Sunday, November 30, 2014

Fireeye - Flare-On Challenge 1

I've been playing the Flare On challenge recently and got through a few levels. Its good fun and I learnt a few things. I'll write a few short blog posts on the concepts/tools/solutions of each of these challenges as and when I solve them. Here's number 1.

Number 1 is an EXE file. The first thing I always do for any Windows files is open it up in CFF Explorer. The metadata of the file talks about something called Wextract. Wextract is the name of the program in Windows that creates self extracting compressed files. So maybe... its a Zip file...or some other compressed file?

Renamed the file to C1.rar (since I had Winrar on the system) and tried to extract the file. That worked and I get a new EXE file. Throw the new file into CFF Explorer.. its a .NET executable.

The moment I see .NET .. I'm happy... because all .NET binaries can be decompiled and the actual source code retrieved. There are many such decompilers around.. I usually use DotNetPeek or IlSpy - both should be fine for such challenges. Decompiling everything shows that all of the code is in a file called Form1.cs.

On launching the binary and clicking the button shown... the picture changes and some encrypted text is shown on screen. That means that there is some code on the "Click" event that is doing something. Looking at the code shows that this is indeed the case.

There is a decode function that is triggered when a button is clicked. This basically pulls some string from the "Resources" of the program and runs the algorithm on that string. The result of that "decoding" is the junk that you see on screen.

Now .. there's nothing else in the code. At this point you know what the code is doing. So where's the flag? Well...think. You found code which encrypts A and gives you B. Neither A or B are useful. But we need some plain text EMail address... that is the final flag. This means that..we need to look for other encrypted strings to run this algorithm on.

Searching more using CFF Explorer reveals a resource called dat_secret.encode. Use the inbuilt hex editor in CFF Explorer to identify the hex bytes that are to be decoded. This is the input that needs to be passed to the decoding function.

So I pull the code from Form1.cs out and load it into an online decompiler at I'm not too good at all at .NET so it takes me a while to compile the code :)..but eventually I manage to decode the string. I print out str1, str2, str3 and str4 to see what goes into each of those variables...using the Console.write method.

The Email address is:

No comments: