#FlareOn6 Write-Up of Write-Ups

Remco Verhoef
15 min readSep 29, 2019

This post summarizes the posts, tools and techniques as shown in several other write-ups combined with the official solution.

#FlareOn6 is a reverse engineering challenge hosted by FireEye. Within 6 weeks you’ll be challenged to solve 12 reverse engineering challenges.

You can still download the challenges here.

Takeaways

  • use latest versions of the tools (docker will help with this)
  • combine dynamic- with static analyses (don’t trust static analyses solely)
  • native debugging (eg windows for windows challenges) will save time. Take into account potential issues like FlareBear not running properly in Vmware (by default) and anti debugging tricks
  • scripting and automating will help you reproduce and eventually save time
  • learning some tools thoroughly is better than using many different tools shallowly
  • take into account the messages and name of the challenge, they contain often tips and references
  • find the tool suiting the job best
  • patch binaries to enable static analyses
  • Always use a PE header parser like CFF explorer or PE Bear to verify the that the header looks correct

Collection of tools

Volatility — An advanced memory forensics framework (https://github.com/volatilityfoundation/volatility)

docker run -rm -it -v (pwd):/data blacktop/volatility

Radare2 — unix-like reverse engineering framework and commandline tools
(https://github.com/radareorg/radare2)

docker radare/radare2:latest  -t -i /bin/bash

Cutter — Free and Open Source Reverse Engineering Platform powered by radare2. (https://github.com/radareorg/cutter)
Ghidra — A software reverse engineering (SRE) suite of tools developed by NSA’s Research Directorate in support of the Cybersecurity mission (https://ghidra-sre.org/)
IDA Pro — IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all. (https://www.hex-rays.com/products/ida/)
Windbg Preview — We’ve updated WinDbg to have more modern visuals, faster windows, a full-fledged scripting experience, and Time Travel Debugging, all with the easily extensible debugger data model front and center. (https://www.microsoft.com/en-us/p/windbg-preview/9pgjgd53tn86?activetab=pivot:overviewtab)
binwalk — Firmware Analysis Tool (https://github.com/ReFirmLabs/binwalk)
Wireshark — Wireshark is the world’s foremost and widely-used network protocol analyzer. (https://www.wireshark.org/)
kpbrute — A dictionary-based brute force tool for KeePass 1.x databases (https://github.com/Jimvin/kpbrute)
x64dbg — An open-source x64/x32 debugger for windows (https://x64dbg.com/#start)
x64dbg/DbgChild — Debug Child Process Tool (auto attach (https://github.com/David-Reguera-Garcia-Dreg/DbgChild)
NES — NES emulator written in Go. (https://github.com/fogleman/nes)
FCEUX — A Nintendo Entertainment System (NES) and Famicom Disk System (FDS) emulator. (http://www.fceux.com/web/home.html)
Pyinstaller Extractor — This is a python script to extract the contents of a PyInstaller generated Windows executable file. (https://sourceforge.net/projects/pyinstallerextractor/)
uncompyle6 — A cross-version Python bytecode decompiler (https://github.com/rocky/python-uncompyle6)
Z3 solver — The Z3 Theorem Prover (https://github.com/Z3Prover/z3)
dnSpy — .NET debugger and assembly editor (https://github.com/0xd4d/dnSpy)
ILSpy — .NET Decompiler (https://github.com/icsharpcode/ILSpy)
010 editor —
World’s Best Hex Editor (their saying) (https://www.sweetscape.com/010editor/)
gdb — GDB, the GNU Project debugger, allows you to see what is going on `inside’ another program while it executes — or what another program was doing at the moment it crashed. (https://www.gnu.org/software/gdb/)
Windows VM’s — Test Microsoft Edge (EdgeHTML) and versions of IE8 through IE11 using free virtual machines you download and manage locally (https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/)
Android Tamer — is a Virtual / Live Platform for Android Security professionals. (https://androidtamer.com/)
Frida — Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers (https://www.frida.re/)
Unicorn Engine — Unicorn is a lightweight multi-platform, multi-architecture CPU emulator framework. (https://www.unicorn-engine.org/)

docker run -it --rm unicakey /bin/bash

Scyllahide — Advanced usermode anti-anti-debugger (https://github.com/x64dbg/ScyllaHide)
NinjaRipper — Extracting all available vertex information of the models. (http://cgig.ru/ninjaripper/)
noesis — Noesis is software for viewing, converting, and reverse engineering data. Common data types supported by the software include images, 3D models, medical imaging (DICOM), and animation. (http://www.richwhitehouse.com/noesis/nms/index.php)
dex2jar — Tools to work with android .dex and java .class files (https://github.com/pxb1988/dex2jar)
Apktoolhttps://ibotpeaches.github.io/Apktool/
jd-gui — Yet another fast Java decompiler (http://java-decompiler.github.io/)
xortool — A tool to analyze multi-byte xor cipher (https://github.com/hellman/xortool)
pesieve — Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches). (https://github.com/hasherezade/pe-sieve)
Python Decompiler — A free online tool to decompile Python bytecode back into equivalent Python source code. (https://python-decompiler.com)
pyinstallerextractor — Extract contents of a Windows executable file created by pyinstaller. (https://sourceforge.net/projects/pyinstallerextractor/)
Floss —
FireEye Labs Obfuscated String Solver — Automatically extract obfuscated strings from malware. (https://github.com/fireeye/flare-floss)
flare-qdb — FireEye Labs Query-Oriented Debugger (https://github.com/fireeye/flare-qdb)
CyberChef — The Cyber Swiss Army Knife (https://gchq.github.io/CyberChef/)
Android Emulator — (https://developer.android.com/studio/run/emulator)
apitrace — trace OpenGL, OpenGL ES, Direct3D, and DirectDraw APIs calls to a file (https://apitrace.github.io/)
Mesen — Mesen is a high-accuracy NES and Famicom emulator and NSF player for Windows and Linux.(https://www.mesen.ca/)
hollows hunter — Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).(https://github.com/hasherezade/hollows_hunter)
Olly Debugger — OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. http://www.ollydbg.de/
PE Bear — PE-bear is a freeware reversing tool for PE files. (https://github.com/hasherezade/pe-bear-releases/releases)
CFF Explorer — PE editor.(https://ntcore.com/?page_id=388)
ANGR — A powerful and user-friendly binary analysis platform! (https://github.com/angr/angr)
TCPFlow — Analyze and Debug Network Traffic in Linux (https://www.tecmint.com/tcpflow-analyze-debug-network-traffic-in-linux/)

Collection of Python modules

pefile — Portable Executable reader module (https://pypi.org/project/pefile/)
pdbparse — Library for parsing Microsoft PDB files (https://github.com/moyix/pdbparse)
PyCryptodome self-contained Python package of low-level cryptographic primitives (https://pycryptodome.readthedocs.io/en/latest/src/introduction.html)
capstone — Capstone disassembly engine (https://pypi.org/project/capstone/)
keystone — Keystone assembler engine (https://pypi.org/project/keystone-engine/)
unicorn — CPU emulator (https://pypi.org/project/unicorn-engine/)

Collection of specifications and/or documentation

Nesdev Wiki — Welcome to the nesdev wiki, the source for all your NES programming needs. (https://wiki.nesdev.com/)
NES emulator development guide — (http://nesdev.com/NES%20emulator%20development%20guide.txt)
Anatomy of the Process Environment Block (PEB) — https://ntopcode.wordpress.com/2018/02/26/anatomy-of-the-process-environment-block-peb-windows-internals/
Win32 Thread Information Blockhttps://en.wikipedia.org/wiki/Win32_Thread_Information_Block
TEB struct https://www.nirsoft.net/kernel_struct/vista/TEB.html
The “Ultimate”Anti-Debugging Referencehttp://pferrie.host22.com/papers/antidebug.pdf
NASM Intel x86 Assembly Language Cheat Sheet https://www.bencode.net/blob/nasmcheatsheet.pdf
Detecting debugger with `rdtsc`https://reverseengineering.stackexchange.com/questions/11364/detecting-debugger-with-rdtsc
Locreate — (http://uninformed.org/index.cgi?v=6&a=3&p=2)
Writing to External Addresses — (http://uninformed.org/index.cgi?v=6&a=3&p=5)
Cookie Generation
— (http://uninformed.org/index.cgi?v=7&a=2&p=5)
x86 and amd64 instruction referencehttps://www.felixcloutier.com/x86/
Advanced Vector Extensionshttps://en.wikipedia.org/wiki/Advanced_Vector_Extensions
x86/x64 SIMD Instruction List (SSE to AVX512) — (https://www.officedaytime.com/simd512e/)
Intel Intrinsics Guide — (https://software.intel.com/sites/landingpage/IntrinsicsGuide/)
Volatility, my own cheatsheet (Part 2): Processes and DLLs — (https://www.andreafortuna.org/2017/07/03/volatility-my-own-cheatsheet-part-2-processes-and-dlls/)
The Ultimate DirectX Tutorialhttp://www.directxtutorial.com/
x86/x64 Windows (from XP to W7) binarieshttps://corkamiwiki.github.io/PE
Differential cryptanalysis — https://en.wikipedia.org/wiki/Differential_cryptanalysis
XTEA https://cryptography.fandom.com/wiki/XTEA
A Handmade Executable Filehttps://www.bigmessowires.com/2015/10/08/a-handmade-executable-file/
This is just a test application for the Direct3D hook proof-of-concepthttps://github.com/GameHackingBook/GameHackingCode/blob/master/Chapter8_Direct3DApplication/main.cpp
PPU nametables https://wiki.nesdev.com/w/index.php/PPU_nametables
Keyloggers: How they work and how to detect them (Part 1)https://securelist.com/keyloggers-how-they-work-and-how-to-detect-them-part-1/36138/

Useful commands (cheatsheet)

  • GDB
    break getAiName
    run
    finish
  • apitrace
    apitrace trace -m -a d3d9 4k.exe
  • WinDbg
    .writemem man.sys fffff880`033bc000 lF000
    !poolfind -tag FLAR
    !analyze -v

    lmvm man
    dqs @rsp
  • John the Ripper
    ./john -1=’tThH1sSiI3nNdD?s’ -mask=?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1 kdb.hash
    ./john -mask=[tT][hH][1!][sS]?s[iI][sS]?s[tT][hH][3#]?s[3#][nN][dD][1!][1!][1!] kdb.hash
  • tshark
    tshark -r capture.pcap -T fields -e dns.a -e dns.qry.name -2 -R “dns.flags.response eq 1”
  • Volatility
    vol.py -f help.dmp — profile=Win7SP1x64 moddump -r man.sys — dump-dir ../tmp/
    vol.py -f help.dmp — profile=Win7SP1x64 driverscan
    vol.py -f help.dmp — profile=Win7SP1x64 modscan
    vol.py -f help.dmp — profile=Win7SP1x64 drivermodule
    vol.py -f help.dmp — profile=Win7SP1x64 vaddump -D vads

Level 01 — Memecat Battlestation by Nick Harbour (@nickaharbour)

Welcome to the Sixth Flare-On Challenge!

This is a simple game. Reverse engineer it to figure out what "weapon codes" you need to enter to defeat each of the two enemies and the victory screen will reveal the flag. Enter the flag here on this site to score and move on to the next level.

* This challenge is written in .NET. If you don't already have a favorite .NET reverse engineering tool I recommend dnSpy

2019-08-16 14:17:35 ....A          620          416  1 - Memecat Battlestation/Message.txt
2019-08-14 15:43:16 ....A 8308736 5511360 1 - Memecat Battlestation/MemeCatBattlestation.exe

The executable is a .NET binary which can be disassembled (or decompiled) using dnSpy. When looking at the binary you’ll see a input being compared against the string value “RAINBOW”. The second input will be validated against a xor’ed value with single character key ‘A’. When decoded this will give the value Bagel_Cannon (see this recipe). When entering this value you’ll get the flag.

https://bruce30262.github.io/flare-on-challenge-2019-write-up/
https://github.com/gray-panda/grayrepo/tree/master/2019_flareon/01_memecat
https://medium.com/@hegongdao/flareon6-1-222c6c6bd44
https://malwareunicorn.org/workshops/flareon6_2019.html#1
https://r0hansh.github.io/posts/flare-on6#1---memecat-battlestation

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/FlareOn6_Challenge1_Solution_MemecatBattlestation.pdf

Level 02 — Overlong by Eamon Walsh

The secret of this next challenge is cleverly hidden. However, with the right approach, finding the solution will not take an <b>overlong</b> amount of time.

2019-02-26 22:55:56 ....A          158          144  2 - Overlong/Message.txt
2019-02-26 05:03:08 ....A 3584 848 2 - Overlong/Overlong.exe

Overlong.exe is a small Windows executable showing only a messagebox containing a string. There are three different approaches that could have been used:

  • change the length of the string from 0x1c to 0x11c
  • recognise overlong encoding and manually decode (for example using Cyberchef again)
  • MalwareUnicorn nop’ped out the jump to the wrong branch
  • analyze the decoding function to write a decoder

The hint here was Overlong encoding, referring to this encoding.

https://bruce30262.github.io/flare-on-challenge-2019-write-up/
https://github.com/gray-panda/grayrepo/tree/master/2019_flareon/02_overlong
https://medium.com/@hegongdao/flareon6-2-ae14d8b819d4
https://malwareunicorn.org/workshops/flareon6_2019.html#2
https://r0hansh.github.io/posts/flare-on6#2---overlong

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/FlareOn6_Challenge2_Solution_Overlong.pdf

Level 03 — Flarebear by Mortiz Raabe (@m_r_tz)

We at Flare have created our own Tamagotchi pet, the flarebear. He is very fussy. Keep him alive and happy and he will give you the flag.

2019-05-22 13:25:52 ....A      3663929      3278144  3 - Flarebear/flarebear.apk
2019-08-16 14:52:18 ....A 137 3 - Flarebear/Message.txt

The apk contains a small game where you need to nurture the bear. The apk can be played using the Android Emulator.

Four different approaches:

  • Alexander Pick made use of the Xposed Framework (https://www.xda-developers.com/xposed-framework-hub/) to brute force the solution
  • Bruce Chen used Frida to hook functions and return the correct values
  • Use AndroidTamer VM or Flare VM to decompile the functions and extract the values.
  • I copied the decryption code (from jd-gui) to a new app, containing both ecstatic resources and brute forced the correct values, while making use of exceptions being thrown when incorrect value is being decrypted or an invalid bitmap is being shown.
  • MalwareUnicorn used Android Studio to debug the application

https://github.com/alexander-pick/flareon6/tree/master/3%20-%20Flarebear
https://bruce30262.github.io/flare-on-challenge-2019-write-up/
https://github.com/gray-panda/grayrepo/tree/master/2019_flareon/03_flarebear
https://medium.com/@hegongdao/flareon6-3-190faea961ca
https://malwareunicorn.org/workshops/flareon6_2019.html#3
https://r0hansh.github.io/posts/flare-on6#3---flarebear

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/FlareOn6_Challenge3_Solution_FlareBear.pdf

Level 04 — Dnschess by Eamon Walsh

Some suspicious network traffic led us to this unauthorized chess program running on an Ubuntu desktop. This appears to be the work of cyberspace computer hackers. You’ll need to make the right moves to solve this one. Good luck!

2019-05-14 00:08:52 ....A        13780        16032  4 - Dnschess/capture.pcap
2019-07-02 04:18:21 ....A 14624 4 - Dnschess/ChessAI.so
2019-07-02 04:18:21 ....A 51392 4 - Dnschess/ChessUI
2019-08-16 15:26:12 ....A 230 4 - Dnschess/Message.txt

Challenge consists of a Linux executable and library which runs as a game of chess and a packet capture with dns queries.

Two approaches:

  • extracting host names and results of dns query and putting them in hosts file, next playing game (the moves in the capture are out of order, but Chess doesn’t allow for many different moves. MalwareUnicorn extracted the dns queries from pcap using tshark and updated the hosts file.
  • debugging and reversing the binary, finding the function of interest getNextMove.

https://github.com/alexander-pick/flareon6/tree/master/4%20-%20dnschess
https://bruce30262.github.io/flare-on-challenge-2019-write-up/
https://medium.com/@hegongdao/flareon6-4-12a7d2f6f857
https://github.com/gray-panda/grayrepo/tree/master/2019_flareon/04_dnschess
https://malwareunicorn.org/workshops/flareon6_2019.html#4
https://r0hansh.github.io/posts/flare-on6#4---dnschess

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/FlareOn6_Challenge4_Solution_DnsChess.pdf

Level 05–4k Demo by Christopher Gardner (@t00manybananas)

Someone on the Flare team tried to impress us with their demoscene skills. It seems blank. See if you can figure it out or maybe we will have to fire them. No pressure.

2019-08-16 15:47:27 ....A          168          160  5 - demo/Message.txt
2019-05-09 22:14:59 ....A 3872 3936 5 - demo/4k.exe

The executable is a windows executable depending on DirectX. Static Analyses isn’t working as the file is packed. Running the executable shows a spinning Flare logo.

Several options to solve the challenge:

  • two mesh objects are being stored, swapping them shows the flag
  • change the z index value, putting it in front of the camera
  • dump the buffers, decrypt and view the textures
  • use NinjaRipper to extract the textures during application run

https://maxkersten.nl/binary-analysis-course/assembly-basics/practical-case-crack-me-0x02/
https://github.com/alexander-pick/flareon6/tree/master/5%20-%20Demo
https://bruce30262.github.io/flare-on-challenge-2019-write-up/
https://medium.com/@hegongdao/flareon6-5-88efd72c7b26
https://github.com/gray-panda/grayrepo/tree/master/2019_flareon/05_demo
https://malwareunicorn.org/workshops/flareon6_2019.html#5
https://r0hansh.github.io/posts/flare-on6#5---demo

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/FlareOn6_Challenge5_Solution_4k.pdf

Level 06 — BMP hide by Tyler Dean (@spresec)

Tyler Dean hiked up Mt. Elbert (Colorado’s tallest mountain) at 2am to capture this picture at the perfect time. Never skip leg day. We found this picture and executable on a thumb drive he left at the trail head. Can he be trusted?

2019-05-15 19:05:40 ....A      6230070      4379040  6 - bmphide/image.bmp
2019-08-16 16:13:41 ....A 232 6 - bmphide/Message.txt
2019-05-15 19:04:05 ....A 40960 7536 6 - bmphide/bmphide.exe

.NET executable containing several anti debugging and obfuscation tricks. The executable is the steganography tool that will hide messages (or files) inside bmp images. Code that is visible in static analysis tools (dnsspy) is actually different than code being executed.

  • static analysis by encrypting several files and analysing results.
  • analyses of encoder routine
  • recreate the bmp encoder code, helping creating the decoder

https://github.com/alexander-pick/flareon6/tree/master/6%20-%20bmphide
https://bruce30262.github.io/flare-on-challenge-2019-write-up/
https://github.com/gray-panda/grayrepo/tree/master/2019_flareon/06_bmphide
https://medium.com/@hegongdao/flareon6-6-c6d6bc26d5e2
https://gist.github.com/KaoRz/1a4acd946689cb44f89b1ccebed96bd3
https://malwareunicorn.org/workshops/flareon6_2019.html#6
https://r0hansh.github.io/posts/flare-on6#6---bmphide

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/FlareOn6_Challenge6_Solution_BMPHIDE.pdf

Level 07 — WOPR by Sandor Nemes (@sandornemes)

We used our own computer hacking skills to “find” this AI on a military supercomputer. It does strongly resemble the classic 1983 movie WarGames. Perhaps life imitates art? If you can find the launch codes for us, we’ll let you pass to the next challenge. We promise not to start a thermonuclear war.

2019-08-16 16:32:12 ....A          300          256  7 - wopr/Message.txt
2019-03-14 17:52:41 ....A 5376070 5169424 7 - wopr/wopr.exe

Python script made as executable using pyinstaller. It contains some nice tricks like swapping print and exec. Decryption is also depending on the executable itself, running the extracted script will render incorrect results.

  • decompile and extract the real code
  • dump python code from memory
  • the right hash can be retrieved by putting breakpoint on python function hashlib.digest()
  • the equation can be easily solved by using a SMT solver like z3
  • MalwareUnicorn mapped the process dump of wopr.exe to the python application to use as hash

Important: Windows and MacOS pyc headers are different, so whichever you used to compile Uncompyle6, and you should use the same OS and version of python37.

Trivia: the launch code in the War Games movie is DLG2209TVX, which is similar (all upper case letters and numbers).

https://github.com/alexander-pick/flareon6/tree/master/7%20-%20wopr
https://bruce30262.github.io/flare-on-challenge-2019-write-up/
https://github.com/gray-panda/grayrepo/tree/master/2019_flareon/07_wopr
https://medium.com/@hegongdao/flareon6-7-ce92286ddbc0
https://malwareunicorn.org/workshops/flareon6_2019.html#7
https://twitter.com/alex_k_polyakov/status/1177935557143531520
https://r0hansh.github.io/posts/flare-on6#7---wopr

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/FlareOn6_Challenge7_Solution_WOPR.pdf

Level 08 — Snake by Alex Rich (@AlexRRich)

The Flare team is attempting to pivot to full-time twitch streaming video games instead of reverse engineering computer software all day. We wrote our own classic NES game to stream content that nobody else has seen and watch those subscribers flow in. It turned out to be too hard for us to beat so we gave up. See if you can beat it and capture the internet points that we failed to collect.

  • play the game for 200 successful times
  • patch the “successful times” variable with value of > 200
  • the use of a Cheat Finder (Mesen)
  • find the encoded string (flag is extra obfuscated)
  • I patched GoNES, noticed that variables where located at the start of memory and played around with different values on different positions
  • the bin file can be loaded into ida by using the M6502 microprocessor, rebase to 0xC0000.
  • zyloid automated playing snake using the Mesen scripting engine (based on lua), after a while it reaches a length of 200 and show the flag

https://github.com/alexander-pick/flareon6/tree/master/8%20-%20snake
https://bruce30262.github.io/flare-on-challenge-2019-write-up/
https://github.com/gray-panda/grayrepo/tree/master/2019_flareon/08_snake
https://medium.com/@hegongdao/flareon6-8-ade16343eedb
https://malwareunicorn.org/workshops/flareon6_2019.html#8
https://r0hansh.github.io/posts/flare-on6#8---snake

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/FlareOn6_Challenge8_Solution_SNAKE.pdf

Level 09 — Reloadered by Sebastian Vogl

This is a simple challenge, enter the password, receive the key. I hear that it caused problems when trying to analyze it with ghidra.

2019-08-16 17:18:07 ....A          134          128  9 - reloadered/Message.txt
2019-06-10 19:25:24 ....A 296960 6752 9 - reloadered/reloaderd.exe

Windows executable that contains a fake code path with a fake flag (RoT3rDeRing -> Red Herring), when analyzing statically. Contains a hidden validation function that is being created by relocations. Also contains several anti debugging and anti vm tricks.

  • work around the anti debugging and anti vm tricks
  • dump the executable using scylla, to enable static analysis
  • take advantage of the validation of the correct key by comparing to @flare-on.com. Making it possible to derive the correct key. The key length is hard coded to 0x35.

https://github.com/alexander-pick/flareon6/tree/master/9%20-%20reloadered
https://bruce30262.github.io/flare-on-challenge-2019-write-up/
https://medium.com/@hegongdao/flareon6-9-87f05d64df5
https://github.com/gray-panda/grayrepo/tree/master/2019_flareon/09_reloadered
https://malwareunicorn.org/workshops/flareon6_2019.html#9
https://r0hansh.github.io/posts/flare-on6#9---reloadered

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/FlareOn6_Challenge9_Solution_RELOADERED.pdf

Level 10 — Mugatu by Blaine Stancill (Malware Mechanic)

Hello,

I’m working an incident response case for Derek Zoolander. He clicked a link and was infected with MugatuWare! As a result, his new headshot compilation GIF was encrypted.

To secure an upcoming runway show, Derek needs this GIF decrypted; however, he refuses to pay the ransom.

We received an additional encrypted GIF from an anonymous informant. The informant told us the GIF should help in our decryption efforts, but we were unable to figure it out.

We’re reaching out to you, our best malware analyst, in hopes that you can reverse engineer this malware and decrypt Derek’s GIF.

I’ve included a directory full of files containing:

* MugatuWare malware

* Ransom note
(GIFtToDerek.txt)
* Encrypted headshot GIF (best.gif.Mugatu)

* Encrypted informant GIF (the_key_to_success_0000.gif.Mugatu)

Thanks,
Roy

2019-08-16 17:30:04 ....A          852      9334368  10 - Mugatu/Message.txt
2019-04-24 03:09:15 ....A 5252785 10 - Mugatu/MugatuWare/best.gif.Mugatu
2019-04-26 17:28:39 ....A 1081 10 - Mugatu/MugatuWare/GIFtToDerek.txt
2019-06-15 17:16:54 ....A 4079071 10 - Mugatu/MugatuWare/the_key_to_success_0000.gif.Mugatu
2019-05-01 20:18:29 ....A 1532928 668416 10 - Mugatu/MugatuWare/Mugatuware.exe

Contains multiple neat tricks to prevent or complicate analysis and debugging.

  • dump binary using Scylla
  • setup simple http server simulating cnc
  • bitblt is being used to xor
  • xtea encryption (magic value 0x61C88647)
  • standard xtea key is 16 bit, but due to faulty implementation only 4 bit effective.
  • magic GIF8 allows brute forcing key
  • uses an not obvious xor method: (A XOR B) == ((NOT A) AND B) OR (A AND (NOT B))
  • hasherezade patched the binaries to allow (easier) static analyses

Trivia: The key to success, contains the actual key \0\0\0\0 in the filename.

https://github.com/alexander-pick/flareon6/tree/master/10%20-%20Mugatu
https://bruce30262.github.io/flare-on-challenge-2019-write-up/
https://medium.com/@hegongdao/flareon6-10-1dd74e4d6c3a
https://github.com/gray-panda/grayrepo/tree/master/2019_flareon/10_mugatu
https://hshrzd.wordpress.com/2019/09/30/flare-on-6-tasks-10-12/#task10
https://malwareunicorn.org/workshops/flareon6_2019.html#10

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/FlareOn6_Challenge10_Solution_Mugatu.pdf

Level 11 — vv_max by Dhanesh Kizhakkinan (@dhanesh_k)

Hey, at least its not subleq.

2019-08-16 17:44:16 ....A           29           48  11 - vv_max/Message.txt
2019-04-28 23:34:40 ....A 129536 55232 11 - vv_max/vv_max.exe

This is again a Windows Executable, making extensive use of AVX2 instruction set. The applications contains a virtual machine and a program for this vm.

  • static and dynamic analysis, to understand program structure and constraints to arguments
  • write a disassembler for the vm
  • first I rewrote the vm in python (including all avx2 instructions), making sure the input dump compared to the output dump. That makes it easier to understand and analyse the instructions and their effect. Appeared that only a subset of the instructions operated on the 2nd input key. By analyzing the results of several inputs, I noticed repeating chunks. If entering AAAA it gave all zero’s, etc. Now I could just “guess” the input char by char.
  • hasherezade again patched the binary to show the results, preventing the need to write the vm or disassembler
  • BenjaminSolberg implemented the AVX2 instructions within Z3 solver to solve the challenge
  • MalwareUnicorn used rust to recreate the vm
  • benjamin solved the challenge by hand, manually reversing each function
  • Asger fv patched the binary into a loop and used IDA Pro debugger to bruteforce within the same process.
  • Drew Barbarell used Angr and Wine! to solve the challenge

https://github.com/alexander-pick/flareon6/tree/master/11%20-%20vv_max
https://limbenjamin.com/articles/flare-on-6-solve-vv-max-by-hand.html
https://bruce30262.github.io/flare-on-challenge-2019-write-up/
https://github.com/gray-panda/grayrepo/tree/master/2019_flareon/11_vvmax
https://github.com/BenjaminSoelberg/vv_max?files=1
https://medium.com/@hegongdao/flareon6-11-ab05fe6ef8e3
https://hshrzd.wordpress.com/2019/09/30/flare-on-6-tasks-10-12/#task11
https://dbarbs.net/posts/2019/10/solving-flare-on-6-11-vv_max-with-angr/
https://malwareunicorn.org/workshops/flareon6_2019.html#11
https://github.com/BenjaminSoelberg/vv_max
https://github.com/asgerfv/ctf_writeup_2019__flareon6/blob/master/challenge11__vv_max/vv_max__solution.md
https://twitter.com/Ly_xThunder/status/1178027251260121089

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/FlareOn6_Challenge11_Solution_vv_max.pdf

Level 12 — Help by Ryan Warns (@NOPAndRoll)

You’re my only hope FLARE-On player! One of our developers was hacked and we’re not sure what they took. We managed to set up a packet capture on the network once we found out but they were definitely already on the system. I think whatever they installed must be buggy — it looks like they crashed our developer box. We saved off the dump file but I can’t make heads or tails of it — PLEASE HELP!!!!!!

2019-08-02 16:46:57 ....A   2146959360    479186752  12 - help/help.dmp
2019-08-02 16:38:44 ....A 32244036 12 - help/help.pcapng
2019-07-02 07:54:58 ....A 402 12 - help/Message.txt

It seems that the target machine has been an install of Flare VM (https://github.com/fireeye/flare-vm).

Regarding the rc4 encryption of the driver calls, I used the Unicorn Engine to decrypt those. By setting up the stack, mapping the executable to the correct location and emulating the functions, the decrypted name of the call will be
visible in the stack.

The references to the pdb files (eg e:\dropbox\dropbox\flareon_2019\code\cryptodll\objchk_win7_amd64\amd64\c.pdb) will help identifying the core modules.

Courtesy of MalwareUnicorn

Trivia: floss (or strings) returns part of the flag inside the vmtoolsd.exe process, which has been probably the result of a clipboard action.

Extracting the keys from Keepass (using CryptProtectMemory)
https://gist.github.com/Sin42/feb693a5b29679f8137b2d751aeb1e31
https://blog.trich.im/ctf/2019/cryptprotectmemory-with-flare-on-6-help/

Without using Reverse Engineering tools
https://sysenter-eip.github.io/FlareOn2019_NoReversing

Reverse engineering the malware
https://bruce30262.github.io/flare-on-challenge-2019-write-up/
https://github.com/alexander-pick/flareon6/tree/master/12%20-%20help
https://github.com/gray-panda/grayrepo/tree/master/2019_flareon/12_help
https://github.com/eleemosynator/writeups/tree/master/flare-on-6/12%20-%20help (Very detailed, must read)
https://medium.com/@hegongdao/flareon6-12-d6c493237f3f
https://hshrzd.wordpress.com/2019/09/30/flare-on-6-tasks-10-12/#task12
https://malwareunicorn.org/workshops/flareon6_2019.html#12

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/FlareOn6_Challenge12_Solution_help.pdf

--

--

Remco Verhoef

Founder @ DutchSec // Linthub.io // Transfer.sh // SlackArchive // Dutchcoders // OSC(P|E) // C|EH // GIAC // Security // DevOps // Pythonista // Gopher.