kraxgrr (posted October 4, 2020)
lazydaemon said (4 hours ago): The IN instruction appears after running this code (that's the code doing stuff on the data from the PCAP). Could it be a problem with the endianness? Because I just copied the data from the pcap into the allocated memory region (instead of providing data for the 'recv' call).
Oh, I thought you encountered the IN instruction early on, like just after unpacking the shellcode. Then I don't know. I just copied the required data and provided it via a netcat session. I think eventually, as I went over it again, I just pasted the data into the recv() buffer, set the return value as successful and skipped over the actual call. Do check that whatever data you provide is actually correct. I had an issue with Python in the sense that it encoded weirdly: for the string "\x86", instead of putting 0x86 in the binary, it would encode each character, so I would have '\', 'x', '8', '6' in hex, 4 characters instead of 1. Seems to have been an issue with the way Python 3 wants data compared to how it was done in Python 2.
kraxgrr (posted October 4, 2020)
AeroX2 said (1 hour ago): I've really hit a wall with challenge #9 this year. I've been trying for probably more than a week now and I still haven't felt like I have made any progress. Can someone point me in the right direction? Thanks. Spoiler: So I've extracted several files from the crackinstaller and tried a number of things. Things I've tried: extracted the driver and DLL(s); written a COM application to interface with and debug the COM DLL, found some interesting functions writing to the registry; debugged the driver and found a decryption routine which gives me a non-ASCII string, but I'm not sure how it "connects" with the rest of the application. I think I understand the flow from the application to the driver, but I'm not sure about how it communicates back and what it is communicating back.
The password you find should be understandable by a human. So if it is all non-human-readable (non-ASCII), you have the wrong one.
lazydaemon (posted October 4, 2020)
kraxgrr said (35 minutes ago): Oh, I thought you encountered the IN instruction early on, like just after unpacking the shellcode. Then I don't know. I just copied the required data and provided it via a netcat session. I think eventually, as I went over it again, I just pasted the data into the recv() buffer, set the return value as successful and skipped over the actual call. Do check that whatever data you provide is actually correct. I had an issue with Python in the sense that it encoded weirdly: for the string "\x86", instead of putting 0x86 in the binary, it would encode each character, so I would have '\', 'x', '8', '6' in hex, 4 characters instead of 1. Seems to have been an issue with the way Python 3 wants data compared to how it was done in Python 2.
I basically did the same. Spoiler: The first recv call reads 4 bytes and XORs them with 524f584B. This will be the length of the actual payload (0x4D7). Then it allocates memory with VirtualAllocExA and writes the other 1239 bytes to that memory. I also copied them directly into the memory region and skipped all the other recv calls. When I look at the decryption/decoding part, everything looks fine in terms of lengths and so on. So I have no idea what I'm missing.
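Two things in the exchange above are easy to get wrong when replaying captured traffic into an emulated recv(): the Python 3 bytes-versus-text pitfall kraxgrr describes (a pasted "\x86" ending up as four characters), and the endianness question raised about the 4-byte XOR-obfuscated length prefix lazydaemon describes. The script below is an added example written for this thread, not code from the challenge or from either poster. It takes the XOR key 0x524F584B and the payload length 0x4D7 from the posts; that the prefix is read as a little-endian dword is an assumption (x86 would read it that way), so the helper tries both byte orders and reports the one under which the decoded length matches what follows it in the capture. The sample stream is constructed, not taken from the real pcap.

```python
"""Replay a captured length-prefixed stream into an emulated recv() without
the usual encoding and endianness mistakes. Added example; assumptions noted inline."""
import codecs
import struct
from typing import Tuple

XOR_KEY = 0x524F584B     # key quoted in the thread
PAYLOAD_LEN = 0x4D7      # 1239 bytes, quoted in the thread


def escaped_text_to_bytes(text: str) -> bytes:
    """Turn text that literally contains backslash escapes (e.g. r'\x86\x90' pasted
    from a hex dump or an old Python 2 script) into the raw bytes it denotes.
    Calling .encode() on such text would emit the characters '\\', 'x', '8', '6'
    instead of the single byte 0x86, which is the pitfall described above."""
    return codecs.decode(text, "unicode_escape").encode("latin-1")


def decode_length(prefix: bytes, key: int = XOR_KEY, byteorder: str = "<") -> int:
    """Undo the XOR on the 4-byte length prefix. byteorder is '<' (little) or '>' (big)."""
    if len(prefix) != 4:
        raise ValueError("length prefix must be exactly 4 bytes")
    return struct.unpack(byteorder + "I", prefix)[0] ^ key


def encode_length(length: int, key: int = XOR_KEY, byteorder: str = "<") -> bytes:
    """Inverse of decode_length; used here only to build the constructed sample."""
    return struct.pack(byteorder + "I", length ^ key)


def detect_byteorder(stream: bytes, key: int = XOR_KEY) -> str:
    """Return the byte order under which the decoded prefix equals the number of bytes
    that follow it. If neither fits, the bytes copied out of the pcap are probably wrong."""
    remaining = len(stream) - 4
    for order in ("<", ">"):
        if decode_length(stream[:4], key, order) == remaining:
            return order
    raise ValueError("neither byte order yields a length matching the captured payload")


def split_stream(stream: bytes, key: int = XOR_KEY) -> Tuple[int, bytes]:
    """Mirror the two recv() calls: first the obfuscated 4-byte length, then the payload.
    Returns (payload_length, payload) ready to be written into the emulated buffer."""
    order = detect_byteorder(stream, key)
    n = decode_length(stream[:4], key, order)
    return n, stream[4:4 + n]


# Constructed sample: a recognisable 1239-byte payload behind a little-endian prefix.
SAMPLE_PAYLOAD = bytes(range(256)) * 4 + bytes(range(215))
SAMPLE_STREAM = encode_length(PAYLOAD_LEN) + SAMPLE_PAYLOAD

if __name__ == "__main__":
    n, payload = split_stream(SAMPLE_STREAM)
    print(f"prefix decodes to 0x{n:X} ({n} bytes); payload intact: {payload == SAMPLE_PAYLOAD}")
    good = escaped_text_to_bytes(r"\x86\x90")
    bad = r"\x86\x90".encode()
    print(f"escapes decoded: {good!r} ({len(good)} bytes); naive .encode(): {len(bad)} bytes")
```

Before pasting a payload into the emulator's buffer, compare `len(payload)` against the decoded length; a mismatch means the wrong bytes were lifted from the capture, which shows up later as nonsense instructions such as the unexpected IN discussed above.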
bohaw (posted October 7, 2020, edited October 7, 2020 by bohaw)
For 9, I am at the point where I can step through it and see what is happening with the driver. I have now seen a pop culture quote. Am I on the right track, or is this something added in to be funny, like the covid19-sucks string in an early challenge? And it is okay if this question is not answered, but can the flag be observed through a debugger without writing additional code? Or will I not be able to get around writing something to communicate with the DLL?
kao (thread author, posted October 7, 2020)
Thankfully, you don't need to know the meaning of any memes or recognize any pop culture references to solve the challenge. A string is just a string. Spoiler: That specific string could be useful. I didn't have to write any COM client to get the flag. YMMV.
Washi (posted October 8, 2020)
I found that, as a rule of thumb, when you start seeing quotes, jokes or texts that refer to flare-on, it is usually a clue put in by the challenge authors indicating that you are on the right track. Also, just noticing that it is a quote is enough; flare-on never seems to rely on riddles that go beyond the scope of reverse engineering.
ECX (posted October 9, 2020, edited October 9, 2020 by ECX)
Hello again. Does challenge 9 need a clean Windows 10 or any special settings? I get a BSOD on DeviceIoControl. Thanks for any reply.
Washi (posted October 10, 2020)
@ECX There have been multiple reports of challenge 9 causing blue screens for some people. The organizers suggested the following: "Avoid a possible blue-screen by debugging this on a single core VM". Did you try this already?
Soozi (posted October 10, 2020)
ECX said (7 hours ago): Hello again. Does challenge 9 need a clean Windows 10 or any special settings? I get a BSOD on DeviceIoControl. Thanks for any reply.
I used Windows 7 with a 1-core CPU in VirtualBox. You may still get a BSOD sometimes while debugging, but a restart solves the problem. Run your debugger as administrator.
Handunken22 (posted October 10, 2020)
Hi, any hints on the last challenge? What I have done is: Spoiler: I dumped the DLL, fixed its header and had IDA analyze it. I tried debugging but it kept crashing. The code is too big; I can't RE all the functions.
loossy (posted October 11, 2020)
I am doing flare-on7's 10th challenge. I found the first flag. I analyzed the whole code, but couldn't find the second flag. Does anyone have any advice for me? Below is what I did. Spoiler:
1. Determined the relationship to fork-ptrace-waitpid.
2. The structure of ptrace was applied.
3. child2 hooks a specific syscall.
4. It is assumed that child2 and child3 operate as handlers with a specific 4-byte dword value.
5. The embedded file is decrypted, and the first 32 bytes are suspicious, but there is no object for comparison.
Rurik (posted October 11, 2020)
loossy said (7 minutes ago): I am doing flare-on7's 10th challenge. I analyzed the whole code, but couldn't find the second flag. Does anyone have any advice for me?
They like to hide their flag checks in some really nice routines.
sysc4ll (posted October 11, 2020)
Hello guys, I'm currently doing challenge 6 and I've found the correct thing that needs to be found. I have some issues with the actual decryption: I am getting an error from CryptDecrypt (0x80090005 - NTE_BAD_DATA) and I do not understand why. If someone can help me out with this a little, I would be glad. BTW, I tried to change the value in the au3 script and I still get the same error (also when I implement the same API calls in C).
kao (thread author, posted October 12, 2020)
sysc4ll said (10 hours ago): I am getting an error from CryptDecrypt (0x80090005 - NTE_BAD_DATA)
Crypto is 100% standard, so this error probably means you didn't find "the correct thing that needs to be found". Spoiler: Are you an AutoIt fan?
sysc4ll (posted October 12, 2020)
kao said (4 hours ago): Crypto is 100% standard, so this error probably means you didn't find "the correct thing that needs to be found". Spoiler: Are you an AutoIt fan?
The answer to your question (the spoiler one) is yes. I just have no idea how to make hidden text in here...
ashoka_ (posted October 13, 2020)
Hello, I am quite new to reverse engineering. My friend suggested that I try the flareon challenge. I will start today. I just want to know: can anyone please recommend good reference material in case I get stuck at some challenge?
Kurapica (posted October 13, 2020)
So you are new to reverse engineering and your friend suggested Flareon? You really have some good friends.
ashoka_ (posted October 13, 2020)
Kurapica said (9 minutes ago): So you are new to reverse engineering and your friend suggested Flareon? You really have some good friends.
Thanks.
sysc4ll (posted October 13, 2020)
Kurapica said (4 hours ago): So you are new to reverse engineering and your friend suggested Flareon? You really have some good friends.
LOL, some friends he's got there... 😂
Kurapica (posted October 13, 2020)
ashoka_ said (7 hours ago): Thanks.
Man, Flareon is for experienced reversers, or at least those who are not just starting. I recommend that you start by mastering the basics and familiarizing yourself with the many concepts that you may need to understand, and come back next year to play the Flareon challenges; you will definitely score better.
loossy (posted October 13, 2020)
I am analyzing ch 10. If possible, could you advise me on how to check key table information (logging, tracing, anything) or on reverse engineering know-how in this situation (fork-ptrace-waitpid)?
Washi (posted October 13, 2020, edited October 13, 2020 by Washi)
Kurapica said (8 hours ago): Man, Flareon is for experienced reversers, or at least those who are not just starting. I recommend that you start by mastering the basics and familiarizing yourself with the many concepts that you may need to understand, and come back next year to play the Flareon challenges; you will definitely score better.
To be fair though, the first few challenges are relatively easy. If you're new, you probably won't finish all the challenges, maybe not even half of them, but it doesn't hurt to give it a shot. Also, a lot can be learnt by reading write-ups of previous runs of the flare-on CTF.
loossy said (6 hours ago): I am analyzing ch 10. If possible, could you advise me on how to check key table information (logging, tracing, anything) or on reverse engineering know-how in this situation (fork-ptrace-waitpid)?
Spoiler: Probably not the best advice, but I did everything with the good old debug print technique. Alternatively, maybe you can look into how you can "trace" certain function calls. What other techniques exist for dynamic analysis other than using a debugger directly?
ECX (posted October 14, 2020, edited October 14, 2020 by ECX)
Hi, I need help with CH 9. Is CreateThread (the kernel version) important? I am stuck in the driver. What is important in the driver? I noticed that my remote debugging session at one certain point does not have a RETN. Did you also have that when you were struggling with the driver? Thanks for any tips. Also, thanks for the tip about the 1-core VM (Windows 7); it works better but still crashes on some actions. Is Windows 10 (1-core VM) a must-have?
ashoka_ (posted October 16, 2020)
Kurapica said (on 10/13/2020 at 7:28 PM): Man, Flareon is for experienced reversers, or at least those who are not just starting. I recommend that you start by mastering the basics and familiarizing yourself with the many concepts that you may need to understand, and come back next year to play the Flareon challenges; you will definitely score better.
After spending three days I am still stuck at the 4th challenge; now I understand what it means to be a reverse engineer. Maybe I will not solve all the challenges (or maybe not even half of them), but I will still try my best till the last day.