This page looks best with JavaScript enabled

Flare-On 8 2021 Challenge 2 Solution - 02_known

Hosted by FireEye's FLARE team from 10 September - 22 October

 ·  ☕ 2 min read  ·  🌚 drome

Thanks drome for sharing his knowledge and skills! He completed all 10 challenges and this series of writeups is done by him :)

Details Links
Official Challenge Site https://flare-on.com/
Official Challenge Announcement https://www.fireeye.com/blog/threat-research/2021/08/announcing-the-eighth-annual-flare-on-challenge.html
Official Solutions https://www.mandiant.com/resources/flare-on-8-challenge-solutions
Official Challenge Binaries http://flare-on.com/files/Flare-On8_Challenges.zip

02_known

We need your help with a ransomware infection that tied up some of our critical files. Good luck.
7-zip password: flare

This challenge contains an executable as well as some encrypted files.

arch     x86
baddr    0x400000
binsz    6144
bintype  pe
canary   false
retguard false
class    PE32
cmp.csum 0x0000b497
compiled Thu Jul 22 19:36:49 2021
crypto   false
endian   little
havecode true
hdr.csum 0x00000000
laddr    0x0
lang     c
linenum  false
lsyms    false
machine  i386
nx       true
os       windows
overlay  false
cc       cdecl
pic      true
relocs   false
signed   false
sanitize false
static   false
stripped false
subsys   Windows CUI
va       true

Analysis

The start function at 401460 prints some text then reads an 8 byte string, then calls sub_401370.
sub_401370 finds all the files in Files with the extension .encrypted, then calls sub_401220 on every file.
sub_401220 reads 8 bytes at a time and then runs sub_4011F0 on each 8 byte block, which is a decryption routine with the following pseudocode

1
2
3
4
5
6
7
8
9
char __cdecl decrypt_4011F0(char *a_ciphertext, char *a_key)
{
  for ( i = 0; i < 8; i++)
  {
    result = __ROL1__(a_key[i] ^ a_ciphertext[i], i) - i;
    a_ciphertext[i] = result;
  }
  return result;
}

We hence need to use the given encrypted files to find the key.
In flarevm.jpg.encrypted, we keep seeing the repeated bytes 4E EF B1 34 32 5D 6B 7A. JPEG files generally contain many null byte blocks. We hence have to find a key that makes that byte block null after decryption

rol(key[i] ^ cipher[i], i) - i = 0
rol(key[i] ^ cipher[i], i)     = i
    key[i] ^ cipher[i]         = ror(i, i)
    key[i]                     = ror(i, i) ^ cipher[i]

We hence use this script to get the key

1
2
3
4
5
6
7
8
enc_key = b'\x4E\xEF\xB1\x34\x32\x5D\x6B\x7A'

def ror(num, n):
    return ((num >> n) | (num << (8-n))) & 0xFF

key = bytes([ror(i, i) ^ k for i, k in enumerate(enc_key)])

print(key)

which gives us the key No1Trust. We run the executable with that key, and find our flag in critical_data.txt

(>0_0)> You_Have_Awakened_Me_Too_Soon_EXE@flare-on.com <(0_0<)

Flag

You_Have_Awakened_Me_Too_Soon_EXE@flare-on.com
Share on