16 Oct

About FLARE 2018

For last few years I'm taking part in the FLARE-ON competition. This year I finished 4th - which is not bad at all. smile

Mandatory bragging screen:

Now that the challenge is over, it's fun to read all the solutions. Of course, there are official solutions - they explain what the challenge does and one way how to solve it. Nice but I want more. smile

Then there are "writeups" which basically say "this is my code that gets the answer". Dude, if that makes your e-penis seem bigger, feel free to twit about it. But I don't care about your code. Really.

What I do care about, is how the challenge can be solved. So, here are few selected challenges and related writeups that actually make sense.

Challenge #2 - minesweeper

I wasted too much time on it, relatively speaking. Whopping 37 minutes, on a challenge #2!

I will blame the fact that I was barely awake at the time. In the end I resorted to editing variables in dnSpy, just like @bruce30262 does in his solution.

Other solutions:
* By @mathmare_ - remove IL that triggers failure.
* By @jared703 - find the correct spots.
* By @Eleemosynator - another "find the correct spots".
* By @bruce30262 - edit variables in dnSpy.

Challenge #5 - webassembly

It was my first real encounter with Webassembly, so I just used Chrome to debug it. Plus wabt just to get a better look at the disassembly. It wasn't that bad in this particular case.

Since I don't really do Linux and gcc, I wasn't able and willing to try WASM-to-C conversion and compilation to x86 code. bigsmile

Other solutions:
* By @ctfhacker #1 - uses Chrome, shows the recompilation as well.
* By @ctfhacker #2 - uses wasabi.

Challenge #6 - solving 666 tasks on Linux

My Linux skills suck and I wasn't able to find a reliable way to pipe output from my solver into the challenge.

So I solved the task like a trained monkey.

This bash crap uses gdb to get current challenge from process memory and feeds it to my C# solver running under Mono. Output from solver gets fed to xclip which puts solution into the clipboard. Then I right-click mouse and paste solution into the challenge window. Repeat 666 times. The entire process takes around 20-30 minutes. Click-click-click-click..

Yes, it's extremely inefficient and braindead stupid - but the result is guaranteed and faster than spending hours trying to learn how to automate Linux tools.

Other solutions:
* By @MrAdz350 - uses Unicorn, pexpect.
* By @crudd40233929 - patches original binary to generate keys, uses pexpect.
* By @0xabc0 - uses Frida.
* By @bruce30262 - uses pwntools to send answers to challenge.
* By @ctfhacker - shows how to use angr. Solver needed 28 hours to finish! bigsmile

Challenge #12 - VM inside the VM

This challenge actually consisted of 2 separate parts - 16-bit bootkit and a nasty VM in the VM. Since it was the final challenge, everyone just focused on breaking the VMs. It's a shame because the bootkit part was extremely nice and deserved much more attention than it actually received.

Until the official solutions came out, I didn't know that Subleq code actually ran another VM! Why? Because my solution was data-flow analysis done with pen and paper. When I finished, it looked like this:

Yes, all 10 pages are from this challenge.

Close-up of one of the pages:

Each row contains a flag that I traced, columns are the "cell indexes" of Subleq VM and values are the values I observed during the run. Plus notes, plus attempts to recover the formula..

Kids, don't try this at home! smile

Other solutions:
* By @bruce30262 - writing 2 disassemblers.
* By @SalimSolid - tracing instruction pointer.
* By @invano #1 - cat'n'grep
* By @invano #2 - disasm + recognize high-level macros.
* By @Dark_Puzzle - snapshotting VMs and bruteforcing chars.

14 Oct 2017

About FLARE 2017

This was the 3rd time I played Flare-On reverse-engineering contest. And I must say, this year was much nicer than the last. Challenges were more balanced, didn't require insane arcane knowledge and rick-rolling was kept to a reasonable minimum.

As for me - I wasted too much time and effort in challenge #7 and stopped competing at that point. Later I spent few hours every weekend just to finish the entire contest on time.

Mandatory bragging screen:

I'm not planning make full-featured writeups, so here's just an overview of this year's challenges.

#1 - login.html

ROT13, what else?
Time spent: 20 seconds

#2 - IgniteMe.exe

It's XOR. For some reason I kept messing up my answer. I guess I wasn't really awake yet. bigsmile
Time spent: 30 minutes

#3 - greek_to_me.exe

Bruteforce the correct byte value which will decode valid x86 code which will get you the flag. Simples.
Time spent: 15 minutes

#4 - notepad.exe

The worst challenge in the contest. To decrypt the flag, one must get data from last years challenge files. Self-centered ego masturbation, anyone?
Time spent: 2.5 hours

#5 - pewpewboat.exe

Linux challenge in form of a Battleship game with hardcoded levels. Simple to patch to reveal all ships and equally simple to write a C# decryptor that will decrypt all levels.
Time spent: 2.5 hours

#6 - payload.dll

You get a DLL and then mess with it's exports. Reminded me very much of last year's challenge #4.
Time spent: 2 hours

#7 - zsud.exe

It's a single-player dungeon. You get a native executable that functions also as .NET CLR host and as a web server. It loads a .NET DLL which in turn decrypts PowerShell code. PowerShell code then functions as a web client, sends the player's moves to server, server validates it and sends the result back.

I followed the wrong path and got stuck. I got to the powershell code all too quickly and neglected to look at the process itself. If I had done that, I would have noticed hooked API functions and would not have wasted too much time trying to bruteforce my way through..
Time spent: way too much

#8 - flair.apk

Mandatory Android challenge. It looked like there could be some anti-debug checks but JEB worked just fine. I solved each stage be reimplementing the check in C# and then breaking it.
Time spent: few hours

#9 - remorse.ino.hex

Arduino challenge, that's a first! smile I had to learn AVR assembly, find out how to debug stuff in Atmel Studio 7 and it was a walk in the park from there.

Note to self - IDA's support for Atmega is crap. Atmel Studio kicks ass.
Time spent: few hours

#10 - shell.php

PHP challenge. Boring. It all boils down to obtaining the correct XOR key by making intelligent guesses on how the valid PHP code looks like. Repeat 4 times for extra boredom.
Time spent: few hours

#11 - covfefe.exe

It's a VM. It has one instruction. It self-modifies the code. Very nice! bigsmile I solved it by making dynamic disassembler/emulator in C#. Just after solving it, I learned about OISC and subleq in particular..
Time spent: 6-8 hours in total?

#12 - [missing]

This was probably my favorite CTF challenge ever. You get a PCAP and a malware binary. You must decode custom protocol malware uses to communicate with the bad guys and extract all the data from packets. Throw in some dynamic plugins for encryption, compression and commands and you get a whole lot of fun stuff to analyze. Awesome! bigsmile
Time spent: ~18 hours in total?

07 Nov 2016

About FLARE 2016 contest

This year's FLARE reverse engineering contest is over. I managed to finish it on time - but I really had to force myself to keep going several times. This graph tells it all:
flare2016-progress

You can get all the challenges from the official site (password: flare) and there are already a number of writeups all over the web.

I'm not going to reinvent the wheel, so here's just my take on few of the challenges. smile

#1 - Challenge1

Time spent: 9 mins. Not much to say, it's designed to be a warmup.. Custom Base64, that's it.

#2 - DudeLocker

Time spent: 1h 20mins. The buzzword for year 2016 is "ransomware". Every self-respecting reversing challenge has to have one. It was fun and kinda easy for me - but in my opinion it was too hard for level 2.

#3 - unknown

Time spent: 7h 45mins. Since challenge starts at 3AM in Europe, one needs to get some sleep..

As for the task - reverser has to figure out the correct filename from PDB entry and then the challenge becomes solvable. No, it doesn't have anything to do with actual reversing, just a random crap obstacle thrown into your way.

#4 - flareon2016challenge

Time spent: 1h 20mins. "Play me a song, have me play along.." Given a DLL, one must figure out the correct order in which to call exported functions to play a song. Original idea, kinda refreshing.. smile

#5 - smokestack

Time spent: 1h 45mins. And, of course, every challenge has to have custom Virtual Machine. This one was just the right difficulty and offering several ways to break it. Nice.

#6 - khaki

Time spent: 2h 20mins. Obfuscated python bytecode. Considering that it was my first time directly patching python bytecode, I enjoyed it a lot. In my opinion, one of the most interesting of challenges this year.

Fun fact - opcode for nop in Python is 0x09.

#7 - hashes

Time spent: 5days 2h 22mins. This is where I got really annoyed and stopped playing.

Not only they throw in a Linux challenge into the mix, they use Go programming language and compile binary in a way that requires libgo.so.7 - which is not available on certain Linux distributions (like Debian).

So, one has to figure out which bloody Linux distribution has support for it, install that in a Virtual Machine, then find a way to install Go language, then fight with SELinux - and all that just to be able to debug the binary provided by challenge. That's just frigging stupid. How hard it is to tell the OS requirements before the challenge starts? angry

Once I got over my enrage and disgust, it was actually pretty easy. My "solution" generated ~60GB of data files - just because I let my hash generation code run while still analyzing the challenge code.. wink

#8 - CHIMERA

Time spent: 2h 10mins. The actual check was hidden in the DOS stub. There were some nice hints and neat and clean code, I loved everything about this challenge! smile

The fact that I got to boot up my Windows XP virtual machine and use debug.exe - that was just an icing on the cake.

#9 - GUI

Time spent: 1h 35mins. Mandatory .NET assembly thrown in the mix. Apparently FLARE team was running out of ideas, so they just used ConfuserEx. Three times.

To solve it, all you need to know is that DNSpy exists. I have no idea why this challenge was put as #9, difficulty wise it was more appropriate as #3..#5.

#10 - flava

Time spent: 35.5 days. Difficulty: 9, fun factor: 0.

This was just frigging stupid. I know, it's a final challenge. But it required so much of a very specialized knowledge, that it's insane.

First you need to get through 3 layers of JavaScript obfuscation. Hard but doable. Then you'll arrive at some serious crypto. Normal person can't know this is bugged Diffie-Hellman key exchange which was used by Angler exploit kit and got broken by Kaspersky Labs. So, if you're not a crypto wizard or you don't focus on exploit kit research, you're screwed.

Once you figure out this crap, you still have to get through 3 layers of Flash. First SWF is easy but second one is obfuscated and solving involves a lot of guesswork. You're supposed to guess that RC4 key is reused and decrypting other binary data with the same key stream will get you the required values to get to 3rd layer. How you're supposed to figure that one out? Well, just "do some random stuff and hope it works™".

The final layer has slightly obfuscated ActionScript code but nothing JPEXS can't handle. It is there just to generate the answer.

Conclusion

If I compare this year's FLARE with LabyREnth, LabyREnth wins hands down. In my opinion LabyREnth's Windows track was much more fun and tasks were much more reverse engineering related. But that's just my opinion..

I wish to express my deepest gratitude to fellow reversers who kept me going when I got really angry and upset: Extreme Coders, fasya and Levis. Your hints were invaluable, thank you so much!