Vitor & Tania: My challenges for DEFCON CTF Quals 2019
This is a quick blog post discussing two of the challenges I wrote for DEFCON CTF Quals 2019 (co-hosted with the OOO team): Vitor and Tania.
Vitor
Vitor is a multi-stage Android reversing chall, Matryoshka-style.
This app is a classic crackme: it gets a key from the user, and it prints VALID in case it's correct.
There were five stages, each of which would somehow decrypt and load the next one:
- Stage 1: "traditional" Android app, which would decrypt, load, and execute:
- Stage 2: DEX / Dalvik bytecode, which would decrypt, load, and execute:
- Stage 3: shared object (x86) file, which would decrypt, load, and execute:
- Stage 4: ROP payload, which would decrypt, load, and execute:
- Stage 5: JavaScript, which would interact with Stage 1 via @JavascriptInterface.
Each of these stages would use some specific bytes of the input key, and players could determine the various bytes of the key by checking whether the next stage would decrypt correctly. One could then put all the constraints in Z3, which would then spit out the correct flag.
I've open sourced the service on GitHub. Building this app was a PITA (see build.sh), but I take pride in my shellcode that decrypts a ROP payload that decrypts JavaScript. ;-)
Tania
Tania was a crypto challenge. It would ship as a binary, and it was quite obvious that it was all about breaking DSA. The bug: DSA was used with nonces that were linearly dependent. The intended solution was based on LLL / CVP (via Babai), see Section 4 of this paper. You can find more details in this nice write-up.
Tania actually had an unintended bug (which made it easier): to make the reference solution faster (I didn't want to frustrate teams with tons of computation), I intentionally made the nonces smaller, but this (unintentionally) opened Tania to a biased-nonce attack. Oops :-)
Tania has also been open sourced on GitHub.
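Why the linearly dependent nonces described above are fatal for DSA, as an added example that is not code from the challenge or its reference solution. It covers only the simplest case, where the relation k2 = a*k1 + b (mod q) is fully known (an assumption; the challenge's intended solution needed LLL / CVP), and the group parameters, key, hashes and coefficients are all constructed toy values.

```python
# Added example. Toy DSA group: constructed values, far too small for real use.
P, Q, G = 607, 101, 64   # Q divides P-1; G = 2^((P-1)/Q) mod P has order Q

def sign(x, h, k):
    """Textbook DSA signature on hash h with private key x and nonce k."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h + x * r) % Q
    return r, s

def verify(y, h, sig):
    """Standard DSA verification against public key y."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    return pow(G, h * w % Q, P) * pow(y, r * w % Q, P) % P % Q == r

def recover_key(h1, sig1, h2, sig2, a, b):
    """Solve for x from two signatures whose nonces satisfy k2 = a*k1 + b (mod Q).

    s = k^-1 (h + x*r) gives k_i = (h_i + x*r_i) / s_i. Substituting both into
    the nonce relation leaves one linear equation in the single unknown x.
    Returns None when that equation is degenerate.
    """
    (r1, s1), (r2, s2) = sig1, sig2
    if s1 == 0 or s2 == 0:
        return None
    w1, w2 = pow(s1, -1, Q), pow(s2, -1, Q)
    denom = (r2 * w2 - a * r1 * w1) % Q
    if denom == 0:
        return None
    return (a * h1 * w1 + b - h2 * w2) * pow(denom, -1, Q) % Q

def demo(x=57, k1=33, a=3, b=7, h1=20, h2=45):
    """Sign two hashes with related nonces; return (y, sig1, sig2, recovered x)."""
    y = pow(G, x, P)
    k2 = (a * k1 + b) % Q          # the flaw: k2 is a known function of k1
    sig1, sig2 = sign(x, h1, k1), sign(x, h2, k2)
    return y, sig1, sig2, recover_key(h1, sig1, h2, sig2, a, b)

if __name__ == "__main__":
    y, sig1, sig2, x = demo()
    print("signatures verify:", verify(y, 20, sig1), verify(y, 45, sig2))
    print("recovered private key:", x)
```

Both signatures are individually valid, so verification alone never reveals the problem. Nonces drawn independently and uniformly from [1, q-1], or derived deterministically as in RFC 6979, leave no such relation between signatures.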