Flare-on 2022 - in a tweet + images
Flare-on is a yearly competition that focuses on reverse engineering. In 2022 we could compete in the 9th edition solving 11 challenges. Here's a really, really short version how we could approach and solve them.
Flare-on is a yearly competition that focuses on reverse engineering. In 2022 we could compete in the 9th edition solving 11 challenges. Here's a really, really short version how we could approach and solve them.
01 - Flaredle
Wordle + 21 letters words? JS Wordle app and the flag is among the allowed entries.
Use RegEx
to find matching words, grep for flare
to win or check the code to find the winning entry...
02 - Pixel Poker
Decompile the binary and find an interesting function (0x4012c0
- WinProc).
X = int(FLAR) % 741, Y = int(E-On) % 641
Correct point: (95,313). Click that pixel to get the flag. #flareon9
03 - Magic 8 Ball
Shake in the following order "LLURULDUL" (FUN_004024e0
) and type 'gimme flag pls?' (FUN_00401e50
). Get the flag.
04 - darn_mice
Locate interesting values inside FUN_401000
. That input and your input is added byte by byte to produce valid code and executed.
Try the simplest code there is to get correctly executed and return -> ret (0xC3)
,
get the valid input -> "see three, C3 C3 C3 C3 C3 C3 C3! XD".
Use it and get the flag.
05 - T8
C++ binary with vtables? No problem. We are also given PCAP file where we can see requests being made.
Patch the Sleep
, function that makes the request is FUN_403D70
.
The first data is F09 with a number, is hashed with MD5
and used as a key for RC4
to encrypt ahoy
. And since we know the correct output from PCAP we can find the correct number by checking full range (110950
- 0x2eae
).
We can write our server that replay the answers from the PCAP file and follow the code and following the code.
06 - à la mode
Is it .NET binary? Is it native? How about both! Opening in dnSpy shows some code, but Ghidra looks also interesting. It decodes string, finds functions and use them to connect to pipe in a new thread.
Write native binary that load the dll, follow the code and at FUN_10001000
decrypts the phrase "MyV0ice!" and later at FUN_10001187
decrypts the flag.
07 - anode
Modified Node.JS binary that runs the embedded script. Script can be extracted from the process memory.
It has obfuscated flow and heavy use of calls to Random. Binary has fixed random values and modified boolean logic. The place where
SEED for random is set inside FUN_140832ee0
, dump the results for if's (couldn't find where that change is done in code).
Follow control flow and generate operations via python script, reverse, execute them -> flag
08 - backdoor
Heavily obfuscated .NET binary. dnSpy can't decompile certain methods.
Deobfuscate binary with use of the code from the binary, Mono.Cecil and extract Flared_XX methods.
Understand that binary gets commands via DNS name resolution. Cook your own DNS server and feed data in correct order. Decrypts the image with the flag from one of the sections in the binary.
09 - encryptor
ChaCha20 + RSA with e = 65537^-1 mod ϕ(n)
. n & c - given. Since we encrypt with 65537^-1
, our d
is 65537
. It was so obvious yet hidden in plain sight.
Decrypt RSA and get the key and nonce for ChaCha20, decrypt ChaCha20, grab the flag.
10 - Nur geträumt
Setup the tooling.
Use pre-installed tools to find resource with the flag also the decodeFlag
function (FUN_000E964C
).
Use known part of the flag @flare-on.com
to find part of the key.
Know all Nena songs and find the rest of the key. Spent 15 minutes wondering about umlaut. Find the message in the resources to drop it.
Solve the challenge.
11 - The challenge that shall not be named.
Extract files from exe using pyinstextractor
(https://github.com/extremecoders-re/pyinstxtractor) -> uncompyle6
- stumble on pyarmor
. Nothing seems to work.
Binary quickly closes when run so can't really play with it. Run wireshark - see the evil domain.
Set it up with DNS from chall 8. Now the binary works for a bit longer. Inject python with pyinjector
(https://github.com/call-042PE/PyInjector). Dump the _pyi_main_co
Summary
8th the hardest, as there was a lot of code to process. 11 was a bit of a bummer. 10 was fun but the most difficult part was to setup the tooling ;). Need more crypto knowledge as it took me way too much time on 9th.
See you next year.