Writeup for Wargames.my 2020

5 min readDec 6, 2020

Category: Cryptography — Long Crypto Guessing

In the question, we are given nc address and the python source code for the server.

Reading through the code, the code give first 3 random number to the user then the user need to enter (guess/predict) the next number(remainder of divide by 10000) that the server generated correctly for 1000 times consecutively.

In PRNG(pseudo random generator) class it generate a random a, b and given p value, also it has state value initialize through object creation. After that function next is to create calculate the next number using the number before. Therefore, the function is a type of linear function. This specific generator are called Linear Congruential Generator(LCG)

In here, the server will generate random number that will become the seeds of the PRNG object, then it will generate next 3 number and print to users Since it is type of linear function.

Therefore seeds is state or first term of the equation, we are gonna call it T:

Then it will generate next 3 term:

In LCG it has 3 integer:

p is given in the source code 11760071327054544317, So we need to find a and b to predict/solve the next number. Since we have 2 equation and 2 unknown a and b, we can solve the equation. Here are detail explaination of finding the missing Multiplier and Increment, also contains different ways to crack LCG. Once we find out the a and b, we can find out next number using script below.

By implement some of his code to find a and b then we write the script to answer 1000 consecutive number correctly until it return a flag.

Category: Mobile — SpeedyQuizy

Given APK file SpeedyQuizy.apk

Using online apk decompiler, we can decompile the file.

Inside source code StartQuiz.java, below some snippet of the code

We know that it used socket to connect to the server, therefore we can just use nc in terminal to the server www2.wargames.my with port 8080. In terminal we nc www2.wargames.my 8080

Typing ok will lead to question

But the question are randomly select from a set of question. Therefore we need to fetch some of the question so we can create script to answer it.

Using script below we can fetch some of the question. Credits to H0j3n

Below is list of some of the question

Script below will automatically answer the question:

Category: Steganography — Nuisance

Given file nuisance.arc

Open file using HxD to look for signature file, Quick Google of .arc file type signature found 41 72 43 01 which is a FreeArc compress file.

Download FreeArc software, In the software we cannot extract the file due to it is corrupted. But the software has the ability to repair the damaged achive.

After repairing and extract, we still cannot open flag.palm file. So, we did a quick google on .palm file and found some information and it says that the file is an image file of Palm OS Bitmap Image that can be open with application ImageDisk. Download ImageDisk and open the file using it:

Category: Miscellaneous — Defuse The Bomb!

Given file bomb.zip. The file is a Zip bomb which contain file that have multiple time been compress. Open it using Winrar

We can see that one of the zip is contains file size and CRC32 that is different, so we just click it to reveal another of the same situation. so we just click all zip file that is different until it reach to flag.txt

The we just extract the flag.txt file, but the file is 2GB. So cannot open with any normal text editor, but HxD can open it, then scroll down to find the flag.