Tags: csharp maldropper easyctf 

Rating: 5.0

Original Writeup available at [https://ctfshellclub.github.io/2018/02/21/easyctf-maldrop/](https://ctfshellclub.github.io/2018/02/21/easyctf-maldrop/)

# EASYCTF - Maldrop

> Mind looking at this malware dropper I found?
> Note: this isn't actually malware, it just borrows obfuscation techniques from low quality malware.

Using PEiD we identified it as a .NET binary, so we can use Reflector (or any other .NET decompiler) to read the C# directly:
```csharp
// Decompiled entry point of maldrop.exe (Reflector output, reformatted and commented).
private static void Main(string[] args)
{
    Console.WriteLine("All the techniques implemented in this were found in malware samples I analyzed");
    // Read the running executable's own bytes back from disk.
    byte[] arr = File.ReadAllBytes(Assembly.GetEntryAssembly().Location);
    // The marker is assembled from two literals so "[SPLITERATOR]" never appears whole in the string table.
    string str2 = "[SPLIT";
    string str3 = "ERATOR]";
    byte[][] bufferArray = SplitByteArray(arr, Encoding.ASCII.GetBytes(str2 + str3));
    // Part 3 is handed to the next stage as a string[] of decimal byte values ("255", "31", ...).
    List<string> list = new List<string>();
    for (int i = 0; i < bufferArray[2].Length; i++)
    {
        list.Add(bufferArray[2][i].ToString());
    }
    object[] parameters = new object[] { list.ToArray() };
    // Part 2 is loaded reflectively from memory (never written to disk) and its Main is invoked with those args.
    Assembly.Load(bufferArray[1]).EntryPoint.Invoke(null, parameters);
}
```

The binary reads its own file from disk and splits it on the marker `[SPLITERATOR]` into three parts: the loader itself, a second .NET assembly that is loaded straight from memory with `Assembly.Load`, and a trailing blob whose bytes are passed to that assembly's entry point as decimal strings. The three parts can be carved out with the following script (the file is opened in binary mode so the PE bytes are not altered on the way through):
```python
# Binary-safe splitter: read the dropper as bytes and cut it on the marker.
with open("maldrop.exe", "rb") as f:
    alltxt = f.read()
data = alltxt.split(b"[SPLITERATOR]")
with open("mal0.exe", "wb") as f:   # loader (the code above)
    f.write(data[0])
with open("mal1.exe", "wb") as f:   # second-stage PE
    f.write(data[1])
with open("mal2.txt", "wb") as f:   # third part: the blob handed to stage 2 as args
    f.write(data[2])
```

This leaves us with:
* the loader itself, which does the splitting
* another PE, the second stage
* a blob of opaque data (it looks encrypted at this point)

Once again we run Reflector on the second PE to discover what it does.

```csharp
// Decompiled Main of the second PE (mal1.exe): it receives the third part as
// decimal strings, rebuilds the bytes and gunzips them into a third assembly.
private static void Main(string[] args)
{
    List<byte> list = new List<byte>();
    for (int i = 0; i < args.Length; i++)
    {
        list.Add(byte.Parse(args[i]));   // "255" -> 0xFF
    }
    MemoryStream stream = new MemoryStream(list.ToArray());
    GZipStream stream2 = new GZipStream(stream, CompressionMode.Decompress);
    byte[] buffer = new byte[0x100];
    List<byte> list2 = new List<byte>();
    int count = 0;
    do
    {
        count = stream2.Read(buffer, 0, 0x100);
        list2.AddRange(buffer.Take<byte>(count));
    }
    while (count > 0);
    // Stage 3 is never written to disk either: it is loaded straight from the decompressed bytes.
    Assembly.Load(list2.ToArray()).EntryPoint.Invoke(null, null);
}
```

So the third part is not encrypted at all, only gzipped: stage 2 parses each argument back into a byte, inflates the result with `GZipStream` and loads the decompressed bytes as a third .NET assembly, again straight from memory. Gunzipping `mal2.txt` ourselves yields that PE.
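As an added example (not part of the original writeup), here is a binary-safe unpacker that does the whole chain in one go: it splits the dropper on the marker, checks that the first two parts carry an MZ header, gunzips the third part exactly as stage 2 does with `GZipStream`, and writes the three files out. `unpack_maldrop`, `stage2_args` and the output file names are my own; the sample dropper built at the bottom is constructed from tiny MZ stubs so the script runs without the challenge binary.

```python
import gzip
import sys

MARKER = b"[SPLITERATOR]"   # the separator the loader builds from "[SPLIT" + "ERATOR]"


def unpack_maldrop(dropper: bytes):
    """Split a Maldrop-style dropper into (loader, stage2, stage3).

    stage3 is returned already gunzipped, i.e. the bytes stage 2 would hand
    to Assembly.Load after its GZipStream loop.
    """
    parts = dropper.split(MARKER)
    if len(parts) != 3:
        raise ValueError(f"expected 3 parts, found {len(parts)}")
    loader, stage2, blob = parts
    # Both carved executables must be PE files (DOS "MZ" header).
    for name, pe in (("loader", loader), ("stage2", stage2)):
        if pe[:2] != b"MZ":
            raise ValueError(f"{name} does not start with an MZ header")
    # Stage 2 rebuilds the raw bytes of part 3 and inflates them with
    # GZipStream; gzip.decompress is the equivalent (and validates the CRC).
    stage3 = gzip.decompress(blob)
    if stage3[:2] != b"MZ":
        raise ValueError("decompressed third part is not a PE")
    return loader, stage2, stage3


def stage2_args(blob: bytes):
    """Mirror of the loader's bufferArray[2][i].ToString() loop: the decimal
    strings stage 2 receives in args[] (e.g. the byte 0xFF becomes "255")."""
    return [str(b) for b in blob]


# Constructed sample dropper: tiny "MZ" stubs stand in for the real PEs so the
# script runs without the challenge binary.
SAMPLE_STAGE3 = b"MZ" + b"stage3-flag-printer"
SAMPLE_DROPPER = (
    b"MZ" + b"loader"
    + MARKER
    + b"MZ" + b"stage2-gunzipper"
    + MARKER
    + gzip.compress(SAMPLE_STAGE3)
)

if __name__ == "__main__":
    # With a path argument, unpack the real dropper; otherwise the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = SAMPLE_DROPPER
    for name, blob in zip(("mal0.exe", "mal1.exe", "mal2.exe"), unpack_maldrop(data)):
        with open(name, "wb") as f:
            f.write(blob)
        print(f"{name}: {len(blob)} bytes")
```

Run it as `python unpack.py maldrop.exe` against the real file; without an argument it unpacks the constructed sample. The part count and MZ checks catch a marker that occurs an unexpected number of times, which a bare `split` would silently pass on as a corrupt stage.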
With the decompiled source of that third PE, I recompiled it online using `ideone`; the output was the flag :D

```csharp
// Decompiled third stage, trimmed to a standalone program that can be recompiled as-is.
using System;
using System.Text;

public class Test
{
    public static void Main()
    {
        // A fixed seed makes System.Random fully deterministic, so the
        // "random" flag is the same on every run.
        Random random = new Random(0xe45ec7f);
        StringBuilder builder = new StringBuilder();
        builder.Append("easyctf{");
        for (int i = 0; i < 6; i++)
        {
            builder.Append(random.Next());
        }
        builder.Append("}");
        string str = builder.ToString();
        Console.WriteLine(str);
    }
}
```

`easyctf{12761716281964844769159211786140015599014519771561198738372}`
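Added example, not the writeup's code: the same computation in Python, with a reimplementation of the seeded `System.Random` generator (the Knuth subtractive generator from the .NET reference source, which .NET keeps using whenever a seed is supplied), so the flag can be recovered without a .NET toolchain and without running any stage of the dropper. `DotNetRandom` and `maldrop_flag` are my names; `_i32` emulates C#'s unchecked 32-bit int wraparound, which the mixing loop can hit because the initial entry `SeedArray[55] = 161803398 - |seed|` is negative for this seed.

```python
# Python port of the seeded System.Random (Knuth subtractive generator), so the
# Maldrop stage-3 output can be reproduced without .NET.

MBIG = 2**31 - 1          # int.MaxValue
MSEED = 161803398         # .NET's seeding constant


def _i32(x):
    """Emulate C# unchecked int arithmetic: wrap to signed 32-bit."""
    x &= 0xFFFFFFFF
    return x - 0x100000000 if x & 0x80000000 else x


class DotNetRandom:
    """new Random(seed) / Next() as implemented in the .NET reference source."""

    def __init__(self, seed):
        subtraction = MBIG if seed == -2**31 else abs(seed)
        mj = MSEED - subtraction
        self.seed_array = [0] * 56      # index 0 is unused, as in .NET
        self.seed_array[55] = mj
        mk = 1
        for i in range(1, 55):
            ii = (21 * i) % 55
            self.seed_array[ii] = mk
            mk = _i32(mj - mk)
            if mk < 0:
                mk += MBIG
            mj = self.seed_array[ii]
        # Four "warm-up" passes over the table; this is where C# may overflow.
        for _ in range(1, 5):
            for i in range(1, 56):
                self.seed_array[i] = _i32(self.seed_array[i] - self.seed_array[1 + (i + 30) % 55])
                if self.seed_array[i] < 0:
                    self.seed_array[i] += MBIG
        self.inext = 0
        self.inextp = 21

    def next(self):
        """Equivalent of Random.Next(): an int in [0, int.MaxValue)."""
        self.inext += 1
        if self.inext >= 56:
            self.inext = 1
        self.inextp += 1
        if self.inextp >= 56:
            self.inextp = 1
        ret = _i32(self.seed_array[self.inext] - self.seed_array[self.inextp])
        if ret == MBIG:
            ret -= 1
        if ret < 0:
            ret += MBIG
        self.seed_array[self.inext] = ret
        return ret


def maldrop_flag(seed=0xe45ec7f, count=6):
    """Rebuild the stage-3 output: "easyctf{" + six Next() values + "}"."""
    rng = DotNetRandom(seed)
    return "easyctf{" + "".join(str(rng.next()) for _ in range(count)) + "}"


if __name__ == "__main__":
    print(maldrop_flag())
```

`maldrop_flag()` returns the same string the recompiled stage 3 printed. If a port like this ever diverges from the C# output, the first thing to check is the wraparound: doing the subtractions in Python's unbounded ints changes the seed table in the cases where C# would have overflowed.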
