Extreme Coders Posted October 12, 2022 Posted October 12, 2022 On 10/12/2022 at 7:32 AM, AeroX2 said: Also working on ch8 and would appreciate any assistance. Expand Reveal hidden contents Once you get to decode all of them (about 70 I think) the interesting ones should be evident by the presence of suspicious strings etc. Writing a tool to automate does help. 1
Canlex Posted October 12, 2022 Posted October 12, 2022 On 10/12/2022 at 8:14 AM, Extreme Coders said: Reveal hidden contents Once you get to decode all of them (about 70 I think) the interesting ones should be evident by the presence of suspicious strings etc. Writing a tool to automate does help. Expand Reveal hidden contents I can see that some sections are getting decrypted with RC4 with a constant key, (flared46 method) but just changing those sections doesn't give me anything, seems I'm missing some metadata or something.
_no_clue Posted October 12, 2022 Posted October 12, 2022 Any chance I could get a pointer in the right direction for challenge 6? Hitting a brick wall. Reveal hidden contents seems like some pipe interaction is needed. However setting up a server did nothing
Extreme Coders Posted October 12, 2022 Posted October 12, 2022 @Canlex Reveal hidden contents Check out which section contributes to the large size of the binary and where it is referenced from the code.
Canlex Posted October 12, 2022 Posted October 12, 2022 (edited) On 10/12/2022 at 12:40 PM, Extreme Coders said: @Canlex Reveal hidden contents Check out which section contributes to the large size of the binary and where it is referenced from the code. Expand Reveal hidden contents I found the section in question but I really searched hard and couldn't find where it is referenced from. unsure where to put my breakpoint to figure that out. I did however find that it uses the function tokens to generate the functions themselves, and each section (maybe not the one in question) corresponds to a function. Edited October 12, 2022 by Canlex Spoiler tags
deepzero Posted October 12, 2022 Posted October 12, 2022 @_no_clue Reveal hidden contents Setting up your own pipe is the wrong path. Keep studying the large executable. 6 is considerably simpler than 5 imo.
cybercat Posted October 13, 2022 Posted October 13, 2022 (edited) CH#8. Can someone tell me is it possible to edit signature of method in DNSpy? I would like to use hex values to edit somehow the sig, but i do not know how can i do it. How can i find the signature bytes of method in DNSpy? I got the bytes from dynamic method, pasted it into binary, but i think i have to do something with the signatures also, because after patching i do not get enter into 'decrypted' methods. Should i do something with signatures of methods? Thanks for any hint. Edited October 13, 2022 by cybercat
Extreme Coders Posted October 14, 2022 Posted October 14, 2022 On 10/13/2022 at 1:51 PM, cybercat said: CH#8. Expand Reveal hidden contents You can't paste the instruction bytes as-is from the generated dynamic methods to the original method. On 10/13/2022 at 5:09 PM, vpn said: Hi, could someone give me a hint on ch3 pls? Expand Reveal hidden contents Shake the magic8ball in a specific way. 1
er3zoid Posted October 14, 2022 Posted October 14, 2022 (edited) On 10/14/2022 at 6:37 AM, Extreme Coders said: Reveal hidden contents You can't paste the instruction bytes as-is from the generated dynamic methods to the original method. Reveal hidden contents Shake the magic8ball in a specific way. Expand Reveal hidden contents Could you point me to a resource to understand how the the tokens referenced in the IL code differ between memory and disk? I've tried looking into the ECMA spec but i haven't found anything regarding this translation in detail. Edited October 26, 2022 by er3zoid removed wrong assumptions
deepzero Posted October 14, 2022 Posted October 14, 2022 Reveal hidden contents Study the documentation of DynamicILInfo and DynamicMethod @er3zoid 1
Neo123 Posted October 15, 2022 Posted October 15, 2022 I am stuck on challenge 7. Any help is appreciated. This is what I did: Reveal hidden contents Extracted the overlay from the .exe. Slightly modified the extracted overlay script so that it will run with nodejs installation and chrome dev. There was a if condition that always throws error. So, I removed it. I removed the switch statement and cases. From here I tried several ways: 1. I tried to remove all the math.random cases and checked the output. couldn't figure out anything. 2. Tried without removing the math.random cases and checked the output. The output is random always as expected. couldn't figure anything. Also the output from the script and the actual .exe is different with same input. I think there is problem with my approach and could n't figure what is wrong.
Washi Posted October 16, 2022 Author Posted October 16, 2022 @Neo123 Reveal hidden contents On 10/15/2022 at 9:30 PM, Neo123 said: Also the output from the script and the actual .exe is different with same input Expand Then we must conclude that something is going on in the executable that makes the script behave differently from within the executable.
qpor Posted October 16, 2022 Posted October 16, 2022 For ch#8: Reveal hidden contents I got to successfully decode the first few methods. The program keeps looping though under the dnSpy debugger. Feels a bit like anti-debugging. Any resources to read up here? If I replace e.g. flared_67 with the decoded body, and try to run the modified program, I always get an exception: "System.InvalidProgramException: Common Language Runtime detected an invalid program". I'm pretty confident the method is decoded correctly, as I get correct C# in dnSpy for it. Would really appreciate any pointers to resourced to read up on. Thanks
kao Posted October 16, 2022 Posted October 16, 2022 (edited) @qpor: Reveal hidden contents On 10/16/2022 at 11:41 AM, qpor said: Feels a bit like anti-debugging Expand I believe it's just extremely slow due to all the exceptions. I guess you could call that "anti-debugging" On 10/16/2022 at 11:41 AM, qpor said: Feels a bit like anti-debugging Expand I can think of 2 possibilities: your decoded IL is wrong. DnSpy tries to decompile even invalid IL - and quite often succeeds. I would check your method with ildasm and peverify. the way you replace the method body is wrong. For example, you might have messed up tokens of all other methods. Edited October 16, 2022 by kao 1
AeroX2 Posted October 16, 2022 Posted October 16, 2022 On 10/12/2022 at 8:14 AM, Extreme Coders said: Reveal hidden contents Once you get to decode all of them (about 70 I think) the interesting ones should be evident by the presence of suspicious strings etc. Writing a tool to automate does help. Expand Thanks this helped me considerably, I think I have a rough idea of what the program is doing and I'm getting somewhere, hopefully... Quick question around Dnspy Reveal hidden contents Any idea why Dnspy doesn't decompile FLARE05 _DoTask function it seems that Dnspy can resolve the MDtokens and it doesn't seem obfuscated unlike the flared_* functions.
Extreme Coders Posted October 16, 2022 Posted October 16, 2022 @AeroX2 Reveal hidden contents If done correctly dnspy should be able to decompile. If done incorrectly the MDtokens may still resolve to something but that would not necessarily be correct. Perhaps going through the #US heap may help.
cybercat Posted October 16, 2022 Posted October 16, 2022 (edited) //deleted Edited October 16, 2022 by cybercat
Neo123 Posted October 17, 2022 Posted October 17, 2022 On 10/16/2022 at 7:54 AM, Washi said: @Neo123 Reveal hidden contents Then we must conclude that something is going on in the executable that makes the script behave differently from within the executable. Expand Reveal hidden contents I tried debugging the .exe but it has too many functions and I am not exactly familiar with how node.exe embeds and runs a .js script file in memory. As far as I know, all interpreted scripts are converted into some intermediate instructions but I am not able to pin point the exact function that does that. Any specific thing that I should look for or any specific debugging tool that makes it easier?
Washi Posted October 18, 2022 Author Posted October 18, 2022 @Neo123 Reveal hidden contents You don't really have to know exactly how node.exe works and runs the Javascript to get to know and work around the changes that were made.
cybercat Posted October 18, 2022 Posted October 18, 2022 (edited) Hello again, Guys, Can you tell me should i do something with Signatures. For example i think that i have decoded flared_66 but DNSpy does not decompile it correctly. When i look at the IL dump, code looks fine for me. I do the same thing for other flared functions but only 2 or 3 are decompiling correctly. Let's say that i am copying bytes and patch the assembly. FLARED_70 FLARED_66 FLARED_69 FLARED_35 FLARED_47 FLARED_67 FLARED_68 After patch Two of them looks ok in DNSpy and decompile them correctly, but others are not OK for DNSpy. What is the difference between those two and others which are not working. ( decompilation fails.) As an example Flared_66 is not decompiled correctly. I am trying to do patching of Signatures/Headers but with no luck. Should i touch them? Do i need to patch also Signatures related with LocalVarSigHelper? Is it possible that methods which are decompiled OK is just a luck that other things are matching in original EXE and patched version.? Where should i look? What to patch? Why i can't just only copy bytes? If i have signature in bytes array, where should i put it? Is it possible in DNspy to easily insert this signature to method? When you decode few methods, should the execution go into those Flared methods? I am asking because even if i decode one method program do not enter into it and it catches the exception and go to resolver method. Thanks for any help. This task is above my skills at the moment, but i don't know what should i learn to move a little forward. Edited October 19, 2022 by cybercat
deepzero Posted October 18, 2022 Posted October 18, 2022 > I am asking because even if i decode one method program do not enter into it and it catches the exception and go to resolver method. Reveal hidden contents Then you have not decoded them correctly. There is no need to mess with "signatures". Look at what the resolver method does, what it patches in the bytecode it executes dynamically.
kiyo Posted October 22, 2022 Posted October 22, 2022 Ch09 I would appreciate advices to proceed.. Reveal hidden contents I could understand the components (I haven't identify how some of them should be used) in the encrypted file through analyzing the binary. Now I need a key and other some factors to decrypt what we want. However they are encrypted by other algorithm like a general ransomware. The algorithm seems to be asymmetric but I haven't been able to find a clue how to proceed.
kao Posted October 22, 2022 Posted October 22, 2022 @kiyo: Reveal hidden contents On 10/22/2022 at 6:15 AM, kiyo said: The algorithm seems to be asymmetric Expand Figure out which algorithm it is and then find a bug in the implementation. 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now