Flare-On 5: Challenge 12 Solution - Suspicious Floppy Disk

Challenge Author: Nick Harbour

Background

This challenge is framed as a spy tool. You are told that we found a suspicious floppy disk that we suspect was given to spies to transmit secret messages. The spies were given the password but you weren't. You need to figure out the hidden message.

Running the floppy disk

I recommend using the Bochs emulator for this challenge. You can start up a minimal x86 VM and add this disk image as a bootable floppy drive. Plus, the Bochs image is directly loadable and debuggable with IDA Pro. If you load the floppy correctly with Bochs you will see the screen shown in Figure 1 below.

FireEye, Inc., 1440 McCarthy Blvd., Milpitas, CA 95035 | +1 408.321.6300 | +1 877.FIREEYE (347.3393) | [email protected] | www.FireEye.com

Figure 1: Bochs Initial Bootup

Before we look closer at the contents of the floppy disk, we can determine that the program launched in the boot sequence, which appears to be prompting for the password, is named infohelp.exe. If you hit Ctrl-C here it will terminate the batch job (autoexec.bat) and return you to the command prompt. Using the DIR command here will show you the list of files as shown in Figure 2 below.

Figure 2: Floppy disk contents

You can see from the file timestamps that many of the files on this disk are old. This floppy disk was originally generated with Windows XP using a "format /s" command to create a bootable floppy.
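The same listing and timestamps can be read without booting the disk, by parsing the FAT12 root directory straight out of the image file. The following is an added example, not code from the original write-up; the sample image, file sizes and timestamps are constructed, and only the names INFOHELP.EXE and AUTOEXEC.BAT come from the text.

```python
import struct
from datetime import datetime

def dos_datetime(date, time):
    """Decode packed FAT date/time words (2-second resolution)."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None  # zeroed or corrupt timestamp

def list_root(img):
    """Return (name, size, last-write time) for live FAT12 root directory entries."""
    bps, _spc, reserved, nfats, nroot = struct.unpack_from("<HBHBH", img, 11)
    (sectors_per_fat,) = struct.unpack_from("<H", img, 22)  # BPB field at offset 22
    offset = (reserved + nfats * sectors_per_fat) * bps  # root dir follows the FATs
    files = []
    for i in range(nroot):
        e = img[offset + 32 * i: offset + 32 * i + 32]
        if len(e) < 32 or e[0] == 0x00:   # truncated image or end-of-directory marker
            break
        if e[0] == 0xE5 or e[11] & 0x08:  # deleted entry, volume label or long-name slot
            continue
        name = e[0:8].decode("cp437").rstrip()
        ext = e[8:11].decode("cp437").rstrip()
        time, date, _cluster, size = struct.unpack_from("<HHHI", e, 22)
        files.append((f"{name}.{ext}" if ext else name, size, dos_datetime(date, time)))
    return files

def _entry(name, ext, attr, when, size):  # builds one constructed 32-byte entry
    date = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    time = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    return struct.pack("<8s3sB10xHHHI", name.ljust(8).encode(), ext.ljust(3).encode(),
                       attr, time, date, 2, size)

def make_sample_image():
    """Constructed 1.44 MB-style layout: boot sector, two 9-sector FATs, root dir."""
    img = bytearray(512 * 19 + 224 * 32)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    entries = [_entry("SAMPLE", "", 0x08, datetime(2018, 8, 1, 12, 0, 0), 0),
               _entry("AUTOEXEC", "BAT", 0x20, datetime(2018, 8, 1, 12, 0, 0), 17),
               b"\xe5" + _entry("OLDFILE", "TXT", 0x20, datetime(2001, 1, 1), 5)[1:],
               _entry("INFOHELP", "EXE", 0x20, datetime(2018, 8, 1, 12, 30, 10), 4096)]
    img[512 * 19:512 * 19 + 32 * len(entries)] = b"".join(entries)
    return bytes(img)

if __name__ == "__main__":
    for name, size, mtime in list_root(make_sample_image()):
        print(f"{name:<12} {size:>8}  {mtime}")
```

To use it on a real image, pass the file's bytes to `list_root()` in place of the constructed sample.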