Given a pyc file then i just try to decompile it using uncompyle6.
The script looks obfuscated but it is still readable. There is one interesting function and here is the code
It seems like checking function and then return something whether the check function is true or false. So i try to reconstruct the code to showing the return value and checking value
Flag : darkCON{0bfu5c4710ns_v5_4n1m4710ns}
Too Much
Description
-
Solution
Given ELF 64-bit executable and then i try to decompile it using IDA
It has many function but all functions are identical. The difference is the variables and constant value. So we can get all value and generate the code then get the flag.
Get value using gdb scripting
Generate the comparison algorithm and get the value using z3
Flag : darkCON{4r3_y0u_r34lly_th1nk1n9_th4t_y0u_c4n_try_th15_m4nu4lly???_Ok_I_th1nk_y0u_b3tt3r_us3_s0m3_aut0m4t3d_t00ls_l1k3_4n9r_0r_Z3_t0_m4k3_y0ur_l1f3_much_e4s13r.C0ngr4ts_f0r_s0lv1in9_th3_e4sy_ch4ll3ng3}
ezpz
Description
-
Solution
Given apk file and then i try to decompile the apk.
Looking at MainActivity class we know that there is flag checking in YEET[0].equals(MainActivity.this.button.getText().toString()). So the idea is make the application showing flag instead of βDamnβ¦500 times? are u kidding meβ with patching the counter and change the string to be shown.
And then we will get the flag when click βCLICK MEβ button
CyberDark0x01: ShitComp
Description
-
Solution
Given ELF 64-bit and then i try to decompile it using IDA
sub_1410
At first the program will compress our file ( as shown image above )
sub_13A0
And then encrypted the compressed data. So the idea is decrypt the data by brute force the algorithm then uncompress the data by reversing the algorithm.
And then by running original ELF we will get the flag
CyberDark_0x02: Installer
Description
-
Solution
Now we need to work with the original ELF. So i try to decompile it using IDA
sub_1BD0
We can see there is function that the return value is compared by constant value and determine whether the result is correct key or wrong key.
sub_1AB0
At first the program check the input ( it must uppercase ) and store the input to variable ( except the β-β ).
sub_19A0
After that it call function that generate values and our input will be the index of that value.
sub_1A20
And the last is checking our input with comparison algorithm that using manipulation of index of array and array. So the idea is reversing the algorithm to generate the key then submit it to server. But i only got 8 correct key ( the other keys are incorrect because there is one character that are not uppercase ) . So for the 2 other keys i brute force one character and then got the correct uppercase character on that position and submit all keys.
( we can use tmp variable to store the index same as the original code in binary for simplicity )
(Not) Easy
Description
-
Solution
Given PE file and then i try to open it using IDA
sub_40189D
Looking at encryption function it seems like modified xxtea encryption so the idea is reconstruct decrypt function by reversing the encryption algorithm.
Flag : darkCON{4_L177l3_crYp70_4_d4y_m4K3S_R3v3rS3s_g0_4W4Y}
fire in the androiddd
Description
-
Solution
Given apk file and then i try to decompile it.
MainActivity
Looking at MainActivity that we need internet connection to run this application and there are a method called from data_receiver class.
data_receiver
From getData method we know that class member ( data ) will store encrypted flag from firebase storage. data_receiver.data will be used in magic function which is called by doInBackground function from nested class ( loader class in MyReceiver class )
MyReceiver
Magic method is called from native library so we need to decompile that library to know what is magic method do
Java_com_application_darkcon_MyReceiver_magic
From the code above we know that our input xored with looper(i) and compared with v4 which is encrypted_flag . Here is what looper function do
looper
So the idea is getting the encrypted_flag using frida then run looper function and xor it with encrypted_flag and get the flag. Here is frida script that i used
After that implemented the looper function
Flag : darkCON{th3_w31rd_c0mb1nat10n_of_fr1da_4nd_c4t4l4n_ov3rf10w}
Java.perform(function dump() {
function sleep (time) {
return new Promise((resolve) => setTimeout(resolve, time));
}
var api_key_class = Java.use("com.application.darkcon.data_receiver");
var api_key_instance = api_key_class.$new();
console.log("[+] instance created: " + api_key_instance);
console.log("[+] function called : " + api_key_instance.getData());
sleep(5000).then(() => {
console.log("[+] data value: " + api_key_instance.data.value);
});
});
def looper(n):
if (n == 0 or n == 1):
return 1
v2 = [0 for i in range(n + 1)]
v2[0] = 1
v2[1] = 1
for i in range(2, n + 1):
v2[i] = 0
for j in range(i):
v2[i] = v2[i] + v2[j] * v2[i-j-1]
return v2[n]%2**32
enc = [101,96,112,110,77,101,202,470,1506,4758,16815,58877,208123,742855,2674489,9694735,35357570,129644713,477638735,1767263206,2269153033,2991430638,1288250377,3757197244,1413958429,43422424,2072914473,2325361044,2600037558,3008195127,3276256895,4169229947,300814809,3929270464,2526730686,2527522239,645964816,1351610749,573153031,1347646066,1945953402,3824419424,480774039,2833665279,2366904092,2809807660,3295802436,3644429150,720643560,906311378,992169127,1211139059,1465960990,4269303883,3179939394,4095898594,580984841,3596758568,1063564231,3288906933]
flag = ""
for i, j in enumerate(enc):
flag+=chr(j ^ looper(i))
print(flag)
