Tuts 4 You

Flare-On 9


Washi


On 10/3/2022 at 2:30 PM, Aeri said:
Spoiler

Patching may not be the right approach. Bruteforcing is definitely not the right approach. Maybe what you've patched is acting as a way to check if the password is correct ... Take the time to understand what you've patched. It's here for a reason.

 

The bcrypt function is hashing. So how are we supposed to get the password? I see that the characters input as the password in the command line args are added to the stored value that starts with P^^. The salt is there. But I couldn't get anywhere else.


3 hours ago, predat0r said:

The bcrypt function is hashing. So how are we supposed to get the password? I see that the characters input as the password in the command line args are added to the stored value that starts with P^^. The salt is there. But I couldn't get anywhere else.

I'm looking at challenge 4 too. I didn't know how to solve challenge 3 because I was just trying to get the flag without understanding ... but once you 'relax' and take time, you'll be able to make progress. I know it's boring to proceed step by step, but this is the way... so tomorrow maybe I'll see what I can do, because I am tired now and can't focus :p
Good luck


1 hour ago, w00she said:

I'm looking at challenge 4 too. I didn't know how to solve challenge 3 because I was just trying to get the flag without understanding ... but once you 'relax' and take time, you'll be able to make progress. I know it's boring to proceed step by step, but this is the way... so tomorrow maybe I'll see what I can do, because I am tired now and can't focus 😛
Good luck

Yes, I did it already :)


Is anyone willing to offer some guidance for challenge 8?

Spoiler

I've figured out how to decrypt the flared_* functions but I don't know how to resolve the tokens. When I try to extract the flared_* bytecode dynamically all the tokens are wrong...

 

Edited by btmc

[Edit] Removing post.

Challenge 5 is very straight forward and I struggled with one aspect. But it was all because I kept confusing the conversion of the data. Py3 makes that a PITA :)

Edited by Rurik

Please help with challenge 5; I've been struggling for many hours. Below are the steps I did.

Spoiler

1. Patched the initial time, to make the executable work for communication.

2. Created a fake C2 and sent the response which I got from the shared pcap file.

3. I even changed the request as well, just to simulate that the request and response are accurate as shown in the pcap.

The executable is not decrypting the data :( and on the 2nd communication the application crashes.

 

Edited by Rishi

@Rishi: could you please use spoiler tags? :)

Spoiler


1 hour ago, Rishi said:

I even changed the request as well

Do you know why your request was not matching the pcap? 

 


3 hours ago, kao said:

@Rishi: could you please use spoiler tags? :)

Spoiler

Do you know why your request was not matching the pcap?

No, I'm trying to figure it out using Ghidra; however, I seem lost.


For challenge 8

Spoiler

Do we have to do something else for the decrypted functions?
For example, in flared_38, one of the instructions is like this:

FLARE02.flare_03((string)/*Error near IL_0037: Stack underflow*/)

which doesn't make sense and will error out. It looks like it's trying to cast something into a string, but the actual variable is lost.

 


Hello everyone,

I am stuck with CH7.

Can someone point me in right direction... is something wrong with my setup?

Spoiler

I have a script, but it does not work correctly... I have problems with the BigInts. Do I need a specific version or setting to be able to debug it correctly?

What tool do you use? My problem is that the code does not loop inside main because of problems with integers. I mean those messages.

Thank you for suggestions.

 


Any hint on how to get the DynamicMethods in ch 8 dumped in a way that they can be disassembled/decompiled? There are so many tools out there, but nothing seems to fit the bill. 


10 hours ago, kao said:

@adicto:

Spoiler

that most likely means you did not decrypt the function correctly.

@kao

Spoiler

I didn't actually decrypt it but got it from the setcode bytes; would that give me the wrong bytes?

 


@Rishi I have a question about challenge 5

Spoiler

How did you patch the initial time to the correct time? (I can patch it to skip stuff, but the decryption won't work.)
I've managed to find the minutes, milliseconds and seconds for the rand seed, but not the specific date needed to stop the sleep.
I tried to reproduce the code using Python, but it doesn't seem to work.

 


Spoiler

Would anyone be kind enough to suggest tools to translate raw bytes to IL code for ch8? I've looked into Mono.Cecil, but it requires a lot of other stuff on top of the actual bytes that I think I don't have access to.

 


I have a question about ch07.

 

Spoiler

I figured out how the switch statement of javascript is executed.
However, there are too many formulas and the amount of change in the values is not constant.
It seems like it would take too much time to implement the code as it is.

Is there any way to efficiently analyze or reduce these formulas?
Are there any websites I can refer to?

 


Extreme Coders
27 minutes ago, loossy said:

I have a question about ch07.

Spoiler

Once you unflatten the execution flow (i.e. removing the switch case) you would be left only with the calculations in a linear form in the proper order.
Plus for easier analysis you can always inject your own JS to be run in the context of the provided node runtime to get the above execution order :) .

 

@er3zoid

Spoiler

There's AsmResolver and dnlib, but reading a disassembly of raw CIL bytes won't make much sense without resolving the token references.
For a manual approach you can always use dnSpy to construct a method out of the IL bytes and disassemble/decompile it in place.

 

Edited by Extreme Coders
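The unflattening Extreme Coders describes above, as an added example that is not from the thread or from the challenge: a constructed switch-dispatcher function whose next state is computed arithmetically, a tracer that injects a Proxy as the state object to record every dispatcher transition (the "inject your own JS" idea), and a step that splices the case bodies back into linear order. The function, state values and case bodies are all constructed for illustration.

```javascript
// Constructed flattened function (not the challenge's code): each case is a
// straight-line calculation and the dispatcher's next state is derived
// arithmetically, the way control-flow flattening obfuscators emit it.
function flattenedCalc(a, s = { state: 4, x: 0, y: 0 }) {
  for (;;) {
    switch (s.state) {
      case 4: s.x = a + 7;      s.state = (s.state * 7 + 3) % 5; break; // -> 1
      case 1: s.x = s.x * 2;    s.state = (s.state * 7 + 3) % 5; break; // -> 0
      case 0: s.y = s.x ^ 0x5a; s.state = (s.state * 7 + 3) % 5; break; // -> 3
      case 3: return s.y - 1;
      default: throw new Error("unexpected dispatcher state " + s.state);
    }
  }
}

// Injected tracer: hand the dispatcher a Proxy as its state object so every
// assignment to `state` is logged. This yields the real case order without
// working out the next-state arithmetic by hand.
function traceDispatch(fn, arg, initial) {
  const visits = [initial.state];
  const proxy = new Proxy({ ...initial }, {
    set(target, key, value) {
      if (key === "state") visits.push(value);
      target[key] = value;
      return true;
    },
  });
  return { result: fn(arg, proxy), visits };
}

// Case bodies as they would be copied from the beautified source; with the
// visit order known, the flattened function becomes a linear listing.
const caseBodies = {
  4: "x = a + 7",
  1: "x = x * 2",
  0: "y = x ^ 0x5a",
  3: "return y - 1",
};

function unflatten(visits) {
  return visits.map((state) => {
    if (!(state in caseBodies)) throw new Error("no case for state " + state);
    return caseBodies[state];
  });
}

// Example run with constructed input a = 5: visits [4, 1, 0, 3], result 65.
const trace = traceDispatch(flattenedCalc, 5, { state: 4, x: 0, y: 0 });
console.log(trace.result, trace.visits, unflatten(trace.visits));
```

For a dispatcher that loops, the visit list simply grows; compare it against the case table to spot the back-edge before splicing.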

Also working on ch8 and would appreciate any assistance.

Spoiler

I've decoded a bunch of the flare_* functions and I'm following the execution of the program but I haven't found the network functions and I'm getting really lost and I think I need a slight hint.

 

