adicto, posted September 30, 2021:
Just a tip for challenge 8. Spoiler: when checking for output on 8, it might be your alignment that is wrong. You can't just divide the whole string by 64 and then go to town checking; you'll hit a snag later on because it will be misaligned. This was the one that tripped me up, and I only noticed after days of scratching my head.
Coca, posted September 30, 2021 (edited October 1, 2021 by Coca):
Any tips for CH5? I searched all metadata and snapshots. Probably I'm missing something along the way. Spoiler: I couldn't work out what the Quijote and matd files are. I don't understand the sequence number1=2 and so on.
kiyo, posted October 1, 2021:
Quoting beetj (9/25/2021 at 2:58 AM): "Stuck here as well. It feels like I have to guess the next step 😕"
I am stuck at the same point and haven't found the next point to analyze 😱 A nudge would be helpful...
kao (author), posted October 1, 2021:
@kiyo: you're almost there. You've seen all the code, now it's just putting the pieces together. Spoiler: You have 2 encrypted halves of the flag, right? And the flag should not be encrypted. So...
kiyo, posted October 1, 2021:
@kao Appreciate your help! The final part of #7 was very hard mode for me... 🥶
bucketsort, posted October 1, 2021:
I'm hopelessly stuck on #8. Any hints on how to derive the "password" for decrypting the huge encrypted string would be appreciated. I haven't found any time-efficient approach, but I have the feeling I'm missing something.
kao (author), posted October 2, 2021:
@bucketsort: 2 huge spoilers were given already:
1) https://forum.tuts4you.com/topic/43170-flare-on-8/?do=findComment&comment=210148
2) https://forum.tuts4you.com/topic/43170-flare-on-8/?do=findComment&comment=210157
Final hints from my side: Spoiler: Valid JavaScript contains only a specific set of characters. Don't make any other assumptions about function or variable names; you'll probably regret them.
muppet, posted October 2, 2021:
LOL. I was searching for the allowed characters in JS. Basically anything goes and it's still valid 😄
https://mathiasbynens.be/notes/javascript-identifiers
https://mothereff.in/js-variables#ಠ_ಠ
kao (author), posted October 2, 2021:
@muppet: that might be true in a standalone JS file and ES5.1/ES6 and what not. Don't make the problem more difficult than it has to be.
bucketsort, posted October 2, 2021:
Thanks @kao. I think I know which of my assumptions were wrong now. Let's hope I'm right.
bianrycat, posted October 2, 2021:
@kao Any chance for a tip on challenge #9? Spoiler: I got all of the code figured out except for one big function that seems to produce some kind of assembly instructions; should I focus on that one? Checking the s*****.recv t***** doesn't seem to be enough.
kao (author), posted October 2, 2021:
@bianrycat: Spoiler: I'm not sure which function you mean. IIRC the only function generating some assembly instructions was anti-debug related and not really relevant to solving the challenge. My suggestion to you is to focus on the network part instead.
adicto, posted October 3, 2021:
On ch10, Spoiler: Is there a trick/tip as to how to analyze the loaded programs? Not sure what to do with them.
loossy, posted October 3, 2021:
On ch9, Spoiler: I have a question. Can you give me some tips for tracing the code flow of the Vectored Exception Handler? Are there any websites or blogs I can refer to?
REbeginner, posted October 3, 2021:
Hi, I've been stuck on CH3 for a really long time. Can someone explain the solution to me in DM please?
layered_design, posted October 4, 2021:
@REbeginner see DM; please don't ask for answers. But you can tell me what you have done so far, and I'll tell you if you're on the right track.
0xccoxcc, posted October 4, 2021 (edited October 4, 2021 by 0xccoxcc):
I'm stuck on Ch7 for a day now and have no idea about "An error occurred. Please close the application and try again."; any tip will be helpful.
kao (author), posted October 4, 2021:
@adicto: no tricks, just pure reverse engineering fun. Spoiler: There are open-source tools to help you parse the specific data format, but the VM itself seems to be totally custom.
@loossy: Spoiler: A VEH handler is just like any other exception handler. Can you give some more details on why you're struggling with it? This is a nice VEH overview, but I'm sure you already know all that: https://dimitrifourny.github.io/2020/06/11/dumping-veh-win10.html
@0xccoxcc: Spoiler: That's a fake error message and means absolutely nothing. Use your disassembler, find suspicious code in the binary and start analyzing it.
pcmcia, posted October 4, 2021 (edited October 4, 2021 by pcmcia):
I need a nudge on ch 5. Can someone DM me? Can I DM someone? Spoiler: I decrypted and deciphered most of the files except for the n*.txt and t*.txt files. The formula and RC4 key don't seem to work for these two types of files. And what's with the 5th char? What is that? Thanks!
Visororia, posted October 4, 2021:
Hi friends, I've managed to make my way (somehow!) onto challenge 7. I think I've found a good direction, but after stumbling into the first obvious landmine, I have some concerns 😅. If someone's willing to DM with me a bit about it, to see if I'm on the right track, I'd be grateful!
kao (author), posted October 4, 2021:
@Visororia: welcome to the forum! There are already 5 pages full of hints, including several about challenge 7. Perhaps this one is the most basic one: https://forum.tuts4you.com/topic/43170-flare-on-8/?do=findComment&comment=210182
In order to keep the game fair, it's best to ask the questions publicly in this thread (use spoiler tags, if necessary). This way everyone has access to the same information. But if you prefer, @Washi and I are available via PMs for rubber ducky debugging. Cheers, kao.
barber, posted October 5, 2021:
Hello all, could someone give me a nudge (maybe better in DM?) on level 6. I am not experienced with pcaps; I have been trying for 4 days to find a start. But even with DuckDuckGo I can't figure out where to begin.
whitesocks, posted October 5, 2021:
Hi everyone, I'm lost on how to start on challenge #6. I found a file in TCP flow 0, but at the end of the flow I see something else and I don't know what it is. Then, I understand there's an exchange between the client and the server in TCP flow 1, but I can't find anything about the signature used in these requests. Any nudge? Thx
ECX, posted October 5, 2021:
Hello again, now I am stuck on CH#7. I found the suspicious code. I have 3 problems. How can I easily analyze the dynamic code in IDA? Right now I am snapshotting to have save points. Is there any magic workflow/plugin/trick to make this task easier? Second question: what kind of task is it, what should I look for? Do I need to input something? Or is the message just hidden somewhere in the dynamic code? Third question: is the domain flare-on.com relevant in this task? Thank you for hints. DM is more than appreciated.
kao (author), posted October 5, 2021:
Quoting ECX (13 minutes ago): "How can I easily analyze the dynamic code in IDA? Right now I am snapshotting to have save points. Is there any magic workflow/plugin/trick to make this task easier?"
I would dump the dynamic code into a file and analyze that. Something like this: https://stackoverflow.com/questions/42744445/how-in-ida-can-save-memory-dump-with-command-or-script + https://medium.com/malware-buddy/reverse-engineering-tips-debugging-shellcode-e821290a7d61 I haven't verified those specific links, but they should give you an idea.
Quoting ECX (20 minutes ago): "Is the domain flare-on.com relevant in this task?"
The subdomain used is a pretty big hint... All FLARE challenges can be solved without an active Internet connection.