Jump to content
Tuts 4 You

Third annual Flare-On reverse engineering contest


kao

Recommended Posts

Hi Folks, doing the flareon CTF first time and am stuck at challenge 5. I see a lot of calls especially the first one which sets up something like a jump table of function ptrs. my input string is fed into these and finally before the printf call 4 parameters are passed into the function sub_401880. Only input buffer argument is in my control and it contains some kind of hash of my original input. I cant understand what kind of hash is generated and tracing through sub_401880 is not helping me. I come to understand the functions in the jump table are important for my input string. Should I focus too much on function call before the final printf? Would studying the jump table be enough? Could you please share some hints or clues that will help me progress.

 

Link to comment
Share on other sites

For the secureswf in #10, do I need to find the x and y? I tried debugging the swf with JPEXS, but it crashes everytime. I find it hard to understand what's going on in an obfuscated code without a debugger.

Link to comment
Share on other sites

3 minutes ago, msr said:

For the secureswf in #10, do I need to find the x and y? I tried debugging the swf with JPEXS, but it crashes everytime. I find it hard to understand what's going on in an obfuscated code without a debugger.

Did you get past the obfuscated Javascript without bruteforcing? I don't see any other way to get past it.
 

Spoiler

I also tried to reduce the bruteforcing range without success. Is this the right way to go or should I look for a hint somewhere else in the PCAP?

 

Link to comment
Share on other sites

Extreme Coders

@msr You would need to find x and y. JPEXS can debug the p-code but it isn't needed. Look in the options, it can deobfuscate.

@Mr. J Bruteforcing is not an option. The algorithm implemented is a rip off from some popular exploit kit, with a little bit of search you should be able to find it.

  • Like 1
Link to comment
Share on other sites

For those struggling with .NET debuggers: remember that IL code gets JIT'd into native code, which you can (in my experience) debug in a quite straightforward way with a normal (read: no VM mumbo jumbo) debugger.

WinDbg and !name2ee are your best friends.

  • Like 1
Link to comment
Share on other sites

Extreme Coders

@kao Hint: reuse of same rc4 key to encrypt multiple files. You have got plaintext, corresponding ciphertext and another piece of ciphertext encrypted with the same key.

Link to comment
Share on other sites

22 hours ago, Hypnz said:

Anyone can upload the challenges somewhere; thx.

Flare team has published all binary: http://flare-on.com/files/Flare-On3_Challenges.zip (pwd: flare)

Regards

  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...