
Hi Folks, doing the flareon CTF first time and am stuck at challenge 5. I see a lot of calls, especially the first one, which sets up something like a jump table of function ptrs. My input string is fed into these and finally, before the printf call, 4 parameters are passed into the function sub_401880. Only the input buffer argument is in my control and it contains some kind of hash of my original input. I can't understand what kind of hash is generated and tracing through sub_401880 is not helping me. I come to understand the functions in the jump table are important for my input string. Should I focus too much on the function call before the final printf? Would studying the jump table be enough? Could you please share some hints or clues that will help me progress?

 


Most Popular Posts

  • You can try last year's challenges to prepare for this year...  http://flare-on.com/files/2015_FLAREOn_Challenges.zip  

  • Small unrelated hint: why don't you make a DLL, then load it into the process, and use its functions, instead of rewriting all the algorithms inside your code? In fact, there are many ways of callin

  • You don't need to bruteforce the first key for the SWF, you have to get it from the obfuscated javascript.   It can be bruteforced but will take couple of hours to be done.

  • Author

@scorpion77: sub_402EE0 and sub_401880 are certain industry-standard hash & encryption algorithms. ;) Don't try to attack those and focus on other parts.

For the secureswf in #10, do I need to find the x and y? I tried debugging the swf with JPEXS, but it crashes every time. I find it hard to understand what's going on in an obfuscated code without a debugger.

3 minutes ago, msr said:

For the secureswf in #10, do I need to find the x and y? I tried debugging the swf with JPEXS, but it crashes every time. I find it hard to understand what's going on in an obfuscated code without a debugger.

Did you get past the obfuscated JavaScript without bruteforcing? I don't see any other way to get past it.
 

Spoiler

I also tried to reduce the bruteforcing range without success. Is this the right way to go or should I look for a hint somewhere else in the PCAP?

 

@msr You would need to find x and y. JPEXS can debug the p-code but it isn't needed. Look in the options, it can deobfuscate.

@Mr. J Bruteforcing is not an option. The algorithm implemented is a rip-off from some popular exploit kit; with a little bit of search you should be able to find it.

I love how I could solve chal #9 with grep - I only wish I had thought of it earlier.

For those struggling with .NET debuggers: remember that IL code gets JIT'd into native code, which you can (in my experience) debug in a quite straightforward way with a normal (read: no VM mumbo jumbo) debugger.

WinDbg and !name2ee are your best friends.

agree on the windbg point there : D

And just when I thought I was done with #10 ...

I don't see how to recover x and y for level 10? Should I be looking in the pcap? Or is it more of a brute forcing problem?

Never mind, I figured it out... not a very impressive ending to the chal

  • Author

Still can't figure out x and y in #10... Does it have something to do with the picture? :unsure: 

Any hints?

@kao Hint: reuse of same RC4 key to encrypt multiple files. You have got plaintext, corresponding ciphertext and another piece of ciphertext encrypted with the same key.
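
The relationship behind the RC4 hint above, as an added example that is not part of the original post or of the challenge: when one key encrypts two files, a known plaintext/ciphertext pair yields the keystream, which decrypts the other ciphertext without the key. The key and both file contents are constructed sample data, and the function names are this example's own.

```python
# Added illustration: RC4 keystream reuse with one known plaintext/ciphertext pair.
# The key and both "files" below are constructed sample data, not challenge material.

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream (key scheduling, then output generation)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: RC4 is a plain XOR of the data with the keystream."""
    return xor(data, rc4_keystream(key, len(data)))

def recover_without_key(known_plain: bytes, known_cipher: bytes,
                        other_cipher: bytes) -> bytes:
    """P1 ^ C1 gives the keystream prefix; XOR it onto C2 to obtain P2.
    Only as many bytes as the known plaintext covers can be recovered."""
    keystream_prefix = xor(known_plain, known_cipher)
    return xor(other_cipher, keystream_prefix)

KEY = b"constructed-demo-key"          # hypothetical key, reused for both files
FILE_A = b"publicly known file contents"
FILE_B = b"second file: longer than the known one, so its tail stays hidden"

CIPHER_A = rc4(KEY, FILE_A)
CIPHER_B = rc4(KEY, FILE_B)
RECOVERED = recover_without_key(FILE_A, CIPHER_A, CIPHER_B)

if __name__ == "__main__":
    print(RECOVERED)                   # prefix of FILE_B, obtained without KEY
    print(len(RECOVERED), "of", len(FILE_B), "bytes recovered")
```

The recovered length is bounded by the known plaintext, which is why a stream cipher needs a fresh key or nonce for every message it protects.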

Anyone can upload the challenges somewhere; thx.

22 hours ago, Hypnz said:

Anyone can upload the challenges somewhere; thx.

Flare team has published all binaries: http://flare-on.com/files/Flare-On3_Challenges.zip (pwd: flare)

Regards

Thanks a lot my friend.

  • The title was changed to Flare-On 3
