0 to 31337 Real Quick: Lessons Learned by Reversing the Flare-On Challenge
Blaine Stancill, Josh Wang
Feb. 25th 2017
Who are we?
Josh
▪ @rh0gue
▪ Security Researcher
▪ CTF player
▪ Interested in binary exploitation & VR
Blaine
▪ @MalwareMechanic
▪ Malware Researcher
▪ Loves difficult-to-reverse malware
  • Anti-disassembly
Agenda
▪ Flare-On introduction
▪ Reverse engineering 101
▪ Concepts & examples
  • PE file format
  • Base-64 encoding
  • Simple encryption
  • Hashing
  • Anti-analysis
▪ Conclusion
Why CTFs?
▪ Exposure to old and new concepts
▪ Keeps your skills honed
▪ Get 1337 street cred and lots of “flair”
Flare-On Challenge
▪ Annual challenge hosted by FireEye’s FLARE team
▪ Challenges focus on reverse-engineering core concepts
▪ 10 levels, increasing in difficulty
▪ This year there were 124 finishers out of 2,063 participants
Figure: challenge matrix, levels 1 to 10 against the concept each one exercises (B64, XOR, RC4, Hash, Anti-*, Obfuscation, .Net, JS, PE Format, Memory Carving, Go, Flash, Python Exe, 16-bit).
Reverse Engineering 101
● Prerequisite: some assembly (x86, x64, ARM)
● Your best friend: IDA
  ○ Your disassembler of choice
  ○ Your debugger of choice
● Different analysis strategies
  ○ “top-down”
  ○ “bottom-up”
● Dance between static & dynamic analysis
RE 101: Analysis Strategy
● Top-down
  ○ Start at the beginning function (main) and work your way down
● Bottom-up
  ○ Start at an interesting code block and work your way up
Figure: top-down arrow running from Start to End, bottom-up arrow running from End back to Start.
RE 101: Light vs Deep Static Analysis
Light
● Running strings
● Viewing imports
● Viewing resources
● Checking entropy
● Checking if known packer
Deep
● IDA Pro
● Label code/data
● Derive functionality
● Rename functions appropriately
RE 101: Light vs Deep Dynamic Analysis
Light
● Running the executable in a sandboxed VM
● Observe general behavior
● Using Process Monitor (ProcMon) and Process Explorer (ProcExp)
Deep
● Running the executable with a debugger attached
● Setting appropriate breakpoints
● Observing how different registers and values are affected by function calls and instructions
File Type
● Recognize via “magic bytes”, typically at the beginning of the file
● From the type you can derive the file format
● 4D 5A == “MZ”: the magic bytes that specify the PE file format
PE File Format
Imports
● Functions imported from external libraries
Exports
● Functions exported to be called by other programs
Sections
● Different areas of the executable, each with a different purpose
  ○ .code/.text
  ○ .data/.rdata
  ○ .rsrc
MS-DOS Header
● Ensures backwards compatibility of 32/64-bit binaries on 16-bit DOS
Import Hints - What can it do?
▪ FindFirstFileW
▪ FindNextFileW
▪ GetVolumeInformationA
▪ GetVersionExW
▪ CryptCreateHash
▪ CryptHashData
▪ CryptGetHashParam
▪ SetWindowsHook
▪ Get(Async)KeyState
▪ CryptDeriveKey
▪ CryptEncrypt
▪ WSAStartup
▪ send
▪ recv
Import Hints - What can it do?
File enumeration
▪ FindFirstFileW
▪ FindNextFileW
System fingerprinting
▪ GetVolumeInformationA
▪ GetVersionExW
Perform hashing
▪ CryptCreateHash
▪ CryptHashData
▪ CryptGetHashParam
Key logging
▪ SetWindowsHook
▪ Get(Async)KeyState
Use of encryption
▪ CryptDeriveKey
▪ CryptEncrypt
Network capabilities
▪ WSAStartup
▪ send
▪ recv
DudeLocker.exe
▪ Challenge #2
▪ By examining the PE format we can already see:
  • File enumeration
  • Read/write files
  • Use of encryption
  • Ransom note in the .rsrc section
MS-DOS Header
▪ PE binaries can be run in 3 modes
  • 64-bit mode
  • 32-bit mode
  • 16-bit mode
▪ When a 32-bit or 64-bit PE is run in 16-bit mode, the typical message displayed is:
  • “This program cannot be run in DOS mode”
▪ DOS stub program
  • Located after the DOS header
  • Run using debug.exe (32-bit only)
  • Run using the DOSBox emulator
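As an added example (not code from the talk), a small parser that follows the chain just described: the 4D 5A magic, the e_lfanew pointer, the PE signature, the COFF header and the section table. It runs on a constructed, non-loadable PE skeleton built inline so it works offline; the field layouts and the IMAGE_SCN_MEM_EXECUTE flag are taken from the PE specification.

```python
import struct

# COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HDR = "<HHIIIHH"
# Section header (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = "<8sIIIIIIHHI"
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def build_sample_pe(sections):
    """Constructed, non-loadable PE skeleton used only to feed the parser:
    MZ header, DOS stub text, PE signature, COFF header, zeroed PE32 optional
    header and a section table. e_lfanew (offset 0x3c) points at the PE signature."""
    stub = b"This program cannot be run in DOS mode.\r\n$"
    e_lfanew = 0x40 + len(stub)
    e_lfanew += -e_lfanew % 8                           # keep the PE header 8-aligned
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew) + stub).ljust(e_lfanew, b"\0")
    opt_size = 0xE0                                     # PE32 optional header size
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table = b"".join(struct.pack(SECTION_HDR, name, vsize, va, vsize, raw, 0, 0, 0, 0, flags)
                     for name, va, vsize, raw, flags in sections)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table

def parse_pe(data: bytes) -> dict:
    """Follow the chain the slides describe: 4D 5A magic -> e_lfanew -> PE
    signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ file without PE signature (plain DOS executable?)")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, e_lfanew + 4)
    sec_off = e_lfanew + 4 + struct.calcsize(COFF_HDR) + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_HDR, data, sec_off + struct.calcsize(SECTION_HDR) * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va,
                         "vsize": vsize, "raw": rawptr, "rawsize": rawsize,
                         "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE)})
    return {"machine": machine, "dos_stub": data[0x40:e_lfanew], "sections": sections}

# Constructed sample: (name, VirtualAddress, VirtualSize, PointerToRawData, Characteristics)
SAMPLE = build_sample_pe([
    (b".text", 0x1000, 0x2000, 0x400, 0x60000020),     # code: execute + read
    (b".data", 0x3000, 0x500, 0x2400, 0xC0000040),     # initialised data: read + write
    (b".rsrc", 0x4000, 0x800, 0x2A00, 0x40000040),     # resources (where DudeLocker keeps its note)
])
```

Calling parse_pe(SAMPLE) lists the three sections with their addresses and marks only .text as executable; a non-MZ input such as an ELF header is rejected at the first check.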
Why base64?
▪ Base64 allows transportation of binary data over non-binary protocols
  • HTTP/HTTPS via GET/POST
  • SMTP
  • Chat protocols
▪ Malware needs to communicate with C2 nodes
  • Data exfiltration
  • Commands
  • Next-stage payloads
▪ Easy obfuscation
  • PowerShell commands
Base64 Encoding
▪ Essentially a substitution cipher
▪ Typical alphabet:
  • A-Za-z0-9+/=
  • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
▪ Seeing this alphabet is the telltale sign of base64
Base64 Encoding: Internals
Input:            H        i        !
Bit stream:       01001000 01101001 00100001
Regrouped in 6s:  010010   000110   100100   100001
Index:            18       6        36       33
Base64-encoded:   S        G        k        h
Alphabet lookup:  ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
Challenge #1, what’s going on?
Base64, hmmm...
x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q
Typical alphabet: decodes to Çgm$C¦Ê6.Ä7¦Çg.Í>\U/_UA¯Y;.Z;.Æ4jËn+Woj
Custom Alphabet
Custom alphabet: ZYXABCDEFGHIJKLMNOPQRSTUVWzyxabcdefghijklmnopqrstuvw0123456789+/
x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q
Custom alphabet: decodes correctly
MiniDuke (APT29)
▪ System survey:
  • Victim ID
  • Country code
  • ComputerName/%USERDOMAIN%
  • OS major, minor, service pack major, product type, architecture (32/64-bit)
  • Antivirus list
  • Proxy list
  • Version of the malicious sample
▪ All values are separated with ”|”
MiniDuke (APT29) cont.
▪ http://[site].com/index.php?a=MjIzMTQyMzkzM3xST3xIT01FL0hPTUV8NXwxfDN8MXwwfC18LXwyLjEy&g=MjIzMTQyM
▪ MjIzMTQyMzkzM3xST3xIT01FL0hPTUV8NXwxfDN8MXwwfC18LXwyLjEy
  • 2231423933 | RO | HOME/HOME | 5 | 1 | 3 | 1 | 0 | - | - | 2.12
▪ MjIzMTQyM
  • 2231424
  • CRC modulo 13D455h of the above encoded string
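Added example, not part of the slides: decoding with a custom alphabet is only a symbol translation back to the typical alphabet, which also shows why the typical alphabet turns the Challenge #1 string into the garbage above. The same routine then splits the MiniDuke survey string (plain base64) into its “|”-separated fields.

```python
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Alphabet recovered from Flare-On challenge #1 (copied from the slide above).
CUSTOM_ALPHABET = "ZYXABCDEFGHIJKLMNOPQRSTUVWzyxabcdefghijklmnopqrstuvw0123456789+/"

def b64decode_alphabet(encoded: str, alphabet: str) -> bytes:
    """Decode base64 written with an arbitrary 64-symbol alphabet: map every
    symbol to the standard symbol at the same index, then use the stdlib."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct symbols")
    translated = encoded.translate(str.maketrans(alphabet, STD_ALPHABET))
    translated += "=" * (-len(translated) % 4)        # restore stripped padding
    return base64.b64decode(translated)

def looks_like_text(data: bytes) -> bool:
    """Cheap sanity check: the wrong alphabet produces high-bit garbage bytes
    (the slide's 'Çgm$C¦Ê6...'), the right one printable ASCII."""
    return all(0x20 <= b < 0x7F for b in data)

def parse_miniduke_survey(param: str) -> list:
    """MiniDuke's ?a= value is plain base64 of '|'-separated survey fields."""
    return b64decode_alphabet(param, STD_ALPHABET).decode("ascii").split("|")

if __name__ == "__main__":
    blob = "x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q"
    for name, alpha in (("typical", STD_ALPHABET), ("custom", CUSTOM_ALPHABET)):
        out = b64decode_alphabet(blob, alpha)
        print(f"{name:8} alphabet -> {out!r}  text? {looks_like_text(out)}")
    print(parse_miniduke_survey("MjIzMTQyMzkzM3xST3xIT01FL0hPTUV8NXwxfDN8MXwwfC18LXwyLjEy"))
```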
Simple Encryption
▪ XOR
  • Symmetric
  • Key can be 1 or more bytes
▪ RC4
  • Stream cipher
  • Uses a key to generate a keystream
  • Uses the keystream to XOR the plaintext
XOR
▪ Exclusive OR
  • Typically what the English ‘or’ means: you can have one or the other, but not both.
▪ Interesting properties:
  • A ⊕ A = 0
  • A ⊕ 0 = A
  • A ⊕ B ⊕ A = (A ⊕ A) ⊕ B = 0 ⊕ B = B
XOR (cont.)
▪ Examples:
  • Key ⊕ Plaintext = Ciphertext
  • Key ⊕ Ciphertext = Plaintext
▪ Great for encoding:
  • C2 data
  • Strings
  • Constants
▪ Malware writers LOVE it due to its simplicity
XOR Drawbacks
▪ Key can be brute forced if its length is short
▪ Known plaintext attack (KPT)
  • Plaintext ⊕ Ciphertext = Key
▪ Inverse algorithm
  • Algorithm( Plaintext ) = Ciphertext
  • Inverse_Algorithm( Ciphertext ) = Plaintext
Rolling XOR Algorithm (Challenge #8)
Plaintext:  H  e  l  l  o     W  o  r  l  d  !
            48 65 6c 6c 6f 20 57 6f 72 6c 64 21
C5 ^ : each plaintext byte is XORed with the previous ciphertext byte; the first byte is XORed with C5.
Step by step, in place:
  8d 65 6c 6c 6f 20 57 6f 72 6c 64 21
  8d e8 6c 6c 6f 20 57 6f 72 6c 64 21
  8d e8 84 6c 6f 20 57 6f 72 6c 64 21
  8d e8 84 e8 6f 20 57 6f 72 6c 64 21
  8d e8 84 e8 87 20 57 6f 72 6c 64 21
  8d e8 84 e8 87 a7 57 6f 72 6c 64 21
  8d e8 84 e8 87 a7 f0 6f 72 6c 64 21
  8d e8 84 e8 87 a7 f0 9f 72 6c 64 21
  8d e8 84 e8 87 a7 f0 9f ed 6c 64 21
  8d e8 84 e8 87 a7 f0 9f ed 81 64 21
  8d e8 84 e8 87 a7 f0 9f ed 81 e5 21
  8d e8 84 e8 87 a7 f0 9f ed 81 e5 c4
Ciphertext: 8d e8 84 e8 87 a7 f0 9f ed 81 e5 c4

Rolling XOR Inverse-Algorithm (Challenge #8)
Ciphertext: 8d e8 84 e8 87 a7 f0 9f ed 81 e5 c4
C5 ^ : each ciphertext byte is XORed with the previous ciphertext byte, walking from the last byte backwards so the previous byte is still intact; the first byte is XORed with C5.
Step by step, in place:
  8d e8 84 e8 87 a7 f0 9f ed 81 e5 21
  8d e8 84 e8 87 a7 f0 9f ed 81 64 21
  8d e8 84 e8 87 a7 f0 9f ed 6c 64 21
  8d e8 84 e8 87 a7 f0 9f 72 6c 64 21
  8d e8 84 e8 87 a7 f0 6f 72 6c 64 21
  8d e8 84 e8 87 a7 57 6f 72 6c 64 21
  8d e8 84 e8 87 20 57 6f 72 6c 64 21
  8d e8 84 e8 6f 20 57 6f 72 6c 64 21
  8d e8 84 6c 6f 20 57 6f 72 6c 64 21
  8d e8 6c 6c 6f 20 57 6f 72 6c 64 21
  8d 65 6c 6c 6f 20 57 6f 72 6c 64 21
  48 65 6c 6c 6f 20 57 6f 72 6c 64 21
Plaintext:  48 65 6c 6c 6f 20 57 6f 72 6c 64 21
            H  e  l  l  o     W  o  r  l  d  !
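The two slides above as an added example (not Challenge #8’s own code): the ciphertext byte feeds forward as the key for the next byte, seeded with 0xC5, so the inverse is ciphertext[i] ^ ciphertext[i-1]. The in-place version has to run from the end, which is why the slide decrypts backwards, and a known first plaintext byte recovers the seed.

```python
SEED = 0xC5          # the "C5 ^" on the slide: key for the very first byte

def rolling_xor_encrypt(plaintext: bytes, seed: int = SEED) -> bytes:
    """ciphertext[i] = plaintext[i] ^ ciphertext[i-1], with ciphertext[-1] = seed."""
    out = bytearray()
    prev = seed
    for p in plaintext:
        prev ^= p                 # this ciphertext byte is the next byte's key
        out.append(prev)
    return bytes(out)

def rolling_xor_decrypt(ciphertext: bytes, seed: int = SEED) -> bytes:
    """Inverse algorithm: plaintext[i] = ciphertext[i] ^ ciphertext[i-1]."""
    out = bytearray()
    prev = seed
    for c in ciphertext:
        out.append(c ^ prev)
        prev = c                  # keep the ciphertext byte, not the plaintext
    return bytes(out)

def rolling_xor_decrypt_inplace(buf: bytearray, seed: int = SEED) -> None:
    """The slide's in-place walk must go back to front: decrypting byte i
    overwrites the ciphertext byte that byte i+1 still needs as its key."""
    for i in range(len(buf) - 1, -1, -1):
        buf[i] ^= buf[i - 1] if i > 0 else seed

def recover_seed(first_plain: int, first_cipher: int) -> int:
    """Known plaintext: only the first byte depends on the secret seed, so one
    known leading byte (the 'M' of 'MZ', the 'h' of 'http') gives it away."""
    return first_plain ^ first_cipher

if __name__ == "__main__":
    ct = rolling_xor_encrypt(b"Hello World!")
    print(ct.hex(" "))                   # 8d e8 84 e8 87 a7 f0 9f ed 81 e5 c4
    print(rolling_xor_decrypt(ct))       # b'Hello World!'
    print(rolling_xor_decrypt(ct, 0x00)) # a wrong seed only garbles byte 0
```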
RC4
Key-scheduling algorithm (KSA)
  for i from 0 to 255
      S[i] := i
  endfor
  j := 0
  for i from 0 to 255
      j := (j + S[i] + key[i mod keylength]) mod 256
      swap values of S[i] and S[j]
  endfor
Pseudo-random generation algorithm (PRGA)
  i := 0
  j := 0
  while GeneratingOutput:
      i := (i + 1) mod 256
      j := (j + S[i]) mod 256
      swap values of S[i] and S[j]
      K := S[(S[i] + S[j]) mod 256]
      output K
  endwhile
RC4
▪ Telltale RC4 signs:
  • Contains a loop with 0x100 as counter
    ∙ Fills an array with all numbers 0-255
  • Swaps bytes in the array
  • XORs follow later
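The KSA/PRGA pseudocode above as running Python (an added example, not from the slides); the vector quoted in the docstring is the public RC4 test vector for key “Key”. The last function shows the check worth making when a sample uses one hard-coded RC4 key for all of its C2 traffic.

```python
def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: identity permutation 0..255, then 256
    key-driven swaps. The 0x100 loop and the swaps are the telltale signs."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def rc4_prga(S: list):
    """Pseudo-random generation algorithm: an endless keystream generator."""
    S = S[:]                        # copy, so the schedule can be reused
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same: XOR data with the keystream.
    Public test vector: key b'Key', plaintext b'Plaintext' -> BBF316E8D940AF0AD3."""
    if not key:
        raise ValueError("RC4 key must be at least one byte")
    keystream = rc4_prga(rc4_ksa(key))
    return bytes(b ^ next(keystream) for b in data)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_reuse_leak(key: bytes, msg1: bytes, msg2: bytes) -> bytes:
    """Why one fixed RC4 key for every C2 message is a weakness: XORing two
    ciphertexts cancels the shared keystream and leaves msg1 XOR msg2, which a
    single known message turns straight into the other one."""
    return xor_bytes(rc4_crypt(key, msg1), rc4_crypt(key, msg2))
```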
Hashing
▪ Hash is a one-way function
  • hash_function( data ) = hash
▪ Takes arbitrary-sized input data
▪ Produces a fixed-length string
  • Called the ‘hash’ of the data
Hashing - Recognizing
▪ Typical hash functions
  • MD5
  • SHA1
  • SHA256
  • SHA512
▪ Custom hash function
  • ROR 13
▪ Lots of constants
  • Initialization constants
  • Round constants
▪ SHA1
  • 0xC3D2E1F0
  • 0x67452301
  • 0xEFCDAB89
  • 0x98BADCFE
  • 0x10325476
Figure: SHA1 function from MiniDuke
Hashing: How to hide constants
▪ Malware will sometimes hide them
  • Inverse constant (2’s complement)
  • Split constant into two parts, add/subtract to combine prior to use
▪ Challenge #5
  • Modified MD5 using different constants
Original constants:
▪ 0xd76aa478
▪ 0xe8c7b756
▪ 0x242070db
▪ 0xc1bdceee
Nibble shifted right:
▪ 0x76aad478
▪ 0x8c7be756
▪ 0x420720db
▪ 0x1bdcceee
Hashing - ROR13
  unsigned int __stdcall hash(char* string)
  {
      __asm {
          mov esi, string     ; esi -> input string
          xor edi, edi        ; edi = running hash, starts at 0
          xor eax, eax        ; clear eax so lodsb leaves a zero-extended byte
          cld                 ; lodsb walks forward
      next:
          lodsb               ; al = *esi++
          test al, al
          jz done             ; stop at the NUL terminator
          ror edi, 0xd        ; rotate the hash right by 13 (0xd == 13)
          add edi, eax        ; mix in the character
          jmp next
      done:
          mov eax, edi        ; return the hash in eax
      };
  }
Hashing - Other uses?
▪ Represent a string as a 32-bit integer
▪ Dynamically resolve imports
▪ Parse a loaded DLL’s export table
  • DLL name hash
  • Import name hash
▪ Verify keys/passwords
  • Hash the user’s input and compare to the stored hash
▪ Challenge #7 needed brute forcing of triple SHA1 hashes
  • SHA1( SHA1( SHA1( data ) ) )
▪ Narrow keyspace
  • 6 characters in length
  • Possible values:
    ∙ abcdefghijklmnopqrstuvwxyz@-._1234
Hashing - Other uses?
▪ Check your own code for modification
  • Software breakpoints (0xCC)
▪ Anti-Analysis
  • PowerDuke checks its filename length against known hash lengths
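A Python port of the ROR13 routine above together with the analyst’s counterpart to hash-based import resolution: a precomputed hash-to-name table for known exports (added example, not code from the slides or from MiniDuke). The export list is the set of names from the import-hints slides; a real table would be built from the export tables of the DLLs of interest.

```python
def ror32(value: int, count: int) -> int:
    """32-bit rotate right, what `ror edi, 0xd` does in the asm above."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF

def ror13_hash(name: bytes) -> int:
    """Port of the inline-asm hash: for each byte up to the NUL terminator,
    hash = ror(hash, 13) + byte, truncated to 32 bits like edi."""
    h = 0
    for b in name:
        if b == 0:                     # test al, al / jz done
            break
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h

def build_hash_table(names) -> dict:
    """Analyst's counterpart to hash-based import resolution: precompute
    hash -> name for known exports so a hash constant seen in code or shellcode
    can be looked up instead of guessed."""
    return {ror13_hash(n.encode("ascii")): n for n in names}

# Names taken from the import-hints slides; a real table would be built from
# the export tables of kernel32.dll, advapi32.dll, user32.dll, ws2_32.dll, ...
KNOWN_EXPORTS = ["FindFirstFileW", "FindNextFileW", "GetVolumeInformationA",
                 "GetVersionExW", "CryptCreateHash", "CryptHashData",
                 "CryptGetHashParam", "GetAsyncKeyState", "CryptDeriveKey",
                 "CryptEncrypt", "WSAStartup", "send", "recv"]

def resolve(hash_value: int, table: dict) -> str:
    """Map a 32-bit hash back to an export name, or flag it as unknown."""
    return table.get(hash_value, f"unknown_{hash_value:08x}")

if __name__ == "__main__":
    table = build_hash_table(KNOWN_EXPORTS)
    for h in sorted(table):
        print(f"0x{h:08x}  {table[h]}")
```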
Anti-Analysis Techniques
▪ Malware authors employ techniques to thwart analysts
  • Anti-disassembly
  • Anti-debugging checks
  • Anti-VM checks
  • Obfuscation
▪ Analysts use their own methods to bypass these anti-analysis techniques
Packers
▪ Program that compresses the original binary, making the original code unreadable
▪ Common examples
  • UPX
  • ASPack
  • tElock
▪ Identify use of a packer
  • PEiD
  • strings
  • Lack of imports
  • Entropy
  • Executing code in a new memory segment
▪ How to deal with them
  • Use an unpacking tool
  • Manually unpack
Figure: Unpacking a UPX packed executable
Anti-Disassembly
▪ Technique that takes advantage of the assumptions made by disassemblers so that they cannot properly decode instructions
▪ How to:
  • Add extra/junk bytes to trick the disassembler into disassembling at the wrong offset
  • Add data directly in the .code/.text section
  • Jump into the middle of another instruction
Tricking Flow-Oriented Disassemblers
▪ Flow-oriented disassembly algorithm
  • Follows jumps and branches to continue disassembling
  • Has to make assumptions and choices
  • Calls
    ∙ Most will process the bytes immediately after the call first
  • Conditional branches
    ∙ Most will process the false branch first
From Practical Malware Analysis by Michael Sikorski and Andrew Honig
Tricking Flow-Oriented Disassemblers
Figure: data interpreted as instructions!
MiniDuke (APT29)
▪ Early samples embed strings directly in the code section
▪ Later samples XOR-encrypt strings to make it less obvious
Anti-Debugging & Anti-VM Checks
▪ Checks to determine whether the binary is being run in a VM or not
▪ Malware will often hide functionality if it detects it is being run in a VM
▪ Common WinAPI debugger-checking functions
  • IsDebuggerPresent
  • NtQueryInformationProcess
▪ Common structures checked
  • ProcessHeap flag
  • NTGlobalFlag
Conclusion
▪ Basic concepts still apply when reversing more complex targets
  • From low-level malware all the way to APTs
▪ Many more RE tips and tricks exist
  • Defining structs
  • Writing IDAPython scripts
  • Using symbolic execution to maximize code coverage and solve constraints
  • etc...
▪ Do CTFs/challenges!
  • Better to learn by doing than to just read theory
  • CTFs allow you to immerse yourself in RE concepts very quickly
Questions?
▪ @MalwareMechanic
▪ @rh0gue
Awesome Links:
● https://www.endgame.com/blog/dude-wheres-my-ransomware-flare-challenge
● https://www.endgame.com/blog/0-31337-real-quick-lessons-learned-reversing-flare-challenge
Links
● https://en.wikipedia.org/wiki/Portable_Executable
● http://algo-visualizer.jasonpark.me/
● https://pbs.twimg.com/profile_images/1109177749/Icon_1_400x400.png
● http://cdn.pcwallart.com/images/tip-of-the-iceberg-titanic-wallpaper-2.jpg
● https://ih0.redbubble.net/image.174516575.5882/flat,800x800,075,f.jpg
● https://labs.bitdefender.com/wp-content/uploads/downloads/2013/04/MiniDuke_Paper_Final.pdf
● https://img.washingtonpost.com/rf/image_480w/2010-2019/WashingtonPost/2017/02/17/Style/Images/Trump_31494.jpg-90377-3723.jpg?uuid=4Rkv_PVfEeapsOzufOR1_A
● http://reactiongifs.me/wp-content/uploads/2014/06/reading-ikea-intructions-big-lebowski-confused.gif
● http://dbclipart.com/check-mark-clip-art-image-18631/
● https://www.fireeye.com/blog/threat-research/2012/11/precalculated-string-hashes-reverse-engineering-shellcode.html
MiniDuke (APT29)
▪ C2 callout data is already encrypted using the CRC32 checksum of the code
  • Makes sure no software breakpoints are set (0xCC)
▪ Uses computer-specific details to XOR-encrypt the C2 callout data on startup
  • Makes it forensically difficult to retrieve the C2 callout data if attempting to run the sample on a different machine
▪ Subject to known plaintext attack!
Simplified Example
▪ Encoded C2 data:
  00000000  0c 11 15 14 58 4a 4a 11 13 12 4f 10 15 0c 11 12  |....XJJ...O.....|
  00000010  01 17 4f 07 0d 08 4a                             |..O...J|
▪ C2 data usually has a callout URL
  • http://
  • https://
  • www.
  • .com
  • ?=
Simplified Example
▪ XOR the encoded data with ‘http’
  00000000  64 65 61 64 30 3e 3e 61 7b 66 3b 60 7d 78 65 62  |dead0>>a{f;`}xeb|
  00000010  69 63 3b 77 65 7c 3e                             |ic;we|>|
▪ ‘dead’ is a potential key, XOR it with the encoded data
  00000000  68 74 74 70 3c 2f 2b 75 77 77 2e 74 71 69 70 76  |http</+uww.tqipv|
  00000010  65 72 2e 63 69 6d 2b                             |er.cim+|
▪ ‘://w’ is the next known plaintext
Simplified Example
▪ XOR the encoded data with ‘://w’
  00000000  36 3e 3a 63 62 65 65 66 29 3d 60 67 2f 23 3e 65  |6>:cbeef)=`g/#>e|
  00000010  3b 38 60 70 37 27 65                             |;8`p7'e|
▪ ‘beef’ is a potential key, XOR it with the encoded data
  00000000  6e 74 70 72 3a 2f 2f 77 71 77 2a 76 77 69 74 74  |ntpr://wqw*vwitt|
  00000010  63 72 2a 61 6f 6d 2f                             |cr*aom/|
▪ Key is ‘deadbeef’, XOR it with the encoded data
  00000000  68 74 74 70 3a 2f 2f 77 77 77 2e 74 77 69 74 74  |http://www.twitt|
  00000010  65 72 2e 63 6f 6d 2f                             |er.com/|
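The crib steps of the simplified example as code (an added example, not MiniDuke’s or the talk’s code). The encoded bytes are the ones in the hexdump above; key_fragment is the Plaintext ⊕ Ciphertext = Key step, and assemble_key rejects every key length at which the recovered fragments contradict each other, which is how a 4-byte key is ruled out and 8 survives.

```python
# Encoded C2 data from the hexdump on the slide above.
ENCODED = bytes.fromhex(
    "0c 11 15 14 58 4a 4a 11 13 12 4f 10 15 0c 11 12 "
    "01 17 4f 07 0d 08 4a"
)

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def key_fragment(ciphertext: bytes, crib: bytes, offset: int) -> bytes:
    """Plaintext XOR Ciphertext = Key: the key bytes sitting under a guessed crib."""
    return bytes(c ^ p for c, p in zip(ciphertext[offset:offset + len(crib)], crib))

def assemble_key(fragments, keylen: int):
    """Place (offset, key bytes) fragments into a key of length keylen.
    None means this key length is wrong (two fragments disagree on one
    position) or not yet fully determined (a position is still unknown)."""
    key = [None] * keylen
    for offset, frag in fragments:
        for i, b in enumerate(frag):
            pos = (offset + i) % keylen
            if key[pos] is not None and key[pos] != b:
                return None
            key[pos] = b
    return None if None in key else bytes(key)

def recover(ciphertext: bytes, cribs, max_keylen: int = 16) -> dict:
    """Try every key length; keep those whose key gives printable plaintext."""
    fragments = [(off, key_fragment(ciphertext, crib, off)) for crib, off in cribs]
    found = {}
    for keylen in range(1, max_keylen + 1):
        key = assemble_key(fragments, keylen)
        if key is None:
            continue
        plain = xor_bytes(ciphertext, key)
        if all(0x20 <= b < 0x7F for b in plain):
            found[keylen] = (key, plain)
    return found

if __name__ == "__main__":
    cribs = [(b"http", 0), (b"://w", 4)]            # the two guesses the slides make
    print(key_fragment(ENCODED, b"http", 0))        # b'dead'
    print(key_fragment(ENCODED, b"://w", 4))        # b'beef'
    for keylen, (key, plain) in recover(ENCODED, cribs).items():
        print(keylen, key, plain)                   # 8 b'deadbeef' b'http://www.twitter.com/'
```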