Challenge 1

Failure! Failure! Failure!

The challenge is an executable binary named "I_am_so_happy_you_are_playing_the_flareon_challenge.exe". Upon execution, it opens a window asking for a password. If the entered password is wrong, it says: You are Failure.

Maybe the password is somewhere inside the executable binary. We open the binary in Binary Ninja.

  • The file imports the WriteFile and ReadFile WinAPIs, so it might be looking for the password in a text file or similar. We need to look deeper. Below is the disassembly of the code.

  • We can see that the program uses GetStdHandle to open handles to standard input and output. It writes out the prompt and waits for input.

  • Now the WriteFile and ReadFile WinAPIs that we saw before are being used. The WriteFile WinAPI is used here to write to the stdin, but the ReadFile WinAPI takes a 50-byte input from STDIN and saves it in var_8.

  • The output of either - "You are success" or "You are failure" depends on the jl instruction. If ECX is less than 0x18, it will jump to the success block, else to the failure block.

  • The loop XORs each byte at memory address 0x402140, which contains the value \x1f\x08\x13\x13\x04"\x0e\x11M\r\x18=\x1b\x11\x1c\x0f\x18P\x12\x13S\x1e\x12\x10, with the value 0x7d.

  • If the bytes match then the zero flag will be set, causing the jnz instruction to not branch. If the bytes did not match (i.e. you entered a wrong digit in the password) then the zero flag will not be set, causing the branch to the failure block.

  • We will write a small Python script to get the correct response:
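The decoding step described above, as an added example (this is not the write-up's original script). The byte string and the 0x7d key are copied from the page; the function names and the `check` model of the comparison loop (compare the first 0x18 bytes, ignore anything after) are assumptions for illustration.

```python
# Added example: not the original script from this write-up.
KEY = 0x7D       # single-byte XOR key reported in the write-up
LENGTH = 0x18    # value ECX is compared against (24 bytes)

# Bytes the write-up reports at 0x402140, copied from the page.
ENCODED = b'\x1f\x08\x13\x13\x04"\x0e\x11M\r\x18=\x1b\x11\x1c\x0f\x18P\x12\x13S\x1e\x12\x10'


def recover_password(encoded=ENCODED, key=KEY):
    """XOR is its own inverse, so XORing the stored bytes with the
    key yields the input that the check expects."""
    return bytes(b ^ key for b in encoded).decode("ascii")


def check(candidate, encoded=ENCODED, key=KEY):
    """Assumed model of the comparison loop: XOR each input byte with
    the key, compare it with the stored byte, fail on first mismatch."""
    data = candidate.encode("ascii", errors="replace")
    if len(data) < LENGTH:
        return False          # input too short to reach the success block
    for i in range(LENGTH):
        if data[i] ^ key != encoded[i]:
            return False      # mirrors the jnz branch to the failure block
    return True               # all 0x18 bytes matched


if __name__ == "__main__":
    password = recover_password()
    print(password)
    print("check passes:", check(password))
```
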

The correct response to this CTF is bunny_sl0pe@flare-on.com. We can now test to see if it's correct.

Hurray!! The challenge is complete.
