I recently participated in Flare-On 9, finishing 131st in about ten days, though I started around two days late. It was my second time participating and overall it was fun, though definitely easier than the first time around. Before I forget entirely, I'm going to pen down some thoughts for myself :3

Challenges 1-4

These were all pretty straightforward challenges, and I spent some time explaining to a friend how they worked while I did them, which was fun :3

Challenge 1 (Flaredle) was a Wordle clone with extremely long words. The correct word was a hardcoded index into a wordlist. Challenge 2 (PixelPoker) involved clicking on a specific pixel in the window to print the flag. Explaining how the event loop worked and how the conditions on the pixel were computed to someone who didn't know how to program was interesting.

I lost a little bit of time on Challenge 3 (Magic 8 Ball) because I decompressed the provided archive without preserving the directory structure, so the program wouldn't run correctly. The correct input was a sequence of arrow directions.

For Challenge 4 (darn mice), I misread the generation of the executable byte a little, which cost me some time as well. Other than that, it was a good joke (no return it pls)!

Challenge 5 (T8)

This was a small C++ program along with a packet capture of its network activities. There were two main parts where I lost time:

  • Got a little hung up on stack slot reuse by the compiler
  • I mentally passed over the user-agent generation multiple times and so failed to identify for quite a while that the required seed was being passed there, and ended up reversing most of the rest of the binary instead. Pro tip: actually look at where the data is being generated next time.

(Also, I should check out the capa tool.)

Challenge 6 (à la mode)

This was a mixed-mode binary containing managed and unmanaged code which talked to each other. I didn't realize that at the time, but I poked around a bit and figured out the challenge as it was fortunately a fairly small binary. TIL! (and TODO: read the writeup to learn more).

Challenge 7 (anode)

This was a nexe-compiled binary with a tampered JavaScript runtime that encrypted the flag that you entered and compared the output against some fixed result. I did not go the route of figuring out how specifically the binary was tampered with (though looking at the official writeup it seems like this might not have been very difficult) and patched the JavaScript instead. In particular I used a Proxy object to log accesses to the input array and hooked the Math.random() function. The rest of it was just a coding challenge, and after fixing some bugs it was done.

Challenge 8 (backdoor)

This is an obfuscated .NET binary. There's a lot going on here (TODO: I need to read the report too! Some interesting techniques)! I used the SOS.dll extension for scripting and dnSpy for disassembly, though in hindsight there were nicer ways to go about it (WinDbg scripting is... weird sometimes). I'd say I wasted a fair chunk of time fighting with WinDbg. Gotta read the report to look at some smarter ways to go about this.

Challenge 9 (encryptor)

This was relatively straightforward after recognizing the bigint operations.

Challenge 10 (Nur geträumt)

I wasted a lot of time being dumb and trying to mount the image file as a bootable disk. In hindsight I should have realized that a lot sooner as there was nothing on that disk image that resembled a boot sector. Once that was done the challenge was pretty straightforward, though I appreciate the effort that went into getting this working in the first place.

Challenge 11 (unnamed pyarmor challenge)

I played around with building a tracing utility in CPython for a bit but in the end went the easy route of replacing the crypt module. PyArmor is an interesting target to poke at though (and I might do so in the future).