Flare-On 7 2020 Challenge #4: report

When I tried to open the report.xls file I received an error:

After pressing the “OK” button, we are shown the Visual Basic code:

We also have two items that look like a key and an encrypted message:

Double-clicking on one of them shows its function name:

Because of their size, I extracted them into two files on GitHub:

  1. F.L
  2. F.T

Analyzing the Visual Basic Code

It’s time to understand what the code is doing. The main function is folderol:

It starts by splitting F.L into an array called onzo. After that there are a number of calls to the rigmarole function with onzo[<num>], where <num> changes each time. rigmarole is a decoding function, so I converted the interesting parts of the code to Python so that I could print some of its variables and understand them. For example, I used it to print all the decoded elements of onzo:

Using that output as a lookup table makes the code much clearer. The code uses the WMI service to search for VMware processes (“vmw” and “vmt”):

Then it writes something to a file named “stomp.mp3” (onzo(1)):

Notice that it passes the encrypted text of F.T.Text to the canoodle function, which decrypts it.

This is the code converted to Python; running it wrote the MP3 file:

MP3 file

When I played the MP3 file, it played some music, a kind of mini march, but that was it. I thought maybe this was steganography, but look at the hint I saw when I played it:

It says something about P-Code.

P-Code

According to Wikipedia, P-Code is:

P-Code is a name for several of Microsoft’s proprietary intermediate languages.

So, I guess we need to look at the P-Code of the Visual Basic code; maybe there is something hiding there.

I found a cool tool that decompiles the code:

After installing the tool and running it on the report.xls file, it produced the decompiled code; you can view the full decompiled file here.

Finding hidden commands

I followed the code to see if there was anything different from the Visual Basic code we saw at the beginning, and I found new commands.

At line #55 I noticed a new variable called firkin, which is assigned the name “FLARE-ON”:

At line #60 it calculates its length:

At lines #61-#63, there is a loop that reverses the string “FLARE-ON” to “NO-ERALF”:

The last piece is at line #65, where there is a call to canoodle with different arguments from the ones we saw at the beginning:

We re-wrote the Python script with these new details:

The result is a PNG that contains the flag:
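The hidden commands above were found by comparing the decompiled P-code with the source shown in the editor: in a stomped document the P-code is what actually runs, so any variable, call or string that exists only there is invisible to someone reading the source. As an added example (not the author's script or part of the challenge), the following Python check automates that comparison on two constructed VBA listings; the listings and every argument value in them are made up for illustration.

```python
import re

# Constructed sample listings, not the real challenge files: the VBA source
# the editor shows, and the P-code the decompiler recovered. Argument values
# passed to canoodle are made up; only the identifier names mirror the write-up.
VBA_SOURCE = '''
Sub folderol()
    Dim onzo() As String
    onzo = Split(F.L, ".")
    Open rigmarole(onzo(1)) For Binary As #1
    Put #1, , canoodle(F.T.Text, 0, 1, rigmarole(onzo(0)))
    Close #1
End Sub
'''
PCODE_LISTING = '''
Sub folderol()
    Dim onzo() As String
    Dim firkin As String
    Dim xertz As String
    onzo = Split(F.L, ".")
    firkin = "FLARE-ON"
    For i = Len(firkin) To 1 Step -1
        xertz = xertz & Mid(firkin, i, 1)
    Next i
    Open rigmarole(onzo(1)) For Binary As #1
    Put #1, , canoodle(F.T.Text, 2, 3, xertz)
    Close #1
End Sub
'''
# VBA keywords to ignore, so that only variables and called functions remain.
VBA_KEYWORDS = {
    "sub", "end", "dim", "as", "string", "integer", "long", "for", "to", "step",
    "next", "open", "binary", "put", "close", "if", "then", "else", "function",
    "set", "call", "do", "loop", "while", "wend", "and", "or", "not", "xor",
}
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
STRING = re.compile(r'"[^"]*"')

def identifiers(listing):
    """Identifiers used in a VBA listing, ignoring keywords, strings and comments."""
    names = set()
    for line in listing.splitlines():
        line = STRING.sub('""', line.split("'")[0])  # drop comment, blank strings
        names.update(t for t in IDENT.findall(line) if t.lower() not in VBA_KEYWORDS)
    return names

def stomping_indicators(source, pcode):
    """Names and string literals present only in the P-code: the hidden logic."""
    only_names = sorted(identifiers(pcode) - identifiers(source))
    only_strings = sorted(set(STRING.findall(pcode)) - set(STRING.findall(source)))
    return only_names, only_strings
```

On the constructed listings the check reports the new variables (firkin, xertz, i), the new calls (Len, Mid) and the “FLARE-ON” literal, which is exactly what had to be spotted by hand at lines #55-#65.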


Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (docker and Kubernetes)
