Sunday, November 23, 2014

Flare-on update

I made it to the sixth piece of the Flare-on challenge before life kept breaking up work on it into 20 minute blocks. Things to learn before I could do it: my copy of IDA 6.1 can't create signatures for x64 binaries, what a statically linked, stripped ELF is, how to identify syscalls, and how to manually map the libc source onto a statically linked ELF.

Well, after accomplishing these steps I located the user code in challenge 6 and managed to quickly extract an apparently base64 encoded buffer. When I decoded it, I thought it was garbage. Fast forward over two weeks: it turns out that was exactly correct. It is executable code though! OMG!
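Two of the things mentioned above, telling a decoded buffer apart from plain garbage and identifying syscalls in a statically linked, stripped x86-64 ELF, can be done with a small script. The following is an added example, not code from the post or from the challenge; the sample bytes are constructed here, and the script assumes the two common glibc encodings for loading the syscall number (mov eax, imm32 and mov rax, imm32) followed by the two-byte syscall opcode, which is a heuristic rather than a disassembler.

```python
import base64
import struct

# x86-64 Linux syscall numbers (small subset of the kernel's syscall table).
SYSCALL_NAMES = {0: "read", 1: "write", 2: "open", 3: "close", 9: "mmap",
                 10: "mprotect", 60: "exit", 231: "exit_group"}

SYSCALL_OPCODE = b"\x0f\x05"  # encoding of the `syscall` instruction


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """Heuristic: a decoded buffer that is mostly printable ASCII is probably
    text; machine code has far too many non-printable bytes to pass."""
    if not data:
        return True
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


def _recover_syscall_number(code: bytes, syscall_off: int, lookback: int):
    """Walk backwards from a `syscall` looking for the nearest
    `mov eax, imm32` (B8 imm32) or `mov rax, imm32` (48 C7 C0 imm32)
    and return that immediate, or None if neither is found in the window.
    A stray 0xB8 inside another immediate can fool this; it is a heuristic."""
    start = max(0, syscall_off - lookback)
    for i in range(syscall_off - 5, start - 1, -1):
        if code[i] == 0xB8:
            return struct.unpack_from("<I", code, i + 1)[0]
        if i >= 2 and code[i - 2:i + 1] == b"\x48\xc7\xc0":
            return struct.unpack_from("<I", code, i + 1)[0]
    return None


def find_syscalls(code: bytes, lookback: int = 16):
    """Return (offset, number, name) for every `syscall` instruction found,
    with the number resolved where the preceding mov could be recovered."""
    results = []
    pos = code.find(SYSCALL_OPCODE)
    while pos != -1:
        number = _recover_syscall_number(code, pos, lookback)
        name = SYSCALL_NAMES.get(number, "unknown") if number is not None else "unknown"
        results.append((pos, number, name))
        pos = code.find(SYSCALL_OPCODE, pos + len(SYSCALL_OPCODE))
    return results


def analyze_blob(b64: str) -> dict:
    """Decode a base64 buffer and report whether it is text and, if not,
    which syscalls it appears to make."""
    data = base64.b64decode(b64)
    if looks_like_text(data):
        return {"kind": "text", "size": len(data), "syscalls": []}
    return {"kind": "binary", "size": len(data), "syscalls": find_syscalls(data)}


# Constructed sample: write(1, ...) followed by exit(60), as glibc would emit it.
SAMPLE_CODE = (
    b"\xb8\x01\x00\x00\x00"          # mov eax, 1      (write)
    b"\xbf\x01\x00\x00\x00"          # mov edi, 1      (fd = stdout)
    b"\x0f\x05"                      # syscall         (offset 10)
    b"\x48\xc7\xc0\x3c\x00\x00\x00"  # mov rax, 60     (exit)
    b"\x0f\x05"                      # syscall         (offset 19)
)
SAMPLE_B64 = base64.b64encode(SAMPLE_CODE).decode()

if __name__ == "__main__":
    print(analyze_blob(SAMPLE_B64))
    print(analyze_blob(base64.b64encode(b"Hello, world!").decode()))
```

Run against a real statically linked binary you would feed it the .text section rather than a base64 string, and a proper disassembler will beat the lookback heuristic once the compiler moves the number into eax several instructions earlier; the point here is that a buffer which decodes to "garbage" but contains recognisable syscall stubs is very likely code.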

Hopefully this week I'll find time to see what the code does.

Wednesday, November 5, 2014

FLARE-on Challenges approximately seven hours in

I don't know how much I can say about the content of the FLARE-on challenges, and I wouldn't want to post spoilers anyway. Currently, I'm about seven hours of effort in and some of that was spent resurrecting an old virtual machine.

Five of the seven challenges down, I absolutely recommend these for anyone wanting to work on their reversing chops. In presenting the challenge, Mike had claimed that you would see the whole gamut of reversing targets. He was not joking.
If you take on the challenge you might see malicious PDFs, .NET binaries, obfuscated PHP, JavaScript, x86, x64, PE, ELF, Mach-O, and so on.
- Mike Sikorski -
I've so far been tripped up by trying to work on x64 binaries in a 32 bit VM, having the wrong version of .NET running in an internet-disconnected box, and needing to get an XP VM with exactly the right version of exploitable 3rd party software to capture a running exploit.

Good times! Let me end with this awesome screenshot from winning Challenge 5.

Saturday, November 1, 2014

FLARE On Challenge - first impressions

At the beginning of the week, FireEye released APT28: A Window Into Russia’s Cyber Espionage Operations. (PDF) Just like then-Mandiant's APT1 report from February 2013, this paper provides an incredible in-depth look at the world of nation state computer network operations (or hacking in media terms). Reading this report drove me to read up more on FireEye, which landed me on Mike Sikorski's June 2014 announcement of the FireEye Labs Advanced Reverse Engineering (FLARE) team.

The FLARE On Challenge

Along with the creation of the new team, Mike was also announcing a reversing challenge / candidate screening: the FLARE On Challenge. The challenge has now closed, but most of my hobbyist reversing tends to be attacking shareware protection, so I figured I'd check it out.

Set up

First, it was time to dust off my virtual machines. Never execute reversing challenges, hack-mes, or live malware on your physical machine. That is just begging for a problem.
The TERMS & CONDITIONS page of the challenge even includes a warning.
I updated the tools in my 32 bit machine and executed C1.exe. It did nothing at all: the file is a 64 bit self-extracting zip. So I do a quick scan of it in IDA64 and then run it... which just pops up a EULA, which is available online too. Oddly enough, I actually stopped to read it, which is what led to this blog. I was so struck by how odd it was that the EULA is still up on screen in that VM.
2. Restrictions.  Licensee will not allow any third party to): (i) reverse engineer or attempt to discover any source code or underlying ideas or algorithms of the Software
Emphasis is mine. Copying it here caused me to re-read it, and I now see that the EULA is forbidding me from allowing anyone else to reverse it, rather than forbidding me, but still. I was given a piece of software as an explicit reverse engineering challenge with a license that forbids me from allowing someone to reverse it?

Who Reads These Things Anyway?

I really doubt the intention of the EULA was actually to be read by the participants; rather, it is a CYA popup so that the lawyers can point out that they had warned you. The warning in question is this gem:
4.   WARNING: (a) Dangerous Malicious Code - The Software contains dangerous malicious computer code that will cause damage to Your or others computers and/or networks if not used properly.  Licensor is not responsible for the misuse or accidental misuse of this Software and the End-User accepts all responsibility for any damage incurred by the End-User. (b) Safe Environment - The Software should not be run without a safe environment that can easily be restored to a prior state, such as a virtual machine.  The End-User agrees that in no case shall the Software be used by the End-User on production systems or systems that contain sensitive or valuable information. (c) Prohibition on Connecting this Software to the Internet - The End-User agrees that the Software will not be used on systems connected to the Internet due to the risks posed to the machine running the Software as well as the risks posed to the greater Internet.
Well. That is fun. Of course VMware Player can't snapshot, so this is going to require a bit more setup before I continue.