Project Sekai - ❌-reverse-modern_software_protections

Project Sekai

🔒 WolvCTF 2023 / ❌-reverse-modern_software_protections

modern_software_protections - 500 points

Category: Reverse Description: Web stuff can't be that complicated, right? An Appimage is provided for Linux Support and a Zip file is provided for Windows support. Link to Windows Portable Zip: here Link to Linux Executable: here This challenge is authored and sponsored by Caesar Creek Software. Files: No files. Tags: Wade#3516

Sutx pinned a message to this channel. 03/17/2023 1:39 PM

@TheBadGod wants to collaborate

electron

14:33

compiled js

1.61 KB

is that everything extracted from appimage?

no, but i think it's the only relevant thing

14:45

given its name

14:46

I mean also node_modules, but those are just bytenode and toastify-js

true

https://swarm.ptsecurity.com/how-we-bypassed-bytenode-and-decompiled-node-js-bytecode-in-ghidra/

How we bypassed bytenode and decompiled Node.js bytecode in Ghidra

I build robots for fun. Rick Sanchez It’s common knowledge that in 2019 the NSA decided to open source its reverse engineering framework known as Ghidra. Due to its versatility, it quickly became popular among security researchers. This article is one of many to come dedicated to covering the technical details of the ghidra_nodejs plugin for […...

14:47

trying if i somehow get their plugin to work

14:47

but will have to set up ghidra dev env

is it cocos2d?

14:47

or some other

probably just nodejs bytecode

14:48

wait, they have a release

14:48

https://github.com/PositiveTechnologies/ghidra_nodejs/releases/tag/v1.0

Release Initial release · PositiveTechnologies/ghidra_nodejs

Subj.

14:48

time to download a ghidra version with log4j lol

1

maybe we can already infer much from the string

QcVt
Buffer
JkUHBtvRirfhKdSW3LSYsX9Ed0o2KrDaDSnvOb1Y
base64
alloc
Qcr9
equals
fill
1D20
CDVB
LDQK
UDaTK7S4
checkFlag
evalmachine.<anonymous>
exports

TheBadGod

no, but i think it's the only relevant thing

yeah right i decompiled it and checked too, only the flag_check is relevant

17:23

it's surprisingly short, trying to find tools to decompile it

@Violin wants to collaborate

damn i really dont want to dl another ghidra with that but it seems essential to solve

ok back to this after that annoying hardware

@4n0nym4u5 wants to collaborate

TheBadGod

time to download a ghidra version with log4j lol

what does this mean, not any ghidra version will work with the plugin?

the one build they have available is for ghidra 9.2.2 and i didn't manage to disassemble the jsc with it

00:39

building should work for any 9.x version (because of api changes you might need to change stuff for 10.x)

oh

00:39

so you tried to use that plugin but didnt dis?

yeah, tried both V8 32-bit and V8 64-bit bytecode

00:39

and it was just garbage

there's some tool for mozillia but i tried and didnt work too

https://github.com/Salt-Mc/ghidra_nodejs this fork claims to work with ghidra 10?

GitHub - Salt-Mc/ghidra_nodejs: GHIDRA plugin to parse, disassemble...

GHIDRA plugin to parse, disassemble and decompile NodeJS Bytenode (JSC) binaries - GitHub - Salt-Mc/ghidra_nodejs: GHIDRA plugin to parse, disassemble and decompile NodeJS Bytenode (JSC) binaries

seems it claims

00:42

there's another way but i didnt figure out how to call C++ function yet and idk if that spidermonkey will work https://github.com/rolandoam/spidermonkey/blob/master/js/src/jsapi.cpp#LL7045C2-L7047C74

Image attachment

@crazyman ai wants to collaborate

@joezid wants to collaborate

@afterworld wants to collaborate

ok i installed ghidra 9.2.2 and that extension

18:02

but how to load that jsc

Image attachment

18:02

its raw binary

18:03

this one?

Image attachment

18:05

nah doesnt work, only loads raw data

i remember that

18:09

N1CTF have a challenge that seems like it

jsc?

but at least author open the js source code

18:09

yeah

18:09

V8 bytecode

dont know how to decompile jsc now

18:09

plugin doesnt work

18:09

and wu about it?

TheBadGod

and it was just garbage

oh ok ig same thing, not sure if its node version issue or what but yeah decompiler doesnt work

https://github.com/Mas0nShi/v8-bytecode-interpreter

GitHub - Mas0nShi/v8-bytecode-interpreter: A mini bytecode Interpre...

A mini bytecode Interpreter for v8. Contribute to Mas0nShi/v8-bytecode-interpreter development by creating an account on GitHub.

18:12

Here's the author's repo I'm not sure if it's useful

hmm

18:14

it seems doesnt intake jsc

18:14

?

18:15

I DM'd this author on twitter

18:15

ask how to jsc -> disassemble or js

crazyman ai

https://github.com/Mas0nShi/v8-bytecode-interpreter

https://github.com/Mas0nShi/v8-bytecode-interpreter/blob/master/example/dist/for2.txt it seems to input this

it's jsc is V8 bytecode

18:21

..........

yeah

18:21

but it can't be input to this prog

@crazyman ai

Image attachment

18:44

rip

18:44

this is from Mas0n

yeah

https://github.com/Nu1LCTF/n1ctf-2022/tree/main/Re/Desktop-Apps found similar chall

n1ctf-2022/Re/Desktop-Apps at main · Nu1LCTF/n1ctf-2022

Official repository containing files related to N1CTF 2022 - n1ctf-2022/Re/Desktop-Apps at main · Nu1LCTF/n1ctf-2022

07:23

well, n1ctf author send this to me and said it could be solved following this

07:25

We get the version information from the game:

electron version: 22.0.0-alpha.3 v8 version: 10.8.79-electron.0

07:25

need to get similar thing in this one

07:27

lol too complicated chall

https://swarm.ptsecurity.com/creating-a-ghidra-processor-module-in-sleigh-using-v8-bytecode-as-an-example/

Creating a Ghidra processor module in SLEIGH using V8 bytecode as a...

Last year our team had to analyze V8 bytecode. Back then, there were no tools in place to decompile such code and facilitate convenient navigation over it. We decided to try writing a processor module for the Ghidra framework. Thanks to the features of the language used to describe the output instructions, we obtained not […]

07:29

https://swarm.ptsecurity.com/decompiling-node-js-in-ghidra/

Decompiling Node.js in Ghidra

Have you ever wanted to find out how a program you often use, a game you play a lot, or the firmware of some realtime device actually works? If so, what you need is a disassembler. Better still, a decompiler. While things are pretty clear with x86–x64, Java, and Python, as there are plenty of […]

07:30

But I'm sure there's not enough time

yeah

sahuang

https://github.com/Nu1LCTF/n1ctf-2022/tree/main/Re/Desktop-Apps found similar chall

i think this will work

sahuang

We get the version information from the game:

electron version: 22.0.0-alpha.3 v8 version: 10.8.79-electron.0

in my memory of checking the N1ctf (edited)

almost same concept

07:31

but no time

we can got them from the app

07:31

in some xml

and need to compile d8 and write functions to get

yeah

07:32

peepoo

07:33

I suddenly found that the inverse vector is very large this weekend since I was checking b01lers and he had some virtual machine pwn challenges

07:33

XD

07:34

wish thebadgod will solved it within 5h

crazyman ai

I suddenly found that the inverse vector is very large this weekend since I was checking b01lers and he had some virtual machine pwn challenges

u win b01?

no

07:35

maple beacon win

oh ok

Image attachment

oh

mostly players of mine work on an local ctf

07:35

XD

ic

hope i solved the two vm pwn before it ends

how many pts for 3rd

it have an bad guessey cipher other is okay

07:37

Image attachment

looks close

yeah

07:38

XD

07:38

i will check two vm pwn first

07:38

hope i can solved it

07:38

alreay can write code

maple bacon clear all

07:49

XD

07:49

so strong

nice

07:51

the rev are too hard to clear in this one but i think we have a good lead so its hard to catchup peepoo

peepoo

sahuang

the rev are too hard to clear in this one but i think we have a good lead so its hard to catchup peepoo

peepoo

not much time

i think it's time to do some other things

64r2 is most annoying

07:55

spent half day

07:56

hint is guessy

lol

08:38

Image attachment

LOL

08:39

https://wolvctf.io/teams/739 ??

08:39

u solved 64r2?

not me

08:51

i not play with it

i'm still fucking of b01lers

are they discussing this ctf in qq group or someone playing himself

someone playing himself

08:51

XD

08:52

not open group and docs

08:52

lol

11.0.226.16-electron.0

10:58

export PATH=`pwd`/depot_tools:"$PATH"
gclient sync 
fetch v8
git pull origin
gclient sync
git checkout 10.8.79

10:58

wtf is this

10:59

ok

10:59

downloaded depot

lol doanloading v8 source took so long

11:12

prob no time for this, will upsolve

ok it needs to also patch sanity check, too much work, prob not gonna do it

Exported 143 message(s)