RTLxHA 21 CTF DININED Malware Analysis Official write up

Given a binary coded in c, let’s file it, disassemble, decompile, and run it 

Alright it’s not stripped which means we can proceed to disassembling and decompilation 

There are few things we need to notes, it execute a command in curl with specified user agent, has antidebug, and it pipe the result of curl to a bash. Let’s execute it

Alright it’s a ransomware. There are a few of couple things we need to do. Identify or find what’s inside that heroku app. 

It concat 2 strings and hex value.  

So in theory, the user agent is 0xdc9? Let’s try it out

bingo, we got the other file location. Let’s download it and analyse it

It’s stripped, but no “ELF” on the first 10 lines. Is it coded in C, C++ ??

answer: it’s python 

Alright so it’s compiled. So how can we reverse this binary? 

Using this reference: https://ctftime.org/writeup/27933

so, you need to use a tool called pyi-archive_viewer where then you need to extract the byter and modified some it parts to be able to decompile it using uncompyle6

alright, now that we got the byte code extracted, before modifying it to the pyc, modify it to match the firist line with you own magic number because when pyinstaller compiles a code, it put a magic number in the compiled code (reference: https://www.programmersought.com/article/82194419446/ ) 

Then add the magic number + ‘\x00’*12 + main_malware.bin. lastly, uncomplye6 it  

Let’s take a look at the code below

So the main function use getdir path to get current directory where then it will return fixed path of the path value and path name. Lastly the original is deleted and leaving the encrypted original path behind. And when all processes is done, it fetch a warning text for us. Let’s figure how this custom encryption works.

It’s a xor encryption with hexed keys and hexed plaintext. let’s get the key 

Alright the key is apparently ’15’, so how can we recreate this? The output of the cipher is not a string. so, we would need to turn 

b = int(lock(str(b).encode(‘utf-8’))) ^ a`

Into

b = int(unlock(str(int(b) ^ a).encode(‘utf-8′)))

And when it’s done, unhexlifying it should give us the plain text

But the question is, where is the flag? 

Alright let’s use python console for the win

and we got the flag: rtl{r4nsom3_15_m4licious}

Leave a Reply

Your email address will not be published. Required fields are marked *