Flare-On 7 2020 Challenge #1: Fidler

Eviatar Gerzi
3 min readOct 29, 2020

--

We received the application binary file together with the python source code.

Tools to use:

  • notepad++

When you start the application, you get:

While checking the code infidler.py, we see that it first call to password_screen():

code from fidler.py

Which will return True if it password_check will return True:

code from password_screen() in fidler.py

Checking it and we can see that our input is being checked against the key:

To find the key we can just copy the code inside python:

>>> altered_key = 'hiptu'
>>> key = ''.join([chr(ord(x) - 1) for x in altered_key])
>>> print(key)
ghost

We moved to the second stage:

There are two ways to solve it, you can just play and get the flag:

Use the mouse scroll to make the coins move faster.

But if you want to bypass it and understand what happens, we can go straight a head to the function game_screen() in filder.py because it call to the victory_screen function and we need to understand how to get to this function:

To get the victory_screen we need that our current_coins will be between the following limits:

target_amount - 2**20 < current_coins < target_amount + 2**20
# target_amount = (2**36) + (2**35) = 103079215104
103078166528 < current_coins < 103080263680

We will pick up a number between these limits: 103078166529.

The math calculation int(103078166529 / 10**8) will convert it to 1030 which will pass as the token to victory_screen(..) which will call the decode_flag() function:

def decode_flag(frob):
last_value = frob
encoded_flag = [1135, 1038, 1126, 1028, 1117, 1071, 1094, 1077, 1121, 1087, 1110, 1092, 1072, 1095, 1090, 1027,
1127, 1040, 1137, 1030, 1127, 1099, 1062, 1101, 1123, 1027, 1136, 1054]
decoded_flag = []
for i in range(len(encoded_flag)):
c = encoded_flag[i]
val = (c - ((i%2)*1 + (i%3)*2)) ^ last_value
decoded_flag.append(val)
last_value = c
return ''.join([chr(x) for x in decoded_flag])

It will print the flag:

>>> decode_flag(1030)
'idle_with_kitty@flare-on.com'

Of course we can also bypass all these stages and just try to call the decode_flag() function with a random number:

>>> decode_flag(1)
dle_with_kitty@flare-on.com'

It easy to complete it, we need to have “i” in the beginning.

flag: idle_with_kitty@flare-on.com

--

--

Eviatar Gerzi

Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (docker and Kubernetes)