Tuesday, 20 October 2015

FireEye Flare Challenge 2 (2015) Solutions


This year's Flare challenge was lengthier and tougher than the last year's. Some android challenges were also included which give a chance to experience mobile reversing for people like me who never had the chance to explore that side. Anyways lets get started.


Challenge 1:

Challenge 1 exe (Flare-On_start_2015.exe) is 64 bit executable which is actually an EULA (End User License Agreement). Upon accepting the agreement challenge binary with the name of i_am_happy_you_are_to_playing_the_flareon_challenge.exe is extracted. This challenge can be solved by two ways, one, the easy one, by decompiling and the other by reversing. I always choose the hard way in initial challenges because it helps in furher challenges.

Here are the steps:

  1. open the binary with ollydbg/immunity 
  2. right click in the main thread and click search for and  all referenced strings
  3. Click "Lets start with easy. Enter password". It will open assembly.
  4. Insert a breakpoint on call to kernel32.ReadFile some lines below
  5. enter some garbage string, press enter. It will stop at breakpoint. press F8
  6. You can see the XOR AL, 7D instruction. 7D is the key
  7. Now xored byte will be compared one by one in the memory in next instruction. It means if we just XOR this data with 7D, we will have our key. For this i have written a python script which prints the key after xoring.




Here is the script:

bytes="1F08131304220E114D0D183D1B111C0F18501213531E1210"
j=0
email=''
while j < len(bytes):
try:
email+=chr(int(bytes[j:j+2],16) ^ 0x7D)
j+=2

except:
j+=2
pass
print email


Challenge 2:

 Challenge 2 is on the same footing as challenge1 but a bit harder.  Same steps can be followed to reach at the password matching block.
Algorithm:
char+=previuos
char & 03
rotate (ah) left with anded result of above
xor your input with C7
add above result with ah+carry
compare usinf scos in reverse





Following script replicates the above algorithm, key is found using bruteforce :)

def print_in_reverse(bytes):
a=[]
j=0
while j < len(bytes):
a.append(bytes[j:j+2])
j+=2
x=len(a)
b=''
while(x!=0):
b+=a[x-1]
x-=1
return b
def ROL(data, shift,size):
    shift %= size
    remains = data >> (size - shift)
    body = (data << shift) - (remains << size )
    return (body + remains)


#  get data in reverse
bytes="AFAAADEBAEAAECA4BAAFAEAA8AC0A7B0BC9ABAA5A5BAAFB89DB8F9AE9DABB4BCB6B3909AA8"

j=0
r=''
a=[]
bx=0x0000
add=0
key=0x00
result=''
bytes=print_in_reverse(bytes)
while j < len(bytes):
anded=bx & 0x03
add=0
add=ROL(1, anded,8)+1
found =False
key=0x00
while(found==False):
if (int(key ^ 0xC7)+add) == int(bytes[j:j+2],16):
found=True
result+=chr(key)
else:
pass
key+=1

bx+=int(bytes[j:j+2],16)
j+=2
print result 


Challenge 3:

Challenge 3 looks annoying in the beginning but if you investiagate the memory and strings, you will realize that its the easiest one. Strings investigation by pestudio did not reveal anything useful, except lot of garbage as exe has been created by QT framework. When i started to see some base64 strings and other code structures in dump, i became interested in memory dumps rather than strings.

elfie.exe creates another process so opening it in debugger won't do any good. Run the elfie.exe and attach the debugger with the process whose window name is "Look inside! you can ..."

Steps:

  1. Go to View -> Executable Modules. Select QtGUI4
  2. Click M (memory dump) in the task bar 
  3. Search for "import base64". Memory dump shows the concatenation of base64 strings which will be decoded and executed, see the below images


image 3.1

image 3.2

     4. Save this file (right click and backup ->save data to file) with py (c3.py in below example) extension, after removing junk code above and below the dump. Run this command and you will have the code for this binary saved to c3.txt


 image 3.3

5. Email string is printed in reverse, as in below image


image 3.4

Challenge 4:


As soon as you check the file attributes of youpecks using PE exploerer or some other tools, you will realize that the bnary is UPX packed and name suggests too. In my test i could not get around it by unpacking by upx (exception occured right after execution). So, you have to manually unpack and reverse it. If you use Ollydbg 2, it will automatically stop at the OEP (original entry) and let you analyze the rest cleanly.
Without argemunets binary terminated early, so i tried with an argument. I must say i was lucky to see the email in plain after some analysis. Put a breakpoint on memcpy functions and see the data being copied, email will be there after copying some base64 strings. Later i figured that if you provide "16" as argument, email is printed after 2 + 2 = 4.


Challenge 5:


This challenge is little interesting than the previous ones. A pcap is given that contains the encoded data captured on the wire, we have to find the key with which it was encoded using the suspected binary sender.exe which is sending this data. Here are the steps to solve it:
  1. open the pcap in wireshark
  2. apply filter "http". Every packet contains the four bytes string. Save this data for later use
  3.  Open the binary "sender.exe" with ollydbg or with your favorite debugger. It requires a file with the name "key.txt", from which binary reads the keys and encodes it. So, create a file in the working directory with the name key.txt and write any junk data in this file.
  4. First of all every character of the key is added with "flarebearstare" string  as shown in the following image
  5. Then an algorithm encodes the data and later this data is sent. Here is the little snap of the assembly code where key is being encoded. Here is my understanding of algorithm

       
                            C5.2
c5.4


C5.5 Algorithm 

alphanumerals='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/='
for all keys:
key_data+="flarebearstare"
while(read key_data):
array[2]=3 bytes from key
checkbit or whatever=array[2]&0x3f (position) in alphanumerals
first_char=array[0] >> 0x12 anded with 0x3f (position) in alphanumerals
second_char=array[1] >> 0x0c anded with 0x3f (position) in  alphanumerals
first_char=array[2] >> 0x06 anded with 0x3f (position) in  alphanumerals
sent_data+=first_char+second_char+third_charcheckbit



I have written a python script which takes the pcap data and reverses it into the key. Here is the script:
    
                
#!/usr/bin/python
addent="flarebearstare"
#encoded string retrieved from pcap
result="UDYs1D7bNmdE1o3g5ms1V6RrYCVvODJF1DpxKTxAJ9xuZW==" 
str='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/='
def position(chr):
x=False
pos=0
while x!=True:
if(pos<len(str)):
if(str[pos]==chr):
x=True
return pos
pos+=1

def iterator(data): # reversing function
i=0
key=''
b=0
shift=0x12
k=0
pos=position(data[3:4]) #position of encoded chars in string
end=pos&0x3f # checksum 4th byte of each encoded string
tmp=0
while b!=3:
pos=position(data[b:b+1])
k=(pos&0x3f)
if shift == 0x12:
key=hex(k)[2:4]
tmp=int(key,16)<<shift
if shift == 0x0c:
key=hex(k)[2:4]
tmp+=int(key,16) <<shift
if shift == 0x06:
key=hex(k)[2:4]
tmp+=int(key,16) <<shift
b+=1
shift-=6
tmp+=int(hex(end)[2:4],16) # add 4th byte thing
#print hex(tmp)[2:] 
return hex(tmp)[2:8]

val=''
j=0
while j < len(result):
tetro=result[j:j+4] # four bytes chunks as in pcap
val+=iterator(tetro) 
j+=4
email=''
i=0
index=0
# loop to minus flarebearstare string and get the original key 
while(i < len(val)):
try:
if index == 14: #length of flarebearstare 
index=0
email+=chr(int(val[i:i+2],16)-ord(addent[index]))

index+=1
i+=2
except:
index+=1
i+=2
pass

print email


More to Come....