Vitor & Tania: My challenges for DEFCON CTF Quals 2019

Tags: #defcon, #ctf, #reversing, #crypto.

This is a quick blog post discussing two of the challenges I wrote for DEFCON CTF Quals 2019 (co-hosted with the OOO team): Vitor and Tania.


Vitor is a multi-stage Android reversing chall, Matryoshka-style.

This app is a classic crackme: it gets a key from the user, and it prints VALID in case it's correct.

There were five stages, each of which would somehow decrypt and load the next one:

Each of these stage would use some specific bytes of the input key, and players could determine the various bytes of the key by checking whether the next stage would decrypt correctly. One could then put all the constraints in Z3, which would then spit out the correct flag.

I've open sourced the service on github. Building this app was a PITA (see, but I take pride in my shellcode that decrypts a ROP payload that decrypts JavaScript. ;-)


Tania was a crypto challenge. It would ship as a binary, and it was quite obvious that it was all about breaking DSA. The bug: DSA was used with nonces that were linearly dependent. The intended solution was based on LLL / CVP (via Babai), see Section 4 of this paper. You can find more details in this nice write-up.

Tania actually had an unintended bug (which made it easier): to make the reference solution faster (I didn't want to frustrate teams with tons of computation), I intentionally made the nonces smaller, but this (unintentionally) opened Tania to biased nonces attack. Oops :-)

Tania also has been open sourced on github.