Flare-On 2019 solutions/notes (upd. 11.02)
I'm well aware that there are multiple write-ups presenting the 2019 Flare-On solutions, but I've decided to provide my own for two reasons. Firstly, to have notes I can easily find in the future. Secondly, some of my solutions were non-standard, so they might be useful to other reversers in other cases, not only to me.
So here are my notes for the 11 tasks I solved in the 2019 edition of the Flare-On challenge (the post will be updated as I publish the recordings):
Memecat battlestation
Notes: .NET binary with 3 stages; the 2nd stage uses a simple XOR, the 3rd stage uses RC4
Tools: dnSpy, python for decoding the RC4-encrypted message of stage 3
Tags: dnSpy, RC4, .net, encryption
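A minimal RC4 decoder of the kind used for stage 3, added here as an example (it is not the script from the original post). The key and ciphertext are a constructed, widely published test vector (key "Key", plaintext "Plaintext"), not the challenge's data:

```python
# Added example, not the post's own script: RC4 (KSA + PRGA) in pure Python.
# KNOWN_KEY / KNOWN_CIPHERTEXT are a constructed test vector, not challenge data.

def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes for the given key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Key-scheduling algorithm: permute S[0..255] under control of the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: keep swapping and emit S[S[i]+S[j]].
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: the same call both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Constructed test vector (key "Key", plaintext "Plaintext"); the expected
# ciphertext is the well-known value BBF316E8D940AF0AD3.
KNOWN_KEY = b"Key"
KNOWN_CIPHERTEXT = bytes.fromhex("BBF316E8D940AF0AD3")


def decode_stage3(key: bytes = KNOWN_KEY, blob: bytes = KNOWN_CIPHERTEXT) -> str:
    """Decrypt an RC4 blob with the recovered key and return it as text."""
    return rc4(key, blob).decode("ascii", errors="replace")


if __name__ == "__main__":
    print(decode_stage3())
```

When porting the key out of a .NET decompilation, check which Encoding.GetBytes call produced the key bytes: Encoding.Unicode (UTF-16) doubles the key length with interleaved zero bytes and yields a completely different keystream than Encoding.UTF8 or ASCII.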
Overlong
Notes: binary with a simple decoding routine that only decodes part of the data
Tools: Ghidra, x32dbg
Tags: ghidra, x32dbg, encryption
Flarebear
Notes: Android APK (Java) using the less common cipher string AES/CBC/PKCS7Padding via Bouncy Castle (the stock JCE provider only knows this padding as PKCS5Padding)
Tools: java decompiler, text editor
Tags: java, bouncy castle, aes, cbc, PKCS7Padding
Dnschess
Notes: pcap with DNS requests and responses, plus a binary with a shared object that implements the logic behind the requests.
Tools: wireshark, ghidra, python
Tags: wireshark, ghidra, reversing, reverse engineering, DNS, pcap
demo
Notes: 3D app; dump the model data from the running process and import it into Blender
Tools: x32dbg, python, blender
Tags: 3d, x32dbg, python, blender
bmphide
Notes: .NET application that encrypts some data and stores it inside an image. Some interesting runtime code modifications to hinder analysis.
Tools: dnspy, python
Tags: steganography, dnspy
wopr
Notes: python script converted to/hidden inside an exe; solving XOR equations with z3 plus dumping some process data with python
Tools: python, Process Hacker
Tags: z3, python, Process Hacker, md5
snake
Notes: NES game (6502 code) analyzed in Ghidra and run in the FCEUX emulator.
Tools: ghidra, fceux
Tags: 6502, ghidra, nes, game, snake, emulation
reloaderd
Notes: program that breaks Ghidra's disassembly: the static listing differs from the code that actually runs
Tools: Ida 7 Free, x32dbg, python
Tags: ida, python, x32dbg
MugatuWare
Notes: malware with broken imports; XTEA is used to encrypt GIF files.
Tools: Ghidra, x32dbg, python
Tags: mugatu, xtea
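XTEA in Python together with the check a practitioner wants when a sample encrypts GIF files: use the fixed GIF header as known plaintext to validate a candidate key. This is an added example, not the post's script and not the sample's code. Assumptions (not taken from the post): standard 32-round XTEA, big-endian 32-bit words (to match the published all-zero test vector; real samples often use little-endian words, so set `endian="<"` to match the sample), plain ECB over 8-byte blocks, and a constructed GIF-like header as the sample input:

```python
# Added example, not the post's or the malware's code: XTEA block cipher plus a
# GIF known-plaintext key check. Word order, rounds and ECB mode are assumptions.
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
GIF_MAGICS = (b"GIF87a", b"GIF89a")


def _mix(x: int, s: int, kk: int) -> int:
    """One XTEA Feistel term: (((x<<4) ^ (x>>5)) + x) ^ (sum + key[idx])."""
    return (((((x << 4) & MASK) ^ (x >> 5)) + x) ^ (s + kk)) & MASK


def xtea_encrypt_block(block: bytes, key: bytes, rounds: int = 32, endian: str = ">") -> bytes:
    k = struct.unpack(endian + "4I", key)
    v0, v1 = struct.unpack(endian + "2I", block)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + _mix(v1, s, k[s & 3])) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + _mix(v0, s, k[(s >> 11) & 3])) & MASK
    return struct.pack(endian + "2I", v0, v1)


def xtea_decrypt_block(block: bytes, key: bytes, rounds: int = 32, endian: str = ">") -> bytes:
    k = struct.unpack(endian + "4I", key)
    v0, v1 = struct.unpack(endian + "2I", block)
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - _mix(v0, s, k[(s >> 11) & 3])) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - _mix(v1, s, k[s & 3])) & MASK
    return struct.pack(endian + "2I", v0, v1)


def xtea_ecb(data: bytes, key: bytes, decrypt: bool, endian: str = ">") -> bytes:
    """ECB over whole 8-byte blocks; a trailing partial block is left untouched (assumption)."""
    fn = xtea_decrypt_block if decrypt else xtea_encrypt_block
    full = len(data) - len(data) % 8
    out = b"".join(fn(data[i:i + 8], key, endian=endian) for i in range(0, full, 8))
    return out + data[full:]


def key_recovers_gif(ciphertext: bytes, key: bytes, endian: str = ">") -> bool:
    """Known-plaintext check: only the first block is needed to accept or reject a key."""
    return xtea_decrypt_block(ciphertext[:8], key, endian=endian)[:6] in GIF_MAGICS


def find_key(ciphertext: bytes, candidates, endian: str = ">"):
    """Return the first candidate key whose decryption starts with a GIF header, else None."""
    for key in candidates:
        if key_recovers_gif(ciphertext, key, endian=endian):
            return key
    return None


# Constructed sample: a GIF89a header (6 magic bytes + 2-byte width) and a few
# candidate keys, one of which is the real one. Not challenge data.
SAMPLE_KEY = bytes(range(16))
SAMPLE_GIF = b"GIF89a" + struct.pack("<H", 64) + b"\x00" * 8
SAMPLE_CIPHERTEXT = xtea_ecb(SAMPLE_GIF, SAMPLE_KEY, decrypt=False)
CANDIDATES = [b"\x00" * 16, b"\xff" * 16, SAMPLE_KEY, b"A" * 16]

if __name__ == "__main__":
    print("recovered key:", find_key(SAMPLE_CIPHERTEXT, CANDIDATES).hex())
    print(xtea_ecb(SAMPLE_CIPHERTEXT, SAMPLE_KEY, decrypt=True))
```

The header check is cheap because it decrypts a single block per candidate, so it scales to large key spaces (every candidate tried before the whole file is touched), and it fails fast on a wrong word order: if a known-good sample key does not recover the magic, flip `endian` before suspecting the key itself.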
vv_max
Notes: VM implemented with AVX instructions, solved by modelling it as a complex z3 equation
Tools: ghidra, python, x64dbg, z3
Tags: ghidra, avx, virtual machine, vm