Cyber Threat Lessons Learned from Reversing the Flare-On Challenge

The FireEye Labs Advanced Reverse Engineering (FLARE) team just hosted the third annual FLARE-On Challenge, its reverse-engineering CTF. The CTF is made up of linear challenges where one must solve the first to proceed to the next. Out of the 2,063 participants, only 124 people were able to finish all of the challenges. Of those 124 successful participants, only 17 were from the U.S., including us! Josh completed the FLARE-On Challenge last year (2015), learned a lot and improved his reversing skills significantly, which was motivation enough to challenge himself again and attempt to finish this year’s contest. Last year’s challenge had interesting problems and gave him first-hand experience reverse engineering Windows kernel drivers, native Android ARM libraries, and .NET executables, among other types of binaries. This year’s challenge was also a good way to validate that his reverse-engineering skills hadn’t dipped, and he was able to get through some of the challenges this year faster thanks to the lessons learned last year. Blaine's passion is reverse engineering, which he has applied to analyzing malicious binaries for years, including those of APTs. Due to the competition's reputation, Blaine decided to attempt the competition as a way to validate and hone his reverse engineering and malware analysis skills. While we both approached each problem set in unique ways, the competition this year did not disappoint.

So What is the FLARE-On Challenge?

This year's contest consisted of ten levels, each requiring a different strategy and set of skills. The levels progressed in difficulty starting with more basic reversing skills and escalating to the more difficult and lesser known skills. Many levels employed different anti-analysis techniques including:

    • Custom base64 encoding
    • Various symmetric encryption routines
    • Obfuscation
    • Anti-VM and anti-debugger checks
    • Custom virtual machine
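Custom base64 is the most common of the encodings above, and the usual trick is that the binary uses the standard algorithm with a shuffled 64-character table. Once the table has been recovered from the binary, decoding needs no reimplementation of the bit-packing: translating the custom characters back to the standard alphabet lets the standard library do the rest. The helper below is an added example written for this post, not code from the challenge or from the FLARE team; the rotated alphabet `ROT_ALPHABET` is a constructed stand-in for whatever table a real sample would carry.

```python
import base64
import string

# Reference ordering: the standard RFC 4648 alphabet.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed example of a "custom" alphabet (standard alphabet rotated by one);
# a real sample would have its table recovered from the binary's data section.
ROT_ALPHABET = STD_ALPHABET[1:] + STD_ALPHABET[0]


def _check_alphabet(alphabet: str, pad: str) -> None:
    """Reject tables that cannot be a valid base64 alphabet."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct characters")
    if len(pad) != 1 or pad in alphabet:
        raise ValueError("pad must be a single character outside the alphabet")


def custom_b64decode(text: str, alphabet: str, pad: str = "=") -> bytes:
    """Decode base64 text written with a non-standard alphabet.

    The custom characters are translated to their standard counterparts,
    so the standard library does the actual 6-bit unpacking. Missing
    padding is tolerated because custom encoders often drop it.
    """
    _check_alphabet(alphabet, pad)
    table = str.maketrans(alphabet + pad, STD_ALPHABET + "=")
    standard = text.translate(table)
    standard += "=" * (-len(standard) % 4)
    # validate=True turns any character outside the table into an error
    # instead of letting it be silently skipped.
    return base64.b64decode(standard, validate=True)


def custom_b64encode(raw: bytes, alphabet: str, pad: str = "=") -> str:
    """Inverse of custom_b64decode; handy for confirming a recovered alphabet
    by re-encoding known plaintext and comparing with the binary's output."""
    _check_alphabet(alphabet, pad)
    table = str.maketrans(STD_ALPHABET + "=", alphabet + pad)
    return base64.b64encode(raw).decode("ascii").translate(table)


if __name__ == "__main__":
    encoded = custom_b64encode(b"hello", ROT_ALPHABET)
    print(encoded, custom_b64decode(encoded, ROT_ALPHABET))
```

The encode direction is the useful sanity check: if re-encoding a string you already know the binary produces does not reproduce its output byte for byte, the recovered table (or the assumed padding character) is wrong, and that is worth knowing before spending time on the decoded data.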

As per the tradition in past FLARE-On challenges, each level consisted of a binary that participants needed to reverse-engineer to uncover a hidden flag -- an email address ending in “@flare-on.com”. Each challenge is unique and doesn’t build upon the previous challenges. Some examples of binaries seen in this year’s contest were:

    • .NET executable
    • DLL
    • Compiled Go executable
    • Ransomware sample
    • PCAP
    • SWF

This year’s FLARE-On Challenge used a variant of the CTFd framework to host the competition. Upon completing a level and finding the flag, you’d enter it into the system and it would score your flag as correct or incorrect, and record your time of completion. The framework is nice as it also provides you with a statistics view of how you are proceeding through the challenge. Below are examples of our stats:

[Screenshots: the CTFd statistics view for each of us]

Note: The failed submission attempts are a result of not being able to tell the difference between “0”s and “O”s on the challenges where the flag was in the form of an image.


Getting Started

The FLARE-On Challenge is open to all who wish to participate, and welcomes all skill levels from beginners to experts, or just the plain curious. Simply register on the site with your email and you’re off to the races. The challenges are generally open to contestants for 5-6 weeks at a time and have so far been held between July and November. This year’s contest was held for 6 weeks, starting on Sept 23 and ending on Nov 4.

If you’re new to the CTF world, there are some fundamental building blocks you’ll need to get started. First, you’ll need a virtual machine to enable you to run applications and various programs in either Windows or Linux. While not 100% necessary, we always recommend a VM, as precautions should be taken when running unknown binaries on your machine. Your debugger of choice, such as OllyDbg, Immunity Debugger, WinDbg, or x64dbg, is also a necessity. Similarly, you’ll need your favorite disassembler. We highly recommend IDA (pro or free version), radare2, or Hopper (pro or free version). Additionally, a foundational knowledge of x86/x64 assembly will help you read the disassembly.

With that infrastructure in place, there are a few more decisions to make. The challenge is language agnostic, although Python and C/C++ are always solid options. As we mentioned previously, each challenge is unique, so you’ll be acquiring and relying on different tools as you progress through the challenges. At various points, we relied upon tools like dnSpy and ffdec, keeping in mind that each binary is a precious snowflake that brings unique challenges. To that end, an interest in solving puzzles is perhaps the most essential requirement for succeeding at the FLARE-On challenge.

FLARE-On Strategery

A good strategy, especially for CTF-style reversing problems, is to start at the “win” basic block, and work your way backwards to see what conditions need to be satisfied to reach it. Pay attention to how your user input affects the flow of execution, and learn to block out the stuff that doesn’t matter (i.e. the white noise) which generally comes with experience -- so until then, enjoy determining what all the nitty-gritty parts do!

Writing out the pseudocode can aid in understanding what various functions and basic blocks do. For practice we highly recommend the open source IDA Pro Binary Auditing Training Material, which has many binaries representing high-level language (HLL) constructs (such as If-Then statements, pointers, C++ virtual tables, etc...). By understanding how these HLL constructs map to their disassembly counterparts you’ll quickly be able to understand what’s happening at the disassembly level and be able to reproduce near-source pseudocode. Or you can use a decompiler to do the bulk of the work for you, such as the ones found in IDA Pro and Hopper Pro.

Anti-analysis checks (such as anti-VM and anti-debugging) are sometimes thrown in the challenges to slow analysis of the binaries. However, this mirrors real world malware which usually has multiple anti-analysis checks built in. These checks serve multiple purposes in real world malware -- to hinder analysis and prevent infection of non-targeted systems (such as a malware analyst’s machine or honeypot). These checks can usually be overcome via binary patching (NOPing out the instructions) or modifying the VM if necessary (renaming or deleting specific drivers or programs).
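Patching out a check is a two-line job once you know the file offset, but the mistake that costs the most time is patching the wrong offset (a virtual address from the disassembler instead of the file offset, or a binary that was already patched once). The helper below is an added example written for this post, not code from the challenge or from the FLARE team: it refuses to write unless the bytes it finds match the instruction you expect, and writes to a new file so the original stays intact for comparison. `SAMPLE_CODE` is a constructed byte sequence, not bytes taken from any challenge binary.

```python
from pathlib import Path

NOP = 0x90  # single-byte x86/x64 NOP

# Constructed sample, not bytes from any challenge binary:
#   85 C0             test eax, eax
#   74 05             jz   +5        <- the conditional branch to neutralise
#   B8 01 00 00 00    mov  eax, 1
#   C3                ret
SAMPLE_CODE = bytes.fromhex("85c0" "7405" "b801000000" "c3")


def nop_patch(data: bytes, offset: int, expected: bytes) -> bytes:
    """Return a copy of data with the bytes at offset overwritten by NOPs.

    offset is a *file* offset, not the virtual address the disassembler
    shows; expected holds the exact instruction bytes you expect to find
    there, so a wrong offset (or an already-patched binary) is refused
    instead of silently corrupting unrelated code.
    """
    end = offset + len(expected)
    if offset < 0 or end > len(data):
        raise ValueError("patch range lies outside the data")
    found = data[offset:end]
    if found != expected:
        raise ValueError(
            f"expected {expected.hex()} at 0x{offset:x}, found {found.hex()}"
        )
    patched = bytearray(data)
    patched[offset:end] = bytes([NOP]) * len(expected)
    return bytes(patched)


def nop_patch_file(src: Path, dst: Path, offset: int, expected: bytes) -> Path:
    """Apply nop_patch to a file on disk, writing the result to dst so the
    original binary is kept for before/after comparison."""
    dst.write_bytes(nop_patch(src.read_bytes(), offset, expected))
    return dst


if __name__ == "__main__":
    patched = nop_patch(SAMPLE_CODE, 2, b"\x74\x05")
    print(SAMPLE_CODE.hex(), "->", patched.hex())
```

NOPing a conditional jump forces the fall-through path, so it is the right patch only when fall-through is the path you want; when the taken branch is the one that leads on, rewriting the opcode to an unconditional jump is the alternative. Either way, the expected-bytes check is what makes the patch repeatable when you come back to the binary a day later.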

If all else fails, keep it simple. Break apart the code one piece at a time, and if you hit a wall, Google it out! Remember, any and all tools (hopefully obtained legally) are at your disposal, so use them. Be creative! This is a great opportunity to gain a deeper understanding of real-world techniques used by malware authors to increase the difficulty of reversing.

So You Think You Know Reversing?

Are you looking for a personal test of skills and mental fortitude? Yearning for that mad street cred? Want to be the envy of everyone in your office with this most elusive of swag? The FLARE-On Challenge is for you! This year’s prize is the police-style badge below. Pretty cool, right?

[Image: this year’s FLARE-On prize badge]

More importantly, the FLARE-On Challenge is a tremendous way to continue to test, hone, and expand your reverse engineering skills. Now that you know how to get started, we strongly encourage you to consider participating in next year’s challenge. Over the remainder of the year, and to further assist you in your FLARE-On aspirations, we’ll provide a few more posts pertaining to the FLARE-On Challenge. We’ll get into the weeds of some of the more creative and daunting challenges we overcame en route to joining the esteemed ranks of those who completed previous challenges.