Hacker-Blog A Jekyll Blog Theme For Hackers https://moshedo.github.io SomeHacker someone@somewebsite.somedomain https://ashishchaudhary.in/hacker-blog bsidestlv <h2 id="dungeon">Dungeon</h2> <p><strong>Name:</strong> <em>Dungeon</em> <br /> <strong>Description:</strong> Enter the Dungeon to find the Pixelated Flag! It has been broken to 3 pieces, can you find them all? <br /> <strong>Category:</strong> Reverse Engineering</p> <p><strong>Author: Liam Troper</strong></p> <p>This one was quite defecault but after amount of time &amp; effort I finally did that.</p> <p>when unzipping the challenge a huge amount of code is revealed it was pretty large and I even didn’t know were to start while there is a readme in this folder which showed a title and a link to a site</p> <p><strong>Shattered Pixel Dungeon</strong> and the link <a href="https://shatteredpixel.com/shatteredpd/">Shattered Pixel Dungeon</a> so I enter to the site and downloaded the code from GitHub.</p> <p>thinking of this as a patch analysis so <code class="language-plaintext highlighter-rouge">diff</code> command for the rescue</p> <div class="language-zsh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>➜ Dungeon git:<span class="o">(</span>master<span class="o">)</span> ✗ diff <span class="nt">-r</span> shattered-pixel-dungeon differ Only <span class="k">in </span>shattered-pixel-dungeon: .git Only <span class="k">in </span>differ: .gradle Only <span class="k">in </span>differ: .idea Only <span class="k">in </span>differ: ClickMeToPlay.jar Only <span class="k">in </span>differ: ClickMeToPlay.jar.cache Only <span class="k">in </span>differ/SPD-classes: build diff <span class="nt">--color</span> <span class="nt">-r</span> shattered-pixel-dungeon/build.gradle differ/build.gradle 16,17c16,17 &lt; appName <span class="o">=</span> <span class="s1">'Shattered Pixel Dungeon'</span> &lt; appPackageName <span class="o">=</span> <span class="s1">'com.shatteredpixel.shatteredpixeldungeon'</span> <span class="nt">---</span> <span class="o">&gt;</span> appName <span class="o">=</span> <span class="s1">'BSides Shattered Pixel Dungeon'</span> <span class="o">&gt;</span> appPackageName <span class="o">=</span> <span class="s1">'com.bsides.bsidesshatteredpixeldungeon'</span> Only <span class="k">in </span>differ/core: .gradle Only <span class="k">in </span>differ/core: build diff <span class="nt">--color</span> <span class="nt">-r</span> shattered-pixel-dungeon/core/src/main/assets/messages/journal/journal.properties differ/core/src/main/assets/messages/journal/journal.properties 8,9c8,9 &lt; journal.document.adventurers_guide.identifying.title<span class="o">=</span>Identifying Items &lt; journal.document.adventurers_guide.identifying.body<span class="o">=</span>You won<span class="s1">'t know all of the properties of some items when you first find them.\n\nThe colors of potions and symbols on scrolls are different in each dungeon. Unidentified equipment can be upgraded or enchanted if you'</span>re lucky, or it might be cursed!<span class="se">\n\n</span>Scrolls of identify, upgrade, or remove curse are very useful <span class="k">if </span>you want to reduce the risk of using unidentified equipment.<span class="se">\n\n</span><span class="o">(</span>You can find a list of all the items you<span class="s1">'ve identified in the items tab of your journal) --- &gt; journal.document.adventurers_guide.identifying.title=Identifying Items And Flags (BSides Edition) &gt; journal.document.adventurers_guide.identifying.body=You won'</span>t know all of the properties of some items when you first find them.<span class="se">\n\n</span>The colors of potions and symbols on scrolls are different <span class="k">in </span>each dungeon. Unidentified equipment can be upgraded or enchanted <span class="k">if </span>you<span class="s1">'re lucky, or it might be cursed!\n\nScrolls of identify, upgrade, or remove curse are very useful if you want to reduce the risk of using unidentified equipment.\n\n(You can find a list of all the items you'</span>ve identified <span class="k">in </span>the items tab of your journal<span class="o">)</span><span class="se">\n\n</span><span class="o">(</span>H30n<span class="o">)</span> Binary files shattered-pixel-dungeon/core/src/main/assets/sprites/items.png and differ/core/src/main/assets/sprites/items.png differ diff <span class="nt">--color</span> <span class="nt">-r</span> shattered-pixel-dungeon/core/src/main/java/com/shatteredpixel/shatteredpixeldungeon/Dungeon.java differ/core/src/main/java/com/shatteredpixel/shatteredpixeldungeon/Dungeon.java 220c220,246 &lt; <span class="nt">---</span> <span class="o">&gt;</span> <span class="o">&gt;</span> <span class="o">&gt;</span> public static String customDecrypt<span class="o">(</span>char[] encText, String key<span class="o">)</span> <span class="o">{</span> <span class="o">&gt;</span> StringBuilder result <span class="o">=</span> new StringBuilder<span class="o">()</span><span class="p">;</span> <span class="o">&gt;</span> int keyIndex <span class="o">=</span> 0<span class="p">;</span> <span class="o">&gt;</span> int keyLength <span class="o">=</span> key.length<span class="o">()</span><span class="p">;</span> <span class="o">&gt;</span> <span class="o">&gt;</span> <span class="k">for</span> <span class="o">(</span>int i <span class="o">=</span> 0<span class="p">;</span> i &lt; encText.length<span class="p">;</span> i++<span class="o">)</span> <span class="o">{</span> <span class="o">&gt;</span> char encChar <span class="o">=</span> encText[i]<span class="p">;</span> <span class="o">&gt;</span> int k <span class="o">=</span> key.charAt<span class="o">(</span>keyIndex<span class="o">)</span><span class="p">;</span> <span class="o">&gt;</span> char decChar <span class="o">=</span> <span class="o">(</span>char<span class="o">)</span> <span class="o">(((</span>encChar - i<span class="o">)</span> ^ k<span class="o">)</span> - i % 256<span class="o">)</span><span class="p">;</span> <span class="o">&gt;</span> result.append<span class="o">(</span>decChar<span class="o">)</span><span class="p">;</span> <span class="o">&gt;</span> keyIndex <span class="o">=</span> <span class="o">(</span>keyIndex + 1<span class="o">)</span> % keyLength<span class="p">;</span> <span class="o">&gt;</span> <span class="o">}</span> <span class="o">&gt;</span> <span class="o">&gt;</span> <span class="k">return </span>result.toString<span class="o">()</span><span class="p">;</span> <span class="o">&gt;</span> <span class="o">}</span> <span class="o">&gt;</span> <span class="o">&gt;</span> public static void main<span class="o">(</span>String[] args<span class="o">)</span> <span class="o">{</span> <span class="o">&gt;</span> char[] encText <span class="o">=</span> <span class="o">{</span><span class="s1">'3'</span>, <span class="s1">''</span>, <span class="s1">'*'</span>, <span class="s1">'b'</span>, <span class="s1">'/'</span>, <span class="s1">'K'</span>, <span class="s1">'h'</span>, <span class="s1">'\\'</span>, <span class="s1">'Ñ'</span>, <span class="s1">'b'</span>, <span class="s1">')'</span>, <span class="s1">'b'</span>, <span class="s1">'8'</span>, <span class="s1">'S'</span>, <span class="s1">'/'</span>, <span class="s1">''</span><span class="o">}</span><span class="p">;</span> <span class="o">&gt;</span> String ky <span class="o">=</span> <span class="s2">"items + journal + key"</span><span class="p">;</span> <span class="o">&gt;</span> <span class="o">&gt;</span> String decryptedText <span class="o">=</span> customDecrypt<span class="o">(</span>encText, ky<span class="o">)</span><span class="p">;</span> <span class="o">&gt;</span> System.out.println<span class="o">(</span><span class="s2">"Decrypted: "</span> + decryptedText<span class="o">)</span><span class="p">;</span> <span class="o">&gt;</span> <span class="o">}</span> <span class="o">&gt;</span> <span class="o">&gt;</span> diff <span class="nt">--color</span> <span class="nt">-r</span> shattered-pixel-dungeon/core/src/main/java/com/shatteredpixel/shatteredpixeldungeon/items/keys/SkeletonKey.java differ/core/src/main/java/com/shatteredpixel/shatteredpixeldungeon/items/keys/SkeletonKey.java 36c36,38 &lt; <span class="nt">---</span> <span class="o">&gt;</span> <span class="o">&gt;</span> private static String k3 <span class="o">=</span> <span class="s2">"U1ci"</span><span class="p">;</span> <span class="o">&gt;</span> Only <span class="k">in </span>differ/desktop: .gradle Only <span class="k">in </span>differ/desktop: build Only <span class="k">in </span>differ/ios: robovm.properties Only <span class="k">in </span>differ: local.properties Only <span class="k">in </span>differ/services: build Only <span class="k">in </span>differ/services/news/shatteredNews: build Only <span class="k">in </span>differ/services/updates/githubUpdates: build </code></pre></div></div> <p>There is a decrypt function <code class="language-plaintext highlighter-rouge">customDecrypt(char[] encText, String key)</code> while running it in a java env with <code class="language-plaintext highlighter-rouge">String ky = "items + journal + key";</code> we get Gibberish</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Decrypted: ZpK/TaCn?-`6?B </code></pre></div></div> <p>So sure this isn’t correct checking <code class="language-plaintext highlighter-rouge">items.png</code> in HexDump didn’t reveal much but sure it has some changes after checking carefully the differences between both images we found the change</p> <p><img src="https://raw.githubusercontent.com/mosheDO/mosheH4x0r/master/assets/2024-06-26/2024-06-26-125211.png" alt="" /></p> <p>so we can see <code class="language-plaintext highlighter-rouge">P4N7</code> but the image is called <code class="language-plaintext highlighter-rouge">items.png</code> and the key is <code class="language-plaintext highlighter-rouge">String ky = "items + journal + key";</code> so we got items now we need <code class="language-plaintext highlighter-rouge">journal</code> and <code class="language-plaintext highlighter-rouge">key</code> both of them is in the <code class="language-plaintext highlighter-rouge">diff</code> output</p> <div class="language-zsh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="se">\n\n</span><span class="o">(</span>H30n<span class="o">)</span> <span class="o">&gt;</span> private static String k3 <span class="o">=</span> <span class="s2">"U1ci"</span><span class="p">;</span> </code></pre></div></div> <p>combing them all we get <code class="language-plaintext highlighter-rouge">String ky = "P4N7H30nU1ci";</code> after running this we get this <code class="language-plaintext highlighter-rouge">c0de_pL4?_r3pea7</code></p> <p><img src="https://raw.githubusercontent.com/mosheDO/mosheH4x0r/master/assets/2024-06-26/2024-06-26-125745.png" alt="" /></p> <p>the question mark doesn’t fit so we change it to <code class="language-plaintext highlighter-rouge">y</code> <code class="language-plaintext highlighter-rouge">c0de_pL4y_r3pea7</code> adding the prefix and we got the flag</p> <p><code class="language-plaintext highlighter-rouge">BSidesTLV2024{c0de_pL4y_r3pea7}</code></p> Wed, 26 Jun 2024 00:00:00 +0000 https://moshedo.github.io//bsidestlvctf https://moshedo.github.io/bsidestlvctf N0PSctf <h2 id="reverse-me">Reverse Me</h2> <p><strong>Name:</strong> <em>Reverse Me</em> <br /> <strong>Description:</strong> Don’t complain if you can’t see me, because I have to be reversed to make me run 🙃<br /> <strong>Category:</strong> Reverse</p> <p><strong>Author: Simone Aonzo</strong></p> <p>This is how the <strong>Reverse Me</strong> challenge was solved the that was included were called <code class="language-plaintext highlighter-rouge">img.jpg</code> why image file in a reversing challenge but lets check.</p> <p>if we tried to see the image windows viewer can’t show this.</p> <div class="language-zsh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>✗ strings img.jpg ... atador. inif. txet. ces.tlp. tog.tlp. tini. tlp.aler. nyd.aler. 5.2.2_CBILG 43.2_CBILG 4.2_CBILG liaf_khc_kcats__ tixe ... </code></pre></div></div> <p>We can see some strings are related to elf files so checking with HexDump</p> <div class="language-zsh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>✗ xxd img.jpg 00003870: 0000 0000 0000 1310 0000 0001 003e 0003 .............&gt;.. 00003880: 0000 0000 0000 0000 0001 0102 464c 457f ............FLE. </code></pre></div></div> <p>It seems an <code class="language-plaintext highlighter-rouge">elf</code> file that was reversed and now the description was clear</p> <p>So now we need to reverse the bytes:</p> <p><code class="language-plaintext highlighter-rouge">✗ emit img.jpg | /home/ubuntu/.local/bin/rev | dump img.elf</code></p> <p>so we opened the file in IDA, and I was struggling to find the correct code on how to find what was the flag, but the function <code class="language-plaintext highlighter-rouge">sub_401460</code> was receiving argv from user</p> <p><img src="https://raw.githubusercontent.com/mosheDO/mosheH4x0r/master/assets/2023-06-02/2024-06-02-140710.png" alt="" /></p> <p>the <code class="language-plaintext highlighter-rouge">decrypt_me_flag</code> seems like it calculate and print the flag, so I wasn’t sure so I tried to make the func <code class="language-plaintext highlighter-rouge">sub_401460</code> to return true by satisfying the 4 equation that we can see here:</p> <p><img src="https://raw.githubusercontent.com/mosheDO/mosheH4x0r/master/assets/2023-06-02/2024-06-02-140850.png" alt="" /></p> <p>In order to decrypt equations there is a tool by microsoft named z3:</p> <pre><code class="language-ipython">In [1]: from z3 import * ...: ...: # Define variables ...: arg_1, arg_2, arg_3, arg_4 = Ints('arg_1 arg_2 arg_3 arg_4') ...: ...: # Define the equations ...: eq1 = 3 * arg_4 + arg_3 + 4 * arg_2 - 10 * arg_1 == 28 ...: eq2 = And(9 * arg_2 - 8 * arg_1 + 6 * arg_3 - 2 * arg_4 == 72, arg_4 - 3 * arg_2 - 2 * arg_1 - 8 * arg_3 == 29) ...: eq3 = arg_3 + 5 * arg_1 + 7 * arg_2 - 6 * arg_4 == 88 ...: ...: # Create solver ...: solver = Solver() ...: ...: # Add equations to the solver ...: solver.add(eq1) ...: solver.add(eq2) ...: solver.add(eq3) ...: ...: # Check satisfiability and get the result ...: if solver.check() == sat: ...: model = solver.model() ...: print("arg_1 =", model[arg_1]) ...: print("arg_2 =", model[arg_2]) ...: print("arg_3 =", model[arg_3]) ...: print("arg_4 =", model[arg_4]) ...: else: ...: print("No solution exists.") ...: arg_1 = -3 arg_2 = 8 arg_3 = -7 arg_4 = -9 </code></pre> <p>and we got the results it was strange to see that some of the values were negative so I tried to force z3 to print only positive but the result was unsat so I tried to run the challenge with those result hopefully it will work and it does:</p> <div class="language-zsh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>➜ tmp git:<span class="o">(</span>master<span class="o">)</span> ✗ ./img.elf_patched <span class="nt">-3</span> 8 <span class="nt">-7</span> <span class="nt">-9</span> N0PS<span class="o">{</span>r1CKUNr0111N6<span class="o">}</span> </code></pre></div></div> <h2 id="meaningful-noise">Meaningful Noise</h2> <p><strong>Name:</strong> Meaningful Noise <br /> <strong>Description:</strong> iz dat a qRcOdE?<br /> <strong>Category:</strong> Misc</p> <p><strong>Author: algorab</strong></p> <p>we get an image that looks like that</p> <p><img src="https://raw.githubusercontent.com/mosheDO/mosheH4x0r/master/assets/2023-06-02/pxls.png" alt="" /></p> <p>I used this script to get a sense of what the image pixels are:</p> <div class="language-py highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">from</span> <span class="nn">PIL</span> <span class="kn">import</span> <span class="n">Image</span> <span class="kn">import</span> <span class="nn">sys</span> <span class="n">im</span> <span class="o">=</span> <span class="n">Image</span><span class="p">.</span><span class="nb">open</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span> <span class="n">bands</span> <span class="o">=</span> <span class="s">''</span><span class="p">.</span><span class="n">join</span><span class="p">(</span><span class="n">im</span><span class="p">.</span><span class="n">getbands</span><span class="p">())</span> <span class="n">width</span><span class="p">,</span> <span class="n">height</span> <span class="o">=</span> <span class="n">im</span><span class="p">.</span><span class="n">size</span> <span class="n">pre</span><span class="o">=</span><span class="s">''</span> <span class="k">for</span> <span class="n">h</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">height</span><span class="p">):</span> <span class="k">for</span> <span class="n">w</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">width</span><span class="p">):</span> <span class="n">pixels</span> <span class="o">=</span> <span class="n">im</span><span class="p">.</span><span class="n">getpixel</span><span class="p">((</span><span class="n">w</span><span class="p">,</span><span class="n">h</span><span class="p">))</span> <span class="k">if</span> <span class="n">bands</span><span class="o">==</span><span class="s">'RGBA'</span><span class="p">:</span> <span class="n">r</span><span class="p">,</span><span class="n">g</span><span class="p">,</span><span class="n">b</span><span class="p">,</span><span class="n">a</span> <span class="o">=</span> <span class="n">pixels</span> <span class="k">print</span> <span class="p">(</span><span class="n">r</span><span class="p">,</span><span class="n">g</span><span class="p">,</span><span class="n">b</span><span class="p">,</span><span class="n">a</span><span class="p">)</span> <span class="k">elif</span> <span class="n">bands</span><span class="o">==</span><span class="s">'RGB'</span><span class="p">:</span> <span class="n">r</span><span class="p">,</span><span class="n">g</span><span class="p">,</span><span class="n">b</span> <span class="o">=</span> <span class="n">pixels</span> <span class="k">print</span> <span class="p">(</span><span class="n">r</span><span class="p">,</span><span class="n">g</span><span class="p">,</span><span class="n">b</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="k">print</span> <span class="p">(</span><span class="n">pixels</span><span class="p">)</span> <span class="k">print</span> </code></pre></div></div> <p>we got only <code class="language-plaintext highlighter-rouge">0</code> and <code class="language-plaintext highlighter-rouge">255</code>:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>➜ Meaningful Noise ✗ python3 pixels.py pxls.png | sort | uniq 0 255 </code></pre></div></div> <p>so I tried to change the 255 to 1 (IDK why; just tried) and I put the input in CyberChef to try if we can extract something from that</p> <p>and indeed it was:</p> <p><img src="https://raw.githubusercontent.com/mosheDO/mosheH4x0r/master/assets/2023-06-02/2024-06-02-170713.png" alt="" /></p> Sun, 02 Jun 2024 00:00:00 +0000 https://moshedo.github.io//N0PSctf https://moshedo.github.io/N0PSctf