The-FLARE-On-Challenge-2015/Challenge-9

From aldeid
Jump to navigation Jump to search
You are here
Challenge 9

File

Uncompress 4568CB1948CCD11DDB9B90359F7DC79A.zip (password is "flare") and you will get a file named you_are_very_good_at_this with following properties:

MD5 51105503d77689facbf2b8a8b4fd040b
SHA1 39cf8909062d191d26bee53658906104f8121528
SHA256 9a953f71ab89e7b6336d4efa7be7ee7a8ac466f012b459898320d211e7860b62
File type PE32 executable (console) Intel 80386, for MS Windows

Analysis

The program is actually prompting for a password interactively and immediately exits if the incorrect password is provided:

Flare-on-challenge-2015-l9-run-wrong-password.png

Opening the executable in IDA-Pro warns that the import segment is likely to be destroyed and then shows a huge block of obfuscated code.

Flare-on-challenge-2015-l9-exe-in-ida-pro.png

Let's rather take a simple assumption: what about if the password is checked letter by letter? We could imagine the following workflow:

Flare-on-challenge-2015-check-password-workflow.png

Pintool

Proof of Concept

If our assumption is correct, it's very likely that the workflow associated to a successful letter will be different than the one directly terminating the program. It would imply that the number of instructions would be different for these 2 workflows.

Let's use the incount0.cpp pintool to count the number of instructions and use this as a proof of concept to confirm our initial assumption. If it is correct, we will develop a brute forcer.

Here is the initial test to challenge the 1st letter of the password:

For letter a:

C:\pin>pin.exe -t inscount0.dll -- c:\_malware\you_are_very_good_at_this.exe
I have evolved since the first challenge. You have not. Bring it.
Enter the password> a.....
You are failure

C:\pin>more inscount.out
Count 32894

For letter b:

C:\pin>pin.exe -t inscount0.dll -- c:\_malware\you_are_very_good_at_this.exe
I have evolved since the first challenge. You have not. Bring it.
Enter the password> b.....
You are failure

C:\pin>more inscount.out
Count 32894

...and so on, till letter I:

C:\pin>pin.exe -t inscount0.dll -- c:\_malware\you_are_very_good_at_this.exe
I have evolved since the first challenge. You have not. Bring it.
Enter the password> I....
You are failure

C:\pin>more inscount.out
Count 32856

We see that the number of instructions when the 1st letter of the password is "I" is different than the one for the other letters. We conclude that our assumption is correct and can develop a bruteforcer based on this proof of concept.

Brute forcer

Below is the code for my brute forcer. It is partially automatized because it is only brute forcing a given position.

# PowerShell script
add-type -AssemblyName System.Windows.Forms

for($i=32; $i -le 126; $i++){

  # Bruteforce 1st letter
  $pass_guess = [char]$i + ".........."
  # Launch pin
  Start-Process -FilePath "c:\pin\pin.exe" -ArgumentList "-t inscount0.dll -- ch9.exe" -NoNewWindow

  # send user input
  start-sleep -Milliseconds 200
  [System.Windows.Forms.SendKeys]::SendWait("$pass_guess{ENTER}")

  # Read content of file
  start-sleep -Milliseconds 200
  write-output "---"
  Write-Output $pass_guess
  Get-Content .\inscount.out

}

Results and solution

Below is the output from my script for the 1st letter:

Flare-on-challenge-2015-l9-poc-running-1st-letter.png

We can guess that the 1st letter is I. Now, let's modify the code as follows:

add-type -AssemblyName System.Windows.Forms

for($i=32; $i -le 126; $i++){

  # "I" is the first known letter of password. Now bruteforcing 2nd letter
  $pass_guess = "I" + [char]$i + ".........."
  # Launch pin
  Start-Process -FilePath "c:\pin\pin.exe" -ArgumentList "-t inscount0.dll -- ch9.exe" -NoNewWindow

  # send user input
  start-sleep -Milliseconds 200
  [System.Windows.Forms.SendKeys]::SendWait("$pass_guess{ENTER}")

  # Read content of file
  start-sleep -Milliseconds 200
  write-output "---"
  Write-Output $pass_guess
  Get-Content .\inscount.out

}

Once we have the second letter (s), we change the $pass_guess as follows:

  $pass_guess = "Is" + [char]$i + ".........."

Once I arrived at [email protected], I took the assumption that the remaining characters would be "lare-on.com" and tested...

Flare-on-challenge-2015-l9-solution.png

The solution is:

[email protected]

Comments

blog comments powered by Disqus

Keywords: reverse-engineering challenge flare fireeye pin pintools inscount0