Read

Reverse Engineering – 406pts

Description

Reading is the best way to solve a challenge

Solution

Here we have a compiled Python application. The first thing we need to do is decompile it with uncompyle6 read.pyc > read.py. Now we have the obfuscated source for the application.

After some cleanup we can find the following function.

def check(input):
    static_value = [
     73, 13, 19, 88, 88, 2, 77, 26, 95, 85, 11, 23, 114, 2, 93, 54, 71, 67, 90, 8, 77, 26, 0, 3, 93, 68]
    result = ''
    for idx in range(len(static_value)):
        if input[idx] != chr(static_value[idx] ^ ord(key[idx])):
            return 'bbblalaabalaabbblala'
        result = ''
        result_val = [122, 86, 75, 75, 92, 90, 77, 24, 24, 24, 25, 106, 76, 91, 84, 80, 77, 25, 77, 81, 92, 25, 92, 87, 77, 80, 75, 92, 25, 74, 77, 75, 80, 87, 94, 25, 88, 74, 25, 95, 85, 88, 94]
        for curr_val in result_val:
            result += chr(curr_val ^ 57)
        else:
            return result

Here we can see that each character of the entered value is compared to the corresponding static_value entry XORed with the matching character of key. The value for key is declared in another function and initialized with the value 'you-may-need-this-key-1337'. All we have to do is XOR each value in the static_value array with the character at the same index in the key variable to get the flag.

#!/usr/bin/env python3

static_value = [73, 13, 19, 88, 88, 2, 77, 26, 95, 85, 11, 23, 114, 2, 93, 54, 71, 67, 90, 8, 77, 26, 0, 3, 93, 68]
key = 'you-may-need-this-key-1337'
result = ''

for idx in range(len(static_value)):
    result += chr(static_value[idx] ^ ord(key[idx]))

print('darkCON{' + result + '}')

When we run this script we get the flag.

darkCON{0bfu5c4710ns_v5_4n1m4710ns}
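The key and the table can also be read straight out of a .pyc without a decompiler, which helps when a decompiler fails on the file. This is an added example, not part of the original writeup: SAMPLE_SOURCE is a constructed stand-in for read.pyc (with the table written as a tuple), the function names are hypothetical, and it assumes CPython 3.7+ with its 16-byte .pyc header.

```python
import importlib.util
import marshal
import types

# Constructed stand-in for read.pyc: key set in one function, used in another.
# The table is a tuple so CPython stores it as a single constant in co_consts.
SAMPLE_SOURCE = '''
def setup():
    global key
    key = 'you-may-need-this-key-1337'

def check(data):
    static_value = (73, 13, 19, 88, 88, 2, 77, 26, 95, 85, 11, 23, 114, 2, 93,
                    54, 71, 67, 90, 8, 77, 26, 0, 3, 93, 68)
    return all(data[i] == chr(v ^ ord(key[i])) for i, v in enumerate(static_value))
'''


def build_pyc(source):
    """Constructed .pyc: 4-byte magic, 12 zeroed header bytes, marshalled code."""
    return (importlib.util.MAGIC_NUMBER + b"\x00" * 12
            + marshal.dumps(compile(source, "read.py", "exec")))


def load_code(pyc):
    """Check the magic number, skip the 16-byte header, unmarshal the module."""
    if pyc[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("pyc was produced by a different Python version")
    return marshal.loads(pyc[16:])


def walk_constants(code, owner="<module>"):
    """Yield (function, constant) for each str or all-int tuple, recursively."""
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_constants(const, const.co_name)
        elif isinstance(const, str) or (isinstance(const, tuple) and const
                                        and all(type(v) is int for v in const)):
            yield owner, const


def recover_candidates(pyc):
    """XOR every integer table with every embedded string of equal length."""
    consts = [c for _, c in walk_constants(load_code(pyc))]
    tables = [c for c in consts if isinstance(c, tuple)]
    strings = [c for c in consts if isinstance(c, str)]
    return ["".join(chr(v ^ ord(k)) for v, k in zip(t, s))
            for t in tables for s in strings if len(s) == len(t)]
```

A list literal, as in the decompiled source above, may show up as separate integer constants on some interpreter versions rather than as one tuple, so a real file can need the integers collected in order instead.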

ezpz

Reverse Engineering – 470pts

Description

Some easy android for ya 🙂

Solution

Here we have an Android APK. Let's start by decompiling it and taking a look at the MainActivity class.

public class MainActivity extends AppCompatActivity {
   EditText button;
   Button editText;
   int flag_counter = 0;

   protected void onCreate(Bundle var1) {
      super.onCreate(var1);
      this.setContentView(2131427356);
      this.editText = (Button)this.findViewById(2131231042);
      this.button = (EditText)this.findViewById(2131230881);
      if (!(new uselessClass()).flagCheckerxD(this)) {
         Toast.makeText(this.getApplicationContext(), "Ya need internet connection for the flag", 0).show();
      }

      String[] var2 = (new whyAmIHere()).isThisWhatUWant();
      this.editText.setOnClickListener(new 1(this, this, var2));
   }
}

Here we can see some setup for the UI. The interesting part is the last two lines, where an OnClickListener is initialized. We can see that var2 is set by calling the isThisWhatUWant method on the whyAmIHere class. Let's take a look at that.

public class whyAmIHere {
   public String[] isThisWhatUWant() {
      String[] var1 = new String[]{""};
      FirebaseFirestore.getInstance().collection("A_Collection_Is_A_Set_Of_Data").get().addOnSuccessListener(new 2(this, var1)).addOnFailureListener(new 1(this, var1));
      return var1;
   }
}

So it gets a collection from a Firestore instance. Time to find out what data is fetched. Let's open the APK in debug mode with Android Studio.

When the app has started we can take a look at the Databases view and locate the remote_documents entry.

Here we find the collection used in the isThisWhatUWant method. Converting the contents from hex we get the following data.

darkCON{d3bug_m5g_1n_pr0duct10n_1s_b4d}