- First I wanted to know what type of file it was, so I ran the file command against it:
ubuntu@nu11byt3s:/mnt/malware-repo/flare$ file i_am_happy_you_are_to_playing_the_flareon_challenge.exe
i_am_happy_you_are_to_playing_the_flareon_challenge.exe: PE32 executable (console) Intel 80386, for MS Windows
- Good, it seems it's a Windows binary, so I went ahead and ran it to see what it was like:
- It seems this binary performs some authentication, possibly related to the key. So let's open the binary in IDA Pro and see how it looks in there:
- The section above illustrates the part of the program that processes the input. The input is saved at byte_402158 after the call to ReadFile executes. The next instruction is an xor that zeroes out ecx, and after the xor there is a section that looks like an encoding routine. Let's take a closer look:
Looking at the loc_40104D region, the program moves a byte from the byte_402158 region into the lower byte of eax (AL), then XORs it with the value 0x7D. The XORed AL value is then compared with a byte located at byte_402140 (indexed by ecx). If the comparison succeeds it increments ecx by one, checks whether ecx is 24, and if not jumps back to the beginning of the loop. Once the loop reaches 24 it falls through to the section that prints "you are success".
After this analysis I opened the binary in Immunity Debugger and placed a breakpoint on the xor operation described above. Once I had entered the input (I used "AAAA"), I located the key by right-clicking the following instruction -> Follow in Dump -> Address constant on [ECX+402140]:
00401055 |. 3A81 40214000 |CMP AL,BYTE PTR DS:[ECX+402140]
This automatically shows the location where the encoded key resides, as well as the data from your input. See below:
As we can see, our encoded key covers 24 bytes starting from address 00402140. I then created an Immunity plugin to acquire the key. See the script in action below:
I called my plugin myplugin. It takes two parameters: the first is the start address of the key, the second is the end address of the key. See the source code below:
#!/usr/bin/python
# Immunity Debugger PyCommand: read the XOR-encoded key out of the debuggee's
# memory and decode it by XORing every byte with 0x7D.
import immlib

imm = immlib.Debugger()

def usage():
    imm.log("Usage: !myplugin [startingaddr] [endingaddr]")

def main(args):
    key = list()
    if len(args) < 2:
        usage()
        return "missing arguments"
    startingAddr = int(args[0], 16)
    endingAddr = int(args[1], 16)
    numBytes = endingAddr - startingAddr            # end address is exclusive
    for i in range(numBytes):
        memchar = imm.readMemory(startingAddr + i, 1)   # one raw byte from the debuggee
        memchar = chr(ord(memchar) ^ 0x7d)              # undo the XOR with 0x7D
        key.append(memchar)
    imm.log("key is %s" % ("".join(key)))
    return "key was found ^_^"
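To make the loop from the disassembly and the plugin's inversion of it concrete, here is an added stand-alone example that is not from the original post and not the Immunity plugin above: check_input emulates the loop at loc_40104D (XOR each input byte with 0x7D and compare it with the table at 0x402140), and recover_key inverts it offline the way the plugin does in memory. The table bytes are constructed from a placeholder 24-byte string, since the real key is not reproduced in the post, and the function names are mine.

```python
# Added example: emulate the check loop from the disassembly and invert it.
# The table bytes below are CONSTRUCTED from a placeholder, not the real key.

XOR_CONST = 0x7D            # value XORed into AL at loc_40104D
KEY_LEN = 24                # number of table bytes compared, as stated in the post


def encode_table(plaintext_key):
    """Build the table the binary keeps at byte_402140 (constructed helper)."""
    return bytes(b ^ XOR_CONST for b in plaintext_key)


def check_input(user_input, table):
    """Emulate the loop: ecx = 0; (input[ecx] ^ 0x7D) must equal table[ecx];
    the first mismatch fails, reaching ecx == KEY_LEN succeeds."""
    if len(user_input) < KEY_LEN:
        # The real binary would compare whatever is left in the ReadFile
        # buffer; here a short input is simply treated as a mismatch.
        return False
    for ecx in range(KEY_LEN):
        al = user_input[ecx] ^ XOR_CONST
        if al != table[ecx]:
            return False
    return True


def recover_key(table):
    """Invert the check: XOR is its own inverse, so table[i] ^ 0x7D is key[i]."""
    return bytes(b ^ XOR_CONST for b in table[:KEY_LEN])


# Constructed placeholder standing in for the real 24-byte key at 0x402140.
PLACEHOLDER_KEY = b"placeholder_key_24bytes!"
TABLE = encode_table(PLACEHOLDER_KEY)


def demo():
    """Return (recovered key, result for 'AAAA...', result for the recovered key)."""
    key = recover_key(TABLE)
    return key, check_input(b"A" * KEY_LEN, TABLE), check_input(key, TABLE)


if __name__ == "__main__":
    key, wrong, right = demo()
    print("recovered key:", key.decode())
    print("AAAA... accepted:", wrong)
    print("recovered key accepted:", right)
```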
Thank you for reading and see you next time.