TinyBeacon enables an easy setup of VHF and UHF beacons, through a simple and compact design, using a credit card-size PCB, at a low cost, and with easy installation close to the antenna. The PLL system is disciplined by GPS, allowing digital modes like WSPR and PI4, which require good clock stability and time synchronization. The system integrates a DC-DC regulator that accepts flexible power between 10 and 15 volts, with a common QRP output power of 5W. The reference design is provided for 50, 144, 220 and 432 MHz, but the circuit could be adapted to other bands.
My last paper presents designs and calculations for a set of slot antennas centered on the amateur microwave bands. Special attention has been given to ease of construction, using simple supply materials available in standard sizes in the construction industry. Also, the traditional calculation formulas, which are only valid with a perfect waveguide, have been extended using iterative simulation and optimization to apply to common materials, while maintaining good performance.
The second challenge for the ebCTF teaser was very easy too, and solved by a very large number of participants. For this crypto challenge named CRY100, the Zip file provided was self-contained and it can be started offline (available here ).
After unpacking, the README file drop a password, useful to decrypt the first encrypted message, but not the second. So, we have to decrypt this second message without additional help, but the answer is not very far :) Indeed, watching the code gives interesting details, and the most important one should be about the ciphering function, where a XOR is simply used. Another interesting point was about the input key, hashed many time before to be used on the XOR function.
The context given with the previous decrypted message illustrate a perfect case of plaintext attack : With the previous decrypted message, we can bet than the second ciphered message have the same header. Since the ciphering function was a simple XOR, we only have to take the first bloc of the ciphered text and XOR it with the clear text bloc to get the key. Of course, it’s not the original text key, but the computed key. For sure we cannot deduce easily the initial text key (hash = one way-function), but we don’t need to know this key, deciphering the second message is good enough :)
Well, adding only 2 lines of code allows to retrieve the computed key and get the content of the ciphered message.
In the application code:
And finally, the result:
Thanks again Eindbazen!
Last week-end, I played some hours to the ebCTF teaser. The first challenges (100 points) were very easy, but funny in the same time. BIN100 was a console application for Windows, containing a tiny dice game. The goal was to get the right sequence of dices to win the game. I’m pretty sure that it was possible to beat the game in different ways, but I choose an easy one, using IDA to understand the internals and force the destiny :)
Playing the game in a usual way shows some interesting strings, for example : “You rolled a three! Good!”, and I simply chose to search “Good” in IDA to locate some interesting blocs of code.
The first hit was without appeal and you can see on the screenshot below the conditional jump before the printed result. So, I nopped all the five calls to complete the sequence, directly on the binary file. By chance, there is no internal check (ex. hash check on the code) and the program gave me the flag without any more question.
The funny joke appear during the last dice roll, the next screenshot speaks for itself :)
The last PlaidCTF was full of very interesting challenges. Giga was one of them in the crypto thread. The source code of the application was provided and it reveal an RSA cryptosystem. Each time you connect the server, it generate a new key and encrypt the flag with it, after you can send any strings and get the encrypted result.
A quick look into the code shows extra effort on the random function, to insert a vulnerability. The quality of the generated random is degraded and partially reused beetween sessions. So, we can guess a faulty key generation, and a possible attack is about common factor. A good reading is available here.
The source code provided is self-contained and I started to debug my attack locally, simulating the same conditions :
In a second time, the code was adapted to connect the real server :
And finally, the original source code of the challenge (available on other place, but given here to be self-contained)
I decided to replace my old website by this new blog, focuses on CTF security challenges. No rocket science here, only my tiny experiments and some lines of code. Feel free to send me an email if you have questions or if you want exchange on some ctf problems. Thank you for your visit and good reading.