Challenge #03 Solutions:
Filename: greek_to_me.exe
Analysis:
This file is quite interesting because the key it waits for in order to solve the flag arrives on a port it opens and listens on locally.
The file contains 4 functions, including the OEP of the file, namely:
0x00401000 – entry point of the file
0x00401008 – start of the code
0x00401121 – the function that listens on the open port on localhost (127.0.0.1) and accepts the key
0x004011E6 – the validation function
First, the file sets up a socket and opens port 2222 on localhost (127.0.0.1), where it listens and waits for the BYTE key used to decrypt the (dynamic) code in its body.
Fig 1: setting up the port on the local host
Once you send the byte to the listening port, it sends back a success or failure message through that socket. Example (using the internetmaniac.exe tool):
Fig 2: sample message
In the validation function, the first thing it does is decrypt its dynamic code using the byte it received on the listening port. Then it calls the function 0x004011E6, which takes 2 parameters (sizeof_enc_code & enc_code_VA).
Fig 4: validation function
In short, the function computes a hash over the 0x79 bytes of dynamic code after they have been decrypted with the BYTE sent to port 2222, then checks whether the hash equals 0xFBE5.
So first I gathered the dynamic bytes and put them in a list:
enc_data = [0x33, 0xE1, 0xC4, 0x99, 0x11, 0x06, 0x81, 0x16, 0xF0, 0x32, 0x9F, 0xC4, 0x91, 0x17, 0x06, 0x81,
0x14, 0xF0, 0x06, 0x81, 0x15, 0xF1, 0xC4, 0x91, 0x1A, 0x06, 0x81, 0x1B, 0xE2, 0x06, 0x81, 0x18,
0xF2, 0x06, 0x81, 0x19, 0xF1, 0x06, 0x81, 0x1E, 0xF0, 0xC4, 0x99, 0x1F, 0xC4, 0x91, 0x1C, 0x06,
0x81, 0x1D, 0xE6, 0x06, 0x81, 0x62, 0xEF, 0x06, 0x81, 0x63, 0xF2, 0x06, 0x81, 0x60, 0xE3, 0xC4,
0x99, 0x61, 0x06, 0x81, 0x66, 0xBC, 0x06, 0x81, 0x67, 0xE6, 0x06, 0x81, 0x64, 0xE8, 0x06, 0x81,
0x65, 0x9D, 0x06, 0x81, 0x6A, 0xF2, 0xC4, 0x99, 0x6B, 0x06, 0x81, 0x68, 0xA9, 0x06, 0x81, 0x69,
0xEF, 0x06, 0x81, 0x6E, 0xEE, 0x06, 0x81, 0x6F, 0xAE, 0x06, 0x81, 0x6C, 0xE3, 0x06, 0x81, 0x6D,
0xEF, 0x06, 0x81, 0x72, 0xE9, 0x06, 0x81, 0x73, 0x7C, 0x6a]
Then decrypt its code with each candidate byte in turn:
for a in range(0x100):          # try every possible key byte (0x00..0xFF)
    dec = []
    for i in enc_data:
        x = ((a ^ i) + 0x22) & 0xFF   # undo the stub's per-byte transform
        dec.append(x)
    # print(''.join(chr(c) for c in dec))
    x = [hex(i) for i in dec]
    print(x)
Then I created a function that does the hashing process of greek_to_me.exe.
Example output of my Python code: the right BYTE is 0xA2, which satisfies the hash.
This decrypts the encrypted code, which builds this string:
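The following is an added example, not the write-up author's script or anything from the challenge binary. It runs the same (byte ^ key) + 0x22 transform over the byte list above for every key and then recovers the string that the decrypted stub writes onto the stack. Because the page does not reproduce the binary's hash routine, the example does not compare a hash against 0xFBE5; instead it accepts a key only when the decrypted bytes parse cleanly as the handful of x86 instruction forms the decrypted stub is made of (mov bl/dl, imm8; mov [ebp+disp8], bl/dl; mov byte [ebp+disp8], imm8). That parsing rule is this example's own assumption, checked against the page's data for key 0xA2. Only the first 0x79 bytes of the list are used, since the text says the hash covers 0x79 bytes and the list carries one byte more.

```python
# Added example (not the write-up's code): brute-force the single-byte key and
# rebuild the stack string the decrypted stub constructs.

ENC = bytes([  # dynamic-code bytes exactly as listed in the write-up
    0x33, 0xE1, 0xC4, 0x99, 0x11, 0x06, 0x81, 0x16, 0xF0, 0x32, 0x9F, 0xC4, 0x91, 0x17, 0x06, 0x81,
    0x14, 0xF0, 0x06, 0x81, 0x15, 0xF1, 0xC4, 0x91, 0x1A, 0x06, 0x81, 0x1B, 0xE2, 0x06, 0x81, 0x18,
    0xF2, 0x06, 0x81, 0x19, 0xF1, 0x06, 0x81, 0x1E, 0xF0, 0xC4, 0x99, 0x1F, 0xC4, 0x91, 0x1C, 0x06,
    0x81, 0x1D, 0xE6, 0x06, 0x81, 0x62, 0xEF, 0x06, 0x81, 0x63, 0xF2, 0x06, 0x81, 0x60, 0xE3, 0xC4,
    0x99, 0x61, 0x06, 0x81, 0x66, 0xBC, 0x06, 0x81, 0x67, 0xE6, 0x06, 0x81, 0x64, 0xE8, 0x06, 0x81,
    0x65, 0x9D, 0x06, 0x81, 0x6A, 0xF2, 0xC4, 0x99, 0x6B, 0x06, 0x81, 0x68, 0xA9, 0x06, 0x81, 0x69,
    0xEF, 0x06, 0x81, 0x6E, 0xEE, 0x06, 0x81, 0x6F, 0xAE, 0x06, 0x81, 0x6C, 0xE3, 0x06, 0x81, 0x6D,
    0xEF, 0x06, 0x81, 0x72, 0xE9, 0x06, 0x81, 0x73, 0x7C, 0x6A,
])
# The write-up says the hash covers 0x79 bytes; the list above has one more, so it is cut here.
CODE_LEN = 0x79


def decrypt(enc, key):
    """Apply the stub's per-byte transform: (byte ^ key) + 0x22, truncated to 8 bits."""
    return bytes(((b ^ key) + 0x22) & 0xFF for b in enc)


def decode_stack_string(code):
    """Parse the decrypted stub as a strict sequence of these encodings (assumption
    of this example, derived from the decrypted bytes for key 0xA2):
        B3 imm8           mov bl, imm8
        B2 imm8           mov dl, imm8
        88 5D disp8       mov [ebp+disp8], bl
        88 55 disp8       mov [ebp+disp8], dl
        C6 45 disp8 imm8  mov byte [ebp+disp8], imm8
    Return the bytes written to the stack, ordered by offset and cut at the first
    NUL, as text. Return None if any other byte sequence is met or the text is
    not printable ASCII."""
    stack, regs = {}, {}
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        if op in (0xB3, 0xB2) and i + 1 < n:            # mov bl/dl, imm8
            regs[op] = code[i + 1]
            i += 2
        elif op == 0x88 and i + 2 < n and code[i + 1] in (0x5D, 0x55):  # mov [ebp+d], bl/dl
            reg = 0xB3 if code[i + 1] == 0x5D else 0xB2
            if reg not in regs:                         # register used before it was set
                return None
            stack[code[i + 2]] = regs[reg]
            i += 3
        elif op == 0xC6 and i + 3 < n and code[i + 1] == 0x45:  # mov byte [ebp+d], imm8
            stack[code[i + 2]] = code[i + 3]
            i += 4
        else:
            return None
    out = bytearray()
    for off in sorted(stack):
        if stack[off] == 0:                             # NUL terminator of the stack string
            break
        out.append(stack[off])
    if not out or any(c < 0x20 or c > 0x7E for c in out):
        return None
    return out.decode("ascii")


def brute_force(enc=ENC, length=CODE_LEN):
    """Try every key byte; return [(key, string)] for keys whose decryption parses."""
    hits = []
    for key in range(0x100):
        s = decode_stack_string(decrypt(enc[:length], key))
        if s is not None:
            hits.append((key, s))
    return hits


if __name__ == "__main__":
    for key, s in brute_force():
        print("key 0x%02X -> %s" % (key, s))
```

The structural check is deliberately strict: a candidate key must turn every one of the 0x79 bytes into one of the five encodings, so it rejects all but one key without ever needing the binary's hash routine; the author's hash comparison against 0xFBE5 remains the way the binary itself decides.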
Fig 6: decrypted code
Fig 7: hidden flag
Fig 8: send success message