Pretty sure my coworkers wrote those function names.
This video is an exact representation of a programmer's life. Committing mistakes, realizing where was the mistake 2 days later...
committing and commiting lots of mistakes
@@Wilker_uwu it's marketing. Commit a lot of mistakes and create an after-sales market for support plans and update plans and of course extended warranty plans...
@@TremereTT this is why FOSS is important
And this, children, is why you always write unit tests.
This is so true. Save my life every day.
And why you really should run those unit tests to make sure they fail.
The important thing about doing unit testing is that it forces you to break down your code into small units that can run standalone. How would you apply this to all the nested for loops that depend on each other?
And go functional to avoid nested if statements
He uses 7-Zip instead of WinRAR. Best YouTuber ever.
WinRAR can open 7z nowadays?
Yep.
WinRAR should be used only to compress RAR. In all other use cases it sucks a big one
Izarc
@@ac130kz i use winrar all my life, no problems so far and it's fast
I used a simpler approach (in my opinion); I patched the function that prints the cells and inverted the behavior. I modified the "if" conditions so that all cells were revealed by default instead of hidden. Your solution is more elegant though!
Thought about that too! What did you use to modify the code?
@@LiveOverflow dnSpy probably
I used dnSpy. By the way, a colleague of mine was in your team at DEFCON and I asked him to bring me back some LiveOverflow goodies, and you gave him like dozens of stickers, thanks a lot :) maybe next time I can see you in person.
Wait, wait, wait... there are liveoverflow stickers???
@LiveOverflow you can also use Reflexil plugin for ILSpy to manipulate IL code
I think it's pretty funny how flare-on's website has no working https
Same here xD
LetsEncrypt.org
It’s probably intentional so that a future flag can be extracted from their website or something
@@GalaxyCatz hmm didn't think about that
@@GalaxyCatz in that case they could have added a challenge.flare-on.com domain without ssl.
Oof, I hate when I make a silly mistake and end up with a convoluted work around. At least you learned more about the challenge
yeah, keep trying was the key here. this bug could've been found by someone else working as a team, that's why team work is so important
I don't know why but I decided to do this in python. I had gotten the result similar to how you did, but no matter the combinations (where I started the count for rows and columns), I couldn't get it to work. I imported ctypes, attempted to run my found cells into a generate key function I converted from C# to python, and even fruitlessly trying to rewrite all of the logic of the game into python.
Turns out, I am better at programming than I am counting. I saw your video, saw that I got the same coordinates as you, and tried again, this time counting carefully. CTFs are really hard man.
"I'm so dumb" hey man, don't be so hard on yourself. You're doing amazing :)
Lol, I burst out laughing at the end. At least you caught it in the end before a YouTube comment could ruin your day. Thanks for the video LiveOverflow. I loved this one!
Thumbs up for leaving the bug in there! Greatly underlines the constant try and error of hacking!
You're not dumb. You're a human being. And the fact that you saw it at all means you're smart.
My god, im so glad that i found your channel.
Awesome job man, keep these videos coming.
actually met some of the lead fire-eye people, and they are so cool and get to do amazing stuff in terms of RE
The first challenge had obfuscated function names?! I would have been stuck on that. You rock!
@@xorxpert I don't think you know what obfuscation is.
Fireboltofdeath apparently you don’t know what obfuscation is. -_-. There was no obfuscation in this video period. It’s decompilations, reverse engineering. There was no obfuscated function names. Everything was plain visible as day. If it was obfuscated, it’ll be hard and challenging to read it.
Fireboltofdeath that just shows you both don’t know nothing. That’s sad. Go continue with your daily life and don’t bother mines. I am a software engineer.
@@xorxpert
Obscure: not clearly expressed or easily understood.
The function names were obfuscated, because they had names to mislead the user that doesn't do what the name implies.
And, I'm a programmer also, so I really don't care. Obfuscation isn't only making your code hard to read.
obfuscate verb
ob·fus·cate | \ˈäb-fə-ˌskāt;
äb-ˈfə-ˌskāt, əb-\
obfuscated; obfuscating
Definition of obfuscate
2 : CONFUSE:
obfuscate the reader.
ILSpy : The "IL" stands for "Intermediate Language", cf. "Intermediate Representation" (just love ur videos btw, hevin so much fun hackin on ur hax)
i don't even understand what you say, but i love to watch these videos xD
I used dnSpy which acts kind of like IDE so you can patch, run, etc dotnet.
I looked up the data structure that contained the minefield matrix. Looked up the positions of the no-bomb cells. But counting the tiny rows and columns was tough. Also not knowing if the columns are 0-based or 1-based index added to the trouble, so I patched the exe to not exit the game on bomb reveal. Then clicked open all the cells in the vicinity of the empty cells until I found the right one. Then in another window I opened the non-patched exe. Aligned the two fields to see where the empty cells are. :P
I was happy with my approach until I saw yours.
I loved that you could do it statically and still make it look so easy. Waiting for more videos
3:38 The InitializeComponent initializes those ughh..... components! Hahahahaha
I've had a harder time reading c++ and binary. I usually write C#. Thank you for this video!
Man i strive to be as smart as you one day. Keep up the amazing videos!
Jesus Christ you’re good as fuck, and these vids are so needed.
Why no patreon or BTC donations? Whatever I can do to make sure you keep this up.
Quality content as always and this one is hilarious!
Nice solution for the second challenge, I just inverted the condition that decides what image is displayed on the field so i could see all bombs.
Great vid as always!
Holy fuck, that went from 0 to 100000 real quick, i can't even imagine what the third challenge will be like.
What kind of reason that may make some one press dislike for such great video ?
very good! For me as a beginner this was really helpful and I understood all of it, thanks!
I dont like Fridays cause its gonna be weekend, i like them cause i get high quality content to watch!
Like always another great video
That ending is one reason why I prefer langs where things are immutable by default :^)
I didn't figure the RNG thing. Thanks for the video.
I solved it the same way haha :) I just inserted the row and col I found from debugging to the input. (Click randomly and change the index calculation). I also tried to find the real safe slots but was too lazy :)
Great videos, I really enjoyed flare-on challenges and am happy to see you covering them. I do think, however, that you should revisit this problem with one of the simpler approaches for people still learning. anything that can edit a .net binary could be used to easily solve this problem. I actually ended up using Cheat engine for this as i was familiar with the tool. that said i loved seeing a more static approach to this problem, though i cant say i would want to do it myself.
How did you approach this with Cheat Engine?
@@LiveOverflow Cheat Engine has a .net disassembler built into it. (or at least can pull the symbols and function names out) from there i searched for the function that triggered when i clicked on one of the tiles and found that they were all set to either 0 or 1, however the function to close the program only ran when it got a click event. So i changed all the values to positive and saw where the correct tiles were. took a picture with the snipping tool and then clicked them and got the flag.
Honestly it's a kinda weird way to do it and www.reddit.com/r/ReverseEngineering/ posted some much more efficient ways to do it but it was a lot of fun regardless.
Also, i post a lot of criticism, but i love your work. Keep it up :) .
@@270jonp you should've shared a video doing that, but that's too late now :) regardless great work
Love listening to stuff I know absolutely nothing about xD
This. Is. High quality!
When you showed the brute force code, I immediately said to myself, "but wait, where is the copy from constants back to array2?... uh, if you say so?"
D'OH! :D
holy shit, 1st time I understood and saw your mistake, init array outside the loop. That's a big step, lol
I love doing windows reversing, I wish I knew this was happening!
In the allocate memory class, you could create a string containing the flags and then just Messagebox.Show all the flags :)
I did it like this in dnspy, displays all the flags:
    private void AllocateMemory(MineField mf)
    {
        // Initialize our string containing the flags information
        string flags = "";
        for (uint num = 0u; num < MainForm.VALLOC_NODE_LIMIT; num += 1u)
        {
            for (uint num2 = 0u; num2 < MainForm.VALLOC_NODE_LIMIT; num2 += 1u)
            {
                bool flag = true;
                uint r = num + 1u;
                uint c = num2 + 1u;
                if (this.VALLOC_TYPES.Contains(this.DeriveVallocType(r, c)))
                {
                    flag = false;
                    // Save the flag x,y coordinate in the string
                    flags += string.Format("({0}, {1}) ", c, r);
                }
                mf.GarbageCollect[(int)num2, (int)num] = flag;
            }
        }
        // Display our flags string
        MessageBox.Show(flags);
    }
These are boss, slow learner these help so much.
the 1st channel to which i pressed bell icon
The "Ohhhhhhhh" was extensively cute.
hahahahaha that ending man, all too familiar
If you think you are dumb what's left for the rest of us?! lol. Thanks for sharing!
Actually the video ended up being quite exciting even for a standard user
Very nice drawing of the Eevee evolution ^.^
Huh, nice bruteforce approach, I hadn't even thought about that :D Just found all this stuff about cells with no bombs (done that using calculator... I'm too dumb to copypaste the code, yep xD)
Looking forward to see you working on next challenges, I'm so excited :)
Brain.exe has stopped working
it is easy to understand how programming works, it's like learning to play the piano or your favorite competitive game:
//i say that if you press(aButton), you get...
press(Button aButton) {
//the note played by this button which is the note of this button.
return notePlayed = note[aButton];
}
//then you define that the keyword "response" is the response of pressing this button on this position.
response = press(thisButton[onThisPosition]);
it is really easy to understand stuff by looking at simple mechanics, but the fun is about finding out what you can do with combinations and sequences of those mechanics used here.
@@Wilker_uwu You just Made his Entire OS go offline he is not responding.
System Error;
@@asandax6 throw new Error(string? message) || throw new RuntimeError(String? msg) ?
@@Wilker_uwu Ok I wrote Error String on a piece of paper and I threw it 😁. Now I am Grounded thanks to the message hitting my Mom🙁. So uh thanks.
@@asandax6 what? XD
Great video, thanks !
Wish I could do anything of that, but I'm just an electrician knowing the basics
WOW I wish I could do that, that looks like so much fun
1:48 finally something i understand! 2:50 finally some c#/ .net $#!t that i know. this is going to be my episode! :D then this happens: 7:07
like wuuuuuut? XD im still 2 fuckin' young i guess lol.. :D
What is basically happening is that the program is using a random integer as an XOR decryption key to an array of bytes, which contains the flag.
Although, a seed is set, determined by cell values which are the same every time the program is started. That's what makes this weak. If you can find the cell values somehow, you can determine the seed, which then allows you to get the XOR key by generating random numbers using the seed and running an XOR decrypt operation on the array bytes.
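The weakness described in the comment above, as an added example that is not part of the thread or of the challenge's code: a key stream drawn from a PRNG whose seed comes from a few fixed cell positions can be recovered by trying every possible seed. Python's `random.Random` stands in for the .NET generator, and the 8x8 board, the seed packing and the `FLAG{` marker are constructed assumptions.

```python
import itertools
import random

GRID = 8                  # constructed 8x8 board (assumption; not the game's real size)
KNOWN_PREFIX = b"FLAG{"   # constructed flag format, used to recognise a correct decrypt


def seed_from_cells(cells):
    """Hypothetical packing: fold three sorted cell indices into one integer seed."""
    a, b, c = sorted(cells)
    return (a << 20) | (b << 10) | c


def keystream(seed, length):
    """A seeded PRNG returns the same 'random' bytes on every run."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor(data, key):
    # Builds a new bytes object, so the ciphertext is never modified in place
    # and every candidate seed is tested against the untouched original.
    return bytes(d ^ k for d, k in zip(data, key))


def protect(flag, safe_cells):
    """What the program effectively does: XOR the flag with the seeded key stream."""
    return xor(flag, keystream(seed_from_cells(safe_cells), len(flag)))


def recover(ciphertext, grid=GRID, prefix=KNOWN_PREFIX):
    """Try every possible set of three distinct cells.

    combinations() yields strictly increasing triples, which matches a sorted
    list of three different cells (no duplicates are possible).
    Returns (cells, plaintext, seeds_tried).
    """
    tried = 0
    for triple in itertools.combinations(range(grid * grid), 3):
        tried += 1
        plain = xor(ciphertext, keystream(seed_from_cells(triple), len(ciphertext)))
        if plain.startswith(prefix):
            return triple, plain, tried
    return None, None, tried


if __name__ == "__main__":
    secret_cells = (9, 27, 52)                       # constructed sample values
    blob = protect(b"FLAG{constructed_demo}", secret_cells)
    cells, flag, tried = recover(blob)
    # Only C(64, 3) = 41,664 seeds exist here, so the "key" offers no real secrecy.
    print(cells, flag, f"after {tried} seeds")
```

A key drawn from a cryptographically secure generator, instead of one derived from state that is identical on every start, removes this search.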
If you are over 12 years old I doubt you are too young
You know this man has been in the game for a while if he uses ILspy
1:04
what is that song?
Very good video!
dude, you're so great
Hi!
For .NET i recommend DnSpy, it's Open Source on GitHub.
windows "NOT MY WORLD" same here. that's why i reverse elf binaries and use radare2 for reversing mostly everything :)
I’m feeling a bit like a dumb dumb since I really only know BASICS of C++, have only gone more in depth into front end languages. What language were you coding in for your own Bruteforce/your application to print out the results?
we copied the recompiled C# code, and we just added some loops for the bruteforce around it. so in this case we used C#, because that was our target ;)
LiveOverflow ah, thanks!
Great channel.. keep up
12:10 Man, if you are dumb, then I am bubbling mad comparing to you. Awesome vids!
interesting for sure, cool video
12:07 is priceless!
I can RE better than anyone you know. I RE so well you cant ever get to me... Its the worst but kinda the best. comforting in a way.
Hi at 5:25 you messed up the drawing of the rows and columns last row has
21/22/21/22/23 it should be
20/21/22/23/24
Hi, I'd like to start with CTFs but can't find an easy one to start with. Do you have an idea? Thank you!
4:04 "...also, the other pictures do not have a flag" *shows a picture of a flag* ;)
You need a rubber duck!
Now I believe that even pros can make trivial mistakes.
Why use ilspy instead of the better dnspy?
CTF 1: Open the disclosed program and copy some text
CTF 2: literally run your brain around this significantly larger program for 10 hours just to realize that had you not made one small mistake early on, you would have been done hours ago.
My dll file coded in c++, what can i do to get all c++ code ?
awesome content!
hey bro... i tried one of the websites you suggested to open before, it's "w3challs.com". i have a problem with registering and logging in to that website... after i registered it said "registered successful", but there's no notification in my email, and also i tried to log in to that website but it always says "login/pass Error"... and after that, i tried to click the "forget password" feature, and i input my email address which i used to register, but the website said "your email has not been registered"... i'm really confused by this problem, i thought maybe it's some kind of a test, i tried to connect to the irc channel using xchat and hexchat.. but the connection was always denied. could you help me with this kind of problem i have? thanks.
Always debug the first few loop cycles ..and watch the state of variables
watched this a couple times, just realized that the cell number grid example he drew is missing 20
5:20
How about the rest of the flag...are you gonna do a walkthrough video for that?
how come it is possible to de-compile the jar executable into java code, I thought it was only possible to find the binary assembly code using something like gdb.
Sorry I am a noob, pls don't roast me
Java is not compiled to assembly code. Java is compiled to java bytecode (which runs in the Java VM). And that bytecode is a lot easier to decompile
0:50 I tried to do cd O* and that failed. I just stared at it going "Why the f**k did that not work?!"
I've searched for malware source code in deeper web and found some. How to know if those code are a malware?
Read the source code?
Mind blowing..!!
need more flareon ctf :3
is it possible to decompile c++ native code?
"Many of the challenges are based on Windows, which is not really my world"
but LiveOverflow.. in your Google CTF 2019 qualifier video, you used Windows to run minetest!
perhaps... having some problems, with hardware-accelerated 3d rendering, on your unspecified non-Windows platform? ;)
"only 4 billion options"
*it took me one f-ing year to fix a typo*
I took VALLOC_NODE_LIMIT to mean the maximal amount of nodes allocated in the vertical.
Smashed the like
what an alien!!!
where i can learn stuff like this
I always define variables const if they are not supposed to change. So I have never encountered this kind of thing after I switched to python XD.
Dn Spy, or .net reflector would have been a much easier tool to use. You did not even have to brute force the key, that's the over complicated way to do it. Nice for content though, good stuff.
Lmao I love that ending
you use a wacom tablet? Cool every thing else not really XD
just kidding keep doing what you're doing man
You'd also run into a bug in the brute force if the sorted array contained multiples of the same number. You assume the next number is greater, but it can be greater or equal than.
Doesn't that imply the same cell is there twice? I thought it must be greater than, and that there'd be no duplicates.
@@Flare03l Yeah that may be true, didn't examine it too closely/attempt the challenge myself. So I may be wrong in there being a bug :).
@@EugeneKolo there is no bug, for exactly the reason flare stated. But in another program it might have been an issue.
5:18 Last row of matrix completely wrong, literally unwatchable smh my head
what the fuck why is that there LIVEOVERFLOW EXPLAIN
the second one would have been easier with dnspy. you can edit the code with it
I find CSharp really similar to java with a hint of c++.
"Produces the same random values", despite being technically correct, sounds like an oxymoron tbh
That just shows me how far I'm away from being a good dev. Just the slightest obfuscation shreds me