Back in September, FireEye began their third annual Flare-On reverse engineering challenge. This is basically a reverse engineering themed CTF that lasted about six weeks. This was my first time getting hands-on experience with reverse engineering, so while I learned a lot, there is still much more to go. Keeping in mind this is my first time really diving into reverse engineering, I'll start off with what I knew at the start:

My dad: “So is it kind of like taking a car apart down to its individual pieces?”

Me:  “No, not kind of.  It is exactly like that!  That’s how people find out how malware works and how programs can break”

This was an earlier conversation with my dad about RE and a summary of what I knew before deciding to take on this challenge. In between work and everything else, I didn't make it too far this time around, only finishing the first challenge (with some help). If nothing else, what I took away from this CTF, like many others, is that learning the tools, and which tools are the most effective, is just as important as learning the craft.

Tools/Resources:

I expect to clean this up, but here's the quick and dirty. For most of my efforts I used either Windows 7 or Kali Linux in VirtualBox to examine the programs, which is frequently recommended by those with more experience than me. It is highly recommended to take snapshots and do most of your reverse engineering work in a VM, since the binary you are analyzing actually executes on that machine. As for tools, there are plenty, but for the most part I used Immunity Debugger, IDA, Binary Ninja, gdb, and Sublime Text when I needed an editor.

With that out of the way, I can sum up the beginning of this challenge like this:

“Ok, I have no idea how this works... Ok, I'm going to punch at this a bit... Ok, I understood A thing!... Now keep punching until this makes sense, but I need to learn more about the tools. ‘Run towards the hard shit,’ as I say.”

I first went over the rules of engagement for the challenge. Most CTFs I've done have been team based; however, this one is individual. After creating my account for the competition I downloaded the challenge. Since I was only able to finish the first challenge, I included my notes below. The remaining challenges, solutions, and their associated binary files are available here now that the CTF is over.

Level 1 (Challenge1.exe)

I was doing this first challenge over Google Hangouts with a few friends and immediately felt like a fish out of water, but that is the first sign of progress. With that said, when I opened challenge1.exe in Immunity, I saw something I had become a bit more familiar with over the last few months since I started studying exploit dev from Hacking: The Art of Exploitation.

[Screenshot: screen-shot-2016-09-28-at-9-15-16-pm]

Right away when I opened the challenge, I felt like a lot was going on in the program, and to be honest there is. Immunity is a debugger, so in addition to Immunity itself, the executable you're reversing is running as a separate process attached to it. The main window I was working out of (in the picture) shows that program's state as it runs.

[Screenshot: screen-shot-2016-10-01-at-11-11-09-pm]

The CPU window for the main thread is split into four panes. The upper left pane is the disassembly (the instructions of the program). The upper right shows the registers and their current values. The lower left is a hex dump of memory, and the lower right is the stack. So far, we spent most of our efforts on the main thread, the stack, and slowly stepping through the code using breakpoints to pause its execution.

While looking at the assembly, I started setting multiple breakpoints as I didn't have a precise place to go. A breakpoint pauses the program when execution reaches that address, so you can inspect the registers and memory at that point. Over in the lower right corner where the stack is, you'll notice the addresses counting down as values are pushed, because the x86 stack grows toward lower addresses: each push decrements ESP, and each pop increments it.

After setting some breakpoints throughout the program, I ran it and noticed something strange yet somewhat familiar on the stack: a string that resembled base64 encoding. My hunch was correct and I was able to solve the first challenge, but I didn't have much time to focus on the remaining challenges.
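As an added example (my own code, not from the original post and not part of the Flare-On challenge files), here is the kind of check I now run on bytes copied out of the stack pane when a string "resembles base64": verify it against the base64 alphabet, length and padding rules, try a standard decode, and if that yields non-printable bytes, retry with a different alphabet. The custom-alphabet part goes beyond what the post describes; it is there because a program that rolls its own encoder can keep the same 64 characters but reorder them, which a standard decoder turns into garbage. The `SAMPLE_DUMP` bytes and the rotated `CUSTOM_ALPHABET` are constructed for the demo and have nothing to do with the real challenge1.exe.

```python
import base64
import binascii
import re
import string

# Standard RFC 4648 alphabet; the decoder below maps any other
# 64-character alphabet onto it before calling b64decode.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Hypothetical custom table for the demo (constructed): the standard table
# rotated by three positions. Not the alphabet used by any Flare-On binary.
CUSTOM_ALPHABET = STD_ALPHABET[3:] + STD_ALPHABET[:3]

# Runs of at least 16 base64 characters, optionally padded with '='.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def looks_like_base64(s: bytes) -> bool:
    """Heuristic: base64 charset only, length a multiple of 4, at most two '=' at the end."""
    if len(s) < 8 or len(s) % 4 != 0:
        return False
    body = s.rstrip(b"=")
    if len(s) - len(body) > 2:
        return False
    return all(chr(c) in STD_ALPHABET for c in body)


def encode_with_alphabet(data: bytes, alphabet: str = STD_ALPHABET) -> bytes:
    """Standard base64, then re-map the output through the given 64-char alphabet."""
    out = base64.b64encode(data)
    if alphabet != STD_ALPHABET:
        out = out.translate(bytes.maketrans(STD_ALPHABET.encode(), alphabet.encode()))
    return out


def decode_with_alphabet(s: bytes, alphabet: str = STD_ALPHABET) -> bytes:
    """Inverse of encode_with_alphabet: map the custom alphabet back, then decode strictly."""
    if alphabet != STD_ALPHABET:
        s = s.translate(bytes.maketrans(alphabet.encode(), STD_ALPHABET.encode()))
    return base64.b64decode(s, validate=True)


def _printable(data: bytes) -> bool:
    """True when every byte is printable ASCII (or tab/newline)."""
    return bool(data) and all(32 <= c < 127 or c in (9, 10, 13) for c in data)


def find_base64_candidates(blob: bytes):
    """Scan a raw dump for base64-looking runs.

    Returns (offset, run, decoded) triples. decoded is None when the run does
    not decode under the standard alphabet to printable text, which is the hint
    that the program may be using its own table."""
    hits = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        if not looks_like_base64(run):
            continue
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            decoded = None
        if decoded is not None and not _printable(decoded):
            decoded = None
        hits.append((m.start(), run, decoded))
    return hits


# Constructed stand-in for bytes copied out of the debugger's stack pane:
# a fake saved frame pointer / return address, a standard base64 string,
# a few junk bytes, then a string encoded with the custom table.
SAMPLE_DUMP = (
    b"\x00\x00\x00\x00\x10\xf0\x12\x00"
    + encode_with_alphabet(b"hello, world") + b"\x00"
    + b"\xde\xad\xbe\xef"
    + encode_with_alphabet(b"flag{constructed}", CUSTOM_ALPHABET) + b"\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for offset, run, decoded in find_base64_candidates(SAMPLE_DUMP):
        print(f"0x{offset:04x} {run.decode()!r:32} -> {decoded!r}")
        if decoded is None:
            # Standard table produced garbage; retry with the suspected custom table.
            print("       custom table ->", decode_with_alphabet(run, CUSTOM_ALPHABET))
```

The point of the `decoded is None` branch is that a valid-looking run which decodes cleanly to unprintable bytes is still worth chasing: in a debugger, the next step would be to find the 64-byte table the program indexes into (it is usually sitting in .rdata or on the stack next to the string) and feed it to `decode_with_alphabet`.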

This first challenge was a lot of fun, and the CTF as a whole is no exception. I have done quite a bit of reading on reverse engineering and malware analysis since getting a better understanding of how the stack and registers work. Some of the stuff I've read has been a good complement to my article on Art of Exploitation, but with that in mind, as I was learning about the newer tools, I also started reading Gray Hat Hacking, which was also complementary to Art of Exploitation.

Resources:

Gray Hat Hacking

Reverse Engineering Basics

RPISEC Malware Analysis Course Materials

Buffer Overflow basics