owned this note
owned this note
Published
Linked with GitHub
# NTU Malware Reverse HW 1 write up
###### tags: `NTU_MR` `Malware Reverse Engineering and Analysis` `NTU`
[TOC]
## Task 1
### Analyze the `Lab06-01.exe`
* What is the major code construct found in the only subroutine called by main?
Ans: It has only an if statement in the main function.
* What is the subroutine located at 0x40105F?
Ans: It’s just a `printf` function. At the beginning, I can not recognize this code block do exactly until I analyze the program behavior by using string side bar to search the specific string in the code.
* What is the purpose of this program?
Ans: This program’s main purpose is to check if the device connects the internet or not. If the variable returns true, it’ll print the string `Success: Internet Connection` on the command panel. Otherwise, it’ll show `Error 1.1: No Internet`.
## Task 2
### Analyze the `Lab06-02.exe`
* What operation does the first subroutine called by the main perform?
Ans: The main perform is called subroutine to check if the internet connection or not. If there is no internet, just return and do nothing, otherwise, continue to execute.
* What is the subroutine located at 0x40117F?
Ans: It’s a `printf` function.
* What does the second subroutine called by main do?
Ans:
* The second subroutine called by the main function is sub_401040 which is located at 0x401040. The main purpose of this block is to open the internet connection and get the web page information then close the internet handle at the end.
* According to the web page document, `InternetOpenA` function is the first `WinINet` function called by an application. It tells the Internet `DLL` to initialize internal data structures and prepare for future calls from the application. When the application finishes using the Internet functions, it should call `InternetCloseHandle` to free the handle and any associated resources. It’ll return a valid handle if true, otherwise, return null.
* According to the web page document, this function is a general function that an application can use to retrieve data over any of the protocols that `WinINet` supports. This function is especially useful when the application does not need to access the particulars of a protocol, but only requires the data corresponding to a URL. For instance, the URL provided by the author exists as a global variable though this page has nothing response but a 404 error. It’ll return a valid handle if true, otherwise, return null.
* According to the web page document, `InternetReadFile` function operates much like the base `ReadFile` function, with a few exceptions. Typically, `InternetReadFile` retrieves data from an `HINTERNET` handle as a sequential stream of bytes. It’ll return true if successful, or false otherwise.
* According to the web page document, `InternetCloseHandle` function terminates any pending operations on the handle and discards any outstanding data. And it returns TRUE if the handle is successfully closed, or FALSE otherwise.
* What type of code construct is used in this subroutine?
Ans: It’ll use character array to call `loc_40109D` function (`InternetReadFile`). If connection failed, it’ll print “Error 2.1: Fail to OpenUrl” and close the handle procedure.
* Are there any network-based indicators for this program?
Ans: There’re two network-based indicator in this program shown as below. The program also used `url` string and user agent string to set up the internet environment which shown as below as well.
* What is the purpose of this malware?
Ans: The main purpose of this block is to check the internet connection first and then open the internet connection to get the web page information if the connection success. Finally, close the internet handle and sleep one minute at the end.
## Task 3
### Analyze the `Lab06-03.exe`
* Compare the calls in main to `Lab6-2’s` main method. What is the new function called from this main?
Ans: The new function is called sub_401150 and it’ll do something based on what it get from the page.
* What parameters does this new function take?
Ans: It must have character `a1` as a case number and `LPCSTR` `lpExistingFileName` which is representing the name of an existing file.
* What major code construct does this function contain?
Ans: It contains a simple switch case structure to decide what it can do.
* What can this function do?
Ans: It can create a directory the in specified path, copy a file, delete a file, open the specified registry key, sleep 100 seconds, or print an error message by default.
* Are there any host-based indicators for this malware?
Ans: `Subkey` parameter and Data parameter can be host-based indicator in this malware.
## Task 4
### Analyze the `Lab06-04.exe`
* What is the difference between the calls made from the main method in `Lab6-3` and `6-4`?
Ans: In `Lab6-3`, the main block just executes one time if it got something from the domain name address. But in `Lab6-4`, there’s a for loop wrapping the main block to repeat it 1440 times.
* What new code construct has been added to the main?
Ans: There’s a for loop in the main block to execute the program repeatedly 1440 times.
* What is the difference between this lab’s parse HTML function and those of the previous labs?
Ans: In `Lab6-3`, it just accesses `Internet Explorer 7.5/pma` string to Windows API named `InternetOpenA`. But in `Lab6-4`, it connects character `a1` string which is generated by for loop looks like `Internet Explorer 7.50/pma%d`(%d is in which the parameter `a1` should be put).
* How long will this program run? (Assume that it is connected to the Internet)
Ans: Assume to ignore the internet checking time and ignore if statement checking time Assume executing time for case a is A second, for case b is B second, for case c is C second, for case d is D second, for case e is 100 second, and the probability of all cases that we get are the same. The average of execution time is `T= (A+B+C+D+100)/5`. So, the whole execution time of this program is approximately `1440*(T+60)` seconds.
* Are there any new network-based indicators for this malware?
Ans: No.
* What is the purpose of this malware?
Ans: First, check the internet connection like above and continue to execute if successful, return zero otherwise. Then get the info from the URL which is set up by default in this program and close the internet handle when it is finished. Finally, do something according to what you get from the page such as creating a directory the in specified path, copying a file, deleting a file or opening the specified registry key, and repeatedly 1440 times until the end.
## Task 5
### Please analyze `Easy_CrackMe.exe.` (Use IDA PRO)
After you run the `exe` file, you will see an input box like
Please Find the correct Password and you will get the correct response.
* Ans: The correct password is “Ea5yR3versing”.
## Task 6
### Please analyze `Easy_Keygen.exe.` (Use IDA PRO)
You need to run the `exe` file in `cmd` like
In this case, you need to enter the Input Name and Input Serial. If Name and Serial are matched, you will get correct response. Please find the Input Name when the Input Serial is 5B134977135E7D13.
* Ans: `K3yg3nm3`
* Write Up:
* 
First, you can check the declaration of `v6` to `v8` and `v12` to `v14` that they connected respectively.
* By the way, v9 is the variable stored what you input
* The main concept of this PE file is in this for loop. To get the address of v9 and plus v3, then get actual value by * operator. That means every time will compute just one character and one by one until every character you enter has been computed.
* Operator ^ means bitwise of XOR in C and the operand is *(&v6 + i). When you get the reverse of this operation, you’ll get 16 char with hex value(4B337967336E6D33). Put these value to Hex2ASCII online converter, you can get the password answer.
Google Drive
Gist
Clipboard
Sign in with Wallet
