F-Secure 2019 Qualification and Semi Final: Write-up


Welcome back guys. Today I’m gonna do reverse engineering and steganograpy challenges from FSecure2019.


Challenge 1


Investigate the image and then decode the flag. Let’s dive in into the image.


Okay first question. We need to decode this image and get “something” from it. Try to extract information using tools like binwalk, foremost and strings gave us nothing. Then I immidiately go to google to check some online stegano tools.

Using this online steganography tool. I managed to get morse code from the image.

..-. ... ··--·- .. -- .- --. . ··--·- ... - ...-- --. .- -.  --. .-. .- .--. .... -.-- ··--·- --  .-. ... . -.-.  -.. . ··--·- -.-. -.-- -... . .-.

Decode the morse code using this online tool converter and we get the flag.

The flag is fsoimageost3ganographyomorsecodeocyber

Challenge 5


Organizer gave us a file which we don’t know what file it is. Trying file command on it gave us nothing. Just a “data” output.

Strings command it gave us this strange strings.

#@~^NgAAAA==\ko$K6,J0k+ ^!9kUo|xG2M!4^n:1X4.E~,vl~~JP4PWVmLPb/lE8BEAAA==^#~@

Hmm. Still gave us no clue.

Then I try to execute binwalk command, and yeah it make me smile again to solve this challenge.


It’s a Windows Script Encode! I immidately go to google, search some decoder for it and I found this. Download it and execute on our file.


Apply strings command to file that have decoded (challenge5decoded) gave us the flag!


The flag is fsenc0ding_nopr0blemcyber

Challenge 6


Investigate the Spreadsheet. Okay let’s dive in into the document. Basically, we need to clarify that Microsoft office file is actually a compressed file. Therefore we can decompressed it.

Unzip it and then we will get these files.

  • rels
  • customXml
  • docProps
  • xl
  • [Content_Types]


Investigate it using Sublime text, one by one of the files and we managed to get the flag in xl/worksheet/sharedStrings.xml.


The flag is fssUPERhIdDEncyber

Challenge 8


Execute file command on the binary, and it said the binary is a CDFV2 Microsoft Outlook Message.


strings command it gave us a big clue how to find the flag. It give us an encrypted text and said “I hope you remember what base it is :p

So, it said something about base. Hmm. Base64? Base32? The text seems not like the format of both of this base. After doing some google, there is one more base which is base85 / Ascii85 !

I use this online tool, and we got the flag!


The flag is fsbase85enc0dedcyber

Challenge 9


They gave us a picture of FSecure logo again. This must be steganography challenge again.


Google some of online steganography tools and we found this site.

Upload the photo and give “fsecure” as the password. Then, we got the flag.

The flag is fsmeta_stegcyber

Challenge 10


Soon we download the file, we executed it.

The program ask me for a PIN number.


Test the program with a random key gave us this strings "I'll give you an A for effort... but better luck next time!"

Okay let’s open it using IDA to dive into it’s code.


I go to Strings window to get clue where the main function are. From the strings window, I double click on “INPUT THE KEY” and it bring me to .rdata segment.


Then, click on the variable name “aInputTheKey” press X for cross reference. Cross references can help us determine where certain functions were called from, which can be useful for a number of reasons.

So, this strings were called by this instruction. Double click on it will bring us to the instruction code.


From this graph, we can see it compare our input with number “1337”.

Decompile it, we can see the in the circle, the flag is obfuscated by some algorithm.


Try 1337 as the PIN and we got the flag.


The flag is fs4NT1D3BUGIZCOMM0Ncyber


You can get the dump binaries at here.

Challenge 1


The first challenge was about a .jar file. Let’s see what is the output when we execute it.


Run it in terminal gave us an output said “Nice Try!”.

Step 1:

Decompile it using JADX and then we will get the souce code of the program.


After understand the codes, you can see that the flag was encrypted using xor operation with a letter “A”.

Step 2:

Let’s do a script with python to reverse xor the encrypted string.

First, I converted the xored string to hexadecimal value.

*wwvrvyrqvsw wpvwuqwrvxwswtvs* --> *0x77 0x77 0x76 0x72 0x76 0x79 0x72 0x71 0x76 0x73 0x77 0x20 0x77 0x70 0x76 0x77 0x75 0x71 0x77 0x72 0x76 0x78 0x77 0x73 0x77 0x74 0x76 0x73*

Then, I make the script with the hexa values.

    s = [0x77, 0x77, 0x76, 0x72, 0x76, 0x79, 0x72, 0x71, 0x76, 0x73, 0x77, 0x20, 0x77, 0x70, 0x76, 0x77, 0x75, 0x71, 0x77, 0x72, 0x76, 0x78, 0x77, 0x73, 0x77, 0x74, 0x76, 0x73]
    // each of 0x__ is the characters of the encrypted string.
    print  ''.join([chr(i ^  0x41) for i in s])
    // 0x41 is letter "A" in hexadecimal

Or you can cook the string using this recipe!

Step 3: Execute the command and it will print a hexadecimal value. Convert it to ASCII will give us the flag.


xxd - make a hexdump of the binary.

-r tells it to convert hex to ascii as opposed to its normal mode of doing the opposite.

-p tells it to use a plain format.

The flag is fsx0rjav@cyber

Challenge 2


This challenge was quite easy. They gave us a .pyc binary.

If you don’t know what file it is, just issuing file command on it then it will tell us it’s a python 2.7 byte-compiled. Knowing what file it is, can give you clue how to run the binary.

Run the python program and then it print a hexa strings. Decode the hexadecimal into ASCII characters will get us the flag.


The flag is fsx0r3dpythoncyber

Challenge 3

This challenge was tough for me. My debugging skill was so bad. I think I was so lucky to get the flag by patching randomly the conditional jump using IDA Pro.


Execute the program and then it will print a youtube link.


Open it using IDA and I saw another youtube link.


The blue pen is for the printed youtube link, and the red pen is the other youtube link I mentioned before.

From the graph view above, I decided to patch a few conditional jump to make the program print the “other” youtube link. But, surprisingly.. it print the flag we wanted hahaha.

I really don’t know how this program work actually. The assembly code and decompiled code are also looks messy to me. I was really lazy to dive in into the assembly code deeply.

enter image description here

After patch the program.. I executed the patched binary and it print the flag.

enter image description here

The flag is fsRICKR0LLEDcyber

Challenge 4

enter image description here

Soon get the binary, unzip it recursively four times until you get two files called almost_there (encrypted zip file) and rockyou.txt (dictionary for bruteforcing the encrypted zip file).

enter image description here

Crack the encrypted zip file using rockyou.txt dictionary with fcrackzip.

enter image description here

fcrackzip -u -D -p rockyou.txt almost_there

PASSWORD FOUND!!!!: pw == lovet-joearceneaux 

-u tells the program to test the password with unzip before declaring it correct

-D to specify a dictionary based attack

-p which is used to specify the password file.

Then, unzip the file with cracked password and it will extracting a file called flag. cat command the flag gave us the flag.

enter image description here

The flag is fs_compr3ss10n_w1th_unknOwn_p@ssw0rd_cyber

Challenge 5

enter image description here

This challenge require knowledge in powershell obfuscation.

We try to execute the powershell and it printed “No, this is not the answer!”.

enter image description here

Okay now let’s open the .ps1 file with your text editor. Remove this line.

|&( $enV:cOMSpEC[4,26,25]-JOIN'')

enter image description here

Then, execute the .ps1 file back will print us the real text of obfuscated script.

There we see the flag of this challenge.

enter image description here

The flag is fsThIngsVDO4cyber.

Challenge 7

enter image description here

Execute the program and it ask us for a true/false question. Giving a wrong answer will make the program terminate.

enter image description here

After doing static analysis on the application, this binary was packed using UPX packer. So, we need to unpack it to reverse the program. You can unpack it using upx tool. I use this.

Open it using IDA gave us the answer of each of the question in the main function.

enter image description here

The answer is

  1. true
  2. true
  3. false
  4. true
  5. false
  6. false
  7. true
  8. true
  9. true
  10. false

After submitting the all true answer, it will print us the flag.

The flag is fswh@tw@sth@tcyber.

Challenge 10

enter image description here

The file is a document file by Microsoft Word.

Issuing binwalk -e command to the file will extract us the files embedded in the document file.

binwalk -e 1124.doc 

6034          0x1792          Zip archive data, at least v2.0 to extract, compressed size: 255, uncompressed size: 540, name: [Content_Types].xml
6338          0x18C2          Zip archive data, at least v2.0 to extract, compressed size: 192, uncompressed size: 310, name: _rels/.rels
6571          0x19AB          Zip archive data, at least v2.0 to extract, compressed size: 131, uncompressed size: 138, name: theme/theme/themeManager.xml
6760          0x1A68          Zip archive data, at least v2.0 to extract, compressed size: 1704, uncompressed size: 7076, name: theme/theme/theme1.xml
8516          0x2144          Zip archive data, at least v2.0 to extract, compressed size: 182, uncompressed size: 283, name: theme/theme/_rels/themeManager.xml.rels
9116          0x239C          End of Zip archive, footer length: 22
9138          0x23B2          XML document, version: "1.0"
12461         0x30AD          Zip archive data, at least v2.0 to extract, compressed size: 254, uncompressed size: 481, name: [Content_Types].xml
12764         0x31DC          Zip archive data, at least v2.0 to extract, compressed size: 214, uncompressed size: 404, name: _rels/.rels
13019         0x32DB          Zip archive data, at least v2.0 to extract, compressed size: 714, uncompressed size: 2678, name: drs/e2oDoc.xml
13777         0x35D1          Zip archive data, at least v2.0 to extract, compressed size: 221, uncompressed size: 269, name: drs/downrev.xml
14286         0x37CE          End of Zip archive, footer length: 22
22528         0x5800          XML document, version: "1.0"
28544         0x6F80          XML document, version: "1.0"
36928         0x9040          XML document, version: "1.0"
40832         0x9F80          XML document, version: "1.0"
41088         0xA080          XML document, version: "1.0"
41920         0xA3C0          XML document, version: "1.0"

Go to _1124.doc.extracted\drs, open the e2oDoc.xml using your text editor.

enter image description here

From the display above, the characters with “
” looks suspicious to me. Remove it one by one will give us the clear text of the flag.

enter image description here

The flag is fsHideInAltTextcyber.