Thursday, August 25, 2016

FLARE On 2015 - Challenge 1


This is the 1st challenge from FireEye's 2015 "FLARE On" challenge (

I'll be writing up solutions to last year's challenges as a way to prep for the 2016 challenges, coming out (hopefully) soon :)


Opening up the first challenge .exe in IDA, the functionality looks quite simple:

So this doesn't look too bad. It prompts for a password, copies the string to memory, runs a loop over it (xor decryption?), and then decides if "You are failure" or if "You are success".

Given that it's such an early level, it seems definitely possible it's just that simple.

Let's look at the section of memory that's used in or XOR loop:

Hmm ok this looks pretty good.... definitely seems plausible it's just ciphertext that's been xor'd with the value 0x7B.

Let's write a quick Python script to un-xor the raw bytes:

Woohoo! Looks like we're all done :)

No comments:

Post a Comment