Flare-On 7 2020 Challenge #4: report

When I tried to open the report.xls file, I received an error:

After pressing the “OK” button, we received the Visual Basic code:

We also have something that looks like a key and an encrypted message:

Double-clicking on one of them shows their function name:

I extracted them to two files on GitHub because of their size:

  1. F.L
  2. F.T

Analyzing the Visual Basic Code

It’s time to understand what the code is doing. The main function is:

It starts by splitting into the array called . Later there are a number of calls to the function while is being changed. It’s a decoding function, so I converted the interesting parts of the code to Python to be able to print some of its variables and understand them. For example, I used it to print all the decoded variables of :

Use them as a lookup menu and the code becomes much clearer. The code uses the WMI service to search for VMware processes (“vmw” and “vmt”):

Then it writes something to a file named “stomp.mp3” ():

Notice that it uses the encrypted text of together with the function , which decrypts it.

This is our code converted to Python, and it wrote the mp3 file:

MP3 file

When I played the MP3 file, it played some music, like a mini march, but that was it. I thought maybe this was steganography, but look at the hint I saw when I played it:

It says something about P. Code.

P-Code

According to Wikipedia, P-Code is:

P-Code is a name for several of Microsoft’s proprietary intermediate languages.

So, I guess we need to look at the P-Code of the Visual Basic code; maybe there is something hiding there.

I found a cool tool that decompiles the code:

After installing and running the tool on the report.xls file, it decompiled it, and you can view the whole decompiled file here.

Finding hidden commands

I followed the code to see if there was something different from the Visual Basic code we saw in the beginning, and I found new commands.

At line #55 I noticed a new variable called and that it is assigned the name “FLARE-ON”:

At line #60 it calculates its length:

At lines #61-#63, there is a loop that reverses the string “FLARE-ON” to “NO-ERALF”:

The last piece is at line #65, where there is a call to but with different arguments from the ones we saw in the beginning:
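The comparison done by eye above (source view versus p-code view) can be automated. As an added example that is not part of the original write-up, the Python below reports string literals and identifiers that exist only in the p-code decompilation; the two VBA snippets are constructed stand-ins, not the challenge's real macro.

```python
import re

# Constructed sample: the macro as it appears in the VBA editor (source view).
VBA_SOURCE = '''
Sub Main()
    Dim parts() As String
    parts = Split(F.L, ",")
    Set svc = GetObject("winmgmts:")
    Open "stomp.mp3" For Binary As #1
End Sub
'''

# Constructed sample: the same routine as recovered from p-code, carrying the
# extra statements (marker variable and reversal loop) that the source view lacks.
VBA_PCODE = '''
Sub Main()
    Dim parts() As String
    parts = Split(F.L, ",")
    Set svc = GetObject("winmgmts:")
    Open "stomp.mp3" For Binary As #1
    marker = "FLARE-ON"
    n = Len(marker)
    For i = n To 1 Step -1
        rev = rev & Mid(marker, i, 1)
    Next i
End Sub
'''

STRING_RE = re.compile(r'"([^"]*)"')
IDENT_RE = re.compile(r'\b([A-Za-z_][A-Za-z0-9_]*)\b')
# Small keyword filter so structural words do not show up as "hidden" identifiers.
KEYWORDS = {"Sub", "End", "Dim", "As", "String", "Set", "For", "To",
            "Step", "Next", "Open", "Binary", "If", "Then", "Else"}


def literals_and_identifiers(vba_text):
    """Collect string literals and non-keyword identifiers from VBA text."""
    strings = set(STRING_RE.findall(vba_text))
    # Blank out literals first so words inside quotes are not counted as identifiers.
    stripped = STRING_RE.sub('""', vba_text)
    idents = set(IDENT_RE.findall(stripped)) - KEYWORDS
    return strings, idents


def hidden_in_pcode(source_text, pcode_text):
    """Return (strings, identifiers) present in the p-code view but not in the source view."""
    s_str, s_id = literals_and_identifiers(source_text)
    p_str, p_id = literals_and_identifiers(pcode_text)
    return sorted(p_str - s_str), sorted(p_id - s_id)


if __name__ == "__main__":
    print(hidden_in_pcode(VBA_SOURCE, VBA_PCODE))
```

A non-empty result is the signal that the compiled macro does more than its visible source; the real check would feed the output of a VBA source extractor and a p-code decompiler into the same function.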

We rewrote the Python script with these new details:

The result is a PNG that contains the flag:

Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (Docker and Kubernetes)