October 2Oct 2 Can anyone help me with 4?What i have donne until nowI've patched the M byte to make it run.(it is sufficient? Need other patches?) For What i see the program create some copies with one byte change for each copy. But now i can't understand What to do. Any hint?
October 3Oct 3 Need help regarding ch5, i can see that its a finite state machine but there are so many handlers. Any hints how can i get the states each state function can transition into? Edited October 3Oct 3 by iamwho
October 3Oct 3 6 hours ago, iamwho said:Need help regarding ch5, i can see that its a finite state machine but there are so many handlers. Any hints how can i get the states each state function can transition into?Same here .. I understand all the logic, found where flag is decrypted but I can’t try to automate the branches exploring to find the correct path .. anyone for a real hint about this?
October 3Oct 3 Just now, Bakko said:Can anyone help me with 4?What i have donne until nowI've patched the M byte to make it run.(it is sufficient? Need other patches?) For What i see the program create some copies with one byte change for each copy. But now i can't understand What to do. Any hint?18 hours ago, Bakko said:Can anyone help me with 4?What i have donne until nowI've patched the M byte to make it run.(it is sufficient? Need other patches?) For What i see the program create some copies with one byte change for each copy. But now i can't understand What to do. Any hint?18 hours ago, Bakko said:Can anyone help me with 4?What i have donne until nowI've patched the M byte to make it run.(it is sufficient? Need other patches?) For What i see the program create some copies with one byte change for each copy. But now i can't understand What to do. Any hint?Never mind i managed to solve it
October 4Oct 4 Author @aka7am @iamwho Pay close attention to the things that are checked for in the if statements guarding the goody boy message. What comparisons are being made? How do these relate to the "branching mechanism" you're talking about?
October 5Oct 5 Any tips on ch 8? I have no slight progress.Should I study on how MetaObject structured?
October 5Oct 5 On 10/3/2025 at 3:58 AM, aka7am said:Same here .. I understand all the logic, found where flag is decrypted but I can’t try to automate the branches exploring to find the correct path .. anyone for a real hint about this?Either scripting in your disassembler of choice (BN, Ghidra, IDA), or use something like Capstone.
October 5Oct 5 2 hours ago, iamwho said:Any help for ch6? Kinda stuck on what to do, i have unpacked the py bytecode.Adding to this, i think its some smart contract thing. Although im not very well versed in web3, can anyone point out some learning resources for it?
October 8Oct 8 Quick question about Ch7:What I've done so far:I found out that a connection is established on port 8000. The server responds with an encrypted message that looks something like this: {“ack”: “username@computername”}. Here, username@computername is used as the key for an XOR algorithm with AES S Box. Then another connection is initialized, which sends the collected information about the infected system. This information is encrypted in a different way. I'm stuck here because it's extremely difficult to read. Do I have to work through it, or is there an easier way to solve it?
October 8Oct 8 43 minutes ago, piano96 said:Quick question about Ch7:What I've done so far:I found out that a connection is established on port 8000. The server responds with an encrypted message that looks something like this: {“ack”: “username@computername”}. Here, username@computername is used as the key for an XOR algorithm with AES S Box. Then another connection is initialized, which sends the collected information about the infected system. This information is encrypted in a different way. I'm stuck here because it's extremely difficult to read. Do I have to work through it, or is there an easier way to solve it?I solved it in the hard/long way, not sure if there is an easier one.
October 8Oct 8 36 minutes ago, Torraske said:I solved it in the hard/long way, not sure if there is an easier one.Ok thank you. So at least I‘m on a way that solves the problem?
October 8Oct 8 4 hours ago, piano96 said:Ok thank you. So at least I‘m on a way that solves the problem?Yes 🙂
Thursday at 04:00 PM5 days Any help with ch7, the main function is huge and highly obfuscated. @piano96 did you clean the functions. I also saw that it establishes a connection on port 8000 using x64dbg.Reading the main function is pain with junk
Thursday at 04:11 PM5 days 9 minutes ago, jhinga said:Any help with ch7, the main function is huge and highly obfuscated.@piano96 did you clean the functions. I also saw that it establishes a connection on port 8000 using x64dbg.Reading the main function is pain with junkI did not deobfuscate anything. Ida was not really helpful.
Thursday at 04:18 PM5 days 2 minutes ago, piano96 said:I did not deobfuscate anything. Ida was not really helpful.i cant find where the actual logic is for sockets. I tried debugging it but still cant find it.
Friday at 09:57 AM4 days Anybody a hint for challenge 8? I found the instructions where it compares the calculated value against the expected one but don't have a clue where it comes from. Wrote some deobfuscation scripts but they were not really helpful. Don't know how to proceed
Friday at 04:50 PM4 days First time doing flare-on, any hints on the 3rd challenge? Initially based on the headers I found SNDH and NRO bits suspicious and looked in the direction of various tools that can understand these formats (found a bunch of NRO loaders for Ghidra and IDA, by the way) but then realized it's probably just intended to mislead. I tried to decrypt the pdf with qpdf but according to qpdf --check pdf itself is broken so whatever got decrypted in object 4 probably won't be of much use, right? I suppose I should try manually fixing the pdf structure and then decrypting (and then doing something with the payload in case there're multiple layers of obfuscation), but I'm somewhat at a loss about how one should manually fix a pdf file. Any tips? Or am I on the wrong track?
Friday at 10:40 PM3 days Can somebody please contact me for a sanity-check on challenge 6? I can decrypt my own conversations just fine, but it just won't work on the provided log. 🥲
Sunday at 02:56 AM2 days Edit: Feeling really bad. I already had the answer but forgot to try it the correct way. I thought I had :( Shamefully solved now after too long of getting myself stuckI may need a small nudge on 7 =( At the 99% mark and hit their last wall. I did it statically and dynamically, then recreated the logic in scripts.75% through the PCAP a value changes. I've been in the binary trying to find how it parses that and am just not seeing it, even though I have everything else in the binary marked up. The JSON parsing library they used, the crypto functions, MSVCRT string functions, etc. I even tried bruteforcing ... which got me the third value 🙃, but not the 2nd. What other methodology should I try? Edited Sunday at 05:09 PM2 days by Rurik I suck
Sunday at 07:34 AM2 days On 10/3/2025 at 9:31 PM, Bakko said:Never mind i managed to solve ithi, can you give some hints for CH4, please? I've patched the M byte to make it run and I see it clones 4 copies. What should I do next?
Sunday at 01:35 PM2 days Author On 10/9/2025 at 6:18 PM, jhinga said:i cant find where the actual logic is for sockets. I tried debugging it but still cant find it.A debugger's callstack is your best friend :)On 10/10/2025 at 6:50 PM, revnewb said:itself is broken so whatever got decrypted in object 4 probably won't be of much use, right?You probably want to revisit that reasoningOn 10/11/2025 at 12:40 AM, neko-chan said:Can somebody please contact me for a sanity-check on challenge 6?I can decrypt my own conversations just fine, but it just won't work on the provided log. 🥲Then we must conclude things that come in are not the right input parameters...10 hours ago, Rurik said:I may need a small nudge on 7 =( At the 99% mark and hit their last wall. I did it statically and dynamically, then recreated the logic in scripts.75% through the PCAP a value changes. I've been in the binary trying to find how it parses that and am just not seeing it, even though I have everything else in the binary marked up. The JSON parsing library they used, the crypto functions, MSVCRT string functions, etc. I even tried bruteforcing ... which got me the third value 🙃, but not the 2nd. What other methodology should I try?The same approach should apply for the entire binary. Follow the breadcrumbs, they are sneaky with some of the encryption throughout the protocol...6 hours ago, cycy said:hi, can you give some hints for CH4, please? I've patched the M byte to make it run and I see it clones 4 copies. What should I do next?Are they really 4 exact copies of the binary?
Yesterday at 08:43 AM1 day Anyone available for ch9 tips?Do I need to understand the mathematical operations of the DLLs? Because each DLL does ALOT and there are 10000, so I was wonder whether I should even try.
Create an account or sign in to comment