Tuts 4 You

Flare-On 10


Washi

Can someone give me a hint about CH3:

Spoiler

"How to get proper opcodes?" How should I know which one I should put? I see that I need to rebuild the code with the password, but is there any good approach to predict the correct opcodes?

Now I am in the shellcode but it is still crashing. I know that chars from the password have to be put into the shellcode, but how do I guess/calculate them?

Thanks for any help

Edited by cybercat

1 hour ago, cybercat said:


No need to guess, look around. This task is only about analysis and coding at the end.

Spoiler

the file is big...

 

Edited by Kolombo

Thanks Kolombo for the reply.

I am still confused. Do I need to 'fix' the shellcode? Or can I 'pass' it somehow? Is it important to solve the task? What am I missing? :) Maybe my questions are too direct, but I am so tired of this task.

 


1 hour ago, cybercat said:


I'm sorry, I think I'm confused. Are we talking about mypassion? If yes, then

 

Spoiler

Yeah, you have to fix it. I brute-forced it using Python (for loop + capstone) and checked the adequacy of the byte at a certain position. Actually the 2nd one will be easier than the first. Maybe you are powerful enough just to guess... Up to you)

I haven't completely finished this task, just enough to get the flag. You will see at the end, it is not necessary to be 100% done.

 

[ADDED LATER] Not all bytes were brute-forced, some of them are logical.

 

Edited by Kolombo

Any help regarding ch5 would be super appreciated, thanks so much in advance!

Spoiler

I think I've found the algorithm the challenge hints at, I can see some well-known properties to recognise it, but I can't seem to find a way to get data in to "fix" the last bit. Is there something I'm still not getting?

@test you're a godsend ty

Edited by marshy

6 hours ago, marshy said:

 

Spoiler

There is another "hint" near the hint with the algorithm about what data should be decrypted. Then you can just patch it in memory.

 

Can anyone help me with ch6? Thanks in advance

Spoiler

I've found the "checksum" stuff and the Salsa20 stuff and understood how the initial state is built for Salsa20 with the flare-norocks!!! constant. But I can't figure out how to adjust the input.

 

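An added example, not code from the challenge or from any poster, showing where a custom constant lands in the Salsa20 initial state and how the keystream follows from it. It assumes the textbook layout (constant words on the diagonal at 0, 5, 10, 15; the eight key words at 1 to 4 and 11 to 14; nonce at 6 to 7; 64-bit block counter at 8 to 9; 20 rounds) with the "flare-norocks!!!" string from the post above in place of the usual "expand 32-byte k". The key, nonce and plaintext are constructed, and a real sample may deviate from this layout (round count, counter placement, word order), which is exactly what to confirm in the debugger before trusting any decryption.

```python
"""Salsa20 with a configurable 16-byte constant.

Added example; "flare-norocks!!!" is the constant named in the post, the
key/nonce/plaintext are constructed, and the state layout is the textbook one.
"""
import struct

MASK = 0xFFFFFFFF
STANDARD_CONSTANT = b"expand 32-byte k"   # "sigma" from the Salsa20 spec
CUSTOM_CONSTANT = b"flare-norocks!!!"     # 16 bytes, same slot as sigma


def rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def quarterround(y0, y1, y2, y3):
    y1 ^= rotl32((y0 + y3) & MASK, 7)
    y2 ^= rotl32((y1 + y0) & MASK, 9)
    y3 ^= rotl32((y2 + y1) & MASK, 13)
    y0 ^= rotl32((y3 + y2) & MASK, 18)
    return y0, y1, y2, y3


def initial_state(key, nonce, counter, constant=STANDARD_CONSTANT):
    """16 little-endian words: constant on the diagonal (0, 5, 10, 15), key at
    1-4 and 11-14, nonce at 6-7, block counter (low, high) at 8-9."""
    if len(key) != 32 or len(nonce) != 8 or len(constant) != 16:
        raise ValueError("need a 32-byte key, 8-byte nonce and 16-byte constant")
    c = struct.unpack("<4I", constant)
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    return [c[0], k[0], k[1], k[2], k[3],
            c[1], n[0], n[1], counter & MASK, (counter >> 32) & MASK,
            c[2], k[4], k[5], k[6], k[7],
            c[3]]


def salsa20_block(state, rounds=20):
    """Salsa20/rounds core: rounds on a copy, then add the input state."""
    x = list(state)
    for _ in range(rounds // 2):
        # column round
        x[0], x[4], x[8], x[12] = quarterround(x[0], x[4], x[8], x[12])
        x[5], x[9], x[13], x[1] = quarterround(x[5], x[9], x[13], x[1])
        x[10], x[14], x[2], x[6] = quarterround(x[10], x[14], x[2], x[6])
        x[15], x[3], x[7], x[11] = quarterround(x[15], x[3], x[7], x[11])
        # row round
        x[0], x[1], x[2], x[3] = quarterround(x[0], x[1], x[2], x[3])
        x[5], x[6], x[7], x[4] = quarterround(x[5], x[6], x[7], x[4])
        x[10], x[11], x[8], x[9] = quarterround(x[10], x[11], x[8], x[9])
        x[15], x[12], x[13], x[14] = quarterround(x[15], x[12], x[13], x[14])
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(x, state)))


def salsa20_xor(key, nonce, data, constant=STANDARD_CONSTANT, counter=0):
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        block = salsa20_block(initial_state(key, nonce, counter + off // 64, constant))
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], block))
    return bytes(out)


if __name__ == "__main__":
    key, nonce = bytes(range(32)), bytes(range(8))          # constructed
    st = initial_state(key, nonce, 0, CUSTOM_CONSTANT)
    print("diagonal words:", [hex(st[i]) for i in (0, 5, 10, 15)])
    ct = salsa20_xor(key, nonce, b"constructed plaintext", CUSTOM_CONSTANT)
    print("ciphertext:", ct.hex())
    print("roundtrip:", salsa20_xor(key, nonce, ct, CUSTOM_CONSTANT))
```

Because the constant is mixed into every column and row, swapping it changes the entire keystream while leaving the algorithm recognisable; a dump of the 16-word state at the first quarterround is the quickest way to read the constant, key, nonce and counter straight out of a sample.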

28 minutes ago, Kolombo said:

@test


You need a key. There is no other way to solve.

 

Spoiler

Do I have to reconstruct the whole executable or is it enough to look at the code section?

 


1 hour ago, test said:

 

Spoiler

There is nothing to reconstruct 🙂 You just need to find a "thing" and then you go WOW! You see just a part of the picture. BTW, I didn't know that Salsa was there and solved it... 🙂

Maybe you need to read the task again. The key words are there.

Edited by Kolombo

On 10/11/2023 at 11:27 AM, Kolombo said:

Spoiler

I have analyzed the DOS program and got the Mario message and tried to patch the program so that the key is written into the file. But unfortunately I get a different key every time and I don't know what I'm missing?

 


10 minutes ago, test said:

 

Spoiler

You need to answer the question: "how is the key generated?"

 


Need help with ch5

Spoiler

I see the binary reads from a named pipe. Should I pass it a key or something else? Or is the named pipe just a decoy?

Also, is it important from where I launch the binary? Should it be under the public directory?

 

Edited by f355

3 hours ago, f355 said:

 

Spoiler

Mmm.. I thought the pipe is used for giving commands to the 2nd stage. However, I can't say more, because I solved this task by guessing 🙂 As far as I remember, the only thing the pipe is used for is to show you another hint message.

 


I need a nudge for ch#6.  

Spoiler

I know how the game works. I got the Mario message and got the game to change itself. However, I don't know what and where uses that change. I have been looking through the code in the higher memory locations that handles the music. I can't seem to find anything that uses the new bytes. Am I looking in the right place?

 


@pcmcia:

Spoiler


4 hours ago, pcmcia said:

Am I looking in the right place?

If you didn't find anything there, most likely it's the wrong place to look. :)

Take a step back and look at the whole file again.


35 minutes ago, kao said:

Thanks, I guess? I got the flag, but can I just say WTFBBQ?!?!?!? I have no idea what happened or how it worked. Apparently, I was sitting on this flag for multiple days without knowing. I didn't know binaries could work like that. Oh well, I guess I'll move on to the next challenge and figure this out later.


6 hours ago, pcmcia said:

 

Spoiler

You have to win. And do 1 more thing. It is a game, bro 🙂 What do you usually do in a game?)

 

Edited by Kolombo

UnskilledGarbage

Sanity check on ch3 please (mypassion)

Spoiler

On the step when I get the HTML decrypted, there is also some shellcode that gets decrypted. There is a check for the key, and to pass it the key must begin with "ob5cUre". I assume that this is the complete key and there isn't anything appended to it, but it seems that this is not correct: the shellcode is decrypted as garbage. What? The encrypted shellcode is not affected by user input, so it should not be corrupted on the way. The only possible reason I see is a wrong key. But how so? Since it passes the check, and there is no additional info provided anywhere... guessing begins?) The HTML and its image do not seem to contain the flag either. It is not a problem with the crypto APIs; CyberChef gives exactly the same result for those inputs.

What am I missing? It drives me crazy...

 


22 hours ago, UnskilledGarbage said:

 

Spoiler

What I remember is that you don't need to decrypt the HTML correctly to solve this task, because I did it and the decryption was wrong. And the last part of the key, "n.com", was also wrong in my case. I'm sure I made a mistake somewhere, but anyway I got the part before "@". It was printed to the console, I think.

 


UnskilledGarbage
1 hour ago, Kolombo said:

 

Spoiler

The only thing that is printed to the console on that step is "RUECK....RWESEN" but it does not seem to be the correct flag (sure, with @ appended). That isn't it, is it?

Did you decrypt and correctly run the shellcode part of size 0x3C0 that should be decrypted with the "ob5cUre" key (the one that runs after checking the HTML's checksum)? I am getting garbage from that. I guess that shellcode drops/runs the HTML and prints (?) the flag... but does it really?

 


On 10/17/2023 at 5:17 PM, UnskilledGarbage said:

 

Spoiler

I also had this "issue". Your "ob5cUre" is wrong; you might say "this is what the debugger accepts", but really almost the entire string is built from an earlier part, or sub-level if you will. So check where it derives "ob5cUre" from and then double-check what in your input generated that string. This is trivial to do with a debugger.

 

