Posts

CTF.ma - Interesting CTF Challenges

A few days ago I noticed that some people had created a platform for CTF challenges that turned out to be very interesting. It looks like the author is more attracted to the kernel ring than to user land, and I took that opportunity to learn more about Windows drivers, which is something I can say I did for the first time.
I suggest you try these challenges and solve them; I hope you will enjoy them, specifically the RE challenges.

CTF website: http://www.ctf.ma

rtcore is now on the leaderboard; I will be very excited to see more people enjoying these challenges.

Ahead PDF Password Remover Keygen

A simple keygen for Ahead PDF Password Remover, written in JavaScript (even paranoids can use it).

Update: fixed a hidden check triggered after clicking the Add Files button, which made the application close quickly.

Download

Download (non-stable)

PS: It did not take much time to crack the first hash; there are many other hashes, but cracking just one is enough.


PPS: Some good audio to listen to :D.

Received the Labyrenth 2017 prize

This was the first CTF challenge I ever tried, so these things mean a lot to me.
Thanks to those mp3s (mp3, mp3); playing them on loop kept me from getting tired of stepping through code.



Why should I play Subway Surfers using a mouse? Isn't the keyboard cool!

Let's assume that someone is forced to work under circumstances where no internet access is available to him (not forever, just for a duration like one week). He will probably press Ctrl+F, type "subway", and, great, find a game where he can burn his time.

Let's play for 30 minutes to 1 hour; that person will probably not be able to reach a higher score, since his hand will hurt.

I want to make the life of this person easier and better by adding keyboard support to that game (whether the game is for children or not is another story, and not important to me).

I want this feature to be built in, so the end user doesn't need to do anything other than double-click the exe.

Great, it looks like I'm lucky: UnityEngine is used along with Mono, which is .NET Framework-compatible.

I found something interesting in Assembly-CSharp.dll, the Game.HandleControls method; we must add arrow key support there.


So I modified the IL to get something like this:


Great, but unfortunately after runn…

Flare-On 2017

On 08-09-2017 at night I learned that Flare-On had started; I solved two challenges and fell asleep.

1 - The first challenge is quite easy to solve, since the rotate is symmetric:

2 - This one is a little bit tricky, since you need to reproduce a small decryption algorithm to reverse the encryption:

On the afternoon of 09-09-2017, I started solving challenge 3.

3 - This challenge requires you to find a byte value that is the key to decrypt some x86 code, given a simple hash function. Once this code is decrypted and starts running, it puts the Flare-On flag on the stack, so we must do two things:


Find the byte key:

Send that byte to the local server at 127.0.0.1:2222 and debug it.

09-09-2017 - 10-09-2017:

4 - It took me more time to figure out that the challenge uses PE files from last year's Flare-On challenge (2016). Generally, every PE file contains 8 bytes forming part of the key; each file has those bytes at offset 0x400, 0x410, 0x420 or 0x430.

The files should be put at the following folder:


Once the files …

010 Editor v7.0.2 (x64) Crack

It's been a long time since I wrote a blog post, but now I'm releasing a crack for 010 Editor v7.0.2 (x64). I mainly used WinDbg for this operation because it is a stable debugger, even if using it is a pain in the ass.

Please make sure that the original, unpatched binary (010Editor.exe) has SHA1: aacac5f44623b1ae676757dda2fc38bfa54fc795


Download Crack and RegKey here.

Let me know if you have any problem using this.

Walkthrough: Reversing Resource Tuner License Validating Algorithm (part 2)

IV - func4

Now, we've reached the function named func4:


If we take a look at the asm code of func4, we will find the following:

CPU Disasm
Address   Hex dump        Command                          Comments
FFF90BC8  60              PUSHAD
FFF90BC9  8B45 F8         MOV EAX,DWORD PTR SS:[EBP-8]
FFF90BCC  50              PUSH EAX
FFF90BCD  8B90 F0000000   MOV EDX,DWORD PTR DS:[EAX+0F0]
FFF90BD3  8B7A 30         MOV EDI,DWORD PTR DS:[EDX+30]
FFF90BD6  8B72 34         MOV ESI,DWORD PTR DS:[EDX+34]
FFF90BD9  8B0F            MOV ECX,DWORD PTR DS:[EDI]
FFF90BDB  330E            XOR ECX,DWORD PTR DS:[ESI]
FFF90BDD  894D E4         MOV DWORD PTR SS:[EBP-1C],ECX
FFF90BE0  8B0424          MOV EAX,DWORD PTR SS:[ESP]
FFF90BE3  8B88 80000000   MOV ECX,DWORD PTR DS:[EAX+80]
FFF90BE9  8D59 30         LEA EBX,[ECX+30]
FFF90BEC  8B4B 4C         MOV ECX,DWORD PTR DS:[EBX+4C]
FFF90BEF  8B90 0C010000   MOV EDX,DWORD PTR DS:[EAX+10C]
FFF90BF5  81EA FFFFFF7F   SUB EDX,7FFFFFFF
FFF90BFB  8D34CA          LEA ESI,[ECX*8+EDX]
FFF90BFE  8BB8 10010000   MOV EDI,…