Saturday, 29 December 2018

Corebot writeup - 35C3 CTF

The binary given in this challenge is a 32-bit Windows Binary.

The main subroutine of the binary is shown below:

The encrypted flag is stored in the resource section, in a resource called "65".

Main functions performed by the binary are:

1. It retrieves the VolumeID with the GetVolumeInformationA() API.
2. This VolumeID is used to calculate a key of length 0x20 bytes.
3. The key is imported using CryptImportKey(); the full key blob, including the public key structure header, is shown below:

The public key structure (PUBLICKEYSTRUC, also known as BLOBHEADER) is defined in wincrypt.h as:

typedef struct _PUBLICKEYSTRUC {
  BYTE   bType;
  BYTE   bVersion;
  WORD   reserved;
  ALG_ID aiKeyAlg;
} BLOBHEADER, PUBLICKEYSTRUC;

Based on this, we can see:

bVersion = 0x02
aiKeyAlg = 0x6610 (AES)
length of the key = 0x20 bytes.

The actual 32 byte key is stored after this.

Decryption of the Flag:

1. Encrypted flag is loaded from the resource called "65".
2. The key imported above with CryptImportKey() is used to decrypt the flag with CryptDecrypt(). The decrypted buffer is then checked:

013C1210  |. 813F 33354333  CMP DWORD PTR DS:[EDI],33433533
013C1216  |. 74 0B          JE SHORT corebot.013C1223

If the first DWORD of the decrypted flag is 0x33433533 (the little-endian encoding of the ASCII prefix "35C3"), then we have found the correct flag.
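As an added example (not the author's code and not from the challenge binary), the following Python script models the two structures discussed above: the key blob handed to CryptImportKey(), and the success check on the decrypted buffer. The blob layout used here is the standard PLAINTEXTKEYBLOB (bType 0x08): BLOBHEADER, then a DWORD key length, then the raw key bytes, which matches the "length of the key = 0x20, then the 32-byte key" layout described in the writeup; that this is the blob type the binary uses is an assumption. The constants come from wincrypt.h (0x6610 is CALG_AES_256). The 32-byte key in the sample is a constructed placeholder, not the real challenge key.

```python
import struct

# CryptoAPI constants from wincrypt.h
PLAINTEXTKEYBLOB = 0x08        # bType for a raw symmetric key blob (assumed for this binary)
CUR_BLOB_VERSION = 0x02        # bVersion, matches the 0x02 seen in the dump
CALG_AES_256     = 0x6610      # aiKeyAlg seen in the dump; implies a 32-byte key
FLAG_MAGIC       = 0x33433533  # from "CMP DWORD PTR DS:[EDI],33433533" in the binary

# BLOBHEADER: BYTE bType, BYTE bVersion, WORD reserved, ALG_ID (DWORD) aiKeyAlg
BLOBHEADER = struct.Struct("<BBHI")


def build_plaintext_key_blob(key: bytes, alg_id: int = CALG_AES_256) -> bytes:
    """Serialise a key the way CryptImportKey expects a PLAINTEXTKEYBLOB:
    header, DWORD key length, then the raw key bytes."""
    return (BLOBHEADER.pack(PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id)
            + struct.pack("<I", len(key))
            + key)


def parse_key_blob(blob: bytes) -> dict:
    """Parse a key blob dumped from memory and return its header fields and key.
    Raises ValueError if the blob is truncated or is not a plaintext key blob."""
    if len(blob) < BLOBHEADER.size + 4:
        raise ValueError("blob too short for BLOBHEADER + key length")
    b_type, b_version, reserved, alg = BLOBHEADER.unpack_from(blob, 0)
    if b_type != PLAINTEXTKEYBLOB:
        raise ValueError(f"unexpected bType 0x{b_type:02x}")
    (key_len,) = struct.unpack_from("<I", blob, BLOBHEADER.size)
    start = BLOBHEADER.size + 4
    key = blob[start:start + key_len]
    if len(key) != key_len:
        raise ValueError("truncated key data")
    return {"bType": b_type, "bVersion": b_version, "reserved": reserved,
            "aiKeyAlg": alg, "key_len": key_len, "key": key}


def magic_as_ascii(magic: int) -> bytes:
    """Show what a little-endian DWORD compare is really matching as text."""
    return struct.pack("<I", magic)


def looks_like_flag(plaintext: bytes) -> bool:
    """The binary's success test: first DWORD of the decrypted buffer == FLAG_MAGIC."""
    if len(plaintext) < 4:
        return False
    return struct.unpack_from("<I", plaintext, 0)[0] == FLAG_MAGIC


if __name__ == "__main__":
    # Constructed sample: a placeholder key, NOT the challenge's real key
    sample_key = bytes(range(0x20))
    blob = build_plaintext_key_blob(sample_key)
    info = parse_key_blob(blob)
    print(f"bVersion=0x{info['bVersion']:02x} aiKeyAlg=0x{info['aiKeyAlg']:x} "
          f"key_len=0x{info['key_len']:x}")       # bVersion=0x02 aiKeyAlg=0x6610 key_len=0x20
    print(magic_as_ascii(FLAG_MAGIC))              # b'35C3'
    print(looks_like_flag(b"35C3_MalwareAuthorKryptoChef"))  # True
```

When dumping the blob from the debugger, the 8-byte header plus the 4-byte length means the key material starts at offset 12; parse_key_blob() checks that offset arithmetic so a truncated dump is reported rather than silently yielding a short key.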

To solve this challenge, we need to brute-force the VolumeID. I wrote a few lines of assembly code to brute-force the VolumeID from 0x0 to 0xffffffff, as shown below:

xor eax, eax        ; candidate VolumeID counter, initialised to 0
next:
inc eax             ; next candidate
push eax            ; pass the candidate to the patched main subroutine
call main           ; main returns with eax restored, so the counter survives
jmp next            ; loop until the CMP DWORD PTR [EDI],33433533 check inside main succeeds

Inside the main() subroutine, we have to NOP out the call to GetVolumeInformationA() (so the candidate value in eax is used in its place) and ensure that eax is restored before returning to the code above, so the loop can continue brute-forcing.

Using this method, we can find the flag as shown below:

Correct value of Volume ID is: 0x25C3
Flag is: 35C3_MalwareAuthorKryptoChef
