14 Oct

About FLARE 2017

This was the 3rd time I played Flare-On reverse-engineering contest. And I must say, this year was much nicer than the last. Challenges were more balanced, didn't require insane arcane knowledge and rick-rolling was kept to a reasonable minimum.

As for me - I wasted too much time and effort in challenge #7 and stopped competing at that point. Later I spent few hours every weekend just to finish the entire contest on time.

Mandatory bragging screen:

I'm not planning make full-featured writeups, so here's just an overview of this year's challenges.

#1 - login.html

ROT13, what else?
Time spent: 20 seconds

#2 - IgniteMe.exe

It's XOR. For some reason I kept messing up my answer. I guess I wasn't really awake yet. bigsmile
Time spent: 30 minutes

#3 - greek_to_me.exe

Bruteforce the correct byte value which will decode valid x86 code which will get you the flag. Simples.
Time spent: 15 minutes

#4 - notepad.exe

The worst challenge in the contest. To decrypt the flag, one must get data from last years challenge files. Self-centered ego masturbation, anyone?
Time spent: 2.5 hours

#5 - pewpewboat.exe

Linux challenge in form of a Battleship game with hardcoded levels. Simple to patch to reveal all ships and equally simple to write a C# decryptor that will decrypt all levels.
Time spent: 2.5 hours

#6 - payload.dll

You get a DLL and then mess with it's exports. Reminded me very much of last year's challenge #4.
Time spent: 2 hours

#7 - zsud.exe

It's a single-player dungeon. You get a native executable that functions also as .NET CLR host and as a web server. It loads a .NET DLL which in turn decrypts PowerShell code. PowerShell code then functions as a web client, sends the player's moves to server, server validates it and sends the result back.

I followed the wrong path and got stuck. I got to the powershell code all too quickly and neglected to look at the process itself. If I had done that, I would have noticed hooked API functions and would not have wasted too much time trying to bruteforce my way through..
Time spent: way too much

#8 - flair.apk

Mandatory Android challenge. It looked like there could be some anti-debug checks but JEB worked just fine. I solved each stage be reimplementing the check in C# and then breaking it.
Time spent: few hours

#9 - remorse.ino.hex

Arduino challenge, that's a first! smile I had to learn AVR assembly, find out how to debug stuff in Atmel Studio 7 and it was a walk in the park from there.

Note to self - IDA's support for Atmega is crap. Atmel Studio kicks ass.
Time spent: few hours

#10 - shell.php

PHP challenge. Boring. It all boils down to obtaining the correct XOR key by making intelligent guesses on how the valid PHP code looks like. Repeat 4 times for extra boredom.
Time spent: few hours

#11 - covfefe.exe

It's a VM. It has one instruction. It self-modifies the code. Very nice! bigsmile I solved it by making dynamic disassembler/emulator in C#. Just after solving it, I learned about OISC and subleq in particular..
Time spent: 6-8 hours in total?

#12 - [missing]

This was probably my favorite CTF challenge ever. You get a PCAP and a malware binary. You must decode custom protocol malware uses to communicate with the bad guys and extract all the data from packets. Throw in some dynamic plugins for encryption, compression and commands and you get a whole lot of fun stuff to analyze. Awesome! bigsmile
Time spent: ~18 hours in total?

04 Oct

October update to Molebox unpacker

Thanks to my reader Max I have fixed another bug in the Molebox unpacker.

  • Removed memory leak that caused "out of memory" error when unpacking very large files (1.5GB+)

The usual request

I hope you find this unpacker useful. But if it doesn't work for you, please send me an error report with all the details you can and I'll try to fix it. Have fun!

Download link: https://www.mediafire.com/?pd555sk18yj3wl3
Alternative link: https://mega.nz/#!thYFDCCB!EO5-BQRr_idpJKXm6c_82YrcIEadpXCB7M_tC4cZ7nA