Flare-On 7 2020 Challenge #1: Fidler

We received the application binary file together with the Python source code.

Tools to use:

  • Notepad++

When you start the application, you get:

Looking at the code in fidler.py, we see that it first calls password_screen():

code from fidler.py

It returns True if password_check returns True:

code from password_screen() in fidler.py

Looking at password_check, we can see that our input is compared against the key:

To find the key, we can just copy the code into a Python interpreter:

>>> altered_key = 'hiptu'
>>> key = ''.join([chr(ord(x) - 1) for x in altered_key])
>>> print(key)
ghost

We moved to the second stage:

There are two ways to solve it. You can just play and get the flag:

Use the mouse scroll to make the coins move faster.

But if you want to bypass it and understand what happens, you can go straight to the function game_screen() in fidler.py, because it calls the victory_screen function and we need to understand how to reach that call:

To reach victory_screen, current_coins must be between the following limits:

target_amount - 2**20 < current_coins < target_amount + 2**20
# target_amount = (2**36) + (2**35) = 103079215104
103078166528 < current_coins < 103080263680

We will pick a number between these limits: 103078166529.

The calculation int(103078166529 / 10**8) evaluates to 1030, which is passed as the token to victory_screen(..), which in turn calls the decode_flag() function:

def decode_flag(frob):
    last_value = frob
    encoded_flag = [1135, 1038, 1126, 1028, 1117, 1071, 1094, 1077, 1121, 1087, 1110, 1092, 1072, 1095, 1090, 1027,
                    1127, 1040, 1137, 1030, 1127, 1099, 1062, 1101, 1123, 1027, 1136, 1054]
    decoded_flag = []
    for i in range(len(encoded_flag)):
        c = encoded_flag[i]
        val = (c - ((i%2)*1 + (i%3)*2)) ^ last_value
        decoded_flag.append(val)
        last_value = c
    return ''.join([chr(x) for x in decoded_flag])

It will print the flag:

>>> decode_flag(1030)
'idle_with_kitty@flare-on.com'

Of course we can also bypass all these stages and just try to call the decode_flag() function with a random number:

>>> decode_flag(1)
dle_with_kitty@flare-on.com'

It is easy to complete: we only need an “i” at the beginning.
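
The loop in decode_flag() chains on the previous encoded value rather than on the token, so the token only influences the first character. The Python sketch below is an added example, not part of the original write-up or the challenge code: the helper names keyless_tail, recover_token and tokens_in_window are hypothetical, and ENCODED_FLAG is copied from the decode_flag() listing above.

```python
# Added example: why the token passed to decode_flag() protects only one character.
# ENCODED_FLAG is copied from the listing above; the helper names are hypothetical.
ENCODED_FLAG = [1135, 1038, 1126, 1028, 1117, 1071, 1094, 1077, 1121, 1087,
                1110, 1092, 1072, 1095, 1090, 1027, 1127, 1040, 1137, 1030,
                1127, 1099, 1062, 1101, 1123, 1027, 1136, 1054]

TARGET_AMOUNT = 2**36 + 2**35
WINDOW = 2**20


def decode_flag(frob):
    """Same algorithm as the challenge's decode_flag()."""
    last_value = frob
    out = []
    for i, c in enumerate(ENCODED_FLAG):
        out.append((c - ((i % 2) * 1 + (i % 3) * 2)) ^ last_value)
        last_value = c  # chaining uses the encoded value, not the token
    return ''.join(chr(x) for x in out)


def keyless_tail():
    """Decode every character except the first without knowing any token."""
    return decode_flag(0)[1:]


def recover_token(first_char):
    """Known-plaintext recovery: index 0 has no offset, so token = c0 ^ p0."""
    return ENCODED_FLAG[0] ^ ord(first_char)


def tokens_in_window():
    """Tokens game_screen() can derive from coin counts inside the window."""
    lo = TARGET_AMOUNT - WINDOW + 1
    hi = TARGET_AMOUNT + WINDOW - 1
    # int(x / 10**8) is monotonic, so the endpoints bound every value between.
    return {int(lo / 10**8), int(hi / 10**8)}


if __name__ == "__main__":
    print(keyless_tail())
    print(recover_token('i'))
    print(tokens_in_window())
    print(decode_flag(recover_token('i')))
```

Every coin count inside the accepted window maps to the same token, and that token can be derived from the first encoded value and one guessed plaintext character.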

flag: idle_with_kitty@flare-on.com

Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (docker and Kubernetes)
