Flare-On 7 2020 Challenge #2: garbage

  • x64dbg
  • HxD
  • pestudio
  • upx-3.96-win64
  • IDA
  • Python
The section names show that the file is UPX-packed.

Loading the file

Static analysis of the unpacked file

The Data

KglPFOsQDxBPXmclOpmsdLDEPMRWbMDzwhDGOyqAkVMRvnBeIkpZIhFznwVylfjrkqprBPAdPuaiVoVugQAlyOQQtxBNsTdPZgDH
nPTnaGLkIqdcQwvieFQKGcTGOTbfMjDNmvibfBDdFBhoPaBbtfQuuGWYomtqTFqvBSKdUMmciqKSGZaosWCSoZlcIlyQpOwkcAgw
[ebp+var_58], 2C332323h
[ebp+var_54], 49643F0Eh
[ebp+var_50], 40A1E0Ah
[ebp+var_4C], 1A021623h
[ebp+var_48], 24086644h
[ebp+var_44], 2C741132h
[ebp+var_40], 0F422D2Ah
[ebp+var_3C], 0D64503Eh
[ebp+var_38], 171B045Dh
[ebp+var_34], 5033616h
[ebp+var_30], 8092034h
[ebp+var_2C], 0E242163h
[ebp+var_28], 58341415h
[ebp+var_24], 3A79291Ah
[ebp+var_20], 58560000h
[ebp+var_1C], 54h
[ebp+var_18], 3B020E38h
[ebp+var_14], 341B3B19h
[ebp+var_10], 3E230C1Bh
[ebp+var_C], 42110833h
[ebp+var_8], 731E1239h
Cleaner version (the same DWORDs, zero-padded to 8 hex digits; x86 stores each one little-endian, so in memory the bytes appear reversed, e.g. 2C332323h is 23 23 33 2C):
2C 33 23 23
49 64 3F 0E
04 0A 1E 0A
1A 02 16 23
24 08 66 44
2C 74 11 32
0F 42 2D 2A
0D 64 50 3E
17 1B 04 5D
05 03 36 16
08 09 20 34
0E 24 21 63
58 34 14 15
3A 79 29 1A
58 56 00 00
00 00 00 54
3B 02 0E 38
34 1B 3B 19
3E 23 0C 1B
42 11 08 33
73 1E 12 39

Analyzing the Decryption Function (sub_401000)

Creating the function in Python

Call site, with the arguments as IDA names them (lpFileName receives the decoded result):
//        (result    ,    key, length, encoded_string, ecx)
sub_401000(lpFileName, var_18, 0x14, eax, ecx)

def sub_401000(key, length, encoded_string):
    # the key buffer is indexed modulo 102, as in the original routine
    modulo = 102
    result = ''
    for v5 in range(length):
        # byte-wise XOR of the encoded string with the key
        r = ord(key[v5 % modulo]) ^ ord(encoded_string[v5])
        result += chr(r)
    print(result)
    return result

Decoding the encoded string for the CreateFile

3B 02 0E 38 34 1B 3B 19 3E 23 0C 1B 42 11 08 33 73 1E 12 39

encoded_string1 = 'KglPFOsQDxBPXmclOpmsdLDEPMRWbMDzwhDGOyqAkVMRvnBeIkpZIhFznwVylfjrkqprBPAdPuaiVoVugQAlyOQQtxBNsTdPZgDH'
key1 = '\x38\x0E\x02\x3B\x19\x3B\x1B\x34\x1B\x0C\x23\x3E\x33\x08\x11\x42\x39\x12\x1E\x73'
>>> sub_401000(key1, 0x14, encoded_string1)
sink_the_tanker.vbs

Decoding the encoded string for the WriteFile

encoded_string2 = 'nPTnaGLkIqdcQwvieFQKGcTGOTbfMjDNmvibfBDdFBhoPaBbtfQuuGWYomtqTFqvBSKdUMmciqKSGZaosWCSoZlcIlyQpOwkcAgw'
key2= '\x23\x23\x33\x2C\x0E\x3F\x64\x49\x0A\x1E\x0A\x04\x23\x16\x02\x1A\x44\x66\x08\x24\x32\x11\x74\x2C\x2A\x2D\x42\x0F\x3E\x50\x64\x0D\x5D\x04\x1B\x17\x16\x36\x03\x05\x34\x20\x09\x08\x63\x21\x24\x0E\x15\x14\x34\x58\x1A\x29\x79\x3A\x00\x00\x56\x58\x54\x00\x00\x00\x38\x0E\x02\x3B\x19\x3B\x1B\x34\x1B\x0C\x23\x3E\x33\x08\x11\x42\x39\x12\x1E\x73\x81\x2C\x11\x35\xF0\xFC\xB5\x00\x94\x84\x80\x77\x00\xE0\x9B\x00\x70\x84\x80\x77\x5D\xD0\xA4\x35\x38\xFD\xB5\x00'
>>> sub_401000(key2, 0x3d, encoded_string2)
MsgBox("Congrats! Your key is: C0rruptGarbag3@flare-on.com")
flag: C0rruptGarbag3@flare-on.com
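As an added example (not the writeup's own script), the whole recovery in one runnable Python file: it packs the 21 stack DWORDs IDA shows into a little-endian byte buffer, which yields both keys without hand-reversing each value, runs the XOR routine over both encoded strings with the lengths from the two call sites, and pulls the flag out of the decoded VBScript text. The DWORD values, encoded strings, lengths and the modulo-102 key index all come from the writeup; the buffer offsets are derived from the var_ names (var_58 is offset 0, var_18 is 0x40).

```python
from __future__ import annotations

import re
import struct

# The 21 DWORDs IDA shows being stored at [ebp+var_58] .. [ebp+var_8],
# listed in ascending address order (values taken from the writeup).
STACK_DWORDS = [
    0x2C332323, 0x49643F0E, 0x040A1E0A, 0x1A021623, 0x24086644,
    0x2C741132, 0x0F422D2A, 0x0D64503E, 0x171B045D, 0x05033616,
    0x08092034, 0x0E242163, 0x58341415, 0x3A79291A, 0x58560000,
    0x00000054, 0x3B020E38, 0x341B3B19, 0x3E230C1B, 0x42110833,
    0x731E1239,
]

# x86 is little-endian: "mov [ebp+var_58], 2C332323h" puts bytes 23 23 33 2C
# in memory, so packing with '<I' reproduces the key exactly as the routine
# reads it. The result is one contiguous 84-byte stack buffer.
STACK = struct.pack("<21I", *STACK_DWORDS)

# Offsets derived from the var_ names: var_58 is offset 0, and var_18 sits
# 0x58 - 0x18 = 0x40 bytes further up the stack.
KEY_CREATEFILE = STACK[0x40:0x40 + 0x14]   # 20 bytes, var_18 .. var_8
KEY_WRITEFILE = STACK[:0x3D]               # 61 bytes starting at var_58

# The two encoded strings the writeup extracted from the unpacked binary.
ENCODED_CREATEFILE = b"KglPFOsQDxBPXmclOpmsdLDEPMRWbMDzwhDGOyqAkVMRvnBeIkpZIhFznwVylfjrkqprBPAdPuaiVoVugQAlyOQQtxBNsTdPZgDH"
ENCODED_WRITEFILE = b"nPTnaGLkIqdcQwvieFQKGcTGOTbfMjDNmvibfBDdFBhoPaBbtfQuuGWYomtqTFqvBSKdUMmciqKSGZaosWCSoZlcIlyQpOwkcAgw"


def sub_401000(key: bytes, length: int, encoded: bytes) -> bytes:
    """Byte-wise XOR of the first `length` bytes of `encoded` with the key,
    the key index wrapping at 102 as in the original routine."""
    return bytes(encoded[i] ^ key[i % 102] for i in range(length))


def decrypt_strings() -> tuple[str, str]:
    """Recover both plaintexts; the last byte of each is a NUL terminator."""
    filename = sub_401000(KEY_CREATEFILE, 0x14, ENCODED_CREATEFILE)
    script = sub_401000(KEY_WRITEFILE, 0x3D, ENCODED_WRITEFILE)
    return (filename.rstrip(b"\x00").decode("ascii"),
            script.rstrip(b"\x00").decode("ascii"))


def extract_flag(script: str) -> str | None:
    """Pull the Flare-On flag out of the dropped VBScript's MsgBox text."""
    m = re.search(r"[A-Za-z0-9]+@flare-on\.com", script)
    return m.group(0) if m else None


if __name__ == "__main__":
    name, body = decrypt_strings()
    print(f"CreateFile -> {name}")
    print(f"WriteFile  -> {body}")
    print(f"flag: {extract_flag(body)}")
```

Only the first 0x3D bytes of the buffer are ever read for the second string, which is why the stack garbage that trails the writeup's hand-typed key2 (the \x81\x2C... bytes) has no effect on the result; slicing the packed buffer to the call-site length avoids carrying it along at all.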

Eviatar Gerzi

Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (docker and Kubernetes)