Thanks to drome for sharing his knowledge and skills! He completed all 10 challenges and this series of writeups is done by him :)
| Resource | Link |
| --- | --- |
| Official Challenge Site | https://flare-on.com/ |
| Official Challenge Announcement | https://www.fireeye.com/blog/threat-research/2021/08/announcing-the-eighth-annual-flare-on-challenge.html |
| Official Challenge Binaries | http://flare-on.com/files/Flare-On8_Challenges.zip |
We need your help with a ransomware infection that tied up some of our critical files. Good luck.
This challenge contains an executable as well as some encrypted files.
Binary information:

```
arch     x86
baddr    0x400000
binsz    6144
bintype  pe
canary   false
retguard false
class    PE32
cmp.csum 0x0000b497
compiled Thu Jul 22 19:36:49 2021
crypto   false
endian   little
havecode true
hdr.csum 0x00000000
laddr    0x0
lang     c
linenum  false
lsyms    false
machine  i386
nx       true
os       windows
overlay  false
cc       cdecl
pic      true
relocs   false
signed   false
sanitize false
static   false
stripped false
subsys   Windows CUI
va       true
```
The start function at 401460 prints some text, then reads an 8 byte string and calls sub_401370. sub_401370 finds all the files in Files with the extension .encrypted, then calls sub_401220 on every file. sub_401220 reads 8 bytes at a time and runs sub_4011F0 on each 8 byte block, which is a decryption routine with the following pseudocode
We hence need to use the given encrypted files to find the key. In flarevm.jpg.encrypted, we keep seeing the repeated bytes 4E EF B1 34 32 5D 6B 7A. JPEG files generally contain many blocks of null bytes, so we have to find a key that turns that byte block into nulls after decryption:
```
rol(key[i] ^ cipher[i], i) - i = 0
rol(key[i] ^ cipher[i], i) = i
key[i] ^ cipher[i] = ror(i, i)
key[i] = ror(i, i) ^ cipher[i]
```
We hence use this script to get the key
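The writeup's own script is not reproduced on this page; the following is an added example (not drome's code) that carries the derivation above through in Python. It assumes the decryption routine is plain[i] = rol8(key[i] ^ cipher[i], i) - i, as the derivation implies, and it generalises the zero-block case to any known 8-byte plaintext block; the helper that picks the most frequent block from a ciphertext is also an assumption, since the writeup simply observed the repeat by eye.

```python
from collections import Counter

MASK = 0xFF


def rol8(value: int, count: int) -> int:
    """Rotate an 8-bit value left by count bits (count 0..7)."""
    count %= 8
    return ((value << count) | (value >> (8 - count))) & MASK


def ror8(value: int, count: int) -> int:
    """Rotate an 8-bit value right by count bits (count 0..7)."""
    count %= 8
    return ((value >> count) | (value << (8 - count))) & MASK


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Assumed form of sub_4011F0: plain[i] = rol(key[i] ^ cipher[i], i) - i."""
    return bytes((rol8(key[i] ^ block[i], i) - i) & MASK for i in range(8))


def recover_key(block: bytes, known_plain: bytes = bytes(8)) -> bytes:
    """Solve the decryption equation for the key byte-by-byte.

    rol(key[i] ^ cipher[i], i) - i = plain[i]
      => key[i] = ror(plain[i] + i, i) ^ cipher[i]
    With plain[i] == 0 this is exactly key[i] = ror(i, i) ^ cipher[i].
    """
    return bytes(ror8((known_plain[i] + i) & MASK, i) ^ block[i] for i in range(8))


def most_common_block(data: bytes) -> bytes:
    """Most frequent aligned 8-byte block; for a JPEG this is usually the null block."""
    blocks = [data[i:i + 8] for i in range(0, len(data) - 7, 8)]
    return Counter(blocks).most_common(1)[0][0]


# Repeated block observed in flarevm.jpg.encrypted (value taken from the writeup)
REPEATED_BLOCK = bytes.fromhex("4EEFB134325D6B7A")

if __name__ == "__main__":
    key = recover_key(REPEATED_BLOCK)
    print(key.decode())  # No1Trust
    # Sanity check: the recovered key must decrypt the block to eight nulls
    print(decrypt_block(key, REPEATED_BLOCK) == bytes(8))  # True
```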
which gives us the key No1Trust. We run the executable with that key, and find our flag in
(>0_0)> You_Have_Awakened_Me_Too_Soon_EXE@flare-on.com <(0_0<)