Intro

Every year, FireEye holds a challenge called flare-on. For a couple of years, I participated and tried to solve them. This year I have decided to write my solutions on my blog. This year I could only solve 8 challenges. During this process, I got great help from many people and I also helped a couple of people. It was a great experience. I hope I can participate next year as well.

Challenge 1

The first one was very basic.

function checkCreds() {
if (username.value == "Admin" && atob(password.value) == "goldenticket") 
{
    var key = atob(encoded_key);
    var flag = "";
    for (let i = 0; i < key.length; i++)
    {
        flag += String.fromCharCode(key.charCodeAt(i) ^ password.value.charCodeAt(i % password.value.length))
    }
}

So if we use Admin as a username and Z29sZGVudGlja2V0 as a password(goldenticket encoded as base64 string ) the first flag appears.

enter_the_funhouse@flare-on.com

Challenge 2

When we open the unlock.exe file it asks for a password. We need to find the password to decrypt all the files. Let’s decompile the exe file and see what is happening.

BOOL __cdecl sub_401220(LPCSTR lpFileName, LPCSTR a2, int a3)
{
  DWORD v3; // eax
  char Buffer; // [esp+0h] [ebp-18h]
  DWORD NumberOfBytesWritten; // [esp+8h] [ebp-10h]
  HANDLE hFile; // [esp+Ch] [ebp-Ch]
  HANDLE hObject; // [esp+10h] [ebp-8h]
  DWORD NumberOfBytesRead; // [esp+14h] [ebp-4h]

  hFile = CreateFileA(lpFileName, 0x80000000, 1u, 0, 3u, 0x80u, 0);
  if ( hFile == (HANDLE)-1 )
    LogError((void *)lpFileName);
  hObject = CreateFileA(a2, 0x40000000u, 0, 0, 2u, 0x80u, 0);
  if ( hObject == (HANDLE)-1 )
    LogError((void *)a2);
  while ( 1 )
  {
    if ( !ReadFile(hFile, &Buffer, 8u, &NumberOfBytesRead, 0) )
      LogError((void *)lpFileName);
    if ( !NumberOfBytesRead )
      break;
    sub_4011F0((int)&Buffer, a3);
    if ( !WriteFile(hObject, &Buffer, NumberOfBytesRead, &NumberOfBytesWritten, 0) )
      LogError((void *)a2);
  }
  CloseHandle(hObject);
  CloseHandle(hFile)
  v3 = sub_401000(lpFileName);
  NumberOfBytesRead = v3;
  a2[v3 - 10] = 10;
  WriteConsoleA(hConsoleOutput, lpFileName, NumberOfBytesRead, 0, 0);
  WriteConsoleA(hConsoleOutput, asc_403760, 4u, 0, 0);
  return WriteConsoleA(hConsoleOutput, a2, NumberOfBytesRead - 9, 0, 0);

We see that it reads the file 8 bytes at a time and it sends this buffer to the following function. The first parameter is the buffer second parameter is the key.

  char __cdecl sub_4011F0(int a1, int a2)
{
  int i; // ecx
  char result; // al

  for ( i = 0; (char)i < 8; LOBYTE(i) = i + 1 )
  {
    result = __ROL1__(*(_BYTE *)(i + a2) ^ *(_BYTE *)(i + a1), i) - i;
    *(_BYTE *)(i + a1) = result;
  }
  return result;
}

So the point of this challenge is finding the key so that we can decrypt the files. If we check the algorithm, there is a step after 8 bytes. So if we can have a plaintext with 8 bytes and with an encrypted file, we can recover the key. We check the files and we see that there is a PNG file named capa.png.encrypted. PNG files have a predefined header which is

0x89,0x50,0x4E,0x47,0x0D,0x0A,0x1A,0x0A

We see that the encrypted PNG file has a header with the following bytes

0xC7,0xC7,0x25,0x1D,0x63,0x0D,0xF3,0x56

Let’s reverse the algorithm

png_header = bytearray([0x89,0x50,0x4E,0x47, 0x0D, 0x0A, 0x1A, 0x0A])
encrypted =  bytearray([0xC7,0xC7,0x25,0x1D,0x63,0x0D,0xF3,0x56])

def ROR(data, shift, size=32):
    shift %= size
    body = data >> shift
    remains = (data << (size - shift)) - (body << size)
    return (body + remains)
result = ''
for i in range(len(png_header)):
    key = png_header[i]
    key += i % 0xFF
    key = ROR(key,i) % 0xFF
    key = key ^ encrypted[i]
    result += chr(key)
print(result)

So if we run this script, we find the key as No1Trust If you run the UnlockYourFiles.exe and use this password, it will decrypt all the files. If you check the contents of critical_data.txt, you will get the flag

You_Have_Awakened_Me_Too_Soon_EXE@flare-on.com

Flare-On 2021 Write-ups

I am actively job-hunting and available
Interested? Feel free to reach