Flareon2018 [1-3]

Baby first!

Problem 1 Minesweeper Championship Registration

JD-GUI

// Decompiled with JD-GUI: the invitation code is compared against a string
// literal stored in the class file, so the expected value is readable by
// anyone who opens the JAR in a decompiler. A check like this gives no
// protection for a secret; validation of that kind belongs on a server.
if (!response.equals("GoldenTicket2018@flare-on.com")) {
    // Wrong code: error-style dialog (ERROR_MESSAGE == 0).
    JOptionPane.showMessageDialog(null, "Incorrect invitation code. Please try again next year.", "Failure", JOptionPane.ERROR_MESSAGE);
} else {
    // Correct code: plain dialog (PLAIN_MESSAGE == -1) that echoes the input back.
    JOptionPane.showMessageDialog(null, "Welcome to the Minesweeper Championship 2018!\nPlease enter the following code to the ctfd.flare-on.com website to compete:\n\n" + response, "Success!", JOptionPane.PLAIN_MESSAGE);
}

-> GoldenTicket2018@flare-on.com

Problem 2 Ultimate Minesweeper

dnSpy -> Three points

Decryption:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace test
{
    /// <summary>
    /// Stand-alone harness around the key routine from the write-up (obtained
    /// with dnSpy, per the text above). It replays the routine offline for a
    /// handful of candidate inputs instead of playing the game.
    /// </summary>
    class Program
    {
        /// <summary>
        /// Derives the 32-character string from three numeric inputs.
        /// </summary>
        /// <remarks>
        /// The three inputs are packed into one integer (shifted by 20, 10 and 0
        /// bits) and used as the seed of <see cref="Random"/>. The first 32 bytes
        /// that generator produces are XORed over a constant 32-byte table and
        /// the result is decoded as ASCII.
        /// System.Random is not a cryptographic generator, and a seed built from
        /// three small values leaves very few possible keystreams, so a value
        /// hidden this way can be recovered by simple enumeration.
        /// </remarks>
        /// <param name="guess1">Value placed in the highest field of the seed.</param>
        /// <param name="guess2">Value placed in the middle field of the seed.</param>
        /// <param name="guess3">Value placed in the lowest field of the seed.</param>
        /// <returns>The XOR result decoded with <see cref="Encoding.ASCII"/>.</returns>
        public static string GetKey(uint guess1, uint guess2, uint guess3)
        {
            // The original listing carries a commented-out "revealedCells.Sort()"
            // here; this port uses the values in the order the caller passes them.
            int seed = Convert.ToInt32(guess1 << 20 | guess2 << 10 | guess3);
            Random generator = new Random(seed);

            // Constant table that the keystream is XORed over.
            byte[] cipher = new byte[]
            {
                245, 75, 65, 142, 68, 71, 100, 185,
                74, 127, 62, 130, 231, 129, 254, 243,
                28, 58, 103, 179, 60, 91, 195, 215,
                102, 145, 154, 27, 57, 231, 241, 86
            };

            byte[] keystream = new byte[32];
            generator.NextBytes(keystream);

            for (int index = 0; index < cipher.Length; index++)
            {
                cipher[index] ^= keystream[index];
            }

            return Encoding.ASCII.GetString(cipher);
        }

        /// <summary>
        /// Prints <paramref name="a"/> (after a "Flaggy!" banner) and waits for
        /// Enter, but only when every character is in the printable range
        /// 32..126. Main in this listing does not call it.
        /// </summary>
        /// <param name="a">Candidate string to inspect.</param>
        static void check_flag(string a)
        {
            foreach (char symbol in a)
            {
                bool printable = symbol >= 32 && symbol <= 126;
                if (!printable)
                {
                    // One character outside the printable range rejects the candidate.
                    return;
                }
            }

            Console.WriteLine("Flaggy!");
            Console.WriteLine(a);
            Console.ReadLine();
        }

        /// <summary>
        /// Prints GetKey for all 27 ordered combinations of the three candidate
        /// values, then waits for Enter so the console window stays open.
        /// </summary>
        static void Main(string[] args)
        {
            // Each candidate is written as a * 30 + b; presumably a cell
            // coordinate pair flattened to one index (verify against the board).
            uint[] candidates = { 20 * 30 + 7, 7 * 30 + 28, 28 * 30 + 24 };

            foreach (uint first in candidates)
            {
                foreach (uint second in candidates)
                {
                    foreach (uint third in candidates)
                    {
                        Console.WriteLine(GetKey(first, second, third));
                    }
                }
            }

            Console.ReadLine();
        }
    }
}

Problem 3 FLEGGO

Of course, there are other ways to solve this problem in seconds. This script is just a warm-up :)

from pwn import *
import os

# Module-level placeholder. decrypt_string and decrypt_res below each assign
# their own local `buf`, so neither of them reads this global.
buf = ""

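def decrypt_string(file_path):
    """Recover two XOR-obfuscated strings from one FLEGGO sample.

    The sample is only read and parsed here; nothing in this function runs it.

    Layout used (all offsets are taken from the original script):
      * a region starting at file offset 0x2A00 (presumably the embedded
        resource -- confirm against the PE layout);
      * 32 bytes at region offset 0xD0, XORed with 0x85, of which every other
        decoded character is kept (presumably the low bytes of a UTF-16LE
        string) and the last four kept characters are dropped;
      * the byte at region offset 0xF0, XORed with 0x1A.

    Args:
        file_path: path of the sample, e.g. '1BpnGjHOT7h5vvZsV4vISSb60Xj3pX5G.exe'.

    Returns:
        (word, image_name): `word` is the single decoded character from
        offset 0xF0, `image_name` the decoded name string.

    Raises:
        IndexError: if the file is too short to contain offset 0xF0 of the region.
    """
    # Binary mode: the sample is an executable, and text mode would translate
    # or truncate bytes on Windows and fail to decode them on Python 3.
    with open(file_path, 'rb') as f:
        buf = bytearray(f.read())

    res = buf[0x2A00:0x2A00 + 0x8150]

    decoded = [chr(b ^ 0x85) for b in res[0xD0:0xD0 + 32]]
    image_name = ''.join(decoded[::2])[:-4]
    print(image_name)

    # Only the first decoded character was used by the original script.
    word = chr(res[0xF0] ^ 0x1A)
    return word, image_name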

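def _safe_name_part(text):
    """Return `text` with every character outside [A-Za-z0-9._-] replaced by '_'."""
    allowed = ('ABCDEFGHIJKLMNOPQRSTUVWXYZ'
               'abcdefghijklmnopqrstuvwxyz'
               '0123456789._-')
    return ''.join(c if c in allowed else '_' for c in text)


def decrypt_res(file_path, word, image_name):
    """Decrypt the RC4-protected payload of one FLEGGO sample and save it as a PNG.

    The sample is only read and parsed here; nothing in this function runs it.

    Layout used (all offsets are taken from the original script):
      * key: two-byte characters starting at file offset 0x2AB0, terminated by
        a character whose low byte is zero;
      * payload length: little-endian 16-bit value at 0x2AFC (the original
        script notes 0x47ed for one sample);
      * encrypted payload: everything from 0x2B00 onward.

    Args:
        file_path: path of the sample to read.
        word: string used as the first part of the output file name.
        image_name: string used as the second part of the output file name.

    Side effects:
        Prints the first 0x400 characters of a hexdump of the decrypted data
        and writes '<word>@<image_name>.png' to the current directory.

    Raises:
        ValueError: if the key at 0x2AB0 is empty.
        IndexError: if the file is shorter than the offsets above require.
    """
    # Binary mode: the sample is an executable, and text mode would translate
    # or truncate bytes on Windows and fail to decode them on Python 3.
    with open(file_path, 'rb') as f:
        buf = bytearray(f.read())

    res = buf[0x2AB0:0x2AB0 + 0x8150]

    # Key length in characters: step over two-byte characters until a zero low byte.
    i = 0
    while res[i] != 0:
        i += 2
    key1 = i >> 1
    if key1 == 0:
        raise ValueError('empty key at offset 0x2AB0 in %r' % (file_path,))

    # Key scheduling over a 256-entry state table.
    sbox = list(range(0x100))
    k = 0
    for j in range(0x100):
        # Combines both bytes of the key character exactly as the original
        # script did (second byte shifted left by 1, then added).
        t = (res[2 * (j % key1) + 1] << 1) + res[2 * (j % key1)]
        k = (sbox[j] + k + t) % 0x100
        sbox[j], sbox[k] = sbox[k], sbox[j]

    length = (buf[0x2AFD] << 8) + buf[0x2AFC]
    to_write = buf[0x2B00:]

    # Keystream generation and XOR.
    # NOTE(review): like the original loop (`while length >= 0`), this processes
    # length + 1 bytes -- confirm against the binary whether that is intended.
    plain = bytearray()
    i = 0
    prev = 0
    for f in range(length + 1):
        i = (i + 1) % 256
        k = (prev + sbox[i]) % 256
        sbox[i], sbox[k] = sbox[k], sbox[i]
        plain.append(sbox[(sbox[i] + sbox[k]) & 0xFF] ^ to_write[f])
        prev = k

    print(hexdump(bytes(plain))[:0x400])

    # Both name parts come out of the sample itself. Restrict them to a safe
    # character set so a crafted sample cannot steer the write to another
    # directory through path separators.
    out_name = _safe_name_part(word) + '@' + _safe_name_part(image_name) + '.png'
    with open(out_name, 'wb') as out:
        out.write(bytes(plain))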


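# Process every .exe in the FLEGGO directory: decode its strings, then decrypt
# and save its embedded image. The samples are opened and parsed as data only;
# this loop never runs them.
for filename in os.listdir('FLEGGO'):
    if not filename.endswith('.exe'):
        continue
    # Single-argument print() behaves the same on Python 2 and Python 3.
    print(filename)
    file_path = os.path.join('FLEGGO', filename)
    word, image_name = decrypt_string(file_path)
    decrypt_res(file_path, word, image_name)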

-> mor3_awes0m3_th4n_an_awes0me_p0ssum@flare-on.com