FireEye FLARE CTF 2017 : PEWPEWBOAT Challenge 5

The challenge is about selecting the correct coordinates on the map at each stage and advancing to the next stage until the flag is obtained.


As we advance to the next stage, the game prints some metadata.

After debugging the binary, the logic that calculates the coordinates can be rewritten. Below is a Python implementation that calculates the coordinates and decrypts the metadata for each stage.

import binascii

key = 0x3B1EE5F6B3D99FF7                # initial key to decrypt metadata
offset = 0x50E0                         # offset of metadata in binary
f = open('pewpewboat.exe','rb')
for stage in range(0,11):
    v = ((stage << 3) + stage) << 6     # stage * 0x240: start of this stage's metadata block
    f.seek(offset + v)
    mask = '0x'
    temp = '0x'
    res = []
    metadata = []
    # decrypt the 0x240-byte block: the key is advanced for every byte
    # and its low byte is XORed with the encrypted byte
    for n in range(0,0x240):
        key = ((key * 0x41c64e6d) + 0x3039) & 0xFFFFFFFFFFFFFFFF
        c = binascii.hexlify(f.read(1))
        c = int(c,16)
        c = c ^ (key & 0xFF)
        metadata.append(chr(c))
        res.append("%02X" % c)
    #print("".join(metadata))
    # decrypted bytes 0..7 read as a little-endian integer: the 64-bit coordinate mask
    for n in range(7,-1,-1):
        mask = mask + res[n]
    # decrypted bytes from offset 16 onwards read as a little-endian integer;
    # only the low 64 bits survive the masking in the next decryption round
    for n in range(len(res)-1,15,-1):
        temp = temp + res[n]
    #print("mask",mask)                      #used in key calculation for next round metadata
    mask = int(mask,16)
    key = int(temp,16)
    count = 0
    cord = []
    for i in range(0x41,0x49):          # rows 'A'..'H'
        for j in range(0x31,0x39):      # columns '1'..'8'
            prevcount = count
            row = i - 0x41
            col = j - 0x31
            var38 = 1 << (((row*8) + col) & 0xFF)   # bit for this cell
            count = (count | var38)
            var48 = count
            var4C = 0                   # var4C is not used below
            prevvar4C = 0
            while True:
                temp = var48 & 1
                if temp != 0:
                    var4C = var4C + 1
                var48 = (var48 >> 1) & 0xFFFFFFFF
                if var48 == 0:
                    break
            # true exactly when this cell's bit is set in mask
            if (count & mask) > prevcount:
                v1 = (j * 0x593) & 0xFFFFFFFF
                v2 = (i * 0x1E01) & 0xFFFFFFFF
                res_add = v1 + v2
                v3 = ((j * i) + res_add + 0x14A1)
                key = key + v3          # every selected cell feeds the next stage's key
                cord.append(chr(i)+chr(j))
    print("========= Stage " + str(stage) + " Coordinates =========")
    print("Coordinates : " + str(cord))
    if stage == 10:
        print("Metadata: " + "".join(metadata))
    print("===================================================")
    print('')
f.close()

Below are the coordinates produced by the above script. For clarity, I have printed the metadata of the last stage only.

The coordinates provided at each stage form a character on the map.

0 cord - B4 B5 B6 B7 C4 D4 E4 E5 E6 E7 F4 G4 - F
1 cord - B4 B8 C4 C8 D4 D8 E4 E5 E6 E7 E8 F4 F8 G4 G8 - H
2 cord - A2 A3 A4 A5 A6 A7 B1 B8 C1 D1 E1 E5 E6 E7 E8 F1 F8 G1 G8 H2 H3 H4 H5 H6 H7 - G
3 cord - D5 D8 E5 E8 F5 F8 G5 G8 H5 H6 H7 H8 - U
4 cord - B4 B5 B6 B7 B8 C7 D6 E5 F4 F5 F6 F7 F8 - Z
5 cord - A1 A2 A3 B1 B4 C1 C2 C3 D1 D3 E1 E4 - R
6 cord - D5 D6 D7 E5 F5 F6 F7 G5 H5 H6 H7 - E
7 cord - B2 B3 B4 B5 B6 C4 D4 E4 F1 F4 G2 G3 - J
8 cord - D3 D7 E3 E7 F3 F7 G4 G6 H5 - V
9 cord - D3 D4 E2 E5 F2 F5 G2 G5 H3 H4 - O

Below is the instruction provided in stage 10 metadata to get the flag.

"Aye! You found some letters did ya? To find what you're looking for, you'll want to re-order them: 9, 1, 2, 7, 3, 5, 6, 5, 8, 0, 2, 3, 5, 6, 1, 4. Next you let 13 ROT in the sea! THE FINAL SECRET CAN BE FOUND WITH ONLY THE UPPER CASE"

Reordering the letters from each stage as instructed gives "OHGJURERVFGUREHZ"; applying ROT13 to it gives the keyword below.

Key word : BUTWHEREISTHERUM

Providing the keyword when the game starts gives the flag.
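
The final decoding step, as an added example that is not part of the original post: it packs a stage's coordinates into the 64-bit mask with the same bit layout the script uses (bit = row*8 + col), draws the board so the letter can be read, then applies the reorder sequence and ROT13 from the stage 10 metadata. The function names are illustrative, and stage 0 is taken as F, the letter its cells draw and the one that appears in the reordered string.

```python
import codecs

# Coordinates and reorder sequence copied from the post (two stages shown).
STAGES = {
    0: "B4 B5 B6 B7 C4 D4 E4 E5 E6 E7 F4 G4",
    8: "D3 D7 E3 E7 F3 F7 G4 G6 H5",
}
LETTERS = "FHGUZREJVO"   # letter drawn by stages 0..9 (stage 0 read as F)
ORDER = [9, 1, 2, 7, 3, 5, 6, 5, 8, 0, 2, 3, 5, 6, 1, 4]

def coords_to_mask(coords):
    """Pack 'B4'-style cells into the 64-bit mask: bit = row*8 + col."""
    mask = 0
    for cell in coords.split():
        row, col = ord(cell[0]) - 0x41, ord(cell[1]) - 0x31
        if len(cell) != 2 or not (0 <= row < 8 and 0 <= col < 8):
            raise ValueError("cell outside the 8x8 board: " + cell)
        mask |= 1 << (row * 8 + col)
    return mask

def render(mask):
    """Draw the mask as the game board, rows A..H from top to bottom."""
    return ["".join("#" if (mask >> (r * 8 + c)) & 1 else "." for c in range(8))
            for r in range(8)]

def keyword(letters, order):
    """Reorder the stage letters, then let 13 ROT."""
    reordered = "".join(letters[i] for i in order)
    return codecs.encode(reordered, "rot13")

if __name__ == "__main__":
    for stage, coords in sorted(STAGES.items()):
        mask = coords_to_mask(coords)
        print("stage %d mask 0x%016X" % (stage, mask))
        print("\n".join(render(mask)))
    print(keyword(LETTERS, ORDER))
```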
