\n
![\"ayy\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2016\/05\/ayy.png\")
<\/a><\/p>\nUse a hex editor on each value being pushed to the stack to get the answer: windows_bug_or_feature? I also threw in some anti-debugger code just for kicks. <\/p>\n
challenge 4 – java applet with exe inside. Use java decompiler against the jar file, you’ll see “String heytherejoe = “4D5A900003000000040000”, followed by a string to bytes method. Recall that 4D 5A is the hex code for MZ. This is an exe file packed with upx, just run and get answer: c4tus_C0n2016<\/p>\n
Challenge 5 – 2 PDF files with exploits inside. Both lead to either a message box or a download + run of http:\/\/hda.io\/muzac\/flag_5.mp3 which is SANIC.mp3, flag is at the end, which is my voice saying “hacksonic” so accept either “hacksonic” or “hack sonic”
\nPassword for the zip is infected<\/p>\n
Challenge 6 – python exe file with built in game and flag.
\nYou can use CheatEngine to obtain the score needed, or just decompile with either EasyPythonDecompiler or unfrozen. Optionally you could obtain a pointer to the decompiled code with a debugger, but that’s overkill. <\/p>\n
The flag is EasyPythonDecompiler_rocks<\/p>\n
Challenge 7 – .net challenge with obfuscator involved. Use de4dot against the binary.
\nYou should see code like this:<\/p>\n
<\/p>\n
static<\/span> void<\/span> NothingToSeeHere()\r\n {\r\n var<\/span> resourcelist_reference = System.Reflection.Assembly.GetExecutingAssembly().GetManifestResourceNames();\r\n var<\/span> assembly = Assembly.GetExecutingAssembly();\r\n var<\/span> resourceName = "CactusCon_Reverse_Challenge_Main.Spraypaintingmyeyes.jpg"<\/span>;\r\n\r\n using<\/span> (Stream stream = assembly.GetManifestResourceStream(resourceName))\r\n {\r\n MemoryStream ms = new<\/span> MemoryStream();\r\n stream.CopyTo(ms);\r\n byte<\/span>[] hashforme = ms.ToArray();\r\n\r\n SHA1 shalol = SHA1.Create();\r\n byte<\/span>[] hio = shalol.ComputeHash(hashforme);\r\n string<\/span> text2 = ""<\/span>;\r\n for<\/span> (int<\/span> j = 0; j < hio.Length; j++)\r\n {\r\n text2 += string<\/span>.Format("{0:X2}"<\/span>, hio[j] ^ 2);\r\n }\r\n MessageBox.Show("Good job, the flag is "<\/span> + text2);\r\n }\r\n }\r\n<\/pre>\n<\/div>\nThe answer is the SHA1 hash of ‘Spraypaintingmyeyes.jpg’, xor’d by 2, or AB875A4DD1AEDC4FB5961981818472D366B06941
\nThe others were just thrown in to confuse the shit out everyone. <\/p>\n
Challenge 8 – Macro code that needs to be deobfuscated. Can be done with vbscript, notepad, and text-replace. Here’s the function used to decode:<\/p>\n
<\/p>\n
\nPrivate<\/span> Function<\/span> DecryptStringFunc(argument)\r\n Dim<\/span> hb1, count, kv1\r\n argument = StrReverse(argument)\r\n For<\/span> count = 1 To<\/span> Len(argument)\r\n hb1 = Mid(argument, count, 1)\r\n kv1 = kv1 & Chr(Asc(hb1) - 1)\r\n Next<\/span>\r\n DecryptStringFunc = kv1\r\nEnd<\/span> Function<\/span>\r\n<\/pre>\n<\/div>\nFlag is midcitystylespace.com.au<\/p>\n
Challenge 9 is an snes rom with some hidden data inside. Zip archive is broken. Included is the rom and emulator.<\/p>\n
I broke the pkzip header. It needs to be repaired to work.
\nSee https:\/\/users.cs.jmu.edu\/buchhofp\/forensics\/formats\/pkzip.html<\/p>\n
ie; replace
\n<\/p>\n
\n77 68 61 74 67 6F 65 73 68 65 72 65 3F 3F 3F 00 2B A7 86 48 6B 1B\r\n<\/pre>\n<\/div>\nwith<\/p>\n
<\/p>\n
\nFF FF FF FF FF FF 50 4B 03 04 14 00 00 00 08 00 2B A7 86 48 6B 1B\r\n<\/pre>\n<\/div>\nThe cheater’s way is to use 7zip which ignores headers and looks for other structures and you’ll find the flag in jpeg form. The flag is ‘snes_butthead’.<\/p>\n
Final challenge is this:
\nZip file with password not provided. Crack it and you’ll see (4skJ0e)
\nInside is a broken exe file (PE chars replaced with JO) so fix with a hex editor.
\nExe uses custom exception handlers, SSE, MMX instructions, fibonacci sequences, and must be patched to get through. The password is in 2 parts, encrypted xor style. This is the flag –
\nmikudayo-fumifumi<\/p>\n
Fastest way to beat this is with a debugger and setting the EIP to 0040116e and single stepping, seeing the 2 strings pushed onto the stack and the 2 xor keys. Easy peasy.<\/p>\n
![\"easy_way\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2016\/05\/easy_way-300x168.png\")
<\/a><\/p>\nI look forward to making more next year.<\/p>\n
Happy cracking!<\/p>\n