{"id":415,"date":"2020-11-01T15:47:00","date_gmt":"2020-11-01T15:47:00","guid":{"rendered":"https:\/\/badbit.vc\/?p=415"},"modified":"2020-11-30T19:23:16","modified_gmt":"2020-11-30T19:23:16","slug":"flare-on-7","status":"publish","type":"post","link":"https:\/\/badbit.vc\/index.php\/2020\/11\/01\/flare-on-7\/","title":{"rendered":"Flare-On 7 | Challenge 1"},"content":{"rendered":"\n

This is my first entry for the Flare-On<\/a> challenge. For those who don’t know, Flare-On is a yearly binary based challenge series which is heavily focused on reverse engineering. It usually comprises of ~15 challenges with increasing difficulty level.<\/p>\n\n\n\n

This year, the event had 11 challenges. Due to the nicheness and the difficulty level of the topic, the competition sees comparatively lower participation than other traditional CTF-like events. This year, the total number of participants was 5648 and only 260<\/strong> could complete all the 11 challenges [source<\/a>]. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Due to time constraints, I was able to solve two challenges. Late to the game but following are the writeups for the same.<\/p>\n\n\n\n

\n\n\n\n

Challenge 1 – Fidler<\/h2>\n\n\n\n

Challenge description TLDR<\/em><\/strong> – Pygame based runnable exe. Win the game by any means to reveal the flag.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

After downloading and unzipping the 7z file from the challenge screen, we are presented with an executable file named fidler.exe, two .py files, a message.txt and two folders named fonts and img. The message.txt gave a brief description about the challenge.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Alright, we are supposed to win the game by any means. After taking a quick look in CFF explorer it was evident that it was a x64 PE file.<\/p>\n\n\n\n

Let us execute!<\/strong><\/p>\n\n\n\n

After executing the file – fidler.exe, we are presented with a window which asks us for a password. Trying to put a random string in the text bar doesn’t allow us to proceed further and throws an error screen.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Solution:<\/strong><\/p>\n\n\n\n

Taking a look at the source code under the file fidler.py to understand the program flow, it reveals that in the main function, password_screen() is called and if it returns true then the control is passed to game_screen() or else the control is passed to password_fail_screen().<\/p>\n\n\n\n

Alright, so we are supposed to somehow circumvent the password check here to pass the control to game_screen(). <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I could think of two options here:<\/p>\n\n\n\n

  1. Manipulate the else statement to pass the control to game_screen which means that even if password_screen() function returns false, the game_screen() function would execute which basically is equivalent to passing the control to normal execution even if an incorrect password is entered<\/li>
  2. Try finding out the password from within the program<\/li><\/ol>\n\n\n\n

    Even though the first option seemed easier, I didn’t want to download any dependencies to recompile the python code to convert it to a runnable exe and so I went with the second option.<\/p>\n\n\n\n

    Taking a closer look at password_screen() function, it was clear that the password_check() function was being called which simply returns true if the given user input is same as the key. To find out the key it was just a matter of printing the key.<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n
    \"\"<\/figure>\n\n\n\n

    As seen above, the key was – ghost<\/strong>. Now that we have the password for entering the game screen, let’s try to enter the obtained key and check out the game. Following is the game screen after entering the key.<\/p>\n\n\n\n

    \"\"<\/figure><\/div>\n\n\n\n

    Remember, the goal is to win by any way possible to reveal the flag. Let’s win!<\/p>\n\n\n\n

    As per the game’s rules presented in the game window, we are supposed to earn 100 Billion coins to win which will reveal the flag.
    Clicking the kitty once raises the coin count by one. Obviously, it’s not feasible to click the kitty a 100 Billion times. There was another way – “Buy autoclickers” which would subtract 10 coins from your earned coins and increase the counter at a rate of one coin per second.<\/p>\n\n\n\n

    Okay so we now know the game’s flow.<\/p>\n\n\n\n

    Solution:<\/strong>
    I could think of two possible ways to find the flag.<\/p>\n\n\n\n

    1. We manipulate the autoclicker logic and somehow increase the count of the coin count<\/li>
    2. Figure out how the flag is stored and displayed<\/li><\/ol>\n\n\n\n

      I chose the second way.<\/p>\n\n\n\n

      The goal is to make the game display the victory screen. Taking a look at the source given in the fidler.py file, we can see that the victory_screen() function is called if current_coins > (target_amount – 2^20). Also, the target amount is hardcoded to (2^36) + (2^35) which is equal to 103079215104.<\/p>\n\n\n\n

      \"\"<\/figure>\n\n\n\n

      So our current coin value should be more than 103079215104 – (2^20) in order to pass the control to victory_screen().
      Further, the code reduces 2^20 from current coins until they are >= (target_amount + 2^20) which ultimately boils down to a constant value irrespective of the variable current_coins as far as it satisifies the previous condition and that really doesn’t matter us.<\/p>\n\n\n\n

      Hence, the only mandatory requirement to pass the control to victory_screen() is to have the current_coins amount > (target_amount – 2^20) i.e. > 103078166528<\/strong><\/p>\n\n\n\n

      Therefore, our current_coin value should be any value greater than 103078166528 in order to pass the control to victory_screen() function.<\/p>\n\n\n\n

      Below is the re-written function that passed 103078166529 as our current_value and passed the control as it is to the existing flow of decode_flag() from the fidler.py file.
      On the window at right hand side, we can see two outputs just to confirm the flow.
      1. Where the current_coin value is greater than 103078166528
      2. Where the current_coin value is less than 103078166528<\/p>\n\n\n\n

      \"\"<\/figure>\n\n\n\n

      And there we have our flag! \ud83d\ude00
      With this one down, I was 1338th<\/em> in the participant pool to complete the challenge.<\/p>\n\n\n\n

      \"\"<\/figure>\n\n\n\n

      Since this was level one, it was a simple challenge just to get us going. Flare-On is notoriously known to tremendously increase the difficulty bar with every challenge which will be evident when we will dive into challenge two!<\/p>\n\n\n\n

      Write-Up for challenge two will be up soon. Stay tuned!<\/p>\n\n\n\n

      <\/p>\n","protected":false},"excerpt":{"rendered":"

      This is my first entry for the Flare-On challenge. For those who don’t know, Flare-On is a yearly binary based challenge series which is heavily focused on reverse engineering. It usually comprises of ~15 challenges with increasing difficulty level. This year, the event had 11 challenges. Due to the nicheness and the difficulty level of…<\/p>\n","protected":false},"author":1,"featured_media":418,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17],"tags":[15,13,16,14],"class_list":["post-415","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf-write-ups","tag-fireeye","tag-flareon7","tag-malwareanalysis","tag-reverseengineering"],"_links":{"self":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts\/415","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/comments?post=415"}],"version-history":[{"count":26,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts\/415\/revisions"}],"predecessor-version":[{"id":460,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts\/415\/revisions\/460"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/media\/418"}],"wp:attachment":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/media?parent=415"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/categories?post=415"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/tags?post=415"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}