Tuts 4 You
kao

FLARE On Challenge - starts tonight!


noregret

You mean other operations are broke? Or just some numbers were replaced? Because I replaced all occurrences of 5 (around 52 occurrences). Is there something else? Because without replacing anything, debugging the app is fine, without any issues. I just had to overwrite a register (comparing between random decoded b64 str and the argv[1] md5 hash) in order to continue the flow without exiting.

So I just want to know if I'm going through the right path, since if I am, I didn't find anything in the first place xD


pateohom

You're on the wrong path.  The file you unpacked is not the target you are looking for.  Like @kao said, don't trust static unpackers, they can be tricked.


noregret

Ah, so the whole unpacking was incorrect.

Thanks!

bandit

Any hints for the last one?

I think I got the input value but I'm not able to figure out the shortcut.

Running it with the correct input is also taking a lot of time :(

Thanks!

kao

> Running it with the correct input is also taking a lot of time :(

Yes, that's expected.

Solution is similar to #10 - force something to happen.

AcidShout

> Yes, that's expected.
>
> Solution is similar to #10 - force something to happen.

Is it? For me, the thing that I had to force just took a minute, if not less, and it decrypted properly.

kao

@AcidShout - I assume that by "got the input value" bandit means the correct command line. With just that, the challenge will run for days before producing the correct answer.

bandit

@kao, that's right. I might have the correct cmd line arg.


fc4921

Can anyone give any hints or pointers for #6? ARM is killing me, I thought I had this statically but my script is giving me too many options, I think I am missing something!


kao

@fc4921: hopefully Extreme Coders will answer that. :)

Extreme Coders

@kao: Thanks :)

@fc4921:

You would need to reimplement the whole checking routine in C. This is the easiest.

With Hex Rays at your disposal you can always cheat. ;)

Some other ideas:

1. Rip out the ARM instructions, which does not involve C translation.
but then you would need an ARM device/emulator with an assembler to bruteforce.

2. Use an ARM to LLVM IR converter (something like mcsema but for ARM).
Once you have your IR, you can use an x86 backend to get a native executable, which you are more conversant with.
Alternatively, you can use emscripten for getting a JavaScript output instead, if your javascript-fu is strong.


bandit

@fc4921, I agree with Extreme Coders.

Use Hex Rays: This will help you understand what's happening and you won't have to worry about the platforms.

IMHO, implementing in C is the best way to solve it.

pateohom

Done :)

Did #c11 have some anti-debug that I missed?  If I run my patched version on command line it works, but it fails in IDA.  *boggle*

Extreme Coders

@pateohom: There ain't any anti-debug on #11.

For more hints on these challenges, you can search on Twitter using the AskFlare hashtag.

The challenge organizers have answered questions there.

pateohom

> @pateohom: There ain't any anti-debug on #11.

I didn't think so.  Not sure why it wasn't working in IDA.  Oh well, like I said, it's done anyways. :)

tinasky

Can somebody give me a hint for #10?


I think I looked at this for too long and probably can't see the obvious:


* I am looking at the driver and extracted a hint that indicated that I should try something specific.


* When looking there, after decryption, I only see garbage.


I didn't get the hints given here so far - probably I am missing something obvious.


AcidShout

> Done :)
>
> Did #c11 have some anti-debug that I missed?  If I run my patched version on command line it works, but it fails in IDA.  *boggle*

Why are you asking if you patched it?

For me, it just ran with no problems; no patches needed. I used Olly, but still...

> @pateohom: There ain't any anti-debug on #11.
>
> For more hints on these challenges, you can search on Twitter using the AskFlare hashtag.
>
> The challenge organizers have answered questions there.

They gave you quite a few hints, yeah.

There's even function offsets (!), so it makes it waaaaaay easier :P

> Can somebody give me a hint for #10?
>
> I think I looked at this for too long and probably can't see the obvious:
>
> * I am looking at the driver and extracted a hint that indicated that I should try something specific.
>
> * When looking there, after decryption, I only see garbage.
>
> I didn't get the hints given here so far - probably I am missing something obvious.

There's a few hints on this topic, just go back a few pages and you'll see :P

pateohom

> Why are you asking if you patched it?

Idle curiosity about why it failed, and I haven't had time to go back and debug it?

fc4921

> @kao: Thanks :)
>
> @fc4921:
>
> You would need to reimplement the whole checking routine in C. This is the easiest.
>
> With Hex Rays at your disposal you can always cheat. ;)
>
> Some other ideas:
>
> 1. Rip out the ARM instructions, which does not involve C translation.
> but then you would need an ARM device/emulator with an assembler to bruteforce.
>
> 2. Use an ARM to LLVM IR converter (something like mcsema but for ARM).
> Once you have your IR, you can use an x86 backend to get a native executable, which you are more conversant with.
> Alternatively, you can use emscripten for getting a JavaScript output instead, if your javascript-fu is strong.

Thanks for the tips. LLVM IR - is the most interesting of these to me, I don't know much about it but this could be a good excuse to dive in and learn.

> @fc4921, I agree with Extreme Coders.
>
> Use Hex Rays: This will help you understand what's happening and you won't have to worry about the platforms.
>
> IMHO, implementing in C is the best way to solve it.

No access to Hex Rays for me, I tried Snowman but that was a little confusing. I have a Python implementation but know I am missing something (probably obvious) through not being familiar with ARM.

Thanks all for the hints.

xoreaxeax

Wow, impressive work by all who have completed the challenge.

I'm currently stuck in #5, would anyone spare a hint? I've extracted the base64 encoded string from the packet capture but haven't been able to figure out the key. Looks like each byte of the key is added to an encryption key (14 characters long) which is used by the base64 encoding somehow, which is where I might be actually stuck.

xoreaxeax

Disregard my previous post, just solved it :)


toomanybananas

Does anyone have any hints on the last one regarding the correct command line value? I think I know what crypto the program uses but I still have no idea what to put as the command line argument.

Unless I managed to randomly guess it, which might have happened (one of the functions takes a long time with other keys but takes less than a second with the key I picked for testing).

ultrain

All done, though very late.. according to above~

Away back to work for 3 weeks during the challenge.

This FlareOn2015 looks more like CTF as the official page said..

@toomanybananas

If you haven't found where the value is used, it means you gave the wrong style


lazydaemon

Stuck at #4. Successfully unpacked the file but now I don't know what to do. But I'm still thinking ;-)

Good job Kao btw..

Are you from Germany?


kao

@toomanybananas: there are quite a few hints here and in the Twitter Q&A session that Extreme Coders mentioned earlier.


@lazydaemon: No. But you guessed the continent right. :)

