Pretty sure my coworkers wrote those function names.
This video is an exact representation of a programmer's life. Committing mistakes, realizing where the mistake was 2 days later...
committing and committing lots of mistakes
@@Wilker_uwu it's marketing. Commit a lot of mistakes and create an after-sales market for support plans and update plans and of course extended warranty plans...
@@TremereTT this is why FOSS is important
And this, children, is why you always write unit tests.
This is so true. Save my life every day.
And why you really should run those unit tests to make sure they fail.
The important thing about doing unit testing is that it forces you to break down your code into small units that can run standalone. How would you apply this to all the nested for loops that depend on each other?
And go functional to avoid nested if statements
He uses 7-Zip instead of WinRAR. Best YouTuber ever.
WinRAR can open 7z nowadays?
Yep.
WinRAR should be used only to compress RAR. In all other use cases it sucks a big one
Izarc
@@ac130kz i use winrar all my life, no problems so far and its fast
I used a simpler approach (in my opinion); I patched the function that prints the cells and inverted the behavior. I modified the "if" conditions so that all cells were revealed by default instead of hidden. Your solution is more elegant though!
Thought about that too! What did you use to modify the code?
@@LiveOverflow dnSpy probably
I used dnSpy. By the way, a colleague of mine was in your team at DEFCON and I asked him to bring me back some LiveOverflow goodies, and you gave him like dozens of stickers, thanks a lot :) maybe next time I can see you in person.
Wait, wait, wait... there are LiveOverflow stickers???
@LiveOverflow you can also use Reflexil plugin for ILSpy to manipulate IL code
I think it's pretty funny how flare-on's website has no working https
Same here xD
LetsEncrypt.org
It’s probably intentional so that a future flag can be extracted from their website or something
@@GalaxyCatz hmm didn't think about that
@@GalaxyCatz in that case they could have added a challange.flare-on.com domain without ssl.
I don't know why but I decided to do this in Python. I had gotten the result similar to how you did, but no matter the combinations (where I started the count for rows and columns), I couldn't get it to work. I imported ctypes, attempted to run my found cells into a generate key function I converted from C# to Python, and even fruitlessly tried to rewrite all of the logic of the game into Python.
Turns out, I am better at programming than I am counting. I saw your video, saw that I got the same coordinates as you, and tried again, this time counting carefully. CTFs are really hard man.
Oof, I hate when I make a silly mistake and end up with a convoluted work around. At least you learned more about the challenge
yeah, keep trying was the key here. this bug could've been found by someone else working as a team, that's why team work is so important
"I'm so dumb" hey man, dont be so hard on yourself. You're doing amazing :)
You're not dumb. You're a human being. And the fact that you saw it at all means you're smart.
Actually met some of the lead FireEye people, and they are so cool and get to do amazing stuff in terms of RE
The first challenge had obfuscated function names?! I would have been stuck on that. You rock!
@@xorxpert I don't think you know what obfuscation is.
Fireboltofdeath apparently you don’t know what obfuscation is. -_-. There was no obfuscation in this video period. It’s decompilations, reverse engineering. There was no obfuscated function names. Everything was plain visible as day. If it was obfuscated, it’ll be hard and challenging to read it.
Fireboltofdeath that just shows you both don’t know nothing. That’s sad. Go continue with your daily life and don’t bother mines. I am a software engineer.
@@xorxpert
Obscure: not clearly expressed or easily understood.
The function names were obfuscated, because they had names to mislead the user that doesn't do what the name implies.
And, I'm a programmer also, so I really don't care. Obfuscation isn't only making your code hard to read.
obfuscate verb
ob·fus·cate | \ˈäb-fə-ˌskāt;
äb-ˈfə-ˌskāt, əb-\
obfuscated; obfuscating
Definition of obfuscate
2 : CONFUSE:
obfuscate the reader.
Thumbs up for leaving the bug in there! Greatly underlines the constant trial and error of hacking!
My god, im so glad that i found your channel.
Awesome job man, keep these videos coming.
I used dnSpy which acts kind of like IDE so you can patch, run, etc dotnet.
I looked up the data structure that contained the minefield matrix. Looked up the positions of the no-bomb cells. But counting the tiny rows and columns was tough. Also not knowing if the columns are 0-based or 1-based index added to the trouble, so I patched the exe to not exit the game on bomb reveal. Then clicked open all the cells in the vicinity of the empty cells until I found the right one. Then in another window I opened the non-patched exe. Aligned the two fields to see where the empty cells are. :P
I was happy with my approach until I saw yours.
I loved that you could do it statically and still make it look so easy. Waiting for more videos
I've had a harder time reading c++ and binary. I usually write C#. Thank you for this video!
Nice solution for the second challenge, I just inverted the condition that decides what image is displayed on the field so i could see all bombs.
Holy fuck, that went from 0 to 100000 real quick, i can't even imagine what the third challenge will be like.
Great vid as always!
ILSpy : The "IL" stands for "Intermediate Language", cf. "Intermediate Representation" (just love ur videos btw, hevin so much fun hackin on ur hax)
That ending is one reason why I prefer langs where things are immutable by default :^)
What kind of reason might make someone press dislike on such a great video?
Lol, I burst out laughing at the end. At least you caught it in the end before a YouTube comment could ruin your day. Thanks for the video LiveOverflow. I loved this one!
3:38 The InitializeComponent initializes those ughh..... components! Hahahahaha
I don't even understand what you say, but I love to watch these videos xD
I dont like Fridays cause its gonna be weekend, i like them cause i get high quality content to watch!
In the allocate memory class, you could create a string containing the flags and then just MessageBox.Show all the flags :)
I did it like this in dnSpy, displays all the flags:
    private void AllocateMemory(MineField mf)
    {
        // Initialize our string containing the flags information
        string flags = "";
        for (uint num = 0u; num < MainForm.VALLOC_NODE_LIMIT; num += 1u)
        {
            for (uint num2 = 0u; num2 < MainForm.VALLOC_NODE_LIMIT; num2 += 1u)
            {
                bool flag = true;
                uint r = num + 1u;
                uint c = num2 + 1u;
                if (this.VALLOC_TYPES.Contains(this.DeriveVallocType(r, c)))
                {
                    flag = false;
                    // Save the flag x,y coordinate in the string
                    flags += string.Format("({0}, {1}) ", c, r);
                }
                mf.GarbageCollect[(int)num2, (int)num] = flag;
            }
        }
        // Display our flags string
        MessageBox.Show(flags);
    }
Quality content as always and this one is hilarious!
Jesus Christ you’re good as fuck, and these vids are so needed.
Why no patreon or BTC donations? Whatever I can do to make sure you keep this up.
When you showed the brute force code, I immediately said to myself, "but wait, where is the copy from constants back to array2?... uh, if you say so?"
D'OH! :D
Man i strive to be as smart as you one day. Keep up the amazing videos!
This. Is. High quality!
Like always another great video
I didn't figure the RNG thing. Thanks for the video.
I solved it the same way haha :) I just inserted the row and col I found from debugging to the input. (Click randomly and change the index calculation). I also tried to find the real safe slots but was too lazy :)
Actually the video ended up being quite exciting even for a standard user
I love doing windows reversing, I wish I knew this was happening!
Holy shit, 1st time I understood and saw your mistake: init array outside the loop. That's a big step, lol
Wish I could do anything of that, but I'm just an electrician knowing the basics
Windows "NOT MY WORLD" same here. That's why I reverse ELF binaries and use radare2 for reversing mostly everything :)
Love listening to stuff I know absolutely nothing about xD
The "Ohhhhhhhh" was extensively cute.
Very good! For me as a beginner this was really helpful and I understood all of it, thanks!
Very nice drawing of the Eevee evolution ^.^
These are boss, slow learner these help so much.
1:48 finally something i understand! 2:50 finally some c#/ .net $#!t that i know. this is going to be my episode! :D then this happens: 7:07
like wuuuuuut? XD im still 2 fuckin' young i guess lol.. :D
What is basically happening is that the program is using a random integer as an XOR decryption key to an array of bytes, which contains the flag.
Although, a seed is set, determined by cell values which are the same every time the program is started. That's what makes this weak. If you can find the cell values somehow, you can determine the seed, which then allows you to get the XOR key by generating random numbers using the seed and running an XOR decrypt operation on the array bytes.
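An added illustration (not code from the video or from any commenter) of the scheme described in the comment above: a constructed Python model in which the XOR keystream comes from a PRNG seeded by three cell numbers. Python's random.Random stands in for the game's generator, and the 6x6 board, seed_from_cells and the flag{ marker are assumptions; the buggy search reproduces the mistake other comments mention, decrypting in place without restoring the buffer for each guess.

```python
import random
from itertools import combinations

GRID = 6                      # constructed board size, kept small so the search is quick
CELLS = GRID * GRID
MARKER = b"flag{"             # constructed known-plaintext prefix used to recognise success


def seed_from_cells(cells):
    """Hypothetical seed derivation: fold three sorted cell numbers into one integer."""
    seed = 0
    for cell in sorted(cells):
        seed = seed * CELLS + cell
    return seed


def xor_in_place(buf, seed):
    """XOR buf with a seeded PRNG keystream (the same call encrypts and decrypts)."""
    rng = random.Random(seed)  # stand-in for the game's seeded generator
    for i in range(len(buf)):
        buf[i] ^= rng.getrandbits(8)


def encrypt(plaintext, cells):
    buf = bytearray(plaintext)
    xor_in_place(buf, seed_from_cells(cells))
    return bytes(buf)


def brute_force_buggy(ciphertext):
    """Work buffer created once: every wrong guess leaves its keystream mixed in."""
    work = bytearray(ciphertext)
    for cells in combinations(range(CELLS), 3):   # strictly increasing, no duplicate cells
        xor_in_place(work, seed_from_cells(cells))
        if work.startswith(MARKER):
            return cells, bytes(work)
    return None


def brute_force_fixed(ciphertext):
    """Fresh copy of the ciphertext for every guess."""
    for cells in combinations(range(CELLS), 3):
        work = bytearray(ciphertext)
        xor_in_place(work, seed_from_cells(cells))
        if work.startswith(MARKER):
            return cells, bytes(work)
    return None


if __name__ == "__main__":
    secret_cells = (7, 20, 33)                    # constructed "safe" cells
    ct = encrypt(b"flag{constructed_demo}", secret_cells)
    print("buggy:", brute_force_buggy(ct))
    print("fixed:", brute_force_fixed(ct))
    print("seeds tried at most:", sum(1 for _ in combinations(range(CELLS), 3)))
```

In this model the whole key depends on three board positions, so there are only 7140 possible seeds, and the fixed search recovers the plaintext while the buggy one never does.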
If you are over 12 years old I doubt you are too young
You know this man has been in the game for a while if he uses ILspy
Brain.exe has stopped working
it is easy to understand how programming works, it's like learning to play the piano or your favorite competitive game:
//i say that if you press(aButton), you get...
press(Button aButton) {
//the note played by this button which is the note of this button.
return notePlayed = note[aButton];
}
//then you define that the keyword "response" is the response of pressing this button on this position.
response = press(thisButton[onThisPosition]);
it is really easy to understand stuff by looking at simple mechanics, but the fun is about finding out what you can do with combinations and sequences of those mechanics used here.
@@Wilker_uwu You just Made his Entire OS go offline he is not responding.
System Error;
@@asandax6 throw new Error(string? message) || throw new RuntimeError(String? msg) ?
@@Wilker_uwu Ok I wrote Error String on a piece of paper and I threw it 😁. Now I am Grounded thanks to the message hitting my Mom🙁. So uh thanks.
@@asandax6 what? XD
If you think you are dumb what's left for the rest of us?! lol. Thanks for sharing!
the 1st channel to which i pressed bell icon
Great videos, I really enjoyed flare-on challenges and am happy to see you covering them. I do think, however, that you should revisit this problem with one of the simpler approaches for people still learning. Anything that can edit a .net binary could be used to easily solve this problem. I actually ended up using Cheat Engine for this as I was familiar with the tool. That said, I loved seeing a more static approach to this problem, though I can't say I would want to do it myself.
How did you approach this with Cheat Engine?
@@LiveOverflow Cheat Engine has a .net disassembler built into it (or at least can pull the symbols and function names out). From there I searched for the function that triggered when I clicked on one of the tiles and found that they were all set to either 0 or 1, however the function to close the program only ran when it got a click event. So I changed all the values to positive and saw where the correct tiles were. Took a picture with the snipping tool and then clicked them and got the flag.
Honestly it's a kinda weird way to do it and www.reddit.com/r/ReverseEngineering/ posted some much more efficient ways to do it but it was a lot of fun regardless.
Also, I post a lot of criticism, but I love your work. Keep it up :)
@@270jonp you should've shared a video doing that, but that's too late now :) regardless great work
Huh, nice bruteforce approach, I hadn't even thought about that :D Just found all this stuff about cells with no bombs (done that using calculator... I'm too dumb to copypaste the code, yep xD)
Looking forward to see you working on next challenges, I'm so excited :)
hahahahaha that ending man, all too familiar
Great video, thanks !
Dude, you are so great
I can RE better than anyone you know. I RE so well you can't ever get to me... It's the worst but kinda the best. Comforting in a way.
Very good video!
WOW I wish I could do that, that looks like so much fun
12:07 is priceless!
12:10 Man, if you are dumb, then I am bubbling mad comparing to you. Awesome vids!
Hi!
For .NET I recommend dnSpy, it's open source on GitHub.
Mind blowing..!!
You need a rubber duck!
Now I believe that even pros can make trivial mistakes.
CTF 1: Open the disclosed program and copy some text
CTF 2: literally run your brain around this significantly larger program for 10 hours just to realize that had you not made one small mistake early on, you would have been done hours ago.
Always debug the first few loop cycles ..and watch the state of variables
interesting for sure, cool video
Great channel.. keep up
awesome content!
4:04 "...also, the other pictures do not have a flag" *shows a picture of a flag* ;)
Smashed the like
what an alien!!!
"Many of the challenges are based on Windows, which is not really my world"
but LiveOverflow.. in your Google CTF 2019 qualifier video, you used Windows to run minetest!
perhaps... having some problems, with hardware-accelerated 3d rendering, on your unspecified non-Windows platform? ;)
749 likes so far, 0 dislikes, what an absolute record
You'd also run into a bug in the brute force if the sorted array contained multiples of the same number. You assume the next number is greater, but it can be greater than or equal.
Doesn't that imply the same cell is there twice? I thought it must be greater than, and that there'd be no duplicates.
@@Flare03l Yeah that may be true, didn't examine it too closely/attempt the challenge myself. So I may be wrong in there being a bug :).
@@EugeneKolo there is no bug, for exactly the reason flare stated. But in another program it might have been an issue.
That just shows me how far away I am from being a good dev. Just the slightest obfuscation shreds me
Watched this a couple times, just realized that the cell number grid example he drew is missing 20
5:20
need more flareon ctf :3
Sometimes it's just one line of code that screws the whole program.. nice video!
I took VALLOC_NODE_LIMIT to mean the maximal amount of nodes allocated in the vertical.
"only 4 billion options"
*it took me one f-ing year to fix a typo*
I find CSharp really similar to java with a hint of c++.
Dn Spy, or .net reflector would have been a much easier tool to use. You did not even have to brute force the key, that's the over complicated way to do it. Nice for content though, good stuff.
"Give me a second..." any time I hear this message... my brain in automatic mode has the right response... NO RESPONSE AT ALL.
I always define variables const if they are not supposed to change. So I have never encountered this kind of thing after I switched to Python XD.
the second one would have been easier with dnspy. you can edit the code with it
How about the rest of the flag...are you gonna do a walkthrough video for that?
you use a wacom tablet? Cool every thing else not really XD
Just kidding, keep doing what you're doing man
Hi, I'd like to start with CTFs but can't find an easy one to start with. Do you have an idea? Thank you!
"Produces the same random values", despite being technically correct, sounds like an oxymoron tbh
Why use ilspy instead of the better dnspy?
"It's only 32 bit so it's not too big, you go from -2bil to 2bil *OnLy 4 biLliOn oPtiOns* " Yes. Not that much
I’m feeling a bit like a dumb dumb since I really only know BASICS of C++, have only gone more in depth into front end languages. What language were you coding in for your own Bruteforce/your application to print out the results?
we copied the recompiled C# code, and we just added some loops for the bruteforce around it. so in this case we used C#, because that was our target ;)
LiveOverflow ah, thanks!
1:04
what is that song?
Bro great video as always but if you are under windows and you need to reverse .net file , please use DnSpy next time :)
It gets confusing when you don't know certain concepts or tools ... I'll have to learn a lot
I literally did the same thing and made the same mistake :o
My DLL file is coded in C++, what can I do to get all the C++ code?
is it possible to decompile c++ native code?
I want to cuddle Flamara
UwU
and confuse the people in the comments. XD