### FireEye FLARE CTF 2017 : PEWPEWBOAT Challenge 5

The challenge is a battleship-style game: at each stage you must select the correct coordinates on the map to advance to the next stage, and clearing all stages yields the flag.


As we advance to the next stage, the game prints some metadata.

After debugging the binary, the logic that computes the expected coordinates can be rewritten. Below is a Python implementation that decrypts the metadata block of each stage (a 0x240-byte block XORed with the low byte of a 64-bit LCG keystream) and derives the coordinates from the bitmask stored at the start of the decrypted block.

```python
import binascii

key = 0x3B1EE5F6B3D99FF7  # initial key used to decrypt the stage 0 metadata
offset = 0x50E0           # file offset of the metadata blocks in the binary
BLOCK = 0x240             # each stage's metadata block is 0x240 bytes

f = open('pewpewboat.exe', 'rb')

for stage in range(0, 11):
    # ((stage << 3) + stage) << 6 == stage * 0x240: seek to this stage's block
    v = ((stage << 3) + stage) << 6
    f.seek(offset + v)

    mask = '0x'
    temp = '0x'
    res = []
    metadata = []

    # Decrypt the block: every byte is XORed with the low byte of a 64-bit LCG
    # that is stepped once per byte.
    for n in range(0, BLOCK):
        key = ((key * 0x41c64e6d) + 0x3039) & 0xFFFFFFFFFFFFFFFF
        c = binascii.hexlify(f.read(1))
        c = int(c, 16)
        c = c ^ (key & 0xFF)
        metadata.append(chr(c))
        c = "0x%02X" % c
        res.append(c[2::])
    #print("".join(metadata))

    # Bytes 0..7 (little-endian) are the bitmask of the expected coordinates.
    for n in range(7, -1, -1):
        mask = mask + res[n]
    # Bytes 16.. (little-endian) seed the key for the next stage's metadata.
    for n in range(len(res) - 1, 15, -1):
        temp = temp + res[n]
    #print("mask", mask)  # used in the key calculation for the next round's metadata

    mask = int(mask, 16)
    key = int(temp, 16)

    count = 0
    cord = []
    # Walk the 8x8 board: rows A..H (0x41..0x48), columns 1..8 (0x31..0x38).
    # Bit (row*8 + col) of the mask marks a coordinate the game expects.
    for i in range(0x41, 0x49):
        for j in range(0x31, 0x39):
            prevcount = count
            row = i - 0x41
            col = j - 0x31
            var38 = 1 << (((row * 8) + col) & 0xFF)
            count = (count | var38)

            # Bit-count loop carried over from the decompiled logic;
            # its result (var4C) is not needed to recover the coordinates.
            var48 = count
            var4C = 0
            prevvar4C = 0
            while True:
                bit = var48 & 1
                if bit != 0:
                    var4C = var4C + 1
                var48 = (var48 >> 1) & 0xFFFFFFFF
                if var48 == 0:
                    break

            # True exactly when bit (row*8 + col) of mask is set.
            if (count & mask) > prevcount:
                # Each expected coordinate also perturbs the next stage's key.
                v1 = (j * 0x593) & 0xFFFFFFFF
                v2 = (i * 0x1E01) & 0xFFFFFFFF
                res_add = v1 + v2
                v3 = ((j * i) + res_add + 0x14A1)
                key = key + v3
                cord.append(chr(i) + chr(j))

    print("========= Stage " + str(stage) + " Coordinates =========")
    print("Coordinates : " + str(cord))
    if stage == 10:
        print("Metadata: " + "".join(metadata))
    print("===================================================")
    print('')

f.close()
```
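To check the decryption and coordinate-extraction logic without the binary at hand, here is an added example (not the writeup's own script) that factors the same logic into reusable pieces: the LCG keystream, the XOR of one 0x240-byte block, the bitmask-to-coordinate mapping and the per-coordinate key adjustment. The constants are the ones from the script above; the function names, the seed for the "next key" and the sample block are my own constructed test data, built with the same layout the script expects and encrypted with the same keystream, so the round trip can be verified offline.

```python
import struct

# Constants from the writeup's script: LCG parameters, block size and the
# per-coordinate key adjustment. Everything else is added example code.
LCG_MULT = 0x41C64E6D
LCG_INC = 0x3039
MASK64 = (1 << 64) - 1
BLOCK_LEN = 0x240          # size of one stage's metadata block


def lcg_next(state):
    """One step of the 64-bit LCG whose low byte is the XOR keystream."""
    return (state * LCG_MULT + LCG_INC) & MASK64


def xor_block(data, state):
    """XOR `data` with successive keystream bytes; returns (output, final_state).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for b in data:
        state = lcg_next(state)
        out.append(b ^ (state & 0xFF))
    return bytes(out), state


def mask_to_coords(board_mask):
    """Bit k of the mask is row k // 8 (A..H), column k % 8 (1..8)."""
    return [chr(0x41 + k // 8) + chr(0x31 + k % 8)
            for k in range(64) if (board_mask >> k) & 1]


def coords_to_mask(coords):
    """Inverse of mask_to_coords; accepts 'B4 B5 ...' or a list of cells."""
    cells = coords.split() if isinstance(coords, str) else coords
    m = 0
    for cell in cells:
        m |= 1 << ((ord(cell[0]) - 0x41) * 8 + (ord(cell[1]) - 0x31))
    return m


def key_adjust(key, coords):
    """Mirror the script's per-coordinate key update (row/col as ASCII values)."""
    for cell in coords:
        i, j = ord(cell[0]), ord(cell[1])
        key += j * 0x593 + i * 0x1E01 + j * i + 0x14A1
    return key & MASK64


def decrypt_stage(block, key):
    """Decrypt one 0x240-byte block; returns (plaintext, coords, next_key).
    Bytes 0..7 hold the little-endian board mask. The script feeds all of
    bytes 16.. into the next key, but the next LCG step masks to 64 bits,
    so only bytes 16..23 (little-endian) can influence it."""
    if len(block) != BLOCK_LEN:
        raise ValueError("stage block must be exactly 0x%X bytes" % BLOCK_LEN)
    plain, _ = xor_block(block, key)
    board_mask = struct.unpack_from("<Q", plain, 0)[0]
    coords = mask_to_coords(board_mask)
    next_key = key_adjust(struct.unpack_from("<Q", plain, 16)[0], coords)
    return plain, coords, next_key


def build_sample_block(coords, seed_for_next, note=b""):
    """Constructed test data (not taken from the real binary): lay out a
    plaintext block the way the script expects, ready to be encrypted."""
    plain = bytearray(BLOCK_LEN)
    struct.pack_into("<Q", plain, 0, coords_to_mask(coords))
    struct.pack_into("<Q", plain, 16, seed_for_next)
    note = note[:BLOCK_LEN - 24]
    plain[24:24 + len(note)] = note
    return bytes(plain)


F_SHAPE = "B4 B5 B6 B7 C4 D4 E4 E5 E6 E7 F4 G4"   # stage 0 list from the writeup

if __name__ == "__main__":
    seed = 0x3B1EE5F6B3D99FF7                     # the script's initial key
    plain = build_sample_block(F_SHAPE, 0x1122334455667788, b"constructed sample")
    cipher, _ = xor_block(plain, seed)            # "encrypt" with the same keystream
    recovered, coords, next_key = decrypt_stage(cipher, seed)
    assert recovered == plain
    print(" ".join(coords))
    print(hex(next_key))
```

The script's test `(count & mask) > prevcount` is equivalent to `(mask >> k) & 1` for `k = row*8 + col`: `count` is all bits up to `k` and `prevcount` all bits below it, so the comparison succeeds exactly when bit `k` of the mask is set, which is what `mask_to_coords` checks directly.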

Below are the coordinates produced by the above script. For clarity, only the metadata of the last stage is printed.

Plotted on the 8x8 map, the coordinates of each stage form a letter (given after each list):

0 cord - B4 B5 B6 B7 C4 D4 E4 E5 E6 E7 F4 G4 - **F**

1 cord - B4 B8 C4 C8 D4 D8 E4 E5 E6 E7 E8 F4 F8 G4 G8 - **H**

2 cord - A2 A3 A4 A5 A6 A7 B1 B8 C1 D1 E1 E5 E6 E7 E8 F1 F8 G1 G8 H2 H3 H4 H5 H6 H7 - **G**

3 cord - D5 D8 E5 E8 F5 F8 G5 G8 H5 H6 H7 H8 - **U**

4 cord - B4 B5 B6 B7 B8 C7 D6 E5 F4 F5 F6 F7 F8 - **Z**

5 cord - A1 A2 A3 B1 B4 C1 C2 C3 D1 D3 E1 E4 - **R**

6 cord - D5 D6 D7 E5 F5 F6 F7 G5 H5 H6 H7 - **E**

7 cord - B2 B3 B4 B5 B6 C4 D4 E4 F1 F4 G2 G3 - **J**

8 cord - D3 D7 E3 E7 F3 F7 G4 G6 H5 - **V**

9 cord - D3 D4 E2 E5 F2 F5 G2 G5 H3 H4 - **O**

**Below is the instruction provided in the stage 10 metadata to get the flag.**

"Aye! You found some letters did ya? To find what you're looking for, you'll want to re-order them: 9, 1, 2, 7, 3, 5, 6, 5, 8, 0, 2, 3, 5, 6, 1, 4. Next you let 13 ROT in the sea! THE FINAL SECRET CAN BE FOUND WITH ONLY THE UPPER CASE"

Applying these operations to the letters from each stage (F H G U Z R E J V O): reordering them by the given indices yields "OHGJURERVFGUREHZ", and ROT13 of that string gives the keyword:

**BUTWHEREISTHERUM**

**Providing the keyword when the game starts gives the flag.**
