The file was built against .NET 2.0 (based on the mscorlib import). That will be important later when choosing the tool to analyze the file in; I use dotPeek for this.
Execute the file to check what happens:
Also, it requires .NET 2.0 or 3.0 to be installed if your computer doesn't have it.
Continue in dotPeek to understand what this challenge file is doing:
After looking around, start from the main() function and move to this:
Look at the decode button being drawn on the screen with button.Text = "DECODE"; and the handler attached to that button with button.Click += new EventHandler(this.btnDecode_Click); My suggestion in this case is to look at the method btnDecode_Click, which shows:
The data comes from byte[] datSecret = Resources.dat_secret; so we need to find this data and apply the same XOR math to recover the message the decode produces.
dat_secret is imported from this file, so save it out of the assembly:
Now do the basic math step by step. The flow here is Decode -> Encode -> print to the screen, so we take the first math step (the decode) to recover the data we need:
Solution 2: fastest way (using Process Hacker)
Run the challenge file, click the DECODE button, then open Process Hacker:
Open Properties
Then open Strings -> Search -> click OK
Now we can filter the strings: search for the keyword flare to look for it:
And I got the flag:
Q2. Challenge 2 - flare-on.png key?
This challenge contains a PNG file and an HTML file.
So let's take a look at the HTML.
It's just a description and contains nothing useful.
Now move on to the .png file.
When I open it with HxD, I see some PHP in here; let's take it out to see it more clearly:
Fix the code so it can be executed (eval -> print):
Got another piece of code from this:
Edit it and got this when executing the new code:
Let's follow the result.
Got this:
Let's decode this message. I will use Python for this step, and I get a nice-looking text message.
Continue by replacing DOT, DASH, ... in the message to make it clearer:
Finally I got the correct one.
Q3. Challenge 3 - such_evil.exe key?
Take a look at this file type:
It looks like a Windows executable, so rename it to .exe and analyze it as one.
Open this file in IDA to see what it has:
It calls sub_401000, which looks interesting: 0x401000 is the beginning of the code section, and commonly that is the function written by the user.
So let's move to it:
The code looks very long.
Skip past this and look at the end:
That shows the binary calling the location of the first byte moved onto the stack, so we need to handle the shellcode at this point. Set a breakpoint at call eax, before it calls the shellcode (we need to run the program to catch it).
I will debug this with x32dbg:
Set a breakpoint at 0040249B and step into eax.
Set a breakpoint and step through this loop:
Also saw the first string used as the decryption key in the XOR math: nopasaurus
Continue stepping through this loop by setting a breakpoint after it:
This XOR looks the same, so we can skip the math and move to the call instruction to retrieve the flag.
Got this message:
Almost there.
Skip the last loop.
Follow EBX in the hex dump:
The second way: (using Process Hacker)
Again, do the same as in Challenge 1: execute the file, then open Process Hacker and search for strings:
Got the flag the easy way.
Q4. Challenge 4 - APT9001.pdf key?
I have dealt with malicious PDF analysis before (my previous article), so let's move on to REMnux for the best tools for malicious PDF analysis.
peepdf -> dumps information about the PDF file, also in JSON format.
Next, use extract js to extract the JavaScript code contained in the file:
Of all the code above, just look at unescape("%u72f9%u..... because this looks like the shellcode; move on to converting it so it can be executed.
Deobfuscating might help view the code more easily:
The shellcode that needs converting is in string_3.
Set a variable to test this first: try converting it to hex, then watch it execute, and then we can move on to dynamic analysis.
See some message here:
There is a tool called shellcode2exe that turns this code into an executable file.
Save the code to another file.
And run shellcode2exe on it:
After this I open it in IDA to view the code in assembly and learn how it works:
XOR math again: each pushed value is XORed with the previous one, so it is easy now. (We can stay static by XORing each value outside the binary and decoding from hex to get the flag.)
The target is x86, so we need to swap the endianness (little-endian).
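The static route mentioned above, as an added example that is not the writeup's code: chain the XOR over the pushed immediates, then unpack each dword little-endian. The push values below are constructed, not the challenge's; a seed of 0 for the first value and input in memory order are assumptions.

```python
import struct

# Constructed sample, not the challenge's real immediates: it encodes the text
# "demotext" as two little-endian dwords, each pushed value XORed with the
# previously pushed value (seed 0 for the first), as the writeup describes.
SAMPLE_PUSHES = [0x6F6D6564, 0x1B150010]

def decode_push_chain(pushes, seed=0):
    """Undo the chained XOR and unpack each dword as little-endian bytes.

    `pushes` is in memory order (lowest address first); the recovered dword
    is push_i ^ push_{i-1}, with push_{-1} = seed (assumed 0 here)."""
    out, prev = bytearray(), seed
    for value in pushes:
        plain = (value ^ prev) & 0xFFFFFFFF
        out += struct.pack("<I", plain)   # x86: low byte is the first character
        prev = value
    return bytes(out)

def encode_push_chain(data, seed=0):
    """Inverse of decode_push_chain: build the immediates the shellcode would
    push for `data` (padded with NULs to a dword boundary)."""
    data += b"\0" * (-len(data) % 4)
    pushes, prev = [], seed
    for (plain,) in struct.iter_unpack("<I", data):
        prev = plain ^ prev
        pushes.append(prev)
    return pushes

def memory_order(pushes_in_execution_order):
    """Each push lowers ESP, so the last value pushed sits at the lowest
    address: reverse the disassembly order before decoding a stack string."""
    return list(reversed(pushes_in_execution_order))

def decode_text(pushes, seed=0):
    """Chained-XOR decode, then drop NUL padding and render as ASCII."""
    return decode_push_chain(pushes, seed).rstrip(b"\0").decode("ascii", "replace")

if __name__ == "__main__":
    print(decode_text(SAMPLE_PUSHES))
```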
Q5. Challenge 5 - 5get_it.exe key?
It's a PE32 executable for Windows again.
View it in PEStudio:
We can start researching from here, then move to the IDA decompiler.
Start at DllMain():
It looks like the file copies itself to C:\Windows\System32\svchost.dll
and creates a registry entry.
Moving around, I went to the function sub_10009EB0 and found a very large loop.
Press Space to view it as text; this makes it easier to look up. Here I found the API GetAsyncKeyState, which sounds like keylogger behaviour (or press F5 to view the pseudocode).
I will move to FLARE VM to analyze it.
Start from sub_1001240(), which prints the Flare message and catches the key m.
Have a look at dword_100194FC.
Flare message
Use X (cross references) to show where dword_100194FC is set:
It is set to 0 in _cfltcvt_init() (note this function for later) and in sub_10009AF0, and to 1 in sub_10009B60.
Let's have a look at _cfltcvt_init().
This looks like the flow of a word, so let's find where each of these is set.
Continue: dword_100194FC is set by the o key:
Okay, let's move on and check the others until we know how every dword in _cfltcvt_init() is set:
Right above it is dword_100194F8:
It is set to 1 by c in sub_1009850.
Next is dword_100194EC.
It is set to 1 by d in sub_10009880.
To go faster, we can go to _cfltcvt_init and check the cross references of each dword.
After finding the key that sets each one, I noted them down and saw this message:
Translate it and get the flag (note that the letter m needs to be added at the end):
void _cfltcvt_init()
{
    dword_10017000 = 1;
    dword_10019460 = 0; // set by 'l'
    dword_10019464 = 0; // set by '0'
    dword_10019468 = 0; // set by 'g'
    dword_1001946C = 0; // set by 'g'
    dword_10019470 = 0; // set by 'i'
    dword_10019474 = 0; // set by 'n'
    dword_10019478 = 0; // set by 'g'
    dword_1001947C = 0; // set by 'd'
    dword_10019480 = 0; // set by 'o'
    dword_10019484 = 0; // set by 't'
    dword_10019488 = 0; // set by 'u'
    dword_1001948C = 0; // set by 'r'
    dword_10019490 = 0; // set by 'd'
    dword_10019494 = 0; // set by 'o'
    dword_10019498 = 0; // set by 't'
    dword_1001949C = 0; // set by '5'
    dword_100194A0 = 0; // set by 't'
    dword_100194A4 = 0; // set by 'r'
    dword_100194A8 = 0; // set by '0'
    dword_100194AC = 0; // set by 'k'
    dword_100194B0 = 0; // set by 'e'
    dword_100194B4 = 0; // set by '5'
    dword_100194B8 = 0; // set by 'a'
    dword_100194BC = 0; // set by 't'
    dword_100194C0 = 0; // set by 'f'
    dword_100194C4 = 0; // set by 'l'
    dword_100194C8 = 0; // set by 'a'
    dword_100194CC = 0; // set by 'r'
    dword_100194D0 = 0; // set by 'e'
    dword_100194D4 = 0; // set by 'd'
    dword_100194D8 = 0; // set by 'a'
    dword_100194DC = 0; // set by 's'
    dword_100194E0 = 0; // set by 'h'
    dword_100194E4 = 0; // set by 'o'
    dword_100194E8 = 0; // set by 'n'
    dword_100194EC = 0; // set by 'd'
    dword_100194F0 = 0; // set by 'o'
    dword_100194F4 = 0; // set by 't'
    dword_100194F8 = 0; // set by 'c'
    dword_100194FC = 0; // set by 'o'
    dword_10019500 = 0;
}
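An added example, not the writeup's own code, covering the two places the writeup does this by hand: the DOT/DASH replacement of challenge 2 and the key order of this challenge. It reads the key letters out of the "// set by" comments, spells the symbols out, and models the chained-flag check; that chain model is an assumption about the binary, and the listing excerpt and the spelled-out message are constructed inputs. KEY_ORDER is the letters from the listing above plus the trailing m.

```python
import re

# Key letters recovered from the '// set by' comments in the _cfltcvt_init()
# listing above, in address order, plus the final 'm' caught in sub_1001240.
KEY_ORDER = "l0ggingdoturdot5tr0ke5atflaredashondotco" + "m"

# Constructed inputs (not the challenge files): a few lines in the shape of the
# listing above, and a challenge-2-style message with spelled-out symbols.
LISTING_EXCERPT = """\
dword_10019460 = 0; // set by 'l'
dword_10019464 = 0; // set by '0'
dword_10019468 = 0; // set by 'g'
dword_10019500 = 0;
"""
SPELLED_MESSAGE = "ex DOT ample AT flare DASH on DOT com"

SEPARATORS = {"dash": "-", "dot": ".", "at": "@"}

def keys_from_listing(listing):
    """Pull the key letter out of every '// set by' comment, in listing order."""
    return "".join(re.findall(r"//\s*set by\s*'(.)'", listing))

def spell_flag(text):
    """Replace spelled-out DOT / DASH / AT (any case, with or without spaces)
    by the symbols, giving the e-mail form the flags use."""
    return re.sub(r"\s*(dash|dot|at)\s*",
                  lambda m: SEPARATORS[m.group(1).lower()], text,
                  flags=re.IGNORECASE)

def chain_accepts(expected, typed):
    """Assumed model of the keylogger's chained flags (the binary's exact check
    is not in the listing): dword i flips to 1 only once dword i-1 is already 1,
    so the flag completes only if the keys arrive in the expected order;
    unrelated keystrokes are ignored rather than resetting the chain."""
    flags = [0] * len(expected)
    for ch in typed:
        for i, want in enumerate(expected):
            if ch == want and not flags[i] and (i == 0 or flags[i - 1]):
                flags[i] = 1
                break
    return all(flags)

if __name__ == "__main__":
    print(keys_from_listing(LISTING_EXCERPT))
    print(spell_flag(KEY_ORDER))
    print(chain_accepts(KEY_ORDER, KEY_ORDER), chain_accepts(KEY_ORDER, KEY_ORDER[::-1]))
```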