Flare-On 7 2020 Challenge #6: codeit

  1. Download 32-bit AutoIt and unpack it
  2. Copy autoit-v3.2.8.1.zip\Aut2Exe\AutoItSC.bin to the folder where the 64-bit compiled AutoIt binary resides
  3. Install Strawberry Perl for Windows and save the Hexacorn Perl script below. It locates the compiled script body inside the 64-bit binary and prepends the 32-bit AutoItSC.bin stub to it, writing <file>.a32.exe, a 32-bit build of the same script:
use strict;
use warnings;

# Usage: perl aut2exe32.pl <64-bit compiled AutoIt exe>
# Expects the 32-bit stub AutoItSC.bin (from Aut2Exe) in the current directory.
my $f = shift || die("Gimme a file name!");
print STDERR "Processing '$f':\n";

# Read the whole 32-bit AutoIt stub.
print STDERR "- Reading 'AutoItSC.bin'\n";
open F, "<AutoItSC.bin" or die "Cannot open AutoItSC.bin: $!";
binmode F;
read F, my $a, -s 'AutoItSC.bin';
close F;

# Read the whole 64-bit compiled AutoIt binary.
print STDERR "- Reading '$f'\n";
open F, "<$f" or die "Cannot open $f: $!";
binmode F;
read F, my $d, -s $f;
close F;

# The compiled script body starts with the 16-byte AutoIt3 script signature.
print STDERR "- Looking for the script\n";
if ($d =~ /\xA3\x48\x4B\xBE\x98\x6C\x4A\xA9\x99\x4C\x53\x0A\x86\xD6\x48\x7D/sg)
{
    # pos() points just past the match, so back up 16 bytes to the signature start.
    my $pd = (pos $d) - 16;
    print STDERR "- Script found @ " . sprintf("%08lX", $pd) . "\n";
    # Emit the 32-bit stub followed by everything from the signature to end of file.
    print STDERR "- Creating 32-bit version '$f.a32.exe'\n";
    open F, ">$f.a32.exe" or die "Cannot create $f.a32.exe: $!";
    binmode F;
    print F $a . substr($d, $pd, length($d) - $pd);
    close F;
}
else
{
    print STDERR "- Script not found !\n";
}
Resulting script: extract_resource.a3x.a32_.au3

De-obfuscating the script

Analyzing

Understanding the modifyComputerNameStruct function

0xFF: 1111 1111
0xFE: 1111 1110
import os

bmpFile = r'C:\tmp\flare2020\6\sprite.bmp'
bmpSize = os.path.getsize(bmpFile)

with open(bmpFile, 'rb') as f:
    bmpContent = f.read()

count = 0

# The computer-name buffer the function fills: 20 slots, all zero to start.
computerArray = []

for i in range(0, 20):
    computerArray.append(0x00)

newComputerName = ''
newComputerNameArray = []
# Skip the 54-byte BMP header (14-byte file header + 40-byte BITMAPINFOHEADER)
# so that bmpContent starts at the pixel data.
bmpContent = bmpContent[54:]

numStr = ''
for i in range(0, len(computerArray)):
    num = computerArray[i]

    # Each character is rebuilt from the least significant bit of seven
    # consecutive pixel bytes, most significant bit (bit 6) first.
    for j in range(6, 0, -1):
        num += (bmpContent[count] & 1) << j
        count += 1

    num += (bmpContent[count] & 1) << 0
    count += 1
    numStr += chr(num)              # unused slots stay 0x00 and print as nothing
    # The function then rotates each byte right by one bit (bit 0 moves to bit 7).
    result = (num >> 1) + ((num & 1) << 7)
    newComputerName += chr((num >> 1) + ((num & 1) << 7))
    newComputerNameArray.append((num >> 1) + ((num & 1) << 7))

print('Result: ', numStr)
>>> Result: aut01tfan1999
flag: L00ks_L1k3_Y0u_D1dnt_Run_Aut0_Tim3_0n_Th1s_0ne!@flare-on.com
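The LSB extraction above, as an added example that is not part of the original write-up: it turns the script's nested loops into a decoder function, pairs it with the matching encoder, and runs both on a constructed minimal BMP instead of the challenge's sprite.bmp, so it works offline. The pixel-data offset is read from the BMP header (bfOffBits, the little-endian uint32 at byte 10) rather than hard-coded; for the standard 40-byte BITMAPINFOHEADER it is the 54 the script assumes, but a BMP with a colour table or a V4/V5 header would put the pixel data elsewhere. ror8 is the script's (num >> 1) + ((num & 1) << 7) rotation. All function and constant names are my own.

```python
import struct

# Assumed layout (matches the script above): 20 name slots, 7 LSBs per slot,
# most significant bit first; unused slots decode to 0x00.
NAME_SLOTS = 20
BITS_PER_CHAR = 7


def make_cover_bmp(pixel_count: int) -> bytes:
    """Constructed minimal 24-bit BMP: 14-byte file header, 40-byte
    BITMAPINFOHEADER, then filler pixel bytes. Only bfOffBits (54) is
    needed by the extractor; the remaining fields are plausible filler."""
    width, height = max(pixel_count // 3, 1), 1
    pixels = bytes((i * 37 + 11) & 0xFF for i in range(pixel_count))
    file_header = struct.pack('<2sIHHI', b'BM', 54 + len(pixels), 0, 0, 54)
    info_header = struct.pack('<IiiHHIIiiII', 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels


def pixel_offset(bmp: bytes) -> int:
    """bfOffBits: little-endian uint32 at byte 10 of every BMP file."""
    return struct.unpack_from('<I', bmp, 10)[0]


def embed_name(bmp: bytes, name: str) -> bytes:
    """Hide a 7-bit ASCII name in the LSBs of the first NAME_SLOTS*7 pixel bytes."""
    if len(name) > NAME_SLOTS or any(ord(c) > 0x7F for c in name):
        raise ValueError("name must be at most 20 chars of 7-bit ASCII")
    out = bytearray(bmp)
    pos = pixel_offset(bmp)
    for slot in range(NAME_SLOTS):
        ch = ord(name[slot]) if slot < len(name) else 0
        for j in range(BITS_PER_CHAR - 1, -1, -1):   # bit 6 down to bit 0
            out[pos] = (out[pos] & 0xFE) | ((ch >> j) & 1)
            pos += 1
    return bytes(out)


def extract_name(bmp: bytes) -> str:
    """Inverse of embed_name; the same walk as the script's nested loops."""
    data = bmp[pixel_offset(bmp):]
    pos = 0
    decoded = bytearray()
    for _ in range(NAME_SLOTS):
        num = 0
        for j in range(BITS_PER_CHAR - 1, -1, -1):
            num |= (data[pos] & 1) << j
            pos += 1
        decoded.append(num)
    return decoded.rstrip(b'\x00').decode('ascii')


def ror8(b: int) -> int:
    """The script's (num >> 1) + ((num & 1) << 7): rotate an 8-bit value right by one."""
    return ((b >> 1) | ((b & 1) << 7)) & 0xFF


if __name__ == '__main__':
    # Constructed cover image with the challenge's name embedded for the demo.
    cover = make_cover_bmp(NAME_SLOTS * BITS_PER_CHAR)
    stego = embed_name(cover, 'aut01tfan1999')
    print('Result:', extract_name(stego))
    print('Rotated:', [hex(ror8(ord(c))) for c in extract_name(stego)])
```

Running extract_name against a real sprite.bmp only needs the file read in binary; the header check is what keeps the decoder honest when the image is not the plain 24-bit layout the challenge used.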

Eviatar Gerzi
Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (docker and Kubernetes)