Flare-On 8

[adicto]

Just a tip for challenge 8

Spoiler

when checking for output on 8, it might be your alignment that is wrong. you cant just divide the whole string by 64 and then go to town checking. you'll hit a snag later on because it will be misaligned. This was the one that tripped me up and only noticed after days of scratching my head

 

[Coca]

Any tips for CH5? I search for all metadata, snapshots. Probably, i miss something in the way.

Spoiler

I couldn't realize what are the Quijote and matd files. I dont understand the sequence number1=2 and son on

 

Edited October 1, 2021 by Coca

[kiyo]

On 9/25/2021 at 2:58 AM, beetj said:

  Hide contents

Stuck here as well. It feels like I have to guess the next step 😕

 

i am stuck at same point and haven't found next point to analyze 😱 A nudge would be helpful...

[kao]

@kiyo: you're almost there. You've seen all the code, now it's just putting pieces together.

Spoiler

You have 2 encrypted halves of the flag, right? And the flag should not be encrypted. So...

 

[kiyo]

@kao Appreciate your help!  The final part of #7 was very hard mode for me.. 🥶

[bucketsort]

I'm hopelessly stuck on #8. Any hints to how to derive the "password" for decrypting the huge, encrypted string, would be appreciated. I haven't found any time efficient approach, but I have the feeling I'm missing something.

[kao]

@bucketsort: 2 huge spoilers were given already:

1) https://forum.tuts4you.com/topic/43170-flare-on-8/?do=findComment&comment=210148

2) https://forum.tuts4you.com/topic/43170-flare-on-8/?do=findComment&comment=210157

 

Final hints from my side:

 

 

 

Spoiler

Valid Javascript contains only a specific set of characters.
Don't make any other assumptions about functions or variable names, you'll probably regret them.

 

[muppet]

LOL. I was searching allowed characters in JS.

Basically anything goes and still being valid 😄

https://mathiasbynens.be/notes/javascript-identifiers

 

https://mothereff.in/js-variables#ಠ_ಠ

 

[kao]

@muppet: that might be true in a standalone JS file and ES5.1/ES6 and what not. Don't make the problem more difficult than it has to be.

[bucketsort]

Thanks @kao. I think I know which of my assumptions were wrong now. Let's hope I'm right.

[bianrycat]

@kao

Any chance for a tip on challenge #9?
 

Spoiler

I got all of the code figured out except for one big functions that seems to produce some kind of assembly instructions, should I focus on that one?
Checking the s*****.recv t***** doesn't seems to be enough

 

[kao]

@bianrycat:

Spoiler

I'm not sure which function you mean. IIRC the only function generating some assembly instructions was anti-debug related and not really relevant to solving the challenge.

My suggestion to you is to focus on the network part instead.

 

[adicto]

on ch10,

Spoiler

Is there a trick/tip as to how to analyze the loaded programs? not sure what to do with them

 

[loossy]

on ch9

Spoiler

I have a question.
Can you give me some tips for tracing the code flow of Vectored Exception Handler?
Are there any websites or blogs I can refer to?

 

[REbeginner]

Hi, I’m stuck on CH3 for a really long time. Can someone explain the solution to me in DM please?

[layered_design]

@REbeginner see DM, please don't ask for answers.

But you can tell me what you have done so far. I'll tell you of you're on the right track.

[0xccoxcc]

Im stuck on Ch7 one day and have no idea about "An error occurred. Please close the application and try again.", any tip will be helpful

Edited October 4, 2021 by 0xccoxcc

[kao]

@adicto: no tricks, just a pure reverse engineering fun.  

Spoiler

There are open-source tools to help you parse the specific data format - but the VM itself seems to be totally custom.

@loossy:

Spoiler

VEH handler is just like any other exception handler. Can you give some more details why you're struggling with it?
This is a nice VEH overview but I'm sure you already know all that: https://dimitrifourny.github.io/2020/06/11/dumping-veh-win10.html

@0xccoxcc:

Spoiler

That's a fake error message and means absolutely nothing. Use your disassembler, find suspicious code in the binary and start analyzing it.

 

[pcmcia]

I need a nudge on ch 5.  Can some dm me? can I dm someone?

Spoiler

I decrypted and decipher most of the files except for the n*.txt and t*.txt files.  The formula and RC4 key doesn't seem to work for these two types of files.  And what's with the 5th char?  What is that?

Thanks!

Edited October 4, 2021 by pcmcia

[Visororia]

Hi friends,
I've managed to make my way (somehow!) onto challenge 7. I think I've found a good direction, but after stumbling into the first obvious landmine, I have some concerns 😅. If someone's willing to DM with me a bit about it, to see if I'm on on the right track, I'd be grateful!

[kao]

@Visororia: welcome to the forum!

There are already 5 pages full of hints, including several about challenge 7. Perhaps this one is the most basic one: https://forum.tuts4you.com/topic/43170-flare-on-8/?do=findComment&comment=210182 

 

In order to keep the game fair, it's best to ask the questions publicly in this thread (use spoiler tags, if necessary). This way everyone has access to the same information.
But if you prefer, me and @Washi are available via PMs for rubber ducky debugging.

Cheers,
kao.

[barber]

Hello all,

 

Could someone give me a nudge (maybe better in DM?) on level 6.

I am not experienced with pcap's, I have trying for 4 days to find a start. But even with duckduckgo I can't figure out where to begin.

[whitesocks]

Hi everyone,

I'm lost on how to start on challenge #6. I found a file on the tcp flow 0 but at the end of the flow I see something else but I don't know what it is. Then, I understand there's an exchange between the client and the server in tcp flow 1 but I can't find anything about the signature used in these requests.

Any nudge ?

Thx

[ECX]

Hello again,

Now on CH#7 i am stuck. I found the suspicious code. I have 3 problems. How can i easily analyze the dynamic code in IDA. Now i am snapshoting to have a save points. Is there any magic workflow/plugin/trick to do this task easier?

Second question: What kind of task is it..what should i look for? Do i need to input something? Or is the message just hidden somewhere in the dynamic code. 

Third question: it this domain flare-on.com relevant in this task ?

Thank you for hints. DM is more than appreciated. 

[kao]

13 minutes ago, ECX said:

How can i easily analyze the dynamic code in IDA. Now i am snapshoting to have a save points. Is there any magic workflow/plugin/trick to do this task easier?

I would dump the dynamic code into a file and analyze that. Something like this: https://stackoverflow.com/questions/42744445/how-in-ida-can-save-memory-dump-with-command-or-script + https://medium.com/malware-buddy/reverse-engineering-tips-debugging-shellcode-e821290a7d61

I haven't verified those specific links but it should give you an idea.

 

20 minutes ago, ECX said:

it this domain flare-on.com relevant in this task ?

The used subdomain is a pretty big hint...

All FLARE challenges can be solved without an active Internet connection.