Saturday, December 20, 2014

FLARE - Challenge 1


About:

This is the 1st challenge from FireEye's "FLARE On" challenge (http://flare-on.com/)


Solution:

$ file ./Challenge1.exe
./Challenge1.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly


After running file on the binary and seeing it was a Windows executable written in .NET, I ran it in a Windows VM and was greeted by Bob Ross with a nice painting:



Hitting the DECODE! button makes both the picture and text change:




At this point, I opened up the trial version of Red Gate's .NET Reflector and started going through the decompiled code. The first thing that sticks out is the XXXXXXXXXXX object:


Looking through InitializeComponent(), it looks like this is where the main functionality is implemented.

 You can see that btnDecode_Click() is used to handle the click event, so whatever it is, it's probably relevant:

It looks like some bit-fiddling of the dat_secret resource.


 I took the dat_secret.encode object and wrote a quick python script to walk through the operations in btnDecode_Click():

#!/usr/bin/env python3
#

secret = "\xA1\xB5\x44\x84\x14\xE4\xA1\xB5\xD4\x70\xB4\x91\xB4\x70\xD4\x91\xE4\xC4\x96\xF4\x54\x84\xB5\xC4\x40\x64\x74\x70\xA4\x64\x44"

str1 = str2 = str3 = ""

for i in range(len(secret)):
    num2 = ord(secret[i])
    str1 += chr(((num2 >> 4) | ((num2 << 4) & 240)) ^ 0x29)

str1 += "\0"

for i in range(len(secret)):
    str2 += str1[i + 1] + str1[i]

for i in range(len(str2)):
    ch1 = str2[i]
    str3 += chr(ord(str2[i])^0x66)

print(secret, str1, str2, str3, sep='\n')

When you run this, you get the following output:

$ python3 flare-01.py
¡µD„䡵Ôp´‘´pÔ‘äÄ–ôT„µÄ@dtp¤dD
3rmahg3rd.b0b.d0ge@flare-on.com
r3mramhagh3gr3dr.db.0bb0.bd.0dg0eg@ef@lfalraer-eo-no.nc.ocmom
U

UUHHVVHHVV&&

K K H
f


Looks like one of the intermediate strings (str1) is the target email address!

No comments:

Post a Comment