malware
2022
reversing
TeamT5
2021 winter security camp
去年(2021) 獲選參加 TeamT5 的寒假資安培訓營,收穫豐富。過了一年,想說複習之前學習的逆向惡意程式內容,也順手做紀錄。為了練習英文寫作,所以接下來都是使用英文書寫,請大家包含。如果想看中文的話,也歡迎搭配其他參加大大的技術分析文章 。
For educational usage binary
After unzipping the zip file, you are good to execute the binary.
17.1
with Windows 10
in it7.6
v3.03
9.27
Version: Nov 26 2019
Version 3.4.2
v5.0.20211.51073
IDA Pro has two friendly configurations that makes our analysis much more comfortable.
After these two configurations, we are good to go!
After executing the binary, we can see a message box pop up. We can see a string from the console message that says, I am so sorry, you failed! :(
. The string is the exact spot we start our journey! Besides that, we know the flag format is flag{...}
.
Dragging the binary to the IDA Pro, let's start the analysis.
Now let's observe the path where it shows, I am so sorry, you failed! :(
. To avoid this path, let's see why it chooses this failing path? From the image below, we can find out that at (1) it call sub_4014F0
, at (2) test al, al
, and at (3) jnz loc_4019A5
which results in the failing path at (4). From calling convention, we know that al
derives from sub_4014F0
and al=0
leads to the failing path. Hence let's examine this function and see what happened inside.
In sub_4014F0
, we can see that there is a comparison if sub_403380
equals 0x3B47B2E6
. If the answer is yes, we can go to the correct path at [5]. Besides that, we can find out that szUrl
is passed to the first argument of sub_403380
. By making the educated guess, the goal of solving the problem could be filling szUrl
with the correct value as the input and validating the comparison.
And thus, let's find out the reference of szUrl
.
By pressing x
in IDA Pro, we can get the references of szUrl
. From the image below, at [2] is where we press the x
of szUrl
. At [1] is the place where szUrl
comes from. Finally, at [3] is where szUrl
is being used.
Let's first examine [3], we can see szUrl
is setted as an argument of function sub_4033D0
It's time to check function sub_4033D0
, we can see that szUrl
is one of the arguments of InternetOpenUrlA
the esi register dervives from the argument of sub_4033D0
which szUrl
comes from
From docs-ms-InternetOpenUrlA, it is documented that the lpszUrl
is A pointer to a null-terminated string variable that specifies the URL to begin reading. Only URLs beginning with FTP:, HTTP:, or HTTPS: are supported.
To keep it simple, these functions open an URL.
Seeing the following code in sub_4033D0
, we can determine that InternetReadFile
is called.
hFile
is an Handle returned from a previous call to InternetOpenUrl, FtpOpenFile, or HttpOpenRequest
.So if we can confirm that the result of output from InternetOpenUrlA
is passed through InternetReadFile
's first argument, we can ensure that the binary will download some contents from the szUrl
.
And the answer is yes!
Let's examine [1] where szUrl
comes from.
From the image below, we can see that szUrl
is one of the arguments of sub_4031C0
Let's rely on the decompilation of IDA Pro. We can figure out that szUrl
is part of the CryptDecrypt
function
szUrl
is served as pbData
pbData
: A pointer to a buffer that contains the data to be decrypted. After the decryption has been performed, the plaintext is placed back into this same buffer.
We can guess from the info we get that szUrl
must be decrypted. After the decryption of the URL, the binary will request the URL. Eventually, the binary will download some content from the URL.
We know from the image below that CryptHashData
is called to create a hash from the binary passes.
The pbData
derives from the key_buf
, the fourth argument of sub_4031C0
.
This hash's importance is because it will derive the decryption key (which will be used to decrypt the szUrl
) at CryptoDerivekEY
later.
Now, let's find out where the key_buf
is referenced. From the image below, we can see at least nine places key_buf
is referenced
The key_buf
is mangled at nine places before activating the decryption. So to protect the integrity of the key_buf
, we have to enter each function and patch any branch that will violate the content of key_buf
. And that means we have to fix nine functions.
There are several methods to patch the binary, you can either use PE-bear to patch (like the author of this binary does), or you can patch it by x32dbg which I prefer the latter one.
Nine addresses to patch
The result of patching:
It shows that You are on the right track!
at the console with the popup Nope :(
Start the Wireshark and start to monitor the network. We can find that the binary is trying to query pastebin.com
and downloading data from the website (we already know from static analysis).
To ensure 104.23.99.190
is the IP of pastebin.com
, we can dig pastebin.com
and confirm that's true.
To see the encrypted data, you have to enable the decrypt HTTPs options in Fiddler
which we get the complete url pastebin.com/raw/9FugFa91
The downloaded content
Although we obtain the contents from the URL, we still fail to continue running the binary. So let's dive down to static analysis and reveal what the binary does afterward.
Let's focus on the string Nope :(
and xrefs
it. It's referenced at funciton sub_401690
Let's discover function sub_401690
and see the secret inside.
There are four processes in function sub_401690
. It's worthy of analyzing this function dynamically with x32dbg.
We can get the key malwarebytes
from the dump data while there are a bunch of empty spaces in this binary. (reason: malwarebytes xor 0 = malwarebytes
)
MZ
which will be validated later. This is the stage2.exe
binary, and we can dump the binary from x32dbg with offset 0xE400
from the start of address 0x752e40
.Right-click the .text section -> Find in Dump -> Address: EDI
0xE400
?
00E4
(in little Endian) and we convert it to E400
This is the message I got from the second PE.
Bypass the two following branches, and we can get the shellcode injected later.
The dump data we get will be served as shellcode. It comes from the address 0x2fe000
savedata
function: savedata file-directory,start address,offset
Scylla
Use PE-bear to inject the shellcode back to stage.exe
. This is impressive when I see the author's instruction video
stage2.exe
.shellcode
is added to stage2.exe
section.e0
This is an interesting binary to learn Windows API, patch binary, static/dynamic analysis, dump data with x32dbg, and injecting shellcode to process.
cmp A B => A - B to see if they are the same
A = B
=> ZF=1
test eax eax => eax AND eax to see if they are the same
eax = 0
=> ZF=1
Zero flag: if the result equals 0 ZF=1
e.g. cmp 100 100 => results in 0 => ZF=1 => JZ will be taken (which is same as JE)
JE
equals JZ
JE
: Jump if cmp is equalJZ
: Jump if Zeroxor:
xor eax eax
equals mov eax, 0
but with shorter opcode