fl0wer Posted October 23, 2022 Posted October 23, 2022 (edited) Could use some help with challenge 5.. I am rather new to reversing, sorry for the dumb questions here. I am too stuck on ch5. Reveal hidden contents When you guys are decrypting, are you editing the actual binary before execution (through some python script that iterates through the binary)? Or are you decrypting during runtime? It looks like stuff is getting encrypted/obfuscation, but I struggle to find some kind of input key that I can follow to identify what exactly is getting encrypted. First thing I did was to set the time back to June 14th 2022, I did this manually through the Windows systime. I also tried to just set `eax` to `0xF` where the program does a `cmp eax, F` to see if time is right. Both things "works" it seems - gets me out of the long `sleep`. However, when moving forward, I am not sure what and where something gets encrypted - and how I decrypt it. I see where the first base64 encoded string is being created, but I feel I need to figure out what is being base64 encoded in the first place, which I struggle with. The word `ahoy` prefixed by some numbers seems to what's doing a XOR obfuscation, but I am not sure at all. I spent around 8 hours looking at this 😅. I guess I need to read up on encryption/decryption. I learned something new about base64 encoding/decoding - didn't know you could change the scheme's index cipher and it would still be valid base64, pretty cool. Hope someone can help 🙂 Edited October 23, 2022 by fl0wer
Rurik Posted October 23, 2022 Posted October 23, 2022 (edited) Me: "You can be a good reverse engineer without a background in software development and computer science." Me, on challenge 8: "Well, crap ..." Edited October 23, 2022 by Rurik 2
fl0wer Posted October 23, 2022 Posted October 23, 2022 (edited) On 10/23/2022 at 2:08 PM, Rurik said: Me: "You can be a good reverse engineer without a background in software development and computer science." Me, on challenge 8: "Well, crap ..." Expand Pretty jealous you made it that far. Well done! Edited October 23, 2022 by fl0wer
vpn Posted October 24, 2022 Posted October 24, 2022 Hi, could someone give me a hint on ch7 pls? i can predict with math.random but i don't know what to do 'state'??
deepzero Posted October 24, 2022 Posted October 24, 2022 (edited) Reveal hidden contents look into control flow flattening. @vpn Edited October 24, 2022 by deepzero
vpn Posted October 25, 2022 Posted October 25, 2022 On 10/24/2022 at 10:29 AM, deepzero said: Reveal hidden contents look into control flow flattening. @vpn Expand Any more in-depth suggestions?
Extreme Coders Posted October 25, 2022 Posted October 25, 2022 On 10/25/2022 at 10:03 AM, vpn said: Any more in-depth suggestions? Expand Reveal hidden contents Try to convert the code to a linear form - without the loop & switch-case. The value of 'state' at the end of each case is known, so its possible to deduce which case executes next. Alternatively you may just insert an appropriate logging statement within each case to know the execution order. Once the order is known, the statements can be rearranged in a linear form without the switch-case. No special tools are needed. Use of regex, text-manipulation utilities like sed, grep and a decent text editor are enough.
cybercat Posted October 25, 2022 Posted October 25, 2022 (edited) Hi, Regarding the CH8...Does the hash from the based64 commands is crucial for this task? I think i am at the end of this task, but still cannot get any good output to Process.Start. Is this hash calculation is some kind of anti-tamper trick? If someone is willing to help please send me a direct message because i don't know if i got the correct hash. is there any fast method to acquire the correct hash or i need to take all necessary stuff 'manually' by extracting strings and mixing it with those Stackmethod strings. ps. If i could compare my values with someone, please send me a PM. Thank you Edited October 25, 2022 by cybercat
nullul Posted October 25, 2022 Posted October 25, 2022 (edited) On 10/25/2022 at 1:37 PM, Extreme Coders said: Reveal hidden contents Try to convert the code to a linear form - without the loop & switch-case. The value of 'state' at the end of each case is known, so its possible to deduce which case executes next. Alternatively you may just insert an appropriate logging statement within each case to know the execution order. Once the order is known, the statements can be rearranged in a linear form without the switch-case. No special tools are needed. Use of regex, text-manipulation utilities like sed, grep and a decent text editor are enough. Expand Reveal hidden contents sorry I might have missed out something, but for every case, after the `state` is assigned a new value, it goes to back to the beginning of the loop and xor with some random value again, how do you determine it's value? or the random value can somehow be predicted? edit: nvm, I think I know it. anode.exe has some weird behaviour. thank you always~ Edited October 25, 2022 by nullul
Cat4425 Posted October 25, 2022 Posted October 25, 2022 Hello, I stuck on challenge 10 since I cannot even boot up the machine... Reveal hidden contents I've tried to recompile the software to disable checksum check but it doesn't help, could someone advise me how to continue ?
deepzero Posted October 25, 2022 Posted October 25, 2022 @cybercat Reveal hidden contents yes, the hash is used for decryption. there are probably different ways to go about it but the easiest is probably massaging the exe into a state where it is working with the right hashes internally by itself. @fl0wer Reveal hidden contents you are broadly on the right track. keep reversing. the xor encryption you mention might be hashing. @Cat4425 Reveal hidden contents what software did you recompile? probably easiest is to use one of the OS images floating around in the internet.. 1
vpn Posted October 26, 2022 Posted October 26, 2022 On 10/25/2022 at 6:26 PM, nullul said: Reveal hidden contents sorry I might have missed out something, but for every case, after the `state` is assigned a new value, it goes to back to the beginning of the loop and xor with some random value again, how do you determine it's value? or the random value can somehow be predicted? edit: nvm, I think I know it. anode.exe has some weird behaviour. thank you always~ Expand what kind of strange behavior is the anode doing??
regexninja826 Posted October 26, 2022 Posted October 26, 2022 (edited) On 10/6/2022 at 8:14 AM, predat0r said: The bcrypt function is Hashing. So how are we supposed to get the password? I see that the characters inputted as passwords in the command line args are added to the value stored that starts with P^^. the salt is there. But I couldnt get anywhere else. Expand I am in the same place. I am completely bumfuzzled by this challenge. I know the answer is staring me right in the face like the previous 2. I have the password or I think I do. The virtual alloc function is providing the correct result. Now what? I get a crypted output update: yup staring me right tin the face (details matter) lol.. finished Edited October 26, 2022 by regexninja826 update
fl0wer Posted October 26, 2022 Posted October 26, 2022 (edited) Challenge 5 Thank you @deepzero Did someone ever stumple upon a similar CTF-exercise before? I'd really like to solve this one, but I feel I need more experience with encryption, could be nice to try another, similar one, but with some sort of write-up! Reveal hidden contents I feel the exact time is really important, down to the milisecond, am I way off here? I get that hunch because I am looking at a function's input which also calculates with miliseconds: GetLocalTime(&SystemTime); sub_D32015(SystemTime.wMilliseconds + 1000 * (SystemTime.wSecond + 60 * SystemTime.wMinute)); Edited October 26, 2022 by fl0wer
nullul Posted October 26, 2022 Posted October 26, 2022 On 10/26/2022 at 9:04 AM, vpn said: what kind of strange behavior is the anode doing?? Expand Reveal hidden contents hmmm, the Math.random in anode.exe is not actually random, that's all I see..
Rurik Posted October 29, 2022 Posted October 29, 2022 After staring at #9 for a long long time... Reveal hidden contents I get the idea. I've found multiple simplistic implementations in the wild. I've labeled up my code and it's matching what I expect, taking into account the large sized basic maths. I've compared them to known code, and compiled my own to compare the bytecode against. I've read 5 white papers on theorems to find exploits, Chinese Remainder, Shors, Euclidean etc, and reviewed a ton of CTF write-ups for similar attacks (PicoCTF seems to do this often). For us people that don't have math brains to understand literally linear quadratic formulas, is there something that is easy to overlook?
Pon Posted October 29, 2022 Posted October 29, 2022 Hey, I would really appropriate some help with CH8 Reveal hidden contents Till now Im stuck with a very basic understanding of the EXE. The file sends DNS to <random>.flare-on.com When I tried to approach the file using DnSpy, there were that those annoying compilation errors. Looking deeper, I came to a realization that flare_70 & flare_71, are in charge of decryption (or more accurately obfuscation) and execution. So I injected code the mscorlib, that would get me the real IL for each method executed, but that only got me few functions decrypted (flared_66, flared_69, flared_35, flared_47, flared_67, flared_68). Then I tried to injected code that iterate on each method and tries to decrypt it using a copy of flare_71 and the corresponding array&dict but it didn't really work... Some nudge to the right direction will be much appreciated ( or any tool that might make my life easier)
kao Posted October 29, 2022 Posted October 29, 2022 @Rurik Reveal hidden contents On 10/29/2022 at 1:43 PM, Rurik said: I've labeled up my code and it's matching what I expect Expand Recheck your labels. Or your expectations. Hint: you don't need a supercomputer or PhD in applied mathematics to solve it.
milomoli Posted October 30, 2022 Posted October 30, 2022 For chall11 Reveal hidden contents The binary makes a request to a sever with sth looks like base64 encoded But when i decode it there is no interesting stuff in there Can someone give me a hint for next step?
Extreme Coders Posted October 30, 2022 Posted October 30, 2022 @milomoli Reveal hidden contents On 10/30/2022 at 5:05 AM, milomoli said: The binary makes a request to a sever with sth looks like base64 encoded But when i decode it there is no interesting stuff in there Can someone give me a hint for next step? Expand The interesting stuff is encrypted and base64 encoded just before making the request.
Rurik Posted October 30, 2022 Posted October 30, 2022 On 10/29/2022 at 3:38 PM, kao said: Reveal hidden contents Recheck your labels. Or your expectations. Hint: you don't need a supercomputer or PhD in applied mathematics to solve it. Expand @kaothank you. You were right. Reveal hidden contents I edited the numbers in memory to be easier to track by sight and I got them confused.
kao Posted October 31, 2022 Posted October 31, 2022 @Rurik: congratulations on finishing FLARE! Are you planning to publish your solutions once the competition is over?
Rurik Posted October 31, 2022 Posted October 31, 2022 @kaoI haven't done a proper writeup in years. And most of my attempts haven't been very novel. I also force myself to revert snapshots so that I'm not tempted to do a full writeup But, I have fun with my horrible methods to get answers. Which includes #2, #10, and most definitely #11 (which took about 5 mins of effort and was way dirtier than the dirty method). I may get a few up. I don't think I've done a lulz writeup since writing an Excel spreadsheet to do x86 rotate / xchg / xor decryption for me. 2
milomoli Posted November 2, 2022 Posted November 2, 2022 On 10/31/2022 at 9:12 PM, Rurik said: @kaoI haven't done a proper writeup in years. And most of my attempts haven't been very novel. I also force myself to revert snapshots so that I'm not tempted to do a full writeup But, I have fun with my horrible methods to get answers. Which includes #2, #10, and most definitely #11 (which took about 5 mins of effort and was way dirtier than the dirty method). I may get a few up. I don't think I've done a lulz writeup since writing an Excel spreadsheet to do x86 rotate / xchg / xor decryption for me. Expand can i have a hint for chall11 pls? how can you solve that in such a short time ??
Rurik Posted November 2, 2022 Posted November 2, 2022 (edited) On 11/2/2022 at 2:23 PM, milomoli said: can i have a hint for chall11 pls? how can you solve that in such a short time ?? Expand Reveal hidden contents Just do the basics of malware analysis. Work on it like a Junior Analyst No reverse engineering required. Edited November 2, 2022 by Rurik
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now