Tuesday, September 7, 2021

Flare-On 2021 & Flare-On 2020 Challenge 1

My colleague said he saw that the Flare-On Challenge was coming up soon.  I've attempted a couple challenges here or there for this one in past years, but haven't really given it much of an attempt.  I wouldn't say I'm the best at reverse engineering.  I've tinkered with a couple things, but not really deep dived into it.  Here's the link:  https://www.fireeye.com/blog/threat-research/2021/08/announcing-the-eighth-annual-flare-on-challenge.html.

Today, I saw that Flare-On had some challenges from last year and solved the first one in about 10 minutes.  It was easy to me.  I remember a couple short years ago, this would be a challenge.  I didn't read any write-ups, and I don't recommend doing so unless you get stuck.  Try them, then read write-ups.  You might surprise yourself.

Flare-On 2020 - Challenge 1

Welcome to the Seventh Flare-On Challenge!

This is a simple game. Win it by any means necessary and the victory screen will reveal the flag. Enter the flag here on this site to score and move on to the next level.

This challenge is written in Python and is distributed as a runnable EXE and matching source code for your convenience. You can run the source code directly on any Python platform with PyGame if you would prefer.

I didn't run the game at all.  I went straight to the source code and found this function:

def decode_flag(frob):
    last_value = frob
    encoded_flag = [1135, 1038, 1126, 1028, 1117, 1071, 1094, 1077, 1121, 1087, 1110, 1092, 1072,
                    1095, 1090, 1027, 1127, 1040, 1137, 1030, 1127, 1099, 1062, 1101, 1123, 1027, 1136, 1054]

    decoded_flag = []
    for i in range(len(encoded_flag)):
        c = encoded_flag[i]
        val = (c - ((i%2)*1 + (i%3)*2)) ^ last_value
        decoded_flag.append(val)
        last_value = c
    return ''.join([chr(x) for x in decoded_flag])

Noticed that all the characters were just encoded as numbers and that they were all four digits.  So I made it guess some.

def decode_flag(frob):
    last_value = frob
    encoded_flag = [1135, 1038, 1126, 1028, 1117, 1071, 1094, 1077, 1121, 1087, 1110, 1092, 1072,
                    1095, 1090, 1027, 1127, 1040, 1137, 1030, 1127, 1099, 1062, 1101, 1123, 1027, 1136, 1054]
    decoded_flag = []
    for i in range(len(encoded_flag)):
        c = encoded_flag[i]
        val = (c - ((i%2)*1 + (i%3)*2)) ^ last_value
        decoded_flag.append(val)
        last_value = c
    return ''.join([chr(x) for x in decoded_flag])

# Try every candidate starting value and print what the flag decodes to.
for last_value in range(1025, 1200):
    print(last_value)
    print(decode_flag(last_value))

The token that is sent by the game for the value of last_value is 1030.  The first flag is idle_with_kitty@flare-on.com.
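Why guessing works so quickly here, as an added example that is not part of the original post or the challenge source: after the first character, each value is XORed with the previous encoded number rather than with the key, so only the first character depends on last_value. The helper names offset, decode_tail and candidate_keys are made up for this sketch.

```python
import string

# Encoded flag values copied from the challenge's decode_flag() shown above.
ENCODED_FLAG = [1135, 1038, 1126, 1028, 1117, 1071, 1094, 1077, 1121, 1087,
                1110, 1092, 1072, 1095, 1090, 1027, 1127, 1040, 1137, 1030,
                1127, 1099, 1062, 1101, 1123, 1027, 1136, 1054]


def offset(i):
    """Per-position value subtracted before the XOR, as in decode_flag()."""
    return (i % 2) * 1 + (i % 3) * 2


def decode_tail(encoded):
    """Decode characters 1..n-1. Each one is XORed with the previous
    *encoded* value, so none of them depend on the starting key (frob)."""
    return "".join(chr((encoded[i] - offset(i)) ^ encoded[i - 1])
                   for i in range(1, len(encoded)))


def candidate_keys(encoded, alphabet=string.ascii_lowercase):
    """Map each plausible first character to the key that would produce it.
    offset(0) is 0, so first_char = encoded[0] ^ key."""
    return {ch: encoded[0] ^ ord(ch) for ch in alphabet}


if __name__ == "__main__":
    tail = decode_tail(ENCODED_FLAG)
    # One line per lowercase first letter: the key, then the decoded flag.
    for ch, key in sorted(candidate_keys(ENCODED_FLAG).items()):
        print(key, ch + tail)
```

Because the key only selects the first letter, 26 candidates cover every lowercase possibility, and the readable one corresponds to the token value the game sends.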

I can see the next challenge is packed.  I haven't really messed with a packer that I can remember.  Looks like UPX.  I'll give it a shot.
