0 to 31337 Real Quick: Lessons Learned by Reversing the Flare-On Challenge

Blaine Stancill, Josh Wang

Feb. 25th 2017

Who are we?

Josh
▪ @rh0gue
▪ Security Researcher
▪ CTF player
▪ Interested in binary exploitation & VR

Blaine
▪ @MalwareMechanic
▪ Malware Researcher
▪ Loves difficult to reverse malware
  • Anti-disassembly

Agenda
▪ Flare-On introduction
▪ Reverse engineering 101
▪ Concepts & examples
  • PE file format
  • Base-64 encoding
  • Simple encryption
  • Hashing
  • Anti-analysis
▪ Conclusion

Why CTFs?

▪ Exposure to old and new concepts

▪ Keeps your skills honed

▪ Get 1337 street cred and lots of “flair”


Flare-On Challenge


▪ Annual challenge hosted by FireEye’s FLARE team

▪ Challenges focus on reverse-engineering core concepts

▪ 10 levels, increasing in difficulty

▪ This year there were 124 finishers out of 2,063 participants

[Figure: grid mapping challenges 1-10 to the concepts each one exercises: B64, XOR, RC4, Hash, Anti-*, Obfuscation, .Net, JS, PE Format, Memory Carving, Go, Flash, Python Exe, 16-bit]


Reverse Engineering 101
● Prereq is some assembly (x86, x64, ARM)
● Your best friend: IDA
  ○ Your disassembler of choice
  ○ Your debugger of choice
● Different analysis strategies
  ○ “top-down”
  ○ “bottom-up”
● Dance between static & dynamic analysis

RE 101: Analysis Strategy
● Top-down
  ○ Start at beginning function (main) and work your way down
● Bottom-up
  ○ Start at an interesting code block and work your way up
[Figure: top-down works from Start toward End; bottom-up works from End back toward Start]

RE 101: Light vs Deep Static Analysis
Light
● Running strings
● Viewing imports
● Viewing resources
● Checking entropy
● Checking if known packer
Deep
● IDA Pro
● Label code/data
● Derive functionality
● Rename functions appropriately

RE 101: Light vs Deep Dynamic Analysis
Light
● Running the executable in a sandboxed VM
● Observe general behavior
● Using Process Monitor (ProcMon) and Process Explorer (ProcExp)
Deep
● Running the executable with a debugger attached
● Setting appropriate breakpoints
● Observing how different registers and values are affected by function calls and instructions

Analysis Feedback Loop
[Figure: static analysis and dynamic analysis feed back into each other]


File Type
● Recognize via “magic bytes” typically at beginning
● From type can derive file format
● 4D 5A == “MZ” magic bytes specify PE File Format

PE File Format
▪ Lots of info, yuge.

PE File Format
Imports
● functions imported from external libraries
Exports
● functions exported to be called by other programs
Sections
● different areas of the executable, each with a different purpose
  ○ .code/.text
  ○ .data/.rdata
  ○ .rsrc
MS-DOS Header
● Ensures backwards compatibility 32/64-bit on 16-bit DOS

Import Hints - What can it do?
File enumeration
▪ FindFirstFileW
▪ FindNextFileW
System fingerprinting
▪ GetVolumeInformationA
▪ GetVersionExW
Perform hashing
▪ CryptCreateHash
▪ CryptHashData
▪ CryptGetHashParam
Key Logging
▪ SetWindowsHook
▪ Get(Async)KeyState
Use of encryption
▪ CryptDeriveKey
▪ CryptEncrypt
Network Capabilities
▪ WSAStartup
▪ send
▪ recv

DudeLocker.exe


▪ Challenge #2

▪ By examining the PE format

• File enumeration

• Read/Write files

• Use of encryption

• Ransom note in .rsrc section

MSDOS Header
▪ PE binaries can be run in 3 modes
  • 64-bit mode
  • 32-bit mode
  • 16-bit mode
▪ When a 32-bit or 64-bit PE is run in 16-bit mode, typical msg displayed:
  • “This program cannot be run in DOS mode”
▪ DOS Stub program
  • After the DOS header
  • Run using debug.exe (32-bit only)
  • Run using DOSBox emulator
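As an added example (not code from the talk or from any challenge binary), the following Python walks the PE structures described on the File Type, PE File Format and MSDOS Header slides: it checks the MZ magic, follows e_lfanew to the PE signature, reads the COFF header and section table, and reports whether the DOS stub still contains the standard "This program cannot be run in DOS mode" message, which is the thing worth noticing on the Challenge #8 slides. The sample image is constructed inline with struct and is not a real executable; offsets and field layouts are the documented PE ones.

```python
import struct

DOS_MESSAGE = b"This program cannot be run in DOS mode."


def build_sample_pe(stub_message: bytes = DOS_MESSAGE) -> bytes:
    """Constructed minimal PE32 image: DOS header, DOS stub, PE signature, COFF header,
    a 2-byte optional header (magic only, for brevity) and two section headers."""
    e_lfanew = 0x80
    # IMAGE_DOS_HEADER is 64 bytes; e_lfanew (offset of the PE signature) sits at 0x3C.
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    stub = (stub_message + b"\r\n$").ljust(e_lfanew - len(dos_header), b"\x00")
    opt = struct.pack("<H", 0x10B)                                        # PE32 magic
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXE | 32-bit machine)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)

    def section(name, vaddr, size, raw_ptr):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, raw_ptr, 0, 0, 0, 0, 0x60000020)

    sections = section(b".text", 0x1000, 0x200, 0x200) + section(b".rsrc", 0x2000, 0x100, 0x400)
    return dos_header + stub + b"PE\0\0" + coff + opt + sections


def parse_pe(data: bytes) -> dict:
    """Light static triage of a PE: magic, machine, sections, and whether the DOS stub looks stock."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic: not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    # Section table starts right after the optional header, whose size the COFF header tells us.
    sec_off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw_size": rawsize, "raw_ptr": rawptr})
    stub = data[0x40:e_lfanew]  # everything between the DOS header and the PE signature
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "characteristics": chars,
        "sections": sections,
        "dos_stub_standard": DOS_MESSAGE in stub,  # False on a modified stub like Challenge #8's
    }


if __name__ == "__main__":
    print(parse_pe(build_sample_pe()))
    print(parse_pe(build_sample_pe(b"custom stub without the usual message")))
```

The e_lfanew and SizeOfOptionalHeader fields are read rather than assumed, which is what keeps the parser correct on real files whose optional header is the full 224 or 240 bytes.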

MSDOS Header
Challenge #8, see anything interesting? Double negative...

MSDOS Stub Code: Normal
Normal DOS stub program
▪ Prints out string
▪ Exits

MSDOS Stub Code: Modified
DOS stub program disassembled from Challenge #8

MSDOS Header: Modified


Why base64?
▪ Base64 allows transportation of binary data over non-binary protocols
  • HTTP/HTTPS via GET/POST
  • SMTP
  • Chat Protocols
▪ Malware needs to communicate to C2 nodes
  • Data exfiltration
  • Commands
  • Next stage payloads
▪ Easy obfuscation
  • Powershell commands

Base64 Encoding
▪ Essentially a substitution cipher
▪ Typical alphabet:
  • A-Za-z0-9+/=
  • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
▪ Telltale sign of base64

Base64 Encoding: Internals
Input:             H        i        !
Bit Stream:        01001000 01101001 00100001
Regrouped (6-bit): 010010 000110 100100 100001
Index:             18     6      36     33
Base64-Encoded:    S      G      k      h
Alphabet lookup:   ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=

Challenge #1, what’s going on?
Base64, hmmm...
x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q
Typical alphabet: decodes to Çgm$C¦Ê6.Ä7¦Çg.Í>\U/_UA¯Y;.Z;.Æ4jËn+Woj

Custom Alphabet
Custom alphabet: ZYXABCDEFGHIJKLMNOPQRSTUVWzyxabcdefghijklmnopqrstuvw0123456789+/
x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q
Typical alphabet: decodes to Çgm$C¦Ê6.Ä7¦Çg.Í>\U/_UA¯Y;.Z;.Æ4jËn+Woj
Custom alphabet: decodes to [email protected]

MiniDuke (APT29)
▪ System survey:
  • Victim ID
  • Country code
  • ComputerName/%USERDOMAIN%
  • OS major, minor, service pack major, product type, architecture (32/64bit)
  • Antivirus list
  • Proxy list
  • Version of the malicious sample
▪ All values are separated with ”|”

MiniDuke (APT29) cont.
▪ http://[site].com/index.php?a=MjIzMTQyMzkzM3xST3xIT01FL0hPTUV8NXwxfDN8MXwwfC18LXwyLjEy&g=MjIzMTQyM
▪ MjIzMTQyMzkzM3xST3xIT01FL0hPTUV8NXwxfDN8MXwwfC18LXwyLjEy
  • 2231423933 | RO | HOME/HOME | 5 | 1 | 3 | 1 | 0 | - | - | 2.12
▪ MjIzMTQyM
  • 2231424
  • CRC modulo 13D455h of the above encoded string
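The three base64 slides above (the "Hi!" walkthrough, the Challenge #1 custom alphabet, and the MiniDuke beacon) all come down to one mechanism, so here is a single added example that implements it rather than calling the stdlib blindly. This is not code from the talk; it is a from-scratch base64 codec parameterised by alphabet, used to reproduce "Hi!" -> "SGkh", to decode the Challenge #1 string with the slide's custom alphabet (and to show the garbage the typical alphabet yields), and to split the MiniDuke a= parameter into its survey fields. The field names are my own labels, assumed to follow the order of the "System survey" list on the slide.

```python
import base64

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Custom alphabet and encoded string as shown on the Challenge #1 slides.
CUSTOM_ALPHABET = "ZYXABCDEFGHIJKLMNOPQRSTUVWzyxabcdefghijklmnopqrstuvw0123456789+/"
CHALLENGE1 = "x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q"
# The a= parameter from the MiniDuke beacon slide.
MINIDUKE_A = "MjIzMTQyMzkzM3xST3xIT01FL0hPTUV8NXwxfDN8MXwwfC18LXwyLjEy"
# Assumed field order, taken from the "System survey" list on the slide.
MINIDUKE_FIELDS = ["victim_id", "country", "computer_name", "os_major", "os_minor",
                   "sp_major", "product_type", "arch", "av_list", "proxy_list", "version"]


def b64_encode(data: bytes, alphabet: str = STD_ALPHABET) -> str:
    """3 bytes -> 24 bits -> four 6-bit indexes into the alphabet; '=' pads a short final group."""
    if len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        bits = int.from_bytes(chunk, "big") << (8 * (3 - len(chunk)))  # left-align in 24 bits
        chars = [alphabet[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1                                           # 1/2/3 bytes -> 2/3/4 chars
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)


def b64_decode(text: str, alphabet: str = STD_ALPHABET) -> bytes:
    """Reverse lookup per character, draining a bit accumulator 8 bits at a time; tolerates missing '='."""
    index = {c: i for i, c in enumerate(alphabet)}
    bits = nbits = 0
    out = bytearray()
    for c in text.rstrip("="):
        if c not in index:
            raise ValueError(f"{c!r} is not in the alphabet")
        bits = (bits << 6) | index[c]
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    return bytes(out)


def decode_challenge1() -> bytes:
    """The slide's custom alphabet turns the string into the flag e-mail address."""
    return b64_decode(CHALLENGE1, CUSTOM_ALPHABET)


def decode_challenge1_wrong_alphabet() -> bytes:
    """The typical alphabet yields the high-bit garbage shown on the slide (starts with 0xC7 'g' 'm' '$')."""
    return b64_decode(CHALLENGE1)


def decode_via_translate() -> bytes:
    """Analyst shortcut: map the custom alphabet onto the standard one, then use the stdlib decoder."""
    return base64.b64decode(CHALLENGE1.translate(str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)))


def parse_miniduke_beacon(encoded: str = MINIDUKE_A) -> dict:
    """Decode the beacon and split the '|'-separated survey into labelled fields."""
    values = b64_decode(encoded).decode("ascii").split("|")
    return dict(zip(MINIDUKE_FIELDS, values))


if __name__ == "__main__":
    print(b64_encode(b"Hi!"))                    # SGkh
    print(decode_challenge1())
    print(decode_challenge1_wrong_alphabet())
    print(parse_miniduke_beacon())
```

When a sample's base64 routine uses a non-standard table, the table is usually a 64-byte string sitting in .rdata; feeding it to the translate shortcut above is faster than re-implementing the decoder, but the hand-written decoder makes it obvious why a swapped alphabet produces bytes with the high bit set instead of an error.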


Simple Encryption
▪ XOR
  • Symmetric
  • Key can be 1 or more bytes
▪ RC4
  • Stream Cipher
  • Uses a key to generate a keystream
  • Uses keystream to XOR the plaintext

XOR
▪ Exclusive OR
  • Typically what the English ‘or’ means.
  • You can have one or the other, but not both.
▪ Interesting properties:
  • A ⊕ A = 0
  • A ⊕ 0 = A
  • A ⊕ B ⊕ A = (A ⊕ A) ⊕ B = 0 ⊕ B = B

XOR (cont.)
▪ Examples:
  • Key ⊕ Plaintext = Ciphertext
  • Key ⊕ Ciphertext = Plaintext
▪ Great for encoding:
  • C2 data
  • Strings
  • Constants
▪ Malware writers LOVE it due to its simplicity

XOR Drawbacks
▪ Key can be brute forced if length is short
▪ Known plaintext attack (KPA)
  • Plaintext ⊕ Ciphertext = Key
▪ Inverse algorithm
  • Algorithm( Plaintext ) = Ciphertext
  • Inverse_Algorithm( Ciphertext ) = Plaintext

Rolling XOR Algorithm (Challenge #8)
Plaintext:   H  e  l  l  o     W  o  r  l  d  !
             48 65 6c 6c 6f 20 57 6f 72 6c 64 21
Initial key: C5 ^
Each row encodes one more byte; the new ciphertext byte becomes the key for the next byte:
             8d 65 6c 6c 6f 20 57 6f 72 6c 64 21
             8d e8 6c 6c 6f 20 57 6f 72 6c 64 21
             8d e8 84 6c 6f 20 57 6f 72 6c 64 21
             8d e8 84 e8 6f 20 57 6f 72 6c 64 21
             8d e8 84 e8 87 20 57 6f 72 6c 64 21
             8d e8 84 e8 87 a7 57 6f 72 6c 64 21
             8d e8 84 e8 87 a7 f0 6f 72 6c 64 21
             8d e8 84 e8 87 a7 f0 9f 72 6c 64 21
             8d e8 84 e8 87 a7 f0 9f ed 6c 64 21
             8d e8 84 e8 87 a7 f0 9f ed 81 64 21
             8d e8 84 e8 87 a7 f0 9f ed 81 e5 21
             8d e8 84 e8 87 a7 f0 9f ed 81 e5 c4
Ciphertext:  8d e8 84 e8 87 a7 f0 9f ed 81 e5 c4

Rolling XOR Inverse-Algorithm (Challenge #8)
Ciphertext:  8d e8 84 e8 87 a7 f0 9f ed 81 e5 c4
Initial key: C5 ^
Decoding runs from the last byte back to the first, XORing each byte with the ciphertext byte before it:
             8d e8 84 e8 87 a7 f0 9f ed 81 e5 c4
             8d e8 84 e8 87 a7 f0 9f ed 81 e5 21
             8d e8 84 e8 87 a7 f0 9f ed 81 64 21
             8d e8 84 e8 87 a7 f0 9f ed 6c 64 21
             8d e8 84 e8 87 a7 f0 9f 72 6c 64 21
             8d e8 84 e8 87 a7 f0 6f 72 6c 64 21
             8d e8 84 e8 87 a7 57 6f 72 6c 64 21
             8d e8 84 e8 87 20 57 6f 72 6c 64 21
             8d e8 84 e8 6f 20 57 6f 72 6c 64 21
             8d e8 84 6c 6f 20 57 6f 72 6c 64 21
             8d e8 6c 6c 6f 20 57 6f 72 6c 64 21
             8d 65 6c 6c 6f 20 57 6f 72 6c 64 21
             48 65 6c 6c 6f 20 57 6f 72 6c 64 21
Plaintext:   48 65 6c 6c 6f 20 57 6f 72 6c 64 21
             H  e  l  l  o     W  o  r  l  d  !
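Added example, not code from the talk or from Challenge #8: a Python implementation of the rolling XOR shown in the two tables, its inverse algorithm, and the two drawbacks from the XOR Drawbacks slide applied to it. The seed 0xC5 and the "Hello World!" input are the slide's; the observation that the seed only protects the first byte follows directly from the inverse algorithm, since every later plaintext byte is just ciphertext[i] XOR ciphertext[i-1].

```python
SEED = 0xC5  # initial key byte from the Challenge #8 slide


def rolling_xor_encode(plaintext: bytes, seed: int = SEED) -> bytes:
    """ciphertext[i] = plaintext[i] ^ ciphertext[i-1], with the seed standing in for ciphertext[-1]."""
    out = bytearray()
    prev = seed
    for b in plaintext:
        prev = b ^ prev          # the byte just produced is the key for the next one
        out.append(prev)
    return bytes(out)


def rolling_xor_decode(ciphertext: bytes, seed: int = SEED) -> bytes:
    """Inverse algorithm: plaintext[i] = ciphertext[i] ^ ciphertext[i-1]; i == 0 uses the seed."""
    out = bytearray()
    prev = seed
    for c in ciphertext:
        out.append(c ^ prev)
        prev = c                 # note: the *ciphertext* byte, not the recovered plaintext byte
    return bytes(out)


def recover_without_seed(ciphertext: bytes) -> bytes:
    """Everything after byte 0 depends only on adjacent ciphertext bytes: the key protects one byte."""
    return bytes(c ^ p for p, c in zip(ciphertext, ciphertext[1:]))


def brute_force_seed(ciphertext: bytes, known_first_byte: int) -> int:
    """Known-plaintext attack on the 8-bit seed: Plaintext ^ Ciphertext = Key, for the first byte.
    The loop is the general form; with a single byte the answer is just the XOR."""
    for seed in range(256):
        if rolling_xor_decode(ciphertext[:1], seed)[0] == known_first_byte:
            return seed
    raise ValueError("no seed matches")  # unreachable for an 8-bit seed


def encode_trace(plaintext: bytes, seed: int = SEED) -> list:
    """Reproduce the slide's table: one hex row per byte encoded."""
    rows = []
    buf = bytearray(plaintext)
    prev = seed
    for i in range(len(buf)):
        buf[i] ^= prev
        prev = buf[i]
        rows.append(buf.hex(" "))
    return rows


if __name__ == "__main__":
    ct = rolling_xor_encode(b"Hello World!")
    print(ct.hex(" "))                        # 8d e8 84 e8 87 a7 f0 9f ed 81 e5 c4
    print(rolling_xor_decode(ct))             # b'Hello World!'
    print(recover_without_seed(ct))           # b'ello World!' without knowing the seed at all
    print(hex(brute_force_seed(ct, ord("H"))))
```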

RC4
Key-scheduling algorithm (KSA)
for i from 0 to 255
    S[i] := i
endfor
j := 0
for i from 0 to 255
    j := (j + S[i] + key[i mod keylength]) mod 256
    swap values of S[i] and S[j]
endfor

Pseudo-random generation algorithm (PRGA)
i := 0
j := 0
while GeneratingOutput:
    i := (i + 1) mod 256
    j := (j + S[i]) mod 256
    swap values of S[i] and S[j]
    K := S[(S[i] + S[j]) mod 256]
    output K
endwhile

RC4
▪ Telltale RC4 signs:
  • Contains a loop with 0x100 as counter
    ∙ Fills an array with all numbers 0-255
  • Swap bytes in array
  • XORs follow later


Hashing
▪ Hash is a one-way function
  • hash_function( data ) = hash
▪ Takes arbitrary sized input data
▪ Produces a fixed-length string
  • Called the ‘hash’ of the data

Hashing - Recognizing
▪ Typical hash functions
  • MD5
  • SHA1
  • SHA256
  • SHA512
▪ Custom hash function
  • ROR 13
▪ Lots of constants
  • Initialization constants
  • Round constants
▪ SHA1
  • 0xC3D2E1F0
  • 0x67452301
  • 0xEFCDAB89
  • 0x98BADCFE
  • 0x10325476
SHA1 function from MiniDuke

Hashing: How to hide constants
▪ Malware will sometimes hide them
  • Inverse constant (2’s complement)
  • Split constant into two parts, add/subtract to combine prior to use
▪ Challenge #5
  • Modified MD5 using different constants
Standard MD5 constants:
▪ 0xd76aa478
▪ 0xe8c7b756
▪ 0x242070db
▪ 0xc1bdceee
Modified (nibble shifted right):
▪ 0x76aad478
▪ 0x8c7be756
▪ 0x420720db
▪ 0x1bdcceee
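Added example, not from the talk: a small constant identifier that does what the "Recognizing" and "How to hide constants" slides describe by hand. It regenerates the MD5 round constants from their definition (K[i] = floor(|sin(i+1)| * 2^32)), adds the SHA1 initial state, and checks an immediate pulled from a disassembly against that table as-is, as a two's complement, and with the top five nibbles rotated one position (which is the transformation relating the two columns above). Trick names and the split-constant helper are my own; the constant values are the standard ones.

```python
import math

# Reference tables regenerated from the definitions rather than typed in.
MD5_K = [int(abs(math.sin(i + 1)) * (1 << 32)) & 0xFFFFFFFF for i in range(64)]
SHA1_IV = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]  # first four are MD5's IV too

KNOWN = {k: f"MD5 K[{i}]" for i, k in enumerate(MD5_K)}
KNOWN.update({v: (f"MD5/SHA1 IV h{i}" if i < 4 else f"SHA1 IV h{i}") for i, v in enumerate(SHA1_IV)})


def candidates(value: int):
    """Undo each hiding trick from the slide and yield (trick, normalized 32-bit value)."""
    value &= 0xFFFFFFFF
    yield "as-is", value
    yield "two's complement", (-value) & 0xFFFFFFFF
    # Challenge #5 style: top five nibbles rotated by one position, low 12 bits untouched.
    hi, lo = value >> 12, value & 0xFFF
    yield "high nibbles rotated left", ((((hi << 4) | (hi >> 16)) & 0xFFFFF) << 12) | lo
    yield "high nibbles rotated right", ((((hi >> 4) | (hi << 16)) & 0xFFFFF) << 12) | lo


def identify(value: int):
    """Return (constant name, trick that hid it), or None when nothing in the table matches."""
    for trick, v in candidates(value):
        if v in KNOWN:
            return KNOWN[v], trick
    return None


def identify_split(part_a: int, part_b: int):
    """Constant stored as two immediates that the code adds or subtracts right before use."""
    for op in ("add", "sub"):
        combined = (part_a + part_b if op == "add" else part_a - part_b) & 0xFFFFFFFF
        hit = identify(combined)
        if hit:
            return hit[0], f"{op} then {hit[1]}"
    return None


def scan_constants(values) -> dict:
    """Run every immediate collected from a function through identify()."""
    return {v: identify(v) for v in values}


if __name__ == "__main__":
    # Constructed list of immediates: the four modified values from the slide plus noise.
    for v, hit in scan_constants([0x76AAD478, 0x8C7BE756, 0x420720DB, 0x1BDCCEEE, 0x12345678]).items():
        print(f"0x{v:08x}: {hit}")
    print(identify_split(0x40000000, 0x27452301))
```

A hit on any of the first few K[] values or on the IV words is enough to call the routine MD5 or SHA1; once the table is known, the disassembly can be diffed against a reference implementation instead of reversed from scratch.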

Hashing - ROR13

unsigned int __stdcall hash(char* string)
{
    __asm {
        mov esi, string;    // esi -> input string
        xor edi, edi;       // edi = running hash, starts at 0
        xor eax, eax;       // clear eax so 'add edi, eax' only adds the byte in al
        cld;
    next:
        lodsb;              // al = *esi++
        test al, al;
        jz done;            // stop at the NUL terminator (it is not hashed)
        ror edi, 0xd;       // rotate hash right by 13 (0xd == 13)
        add edi, eax;       // add the character value
        jmp next;
    done:
        mov eax, edi;       // return the hash in eax
    };
}

Hashing - Other uses?
▪ Represent string as 32-bit integer
▪ Dynamically resolve imports
▪ Parse a loaded DLL’s export table
  • DLL name hash
  • Import name hash
▪ Verify key/passwords
  • Hash user’s input and compare to stored hash
▪ Challenge #7 needed brute-forcing triple SHA1 hashes
  • SHA1( SHA1( SHA1( data ) ) )
▪ Narrow keyspace
  • 6 characters in length
  • Possible values:
    ∙ abcdefghijklmnopqrstuvwxyz@-._1234

Hashing - Other uses?
▪ Check your own code for modification
  • Software breakpoints (0xCC)
▪ Anti-Analysis
  • PowerDuke checks its filename length to known hash lengths
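Added example covering the ROR13 slide and the "Other uses" slides (not code from the talk): a Python port of the inline-asm hash above, the analyst-side use of it (precompute hashes for the export names of a DLL and map hash constants found in a sample back to API names, the approach the FireEye precalculated-string-hashes post in the links describes), and the Challenge #7 shape of hash verification, triple SHA1 over the slide's 34-character keyspace. The export names and the brute-force target are constructed; the real challenge's six-character space is about 887 million candidates, so the stand-alone run only exhausts a two-character one.

```python
import hashlib
import itertools
import string


def ror32(value: int, count: int) -> int:
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: bytes) -> int:
    """Port of the slide's loop: for each non-NUL byte, h = ror(h, 13) + byte (32-bit wraparound)."""
    h = 0
    for b in name:
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


# Constructed export-name list; in practice this is read from a DLL's export table.
SAMPLE_EXPORTS = [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"WSAStartup", b"send", b"recv"]


def build_hash_table(names) -> dict:
    """hash -> name, precomputed once per DLL so lookups in the sample are a dictionary hit."""
    return {ror13_hash(n): n for n in names}


def resolve_hashes(hashes, table: dict) -> list:
    """Map hash immediates pulled from a sample back to API names; unknown values stay as hex."""
    return [table.get(h, f"unknown:0x{h:08x}") for h in hashes]


def triple_sha1(data: bytes) -> bytes:
    """SHA1( SHA1( SHA1( data ) ) ) over raw digests, as on the Challenge #7 slide."""
    d = data
    for _ in range(3):
        d = hashlib.sha1(d).digest()
    return d


KEYSPACE = string.ascii_lowercase + "@-._1234"   # the slide's 34 possible characters


def brute_force_triple_sha1(target: bytes, length: int, alphabet: str = KEYSPACE):
    """Exhaust alphabet^length candidates and return the one whose triple SHA1 matches, else None."""
    for cand in itertools.product(alphabet.encode(), repeat=length):
        cand = bytes(cand)
        if triple_sha1(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    print(f"0x{ror13_hash(b'LoadLibraryA'):08x}")
    print(resolve_hashes([ror13_hash(b"send"), ror13_hash(b"recv"), 0xDEADBEEF], table))
    print(brute_force_triple_sha1(triple_sha1(b"a_"), 2))   # b'a_'
```

Hash-based import resolution hides the API names from a plain strings pass, which is why "lack of imports" plus a ROR/ADD loop over export names is itself a detection hint; the precomputed table turns the hashes back into the import list the PE header would otherwise have shown.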


Anti-Analysis Techniques
▪ Malware authors employ techniques to thwart analysts
  • Anti-disassembly
  • Anti-debugging checks
  • Anti-VM checks
  • Obfuscation
▪ Analysts use own methods to bypass these anti-analysis techniques

Javascript Obfuscation
Challenge #10
Manual decoding

Packers
▪ Program that compresses original binary, making the original code unreadable
▪ Common examples
  • UPX
  • ASPack
  • tElock
▪ Identify use of packer
  • PEiD
  • strings
  • Lack of imports
  • Entropy
  • Executing code in a new memory segment
▪ How to deal with them
  • Use an unpacking tool
  • Manually unpack
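Two of the packer indicators above, entropy and strings, are also the first two items on the light static analysis slide, so here is one added example (not code from the talk) that implements both as a section triage pass: Shannon entropy in bits per byte, a printable-ASCII strings extractor equivalent to the strings tool, and a per-section verdict. The 7.0 threshold is a common rule of thumb, not a value from the slides, and the two section bodies are constructed (one code-like with a stock DOS message, one filled from a deterministic generator to stand in for compressed data).

```python
import math
import re


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one. Packed or encrypted
    sections sit near the top; code and plain data usually stay well below 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, like the strings tool."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage_section(name: str, data: bytes, threshold: float = 7.0) -> dict:
    ent = shannon_entropy(data)
    return {"name": name, "size": len(data), "entropy": round(ent, 2),
            "likely_packed": ent >= threshold, "strings": ascii_strings(data)}


def pseudo_random(n: int, seed: int = 1) -> bytes:
    """Deterministic stand-in for compressed/encrypted content (constructed, a plain LCG)."""
    out = bytearray()
    x = seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


# Constructed section contents, not taken from any real sample.
SAMPLE_SECTIONS = {
    ".text": b"\x55\x8b\xec" * 40 + b"This program cannot be run in DOS mode." + b"\x00" * 64,
    "UPX1": pseudo_random(4096),
}


def triage_all(sections: dict = SAMPLE_SECTIONS) -> list:
    return [triage_section(name, data) for name, data in sections.items()]


if __name__ == "__main__":
    for result in triage_all():
        print(result["name"], result["entropy"], "packed?" if result["likely_packed"] else "", result["strings"])
```

A UPX-style layout (an almost empty, high-entropy section plus a tiny stub section with few imports and few strings) is exactly the pattern this pass surfaces; the same numbers also flag an encrypted .rsrc payload.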

Unpacking a UPX packed executable

Packer Stub: Challenge #8
Unpacking or decoding stub
Decodes to...
[Figure: encoded stub bytes alongside their decoded form]

Anti-Disassembly
▪ Technique that takes advantage of the assumptions made by disassemblers so that they cannot properly decode instructions
▪ How to:
  • Add extra/junk bytes to trick the disassembler into disassembling at the wrong offset
  • Add data directly in .code/.text section
  • Jump into the middle of another instruction

Anti-Disassembly: Challenge #8
Fake call to throw off disassembler
Incorrect disassembly!

Anti-Disassembly: Challenge #8
+1 gives it away

Tricking Flow-Oriented Disassemblers
▪ Flow oriented disassembly algorithm
  • Follows jumps and branches to continue disassembling
  • Has to make assumptions and choices
  • Calls
    ∙ Most will process bytes immediately after call first
  • Conditional branches
    ∙ Most will process the false branch first
From Practical Malware Analysis by Michael Sikorski and Andrew Honig

Tricking Flow-Oriented Disassemblers
From Practical Malware Analysis by Michael Sikorski and Andrew Honig
Data interpreted as instructions!

MiniDuke (APT29)
▪ Early samples embed strings directly in code section
▪ Later samples XOR-encrypted strings to make it less obvious

Anti-Debugging & Anti-VM Checks
▪ Checks to determine whether the binary is being run in a VM or not
▪ Malware will often hide functionality if it detects it is being run in a VM
▪ Common winapi debugger checking functions
  • IsDebuggerPresent
  • NtQueryInformationProcess
▪ Common structures checked
  • ProcessHeap flag
  • NTGlobalFlag


Conclusion
▪ Basic concepts still apply when reversing more complex targets
  • From low-level malware all the way to APTs
▪ Many more RE tips and tricks exist
  • Defining structs
  • Writing IDAPython scripts
  • Using symbolic execution to maximize code coverage and solve constraints
  • etc...
▪ Do CTFs/challenges!
  • Better to learn by doing, than to just read theory
  • CTFs allow you to immerse yourself in RE concepts very quickly

[Figure: recap of the challenge grid mapping challenges 1-10 to the concepts covered: B64, XOR, RC4, Hash, Anti-*, Obfuscation, .Net, JS, Exports/Imports, Memory Carving, Go, Flash, Python Exe, 16-bit]

Links
● https://en.wikipedia.org/wiki/Portable_Executable
● http://algo-visualizer.jasonpark.me/
● https://pbs.twimg.com/profile_images/1109177749/Icon_1_400x400.png
● http://cdn.pcwallart.com/images/tip-of-the-iceberg-titanic-wallpaper-2.jpg
● https://ih0.redbubble.net/image.174516575.5882/flat,800x800,075,f.jpg
● https://labs.bitdefender.com/wp-content/uploads/downloads/2013/04/MiniDuke_Paper_Final.pdf
● https://img.washingtonpost.com/rf/image_480w/2010-2019/WashingtonPost/2017/02/17/Style/Images/Trump_31494.jpg-90377-3723.jpg?uuid=4Rkv_PVfEeapsOzufOR1_A
● http://reactiongifs.me/wp-content/uploads/2014/06/reading-ikea-intructions-big-lebowski-confused.gif
● http://dbclipart.com/check-mark-clip-art-image-18631/
● https://www.fireeye.com/blog/threat-research/2012/11/precalculated-string-hashes-reverse-engineering-shellcode.html

Extra

MiniDuke (APT29)
▪ C2 callout data is already encrypted using CRC32 checksum of code
  • Makes sure no software breakpoints are set (0xCC)
▪ Use computer specific details to XOR encrypt the C2 callout data on startup
  • Makes it forensically difficult to retrieve C2 callout data if attempting to run sample on a different machine
▪ Subject to known plaintext attack!

Simplified Example
▪ Encoded C2 data:
00000000  0c 11 15 14 58 4a 4a 11 13 12 4f 10 15 0c 11 12  |....XJJ...O.....|
00000010  01 17 4f 07 0d 08 4a                             |..O...J|
▪ C2 data usually have a callout URL
  • http://
  • https://
  • www.
  • .com
  • ?=

Simplified Example
▪ XOR encoded data with ‘http’
00000000  64 65 61 64 30 3e 3e 61 7b 66 3b 60 7d 78 65 62  |dead0>>a{f;`}xeb|
00000010  69 63 3b 77 65 7c 3e                             |ic;we|>|
▪ ‘dead’ is potential key, XOR with encoded data
00000000  68 74 74 70 3c 2f 2b 75 77 77 2e 74 71 69 70 76  |http</+uww.tqipv|
00000010  65 72 2e 63 69 6d 2b                             |er.cim+|
▪ ‘://w’ is next known plaintext

Simplified Example
▪ XOR encoded data with ‘://w’
00000000  36 3e 3a 63 62 65 65 66 29 3d 60 67 2f 23 3e 65  |6>:cbeef)=`g/#>e|
00000010  3b 38 60 70 37 27 65                             |;8`p7'e|
▪ ‘beef’ is potential key, XOR with encoded data
00000000  6e 74 70 72 3a 2f 2f 77 71 77 2a 76 77 69 74 74  |ntpr://wqw*vwitt|
00000010  63 72 2a 61 6f 6d 2f                             |cr*aom/|
▪ Key is ‘deadbeef’, XOR with encoded data
00000000  68 74 74 70 3a 2f 2f 77 77 77 2e 74 77 69 74 74  |http://www.twitt|
00000010  65 72 2e 63 6f 6d 2f                             |er.com/|
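Added example, not code from the talk: the known-plaintext recovery walked through on the three Simplified Example slides, written as reusable Python. The encoded buffer is the slide's first hex dump; the cribs ("http" at offset 0, "://w" at offset 4) are the slide's guesses, and the helpers generalise them: XOR of crib and ciphertext gives the key bytes in effect at that offset, fragments from several cribs are merged (conflicts mean a wrong guess), and a crib-drag pass lists every offset where a crib yields a printable key fragment.

```python
from itertools import cycle

# Constructed from the slide's first hex dump: XOR-encoded callout, key unknown to the analyst.
ENCODED = bytes.fromhex("0c 11 15 14 58 4a 4a 11 13 12 4f 10 15 0c 11 12 01 17 4f 07 0d 08 4a")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def key_fragment(encoded: bytes, crib: bytes, offset: int) -> bytes:
    """Plaintext XOR Ciphertext = Key, restricted to the bytes the crib covers."""
    return xor_bytes(encoded[offset:offset + len(crib)], crib)


def crib_drag(encoded: bytes, crib: bytes) -> list:
    """Try the crib at every offset; keep the offsets whose key fragment is printable ASCII,
    since keys typed by a human (like 'deadbeef') usually are."""
    hits = []
    for off in range(len(encoded) - len(crib) + 1):
        frag = key_fragment(encoded, crib, off)
        if all(0x20 <= b < 0x7F for b in frag):
            hits.append((off, frag))
    return hits


def assemble_key(encoded: bytes, cribs: list) -> bytes:
    """Merge key bytes learned from several (crib, offset) pairs into one contiguous key.
    A byte learned twice with different values means one of the cribs is wrong."""
    learned = {}
    for crib, off in cribs:
        for i, k in enumerate(key_fragment(encoded, crib, off)):
            if learned.setdefault(off + i, k) != k:
                raise ValueError(f"crib {crib!r} conflicts at key byte {off + i}")
    if sorted(learned) != list(range(len(learned))):
        raise ValueError("key has gaps; add a crib covering the missing positions")
    return bytes(learned[i] for i in range(len(learned)))


def recover(encoded: bytes = ENCODED):
    """Replay the slides: 'http' at offset 0 yields 'dead', '://w' at offset 4 yields 'beef'."""
    key = assemble_key(encoded, [(b"http", 0), (b"://w", 4)])
    return key, xor_bytes(encoded, key)


if __name__ == "__main__":
    print(key_fragment(ENCODED, b"http", 0))      # b'dead'
    print(key_fragment(ENCODED, b"://w", 4))      # b'beef'
    print(crib_drag(ENCODED, b"http"))
    key, plaintext = recover()
    print(key, plaintext)                         # b'deadbeef' b'http://www.twitter.com/'
```

The same reasoning is what makes the per-machine XOR layer on the previous slide weak: the callout still starts with a URL scheme, so the first key bytes fall out immediately, and a crib of ".com" or "www." dragged across the buffer pins down the rest.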