Thanks drome for sharing his knowledge and skills! He completed all 10 challenges and this series of writeups is done by him :)
Details | Links |
---|---|
Official Challenge Site | https://flare-on.com/ |
Official Challenge Announcement | https://www.fireeye.com/blog/threat-research/2021/08/announcing-the-eighth-annual-flare-on-challenge.html |
Official Solutions | https://www.mandiant.com/resources/flare-on-8-challenge-solutions |
Official Challenge Binaries | http://flare-on.com/files/Flare-On8_Challenges.zip |
02_known
We need your help with a ransomware infection that tied up some of our critical files. Good luck.
7-zip password:flare
This challenge contains an executable as well as some encrypted files.
arch x86
baddr 0x400000
binsz 6144
bintype pe
canary false
retguard false
class PE32
cmp.csum 0x0000b497
compiled Thu Jul 22 19:36:49 2021
crypto false
endian little
havecode true
hdr.csum 0x00000000
laddr 0x0
lang c
linenum false
lsyms false
machine i386
nx true
os windows
overlay false
cc cdecl
pic true
relocs false
signed false
sanitize false
static false
stripped false
subsys Windows CUI
va true
Analysis
The start
function at 401460
prints some text then reads an 8 byte string, then calls sub_401370
.
sub_401370
finds all the files in Files
with the extension .encrypted
, then calls sub_401220
on every file.
sub_401220
reads 8 bytes at a time and then runs sub_4011F0
on each 8 byte block, which is a decryption routine with the following pseudocode
|
|
We hence need to use the given encrypted files to find the key.
In flarevm.jpg.encrypted
, we keep seeing the repeated bytes 4E EF B1 34 32 5D 6B 7A
. JPEG files generally contain many null byte blocks. We hence have to find a key that makes that byte block null after decryption
rol(key[i] ^ cipher[i], i) - i = 0
rol(key[i] ^ cipher[i], i) = i
key[i] ^ cipher[i] = ror(i, i)
key[i] = ror(i, i) ^ cipher[i]
We hence use this script to get the key
|
|
which gives us the key No1Trust
. We run the executable with that key, and find our flag in critical_data.txt
(>0_0)> You_Have_Awakened_Me_Too_Soon_EXE@flare-on.com <(0_0<)
Flag
You_Have_Awakened_Me_Too_Soon_EXE@flare-on.com