Flare-On 7 2020 Challenge #1: Fidler
We received the application binary together with its Python source code.
Tools to use:
- notepad++
When you start the application, you get:
Looking at the code in fidler.py, we see that it first calls password_screen():
It returns True if password_check returns True:
Looking at password_check, we can see that our input is compared against the key:
To find the key, we can just copy the code into a Python interpreter:
>>> altered_key = 'hiptu'
>>> key = ''.join([chr(ord(x) - 1) for x in altered_key])
>>> print(key)
ghost
We move on to the second stage:
There are two ways to solve it. You can just play and get the flag:
Use the mouse scroll to make the coins move faster.
But if you want to bypass it and understand what happens, go straight to the function game_screen() in fidler.py. It calls the victory_screen function, so we need to understand how to reach that call:
To reach victory_screen, current_coins must be within the following limits:
target_amount - 2**20 < current_coins < target_amount + 2**20
# target_amount = (2**36) + (2**35) = 103079215104
103078166528 < current_coins < 103080263680
We will pick a number between these limits: 103078166529.
The calculation int(103078166529 / 10**8) converts it to 1030, which is passed as the token to victory_screen(..), which in turn calls the decode_flag() function:
def decode_flag(frob):
    # frob is the token; it seeds the XOR chain for the first character only
    last_value = frob
    encoded_flag = [1135, 1038, 1126, 1028, 1117, 1071, 1094, 1077, 1121, 1087, 1110, 1092, 1072, 1095, 1090, 1027,
                    1127, 1040, 1137, 1030, 1127, 1099, 1062, 1101, 1123, 1027, 1136, 1054]
    decoded_flag = []
    for i in range(len(encoded_flag)):
        c = encoded_flag[i]
        # subtract a position-dependent offset, then XOR with the previous encoded value
        val = (c - ((i%2)*1 + (i%3)*2)) ^ last_value
        decoded_flag.append(val)
        last_value = c
    return ''.join([chr(x) for x in decoded_flag])
It will print the flag:
>>> decode_flag(1030)
'idle_with_kitty@flare-on.com'
Of course, we can also bypass all these stages and just call the decode_flag() function with a random number:
>>> decode_flag(1)
'Ѯdle_with_kitty@flare-on.com'
It is easy to complete: we just need an “i” at the beginning.
flag: idle_with_kitty@flare-on.com
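Why any token reveals everything except the first character, and how the correct token follows from one known character, as an added example that is not part of the original write-up or the challenge source. The constants are copied from the code above; the helper names recover_token, tail_is_token_independent and tokens_in_window are hypothetical.

```python
# Added example: constants come from the write-up, helper names are hypothetical.
ENCODED_FLAG = [1135, 1038, 1126, 1028, 1117, 1071, 1094, 1077, 1121, 1087,
                1110, 1092, 1072, 1095, 1090, 1027, 1127, 1040, 1137, 1030,
                1127, 1099, 1062, 1101, 1123, 1027, 1136, 1054]


def decode_flag(frob):
    """Same decoding loop as in the write-up."""
    last_value = frob
    out = []
    for i, c in enumerate(ENCODED_FLAG):
        out.append((c - ((i % 2) * 1 + (i % 3) * 2)) ^ last_value)
        # The chain continues with the *encoded* value, which is stored in the
        # script, so the secret token only ever influences position 0.
        last_value = c
    return ''.join(chr(x) for x in out)


def recover_token(first_char):
    """Known-plaintext recovery: at i == 0 the offset is 0, so token = c0 ^ p0."""
    return ENCODED_FLAG[0] ^ ord(first_char)


def tail_is_token_independent(tokens):
    """True if every token decodes to the same text after the first character."""
    return len({decode_flag(t)[1:] for t in tokens}) == 1


def tokens_in_window():
    """Tokens that game_screen() can hand over for coin counts inside the window."""
    target = 2**36 + 2**35
    low, high = target - 2**20, target + 2**20  # both bounds are exclusive
    # int(x / 10**8) is monotonic, so checking the extremes covers the window.
    return {int(c / 10**8) for c in (low + 1, target, high - 1)}


if __name__ == "__main__":
    print(tail_is_token_independent([0, 1, 1030, 65535]))
    print(recover_token('i'), tokens_in_window())
    print(decode_flag(recover_token('i')))
```

Every coin count inside the accepted window maps to the same token, so the game adds no secrecy beyond what the encoded list already gives away.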