Writeup – Flare-on Challenge 2017 notepad.exe

Over the past few weeks, I devoted intermittent chunks of time to the 2017 Flare-on Challenge. During the time allocated, I was able to solve 4 challenges (maybe? I got to pewpewboat.exe). I will present my writeup for one of the simpler challenges below.

notepad.exe

This challenge was presented as a Windows executable, which looked similar to notepad.exe. You can download the binary here.

Upon initial inspection in IDA, we can see that this is glaringly different from a regular notepad executable. We can begin by sifting some order from the madness: by converting the immediates that the initial stack setup stores to the stack into strings, we can begin to see a few clues:

We can also note an interesting pattern in the initial calls: one function (let’s call it Function A) is called once, then Function B is called a number of times. Each call to Function B is passed a hard-coded 32-bit magic value that looks like a hash, and the return values are stored in consecutive slots on the stack:

At this point, I was suspicious – this smelled awfully like old-school function lookups by hash (the same trick position-independent shellcode uses to avoid an import table), and it would explain why other functions in the application appeared to be passed a pointer to the beginning of the “function table”. We can confirm this with some quick analysis in WinDbg. Firstly, we can confirm that sub_10153D0 (called at 0x01013c59) returns the base address of kernel32.dll:

We then test sub_1015310 and confirm that it is indeed resolving functions, returning an export address for the hash it is given:

We can then proceed down the list and make our own “function table”, corresponding to what is loaded at runtime, to help us disassemble the rest of the challenge. Because the magic numbers are static constants baked into the binary, the order in which the resolved pointers land in the table cannot change, so an offset into the table identifies the API unambiguously wherever it is called later.
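The following is an added example (not code from the write-up or the challenge) of how one would rebuild that “function table” offline: take the ordered magic values lifted from the disassembly, hash every export name of the DLL with the same routine Function B uses, and pair each slot with its API name. The ROR13 routine below is an assumption, since the write-up never states which hash notepad.exe uses, and the export list is a constructed stand-in for what you would read from kernel32.dll’s export directory.

```python
"""Rebuild a hash-resolved import table from hard-coded magic values.

Added example; this is not code from the challenge or the write-up. The hash
routine (ROR13 over the ASCII export name) is an ASSUMPTION: swap in the one
you recover from Function B before trusting the results.
"""
from typing import Dict, Iterable, List, Optional, Tuple


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count &= 31
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def api_hash(name: str) -> int:
    """ASSUMED hash: h = ror32(h, 13) + byte, over the ASCII export name."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


# CONSTRUCTED stand-in for the names you would read out of kernel32.dll's
# export directory (e.g. with pefile, or by walking IMAGE_EXPORT_DIRECTORY).
SAMPLE_EXPORTS: List[str] = [
    "CloseHandle", "CreateFileA", "CreateFileW", "FindFirstFileA",
    "FindNextFileA", "GetFileTime", "GetModuleHandleA", "GetProcAddress",
    "LoadLibraryA", "ReadFile", "SetFileTime", "VirtualAlloc", "WriteFile",
]


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Map hash -> export name, refusing a table that is silently ambiguous."""
    table: Dict[int, str] = {}
    for name in names:
        h = api_hash(name)
        if h in table and table[h] != name:
            raise ValueError(
                f"hash collision: {table[h]!r} and {name!r} both hash to {h:#010x}"
            )
        table[h] = name
    return table


def resolve_table(
    magic_values: Iterable[int], names: Iterable[str]
) -> List[Tuple[int, Optional[str]]]:
    """Turn the ordered magic values pulled from the disassembly into the
    ordered function table the malware fills at runtime: index i here is the
    slot a later `call [table + 4*i]` reads, so it can be annotated by name.
    A None entry means the hash matched nothing: wrong algorithm or wrong DLL."""
    lookup = build_hash_table(names)
    return [(h, lookup.get(h)) for h in magic_values]


if __name__ == "__main__":
    # Stand-ins for the constants pushed before each call to Function B.
    magic = [api_hash("LoadLibraryA"), api_hash("GetProcAddress"), 0xDEADBEEF]
    for slot, (h, name) in enumerate(resolve_table(magic, SAMPLE_EXPORTS)):
        print(f"table[{slot}] = {h:#010x} -> {name or '<unresolved>'}")
```

If every slot resolves, the table doubles as a list of enum names to apply in IDA to the `table + 4*i` references; if nothing resolves, the hash routine is wrong, and if only some slots resolve, the remaining hashes are most likely being looked up in a second DLL.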

From here, this looks like a stock-standard file-infecting replicator; the file infection code lies at 0x01014e20. But we note an interesting detour to the side at 0x010146c0: this function plays some fun games with the timestamp of each file:

By following the data trail (stepping through it manually in WinDbg), we learn that this function compares *both* the TimeDateStamp in the FileHeader of the current process *and* that of the “file to infect”. If both match a magic value, some data is read from the target file and written to target.bin (certainly an interesting way to hide the key).

There are 5 such values, and a sixth that triggers the “win” message box, decrypting something with a key from key.bin and displaying it (presumably, the flag). I took CFF Explorer and dutifully created 6 copies of notepad.exe, each with one of the magic values in the FileHeader->TimeDateStamp field. I then downloaded the Flare-on Challenge 2016 binaries and placed them in %USERPROFILE%\flareon2016challenge. Running the binaries in order, and then running the final “win” binary, produces the flag:
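Doing the same edit in code rather than by hand in CFF Explorer, as an added example that is not part of the write-up: the script below locates IMAGE_FILE_HEADER.TimeDateStamp (e_lfanew at 0x3C, then past the 4-byte “PE\0\0” signature, Machine and NumberOfSections), rewrites it, and emits one copy per magic value. The page does not reproduce the magic constants, so MAGIC_STAMPS holds hypothetical placeholders, and the PE header fixture used for the self-test is constructed inline.

```python
"""Patch IMAGE_FILE_HEADER.TimeDateStamp to produce the trigger copies.

Added example, not code from the write-up (which used CFF Explorer by hand).
MAGIC_STAMPS holds HYPOTHETICAL placeholders: the real constants must be
lifted from the comparison at 0x010146c0.
"""
import struct
from typing import List

# HYPOTHETICAL placeholders: five "reveal" stamps plus the sixth "win" stamp.
MAGIC_STAMPS: List[int] = [
    0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x55555555, 0x66666666,
]


def timedatestamp_offset(pe: bytes) -> int:
    """File offset of IMAGE_FILE_HEADER.TimeDateStamp.

    IMAGE_DOS_HEADER.e_lfanew (at 0x3C) points at "PE\\0\\0"; the COFF header
    that follows is Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + 2 + 2


def read_timestamp(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, timedatestamp_offset(pe))[0]


def set_timestamp(pe: bytes, stamp: int) -> bytes:
    """Return a copy of `pe` with TimeDateStamp replaced.

    The loader maps the headers as they are on disk and nothing checks this
    field at load time (the optional-header CheckSum is only enforced for
    drivers), so the patched copy runs and sees the new value in its own
    FileHeader, which is exactly what the check at 0x010146c0 reads."""
    if not 0 <= stamp <= 0xFFFFFFFF:
        raise ValueError("TimeDateStamp is a 32-bit field")
    patched = bytearray(pe)
    struct.pack_into("<I", patched, timedatestamp_offset(pe), stamp)
    return bytes(patched)


def make_variants(pe: bytes, stamps: List[int] = MAGIC_STAMPS) -> List[bytes]:
    """One patched image per magic value, in the order given."""
    return [set_timestamp(pe, s) for s in stamps]


def build_minimal_pe_header() -> bytes:
    """CONSTRUCTED fixture: a 0x40-byte DOS header followed by a bare COFF
    header. Enough for the offset arithmetic above, not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows DOS header
    # Machine=i386, 1 section, TimeDateStamp (arbitrary), no symbols,
    # SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0x59C0E000, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    import sys
    src = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(src, "rb").read() if src else build_minimal_pe_header()
    print(f"original TimeDateStamp: {read_timestamp(image):#010x}")
    for i, blob in enumerate(make_variants(image), 1):
        out = f"notepad_{i}.exe"
        if src:
            with open(out, "wb") as f:
                f.write(blob)
        print(f"{out}: TimeDateStamp={read_timestamp(blob):#010x}")
```

Run it as `python patch_stamp.py notepad.exe` to write notepad_1.exe through notepad_6.exe; with no argument it only exercises the constructed header. Note that this covers just one side of the check: the “file to infect” in the target directory must carry a matching stamp as well.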

Success.

All in all, this was an enjoyable, yet humbling experience. I am thankful for the experience and the lesson – that not having time is no excuse, that it is up to us to make time for what we hold dear (in this case, trying to git gud). Thanks to the FireEye folks for putting on this challenge, year after year – I look forward to exceeding my progress next year.

There will likely be no new post this weekend, due to attending Ruxcon (though I’m chipping away at the Vivado command-line tools – which is probably worth a post on its own).

About Norman

Sometimes, I write code. Occasionally, it even works.