Tuts 4 You

Featured Replies

Hi guys, I am also stuck on ch5. I was able to decrypt the shellcode, however, I can't find any paths that lead me to discover the inputs for the shellcode and the filename. Feel free to DM if you can help me. 

Most Popular Posts

  • My writeups are live now: https://washi1337.github.io/ctf-writeups/writeups/flare-on/2024/

  • Hint for 6  

  • I hope you guys will enjoy, will be monitoring here and on X in case any issues occur. I think we bumped up the difficulty this year, or maybe it's me and I'm getting old

Anyone who can give a nudge on how to proceed with the start of ch5? Found the initial piece but am unable to get anything useful out of it.

Hi guys, I just started #7 and it looks like a really big mess.

Spoiler

For starters, did you IDA guys manage to create or find signature files for the .NET system libraries and the BouncyCastle library? Without these the job seems really difficult...

 

Can anyone give me a hint on where to go in ch4, pls? I'm stuck with strings.exe

Can anyone give me a detailed hint for ch2? I've been stuck here for a long time :((

Is anyone working on #9?

Does challenge 8 still work correctly?

Spoiler

I get the error "missing trie node" where I think I shouldn't.
Also, I do not see the second methodid in the EVM code, and because of that (I guess) I get the error "Error happened while trying to execute a function ...".
Is it something I did wrong, or is it not supposed to be like that?
The RPC URL from the official documentation is used.

nvm, got it. weird challenge

Edited by cl4whands
upd

Any hints for ch 6? 

Spoiler

I feel like I have lifted most of the assembly, and IDA is now able to produce somewhat meaningful outputs. But the math operations are chained together within each chunk and I guess I don't have the prerequisite math knowledge. Are there theorems in discrete math or cryptanalysis that deal with this specific challenge I have to look for? Thank you! ^.^

May I have some hints on Ch9?

[Update]
I solved it!
 

Spoiler

Hint: make sure you fully understand the challenge code and chop stuff up before feeding things into Z3. If you feel like Z3 is taking too long to output anything, check your setup.

 

Edited by T2P16
Solved the challenge and no longer need a hint.

Any hints on 9? 

Spoiler

I tried Z3 and it's too slow

 

Any tips on traffic interception for ch7, please?

Spoiler

Tried scapy and while packet rewriting (for 127.0.0.1) is happening, the server doesn't receive the rewritten packet.

 

20 hours ago, xdbruh1234 said:

Any hints on 9? 


I tried Z3 and it's too slow

 

I also need some hints on 9? 

Spoiler

I think I know how they do the calculations, but I have no idea how to reverse it.

 

need a sanity check on ch7 please:

 

Spoiler

I understand that it's the xxx-bit thing and the attack to use is probably PH, but it's not a standard configuration right? the thing to be factored has to be extracted from memory right?

 

Spoiler
On 10/15/2024 at 4:57 PM, troplhers said:

did you IDA guys manage to create or find signature files for the .NET system libraries and the BouncyCastle library? Without these the job seems really difficult...

This will make your life a lot easier, yes.

I also am desperate for a nudge on #7:
 

Spoiler

I know the handshake protocol and its (public) parameters. The value of interest is relatively small, but not small enough to be justified to be brute-forced as part of Flare-On? Or should I rather focus on what actually generates the value?

 

EDIT: solved it. Same thing for me as for one of the previous comments: Had the stuff at hand, just had to piece it together.

Edited by oompa

On 10/21/2024 at 6:32 PM, oompa said:

This will make your life a lot easier, yes.

I also am desperate for a nudge on #7:
 


I know the handshake protocol and its (public) parameters. The value of interest is relatively small, but not small enough to be justified to be brute-forced as part of Flare-On? Or should I rather focus on what actually generates the value?

 

EDIT: solved it. Same thing for me as for one of the previous comments: Had the stuff at hand, just had to piece it together.

Hi there, would appreciate some help on this challenge. I am not very sure what I got in hand.

On 10/20/2024 at 12:18 PM, Peter said:

Any tips on traffic interception for ch7, please?


Tried scapy and while packet rewriting (for 127.0.0.1) is happening, the server doesn't receive the rewritten packet.

 

Why would you do this?

On 10/21/2024 at 5:32 PM, oompa said:

This will make your life a lot easier, yes.

I also am desperate for a nudge on #7:
 


I know the handshake protocol and its (public) parameters. The value of interest is relatively small, but not small enough to be justified to be brute-forced as part of Flare-On? Or should I rather focus on what actually generates the value?

 

EDIT: solved it. Same thing for me as for one of the previous comments: Had the stuff at hand, just had to piece it together.

could you please give a hint?

 

Spoiler

we are supposed to find in memory the n (order) of the curve?

 

Spoiler
Quote

we are supposed to find in memory the n (order) of the curve?

No, you can compute the order with the parameters that are available

Spoiler
Quote

Hi there, would appreciate some help on this challenge. I am not very sure what I got in hand.

For me, it was helpful to understand what protocols are used for encrypting the traffic. For starters, it will be most helpful to get symbols for the cryptography library involved.

 

4 hours ago, oompa said:

No, you can compute the order with the parameters that are available


For me, it was helpful to understand what protocols are used for encrypting the traffic. For starters, it will be most helpful to get symbols for the cryptography library involved.

 

I did try that, but not sure how to get those symbols. Any help with that?

I could also use a hint for #7:

Spoiler

I have gotten the symbols, I understand the protocol, I have the public parameters, but haven't found a viable attack. I've tried PH and MOV, but they do not seem feasible. How advanced cryptographic knowledge does it require?

@Sawyer555

 

Hello,

Regarding CH5,

I have a question about this docker file.

Do I need to load it into Docker or Podman? This tar file? I am asking because I cannot run it in Docker or Podman.

The question is: did anybody manage to run it in Docker? Or is it not necessary at all?

Thank you for any help. 

 

10 minutes ago, cybercat said:

Hello,

Regarding CH5,

I have a question about this docker file.

Do I need to load it into Docker or Podman? This tar file? I am asking because I cannot run it in Docker or Podman.

The question is: did anybody manage to run it in Docker? Or is it not necessary at all?

Thank you for any help. 

 

It's not a packed container image iirc, it's just an archive you can unpack

29 minutes ago, oompa said:

It's not a packed container image iirc, it's just an archive you can unpack

Hmm... I never worked with Docker, so I assumed that this TAR file is a Docker "image" that I can import. Because Podman imported it, but I cannot run it. Also, the metadata looks like it is somehow related to Docker. That's why I tried to load it into Docker to run it somehow and check what is going on in the working environment.

So the answer to my question is: "you don't have to run it "? :)

24 minutes ago, cybercat said:

So the answer to my question is: "you don't have to run it "? :)

No, you don't

May I have a hint for #8?

Spoiler

I currently have what looks like fairly large Base64-encoded data but I'm not sure if I'm looking at a red herring. The decoded data's entropy is quite high and nothing in the contract(s) stands out to me as suggesting what the next step should be.

I have the final stage but it isn't clear what values I am meant to replace the placeholders with.

I'm assuming the URL is the same and that the address is the same one retrieved from the earlier stages. I tried modifying the block value but doing this does not seem to retrieve any data back.

edit: solved it manually instead

Edited by eatcreche
solved

Any nudges for 9 

Spoiler

I think I understand how the control flow and obfuscation work and that I need to discover the underlying constraints. I don't know how to lift the assembly to make it easier to uncover faster. It's too slow to go through manually, so I would appreciate tips on how to approach it.

 
