Tuts 4 You

FLARE On Challenge - starts tonight!

You mean other operations are broken? Or just some numbers were replaced? Because I replaced all occurrences of 5 (around 52 occurrences). Is there something else? Because without replacing anything, debugging the app is fine, without any issues. I just had to overwrite a register (comparing between a random decoded b64 str and the argv[1] md5 hash) in order to continue the flow without exiting.

So I just want to know if I'm going through the right path, since if I am, I didn't find anything in the first place xD



Popular Posts

After 27 hours of reversing, I've done it again! https://twitter.com/nickharbour/status/626765867519508480 Now I need to get some sleep.

@moderators: sorry, could not find a better place to post it.

Since he's too shy to write a post here - here are AcidShout's solutions: http://acidshout.github.io/

You're on the wrong path.  The file you unpacked is not the target you are looking for.  Like @kao said, don't trust static unpackers, they can be tricked.



Any hints for the last one?

I think I got the input value but I'm not able to figure out the shortcut.

Running it with the correct input is also taking a lot of time :(

Thanks!


Running it with the correct input is also taking a lot of time :(

Yes, that's expected.

Solution is similar to #10 - force something to happen.


Yes, that's expected.

Solution is similar to #10 - force something to happen.

Is it? For me, the thing that I had to force just took a minute, if not less, and it decrypted properly.


@AcidShout - I assume that by "got the input value" bandit means the correct command line. With just that, the challenge will run for days before producing the correct answer.


Can anyone give any hints or pointers for #6? ARM is killing me. I thought I had this statically, but my script is giving me too many options; I think I am missing something!


Extreme Coders

@kao: Thanks :)

@fc4921:

You would need to re-implement the whole checking routine in C. This is the easiest.

With Hex Rays at your disposal you can always cheat. ;)

Some other ideas:

1. Rip out the ARM instructions, which does not involve C translation.

But then you would need an ARM device/emulator with an assembler to bruteforce.

2. Use an ARM to LLVM IR converter (something like mcsema but for ARM).

Once you have your IR, you can use an x86 backend to get a native executable, which you are more conversant with.

Alternatively, you can use emscripten for getting a JavaScript output instead, if your JavaScript-fu is strong.



@fc492, I agree with Extreme Coders.

Use Hex Rays: this will help you understand what's happening and you won't have to worry about the platforms.

imho, implementing in C is the best way to solve it.


Done :)

Did #c11 have some anti-debug that I missed? If I run my patched version on command line it works, but it fails in IDA. *boggle*


Extreme Coders

@pateohom: There ain't any anti-debug on #11.

For more hints on these challenges, you can search on Twitter using the AskFlare hashtag.

The challenge organizers have answered questions there.


 



@pateohom: There ain't any anti-debug on #11.

I didn't think so. Not sure why it wasn't working in IDA. Oh well, like I said, it's done anyway. :)


Can somebody give me a hint for #10?

I think I looked at this for too long and probably can't see the obvious:

* I am looking at the driver and extracted a hint that indicated that I should try something specific.

* When looking there, after decryption, I only see garbage.

I didn't get the hints given here so far - probably I am missing something obvious.



Done :)

 

Did #c11 have some anti-debug that I missed?  If I run my patched version on command line it works, but it fails in IDA.  *boggle*

Why are you asking if you patched it?

 

For me, it just ran with no problems; no patches needed. I used Olly, but still...

 

@pateohom: There ain't any anti-debug on #11.

 

For more hints on these challenges, you can search on Twitter using the AskFlare hashtag.

The challenge organizers have answered questions there.

They gave you quite a few hints, yeah.

There's even function offsets (!), so it makes it waaaaaay easier :P

 

Can somebody give me a hint for #10?

I think I looked at this for too long and probably can't see the obvious:

* I am looking at the driver and extracted a hint that indicated that I should try something specific.

* When looking there, after decryption, I only see garbage.

I didn't get the hints given here so far - probably I am missing something obvious.

There's a few hints on this topic, just go back a few pages and you'll see :P


@kao: Thanks :)

@fc4921:

You would need to re-implement the whole checking routine in C. This is the easiest.

With Hex Rays at your disposal you can always cheat. ;)

Some other ideas:

1. Rip out the ARM instructions, which does not involve C translation.

But then you would need an ARM device/emulator with an assembler to bruteforce.

2. Use an ARM to LLVM IR converter (something like mcsema but for ARM).

Once you have your IR, you can use an x86 backend to get a native executable, which you are more conversant with.

Alternatively, you can use emscripten for getting a JavaScript output instead, if your JavaScript-fu is strong.

Thanks for the tips. LLVM IR is the most interesting of these to me; I don't know much about it, but this could be a good excuse to dive in and learn.

@fc492, I agree with Extreme Coders.

Use Hex Rays: this will help you understand what's happening and you won't have to worry about the platforms.

imho, implementing in C is the best way to solve it.

No access to Hex Rays for me. I tried Snowman but that was a little confusing. I have a Python implementation but know I am missing something (probably obvious) through not being familiar with ARM.

Thanks all for the hints.


Wow, impressive work by all who have completed the challenge.

I'm currently stuck in #5, would anyone spare a hint? I've extracted the base64 encoded string from the packet capture but haven't been able to figure out the key. Looks like each byte of the key is added to an encryption key (14 characters long) which is used by the base64 encoding somehow, which is where I might be actually stuck.


toomanybananas

Does anyone have any hints on the last one regarding the correct command line value? I think I know what crypto the program uses but I still have no idea what to put as the command line argument.

Unless I managed to randomly guess it, which might have happened (one of the functions takes a long time with other keys but takes less than a second with the key I picked for testing).



All done, though very late.. according to above~

Away back to work for 3 weeks during the challenge.

This FlareOn2015 looks more like a CTF, as the official page said..

@toomanybananas

If you haven't found where the value is used, it means you gave the wrong style.



Stuck at #4. Successfully unpacked the file but now I don't know what to do. But I'm still thinking ;-)

Good job, kao btw..

Are you from Germany?



@toomanybananas: there are quite a few hints here and in the Twitter Q&A session that Extreme Coders mentioned earlier.

@lazydaemon: No. But you guessed the continent right. :)

