Jump to content

Third annual Flare-On reverse engineering contest


kao

Recommended Posts

ReverseUrApp
7 hours ago, kao said:

Most likely you overlooked one byte somewhere.. :)

 

Koa, how many hours should the first challenge take, An is there something similar with a write up to follow? I aspire to be as good as you guys one day. It's rather disappointing that I can't get past the first one. I see the function that's taking user input to create the hash, then compare to stored has. But I can't see a easy way to reverse the hash generation to find the original value of the stored key. 

Link to comment

* for the best guys it took 5-10 minutes. But don't be discouraged if it takes much longer for you-this challenge is hard from the very beginning.

* that's not hash, that's a well-known encoding method (but uses custom alphabet). Once you figure out what method it is, you'll be able to make your own decoder.

how many characters this alphabet has?

Link to comment
ReverseUrApp
19 minutes ago, kao said:

* for the best guys it took 5-10 minutes. But don't be discouraged if it takes much longer for you-this challenge is hard from the very beginning.

* that's not hash, that's a well-known encoding method (but uses custom alphabet). Once you figure out what method it is, you'll be able to make your own decoder.

 

  Hide contents

how many characters this alphabet has?

 

I don't have enough experience with this. My method involved trying hash identifiers, decoding with base64, Nothing seemed to work. Now I have a new tool in the shed for the future. On to challenge 2. 

Thanks, being self employed 8 years now. You'd think I'd of get into RE years ago, having software leaked is never fun lol.

Link to comment

Hello guys.Can anybody help me with the decision of the 3rd assignment. I rewrote the job C and checked for correctness. I tried to pick an argument symbols are checked in the latter part of the algorithm. I'm having trouble understanding how to reverse the generation algorithm "checklist" to find out which way up the program to create. Since it is necessary to know the length of the argument with which to run the program, I expect that this length 26. (According to the number of constants stored in the program). Please give me a hint if possible. Thank you.

Spoiler

 

Link to comment

The brute charset consists of printable ASCII chars. But that's the smallest of your problems. :)See Extreme Coders comment:

You need to figure out correct path first
  • Like 1
Link to comment
5 hours ago, Eskalina said:

Hello guys.Can anybody help me with the decision of the 3rd assignment. I rewrote the job C and checked for correctness. I tried to pick an argument symbols are checked in the latter part of the algorithm. I'm having trouble understanding how to reverse the generation algorithm "checklist" to find out which way up the program to create. Since it is necessary to know the length of the argument with which to run the program, I expect that this length 26. (According to the number of constants stored in the program). Please give me a hint if possible. Thank you.

  Reveal hidden contents

 

Small unrelated hint: why don't you make a DLL, then load it into the process, and use its functions, instead of rewriting all the algorithms inside your code?
In fact, there are many ways of calling a binary's functions in order to avoid having to rewrite them yourself. Here are a few off the top of my head:

Spoiler

// Definition
auto imp_md5 = (void(__cdecl*)(void*, void*, size_t)) 0x402D10;
auto imp_RC4_Init = (void*(__fastcall*)(void*, void*, void*, int)) 0x401120;
auto imp_RC4_Crypt = (void*(__thiscall*)(void* state, void* data, size_t len)) 0x401230;

// Usage
imp_md5(md5_hash, rc4_key, 16);
imp_RC4_Init(state, rc4_key, rc4_key, 16);
imp_RC4_Crypt(state, hashTable, 104);
Spoiler

// IDA has to know everything about the function(s) before you call it(them)
.text:00402D10                             ; int __cdecl md5(void *, void *, size_t)
.text:00402D10                             md5             proc near
  
KernelBase.dll:74B0F002 ; int __stdcall kernelbase_VirtualAlloc(int a1, int a2, int a3, int a4)
KernelBase.dll:74B0F002 kernelbase_VirtualAlloc proc near       ; DATA XREF: kernel32.dll:off_76130908o

// Usage (Python)
Python>mem = Appcall.kernelbase_VirtualAlloc(0, 16, 0x3000, 64)
Python>hex(mem)
0x1c0000L
Python>hex(Appcall.md5(mem, 0x402B3C, 16))
0x1c0000L

// Memory contents
DE 62 47 24
9F 23 88 F4
F4 C0 A0 41
96 6F 95 72

 

Apart from this, you can always try debugging the program, running the call, adjusting the stack and the arguments, and changing EIP (but this usually doesn't work / is too complex for what it does). Tricks like these greatly speed you up, and allow you to focus on the challenge instead of on the implementation details.

Also, does anybody else find this year's challenges excessively guessing-based? I thought it was a reversing challenge, not a guessing game. It's annoying because I was expecting a good set of reversing challenges but instead I got to write brute forcers.

  • Like 2
Link to comment
1 hour ago, hyper-v said:

Also, does anybody else find this year's challenges excessively guessing-based?

Lol, you should have tried last year, it was even worse! :D Unfortunately that's kinda trademark of FLARE.. :(

 

Link to comment

Hi Hyper-v, which version of IDA do you have? i do this question to y because my IDA doesn't recognize the name of those functions. Probably y have a better FLIRT signature than mine.:D

And of course agree width y about the general approach vs this challenge, coz this challenge is 'special'. As Kao and Extreme Coder said, there 's some 'extra' info inside the binary. Bye bye

 

  • Like 1
Link to comment

@kao @hyper-v @Gyver75 I solved this task, thank you. Many thanks. I understand why this "special" task, I've seen it many times but did not pay attention. I'm really grateful to you, you're cool. I love you guys:wub:

Link to comment
6 hours ago, Gyver75 said:

Hi Hyper-v, which version of IDA do you have? i do this question to y because my IDA doesn't recognize the name of those functions. Probably y have a better FLIRT signature than mine.:D

And of course agree width y about the general approach vs this challenge, coz this challenge is 'special'. As Kao and Extreme Coder said, there 's some 'extra' info inside the binary. Bye bye

 

It wasn't my IDA what recognized the functions, it was me, I named them. (MD5 and RC4; for the kernelbase functions there's another thing you can do, but I'm not sure if you were referring to this, I could explain it if you want)

Apart from that, you have to specify the type: put the cursor on the name and press Y, then put the type, like:

int __cdecl some_func(int arg1, int arg2, char* arg3)

(else IDA will not know *how* to call the function from Appcall)

Also, I didn't use signatures or anything like that, I just saw the big function with lots of constants and ROL4 so I assumed it was MD5 (I might be wrong, but it doesn't matter, the idea is that it is a hash function). Over time you get used to this and recognize most popular hashes / snippets by just looking at them.

Edited by hyper-v
Link to comment

#7 is frustrating. The logic is straight forward, I see the final set of data, and the lookup, but not how to solve without an impossible brute force.

Link to comment
Extreme Coders

Yes, it is only solvable by brute force. To make it feasible you would need to predict some pieces of data.
There's a hint hidden in plain sight which should help you in guessing.

I am on the final challenge and it looks like a real deal breaker.

 

Link to comment
2 hours ago, kao said:

@Rurik - it just looks impossible, it ain't. As I said earlier:

@Extreme Coders: same here. I'm not into digital dumpster-diving, so I take no pleasure in digging through 20MB PCAP.. ;)

 

I can't wait for all the writeups and the opinions/criticism on how is this even remotely RE related. It's not even funny.

Link to comment

@Extreme Coders @kao, thanks. After half a day of brute forcing the answer came out.

Working from the back forward, you really only have to brute three blocks. I'd agree that the hint is in plain sight, but you wouldn't know it was a hint until you were done. At the very least, a good one to practice patching bytes.

Link to comment
Extreme Coders

@Rurik Definitely so. May be I was lucky and used the so called hint to make educated guesses, the answer came out in minutes instead of hours.

For #10, I am stuck on the first part where you would need to get the key to decrypt the embedded swf. A bruteforce seems infeasible, and the shuffling in the keystream generator makes it difficult to invert.

Edited by Extreme Coders
  • Like 1
Link to comment
4 hours ago, Extreme Coders said:

@Rurik Definitely so. May be I was lucky and used the so called hint to make educated guesses, the answer came out in minutes instead of hours.

For #10, I am stuck on the first part where you would need to get the key to decrypt the embedded swf. A bruteforce seems infeasible, and the shuffling in the keystream generator makes it difficult to invert.

Same here, going the obfuscated javascript way after some layers seems to also need bruteforcing and is not feasible, so really stuck too.

Link to comment
8 hours ago, Extreme Coders said:

@Rurik Definitely so. May be I was lucky and used the so called hint to make educated guesses, the answer came out in minutes instead of hours.

For #10, I am stuck on the first part where you would need to get the key to decrypt the embedded swf. A bruteforce seems infeasible, and the shuffling in the keystream generator makes it difficult to invert.

You don't need to bruteforce the first key for the SWF, you have to get it from the obfuscated javascript.

 

4 hours ago, Holy said:

Same here, going the obfuscated javascript way after some layers seems to also need bruteforcing and is not feasible, so really stuck too.

It can be bruteforced but will take couple of hours to be done.

  • Like 2
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...