Tuts 4 You

Recommended Posts

Posted (edited)

nm solved

Edited by f355
solved
Posted (edited)

Can someone give me a hint about CH3:

Spoiler

"How to get proper opcodes?" How should I know which one I should put? I see that I need to rebuild the code with the password, but is there any good approach to predict the correct opcodes?

Now I am in the shellcode but it is still crashing. I know that chars from the password have to be put into the shellcode, but how to guess/calculate them?

Thanks for any help

Edited by cybercat
Posted (edited)
1 hour ago, cybercat said:

Can someone give me a hint about CH3:

"How to get proper opcodes?" How should I know which one I should put? I see that I need to rebuild the code with the password, but is there any good approach to predict the correct opcodes?

Now I am in the shellcode but it is still crashing. I know that chars from the password have to be put into the shellcode, but how to guess/calculate them?

Thanks for any help

No need to guess, look around. This task is only about analysis and coding at the end.

Spoiler

the file is big...

Edited by Kolombo
Posted

Thanks Kolombo for the reply

I am still confused. Do I need to 'fix' the shellcode? Or can I 'pass' it somehow? Is it important to solve the task? What am I missing? :) Maybe my questions are too direct, but I am so tired of this task.

Posted

Also got stuck with ch3... received a 174216-byte file with high entropy, encrypted, obviously.

Posted (edited)
1 hour ago, cybercat said:

Thanks Kolombo for the reply

I am still confused. Do I need to 'fix' the shellcode? Or can I 'pass' it somehow? Is it important to solve the task? What am I missing? :) Maybe my questions are too direct, but I am so tired of this task.

I'm sorry, I think I'm confused. Are we talking about mypassion? If yes, then

Spoiler

Yeah, you have to fix it. I've bruted it using python (for loop + capstone) and checked the adequacy of the byte at a certain position. Actually the 2nd one will be easier than the first. Maybe you are powerful enough just to guess... Up to you)

I have not completely finished this task, just enough to get the flag. You will see at the end, it is not necessary to have it 100% done.

[ADDED LATER] Not all bytes were bruted, some of them are logical.

Edited by Kolombo
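The brute-force approach Kolombo describes, as an added example that is not part of the original post: try each candidate byte at an unknown position, disassemble the result with Capstone, and keep only the values that still decode into the expected instruction sequence. It assumes x86-64 shellcode, printable password characters and a constructed six-byte sample blob, not the challenge's own bytes.

```python
# Added example (not Kolombo's script): brute-force one unknown byte of a
# shellcode blob by disassembling every candidate with Capstone and keeping
# the ones that still decode into the expected instruction sequence.
# Assumptions: x86-64 code, printable-ASCII password bytes, constructed blob.
try:
    from capstone import Cs, CS_ARCH_X86, CS_MODE_64
    HAVE_CAPSTONE = True
except ImportError:            # pip install capstone
    HAVE_CAPSTONE = False

# Constructed sample (not from the challenge):
#   31 c0   xor eax, eax
#   6a 41   push 0x41      <- byte 3 ('A') is an immediate
#   58      pop rax        <- byte 4 ('X') is an opcode
#   c3      ret
SAMPLE = bytearray(b"\x31\xc0\x6a\x41\x58\xc3")
# Mnemonic sequence the repaired blob must decode into (the "adequacy" check).
EXPECTED = ["xor", "push", "pop", "ret"]
PRINTABLE = range(0x20, 0x7F)  # the 95 printable ASCII bytes

def mnemonics(code):
    """Disassemble the whole buffer. Return the mnemonic list, or None when
    Capstone stops early on an undecodable or truncated instruction."""
    if not HAVE_CAPSTONE:
        raise RuntimeError("capstone is required for this example")
    md = Cs(CS_ARCH_X86, CS_MODE_64)
    out, consumed = [], 0
    for insn in md.disasm(bytes(code), 0):
        out.append(insn.mnemonic)
        consumed = insn.address + insn.size
    return out if consumed == len(code) else None

def candidates_for(code, pos, expected=EXPECTED, alphabet=PRINTABLE):
    """Try every byte of `alphabet` at `pos`; keep the values whose
    disassembly matches `expected` exactly (same count, same mnemonics)."""
    good = []
    for b in alphabet:
        trial = bytearray(code)
        trial[pos] = b
        if mnemonics(trial) == expected:
            good.append(b)
    return good

if __name__ == "__main__":
    # Opcode position 4 narrows to the eight single-byte pops (0x58..0x5f).
    print([chr(b) for b in candidates_for(SAMPLE, 4)])
    # Immediate position 3 does not narrow at all: every imm8 is valid.
    print(len(candidates_for(SAMPLE, 3)))
```

Opcode and ModRM positions narrow sharply while an immediate accepts every value, which is the "logical" part the post says is left to the analyst.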
Posted (edited)

any help regarding ch5 would be super appreciated, thanks so much in advance!

Spoiler

I think I've found the algorithm the challenge hints at; I can see some well-known properties to recognise it, but I can't seem to find a way to get data in to "fix" the last bit. Is there something I'm still not getting?

@test you're a godsend, ty

Edited by marshy
Posted
6 hours ago, marshy said:

any help regarding ch5 would be super appreciated, thanks so much in advance!

I think I've found the algorithm the challenge hints at; I can see some well-known properties to recognise it, but I can't seem to find a way to get data in to "fix" the last bit. Is there something I'm still not getting?

Spoiler

There is another "hint" near the hint with the algorithm about what data should be decrypted. Then you can just patch it in memory.

 

Can anyone help me with ch6? Thanks in advance

Spoiler

I've found the "checksum" stuff and the salsa20 stuff and understood how the initial state is built for salsa20 with the flare-norocks!!! constant. But I can't figure out how to adjust the input.

Posted

@test

Spoiler

You need a key. There is no other way to solve it.

Posted
28 minutes ago, Kolombo said:

@test

You need a key. There is no other way to solve it.

Spoiler

Do I have to reconstruct the whole executable or is it enough to look at the code section?

Posted (edited)
1 hour ago, test said:
Do I have to reconstruct the whole executable or is it enough to look at the code section?

Spoiler

There is nothing to reconstruct 🙂 You just need to find a "thing" and then you go WOW! You see just a part of the picture. BTW, I didn't know that Salsa was there and solved it... 🙂

Maybe you need to read the task again. The key words are there.

Edited by Kolombo
Posted
On 10/11/2023 at 11:27 AM, Kolombo said:
There is nothing to reconstruct 🙂 You just need to find a "thing" and then you go WOW! You see just a part of the picture. BTW, I didn't know that Salsa was there and solved it... 🙂

Maybe you need to read the task again. The key words are there.

Spoiler

I have analyzed the DOS program and got the Mario message and tried to patch the program so that the key is written into the file. But unfortunately I get a different key every time and I don't know what I'm missing.

Posted
10 minutes ago, test said:
I have analyzed the DOS program and got the Mario message and tried to patch the program so that the key is written into the file. But unfortunately I get a different key every time and I don't know what I'm missing.

Spoiler

You need to answer the question: "how is the key generated?"

Posted

Any hints for the 10th challenge?

Posted (edited)

Need help with ch5

Spoiler

I see the binary reads from a named pipe. Should I pass it a key or something else? Or is the named pipe just a decoy?

Also, is it important from where I launch the binary? Should it be under the public directory?

Edited by f355
Posted
3 hours ago, f355 said:

need help with ch5

I see the binary reads from a named pipe. Should I pass it a key or something else? Or is the named pipe just a decoy?

Also, is it important from where I launch the binary? Should it be under the public directory?

Spoiler

Mmm... I thought the pipe is used for giving a command for the 2nd stage. However, I can't say more, cuz I solved this task by guessing 🙂 As far as I remember, the only thing the pipe is used for is to show you another hint message.

Posted
7 hours ago, jbb said:

Any hints for the 10th challenge?

Just started 🙂

Posted

I need a nudge for ch#6.

Spoiler

I know how the game works. I got the Mario message and got the game to change itself. However, I don't know what and where uses that change. I have been looking through the code in the higher memory locations that handles the music. I can't seem to find anything that uses the new bytes. Am I looking in the right place?

Posted

@pcmcia:

Spoiler


4 hours ago, pcmcia said:

Am I looking in the right place?

If you didn't find anything there, most likely it's the wrong place to look. :)

Take a step back and look at the whole file again.

Posted
35 minutes ago, kao said:

@pcmcia:

If you didn't find anything there, most likely it's the wrong place to look. :)

Take a step back and look at the whole file again.

Thanks, I guess? I got the flag, but can I just say WTFBBQ?!?!?!? I have no idea what happened or how it worked. Apparently, I was sitting on this flag for multiple days without knowing. I didn't know binaries can work like that. Oh well, I guess I'll move on to the next challenge and figure this out later.

Posted (edited)
6 hours ago, pcmcia said:

I need a nudge for ch#6.  

I know how the game works. I got the Mario message and got the game to change itself. However, I don't know what and where uses that change. I have been looking through the code in the higher memory locations that handles the music. I can't seem to find anything that uses the new bytes. Am I looking in the right place?

Spoiler

You have to win. And do 1 more thing. It is a game, bro 🙂 What do you usually do in a game?)

Edited by Kolombo
UnskilledGarbage
Posted

Sanity check on ch3 please (mypassion)

Spoiler

On the step when I get the HTML decrypted, there is also some shellcode that gets decrypted. There is a check for the key, and to pass it the key must begin with "ob5cUre". I assume that is the complete key and there is not anything appended to it. But it seems that is not correct; the shellcode is decrypted as garbage. Wat? The encrypted shellcode is not affected by user input, so it should not be corrupted on the way. The only possible reason I see is a wrong key. But how so? Since it passes the check, and there is no additional info provided anywhere... guessing begins?) The HTML and its image do not seem to contain the flag either. It is not a problem with the crypto APIs; CyberChef gives exactly the same result for those inputs.

What am I missing? It drives me crazy...

Posted
22 hours ago, UnskilledGarbage said:

sanity check on ch3 please (mypassion)

On the step when I get the HTML decrypted, there is also some shellcode that gets decrypted. There is a check for the key, and to pass it the key must begin with "ob5cUre". I assume that is the complete key and there is not anything appended to it. But it seems that is not correct; the shellcode is decrypted as garbage. Wat? The encrypted shellcode is not affected by user input, so it should not be corrupted on the way. The only possible reason I see is a wrong key. But how so? Since it passes the check, and there is no additional info provided anywhere... guessing begins?) The HTML and its image do not seem to contain the flag either. It is not a problem with the crypto APIs; CyberChef gives exactly the same result for those inputs.

What am I missing? It drives me crazy...

Spoiler

What I remember is you don't need to decrypt the HTML correctly to solve this task, cuz I did, but the decryption was wrong. And the last part of the key "n.com" was also wrong in my case. I for sure made a mistake somewhere, but anyway got the part before "@". It was printed to the console, I think.

  • Like 1
UnskilledGarbage
Posted
1 hour ago, Kolombo said:
What I remember is you don't need to decrypt the HTML correctly to solve this task, cuz I did, but the decryption was wrong. And the last part of the key "n.com" was also wrong in my case. I for sure made a mistake somewhere, but anyway got the part before "@". It was printed to the console, I think.

Spoiler

The only thing that is printed to the console on that step is "RUECK....RWESEN", but it does not seem to be the correct flag (sure, with @ appended). That isn't it, is it?

Did you decrypt and run correctly the shellcode part of size 0x3C0 that should be decrypted with the "ob5cUre" key? (The one that runs after checking the HTML's checksum.) I am getting garbage from that. I guess that shellcode drops/runs the HTML and prints (?) the flag... but does it really?

Posted
On 10/17/2023 at 5:17 PM, UnskilledGarbage said:

sanity check on ch3 please (mypassion)

On the step when I get the HTML decrypted, there is also some shellcode that gets decrypted. There is a check for the key, and to pass it the key must begin with "ob5cUre". I assume that is the complete key and there is not anything appended to it. But it seems that is not correct; the shellcode is decrypted as garbage. Wat? The encrypted shellcode is not affected by user input, so it should not be corrupted on the way. The only possible reason I see is a wrong key. But how so? Since it passes the check, and there is no additional info provided anywhere... guessing begins?) The HTML and its image do not seem to contain the flag either. It is not a problem with the crypto APIs; CyberChef gives exactly the same result for those inputs.

What am I missing? It drives me crazy...

Spoiler

I also had this "issue". Your "ob5cUre" is wrong; you might say "this is what the debugger accepts", but really almost the entire string is built from an earlier part or sub-level, if you will. So check where it derives "ob5cUre" from and then double check what in your input generated that string. This is trivial to do with a debugger.

  • Like 1
