Flare-On 2015 #3

Starting the executable shows a very nice picture but gives no real hint to start with.

We can see that the file size of the executable is unusually big. Anyway, let's start with the basics, like running strings, and see what we can find:

Based on the output we can assume that this program was written in Python and packaged into an executable with PyInstaller or py2exe. To extract the Python code I used pyinstxtractor.py, which can be downloaded here (I tried some other tools as well, but none of them really worked except pyinstxtractor.py).

The following command extracts all the Python files from the executable.

The result looks as follows:

We’re looking for something suspicious here:

The file “elfie” seems to be plain ASCII text. Let's have a look at it:

That's quite a lot of concatenated base64 strings. Just build the complete string and decode it. I used PyCharm and copied all the obfuscation code into a Python script to decode it. After decoding you will find a lot of junk Python code, and if you scroll down you will notice something that looks like an email address written backwards.

Just reverse it and you’ll have the solution for challenge #3.
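The decode-and-reverse steps above, as an added example that is not part of the original write-up. The script below builds a small constructed stand-in for the "elfie" layout (hypothetical variable names, a placeholder address, and a base64 payload generated in place, none of it from the challenge), then rebuilds the concatenated base64 string by following the order of the `b64decode(...)` expression rather than the order of the assignments, decodes it, and reverses any address-like token that reads backwards:

```python
import base64
import re

# --- constructed sample (hypothetical; not the challenge's real "elfie") ---
_PAYLOAD = (
    "import sys\n"
    "noise = 'plenty of throwaway code goes here'\n"
    "E = 'moc.elpmaxe@eulc.tsrif'\n"   # placeholder address, written backwards
    "print(E[::-1])\n"
)
_B64 = base64.b64encode(_PAYLOAD.encode()).decode()
_CHUNKS = [_B64[i:i + 16] for i in range(0, len(_B64), 16)]
_NAMES = ["Qx%02d" % i for i in range(len(_CHUNKS))]
# Assignments are emitted in reverse order on purpose: a decoder must follow
# the order of the b64decode(...) expression, not the file order.
ELFIE_SAMPLE = "\n".join(
    "%s = '%s'" % (n, c) for n, c in reversed(list(zip(_NAMES, _CHUNKS)))
) + "\nexec(base64.b64decode(%s))\n" % " + ".join(_NAMES)

# name = 'base64literal' assignments, one per line
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*'([A-Za-z0-9+/=]*)'\s*$",
                       re.MULTILINE)
# the argument of the b64decode(...) call, e.g. "Qx00 + Qx01 + ..."
DECODE_RE = re.compile(r"b64decode\(([^()]*)\)")
# address-like tokens; matches both forward and reversed spellings
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def decode_elfie(source):
    """Rebuild the concatenated base64 string in expression order and decode it."""
    literals = dict(ASSIGN_RE.findall(source))
    m = DECODE_RE.search(source)
    if m is None:
        raise ValueError("no b64decode(...) call found")
    parts = [t.strip() for t in m.group(1).split("+")]
    missing = [p for p in parts if p not in literals]
    if missing:
        raise ValueError("undefined names in concatenation: %s" % missing)
    joined = "".join(literals[p] for p in parts)
    # errors="replace" keeps us going if the payload carries non-UTF-8 bytes
    return base64.b64decode(joined).decode("utf-8", errors="replace")


def looks_reversed(addr):
    """Heuristic: a backwards address starts with a reversed TLD ('moc.', 'gro.', ...)."""
    return addr.split(".", 1)[0].lower() in {"moc", "ten", "gro", "ude"}


def find_flag(source):
    """Decode the sample, collect address-like tokens, un-reverse the backwards ones."""
    text = decode_elfie(source)
    hits = [h[::-1] if looks_reversed(h) else h for h in EMAIL_RE.findall(text)]
    return hits[0] if hits else None


if __name__ == "__main__":
    print(decode_elfie(ELFIE_SAMPLE))
    print("flag candidate:", find_flag(ELFIE_SAMPLE))
```

Run it as a script to see the decoded payload followed by the reversed address. Against the real file you would pass the contents of `elfie` to `decode_elfie` instead of `ELFIE_SAMPLE`; the point of reading the concatenation order from the `b64decode(...)` expression is that the assignments in such obfuscated scripts are not necessarily listed in the order they are joined.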

Elfie <3
