Flare-On 7 2020 Challenge #1: Fidler

We received the application binary together with the Python source code.

Tools to use:

  • notepad++

When you start the application, you get:

Checking the code in fidler.py, we see that it first calls password_screen():

code from fidler.py

This returns True if password_check returns True:

code from password_screen() in fidler.py

Looking at it, we can see that our input is checked against the key:

To find the key, we can just copy the code into Python:

>>> altered_key = 'hiptu'
>>> key = ''.join([chr(ord(x) - 1) for x in altered_key])
>>> print(key)
ghost

We moved to the second stage:

There are two ways to solve it, you can just play and get the flag:

Use the mouse scroll to make the coins move faster.

But if you want to bypass it and understand what happens, we can go straight ahead to the function game_screen() in fidler.py, because it calls the victory_screen function and we need to understand how to reach that function:

To reach victory_screen, current_coins must be within the following limits:

target_amount - 2**20 < current_coins < target_amount + 2**20
# target_amount = (2**36) + (2**35) = 103079215104
103078166528 < current_coins < 103080263680

We will pick up a number between these limits: 103078166529.

The calculation int(103078166529 / 10**8) converts it to 1030, which is passed as the token to victory_screen(..), which in turn calls the decode_flag() function:

def decode_flag(frob):
    last_value = frob
    encoded_flag = [1135, 1038, 1126, 1028, 1117, 1071, 1094, 1077, 1121, 1087, 1110, 1092, 1072, 1095, 1090, 1027,
                    1127, 1040, 1137, 1030, 1127, 1099, 1062, 1101, 1123, 1027, 1136, 1054]
    decoded_flag = []
    for i in range(len(encoded_flag)):
        c = encoded_flag[i]
        val = (c - ((i%2)*1 + (i%3)*2)) ^ last_value
        decoded_flag.append(val)
        last_value = c
    return ''.join([chr(x) for x in decoded_flag])

It will print the flag:

>>> decode_flag(1030)
'idle_with_kitty@flare-on.com'

Of course we can also bypass all these stages and just try to call the decode_flag() function with a random number:

>>> decode_flag(1)
dle_with_kitty@flare-on.com'

It is easy to complete it: we only need an “i” at the beginning.
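Why a random token still yields almost the whole flag, as an added example that is not part of fidler.py or of the original write-up: only index 0 is XORed with the token, while every later character is XORed with the previous encoded value. The encoded list and the per-character formula are the ones shown above; the helper names other than decode_flag are assumptions.

```python
# Added example; ENCODED_FLAG and the per-character formula are the ones
# quoted on this page, every other name here is an assumption.
ENCODED_FLAG = [1135, 1038, 1126, 1028, 1117, 1071, 1094, 1077, 1121, 1087,
                1110, 1092, 1072, 1095, 1090, 1027, 1127, 1040, 1137, 1030,
                1127, 1099, 1062, 1101, 1123, 1027, 1136, 1054]


def decode_flag(frob):
    """Same algorithm as decode_flag() above, written with enumerate()."""
    last_value, out = frob, []
    for i, c in enumerate(ENCODED_FLAG):
        out.append(chr((c - ((i % 2) * 1 + (i % 3) * 2)) ^ last_value))
        last_value = c  # chains on the *encoded* value, not on frob
    return ''.join(out)


def winning_tokens():
    """Every token int(current_coins / 10**8) can take inside the win window."""
    target = 2**36 + 2**35
    lowest, highest = target - 2**20 + 1, target + 2**20 - 1
    # Floor division equals int(x / 10**8) for these positive values.
    return set(range(lowest // 10**8, highest // 10**8 + 1))


def token_for_first_char(ch):
    """Index 0 subtracts 0, so plain[0] = ENCODED_FLAG[0] ^ frob."""
    return ENCODED_FLAG[0] ^ ord(ch)


def token_independent_tail(tokens=range(0, 2048)):
    """Decoded text after index 0 for many tokens; a single value is expected."""
    return {decode_flag(t)[1:] for t in tokens}


if __name__ == "__main__":
    print(winning_tokens())            # tokens the game itself can produce
    print(token_for_first_char('i'))   # token recovered from one known char
    print(token_independent_tail())    # tail is the same for every token
    print(decode_flag(token_for_first_char('i')))
```

The token therefore protects a single character, so gating decode_flag() behind the coin counter adds no secrecy once the source is readable.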

flag: idle_with_kitty@flare-on.com


Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (docker and Kubernetes)

Eviatar Gerzi
