Flare-on 4

Challenge #1: Login.html

First we open the file and see the login page.

Then we look directly at the page source:

<!DOCTYPE Html />
<html>
<head>
<title>FLARE On 2017</title>
</head>
<body>
<input type="text" name="flag" id="flag" value="Enter the flag" />
<input type="button" id="prompt" value="Click to check the flag" />
<script type="text/javascript">
document.getElementById("prompt").onclick = function () {
var flag = document.getElementById("flag").value;
var rotFlag = flag.replace(/[a-zA-Z]/g, function(c){return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);});
if ("PyvragFvqrYbtvafNerRnfl@syner-ba.pbz" == rotFlag) {
alert("Correct flag!");
} else {
alert("Incorrect flag, rot again");
}
}
</script>
</body>
</html>

The important line is "PyvragFvqrYbtvafNerRnfl@syner-ba.pbz" == rotFlag: the replace callback shifts every letter by 13 places, so the page compares a ROT13 of our input against that string. Decoding the string with ROT13 gives the flag.

We use Python:

import codecs
print(codecs.decode("PyvragFvqrYbtvafNerRnfl@syner-ba.pbz", "rot13"))  # ClientSideLoginsAreEasy@flare-on.com

Challenge #2: IgniteMe

Open the file and put it in IDA for analysis.

We need to know the WriteFile prototype:

BOOL WriteFile(
    HANDLE hFile,                    // file handle
    LPCVOID lpBuffer,                // pointer to the data buffer
    DWORD nNumberOfBytesToWrite,     // number of bytes to write
    LPDWORD lpNumberOfBytesWritten,  // receives the number of bytes actually written
    LPOVERLAPPED lpOverlapped        // pointer to an OVERLAPPED structure (NULL for synchronous I/O)
);

sub_4010F0 reads the user input and stores it at 0x403078; sub_401050 is the function that makes the decision.

In sub_401000 we find v4 = (unsigned __int16)ROL4(-2147024896, 4) >> 1 (-2147024896 is 0x80070000: the decompiler has already folded the xor ax, dx, which zeroes the low word of 0x80070057):

sub_401000      proc near               ; CODE XREF: sub_401050+16↓p
.text:00401000 push ebp
.text:00401001 mov ebp, esp
.text:00401003 mov eax, 80070057h
.text:00401008 mov edx, eax
.text:0040100A xor ax, dx ; Logical Exclusive OR
.text:0040100D rol eax, 4 ; Rotate Left
.text:00401010 shr ax, 1 ; Shift Logical Right
.text:00401013 pop ebp
.text:00401014 retn ; Return Near from Procedure
.text:00401014 sub_401000 endp

So the seed needs no input at all: xor ax, dx zeroes the low 16 bits of 0x80070057, rol eax, 4 turns 0x80070000 into 0x00700008, and shr ax, 1 leaves 4 in the low word, so v4 starts at 4 (only the low 16 bits matter, because the result is cast to unsigned __int16). The check walks the input from the end, XORing each byte with the previous one.

cipher = [0x0D, 0x26, 0x49, 0x45, 0x2A, 0x17, 0x78, 0x44, 0x2B, 0x6C, 0x5D, 0x5E, 0x45, 0x12, 0x2F, 0x17, 0x2B, 0x44, 0x6F, 0x6E, 0x56, 0x09, 0x5F, 0x45, 0x47, 0x73, 0x26, 0x0A, 0x0D, 0x13, 0x17, 0x48, 0x42, 0x01, 0x40, 0x4D, 0x0C, 0x02, 0x69]
v4 = 4
clear = ''
for i in range(len(cipher)):
    v4 = v4 ^ cipher[-i-1]   # walk backwards; each recovered byte becomes the key for the one before it
    clear += chr(v4)
print(clear)        # moc.no-eralf@3t1ng1_0t_Hgu0n3_t0H_u0y_R
print(clear[::-1])  # R_y0u_H0t_3n0ugH_t0_1gn1t3@flare-on.com
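As an added example (not the post's own script), the following emulates the seed arithmetic of sub_401000 on 32-bit registers, decodes the byte table the same way as above, and also implements the forward transform the binary applies to our input, so we can confirm that only the recovered flag maps onto the stored bytes. The byte table is copied from the post; the function names are my own.

```python
from typing import List

# The bytes the binary compares against, taken from the post's table above.
CIPHER = [0x0D, 0x26, 0x49, 0x45, 0x2A, 0x17, 0x78, 0x44, 0x2B, 0x6C, 0x5D, 0x5E, 0x45,
          0x12, 0x2F, 0x17, 0x2B, 0x44, 0x6F, 0x6E, 0x56, 0x09, 0x5F, 0x45, 0x47, 0x73,
          0x26, 0x0A, 0x0D, 0x13, 0x17, 0x48, 0x42, 0x01, 0x40, 0x4D, 0x0C, 0x02, 0x69]

def rol32(x: int, n: int) -> int:
    """32-bit rotate left, as the rol eax, n instruction does."""
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def derive_seed() -> int:
    """Emulates sub_401000 instruction by instruction: the seed depends on no input."""
    eax = 0x80070057
    edx = eax
    eax = (eax & 0xFFFF0000) | ((eax ^ edx) & 0xFFFF)  # xor ax, dx  -> low word becomes 0
    eax = rol32(eax, 4)                                 # rol eax, 4  -> 0x00700008
    eax = (eax & 0xFFFF0000) | ((eax & 0xFFFF) >> 1)    # shr ax, 1   -> low word 0x0004
    return eax & 0xFFFF                                 # caller keeps (unsigned __int16)

def decode(cipher: List[int], seed: int) -> str:
    """Undo the check: walk backwards; each recovered byte is the key for the one before it."""
    key, out = seed, []
    for c in reversed(cipher):
        key ^= c            # key now holds the plaintext byte at this position
        out.append(chr(key))
    return "".join(reversed(out))

def encode(plain: str, seed: int) -> List[int]:
    """The transform the binary applies to our input before comparing it with CIPHER."""
    key, out = seed, []
    for ch in reversed(plain):
        p = ord(ch)
        out.append(p ^ key)  # last byte is XORed with the seed, every other with its successor
        key = p
    return list(reversed(out))

if __name__ == "__main__":
    seed = derive_seed()
    flag = decode(CIPHER, seed)
    print(hex(seed), flag)
    assert encode(flag, seed) == CIPHER
```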

Challenge #3: greek_to_me

Open the file.

I don't know what's going on here: there's no response and no input, so I put it into IDA.

WSAStartup initiates use of the Winsock DLL by the process. Then we can see socket: SOCKET PASCAL FAR socket(int af, int type, int protocol), where the af parameter identifies the address family. bind associates the socket with a local address, listen places the socket in a state in which it listens for incoming connections, accept permits an incoming connection attempt on the socket, send sends data on a connected socket, recv receives data from a connected or bound socket, and closesocket closes an existing socket.

htonl simply converts host byte order to network byte order. Network byte order is big-endian: the most significant byte of a number is stored at the lowest memory address.

The port argument is htons(0x8AEu), so the program listens on port 2222 (0x8AE).

So here we are at the socket.

After finding the accept call, we see that recv reads 4 bytes into the buffer at ebp+8; if fewer than 4 bytes are provided, the connection is closed immediately.

The call to 4011E6 is a Fletcher checksum.

So we need to solve for the real key: XOR the data with the candidate key, then compute the checksum, which must equal 0xFB5E.

Fletcher’s checksum

#include <stdint.h>

typedef uint8_t  uint8;
typedef uint16_t uint16;
typedef uint32_t uint32;
#define MASK_BYTE_LSB 0xFFu   /* assumed: value substituted for a zero checksum byte */

uint16 Crc_CalculateISOChecksum(uint8 *pt_start_address, uint32 length)
{
    uint8 C0, C1;
    uint8 data;
    uint32 i;
    uint8 ck1, ck2;

    /* Initial value */
    C0 = 0;
    C1 = 0;

    /* two running sums, both reduced modulo 255 */
    for (i = 0; i < length; i++) /* nb_bytes has been verified */
    {
        data = pt_start_address[i];
        C0 = (C0 + data) % 255;
        C1 = (C1 + C0) % 255;
    }
    /* Calculate the intermediate ISO checksum value */
    ck1 = (unsigned char)(255 - ((C0 + C1) % 255));
    ck2 = (unsigned char)(C1 % 255);
    if (ck1 == 0)
    {
        ck1 = MASK_BYTE_LSB;
    }
    if (ck2 == 0)
    {
        ck2 = MASK_BYTE_LSB;
    }
    return ((((uint16)ck1) << 8) | ((uint16)ck2));
}

We find the key 0xA2.

Then we find the flag; set a breakpoint to see it:

// et_tu_brute_force@flare-on.com
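As an added example (not the post's own script), here is the C checksum above ported to Python and used the way the post describes: try every single-byte XOR key and keep the ones whose decrypted block hashes to the expected value. The sample block is constructed here and encrypted with the key the post found (0xA2); the challenge's real encrypted bytes and its hard-coded 0xFB5E are not reproduced, and MASK_BYTE_LSB is assumed to be 0xFF.

```python
def iso_checksum(data: bytes) -> int:
    """Fletcher-style checksum from the C listing: two running sums mod 255, packed as ck1<<8 | ck2."""
    c0 = c1 = 0
    for b in data:
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    ck1 = (255 - ((c0 + c1) % 255)) & 0xFF
    ck2 = c1 % 255
    ck1 = ck1 or 0xFF  # MASK_BYTE_LSB assumed to be 0xFF
    ck2 = ck2 or 0xFF
    return (ck1 << 8) | ck2

def xor_block(data: bytes, key: int) -> bytes:
    """The binary's decryption step: one key byte XORed over the whole block."""
    return bytes(b ^ key for b in data)

def candidate_keys(encrypted: bytes, expected: int) -> list:
    """Try all 256 key bytes; return those whose decryption hashes to `expected`."""
    return [k for k in range(256) if iso_checksum(xor_block(encrypted, k)) == expected]

# Constructed sample: a few x86 bytes, encrypted with the key the post found (0xA2).
PLAIN = bytes.fromhex("55 89 e5 83 ec 10 c7 45 fc 00 00 00 00 eb 0e "
                      "8b 45 fc 83 c0 01 89 45 fc 8b 45 fc 83 f8 63")
KEY = 0xA2
ENCRYPTED = xor_block(PLAIN, KEY)
EXPECTED = iso_checksum(PLAIN)  # in the challenge this is the hard-coded 0xFB5E

if __name__ == "__main__":
    print(hex(EXPECTED), [hex(k) for k in candidate_keys(ENCRYPTED, EXPECTED)])
```

Because the checksum is only 16 bits and the key space is 256, a second key can collide on short blocks, so a real solve still checks that the decrypted bytes disassemble sensibly.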

Challenge #4: notepad.exe

Open it and have a look.

I can't get much information from it, but it's nice to see notepad, which I talked about earlier in the book on the core principles of reverse engineering, in the part on the PE structure.

I put it in CFF Explorer and compared it to the native notepad.

Offset: in the challenge binary it is in .rsrc, while in my computer's notepad it is in .text.

The .rsrc section contains the module's resource information. To record a question that was asked during an interview: .data stores data, while .rdata sometimes stores IAT data in part and structures in part.

%USERPROFILE%\flareon2016challenge
ImageHlp.dll
CheckSumMappedFile
User32.dll
MessageBoxA

At 0x10153C0:

We can see lots of things, for example the constants 0x8FECD63F 0x63D6C065…

Author: L0x1c
Link: https://l0x1c.github.io/2020/04/26/2020-4-01/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.