On 10/3/2022 at 2:30 PM, Aeri said:

Patching may not be the right approach. Bruteforcing is definitely not the right approach. Maybe what you've patched is acting as a way to check if the password is correct ... Take the time to understand what you've patched. It's here for a reason.

 

The bcrypt function is hashing. So how are we supposed to get the password? I see that the characters inputted as the password in the command line args are added to the stored value that starts with P^^. The salt is there. But I couldn't get anywhere else.

  • Replies 117
  • Views 36.7k

Most Popular Posts

  • Some of my more silly ones. I felt bad about 10 and 11, and then realized everyone else did shortcuts as well https://www.ghettoforensics.com/2022/11/flare-on-9-worst-writeups.html

  • I just pushed my own writeups: https://washi1337.github.io/ctf-writeups/writeups/flare-on/2022/ Challenge 1-9 should be all complete. I haven't done writeups for challenge 10 and 11 yet, as I do

  • Just for fun, check out my exotic solution for #5 in form of a superhacky bruteforce script ... cuts down required reversing to a minimum. runtime is about 30 min ... import ida_dbg, ida_byte

@loossy focus on the first communication. The challenge can be solved offline.

3 hours ago, predat0r said:

The bcrypt function is hashing. So how are we supposed to get the password? I see that the characters inputted as the password in the command line args are added to the stored value that starts with P^^. The salt is there. But I couldn't get anywhere else.

I'm looking at challenge 4 too. I didn't know how to solve challenge 3 because I was just trying to get the flag without understanding ... but once you 'relax' and take time, you'll be able to make progress. I know it's boring to proceed step by step but this is the way. So tomorrow maybe I'll see what I can do, because I am tired now and can't focus :p
Good Luck

1 hour ago, w00she said:

I'm looking at challenge 4 too. I didn't know how to solve challenge 3 because I was just trying to get the flag without understanding ... but once you 'relax' and take time, you'll be able to make progress. I know it's boring to proceed step by step but this is the way. So tomorrow maybe I'll see what I can do, because I am tired now and can't focus 😛
Good Luck

Yes, I did it already :)

Is anyone willing to offer some guidance for challenge 8?

Spoiler

I've figured out how to decrypt the flared_* functions but I don't know how to resolve the tokens. When I try to extract the flared_* bytecode dynamically all the tokens are wrong...

 

Edited by btmc

[Edit] Removing post.

Challenge 5 is very straight forward and I struggled with one aspect. But it was all because I kept confusing the conversion of the data. Py3 makes that a PITA :)

Edited by Rurik

.

Edited by er3zoid
solved

Please help with challenge 5, I have been struggling for many hours; below are the steps I did.

Spoiler

1. Patched the initial time, to make the executable work for communication.

2. Created a fake C2 and sent the response which I got from the shared pcap file.

3. I even changed the request too, just to simulate that the request and response are accurate as shown in the pcap.

The executable is not decrypting the data :( and on the 2nd communication the application crashes.

 

Edited by Rishi

@Rishi: could you please use spoiler tags? :)

Spoiler


1 hour ago, Rishi said:

even i changed the request also

Do you know why your request was not matching the pcap? 

 

3 hours ago, kao said:

@Rishi: could you please use spoiler tags? :)


Do you know why your request was not matching the pcap?


No, trying to figure it out using Ghidra, however I seem lost.

For challenge 8

Spoiler

Do we have to do something else for the decrypted functions?
For example, in flared_38, one of the instructions is like this:

FLARE02.flare_03((string)/*Error near IL_0037: Stack underflow*/)

which doesn't make sense and will error out. It looks like it's trying to cast something into a string but the actual variable is lost.

 

Hello everyone,

I am stuck with CH7.

Can someone point me in right direction... is something wrong with my setup?

Spoiler

I have a script, but it does not work correctly... I have problems with the BigInts. Do I need to have a specific version or setting to be able to debug it correctly?

What tool do you use? My problem is that the code does not loop inside main because of problems with the integers. I mean those messages.

Thank you for suggestions.

 

@adicto:

Spoiler

that most likely means you did not decrypt the function correctly.

 

Any hint on how to get the DynamicMethods in ch 8 dumped in a way that they can be disassembled/decompiled? There are so many tools out there, but nothing seems to fit the bill. 

10 hours ago, kao said:

@adicto:


that most likely means you did not decrypt the function correctly.

 

@kao

 

Spoiler

I didn't actually decrypt but got it from the setcode bytes, would that give me the wrong bytes?

 

@adicto yes. 

@kao thanks!

@Rishi I have a question about challenge 5

Spoiler

How did you patch the initial time to the correct time? (I can patch it to skip stuff but the decryption won't work)
I've managed to find the minutes & milliseconds & seconds for the rand seed, but not the specific date needed to stop the sleep.
Tried to reproduce the code using Python but it doesn't seem to work.

 

Spoiler

.

 

Edited by Canlex
remove

Spoiler

Would anyone be kind enough to suggest tools to translate raw bytes to IL code for ch8? I've looked into Mono.Cecil but it requires a lot of other stuff on top of the actual bytes that I think I don't have access to.

 

I have a question about ch07.

 

Spoiler

I figured out how the switch statement of javascript is executed.
However, there are too many formulas and the amount of change in the values is not constant.
It seems like it would take too much time to implement the code as it is.

Is there any way to efficiently analyze or reduce these formulas?
Are there any websites I can refer to?

 

About CH7... Guys, can you tell me if Z3 is a good direction to solve this task?

27 minutes ago, loossy said:

I have a question about ch07.

Spoiler

Once you unflatten the execution flow (i.e. removing the switch case) you would be left only with the calculations in a linear form in the proper order.
Plus for easier analysis you can always inject your own JS to be run in the context of the provided node runtime to get the above execution order :) .
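An added example, not code from the thread or from the challenge: a constructed switch-flattened function in the shape Extreme Coders describes, with both recovery routes (record the dispatched state labels through an injected hook, or read the dispatcher string directly) and a generator that emits the linear version with the loop and switch removed. The dispatcher string, the state formulas and the BigInt variables are all assumptions for illustration; a real flattened script will look different, but the procedure is the same.

```javascript
// Constructed stand-in for a switch-flattened function (assumption: the real
// challenge's dispatcher and formulas look different). A dispatcher string
// drives a loop; each case is one step of the real computation.
const DISPATCH = "2|0|3|1|4";

function flattened(x, hook) {
  const order = DISPATCH.split("|");
  let i = 0;
  let a = BigInt(x);
  let b = 0n;
  while (true) {
    const label = order[i++];
    if (hook) hook(label); // injection point: record the state as it is dispatched
    switch (label) {
      case "0": a = a * 3n + 1n; continue;
      case "1": b = (a ^ 0x5an) & 0xffn; continue;
      case "2": a = a + 7n; continue;
      case "3": a = a << 2n; continue;
      case "4": return b;
      default: throw new Error("unknown state " + label);
    }
  }
}

// Case bodies as source text, keyed by label: what you copy out of the
// beautified script once you know what each case does.
const CASE_BODIES = {
  "0": "a = a * 3n + 1n;",
  "1": "b = (a ^ 0x5an) & 0xffn;",
  "2": "a = a + 7n;",
  "3": "a = a << 2n;",
  "4": "return b;",
};

// Dynamic recovery: run the flattened function with a hook that records
// every state label in dispatch order.
function traceOrder(fn, arg) {
  const seen = [];
  fn(arg, (label) => seen.push(label));
  return seen;
}

// Static recovery: the dispatcher string already encodes the order.
function staticOrder(dispatch) {
  return dispatch.split("|");
}

// Emit the linear function: prologue, then the case bodies in recovered
// order, with no loop and no switch left.
function unflattenSource(order, bodies) {
  const lines = ["let a = BigInt(x);", "let b = 0n;"];
  for (const label of order) {
    if (!(label in bodies)) throw new Error("no body for state " + label);
    lines.push(bodies[label]);
  }
  return lines.join("\n");
}

function unflatten(order, bodies) {
  return new Function("x", unflattenSource(order, bodies));
}

// Self-check: both recovery routes agree, and the linear version computes
// the same value as the flattened original for the given input.
function selfCheck(x) {
  const traced = traceOrder(flattened, x);
  const linear = unflatten(traced, CASE_BODIES);
  return (
    traced.join("|") === staticOrder(DISPATCH).join("|") &&
    linear(x) === flattened(x)
  );
}

console.log(unflattenSource(traceOrder(flattened, 5), CASE_BODIES));
console.log(flattened(5), selfCheck(5));
```

Node runs this as-is. Since the arithmetic is in BigInt, keep in mind that JavaScript refuses to mix BigInt and Number operands (`1n + 1` throws a TypeError), so every constant carried into the recovered formulas needs the `n` suffix; that is a common pitfall when re-implementing such formulas outside the original runtime.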

 

@er3zoid

Spoiler

There's AsmResolver and dnlib, but reading a disassembly of raw CIL bytes won't make much sense without resolving the token references.
For a manual approach you can always use dnSpy to construct a method out of the IL bytes and disassemble/decompile it in place.

 

Edited by Extreme Coders
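An added example, not code from the thread or from any Flare-On tooling: a minimal CIL decoder in JavaScript run over a constructed byte string, to show what raw IL looks like before its tokens are resolved. A token's high byte names the metadata table (0x0A MemberRef, 0x06 MethodDef, 0x70 the user-string heap) and the low 24 bits the row, so the same four bytes mean different things depending on what they are resolved against: the module's metadata for a normal method, or the method's own scope for a DynamicMethod, whose tokens are handed out by the dynamic IL generator rather than by the assembly. That is why a raw dump reads as nonsense until each token is mapped back. The opcode table is a subset of ECMA-335 and the sample bytes are invented for illustration.

```javascript
// Operand kinds: width and interpretation of the bytes following an opcode.
const NONE = "none", I8 = "i8", U8 = "u8", U16 = "u16", I32 = "i32", I64 = "i64";
const TOK = "token", BR8 = "br8", BR32 = "br32", SWITCH = "switch";

// One-byte opcodes from ECMA-335 partition III (a subset; unknown opcodes throw).
const OPCODES = {
  0x00: ["nop", NONE], 0x02: ["ldarg.0", NONE], 0x03: ["ldarg.1", NONE], 0x04: ["ldarg.2", NONE],
  0x05: ["ldarg.3", NONE], 0x06: ["ldloc.0", NONE], 0x07: ["ldloc.1", NONE], 0x08: ["ldloc.2", NONE],
  0x09: ["ldloc.3", NONE], 0x0A: ["stloc.0", NONE], 0x0B: ["stloc.1", NONE], 0x0C: ["stloc.2", NONE],
  0x0D: ["stloc.3", NONE], 0x0E: ["ldarg.s", U8], 0x11: ["ldloc.s", U8], 0x13: ["stloc.s", U8],
  0x14: ["ldnull", NONE], 0x16: ["ldc.i4.0", NONE], 0x17: ["ldc.i4.1", NONE], 0x1F: ["ldc.i4.s", I8],
  0x20: ["ldc.i4", I32], 0x21: ["ldc.i8", I64], 0x25: ["dup", NONE], 0x26: ["pop", NONE],
  0x28: ["call", TOK], 0x2A: ["ret", NONE], 0x2B: ["br.s", BR8], 0x2C: ["brfalse.s", BR8],
  0x2D: ["brtrue.s", BR8], 0x38: ["br", BR32], 0x39: ["brfalse", BR32], 0x3A: ["brtrue", BR32],
  0x45: ["switch", SWITCH], 0x58: ["add", NONE], 0x59: ["sub", NONE], 0x5A: ["mul", NONE],
  0x5F: ["and", NONE], 0x60: ["or", NONE], 0x61: ["xor", NONE], 0x6F: ["callvirt", TOK],
  0x72: ["ldstr", TOK], 0x73: ["newobj", TOK], 0x74: ["castclass", TOK], 0x75: ["isinst", TOK],
  0x7B: ["ldfld", TOK], 0x7D: ["stfld", TOK], 0x7E: ["ldsfld", TOK], 0x80: ["stsfld", TOK],
  0x8C: ["box", TOK], 0x8D: ["newarr", TOK], 0x8E: ["ldlen", NONE], 0x9A: ["ldelem.ref", NONE],
  0xA2: ["stelem.ref", NONE], 0xA5: ["unbox.any", TOK], 0xD0: ["ldtoken", TOK],
};
// Two-byte opcodes (0xFE prefix).
const OPCODES_FE = {
  0x01: ["ceq", NONE], 0x02: ["cgt", NONE], 0x04: ["clt", NONE], 0x06: ["ldftn", TOK],
  0x09: ["ldarg", U16], 0x0C: ["ldloc", U16], 0x0E: ["stloc", U16], 0x15: ["initobj", TOK],
  0x16: ["constrained.", TOK], 0x1C: ["sizeof", TOK],
};

// Token layout: high byte = metadata table, low 24 bits = row id (0x70 = offset into the #US heap).
const TABLES = {
  0x01: "TypeRef", 0x02: "TypeDef", 0x04: "Field", 0x06: "MethodDef", 0x0A: "MemberRef",
  0x11: "StandAloneSig", 0x1B: "TypeSpec", 0x2B: "MethodSpec", 0x70: "UserString",
};

function describeToken(tok) {
  const table = TABLES[tok >>> 24] || `table 0x${(tok >>> 24).toString(16)}`;
  return { table, rid: tok & 0x00ffffff };
}

// Walk the IL bytes, reading each operand at its real width so offsets stay aligned.
function disassemble(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const out = [];
  let pc = 0;
  while (pc < bytes.length) {
    const offset = pc;
    const first = bytes[pc++];
    const entry = first === 0xfe ? OPCODES_FE[bytes[pc++]] : OPCODES[first];
    if (!entry) throw new Error(`unknown opcode at IL_${offset.toString(16).padStart(4, "0")}`);
    const [mnemonic, kind] = entry;
    const insn = { offset, mnemonic, operand: null };
    switch (kind) {
      case I8: insn.operand = view.getInt8(pc); pc += 1; break;
      case U8: insn.operand = view.getUint8(pc); pc += 1; break;
      case U16: insn.operand = view.getUint16(pc, true); pc += 2; break;
      case I32: insn.operand = view.getInt32(pc, true); pc += 4; break;
      case I64: insn.operand = view.getBigInt64(pc, true); pc += 8; break;
      case TOK:
        insn.operand = view.getUint32(pc, true); pc += 4;
        insn.token = describeToken(insn.operand);
        break;
      // Branch targets are relative to the start of the next instruction.
      case BR8: insn.operand = view.getInt8(pc); pc += 1; insn.target = pc + insn.operand; break;
      case BR32: insn.operand = view.getInt32(pc, true); pc += 4; insn.target = pc + insn.operand; break;
      case SWITCH: {
        const n = view.getUint32(pc, true); pc += 4;
        insn.operand = [];
        for (let i = 0; i < n; i++) { insn.operand.push(view.getInt32(pc, true)); pc += 4; }
        insn.targets = insn.operand.map((rel) => pc + rel); // relative to the end of the whole switch
        break;
      }
    }
    out.push(insn);
  }
  return out;
}

// Every token operand, with its table: the list that must be resolved against the right scope.
function tokensToResolve(insns) {
  return insns.filter((i) => i.token).map((i) => ({ at: i.offset, token: i.operand, ...i.token }));
}

function formatListing(insns) {
  return insns.map((i) => {
    const off = `IL_${i.offset.toString(16).padStart(4, "0")}`;
    if (i.token) return `${off}: ${i.mnemonic} 0x${i.operand.toString(16).padStart(8, "0")} ; ${i.token.table} #${i.token.rid}`;
    if (i.target !== undefined) return `${off}: ${i.mnemonic} IL_${i.target.toString(16).padStart(4, "0")}`;
    return i.operand === null ? `${off}: ${i.mnemonic}` : `${off}: ${i.mnemonic} ${i.operand}`;
  });
}

// Constructed sample (not bytes from the challenge): two token operands, then a short branch.
const SAMPLE_IL = Uint8Array.from([
  0x72, 0x01, 0x00, 0x00, 0x70, // IL_0000 ldstr    0x70000001
  0x28, 0x10, 0x00, 0x00, 0x0a, // IL_0005 call     0x0A000010
  0x1f, 0x2a,                   // IL_000a ldc.i4.s 42
  0x0a,                         // IL_000c stloc.0
  0x06,                         // IL_000d ldloc.0
  0x2d, 0x01,                   // IL_000e brtrue.s IL_0011
  0x2a,                         // IL_0010 ret
  0x06,                         // IL_0011 ldloc.0
  0x2a,                         // IL_0012 ret
]);

console.log(formatListing(disassemble(SAMPLE_IL)).join("\n"));
console.log(tokensToResolve(disassemble(SAMPLE_IL)));
```

The listing itself is only half the job: once `tokensToResolve` gives you the MemberRef/MethodDef/UserString entries, each still has to be looked up in the metadata of the module the bytes came from (or, for a DynamicMethod, in the token scope the dynamic method was built with) before the call targets and strings mean anything, which is the manual step the post describes doing in dnSpy.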

Also working on ch8 and would appreciate any assistance.

Spoiler

I've decoded a bunch of the flare_* functions and I'm following the execution of the program but I haven't found the network functions and I'm getting really lost and I think I need a slight hint.

 
