Challenge Info

One of our team members developed a Flare-On challenge but accidentally deleted it. We recovered 
it using extreme digital forensic techniques but it seems to be corrupted. We would fix it but we 
are too busy solving today's most important information security threats affecting our global economy. 
You should be able to get it working again, reverse engineer it, and acquire the flag.

Solving Challenge

In this challenge one binary is given, called “garbage.exe”. When I tried to run it, it did not start, and when I tried to open it in a debugger, the debugger failed to start the process.

failed-to-open-binary

I then suspected something was wrong with the binary itself, so I opened it in a hex editor. Scrolling to the end of the file, I saw that the manifest data was incomplete: it looks like the binary was not dumped properly and some trailing bytes are missing.

hxd

Then I opened the binary in CFF Explorer and noticed that both the Import Directory RVA and the Relocation Directory RVA were invalid.

invalid-RVA

In the Dependency Walker section I then saw that the file size is smaller than the PE size. The file size and the PE size must be equal, so I calculated the difference and found that 732 bytes were missing.

missing-bytes

To fix this, I appended 732 null (0x00) bytes to the end of the binary.

adding-zeros

Then I tried to unpack the binary with the UPX unpacker, and this time it unpacked successfully.

unpacked

However, the unpacked binary still does not run; instead it throws an error saying that the side-by-side configuration is incorrect.

side-by-side-err

This is because the resource is incomplete. Recall that we appended null bytes to fix the size of the binary, not to restore the original resource data. To fix this we can simply remove the incomplete resource.

incomplete-conf

The side-by-side configuration error was solved, but a new error appeared: the loader could not find the correct DLL to run the program.

dll-not-found

If we look at the Import Directory section, we can see that the module names are missing.

dll-not-found

Looking at the function list, I assume the first module is kernel32.dll and the second is shell32.dll.

fixed-module-names
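The two repair steps above (comparing the real file length with the size the section table implies, then walking the import directory to see which module names are empty) can be checked without a GUI tool. The following is an added example, not code from the writeup or from the challenge: it parses a PE32 header with only the standard library, reports how many bytes are missing, checks whether the Import and Relocation directory RVAs resolve to bytes actually present in the file, pads the file with nulls, and lists each import descriptor's DLL name and functions. Because the challenge file is not reproduced here, the block builds its own constructed PE32 (`build_sample_pe`, one section, one import of `WinExec`, a relocation directory near the end of the section) and truncates it by 732 bytes to imitate the broken dump; the `dll_name=b""` variant imitates the empty module name the writeup encountered.

```python
import struct

IMPORT_DIR, BASERELOC_DIR = 1, 5  # data directory indexes from the PE spec


def parse_pe(data):
    """Return (sections, data_directories) for a PE32 image.
    sections: list of (name, virtual_address, virtual_size, raw_offset, raw_size)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # NumberOfRvaAndSizes sits at 0x5C (PE32) or 0x6C (PE32+); the directory array follows it
    nrva = opt + (0x5C if magic == 0x10B else 0x6C)
    num_dirs = struct.unpack_from("<I", data, nrva)[0]
    dirs = [struct.unpack_from("<II", data, nrva + 4 + 8 * i) for i in range(num_dirs)]
    sections = []
    for i in range(num_sections):  # first 24 bytes of each 40-byte IMAGE_SECTION_HEADER
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, raw, rsize))
    return sections, dirs


def missing_bytes(data):
    """Bytes the file lacks: the section table's last raw byte minus the real file length."""
    sections, _ = parse_pe(data)
    return max(0, max(raw + rsize for _, _, _, raw, rsize in sections) - len(data))


def pad_to_expected_size(data):
    """Append null bytes so the file length matches the section table (the writeup's fix)."""
    return data + b"\0" * missing_bytes(data)


def rva_to_offset(data, sections, rva):
    """Map an RVA to a file offset; None if it hits no section or lies past the end of the file."""
    for _, va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            off = rva - va + raw
            return off if off < len(data) else None
    return None


def check_directories(data):
    """Do the Import and Base Relocation directory RVAs point at bytes present in the file?"""
    sections, dirs = parse_pe(data)
    return {"import": rva_to_offset(data, sections, dirs[IMPORT_DIR][0]) is not None,
            "reloc": rva_to_offset(data, sections, dirs[BASERELOC_DIR][0]) is not None}


def _cstring(data, off):
    if off is None or off >= len(data):
        return ""
    end = data.find(b"\0", off)
    return data[off:end if end != -1 else len(data)].decode(errors="replace")


def list_imports(data):
    """Walk the import directory (PE32 thunks) -> [(dll_name or None, [function names])].
    A None DLL name means the Name RVA resolves to an empty string, as in the writeup."""
    sections, dirs = parse_pe(data)
    off, result = rva_to_offset(data, sections, dirs[IMPORT_DIR][0]), []
    while off is not None and off + 20 <= len(data):
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break  # all-zero descriptor terminates the list
        funcs, thunk = [], rva_to_offset(data, sections, oft or ft)
        while thunk is not None and thunk + 4 <= len(data):
            entry = struct.unpack_from("<I", data, thunk)[0]
            if entry == 0:
                break
            funcs.append(f"#{entry & 0xFFFF}" if entry & 0x80000000  # import by ordinal
                         else _cstring(data, rva_to_offset(data, sections, entry + 2)))
            thunk += 4
        result.append((_cstring(data, rva_to_offset(data, sections, name_rva)) or None, funcs))
        off += 20
    return result


def build_sample_pe(dll_name=b"kernel32.dll", truncate=0):
    """Constructed PE32 (not the challenge file): one .text section holding an import table that
    imports WinExec from dll_name, plus a relocation directory near the end of the section.
    `truncate` drops that many trailing bytes to imitate the broken dump."""
    sec_va, sec_raw, sec_size = 0x1000, 0x200, 0x400
    body = bytearray(sec_size)  # section layout: descriptor @0, DLL name @0x28, hint/name @0x40, thunks @0x60/0x70
    struct.pack_into("<IIIII", body, 0, sec_va + 0x60, 0, 0, sec_va + 0x28, sec_va + 0x70)
    body[0x28:0x28 + len(dll_name)] = dll_name           # empty string when dll_name == b""
    body[0x42:0x49] = b"WinExec"                          # 2-byte hint at 0x40, then the name
    struct.pack_into("<II", body, 0x60, sec_va + 0x40, 0)  # OriginalFirstThunk array
    struct.pack_into("<II", body, 0x70, sec_va + 0x40, 0)  # FirstThunk array
    hdr = bytearray(sec_raw)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF header, 1 section
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)               # PE32 magic
    struct.pack_into("<I", hdr, opt + 0x5C, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 0x60 + 8 * IMPORT_DIR, sec_va, 0x28)
    struct.pack_into("<II", hdr, opt + 0x60 + 8 * BASERELOC_DIR, sec_va + 0x3F0, 8)
    struct.pack_into("<8sIIII", hdr, opt + 0xE0, b".text", sec_size, sec_va, sec_size, sec_raw)
    data = bytes(hdr) + bytes(body)
    return data[:len(data) - truncate] if truncate else data


if __name__ == "__main__":
    broken = build_sample_pe(truncate=732)
    print("missing bytes:", missing_bytes(broken), check_directories(broken))
    fixed = pad_to_expected_size(broken)
    print("after padding:", missing_bytes(fixed), check_directories(fixed))
    print("imports:", list_imports(fixed))
    print("nameless:", list_imports(pad_to_expected_size(build_sample_pe(b"", truncate=732))))
```

On a real file, read it with `open(path, "rb").read()`, pass it to `missing_bytes` and `check_directories`, and write `pad_to_expected_size(...)` back out before trying the unpacker; `list_imports` then shows which descriptors have no DLL name so that they can be filled in from the function list, as the writeup does by hand.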

Now, if I save the file and run the program, it pops up a message box with the flag.

fixed-module-names

Flag

C0rruptGarbag3@flare-on.com