Third annual Flare-On reverse engineering contest

[kao]

@Levis: hey, long time no see!  Congrats on finishing the challenge!

 

[evandrix]

@Levis: is it a nightmare because it's tedious, or because it's non-obvious, and requires loads of guessing / trial & error?

any parting advice you can give to someone who's just started on #10?

thanks

[Levis]

@kao: Hello and thanks for cheering me. Actually because I saw in the last year you're the winner, I admire you so much and that moment, it became my inspiration to keep learning, try hard and never give up for whole a year, steping up and down, try and fail many times. Thank you again

@evandrix and whoever stuck with #10: All i can say is it requires knowledge about cryptography (i have no idea about this subject, and i have been keeping reading a lot of documents during that time in order to pass the challenge). The code highy obfuscated so must take care on every step, otherwise you will miss something. F12 -> Sources in Chrome or IE would help.

Regards

Edited October 13, 2016 by Levis

[evandrix]

for #9, without revealing more details than necessary, why is `share6` a file? I'm expecting a 64 hex char string...

[Holy]

17 minutes ago, evandrix said:

for #9, without revealing more details than necessary, why is `share6` a file? I'm expecting a 64 hex char string...

Have you tried opening it?

[evandrix]

3 minutes ago, Holy said:

Have you tried opening it?

yes, it's a 5008 byte file of unintelligible data...

[Holy]

Just now, evandrix said:

yes, it's a 5008 byte file of unintelligible data...

Check for decryption key it must be using the wrong one, good decrypted file is a picture.

[evandrix]

3 minutes ago, Holy said:

Check for decryption key it must be using the wrong one, good decrypted file is a picture.

oh, i see. okie

[evandrix]

#10: i see a huge mess of typical web surfing traffic files.

is there some clue / hint on how / where to start looking for the rumored .js & .swf's previously mentioned in this forum discussion thread ?

is decrypting ssl traffic in wireshark necessary ?

[evandrix]

nvm, i_knew_you_were_trouble

[evandrix]

#10: I found an md5 hash from the swf, and values from the pcap to fill my js req/resp params, but one of the params in the js is missing - is bruteforce necessary then to find this param?

Am I still on track?

is the md5 hash in the swf the md5 hash of the flag?

[evandrix]

#10: does this level also involve bruteforcing? looks rather intractable...

 

how is the (key for swf) related to (decrypted payload in js - assuming i have found the right decryption key)  - assuming they are related?

is the final flag (the one ending in @flare-on.com) obtained by putting both together or something? or one is a clue for the other?

Edited October 15, 2016 by evandrix

[Levis]

In this challenge, bruteforcing is not necessary, just follow the network traffic. Which is the first pulled from server, you should deal with it the first

[quend]

On 9/29/2016 at 6:01 PM, kao said:

@fasya:

  Hide contents

$ is the hint. So is the geezers reference.

Hi, I'm new to this forum, and can't seem to figure out the decoding scheme to use on the data in .text. Tried to copy the decoding scheme used on the fake input checks

Spoiler

(to get:  this is the wrong password).

Maybe I'm missing something more in the .data segment?

[kao]

@quend: 

Spoiler

The answer is not in .text or .data segment$.
Look at other place$.

 

@evandrix: please, don't ruin the fun for others - hide the spoilers and don't ask for straight answers.  

 

[evandrix]

<redacted>

Edited October 18, 2016 by evandrix

[evandrix]

On 10/17/2016 at 3:37 PM, kao said:

@quend: 

  Reveal hidden contents

The answer is not in .text or .data segment$.
Look at other place$.

 

@evandrix: please, don't ruin the fun for others - hide the spoilers and don't ask for straight answers.  

 

i can't delete my posts...

[msr]

Hi,

regarding #9 (GUI.EXE). This is probably really lame, but here goes:

I am using dnSpy and after decrypting layer1 I am able to place a breakpoint on the Layer1.Main() (after it is loaded up). Then I can meet the requirements to get another key and decrypt layer2.

But then I place breakpoints all over Layer2 (including Main()), but they never hit. What am I missing here? The method.Invoke seems the same.

[kao]

12 hours ago, msr said:

I place breakpoints all over Layer2 (including Main()), but they never hit

I had a similar problem and it seems to me that dnSpy is unable to link dumped Layer2 assembly (where you set breakpoints) with the dynamically loaded assembly. I worked around it by unpacking each layer, saving as a new exe file, and then running this new exe under dnSpy. 

[0ne]

#Challenge3 - Unknown, 

 

Spoiler

 

I know that the software makes some actions on the command line arguments, but I can not really follow what it is doing.
I think the calculations associated with these strings:
"RSDS", "yOU MAKE GOOD Arguhments !", and of course the string found in argv [1]
And I saw a string named "MD5" probably there use of MD5, but I have not seen references to it in the Import (neither by dynamic loading with LoadLibrary & GetProcAddress.

Any tips?

 

 

[hyper-v]

@0ne you need to loop harder, because the values you wrote aren't correct. Also, as I (think) I described some posts behind, the binary has a custom MD5 implementation. But you don't really need that. You just have to know it's hashing some data and outputting a (one-way) 16 byte buffer.

[Extreme Coders]

Finally completed all challenges.
The last one was particularly demoralising and it took a lot of time to get through. A  quantum computer should speed up things though  

 

[quend]

Did anyone else have a hard time setting breakpoints for #9 layer1? I'm thinking dnSpy is struggling bc it failed to decompile it, got this error: icsharpcode.decompiler exception null value

 

[msr]

On 10/22/2016 at 0:27 PM, quend said:

Did anyone else have a hard time setting breakpoints for #9 layer1? I'm thinking dnSpy is struggling bc it failed to decompile it, got this error: icsharpcode.decompiler exception null value

 

Once the assembly is loaded, you can set breakpoints on the "helper" class and its first few methods. If you step into (F11) the second method it will dynamically decompile the main program logic and you will be able to debug there (at least that was my experience with this particular binary). 

[quend]

Yeah, the trick that helped me was step into.