Flare-on 1
Flare-on 2014
Last updated
The file was built for .NET 2.0 (based on the mscorlib import). That will matter later when choosing a tool to analyze it in; I use DotPeek for this.
Execute the file to see what happens:
Also, it requires downloading .NET 2.0 or 3.0 if your computer doesn't have it.
Continue in DotPeek to understand what this challenge file is doing:
After looking around, start from the main() function and move to this:
Look at the decode button being drawn on the screen with button.text = "DECODE"; and a handler attached to this button with button.Click += new EventHandler(this.btnDecode_Click); My suggestion in this case is to look for the method btnDecode_Click, which displays:
The data comes from: byte[] datSecret = Resources.dat_secret;
-> so we need to find this data and apply the same XOR math to recover the message when decoding.
dat_secret is loaded from this resource file -> so save it out of the assembly:
Now do the basic math step by step from this. The flow here is Decode -> Encode -> print to the screen, so we take the first step (the decode) to recover the data we need:
Solution 2: Fastest way (using Process Hacker)
Run the challenge file and click the DECODE button, then open Process Hacker:
Then open Strings -> Search -> click OK
Now we can filter the strings -> search for the keyword flare to see what contains it:
And I got the flag:
This challenge contains one PNG file and one HTML file.
So let's take a look at the HTML
Now move on to the .png file
When I open it with HxD, I see some PHP in here; take it out to see it more clearly:
Fix the code to execute (eval -> print)
Edit it and get this when executing the new code:
Got this:
Let's decode this message. I will use Python for this step and get a nice-looking text message
Continue by replacing DOT, DASH ... in the message to make it clearer:
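The DOT/DASH replacement and the Morse decode that follows it, as an added Python example (not the write-up's own script). The token layout is an assumption made for the constructed sample: the tokens of one letter are written back to back, letters are separated by spaces and words by " / ".

```python
import re

# Standard International Morse table (letters and digits).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}


def words_to_morse(text):
    """Rewrite the spelled-out DOT/DASH form into '.' and '-' symbols.

    Only the words DOT and DASH are touched, so the separators between
    letters (spaces) and words (' / ') survive unchanged.
    """
    return re.sub(r"DOT|DASH",
                  lambda m: "." if m.group() == "DOT" else "-",
                  text.upper())


def decode_morse(morse):
    """Decode '.'/'-' groups: letters split on whitespace, words on '/'.
    Unknown groups come out as '?' instead of raising."""
    out = []
    for word in morse.split("/"):
        out.append("".join(MORSE.get(sym, "?") for sym in word.split()))
    return " ".join(out)


def decode_dot_dash(text):
    return decode_morse(words_to_morse(text))


# Constructed sample in the assumed layout; not the challenge's real message.
SAMPLE = "DOTDOTDOTDOT DOTDOT / DASHDASHDASH DASHDOTDASH"

if __name__ == "__main__":
    print(decode_dot_dash(SAMPLE))  # HI OK
```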
Take a look at the file type:
Open this file in IDA to see what it has:
It calls sub_401000, which looks interesting: 0x401000 is the beginning of the code section, and commonly that is where the user-written functions start.
So let's move to it:
Skip past this and look at the end:
That shows the binary calling the location of the first byte moved onto the stack -> we need to handle the shellcode at this point, so set a breakpoint at call eax
-> set it before the shellcode is called (the program needs to run to catch it).
I will debug this with x32dbg:
Set a breakpoint and step through this loop:
Also saw the first string used as the decryption key in the XOR math: nopasaurus
Continue stepping through this loop by setting a breakpoint past it:
At this point the XOR looks the same, so we can skip through the math and move to the call instruction to retrieve the flag
Got this message:
Follow EBX in the hex dump:
The second way: (using Process Hacker)
Again, do the same as in Challenge 1: execute the file, then open Process Hacker -> search for strings:
I have dealt with malicious PDF analysis before (my previous article), so let's move on to REMnux for the best tool for malicious PDF analysis: peepdf
-> it dumps information about the PDF file, also in JSON format
Next use extract with js to extract the JavaScript code contained in the file:
Of all the code above, just look at unescape("%u72f9%u.....
because this looks like the shellcode -> move on to convert it into something that can execute
Deobfuscating might help make the code easier to read:
The shellcode that needs converting is in string_3
Set a variable to test this first -> try converting it to hex, then look at how it executes; after that we can move on to dynamic analysis
See some message here:
There is a tool called shellcode2exe to turn this code into an executable file
Save the code to another file
And use shellcode2exe with it:
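The conversion step above (unescape("%u...") string to a raw shellcode file for shellcode2exe), as an added Python example that is not part of the original write-up. The %u72f9 unit is the one quoted on the page; the rest of the sample is constructed filler, not the challenge's real shellcode.

```python
import re


def unescape_to_bytes(js_string):
    """Convert the argument of a JavaScript unescape() call into raw bytes.

    %uXXXX is a 16-bit code unit; in memory the low byte comes first, so
    "%u72f9" becomes the bytes f9 72.  %XX is a single byte.  Text that is
    not an escape sequence is an error rather than being silently skipped.
    """
    out = bytearray()
    pos = 0
    for m in re.finditer(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", js_string):
        if m.start() != pos:
            raise ValueError("unexpected text at offset %d: %r"
                             % (pos, js_string[pos:m.start()]))
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    if pos != len(js_string):
        raise ValueError("trailing text at offset %d: %r"
                         % (pos, js_string[pos:]))
    return bytes(out)


def hexdump(data, width=16):
    """Return hexdump lines so the bytes can be eyeballed before disassembly."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-*s  %s" % (off, width * 3 - 1, hexpart, asc))
    return lines


# Constructed sample: first unit as seen on the page, the rest is filler.
SAMPLE = "%u72f9%u4142%u9090"

if __name__ == "__main__":
    sc = unescape_to_bytes(SAMPLE)
    print("\n".join(hexdump(sc)))
    with open("shellcode.bin", "wb") as f:  # input file for shellcode2exe
        f.write(sc)
```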
After this I open it in IDA to view the code in assembly and see how it works:
XOR math again: each pushed value is XORed with the previous one, so it is easy now (we can also stay static by XORing each value outside and decoding from hex to get the flag).
It's a PE32 executable again, for Windows
View in Pe-studio:
Start at DLLMain():
Moving around, I get to the function sub_10009EB0, where I find a loop that looks very large
Press Space to view as text -> this makes it easier to look up; here I found the API GetAsyncKeyState, which sounds like keylogger behavior (or press F5 to view the pseudocode)
I will move on to analyze it on Flare VM
Start from sub_1001240(), where the Flare message is printed out and the key m is caught
Use X (cross-references) to show where dword_100194FC is set:
It is set to 0 in _cfltcvt_init() (note this function for later) and in sub_10009AF0, and to 1 in sub_10009B60
Let's have a look at _cfltcvt_init(); this looks like a flow of letters, so let's find where each of these is set
Continuing with dword_100194FC: it is set by the o key:
Okay, let's move on to check the others until we know how every dword variable in the function _cfltcvt_init() is set:
Right above this is dword_100194F8:
It is set to 1 by c in sub_1009850
To go faster we can go to the function _cfltcvt_init and check the references of each dword
After finding all the key assignments, I note them down and see this message:
Transcribe it and get the flag (note that the letter m needs to be added at the end)
C:\Windows\System32\svchost.dll