Flare-On 2019 solutions/notes (upd. 11.02)

I'm well aware that there are multiple write-ups presenting solutions to the 2019 Flare-On challenges, but I've decided to provide my own for two reasons. Firstly, to have notes I can easily find in the future. Secondly, I think some of my solutions were non-standard, so they might be useful in other cases for other reversers, not only for me.

So here are my notes for the 11 tasks I solved in the 2019 edition of the Flare-On challenge (the post will be updated as I publish the recordings):

Memecat battlestation

Notes: .NET binary with 3 stages; the 2nd stage uses a simple XOR, the 3rd stage RC4.

Tools used: dnSpy, Python for decrypting the RC4-encrypted message in stage 3
Tags: dnSpy, RC4, .net, encryption

Overlong

Notes: binary with a simple encryption algorithm that decodes only part of the data.
Tools: Ghidra, x32dbg
Tags: ghidra, x32dbg, encryption

Flarebear

Notes: Java APK with a non-standard AES encryption scheme (AES/CBC/PKCS7Padding).
Tools: java decompiler, text editor
Tags: java, bouncy castle, aes, cbc, PKCS7Padding

Dnschess

Notes: pcap with DNS requests and responses; a binary with a shared object explains the logic behind the requests.
Tools: wireshark, ghidra, python
Tags: wireshark, ghidra, reversing, reverse engineering, DNS, pcap

demo

Notes: 3D app; dump the data and import it into Blender.
Tools: x32dbg, python, blender
Tags: 3d, x32dbg, python, blender

bmphide

Notes: .NET application that encrypts some data and stores it inside an image. Some interesting runtime code modifications to prevent analysis.
Tools: dnspy, python
Tags: steganography, dnspy

wopr

Notes: Python script converted to/hidden inside an exe; solving XOR equations with z3 plus dumping some process data with Python.
Tools: python, Process Hacker
Tags: z3, python, Process Hacker, md5

snake

Notes: SNES game analyzed in Ghidra and run in the FCEUX emulator.
Tools: ghidra, fceux
Tags: 6502, ghidra, nes, snes, game, snake, emulation

reloadered

Notes: program that breaks Ghidra's disassembly; the static disassembly differs from what actually runs.
Tools: IDA 7 Free, x32dbg, python
Tags: ida, python, x32dbg

Mugatu

Notes: malware with broken imports; XTEA is used as the algorithm to encrypt GIF files.
Tools: Ghidra, x32dbg, python
Tags: mugatu, xtea

vv_max

Notes: VM solved by building a complex z3 equation.
Tools: ghidra, python, x64dbg, z3
Tags: ghidra, avx, virtual machine, vm