Thursday, August 25, 2016

FLARE On 2015 - Challenge 3


This is the 3rd challenge from FireEye's 2015 "FLARE On" challenge (


This one looks a little different from the first two.

This time we're given a single executable file that, given the icon, looks like it may be derived from a python file using something like py2exe:

Let's see what happens when we run it.... Looks like a picture pops up like this:

So it's not immediately clear what this gets us, but let's go ahead and see if there's a way to recover the original source code if it was indeed made from Python code.

I decided to use pyinstallerextractor, which confirmed it was derived from some Python 2.7 code:

Now let's take a look through the extracted code....

The file that immediately stuck out was "elfie", which looks like more obfuscated Python code:

Thousands and thousands of lines.... until finally:

Ok, let's see if we change the "exec()" call to a print() and dump the results to a new file:
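The exec-to-print swap above works for one layer; the same idea can be automated so that every exec() call is captured rather than run, peeling nested layers one at a time. This is an added example, not the author's script or the challenge's code: the obfuscated sample (INNER, LAYER1, SAMPLE) is constructed here, and it assumes the obfuscated layers parse as Python 3 syntax.

```python
import ast
import base64
import zlib

# Constructed stand-in for an obfuscated file like "elfie": the real code is
# wrapped in decode pipelines and handed to exec(). Not the challenge's data.
INNER = "greeting = 'hello from the hidden layer'\nHINT = 'constructed-value'\n"
LAYER1 = "import base64, zlib\nexec(zlib.decompress(base64.b64decode({!r})).decode())\n".format(
    base64.b64encode(zlib.compress(INNER.encode())).decode())
SAMPLE = "import base64\nexec(base64.b64decode({!r}).decode()[::-1])\n".format(
    base64.b64encode(LAYER1[::-1].encode()).decode())


class ExecToCapture(ast.NodeTransformer):
    """Rewrite every exec(...) call so its argument is recorded, not executed."""

    def __init__(self):
        self.found = False

    def visit_Call(self, node):
        self.generic_visit(node)
        if isinstance(node.func, ast.Name) and node.func.id == "exec":
            node.func = ast.Name(id="__capture__", ctx=ast.Load())
            self.found = True
        return node


def peel_exec_layers(source, max_layers=10):
    """Return the successive payloads that each layer would have exec()'d.

    The decode pipeline of a layer still runs (that is what turns the blob
    back into source), but the decoded payload is only captured. A layer with
    no exec() call is the final plaintext and is never executed.
    """
    layers, current = [], source
    for _ in range(max_layers):
        if isinstance(current, bytes):
            current = current.decode()
        rewriter = ExecToCapture()
        tree = ast.fix_missing_locations(rewriter.visit(ast.parse(current)))
        if not rewriter.found:
            break
        captured = []
        namespace = {"__capture__": lambda code, *a, **k: captured.append(code)}
        exec(compile(tree, "<layer>", "exec"), namespace)
        if not captured:
            break  # exec() was present but never reached on this path
        current = captured[0]
        layers.append(current)
    return layers


if __name__ == "__main__":
    for i, layer in enumerate(peel_exec_layers(SAMPLE), 1):
        print(f"--- layer {i} ---\n{layer}")
```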

Looks pretty good.... wait what's this?

Woo hoo!
