Sunday, November 23, 2014

Flare-on update

I made it to the sixth piece of the Flare-on challenge before life kept breaking up work on it into 20-minute blocks. Things to learn before I could do it: my copy of IDA 6.1 can't create signatures for x64 binaries, what a statically linked/stripped ELF is, how to identify syscalls, and how to manually map the libc source onto a statically linked ELF.

Well, after accomplishing these steps I located the user code in challenge 6 and managed to quickly extract an apparently base64-encoded buffer. When I decoded it, I thought it was garbage. Fast forward over two weeks, and it turns out that was exactly correct. It is executable code though! OMG!
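As an added illustration (not code from this post, and not the challenge's actual buffer), the script below shows one way to triage exactly the situation described above: a buffer that looks base64-encoded, decodes to apparent garbage, and may in fact be machine code. It checks the base64 shape, decodes, measures entropy and printable ratio, and scans for x86-64 `mov eax, imm32 ; syscall` stubs, which is also the simplest way to spot syscalls in a stripped, statically linked ELF. The sample bytes, the hypothetical function names and the partial syscall table are constructed for this example.

```python
import base64
import math
import re

# Constructed sample, not the challenge's buffer: three x86-64 libc-style syscall
# stubs ("mov eax, imm32 ; syscall") with a little filler, then base64-encoded
# the way the buffer pulled out of the binary was.
SAMPLE_CODE = bytes.fromhex(
    "b801000000"   # mov eax, 1        -> write
    "0f05"         # syscall
    "c3"           # ret
    "b83c000000"   # mov eax, 60       -> exit
    "0f05"         # syscall
    "4831c0"       # xor rax, rax
    "b8e7000000"   # mov eax, 231      -> exit_group
    "0f05"         # syscall
)
SAMPLE_B64 = base64.b64encode(SAMPLE_CODE).decode("ascii")

# Small subset of the x86-64 Linux syscall table (numbers are the kernel's own).
SYSCALL_NAMES = {
    0: "read", 1: "write", 2: "open", 3: "close", 9: "mmap",
    59: "execve", 60: "exit", 231: "exit_group",
}

# x86-64 encoding: B8 imm32 is "mov eax, imm32", 0F 05 is "syscall".
# Adjacency is required here; wrappers that shuffle registers between the
# two instructions (mov r10, rcx and the like) are missed by this pattern.
SYSCALL_STUB = re.compile(rb"\xb8(.{4})\x0f\x05", re.DOTALL)


def looks_like_base64(text: str) -> bool:
    """True if text is well-formed standard base64 (alphabet, padding, length)."""
    stripped = "".join(text.split())
    return (len(stripped) % 4 == 0 and
            re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", stripped) is not None)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed or encrypted data sits near 8, code is usually lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / len(data)) * math.log2(c / len(data)) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range 0x20..0x7e."""
    if not data:
        return 0.0
    return sum(0x20 <= b < 0x7F for b in data) / len(data)


def find_syscalls(data: bytes):
    """Return (offset, number, name) for every 'mov eax, N ; syscall' stub found."""
    hits = []
    for m in SYSCALL_STUB.finditer(data):
        number = int.from_bytes(m.group(1), "little")
        hits.append((m.start(), number, SYSCALL_NAMES.get(number, "unknown")))
    return hits


def triage(blob: str) -> dict:
    """Decode an apparently base64 buffer and report whether it looks like code."""
    if not looks_like_base64(blob):
        return {"base64": False}
    data = base64.b64decode("".join(blob.split()))
    syscalls = find_syscalls(data)
    return {
        "base64": True,
        "length": len(data),
        "entropy": round(shannon_entropy(data), 2),
        "printable_ratio": round(printable_ratio(data), 2),
        "syscalls": syscalls,
        # Few printable bytes plus recognisable syscall stubs: "garbage" that is code.
        "looks_like_code": bool(syscalls) and printable_ratio(data) < 0.5,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_B64).items():
        print(f"{key}: {value}")
```

The entropy and printable-ratio numbers alone cannot distinguish code from random bytes; the syscall-stub hits are what turn "looks like garbage" into "worth loading into a disassembler". On a real buffer, a hit list that resolves to plausible names (write, open, exit_group) is a strong hint that the decoded bytes are executable and should be treated as code rather than discarded.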

Hopefully this week I'll find time to see what the code does.
