Tuts 4 You

Flare-On 7

AeroX2

I've really hit a wall with challenge #9 this year. I've been trying for probably more than a week now and I still haven't felt like I have made any progress.
Can someone point me in the right direction? Thanks
 

Spoiler

So I've extracted several files from the crackinstaller and tried a number of things.
Things I've tried:
- Extracted the driver and DLL(s)
- Written a COM application to interface and debug the COM DLL, found some interesting functions writing to the registry
- Debugged the driver and found a decryption routine which gives me a non-ASCII string but not sure how it "connects" with the rest of the application
I think I understand the flow from the application to the driver, but I'm not sure about how it communicates back and what it is communicating back.

 

Edited by AeroX2
Link to post

kraxgrr
4 hours ago, lazydaemon said:

The IN instruction appears after running this code (that's the code doing stuff on the data from the PCAP):

 

[attachment: challenge7.png]

 

Could it be a problem with the endianness? Because I just copied the data from the pcap into the allocated memory region (instead of providing data for the 'recv' call)

 

Oh I thought you encountered the IN instruction early on. Like just after unpacking the shellcode.

Then I don't know.

I just copied the required data and provided it by a netcat session.

I think eventually, as I went over it again, I just pasted the data into the recv() buffer, set retval as successful and skipped over the actual call.

Do check that whatever data you provide is actually correct.

I had an issue with python in the sense that it encoded weirdly.

As in, for the string "\x86", instead of setting 0x86 in the binary it would encode each character, so I would have '\', 'x', '8', '6' in hex: 4 characters instead of 1.

Seems to have been an issue with the way python3 wants data compared to how it was done in python2.

 

Link to post
kraxgrr
1 hour ago, AeroX2 said:

I've really hit a wall with challenge #9 this year. I've been trying for probably more than a week now and I still haven't felt like I have made any progress.
Can someone point me in the right direction? Thanks
 

Spoiler

So I've extracted several files from the crackinstaller and tried a number of things.
Things I've tried:
- Extracted the driver and DLL(s)
- Written a COM application to interface and debug the COM DLL, found some interesting functions writing to the registry
- Debugged the driver and found a decryption routine which gives me a non-ASCII string but not sure how it "connects" with the rest of the application
I think I understand the flow from the application to the driver, but I'm not sure about how it communicates back and what it is communicating back.

 

 

The password you find should be understandable by a human.

So if it is all non-human-readable (non-ASCII) you have the wrong one.

 

Link to post
lazydaemon
35 minutes ago, kraxgrr said:

 

Oh I thought you encountered the IN instruction early on. Like just after unpacking the shellcode.

Then I don't know.

I just copied the required data and provided it by a netcat session.

I think eventually as I went over it again I just pasted the data into the recv() buffer and set retval as successful and skipped over the actual call

Do check that whatever data you provide is actually correct.

I had an issue with python in the sense that it encoded weirdly.

As in the string "\x86" instead of setting 0x86 in a binary it would encode each character so I would have '\', 'x', '8', '6' in hex. 4 characters instead of 1.

Seems to have been an issue with the way python3 wants data compared to how it was done in python2.

 

I basically did the same.

 

Spoiler

The first recv call reads 4 bytes and XORs them with 524f584B. This will be the length of the actual payload (0x4D7). Then it's allocating memory with VirtualAllocExA and writing the other 1239 bytes to that memory. I also copied them directly into the memory region and skipped all the other recv calls. When I look at the decryption/decoding part, everything looks fine in terms of lengths and so on. So I have no idea what I'm missing.

 

Link to post
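The two pitfalls raised in kraxgrr's and lazydaemon's posts above (pasted "\x86" text turning into four bytes under Python 3, and the byte order in which the XORed 4-byte length header is read) can both be checked with a short script. This is an added example, not code from either poster or from the challenge itself. The XOR key 524F584B and the 0x4D7 (1239-byte) payload length are taken from lazydaemon's post; the function names and every sample byte are constructed for illustration.

```python
"""Rebuilding the recv() input for a challenge-7 style shellcode loader in Python 3.

Added example, not the posters' code. Two issues from the discussion:
  1. Text pasted as "\\x86" must become the single byte 0x86, not the four
     characters '\\', 'x', '8', '6' (the Python 2 -> 3 difference kraxgrr hit).
  2. The first four received bytes are a length field XORed with 524F584B; the
     byte order used to read them decides whether you get 0x4D7 (1239) or junk.
All sample bytes below are constructed, not real challenge traffic.
"""

LENGTH_XOR_KEY = 0x524F584B   # value quoted in lazydaemon's post
EXPECTED_LENGTH = 0x4D7       # 1239, also from the post


def naive_encode(text: str) -> bytes:
    """The mistake: encoding the escape text itself, so "\\x86" becomes b'\\\\x86' (4 bytes)."""
    return text.encode("utf-8")


def escaped_text_to_bytes(text: str) -> bytes:
    """Interpret Python-style \\xNN escapes in a pasted string and emit one byte each.

    Decoding the ASCII text with the 'unicode_escape' codec turns each \\xNN into
    the code point NN; encoding that as latin-1 maps code points 0-255 back to
    single bytes, so no UTF-8 expansion of values >= 0x80 happens.
    """
    return text.encode("ascii").decode("unicode_escape").encode("latin-1")


def decode_length_header(header: bytes, byteorder: str) -> int:
    """XOR the 4-byte length header with the key, read in the given byte order."""
    if len(header) != 4:
        raise ValueError("length header must be exactly 4 bytes")
    return int.from_bytes(header, byteorder) ^ LENGTH_XOR_KEY


def encode_length_header(length: int, byteorder: str) -> bytes:
    """Inverse of decode_length_header; used here only to build the constructed sample."""
    return (length ^ LENGTH_XOR_KEY).to_bytes(4, byteorder)


def split_recv_stream(stream: bytes):
    """Emulate the recv() sequence: XORed 4-byte length, then that many payload bytes.

    Tries little-endian first (the usual x86 layout) and falls back to big-endian.
    Returns (byteorder, length, payload) only when the decoded length matches the
    data actually present, which is the sanity check the thread recommends.
    """
    header, rest = stream[:4], stream[4:]
    for order in ("little", "big"):
        length = decode_length_header(header, order)
        if length == len(rest):
            return order, length, rest
    raise ValueError("decoded length matches the payload under neither byte order")


def build_sample_stream() -> bytes:
    """Constructed stand-in for the bytes pulled out of the PCAP (not real data)."""
    payload = bytes(range(256)) * 4 + bytes(range(215))  # 1024 + 215 = 1239 bytes
    assert len(payload) == EXPECTED_LENGTH
    return encode_length_header(EXPECTED_LENGTH, "little") + payload


if __name__ == "__main__":
    print(naive_encode(r"\x86"))             # b'\\x86' -> 4 bytes, the bug
    print(escaped_text_to_bytes(r"\x86"))    # b'\x86'  -> 1 byte, what the shellcode expects
    order, length, payload = split_recv_stream(build_sample_stream())
    print(order, hex(length), len(payload))  # little 0x4d7 1239
    # Reading the same header with the wrong byte order yields a nonsense length:
    print(hex(decode_length_header(build_sample_stream()[:4], "big")))
```

The length check in split_recv_stream is the practical test: if the decoded header does not equal the number of bytes that follow, either the bytes were pasted wrongly (the escape problem) or the header is being read in the wrong byte order, and the shellcode's later decoding stage will go astray.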

For 9

I am at the point where I can step through 9 and see what is happening with the driver. I now have seen a pop culture quote. Am I on the right track, or is this something added in to be funny like the covid19-sucks string in an early challenge?

And it is okay if this question is not answered, but can the flag be observed through a debugger without writing additional code? Or will I not be able to get around writing something to communicate with the DLL?

Edited by bohaw
Link to post
kao

Thankfully, you don't need to know the meaning of any memes or recognize any pop culture references to solve the challenge. A string is just a string.
 

Spoiler

That specific string could be useful.

I didn't have to write any COM client to get the flag. YMMV.

Link to post
Washi

I found that, as a rule of thumb, when you start seeing quotes, jokes or texts that refer to flare-on, it is usually a clue put in by the challenge authors indicating that you are on the right track. Also, just noticing that it is a quote is enough; flare-on never seems to rely on riddles that go beyond the scope of reverse engineering.

 

Link to post

@ECX There have been multiple reports of challenge 9 causing blue screens for some people. The organizers suggested the following:

Quote

Avoid a possible blue-screen by debugging this on a single core VM

Did you try this already?

Link to post
7 hours ago, ECX said:

Hello again.

Does Challenge 9 need a clean Windows 10 or any special settings? I get a BSOD on DeviceIoControl. Thanks for the reply.

I used a Windows 7 VM with a 1-core CPU in VirtualBox. You may still get a BSOD sometimes while debugging, but a restart solves the problem. Run your debugger as administrator.

Link to post
Handunken22

Hi, any hints on the last challenge?

What I have done is:

Spoiler
  • I dumped the DLL, fixed its header and got IDA to analyze it.
  • I tried debugging but it kept crashing.
  • The code is too big, I can't RE all the functions.

 

Link to post

I am doing flare-on7's 10th challenge.

I found first flag.

I analyzed the whole code, but couldn't find second flag.

Does anyone have any advice for me?

Below is what I did.

Spoiler

1. Determined the relationship to fork-ptrace-waitpid.
2. The structure of ptrace was applied.
3. child2 hooks a specific syscall.
4. It is assumed that child2 and child3 operate as handlers with a specific 4-byte DWORD value.
5. The embedded file is decrypted, and the first 32 bytes are suspicious, but there is no object for comparison.

 

Link to post
7 minutes ago, loossy said:

I am doing flare-on7's 10th challenge.

I analyzed the whole code, but couldn't find second flag.

Does anyone have any advice for me?

 

They like to hide their flag checks in some really nice routines.

Link to post
sysc4ll

Hello guys, I'm currently doing challenge 6 and I've found the correct thing that needs to be found.
I have some issues with the actual decryption: I am getting an error from CryptDecrypt (0x80090005 - NTE_BAD_DATA) and I do not understand why. If someone can help me out with this a little I would be glad.
BTW I tried to change the value in the au3 script and I still get the same error (also when I implement the same API calls in C).

Link to post
kao
10 hours ago, sysc4ll said:

I am getting an error from CryptDecrypt (0x80090005 - NTE_BAD_DATA)

Crypto is 100% standard, so this error probably means you didn't find "the correct thing that needs to be found".

Spoiler

Are you an autoit fan?

 

Link to post
sysc4ll
4 hours ago, kao said:

Crypto is 100% standard, so this error probably means you didn't find "the correct thing that needs to be found".

Spoiler

Are you an autoit fan?

 

The answer to your question is yes,

(the spoiler one). I just have no idea how to make hidden text in here...

Link to post
ashoka_

Hello, I am quite new to reverse engineering. My friend suggested I try the Flare-On challenge. I will start today. I just want to know: can anyone please recommend me good reference material in case I get stuck at some challenge?

Link to post
Kurapica

So you are new to reverse engineering and your friend suggested Flareon?

You really have some good friends.

Link to post
ashoka_
9 minutes ago, Kurapica said:

So you are new to reverse engineering and your friend suggested Flareon?

You really have some good friends.

thanks

Link to post
sysc4ll
4 hours ago, Kurapica said:

So you are new to reverse engineering and your friend suggested Flareon?

You really have some good friends.

LOL, some friends he got there... 😂

Link to post
Kurapica
7 hours ago, ashoka_ said:

thanks

Man, Flareon is for experienced reversers, or at least those who are not just starting. I recommend that you start mastering the basics and familiarize yourself with the many concepts that you may need to understand, and come back next year to play those Flareon challenges; you will definitely score better.

Link to post

I am analyzing ch 10.

If possible, could you advise me on how to check the key table information (logging, tracing, anything) or share reverse engineering know-how for this situation (fork-ptrace-waitpid)?

Link to post
8 hours ago, Kurapica said:

Man, Flareon is for experienced reversers, or at least those who are not just starting. I recommend that you start mastering the basics and familiarize yourself with the many concepts that you may need to understand, and come back next year to play those Flareon challenges; you will definitely score better.

To be fair though, the first few challenges are relatively easy. If you're new, you probably won't finish all challenges, maybe not even half of them, but it doesn't hurt to give it a shot :)

Also a lot can be learnt while reading write-ups of previous runs of the flare-on CTF.

  

6 hours ago, loossy said:

I am analyzing ch 10.

If possible, could you advise me on how to check the key table information (logging, tracing, anything) or share reverse engineering know-how for this situation (fork-ptrace-waitpid)?

Spoiler

Probably not the best advice, but I did everything with the good old debug print technique. Alternatively, maybe you can look into how you can "trace" certain function calls. What other techniques exist for dynamic analysis other than using a debugger directly?

 

Edited by Washi
Link to post

Hi, need help with CH 9.

Is CreateThread (kernel version) important? I am stuck in the driver. What is important in the driver?

I noticed that my remote debugging session in one certain point does not have RETN. Did you also have it when you were struggling with driver?

Thanks for any tips.

Also thanks for the tip about the 1-core VM (Windows 7)... it works better but still crashes on some actions.

Is Windows 10 (1-core VM) a must-have?

 

 

 

 

Edited by ECX
Link to post
