Jump to content
Tuts 4 You

FLARE On Challenge - starts tonight!


Recommended Posts

Take easy KAO.

Your health is more important than a place on a contest.

Get some rest.

;)

@kao: You should take some rest during your period.
Link to post
  • Replies 124
  • Created
  • Last Reply

Top Posters In This Topic

  • kao

    29

  • Extreme Coders

    19

  • noregret

    11

  • atn

    10

Top Posters In This Topic

Popular Posts

After 27 hours of reversing, I've done it again! https://twitter.com/nickharbour/status/626765867519508480 Now I need to get some sleep.

@moderators: sorry, could not find a better place to post it.

Since he's too shy to write a post here - here are AcidShout's solutions: http://acidshout.github.io/

Extreme Coders

The final challenge has been solved after a long period (sorry, no pun intended).


 


The last couple of challenges were more of a guessing game.


Edited by Extreme Coders (see edit history)
  • Like 2
Link to post
Extreme Coders

The biggest possible hint is that @kao solved it under a mere 27 hours.


 


That should give an idea where to look into and where to not waste one's time.


Link to post

Finished the challanges aswell.


 




The biggest possible hint is that @kao solved it under a mere 27 hours.


 


That should give an idea where to look into and where to not waste one's time.




 


i think the last one was kind of anti-cheat, because some calculations there would still take few hours, at least on my computer :)


Link to post

Oooookay, I'm kinda stuck on #10...


(you were right, kao/EC, it's not that much related to reversing lol)


 


I've found the secret message that tells you to try a specific *something*, but when trying that, it passes a pointer to a buffer full of NULLs and it decrypts to garbage.


 


I've also tried sequentially running the decryption functions so the passed buffer is not filled with zeroes, but it still decrypts to garbage.


 


Any pointers? (pun not intended)


Edited by AcidShout (see edit history)
Link to post

@dudewat: I'm pleasantly surprised how many great reversers are here! Congrats! :thumbs:


As for #11: required calculations took just few minutes on my i5-2500K. Maybe I cheated..


 


@AcidShout: You have already solved 95% of it. :) IDA knows everything...


  • Like 1
Link to post

I must be missing something on #c10.  I've got the driver, and know what the ioctls do.  I don't see a secret message tho?  I don't see anything that I havn't reversed?!


 


This one seems a bit silly, or I'm missing something obvious.


Link to post

You are missing something. Recheck last few messages from AcidShout. And if that doesn't help..

There's a hint hidden in ioctl handler 22e0dc. It will tell you where to look for answer.

Link to post

Well, now I'm exactly where AcidShout was.  Hrmmm... :/

double-check and triple-check the spoiler hint @kao gave you.

 

there's a hidden (string) message in it; you just need to "extract" it.

 

 

EDIT: just found the key for #11 (or that's what I think :P)

Let's hope the decryption doesn't take too long...

Edited by AcidShout (see edit history)
Link to post

double-check and triple-check the spoiler hint @kao gave you.

 

there's a hidden (string) message in it; you just need to "extract" it.

 

 

EDIT: just found the key for #11 (or that's what I think :P)

Let's hope the decryption doesn't take too long...

No I had extracted that, I was stuck in the *something*, but I got through that.  It really had nothing to do with reversing tho.

Link to post
Extreme Coders

@some0ne: Actually you never need the hint. I did not find that during my re session.


Just have a look in the data section and use your intuition.  :)


Link to post

Hello guys,


 


Can I get some hints regarding challenge 4?


 


Here is what I have done/found out.


 


The exe crashes by default, so I fixed its PE header.


When executed, it prints "2 + 2 = 5". No idea what that means.


After dynamic/static analysis, it takes an integer arg and gets its MD5 (and compares it to a random decoded b64 string), then it randomly chooses b64 strings and XOR them with each other (16bytes with 24bytes). So i brute forced the b64 strings (using cartesian product) by XORing them with each others. AND... I got nothing..


 


I noticed that numbers from 0x7 to 0x37 are being passed to a location before getting the b64 string then number 5 is replaced with them.. no idea what that does actually.


Any hints?


Link to post

@noregret: Carefully read the email you got from FLARE.



Fix the stuff you broke during unpacking and then get back to analysis.



Link to post

kao,


 


The email? you mean "Always be sure to run the challenge on the command line to confirm that it is actually doing what you think it's doing.? I already do that on all apps anyways.


 


I forgot to mention that I did all the above *after* unpacking. When packed, it printed "2 + 2 = 4" which to me, is the same as "2 + 2 = 5" xD


 


You said something broke after unpacking, and I agree since the file execution changed after it. So I changed all occurances of 5 to 4 just for testing, that also didn't work out.


Link to post

You broke more than just one number during unpacking. :)


 


Don't trust any static UPX unpacker. Instead use the dynamic approach and you should get a properly working unpacked file to analyze.


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...