Reverse Engineering | Maverick Kaung https://www.mavjs.org/tag/reverse-engineering/ Reverse Engineering Wowchemy (https://wowchemy.com)en-usMon, 08 Oct 2018 19:42:33 +0200 https://www.mavjs.org/media/icon_hu268191f709183466a438488e2ba784b7_1058813_512x512_fill_lanczos_center_3.png Reverse Engineering https://www.mavjs.org/tag/reverse-engineering/ 2018 FLARE-On Challenges Writeup https://www.mavjs.org/post/flareon5-writeup/ Mon, 08 Oct 2018 19:42:33 +0200 https://www.mavjs.org/post/flareon5-writeup/ <p>I decided to participate in this year&rsquo;s edition of <a href="https://www.fireeye.com/blog/threat-research/2018/08/announcing-the-fifth-annual-flare-on-challenge.html" target="_blank" rel="noopener">FLARE-On challenge</a>. It is made by the fine folks from FireEye Labs Advanced Reverse Engineering (FLARE) team.</p> <p>I wanted to see how far I could go. I did not set any goals nor did I took it as seriously as I would have liked.</p> <figure > <div class="d-flex justify-content-center"> <div class="w-100" ><img src="https://www.mavjs.org/img/1-flareon.png" alt="" loading="lazy" data-zoomable /></div> </div></figure> <p>The challenge is now over and I only managed to make it to the 2 challenge, as expected (you can see the reason why above 😆 ). Let&rsquo;s get on with the challenges.</p> <h1 id="minesweeper-championship-registration">Minesweeper Championship Registration</h1> <p>Simple challenge. Once you open the zipped file, you&rsquo;ll get a <code>jar</code> file.</p> <p>These days I mostly use <a href="https://bytecodeviewer.com/" target="_blank" rel="noopener">Bytecode Viewer</a> when it comes to <code>APK</code> or <code>jar</code> files. Once you open the challenge <code>jar</code> file with it and navigate to the only class file in there you&rsquo;ll see the following code:</p> <figure > <div class="d-flex justify-content-center"> <div class="w-100" ><img src="https://www.mavjs.org/img/2-flareon.png" alt="" loading="lazy" data-zoomable /></div> </div></figure> <p>Rest is history! 😉</p> <h1 id="ultimate-minesweeper">Ultimate Minesweeper</h1> <p>Boy, was I in for a challenge with this one. 😅</p> <p>Figured out it was a <code>.NET</code> binary and remembered a friend of mine talking about their experience decompiling them a few months back, I took this opportunity to try it out. There might have been an easier way than what I will be describing below:</p> <ul> <li>Opened up the binary using <em>Jetbrains</em>&rsquo;s <a href="https://www.jetbrains.com/decompiler/" target="_blank" rel="noopener">dotPeek</a>.</li> <li>Exported it to a Visual Studio project.</li> </ul> <figure > <div class="d-flex justify-content-center"> <div class="w-100" ><img src="https://www.mavjs.org/img/3-1-flareon.png" alt="" loading="lazy" data-zoomable /></div> </div></figure> <ul> <li>Opened up the solution/project with Visual Studio.</li> <li>Started looking into the main class.</li> <li>Found a function <code>SquareRevealedCallback</code> that is used as a callback after each click on the minefield tiles.</li> </ul> <figure > <div class="d-flex justify-content-center"> <div class="w-100" ><img src="https://www.mavjs.org/img/3-2-flareon.png" alt="" loading="lazy" data-zoomable /></div> </div></figure> <ul> <li>Got to another function <code>BombRevealed</code> that checks if any minefields were revealed, which returns <code>true</code> or <code>false</code> to the callback function above.</li> </ul> <figure > <div class="d-flex justify-content-center"> <div class="w-100" ><img src="https://www.mavjs.org/img/3-3-flareon.png" alt="" loading="lazy" data-zoomable /></div> </div></figure> <ul> <li>Modified the <code>if</code> statement in <code>BombRevealed</code> as below and rest is some clicking. 😆</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-C#" data-lang="C#"><span style="display:flex;"><span><span style="color:#66d9ef">if</span> (!<span style="color:#66d9ef">this</span>.MinesPresent[index2, index1]) </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> System.Console.WriteLine(index1 + <span style="color:#ae81ff">1</span>); </span></span><span style="display:flex;"><span> System.Console.WriteLine(index2 + <span style="color:#ae81ff">1</span>); </span></span><span style="display:flex;"><span>} </span></span></code></pre></div> <figure > <div class="d-flex justify-content-center"> <div class="w-100" ><img src="https://www.mavjs.org/img/3-4-flareon.png" alt="" loading="lazy" data-zoomable /></div> </div></figure> <p>Definitely going to hone my skills before next year&rsquo;s FLARE-on challenge! 💪 😎</p> <p>Also check out a more in-depth thorough writeup of the challenges from the authors: <a href="https://www.fireeye.com/blog/threat-research/2018/10/2018-flare-on-challenge-solutions.html" target="_blank" rel="noopener">https://www.fireeye.com/blog/threat-research/2018/10/2018-flare-on-challenge-solutions.html</a></p>