UTPHAX'16 Challenge 9 Write-Up

I did not screenshot the question, but it said:
Given $y = md5($x.strrev($x).$x*$x^$x.($x%$x)+9*4/$x)
Find $x if $y = 43a87a86ea9aee0255325e2865d6b503
It also said something about rockyou, which is a dictionary used for password cracking; it can be downloaded here.

I just used a PHP script available on the net and modified the md5() part; here is the script:

r0x@b0x:~$ php md5.php 43a87a86ea9aee0255325e2865d6b503
Match found! 0.00250270100394 = 43a87a86ea9aee0255325e2865d6b503
Found in 28.564929008484 seconds
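The wordlist-driven cracker the post refers to is not reproduced on the page, so here is an added Python example (not the author's script) of the same approach: run every dictionary candidate through a transform, MD5 it, and compare with the target. The exact value of the challenge's PHP expression depends on PHP's operator precedence and string-to-number coercion, so `php_concat_transform` below is an assumed stand-in that keeps only the concatenation terms, and `WORDLIST` is a constructed few-word stand-in for rockyou.txt.

```python
import hashlib
import time
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed stand-in for rockyou.txt (not from the write-up): a few candidates.
WORDLIST = ["123456", "password", "iloveyou", "qwerty", "utphax", "letmein"]


def php_concat_transform(x: str) -> str:
    """Assumed stand-in for the challenge expression.

    The challenge hashed $x.strrev($x).$x*$x^$x.($x%$x)+9*4/$x; what that
    evaluates to depends on PHP's operator precedence and string/number
    coercion, so this helper keeps only the unambiguous concatenation
    $x . strrev($x) . $x. Swap in a faithful evaluator for the real target.
    """
    return x + x[::-1] + x


# Each candidate is tried under every transform; "identity" catches plain hashes.
TRANSFORMS: Dict[str, Callable[[str], str]] = {
    "identity": lambda x: x,
    "php_concat": php_concat_transform,
}


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def crack(target_hex: str, words: Iterable[str],
          transforms: Dict[str, Callable[[str], str]] = TRANSFORMS
          ) -> Optional[Tuple[str, str]]:
    """Return (word, transform_name) whose transformed MD5 equals target_hex, else None.

    Trailing newlines are stripped so an open file object works as the wordlist.
    """
    target_hex = target_hex.strip().lower()
    for raw in words:
        word = raw.rstrip("\r\n")
        for name, fn in transforms.items():
            if md5_hex(fn(word)) == target_hex:
                return word, name
    return None


if __name__ == "__main__":
    import sys
    # Without an argument, crack a hash built from a known word so the demo runs offline.
    target = sys.argv[1] if len(sys.argv) > 1 else md5_hex(php_concat_transform("utphax"))
    start = time.time()
    hit = crack(target, WORDLIST)
    if hit:
        print("Match found! %s (via %s) = %s" % (hit[0], hit[1], target))
    else:
        print("No match for %s" % target)
    print("Finished in %f seconds" % (time.time() - start))
```

Point it at the real dictionary with `crack(target, open("rockyou.txt", encoding="latin-1"))`; rockyou contains non-UTF-8 lines, so the explicit encoding matters.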

[Writeup] Wargames.my 2016 - Challenge 15

Another frustration: 500 points should have been a sweet victory at the end, if only I had had enough time to play that day...

So we get a zip file, which contains this:

Let's open that README.md, which has some info about this file:
Mori-Dark
=========

An HTML5 minimalistic super-responsive portfolio and blog template.

CSS-only hexagon hive gallery!

http://mori-dark.s3-website.eu-central-1.amazonaws.com/


Open index.html in a browser and we get some pr0n stuff, haha.


WARNING! This write-up takes the long way to the answer; there is always a shortcut to get the flag quickly.

So let's get the original template and diff each file against it.
I found something in index.html:

Because it is JavaScript, let's use Malzilla to investigate it.
Open Malzilla, paste in index.html and click Find Object, select the object that highlights the shellcode, and then double-click to send it to the decoder.


In the decoder I use "override eval()" to get the unescape script first.
Then we can decode the unescape by using document.write like this; run it in Malzilla and we get some gibberish, but is it?



With some google-fu I found out that the string was VBScript.Encode output, produced with a tool called screnc,
and it can be decoded. So we save the encoded text to a file and decode it using scrdec.exe:

scrdec.exe encoded.vbe decoded.vbs

and we get the decoded source code. It looks like a dropper, so we take the long hex string and paste it into a hex editor, where we can see the MZ header, so it is a PE file. I also noticed some UPX headers in the file.
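The carving step above (long hex string in the decoded VBScript, then the MZ/PE check, then spotting the UPX section names) is easy to script. What follows is an added Python example, not part of the original write-up or the challenge files: the VBScript fragment, the `WriteBinary` routine name in it and the headers-only PE it carries are all constructed inline so the example runs offline.

```python
import re
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
COFF_HEADER_SIZE = 20           # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_HEADER_SIZE = 40


def build_fake_pe(section_names):
    """Construct a headers-only PE-shaped blob (not a runnable executable).

    Only the fields inspect_pe() reads are populated: MZ signature, e_lfanew,
    PE signature, COFF header and the 8-byte section names.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                        for n in section_names)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + sections


# Constructed stand-in for the decoded dropper: a VBScript fragment whose long
# string literal is the hex of the fake PE. WriteBinary is a hypothetical name.
DROPPER_VBS = (
    'Dim payload\r\n'
    'payload = "' + build_fake_pe(["UPX0", "UPX1", ".rsrc"]).hex().upper() + '"\r\n'
    'WriteBinary "dropped.exe", payload\r\n'
)


def carve_hex_blob(script_text, min_hex_chars=64):
    """Return the bytes of the longest run of hex digits in a script, or None."""
    runs = re.findall(r"[0-9A-Fa-f]{%d,}" % min_hex_chars, script_text)
    if not runs:
        return None
    longest = max(runs, key=len)
    if len(longest) % 2:        # heuristic: a stray hex-looking letter glued to the front
        longest = longest[1:]
    return bytes.fromhex(longest)


def inspect_pe(data):
    """Check the MZ and PE signatures and list section names; raise on a non-PE blob."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    sec_off = coff_off + COFF_HEADER_SIZE + opt_size
    names = []
    for i in range(nsections):
        start = sec_off + i * SECTION_HEADER_SIZE
        names.append(data[start:start + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": machine,
        "sections": names,
        # UPX0/UPX1 section names are the usual tell for a UPX-packed binary.
        "upx_packed": any(n.startswith("UPX") for n in names),
    }


if __name__ == "__main__":
    blob = carve_hex_blob(DROPPER_VBS)
    print("carved %d bytes, header %r" % (len(blob), blob[:2]))
    print(inspect_pe(blob))
```

On a real dropper, write the carved bytes to disk and confirm with `file` or a PE parser before running anything; the section-name check only hints at UPX, and as the write-up goes on to show, a packer header can be present while `upx -d` still fails.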

Trying to run it, we get a warning from Nafiez. I lol'ed at this.

Unpacking it with upx -d gives something strange. Then I remembered the Flare-On challenge from last year, which implemented this. More here.

So we just debug the file without running upx -d on it.

Try running it and we get the flag! But I didn't get the chance to verify it; hope the flag is correct.

flag: nafiezawesome

*Yup, this guy is awesome. I have met him twice, I think, and this is the first time I completely answered his question. I still remember pandame.exe...

Nice challenge, in which I learned how to use new tools like scrdec and Malzilla, but still frustrating because I could not solve it on the day.

[Writeup] Wargames.my 2016 - Challenge 1

Unlucky for me, because I didn't manage to solve this during the competition; what a waste of 200 points :(
Anyway, here is some PoC. Thanks to aspan for pointing out to me that the check is in pg_receive.php.




Some PoC script:

Some PoC video: here

[Writeup] iHack2016 - RE 400

RE400
As usual, find the flag in the binary.
First check whether it is packed; with PEiD we know it is not packed.

btw, I just patched the binary from
XOR AL,23
ROR AL,5

to

ROL AL,5
XOR AL,23

I took the memory dump as input, then set a breakpoint at
CMP AL,BYTE PTR DS:[ECX+11C728]

F9 all the way

Open it in OllyDbg; right-click > Search for > All referenced text strings > look for the string "Enter the password:"
Place breakpoints as appropriate, for example as below:




So we get the algorithm: (input xor 23 ror 5) = FA 5A 32 8A 32 E3 52 82 40 BA 5A 32 48 52 5A 12 02 42 70 42 32 D2 FA

Reverse it:
FA 5A 32 8A 32 E3 52 82 40 BA 5A 32 48 52 5A 12 02 42 70 42 32 D2 FA
rol 5
xor 23

So we get:
7c 68 65 72 65 5f 69 73 2b 74 68 65 2a 69 68 61 63 6b 2d 6b 65 79 7c

Convert the hex and we get the flag.
flag: |here_is+the*ihack-key|

Some C code just for PoC:
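The C PoC mentioned above is not on the page, so here is an added Python example (not the author's code) of the same inverse: rotate left by 5, then XOR with 0x23, applied to the 23 bytes the binary compares against. It goes one step beyond the write-up: `search_xor_rotate` assumes only the XOR-then-rotate shape is known and recovers the constants by brute force, which is how you would proceed if you had not read them out of the disassembly.

```python
# Ciphertext copied from the write-up: the bytes the binary compares the
# transformed input against (CMP AL, BYTE PTR DS:[ECX+11C728] walks this table).
ENCODED = bytes.fromhex(
    "FA 5A 32 8A 32 E3 52 82 40 BA 5A 32 48 52 5A 12 02 42 70 42 32 D2 FA"
)


def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (x86 ROL on AL)."""
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits (x86 ROR on AL)."""
    n &= 7
    return ((b >> n) | (b << (8 - n))) & 0xFF


def encode(plain: bytes, key: int = 0x23, shift: int = 5) -> bytes:
    """Forward transform the binary applies to each input byte: XOR AL,23h then ROR AL,5."""
    return bytes(ror8(c ^ key, shift) for c in plain)


def decode(enc: bytes, key: int = 0x23, shift: int = 5) -> bytes:
    """Inverse, in reverse order: undo the rotate first (ROL AL,5), then the XOR."""
    return bytes(rol8(c, shift) ^ key for c in enc)


def search_xor_rotate(enc: bytes):
    """Recover (key, shift) without reading the constants from the disassembly.

    Tries every 8-bit XOR key and rotate amount and keeps the pairs whose
    output is entirely printable ASCII; the real key is among the hits.
    """
    hits = []
    for shift in range(8):
        for key in range(256):
            out = decode(enc, key, shift)
            if all(0x20 <= c < 0x7F for c in out):
                hits.append((key, shift, out))
    return hits


if __name__ == "__main__":
    flag = decode(ENCODED)
    print(flag.hex(), flag.decode())
    for key, shift, text in search_xor_rotate(ENCODED):
        print("key=0x%02x shift=%d -> %r" % (key, shift, text))
```

Whichever patch you apply in the debugger, the order matters: the binary XORs first and rotates second, so the inverse must rotate first and XOR second, as the write-up's patched ROL/XOR pair does.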

[Writeup] iHack2016 - Forensic 200

Forensic200
The question, if I'm not mistaken, was "what is the operating system that mobius used?"

Open it in a hex editor, check the file signature for PNG, find the trailer, and we see another PNG header.

So copy it out, and we get a new image.

flag: mebius_use_macos
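The carving described above (PNG signature, walk the chunks to the IEND trailer, then a second PNG right after it) as an added Python example that is not from the original write-up. The challenge image is not available, so `EVIDENCE` is a constructed file holding two small valid PNGs back to back. The carver also checks every chunk's CRC, which tells you whether the copy you cut out is intact.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int, height: int, gray: int) -> bytes:
    """Construct a valid 8-bit greyscale PNG filled with one value (test input only)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    scanlines = b"".join(b"\x00" + bytes([gray]) * width for _ in range(height))
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanlines)) + png_chunk(b"IEND", b""))


def walk_chunks(blob: bytes, start: int):
    """Yield (type, data_offset, length, crc_ok) for each chunk after a signature at start.

    Stops at IEND or when a chunk would run past the end of the blob (truncation).
    """
    off = start + len(PNG_SIGNATURE)
    while off + 12 <= len(blob):
        length, ctype = struct.unpack_from(">I4s", blob, off)
        data_off = off + 8
        if data_off + length + 4 > len(blob):
            return
        data = blob[data_off:data_off + length]
        crc = struct.unpack_from(">I", blob, data_off + length)[0]
        yield ctype, data_off, length, crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        off = data_off + length + 4
        if ctype == b"IEND":
            return


def carve_pngs(blob: bytes):
    """Find every PNG signature, follow its chunk chain to the IEND trailer, return the images."""
    images = []
    pos = blob.find(PNG_SIGNATURE)
    while pos != -1:
        end = None
        for ctype, data_off, length, _ in walk_chunks(blob, pos):
            if ctype == b"IEND":
                end = data_off + length + 4      # include IEND's own CRC
        if end is None:                           # truncated image: skip this signature
            pos = blob.find(PNG_SIGNATURE, pos + 1)
            continue
        images.append(blob[pos:end])
        pos = blob.find(PNG_SIGNATURE, end)       # anything hidden after the trailer
    return images


def png_dimensions(png: bytes):
    """Width and height from IHDR, whose data starts at 8 (signature) + 8 (length+type)."""
    return struct.unpack_from(">II", png, 16)


def crc_ok(png: bytes) -> bool:
    """True when every chunk's stored CRC matches its contents."""
    return all(ok for _, _, _, ok in walk_chunks(png, 0))


# Constructed evidence file: a 4x2 image, its IEND trailer, then a 1x1 PNG
# appended after it, the layout the write-up describes.
EVIDENCE = build_png(4, 2, 0xAA) + build_png(1, 1, 0x00)

if __name__ == "__main__":
    for i, img in enumerate(carve_pngs(EVIDENCE)):
        print("image %d: %dx%d, %d bytes, crc ok=%s"
              % ((i,) + png_dimensions(img) + (len(img), crc_ok(img))))
        with open("carved_%d.png" % i, "wb") as fh:
            fh.write(img)
```

Reading the length field and jumping chunk by chunk is more reliable than searching for the bytes "IEND", since image data can contain that string by chance; the CRC check then confirms you cut on the right boundaries.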