🇺🇦 Xorhex 🇺🇦
@xorhex.bsky.social
Reposted by 🇺🇦 Xorhex 🇺🇦
And #FlareOn12 Task 8: wp.me/p2mVNF-2Qf
Flare-On 12 – Task 8
In this mini-series I describe the solutions of my favorite tasks from this year’s Flare-On competition. To those of you who are not familiar, Flare-On is a marathon of reverse engineering. This ye…
wp.me
November 27, 2025 at 9:55 PM
And #FlareOn12 Task 8: wp.me/p2mVNF-2Qf
Decoy doc is blank 😂
November 25, 2025 at 8:34 PM
Decoy doc is blank 😂
Ransomware I get, but everything else should be shared!
November 25, 2025 at 7:03 PM
Ransomware I get, but everything else should be shared!
Another steam_monitor.exe
Wish 7z would give the extracted files their actual names (like when the msi file is executed) versus the "temp" names.
Wish 7z would give the extracted files their actual names (like when the msi file is executed) versus the "temp" names.
November 25, 2025 at 6:11 PM
Another steam_monitor.exe
Wish 7z would give the extracted files their actual names (like when the msi file is executed) versus the "temp" names.
Wish 7z would give the extracted files their actual names (like when the msi file is executed) versus the "temp" names.
Corrected 🤞
rule a {
condition:
with offset = 0: (
for any idx in (0..100): (
uint8(start + idx) == 0x00
and
console.log("Length:", idx)
)
)
}
rule a {
condition:
with offset = 0: (
for any idx in (0..100): (
uint8(start + idx) == 0x00
and
console.log("Length:", idx)
)
)
}
November 14, 2025 at 10:14 PM
Corrected 🤞
rule a {
condition:
with offset = 0: (
for any idx in (0..100): (
uint8(start + idx) == 0x00
and
console.log("Length:", idx)
)
)
}
rule a {
condition:
with offset = 0: (
for any idx in (0..100): (
uint8(start + idx) == 0x00
and
console.log("Length:", idx)
)
)
}
Actually, there might be a logic error in my solution now that I've shared it publicly.
November 14, 2025 at 10:04 PM
Actually, there might be a logic error in my solution now that I've shared it publicly.
rule a {
condition:
with offset = 0: (
for any idx in (0..100): (
with
i = idx: (
for all idx2 in (0..i): (
uint8(offset + idx) == 0x00
)
and console.log("Length:", i)
)
)
)
}
condition:
with offset = 0: (
for any idx in (0..100): (
with
i = idx: (
for all idx2 in (0..i): (
uint8(offset + idx) == 0x00
)
and console.log("Length:", i)
)
)
)
}
November 14, 2025 at 9:59 PM
rule a {
condition:
with offset = 0: (
for any idx in (0..100): (
with
i = idx: (
for all idx2 in (0..i): (
uint8(offset + idx) == 0x00
)
and console.log("Length:", i)
)
)
)
}
condition:
with offset = 0: (
for any idx in (0..100): (
with
i = idx: (
for all idx2 in (0..i): (
uint8(offset + idx) == 0x00
)
and console.log("Length:", i)
)
)
)
}
Didn't think of doing this, nice!
`b >= 0x20 and b <= 0x7e`
And Oops, yeah meant to say final size 🙃 only. Glad to know we had similar thoughts on how to solve it though.
`b >= 0x20 and b <= 0x7e`
And Oops, yeah meant to say final size 🙃 only. Glad to know we had similar thoughts on how to solve it though.
November 14, 2025 at 9:59 PM
Didn't think of doing this, nice!
`b >= 0x20 and b <= 0x7e`
And Oops, yeah meant to say final size 🙃 only. Glad to know we had similar thoughts on how to solve it though.
`b >= 0x20 and b <= 0x7e`
And Oops, yeah meant to say final size 🙃 only. Glad to know we had similar thoughts on how to solve it though.
This came about because I wanted to show the length of the string via #BinYars 🙃. The solution I came up with probably should not be left in any rules going to VT, as it will get the performance ban hammer 😅
November 14, 2025 at 9:30 PM
This came about because I wanted to show the length of the string via #BinYars 🙃. The solution I came up with probably should not be left in any rules going to VT, as it will get the performance ban hammer 😅