For last few years I'm taking part in the FLARE-ON competition. This year I finished 4th - which is not bad at all. smile
Now that the challenge is over, it's fun to read all the solutions. Of course, there are official solutions - they explain what the challenge does and one way how to solve it. Nice but I want more. smile
This was the 3rd time I played Flare-On reverse-engineering contest. And I must say, this year was much nicer than the last. Challenges were more balanced, didn't require insane arcane knowledge and rick-rolling was kept to a reasonable minimum.
As for me - I wasted too much time and effort in challenge #7 and stopped competing at that point. Later I spent few hours every weekend just to finish the entire contest on time.
I'm not planning make full-featured writeups, so here's just an overview of this year's challenges.
#1 - login.html
ROT13, what else?
Time spent: 20 seconds
#2 - IgniteMe.exe
It's XOR. For some reason I kept messing up my answer. I guess I wasn't really awake yet. bigsmile
Time spent: 30 minutes
#3 - greek_to_me.exe
Bruteforce the correct byte value which will decode valid x86 code which will get you the flag. Simples.
Time spent: 15 minutes
#4 - notepad.exe
The worst challenge in the contest. To decrypt the flag, one must get data from last years challenge files. Self-centered ego masturbation, anyone?
Time spent: 2.5 hours
#5 - pewpewboat.exe
Linux challenge in form of a Battleship game with hardcoded levels. Simple to patch to reveal all ships and equally simple to write a C# decryptor that will decrypt all levels.
Time spent: 2.5 hours
#6 - payload.dll
You get a DLL and then mess with it's exports. Reminded me very much of last year's challenge #4.
Time spent: 2 hours
#7 - zsud.exe
It's a single-player dungeon. You get a native executable that functions also as .NET CLR host and as a web server. It loads a .NET DLL which in turn decrypts PowerShell code. PowerShell code then functions as a web client, sends the player's moves to server, server validates it and sends the result back.
I followed the wrong path and got stuck. I got to the powershell code all too quickly and neglected to look at the process itself. If I had done that, I would have noticed hooked API functions and would not have wasted too much time trying to bruteforce my way through..
Time spent: way too much
#8 - flair.apk
Mandatory Android challenge. It looked like there could be some anti-debug checks but JEB worked just fine. I solved each stage be reimplementing the check in C# and then breaking it.
Time spent: few hours
#9 - remorse.ino.hex
Arduino challenge, that's a first! smile I had to learn AVR assembly, find out how to debug stuff in Atmel Studio 7 and it was a walk in the park from there.
Note to self - IDA's support for Atmega is crap. Atmel Studio kicks ass.
Time spent: few hours
#10 - shell.php
PHP challenge. Boring. It all boils down to obtaining the correct XOR key by making intelligent guesses on how the valid PHP code looks like. Repeat 4 times for extra boredom.
Time spent: few hours
#11 - covfefe.exe
It's a VM. It has one instruction. It self-modifies the code. Very nice! bigsmile I solved it by making dynamic disassembler/emulator in C#. Just after solving it, I learned about OISC and subleq in particular..
Time spent: 6-8 hours in total?
#12 - [missing]
This was probably my favorite CTF challenge ever. You get a PCAP and a malware binary. You must decode custom protocol malware uses to communicate with the bad guys and extract all the data from packets. Throw in some dynamic plugins for encryption, compression and commands and you get a whole lot of fun stuff to analyze. Awesome! bigsmile
Time spent: ~18 hours in total?
The Flare-On 2016 challenge ended almost 6 months ago and just today I received the coveted police-style badge.. That must be some sort of a record! smile
I'm not going to reinvent the wheel, so here's just my take on few of the challenges. smile
#1 - Challenge1
Time spent: 9 mins. Not much to say, it's designed to be a warmup.. Custom Base64, that's it.
#2 - DudeLocker
Time spent: 1h 20mins. The buzzword for year 2016 is "ransomware". Every self-respecting reversing challenge has to have one. It was fun and kinda easy for me - but in my opinion it was too hard for level 2.
#3 - unknown
Time spent: 7h 45mins. Since challenge starts at 3AM in Europe, one needs to get some sleep..
As for the task - reverser has to figure out the correct filename from PDB entry and then the challenge becomes solvable. No, it doesn't have anything to do with actual reversing, just a random crap obstacle thrown into your way.
#4 - flareon2016challenge
Time spent: 1h 20mins. "Play me a song, have me play along.." Given a DLL, one must figure out the correct order in which to call exported functions to play a song. Original idea, kinda refreshing.. smile
#5 - smokestack
Time spent: 1h 45mins. And, of course, every challenge has to have custom Virtual Machine. This one was just the right difficulty and offering several ways to break it. Nice.
#6 - khaki
Time spent: 2h 20mins. Obfuscated python bytecode. Considering that it was my first time directly patching python bytecode, I enjoyed it a lot. In my opinion, one of the most interesting of challenges this year.
Fun fact - opcode for nop in Python is 0x09.
#7 - hashes
Time spent: 5days 2h 22mins. This is where I got really annoyed and stopped playing.
Not only they throw in a Linux challenge into the mix, they use Go programming language and compile binary in a way that requires libgo.so.7 - which is not available on certain Linux distributions (like Debian).
So, one has to figure out which bloody Linux distribution has support for it, install that in a Virtual Machine, then find a way to install Go language, then fight with SELinux - and all that just to be able to debug the binary provided by challenge. That's just frigging stupid. How hard it is to tell the OS requirements before the challenge starts? angry
Once I got over my enrage and disgust, it was actually pretty easy. My "solution" generated ~60GB of data files - just because I let my hash generation code run while still analyzing the challenge code.. wink
#8 - CHIMERA
Time spent: 2h 10mins. The actual check was hidden in the DOS stub. There were some nice hints and neat and clean code, I loved everything about this challenge! smile
The fact that I got to boot up my Windows XP virtual machine and use debug.exe - that was just an icing on the cake.
#9 - GUI
Time spent: 1h 35mins. Mandatory .NET assembly thrown in the mix. Apparently FLARE team was running out of ideas, so they just used ConfuserEx. Three times.
To solve it, all you need to know is that DNSpy exists. I have no idea why this challenge was put as #9, difficulty wise it was more appropriate as #3..#5.
#10 - flava
Time spent: 35.5 days. Difficulty: 9, fun factor: 0.
This was just frigging stupid. I know, it's a final challenge. But it required so much of a very specialized knowledge, that it's insane.
Once you figure out this crap, you still have to get through 3 layers of Flash. First SWF is easy but second one is obfuscated and solving involves a lot of guesswork. You're supposed to guess that RC4 key is reused and decrypting other binary data with the same key stream will get you the required values to get to 3rd layer. How you're supposed to figure that one out? Well, just "do some random stuff and hope it works™".
The final layer has slightly obfuscated ActionScript code but nothing JPEXS can't handle. It is there just to generate the answer.
If I compare this year's FLARE with LabyREnth, LabyREnth wins hands down. In my opinion LabyREnth's Windows track was much more fun and tasks were much more reverse engineering related. But that's just my opinion..
I wish to express my deepest gratitude to fellow reversers who kept me going when I got really angry and upset: Extreme Coders, fasya and Levis. Your hints were invaluable, thank you so much!