Flare-On 6 CTF WriteUp (Part 5)


This is the fifth part of the Flare-On 6 CTF WriteUp series.

5 - Demo

The challenge reads

Someone on the Flare team tried to impress us with their demoscene skills. It seems blank. See if you can figure it out or maybe we will have to fire them. No pressure.
** You will need DirectX 9

We have a PE file named 4k.exe. Running the binary pops up a window containing the rotating Flare logo on a black background.

Figure 1: Rotating Flare logo

The window doesn't exhibit any other behavior. It does not respond to mouse clicks or keypresses, except for the ESC key, which closes it.

An entropy scan in Detect It Easy reveals the binary is packed.
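The entropy check that Detect It Easy performs can be reproduced with a short script. The following is an added example, not part of the original writeup and not the tool's own code: it walks the PE section table with `struct`, computes the Shannon entropy of each section's raw bytes, and flags sections at or above an assumed threshold of 7.0 bits per byte, which is where compressed or encrypted payloads typically sit. The sample image it scans is constructed in memory (`build_sample_pe`, `SAMPLE_IMAGE`) and is not 4k.exe.

```python
import hashlib
import math
import struct
from collections import Counter

# Assumed threshold (bits per byte): compressed or encrypted data sits close to 8.0,
# ordinary x86 code and text well below it. Tune for your own corpus.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section of a PE image, walking only the
    DOS header, PE signature, COFF header and section table (no third-party parser)."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_header_size
    for i in range(num_sections):
        hdr = table + 40 * i                      # IMAGE_SECTION_HEADER is 40 bytes
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]


def scan_sections(image: bytes):
    """Return [(name, entropy, suspicious)] for every section of the image."""
    report = []
    for name, data in pe_sections(image):
        h = shannon_entropy(data)
        report.append((name, round(h, 2), h >= PACKED_ENTROPY_THRESHOLD))
    return report


def looks_packed(image: bytes) -> bool:
    """True when any section's entropy reaches the packed threshold."""
    return any(flag for _, _, flag in scan_sections(image))


def build_sample_pe(sections):
    """Construct a minimal in-memory PE image for demonstration (constructed input,
    not 4k.exe): DOS header, PE signature, COFF header with no optional header,
    section table, then the raw section data back to back."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        table += name.ljust(8, b"\0")[:8]
        table += struct.pack("<IIII", len(data), 0x1000, len(data), raw_ptr)
        table += b"\0" * 16                       # relocs, line numbers, characteristics
        body += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + table + body


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, seed = b"", b"constructed"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]


# Constructed sample: a low-entropy code section, a low-entropy data section and a
# high-entropy section mimicking a packer's compressed payload.
SAMPLE_IMAGE = build_sample_pe([
    (b".text", b"\x55\x8b\xec\x83\xec\x10" * 200),
    (b".data", b"Hello, Flare-On!\0" * 50),
    (b"pack0", _pseudo_random(4096)),
])

if __name__ == "__main__":
    for name, entropy, suspicious in scan_sections(SAMPLE_IMAGE):
        print(f"{name:8} entropy={entropy:4.2f} {'PACKED?' if suspicious else ''}")
    print("looks packed:", looks_packed(SAMPLE_IMAGE))
```

Run it against a real file with `scan_sections(open(path, "rb").read())`. A single high-entropy section is a hint, not proof: resources such as embedded images or certificates also score high, so treat the result as a reason to look at the entrypoint code, as the next figures do, rather than as a verdict.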

Figure 2: The binary is packed

The instructions near the entrypoint do not look like the output of a standard compiler, which confirms that the binary is indeed packed.

Figure 3: This does not look to be generated by a standard compiler

Dynamic analysis in a debugger is generally the best approach when reversing packed binaries. A packed binary has a decompression stub at the beginning whose purpose is to decompress the compressed code to its proper location in memory and transfer control to it. Analyzing the decompression stub itself is not always needed, and in this binary we can bypass it. Set a breakpoint on the ret instruction shown in Figure 4; it's located a few lines below the entrypoint.

Figure 4: Bypassing the decompression stub

When the breakpoint hits, single step once to reach Figure 5, which is close to the Original Entry Point (OEP).

Figure 6: Near OEP

The OEP is located just below at 42008E as shown in Figure 7.

Figure 7: At OEP

As mentioned in the challenge description, the binary requires DirectX 9 to run. To ease analysis, it's recommended to have the proper PDB symbols loaded. First ensure that the Symbol Store and Symbol Path are set in the x64dbg preferences. Then go to the Symbols tab and choose Right Click -> Download Symbols for all modules.

At the beginning we have a call to Direct3DCreate9.

Figure 8: Call to Direct3DCreate9

If the call is successful, it proceeds to create a window and set its size as in Figure 9.

Figure 9: Creating a window

Next, we have a call to a function which creates two meshes. A mesh is an ordered collection of vertices describing an object.

Figure 10: Creating two meshes

Note that the function name create_mesh is not part of the original binary; it has been added later based on the function's disassembled code. Next, it sets up lighting as shown in Figure 11.

Figure 11: Lighting up!

Finally, it calls GetAsyncKeyState in an infinite loop, polling the state of the ESC key.

Figure 12: The Frame loop

If ESC is not pressed, it goes on to draw a frame. This continues in a loop.

Analyzing setup_meshes

Inside setup_meshes we already saw two calls to create_mesh, as in Figure 10. That's strange considering we can only see a single mesh in the window: the rotating Flare logo. Let's look inside create_mesh.

Figure 13: The create_mesh function

There is a call to D3DXCreateMeshFVF. The first two parameters of this function are the number of faces and the number of vertices of the mesh, respectively. Let's find out the number of faces and vertices for each mesh. This can be done by simply setting a breakpoint at the call instruction and inspecting the stack.

For the first mesh,

Figure 14: First Mesh

Number of faces = 0x38 = 56
Number of vertices = 0x1E = 30

For the second mesh,

Figure 15: Second Mesh

Number of faces = 0x10A = 266
Number of vertices = 0x128 = 296

The second mesh has a large number of faces and vertices, so it's highly unlikely that it is the Flare logo. This mesh is probably hidden or not drawn, which is why we cannot see it on the screen. Let's see if we can make it visible.

Figure 16: The return value is stored in memory

The return value from create_mesh in eax is stored in memory as shown in Figure 16. For the first call, this goes to 0x430050, and to 0x430054 for the second. Let's swap those two memory locations. This can be easily done in x64dbg by double clicking the instruction and changing the addresses. Our patched code looks like Figure 17.
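The same swap can be applied to the raw bytes instead of by hand in the debugger, which is useful when you want a reproducible patch. The following is an added example, not code from the writeup: it assumes the two stores are encoded as `mov [moffs32], eax` (opcode A3 followed by a 32-bit little-endian address, the usual form for a store to an absolute address in 32-bit code; that this is the exact encoding in 4k.exe is an assumption), locates each target address, and exchanges them only when each is found exactly once so a second match cannot be patched by mistake. `SAMPLE_CODE` is a constructed stand-in for the two call sites, not bytes from the binary.

```python
import struct

# MOV moffs32, EAX: opcode A3 followed by a 4-byte little-endian absolute address
# (32-bit code, no prefixes). Assumed encoding; verify against the disassembly.
MOV_MOFFS32_EAX = 0xA3


def find_store_to(code: bytes, addr: int):
    """Return every offset at which `mov [addr], eax` (A3 imm32) occurs in `code`."""
    pattern = bytes([MOV_MOFFS32_EAX]) + struct.pack("<I", addr)
    hits, pos = [], code.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = code.find(pattern, pos + 1)
    return hits


def swap_store_targets(code: bytes, addr_a: int, addr_b: int) -> bytes:
    """Exchange the destinations of two `mov [addr], eax` stores.

    Refuses to patch unless each address is stored exactly once: a naive byte
    search can also match inside unrelated instructions or data, and silently
    patching the wrong site is worse than failing loudly."""
    hits_a, hits_b = find_store_to(code, addr_a), find_store_to(code, addr_b)
    if len(hits_a) != 1 or len(hits_b) != 1:
        raise ValueError(f"expected one store each, found {len(hits_a)} and {len(hits_b)}")
    patched = bytearray(code)
    struct.pack_into("<I", patched, hits_a[0] + 1, addr_b)   # +1 skips the A3 opcode
    struct.pack_into("<I", patched, hits_b[0] + 1, addr_a)
    return bytes(patched)


# Constructed stand-in for the two call sites in setup_meshes (not bytes from 4k.exe):
#   call create_mesh ; mov [0x430050], eax ; ... ; call create_mesh ; mov [0x430054], eax ; ret
MESH_A, MESH_B = 0x430050, 0x430054
SAMPLE_CODE = (
    b"\xE8\x00\x00\x00\x00"                       # call rel32 (placeholder displacement)
    + b"\xA3" + struct.pack("<I", MESH_A)
    + b"\x90" * 4                                 # filler between the two calls
    + b"\xE8\x00\x00\x00\x00"
    + b"\xA3" + struct.pack("<I", MESH_B)
    + b"\xC3"                                     # ret
)

if __name__ == "__main__":
    patched = swap_store_targets(SAMPLE_CODE, MESH_A, MESH_B)
    print("original stores:", find_store_to(SAMPLE_CODE, MESH_A), find_store_to(SAMPLE_CODE, MESH_B))
    print("patched  stores:", find_store_to(patched, MESH_A), find_store_to(patched, MESH_B))
```

To apply this to a file rather than a memory dump, the search must run over the section that contains setup_meshes and the result written back at the same file offset; the patch is length preserving, so no other bytes move.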

Figure 17: Swapping the memory locations

Now all that is left is to see the changes in action!

Figure 18: A change for the better!

Instead of the rotating Flare logo, we now see the rotating flag. Thus the second mesh was indeed the flag.

FLAG: moar_pouetry@flare-on.com
Barun

Reverse Engineer with an interest in low level stuff and anything about security.