DEV Community: Falme Streamless

[GameDev] Unity3D, C# and String Security (PT-BR)

Falme Streamless — Sat, 14 Jun 2025 05:56:54 +0000

Originalmente esse documento era uma apresentação para uma empresa em que eu trabalhava, mas que nunca tive a chance de apresentar para meus colegas que trabalhavam com a Unity3D (Por ser ~Muito Perigoso~..., não é perigoso).

O nome original da apresentação era Introdução à Segurança da Informação (e por que não colocar senhas dentro do código?). Espero que curtam.

Do que iremos falar?

Eu sou um desenvolvedor de jogos digitais, e em todas as empresa que eu trabalhei é utilizado a Unity3D/C# como Engine principal, então vários exemplos apresentados serão voltados a essa ferramenta.

Nós iremos falar de:

O que é CyberSegurança? (rapidinho)
O que é Compilação e Decompilação
Um simples decompilação e leitura de senhas
O que é o Dotpeek e como usá-lo com a Unity
Unity com IL2CPP (e PlayMaker)
Inevitabilidade e Git
Conclusão
Referências e outros Links

Além disso, esse texto é somente para AUTO DEFESA, muitos/vários/quase todos os jogos e softwares tem um documento que precisa ser aceito dizendo que você não deve abrir o código do jogo (e é o que faremos hoje).

Tem várias empresas que lançam um jogo e no dia seguinte vários assets que seriam só revelados no Dia das Bruxas ou Natal agora estão por toda a internet, fazendo disso um inferno para o marketing do projeto que estava preparando para uma surpresa, mas mais perigoso que isso, pode ter uma chave de API disponivel para os jogadores poderem acessar Rankings de um jogo competitivo, dinheiro dentro do jogo ou algo similar.

Nós estamos aqui para ajudar você a prevenir (mas ainda possível) hackers de acessarem o que eles não devem. No caso desse documento, as strings/chaves/segredos dentro do seu jogo.

Mas primeiro, acho que você é "Só" um desenvolvedor de jogos, então vamos falar de cybersegurança.

O que é CyberSegurança?

A definição de CyberSegurança segue:

"Proteção da informação e sistemas de informação de acessos não autorizados, o uso, vazamento, pertubação, modificação ou destruição a fim de providenciar sua confidencialidade, integridade e disponibilidade."

Tem muitos termos nesse parágrafo, mas nós iremos focar em:

Proteção da informação e sistemas de informação de acessos não autorizados : Onde a informação de um jogo é o valor que não deve ser acessado pelos jogadores.

E para o esclarecimento de alguns termos para esse documento: Confidencialidade, Integridade e Disponibilidade (Conhecido em inglês como C.I.A.)

Onde:

Confidencialidade : É basicamente dar acesso para aqueles que devem acessar aquela informação e impedir o acesso para aqueles que não devem acessar aquela informação
Integridade : Significa que a informação que aquele usuário receber é confiável e que ninguém modificou ela antes ou depois da transação. Isso garante que a informação de quem a recebeu é 100% idêntica a de quem enviou.
Disponibilidade : Isso garante que a informação precisa estar sempre disponível no espaço de tempo requerido, então, por exemplo, um site que acessa o seu jogo deve estar acessível, mas um hacker que faz um DDoS no seu site (fazendo seu site cair) não deveria acontecer baseado no princíprio da Disponibilidade.

Mas a Disponibilidade não significa que a informação deve estar disponível o tempo todo pra sempre, somente precisa estar acessível no tempo que deve.

Então como eram as proteções no passado?

Em torno dos anos 1960 só existiam senhas e proteções físicas, isso significa que o computador (a maioria só acessível nas Universidades) tinham uma sala com uma tranca que o protegia de ser acessado por quem não deveria.

Isso faz com que os ataques sejam na maioria físicos, sempre um acesso pessoal à máquina e não existia a ideia de algo como um Vírus. Mas não demorou muito para isso se tornar uma realidade.

Em torno dos anos 1970 começou o conceito de Antivírus e Proteção Virtual, muito porque a ARPANET tava ganhando força pelos EUA. Mas especialmente porcausa de um cara chamado Bob Thomas que criou o primeiro vírus conhecido: the Creeper.

Bob Thomas criou um programa que se auto-replica e se espalha pela rede de computadores, ele não fazia nada destrutivo, ele só desenhava um texto na tela escrito "I'M THE CREEPER: CATCH ME IF YOU CAN".

A consequência de sua criação faz com que Ray Tomlinson crie um novo programa que elimina o "The creeper", um programa chamado "Reaper".

Com isso, o primeiro vírus (The Creeper) e o primeiro Antivírus (Reaper) foram criados.

Ok, The Creeper era na verdade um Worm, ele se auto-propaga pela rede, mas esses nomes (Vírus, antivírus, worm) não era algo até 1980 onde os computadores pessoais e a internet como conhecemos era algo real.

Com o tempo vírus, worms, antivírus e similares começaram a se tornarem mais complexos. Hoje em dia, informação é mais preciosa que qualquer outra coisa, e precisamos protegê-lo da maneira correta.

HACKERS!?

Hackers pela definição de Wesley Chai:

"Um hacker é um individual que usa a computação, redes e outras habilidades para sobrepor um problema técnico. O termo também se refere a qualquer um que use suas habilidades para ganhar acessos antes não permitidos em redes ou redes para cometer crimes. Um hacker pode, por exemplo, roubar informação para machucar pessoas via roubo de indentidade ou derrubar um sistema e, muitas vezes, manter como sequestro até que colete uma recompensa.

O termo Hacker historicamente tem sido bem divisivo, algumas vezes sendo usado como um termo de admiração por individuais que exibem um nível altissimo de habilidades e criatividades para resolver problemas técnicos. No entanto, o termo também é normalmente aplicado a individuais que usa essas habilidades para usos ilegais e não éticos."

Então, várias palavras, mas precisamos falar sobre algumas palavras usadas no parágrafo anterior:

Hacker, antes do termo cybersegurança ser aplicado, era utilizado para pessoas que são "Gambiarreiras" ou trazem soluções inteligentes para resolver um problema num sistema limitado.

Hackers cometerem crimes é uma frase desatualizada, hoje em dia nós devemos separar em chapéus:

White Hat (Chapéu Branco) : Hacker Ético, não comite crimes
Black Hat (Chapéu Preto) : Usa suas habilidades de hacker para ganhar acessos não autorizados. (normalmente cybercrime)
Gray Hat (Chapéu Cinza) : Usa suas habilidades para seu benefício próprio, talvez um trabalhador de TI de dia e um cybercriminoso durante a noite para seu próprio benefício.

Resumindo, hackers podem ser muito bons em encontrar falhas de segurança em sistemas como na empresa em que trabalha (com a permissão para testar o sistema, obviamente) a achar maneiras de fazê-lo mais seguro. Mas da mesma forma que pode ser positivo, também pode ser destrutivo com cybercrimes, roubo de informações, espiar usuários sem o conhecimento deles, etc.

O que é Compilação e Decompilação?

Quando você, sim Você, o desenvolvedor de jogos, faz um código pra um jogo e precisa lançar ele para o público (fazendo um .exe, por exemplo) você precisa fazer uma compilação do seu código. Para simplificar, nós iremos definir como:

Compilação:
Código C# → Para → Código de Máquina

O código de máquina não é legível para desenvolvedores/humanos. Mas se nós só tivermos o código compilado, e por algum motivo precisarmos lê-lo, o processo de reversão é chamado de Decompilação:

Decompilação
Código de Máquina → Para → Código C# (Legivel para humanos)

Nesse caso, vamos pegar um código legível em C# vindo do programa original. Normalmente uma Decompilação deve ter a possibilidade de recompilar o código para um executável novamente. Esse é o objetivo final.

Uma decompilação simples e leitura de senhas

Quando você passa pelo processo de decompilação, talvez o código resultante não seja o mesmo que o original, mas com certeza age igual ao original. Isso porque no processo de compilação o código (C#) precisa ser convertido em outra linguagem para ser processado em linguagem de máquina, algumas (maioria) das tecnicalidades do C# não estarão presentes e serão adaptadas.

No exemplo abaixo, nós temos um código original que verifica se a senha em uma variável é igual à "S3Cr37"

void Start()
{
   if(pass == "S3Cr37")
   {
      Debug.Log("you have access");
   }
}

e depois de passarmos esse código pelo processo de decompilação, o código se parece com:

void Start()
{
   if(!(this.pass == "S3Cr37"))
      return;

   Debug.Log((object) "you have access");
}

Meio diferente, mas eles fazem a mesma coisa, o código de baixo nível funciona meio "Pulando de uma linha para outra", então o codigo decompilado prefere sair do métido numa falha de verificação (isso explica a chamada do "return;")

Mas não devemos perder o foco, nossa "Senha Secreta" ainda está visível, esse string poderia ser nossa senha secreta, nossa chave de API secreta ou um endereço para uma página.

Então, antes de entender como prevenir, vamos ver como que isso funciona.

O que é o Dotpeek e como usá-lo com a Unity

Nós estaremos usando a Unity como um exemplo para esse exercício, mas se precisar, eu subi o projeto exemplo e o código fonte no GitHub (Mas é tão simples que você pode fazer por conta própria).

Nós vamos criar um projeto Unity com as configurações padrão, adicionar numa cena um script chamado "Secret.cs" com o nosso código secreto. Só isso e fazer uma build para Windows (Desculpe usuários de linux D:, talvez o processo seja parecido de qualquer forma)

Aqui está nossa Build, vamos quebrar esse Secret.cs;

Mas Ei, isso só acontece com amadores, certo?

De maneira alguma, vários jogos grandes que você conhece tem essa tecnicalidade que faz com que seja possível ler o código do jogo, aqui estão alguns exemplos (Não faça nada com esses códigos):

(Tome nota sobre INSIDE, que tem um "+/-", esse é um caso especial, nós iremos falar sobre isso mais pra frente)

O real perigo está no acesso do público/players ao conteúdo secreto dentro do jogo.

Com a build em mãos, agora nós precisados baixar uma ferramenta chamada DotPeek da JetBrains. A ferramenta é um decompilador, para que possamos desmontar as .DLLs da build.

Pequena parada para explicar como as DLLs funcionam com a Unity

Por padrão todos os scripts que você (desenvolvedor) cria na engine, será compilada em um Assembly Definition chamado Assembly-CSharp.dll, lembre-se desse nome, ele vai ser importante no futuro.

Isso faz com que o código da Unity seja estável e separado do código do desenvolvedor. Se você não quiser todo o seu código em uma DLL só, você vai precisar criar uma nova Assembly Definition no seu projeto e o separar numa pasta, mas sua referência AINDA aponta para o Assembly-CSharp.

Ok, fim do intervalo.

Depois de terminar de baixar o DotPeek

Depois de baixar o Dotpeek, você vai precisar saber se a sua build alvo é vulnerável a esse ataque. Pra saber isso, você precisará achar a pasta da build e encontrar o DLL no caminho:

\CaminhoParaBuild\NomeDaBuild\BuildName_Data\Managed\Assembly-CSharp.dll

Se nesse caminho a DLL existir, seu ataque poderá ser feito. Isso acontece porque a Unity deixa como padrão a opção em Player Settings > Other Settings > Configuration > Scripting Backend como Mono.

isso faz com que a build seja muito mais rápida, mas sacrifica outras partes como Performance e Segurança.

Então, chega de falação, abram seu DotPeek, e selecione "File > Open" e selecione seu alvo Assembly-CSharp.dll (Eu disse que isso seria importante):

Depois de carregar o projeto, você vai selecionar o Assembly-CSharp, clique com botão direito do mouse e selecione "Export to Project...", selecione uma pasta e espere o decompilador terminar o trabalho.

Depois de exportar, você terá os arquivos C# do projeto original agora legível para o ser humano (meio diferente, mas legível).

Parabéns, você conseguiu a senha secreta!

Mas espera, como podemos prevenir isso?

Unity com IL2CPP e PlayMaker

Uma maneira de deixar as coisas um pouco mais difícil para quem está abrindo o seu código é mudar a opção do Script Backend para IL2CPP (Intermediate Language To C++) em "Edit > Project Settings > Other Settings > Configuration"

O que ele faz é não colocar seu código diretamente em uma DLL, mas converte seu código C# em uma Linguagem Intermediária (Microsoft Intermediate Language) e depois em C++, para aí então compilar em código de máquina.

Fazendo esse processo, ele não irá criar um Assembly-CSharp.dll

Nenhum problema com isso... certo?

Sim, tem um problema nisso, e é que a String ainda é uma String. Nós vamos achar nossa senha secreta novamente, mas dessa vez vamos usar uns comandos de Bash no Linux.

Com nossos novos arquivos compilados para a build, nós precisamos ir até o arquivo "global-metadata.dat" em

\CaminhoParaBuild\NomeDaBuild\BuildName_Data\il2cpp_data\Metadata\global-metadata.dat

Nós iremos usar o WSL (Windows Subsystem for Linux), que é um Linux dentro do Windows 10/11, se você não tem ele, você pode baixá-lo na Microsoft Store, é de graça.

Com WSL, nós iremos usar esse comando no nosso arquivo global-metadata:

strings global-metadata.dat | grep S3Cr37

Onde:

strings lista todas as strings dentro de um arquivo
grep Destaca/Mostra somente se o argumento foi encontrado
S3Cr37 é o argumento que queremos encontrar

Com isso, nós podemos ver que nossa senha secreta ainda pode ser encontrado na build.

Bem, claro que nós sabíamos antes qual que era o código que queriamos encontrar. Mas se nós soubessemos pelas builds anteriores quais palavras descartar ou se nós usássemos uma wordlist com valores relevantes (http, api, etc...), nós ainda encontraríamos resultados interessantes, incluíndo nosso segredo.

Hora do PlayMaker

Primeiro, eu não estou dizendo que o PlayMaker é mais seguro, é só um fato curioso que faz sentido estar nesse documento.

PlayMaker é uma ferramenta de Script Visual, similar aos Blueprint da Unreal Engine, mas não oficial da Unity. O curioso caso é que o jogo INSIDE usa essa ferramenta, e isso faz com que o codigo do PlayMaker não possa ser convertido diretamente, mas ele é convertido em Assets.

Isso faz com que seja mais difícil de encontrar as informações no código com as técnicas anteriormente usadas.

A conversão do seu código para Asset pode também ser feitas de maneiras diferentes, como:

Usando Scriptable Objects: Onde você pôe a sua chave em um Asset
Usando PlayMaker ou Outro Visual Scripting : Mesmo que o exemplo acima, mas estes influenciam o modo de desenvolvimento do time
Usando Serviços Externos : Ainda usando Scriptable Objects, mas esse faz chamadas para serviços externos, mantendo seus dados/acessos fora do jogo (Nós iremos falar sobre isso mais tarde).

No caso do PlayMaker, o que isso faz é converter o seu Visual Scripting Data em um arquivo resources.assets. Então, se você decidir abrir o arquivo resources.assets com um comando strings no bash (como falamos anteriormente), você só irá receber baboseiras.

Então, É possível de abrí-lo?

Sim... Mais ou Menos... você vai precisar de umas ferramentas mais especializadas para isso, uma que possa te mostrar os Assets dentro de uma Build.

Nós iremos usar uma ferramenta chamada AssetStudio. Ela é de graça e pode ser acessada em seu repositório no Github.

Nesse examplo, nós iremos pegar um projeto com PlayMaker e abrir ele com AssetStudio:

Como mostrado na imagem acima, nós podemos encontrar, abrir e exportar os arquivos PlayMakerAssemblies e PlayMakerFSM para nosso sistema e talvez achar algo útil.

Eu irei parar por aqui sobre o PlayMaker, mas se você quiser saber mais, brinque com ele, faça seu exemplo em um projeto e tente achar algum conteúdo secreto.

Bonus: AssetStudio também é usado para encontrar imagens, sons, músicas, modelos 3D, texturas e qualquer outra coisa que a Unity categorize como um Asset, que pode ser exportado e lido. É assim que muito modelos e informações são encontradas tão rapidamente depois do lançamento de um jogo.

Inevitabilidade e Git

Então... O que aprendemos até agora?

Todas as opções acima foram terríveis
Nenhum código é 100% seguro
O que nós estamos fazendo é só atrasar o hacker em achar a chave secreta.

Tudo isso pode ser resumido no "Teorema do Macaco Infinito" (Escondi a identidade do macaco por segurança):

O teorema diz que um macaco digitando aleatoriamente em um teclado por um intervalo de tempo infinito irá quase certamente criar um texto qualquer escolhido, como por exemplo a obra completa de William Shakespeare.

No nosso caso, o que os hackers tem é tempo, então, com o tempo e paciência, o hacker vai encontrar a sua chave secreta (também vale lembrar que não é só um macaco, se o seu jogo for publicado na steam)

Então como hackers ainda conseguem achar minha chave secreta?

Aqui estão alguns exemplos:

Arquivos GitHub e Bitbucket: Os hackers podem acessar/hackear os arquivos .git em algum momento e ir diretamente ao código fonte, e isso não é impossível, alguns jogos AAA tiveram esse incidente, o exemplo com o Git também tem acesso ao histórico de todos os seus commits, fazendo disso possível outros ataques (talvez?)
Autenticação de Dois Fatores e Métodos de Login Obsoletos: Alguns usuários não tem Autenticação de dois fatores ativo, no Github, na Unity, no Google Play Store, na Steam, e assim vai. Essa autenticação garante que é você mesmo que está acessando. Aqui está um video engraçado do Game Newell pedindo para ser hackeado, mas a Autenticação de Dois Fatores bloqueia os acessos.
Low-Hanging Fruit: Fazer o basico é essencial, mas os hackers amam ir atrás daqueles que nem o basico fazem, porque é fácil de hackear. Então se você não fizer o básico (como mudar para IL2CPP) eles vão usar uma automatização para te achar mais rápido.
Strings e Códigos Encriptados: Fazer uma encriptação é bom para todos, para mandar um email ou manter um dado secreto. Mas tenha certeza de não manter a chave ao lado da gaveta trancada. Tenha certeza que sua encriptação é boa, porque se for somente um ROT13, ele não vai fazer qualquer diferença.

Outras maneiras de fazer ser mais seguro?

Use Serviços Externos como PlayFab: PlayFab é um serviço onde você consegue colocar dados, rankings e codigo remoto, então se você precisar enviar uma pontuação para um jogo competitivo, você pode ter um código remoto que verifica se a pontuação está correta (ou viável) de ser adicionada. Mas mais que isso, verificar se uma transação monetária é legitima, ver os dados de um jogador e se necessário banir ele, etc. Dessa forma, sua chave/serviço não fica no seu jogo, então sua build está a salvo.

Esse conteúdo remoto também pode ser aplicado a conteúdos para eventos/feriados, onde você pode colocar um Asset Bundle (ou Adressables) em um serviço/servidor CDN e lançar quando o tempo chegar (evento de natal, por exemplo), então esse conteúdo e Assets não ficam na sua Build.

Permissões para Leitura e Modificação: Tenha certeza que alguns dados no seu servidor (enviando Requests para um servidor) não podem ser modificados se não devem ser modificados. É facil deixar isso passar, pois não pensamos nisso até o momento que alguém vai lá e remove/modifica os dados, mas tenha certeza que os acessos estão corretos.
Faça o básico e um pouco mais: Eu vejo outras áreas como Desenvolvimento de Software ou Desenvolvimento de Sites sendo bem cautelosos sobre Segurança da Informação (ok, não tanto assim, mas eles fazem o básico), e em desenvolvimento de jogos isso não é nem discutido. E as vezes a solução é tão simples. Então tome cuidado com seus projetos, não deixe nenhum valor secreto que não deve ser lido dentro das suas builds, especialmente se for um jogo online, verifique várias vezes se for necessário.

Conclusão e Recomendações

Vamos recapitular:

Faça builds da Unity com o Script Backend: IL2CPP
Não use strings comprometedoras dentro de scripts
Use proteções recomendadas para Servidores Git (Github, Bitbucket, etc.) com Chaves SSH RSA
Se você precisar registrar um valor, use serviços externos que tem uma camada de autenticação

Outras Recomendações de Segurança fora da Área GameDev

Não abra links ou Emails suspeitos (nem de amigos)
Ative a Autenticação de Dois Fatores em todos os serviços (Steam, Github, Google, etc...)
Use Antivírus (Melhor que nada)
Cheque se sua senha foi vazada (https://haveibeenpwned.com/)
Não use contas pessoais dentro da sua empresa
Mantenha todos os seus softwares atualizados (especialmente o Windows)
Bom senso

Bônus: Isso pode ser útil no Desenvolvimento de Jogos?

Sim! Isso é uma técnica bem comum hoje em dia (Abrir builds e procurar por segredos), você, como um desenvolvedor de jogos, pode usar isso para adicionar segredos nos seus jogos, ou fazer um jogo em que PRECISA abrir o jogo para encontrar pistas. Mas pense nisso como um conteúdo que não é necessário para a Gameplay, só uma piada ou extra para os fãs hardcore.

É possível, e você pode fazer isso também.

Referências (E outros links)

History of CyberSecurity, Avast : https://blog.avast.com/history-of-cybersecurity-avast#the-1950s

A History of Information Security :
https://www.ifsecglobal.com/cyber-security/a-history-of-information-security/

Unity Assembly Definitions : https://docs.unity3d.com/Manual/ScriptCompilationAssemblyDefinitionFiles.html

Dotpeek from Jetbrains : https://www.jetbrains.com/pt-br/decompiler/

The amazing history of programming with Olga Stern : https://www.youtube.com/watch?v=bJWWbql0QIQ

Tutorial Inspecting Unity Exported Assets
https://www.vg-resource.com/thread-31141.html

Jacquard's Loom machine:
https://www.youtube.com/watch?v=MQzpLLhN0fY

How to Be a Hacker:
http://www.catb.org/~esr/faqs/hacker-howto.html

Search Security - What is a Hacker? :
https://searchsecurity.techtarget.com/definition/hacker

Unity AssetStudio :
https://github.com/Perfare/AssetStudio/releases

CyberSecurity vs Information Security:
https://www.simplilearn.com/information-security-vs-cyber-security-article

[Hack] PicoCTF: Low Level Binary Intro - Intro to Debuggers

Falme Streamless — Fri, 16 May 2025 14:00:00 +0000

This PicoCTF Playlist section is called Intro to Debuggers, the challenges will go deeper into how to use the Debugger, specifically GDB, a common debugger and disassembler. After some explanations of how to use the GDB, we can do the challenges.

I am also using a Virtual Machine with Ubuntu to solve these challenges.

GDB baby step 1

Can you figure out what is in the eax register at the end of the main function? Put your answer in the picoCTF flag format: picoCTF{n} where n is the contents of the eax register in the decimal number base. If the answer was 0x11 your flag would be picoCTF{17}. Disassemble this (file).

So what we need to do is:

Get the file (debugger0_a) to disassemble
Disassemble the main function with GDB
Gather the value of eax register at the end of main function

In summary, we need to gather a assembly dump from the requested file, just like in the previous challenges.

So after downloaded the file, we can disassemble the main function with the following command in shell:

chmod +x ./debugger0_a
gdb ./debugger0_a

and inside gdb:

(gdb) disassemble main

Making these actions, gdb returns with the following dump:

0x0000000000001129 <+0>:    endbr64
0x000000000000112d <+4>:    push   %rbp
0x000000000000112e <+5>:    mov    %rsp,%rbp
0x0000000000001131 <+8>:    mov    %edi,-0x4(%rbp)
0x0000000000001134 <+11>:   mov    %rsi,-0x10(%rbp)
0x0000000000001138 <+15>:   mov    $0x86342,%eax
0x000000000000113d <+20>:   pop    %rbp
0x000000000000113e <+21>:   ret

It's kinda hard for me to read this one, maybe if we change to we are used to, the intel syntax, for that we will:

(gdb) set disassembly-flavor intel
(gdb) disassemble main

and that returns the following dump:

0x0000000000001129 <+0>:    endbr64
0x000000000000112d <+4>:    push   rbp
0x000000000000112e <+5>:    mov    rbp,rsp
0x0000000000001131 <+8>:    mov    DWORD PTR [rbp-0x4],edi
0x0000000000001134 <+11>:   mov    QWORD PTR [rbp-0x10],rsi
0x0000000000001138 <+15>:   mov    eax,0x86342
0x000000000000113d <+20>:   pop    rbp
0x000000000000113e <+21>:   ret

Really better, now, we need to find the final result to EAX register. The funny part is that there's only one command that affects EAX:

0x0000000000001138 <+15>:   mov    eax,0x86342

So, the value of EAX is 0x86342.

But we actually need the decimal value, so we put it in our python script HexToDec.py, then we can have the answer:

python3 HexToDec.py 0x86342

We take the result with picoCTF{value} and we have the flag:

Answer:GDB baby step 1
picoCTF{549698}

GDB baby step 2

Can you figure out what is in the eax register at the end of the main function? Put your answer in the picoCTF flag format: picoCTF{n} where n is the contents of the eax register in the decimal number base. If the answer was 0x11 your flag would be picoCTF{17}. Debug this (file).

The description is the same as the last one, but this time, we are playing with breakpoints and loops in the program. The exercise is to start looking into dynamic analysis.

Static analysis is what we have done before, looking through code to understand what it does. Dynamic analysis study the code through execution and debugging (breakpoints).

Doing the same assembly dump as the previous exercise, we gather this instruction:

0x0000000000401106 <+0>:    endbr64
0x000000000040110a <+4>:    push   rbp
0x000000000040110b <+5>:    mov    rbp,rsp
0x000000000040110e <+8>:    mov    DWORD PTR [rbp-0x14],edi
0x0000000000401111 <+11>:   mov    QWORD PTR [rbp-0x20],rsi
0x0000000000401115 <+15>:   mov    DWORD PTR [rbp-0x4],0x1e0da
0x000000000040111c <+22>:   mov    DWORD PTR [rbp-0xc],0x25f
0x0000000000401123 <+29>:   mov    DWORD PTR [rbp-0x8],0x0
0x000000000040112a <+36>:   jmp    0x401136 <main+48>
0x000000000040112c <+38>:   mov    eax,DWORD PTR [rbp-0x8]
0x000000000040112f <+41>:   add    DWORD PTR [rbp-0x4],eax
0x0000000000401132 <+44>:   add    DWORD PTR [rbp-0x8],0x1
0x0000000000401136 <+48>:   mov    eax,DWORD PTR [rbp-0x8]
0x0000000000401139 <+51>:   cmp    eax,DWORD PTR [rbp-0xc]
0x000000000040113c <+54>:   jl     0x40112c <main+38>
0x000000000040113e <+56>:   mov    eax,DWORD PTR [rbp-0x4]
0x0000000000401141 <+59>:   pop    rbp
0x0000000000401142 <+60>:   ret

We can see 2 problems that we not faced before.

EAX register is being called in multiple places
we have JUMPs in the instruction, indicating a possible loop

The loop can be found as the following pattern:

At main+51 we have a comparison:

0x0000000000401139 <+51>:   cmp    eax,DWORD PTR [rbp-0xc]

If this comparison is less than a value, jump to another line; JL (Jump if Less)
So in this case, we are checking if [rpb-0xc] is less than EAX

If so, we jump to the line main+38, so we go backwards and do it again. That way we find a loop

0x000000000040113c <+54>:   jl     0x40112c <main+38>

So, with that information, we can assure that we will not count every single time that it loops and add a value to EAX.

In fact, we will go to the end of the program, and just read what EAX is, like a good dynamic analysis want us to do.

First, we add a breakpoint to the end of the main function before the return. the main+59 line is a good place to do this. So we go to gdb and do the following:

chmod +x ./debugger0_b
gdb ./debugger0_b

and inside gdb we set up a breakpoint, where it will pause the execution:

(gdb) break *main+59

And run the program normally through the GDB debugger:

(gdb) run

After a little moment, it will stop with the following message:

Breakpoint 1, 0x0000000000401141 in main ()

and now the program is paused as we asked on line main+59 , you can check the address, is the same number. Now we can ask for the value of EAX, that will show the result for the flag in hexadecimal and decimal.

(gdb) info registers eax

We take the result with picoCTF{value} and we have the flag:

Answer:GDB baby step 2
picoCTF{307019}

GDB baby step 3

Now for something a little different. 0x2262c96b is loaded into memory in the main function. Examine byte-wise the memory that the constant is loaded in by using the GDB command x/4xb addr. The flag is the four bytes as they are stored in memory. If you find the bytes 0x11 0x22 0x33 0x44 in the memory location, your flag would be: picoCTF{0x11223344}. Debug this (file).

After a brief explanation about how to read Memory in GDB, the exercise is presented.

We need to find the bytes in the memory address of the file debugger0_c . The tip is the value 0x2262c96b in the main function.

So first of all, we need to disassemble the main function, same as before, resulting in the following assembly code:

0x0000000000401106 <+0>:    endbr64
0x000000000040110a <+4>:    push   rbp
0x000000000040110b <+5>:    mov    rbp,rsp
0x000000000040110e <+8>:    mov    DWORD PTR [rbp-0x14],edi
0x0000000000401111 <+11>:   mov    QWORD PTR [rbp-0x20],rsi
0x0000000000401115 <+15>:   mov    DWORD PTR [rbp-0x4],0x2262c96b
0x000000000040111c <+22>:   mov    eax,DWORD PTR [rbp-0x4]
0x000000000040111f <+25>:   pop    rbp
0x0000000000401120 <+26>:   ret

following this, the value 0x2262c96b is moved (MOV at +15) to the memory address $RBP-0x4.

First some explanations. RBP register is the Register Base Pointer, it point to the base of the Stack Frame, and the addition of the values is through the negative numbering.

So usually we go for something like RBP-0x4 or RBP-0x8, this is adding values from the RBP (Register Base Pointer) to the RSP (Register Stack Pointer).

So we are moving the value 0x2262c96b to the Register Base Pointer position Minus 4.

Add a breakpoint at main+25 and run the program:

(gdb) break *main+25
(gdb) run

And call the values inside RBP-0x4. where x/ is the command to call the memory reading, we want 4 bytes (4) in hexadecimal (x) each with byte-sized (b) resulting the command 4xb .

(gdb) x/4xb $rbp-0x4

Resulting in:

0x7fffffffddbc: 0x6b    0xc9    0x62    0x22

Well, actually the value returned is inverted from the original data 0x2262c96b . It's because we are dealing with Little endian.

We have Big Endian and Small Endian. Will add two images from a video (no longer listed) from C3rb3ru5d3d53c explaining this visually:

Big Endian

Normally "correct" the way we read the hexadecimal values.

Where

M : is the Most Significant Byte
L : is the Least Significant Byte

Little Endian

Normally "inverted" the way we read the hexadecimal values.

So the exercise asked for us to write down the flag as we read them, so, as Little endian is on the screen.

simply an exercise to just read a value in memory and understand Little endian.

We take the result with picoCTF{value} and we have the flag:

Answer:GDB baby step 3
picoCTF{0x6bc96222}

GDB baby step 4

main calls a function that multiplies eax by a constant. The flag for this challenge is that constant in decimal base. If the constant you find is 0x1000, the flag will be picoCTF{4096}. Debug this (file).

This exercise is very simple, is to show that we can call and disassemble many functions, not only main. we need to find a constant number that multiplies with EAX.

So me make the same as the other exercises to disassemble the main function returning the following:

0x000000000040111c <+0>:    endbr64
0x0000000000401120 <+4>:    push   rbp
0x0000000000401121 <+5>:    mov    rbp,rsp
0x0000000000401124 <+8>:    sub    rsp,0x20
0x0000000000401128 <+12>:   mov    DWORD PTR [rbp-0x14],edi
0x000000000040112b <+15>:   mov    QWORD PTR [rbp-0x20],rsi
0x000000000040112f <+19>:   mov    DWORD PTR [rbp-0x4],0x28e
0x0000000000401136 <+26>:   mov    DWORD PTR [rbp-0x8],0x0
0x000000000040113d <+33>:   mov    eax,DWORD PTR [rbp-0x4]
0x0000000000401140 <+36>:   mov    edi,eax
0x0000000000401142 <+38>:   call   0x401106 <func1>
0x0000000000401147 <+43>:   mov    DWORD PTR [rbp-0x8],eax
0x000000000040114a <+46>:   mov    eax,DWORD PTR [rbp-0x4]
0x000000000040114d <+49>:   leave
0x000000000040114e <+50>:   ret

The line main+38 calls another function called "func1". Maybe the multiplication is there. Lets check it out

(gdb) disassemble func1

Returns us the following:

0x0000000000401106 <+0>:    endbr64
0x000000000040110a <+4>:    push   rbp
0x000000000040110b <+5>:    mov    rbp,rsp
0x000000000040110e <+8>:    mov    DWORD PTR [rbp-0x4],edi
0x0000000000401111 <+11>:   mov    eax,DWORD PTR [rbp-0x4]
0x0000000000401114 <+14>:   imul   eax,eax,0x3269
0x000000000040111a <+20>:   pop    rbp
0x000000000040111b <+21>:   ret

At the line func+14 we have a multiplication with EAX, maybe the value 0x3269 is what we need.

But we actually need the decimal value, so we put it in our python script HexToDec.py, then we can have the answer:

python3 HexToDec.py 0x3269

We take the result with picoCTF{value} and we have the flag:

Answer:GDB baby step 4
picoCTF{12905}

ASCII FTW

This program has constructed the flag using hex ascii values. Identify the flag text by disassembling the program. You can download the file from here.

This is the challenge of the module. The mission is to find the flag with GDB in bytes, and then convert to ASCII/String.

First, let's look into the main function:

0x0000555555555169 <+0>:    endbr64
0x000055555555516d <+4>:    push   rbp
0x000055555555516e <+5>:    mov    rbp,rsp
0x0000555555555171 <+8>:    sub    rsp,0x30
0x0000555555555175 <+12>:   mov    rax,QWORD PTR fs:0x28
0x000055555555517e <+21>:   mov    QWORD PTR [rbp-0x8],rax
0x0000555555555182 <+25>:   xor    eax,eax
0x0000555555555184 <+27>:   mov    BYTE PTR [rbp-0x30],0x70
0x0000555555555188 <+31>:   mov    BYTE PTR [rbp-0x2f],0x69
0x000055555555518c <+35>:   mov    BYTE PTR [rbp-0x2e],0x63
0x0000555555555190 <+39>:   mov    BYTE PTR [rbp-0x2d],0x6f
0x0000555555555194 <+43>:   mov    BYTE PTR [rbp-0x2c],0x43
0x0000555555555198 <+47>:   mov    BYTE PTR [rbp-0x2b],0x54
0x000055555555519c <+51>:   mov    BYTE PTR [rbp-0x2a],0x46
0x00005555555551a0 <+55>:   mov    BYTE PTR [rbp-0x29],0x7b
0x00005555555551a4 <+59>:   mov    BYTE PTR [rbp-0x28],0x41
0x00005555555551a8 <+63>:   mov    BYTE PTR [rbp-0x27],0x53
0x00005555555551ac <+67>:   mov    BYTE PTR [rbp-0x26],0x43
0x00005555555551b0 <+71>:   mov    BYTE PTR [rbp-0x25],0x49
0x00005555555551b4 <+75>:   mov    BYTE PTR [rbp-0x24],0x49
0x00005555555551b8 <+79>:   mov    BYTE PTR [rbp-0x23],0x5f
0x00005555555551bc <+83>:   mov    BYTE PTR [rbp-0x22],0x49
0x00005555555551c0 <+87>:   mov    BYTE PTR [rbp-0x21],0x53
0x00005555555551c4 <+91>:   mov    BYTE PTR [rbp-0x20],0x5f
0x00005555555551c8 <+95>:   mov    BYTE PTR [rbp-0x1f],0x45
0x00005555555551cc <+99>:   mov    BYTE PTR [rbp-0x1e],0x41
0x00005555555551d0 <+103>:  mov    BYTE PTR [rbp-0x1d],0x53
0x00005555555551d4 <+107>:  mov    BYTE PTR [rbp-0x1c],0x59
0x00005555555551d8 <+111>:  mov    BYTE PTR [rbp-0x1b],0x5f
0x00005555555551dc <+115>:  mov    BYTE PTR [rbp-0x1a],0x38
0x00005555555551e0 <+119>:  mov    BYTE PTR [rbp-0x19],0x39
0x00005555555551e4 <+123>:  mov    BYTE PTR [rbp-0x18],0x36
0x00005555555551e8 <+127>:  mov    BYTE PTR [rbp-0x17],0x30
0x00005555555551ec <+131>:  mov    BYTE PTR [rbp-0x16],0x46
0x00005555555551f0 <+135>:  mov    BYTE PTR [rbp-0x15],0x30
0x00005555555551f4 <+139>:  mov    BYTE PTR [rbp-0x14],0x41
0x00005555555551f8 <+143>:  mov    BYTE PTR [rbp-0x13],0x46
0x00005555555551fc <+147>:  mov    BYTE PTR [rbp-0x12],0x7d
0x0000555555555200 <+151>:  movzx  eax,BYTE PTR [rbp-0x30]
0x0000555555555204 <+155>:  movsx  eax,al
0x0000555555555207 <+158>:  mov    esi,eax
0x0000555555555209 <+160>:  lea    rdi,[rip+0xdf4]        # 0x555555556004
0x0000555555555210 <+167>:  mov    eax,0x0
0x0000555555555215 <+172>:  call   0x555555555070 <printf@plt>
0x000055555555521a <+177>:  nop
0x000055555555521b <+178>:  mov    rax,QWORD PTR [rbp-0x8]
0x000055555555521f <+182>:  xor    rax,QWORD PTR fs:0x28
0x0000555555555228 <+191>:  je     0x55555555522f <main+198>
0x000055555555522a <+193>:  call   0x555555555060 <__stack_chk_fail@plt>
0x000055555555522f <+198>:  leave
0x0000555555555230 <+199>:  ret

We have many addition of bytes into the memory from main+27 (RBP-0x30) to main+147 (RBP-0x12).

So we can add a breakpoint at somewhere like main+155, just after the values was added to memory.

(gdb) break *main+155
(gdb) run

And then read the memory from the RBP-0x30.

So the question is, how we read and why start from -0x30.

Because this negative position, we are incrementing the values to read, so making the reading start from RBP-0x30 it will goes after to -0x2f, then -0x2e, etc...

and to read the string we will change the type from byte (x) to string (s). Same as the last one we've done, but changing this we got

(gdb) x/1sb $rbp-0x30

Another this is, we usually read a lot of bytes, but in this case we do 1sb, we are reading 1 string. This is kinda weird in a length sense, but this will output each "String" and not "Character" from the memory.

Reading this value from memory we receive directly the flag to put into the answer.

Answer:ASCII FTW
picoCTF{ASCII_IS_EASY_8960F0AF}

[GameDev][Unity3D] Using URP 2D and SpriteMask

Falme Streamless — Fri, 26 Apr 2024 22:35:36 +0000

The Problem: I decided to add URP to a project, to make a specific light in a scene, but because of that the SpriteMask that hides a border is not working anymore.

Solution: Find a shader that replicates the SpriteMask Component.

What is a SpriteMask?

It's very similar to the Photoshop/Illustrator mask, it have a texture that's the image to be shown, and other image that will set the alpha limits to be rendered. With URP2D in Unity this makes not work as expected anymore.

So I've found a shader that make the SpriteMask work in a URP 2D environment. I do now know the original author of the shader, but I decided to store in a github repository, with materials and prefabs, you can find it here : https://github.com/Falme/Unity-URP-2D-SpriteMask/tree/main

[Hack] picoCTF - Mod 26

Falme Streamless — Sun, 21 Apr 2024 16:12:13 +0000

This is a challenge from the picoCTF picoGym, the challenge description follows:

"Cryptography can be easy, do you know what ROT13 is? 
cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_uJdSftmh}"

This is pretty straightforward, we can use a website to decrypt the ROT13 encrypted message.

But in this case, I used a bash script to do this for me. Here's the script:

# Tring to find a flag using ROT13
# Where $1 is cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_uJdSftmh}

echo "== ROT13 =="
echo ""
output=$(echo "$1" | tr 'N-ZA-Mn-za-m' 'A-Za-z')
echo "${output}"

The tr command is a substitution command, in this case, we will make the A to be N, B to be O and so on. This is the meaning of ROT13, it will shift each char 13 places:

It's bidirectional, so no worries of the ordering.

Running the script, the flag is revealed:

Answer:Flag
Flag : picoCTF{next_time_I'll_try_2_rounds_of_rot13_hWqFsgzu}

[Hack] PicoCTF: Low Level Binary Intro - Intro to Assembly

Falme Streamless — Mon, 18 Sep 2023 11:00:00 +0000

This PicoCTF Playlist section is called Intro to Assembly, the challenges will go deeper into assembly values, I've already played with some low level code like IDA and Microcorruption, but maybe it will be fun to revisit some concepts.

Bit-O-Asm-1

The first challenge is pretty simple, we have an assembly dump file, and we need to know what is the value in the EAX.

So, what is an assembly dump?
The files like and executable can be read as low level language, and this can be interpreted like a line by line command. This can be used for reverse engineering, taking these commands and transforming into C++ for example, so the users can understand and re-compile the original code.

With that in mind, the computer also have some registers, that store values for computer calculation, one of them is called EAX, and we need the value stored in them.

Here's the dump file:

<+0>:     endbr64 
<+4>:     push   rbp
<+5>:     mov    rbp,rsp
<+8>:     mov    DWORD PTR [rbp-0x4],edi
<+11>:    mov    QWORD PTR [rbp-0x10],rsi
<+15>:    mov    eax,0x30
<+20>:    pop    rbp
<+21>:    ret

The values in assembly works just like a variable in a programming language, so in line <+15> we have

MOV (move the value to)
EAX, 0x30 (from 0x30 to EAX, making EAX = 0x30)

But we actually need the decimal value, so we put it in our python script HexToDec.py, then we can have the answer:

python3 HexToDec.py 0x30

We take the result with picoCTF{value} and we have the flag:

Answer:Bit-O-Asm-1
picoCTF{48}

Bit-O-Asm-2

This one have the same solution and steps as the last one, actually all the challenges in this document have the same steps, with something more to it.

This one should teach that a value can be pointed to another address, in this case we want the value in EAX, but the value is actually a line above, that's because assembly can have relative addresses. The address is RBP(register) -0x4(minus 4 from the register address).

<+0>:     endbr64 
<+4>:     push   rbp
<+5>:     mov    rbp,rsp
<+8>:     mov    DWORD PTR [rbp-0x14],edi
<+11>:    mov    QWORD PTR [rbp-0x20],rsi
<+15>:    mov    DWORD PTR [rbp-0x4],0x9fe1a
<+22>:    mov    eax,DWORD PTR [rbp-0x4]
<+25>:    pop    rbp
<+26>:    ret

The solution is the decimal value of 0x9fe1a, so we put it in our python script HexToDec.py, then we can have the answer:

python3 HexToDec.py 0x9fe1a

Answer:Bit-O-Asm-2
picoCTF{654874}

Bit-O-Asm-3

This one teaches us operations, like multiplication and addition in assembly.

<+0>:     endbr64 
<+4>:     push   rbp
<+5>:     mov    rbp,rsp
<+8>:     mov    DWORD PTR [rbp-0x14],edi
<+11>:    mov    QWORD PTR [rbp-0x20],rsi
<+15>:    mov    DWORD PTR [rbp-0xc],0x9fe1a
<+22>:    mov    DWORD PTR [rbp-0x8],0x4
<+29>:    mov    eax,DWORD PTR [rbp-0xc]
<+32>:    imul   eax,DWORD PTR [rbp-0x8]
<+36>:    add    eax,0x1f5
<+41>:    mov    DWORD PTR [rbp-0x4],eax
<+44>:    mov    eax,DWORD PTR [rbp-0x4]
<+47>:    pop    rbp
<+48>:    ret

In this case we need to track where the EAX is/was, and can have the last result (because it will be modified through the dump file)

For multiplication and addition for Hex values, we will use python terminal and make the calculations there. Just type python in terminal/cmd and we are set:

At <+29> we have the set of value to EAX, value at address RBP-0xC
At <+15> the value to RBP-0xC is set to 0x9fe1a, making EAX=0x9fe1a
At <+32> the EAX is multiplied by the value at address RBP-0x8
At <+22> the value to RBP-0x8 is set to 0x4, making EAX=0x9fe1a*0x4 = 0x27F868
At <+36> we have the value 0x1f5 added to EAX, making it EAX=0x27F868+0x1f5 = 0x27FA5D

The solution is the decimal value of 0x27FA5D, so we put it in our python script HexToDec.py, then we can have the answer:

python3 HexToDec.py 0x27FA5D

Answer:Bit-O-Asm-3
picoCTF{2619997}

Bit-O-Asm-4

This one teaches us comparisons and branching code (also known as if, elseif, else) and jumps.

<+0>:     endbr64 
<+4>:     push   rbp
<+5>:     mov    rbp,rsp
<+8>:     mov    DWORD PTR [rbp-0x14],edi
<+11>:    mov    QWORD PTR [rbp-0x20],rsi
<+15>:    mov    DWORD PTR [rbp-0x4],0x9fe1a
<+22>:    cmp    DWORD PTR [rbp-0x4],0x2710
<+29>:    jle    0x55555555514e <main+37>
<+31>:    sub    DWORD PTR [rbp-0x4],0x65
<+35>:    jmp    0x555555555152 <main+41>
<+37>:    add    DWORD PTR [rbp-0x4],0x65
<+41>:    mov    eax,DWORD PTR [rbp-0x4]
<+44>:    pop    rbp
<+45>:    ret

At the line <+22> it compares(CMP) the values at RBP-0x4 address and 0x2710 and the result will be stored.
At the line <+29> it checks the Compare operation if the result is equal or less of the last values [other way to see is (RBP-0x4) <= 0x2710]. If it's true (if RBP-0x4 is less or equal 0x2710) then jump to the line <+37>, if it does not, then keep going through the line <+31>

This is kinda difficult to explain, but the J in jmp or jle means jump, that's kinda a GOTO another line. And the cmp is a Compare, something like an IF command.

Going step by step:

Line <+22> Compare the RBP-0x4 address and 0x2710 values
Line <+15> Set value at RBP-0x4 address to 0x9fe1a, making the comparison 0x2710 and 0x9fe1a
Line <+29> Compare if 0x9fe1a is equal or less than 0x2710, it is not, the statement is false, so No Jump happens
Line <+31> subtract (SUB) value at RBP-0x4 address by 0x65, making it RBP-0x4=0x9fe1a-0x65 = 0x9FDB5
Line <+35> Jump (jmp) to the line <+41>
Line <+41> Set EAX value as the value at RBP-0x4. So EAX=0x9FDB5

The solution is the decimal value of 0x9FDB5, so we put it in our python script HexToDec.py, then we can have the answer:

python3 HexToDec.py 0x9FDB5

Answer:Bit-O-Asm-4
picoCTF{654773}

[Hack] PicoCTF: Low Level Binary Intro - Warmup

Falme Streamless — Mon, 11 Sep 2023 11:00:00 +0000

I'm coming back to the PicoCTF Playlist challenges, and finishing the Warmup list. So in this text we will go through the challenges and solving them.

ASCII Numbers

For this challenge, I'll need to get a collection of Hexadecimal values and convert it to ASCII characters and reveal the flag. I could convert by hand, but I want to do a python script for that.

First, we need to Trim the Hexadecimal values like "0x30 0x40" to be a list array of only simple hex values like [30,40]. That's the code for that:


import sys

# Text like "0x30 0x40 0x50" convert to array
def TrimHexString(originalString):

    #Split the values to an array
    hexValues = originalString.split()

    # Check if need to trim the 0x from hex text
    for index,val in enumerate(hexValues):
        # If does have 0x, remove it
        if val[:2] == "0x":
            hexValues[index] = val[2:]

    #return final list array
    return hexValues

TrimHexString("0x10 0x20 0x30")

And then taking this list and concatenate to a whole string, like taking from [30,40,50] to "304050". Making possible to call the bytes.fromhex().decode("utf-8") so we can convert the hex to ASCII easily:


# Join all hex arrays to a single string 
def ConcatenateHexList(hexList):
    return "".join(hexList)

And then call everything with the first argument from command line and show the results of conversion with decode("utf-8"):


# Get the first value from command line to trim and join
hexConcatenated = ConcatenateHexList(TrimHexString(sys.argv[1]))

# decode the hex to ascii and show results
result = bytes.fromhex(hexConcatenated).decode("utf-8")
print(result)

and calling the command:

python3 HexToASCII.py "0x70 0x69 0x63 0x6f 0x43 0x54 0x46 0x7b 0x34 0x35 0x63 0x31 0x31 0x5f 0x6e 0x30 0x5f 0x71 0x75 0x33 0x35 0x37 0x31 0x30 0x6e 0x35 0x5f 0x31 0x6c 0x6c 0x5f 0x74 0x33 0x31 0x31 0x5f 0x79 0x33 0x5f 0x6e 0x30 0x5f 0x6c 0x31 0x33 0x35 0x5f 0x34 0x34 0x35 0x64 0x34 0x31 0x38 0x30 0x7d"

We get the flag:

Answer:ASCII Numbers
picoCTF{45c11_n0_qu35710n5_1ll_t311_y3_n0_l135_445d4180}

Picker I

This is a random number generator service, this one have a NetCat call from the PicoCTF servers, with that it also provide us a source code (python script).

Accessing the netcat, provides me a possibility to roll a getRandomNumber(), but always return 4. It's really random? We will never know.

Looking through the source file, we can check that the getRandomNumber() is useless, but it also has a method called "win()" which call a file called "flag.txt". Wait, we want that.

calling this method instead getRandomNumber, we receive a bunch of hex values:

Lucky us, we have a script specifically for that, so calling the command:

python3 HexToASCII.py "0x70 0x69 0x63 0x6f 0x43 0x54 0x46 0x7b 0x34 0x5f 0x64 0x31 0x34 0x6d 0x30 0x6e 0x64 0x5f 0x31 0x6e 0x5f 0x37 0x68 0x33 0x5f 0x72 0x30 0x75 0x67 0x68 0x5f 0x36 0x65 0x30 0x34 0x34 0x34 0x30 0x64 0x7d"

We have a result, and the response is our flag:

Answer:Picker I
picoCTF{4_d14m0nd_1n_7h3_r0ugh_6e04440d}

[GameDev] Unity3D, C# and String Security

Falme Streamless — Tue, 15 Aug 2023 11:00:00 +0000

This is originally a presentation to a company that I worked on but never had the chance to present to my co-workers (because it was ~Too Dangerous~..., it's not)

The original name of the presentation was Introduction to CyberSecurity (And why never put passwords inside code) as an introduction to security to the company and my co-workers.

What Will We Talk About?

I am a Unity3D developer and all the companies that I've worked on uses Unity3D/C# as the main Engine, so many examples here will be oriented to that.

So We will talk about:

What Is CyberSecurity (quick one)
What is Compilation and Decompilation
A simple decompilation and password reading
What is Dotpeek and How to use with Unity
Unity with IL2CPP and PlayMaker
Inevitability and Git
Conclusion
References and Other Links

Also, this text is for DEFENSE ONLY, many/most/almost all games and software programs have a document that you sign to use that you should not open the code of the game (that's what we will do today). There are many companies that release a game and in the next day the secret assets for Halloween or Christmas is all over the internet, making a hell for the marketing of the project that was hiding it to be a surprise, but more dangerous than that, having the API key available for players that can access the Ranking of a competitive game, cash or similar.

We are here to help you to prevent (but still possible) hackers to access what they should not. In this document case, the strings/keys/words inside your game.

But first, I guess you are "just" a Game Developer, so let's talk about cybersecurity!

What is CyberSecurity?

The definition of CyberSecurity reads as:

“Protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide confidentiality, integrity, and availability.”

There are many terms is this paragraph, but we will focus on:

Protection of information and information systems from unauthorized access : Where the information of a game is the data that shouldn't be accessed from players

And for knowledge of some aspects of this document: Confidentiality, Integrity and Availability (Most known as C.I.A.)

Where:

Confidentiality : Is basically giving access to those who should access that information and deny the access to those who shouldn't access that information.
Integrity : Means that the information that the user receive is reliable and no one modified it before or after the transaction. This guarantees that the information is 100% the same from the sender to the receiver.
Availability : That guarantee that the information need to be available at the time it is requested, so it needs to keep, for instance, a website on to access your game, a hacker doing a DDoS on your website (website is down) shouldn't happen based on the Availability principle.

But the Availability does not mean that the information need to be at all times available, just when it need and to those who should.

So How Were Protections in the Past?

Around the 1960s, there were only passwords and Physical protections, That means that the computer (accessible mostly on Universities) have a room with a lock on it that protects the computers to be accessed.

This makes things very physical and did not have something like antivirus or even the idea of Virus. But did not take too long to that be a reality.

Around the 1970s, there was the concept of Antivirus and Virtual protection, especially because the ARPANET was taking force around the country of the USA. But specially because a man called Bob Thomas created the first known virus: The Creeper.

Bob Thomas created a program that auto-replicated itself and spread through the network of computers, it did nothing harmful, just printed the text "I'M THE CREEPER: CATCH ME IF YOU CAN" on the screen.

The consequence of this creation, makes Ray Tomlinson to create a new program that eliminate the creeper program called "Reaper".

With that, we had our first virus (Creeper) and antivirus (Reaper).

Ok, The Creeper was actually a Worm, a self-propagate program through the network, but these names (virus, antivirus, worms) was not a thing until 1980s where the personal computers and as we know the internet was around.

With time, virus, worms, antivirus and similar has become more and more complex. Nowadays, information is more valuable than anything, and we need to secure it the proper way.

HACKERS!?

Hackers from the definition written by Wesley Chai:

"A hacker is an individual who uses computer, networking or other skills to overcome a technical problem. The term also refers to anyone who uses their abilities to gain unauthorized access to systems or networks in order to commit crimes. A hacker may, for example, steal information to hurt people via identity theft or bring down a system and, often, hold hostage in order to collect a ransom.

The term hacker has historically been a divisive one, sometimes being used as a term of admiration for individuals who exhibit a high degree of skill and creativity in their approach to technical problems. However, the term is also commonly applied to individuals who use this skill for illegal or unethical purposes."

So, many words, but we need to talk about some of the words used in this:

Hacker, before the cybersecurity term applied, was used for people who tinker code or make some mess that work for a program, or a clever solution for a limited system.

Hacker commit crimes is a misleading phrasing, we should separate in hats:

White Hat : Ethical Hacker, do not commit crime
Black Hat : Uses hacking for unauthorized access (usually cybercrime)
Gray Hat : Uses hacking for his own benefit, maybe some TI worker at day and cybercriminal at night for his own good

Wrapping it up, hackers can be beneficial finding security flaws on your system, your company (with permission to test your system, obviously) and find ways to make it more secure. But the same way can be beneficial, it can be harmful with cybercrime, stealing information, spying on unaware users, etc.

What is Compilation and Decompilation

When you, yes You, the game developer, makes a code for a game and need to release to the public (making an .exe for example) you need to make a compilation of your code. For simplicity, we will define as:

Compilation:
C# Code → To → Machine Code

The machine code is not readable by developers/humans. But if we have only the compiled code, and we need to read it, the process needed is called Decompilation:

Decompilation:
Machine Code → To → C# Code (Human Readable)

For this case, we will only make readable the C# code from the original program. Usually, the Decompilation must have the possibility to recompile the code to an executable again. That's the real goal.

A simple decompilation and password reading

When you pass through the decompilation process, maybe the final code is not the same as the original, but it surely acts like the original one. That's because in the compilation process the code (C#) need to be converted in another language to be processed to machine language, some (mostly) C# features are not present and need to be adapted.

In the example above, we have a original code that check if the password in a variable equals "S3Cr37"

void Start()
{
   if(pass == "S3Cr37")
   {
      Debug.Log("you have access");
   }
}

and after we passed through the process of decompilation, the code is something like:

void Start()
{
   if(!(this.pass == "S3Cr37"))
      return;

   Debug.Log((object) "you have access");
}

Kinda different, but they do the same thing, the low level code works as "Jumping from one line to another" so the decompiled code prefers to exit the method on a failed verification (that explains the return; call);

But we must not miss the point, our "Secret Password" is still visible, this could be your secret password, secret key or Secret Address for a page.

So, before understanding how to prevent, let's see how it works.

What is Dotpeek and How to use with Unity

We are using Unity as an example for this exercise, if you need, I'll be uploading the example project and the source code in the GitHub (But it's so simple you could do it yourself).

We will create a Unity project with the standard configurations, add a script to the default scene called "Secret.cs" with our secret code. Just that and make a Windows build (sorry Linux users D:)

Here's our build, Let's crack this Secret.cs;

But Hey, this is just amateur insecure stuff, right?

Not at all, many big games that you know have this simple insecure thing that make you able to read their code, here are some examples (Do Not do anything with these open codes):

(Take note about INSIDE, that have a +/-, this is a special case, we will talk about it as well)

The real danger is about the secret content that should not be accessible to the public/players.

With the build, now we need to download a tool called DotPeek from JetBrains. The tool is a decompiler, so we can disassemble the .DLLs from the Unity build.

Quick Stop to explain how DLLs works with Unity

For default, all the scripts that you (developer) create in the engine will be compiled in an Assembly Definition called Assembly-CSharp.dll, remember this name, it will be important in the future.

This makes Engine Unity Code stable and separated from the developer code. If you don't want all your code in one DLL, you'll need to create an Assembly Definition in your project to make it separated, but the references STILL points to Assembly-CSharp.

Ok, back to hacking.

After finished downloading DotPeek

After you download Dotpeek, you will need to find out if the target build is compatible to this attack. To know that, you'll need to find the build folder and find a DLL in the path:

\PathToBuild\BuildName\BuildName_Data\Managed\Assembly-CSharp.dll

If this path and DLL exists, your attack can be done. This happens because Unity have a standard option in Player Settings > Other Settings > Configuration > Scripting Backend called Mono

It makes build much faster, but sacrifices part of other things like performance and security.

So, enough talking, open your DotPeek, and select "File > Open" and select your target Assembly-CSharp.dll (I told you this was important):

After loading the project, you'll select the Assembly-CSharp field, right-click and select the Export to Project..., select a folder and wait for the decompiler to finish working.

After exporting, you will have the C# files from the original project to be human-readable (kinda different, but readable).

Congratulations, you got the secret password!

But wait, how can I prevent this?

Unity with IL2CPP and PlayMaker

A way to make things a little difficult for the person who is opening your code is to change the Script Backend to IL2CPP (Intermediate Language To C++) At "Edit > Project Settings > Other Settings > Configuration"

What it does is not put your code directly in to a DLL, but converting your C# code a Intermediate Language (Microsoft Intermediate Language) to C++ and then compiling to machine code.

Making this process, it will not create an Assembly-CSharp.dll

No problem with that?

Yes, there's a problem, and it's that a String is still a String. We will find our secret code again, but now with some Linux Bash commands.

With our new files compiled to the build, we need to go to the file "global-metadata.dat" at

\PathToBuild\BuildName\BuildName_Data\il2cpp_data\Metadata\global-metadata.dat

We will use WSL (Windows Subsystem for Linux), that's a Linux inside your Windows 10/11, if you don't have it, you can download it in the Microsoft Store, it's free.

With WSL, we will use this command to our file global-metadata:

strings global-metadata.dat | grep S3Cr37

Where:

strings lists all strings inside a file
grep Highlight/Only Show if an argument is true/found
S3Cr37 is the argument we want to find

With that, we can see that our Secret Code can be found in our build.

Well, of course we knew beforehand what was the code we need to find. But If we knew from previous builds what words to discard or if we use a wordlist to find relevant values, we can still find some interesting results, including our code.

Time for PlayMaker

First, I'm not saying that PlayMaker is safer, this is just a curiosity that make sense in this document.

PlayMaker is a tool for Visual Scripting, similar to Blueprints for Unreal, but not official for Unity. The curious case is that INSIDE uses it, and this makes their code not convertible to code directly, but converted to Assets.

This makes it harder to find information in the code from the previous techniques that we used.

The conversion of your code to Asset can also be used in different ways like:

Using Scriptable Objects: Where you put your key to an Asset
Using PlayMaker or Other Visual Scripting : Same as above, but this influences your developer team
Using External Services : Still using Scriptable Objects, but this one calls a service outside, keeping your data/access outside the game (We will talk about this one later)

In the case of the PlayMaker, what it does is to convert the visual scripting data into a resources.assets data. So if you decide to open the resources.assets file in a strings bash command (as we talked above) you will only get rubbish.

So, can it be opened?

Yes... Kinda... you'll need some fancy study and tools to do that, what I can tell you is how to show Assets in a build.

We will use a tool called AssetStudio. It's free and can be accessed in a Github repository.

As this example, we will take a project with PlayMaker and open it with AssetStudio:

As shown in the above image, we can find, open and export these PlayMakerAssemblies and PlayMakerFSM files to our system and maybe find something useful. I'll stop here about the PlayMaker, but if you want to know more, play with it, make your PlayMaker example code and try to find some secret content.

Bonus: AssetStudio is also used to find images, sounds, music, models, textures and every other thing that Unity categorize it as an Asset, that can be exported and read. That's how many models and information can be found so fast after a launch of a game.

Inevitability and Git

So... What we learned until now?

All options above was terrible
No code is 100% secure
What we are doing is only delaying the hacker to find the key

This can be resumed with the "Infinite Monkey Theorem" (Hiding the Monkey identity for security):

The theorem says that a monkey hitting keys at random on a typewriter keyboard for an infinite amount of time will almost surely type any given text, including the complete works of William Shakespeare.

With our case, what the hackers have is time, so, with time and patience, the hacker will find your hiding key (also it's not only one monkey if your game is published in Steam).

So how the hackers can find my key?

Here are some examples:

GitHub and Bitbucket files: They can access/hack the .git files at some point and going right in the source of your game, and this is not impossible, many games AAA had this incident, the Git example is only because there's also history of all your commits, making possible other attacks (maybe?)
Two-Factor Authentication and Obsolete login methods: Some users don't have Two-Factor Authentication, on GitHub, on Unity, on Google Play Store, on Steam, you name it. This makes sure that the login need your authentication. Here's a funny video of Gabe Newell asking to be hacked, but the Two-Factor Auth blocks it.
Low-Hanging Fruit: Making the basics is essential, but hackers love to go to those who don't do the basics, because it's easier to hack. So if you don't do the simple basics (like change to IL2CPP) they will use an automation code to find you faster.
Encrypted Strings and Code: Making encryption is good for everyone, to send email or to keep an access secret. But make sure to not keep the key de decrypt in the same drawer as the locker and make sure your encryption is good, because if it's just a ROT13 encryption, it will not make a difference.

Any other ways to make it more secure?

Use External Services like PlayFab: PlayFab is a service where you can put data, rankings and actually remote code, so if you need to send a score to a competitive game, you can have remote code to check if this is a correct (or viable) score to be added, but more than that, check if the transaction is legit, looking through data of the player and, if needed, banning them. This way your key/service is not in your game, so your build is safe.

This remote content can also be applied to game events content, where you can put a Asset Bundle (or Addressables) in a CDN server/service and release when the time has come, so the content Assets is not in your build (yet)

Permissions for Reading and Modifying: Make sure that some data in the server (sending requests to a server) cannot be modified if it should not be modified. It's easy to not pay attention to that because we don't think of the day when someone will delete/modify our data, but make sure this is true.
Do the basics and more: I see other fields like Software development or Web Development being so cautious about security (ok, not that much, but they make the basics) and game development make no case about that. And sometimes the solution is so simple. So take care of your project, do not keep any secret that shouldn't be read in your builds, specially if it is online, triple check it.

Conclusion and Recommendations

Let's recap:

Unity Builds with Script Backend as IL2CPP
No compromising strings inside Scripts
Use recommended protection for Git Servers (GitHub, Bitbucket, etc.) with SSH RSA Keys
If you need to register a value, use external services that have an authentication layer

Other Security Recommendations outside GameDev

Do not open suspicious Links or Emails (even from friends)
Activate Two-Factor Authentication for every service (Steam, Github, Google, etc...)
Use Antivirus (better than nothing)
Check if your password had been exposed (https://haveibeenpwned.com/)
Do not use personal accounts inside your company
Keep all softwares programs Up to date (specially Windows)
Common sense

Bonus: Can it be useful in Game Development?

Yes! This is a thing very common nowadays (opening builds and checking for secrets), you, as a game developer, can use this to add secret content in your games, or making a game where you NEED to open the game to find clues. But mostly is a content that is not necessary for the gameplay, just a joke for the hardcore fans.

And you can do it as well.

References (And other links)

History of CyberSecurity, Avast : https://blog.avast.com/history-of-cybersecurity-avast#the-1950s

A History of Information Security :
https://www.ifsecglobal.com/cyber-security/a-history-of-information-security/

Unity Assembly Definitions : https://docs.unity3d.com/Manual/ScriptCompilationAssemblyDefinitionFiles.html

Dotpeek from Jetbrains : https://www.jetbrains.com/pt-br/decompiler/

The amazing history of programming with Olga Stern : https://www.youtube.com/watch?v=bJWWbql0QIQ

Tutorial Inspecting Unity Exported Assets
https://www.vg-resource.com/thread-31141.html

Jacquard's Loom machine:
https://www.youtube.com/watch?v=MQzpLLhN0fY

How to Be a Hacker:
http://www.catb.org/~esr/faqs/hacker-howto.html

Search Security - What is a Hacker? :
https://searchsecurity.techtarget.com/definition/hacker

Unity AssetStudio :
https://github.com/Perfare/AssetStudio/releases

CyberSecurity vs Information Security:
https://www.simplilearn.com/information-security-vs-cyber-security-article

[Hack] CTF Challenge - VulnBegin Flags

Falme Streamless — Sat, 05 Aug 2023 09:00:00 +0000

Sometimes I find very interesting the puzzle of Capture the Flag (CTF), where I can use some of my time to dive into a problem that I have no idea of "How the heck am I going to solve this?". And then, after some hours, in bed, I get up saying "I know!!" and try my new idea, maybe it's right, maybe it's wrong, but it's very satisfying.

This one is about the CTF Challenge Website, more specific the Vuln Begin Challenge, with 9 Flags to be found.

In my case, the website will be relative from time to time (every time a new instance of the CTF challenge), so, for this document I'll refer to the URL as "mymachine.vulnbegin.co.uk/".

So, Here's my journey to find all the flags:

Flag 1

As the website says, "There's not much here!", no effective button, no form, no flags inside the Inspect element, So I need to do alternative ways to find the flags.

Usually I start looking for robots.txt, which maybe have some files or folders paths, usually used to filter these folders to not allow to be found from robots (like the Google search) and keep it secret.

So I looked in mymachine.vulnbegin.co.uk/robots.txt to see if it has some hidden file/path

So, with that info, there's a disallowed folder called /secret_d1rect0y/ . I go to the address and I have found the first flag:

Answer:Flag 1
[^FLAG^2B22E2CB70E218510802B0359488F6A2^FLAG^]

Flag 2

This flag was kinda problematic, I get the idea, but I will address the problem soon.

This one need to find a subdomain in the mymachine.vulnbegin.co.uk, but the subdomain is not easy to be accessed from bruteforce or wordlists.
For that we need to go to the crt.sh to search the Certificates from the vulnbegin.co.uk;

This image show a problem, that the address in the input is http://vulnbegin.co.uk/, but with the http:// or / at the end will not find the certificates that I need, and I wasted a lot of time in this simple string problem.

after changing it to only vulnbegin.co.uk I got the correct results with the subdomain that I was looking for:

With that I found the v64hss83 subdomain, and accessing the page v64hss83.mymachine.vulnbegin.co.uk we access the Flag:

Answer:Flag 2
[^FLAG^047524FE61AE6B5FD1D184994C7322FC^FLAG^]

Flag 3

Finding the subdomains of mymachine.vulnbegin.co.uk/, can be useful, and it's recommended in the useful tools page the FFuF to enumerate the subdomains, for that, I used the command

ffuf \
-w subdomains.txt \
-u http://FUZZ.mymachine.vulnbegin.co.uk

Where:

ffuf calls the application
-w subdomains.txt use a wordlist to scan
-u http://FUZZ.mymachine.vulnbegin.co.uk define the address to enumerate, where FUZZ word is the placeholder to test possible correct values

With that, it returns with a possible subdomain called http://server.mymachine.vulnbegin.co.uk

Checking the page, we find the flag:

Answer:Flag 3
[^FLAG^E858ED9649E57BECE9ACD1A4C60D3446^FLAG^]

Flag 4

The CTFChallenge Useful tools recommends the use of DNSRecon to check information about the mymachine.vulnbegin.co.uk/ DNS. So I run the

dnsrecon \
-d mymachine.vulnbegin.co.uk \
-D ./subdomains.txt \
-t std --xml dnsrecon.xml \
--lifetime 5.0

Where:

dnsrecon calls the application
-d mymachine.vulnbegin.co.uk set the domain to check
-D ./subdomains.txt uses the wordlist subdomains from the Useful tools page and bruteforce for information
-t std call for standard scan
--xml dnsrecon.xml export results to an XML called dnsrecon.xml
--lifetime 5.0 keeps the lifetime of scan to 5.0 seconds

With the scan, it reveals new information about the DNS and with that, the Flag

Answer:Flag 4
[^FLAG^BED649C4DB2DF265BD29419C13D82117^FLAG^]

Flag 5

After Calling the FFuF to find some hidden pages inside the mymachine.vulnbegin.co.uk/* I have found a page called cpadmin:

Checking this page, we can find a login page:

So the first thing to do is to do the basic login test: Put admin/admin in login and password. My surprise is that the result tells me that is an invalid password, but not login, so there's an admin user, I just need to find the correct password:

For that I'll use Hydra to brute force the password, the command

hydra \
-l admin \
-P ~/wordlists/passwords.txt \
mymachine.vulnbegin.co.uk \
http-form-post "/cpadmin/login:username=^USER^&password=^PASS^:Password is invalid" -V

will do the work.

Where:

hydra calls the program for brute force
-l admin set the login fixed as the word 'admin'
-P ~/wordlists/passwords.txt calls a password wordlist to test
http-form-post is the method-form for hydra to attack
/cpadmin/login: is the path to the login page address
username=^USER^&password=^PASS^ is the information body to send to login form requisition, where ^USER^ will be replaced by the user value and ^PASS^ will be replaced by the password value
Password is invalid is the identifier in page to check if the login was successful or not, in this case we are only checking for the password validation, as we know the login value
-V verbose flag, so we can see all the hydra attempts

After some tries, we found our secret password for login:

after inputting the correct password, we will be presented with the Flag:

Answer:Flag 5
[^FLAG^93D7491FB4B054FB5C5AC3E0292BE41C^FLAG^]

Flag 6

After making a login as Admin in the cplogin page, it says that a configuration file was available, so I will use a wordlist to find new content with the session cookie from login.
To do that I'll use FFuF to Fuzz the content of the page with a Cookie Header:

ffuf \
-w ~/wordlists/content.txt \
-u http://mymachine.vulnbegin.co.uk/cpadmin/FUZZ \
-H "Cookie: token=2eff535bd75e77b6c70ba1e4dcb2873"

Where:

ffuf calls the program
-w ~/wordlists/content.txt uses a wordlist called content
http://mymachine.vulnbegin.co.uk/cpadmin/FUZZ is where I want to find new content and FUZZ is the string to be tested
-H "Cookie: token=2eff535bd75e77b6c70ba1e4dcb2873" is the Cookie session to make the page think that I am logged in (actually the session cookie IS the thing that checks if I am logged in)

After making through all the wordlist, we found some pages:

Let's check the env page:

With that we found the Flag and some hint for the next flag

Answer:Flag 6
[^FLAG^F6A691584431F9F2C29A3A2DE85A2210^FLAG^]

Flag 7

The address server.mymachine.vulnbegin.co.uk has returned "Not Authenticated" from some previous flags, maybe with this new Header parameter "X-Token: 492E64385D3779BC5F040E2B19D67742" we can be authenticated in the server subdomain.
So using the command

curl http://server.mymachine.vulnbegin.co.uk/ \
-H "X-Token: 492E64385D3779BC5F040E2B19D67742"

and the new X-Token in the Header we can be Authenticated, and with that a new flag appears:

Answer:Flag 7
[^FLAG^0BDC60CC5E283476E7107C814C18DCCF^FLAG^]

Flag 8

With the X-Token auth value, we can re-scan for new addresses, but now as the Host being the server.
So calling the FFuF again to find content in the page but with 2 values on header, one being the X-Token to authenticate the access -H "X-Token: 492E64385D3779BC5F040E2B19D67742" and the Host as server -H "Host: server.mymachine.vulnbegin.co.uk".

ffuf http://mymachine.vulnbegin.co.uk/user \
-H "X-Token: 492E64385D3779BC5F040E2B19D67742" \
-H "Host: server.mymachine.vulnbegin.co.uk"

With these header values, we find a new access at /user/:

Accessing the /user/ page we find a JSON with the following information:

{"id":27,"endpoint":"/user/27"}

And accessing the /user/27/ page we find another JSON with the following information:

{"id":27,"username":"vulnbegin_website","endpoint":"/user/27/info"}

And accessing the /user/27/info page we find another JSON with the Flag information.

Answer:Flag 8
[^FLAG^7B3A24F3368E71842ED7053CF1E51BB0^FLAG^]

Flag 9

In the last Flag there was ID information in /user/27/info, that means that a user have the identifier in the Database as 27. That reveals that other users may be available for reading information.
The idea is to loop through the users until we find something useful or ideally the Flag.

For that I'll use a loop from bash to gather information with curl:

for i in {0..5}; \
do curl http://mymachine.vulnbegin.co.uk/user/$i/info \
-H "X-Token: 492E64385D3779BC5F040E2B19D67742" \
-H "Host: server.mymachine.vulnbegin.co.uk"; \
done

Where:

for i in {0..5}; make it loop the next action 6 times (starts at zero, finishes at 5)
do defines what action to do (next command will loop)
curl http://mymachine.vulnbegin.co.uk/user/$i/info -H "X-Token: 492E64385D3779BC5F040E2B19D67742" -H "Host: server.mymachine.vulnbegin.co.uk"; The command we saw last time, but now with $i in the place of the user ID, this will change to the loop number (from 0 to 5)
done identifier of finishing the loop command

After looping 6 times, we have our flag at ID 5:

Answer:Flag 9
[^FLAG^3D82BE780F46EE86CE060D23E6E80639^FLAG^]

Conclusion

This was a journey, many of the solutions I've seen before, but the CTF that have a correct sequence to find a flag, and other flag, and another flag... It's kinda motivating to find the next one (I also found 2 flags on VulnLayers, the next free CTF, but I'll not finish it so soon).

The CTF Challenge gives me a feeling of Escape the room games, where I find the solution of a puzzle, but also gives me a hint to what should I look for next.

But in the negative side, if I find the answer of a puzzle in a wrong order, it can be very confusing to finish the CTF/Escape the room as a whole. In the CTFChallenge case, I skipped the Flag 2, and found the result of Flag 3, 4 and 5, this makes the line of thought very hard to follow.

As a lesson, I need to have more patience and make my steps very clear, one foot after another till I reach the end.

[Hack] PicoCTF : GET aHEAD

Falme Streamless — Mon, 24 Jul 2023 09:00:00 +0000

Passing through the picoCTF web challenges, the chosen challenge is called "GET aHEAD", which means that's something about requests of a web page, maybe a GET request, or something in the Header parameters response.

First, let's look at the page:

A simple page that changes the background of the page.
If the user selects Red, the page background-color changes to red.
If the user selects Blue, the page background-color changes to blue.

First let's check the requisition on the Postman, maybe I can find something useful there.

First I did a GET Request, but nothing useful came in the header response. Playing a little with the options, I found the request for HEAD, and then tried to send a standard request:

With only that change, the response headers have the final CTF flag :

Answer:Flag

Flag : picoCTF{r3j3ct_th3_du4l1ty_70bc61c4}

That was a simple flag, to make the user learn that not only exists the GET and POST Request Methods.

[Hack] PicoCTF: Warmed Up

Falme Streamless — Mon, 17 Jul 2023 09:00:00 +0000

I'm starting to tackle the challenges of PicoCTF, a website/platform to test/challenge myself on Capture the Flag puzzles, learning the basics of cybersecurity and maybe make it useful for game development, web development and life in general.

So the first ones are very basic, the objective is to learn along, and for that, I'll be starting with the Playlists.

As it says in the webpage : "Playlists are collections of challenges, sometimes with readings or games, that are curated to help students learn a particular topic."

And I'll start with Low Level Binary Intro, that can be helpful with my current job (Game Development).

The first one is actually a game and a sanity check called "Obedient Cat"

Sanity Check is a simple test to check if everything is happening as expected on the basic level. In this case, I just need to download the flag in a file and read the content inside. There's a flag for this one.

After the sanity check, we reach the main challenge of this post, called "Warmed Up".

This challenge is really easy, just using the DuckDuckGo web search as "0x3D in decimal" should give us the answer. But I know that I'll need to use python in this playlist. So, I'll go further and create a Hexadecimal to Decimal converter in python.

I currently have Python 3.10.8 version. So let's begin.

The idea is to make a Hex string and each char value multiply by 16.

For example: 0xA9D = A*16*16 + 9*16 + D
That's the same as = 10*(16^2) + 9*(16^1) + 13*(16^0) = 2717

So first, I'll make a method to convert the single Hex char to a decimal number:

#List/Dictionary of numbers above 9
#To be called from a loop
associationList = [
            ['A', 10],
            ['B', 11],
            ['C', 12],
            ['D', 13],
            ['E', 14],
            ['F', 15],
        ]

def ToDecimal(hexChar):

    #First try the string/char range of numbers
    #If there's a match of the key, return value
    for item in associationList:
        if item[0] == hexChar.upper():
            return item[1]

    #Try to return a valid number, if not, return -1
    try:
        return int(hexChar)
    except:
        return 0

The Method ToDecimal(char) will make my value 'F' to be converted to 15, but also make my value '6' to be converted to 6 (as an integer)

Now I need to create a method that get the Hex value inputted from the user and convert it to decimal values and sum them.

import sys

def HexToDec():

    #Total Sum after calculations
    total = 0

    #Try to parse the user input, if cannot, show error
    try:
        #Go through all input chars backwards
        for x,char in enumerate(reversed(sys.argv[1])):

            #Multiply the respective position Hexadecimal
            #To the decimal value
            multiplier = ToDecimal(char) * pow(16,x)

            #Sum/Add to the final result
            total += multiplier

        print(total)
    except:
        print("Not valid arguments or missing argument")

HexToDec()

With this code, I can pass the Hexadecimal value through the parameters calling something like : python HexToDec.py 2e87 and it will return me 11911.

But after making many things that does not solve the original problem, let's go back and solve it:

I need to know the value of 0x3D in Decimal, and putting it in the python code it returns me...

> 61

So I just need to append the 61 to the format of CTF Flag picoCTF{61} and:

And that's it, a very super complicated solution to a simple problem.

Here's the final Python File