Yara Analysis
Fitzy Shortstack is standing next to a Terminal.
Challenge
HELP!!!

This critical application is supposed to tell us the sweetness levels of our candy
manufacturing output (among other important things), but I can't get it to run.

It keeps saying something something yara. Can you take a look and see if you
can help get this application to bypass Sparkle Redberry's Yara scanner?

If we can identify the rule that is triggering, we might be able to change the program
to bypass the scanner.

We have some tools on the system that might help us get this application going:
vim, emacs, nano, yara, and xxd

The children will be very disappointed if their candy won't even cause a single cavity.

snowball2@e3932e4afe25:~$ 
Solution

First run of the blocked binary:

snowball2@312ab12cd1a9:~$ ./the_critical_elf_app 
yara_rule_135 ./the_critical_elf_app

That Yara rule says:

    strings:
        $s = "candycane"

So just open the binary (a simple editor like vi is sufficient), look for that string and replace the lowercase c with a capital C.
Second run:

snowball2@45408967b971:~$ ./the_critical_elf_app 
yara_rule_1056 ./the_critical_elf_app 

That Yara rule says:

    strings:
        $s1 = {6c 6962 632e 736f 2e36}
        $hs2 = {726f 6772 616d 2121}

Just feed those hex bytes into CyberChef and apply the Magic recipe:

From_Hexdump()
c.so.6gram!!    Valid UTF8
Entropy: 3.25

So just open the binary again, look for the second string and replace the ! with another character like -.
Third run:

snowball2@45408967b971:~$ ./the_critical_elf_app 
yara_rule_1732 ./the_critical_elf_app

That Yara rule looks for a lot of strings, but we can take the easy route and look at the condition:

    condition:
        uint32(1) == 0x02464c45 and filesize < 50KB and
        10 of them

Let’s append some null bytes at the end of the file:

snowball2@45408967b971:~$ dd if=/dev/zero count=100 >> the_critical_elf_app 
100+0 records in
100+0 records out
51200 bytes (51 kB, 50 KiB) copied, 0.000323874 s, 158 MB/s
snowball2@45408967b971:~$ ls -l the_critical_elf_app 
-rwxr-xr-x 1 snowball2 snowball2 67889 Dec 13 21:34 the_critical_elf_app
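To make the two rules above concrete, here is an added Python example (not part of the original writeup or the challenge) that decodes the hex strings of yara_rule_1056 the way Yara reads them, and evaluates the two non-string predicates of yara_rule_1732's condition before and after the dd padding; the bytes standing in for the binary are constructed from the ELF identification bytes and the sizes visible in the ls output. From a rule author's point of view it shows the caveat this challenge exploits: an upper bound like filesize < 50KB is a fragile detection because appending padding invalidates it without touching any of the strings.

```python
import struct


def decode_yara_hex(hex_string: str) -> bytes:
    """Decode a Yara hex string such as {6c 6962 632e 736f 2e36} into bytes.
    Yara ignores whitespace inside the braces, so the odd grouping is cosmetic."""
    body = hex_string.strip().strip("{}")
    return bytes.fromhex("".join(body.split()))


def rule_1732_header_checks(data: bytes, size_limit: int = 50 * 1024) -> dict:
    """Evaluate the two non-string predicates of yara_rule_1732's condition.
    Yara's uint32(1) reads four bytes at offset 1 as a little-endian integer,
    so 0x02464c45 is the byte sequence 45 4c 46 02: 'ELF' followed by the
    ELF64 class byte. Yara's 50KB means 50 * 1024 = 51200 bytes."""
    magic_ok = len(data) >= 5 and struct.unpack_from("<I", data, 1)[0] == 0x02464C45
    size_ok = len(data) < size_limit
    return {"uint32(1) == 0x02464c45": magic_ok, "filesize < 50KB": size_ok}


def pad_with_zeros(data: bytes, blocks: int = 100, block_size: int = 512) -> bytes:
    """Mimic 'dd if=/dev/zero count=100 >> file': append 100 blocks of 512 zero bytes."""
    return data + b"\x00" * (blocks * block_size)


# Constructed stand-in for the_critical_elf_app (assumption, not the real file):
# ELF64 identification bytes plus filler up to the original size, which is
# 67889 bytes from the ls output minus the 51200 bytes that dd appended.
ORIGINAL_SIZE = 67889 - 51200
SAMPLE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * (ORIGINAL_SIZE - 7)

if __name__ == "__main__":
    for s in ("{6c 6962 632e 736f 2e36}", "{726f 6772 616d 2121}"):
        print(s, "->", decode_yara_hex(s))
    print("before padding:", rule_1732_header_checks(SAMPLE_ELF))
    padded = pad_with_zeros(SAMPLE_ELF)
    print("after padding: ", len(padded), "bytes", rule_1732_header_checks(padded))
```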

The binary now passes the Yara checks:

snowball2@45408967b971:~$ ./the_critical_elf_app 
Machine Running.. 
Toy Levels: Very Merry, Terry
Naughty/Nice Blockchain Assessment: Untampered
Candy Sweetness Gauge: Exceedingly Sugarlicious
Elf Jolliness Quotient: 4a6f6c6c7920456e6f7567682c204f76657274696d6520417070726f766564