# Reverse Engineering

Challenge	Link
Read	Here
Too Much	Here
ezpz	Here
CyberDark0x01: ShitComp	Here
CyberDark_0x02: Installer	Here
(Not) Easy	Here
fire in the androiddd	Here

## Read ### Description \- ### Solution Given a pyc file then i just try to decompile it using uncompyle6.

The script looks obfuscated but it is still readable. There is one interesting function and here is the code ```python def lababa(lebula): alalalalalalal = [ 73, 13, 19, 88, 88, 2, 77, 26, 95, 85, 11, 23, 114, 2, 93, 54, 71, 67, 90, 8, 77, 26, 0, 3, 93, 68] result = '' for belu in range(len(alalalalalalal)): if lebula[belu] != chr(alalalalalalal[belu] ^ ord(babababa[belu])): return 'bbblalaabalaabbblala' b2a = '' a2b = [122, 86, 75, 75, 92, 90, 77, 24, 24, 24, 25, 106, 76, 91, 84, 80, 77, 25, 77, 81, 92, 25, 92, 87, 77, 80, 75, 92, 25, 74, 77, 75, 80, 87, 94, 25, 88, 74, 25, 95, 85, 88, 94] for bbb in a2b: b2a += chr(bbb ^ 57) else: return b2a ``` It seems like checking function and then return something whether the check function is true or false. So i try to reconstruct the code to showing the return value and checking value ```python def lababa(): alalalalalalal = [ 73, 13, 19, 88, 88, 2, 77, 26, 95, 85, 11, 23, 114, 2, 93, 54, 71, 67, 90, 8, 77, 26, 0, 3, 93, 68] result = '' for belu in range(len(alalalalalalal)): b2a = '' a2b = [122, 86, 75, 75, 92, 90, 77, 24, 24, 24, 25, 106, 76, 91, 84, 80, 77, 25, 77, 81, 92, 25, 92, 87, 77, 80, 75, 92, 25, 74, 77, 75, 80, 87, 94, 25, 88, 74, 25, 95, 85, 88, 94] for bbb in a2b: b2a += chr(bbb ^ 57) else: return b2a babababa = 'you-may-need-this-key-1337' alalalalalalal = [73, 13, 19, 88, 88, 2, 77, 26, 95, 85, 11, 23, 114, 2, 93, 54, 71, 67, 90, 8, 77, 26, 0, 3, 93, 68] flag = "" for i in range(len(alalalalalalal)): flag += chr(alalalalalalal[i]^ord(babababa[i])) print("darkCON{"+flag+"}") ``` Flag : darkCON{0bfu5c4710ns\_v5\_4n1m4710ns} ## Too Much ### Description \- ### Solution Given ELF 64-bit executable and then i try to decompile it using IDA

It has many function but all functions are identical. The difference is the variables and constant value. So we can get all value and generate the code then get the flag. Get value using gdb scripting ```python #!/usr/bin/python3 static_val=[] class SolverEquation(gdb.Command): def __init__ (self): super (SolverEquation, self).__init__ ("solve-equation",gdb.COMMAND_OBSCURE) def invoke (self, arg, from_tty): address_arr =['0x0000000000001189','0x00000000000011b4','0x00000000000011df','0x000000000000120a','0x0000000000001237','0x0000000000001262','0x000000000000128f','0x00000000000012bc','0x00000000000012e9','0x0000000000001314','0x000000000000133f','0x000000000000136a','0x0000000000001397','0x00000000000013c4','0x00000000000013ef','0x000000000000141a','0x0000000000001447','0x0000000000001472','0x000000000000149d','0x00000000000014c8','0x00000000000014f5','0x0000000000001522','0x000000000000154f','0x000000000000157c','0x00000000000015a7','0x00000000000015d4','0x00000000000015ff','0x000000000000162c','0x0000000000001659','0x0000000000001684','0x00000000000016b1','0x00000000000016de','0x000000000000170b','0x0000000000001736','0x0000000000001763','0x000000000000178e','0x00000000000017b9','0x00000000000017e6','0x0000000000001813','0x000000000000183e','0x0000000000001869','0x0000000000001896','0x00000000000018c1','0x00000000000018ec','0x0000000000001919','0x0000000000001946','0x0000000000001971','0x000000000000199c','0x00000000000019c9','0x00000000000019f6','0x0000000000001a21','0x0000000000001a4e','0x0000000000001a79','0x0000000000001aa4','0x0000000000001ad1','0x0000000000001afe','0x0000000000001b29','0x0000000000001b56','0x0000000000001b81','0x0000000000001bac','0x0000000000001bd9','0x0000000000001c06','0x0000000000001c33','0x0000000000001c60','0x0000000000001c8d','0x0000000000001cba','0x0000000000001ce7','0x0000000000001d14','0x0000000000001d41','0x0000000000001d6e','0x0000000000001d9b','0x0000000000001dc8','0x0000000000001df3','0x0000000000001e20','0x0000000000001e4b','0x0000000000001e78','0x0000000000001ea5','0x0000000000001ed2','0x0000000000001eff','0x0000000000001f2a','0x0000000000001f55','0x0000000000001f82','0x0000000000001fad','0x0000000000001fd8','0x0000000000002003','0x000000000000202e','0x0000000000002059','0x0000000000002084','0x00000000000020b1','0x00000000000020dc','0x0000000000002107','0x0000000000002132','0x000000000000215f','0x000000000000218a','0x00000000000021b5','0x00000000000021e2','0x000000000000220d','0x000000000000223a','0x0000000000002265','0x0000000000002290','0x00000000000022bb','0x00000000000022e6','0x0000000000002313','0x000000000000233e','0x0000000000002369','0x0000000000002394','0x00000000000023bf','0x00000000000023ec','0x0000000000002417','0x0000000000002442','0x000000000000246d','0x000000000000249a','0x00000000000024c5','0x00000000000024f2','0x000000000000251f','0x000000000000254a','0x0000000000002577','0x00000000000025a2','0x00000000000025cf','0x00000000000025fa','0x0000000000002627','0x0000000000002654','0x000000000000267f','0x00000000000026ac','0x00000000000026d7','0x0000000000002702','0x000000000000272f','0x000000000000275c','0x0000000000002787','0x00000000000027b4','0x00000000000027df','0x000000000000280a','0x0000000000002837','0x0000000000002864','0x000000000000288f','0x00000000000028bc','0x00000000000028e7','0x0000000000002914','0x0000000000002941','0x000000000000296c','0x0000000000002997','0x00000000000029c2','0x00000000000029ef','0x0000000000002a1c','0x0000000000002a47','0x0000000000002a72','0x0000000000002a9d','0x0000000000002aca','0x0000000000002af7','0x0000000000002b22','0x0000000000002b4d','0x0000000000002b7a','0x0000000000002ba7','0x0000000000002bd2','0x0000000000002bfd','0x0000000000002c28','0x0000000000002c53','0x0000000000002c7e','0x0000000000002ca9','0x0000000000002cd6','0x0000000000002d01','0x0000000000002d2c','0x0000000000002d59','0x0000000000002d84','0x0000000000002daf','0x0000000000002dda','0x0000000000002e05','0x0000000000002e30','0x0000000000002e5d','0x0000000000002e88','0x0000000000002eb3','0x0000000000002ede','0x0000000000002f0b','0x0000000000002f36','0x0000000000002f61','0x0000000000002f8e','0x0000000000002fb9','0x0000000000002fe4','0x0000000000003011','0x000000000000303e','0x000000000000306b','0x0000000000003098','0x00000000000030c3','0x00000000000030f0','0x000000000000311b','0x0000000000003148','0x0000000000003173','0x000000000000319e','0x00000000000031c9','0x00000000000031f6','0x0000000000003223','0x000000000000324e','0x000000000000327b','0x00000000000032a6','0x00000000000032d3','0x0000000000003300','0x000000000000332b','0x0000000000003358','0x0000000000003383','0x00000000000033ae'] global static_val for i in address_arr: tmp=gdb.execute('x/i '+hex(int(i,16)+35), to_string=True).strip().split(",")[1] static_val.append(int(tmp,16)) print(static_val) def addr2num(addr): try: return int(addr)&0xff # Python 3 except: return long(addr) # Python 2 SolverEquation() ``` Generate the comparison algorithm and get the value using z3 ```python from z3 import * a = [BitVec("x{}".format(i), 8) for i in range(200)] arr=[70, 22, 39, 182, 52, 244, 228, 183, 67, 39, 51, 245, 151, 3, 87, 245, 39, 51, 67, 198, 198, 151, 245, 71, 134, 19, 230, 182, 19, 230, 147, 245, 71, 134, 67, 71, 245, 151, 3, 87, 245, 54, 67, 230, 245, 71, 39, 151, 245, 71, 134, 19, 83, 245, 214, 67, 230, 87, 67, 198, 198, 151, 243, 243, 243, 245, 244, 182, 245, 148, 245, 71, 134, 19, 230, 182, 245, 151, 3, 87, 245, 38, 51, 71, 71, 51, 39, 245, 87, 55, 51, 245, 55, 3, 214, 51, 245, 22, 87, 71, 3, 214, 67, 71, 51, 70, 245, 71, 3, 3, 198, 55, 245, 198, 19, 182, 51, 245, 67, 230, 147, 39, 245, 3, 39, 245, 165, 51, 245, 71, 3, 245, 214, 67, 182, 51, 245, 151, 3, 87, 39, 245, 198, 19, 102, 51, 245, 214, 87, 54, 134, 245, 86, 67, 55, 19, 51, 39, 226, 52, 3, 230, 118, 39, 67, 71, 55, 245, 102, 3, 39, 245, 55, 3, 198, 103, 19, 150, 230, 147, 245, 71, 134, 51, 245, 86, 67, 55, 151, 245, 54, 134, 67, 198, 198, 51, 230, 118, 51, 215] s=Solver() for i in range(200): eval("s.add((16 * a["+str(i)+"]) + (a["+str(i)+"] >> 4) == "+str(arr[i])+")") s.check() model=s.model() flag="" for i in a: flag+=chr(model[i].as_long()) print(flag) ``` Flag : darkCON{4r3\_y0u\_r34lly\_th1nk1n9\_th4t\_y0u\_c4n\_try\_th15\_m4nu4lly???\_Ok\_I\_th1nk\_y0u\_b3tt3r\_us3\_s0m3\_aut0m4t3d\_t00ls\_l1k3\_4n9r\_0r\_Z3\_t0\_m4k3\_y0ur\_l1f3\_much\_e4s13r.C0ngr4ts\_f0r\_s0lv1in9\_th3\_e4sy\_ch4ll3ng3} ## ezpz ### Description \- ### Solution Given apk file and then i try to decompile the apk.

Looking at MainActivity class we know that there is flag checking in YEET\[0].equals(MainActivity.**this**.button.getText().toString()). So the idea is make the application showing flag instead of “Damn…500 times? are u kidding me” with patching the counter and change the string to be shown. ```smali # Original ( MainActivity$1.smali ) const/16 v3, 0x1f4 # Patched ( MainActivity$1.smali ) const/16 v3, 0x0 # Original ( MainActivity$1.smali ) .line 50 :cond_1 iget-object v1, p0, Lcom/application/ezpz/MainActivity$1;->this$0:Lcom/application/ezpz/MainActivity; invoke-virtual {v1}, Lcom/application/ezpz/MainActivity;->getApplicationContext()Landroid/content/Context; move-result-object v1 const-string v3, "Damn...500 times? are u kidding me" invoke-static {v1, v3, v2}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast; move-result-object v1 invoke-virtual {v1}, Landroid/widget/Toast;->show()V goto :goto_0 # Patched ( MainActivity$1.smali ) .line 50 :cond_1 iget-object v1, p0, Lcom/application/ezpz/MainActivity$1;->this$0:Lcom/application/ezpz/MainActivity; invoke-virtual {v1}, Lcom/application/ezpz/MainActivity;->getApplicationContext()Landroid/content/Context; move-result-object v1 iget-object v3, p0, Lcom/application/ezpz/MainActivity$1;->val$YEET:[Ljava/lang/String; aget-object v3, v3, v2 invoke-static {v1, v3, v2}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast; move-result-object v1 invoke-virtual {v1}, Landroid/widget/Toast;->show()V goto :goto_0 ``` And then we will get the flag when click “CLICK ME” button

## CyberDark0x01: ShitComp ### Description \- ### Solution Given ELF 64-bit and then i try to decompile it using IDA

At first the program will compress our file ( as shown image above )

And then encrypted the compressed data. So the idea is decrypt the data by brute force the algorithm then uncompress the data by reversing the algorithm. ```python from Crypto.Util.number import bytes_to_long as b2l f=open("Installer.shitty","r") plain=f.read() f.close() v4 = "CyberDarkIsACoolGameAndIWannaPlayIt" file = "" for i in range(0,len(plain),3): v8 = ord(v4[i%len(v4)]) v9 = v8 v11 = (v9>>4)&0xff for j in range(0xff+1): v10 = (j^v8)&0xf tmp = v10 | 16 * ( v11 ^ ((j>>4)&0xff)) if(tmp==ord(plain[i])): v8 = ord(v4[(i+2)%len(v4)]) v9 = v8 v11 = (v9>>4)&0xff for k in range(0xff+1): v10 = (k^v8)&0xf tmp2 = v10 | 16 * ( v11 ^ ((k>>4)&0xff)) if(tmp2==ord(plain[i+2])): v8 = ord(v4[(i+1)%len(v4)]) v9 = v8 v11 = (v9>>4)&0xff for l in range(0xff+1): v10 = (l^v8)&0xf tmp3 = v10 | 16 * ( v11 ^ ((l>>4)&0xff)) if(tmp3==ord(plain[i+1])): file+=chr(j)*b2l(chr(l)+chr(k)) break break break file+="\x00"*15 f=open("original","wb") f.write(file) f.close() ``` And then by running original ELF we will get the flag

## CyberDark\_0x02: Installer ### Description \- ### Solution Now we need to work with the original ELF. So i try to decompile it using IDA

We can see there is function that the return value is compared by constant value and determine whether the result is correct key or wrong key.

At first the program check the input ( it must uppercase ) and store the input to variable ( except the “-” ).

After that it call function that generate values and our input will be the index of that value.

And the last is checking our input with comparison algorithm that using manipulation of index of array and array. So the idea is reversing the algorithm to generate the key then submit it to server. But i only got 8 correct key ( the other keys are incorrect because there is one character that are not uppercase ) . So for the 2 other keys i brute force one character and then got the correct uppercase character on that position and submit all keys. ( we can use tmp variable to store the index same as the original code in binary for simplicity ) ```python from pwn import * import string list_char = list(map(ord,string.uppercase)) buf = [0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x1, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, 0x4, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x5, 0x9a, 0x7, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, 0x9, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, 0x53, 0xd1, 0x0, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x2, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, 0xcd, 0xc, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0xb, 0xdb, 0xe0, 0x32, 0x3a, 0xa, 0x49, 0x6, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x8, 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x3, 0xf6, 0xe, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, 0x8c, 0xa1, 0x89, 0xd, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0xf, 0xb0, 0x54, 0xbb, 0x16, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0] off_3560 = [0x2c8, 0x131, 0x185, 0x2ef, 0x2d1, 0x194, 0x2e3, 0x3e8, 0x3cc, 0x276, 0x22c, 0x295, 0x138, 0x21b, 0x252, 0x1b6, 0x263, 0x1f6, 0x3ee, 0x19d, 0x151, 0x379, 0x39a, 0x119, 0x1ef, 0x1ff, 0x2c3, 0x2af, 0x24a, 0x31d, 0x1b8, 0x33d, 0x1b7, 0x206, 0x235, 0x144, 0x396, 0x316, 0x3af, 0x1c2, 0x115, 0x308, 0x301, 0x239, 0x129, 0x1d3, 0x388, 0x3b3, 0x2ed, 0x245, 0x3fd, 0x261, 0x3a4, 0x2e1, 0x143, 0x3dd, 0x16b, 0x3a3, 0x1ac, 0x380, 0x1a5, 0x2cd, 0x2c8, 0x3a1, 0x2c3, 0x253, 0x300, 0x35c, 0x287, 0x2f8, 0x1f5, 0x2cb, 0x246, 0x236, 0x305, 0x231, 0x23e, 0x37e, 0x177, 0x2a6, 0x3c1, 0x3c0, 0x18f, 0x16f, 0x268, 0x2c4, 0x2f8, 0x390, 0x129, 0x14b, 0x1d3, 0x268, 0x310, 0x3e2, 0x167, 0x249, 0x211, 0x21e, 0x16c, 0x157, 0x21e, 0x25f, 0x38f, 0x21f, 0x1db, 0x2ce, 0x1fe, 0x2d8, 0x272, 0x160, 0x36c, 0x14e, 0x3bc, 0x2b1, 0x229, 0x3b4, 0x2c1, 0x358, 0x156, 0x109, 0x1ad, 0x3f6, 0x379, 0x386, 0x1b9, 0x2e8, 0x101, 0x32a, 0x38e, 0x318, 0x2a0, 0x132, 0x337, 0x306, 0x375, 0x160, 0x27f, 0x347, 0x204, 0x188, 0x362, 0x13e, 0x2b6, 0x3f5, 0x31b, 0x33a, 0x2a1, 0x130, 0x2b5, 0x33a, 0x14c, 0x1b4, 0x3a5, 0x1dc, 0x26b, 0x184, 0x159, 0x3fc, 0x12e, 0x2db, 0x27c, 0x38f, 0x1c3, 0x2b7, 0x21f, 0x1c1, 0x20b, 0x150, 0x134, 0x2b8, 0x116, 0x103, 0x3b8, 0x34c, 0x397, 0x369, 0x1b0, 0x18f, 0x133, 0x3d9, 0x176, 0x1fc, 0x322, 0x153, 0x37b, 0x285, 0x3fc, 0x329, 0x3b3, 0x289, 0x3aa, 0x14b, 0x114, 0x189, 0x182, 0x29f, 0x290, 0x239, 0x1ea, 0x276, 0x173, 0x176, 0x19a, 0x3c2, 0x368, 0x335, 0x3c2, 0x2de, 0x190, 0x14c, 0x372, 0x3df, 0x281, 0x1df, 0x226, 0x2fc, 0x126, 0x32b, 0x2bf, 0x27e, 0x1c1, 0x155, 0x355, 0x328, 0x225, 0x384, 0x394, 0x2b0, 0x3ef, 0x108, 0x399, 0x200, 0x1cd, 0x304, 0x2f6, 0x3a6, 0x302, 0x208, 0x267, 0x1d4, 0x271, 0x121, 0x2f0, 0x26f, 0x2f7, 0x2ed, 0x3cf, 0x224, 0x32c, 0x1f1, 0x1aa, 0x1f8, 0x166, 0x205, 0x3fa, 0x105, 0x2f6, 0x2e7, 0x191, 0x3ad, 0x3ae, 0x192, 0x2f4, 0x176, 0x2f5, 0x10e, 0x1f7, 0x3fe, 0x3fd, 0x251, 0x23c, 0x186, 0x2f, 0x295, 0x1f3, 0x281, 0x3cc, 0x2d5, 0x1ca, 0x132, 0x257, 0x36a, 0x313, 0x3c5, 0x176, 0x1f9, 0xd1, 0x19f, 0x32d, 0x20, 0x25e, 0x30e, 0x3b, 0x3eb, 0x287, 0x110, 0x304, 0x2f, 0x1e8, 0x52, 0x2c7, 0x3c4, 0x2c3, 0x83, 0x2e7, 0x162, 0x1b, 0x1ba, 0x359, 0x3c8, 0x16f, 0x3d2, 0x11e, 0x2f, 0x20d, 0x1a, 0x276, 0x140, 0x20, 0x3c7, 0x18b, 0x39c, 0x1b9, 0x255, 0x3cf, 0x329, 0x385, 0x53, 0x396, 0x294, 0x2cd, 0x252, 0x5b, 0x24a, 0x84, 0x353, 0x3ff, 0x333, 0x15c, 0x2d9, 0x21a, 0x27c, 0x1a, 0x16f, 0x187, 0x245, 0x1d7, 0xbe, 0x367, 0x203, 0x2e2, 0x16d, 0x1a3, 0x1ed, 0x2a9, 0x341, 0x32b, 0x2cd, 0x1f4, 0x34b, 0x1cf, 0xbe, 0x147, 0x1df, 0x157, 0x3c6, 0x216, 0x84, 0x196, 0xed, 0x3bf, 0x1b0, 0x3e5, 0x264, 0x1e1, 0x27a, 0x19a, 0x221, 0x222, 0x165, 0x1b, 0x12b, 0x3cc, 0x29a, 0x365, 0x260, 0xb3, 0x3fa, 0x20b, 0x2a3, 0x34c, 0x3a6, 0x12f, 0x236, 0x3f0, 0x1fc, 0x3be, 0x3c9, 0x25c, 0x163, 0x3da, 0x235, 0x0, 0x23e, 0x235, 0x2c0, 0x53, 0x1c7, 0x2e4, 0x250, 0xbe, 0x378, 0x1d6, 0x2a6, 0x258, 0x5b, 0x266, 0xed, 0x1af, 0x158, 0x16b, 0x33d, 0x2da, 0x25a, 0x229, 0x1c0, 0x304, 0x2cb, 0x3b6, 0x310, 0x175, 0xbe, 0x213, 0x1fa, 0x1be, 0x3fe, 0x27a, 0x15c, 0x0, 0x2bb, 0x3e9, 0x39b, 0xa0, 0x192, 0x350, 0x1ad, 0x22b, 0x1cd, 0x6a, 0x13e, 0x20a, 0x343, 0x3be, 0x3a0, 0x2b8, 0x6e, 0x331, 0x0, 0x39f, 0x251, 0x224, 0x30c, 0x37d, 0x28e, 0x1ba, 0x23e, 0x2d3, 0x1e3, 0x137, 0x1e6, 0x220, 0x3e3, 0x274, 0x3ff, 0x3ed, 0x278, 0x1e8, 0x120, 0x33a, 0x215, 0x1da, 0x274, 0x53, 0x288, 0x2aa, 0x2dd, 0x2a5, 0x225, 0xd1, 0x262, 0x2ec, 0x152, 0x392, 0x236, 0x3fe, 0x1bd, 0x145, 0x226, 0x2d6, 0x2fa, 0x0, 0x358, 0x2a2, 0x27c, 0x162, 0x1b2, 0x2f4, 0x15e, 0x214, 0x2cc, 0x2c, 0x2e4, 0x286, 0x3b3, 0x335, 0x316, 0xb2, 0x16a, 0x1d9, 0x34f, 0x6a, 0x35c, 0xed, 0x14, 0x307, 0xfc, 0x11e, 0x382, 0x36e, 0x4a, 0x194, 0x29, 0x388, 0x136, 0x13a, 0x3ad, 0x3d7, 0x29, 0x2fa, 0x18f, 0x2cb, 0x17a, 0x298, 0x141, 0x2bd, 0x105, 0x15c, 0x255, 0xe6, 0x22e, 0x3b, 0x1c9, 0x96, 0x39, 0x3ff, 0x182, 0x11d, 0x5b, 0x38d, 0xbe, 0x13b, 0x249, 0x3bd, 0x3d1, 0x3d, 0x297, 0x23a, 0x159, 0xec, 0x1a7, 0x1d3, 0x2b9, 0xd1, 0x1af, 0x20, 0x3db, 0xd9, 0x19e, 0x222, 0x2c1, 0x20, 0x310, 0x2c2, 0xb1, 0x15b, 0x3bd, 0xe3, 0x12f, 0x101, 0x3e, 0x218, 0xb6, 0x7a, 0x31a, 0x266, 0x9d, 0x202, 0x14f, 0xa7, 0xbe, 0x2b8, 0x3f5, 0x29, 0x2f1, 0x2e9, 0x260, 0x53, 0x2a6, 0x22e, 0x54, 0x84, 0x33b, 0x6e, 0x201, 0x84, 0x35f, 0x6e, 0x348, 0x3a4, 0xb6, 0xe3, 0x2b0, 0x190, 0x6e, 0x174, 0x222, 0x1c, 0xd7, 0x256, 0x309, 0x52, 0x3e0, 0x114, 0x288, 0x3ea, 0x241, 0x32b, 0x13f, 0x273, 0xa9, 0x20b, 0x88, 0x2a, 0xa0, 0x2c4, 0x335, 0x33b, 0xa, 0xe3, 0x39c, 0x230, 0x26b, 0x6e, 0x101, 0xb1, 0xc4, 0x285, 0xe1, 0x12, 0x101, 0x36d, 0x1b, 0x28c, 0x1d6, 0x241, 0x214, 0x340, 0x2ba, 0x39c, 0x18, 0xc0, 0x2db, 0x153, 0x3ef, 0x289, 0x3c7, 0xfc, 0x1f4, 0xbe, 0x182, 0x21c, 0x287, 0x266, 0x1d6, 0x1ad, 0x3d5, 0x9c, 0x6d, 0x3b, 0x156, 0x358, 0x322, 0x3d3, 0x3ac, 0x39a, 0x197, 0x29, 0x14e, 0x1f7, 0x2c, 0x370, 0x2ab, 0x1c6, 0x8b, 0x5c, 0x299, 0x143, 0x0, 0x3d1, 0xc1, 0x136, 0x1b, 0x233, 0xea, 0x206, 0x229, 0x8f, 0x240, 0x1b0, 0x79, 0x1aa, 0x28d, 0x260, 0x1af, 0x347, 0x143, 0x1be, 0x3a3, 0x1e2, 0x382, 0x64, 0x1ba, 0x310, 0x16a, 0x270, 0x29, 0x247, 0x330, 0x65, 0x221, 0xfc, 0x22f, 0xda, 0x29, 0x2ee, 0x2c0, 0x2b1, 0x10c, 0x269, 0xd5, 0xed, 0x32e, 0x34d, 0xcb, 0x202, 0x5c, 0xe6, 0x190, 0x2f1, 0x39c, 0x1d7, 0x1d1, 0xed, 0x17c, 0x3, 0x359, 0xda, 0x217, 0x1c5, 0x1c4, 0x241, 0x2e1, 0x368, 0x3d2, 0x33e, 0x3b0, 0x2ce, 0x17c, 0x371, 0x3af, 0xed, 0x3e8, 0x37, 0x63, 0x31a, 0x10d, 0x2ec, 0x52, 0x26c, 0x2c2, 0x199, 0x2a4, 0x38d, 0x18d, 0xcb, 0x1e2, 0x2a6, 0xff, 0x2a0, 0x244, 0x160, 0x298, 0x1e2, 0x2b9, 0x25b, 0x5a, 0x1a1, 0x326, 0xa3, 0x297, 0x26f, 0x1be, 0x3fe, 0xb0, 0x0, 0x121, 0x394, 0x5b, 0x19a, 0x299, 0xd1, 0x2df, 0x2f8, 0x13c, 0xa0, 0x3a2, 0x352, 0x53, 0x30c, 0x72, 0x1b, 0x334, 0x70, 0x263, 0x5c, 0x352, 0x378, 0x154, 0x20f, 0x20c, 0x1a, 0x139, 0x154, 0x360, 0x3c4, 0x3d0, 0xcf, 0x2f5, 0xd1, 0x22d, 0x3a4, 0xeb, 0x2bd, 0x223, 0x39c, 0x23e, 0xb1, 0x3d7, 0x2ef, 0x148, 0x5a, 0x313, 0xf5, 0x53, 0x350, 0x108, 0x1b9, 0x3a6, 0x9a, 0x34, 0x12a, 0x5a, 0x26f, 0x2df, 0x279, 0x2a9, 0x37d, 0x9f, 0x3f6, 0xfb, 0x20, 0x110, 0x1cc, 0x10d, 0x15a, 0xfc, 0x1b6, 0x3f7, 0xea, 0x9a, 0x36c, 0x21d, 0x1c8, 0x1a0, 0x3b6, 0x212, 0x84, 0x1c0, 0xa0, 0x267, 0x277, 0x2ff, 0x5a, 0x171, 0xe3, 0x2a4, 0x2a9, 0x56, 0xcf, 0x6a, 0x1d4, 0x1a, 0x124, 0xe1, 0x351, 0x1c3, 0x389, 0x303, 0x5a, 0x1c2, 0x32b, 0x22e, 0x2c9, 0x48, 0x5a, 0x3f4, 0x43, 0x6a, 0x31a, 0xb5, 0x3b, 0x375, 0x2a9, 0x3d1, 0x13c, 0x65, 0x201, 0x3a2, 0x1d7, 0x327, 0x8b, 0x22b, 0x2a7, 0x10b, 0x99, 0x218, 0x26c, 0x277, 0x11b, 0x24d, 0x342, 0xef, 0x10b, 0x14b, 0x3a3, 0x3fb, 0x143, 0x4c, 0x2c7, 0xed, 0x169, 0x3a9, 0xd6, 0x325, 0x3fd, 0x9c, 0x56, 0xb3, 0x33e, 0x133, 0x69, 0xf7, 0x1e6, 0x1fa, 0xfc, 0x1b, 0x15c, 0x84, 0x338, 0x57, 0xee, 0x39f, 0xbb, 0xd6, 0x244, 0x238, 0x15d, 0x52, 0x386, 0x26e, 0x119, 0x42, 0xfc, 0x38f, 0x1a5, 0x211, 0x3d, 0x1d3, 0x320, 0x11d, 0x2c, 0x219, 0x28a, 0xb3, 0x25a, 0x33, 0x22a, 0x282, 0x3fd, 0x6d, 0x11, 0xe, 0x3b, 0x257, 0x232, 0x341, 0x3d2, 0x238, 0x6a, 0x1bd, 0x188, 0x184, 0xb0, 0x152, 0x21c, 0xc4, 0x76, 0x1f0, 0x1c, 0x325, 0x1ff, 0x3ca, 0x3e7, 0x12c, 0x1ed, 0x12d, 0x113, 0x56, 0x1d4, 0x111, 0x1e0, 0xb7, 0xda, 0x396, 0x1b4, 0x33a, 0x28b, 0xf3, 0x2d2, 0x16e, 0x18b, 0x331, 0x4b, 0xc5, 0x135, 0x175, 0x271, 0xf4, 0x18e, 0x171, 0x165, 0x300, 0x61, 0x343, 0x14e, 0x71, 0x7c, 0x19a, 0x246, 0x29e, 0xac, 0x2f6, 0x53, 0x2c3, 0x2c4, 0x2da, 0x11c, 0xa6, 0x3e, 0x33e, 0x1df, 0x396, 0xa5, 0xcd, 0x125, 0x147, 0x344, 0x1f2, 0x40, 0x1d2, 0x218, 0x1c4, 0xdc, 0x3ac, 0x38, 0x1ac, 0x305, 0x17e, 0x14e, 0x2b1, 0x91, 0x1c6, 0x37b, 0xce, 0x2b3, 0x37f, 0x383, 0x245, 0x70, 0x25e, 0x1a7, 0x2c9, 0x3b5, 0x3d0, 0x26e, 0x1a2, 0x30f, 0x2da, 0x387, 0x216, 0x15, 0x26c, 0x113, 0xea, 0x3db, 0x146, 0x31, 0x280, 0x3e7, 0x151, 0x78, 0x27f, 0x270, 0x360, 0xd1, 0x255, 0x1b4, 0x12, 0xb0, 0xc, 0x85, 0x2d3, 0x17b, 0x394, 0x140, 0x1c5, 0x3f8, 0x34e, 0xc4, 0x29d, 0xfa, 0x147, 0x1a9, 0x210, 0x152, 0x1f, 0x3ca, 0x44, 0x3d8, 0x31, 0xf7, 0x67, 0x322, 0x373, 0x299, 0x395, 0x1cb, 0x3bd, 0xcc, 0x2d9, 0x8d, 0x2d3, 0x2b6, 0xbb, 0x2f1, 0x25f, 0xd7, 0x3d5, 0x252, 0x32c, 0x265, 0x2cc, 0x120, 0x1c, 0x31c, 0x21d, 0x385, 0x30, 0x57, 0x3b, 0x3b3, 0x1e0, 0xd1, 0x2f, 0x12f, 0x1b6, 0x3da, 0x29d, 0xd6, 0x3f5, 0x1b2, 0x206, 0x11d, 0x353, 0x3fe, 0x2b4, 0xc4, 0x1e7, 0x41, 0x177, 0xd9, 0x2e3, 0x38a, 0x293, 0x20c, 0x2ae, 0x3f6, 0x11d, 0x37a, 0xa7, 0x11b, 0x2b9, 0x1b4, 0xe5, 0x169, 0x328, 0x1e4, 0x313, 0x3f, 0x24d, 0xc2, 0x380, 0x14e, 0x117, 0x2d4, 0x1ff, 0x1a5, 0x6a, 0x10c, 0x304, 0x155, 0x3a3, 0x3da, 0x4d, 0x278, 0x197, 0x0, 0xc3, 0x386, 0x7b, 0x8c, 0x1de, 0x271, 0x3c1, 0x17d, 0x127, 0x1e5, 0xc9, 0x3cb, 0x1f1, 0x16f, 0xb1, 0x213, 0x3c3, 0x20d, 0x308, 0x343, 0x2dd, 0x15, 0x1b6, 0x27, 0x33e, 0x20b, 0x30f, 0xb7, 0x2ec, 0x15d, 0x3b6, 0x272, 0x8d, 0x83, 0x329, 0xb1, 0xcc, 0x26, 0x246, 0x393, 0x3ae, 0xc0, 0x35, 0x18f, 0x2a4, 0x133, 0x2a4, 0x149, 0x202, 0x10, 0x21e, 0x128, 0x375, 0x59, 0x30e, 0x2ff, 0x123, 0x1fb, 0x38b, 0x33a, 0x88, 0x3de, 0x3b5, 0x69, 0x154, 0x200, 0xf8, 0x299, 0x3de, 0x154, 0x3fe, 0x5a, 0x24c, 0x14f, 0x1b5, 0x121, 0x34c, 0x332, 0x18b, 0x1fc, 0x88, 0x2d6, 0x259, 0x307, 0x31f, 0x43, 0x3c9, 0x1df, 0x4e, 0x348, 0x147, 0x2ff, 0x1e1, 0xb, 0x24e, 0x2b2, 0x1b9, 0x119, 0x96, 0x26a, 0x215, 0x2c5, 0x17b, 0x396, 0x51, 0x294, 0x16c, 0x276, 0xca, 0x37a, 0x183, 0x1bf, 0x6f, 0x294, 0x2fe, 0x2f6, 0x17c, 0x39d, 0x1ab, 0x163, 0xfa, 0xcb, 0x3dc, 0x258, 0x2e1, 0x234, 0x33e, 0x4b, 0x3d3, 0x3e6, 0x1ae, 0x229, 0x3eb, 0x217, 0x27a, 0x55, 0x240, 0x17e, 0x5b, 0x159, 0x38e, 0xc1, 0xa7, 0xf3, 0x3a8, 0x119, 0x3f0, 0x7d, 0x176, 0x12e, 0x1a0, 0x385, 0x221, 0x1a8, 0x1ec, 0x2c1, 0x216, 0xa, 0x342, 0x3e1, 0x197, 0x398, 0x1c, 0x1d9, 0x34, 0x90, 0x2e2, 0xa8, 0xdd, 0x6e, 0x1ac, 0x18e, 0x0, 0x321, 0x298, 0x259, 0xb7, 0x3d0, 0x14f, 0x342, 0x39b, 0x131, 0x1a, 0x296, 0x3d3, 0x9, 0x24d, 0x4b, 0x1cd, 0x2c7, 0x3c6, 0x1b9, 0x177, 0x288, 0x153, 0x22, 0x1b7, 0x38a, 0x2ee, 0xb6, 0x2b3, 0x2f0, 0x308, 0x24e, 0x18e, 0x96, 0x131, 0x38e, 0xb7, 0x55, 0x1c8, 0x347, 0x14a, 0x30e, 0x333, 0x17d, 0xcf, 0x183, 0x22, 0x24c, 0x97, 0x189, 0x22f, 0x15e, 0x1fd, 0x323, 0x3e3, 0xc0, 0x256, 0x95, 0x323, 0x2b3, 0x8a, 0xd6, 0x22c, 0x271, 0x1f8, 0x205, 0x11a, 0x1a7, 0xba, 0x3fa, 0x1ac, 0x1c4, 0x37, 0x3bd, 0x1c6, 0x7e, 0x20, 0xdf, 0x177, 0x12b, 0x1be, 0x2fe, 0x32a, 0x1c3, 0x1b1, 0x1c9, 0x2c2, 0x334, 0x1c5, 0x34e, 0x17e, 0x1ff, 0x302, 0xfe, 0x1e7, 0x3de, 0xdb, 0x2d5, 0x157, 0xed, 0x375, 0x252, 0x75, 0x3ae, 0x15c, 0x3c0, 0x309, 0x1f2, 0x48, 0xdb, 0x10e, 0x283, 0x2c0, 0x15f, 0x302, 0x179, 0x160, 0x18f, 0x205, 0x180, 0x7b, 0x2f1, 0x202, 0x92, 0x315, 0x26c, 0x376, 0x3aa, 0x3a2, 0x202, 0x24e, 0x159, 0x58, 0x3c2, 0x1a1, 0xf8, 0x34e, 0x183, 0x1a9, 0x2c1, 0x2a0, 0x1bb, 0x131, 0x336, 0x376, 0x30a, 0x3b, 0x28b, 0x1eb, 0x243, 0x167, 0x10c, 0x12d, 0xd7, 0x1c7, 0x2ad, 0x3fe, 0x195, 0xd6, 0x182, 0x30d, 0x1ad, 0x3a2, 0x6e, 0x20c, 0x65, 0x318, 0x263, 0x1ca, 0x76, 0x35f, 0x70, 0x115, 0x30a, 0x3e5, 0x3a7, 0x23f, 0xde, 0x3b5, 0xe0, 0x3ad, 0xfc, 0x2ca, 0x295, 0x4e, 0x15b, 0x1d8, 0x4f, 0x33f, 0x16d, 0xb1, 0x6a, 0xcf, 0x18e, 0xa5, 0x68, 0x26b, 0xe0, 0xfc, 0x369, 0x8b, 0x23f, 0x20d, 0xf, 0x1, 0x59, 0x1d0, 0x16c, 0x21c, 0x124, 0x236, 0xa2, 0x186, 0x6a, 0x2b8, 0xd3, 0x2a, 0x18d, 0x16e, 0x8b, 0x328, 0x34b, 0x12b, 0x4b, 0x7d, 0x36b, 0x38e, 0x269, 0x204, 0x178, 0x1c7, 0x237, 0x1b0, 0x1a1, 0xa, 0x2f2, 0x141, 0x283, 0x266, 0x134, 0x29, 0x46, 0x252, 0x3e9, 0x374, 0x13e, 0x16a, 0x16f, 0x330, 0xe5, 0x356, 0xdd, 0x1fb, 0x18a, 0x397, 0xa2, 0x1ca, 0x269, 0xd9, 0x4e, 0x295, 0x362, 0x22b, 0x42, 0xbc, 0x2a, 0x2c9, 0x15c, 0x33c, 0xf6, 0x22f, 0x30c, 0xe5, 0x2d5, 0x12e, 0x2d3, 0x34c, 0xb, 0x26a, 0xda, 0x336, 0x154, 0x8d, 0x32f, 0x5a, 0x3f8, 0x6b, 0x2d7, 0xc6, 0x153, 0x1ab, 0x21b, 0x4e, 0x374, 0x131, 0x85, 0x191, 0x354, 0x306, 0x2d7, 0x21b, 0x1ba, 0x346, 0x35f, 0x257, 0x310, 0x44, 0x14b, 0x17f, 0x2b1, 0x30b, 0xd8, 0x346, 0x1e3, 0x8c, 0x250, 0x353, 0x11d, 0x376, 0x3be, 0x22a, 0x1ef, 0x184, 0x22b, 0x311, 0x294, 0x397, 0x73, 0xba, 0x2ef, 0x19e, 0x3d8, 0x1bb, 0x3dd, 0xbd, 0x1e8, 0xa9, 0x94, 0x18e, 0x245, 0x2d1, 0x3b0, 0xb1, 0x1ae, 0x2f7, 0x33b, 0x277, 0x3e7, 0x26b, 0x1f8, 0x335, 0x261, 0x35f, 0x19b, 0x2f3, 0x3a4, 0x11c, 0x3ff, 0x1ca, 0x2b3, 0x3c4, 0x3d2, 0x3b2, 0x162, 0xa9, 0x51, 0x41, 0x75, 0x3ac, 0x13, 0xc1, 0x3d1, 0xe3, 0x217, 0x120, 0x56, 0x1d5, 0x3b5, 0x1a1, 0x377, 0x305, 0x1e7, 0x308, 0x97, 0x112, 0x119, 0x15b, 0x365, 0x219, 0x155, 0x277, 0x314, 0x177, 0x338, 0x221, 0x56, 0x196, 0x15e, 0x12c, 0x303, 0xcd, 0x369, 0x274, 0x22d, 0x2d2, 0x315, 0x28f, 0x2f8, 0x1de, 0x218, 0x2a5, 0xb3, 0x35a, 0x325, 0x11a, 0x26c, 0x166, 0x90, 0x227, 0x3f9, 0xc0, 0x13a, 0x119, 0x2b1, 0x179, 0x22c, 0x29, 0x103, 0x37e, 0x163, 0x3d5, 0x263, 0x53, 0xcb, 0x85, 0x17, 0x295, 0x49, 0x270, 0xf0, 0x32f, 0x23c, 0x62, 0x1fc, 0xca, 0x2a4, 0x315, 0x23e, 0x3d8, 0x37b, 0x200, 0x3f8, 0x213, 0x2cf, 0x352, 0x3f5, 0x22b, 0x39, 0x16, 0x16c, 0x3af, 0xb6, 0x1a5, 0x2aa, 0x38b, 0x12c, 0x2e4, 0x3b, 0x25, 0x3e6, 0x309, 0x119, 0x3fc, 0x2cb, 0x238, 0xbc, 0xd9, 0x2c3, 0x260, 0x142, 0x2b0, 0x23c, 0x12d, 0x3a8, 0x109, 0x4a, 0x22d, 0x212, 0x14c, 0x346, 0x276, 0xf8, 0x205, 0x3e5, 0x185, 0x1f3, 0x36e, 0x93, 0x3e7, 0xdf, 0x33b, 0x2e2, 0x2df, 0x90, 0x2d3, 0x3c, 0x3bd, 0xed, 0x168, 0x370, 0x1aa, 0x9d, 0x183, 0x367, 0x135, 0x9a, 0x178, 0x3a9, 0x179, 0x3fc, 0x211, 0x259, 0x151, 0x73, 0x351, 0x3b1, 0x2bc, 0x308, 0x36c, 0x343, 0x43, 0x3d2, 0xc5, 0x2b9, 0x10d, 0xca, 0x86, 0x1d4, 0x357, 0x356, 0x365, 0x117, 0x1a2, 0x1b3, 0x114, 0x291, 0x14e, 0x199, 0x184, 0x2a8, 0x333, 0x373, 0x140, 0x247, 0x9d, 0x3b, 0x1d2, 0x86, 0x2b8, 0x3b3, 0x271, 0x312, 0x19d, 0x170, 0x2dc, 0x369, 0x39c, 0xb0, 0x3b1, 0x2d, 0x2ce, 0x3b, 0x150, 0x3b8, 0x3ff, 0x314, 0x35b, 0x40, 0x164, 0x2f1, 0x1e0, 0x8f, 0x396, 0x138, 0x2a0, 0xe8, 0x53, 0x39e, 0x173, 0x2e0, 0xa6, 0x3e6, 0xc6, 0x286, 0xf, 0x95, 0xad, 0x10c, 0x115, 0x115, 0x3ea, 0x57, 0x2b6, 0xbb, 0x246, 0x2fa, 0x282, 0x24a, 0x36, 0x4f, 0x115, 0x121, 0x322, 0xff, 0x20d, 0x373, 0xf3, 0x98, 0x101, 0x148, 0x19e, 0xa2, 0x34d, 0x264, 0x30b, 0x1d5, 0x383, 0x389, 0x18c, 0x115, 0x2a4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0] key=[] for v4 in range(len(off_3560)): try: key.append(chr(buf.index(off_3560.index(v4)))+chr(buf.index(off_3560[v4]))+chr(buf.index(off_3560[off_3560[v4+1]]))+chr(buf.index(off_3560[off_3560[off_3560[v4+1]+1]]))+"-"+chr(buf.index(off_3560[off_3560[off_3560[off_3560[v4+1]+1]+1]]))+chr(buf.index(off_3560[off_3560[off_3560[off_3560[off_3560[v4+1]+1]+1]+1]]))+chr(buf.index(off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[v4+1]+1]+1]+1]+1]]))+chr(buf.index(off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[v4+1]+1]+1]+1]+1]+1]]))+"-"+chr(buf.index(off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[v4+1]+1]+1]+1]+1]+1]+1]]))+chr(buf.index(off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[v4+1]+1]+1]+1]+1]+1]+1]+1]]))+chr(buf.index(off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[v4+1]+1]+1]+1]+1]+1]+1]+1]+1]]))+chr(buf.index(off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[v4+1]+1]+1]+1]+1]+1]+1]+1]+1]+1]]))) except Exception as e: continue key[2]=key[2].replace("5","Q") key[6]=key[6].replace("\xfd","W") del key[8] r=remote("65.1.92.179",49156) for i in range(len(key)): r.recvuntil("key:") r.sendline(key[i]) print(r.recvline()) r.interactive() ```

## (Not) Easy ### Description \- ### Solution Given PE file and then i try to open it using IDA

Looking at encryption function it seems like modified xxtea encryption so the idea is reconstruct decrypt function by reversing the encryption algorithm. ```python import struct import string key = [0x34, 0x65, 0x33, 0x30, 0x33, 0x37, 0x35, 0x38, 0x37, 0x38, 0x33, 0x37, 0x33, 0x33, 0x33, 0x34] key = struct.unpack('<4I', bytes(key)) enc = [ 0xef, 0xd0, 0x58, 0x66, 0xa2, 0x12, 0x23, 0x7a, 0x3a, 0x8b, 0x31, 0x66, 0x56, 0x40, 0x79, 0x4e, 0xff, 0x12, 0x6b, 0xa0, 0x29, 0xa0, 0xc5, 0x16, 0x47, 0x80, 0xb5, 0xa1, 0xb8, 0x87, 0xaf, 0x92, 0xb2, 0x39, 0xeb, 0x85, 0xd8, 0x3d, 0x10, 0x09, 0xf7, 0x0f, 0x80, 0x69, 0x77, 0x60, 0xd7, 0x2d, 0x24, 0x49, 0xb3, 0xc9, 0xec, 0x23, 0xcb, 0xdc, 0xa6, 0x94, 0x05, 0x49, 0xca, 0xdd, 0x1d, 0xab, 0x5b, 0x36, 0x63, 0xf6, 0x57, 0xe5, 0x42, 0x43, 0x34, 0xdd, 0xd4, 0x56, 0x36, 0xbe, 0x88, 0xdd, 0x3c, 0xdf, 0x1d, 0x2a ] enc = [(bytes(enc[i:i+12])) for i in range(0,len(enc),12)] flag = b"" for block in enc: count = len(block) // 4 data = list(struct.unpack(f'<{count}I', block)) loop = 0x34 // len(data) + 6 t = 2604932717 for i in range(loop-1,-1,-1): tmp = (t >> 2) & 3 for j in range(len(data)-1, -1, -1): prev = data[(j - 1) % len(data)] next = data[(j + 1) % len(data)] data[j] -= (((prev >> 5) ^^ (next << 2)) + ((prev << 4) ^^ (next >> 3))) ^^ ((key[(j & 3) ^^ tmp] ^^ prev) + (t ^^ next)) data[j] = data[j] % 2**32 x = int(str(factorial(0x800 + 10*i*i))[:10]) t = (t - x) % 2^32 flag += struct.pack(f'<{len(data)}I', *data) flag=flag.decode() result="" for i in flag: if(i in string.printable[:-6]): result+=i print(result) ``` Flag : darkCON{4\_L177l3\_crYp70\_4\_d4y\_m4K3S\_R3v3rS3s\_g0\_4W4Y} ## fire in the androiddd ### Description \- ### Solution Given apk file and then i try to decompile it.

Looking at MainActivity that we need internet connection to run this application and there are a method called from data\_receiver class.

From getData method we know that class member ( data ) will store encrypted flag from firebase storage. data\_receiver.data will be used in magic function which is called by doInBackground function from nested class ( loader class in MyReceiver class )

Magic method is called from native library so we need to decompile that library to know what is magic method do

Java_com_application_darkcon_MyReceiver_magic

From the code above we know that our input xored with looper(i) and compared with v4 which is encrypted\_flag . Here is what looper function do

So the idea is getting the encrypted\_flag using frida then run looper function and xor it with encrypted\_flag and get the flag. Here is frida script that i used ```javascript Java.perform(function dump() { function sleep (time) { return new Promise((resolve) => setTimeout(resolve, time)); } var api_key_class = Java.use("com.application.darkcon.data_receiver"); var api_key_instance = api_key_class.$new(); console.log("[+] instance created: " + api_key_instance); console.log("[+] function called : " + api_key_instance.getData()); sleep(5000).then(() => { console.log("[+] data value: " + api_key_instance.data.value); }); }); ```

After that implemented the looper function ```python def looper(n): if (n == 0 or n == 1): return 1 v2 = [0 for i in range(n + 1)] v2[0] = 1 v2[1] = 1 for i in range(2, n + 1): v2[i] = 0 for j in range(i): v2[i] = v2[i] + v2[j] * v2[i-j-1] return v2[n]%2**32 enc = [101,96,112,110,77,101,202,470,1506,4758,16815,58877,208123,742855,2674489,9694735,35357570,129644713,477638735,1767263206,2269153033,2991430638,1288250377,3757197244,1413958429,43422424,2072914473,2325361044,2600037558,3008195127,3276256895,4169229947,300814809,3929270464,2526730686,2527522239,645964816,1351610749,573153031,1347646066,1945953402,3824419424,480774039,2833665279,2366904092,2809807660,3295802436,3644429150,720643560,906311378,992169127,1211139059,1465960990,4269303883,3179939394,4095898594,580984841,3596758568,1063564231,3288906933] flag = "" for i, j in enumerate(enc): flag+=chr(j ^ looper(i)) print(flag) ``` Flag : darkCON{th3\_w31rd\_c0mb1nat10n\_of\_fr1da\_4nd\_c4t4l4n\_ov3rf10w}