Breaking the world, one application at a time
For last few years I'm taking part in the FLARE-ON competition. This year I finished 4th - which is not bad at all. π
Mandatory bragging screen:
Now that the challenge is over, it's fun to read all the solutions. Of course, there are official solutions - they explain what the challenge does and one way how to solve it. Nice but I want more. π
Read More
This was the 3rd time I played Flare-On reverse-engineering contest. And I must say, this year was much nicer than the last. Challenges were more balanced, didn't require insane arcane knowledge and rick-rolling was kept to a reasonable minimum.
As for me - I wasted too much time and effort in challenge #7 and stopped competing at that point. Later I spent few hours every weekend just to finish the entire contest on time.
Mandatory bragging screen:
I'm not planning make full-featured writeups, so here's just an overview of this year's challenges.
ROT13, what else?
Time spent: 20 seconds
It's XOR. For some reason I kept messing up my answer. I guess I wasn't really awake yet. π
Time spent: 30 minutes
Bruteforce the correct byte value which will decode valid x86 code which will get you the flag. Simples.
Time spent: 15 minutes
The worst challenge in the contest. To decrypt the flag, one must get data from last years challenge files. Self-centered ego masturbation, anyone?
Time spent: 2.5 hours
Linux challenge in form of a Battleship game with hardcoded levels. Simple to patch to reveal all ships and equally simple to write a C# decryptor that will decrypt all levels.
Time spent: 2.5 hours
You get a DLL and then mess with it's exports. Reminded me very much of last year's challenge #4.
Time spent: 2 hours
It's a single-player dungeon. You get a native executable that functions also as .NET CLR host and as a web server. It loads a .NET DLL which in turn decrypts PowerShell code. PowerShell code then functions as a web client, sends the player's moves to server, server validates it and sends the result back.
I followed the wrong path and got stuck. I got to the powershell code all too quickly and neglected to look at the process itself. If I had done that, I would have noticed hooked API functions and would not have wasted too much time trying to bruteforce my way through..
Time spent: way too much
Mandatory Android challenge. It looked like there could be some anti-debug checks but JEB worked just fine. I solved each stage be reimplementing the check in C# and then breaking it.
Time spent: few hours
Arduino challenge, that's a first! π I had to learn AVR assembly, find out how to debug stuff in Atmel Studio 7 and it was a walk in the park from there.
Note to self - IDA's support for Atmega is crap. Atmel Studio kicks ass.
Time spent: few hours
PHP challenge. Boring. It all boils down to obtaining the correct XOR key by making intelligent guesses on how the valid PHP code looks like. Repeat 4 times for extra boredom.
Time spent: few hours
It's a VM. It has one instruction. It self-modifies the code. Very nice! π I solved it by making dynamic disassembler/emulator in C#. Just after solving it, I learned about OISC and subleq in particular..
Time spent: 6-8 hours in total?
This was probably my favorite CTF challenge ever. You get a PCAP and a malware binary. You must decode custom protocol malware uses to communicate with the bad guys and extract all the data from packets. Throw in some dynamic plugins for encryption, compression and commands and you get a whole lot of fun stuff to analyze. Awesome! π
Time spent: ~18 hours in total?
This year's FLARE reverse engineering contest is over. I managed to finish it on time - but I really had to force myself to keep going several times. This graph tells it all:
You can get all the challenges from the official site (password: flare) and there are already a number of writeups all over the web.
I'm not going to reinvent the wheel, so here's just my take on few of the challenges. π
Time spent: 9 mins. Not much to say, it's designed to be a warmup.. Custom Base64, that's it.
Time spent: 1h 20mins. The buzzword for year 2016 is "ransomware". Every self-respecting reversing challenge has to have one. It was fun and kinda easy for me - but in my opinion it was too hard for level 2.
Time spent: 7h 45mins. Since challenge starts at 3AM in Europe, one needs to get some sleep..
As for the task - reverser has to figure out the correct filename from PDB entry and then the challenge becomes solvable. No, it doesn't have anything to do with actual reversing, just a random crap obstacle thrown into your way.
Time spent: 1h 20mins. "Play me a song, have me play along.." Given a DLL, one must figure out the correct order in which to call exported functions to play a song. Original idea, kinda refreshing.. π
Time spent: 1h 45mins. And, of course, every challenge has to have custom Virtual Machine. This one was just the right difficulty and offering several ways to break it. Nice.
Time spent: 2h 20mins. Obfuscated python bytecode. Considering that it was my first time directly patching python bytecode, I enjoyed it a lot. In my opinion, one of the most interesting of challenges this year.
Fun fact - opcode for nop in Python is 0x09.
Time spent: 5days 2h 22mins. This is where I got really annoyed and stopped playing.
Not only they throw in a Linux challenge into the mix, they use Go programming language and compile binary in a way that requires libgo.so.7 - which is not available on certain Linux distributions (like Debian).
So, one has to figure out which bloody Linux distribution has support for it, install that in a Virtual Machine, then find a way to install Go language, then fight with SELinux - and all that just to be able to debug the binary provided by challenge. That's just frigging stupid. How hard it is to tell the OS requirements before the challenge starts? >:(
Once I got over my enrage and disgust, it was actually pretty easy. My "solution" generated ~60GB of data files - just because I let my hash generation code run while still analyzing the challenge code.. π
Time spent: 2h 10mins. The actual check was hidden in the DOS stub. There were some nice hints and neat and clean code, I loved everything about this challenge! π
The fact that I got to boot up my Windows XP virtual machine and use debug.exe - that was just an icing on the cake.
Time spent: 1h 35mins. Mandatory .NET assembly thrown in the mix. Apparently FLARE team was running out of ideas, so they just used ConfuserEx. Three times.
To solve it, all you need to know is that DNSpy exists. I have no idea why this challenge was put as #9, difficulty wise it was more appropriate as #3..#5.
Time spent: 35.5 days. Difficulty: 9, fun factor: 0.
This was just frigging stupid. I know, it's a final challenge. But it required so much of a very specialized knowledge, that it's insane.
First you need to get through 3 layers of JavaScript obfuscation. Hard but doable. Then you'll arrive at some serious crypto. Normal person can't know this is bugged Diffie-Hellman key exchange which was used by Angler exploit kit and got broken by Kaspersky Labs. So, if you're not a crypto wizard or you don't focus on exploit kit research, you're screwed.
Once you figure out this crap, you still have to get through 3 layers of Flash. First SWF is easy but second one is obfuscated and solving involves a lot of guesswork. You're supposed to guess that RC4 key is reused and decrypting other binary data with the same key stream will get you the required values to get to 3rd layer. How you're supposed to figure that one out? Well, just "do some random stuff and hope it works™".
The final layer has slightly obfuscated ActionScript code but nothing JPEXS can't handle. It is there just to generate the answer.
If I compare this year's FLARE with LabyREnth, LabyREnth wins hands down. In my opinion LabyREnth's Windows track was much more fun and tasks were much more reverse engineering related. But that's just my opinion..
I wish to express my deepest gratitude to fellow reversers who kept me going when I got really angry and upset: Extreme Coders, fasya and Levis. Your hints were invaluable, thank you so much!
Last Friday authors of Dotfuscator made quite an interesting blogpost, claiming that reverse engineering applications in USA is becoming a legal means for acquiring intellectual property, thanks to the Defend Trade Secrets Act of 2016.
I am not a lawyer, and such statements coming from authors of obfuscator should be taken with a grain of salt - but it's an interesting read nevertheless. What's your take on that?
Every other days or two a new guy appears at Tuts4You asking "I want to learn Reverse Engineering, where do I start?".
Hmmm...
There are lots of suggestions, eg. in this Reddit thread. One of the most common recommendation is to with Lena151's tutorials. And there's a good reason for that - these tutorials give a good overview of most common tasks, most common tools and provide "instant gratification". But do they actually teach you Reverse Engineering? I don't think so.
Apparently I'm not the only one who thinks so:
I have been thinking about why this happens. Thinking back to myself, I started learning reverse engineering by reading the Lena151 tutorials. I thought they were awesome until Daeken told me that was an awful approach to learn reverse engineering.
At first I didnβt understand why they were so bad. After all, Lenaβs tutorials had taught me how to crack my first software.
And that's exactly the problem. You managed to crack your first software. Instant gratification! But what did you actually learn? Run some common tools, find the "bad boy jump" and patch it? Wow! You must be so l33t!
In reality, these tutorials have produced entire generation of wanna-be-crackers who can only use ready-made tools, but are actually unable to think for themselves. For every problem they need a video tutorial. For every small obstacle they create a new topic asking for help.
And that's only half of the problem.
Albert Einstein once said:
The more I learn, the more I realize how much I don't know.
Beginners who watched Lena151's series don't realize that. They cracked their first program and they consider themselves to be reversers. And what's even worse, they try to spread their "knowledge" by making an incredible amount of incredibly crappy video "tutorials" to be watched by next generation of wannabes.
I've actually watched a 15 minute movie titled "How to unpack CryptoObfuscator". You know how? You drag-and-drop the file on de4dot. Yes, that simple. Yes, someone made 15 minute movie to teach you that.
ReverseWithMe blog suggests to learn:
I don't think this is the correct approach either.
It's like learning a foreign language by reading a dictionary. Start with an "a", and once you finish with "z", you'll know all the words. Maybe. But you won't be able to make a proper sentence, let alone speak or understand a native speaker.
To put it into context: I've been reversing .NET executables for 10 years now. I've written unpackers for pretty much every .NET protection there is. And yet I still don't know IL assembly "by heart". Why? Because I don't need to. What's the mnemonic for "branch-if-equal"? Is it be, beq or bre? Does it pop one or two arguments from stack? I don't know. If I'll ever need that, the answer is one Google search away.
Yes, to be a great reverser, you will need to master most of those items. But you don't need to know all that at the start of your journey.
Well, start with Lena151's tutorials. Yes, I said they are not good, but that's the best there is. And if you follow few extra advices, you'll do just fine: