# Writeup for Wargames.my 2020

# Category: Cryptography — Long Crypto Guessing

In the question, we are given nc `address`

and the `python source code`

for the server.

Reading through the code, the code give **first 3 random number** to the user then the user need to **enter (guess/predict)** the next number(remainder of divide by 10000) that the server generated correctly for **1000 times** consecutively.

In PRNG(pseudo random generator) class it generate a random `a`

, `b`

and given `p`

value, also it has `state`

value initialize through object creation. After that function `next`

is to create calculate the next number using the number before. Therefore, the function is a type of linear function. This specific generator are called Linear Congruential Generator(LCG)

In here, the server will **generate random number** that will become the **seeds** of the PRNG object, then it will generate next **3 number** and print to users Since it is type of linear function.

Therefore **seeds** is `state`

or first term of the equation, we are gonna call it T:

Then it will generate next 3 term:

In LCG it has 3 integer:

`p`

is given in the source code `11760071327054544317`

, So we need to find `a`

and `b`

to predict/solve the next number. Since we have **2 equation** and 2 unknown `a`

and `b`

, we can solve the equation. Here are detail explaination of finding the missing `Multiplier`

and `Increment`

, also contains different ways to crack LCG. Once we find out the `a`

and `b`

, we can find out next number using script below.

By implement some of his code to find `a`

and `b`

then we write the script to answer 1000 consecutive number correctly until it return a flag.

# Category: Mobile — SpeedyQuizy

Given APK file `SpeedyQuizy.apk`

Using online apk decompiler, we can decompile the file.

Inside source code `StartQuiz.java`

, below some snippet of the code

We know that it used `socket`

to connect to the server, therefore we can just use `nc`

in terminal to the server `www2.wargames.my`

with port `8080`

. In terminal we `nc www2.wargames.my 8080`

Typing `ok`

will lead to question

But the question are **randomly** select from a **set of question**. Therefore we need to **fetch** some of the question so we can create script to answer it.

Using script below we can fetch some of the question. Credits to H0j3n

Below is list of some of the question

Script below will automatically answer the question:

# Category: Steganography — Nuisance

Given file `nuisance.arc`

Open file using HxD to look for signature file, Quick Google of `.arc`

file type signature found `41 72 43 01`

which is a **FreeArc** compress file.

Download FreeArc software, In the software we cannot extract the file due to it is **corrupted**. But the software has the ability to **repair** the damaged achive.

After repairing and extract, we still cannot open `flag.palm`

file. So, we did a quick google on `.palm`

file and found some information and it says that the file is an **image** file of `Palm OS Bitmap Image`

that can be open with application **ImageDisk**. Download ImageDisk and open the file using it:

# Category: Miscellaneous — Defuse The Bomb!

Given file `bomb.zip`

. The file is a Zip bomb which contain file that have multiple time been compress. Open it using `Winrar`

We can see that **one** of the zip is contains file `size`

and `CRC32`

that is different, so we just click it to reveal another of the same situation. so we just click all zip file that is different until it reach to flag.txt

The we just extract the `flag.txt`

file, but the file is `2GB`

. So cannot open with any normal text editor, but HxD can open it, then scroll down to find the flag.

# Scoreboard

Thank you, Wargames.my for the competition & the questions and thank you my team H0j3n.