About FLARE 2018

kao

For last few years I'm taking part in the FLARE-ON competition. This year I finished 4th - which is not bad at all. 🙂

Mandatory bragging screen:

Now that the challenge is over, it's fun to read all the solutions. Of course, there are official solutions - they explain what the challenge does and one way how to solve it. Nice but I want more. 🙂
Read More

About FLARE 2017

kao

This was the 3rd time I played Flare-On reverse-engineering contest. And I must say, this year was much nicer than the last. Challenges were more balanced, didn't require insane arcane knowledge and rick-rolling was kept to a reasonable minimum.

As for me - I wasted too much time and effort in challenge #7 and stopped competing at that point. Later I spent few hours every weekend just to finish the entire contest on time.

Mandatory bragging screen:

I'm not planning make full-featured writeups, so here's just an overview of this year's challenges.

#1 - login.html

ROT13, what else?
Time spent: 20 seconds

#2 - IgniteMe.exe

It's XOR. For some reason I kept messing up my answer. I guess I wasn't really awake yet. 😀
Time spent: 30 minutes

#3 - greek_to_me.exe

Bruteforce the correct byte value which will decode valid x86 code which will get you the flag. Simples.
Time spent: 15 minutes

#4 - notepad.exe

The worst challenge in the contest. To decrypt the flag, one must get data from last years challenge files. Self-centered ego masturbation, anyone?
Time spent: 2.5 hours

#5 - pewpewboat.exe

Linux challenge in form of a Battleship game with hardcoded levels. Simple to patch to reveal all ships and equally simple to write a C# decryptor that will decrypt all levels.
Time spent: 2.5 hours

#6 - payload.dll

You get a DLL and then mess with it's exports. Reminded me very much of last year's challenge #4.
Time spent: 2 hours

#7 - zsud.exe

It's a single-player dungeon. You get a native executable that functions also as .NET CLR host and as a web server. It loads a .NET DLL which in turn decrypts PowerShell code. PowerShell code then functions as a web client, sends the player's moves to server, server validates it and sends the result back.

I followed the wrong path and got stuck. I got to the powershell code all too quickly and neglected to look at the process itself. If I had done that, I would have noticed hooked API functions and would not have wasted too much time trying to bruteforce my way through..
Time spent: way too much

#8 - flair.apk

Mandatory Android challenge. It looked like there could be some anti-debug checks but JEB worked just fine. I solved each stage be reimplementing the check in C# and then breaking it.
Time spent: few hours

#9 - remorse.ino.hex

Arduino challenge, that's a first! 🙂 I had to learn AVR assembly, find out how to debug stuff in Atmel Studio 7 and it was a walk in the park from there.

Note to self - IDA's support for Atmega is crap. Atmel Studio kicks ass.
Time spent: few hours

#10 - shell.php

PHP challenge. Boring. It all boils down to obtaining the correct XOR key by making intelligent guesses on how the valid PHP code looks like. Repeat 4 times for extra boredom.
Time spent: few hours

#11 - covfefe.exe

It's a VM. It has one instruction. It self-modifies the code. Very nice! 😀 I solved it by making dynamic disassembler/emulator in C#. Just after solving it, I learned about OISC and subleq in particular..
Time spent: 6-8 hours in total?

#12 - [missing]

This was probably my favorite CTF challenge ever. You get a PCAP and a malware binary. You must decode custom protocol malware uses to communicate with the bad guys and extract all the data from packets. Throw in some dynamic plugins for encryption, compression and commands and you get a whole lot of fun stuff to analyze. Awesome! 😀
Time spent: ~18 hours in total?

About FLARE 2016 contest

kao

This year's FLARE reverse engineering contest is over. I managed to finish it on time - but I really had to force myself to keep going several times. This graph tells it all:
flare2016-progress

You can get all the challenges from the official site (password: flare) and there are already a number of writeups all over the web.

I'm not going to reinvent the wheel, so here's just my take on few of the challenges. 🙂

#1 - Challenge1

Time spent: 9 mins. Not much to say, it's designed to be a warmup.. Custom Base64, that's it.

#2 - DudeLocker

Time spent: 1h 20mins. The buzzword for year 2016 is "ransomware". Every self-respecting reversing challenge has to have one. It was fun and kinda easy for me - but in my opinion it was too hard for level 2.

#3 - unknown

Time spent: 7h 45mins. Since challenge starts at 3AM in Europe, one needs to get some sleep..

As for the task - reverser has to figure out the correct filename from PDB entry and then the challenge becomes solvable. No, it doesn't have anything to do with actual reversing, just a random crap obstacle thrown into your way.

#4 - flareon2016challenge

Time spent: 1h 20mins. "Play me a song, have me play along.." Given a DLL, one must figure out the correct order in which to call exported functions to play a song. Original idea, kinda refreshing.. 🙂

#5 - smokestack

Time spent: 1h 45mins. And, of course, every challenge has to have custom Virtual Machine. This one was just the right difficulty and offering several ways to break it. Nice.

#6 - khaki

Time spent: 2h 20mins. Obfuscated python bytecode. Considering that it was my first time directly patching python bytecode, I enjoyed it a lot. In my opinion, one of the most interesting of challenges this year.

Fun fact - opcode for nop in Python is 0x09.

#7 - hashes

Time spent: 5days 2h 22mins. This is where I got really annoyed and stopped playing.

Not only they throw in a Linux challenge into the mix, they use Go programming language and compile binary in a way that requires libgo.so.7 - which is not available on certain Linux distributions (like Debian).

So, one has to figure out which bloody Linux distribution has support for it, install that in a Virtual Machine, then find a way to install Go language, then fight with SELinux - and all that just to be able to debug the binary provided by challenge. That's just frigging stupid. How hard it is to tell the OS requirements before the challenge starts? >:(

Once I got over my enrage and disgust, it was actually pretty easy. My "solution" generated ~60GB of data files - just because I let my hash generation code run while still analyzing the challenge code.. 😉

#8 - CHIMERA

Time spent: 2h 10mins. The actual check was hidden in the DOS stub. There were some nice hints and neat and clean code, I loved everything about this challenge! 🙂

The fact that I got to boot up my Windows XP virtual machine and use debug.exe - that was just an icing on the cake.

#9 - GUI

Time spent: 1h 35mins. Mandatory .NET assembly thrown in the mix. Apparently FLARE team was running out of ideas, so they just used ConfuserEx. Three times.

To solve it, all you need to know is that DNSpy exists. I have no idea why this challenge was put as #9, difficulty wise it was more appropriate as #3..#5.

#10 - flava

Time spent: 35.5 days. Difficulty: 9, fun factor: 0.

This was just frigging stupid. I know, it's a final challenge. But it required so much of a very specialized knowledge, that it's insane.

First you need to get through 3 layers of JavaScript obfuscation. Hard but doable. Then you'll arrive at some serious crypto. Normal person can't know this is bugged Diffie-Hellman key exchange which was used by Angler exploit kit and got broken by Kaspersky Labs. So, if you're not a crypto wizard or you don't focus on exploit kit research, you're screwed.

Once you figure out this crap, you still have to get through 3 layers of Flash. First SWF is easy but second one is obfuscated and solving involves a lot of guesswork. You're supposed to guess that RC4 key is reused and decrypting other binary data with the same key stream will get you the required values to get to 3rd layer. How you're supposed to figure that one out? Well, just "do some random stuff and hope it works™".

The final layer has slightly obfuscated ActionScript code but nothing JPEXS can't handle. It is there just to generate the answer.

Conclusion

If I compare this year's FLARE with LabyREnth, LabyREnth wins hands down. In my opinion LabyREnth's Windows track was much more fun and tasks were much more reverse engineering related. But that's just my opinion..

I wish to express my deepest gratitude to fellow reversers who kept me going when I got really angry and upset: Extreme Coders, fasya and Levis. Your hints were invaluable, thank you so much!

What’s wrong with this file – ASLR is tricky!

kao

I love magic tricks. My absolute favorites are "there's nothing up my sleeve" kind of tricks. You can look at the equipment, you can examine magicians outfit, everything seems fine - yet the rabbit magically appears and disappears.

Here's a similar reversing challenge for you: https://www.mediafire.com/?38evlc6gmyieskn

This EXE file contains relocations. It has all the necessary necessary flags in PE header. And it gets ASLR support in Windows 10, as you can see in picture:
win10_has_aslr
But on Windows 7/8.1 this poor executable will be always loaded at it's preferred imagebase 0x400000, and doesn't get ASLR support:
win7_no_aslr
Can you figure out what's so special about it? 🙂

I will provide the correct answer in one week. Or you can provide your opinions in comments. Extra respect awarded for detailed answers and explaining how you figured that out. Extra extra respect if you knew the answer even before looking at the executable. 🙂