Flare-on Challenge 2018

Posted on 07 Oct 2018 in security • 4 min read

The fifth edition of the FireEye's Flare-on reverse challenge take place this year between august 24th and the 5th octobe with a total of 12 challenges centered on Windows binaries.

Minesweeper Championship Registration

Welcome to the Fifth Annual Flare-On Challenge! The Minesweeper World Championship is coming soon and we found the registration app. You weren't officially invited but if you can figure out what the code is you can probably get in anyway. Good luck!

Download the challenge

We download the 7z and after extraction we got the jar. We start jd-gui and load the jar. The InviteValidator class is the following:

import javax.swing.JOptionPane;

public class InviteValidator
  public static void main(String[] args)
    String response = JOptionPane.showInputDialog(null, "Enter your invitation code:", "Minesweeper Championship 2018", 3);
    if (response.equals("GoldenTicket2018@flare-on.com")) {
      JOptionPane.showMessageDialog(null, "Welcome to the Minesweeper Championship 2018!\nPlease enter the following code to the ctfd.flare-on.com website to compete:\n\n" + response, "Success!", -1);
    } else {
      JOptionPane.showMessageDialog(null, "Incorrect invitation code. Please try again next year.", "Failure", 0);

We directly got the challenge flag GoldenTicket2018@flare-on.com.

Ultimate Minesweeper

You hacked your way into the Minesweeper Championship, good job. Now its time to compete. Here is the Ultimate Minesweeper binary. Beat it, win the championship, and we'll move you on to greater challenges.

Download the challenge

Once unzip the file is a 32bits executable binary. $ file UltimateMinesweeper.exe UltimateMinesweeper.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

When executed the program is similar to every Minesweeper execpt there is a LOT of mines! Only 3 squares of the 900 are not mines. The goal is to reveal this 3 squares with exploding on a mine.


We can use a tool like DnSpy to decompile the .NET and access the source code.


We can even recompile the code. Nevertheless , the line 156 will fire a compilation error. In order to fix it, we need to convert the value to byte:

array3[(int)num2] = (byte)(array3[(int)num2] ^ array[(int)num]);

We can for instance disable the failure when revealing a mine by changing the code of the BombRevealed function and make it always return false:

public bool BombRevealed
    int num = 0;
    while ((long)num < (long)((ulong)this.Size))
      int num2 = 0;
      while ((long)num2 < (long)((ulong)this.Size))
        if (this.MinesPresent[num2, num] && this.MinesVisible[num2, num])
          return false;
    return false;

Then we can clic on every square and get the Success message.


The flag seems to be encoded. When looking at the function GetKey we see that the Random is build using a seed depending of the revealed cells.

We then discover that the mines (and more importently the 3 empty squares) are always at the same place. So we can just found the position of every empty squares with our modified binary.


And then just reveal this three squares in order to get the Success message with the flag.



When you are finished with your media interviews and talk show appearances after that crushing victory at the Minesweeper Championship, I have another task for you. Nothing too serious, as you'll see, this one is child's play.

Download the challenge

Once extraxted we get 48 executables. Each binary is a 32bits executable.

$ file ./*
./1BpnGjHOT7h5vvZsV4vISSb60Xj3pX5G.exe: PE32 executable (console) Intel 80386, for MS Window

When launching any of the executable we get an error about the VCRUNTIME140 DLL missing.


To fix this you just need to install Visual Studio Community Edition.

After a few try using IDA and OllyDBG, I found a hint on twitter: Capture7.PNG

FLOSS static UTF-16 strings
Oh, hello Batman...
I super hate you right now.
What is the password?
Go step on a brick!
Oh look a rainbow.
Everything is awesome!
%s => %s

FLOSS decoded 0 strings

FLOSS extracted 0 stackstrings

Finished execution after 2.266808 seconds

The binary password is given just after the BRICK string.

root@kalili:~/work/fleggo# wine 1BpnGjHOT7h5vvZsV4vISSb60Xj3pX5G.exe
000f:err:service:process_send_command receiving command result timed out
What is the password?
Everything is awesome!
65141174.png => w

An image is created associated to a character.

We can automatized this for the 48 binary:

root@kalili:~/work/fleggo# for f in *exe; do wine $f <<< `./floss $f | grep '^BRICK' -A 1 | grep -v BRICK` ; done
000f:err:service:process_send_command receiving command result timed out
What is the password?
Everything is awesome!
65141174.png => w
000f:err:service:process_send_command receiving command result timed out
What is the password?
Everything is awesome!
85934406.png => m

A simple redirection allow to keep the information in a file. In the corner of each image is the position of the associated charactere. (for instance the image 85934406.png is associated to the letter "m" and the number in the right corner is 35 so the "m" is in the 35th position).


We might use tesseract in order to automaticaly detect the number in the corner. But I manualy identify them and got the order of the flag:



It is time to get serious. Reverse Engineering isn't about toys and games. Sometimes its about malicious software. I recommend you run this next challenge in a VM or someone else's computer you have gained access to, especially if they are a Firefox user.

Download the challenge

Once unzip we get a simple executable.

$ file binstall.exe
Downloads/binstall/binstall.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

As said in the descritpion this file is a malware and a lot of AV detect it as someone uploaded it on virus total.


I didn't get a lot of time to work on this challenge and didn't solve it.

Contest ending

The contest is now over and fireEye realse the solution for all challenges.