Jump to content
Tuts 4 You

Flare-On 8


Recommended Posts

Just a tip for challenge 8

Spoiler

when checking for output on 8, it might be your alignment that is wrong. you cant just divide the whole string by 64 and then go to town checking. you'll hit a snag later on because it will be misaligned. This was the one that tripped me up and only noticed after days of scratching my head

 

Link to comment

Any tips for CH5? I search for all metadata, snapshots. Probably, i miss something in the way.

Spoiler

I couldn't realize what are the Quijote and matd files. I dont understand the sequence number1=2 and son on

 

Edited by Coca
Link to comment
On 9/25/2021 at 2:58 AM, beetj said:
  Hide contents

Stuck here as well. It feels like I have to guess the next step 😕

 

i am stuck at same point and haven't found next point to analyze 😱 A nudge would be helpful...

Link to comment

@kiyo: you're almost there. You've seen all the code, now it's just putting pieces together.

Spoiler

You have 2 encrypted halves of the flag, right? And the flag should not be encrypted. So...

 

  • Like 1
Link to comment
bucketsort

I'm hopelessly stuck on #8. Any hints to how to derive the "password" for decrypting the huge, encrypted string, would be appreciated. I haven't found any time efficient approach, but I have the feeling I'm missing something.

Link to comment

@bucketsort: 2 huge spoilers were given already:

1) https://forum.tuts4you.com/topic/43170-flare-on-8/?do=findComment&comment=210148

2) https://forum.tuts4you.com/topic/43170-flare-on-8/?do=findComment&comment=210157

 

Final hints from my side:

 

 

 

Spoiler

Valid Javascript contains only a specific set of characters.
Don't make any other assumptions about functions or variable names, you'll probably regret them.

 

Link to comment

@muppet: that might be true in a standalone JS file and ES5.1/ES6 and what not. Don't make the problem more difficult than it has to be.

Link to comment
bianrycat

@kao

Any chance for a tip on challenge #9?
 

Spoiler

I got all of the code figured out except for one big functions that seems to produce some kind of assembly instructions, should I focus on that one?
Checking the s*****.recv t***** doesn't seems to be enough

 

Link to comment

@bianrycat:

Spoiler

I'm not sure which function you mean. IIRC the only function generating some assembly instructions was anti-debug related and not really relevant to solving the challenge.

My suggestion to you is to focus on the network part instead.

 

  • Like 1
Link to comment

on ch10,

Spoiler

Is there a trick/tip as to how to analyze the loaded programs? not sure what to do with them

 

Link to comment

on ch9

Spoiler

I have a question.
Can you give me some tips for tracing the code flow of Vectored Exception Handler?
Are there any websites or blogs I can refer to?

 

Link to comment
REbeginner

Hi, I’m stuck on CH3 for a really long time. Can someone explain the solution to me in DM please?

Link to comment
layered_design

@REbeginner see DM, please don't ask for answers.

But you can tell me what you have done so far. I'll tell you of you're on the right track.

  • Thanks 1
Link to comment
0xccoxcc

Im stuck on Ch7 one day and have no idea about "An error occurred. Please close the application and try again.", any tip will be helpful

Edited by 0xccoxcc
Link to comment

@adicto: no tricks, just a pure reverse engineering fun. :) 

Spoiler

There are open-source tools to help you parse the specific data format - but the VM itself seems to be totally custom.

@loossy:

Spoiler

VEH handler is just like any other exception handler. Can you give some more details why you're struggling with it?
This is a nice VEH overview but I'm sure you already know all that: https://dimitrifourny.github.io/2020/06/11/dumping-veh-win10.html

@0xccoxcc:

Spoiler

That's a fake error message and means absolutely nothing. Use your disassembler, find suspicious code in the binary and start analyzing it.

 

Link to comment

I need a nudge on ch 5.  Can some dm me? can I dm someone?

Spoiler

I decrypted and decipher most of the files except for the n*.txt and t*.txt files.  The formula and RC4 key doesn't seem to work for these two types of files.  And what's with the 5th char?  What is that?

Thanks!

Edited by pcmcia
Link to comment
Visororia

Hi friends,
I've managed to make my way (somehow!) onto challenge 7. I think I've found a good direction, but after stumbling into the first obvious landmine, I have some concerns 😅. If someone's willing to DM with me a bit about it, to see if I'm on on the right track, I'd be grateful!

Link to comment

@Visororia: welcome to the forum!

There are already 5 pages full of hints, including several about challenge 7. Perhaps this one is the most basic one: https://forum.tuts4you.com/topic/43170-flare-on-8/?do=findComment&comment=210182 

 

In order to keep the game fair, it's best to ask the questions publicly in this thread (use spoiler tags, if necessary). This way everyone has access to the same information.
But if you prefer, me and @Washi are available via PMs for rubber ducky debugging.

Cheers,
kao.

  • Like 2
Link to comment

Hello all,

 

Could someone give me a nudge (maybe better in DM?) on level 6.

I am not experienced with pcap's, I have trying for 4 days to find a start. But even with duckduckgo I can't figure out where to begin.

Link to comment
whitesocks

Hi everyone,

I'm lost on how to start on challenge #6. I found a file on the tcp flow 0 but at the end of the flow I see something else but I don't know what it is. Then, I understand there's an exchange between the client and the server in tcp flow 1 but I can't find anything about the signature used in these requests.

Any nudge ?

Thx

Link to comment

Hello again,

Now on CH#7 i am stuck. I found the suspicious code. I have 3 problems. How can i easily analyze the dynamic code in IDA. Now i am snapshoting to have a save points. Is there any magic workflow/plugin/trick to do this task easier?

Second question: What kind of task is it..what should i look for? Do i need to input something? Or is the message just hidden somewhere in the dynamic code. 

Third question: it this domain flare-on.com relevant in this task ?

Thank you for hints. DM is more than appreciated. 

Link to comment
13 minutes ago, ECX said:

How can i easily analyze the dynamic code in IDA. Now i am snapshoting to have a save points. Is there any magic workflow/plugin/trick to do this task easier?

I would dump the dynamic code into a file and analyze that. Something like this: https://stackoverflow.com/questions/42744445/how-in-ida-can-save-memory-dump-with-command-or-script + https://medium.com/malware-buddy/reverse-engineering-tips-debugging-shellcode-e821290a7d61

I haven't verified those specific links but it should give you an idea.

 

20 minutes ago, ECX said:

it this domain flare-on.com relevant in this task ?

The used subdomain is a pretty big hint...

All FLARE challenges can be solved without an active Internet connection.

 

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...