Jump to content
Tuts 4 You

Flare-On 4

rand0m

By rand0m
in Reverse Engineering Articles

 Share

Recommended Posts

quend

quend

Posted
Posted

@SmilingWolfthanks for offering - I actually figured it out. Initially i was trying to use an instruction count  side channel but it won't work for #11 - had to do it the hard way lol 

  • Replies 62
  • Created
  • Last Reply

Top Posters In This Topic

  • kao

    10

  • Rurik

    8

  • rand0m

    6

  • Eskalina

    3

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

SmilingWolf
SmilingWolf

Suggestions:   I have seen a number of people doing something like this on twitter, am I doing it right?  

Rurik
Rurik

IIRC, if you check the input bounds, it'll take either a coordinate or a 16-byte string.

kao
kao

Let's put some links together... https://www.fireeye.com/blog/threat-research/2017/10/2017-flare-on-challenge-solutions.html - official solutions. https://lifeinhex.com/about-flare-2017/ - m

Posted Images

reversing4fun

reversing4fun

Posted
Posted

Can someone help me with level 5? I got the letters, reordered and did rot13 but I don't know what should I do with the result. Do I need to use it as a key to decrypt something?

Rurik

Rurik

Posted
Posted
  On 9/17/2017 at 1:38 PM, reversing4fun said:

Can someone help me with level 5? I got the letters, reordered and did rot13 but I don't know what should I do with the result. Do I need to use it as a key to decrypt something?

Expand  

IIRC, if you check the input bounds, it'll take either a coordinate or a 16-byte string.

  • Like 1
  • Thanks 1
reversing4fun

reversing4fun

Posted
Posted

Thanks. I noticed that call before but decided to check it later. Then I forgot it. :/

VirtualPuppet

VirtualPuppet

Posted
Posted
  On 9/17/2017 at 9:56 AM, grau said:

Got stuck on challenge 4. Can't decrypt with key.bin

Expand  

If you look at the code, you'll find the initial key (which a xor-encryption is performed on). The key for the xor-encryption is based on the key.bin file. The key.bin file is generated from a function that checks the "%USERPROFILE%\flareon2016challenge"-folder (if it exists) and then iterates the files in it, and compares the timestamp in the Optional Header of the file, and based on the timestamp, will read an offset of data from the file and write it to the key.bin file. Now, if you download all the files from the 2016 challenge and compare their Timestamps (I used CFF Explorer), you will find the necessary files. I wrote this function to parse them and print the flag: 

void flare_on_4()
{
    std::function<const char*(const char*)> get_code_base = [](const char* input) -> const char*
    {
        return input + PIMAGE_NT_HEADERS(input + PIMAGE_DOS_HEADER(input)->e_lfanew)->OptionalHeader.BaseOfCode;
    };
	    unsigned char key[] = 
    {
        0x37, 0xE7, 0xD8, 0xBE, 0x7A, 0x53, 0x30, 0x25,
        0xBB, 0x38, 0x57, 0x26, 0x97, 0x26, 0x6F, 0x50,
        0xF4, 0x75, 0x67, 0xBF, 0xB0, 0xEF, 0xA5, 0x7A,
        0x65, 0xAE, 0xAB, 0x66, 0x73, 0xA0, 0xA3, 0xA1,
        0x00
    };
	    unsigned char xor_key[32];
    memset(xor_key, 0, sizeof(xor_key));
	    const char* input_1 = reinterpret_cast<const char*>(LoadLibraryEx(L"C:\\Users\\Benny\\flareon2016challenge\\1.exe", NULL, DONT_RESOLVE_DLL_REFERENCES));
    const char* input_2 = reinterpret_cast<const char*>(LoadLibraryEx(L"C:\\Users\\Benny\\flareon2016challenge\\2.exe", NULL, DONT_RESOLVE_DLL_REFERENCES));
    const char* input_3 = reinterpret_cast<const char*>(LoadLibraryEx(L"C:\\Users\\Benny\\flareon2016challenge\\3.exe", NULL, DONT_RESOLVE_DLL_REFERENCES));
    const char* input_4 = reinterpret_cast<const char*>(LoadLibraryEx(L"C:\\Users\\Benny\\flareon2016challenge\\4.exe", NULL, DONT_RESOLVE_DLL_REFERENCES));
	    if (input_1)
        memcpy(xor_key, get_code_base(input_1), 8);
	    if (input_2)
        memcpy(xor_key + 8, get_code_base(input_2) + 0x10, 8);
	    if (input_3)
        memcpy(xor_key + 16, get_code_base(input_3) + 0x20, 8);
    
    if (input_4)
        memcpy(xor_key + 24, get_code_base(input_4) + 0x30, 8);
    
    for (int i = 0; i < 32; i++)
        key[i] ^= xor_key[i];
	    /* bl457_fr0m_th3_p457@flare-on.com */
    std::cout << key << std::endl;
}

kao

kao

Posted
Posted

@VirtualPuppet: please do not spoil the fun for others and do not post full solutions. The challenge is still ongoing.

  • Thanks 1
SmilingWolf

SmilingWolf

Posted
Posted

@VirtualPuppet if not removing the whole code (which would still be advisable) at least delete the final flag from the comments, so whoever comes across your post on this public board has to make the minimum effort of finding the right executables...

VirtualPuppet

VirtualPuppet

Posted
Posted
  On 9/18/2017 at 10:42 PM, SmilingWolf said:

@VirtualPuppet if not removing the whole code (which would still be advisable) at least delete the final flag from the comments, so whoever comes across your post on this public board has to make the minimum effort of finding the right executables...

Expand  

You cannot edit posts after a certain amount of time has passed.

Rurik

Rurik

Posted
Posted (edited)

11 is starting to hurt. It's hard to know where to start, or to identify what you're actually looking at.

  Reveal hidden contents

 

Edited by Rurik
kao

kao

Posted
Posted

@Rurik :

  Reveal hidden contents

 

grau

grau

Posted
Posted

Getting Missing entry: EntryPoint error for Challenge 6 (package.dll). I am on Windows 8.1 x64.  

entrypoint.png

Rurik

Rurik

Posted
Posted

@grau There are other ways of calling exports instead of using their names...

Adrian_12

Adrian_12

Posted
Posted

can anyone help me with pewpewboat challenge?? Am just a beginner

akkaldama

akkaldama

Posted
Posted

@Adrian_12

Just check how the map for each level is stored in the binary, how to decrypt it, how to find the ships. Then follow those hints by crystalboy and rurik.

Regards,

akkaldama

opc0d3

opc0d3

Posted
Posted

Guys, what kind of tools did you use to finish a CTF like that ?
Did anyone used radare2 as DBG? (linux)

I'm a noob entering in the CTF world.. And I saw a TONS of tools they used and sometimes I wonder why.

I mean, in point of view we need a disassembler and a DBG with a good scripting behind. 

Anyway.. Just a noob question.. :)

 

kienmanowar

kienmanowar

Posted
Posted
  On 9/28/2017 at 9:43 PM, opc0d3 said:

Guys, what kind of tools did you use to finish a CTF like that ?
Did anyone used radare2 as DBG? (linux)

I'm a noob entering in the CTF world.. And I saw a TONS of tools they used and sometimes I wonder why.

I mean, in point of view we need a disassembler and a DBG with a good scripting behind. 

Anyway.. Just a noob question.. :)

 

Expand  

I think it depends on the target that you work around ... But many experts in here always use the IDA Pro first!

Regards,

  • Like 1
kimbo

kimbo

Posted
Posted
  On 9/17/2017 at 12:45 PM, quend said:

@SmilingWolfthanks for offering - I actually figured it out. Initially i was trying to use an instruction count  side channel but it won't work for #11 - had to do it the hard way lol 

Expand  

I'm really stuck on 11 too. Tried to trace the stored password bytes, but it seems only a constant subtraction? Also tried many bytes possibilities but I dont see any readable words. :blink:

akkaldama

akkaldama

Posted
Posted

Any help on lvl7?. Reached the "follow along" by bruteforceing, got the hex bytes from Kevin by applying the base64 -like string as the key but the hex bytes seems to be garbage.

Regards, akkaldama

kao

kao

Posted
Posted

@akkaldama: Kevin will gladly RC4-decrypt anything you throw at him. You need to give a correct encrypted key to him.

  Reveal hidden contents

@kimbo: there are no readable words. You need to supply correct flag and then the program will print a good boy message.

  On 10/1/2017 at 2:44 PM, kimbo said:

it seems only a constant subtraction?

Expand  

Yes. That's a very special computer with only one instruction. :) Maybe you can solve it by using a constraint solver, I don't know. For me, the fastest way was pen, paper and small disassembler/emulator I wrote in C#.

  • Thanks 1
satoshi

satoshi

Posted
Posted
  On 10/2/2017 at 10:52 AM, kao said:

@akkaldama: Kevin will gladly RC4-decrypt anything you throw at him. You need to give a correct encrypted key to him.

  Reveal hidden contents

@kimbo: there are no readable words. You need to supply correct flag and then the program will print a good boy message.

Yes. That's a very special computer with only one instruction. :) Maybe you can solve it by using a constraint solver, I don't know. For me, the fastest way was pen, paper and small disassembler/emulator I wrote in C#.

Expand  

I'm also pretty stuck on challenge 7, is it possible to solve the challenge without using brute force methods? For example, if I were exclusively relying on disassembly tools?

satoshi

satoshi

Posted
Posted
  On 10/3/2017 at 4:25 AM, ilya01 said:

Yes, this is possible.

See on api functions.:)

Expand  

I'll give those API functions a look then and see if I can get a bit further. Thank you!

Rurik

Rurik

Posted
Posted
  On 10/3/2017 at 1:27 AM, satoshi said:

I'm also pretty stuck on challenge 7, is it possible to solve the challenge without using brute force methods? For example, if I were exclusively relying on disassembly tools?

Expand  

@satoshi The organizer gave a good hint on Twitter: 

  Reveal hidden contents

 

kimbo

kimbo

Posted
Posted
  On 10/2/2017 at 10:52 AM, kao said:

there are no readable words. You need to supply correct flag and then the program will print a good boy message.

Expand  

Thanks a lot for the suggestions @kao, hopefully I can continue tracing it and solve the challenge, not sure if I can make it with this short time though.

  On 10/2/2017 at 10:52 AM, kao said:

For me, the fastest way was pen, paper and small disassembler/emulator I wrote in C#.

Expand  

Yup, can't denied you are a very good reverser with awesome skill :) 

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...