Saturday, August 27, 2016

FLARE On 2015 - Challenge 7


About:


This is the 7th challenge from FireEye's 2015 "FLARE On" challenge (http://flare-on.com/).


Solution:

Our prompt this time looks like this:



When I was initially working through these challenges during the contest, this was the one I failed out on.

The obfuscation they used here is really nasty, and you can see it below:




Fortunately, this time I'm going to use de4dot to attempt to deobfuscate the code:



Scanning through the cleaned code, ns2's Class3 looks like the best bet for where the application logic resides. 

We can see it starts out with a few byte arrays:



... and ends with some interesting logic:



So from this, we can guess "bytes" is our "Warning!" message, "bytes2" is our prompt for the correct password, "text" is the value we type in, and "b" is some combination of other values (and is the value our text needs to match in order to succeed...).

Let's take a closer look at smethod_0:



Looks like an XOR loop! We know the raw bytes passed in are (31,100,116,97,0,84,69,21,115,97,109,29,79,68,21,104,115,104,21,84,78) and the key is generated from Class3.smethod_2().

So this is good. We know that the data we pass into the prompt has to be equal to (byte_2 xor Class3.smethod_2()) + '_' + Class3.smethod_3().

Can we invoke these functions directly from PowerShell? Turns out yes, you can.
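
The steps described here (call smethod_2 and smethod_3 by reflection, XOR the byte array, join with '_'), as an added PowerShell example that is not the code from the original post. The assembly path is a placeholder, and the return types of the two methods and a key that wraps modulo its length are assumptions.

```powershell
# Added example. The path is a placeholder, not a value from the post.
$path = 'C:\path\to\challenge-cleaned.exe'

# Load the assembly into the current PowerShell session.
$asm = [System.Reflection.Assembly]::LoadFile($path)

# ns2.Class3 is the name de4dot assigned. The methods may be non-public,
# so look them up with explicit binding flags.
$type  = $asm.GetType('ns2.Class3', $true)
$flags = [System.Reflection.BindingFlags]'Static,Public,NonPublic'

function Invoke-Static([string]$Name) {
    $m = $type.GetMethod($Name, $flags)
    if (-not $m) { throw "method $Name not found on $($type.FullName)" }
    return $m.Invoke($null, $null)   # static, parameterless call
}

$key    = Invoke-Static 'smethod_2'
$suffix = Invoke-Static 'smethod_3'  # assumption: returns a string

# Assumption: the key comes back as a string or as bytes; normalise to bytes.
if ($key -is [string]) { $key = [System.Text.Encoding]::ASCII.GetBytes($key) }

# The raw bytes listed in the post.
[byte[]]$data = 31,100,116,97,0,84,69,21,115,97,109,29,79,68,21,104,115,104,21,84,78

# XOR each data byte with the key (assumption: key index wraps modulo key length).
$out = for ($i = 0; $i -lt $data.Length; $i++) {
    [byte]($data[$i] -bxor $key[$i % $key.Length])
}

# (bytes xor smethod_2()) + '_' + smethod_3()
$password = [System.Text.Encoding]::ASCII.GetString([byte[]]$out) + '_' + $suffix
$password
```

If either method derives its value from the assembly's own metadata, a de4dot-cleaned copy can return different values than the original binary.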




So now we have everything we need. After doing the XOR computation, string concatenation, and entering the resulting value in the prompt, we get this:



Woo hoo!
