Third annual Flare-On reverse engineering contest

[kao]

Quote

 

On Sept. 23, 2016, the FireEye Labs Advanced Reverse Engineering (FLARE) team will be hosting its third annual Flare-On reverse engineering contest with a designated start time of 8pm ET. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts and security professionals. The contest will run for six full weeks, ending Nov. 4, 2016, at 8pm ET.

A total of 10 exquisitely crafted challenges stand between you and a famed prize that serves as a badge of honor.

 

Last year was fun!  

 

Source: https://www.fireeye.com/blog/threat-research/2016/09/_announcing_the_thir.html

Challenge site: http://www.flare-on.com/

 

Edited September 14, 2016 by kao
2x broken formatting

[crystalboy]

Can't wait to start!  Never attempt this CTF...

Who knows, maybe someone this year will stole you the first place? XD

 

[kao]

You can try last year's challenges to prepare for this year...  http://flare-on.com/files/2015_FLAREOn_Challenges.zip

 

[Loki]

Last year was good fun - I just wish I had more time to spare to do these things

[kao]

It was fun until Level 7 which is Linux binary. I don't like Linux.

Edited September 24, 2016 by kao

[akkaldama]

Could anyone please point me to how to get the decryption key for challenge 2?

I am new to the cryptography.

 

Regards,

akkaldama

[kao]

It's really not about cryptography. All you need to know about cryptography is that AES is a symmetric algorithm - the same key is used for both encryption and decryption.

You analyze the program, figure out how it generates encryption keys and how it encrypts files. Then somehow make a program that does the opposite and decrypts files instead.

 

[Gyver75]

Or simply patch the file DudeLocker.exe ... in DudeUnlocker.exe  .

[Guest greenbite]

For the 3rd challenge, I have reverse engineered the entire executable including the custom hash back to plain C code, but I still do not get the objective ?? 
Do we need to print the good boy message which depends on the path and the arguments ??

Best regards.

 

[kao]

Yes. Flag is in the arguments.

[Guest greenbite]

Thank you for the help. 
Looks difficult for me as both the argument and path are variable. if find out atleast one of them, the other one could be bruteforced.

[kao]

Without giving any further hints - your statement is wrong. Pay attention to details.

[ktlq1412]

What 's hint lv5 (smokestack) ? :(. I don't think solution to decrypt :'(

[fasya]

 

8 minutes ago, ktlq1412 said:

What 's hint lv5 (smokestack) ? :(. I don't think solution to decrypt :'(

No you don't have to bruteforce anything. Your input is being checked with the valid input but in a twisted way, look closer for it.

 

Any hint for level #8? I have no clue what to do

[ktlq1412]

7 hours ago, fasya said:

 

Edited September 28, 2016 by ktlq1412

[madskillz]

Hi @kao ,

I cannot go past the first one itself. 

Well without disclosing any info's any related RE tut to follow which will help learn to RE challenge1 ?

Regards

[akkaldama]

@madskillz,

It is a very baseic hashing with custom key. 

 

Regards,

akkaldama.

[kao]

@fasya: There are some data in .text segment and plenty of unused imports and stuff in .data segment. I would guess you need to decode that somehow.

EDIT: there are some hint$ in .data segment. (No, I haven't solved it yet. But now I know where to look).

Edited September 29, 2016 by kao

[fasya]

@kao yes I noticed that unused imports and I guess that these will be used by the encrypted code when it gets decrypted.

Any more info about the hints in the .data segment? I cant find anything catchy.

Thanks Kao.

[kao]

@fasya:

Spoiler

$ is the hint. So is the geezers reference.

[ReverseUrApp]

On 9/28/2016 at 3:45 PM, madskillz said:

Hi @kao ,

I cannot go past the first one itself. 

Well without disclosing any info's any related RE tut to follow which will help learn to RE challenge1 ?

Regards

Makes me feel better, I don't even know what it's wanting from me.. Hoping to atleast get through a few of these lol. 

[rektbyflare]

Can someone point me in #3? I reversed it, I re-wrote it in VS just to make sure I understand it at 100%, and I do...

But there is no way to beat the challenge without knowing that one secret word, which I assume you have to guess (because the hint the binary gives you, does not work, in any form whatsoever), and I suck at guessing. I tried all the possible combinations, but nope, nothing.

[Extreme Coders]

@rektbyflare Look at the binary closely  You must be overlooking something.

[ktlq1412]

Has the Lv7  antidebug ?

[kao]

@ktlq1412: why do you think that? I didn't notice any antidebug.