Washi Posted August 12, 2020 Registration already open? I cannot seem to find the form. Also, I still haven't received my badge from last year.
Extreme Coders Posted August 12, 2020 Official announcement: https://www.fireeye.com/blog/threat-research/2020/08/announcing-the-seventh-annual-flare-on-challenge.html Registrations are not yet open. As far as I remember, the badge arrived in late November last year.
Washi Posted August 12, 2020 Yeah, I did get an e-mail in late November, but the tracking code was missing, so I don't even know where it went. I've already tried a few times to contact nickharbour but can't seem to get him to read my messages. At this point I don't think I'll ever receive it. Maybe this year I'll have more luck 😅
waronz Posted September 12, 2020 After burning hours on challenge #2, does anybody have a hint, or can anyone confirm that I am on the right track? After fixing the binary, it still does not "work". Taking a look at the code shows 3 interesting functions. Stuff is being manipulated by heavy pointer usage? I tried to rebuild the relevant code parts, but after a few iterations it crashes. Does this sound familiar to anyone, or am I completely off track? w.
Kurapica Posted September 13, 2020 Scanning the "garbage.exe" file shows it's packed with UPX 3.94; several fields in the "Data directories" have invalid values, and the Import directory is also missing. The imports are missing from the .rsrc section; you can fix some stuff by hand and manipulate it to force the stub to unpack UPX1, but it won't resolve the imports correctly. The dumped section contains several suspicious strings and a "covid19sucks" message; a quick look at the dumped section in IDA shows some xor functions at the main function. I'm not a big fan of those challenges, but I think kao can shed more light since he solved 9 challenges on the first day.
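The "invalid values in the Data directories" that Kurapica describes are the first thing worth checking before trying to run or dump a damaged PE. The Python below is an added example (not code from this thread, the challenge or its authors): a small PE32/PE32+ header walker that lists the 16 data directories and flags any entry whose RVA falls outside every section, or whose range spills past the section that contains it. The image it checks is constructed in memory (two sections, one deliberately bogus entry); it is not garbage.exe, and the section names, sizes and the corrupt values are assumptions.

```python
import struct

# Added example: sanity-check the PE data directories against the section
# table. The sample image is constructed below; it is not garbage.exe.

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def parse_sections(data, first_section_off, num_sections):
    """Return (name, virtual_address, size_in_memory) for each section header."""
    sections = []
    off = first_section_off
    for _ in range(num_sections):
        if off + 40 > len(data):
            break  # truncated section table: stop rather than read garbage
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, rawsize, _rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, max(vsize, rawsize)))
        off += 40
    return sections


def check_data_directories(data):
    """Classify every data directory entry as empty, ok, suspicious or invalid."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    nt_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt_off:nt_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    num_sections = struct.unpack_from("<H", data, nt_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt_off + 20)[0]
    opt_off = nt_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:    # PE32: NumberOfRvaAndSizes at +92, directories at +96
        count_off, dir_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:  # PE32+: +108 and +112
        count_off, dir_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # A corrupted header can claim thousands of directories; cap at the real 16.
    count = min(struct.unpack_from("<I", data, count_off)[0], 16)
    sections = parse_sections(data, opt_off + opt_size, num_sections)

    report = []
    for i in range(count):
        rva, size = struct.unpack_from("<II", data, dir_off + 8 * i)
        if rva == 0 and size == 0:
            verdict = "empty"
        elif i == 4:  # SECURITY holds a raw file offset, not an RVA
            verdict = "ok:file-offset" if rva + size <= len(data) else "invalid:beyond-eof"
        else:
            home = [s for s in sections if s[1] <= rva < s[1] + s[2]]
            if not home:
                verdict = "invalid:outside-sections"
            elif rva + size > home[0][1] + home[0][2]:
                verdict = "suspicious:spills-past-section"
            else:
                verdict = "ok:" + home[0][0]
        report.append((DIRECTORY_NAMES[i], rva, size, verdict))
    return report


def build_sample_pe(directories):
    """Constructed minimal PE32 image with .text and .rsrc sections (test input only)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)     # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)      # FileAlignment
    struct.pack_into("<I", opt, 56, 0x3000)     # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x400)      # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    for i, (rva, size) in enumerate(directories):
        struct.pack_into("<II", opt, 96 + 8 * i, rva, size)
    layout = [(b".text", 0x1000, 0x1000, 0x400, 0x200), (b".rsrc", 0x2000, 0x1000, 0x600, 0x200)]
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize, rawptr, rawsize in layout
    )
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections).ljust(0x400, b"\0")
    return headers + b"\0" * 0x400  # raw bytes for the two sections


if __name__ == "__main__":
    dirs = [(0, 0)] * 16
    dirs[2] = (0x2000, 0x100)    # RESOURCE inside .rsrc
    dirs[5] = (0x99999, 0x100)   # BASERELOC pointing nowhere (deliberately corrupt)
    for entry in check_data_directories(build_sample_pe(dirs)):
        print("%-15s rva=0x%08x size=0x%x %s" % entry)
```

On a real file, pass `open(path, "rb").read()` to `check_data_directories`. A missing Import directory shows up as "empty", and an entry that points past every section is exactly the kind of field the Windows loader rejects while a more lenient loader may still accept; clearing or repointing those entries by hand in a PE editor is the usual first repair step.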
deepzero Posted September 13, 2020 They have considerable skill placing this challenge at times where I absolutely can't spare the time to participate... I just solved the first two though. Little hint: Wine seems more permissive with corrupted exe files; it's relatively easy to fix it up to a point where Wine will eat it.
akkaldama Posted September 13, 2020 (edited) Here is how I solved it. Spoiler: 1. Used some unpacker tool to unpack this file. 2. Used CFF Explorer to fix the corrupted PE file. 3. Ran the exe and got the key. Edited September 13, 2020 by akkaldama
kraxgrr Posted September 14, 2020 I'm trying challenge 4. I have a decent idea of how to solve it, if only I had access to MS Office. But I can't run the scripts because I lack MS Office. Any suggestions for other ways of running the scripts?
Kurapica Posted September 14, 2020 You may have to wait until the end of the match; no one will be posting info during the match for the sake of honest competition. You can find several downloads of Office on the web if it's needed to solve the challenge. Good luck.
kraxgrr Posted September 14, 2020 Well, my idea of how to solve it was correct. I was just lacking a copy of Office. I can't see it as cheating to ask whether any alternatives to pirating Office exist. Now I pirated Office and I'm on to challenge #5.
kao (thread author) Posted September 14, 2020 A retail copy of MS Office offers a 30-day trial before mandatory activation. That's not piracy. In one of the next challenges, you'll also need a pretty new build of Windows 10. Again, there are evaluation copies available.
waronz Posted September 14, 2020 I feel pretty stupid for asking for a hint again. This time it's ch3. Feel free to DM me if somebody wants to avoid spoilers. I can control pretty much everything: score, highscore, obstacles, etc. I know how many points I need and I can win the game; the winner screen appears, but no flag is displayed. So I think there might be more "tamper" protection? Did anybody else have this problem?
noweileen Posted September 15, 2020 (edited) Does anyone have any hints for 6/codeit? I deobfuscated the AutoIt script, but I'm not sure how to get the hash for decryption (or if this is even required). Edit: Solved 🙂 Edited September 16, 2020 by noweileen
kraxgrr Posted September 20, 2020 So on challenge #8 I get a CoCreateInstance() failure. Is this part of the challenge, or is my setup bad?
Rurik Posted September 20, 2020 4 hours ago, kraxgrr said: "So challenge #8 I get CoCreateInstance() fails. Is this part of the challenge or my setup is bad?" That's your setup. It should just run cleanly on a standard Windows 10 system.
kraxgrr Posted September 20, 2020 2 hours ago, Rurik said: "That's your setup. It should just run cleanly on a standard Windows 10 system." Thanks. I managed to get it working by turning on "Virtual Machine Platform". "WSL" alone was not enough.
ECX Posted September 24, 2020 (edited) Hello, can someone give me a little tip for CodeIt? I deobfuscated the code and I understand how the app works (more or less). Spoiler: 1. Do I need to focus on brute-forcing the hash stuff somehow (search for any weak spot)? I think it is not possible; there is AES / SHA256 etc. inside. 2. Should I focus on the picture stuff and the name? Thanks for any help. Cheers. Edited September 24, 2020 by ECX
Futex Posted September 24, 2020 46 minutes ago, ECX said: "Hello, Can someone give me a little tip for CodeIT. I deobfuscated code and i understand how the app works ( more or less) 1. Do i need to focus on bruteforce the hash stuff somehow (search for any weakspot)? I think it is not possible. AES / SHA256 etc inside. 2. Should i focus on the picture stuff and name? Thanks for any help. Cheers." Spoiler: Focus on the function that uses the computer name.
ECX Posted September 24, 2020 8 hours ago, Futex said: "Focus on the function that used the computer name" Spoiler: I have been working on this task for 3-4 days and my brain is going to explode :) I have rewritten the code related to PC-name generation and manipulation. At this moment I would like to try brute-forcing the computer name. Is that a good direction? What I found is: take pcname -> lowercase it -> perform manipulation of pcname with picture = output. Take output -> sha256. Use this sha256 to decrypt data. If it contains the magic string in front and at the end, do manipulation with the data in QR code data -> convert QR to bitmap. Probably after that manipulation there will be an encoded flag in the QR code bitmap. PS. Is it possible to get the PC name from the picture (like reverse it)? Can you give me more tips? Thank you.
Kurapica Posted September 25, 2020 (edited) Don't brute-force it, and forget about the crypto function; it's all in the function which does the shifting. Pseudo code would look like:

    Local $flxmdchrqd = DllStructCreate("struct;byte[54];byte[" & $flvburiuyd - 54 & "];endstruct", DllStructGetPtr($flnfufvect))
    Local $Counter = 1
    ; first loop
    For $dummy = 1 To DllStructGetSize($lowerCompName)
        Local $flydtvgpnc = 0
        ; second loop
        For $LoopCounter = 6 To 0 Step -1
            $flydtvgpnc += BitShift(BitAND(Number(DllStructGetData($flxmdchrqd, 2, $Counter)), 1), -1 * $LoopCounter)
            $Counter += 1
        Next
        ConsoleWrite("ASCII >> " & $flydtvgpnc & @CRLF)
    Next

Watch for that ASCII value. Edited September 26, 2020 by Kurapica
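The shifting loop in Kurapica's pseudo code is plain least-significant-bit steganography: the struct skips the 54-byte BMP header, then for each character of the lowercased computer name it takes the LSB of seven consecutive pixel bytes and assembles them, most significant bit first, into a 7-bit ASCII code. The Python below is an added example and not code from the thread, the challenge or its authors; it implements that extraction, the inverse embedding step so the round trip can be checked offline, and a constructed BMP. The sample name "my-pc-01" and the filler pixel pattern are made up, and `looks_like_name` is an assumed plausibility check for "watch for that ASCII value".

```python
import struct

# Added example: LSB steganography round trip in the shape of the AutoIt loop
# above. The BMP and the embedded name are constructed here; nothing comes
# from the challenge files.

BMP_HEADER_LEN = 54  # BITMAPFILEHEADER (14) + BITMAPINFOHEADER (40)


def extract_lsb_ascii(bmp, nchars):
    """Rebuild nchars 7-bit ASCII codes from the LSB of the pixel bytes,
    seven bytes per character, most significant bit first. This is the
    AutoIt inner loop: BitShift(BitAND(byte, 1), -shift) for shift = 6..0."""
    pixels = bmp[BMP_HEADER_LEN:]
    if len(pixels) < 7 * nchars:
        raise ValueError("image too small for %d characters" % nchars)
    chars = []
    pos = 0
    for _ in range(nchars):
        code = 0
        for shift in range(6, -1, -1):
            code |= (pixels[pos] & 1) << shift
            pos += 1
        chars.append(chr(code))
    return "".join(chars)


def embed_lsb_ascii(bmp, text):
    """Inverse step, used only to build the sample: write each 7-bit code
    into the LSBs of seven consecutive pixel bytes, leaving the header alone."""
    buf = bytearray(bmp)
    pos = BMP_HEADER_LEN
    if len(buf) - pos < 7 * len(text):
        raise ValueError("image too small for %d characters" % len(text))
    for ch in text:
        code = ord(ch)
        if code > 0x7F:
            raise ValueError("7-bit ASCII only: %r" % ch)
        for shift in range(6, -1, -1):
            buf[pos] = (buf[pos] & 0xFE) | ((code >> shift) & 1)
            pos += 1
    return bytes(buf)


def make_sample_bmp(width, height):
    """Constructed 24-bit BMP with deterministic filler pixels (not a real image)."""
    row = (width * 3 + 3) & ~3           # rows are padded to 4 bytes
    size = row * height
    file_hdr = struct.pack("<2sIHHI", b"BM", BMP_HEADER_LEN + size, 0, 0, BMP_HEADER_LEN)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, size, 2835, 2835, 0, 0)
    pixels = bytes((i * 37 + 11) & 0xFF for i in range(size))
    return file_hdr + info_hdr + pixels


def looks_like_name(text):
    """Assumed plausibility check for a lowercased computer name: the ASCII
    values read out of a real carrier should land in this character set,
    while an unmodified image yields arbitrary codes."""
    return text != "" and all(c.isalnum() or c == "-" for c in text)


if __name__ == "__main__":
    cover = make_sample_bmp(16, 8)
    stego = embed_lsb_ascii(cover, "my-pc-01")   # assumed name, not the real one
    print(extract_lsb_ascii(stego, 8))            # my-pc-01
    print(extract_lsb_ascii(cover, 8))            # noise from the untouched filler pixels
```

Running the extraction over the untouched cover shows why the ASCII value is the tell: filler pixels produce codes that are not a name, while a carrier with an embedded name yields the name directly, with no need to touch the SHA256/AES stage at all.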
ECX Posted September 25, 2020 Thank you for the help. I managed to get the flag. Still a little confused by this task, but I am glad that I passed it. Thanks for the help. I owe you a tea/coffee/beer.
Rurik Posted September 25, 2020 If there was more of a hint, it'd be the answer. IMO what's already here for that problem is stretching it for acceptable help, especially in public.
kraxgrr Posted September 25, 2020 So anyway, #9, Crackstaller. I hate it. 😞 I have found an entry for a certain CLSID that contains an empty entry for FLAG and PASSWORD. I've extracted several files. Reversing around these functions, I found that the only place this is written is where they are actually set to NULL, so there is nothing to get. Yet I see people announcing they have passed it. Any hint for what I should look for or do next?