Flare-On 10

[backin]

3 minutes ago, f355 said:

ch13

  Hide contents

so I wrote a reverse shell server-side script, so I can issue commands to the client and receive responses. I found 2 commands one gives life tip, another tells I need to provide password. I am kind of stuck at this point, any pointers would be appreciated..

Also the debugging here is tricky since the executable relaunches itself after every command, so it is hard to debug how commands are processed and responses generated. Any tips for proper debugging? Should I patch the binary so it doesn't terminate itself?

 

Spoiler

Hi! Yes, you are in right direction. You should find out what password you should provide. Try to trace that via x64dbg or ida pro. Look closely to constants put to registers

 

Also i am curious did you managed to deobfucate code - and how)

 

[ChaoticEnigma]

I know there's not much time left, but anyone want to drop a hint for the end of ch13? I think I understand everything in the program, but I just don't see how to work forwards/backwards to identify the right PRNG seed. I have the whole thing pretty well de-obfuscated, and I can run the flag decryption in unicorn. But it doesn't seems practical to brute force. Am I just overlooking something simple? Or is it an Angr problem... then I'll just give up now.

[X0rby]

ch13

 

[ChaoticEnigma]

Saw that on twitter earlier, that's a great explanation. My bad for treating the ROP code as an opaque operation, I wouldn't have thought it would be decrypting and re-encrypting the flag haha. Although the official writeup makes even less sense now.

[pcmcia]

Anyone received a cheap flimsy paper flag, *cough cough* I mean "prize" for their completion of flare-on?  For 2022, I got a pretty heavy medal.  The prize for 2023 was a bit disappointing.