App 17!

by **cyberdrain** on Tue Nov 18, 2014 5:56 pm ([msg=85143]see Re: App 17![/msg])

QtDevl wrote:I'm sorry but unfortunately I don't have the imagination to write a challenge
I'm more intrigued to solve them

Alright then, at least I tried.

by **-Ninjex-** on Wed Nov 19, 2014 1:46 am ([msg=85161]see Re: App 17![/msg])

cyberdrain wrote:QtDevl, if you have the time, could you dev up some binary exploitation missions? Sounds like you know what you're talking about and HTS could use some binary exploitation missions imho.

Can we keep stuff like this in pm?

Is this application working correctly?

Ive used Olly and successfully decipher my username into HTS-serial numbers, I tested the serial on the application 17, it says to enter that password on HTS, when I tried to enter the password on HTS - it says the password is invalid? what is going on??

let me know who to PM with my answer

-- Fri Dec 04, 2015 12:11 pm --

ilanman123 wrote:
QtDevl wrote:
ilanman123 wrote:Hi.
Like a number of people before me, the app says the password is correct but I can't submit it to HTS.
The password I got is HTS-142C-1A2A-2120-0118-0D13

As with programming 9, you must remember the server handles all the binary calculations as 64 bit integers, not 32 bit.
For example, your code is correct for the app, but for the server your code would really be
HTS-142C-1A2A-2120-2705-160E

MODS: if this is a spoiler delete, but since he got a correct code, i presume this is ok.

LATE EDIT:
Since I was asked as to why this happens, I'll explain it here.
The application was compiled for 32 bit, and it uses 32bit integers, which means all bitwise operations are done ON 32 bits( NOTE that compiling for 64 bits does not guarantee 64bit integers or unless you specifically use them ).
As me and mzungudo have found out for programming 9, the server on the other hand is 64 bits, so all integers are 64 bits, which means bitwise operations can AND WILL overflow to 64 bits if necessary.
Now, this wouldn't be a problem normally, but NightQuest ( app17 creator ) made a small mistake.
The app does a LEFT SHIFT x positions ( x position varies, if you've done this you'll know which one it is ), sometimes x can be more than 32, which is a problem as in c a left shift of more than int size ( 32 in this case ) bits IS UNDEFINED BEHAVIOUR.
The server on the other hand has 64 bit integers and can do shifts up to and including 64 bits.
So if you've made a keygen for this and want to submit your code, you should use 64 bit integers and you should be fine, the easiest way would be if you know php to convert your code to php and use a 64 bit server.Obviously the app won't accept the code, but the site will.
Fixing this can be easy or hard depending on which road you take, the app could have some sanity checks so bitwise operations don't overflow, the server could force 32bit integers or cut out extra bits when they overflow.
About 2 years ago me and mzungudo have proposed a fix but apparently it wasn't put online.

Thank you for explaining why this happens. This problem exists for more than 2 years, I wonder why they still haven't fixed it.

I saw this quote.. this made me realize if I wrote the php code and execute the php code on windows 10 64 bit will give me a 64 bit serial as a result instead of 32bit?

by **Leeky** on Tue Apr 18, 2017 5:02 am ([msg=93613]see Re: App 17![/msg])

It's seems like noone posted anything here for a while, so I don't think I will find help but anyways:

I analyzed the whole assembly code and wrote a key-gen for it.
The application says I should test my stuff on the site ,but the site won't accept it.

After reading through this post I saw that the server checks my key with a 64bit generated key,
so I tried to adjust my key-gen and I was able to get the same results as in the post that mentioned it.
But still the site won't accept it.

Edit: Was just too dumb to try to write the non numeric hex characters uppercased

Yea, case sensitivity is pretty big from what I've seen so far.

Nice though, good catch.

Well, I finally decided to take a look at this one.
Quick question for those who love annoying questions from my lazy-ass self: Is this fella completable using (only) gdb?

Erm, already got my answer, thanks

by **tabacci** on Wed Jan 16, 2019 1:22 pm ([msg=97118]see Re: App 17![/msg])

Thank you all for the hints!

After App17 accepted my password but HTS site did not, I followed the adviсe to migrate keygen to php and run on x64 server.

I tested my keygen php on x86 machine and it worked, but on x64 machine php shows
Fatal error: Uncaught ArithmeticError: Bit shift by negative number.

I guess the problem is in "<<" operator that I used.
If my guess is true what would you use instead of "<<" in keygen code?

Is this broken? Ive downloaded the windows version of the application 17 and ran it, Prompts for Username and I enter it, it spits out my password which is usable on the site but no congratulations message.