Flare-on Challenges

Posting this here. Some of the write-ups are incomplete but I don't really have time to finish this draft. Hope you enjoy the content nevertheless.

Chall 1

In script.js:

const CORRECT_GUESS = 57;
let rightGuessString = WORDS[CORRECT_GUESS];
let flag = rightGuessString + '@flare-on.com';

In words.js at offset 57 (index starts at 0): flareonisallaboutcats

Chall2

Coords are displayed in window title (4,31) in screenshot below:

Coords go from (0,0) ~ to (740,640) -> 0x2e4 ,0x280

Actually when we look in code: 0x2e5 is max

In WinMain; Lumina gives us the Window Register class method

We use RegisterClassExW to register the window class using it's handle; We also have lpfnWndProc which will be the Window's callback; basically the function that will handle all events in the window. A cleartext code example can be found here: https://learn.microsoft.com/en-us/windows/win32/intl/registering-window-classes

I called it window_main_func as this is basically the function we're interested in;

There's a couple of snprintf_s that are used to create the buffer displayed in the title of the window. SetWindowTextA is then called to display this buffer.

We have 10 attempts:

A couple of compares to FLA and REON strings:

Offset below:

We can find x and y by solving:

0x52414C46 % x = 0x9d

0x6E4F2D45 % y = 0x5e

However, it's faster to break on the right offset and change the value of the remainder. This will trigger the image decryption function and we get:

w1nN3r_W!NneR_cHick3n_d1nNer@flare-on.com

Chall 3

sdl_setup

gimme flag pls? loaded in memory for out strcmp

SDL eventlistener loop

hit_flag

UDLR init

UDLR sequence

strcmp + decrypt_flag

flaggy_flag

Chall4

argument length comparison

defo a key

loopy_loop

decompyled loopy_loop

cyberchef recipe

flagy_flag

Chall 5

We see a xor with 0x45

xor with 0x45

We decode that to POST