
Flare-On 12 Challenge 4 Writeup - UnholyDragon


Bag of Tricks: Python, 010 Editor

Challenge 4

Finding the Binary Differences

When opening the challenge zip I'm met with a file with a weird name, UnholyDragon-150.exe. The first thing I try is running it, and I get the following message:

Opening it in 010 Editor, it's clear the MZ header is patched.
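The same check can be done without a hex editor. The following is an added example (not part of the original writeup) that validates the two header fields the loader cares about, the "MZ" magic at offset 0 and the "PE\0\0" signature at e_lfanew, and restores the magic on a copy. The sample bytes are constructed here; they are not the challenge binary.

```python
import struct

def build_sample(magic=b'MZ'):
    """Constructed stand-in for a PE file: a 64-byte DOS header whose
    e_lfanew points directly at a PE signature. Not the challenge file."""
    header = bytearray(64)
    header[0:2] = magic
    struct.pack_into('<I', header, 0x3c, 64)  # e_lfanew: PE header follows the DOS header
    return bytes(header) + b'PE\0\0' + b'\0' * 20

def check_pe_header(data):
    """Return a list of problems found in the DOS/PE headers (empty if none)."""
    problems = []
    if len(data) < 0x40:
        return ['file shorter than a DOS header']
    if data[0:2] != b'MZ':
        problems.append(f'e_magic is {data[0:2].hex()} instead of 4d5a ("MZ")')
    e_lfanew = struct.unpack_from('<I', data, 0x3c)[0]
    if e_lfanew + 4 > len(data):
        problems.append(f'e_lfanew 0x{e_lfanew:x} points past end of file')
    elif data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        problems.append(f'no PE signature at e_lfanew 0x{e_lfanew:x}')
    return problems

def repair_mz_magic(data):
    """Return a copy with the DOS magic restored; nothing else is touched."""
    fixed = bytearray(data)
    fixed[0:2] = b'MZ'
    return bytes(fixed)

if __name__ == '__main__':
    broken = build_sample(b'XX')
    print(check_pe_header(broken))
    print(check_pe_header(repair_mz_magic(broken)))
```

Running it on a real file is `check_pe_header(open(path, 'rb').read())`; if the only finding is the magic, `repair_mz_magic` reproduces the one-edit fix done in 010 Editor above.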

After saving the changes to the file I see a new logo, nice. Now I'll try running UnholyDragon-150.exe.

It seemed to write 4 new files in order, running each one in sequence. Let's compare the files in the hex editor.

Looks like 150 and 151 only differ in a single byte; maybe every file has this byte offset set to some distinct value and we need to brute force it.

Huh, different offset but still a one-byte difference. I'll check another two:

Every two files in sequence differ in one byte at different offsets, meaning UnholyDragon-n.exe and UnholyDragon-n+5.exe will differ in 5 bytes at distinct file locations.

After confirming this, my theory is correct. Even when deleting files 152 to 154 and running 151, it generates all the files after it until hitting 154.

When running 154 nothing happens.

When comparing 154, the final file, with the one that comes before it, 153, we see, as expected, only a 1-byte difference, at offset 0x6e8f8.
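The pairwise comparisons above were done by eye in 010 Editor. As an added example (my code, not the writeup's), here is a byte-level diff that reports every differing offset between two buffers, plus a constructed chain of "generations" that mimics the one-byte-per-step behaviour observed, so the 1-byte and 5-byte claims can be checked programmatically rather than file by file.

```python
from itertools import zip_longest

def diff_bytes(a, b):
    """Return [(offset, byte_in_a, byte_in_b)] for every position where a and b differ.
    Positions past the end of the shorter input are reported with None on that side."""
    return [(i, x, y) for i, (x, y) in enumerate(zip_longest(a, b)) if x != y]

def diff_files(path_a, path_b):
    """Same as diff_bytes, reading both inputs from disk."""
    with open(path_a, 'rb') as fa, open(path_b, 'rb') as fb:
        return diff_bytes(fa.read(), fb.read())

def fmt(v):
    return 'EOF' if v is None else f'0x{v:02x}'

def describe(diffs):
    """Human-readable lines, one per differing offset."""
    return [f'offset 0x{off:x}: {fmt(x)} -> {fmt(y)}' for off, x, y in diffs]

def make_generations(base, patches):
    """Constructed stand-in for the challenge's file chain: each generation applies
    one more (offset, value) patch on top of the previous one. Not the real files."""
    gens = [bytes(base)]
    cur = bytearray(base)
    for off, val in patches:
        cur[off] = val
        gens.append(bytes(cur))
    return gens

if __name__ == '__main__':
    # Constructed sample data: a 1 KiB buffer and five single-byte patches.
    base = bytes(range(256)) * 4
    patches = [(0x10, 0xaa), (0x200, 0xbb), (0x2f0, 0xcc), (0x3ff, 0xdd), (0x42, 0xee)]
    gens = make_generations(base, patches)
    for n in range(len(gens) - 1):
        print(f'gen {n} -> gen {n + 1}:', describe(diff_bytes(gens[n], gens[n + 1])))
    print('gen 0 -> gen 5:', describe(diff_bytes(gens[0], gens[5])))
```

For the real files, `diff_files('UnholyDragon-153.exe', 'UnholyDragon-154.exe')` is expected to return a single entry at 0x6e8f8 if the observation above holds.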

Scripting Away

I'll brute force this byte to make the program generate the next file (155) correctly; maybe one value will give the flag, and maybe one of them will at least be interesting.

I'll start from 0xff and go all the way down to 0 (I chose 0xff because 153's byte at the offset that differs from 154 has the value 0xff).

import os

DIFF_OFFSET_154 = 0x6e8f8

def main():
    # Read the last generated file into a mutable buffer so the byte can be patched
    data = bytearray(open('UnholyDragon-154.exe', 'rb').read())

    # Try every candidate value, starting at 0xff (the value 153 carries at its diff offset)
    for x in range(0xff, -1, -1):
        data[DIFF_OFFSET_154] = x

        # Write the patched candidate out as its own file
        with open(f'test{x}.exe', 'wb') as current_file:
            current_file.write(data)

        print(f'Running test{x}.exe')
        res = os.system(f'test{x}.exe')

if __name__ == '__main__':
    main()

When running the script I got a huge delay between the first one and the others, so I stopped the program. When checking the processes I saw many new processes from files I did not possess before; the files are also committed to the disk.

Also, it looks like every executed file opens a blank WinForm. To recap, 155 has its byte (the one that differs from 154) set to 0xff, and when running it, 150 more files were generated and executed, each opening a form. When going through the files, I checked the old 150 file and saw it had actually been replaced by a new one that did not have the logo.

Back to the Roots (UnholyDragon-150.exe)

Opening the new 150 in 010 reveals we have a patched MZ header again.

I repatched the header and proceeded to run the file:

This post is licensed under CC BY 4.0 by the author.