The-FLARE-On-Challenge-2015/Challenge-8

From aldeid
Jump to navigation Jump to search
You are here
Challenge 8

File

Uncompress FE9D3BA1789DC6371105042D80291205.zip (password is "flare") and you will get a file named gdssagh with following properties:

MD5 dbeb2a78592b520c5f46aecab454e3c7
SHA1 d87383f84fae4ed0543115d1d52a42929bbd6151
SHA256 fdf031e61bbb0413312731f1401a4b0c752f4172711ce32455fc8910c9b31cf2
File type PE32 executable (console) Intel 80386, for MS Windows

Analysis

Strings

I usually start with a basic static analysis. The strings command immediately catched my attention. There are strings that seem to be part of a huge base64 block (see ending characters ==):

$ strings gdssagh
!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
iVBORw0KGgoAAAANSUhEUgAAAlgAAAHgCAIAAAD2dYQOAAEAAElEQVR4nIT9b5Ak13UfCp57
8ubNW7eysrOrq6trenp6GoPBcDAcjkCQhGCIhGmQomg/WfbKtGQ7HLbCsbGxX97au/Ei/OHt
ft5dvxfvbXgdu7L3xYsNr0PPT6a1WlpS6FESDfFBFAiCIDgYDgaNRqPR6Ompqa6uzs7Kunnz
5smT+6F6QNnWxubExHTU1J+u/HN+f87v3BT/h3/275xbWJdrHQwHcYu1tWfM1O+vMGM2W0Sy
U3kochqkAyn1xB3FsZGSAShJVBqbQEIAKKX03jMAAzGQ1hK19M6Wc5HnOTBrrR05u5h3E725
[REMOVED]
Zch9p0TCaVlVVdQiYvG+rYmaRu/dXYKz2ayW4K7HWlmVFGNWBBrjKDknqDQR4rwsq/eXb29g
CiE8x3xrjYjJ6kNED0d0UhZARVoyBgQR4RFwh6abqhsyYOuCBB5UDWOsFESS8IIqppoOfnbT
ljYkuyMi9ZorXEZEIMCmCk0L0lqz1rJi7fAI5izeqT3ICYucOqxWkrd9qBlvdej3Pda+Rpiv
cjmTbpGMJdXIIyISAql5IDv7wJ1I9/7zcTH7/JU/fMcR6nsTQyt/2E322P/i/xepIVI4nOLY
RQAAAABJRU5ErkJggg==j
ExitProcess
kernel32.dll
printf
msvcrt.dll
the one who seeks finds...

Decode the base64 block

Let's export these strings to a file:

$ strings gdssagh > strings

And remove the content that is not part of the base64 block:

!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
iVBORw0KGgoAAAANSUhEUgAAAlgAAAHgCAIAAAD2dYQOAAEAAElEQVR4nIT9b5Ak13UfCp57
[REMOVED]
RQAAAABJRU5ErkJggg==j
ExitProcess
kernel32.dll
printf
msvcrt.dll
the one who seeks finds...

Now, let's try to decode the base64 block:

$ cat strings | tr -d "\n" | base64 -d > file
$ file file
file: PNG image data, 600 x 480, 8-bit/color RGB, non-interlaced

It's an image that looks like this:

Flare-on-challenge-2015-L8-image.png

After spending some time on the image, trying to zoom in on different parts of the image to discover something hidden, trying to find a hidden content on the image with an Hex editor, and performing searches on Google, I finally made this assumption that we could have to do with steganography.

Steganography

Identification

zsteg is a great tool to deal with steganography.

Identify pattern (the one with "PE32" looks interesting):

$ zsteg file.png 
imagedata           .. text: "\r\t(%%*,&"
b1,r,msb,xy         .. file: Applesoft BASIC program data, first line number 64
b1,rgb,msb,xy       .. file: PE32 executable (Unknown subsystem 0x1814) Intel 80386, for MS Windows
b1,bgr,lsb,xy       .. file: GLS_BINARY_LSB_FIRST
b2,rgb,msb,xy       .. text: "UDDADPAE"
b2,bgr,msb,xy       .. text: "|[email protected]"
b4,r,msb,xy         .. text: "[email protected]&we-b e"
b4,g,msb,xy         .. text: "%`$Q\"[email protected]"
b4,b,msb,xy         .. text: "C$qFqgf#0wpq"
b4,rgb,msb,xy       .. text: "BcrpAPpv#"
b4,bgr,msb,xy       .. text: "@[email protected] s"

Data extraction

Extract data:

$ zsteg -E "b1,rgb,msb,xy" file.png > extracted.exe

Solution

$ strings extracted.exe | head
!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
ExitProcess
kernel32.dll
printf
msvcrt.dll
[email protected]

Comments

blog comments powered by Disqus

Keywords: reverse-engineering challenge flare fireeye