Reversing as an Art

Notes on RCE fun.

Flare-On Challenge v Solution

Back to Solutions List

This one starts the series of more challenging puzzles. The binary is actually a key logger with a twist, writing every pressed key into a log file.

Fig. 1

It will try to install itself in your system under %SystemRoot% by disguising as svchost.dll. It will also add itself under Run key to ensure persistence (boring). The interesting things are waiting for us latter on.

As I mentioned previously, this key-logger has a twist – each key press is monitored by GetAsyncKeyState which is running in the loop. Once the pressed key generated a character, it will be passed to a processing switch statement:

Fig. 2

The twist here is that the “secret” message was encoded by the means of flags that in the beginning all are initialized by init_secret_flags. Each flag represents the letter in the final “secret” message and the keys must be pressed in the particular order.

Fig. 3

If there is an error in the sequence, for example pressing 4, everything will be reset (Fig.4 – 2) – init_secret_flags called again. On the other hand, i will be somewhere in the final “secret” message (Fig. 4 – 3) as the next flag is set to ‘on’ state.

Fig. 4

The way to solve this puzzle is rather simple – just follow the flags in IDA (for example, using XRefs) where the particular flag is compared with 0 and write down the letter that is processes by that function. Pay attention, that the first flag is already set in init_secret_flags. Let’s walk the process for first 2 characters:

  • find reference for first flag where it is compared with 0
  • write down the character (‘l’)
  • find reference for second flag where it is compared with 0
  • write down the character (‘0’ – zero)

Fig. 5

Once done, you should see the following: