nahamcon22.md
No OneTemporary
Actions

Size

7 KB

Subscribers

None

nahamcon22.md
View Options

	### babyrev

	main problem about this chall is that the second check after name check for `bossbaby` is in a function that manually stack allocs

	so i spent like a good 30 mins reversing the alloc part without realizing thats completely unrelated to the challenge lmfao

	the real computation is in `0x1209` - which IDA seems to have trouble matching since it think `0x1208` is a valid function so i had to undefine and define again to check

	then after that its just copying from the decompilation and stitching into a solve script

	speaking of which:
	```c
	#include <stdio.h>
	#include <stdlib.h>

	int main()
	{
	int dword_4020[] = {0x66, 0x0D9, 0x188, 0x341, 0x7C0, 0x6F9, 0x18A4, 0x95, 0x10A,
	0x1D5, 0x37C, 0x3A9, 0x7B0, 0x1969, 0x127, 0x1A3, 0x1C4, 0x2B9,
	0x754, 0x889, 0x0F50, 0x1F0, 0x254, 0x2D9, 0x558, 0x571, 0x924,
	0x1019, 0x342, 0x3AD, 0x508, 0x6E9, 0x0A30, 0x10E1, 0x1284,
	0x500, 0x5D2, 0x74D};

	char flag[38];

	long ptr = (long) malloc(38*4);

	for(int i = 0; i < 38; i++) {

	for(char c = 32; c < 127; c++) {

	(int )(4 * i + ptr) = (c << ((char)i % 7)) + i * i; //from sub_1209, after fixing offset

	if ( dword_4020[i] == (int )(ptr + 4 * i) ) //from sub_12AD comparison
	flag[i] = c;

	}
	}

	printf("%s\n", flag);
	return 0;
	}
	```

	### a wild ride

	another gpx problem eyy (maplectf nostalgia alr at this point kekw)

	this time we have to deal with gpx in a encrypted zip instead of fishing out from pcap though, but the zip uses zipcrypto which is really weak

	so https://github.com/kimci86/bkcrack to the rescue using xml header as plaintext for the attack

	and after 5 secs we got the password `crackme` lmao wouldve got it using hashcat anyway

	then its just merging the gpx and using the same gpx visualizing site i used in maplectf (https://www.gpsvisualizer.com/) to get the flag lmao (had to squint at the handwriting tho lmfao)

	merge script:
	```py
	import os

	all = ['<?xml version="1.0" encoding="UTF-8"?>\n',
	'<gpx xmlns="http://www.topografix.com/GPX/1/1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.topografix.com/GPX/1/1 http://www.topografix.com/GPX/1/1/gpx.xsd" version="1.1" creator="gpx.py -- https://github.com/tkrajina/gpxpy">\n',
	#' <trk>\n'
	]

	for f in os.listdir('.'):
	if '.gpx' in f:
	with open(f, 'r') as gpx:
	all += gpx.readlines()[2:-1]

	all += [
	#' </trk>\n',
	'</gpx>\n']

	with open('merged.gpx', 'w') as merge:
	merge.writelines(all)
	```

	### usb drive

	shortcut .lnk file, hidden tinyurl.com url

	for some reason its inyurl.com though but its trivial to guess its tinyurl

	leads us to a google drive, looks like base64 encoded but nope

	then [@Robert](https://maplebacon.org/authors/Nneonneo/) came in and said its base32 coz of the `===` and full uppercase and dang it actually is base32 lmao

	turns out to be a PE dll that prints the flag, but i dont wanna risk running it so i just rewrote the program with decompiled code:
	```c
	#include <stdio.h>
	#include <stdint.h>

	int main()
	{
	char Text[50];

	char byte_100020C0[] = { 0xD3, 0, 0, 0, 0xE9, 0, 0, 0, 0xF0, 0, 0, 0, 0x0B,
	0, 0, 0, 0x98, 0, 0, 0, 0x56, 0, 0, 0, 0x8A, 0, 0, 0,
	0x16, 0, 0, 0, 0xFE, 0, 0, 0, 0x6E, 0, 0, 0, 0xBB,
	0, 0, 0, 0x22, 0, 0, 0, 0x0C, 0, 0, 0, 0x20, 0, 0, 0,
	0x94, 0, 0, 0, 0x38, 0, 0, 0, 0x35, 0, 0, 0, 0x10, 0, 0, 0,
	0xF7, 0, 0, 0, 0x5D, 0, 0, 0, 0xA8, 0, 0, 0, 0xD9,
	0, 0, 0, 0x91, 0, 0, 0, 0x6D, 0, 0, 0, 0x28, 0, 0, 0,
	8, 0, 0, 0, 0x69, 0, 0, 0, 0x9B, 0, 0, 0, 0xAB, 0, 0, 0,
	0x16, 0, 0, 0, 0x64, 0, 0, 0, 0xA4, 0, 0, 0, 0x4B, 0, 0, 0,
	0x6E, 0, 0, 0, 0x0C, 0, 0, 0, 0xA8, 0, 0, 0, 0xD2,
	0, 0, 0, 0xFC, 0, 0, 0, 0xA6, 0, 0, 0, 0xBD, 0, 0, 0,
	0x84, 0, 0, 0, 0xC6, 0, 0, 0, 0xBD, 0, 0, 0, 0xBF,
	0, 0, 0, 0xC7, 0, 0, 0, 5, 0, 0, 0, 0xE6, 0, 0, 0,
	0xC0, 0, 0, 0, 0x9C, 0, 0, 0, 0x75, 0, 0, 0, 7, 0, 0, 0,
	0xC6, 0, 0, 0, 0x3A, 0, 0, 0, 0x33, 0, 0, 0, 0x7C, 0, 0, 0,
	0xD5, 0, 0, 0, 0xE2, 0, 0, 0, 0xAA, 0, 0, 0, 0xDC,
	0, 0, 0, 0xD8, 0, 0, 0, 0xB3, 0, 0, 0, 0xCB, 0, 0, 0,
	0x92, 0, 0, 0, 0xDE, 0, 0, 0, 8, 0, 0, 0, 0x0B, 0, 0, 0,
	0x4B, 0, 0, 0, 0xE6, 0, 0, 0, 0xA1, 0, 0, 0, 0x64,
	0, 0, 0, 0xDF, 0, 0, 0, 0xF5, 0, 0, 0};

	__int128 v3[10];
	__int128 v6[10];

	int v3p[] = {51, 38};
	int v6p[] = {87, 91};

	v3[0] = (__int128 )&byte_100020C0[160];
	v3[1] = (__int128 )&byte_100020C0[80];
	v3[2] = (__int128 )&byte_100020C0[256];
	v3[3] = (__int128 )&byte_100020C0[240];
	v3[4] = (__int128 )&byte_100020C0[272];
	v3[5] = (__int128 )&byte_100020C0[192];
	v3[6] = (__int128 )&byte_100020C0[64];
	v3[7] = (__int128 )&byte_100020C0[16];
	v3[8] = (__int128 )&byte_100020C0[96];
	v3[9] = (__int128 )v3p;
	v6[0] = (__int128 )&byte_100020C0[224];
	v6[1] = (__int128 )&byte_100020C0[0];
	v6[2] = (__int128 )&byte_100020C0[208];
	v6[3] = (__int128 )&byte_100020C0[144];
	v6[4] = (__int128 )&byte_100020C0[176];
	v6[5] = (__int128 )&byte_100020C0[112];
	v6[6] = (__int128 )&byte_100020C0[48];
	v6[7] = (__int128 )&byte_100020C0[32];
	v6[8] = (__int128 )&byte_100020C0[128];
	v6[9] = (__int128 )v6p;

	int v1 = 0;
	do
	{
	Text[v1] = ((char )v3 + 4 * v1) ^ ((char )v6 + 4 * v1);
	Text[v1 + 1] = ((char )v3 + 4 * v1 + 4) ^ ((char )v6 + 4 * v1 + 4);
	v1 += 2;
	}
	while ( v1 < 0x26 );
	printf("%s\n", Text);
	}
	```

	### free nitro

	eyy a open source:tm: C# exe love it (edit: turns out it actually is open source LMFAO https://github.com/qwqdanchun/DcRat)

	not much obfuscation, `cry` is the main class we wanna look at - other stuff just does the unpacking and loading

	from there we can see that they use xml-like format to store hex encoded strings as the payload and plain numbers for the password - libarr is decrypted by xoring with pass1, and filearr is decrypted by xoring pass2

	yields us a gzipped payload, which we can unzip and find another C# exe which is the RAT itself

	funnily enough the salt used for their encryption is `DcRatByqwqdanchun`, which we can search online and find that its actually an active malware and has tools for decrypting their settings data https://github.com/jeFF0Falltrades/Tutorials/blob/master/asyncrat_config_parser (even tho its trivial to copy code from their encryption class to decrypt it ourselves but eyy saves us time)

	run that and we get the flag "hidden" in the settings lol

	also "REMOVED FOR SAFETY" thanks organizers

	### brain melt

	open in IDA, we see `_MEIPASS2` - searching up shows that this is a pyinstaller

	find tool for unpacking pyinstaller (https://github.com/extremecoders-re/pyinstxtractor), and we get a ton of pyc files

	decompyle3 and uncompyle6 doesnt work since its python 3.9, but pycdc worked (partially - reraise is not implemented, so i spent 30 mins reversing it before realizing the flag was already visible in the portion that was decompiled lmao but hey i did make the whole file decompiled at the end)

	run `deobfuscate` after extracting both `deobfuscate` and `decrypt` out from the py file and we obtain the flag

File Metadata

Mime Type: text/x-c
Expires: Mon, Aug 4, 9:21 PM (20 h, 13 m)
Storage Engine: local-disk
Storage Format: Raw Data
Storage Handle: 5e/6f/ec2894ce8d1544a61b53c4375aa1

nahamcon22.mdNo OneTemporaryActions

nahamcon22.mdView Options

File Metadata

Event Timeline

nahamcon22.md
No OneTemporary
Actions

nahamcon22.md
View Options