The malware was recovered from the pcap in Phase 1.

Task: Get the malware's config.

A quick analysis of the code shows that the libinit function calls another function to decrypt the config. This function is FUN_00101bbf, and for each config entry it calls FUN_00101a19, which actually decrypts one entry in .data. FUN_00101a19 takes two arguments: the pointer to the key, located at 0x0106398, and the config entry at 0x01061a0 + i * 0x32. Each config entry starts with a status byte: \x04 while it is still encrypted, changed to \x08 once decrypted so that the entry is not decrypted twice. The key pointer points into .rodata at 0x0104010, and the key is 32 bytes long. The data to decrypt is located at 0x01061a1 + i * 0x32 for i from 0 to 9 and is 0x31 bytes long.

Here's a simple Python script to decrypt this config:


from Crypto.Cipher import ARC4
from pwn import *

def rc4_decrypt(key, ct):
    n = 0x31                                  # payload length of one config entry
    cipher = ARC4.new(key)
    ks = list(cipher.decrypt(b"\x00" * n))    # first 0x31 keystream bytes drive the byte swaps
    ct = list(ct[1:])                         # skip the status byte (\x04 / \x08)
    i = n - 1
    while i >= 0:                             # undo the swaps in reverse order
        x = (i + ks[i]) % n
        ct[i], ct[x] = ct[x], ct[i]
        i -= 1
    # the same ARC4 object keeps its keystream state, so this XORs with the next 0x31 bytes
    return cipher.decrypt(bytes(ct)).decode().rstrip('\x00')

file = "malware"

elf = ELF(file)
ro = elf.get_section_by_name(".rodata").data()
data = elf.get_section_by_name(".data").data()

key = ro[0x10:0x30]                           # 32-byte key at .rodata+0x10 (0x0104010)
for i in range(10):
    offset = 0x20 + i * 0x32                  # entries at .data+0x20 (0x01061a0), 0x32 bytes each
    ct = data[offset:offset + 0x32]
    pt = rc4_decrypt(key, ct)
    print(pt)

Running it prints the decrypted config:

stky 7a9d6fad3798a7867a9d6fad3798a786
cont bhuwehobiwsnbqpxnws.damctf.xyz
jgie google.com
slti 300
xvee facebook.com
flag dam{1m4g1n3_m4k1ng_w1nd0ws_m4lw4re_lma0}
ehbn amazon.com
bnwe microsoft.com
stiv f83646fad02d42e6
port 3613
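As an added example (not the writeup's script), here is a dependency-free Python version of the same scheme that works on a raw .data image and honours the status byte the way the binary does: entries already flipped to 0x08 are read as-is, and any other marker is rejected. The key, the entry text and the padding offset are constructed for the example, not taken from the sample; transform_payload with decrypt=False is the inverse, used only to build the test data.

```python
ENTRY_LEN, PAYLOAD_LEN = 0x32, 0x31      # one entry: 1 status byte + 0x31 payload bytes
ENCRYPTED, DECRYPTED = 0x04, 0x08        # status byte values the writeup describes

def rc4_stream(key):
    s, j = list(range(256)), 0
    for i in range(256):                 # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def transform_payload(key, payload, decrypt=True):
    """decrypt=True undoes the scheme (swaps in reverse order, then RC4 XOR);
    decrypt=False applies it (RC4 XOR, then forward swaps) to build test data."""
    ks = rc4_stream(key)
    perm = [next(ks) for _ in range(PAYLOAD_LEN)]   # first 0x31 keystream bytes drive the swaps
    buf = list(payload) if decrypt else [b ^ next(ks) for b in payload]
    for i in (range(PAYLOAD_LEN - 1, -1, -1) if decrypt else range(PAYLOAD_LEN)):
        x = (i + perm[i]) % PAYLOAD_LEN
        buf[i], buf[x] = buf[x], buf[i]
    return bytes(b ^ next(ks) for b in buf) if decrypt else bytes(buf)

def extract_config(key, data, base, count):
    """Parse `count` entries at `base` into {name: value}, honouring the status byte."""
    out = {}
    for i in range(count):
        entry = data[base + i * ENTRY_LEN:][:ENTRY_LEN]
        if entry[0] not in (ENCRYPTED, DECRYPTED):
            raise ValueError(f"entry {i}: unexpected status byte {entry[0]:#04x}")
        text = entry[1:] if entry[0] == DECRYPTED else transform_payload(key, entry[1:])
        name, _, value = text.rstrip(b"\x00").decode().partition(" ")
        out[name] = value
    return out

SAMPLE_KEY = bytes(range(0x20))          # constructed 32-byte key, not the sample's
SAMPLE_ENTRIES = [b"cont c2.example.invalid", b"port 8443", b"slti 300"]

def build_sample_data():                 # constructed .data image: 0x20 bytes of padding, then entries
    blob = b"\x00" * 0x20
    for n, e in enumerate(SAMPLE_ENTRIES):
        e = e.ljust(PAYLOAD_LEN, b"\x00")
        if n == 1:                       # left decrypted, as the binary marks it after use
            blob += bytes([DECRYPTED]) + e
        else:
            blob += bytes([ENCRYPTED]) + transform_payload(SAMPLE_KEY, e, decrypt=False)
    return blob
```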