Welcome to the Seventh Flare-On Challenge! This is a simple game. Win it by any means necessary and the victory screen will reveal the flag. Enter the flag here on this site to score and move on to the next level. This challenge is written in Python and is distributed as a runnable EXE and matching source code for your convenience. You can run the source code directly on any Python platform with PyGame if you would prefer. *7zip password: flare
One of our team members developed a Flare-On challenge but accidentally deleted it. We recovered it using extreme digital forensic techniques but it seems to be corrupted. We would fix it but we are too busy solving today’s most important information security threats affecting our global economy. You should be able to get it working again, reverse engineer it, and acquire the flag. *7zip password: flare
Solution
Running the garbage.exe from the challenge directly, Windows immediately throws an error in your face:
Checking the various PE header fields, nothing looks wrong, but checking the section headers reveals that this is a UPX-packed program, and that the size of the last section, .rsrc, is wrong. Given the challenge description, it is reasonable to infer that the data at that spot was lost; running xxd garbage.exe directly shows that the XML at the end of the file was truncated and is therefore never closed:
Be the wednesday. Unlike challenge 1, you probably won’t be able to beat this game the old fashioned way. Read the README.txt file, it is very important.
```python
def rigmarole(a):
    # Each 4-hex-char group encodes one character: first byte minus second byte.
    t = ''
    for i in range(0, len(a), 4):
        t += chr(int(a[i:i+2], 16) - int(a[i+2:i+4], 16))
    return t


def folderol():
    # The dot-separated blobs taken from the macro; decode each one with rigmarole().
    onzo = "9655B040B64667238524D15D6201.B95D4E01C55CC562C7557405A532D768C55FA12DD074DC697A06E172992CAF3F8A5C7306B7476B38.C555AC40A7469C234424.853FA85C470699477D3851249A4B9C4E.A855AF40B84695239D24895D2101D05CCA62BE5578055232D568C05F902DDC74D2697406D7724C2CA83FCF5C2606B547A73898246B4BC14E941F9121D464D263B947EB77D36E7F1B8254.853FA85C470699477D3851249A4B9C4E.9A55B240B84692239624.CC55A940B44690238B24CA5D7501CF5C9C62B15561056032C468D15F9C2DE374DD696206B572752C8C3FB25C3806.A8558540924668236724B15D2101AA5CC362C2556A055232AE68B15F7C2DC17489695D06DB729A2C723F8E5C65069747AA389324AE4BB34E921F9421.CB55A240B5469B23.AC559340A94695238D24CD5D75018A5CB062BA557905A932D768D15F982D.D074B6696F06D5729E2CAE3FCF5C7506AD47AC388024C14B7C4E8F1F8F21CB64".split(".")
    for idx, i in enumerate(onzo):
        print(idx, i)
        print(f"onzo[{idx}] = {rigmarole(i)}")


folderol()
```
Reading further down, we find that the macro decrypts a chunk of data and saves it as stomp.mp3. Writing a Python script that mimics its decryption, the audio file we get sounds nothing like a flag; however, notice that part of the data here is never used at all:
decrypt.py
```python
# "T" holds one long hex string; every 4 hex chars form one group.
f = open("./T", 'r').read().strip()
key = [0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee]

# First byte of each group, XORed with the repeating key, gives the mp3.
kuffle = bytes([(int(f[i:i+2], 16) ^ key[(i//4) % len(key)]) for i in range(0, 168667*4, 4)])
with open("stomp.mp3", 'wb') as z:
    z.write(kuffle)
```
The unused part is the other half of the data, plus a few strings: \Microsoft\v.png and FLARE-ON. If we extract that data and assume it starts with a PNG header, XORing gives NO-E, so we can guess straight away that the key is "FLARE-ON"[::-1] and write a script to solve it:
flag.py
```python
f = open("./T", 'r').read().strip()
key = b'FLARE-ON'[::-1]

# Second byte of each 4-hex-char group, XORed with the reversed "FLARE-ON" key.
kuffle = [int(f[i:i+2], 16) ^ key[((i-2)//4) % len(key)] for i in range(2, len(f), 4)]
with open("flag.png", 'wb') as z:
    z.write(bytes(kuffle))
```
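To show where the NO-E key fragment comes from, here is an added example (not part of the original writeup) that builds a small T-style hex string with a constructed key, recovers the key bytes by XORing the second stream against the known PNG signature, and decrypts with the result; it uses the full 8-byte signature, going a little beyond the 4 bytes the writeup needed. The file layout, helper names and sample data are assumptions.

```python
# Added example: known-plaintext recovery of a repeating XOR key, using the
# PNG signature as the known prefix. Sample data is constructed; the real "T"
# file from the challenge is not included.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # every PNG file begins with these 8 bytes


def build_t(mp3: bytes, png: bytes, png_key: bytes) -> str:
    """Construct a T-style hex string: each 4-hex-char group holds one mp3
    byte followed by one png byte XORed with a repeating key (assumed layout)."""
    assert len(mp3) == len(png)
    groups = []
    for i, (m, p) in enumerate(zip(mp3, png)):
        groups.append(f"{m:02X}{(p ^ png_key[i % len(png_key)]):02X}")
    return "".join(groups)


def second_stream(t: str) -> bytes:
    """The bytes flag.py works on: the last two hex chars of every group."""
    return bytes(int(t[i:i+2], 16) for i in range(2, len(t), 4))


def recover_key_fragment(t: str, known_prefix: bytes = PNG_MAGIC) -> bytes:
    """Ciphertext XOR expected plaintext yields the key bytes covering the
    known prefix; with a repeating key, a short fragment is often enough."""
    ct = second_stream(t)
    return bytes(c ^ k for c, k in zip(ct[:len(known_prefix)], known_prefix))


def xor_decrypt(t: str, key: bytes) -> bytes:
    """Decrypt the second stream with a repeating XOR key."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(second_stream(t)))


if __name__ == "__main__":
    png = PNG_MAGIC + b"\x00\x00\x00\rIHDR"   # constructed 16-byte PNG prefix
    mp3 = b"ID3" + bytes(13)                  # constructed 16-byte mp3 prefix
    t = build_t(mp3, png, b"FLARE-ON"[::-1])
    frag = recover_key_fragment(t)
    print(frag)                               # b'NO-ERALF'
    print(xor_decrypt(t, frag) == png)        # True
```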
And with that we get the flag image:
5 - TKApp
Description
Now you can play Flare-On on your watch! As long as you still have an arm left to put a watch on, or emulate the watch’s operating system with sophisticated developer tools.
```
ExifLib.Standard.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
TKApp.dll: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Tizen.Wearable.CircularUI.Forms.Renderer.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Tizen.Wearable.CircularUI.Forms.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Xamarin.Forms.Core.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Xamarin.Forms.Platform.Tizen.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Xamarin.Forms.Platform.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Xamarin.Forms.Xaml.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
```
```python
from Crypto.Cipher import AES
from hashlib import sha256
from base64 import b64decode

IV = b'NoSaltOfTheEarth'
key = b'the kind of challenges we are gonna make here'
cipher = open("Runtime.dll", 'rb').read()

# AES-256-CBC with the SHA-256 of the passphrase as the key; the plaintext is base64.
decryptor = AES.new(sha256(key).digest(), AES.MODE_CBC, iv=IV)
f = decryptor.decrypt(cipher)
with open("flag.png", 'wb') as flag:
    flag.write(b64decode(f))
```
6 - codeit
Description
Reverse engineer this little compiled script to figure out what you need to do to make it give you the flag (as a QR code).