November 3, 2022 For challenge #9: I've identified the symmetric cipher used as probably being ChaCha20 and other basic usage. The other values in the encrypted file also seem to be relevant, but I'm not sure how everything ties together. Two of the byte arrays seem to always be constant; the second is used for the asymmetric stuff, and the fourth might be an encrypted key? It's difficult to single-step through all the mathematical operations and make sense of everything. I can link some similarities between the value used to generate unk_404020 and the second byte array, like the last N or so bytes being the same, but I'm not sure how I could use that to extract the key from the 1024-bit value.
November 3, 2022 1 hour ago, upx said: For challenge #9: I've identified the symmetric cipher used as probably being ChaCha20 and other basic usage. The other values in the encrypted file also seem to be relevant, but I'm not sure how everything ties together. Two of the byte arrays seem to always be constant; the second is used for the asymmetric stuff, and the fourth might be an encrypted key? It's difficult to single-step through all the mathematical operations and make sense of everything. All the ciphers are standard, nothing custom. There's a reason why one of the byte arrays is seemingly constant. The challenge would have been unsolvable otherwise if everything was implemented properly. Edited November 3, 2022 by Extreme Coders
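For readers following the ChaCha20 identification discussed in the two posts above, here is an added reference example (it is not code from any post in this thread and says nothing about how the challenge binary itself is built): a minimal ChaCha20 block function that exposes the two fingerprints an analyst looks for in a disassembly, the "expand 32-byte k" constant (four little-endian words 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574) and the add-rotate-xor quarter round with rotation amounts 16, 12, 8 and 7. The `looks_like_chacha` helper and the sample blob it is fed are constructed for this example; the expected values come from the test vectors in RFC 8439 sections 2.1.1 and 2.3.2.

```python
# Added reference example: ChaCha20 block function plus a static fingerprint check.
# Not taken from the thread or from the challenge binary; test vectors are RFC 8439's.
import struct

# The constant words of the ChaCha state. Compilers usually emit them either as
# the literal string "expand 32-byte k" or as four 32-bit immediates.
SIGMA = b"expand 32-byte k"
SIGMA_WORDS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)
MASK = 0xFFFFFFFF


def rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def quarter_round(a, b, c, d):
    # Add-rotate-xor with rotations 16/12/8/7: the second ChaCha fingerprint.
    a = (a + b) & MASK; d = rotl32(d ^ a, 16)
    c = (c + d) & MASK; b = rotl32(b ^ c, 12)
    a = (a + b) & MASK; d = rotl32(d ^ a, 8)
    c = (c + d) & MASK; b = rotl32(b ^ c, 7)
    return a, b, c, d


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 layout: 32-byte key, 32-bit counter, 96-bit nonce)."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    state = (list(SIGMA_WORDS)
             + list(struct.unpack("<8I", key))
             + [counter & MASK]
             + list(struct.unpack("<3I", nonce)))
    x = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds
        # column rounds
        x[0], x[4], x[8], x[12] = quarter_round(x[0], x[4], x[8], x[12])
        x[1], x[5], x[9], x[13] = quarter_round(x[1], x[5], x[9], x[13])
        x[2], x[6], x[10], x[14] = quarter_round(x[2], x[6], x[10], x[14])
        x[3], x[7], x[11], x[15] = quarter_round(x[3], x[7], x[11], x[15])
        # diagonal rounds
        x[0], x[5], x[10], x[15] = quarter_round(x[0], x[5], x[10], x[15])
        x[1], x[6], x[11], x[12] = quarter_round(x[1], x[6], x[11], x[12])
        x[2], x[7], x[8], x[13] = quarter_round(x[2], x[7], x[8], x[13])
        x[3], x[4], x[9], x[14] = quarter_round(x[3], x[4], x[9], x[14])
    # Feed-forward: add the initial state back, then serialise little-endian.
    return struct.pack("<16I", *[(x[i] + state[i]) & MASK for i in range(16)])


def chacha20_xor(key, counter, nonce, data):
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


def looks_like_chacha(blob):
    """Static triage: does a byte blob carry the sigma constant as a string or as LE words?"""
    if SIGMA in blob:
        return True
    return all(struct.pack("<I", w) in blob for w in SIGMA_WORDS)


if __name__ == "__main__":
    # Constructed sample: a fake data section with the four sigma words as immediates.
    fake_section = b"\x90" * 8 + b"".join(struct.pack("<I", w) for w in SIGMA_WORDS) + b"\xcc" * 8
    print("sigma constant present:", looks_like_chacha(fake_section))
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    print("RFC 8439 block 1:", chacha20_block(key, 1, nonce)[:16].hex())
```

The block function is the same one used by both the encryptor and the decryptor, so once the key and nonce are recovered from a sample, `chacha20_xor` with the same inputs turns captured ciphertext back into plaintext; the test vectors give a quick way to confirm that a hand-written reimplementation of whatever a binary does is actually standard ChaCha20 and not a modified variant.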
November 4, 2022 I'm stuck on Ch#10. Can someone give me a hand? I got my System 6 OS running on the emulator. I can run the password program. I want to debug the program. However, I can't seem to get the debugger to work. I got a very basic debugger prompt. I can only view memory via the "DM <memory location>" command. That's it. I can't seem to get "IL <address>" to show disassembly. I know there's a better version of Macsbug (Maxbug?), but I can't seem to install it on my System 6. Can someone give me a nudge? Or am I going down the wrong rabbit hole?
November 4, 2022 @pcmcia Probably not wrong to debug it, but it can be solved comfortably statically. Make sure to also explore the binary well with the included resource program, and unfortunately there is a little bit of guesswork involved - unless I missed something!
November 4, 2022 1 hour ago, deepzero said: @pcmcia Probably not wrong to debug it, but it can be solved comfortably statically. Make sure to also explore the binary well with the included resource program, and unfortunately there is a little bit of guesswork involved - unless I missed something! @deepzero Thanks! I have the raw bytes and I have the algorithm that decodes these raw bytes to the flag. But I'm missing the password. I guess I need some help with the "guesswork". Any hints?
November 4, 2022 5 minutes ago, kao said: @pcmcia: read carefully what Deepzero said earlier. I did go through every section of the binary. I tried every song name by Nena and/or David Riley from 1983. No luck. Am I going down the wrong path again?
November 4, 2022 51 minutes ago, Extreme Coders said: @pcmcia Hint: You already know what the flag ends with. @Extreme Coders Thanks! I got it now. That was one of the first things I tried, but my eye didn't recognize it because it wasn't in English.
November 9, 2022 For Challenge #9 again: I've relabeled all the code and identified the procedure for encrypting the key and so on. Everything is as I would expect; however, nothing really stands out as anything that would be vulnerable. Another thing is that if I try to decrypt the example ciphertext using P and Q from the test case (which should be constant), it doesn't match what it should be. Neither are the values of P and Q I get able to decrypt the actual ciphertext, despite all the values matching and the math working out in the debugger.
November 10, 2022 For Ch 9, it's all about the cryptography concept. Once you have identified the algorithm, the university lecture notes helped me revise the concepts and aided me in the analysis.
November 12, 2022 It's over. Thank you guys! Especially @Washi and @kao. I hope I will have a chance to work on it again next year.
November 13, 2022 Some of my more silly ones. I felt bad about 10 and 11, and then realized everyone else took shortcuts as well: https://www.ghettoforensics.com/2022/11/flare-on-9-worst-writeups.html
November 14, 2022 (thread author) I just pushed my own writeups: https://washi1337.github.io/ctf-writeups/writeups/flare-on/2022/ Challenges 1-9 should all be complete. I haven't done writeups for challenges 10 and 11 yet, as I do feel I cheesed them a bit and don't really have proper notes on them. If there is some demand for it I can write them at a later point in time.
November 14, 2022 47 minutes ago, Washi said: I haven't done writeups for challenges 10 and 11 yet, as I do feel I cheesed them a bit and don't really have proper notes on them. Pretty please! As you can see in Rurik's writeups above, pretty much everyone did that...
November 14, 2022 Just for fun, check out my exotic solution for #5 in the form of a superhacky bruteforce script ... it cuts down the required reversing to a minimum. Runtime is about 30 min ...

```python
# IDAPython brute-force: re-run the target under the IDA debugger, patch the
# 16-byte structure (looks like a Win32 SYSTEMTIME) it reads, and vary only the
# last word (offset 14, the milliseconds field) until the output string matches.
import ida_dbg, ida_bytes, idaapi, ida_nalt  # idaapi and ida_nalt were used but not imported


def onerun(msec):
    # Run to the call that returns the time structure in eax
    ida_dbg.run_to(0x006C1064)
    ida_dbg.wait_for_next_event(ida_dbg.WFNE_SUSP, -1)
    eax = ida_dbg.get_reg_val("eax")
    #print("eax: ", eax)
    ida_dbg.step_over()
    ida_dbg.wait_for_next_event(ida_dbg.WFNE_SUSP, -1)
    #eax = 0xbcfc90
    # Fixed date/time (2022-06-14 18:14:36), then overwrite only the milliseconds
    ida_dbg.write_dbg_memory(eax, bytes.fromhex("E6 07 06 00 02 00 0E 00 12 00 0E 00 24 00 00 00"))
    idaapi.put_word(eax + 14, msec)
    systime = idaapi.get_bytes(eax, 16)
    # Run to the point where the resulting UTF-16 string pointer is in [eax]
    ida_dbg.run_to(0x006C3DDF)
    ida_dbg.wait_for_next_event(ida_dbg.WFNE_SUSP, -1)
    eax = ida_dbg.get_reg_val("eax")
    deax = idaapi.get_dword(eax)
    #print(hex(deax))
    strl = ida_bytes.get_max_strlit_length(deax, ida_nalt.STRTYPE_C_16)
    ss = ida_bytes.get_strlit_contents(deax, strl, ida_nalt.STRTYPE_C_16)
    ss = ss.decode("ascii")
    # Kill the process so the next iteration starts from a clean state
    ida_dbg.exit_process()
    ida_dbg.wait_for_next_event(ida_dbg.WFNE_SUSP, -1)
    print(str(ss))
    if ss == "ydN8BXq16RE=":
        print("hit!", msec)
        return True
    return False


for i in range(1001):
    if onerun(i):
        break
```
November 15, 2022 For ch-2, I opened it in Cerbero Profiler, found two images, performed an online image diff, and got the flag. It was a little difficult to read the flag from the diffed image, but I entered the flag correctly after 5-10 attempts.