
Third annual Flare-On reverse engineering contest



@Levis: is it a nightmare because it's tedious, or because it's non-obvious, and requires loads of guessing / trial & error?

any parting advice you can give to someone who's just started on #10?


Link to comment

@kao: Hello and thanks for cheering me. Actually because I saw in the last year you're the winner, I admire you so much and that moment, it became my inspiration to keep learning, try hard and never give up for a whole year, stepping up and down, trying and failing many times. Thank you again :D

@evandrix and whoever is stuck with #10: All I can say is it requires knowledge about cryptography (I have no idea about this subject, and I have been reading a lot of documents during that time in order to pass the challenge). The code is highly obfuscated, so you must take care on every step, otherwise you will miss something. F12 -> Sources in Chrome or IE would help.


Edited by Levis
Link to comment
17 minutes ago, evandrix said:

for #9, without revealing more details than necessary, why is `share6` a file? I'm expecting a 64 hex char string...

Have you tried opening it?

Link to comment
Just now, evandrix said:

yes, it's a 5008 byte file of unintelligible data...

Check the decryption key; it must be using the wrong one. A good decrypted file is a picture.

Link to comment

#10: I see a huge mess of typical web surfing traffic files.

Is there some clue / hint on how / where to start looking for the rumored .js & .swf's previously mentioned in this forum discussion thread?

Is decrypting SSL traffic in Wireshark necessary?

Link to comment

#10: I found an MD5 hash from the swf, and values from the pcap to fill my js req/resp params, but one of the params in the js is missing - is bruteforce necessary then to find this param?

Am I still on track?

Is the MD5 hash in the swf the MD5 hash of the flag?

Link to comment
#10: Does this level also involve bruteforcing? Looks rather intractable...
How is the (key for swf) related to (decrypted payload in js - assuming I have found the right decryption key) - assuming they are related?
Is the final flag (the one ending in @flare-on.com) obtained by putting both together or something? Or is one a clue for the other?
Edited by evandrix
Link to comment

In this challenge, bruteforcing is not necessary, just follow the network traffic. Whatever is pulled from the server first, you should deal with first.

Link to comment
On 9/29/2016 at 6:01 PM, kao said:



$ is the hint. So is the geezers reference.

Hi, I'm new to this forum, and can't seem to figure out the decoding scheme to use on the data in .text. Tried to copy the decoding scheme used on the fake input checks (to get: this is the wrong password).

Maybe I'm missing something more in the .data segment?

Link to comment
On 10/17/2016 at 3:37 PM, kao said:



The answer is not in .text or .data segment$.
Look at other place$.


@evandrix: please, don't ruin the fun for others - hide the spoilers and don't ask for straight answers. :) 


I can't delete my posts...

Link to comment


Regarding #9 (GUI.EXE). This is probably really lame, but here goes:

I am using dnSpy and after decrypting layer1 I am able to place a breakpoint on the Layer1.Main() (after it is loaded up). Then I can meet the requirements to get another key and decrypt layer2.

But then I place breakpoints all over Layer2 (including Main()), but they never hit. What am I missing here? The method.Invoke seems the same.

Link to comment
12 hours ago, msr said:

I place breakpoints all over Layer2 (including Main()), but they never hit

I had a similar problem and it seems to me that dnSpy is unable to link dumped Layer2 assembly (where you set breakpoints) with the dynamically loaded assembly. I worked around it by unpacking each layer, saving as a new exe file, and then running this new exe under dnSpy. 

Link to comment

#Challenge3 - Unknown, 




I know that the software performs some actions on the command line arguments, but I cannot really follow what it is doing.
I think the calculations are associated with these strings:
"RSDS", "yOU MAKE GOOD Arguhments !", and of course the string found in argv[1].
And I saw a string named "MD5", so there is probably use of MD5, but I have not seen references to it in the imports (nor by dynamic loading with LoadLibrary & GetProcAddress).

Any tips?



Link to comment

@0ne you need to look harder, because the values you wrote aren't correct. Also, as I (think I) described some posts back, the binary has a custom MD5 implementation. But you don't really need that. You just have to know it's hashing some data and outputting a (one-way) 16 byte buffer.

Link to comment
Extreme Coders

Finally completed all challenges.
The last one was particularly demoralising and it took a lot of time to get through. A quantum computer should speed up things though ;)


Link to comment

Did anyone else have a hard time setting breakpoints for #9 layer1? I'm thinking dnSpy is struggling bc it failed to decompile it, got this error: icsharpcode.decompiler exception null value


Link to comment
On 10/22/2016 at 0:27 PM, quend said:

Did anyone else have a hard time setting breakpoints for #9 layer1? I'm thinking dnSpy is struggling bc it failed to decompile it, got this error: icsharpcode.decompiler exception null value


Once the assembly is loaded, you can set breakpoints on the "helper" class and its first few methods. If you step into (F11) the second method it will dynamically decompile the main program logic and you will be able to debug there (at least that was my experience with this particular binary). 

Link to comment
