Malware reverse engineering challenges are a great way to keep reversing skills sharp and learn new techniques. The Flare-On Challenge is one of the most difficult and respected ones out there. Participants must complete ten unique challenges of increasing sophistication over a six-week period. Only 17 people in the US successfully completed this year's challenge, including the two of us. In this presentation, we'll familiarize reversers and non-reversers alike with how to approach challenge problems, and arm them with tools and tricks to successfully solve the types of problems they regularly see. These techniques not only helped solve this year's Flare-On problems, but more importantly, have real-world applicability. Many of the tools and techniques needed to complete the Flare-On challenge are key to understanding and reversing actual sophisticated malware, such as those used by APTs. We'll walk through how we solved several of the most relevant and creative challenges, providing the audience unique reversing insights that can help both experienced reversers and non-reversers augment their skill sets.

1. 0 to 31337 Real Quick:
Lessons Learned by Reversing the
Flare-On Challenge
Blaine Stancill
Josh Wang
Feb. 25th 2017

2. Who are we?
Josh
▪ @rh0gue
▪ Security Researcher
▪ CTF player
▪ Interested in binary
exploitation & VR
Blaine
▪ @MalwareMechanic
▪ Malware Researcher
▪ Loves difficult to
reverse malware
• Anti-disassembly
2

3. Agenda
3
▪ Flare-On introduction
▪ Reverse engineering 101
▪ Concepts & examples
• PE file format
• Base-64 encoding
• Simple encryption
• Hashing
• Anti-analysis
▪ Conclusion

4. Why CTFs?
▪ Exposure to old and new concepts
▪ Keeps your skills honed
▪ Get 1337 street cred and lots of “flair”
4

5. Flare-On Challenge
5
▪ Annual challenge hosted by FireEye’s FLARE team
▪ Challenges focus on reverse-engineering core concepts
▪ 10 levels, increasing in difficulty
▪ This year there were 124 finishers out of 2,063 participants

6. 6
# B64 XOR RC4 Hash Anti-* Obfuscation .Net JS PE
Format
Memory
Carving
Go Flash Python
Exe
16-bit
1
2
3
4
5
6
7
8
9
10
Challenges

7. Agenda
7
▪ Flare-On introduction
▪ Reverse engineering 101
▪ Concepts & examples
• PE file format
• Base-64 encoding
• Simple encryption
• Hashing
• Anti-analysis
▪ Conclusion

8. Reverse Engineering 101
● Prereq is some assembly (x86, x64, ARM)
● Your best friend: IDA
○ Your disassembler of choice
○ Your debugger of choice
● Different analysis strategies
○ “top-down”
○ “bottom-up”
● Dance between static & dynamic analysis
8

9. RE 101: Analysis Strategy
● Top-down
○ Start at beginning function (main) and work your way down
● Bottom-up
○ Start at an interesting code block and work your way up
9
Bottom
Up
Down
Top
End
Start

10. Light
● Running strings
● Viewing imports
● Viewing resources
● Checking entropy
● Checking if known packer
Deep
● IDA Pro
● Label code/data
● Derive functionality
● Rename functions
appropriately
RE 101: Light vs Deep Static Analysis
10

11. Light
● Running the executable in a
sandboxed VM
● Observe general behavior
● Using Process Monitor (ProcMon)
and Process Explorer (ProcExp)
Deep
● Running the executable with a
debugger attached
● Setting appropriate breakpoints
● Observing how different registers
and values are affected by function
calls and instructions
RE 101: Light vs Deep Dynamic Analysis
11

12. Analysis Feedback Loop
12
Static Analysis Dynamic Analysis

13. Agenda
13
▪ Flare-On introduction
▪ Reverse engineering 101
▪ Concepts & examples
• PE file format
• Base-64 encoding
• Simple encryption
• Hashing
• Anti-analysis
▪ Conclusion

14. 14
# B64 XOR RC4 Hash Anti-* Obfuscation .Net JS PE
Format
Memory
Carving
Go Flash Python
Exe
16-bit
1
2
3
4
5
6
7
8
9
10
Challenges

15. File Type
● Recognize via “magic bytes” typically at beginning
● From type can derive file format
● 4D 5A == “MZ” magic bytes specify PE File Format
15

16. PE File Format
▪ Lots of info, yuge.
16

17. PE File Format
Imports
● functions imported from external libraries
Exports
● functions exported to be called by other programs
Sections
● different areas of the executable, each with a different purpose
○ .code/.text
○ .data/.rdata
○ .rsrc
MS-DOS Header
● Ensures backwards compatibility 32/64-bit on 16-bit DOS
17

18. Import Hints - What can it do?
▪ FindFirstFileW
▪ FindNextFileW
▪ GetVolumeInformationA
▪ GetVersionExW
▪ CryptCreateHash
▪ CryptHashData
▪ CryptGetHashParam
18
▪ SetWindowsHook
▪ Get(Async)KeyState
▪ CryptDeriveKey
▪ CryptEncrypt
▪ WSAStartup
▪ send
▪ recv

19. Import Hints - What can it do?
File enumeration
▪ FindFirstFileW
▪ FindNextFileW
System fingerprinting
▪ GetVolumeInformationA
▪ GetVersionExW
Perform hashing
▪ CryptCreateHash
▪ CryptHashData
▪ CryptGetHashParam
19
Key Logging
▪ SetWindowsHook
▪ Get(Async)KeyState
Use of encryption
▪ CryptDeriveKey
▪ CryptEncrypt
Network Capabilities
▪ WSAStartup
▪ send
▪ recv

20. Import Hints - What can it do?
File enumeration
▪ FindFirstFileW
▪ FindNextFileW
System fingerprinting
▪ GetVolumeInformationA
▪ GetVersionExW
Perform hashing
▪ CryptCreateHash
▪ CryptHashData
▪ CryptGetHashParam
20
Key Logging
▪ SetWindowsHook
▪ Get(Async)KeyState
Use of encryption
▪ CryptDeriveKey
▪ CryptEncrypt
Network Capabilities
▪ WSAStartup
▪ send
▪ recv

21. DudeLocker.exe
21
▪ Challenge #2
▪ By examining the PE format
• File enumeration
• Read/Write files
• Use of encryption
• Ransom note in .rsrc section

22. MSDOS Header
▪ PE binaries can be run in 3 modes
• 64-bit mode
• 32-bit mode
• 16-bit mode
▪ When a 32-bit or 64-bit PE is run in 16-bit mode, typical msg displayed:
• “This program cannot be run in DOS mode”
▪ DOS Stub program
• After the DOS header
• Run using debug.exe (32-bit only)
• Run using DOSBox emulator
22

23. MSDOS Header
Challenge #8, see anything interesting?
23
Double negative...

24. MSDOS Stub Code: Normal
24
Normal DOS stub program
▪ Prints out string
▪ Exits

25. MSDOS Stub Code: Modified
25
DOS stub program disassembled from Challenge #8

26. MSDOS Header: Modified
26

27. Agenda
27
▪ Flare-On introduction
▪ Reverse engineering 101
▪ Concepts & examples
• PE file format
• Base-64 encoding
• Simple encryption
• Hashing
• Anti-analysis
▪ Conclusion

28. 28
# B64 XOR RC4 Hash Anti-* Obfuscation .Net JS PE
Format
Memory
Carving
Go Flash Python
Exe
16-bit
1
2
3
4
5
6
7
8
9
10
Challenges

29. Why base64?
▪ Base64 allows transportation of binary data over non-binary protocols
• HTTP/HTTPS via GET/POST
• SMTP
• Chat Protocols
▪ Malware needs to communicate to C2 nodes
• Data exfiltration
• Commands
• Next stage payloads
▪ Easy obfuscation
• Powershell commands
29

30. Base64 Encoding
▪ Essentially a substitution cipher
▪ Typical alphabet:
• A-Za-z0-9+/=
• ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
▪ Telltale sign of base64
30

31. Base64 Encoding: Internals
31
H i !
0 1 0 0 1 0 0 0 0 1 1 0 1 0 0 1 0 0 1 0 0 0 0 1
18 6 36 33
S G k h
Input
Bit Stream
Index
Base64-Encoded
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
186 3633
Alphabet
lookup:

32. Challenge #1, what’s going on?
Base64, hmmm...
32
x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q
Çgm$C¦Ê6.Ä7¦Çg.Í>U/_UA¯Y;.Z;.Æ4jËn+Wojdecodes

33. Custom Alphabet
Custom alphabet:
ZYXABCDEFGHIJKLMNOPQRSTUVWzyxabcdefghijklmnopqrstuvw0123456789+/
33
x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q
Çgm$C¦Ê6.Ä7¦Çg.Í>U/_UA¯Y;.Z;.Æ4jËn+Woj
x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q
sh00ting_phish_in_a_barrel@flare-on.com
Typical alphabet:
Custom alphabet:
decodes
decodes

34. MiniDuke (APT29)
▪ System survey:
• Victim ID
• Country code
• ComputerName/%USERDOMAIN%
• OS major, minor, service pack major, product type, architecture (32/64bit)
• Antivirus list
• Proxy list
• Version of the malicious sample
▪ All values are separated with ”|”
34

35. MiniDuke (APT29) cont.
▪ http://[site].com/index.php?a=MjIzMTQyMzkzM3xST3xIT01FL0hPTUV8NXwxfD
N8MXwwfC18LXwyLjEy&g=MjIzMTQyM
▪ MjIzMTQyMzkzM3xST3xIT01FL0hPTUV8NXwxfDN8MXwwfC18LXwyLjEy
• 2231423933 | RO | HOME/HOME | 5 | 1 | 3 | 1 | 0 | - | - | 2.12
▪ MjIzMTQyM
• 2231424
• CRC modulo 13D455h of the above encoded string
35

36. Agenda
36
▪ Flare-On introduction
▪ Reverse engineering 101
▪ Concepts & examples
• PE file format
• Base-64 encoding
• Simple encryption
• Hashing
• Anti-analysis
▪ Conclusion

37. 37
# B64 XOR RC4 Hash Anti-* Obfuscation .Net JS PE
Format
Memory
Carving
Go Flash Python
Exe
16-bit
1
2
3
4
5
6
7
8
9
10
Challenges

38. Simple Encryption
▪ XOR
• Symmetric
• Key can be 1 or more bytes
▪ RC4
• Stream Cipher
• Uses a key to generate a keystream
• Uses keystream to XOR the plaintext
38

39. XOR
▪ Exclusive OR
• Typically what the english ‘or’ means.
• You can have one or the other, but not both.
▪ Interesting properties:
• A ⊕ A = 0
• A ⊕ 0 = A
• A ⊕ B ⊕ A =
(A ⊕ A) ⊕ B =
0 ⊕ B = B
39

40. XOR (cont.)
▪ Examples:
• Key ⊕ Plaintext = Ciphertext
• Key ⊕ Ciphertext = Plaintext
▪ Great for encoding:
• C2 data
• Strings
• Constants
▪ Malware writers LOVE it due to its simplicity
40

41. XOR Drawbacks
▪ Key can be brute forced if length is short
▪ Known plaintext attack (KPT)
• Plaintext ⊕ Ciphertext = Key
▪ Inverse algorithm
• Algorithm( Plaintext ) = Ciphertext
• Inverse_Algorithm( Ciphertext ) = Plaintext
41

42. Rolling XOR Algorithm
H e l l o W o r l d !
48 65 6c 6c 6f 20 57 6f 72 6c 64 21
8d 65 6c 6c 6f 20 57 6f 72 6c 64 21
8d e8 6c 6c 6f 20 57 6f 72 6c 64 21
8d e8 84 6c 6f 20 57 6f 72 6c 64 21
8d e8 84 e8 6f 20 57 6f 72 6c 64 21
8d e8 84 e8 87 20 57 6f 72 6c 64 21
8d e8 84 e8 87 a7 57 6f 72 6c 64 21
8d e8 84 e8 87 a7 f0 6f 72 6c 64 21
8d e8 84 e8 87 a7 f0 9f 72 6c 64 21
8d e8 84 e8 87 a7 f0 9f ed 6c 64 21
8d e8 84 e8 87 a7 f0 9f ed 81 64 21
8d e8 84 e8 87 a7 f0 9f ed 81 e5 21
8d e8 84 e8 87 a7 f0 9f ed 81 e5c4
8d e8 84 e8 87 a7 f0 9f ed 81 e5 c4
42
C5 ^
Ciphertext:
Plaintext:Challenge #8

43. Rolling XOR Inverse-Algorithm
43
8d e8 84 e8 87 a7 f0 9f ed 81 e5 c4
8d e8 84 e8 87 a7 f0 9f ed 81 e5c4
8d e8 84 e8 87 a7 f0 9f ed 81 e521
8d e8 84 e8 87 a7 f0 9f ed 81 64 21
8d e8 84 e8 87 a7 f0 9f ed 6c 64 21
8d e8 84 e8 87 a7 f0 9f 72 6c 64 21
8d e8 84 e8 87 a7 f0 6f 72 6c 64 21
8d e8 84 e8 87 a7 57 6f 72 6c 64 21
8d e8 84 e8 87 20 57 6f 72 6c 64 21
8d e8 84 e8 6f 20 57 6f 72 6c 64 21
8d e8 84 6c 6f 20 57 6f 72 6c 64 21
8d e8 6c 6c 6f 20 57 6f 72 6c 64 21
8d 65 6c 6c 6f 20 57 6f 72 6c 64 21
48 65 6c 6c 6f 20 57 6f 72 6c 64 21
48 65 6c 6c 6f 20 57 6f 72 6c 64 21
H e l l o W o r l d !
Ciphertext:
Plaintext:
C5 ^
Challenge #8

44. RC4
44
Key-scheduling algorithm (KSA)
for i from 0 to 255
S[i] := i
endfor
j := 0
for i from 0 to 255
j := (j + S[i] + key[i mod keylength]) mod 256
swap values of S[i] and S[j]
endfor
Pseudo-random generation algorithm (PRGA)
i := 0
j := 0
while GeneratingOutput:
i := (i + 1) mod 256
j := (j + S[i]) mod 256
swap values of S[i] and S[j]
K := S[(S[i] + S[j]) mod 256]
output K
endwhile

45. RC4
▪ Telltale RC4 signs:
• Contains a loop with 0x100 as counter
∙ Fills an array with all numbers 0-255
• Swap bytes in array
• XORs follow later
45
Key-scheduling algorithm (KSA)
for i from 0 to 255
S[i] := i
endfor
j := 0
for i from 0 to 255
j := (j + S[i] + key[i mod keylength]) mod 256
swap values of S[i] and S[j]
endfor
Pseudo-random generation algorithm (PRGA)
i := 0
j := 0
while GeneratingOutput:
i := (i + 1) mod 256
j := (j + S[i]) mod 256
swap values of S[i] and S[j]
K := S[(S[i] + S[j]) mod 256]
output K
endwhile

46. Agenda
46
▪ Flare-On introduction
▪ Reverse engineering 101
▪ Concepts & examples
• PE file format
• Base-64 encoding
• Simple encryption
• Hashing
• Anti-analysis
▪ Conclusion

47. 47
# B64 XOR RC4 Hash Anti-* Obfuscation .Net JS PE
Format
Memory
Carving
Go Flash Python
Exe
16-bit
1
2
3
4
5
6
7
8
9
10
Challenges

48. Hashing
▪ Hash is a one function
• hash_function( data ) = hash
▪ Takes arbitrary sized input data
▪ Produces a fixed-length string
• Called the ‘hash’ of the data
48
▪ Typical hash functions
• MD5
• SHA1
• SHA256
• SHA512
▪ Custom hash function
• ROR 13

49. ▪ Lots of constants
• Initialization constants
• Round constants
▪ SHA1
• 0xC3D2E1F0
• 0x67452301
• 0xEFCDAB89
• 0x98BADCFE
• 0x10325476
Hashing - Recognizing
49
SHA1 function from MiniDuke

50. ▪ Malware will sometime hide them
• Inverse constant (2’s complement)
• Split constant into two parts, add/subtract to combine prior to use
▪ Challenge #5
• Modified MD5 using different constants
Hashing: How to hide constants
50
▪ 0xd76aa478
▪ 0xe8c7b756
▪ 0x242070db
▪ 0xc1bdceee
▪ 0x76aad478
▪ 0x8c7be756
▪ 0x420720db
▪ 0x1bdcceee
Nibble shifted right

51. Hashing - ROR13
unsigned int __stdcall hash(char* string)
{
__asm
{
mov esi, string;
xor edi, edi;
xor eax, eax;
cld;
next:
lodsb;
test al, al;
jz done;
ror edi, 0xd;
add edi, eax;
jmp next;
done:
mov eax, edi;
};
}
51
0xd == 13
▪ Represent string as 32-bit integer
▪ Dynamically resolve imports
▪ Parse a loaded DLL’s export table
• DLL name hash
• Import name hash

52. ▪ Verify key/passwords
• Hash user’s input and compare to stored hash
▪ Challenge #7 needed bruteforce triple SHA1 hashes
• SHA1( SHA1( SHA1( data ) ) )
▪ Narrow keyspace
• 6 characters in length
• Possible values:
∙ abcdefghijklmnopqrstuvwxyz@-._1234
Hashing - Other uses?
52

53. ▪ Check your own code for modification
• Software breakpoints (0xCC)
▪ Anti-Analysis
• PowerDuke checks its filename length to known hash lengths
Hashing - Other uses?
53

54. Agenda
54
▪ Flare-On introduction
▪ Reverse engineering 101
▪ Concepts & examples
• PE file format
• Base-64 encoding
• Simple encryption
• Hashing
• Anti-analysis
▪ Conclusion

55. 55
# B64 XOR RC4 Hash Anti-* Obfuscation .Net JS PE
Format
Memory
Carving
Go Flash Python
Exe
16-bit
1
2
3
4
5
6
7
8
9
10
Challenges

56. Anti-Analysis Techniques
▪ Malware authors employ
techniques to thwart analysts
• Anti-disassembly
• Anti-debugging checks
• Anti-VM checks
• Obfuscation
▪ Analysts use own methods to bypass
these anti-analysis techniques
56

57. Javascript Obfuscation
57

58. Challenge #10
58
Manual decoding

59. Packers
▪ Program that compresses original binary,
making the original code unreadable
▪ Common examples
• UPX
• ASPack
• tElock
▪ Identify use of packer
• PEiD
• strings
• Lack of imports
• Entropy
• Executing code in a new memory segment
▪ How to deal with them
• Use an unpacking tool
• Manually unpack
59
Unpacking a UPX packed executable

60. Packer Stub: Challenge #8
60
Unpacking or
decoding Stub
Decodes to...
Encoded Decoded

61. Anti-Disassembly
▪ Technique that takes advantage of the assumptions made by disassemblers
so that they can not properly decode instructions
▪ How to:
• Add extra/junk bytes to trick the disassembler into disassembling at the
wrong offset
• Add data directly in .code/.text section
• Jump into the middle of another instruction
61

62. Anti-Disassembly: Challenge #8
62
Fake call to throw
off disassembler
Incorrect
disassembly!

63. Anti-Disassembly: Challenge #8
63
+1 gives it away

64. Tricking Flow-Oriented Disassemblers
▪ Flow oriented disassembly algorithm
• Follows jumps and branches to continue
disassembling
• Has to make assumptions and choices
• Calls
∙ Most will process bytes
immediately after call first
• Conditional branches
∙ Most will process the false branch
first
64
From Practical Malware Analysis by
Michael Sikorski and Andrew Honig

65. Tricking Flow-Oriented Disassemblers
65
From Practical Malware Analysis by Michael Sikorski and Andrew Honig
Data interpreted as instructions!

66. MiniDuke (APT29)
▪ Early samples embed
strings directly in code
section
▪ Later samples XOR
encrypted strings to
make it less obvious
66

67. Anti-Debugging & Anti-VM Checks
▪ Checks to determine whether the binary is being run in a VM or not
▪ Malware will often hide functionality if it detects it is being run in a VM
▪ Common winapi debugger checking functions
• IsDebuggerPresent
• NtQueryInformationProcess
▪ Common structures checked
• ProcessHeap flag
• NTGlobalFlag
67

68. Agenda
68
▪ Flare-On introduction
▪ Reverse engineering 101
▪ Concepts & examples
• PE file format
• Base-64 encoding
• Simple encryption
• Hashing
• Anti-analysis
▪ Conclusion

69. Conclusion
▪ Basic concepts still apply when reversing more complex targets
• From low-level malware all the way to APTs
▪ Many more RE tips and tricks exist
• Defining structs
• Writing IDAPython scripts
• Using symbolic execution to maximize code coverage and solve
constraints
• etc...
▪ Do CTFs/challenges!
• Better to learn by doing, than to just read theory
• CTFs allow you to immerse yourself in RE concepts very quickly
69

70. 70
# B64 XOR RC4 Hash Anti-* Obfuscation .Net JS Exports/
Imports
Memory
Carving
Go Flash Python
Exe
16-bit
1
2
3
4
5
6
7
8
9
10
Challenges

71. Questions?
▪ @MalwareMechanic
▪ @rh0gue
71
Awesome Links:
● https://www.endgame.com/blog/dude-wheres-my-ransomware-flare-challenge
● https://www.endgame.com/blog/0-31337-real-quick-lessons-learned-reversing-fl
are-challenge

72. Links
● https://en.wikipedia.org/wiki/Portable_Executable
● http://algo-visualizer.jasonpark.me/
● https://pbs.twimg.com/profile_images/1109177749/Icon_1_400x400.png
● http://cdn.pcwallart.com/images/tip-of-the-iceberg-titanic-wallpaper-2.jpg
● https://ih0.redbubble.net/image.174516575.5882/flat,800x800,075,f.jpg
● https://labs.bitdefender.com/wp-content/uploads/downloads/2013/04/MiniDuke_Paper_Final.pdf
● https://img.washingtonpost.com/rf/image_480w/2010-2019/WashingtonPost/2017/02/17/Style/Images
/Trump_31494.jpg-90377-3723.jpg?uuid=4Rkv_PVfEeapsOzufOR1_A
● http://reactiongifs.me/wp-content/uploads/2014/06/reading-ikea-intructions-big-lebowski-confused.gif
● http://dbclipart.com/check-mark-clip-art-image-18631/
● https://www.fireeye.com/blog/threat-research/2012/11/precalculated-string-hashes-reverse-engineerin
g-shellcode.html
72

73. Extra
73

74. MiniDuke (APT29)
▪ C2 callout data is already encrypted using CRC32 checksum of code
• Makes sure no software breakpoints are set (0xCC)
▪ Use computer specific details to XOR encrypt the C2 callout data on startup
• Makes it forensically difficult to retrieve C2 callout data if attempting to run
sample on a different machine
▪ Subject to known plaintext attack!
74

75. Simplified Example
▪ Encoded C2 data:
▪ C2 data usually have a callout URL
• http://
• https://
• www.
• .com
• ?=
75
00000000 0c 11 15 14 58 4a 4a 11 13 12 4f 10 15 0c 11 12 |....XJJ...O.....|
00000010 01 17 4f 07 0d 08 4a |..O...J|

76. Simplified Example
▪ XOR encoded data with ‘http’
▪ ‘dead’ is potential key, XOR with encoded data
▪ ‘://w’ is next known plaintext
76
00000000 68 74 74 70 3c 2f 2b 75 77 77 2e 74 71 69 70 76 | http</+uww.tqipv|
00000010 65 72 2e 63 69 6d 2b | er.cim+|
00000000 64 65 61 64 30 3e 3e 61 7b 66 3b 60 7d 78 65 62 | dead0>>a{f;`}xeb|
00000010 69 63 3b 77 65 7c 3e |ic;we|>|

77. Simplified Example
▪ XOR encoded data with ‘://w’
▪ ‘beef’ is potential key, XOR with encoded data
▪ Key is ‘deadbeef’, XOR with encoded data
77
00000000 36 3e 3a 63 62 65 65 66 29 3d 60 67 2f 23 3e 65 |6>:c beef)=`g/#>e|
00000010 3b 38 60 70 37 27 65 |;8`p7'e|
00000000 6e 74 70 72 3a 2f 2f 77 71 77 2a 76 77 69 74 74 |ntpr://wqw*vwitt|
00000010 63 72 2a 61 6f 6d 2f |cr*a om/|
00000000 68 74 74 70 3a 2f 2f 77 77 77 2e 74 77 69 74 74 |http://www.twitt|
00000010 65 72 2e 63 6f 6d 2f |er.com/|