#rev

dice is you level 4 : done with a little bit of thinking
dice is you level 5:

lmao

what happened to the teletubbies

Looks like they formed a black metal band

the teletubbies have had enough of kmh's tyranny

why the first four levels is kinda the same but the last one isn't and it doesn't give a hint on how to?? of dice is you. like what?????????????????

oh we were gonna have all 5 levels be a direct copy but were worried about copyright infringement

maybe it is as easy as the other 4 but we are all dumb 🤔

the 5th one is the actual challenge i think

the rest are just warmup

it does seem like something is missing when i look at it

I thought 5 was the easy one

(disclaimer: i know basically nothing about the challenge)

it would be hard to call it a "reversing" challenge if it didn't make you reverse engineer the game

still doesn't make sense but ok

👀

lost in your eyes blooded

finally solved it, was a pain in the ass 😅

to be more clear, it's not possible to solve without understanding the game code

:oooooo lost in your eyes solve

🆗🍎🍵

so where is the noob stuff at cuz i know this cant be it. lol

rip i spent a few hours on lost in your eyes yesterday

babymix should be easiest

procedural should also be easier although no solves yet 😠

lol

am i missing some software to open that file??

@oblique zephyr am i missing some software to open that file??

it's mentioned in the description

Hello, can I pm an <@&805956149504770088> about Dice is you? 😄

that'd be harry

@oblique zephyr also don't ping all organizers for a specific challenge

Yup, sorry 😅

admin for guess_the_vuln ?

@sly quartz

dm me

@manic heron

tfw you beat dice is you but no flag 😢

.

yeah it was a cheese solve...

Do you need to 'break' dice for level 5 solve?

no, it's possible to break it and "win" but you wont get the flag that way

That explains the 'win' but not actually win... Thanks

😅 I won but do't get flag. Any hints?

figure out how the game works

can't believe you expect me to reverse for a re challenge 😠

The first 4 levels kinda made me forget it's a re challenge 😛

I think I got a flag for babymix but the website won't accept it

but the program says it's correct

same

did you wrap it with dice{} ?

yup

pm me

can I ask something about dice-is-you?

pm me

ok

Can I ask something about dice is you too

pm me

Did you use any kind of script to generate that material or did you do it all by hand 😬

for procedural?

Yeah, just curious as its crazy complex

by hand 😎

I hope someone solves it soon

@sly quartz can I ask something about guess the vuln

just dm

gotit

the write ups will be published on this server ?

admin for babymix

<@&805956149504770088>

dm me

please don't ping all the organizers

@oblique zephyr for dice-is-you

Hey @oblique zephyr is offline can anyone else give me a hint for level 4?

wtmoo

just think harder

level 4 isn't even rev

Thanks, I guess?😂

Yeah Idek what rev means. Im just winging it.

Can I get an admin to check babymix for me

he's asleep so dm me

Just got a quick question for dice is you, what does "sice" mean?

sice is what you do to deets

huh?

My procedural solver stack overflows

o cool how much rep does it have

babymix hurts me

"sice" is east-coast US slang, in this case it means "win"

Thanks! I kinda thought it meant something like that.

sice is slang?

Dang

idk if it's slang but it's definitely regional language, I'm from chicago and I had never heard it before meeting east-coast people

its nova slang

try using a bigger stack ;p

I finished Dice is you and didn't get the flag, I'm very disappointed 😢

.

dice is you hurts my brain

It’s so buggy

intentional bugs to increase the difficulty of reverse engineering

yeah, the undo bug was an accident and I was planning to turn it into a separate pwn challenge but ran out of time

smh harry literally leeking

sice is not east coast slang it's poortho slang

TRUE

sice me deets

unclear answers

what is deets 🤔

deets are things that are siced

what happens when you sice the deets

deets are siced

^^

how does one obtain deets

ok

so what is sice?

what you do to deets

🤔

can you only sice deets

or can you sice other things

who is mr. deet sicer

I am not sure if you can sice other things

but I know you can do other things to deets

o sice is actual slang

poortho wasn't lying

i just checked urban dictionary

maybe poortho added the urban dictionary entry

deets is also actual slang

or yea, poortho just added them

No sice is from th

Tj

I just siced it

what isn't from tj

#1 high school

wtmoo

"commonly used in the DC MD & VA area (DMV)"

omg the DMV

pennsylvanians not welcome

😠

@sly quartz you don't like pennsylvania?

it's got the appalachians, snow, probably otherthings

construction too

yeah idk only been once

but I wouldn't mind living up there

(lambda _:_(_))((lambda _,__='': _(_,__+'why no lambda solve >:(\n')))

I just figured out how lost 👀 work

I HATE YOU SO MUCH @sly quartz

Lol

😡

lmao

lmao

working on it!

😉

author of "rev/Guess the Vuln" is here ?

asleep

@sly quartz

ok

I think there is uninteneded bug

hmm can you dm me anyways lol

@oblique zephyr Does flag match format on lambda

yeah, flag is normal format, the program expects you to entire the entire flag including dice{ and }

at level 5 on game you need the become a check ?

How to open babymix file?

./babymix on linux

It says permission denied

then probably sudo ./babymix

no

chmod +x it

sudo doesn't even work here

😏

youre right about that, thought trying to execute a nonexecutable would give another error

for Dice is you: What just is the goal of lvl 5? its like going from sort of maze in lvl 4 to a ... Math? Checkers? I have absolutely no IDEA what the goal is this time around

it's almost as if you have to reverse engineer the goal

That'll be above my skill level then. A shame. I was getting all kinds of weird stuff happening but nothing was working.
Probably a some bugs I found.

Lol beating all the levels was pretty easy just because "z" is really buggy, but you sadly don't get the flag that way

Aye. I was thinking it had something to do with it, but that illusion was dispelled in lvl 4 already.

?

You can bug your way through every level

"z" is bonkers

even the main menu is breakable and you can escape the box

I first thought that was like the real objective

"you found the secret level"

🙂

I think I know how to beat level 5 the intended way though

I don't have the slightest Idea. I mistook it for a puzzle i could somehow solve, but i don't have any real technical knowledge. reverse engineering is just something i can't do.

diceisyou when real levels released??? @oblique zephyr ?

if anything, im already admire how the game mechanics are implemented

thank inspiration you are tkoa

May I ask a question about the challenge procedural?

chall author is asleep rn but you can dm @oblique zephyr and he should answer when he wakes up

thank you 🙂

where is the noob stuff??

there isnt any

i already looked

unless i just holy suck at it all

glad not to be alone then

There isn't any noob stuff, Even the misc 1 requiers a bit of searching 🙂

Lambda makes some very nice patterns if you add debug statements and zoom out

so this ctf is a lie then it said noob stuff would be here lol wow. what a way for me to start this

there are a handful of easy challenges!

there definitely is noob stuff

look at babier csp to start

idk guys wheres my caesar cipher

admim for re babymix, please?

wheres my baby kernel heap pwn

dm @toxic locust

show me these so called noob task

@true finch

the webs are pretty good for beginners, give those a go maybe

sanity

Babyrop

Babymix

Babier csp

none of those has a how. so you already have to know how to start it

yes. you have to figure out how to solve the challenge

but the baby challenges (especially babier csp) can be solved with a little bit of research

sanity check

nevermind you dont get it because your not a noob

You can definitely solve babymix by googling a bit, even if you don't know much.

I am still a noob at reversing but I did it. You just have to look around, google for keywords etc.

We solved it even though we knew next to nothing on the vuln
Research did it all

babymix is a good noob challenge

i already got the hint for that one but it requires something that i have to signup for just to access it. i dont sign up for things am only going to use once then delete it. now they have my email forever bugging me no sir

You don't need to sign up for anything to solve babymix

Except the CTF itself I guess

do you want to work through babier csp together 🙂

sure

if am not tripping the fie is only one that can be read by something special right???

not trying to give it away if i can

dm aplet and you guys can walk through

wonder how many dms from people who haven't solved he is going to get

does anyone want to walk through the forest together 🙂
it's a nice thing to do when feeling frustrated

There are multiple tools that work, some free some not free. Just google for the topic and related terms. Watch some videos, etc.

all of ctf is just guided googling tbh

lol

i still dont know what to look for??

site:ctftime.org ftw

quick question can these ctf be done on windows?? or do i need a special machine??

most problems can be done on windows

is it better to use Linux off the jump or????

and for the problems that do require linux almost all of them can be done on wsl (windows subsystem for linux)

just use whatever operating system you're most comfortable with

I believe I have the correct flag for babymix, but it's telling me it's wrong

Dm

Hi will the writeups be published here , thanks

ctftime.org

@woven sapphire i have full rop chain in babyrop, but it works only locally, your server give me no response when i am calling dir

Got EOF while reading in interactive

you crashed

tfw sudo python

josh is the admin, not me 😔

tfw #rev

joshdabosh is the author for babyrop, direct any questions to him

1. babyrop isnt a rev chall
2. fizzbuzz isnt the author

1. tux is a penguin
2. hi tux

@digital zephyr

just put me in every challenge description next year

o right you're in the challenge description

consider asking your question in #pwn

josh literally throwing

ok fizzbuzz

dicectf 2021:

"just put me in every challenge description next year" - FizzBuzz101

it is 2021

🤔 I just beat level 5 of dice is you but I didn't get a flag

.

Ah, I see

ono

hello, I am trying to solve re-babymix, I am sure its for noob but I am a noob too, so do you have a educational content that can help me to train myself

dm

Hey @sly quartz . We just finished lost_in_your_eyes and god damn, this is probably my favourite RE challenge ever. Good job designing that beast!

ty

agreed. sooo much fun compared to all the yet another statically linked c++/rust binary challs

Re channel? What about the REEEEEEE channel?

got you covered

Hello, we have issues with rev\procedural, but admin is sleeping. Can i dm anyone?

I can try to help

I can fail to help

I'm awake, pm me

sorry, forgot to switch status

dm me if you have questions

our team member already talking with you, thanks

👍

When write ups will be available?

still 1 hour left!

Anyone can release writeups after the CTF ends; organizers may or may not do so as well

I am tired already

If they wont, then fuck them😋

wtmoo

wtf

lmao

i agree

xD

Okay I'll start working on sanity check writeup 👍

Why would you make CTF and dont release write up if there is no any

hey thats my job

for the challenge

one way to guarantee writeups is to make your own!

(re adult csp)

hoy

https://ginkoid.is-inside.me/SbHzTh8y.png

is this leek

yes

what if my screen is really wide

and it's actually super long

:hyperthonk:

I dont want to solve somebody's morbid fantasy tasks

what

shame

what

perhaps CTF is not for you then?

so true queen

uh

are you using a translator

i feel like something is being lost here

so true

tbf aplet is a self-proclaimed masochist

LMFAO

@heavy drum 🤔

🤔

here just for u canvas

only for one sentence

there's a flag hidden here: 5b0efa5dd715b0541b40c9fcbc6a5fc29a58c83ec4bfa01e2a326280a679d06c

if you solve i'll venmo you $20

inb4 /dev/urandom

im on windows there's no urandom

nah it's /dev/random

this is a fantasy chal because if you solve you will have surpassed the god of guess god

ok tark

unless neptunia counts as guess god

not random bytes ™️

I'm on windows too

https://ginkoid.is-inside.me/OVhw7YZA.png 🙂

what is

that url

ginkoid.

is inside me

wat

I've been using this for every screenshot

how did nobody notice

i have not been here

willwam do you have a problem with that, huh?

no

quintec?

i dont

i think its kinda nifty

ok that's what i thought

epic

can ginkoid be inside me

wtmoo

ok I did this as a meme partly, but it is genuinely faster than imgur so I just never switched back

👉 👈

wait what it was ironic?!?

Why do people use their custom domains and not just snipping tool 🤔

^

I can share 100mb

sometimes the image is too big for discord

with link

^

my monitor kinda massive

chonk

Smh just deepfry it

also custom urls are fun https://brown.ee/15YLOeo7.png

also sometimes I want to share screen recordings

and those are way over 8mb

usually

o i should set that up

just streamable

yea I use sharex

it's nice to have everything in one place

🙂

rip sharex

Lol, take your $20 and give it to the orphans. If you're doing these kinds of tasks, I'm starting to question your adequacy

wtmoo

wtmoo

@somber ravine

you're right. he's just doing it to hide his imposter syndrome.

👀

true

ptom you didn't even write any challs smh

stop, my imposter syndrom is kicking in

maybe i should get a sharex domain

hey no afk shaming!

I uh

offered moral support 🙂

me too

i talked to people

because apparently no one else wanted to

cough @woven cargo

sounds about right

🦥

lmao ginkoid is inside me

🙂

sharex vs greenshot

should i switch

flameshot

to sharex

sharex good

sharex 🙏

flameshot is p good

windows shift s 💀

can win shift s do screen recording????

maim 🙏

maim pepega

maim is the best

maim is like scrot but the name is less sus

no which is the only reason i am considering using sharex

YIKES LMAO

escrotum is like scrot but the name is more sus

wait escrotum does recordings hmmmmm

I wonder if you can repeatedly maim for screen recording

probably terrible for performance

no you can't

literally no way that works

wynaut

https://ginkoid.is-inside.me/eP0A71sP.mp4

sharex so good

wait that circle is so perfect

omg panda how did you draw that

idk

omg panda

guess I'm just a god

your hand must be so steady

#rev btw

wtmoo

you should use ur drawing table to click the ui

this is re

then put ur drawing tablet away

how to re that circle

then try to close xournal

how was it done

lol

I hate that bug so much

gtk :notlikemeowcry:

https://ginkoid.is-inside.me/tRTt9FGB.mp4

W

I use syncthing 👀

I have a $5 vps

that I use so sync and backup

omg

What's the lambda flag? 😂

post writeups for any of them ty

dice{Al0nz0_Churc4}

not dice{Ml0nz}

oh no

lol

we were so close

https://cdn.discordapp.com/attachments/226177449531015169/807726085457313872/DeepinScreenshot_select-area_20210206133453.png
fun from lost in your eyes

what was the "Guess the Vuln" challenge flag?

nice blender challenge

I really wanna see a writeup to procedural

n0w_m4ke_a_d0nut!! for blender

I had a z3 solver that sort of worked but it ran out of memory if i had all the iterations and layers on

for procedural I pulled everything out to psuedocode

an then i generated every single valid path per the 7 things

Did you have to recognise some kind of algo?

dice{obviously_just_brainf_in_header_in_options} for guess

anyone got a writeup for the dice-is-you

Bruh just bruteforce it

and then I tried each one in each of the flag checker outputs

I want one for Dice is you, I was so freaking close but couldn't figure out how to bruteforce quickly enough the 25 positions

and I narrowed down the possible paths to those that didn't ovelrap + generated valid ascii

and that gave me about 40k possible flags, and then I just looked at them

what was the intended solution? I used a simple timing side channel p = chr(ord('0') + i) + '{j}' , but it wasn't very reliable

I realized that ~{} checks if the value is 0 and times out if it does

so I created a table of how each letter could be 0, then brute force each one

hey, does anyone have a writeup for the babymix?

so 00000kkkkkkkkkkkk~{} times out because d is the first character, but 00000kkkkkkkkkkk~{} doesn't

you could also extract knwon character

there's probably a better way

decompile in ghidra, solve it using z3

I just I knew what worked

but at the end ... ~{} was the way

yeah I want to see the z3 part

the blender one was annoying because I kept getting results that were technically valid but not printable results

thanks!

did you guys appreciate these reroutes

I spent a good 5 minutes organizing these :3

Was the intended method to just brute the connections?

import angr
import claripy

flag_len = 22

proj = angr.Project(
    'babymix', 
    main_opts = {'base_addr': 0x0}, 
    load_options = {'auto_load_libs': False}
)

flag = claripy.BVS('flag', 8 * flag_len)

state = proj.factory.entry_state(stdin = flag) 

for i in range(flag_len):
    state.solver.add(flag.get_byte(i) >= 33)
    state.solver.add(flag.get_byte(i) <= 126)

sm = proj.factory.simulation_manager(state)

sm.explore(find=lambda s: b'Correct' in s.posix.dumps(1))

print(sm.found[0].posix.dumps(0))
print(sm.found[0].posix.dumps(1))```
simple babymix solution using angr

yeah i solved it with angr too

I just solved it in z3

Can you send your solver? Mine runs out of memory

Yes you

We got this dice{Ml0nzz_Cmurcs} almost the same 🙃

I can once I make it not super ugly

Is mine

If I reduced the iterations in Memes and turned off a couple of inner layers it seemed to finish

oh nice, i didn't know about z3 :/ tried to write my own solver but it didn't work lol

I had problems with setting Meme1 to 667 so I had to run it on 640

@deep fox you can chuck all the equations into an array and add that to z3

for procedural, each connection was doing x^a mod N then x^b mod N and it just so happened that there were perfect keypairs (a,b) that were valid RSA keypairs with a modulus of 667

as it turns out there were also ways to solve with mismatched keypairs, need to do more math testing next time ...

Is there a dice is you writeup?

lol looking at lost in your 👀 writeups I'm kinda sad I didn't get to do this chall

source code for dice is you when @oblique zephyr

I liked making it

btw my tooling for lost in your eyes was

google sheets

pepega

thonk

I'll release later today probably ;p

sice

the challenge reminded me of befunge a lot

here is some of the bound checking

o hm it does kinda look like befunge

guess I'm an esolang writer now

did you actually not have befunge in mind when you wrote this lmao?

no

but also there are only so many ways you can make a 2d vm

inb4 hbcht vm

4d vm coming soon

also here's some unholy code from my input

well its diff than befunge in that you like registers more than stacks

4d is twice the d of 2d

clearly

i copied a befunge interpreter i wrote a few years ago as a basis

Was it possible to solve dice is you without modifications to the game? I couldn't pass all the checks in "_flag_rules"

we actually had 2 interpreters since not_really wrote his own tooling too lol

for some reason the maze solving code is harder than the actual maze program

yes

you had to solve it that way for it to give you the correct flag

How did you get all the ">>" lighten up

what was your solver?

someone post the video

basically my sol involved just sticking the coordinates in the input section since the valid opcodes (due to being in an enum) are actually quite small

which means

the coordinates are valid opcodes

lmao

why didn't yo ujust

stick the entire grid into code

hm true I could've

like a very obvious ploy

now that's a juicer

but this is also pretty fun

you even made it like super easy

to do that

yeah I gave a lot of space

to be nice

I didn't want to have

esoteric 2d vm golf

yeah we just copied the grid and read from it

r4-r5 even was the registers that pointed to the top left of the grid

can see in that image i posted earlier

mby I should've had esoteric 2d vm golf

Ok, not enough code "research" from my side D:

yeah basically did same here

I did this to make it easier to read the coordinates

LMAO

but eh, dice is you code was pretty readable after transformations

is that ghidra?

ghidra can wasm now?

yeah I was gonna say

no thats

I had a lot of empty space leftover

like a lot

wasm2c

the only wasm plugin I know is outdated

or something liek that

yeah that plugin is broken also

oh, wasm2c actually works?

well you get code like that above

wasm2c then compiled without linking and decompiled with ghidra (to reduce garbage and repetitions)

it probably works better in this case because dice is you was written in C ;p

make sure to do it with -O3 or -Os

rust wasm 👀

what is this

I did diceisyou with only wasm2wat and wasm-decompile

also thanks @oblique zephyr for not stripping

that sounds weird but okay

:thonk:

lol

weird that lambda was solved less than e.g. liye

yeah imo lambda and procedural were both easier than dice is you

here's my version of that code

tfw some people thought that lost in your eyes was a 256*256 long linear vm

and that certain instructions just made you jump 256 opcodes

next time do a 3d vm

TRUE

lmao

hey

tooling for a 3d vm would be

painful

there was that ctf a while back

use blender :^)

code it in blender python

hardest part was getting trolled by disassembler offsets

maybe when I get my holograph projector in the mail I'll make a 3d vm

yes

where it looked like that

some ctf that converted each cell of some befunge like code and jitt'd it into assembly

originally my conditional jump did not check for direction modifiers in the opposite direction

so stuff like ?<. was allowed

but then I'm like

what if some guy

finds a way to jump the wall

and that somehow prints a smiley face

so then I decided to add the check

lmao that's what I was thinking lmao

it's probably not possible but I don't wanna risk it

yeah i would have tried to jumped the wall lol

i thought about it

I wrapped the smiley face printing in exits as well

so maybe I should've gotten rid of the check

because honestly

finding a way to jump the wall

with a smiley face printing mechanism wrapped in exits

you kinda deserve the flag

yugge calling it the "death box"

I approve of this name

i call it

the sandbox

my emulator 🙂 (green is PC, red is memory that was written)

this sol is closer to what I had

I even had stepping, continuing and breakpoints implemented 🙂

store the coordinates in an array then loop through and find it

wow, that's quite complex

I was too lazy and just did a plain lookup

yeah my code got a bit complicated

overall this challenge was really fun to write

wow a lot of the symbols you chose to represent the opcodes kinda matches mines pretty closely, except for a few of the more esoteric ones

tbh dice is you was simple if you just plugged firefox's debugger and added a BP on _check (or something similar) and then blackboxed everything

yes, I noticed 😄

especially the capital letters

how are you debugging wasm in firefox

F12

6d vm when

dang you guys went for the single letters

way to actively harm readability

you can add breakpoints, watch variables etc, and in this challenge you had symbols (i.e. function names)

ok mr semicolon man

is this something new? I still don't see an option to do that

wasm tooling is getting too good ;p need to write harder challs

nah, it's pretty old AFAIR

sourcelessrustwasmrev

it was simple cause then my disassembler/assembler was just a few lines long

ono

maybe you just can't find it ;P

this is at most what I see

Anyone tried using ghidra for decompiling wasm?

I couldn’t get it working

.

i really wanted to write a plugin to decompile wasm but sadly no time 😦

Ah yes, I used wasm2c as well, with some tuning

that the right place. just F5 while having the dev tools open

saw ghidra_wasm repo but couldn’t find a guide to compile it 🤣

yeah no it's also broken

it doesn't compile

it breaks with loading wasm files

basically broken and useless piece of junk

🤔 why don't they just say that

you expect people to go like "my code is trash"

I just ran wasm-decompile and then threw the input into closure compiler to get rid of the useless variables

doesn't look too bad

last time I used wasm-decompile

tfw I put "don't fuzz the challenge" in guess the vuln's description and people still fuzz it

I guess the title is too tantalizing

i thought I still had to do a lot of fixing stuff

so i just did wasm2c -> gcc -> idapro

dang what are these esoteric wasm workflows

compiling to decompile

ig gcc optimization is nice

^^^

if it works it works

yeah ... the problem with wasm-decompile is it still generates A LOT of tmp vars

and it doesn't compile back into gcc to clean up some of that

hence closure...

yeah hmm maybe that might work

have you looked into https://github.com/facebook/prepack

problem is

i don't even know what the language that wasm-decomp generates that could parse and optimize this

just remove the type after the variable and it looks mostly like javascript

also if you ever read the wasm language specs

it reads almost like an academic paper

if you ever read the haskell language specs it reads exactly like an academic paper

if you ever read the risc-v specs it looks exactly like an academic paper

the wasm spec is actually super clear though

really nice spec imo

actually for riscv not so much

err not as much as wasm specs

yeah it is clear, because it's super duper specific

Chrome can debug wasm with symbols too

dice is you but stripped

hmm sounds like "dice is two" for next year...

oNo

   di
   ce

di is you
ce
   
   two

https://cdn.discordapp.com/attachments/780905590313975808/807913710471217173/unknown.png

dice if you vm???

TRUE

people have made some scary things in baba is you

brute force approach worked for the lines with partial info, but not after that ^^

is there a concise "this is what the rule is"?

like can you derive the rule just from observing relationships between the symbols? or do you have to RE it out

each symbol had a number representation. for each line, it put those numbers into a function and checked if it was equal to 0

42 * (a & 255) + 1337 * (b & 255) + (c & 255) + ((c & 255) ^ (d & 255)) + ((e & 255) << 1) & 255 == 0

i see

there are many possible solutions for a set of 5 characters

how do you figure out which of those is the correct one (i.e. fits into the grid?)

baba is you is turing complete

how do you figure out that part with RE

just gave the conditions to z3 and it figured it out

z3 op

literal magic

hahaha cool

I solved all the rev challs I did with z3

which ones did you do

how did you figure out this part like RE wise

dice is you, guess the vuln, procedural, in your eyes

my approach was wabt/wasm2c -> gcc an object file -> decompile

#rev message this is code function from wasm-decompile

again, not the best method but it works for me

anyone solved lost in your eyes?

i see thanks. how did you gcc it after wasm2c. I got a bunch of failed external symbols.

#writeups message

https://klatz.co/ctf-blog/boilerctf-alien-tech

ctrl f gcc

it's pretty messy tho

kind of a pain to read

gcc -c

Dang I tried that

wasm-decompile looks interesting

gonna take a look, thanks [[nope]]

did you guys all just brute it, or did you guys use z3 too?

Was babymix possible with angr

My solve script couldn't find a state that worked

#rev message

i wrote code to brute but runtime was too long

• python to codegen wasm for map state
• refresh page in selenium, fake key presses
• take screenshot

Source for dice-is-you: https://github.com/hgarrereyn/dice-is-you

@soft dune z3 can offer multiple solutions

you had to print out all of them i think there was 2 and it was the 2nd one lol

I set BitVec in z3 to 7bit to just get the ascii one

I don't know how to analyze correctly in wasm file

I found flag_rules in c using wasm2c, but no xref.

so I can't find argv

What is the language implemented in lost in your eyes?

I thought it was something like befunge or piet, but they are both stack based...

it's a custom virtual machine

Ah, that is very cool. Thanks!

does anyone have a writeup for Procedural

.

solved version of procedural

see file above for a solved state

thx

only missing a lambda writeup now, hope one will be released

Lost in your Eyes is a great challenge. Props for designing that one!

guys can someone explain babymix challenge i read writeups but understand nothing. i want to know what is the general idea to solve that challenge. i decompile it and trying to solve it using linear equation solver and bruteforce but it did'nt work but in the writeups they did some scripting and solving it easily but i don't understand any thing any help?

my lost in your eyes solution

https://daydun.com/ctf/dice/vm/

I copied the decompiled conditions from ghidra into a .py file and then used Z3py to find the solution. I made param_1 a list of 23 z3.BitVec(16)s. Then I made a system of equations and added all the previously mentioned conditions. I also added conditions for the inputs to have values < 128 (because they need to be ASCII). Finally, I called the solve function and printed the model, which gave me the flag. The script ran pretty much instantaneously.

That is very cool. Good job!

@oblique zephyr Are you going to do a writeup on the lambda challenge?

Yeah I'll probably release source and a writeup tomorrow or the next day. I want to give teams a chance to do their own first. I think some teams did some interesting stuff with black box analysis

Great, we tried that too by counting the number of taken branches in one of the instruction. But our flag was off be 4 chars

ah yeah, I saw your flag, very close ;p

Props on the code, it's very readable :)

how was I supposed to notice this? legit question

any detailed writeup for dice_is_you? I still have no idea about what is the effective way to reverse wasm

This is the python script I used to solve babymix.

I usually don't reverse wasm because tooling is crap, I instead just use Firefox's debugger and look at code/values dynamically (I did the same in dice_is_you)

@oblique zephyr Ever tried to make a re challenge for your OCRaaP? https://github.com/hgarrereyn/OCRaaP

there were so many locals, whats the workflow?

I thought z3 didnt handle XOR's - TIL

you need bitvec for xor

ints do not handle xor

Yeah, I used 16 bit bitvecs because the regular addition might overflow 8 bits. Increasing the size of the bitvecs should not really be a problem, as you have constraints limiting the input values, so the time it takes z3 to find a solution should not be impacted much.

i used angr for the problem but added some of the constraints by hand

idk why it wasnt finding the right one straight up

And the pro tip: Automate the extraction of the constraints. Took me hours to figure out that i had a typo with t[0x10] and t[10] ...

in this case you had symbols, so you could easily pinpoint interesting functions. then you only looks at the locals which are used, e.g. add function arguments to the watchlist and stop on it a few times to inspect them

how would you do that? sorry if the question is stupid, im still getting into reverse

simplest would just be copy-pasting the disassembly and use some regex to reformat it into something that z3 can work with.

uh aight

Ghidra has a huge API for Scripts, that could probably be used as well.

i'll look into it

+1, this is what I did

@oblique zephyr Hey! In your z3 solution for the level 5 of dice is you, I see you have assigned numeric values to the symbols. How are we supposed to find them (looking at the wasm, I was able to find the ids of the tiled used in the spawn_entity function, but they don't seem to match) ? Are these values arbitrary?

get_code_value has the table

Hmm I had a look at this function but didn't understand what its argument was 😕

it was an entity pointer https://github.com/hgarrereyn/dice-is-you/blob/master/src/rules.c#L151

Oh ok I see and the entity's type is the same as the one passed to spawn_entity

Makes sense

yeah spawn_entity gave you the values.

I should be writing and posting my writeup by end of the night.

https://github.com/IrisSec/irissec.github.io/blob/master/_posts/2021-02-08-diceisyou.md here's my diceisyou writeup, still working on others

That's a good question. I thought the fact that all of the A values were ascending prime numbers might hint a bit. But the alternative was to simply write a solver for all paths and get the solution that way. In retrospect, there were several unintended solutions which I didn't like but I think most teams added the constraint that the final flag should be ascii

Funnily enough, this was actually originally built for a ctf that didn't end up running and then I decided to release it anyways.

nice writeup! you guys solved this crazy fast as well

I thought about it but I didn't really knew how to even approach it. When I noticed I also needed to fill the dots I just gave up given it was well above my "paygrade" as a rev noob

re

My write-up for dice is you, I was lazy and got the blocks values by inserting break points on code: https://thegoonies.github.io/2021/02/08/dicectf-2021-rev-dice-is-you/

Nice write-up

Debugmen's writeup https://debugmen.github.io/ctf-writeup/2021/02/08/diceisyou.html

Still no full writeup for procedural 🥺

https://github.com/IrisSec/irissec.github.io/blob/master/_posts/2021-02-09-procedural.md here's how I did procedural

^

Damn, nice one

oh wow you solved the whole thing without reversing the modular exponentiation part. I didn't think z3 would actually be that good

so I guess this means you can do modular exponentiation with bitvecs if you just unroll the loop... the more you know...

Still no lambda writeup? 😭

https://x0r19x91.gitlab.io/post/ctf/2021/dicectf/lambda/

Oh shweet

Thanks

⚛️

can I not put dicecraft into full screen

for rev/taxes challenge yes or no are the flag ?

I'm not sure if seamless fullscreen works but you can maximize the window

if I maximize the window (at least on windows) it doesn't update the game screen size

can you try manually dragging the window size

fullscreen does not cause the resize event

well I can't because it keeps trying to grab the mouse

press escape

I mean it regrabs the mouse when trying to resize

turns it into tiny window

hmm let me investigate

also dragging the window causes you to fall through the map

yes, unfortunately there are some collision bugs, you can press F to fly to recover if you fall through the ground

@novel lynx I was able to maximize on windows by doing the following:

• launch the game
• press escape to unlock mouse
• double click the top window bar
• click back in the game

can you see if this works?

nah it still looks like this

what version of windows?

Windows 10, version 21H2

this is a windows moment

@novel lynx can you open a ticket

ok

yay

🎲

I'm really curious what it was but I can just decompile and diff 🙂

hey no reverse engineering our proprietary game 😠

oh yeah good point, my bad

Copyright DiceGang LLC. Do not distribute.

do you mean bitwise and 🤣

harry never makes mistakes

🙂

oof, you are right

oh chute I saw this but forgot to say

rip

it's ok

we can make the pdf parsing harder by updating the pdfs to scribble over "logical" and write "bitwise" over it in comic sans

probably would be easiest to print them out and use whiteout

yeah and then scan them

we keep blaming irs boomers

I thought these were written by drs though?

quantum challenge 👀

who can I pm for hyperlink

#create-ticket

is Taxes description just for fun right? XD

there ain't jokes here

The Taxes description is just math right? no need to look up online calculators, right?

Also why is the rev/universal resources in japanese? Do we need to learn japanese to do the challenge?

Because ptr-yudai chose to write up their solution in Japanese

You'll notice that there are in fact two write-ups linked

hey uhh

where's your terms of service?

if you're asking, you're definitely not in accordance...

you know i have the right to sue dicegang LLC in a federal court of diceland

Jokes on you, DiceGang LLC is registered in Wyoming, not Diceland

dammit

well I can still sue for defamation/libel

:notlikeduck:

The truth is the ultimate defense against libel

Purge channel, quick!

https://tenor.com/view/fail-faliure-emoji-discord-flushed-gif-20547117

!bean @fringe portal disrespecting organizer omegalul

✅ hyper#4353 (313105201311645710) was beaned. Reason: disrespecting organizer omegalul

can someone help me get the game running on windows

Sounds like you need to install vc redistributable or something

😭

ah, I had this issue

you'll probably need some vc redistributables

im switching to linux

ffs

and for ucrtbased.dll I had to copy it out of my vs installation

windows is just bad

rebooting

true

i had to install visual studio

I think it's the windows 10 sdk?

unsure

I didn't want to mention it because it wasn't really important

but minimizing the game now crashes it

lmao

looks like harry’s not getting sleep 😔

oh yeah this is the debug version of ucrtbase

might wanna build in release mode

the chal author not you mob

im just on linucks now

probably the better choice

I'm just too lazy to switch oses

all it takes for me is a reboot

thank god

I meant I'm too lazy to reboot lol

taxes is unsolvable

false 🙂

definitely unsolvable

unsolvable as in hard

or unsolvable as in actually broken

see☝️

ono

guess I'll make a ticket

harry is sleeping rn

ono

Lmfao

so

taxes

is hard

very hard

and im starting to think that ive wasted the last hour of my life doing taxes

an hour? try 5 hours

if only there was TurboTax for the DRS

Can we have the Diceland IRS streamline taxes pls?

Please write to your local Diceland representative about your legislative request.