[No cON Name Facebook CTF Quals 2013] Writeups

ACCESS LEVEL 1

Open the crypto.js file, copy the argument of the eval() call and run it in Firebug; the deobfuscated code is:

[js]function simpleHash(str) {
    var i, hash = 0;
    for (i = 0; i < str.length; i++) {
        hash += (str[i].charCodeAt() * (i + 1))
    }
    return Math.abs(hash) % 31337
}

// Returns the ASCII code of the first character of foo (a roundabout charCodeAt(0)).
function ascii_one(foo) {
    foo = foo.charAt(0);
    var i;
    for (i = 0; i < 256; ++i) {
        var hex_i = i.toString(16);
        if (hex_i.length == 1) hex_i = "0" + hex_i;
        hex_i = "%" + hex_i;
        hex_i = unescape(hex_i);
        if (hex_i == foo) break
    }
    return i
}

// Position-weighted sum: ASCII code of each character times its 1-based position.
function numerical_value(str) {
    var i, a = 0, b;
    for (i = 0; i < str.length; ++i) {
        b = ascii_one(str.charAt(i));
        a += b * (i + 1)
    }
    return a
}

function encrypt(form) {
    var res;
    res = numerical_value(form.password.value);
    res = res * (3 + 1 + 3 + 3 + 7);   // * 17
    res = res >>> 6;
    res = res / 4;
    res = res ^ 4153;
    if (res != 0) {
        alert('Invalid password!')
    } else {
        alert('Correct password :)')
    }
    form.key.value = numerical_value(form.password.value);
    form.verification.value = "yes" + simpleHash(form.password.value);
    return true
}
[/js]

So, to get the goodboy, numerical_value() must return a value res such that:

((((res * (3 + 1 + 3 + 3 + 7)) >>> 6) / 4) ^ 4153) == 0

XOR with 4153 gives 0 only when the left-hand side is 4153, so we can invert the arithmetic in Firebug to get res:

((4153 * 4) << 6) / (3 + 1 + 3 + 3 + 7);

It returns 62539.294117647056, so 62540 is the smallest value that works. (Because `>>> 6` throws away six bits and `^` truncates the float produced by `/ 4` to an integer, every value from 62540 up to 62554 also passes; any one of them is enough.) Since numerical_value() is just the sum of each character's ASCII code multiplied by its 1-based position, we can adjust the result one unit at a time and easily build an input for which numerical_value() returns 62540. For example, this 43-character string:

AAAAAAAAABAAAAAAAAAuAAAAAAAAAAAAAAAAAAAAAAA

Check: 43 'A's (ASCII 65) alone give 65 * (43 * 44 / 2) = 61490; the 'B' at position 10 adds 1 * 10 and the 'u' (ASCII 117) at position 20 adds 52 * 20 = 1040, for a total of 62540.
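The following solver is an added example, not code from the original crypto.js or the writeup. It re-implements numerical_value() and the arithmetic of encrypt() with JavaScript's real operator semantics, brute-forces every return value the check accepts (it generalises the single value above to the whole accepted range), and builds a printable password that hits a chosen target. The helper names (numericalValue, passes, acceptedValues, buildPassword) are my own.

```javascript
// Added solver for the ACCESS LEVEL 1 check (not part of the original crypto.js).
// It reproduces numerical_value() and the arithmetic in encrypt(), finds every
// value of numerical_value() that makes the check pass, and builds a password
// that hits a chosen target value.

const MULT = 3 + 1 + 3 + 3 + 7; // 17, as written in crypto.js
const MAGIC = 4153;

// Same weighting as the original: ASCII code of each char times its 1-based position.
function numericalValue(str) {
  let a = 0;
  for (let i = 0; i < str.length; i++) {
    a += str.charCodeAt(i) * (i + 1);
  }
  return a;
}

// The original check with JavaScript semantics kept: `>>>` yields an unsigned
// 32-bit int, `/ 4` yields a float, and `^` truncates both operands to int32.
function passes(value) {
  let res = value * MULT;
  res = res >>> 6;
  res = res / 4;
  res = res ^ MAGIC;
  return res === 0;
}

// Brute-force the contiguous set of numerical_value() results accepted by passes().
function acceptedValues(limit = 1 << 20) {
  const ok = [];
  for (let v = 0; v < limit; v++) {
    if (passes(v)) ok.push(v);
  }
  return ok;
}

// Build a password of printable characters 'A'..'~' whose numericalValue() equals
// `target`. A run of n 'A's contributes 65 * n(n+1)/2; take the longest run that
// does not overshoot, then pay off the remainder from the right: position p adds
// p per +1 of char code, and a single character can be raised by at most 61
// ('~' - 'A'). Throws only for tiny targets this alphabet cannot reach.
function buildPassword(target) {
  let n = 0;
  while (65 * (n + 1) * (n + 2) / 2 <= target) n++;
  const codes = new Array(n).fill(65);
  let remaining = target - numericalValue(String.fromCharCode(...codes));
  for (let p = n; p >= 1 && remaining > 0; p--) {
    const bump = Math.min(Math.floor(remaining / p), 126 - 65);
    codes[p - 1] += bump;
    remaining -= bump * p;
  }
  if (remaining !== 0) throw new Error("could not reach target " + target);
  return String.fromCharCode(...codes);
}

// The writeup's own 43-character example, rebuilt piecewise so the structure is visible.
const WRITEUP_PASSWORD = "A".repeat(9) + "B" + "A".repeat(9) + "u" + "A".repeat(23);

// Usage: console.log(acceptedValues()); console.log(buildPassword(62540));
```

acceptedValues() returns 62540 through 62554, confirming that 62540 is the smallest accepted value but not the only one; buildPassword(62540) gives a different 43-character string from the writeup's, with the same numerical_value().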

Flag:

Congrats! you passed the level! Here is the key:
23f8d1cea8d60c5816700892284809a94bd00fe7347645b96a99559749c7b7b8

ACCESS LEVEL 2

After installing and running the .apk in BlueStacks, we notice that every time we click the button, a random image is displayed on the screen.

They are obviously pieces of a single QR code, so to see all of them we extract the .apk with WinRAR and open the res/raw folder.

This folder contains 17 images; one of them is just a troll picture, so we have 16 tiles, all of the same size: 97×97 pixels. Since 16 = 4 × 4, the complete QR code should be 388×388 (388 = 97 × 4). In Photoshop, with the grid set to 97×97, we can easily arrange the 16 tiles and get the complete QR code:

Scanning it gives us the flag:

788f5ff85d370646d4caa9af0a103b338dbe4c4bb9ccbd816b585c69de96d9da

ACCESS LEVEL 3

This challenge asks us to type the password one character at a time: after each correct character an asterisk '*' is printed, otherwise the program exits immediately.

Open it in IDA, follow the string "Type to win, only what I want to read..." and we land here:

[asm].text:00000000004010F3 call getch                    ; read one character, no echo
.text:00000000004010F8 movsx eax, al                       ; sign-extend it to 32 bits
.text:00000000004010FB mov [rbp+var_4], eax                ; var_4 = typed character
.text:00000000004010FE mov eax, [rbp+var_8]                ; var_8 = current index
.text:0000000000401101 cdqe
.text:0000000000401103 mov eax, dword ptr facebookctf_rocks[rax*4] ; expected character, stored as a dword
.text:000000000040110A cmp eax, [rbp+var_4]
.text:000000000040110D jnz short badboy                    ; mismatch -> exit
[/asm]

Very simple: it reads a character from the user and compares it with a hardcoded one; if they differ, we get the badboy. var_8 is the loop counter, which is incremented here:

[asm].text:000000000040114A add [rbp+var_8], 1              ; next index
.text:000000000040114E
.text:000000000040114E loc_40114E:
.text:000000000040114E cmp [rbp+var_8], 9
.text:0000000000401152 jle short loc_4010F3                ; loop while index <= 9
[/asm]

The comparison at 0x40114E keeps looping while var_8 <= 9, so the password is 10 characters long (indices 0 through 9), and we can read it straight from facebookctf_rocks. Each character is stored as a 4-byte dword, which is why every byte is followed by 3 dup(0):

[asm].data:00000000006033A0 public facebookctf_rocks
.data:00000000006033A0 facebookctf_rocks db 20h, 3 dup(0), 53h, 3 dup(0), 55h, 3 dup(0), 52h, 3 dup(0), 50h, 3 dup(0)
.data:00000000006033A0 db 52h, 3 dup(0), 49h, 3 dup(0), 53h, 3 dup(0), 45h, 3 dup(0), 21h, 3 dup(0)
.data:00000000006033A0 _data ends
[/asm]

So it must be "\x20\x53\x55\x52\x50\x52\x49\x53\x45\x21", or " SURPRISE!" (note the leading space) in plain text.
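Reading every fourth byte by hand works for ten characters, but the same recovery can be scripted. The code below is an added example, not part of the writeup or the challenge binary: it parses IDA's `db` / `N dup(x)` listing syntax into bytes, reads them as the little-endian dwords that `mov eax, [rax*4]` loads, and replays the loop's comparison, including the `movsx eax, al` sign extension (a table entry outside -128..127 could never match a single byte from getch, so the function reports that instead of emitting a bogus character). The LISTING constant is copied from the .data lines above; the function names are my own.

```javascript
// Added helper (not from the original writeup): rebuild the password the loop
// accepts from IDA's listing of facebookctf_rocks.

// The two .data lines shown in the writeup, copied verbatim.
const LISTING = `
.data:00000000006033A0 facebookctf_rocks db 20h, 3 dup(0), 53h, 3 dup(0), 55h, 3 dup(0), 52h, 3 dup(0), 50h, 3 dup(0)
.data:00000000006033A0 db 52h, 3 dup(0), 49h, 3 dup(0), 53h, 3 dup(0), 45h, 3 dup(0), 21h, 3 dup(0)
`;

// IDA writes immediates as "20h" (hex) or plain decimal like "3".
function parseImmediate(tok) {
  tok = tok.trim();
  return /h$/i.test(tok) ? parseInt(tok.slice(0, -1), 16) : parseInt(tok, 10);
}

// Expand every "db" operand list, including "N dup(x)" runs, into a flat byte array.
function parseDbListing(listing) {
  const bytes = [];
  for (const line of listing.split("\n")) {
    const m = line.match(/\bdb\s+(.+)$/);
    if (!m) continue;
    for (const tok of m[1].split(",")) {
      const dup = tok.trim().match(/^(\d+)\s+dup\((.+)\)$/i);
      if (dup) {
        const n = parseInt(dup[1], 10);
        const v = parseImmediate(dup[2]);
        for (let k = 0; k < n; k++) bytes.push(v);
      } else {
        bytes.push(parseImmediate(tok));
      }
    }
  }
  return bytes;
}

// Read the bytes as little-endian int32 values, the way `mov eax, [rax*4]` does.
function toDwords(bytes) {
  const out = [];
  for (let i = 0; i + 3 < bytes.length; i += 4) {
    out.push((bytes[i] | (bytes[i + 1] << 8) | (bytes[i + 2] << 16) | (bytes[i + 3] << 24)) | 0);
  }
  return out;
}

// Replay the check loop: `count` iterations (cmp var_8, 9 / jle => 10), each
// comparing the sign-extended getch() result (movsx eax, al) against one dword.
// A byte from getch() sign-extends to -128..127, so a dword outside that range
// can never match; return null rather than inventing a character for it.
function expectedPassword(dwords, count) {
  let pw = "";
  for (let i = 0; i < count; i++) {
    const v = dwords[i];
    if (v === undefined || v < -128 || v > 127) return null;
    pw += String.fromCharCode(v & 0xff); // undo the sign extension
  }
  return pw;
}

function solve(listing = LISTING, count = 10) {
  return expectedPassword(toDwords(parseDbListing(listing)), count);
}

// Usage: console.log(JSON.stringify(solve()));  // " SURPRISE!"
```

The null return matters on other binaries built the same way: if the table held, say, 0FFh followed by 3 dup(0), the loop would compare 255 against a sign-extended -1 and no keystroke could ever satisfy it.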

Just enter this password and we’ll get flag:

-> Congratulations! The key is:
| 9e0d399e83e7c50c615361506a294eca22dc49bfddd90eb7a831e90e9e1bf2fb
