fit the bill.
adicto Posted October 10, 2022 10 hours ago, kao said: @adicto: that most likely means you did not decrypt the function correctly. @kao I didn't actually decrypt but got it from the setcode bytes, would that give me the wrong bytes?
Pon Posted October 10, 2022 @Rishi I have a question about challenge 5. How did you patch the initial time to the correct time? (I can patch it to skip stuff but the decryption won't work.) I've managed to find the minutes & milliseconds & seconds for the rand seed, but not the specific date needed to stop the sleep. Tried to reproduce the code using Python but it doesn't seem to work.
kao Posted October 11, 2022 (edited) @Pon: see https://forum.tuts4you.com/topic/43724-flare-on-9/?do=findComment&comment=213123 Edited October 11, 2022 by kao
Canlex Posted October 11, 2022 (edited) . Edited October 11, 2022 by Canlex remove
er3zoid Posted October 11, 2022 Would anyone be kind enough to suggest tools to translate raw bytes to IL code for ch8? I've looked into Mono.Cecil but it requires a lot of other stuff on top of the actual bytes that I think I don't have access to.
loossy Posted October 12, 2022 I have a question about ch07. I figured out how the switch statement of the JavaScript is executed. However, there are too many formulas and the amount of change in the values is not constant. It seems like it would take too much time to implement the code as it is. Is there any way to efficiently analyze or reduce these formulas? Are there any websites I can refer to?
cybercat Posted October 12, 2022 About CH7... Guys, can you tell me if Z3 is a good direction to solve this task?
Extreme Coders Posted October 12, 2022 (edited) 27 minutes ago, loossy said: I have a question about ch07. Once you unflatten the execution flow (i.e. remove the switch case) you would be left only with the calculations in a linear form in the proper order. Plus, for easier analysis you can always inject your own JS to be run in the context of the provided node runtime to get the above execution order. @er3zoid There's AsmResolver and dnlib, but reading a disassembly of raw CIL bytes won't make much sense without resolving the token references. For a manual approach you can always use dnSpy to construct a method out of the IL bytes and disassemble/decompile in place. Edited October 12, 2022 by Extreme Coders
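One way to act on the unflattening hint above, as an added example that is not code from the thread or from the challenge: a constructed switch-dispatched function is run once with a trace hook (standing in for JS injected into the node runtime), the recorded dispatcher states give the execution order, and the case bodies are re-emitted as straight-line code. The CASES table, the state formulas and the input value are all constructed for this example.

```javascript
// Added example, not code from the thread or from the challenge: a constructed
// switch-dispatched ("flattened") function, an instrumented run that records
// the dispatcher states in execution order, and a re-emission of the case
// bodies as straight-line code. CASES, the state formulas and the input are
// constructed here.

// Each case body as source text, so the recovered order can be emitted linearly.
const CASES = {
  0x1f: 'x = (x + 3) & 0xffff;',
  0x11: 'x = x * 7;',
  0x2c: 'x = x ^ 0x55;',
  0x3a: 'x = x >>> 1;',
};

// The flattened function: every case computes the next state with a different
// formula, so the real statement order cannot be read off the source.
function flattened(x, trace = null) {
  let s = 0x1f;
  for (;;) {
    if (trace) trace.push(s);                  // instrumentation hook
    switch (s) {
      case 0x1f: x = (x + 3) & 0xffff; s ^= 0x0e;      break; // -> 0x11
      case 0x11: x = x * 7;            s = s * 2 + 10; break; // -> 0x2c
      case 0x2c: x = x ^ 0x55;         s ^= 0x16;      break; // -> 0x3a
      case 0x3a: x = x >>> 1;          s = -1;         break; // -> exit
      default:   return x;                               // terminal state
    }
  }
}

// Replay the recorded states (skipping the terminal sentinel, which has no
// body) and emit the bodies in that order as a linear function body.
function unflatten(trace) {
  const lines = trace.filter((s) => s in CASES).map((s) => CASES[s]);
  return lines.join('\n') + '\nreturn x;';
}

// Drive one traced run, rebuild the linear form and check it agrees.
function recover(x0) {
  const trace = [];
  const expected = flattened(x0, trace);
  const src = unflatten(trace);
  const linear = new Function('x', src);       // compile the recovered body
  return { trace, src, matches: linear(x0) === expected };
}

console.log(recover(1000).src);                // the four statements, in order
```

With a real sample the CASES table is filled from the switch bodies and the trace comes from the injected hook; the replay step is the same.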
AeroX2 Posted October 12, 2022 Also working on ch8 and would appreciate any assistance. I've decoded a bunch of the flare_* functions and I'm following the execution of the program but I haven't found the network functions and I'm getting really lost and I think I need a slight hint.