Write-up for Chal6 of Flareon4. This may not be the best solution, but it is the method I used to find the final flag.

1. Collect information

  • Target is a dll file: payload.dll

  • Check the basic information:
    • File format: PE+(64)
    • Resource section of the file doesn’t contain any special information.
    • API functions are imported primarily from kernel32.dll and user32.dll.
    • Information related to Export function:

  • Among the strings, the following are notable:

2. Try to run payload.dll

Try running payload.dll with the above suggestion:

I received the message: “Missing entry: Entrypoint”. So I think the exported EntryPoint function is renamed when payload.dll runs.

To check whether the exported function is changed, use x64dbg to debug:

  • Load C:\Windows\System32\rundll32.exe into x64dbg.
  • Modify the input parameters at Debug > Change Command Line. Edit them similarly to the following: "C:\Windows\System32\rundll32.exe" C:\Users\manowar\Desktop\FlareOn4\Chal6\payload.dll, EntryPoint EntryPoint
  • Reconfigure Options > Preferences, Settings > Events, and select DLL Load & DLL Entry

Then press F9 to run, watch carefully for payload.dll being loaded, stop at DllMain and let it execute completely:

Don’t close the message box above. Use the OllyDumpEx plugin to dump the entire payload.dll and save it under the new name payload_dump_64.dll. Checking the dumped file with CFF Explorer, the export function information has changed as follows:

Note: the ordinal is still 1, so I conclude that the EntryPoint function has been renamed to basophileslapsscrapping.

Based on the above information, try executing again with the following command: rundll32.exe payload.dll, basophileslapsscrapping basophileslapsscrapping. As a result, I received a message box about the 24th character of the flag (0x6f -> ASCII: o):

In addition, during testing I tried running payload.dll by ordinal: rundll32.exe payload.dll, #1. This gives the following error message box:

3. Analyze and debug payload.dll

Load payload.dll into IDA and first go to the exported EntryPoint function at 0x0000000180005C00. Here I see code that only shows the usage instructions:

Next, following the “Insert clever error message here!” string, go to the listing at sub_180005A50. Alongside analyzing the code in IDA, I also use x64dbg to load payload.dll with the parameters ( "C:\Windows\System32\rundll32.exe" C:\Users\manowar\Desktop\FlareOn4\Chal6\payload.dll, basophileslapsscrapping basophileslapsscrapping ) and set a breakpoint at the instruction:

After analyzing and debugging the code in depth, I get the following information:

In summary, sub_180005A50 does the following tasks:

  • B1: Get the name of the function exported by payload.dll.
  • B2: Calculate an index value from the TimeDateStamp (this TimeDateStamp value varies for each exported function name): Index = TimeDateStamp & 0xFF
  • B3: Calculate a size value; this is used as the size of the data to be decoded by the RC4 algorithm.
  • B4: Perform a loop to verify that the name of the exported function matches the key passed in. According to the original instructions, the dll must be run with the syntax ( rundll32 payload.dll, EntryPoint EntryPoint ), so if they differ it shows the error message: “Insert clever error message here!”
  • B5: The index value obtained in B2 is added to off_1800198E0 to retrieve an address in the .text section, which is the location of the data to decrypt. Through the VirtualProtect API, the access protection of this memory area is changed to PAGE_EXECUTE_READWRITE with a size of 0x1000.
  • B6: An RC4 context is initialized using the key provided (the key coincides with the name of the exported function).
  • B7: The initialized context is used to decode the data region obtained in B5 with the size calculated in B3.
  • B8: Finally, jump to the decrypted code and execute the payload, which displays the message with the flag character in hexadecimal.

However, I realized that sub_180005A50 analyzed above is the handler that runs after the original EntryPoint function has been replaced by another function name. Thus the code that performs the replacement with a new function name has already run before it. How to find this listing?

Digging into the code, since it involves obtaining information about the export function, sub_180005A50 analyzed earlier calls another function, sub_180004760 (which I have renamed to Get_ExportDirectory):

Putting yourself in the position of the coder, they will often write a generic function to perform a certain task. Therefore, the Get_ExportDirectory() function is likely called somewhere earlier. Using IDA’s xrefs feature, I found a call to this function at sub_180005D30.

Set a breakpoint at:

After analyzing and debugging the code at sub_180005D30 in depth, I get the following information:

In summary, sub_180005D30 does the following tasks:

  • B1: Perform a loop to obtain the ImageBase and PE header of payload.dll as mapped into memory.
  • B2: Call VirtualProtectEx to change the access protection of the memory area at the ImageBase to PAGE_EXECUTE_READWRITE.
  • B3: Call Get_ExportDirectory() to get the Export Directory information.
  • B4: Calculate an index value from the SystemTime: index = (SystemTime.wYear + SystemTime.wMonth) % 26. From this I can conclude that the index value will be in the range 0 -> 25.
  • B5: Based on the index calculated earlier, call the DecryptExportFunction(index) function to decode data, and then set the new TimeDateStamp value and the new name of the export function.
  • B6: Finally, adjust the RVA value and the new size of the IMAGE_EXPORT_DIRECTORY.
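To check the two pieces of logic described above offline (the RC4 decode keyed with the export name in sub_180005A50, and the index derivations from TimeDateStamp and SystemTime in sub_180005A50 / sub_180005D30), here is an added Python re-implementation; it is not code from the challenge or from the original write-up. The real .text region, its size and the export-name table are not reproduced here, so the stage ciphertext is constructed by encrypting a stand-in plaintext with the recovered export name.

```python
# Added example, not the challenge's own code: re-implements the logic the
# write-up describes so it can be verified offline. The ciphertext below is
# CONSTRUCTED; the real encrypted stage and its size are not on the page.

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key-scheduling keyed with the export name, then the
    keystream is XORed over data. Encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def index_from_time(year: int, month: int) -> int:
    """sub_180005D30, B4: index = (SystemTime.wYear + SystemTime.wMonth) % 26."""
    return (year + month) % 26

def region_index(timedatestamp: int) -> int:
    """sub_180005A50, B2: the low byte of the export TimeDateStamp."""
    return timedatestamp & 0xFF

def decrypt_stage(export_name: str, key_arg: str, blob: bytes) -> bytes:
    """sub_180005A50, B4/B6/B7: the argument must equal the current export
    name ('Insert clever error message here!' otherwise); then the blob is
    RC4-decoded with that name as the key."""
    if key_arg != export_name:
        raise ValueError("Insert clever error message here!")
    return rc4_crypt(export_name.encode(), blob)

# Constructed demonstration data using the export name recovered in the dump.
EXPORT_NAME = "basophileslapsscrapping"
STAGE_PLAINTEXT = b"flag char 24 = 0x6f"  # constructed stand-in, not the real stage
STAGE_CIPHERTEXT = rc4_crypt(EXPORT_NAME.encode(), STAGE_PLAINTEXT)

if __name__ == "__main__":
    print(index_from_time(2017, 10))  # constructed sample date
    print(decrypt_stage(EXPORT_NAME, EXPORT_NAME, STAGE_CIPHERTEXT))
```

Swapping `STAGE_CIPHERTEXT` for bytes read from the dumped DLL at the address selected by `region_index()` gives the same decode the DLL performs, provided the size from B3 is used.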

After the new TimeDateStamp and the new export function name are obtained, they are used at sub_180005D30 to decode the data corresponding to the index position in the flag.

So, if I manually change each index value returned by the GetIndexFromTime() function, in the range 0 to 25, I finally get the following export functions:

According to FLARE-ON’s flag structure, the final flag has the format [chars]@flare-on.com. Based on the above index information, I conclude that the flag has 26 characters (the 24th character is known to be ‘o’). So I try each export function until I get the message that the character corresponding to index = 13 has the hex code 0x40 (ASCII ‘@’).

Finally got the flag to submit is: wuuut-exp0rts@flare-on.com

End!
