Applied Reverse Engineering: FlareOn2019 Competition First Step

In this series of posts we are going to solve, step by step, the new CTF that the security company FireEye held last week, for the benefit of our friends.

This annual online competition is one of the most prestigious in the field of reverse engineering and malware analysis.

My goal is to help friends who are interested in reverse engineering and malware analysis become familiar with the tools and techniques in this area step by step, and to provide an introduction to more advanced topics. Certainly you can't become a malware analyst just by completing this CTF, but it seems to be a very good starting point, because it takes you from the easiest challenges to the most professional ones and gives you a good overview.


Before we start, here are a few notes about this post:


* Who is this post for?


This post is written for those interested in working in the areas of malware analysis, binary file analysis, reverse engineering and Windows kernel debugging.


* Prerequisites for Understanding These Posts:

To follow what is being said, you first need to be familiar with assembly language. You also need to work well with, or at least understand, the C/C++ and Python programming languages, because in some places we may need to write code for a challenge. Familiarity with the Windows operating system, with how a process runs in memory (RAM), and with a debugger and a disassembler are the other prerequisites for this course, but of course I have tried to review these topics thoroughly in these posts in general.

* This CTF consists of 12 steps, starting with the easiest and reaching its peak at stage 12, which includes kernel debugging, drivers, network traffic monitoring to find malware, and so on.

So prepare yourself for a difficult and breathtaking challenge that will add a lot to your knowledge.

* In these posts I try to explain everything from the basics, so that anyone with good basic knowledge of this area can understand the content.

* Each challenge requires a set of tools, which I list in the prerequisites for that step along with a brief explanation of each.

* The password for all zip files is flare.

Lastly, I recommend running all steps of this CTF directly on your main Windows installation (the host), as some files may use anti-VM techniques to disrupt running them in a VM.

You don't need to worry about anything, because nothing dangerous will threaten your Windows installation.

Challenge #1: Memecat Battlestation

Get the files for this challenge here.


Windows 7 or higher

dnSpy software

Basic familiarity with the C# programming language

You have a zip file with two files inside it: an exe file, which is the main target of the challenge, and a Message file that gives us some information about the challenge.



When we first open the Message file, we are told that this challenge is very easy and that we have to fight the two enemies that attack us in this program and kill them.

It may sound funny, of course, but most CTFs try to make the first challenge a fun one, and this one is easy to get through.


When you open the exe file you will see an animation of a cat that stays in place and another cat attacking it with an open mouth.

At the bottom of the window you'll see a textbox and a button. According to the guide, you have to enter a word into this textbox so that you can kill the wild cat. So by now you have realized that the goal is to find a password, enter it, and go on to the next step.


As stated in the help file, this exe file is written in .NET. To find the password for this step and eliminate the wild cat, we need to reverse this exe file and find that password.

Here's what I need to say about how to reverse .NET files:


Interpreted programming languages, such as the .NET languages (C#, VB, F#) or Java, are executed in such a way that the code written by the programmer is first converted to an intermediate language, and then an interpreter converts that intermediate language to machine language and executes it. This means that when you write a program in a language such as C#, it cannot run on its own; its interpreter, the .NET Framework, must be present on the system. Reversing these programs is much easier than reversing programs written in native languages, because when you write a program in C/C++ it is converted directly to machine language by the compiler. To reverse such programs, it takes us a long time to convert them from machine language to assembly language, and finally we need to examine the program's behavior from the assembly language. Reverse engineering interpreted applications is much easier because the intermediate code is much simpler to convert back to a high-level programming language.


Now, according to my explanation, the program we are currently dealing with is written in .NET, so we can easily extract its code and check it.
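
One way to confirm that an exe is a .NET assembly before loading it into a decompiler, as an added example that is not part of the original post: a .NET image carries a non-empty CLR header entry (index 14) in the PE data directory. The function names and the sample header bytes are constructed for this illustration.

```python
import struct

CLR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR header entry


def is_dotnet_pe(data: bytes) -> bool:
    """True if the PE data directory has a non-empty CLR header entry."""
    try:
        if data[:2] != b"MZ":
            return False
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return False
        opt = pe_off + 4 + 20               # skip PE signature and COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:                  # PE32
            dirs = opt + 96
        elif magic == 0x20B:                # PE32+ (64-bit)
            dirs = opt + 112
        else:
            return False
        (count,) = struct.unpack_from("<I", data, dirs - 4)   # NumberOfRvaAndSizes
        if count <= CLR_DIR:
            return False
        rva, size = struct.unpack_from("<II", data, dirs + CLR_DIR * 8)
        return rva != 0 and size != 0
    except struct.error:                    # truncated or malformed header
        return False


def build_sample(clr: bool) -> bytes:
    """Constructed PE32 headers only (not a runnable program), for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    if clr:
        # Made-up RVA and size; only "non-zero" matters to the check.
        struct.pack_into("<II", dirs, CLR_DIR * 8, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)


if __name__ == "__main__":
    print(is_dotnet_pe(build_sample(clr=True)))
    print(is_dotnet_pe(build_sample(clr=False)))
```

To check a real file, pass the bytes read from it with `open(path, "rb").read()`; only the headers are inspected and nothing is executed.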


The best and most effective tool I can recommend for reversing .NET files is dnSpy, and you can get its latest version.


So after we open dnSpy, we drag and drop the exe file into it, and dnSpy starts to decompile it for us.