FireEye FLARE CTF 2017 : PEWPEWBOAT Challenge 5

The challenge is about selecting correct coordinates on to the map and advancing to the next stage to get flag.


As we advance to next stage, the game print some metadata.

After debugging the binary, the logic to calculate co-ordinate can be rewritten. Below is the python implementation of calculating co-ordinate and decrypting metadata for each stage.

import binascii

 key = 0x3B1EE5F6B3D99FF7                #initial key to decrypt metadata.
offset = 0x50E0                         #offset of metadata in binary
f = open('pewpewboat.exe','rb')
for i in range(0,11):
    stage = i
    v = ((i << 3) + i) << 6
    f.seek(offset + v)
    mask = '0x'
    temp = '0x'
    res = []
    metadata = []
    for i in range(0,0x240):
        key = ((key * 0x41c64e6d) + 0x3039) & 0xFFFFFFFFFFFFFFFF
        c = binascii.hexlify(f.read(1))
        c = int(c,16)
        c = c ^ (key & 0xFF)
        metadata.append(chr(c))
        c = "0x%02X" % c
        res.append(c[2::])
    #print("".join(metadata))
    for i in range(7,-1,-1):
        mask = mask + res[i]
    for i in range(len(res)-1,15,-1):
        temp = temp + res[i]                
    #print("mask",mask)                      #used in key calculation for next round metadata
    mask =  int(mask,16)
    key = int(temp,16)
    count = 0
    cord = []
    for i in range(0x41,0x49):
        for j in range(0x31,0x39):
            prevcount = count
            row = i - 0x41
            col = j - 0x31
            var38 = 1 << (((row*8) + col) & 0xFF)
            count = (count | var38)
            var48 = count
            var4C = 0
            prevvar4C = 0
            while True:
                temp = var48 & 1
                if temp != 0:
                    var4C = var4C + 1
                var48 = (var48 >> 1) & 0xFFFFFFFF
                if var48 == 0:
                    break
            if (count & mask) > prevcount: #remove later
                v1 = (j * 0x593) & 0xFFFFFFFF
                v2 = (i * 0x1E01) & 0xFFFFFFFF
                res_add = v1 + v2
                v3 = ((j * i) + res_add + 0x14A1)
                key = key + v3
                cord.append(chr(i)+chr(j))
    print("========= Stage " + str(stage) + " Cordinates =========")
    print("Cordinates : " + str(cord))
    if stage == 10:
        print("Metadata: " + "".join(metadata))
    print("===================================================")
    print('')
f.close()

 Below are the coordinates produced by above script.For clarity i have printed metadata of last stage.

Coordinates provided at each stage on the map forms a character.

0 cord - B4 B5 B6 B7 C4 D4 E4 E5 E6 E7 F4 G4 - O
1 cord - B4 B8 C4 C8 D4 D8 E4 E5 E6 E7 E8 F4 F8 G4 G8 - H
2 cord - A2 A3 A4 A5 A6 A7 B1 B8 C1 D1 E1 E5 E6 E7 E8 F1 F8 G1 G8 H2 H3 H4 H5 H6 H7 - G
3 cord - D5 D8 E5 E8 F5 F8 G5 G8 H5 H6 H7 H8 - U
4 cord - B4 B5 B6 B7 B8 C7 D6 E5 F4 F5 F6 F7 F8 - Z
5 cord - A1 A2 A3 B1 B4 C1 C2 C3 D1 D3 E1 E4 - R
6 cord - D5 D6 D7 E5 F5 F6 F7 G5 H5 H6 H7 - E
7 cord - B2 B3 B4 B5 B6 C4 D4 E4 F1 F4 G2 G3 - J
8 cord - D3 D7 E3 E7 F3 F7 G4 G6 H5 - V
9 cord - D3 D4 E2 E5 F2 F5 G2 G5 H3 H4 - O

 Below is the instruction provided in stage 10 metadata to get the flag.

"Aye! You found some letters did ya? To find what you're looking for, you'll want to re-order them: 9, 1, 2, 7, 3, 5, 6, 5, 8, 0, 2, 3, 5, 6, 1, 4. Next you let 13 ROT in the sea! THE FINAL SECRET CAN BE FOUND WITH ONLY THE UPPER CASE"

Applying operation to letters from each stage "OHGJURERVFGUREHZ" we get below key word.

 Key word : BUTWHEREISTHERUM

 Providing the keyword when game starts gives the flag.

Comments

  1. Shron Prysock7 May 2020 at 15:26


    BEST WAY TO HAVE GOOD AMOUNT TO START A GOOD BUSINESS or TO START LIVING A GOOD LIFE….. Hack and take money directly from any ATM Machine Vault with the use of ATM Programmed Card which runs in automatic mode. email (williamshackers@hotmail.com) for how to get it and its cost . ………. EXPLANATION OF HOW THESE CARD WORKS………. You just slot in these card into any ATM Machine and it will automatically bring up a MENU of 1st VAULT $1,000, 2nd VAULT $2,000, RE-PROGRAMMED, EXIT, CANCEL. Just click on either of the VAULTS, and it will take you to another SUB-MENU of ALL, OTHERS, EXIT, CANCEL. Just click on others and type in the amount you wish to withdraw from the ATM and you have it cashed instantly… Done. ***NOTE: DON’T EVER MAKE THE MISTAKE OF CLICKING THE “ALL” OPTION. BECAUSE IT WILL TAKE OUT ALL THE AMOUNT OF THE SELECTED VAULT. email (williamshackers@hotmail.com) We are located in USA.

    ReplyDelete
    Replies
    1. Peeter 25 February 2022 at 09:02

      **Contact 24/7**
      Telegram > @killhacks
      ICQ > 752822040
      Skype > Peeterhacks
      Wicker me > peeterhacks

      **HIGH CREDIT SCORES SSN FULLZ AVAILABLE**

      >For tax filling/return
      >SSN DOB DL all info included
      >For SBA & PUA
      >Fresh spammed & Fresh database

      **TOOLS & TUTORIALS AVAILABLE FOR HACKING SPAMMING
      CARDING CASHOUT CLONING SCRIPTING**

      Fullz info included
      NAME+SSN+DOB+DL+DL-STATE+ADDRESS
      Employee & Bank details included
      High credit fullz with DL 700+
      (bulk order preferable)
      **Payment in all crypto currencies will be accepted**

      ->You can buy few for testing
      ->Invalid or wrong info will be replaced
      ->Serious buyers contact me for long term business & excellent profit
      ->Genuine & Verified stuff

      TOOLS & TUTORIALS AVAILABLE:

      "SPAMMING" "HACKING" "CARDING" "CASH OUT"
      "KALI LINUX" "BLOCKCHAIN BLUE PRINTS" "SCRIPTING"

      **TOOLS & TUTORIALS LIST**

      =>US CC Fullz
      =>Ethical Hacking Tools & Tutorials
      =>Bitcoin Hacking
      =>Kali Linux
      =>Keylogger & Keystroke Logger
      =>Bulk SMS Sender
      =>Facebook & Google Hacking
      =>Bitcoin Flasher
      =>SQL Injector
      =>Logins Premium (PayPal/Amazon/Coinbase/Netflix/FedEx/Banks)
      =>Bitcoin Cracker
      =>SMTP Linux Root
      =>Shell Scripting
      =>DUMPS with pins track 1 and 2 with & without pin
      =>SMTP's, Safe Socks, Rdp's brute
      =>PHP mailer
      =>SMS Sender & Email Blaster
      =>Cpanel
      =>Server I.P's & Proxies
      =>Viruses & VPN's
      =>HQ Email Combo (Gmail, Yahoo, Hotmail, MSN, AOL, etc)

      ==>Contact 24/7<==
      Telegram> @killhacks
      ICQ> 752822040
      Skype> Peeterhacks
      Wicker me > peeterhacks

      *Serious buyers are always welcome
      *Big Discount in bulk order
      *Offer gives monthly, quarterly, half yearly & yearly
      *Hope we do a great business together

      **You should try at least once**

      Delete
    2. Anonymous7 April 2022 at 18:05

      Fireeye Flare Ctf 2017 : Pewpewboat Challenge 5 >>>>> Download Now

      >>>>> Download Full

      Fireeye Flare Ctf 2017 : Pewpewboat Challenge 5 >>>>> Download LINK

      >>>>> Download Now

      Fireeye Flare Ctf 2017 : Pewpewboat Challenge 5 >>>>> Download Full

      >>>>> Download LINK Fn

      Delete
  2. doron22 April 2021 at 04:53

    i was lost with no hope for my wife was cheating and had always got away with it because i did not know how or

    always too scared to pin anything on her. with the help a friend who recommended me to who help hack her phone,

    email, chat, sms and expose her for a cheater she is. I just want to say a big thank you to

    SUPERIOR.HACK@GMAIL.COM . am sure someone out there is looking for how to solve his relationship problems, you can also contact him for all sorts of hacking job..he is fast and reliable. you could also text +1 213-295-1376(whatsapp) contact and thank me later

    ReplyDelete
  3. No Name18 May 2021 at 21:06

    Hi Guy's

    Fresh & valid spammed USA SSN+Dob Leads with DL available in bulk.

    >>1$ each SSN+DOB
    >>2$ each with SSN+DOB+DL
    >>5$ each for premium (also included relative info)

    Prices are negotiable in bulk order
    Serious buyer contact me no time wasters please
    Bulk order will be preferable

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    OTHER STUFF YOU CAN GET

    SSN+DOB Fullz
    CC's with CVV's (vbv & non-vbv)
    USA Photo ID'S (Front & back)

    All type of tutorials available
    (Carding, spamming, hacking, scam page, Cash outs, dumps cash outs)

    SMTP Linux Root
    DUMPS with pins track 1 and 2
    Socks, rdp's, vpn's
    Server I.P's
    HQ Emails with passwords

    Looking for long term business
    For trust full vendor, feel free to contact

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    ReplyDelete
  4. mike26 July 2021 at 19:36

    I just have to introduce this hacker that I have been working with him on getting my credit score been boosted across the Equifax, TransUnion and Experian report. He made a lot of good changes on my credit report by erasing all the past eviction, bad collections and DUI off my credit report history and also increased my FICO score above 876 across my three credit bureaus report you can contatc him for all kind of hacks . Email him here via Email him here via hackintechnology@cyberservices.com or whatsapp Number: +1 213 295 1376.

    ReplyDelete
  5. Unknown21 August 2021 at 07:27

    DO YOU NEED A PERSONAL/BUSINESS/INVESTMENT LOAN? CONTACT US TODAY VIA WhatsApp +19292227023 Email drbenjaminfinance@gmail.com

    HELLO
    Loan Offer Alert For Everyone! Are you financially down and you need an urgent credit/financial assistance? Or are you in need of a loan to start-up/increase your business or buy your dream house. Are you in search of a legit loan? Tired of Seeking Loans and Mortgages? Have you been turned down by your banks? Have you also been scammed once? Have you lost money to scammers or to Binary Options and Cryptocurrency Trading, We will help you recover your lost money and stolen bitcoin by our security FinanceRecovery Team 100% secured, If you are in financial pains consider your financial trauma over. We Offer LOANS from $3,000.00 Min. to $30,000,000.00 Max. at 2% interest rate NO MATTER YOUR CREDIT SCORE. GET YOUR INSTANT LOAN APPROVAL 100% GUARANTEED TODAY VIA WhatsApp:+19292227023 Email: drbenjaminfinance@gmail.com


    ReplyDelete
  6. Unknown14 October 2021 at 23:27

    I was in so much debit and needed a way to clear it up because my life was in danger, then I saw comments about cloned ATM Credit Cards that can be programmed to hack into and withdraw money from any ATM machines around you . I doubted this but decided to give it a try by contacting {skylinktechnes@yahoo.com} they responded with their guidelines on how the card works. I was assured that the card can withdraw $5,000 instant per day and it had a usage limit of 12 months. So I requested one & paid the delivery fee to obtain the card, i was shocked to see the parcel{card} delivered at my doorstep. I picked it up and went back inside and confirmed the workings and genuinity of the card at the atm machine closest to me. This is no doubt because I have the card & have made use of the card countless times without any complaints. These hackers are USA based hackers set out to help people with financial freedom!! Contact these email if you wants to get rich with this Via email skylinktechnes@yahoo.com whatsapp/t: +1(213)785-1553

    ReplyDelete
  7. No Name25 October 2021 at 18:23

    FULLZ AVAILABLE

    Fresh & valid spammed USA SSN+Dob Leads with DL available in bulk.

    >>1$ each SSN+DOB
    >>3$ each with SSN+DOB+DL
    >>5$ each for premium fullz (700+ credit score with replacement guarantee)

    Prices are negotiable in bulk order
    Serious buyer contact me no time wasters please
    Bulk order will be preferable

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    OTHER STUFF YOU CAN GET

    SSN+DOB Fullz
    CC's with CVV's (vbv & non-vbv)
    USA Photo ID'S (Front & back)

    All type of tutorials available
    (Carding, spamming, hacking, scam page, Cash outs, dumps cash outs)

    SMTP Linux Root
    DUMPS with pins track 1 and 2
    WU & Bank transfers
    Socks, rdp's, vpn
    Php mailer
    Sql injector
    Bitcoin cracker
    Server I.P's
    HQ Emails with passwords
    All types of tools & tutorials.. & much more

    Looking for long term business
    For trust full vendor, feel free to contact

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    ReplyDelete
  8. vstcomplex28 October 2021 at 11:38

    Excellent post. I've been browsing this blog constantly thanks for sharing

    vstcomplex
    Goodhertz Vulf Crack
    4Front TruePianos Crack
    Arturia Pigments Crack
    XSplit VCam Crack
    AMEK EQ Crack
    MusicLab RealEight Crack
    WiFi Explorer Pro Crack

    ReplyDelete
  9. MARGARET MAGOTHE1 November 2021 at 20:55

    Hello everyone, Are you looking for a professional trader, forex and binary manager who will help you trade and manager your account with good and massive amount of profit in return. you can contact Mr. Anderson for your investment plan, for he helped me earned 8,000usd with little investment funds. Mr Anderson you're the best trader I can recommend for anyone who wants to invest and trade with a genuine trader, he also helps in recovery of loss funds..you can contact him on his whatsapp: (+447883246472) Email (tdameritrade077@gmail.com)I advice you shouldn't hesitate He's great.

    ReplyDelete
  10. DARK WEB CYBER HACKERS23 December 2021 at 21:41

    One evening, i was reading a blog of how so many people got this blank card online when i was trying to search for a new job, but it didn't seem clear to me so i ignored. Three days later, i was so surprised to see a comment by my cousin on how he got the blank card worth Thousand Dollars and without hesitation i gave him a call to come over to the house to tell me more about the card and he told me that its a miracle that i needed to per-take. He gave me the email address ( darkwebcyberhackers@gmail.com OR WhatsApp: +18033921735 ) of the hackers and i contact them for the card and they responded and told me all the procedures and terms of the card which was also what my cousin told me, i agreed and completed their requirement to get the card. Four days later, i heard knock on my door an behold was the courier agent who brought the parcel to my house and today i am rich and i thank God to this hackers and to my cousin brother who lead me to them. It might sounds odd but you can get yours via.

    Email: darkwebcyberhackers@gmail.com OR darkwebcyberhackers@yahoo.com

    Text & Call or WhatsApp: +18033921735

    Visit: https://darkwebcycberhackers.com/

    ReplyDelete
  11. Anonymous7 April 2022 at 18:05

    Fireeye Flare Ctf 2017 : Pewpewboat Challenge 5 >>>>> Download Now

    >>>>> Download Full

    Fireeye Flare Ctf 2017 : Pewpewboat Challenge 5 >>>>> Download LINK

    >>>>> Download Now

    Fireeye Flare Ctf 2017 : Pewpewboat Challenge 5 >>>>> Download Full

    >>>>> Download LINK zV

    ReplyDelete
  12. sarah smith19 June 2022 at 11:18


    Investing online has been a main source of income, that's why knowledge plays a very important role in humanity, you don't need to over work yourself for money.All you need is the right information, and you could build your own wealth from the comfort of your home!Binary trading is dependent on timely signals, assets or controlled strategies which when mastered increases chance of winning up to 90%-100% with trading. It’s possible to earn $10,000 to $20,000 trading weekly-monthly in cryptocurrency(bitcoin) investment,just get in contact with Mr Bernie Doran my broker. I had almost given up on everything and even getting my lost funds back, till i met with him, with his help and guidance now i have my lost funds back to my bank account, gained more profit and I can now trade successfully with his profitable strategies and software!! 
Reach out to him through Gmail : Bernie.doranfx01@gmail.com ,Telegram: bernie_doran_fx or +1(424)285-0682 for inquires

    ReplyDelete
  13. Anonymous28 September 2022 at 04:35

    제주콜걸
    제주콜걸
    제주콜걸
    제주콜걸
    제주콜걸

    총판출장샵
    총판출장샵
    총판출장샵
    고고출장샵
    심심출장샵

    ReplyDelete
  14. Tools & Tutorials11 December 2022 at 12:51

    Fullz (CC, CVV, High CS, EIN Business, etc)
    Tools (Carding, Spamming, Hacking, Penetration, etc)
    Tutorials (Filling, SBA, Carding, CAshout, Dumps Cash out, etc)
    Scam Pages (FB, E-Bay, Spotify, Amazon, etc)
    Dumps (Track 101 & 202 Pins/without Pins)
    Mailers (PHP, SMTP, alxus, web mailer, etc)
    Senders
    Leads/Pros (SSN DOB, SSN DOB DL, Employement, etc)
    Dead Fullz
    Viruses (RAT's, Key-loggers, etc)
    Kali Linux Complete

    All legit stuff Available at cheap Prices
    Guidance will be provided if needed
    Contact for more info

    @killhacks ' TG/icq
    peeterhacks ' Skype/Wickr
    Mail ' exploit(dot)tools4u at gmail (dot)com

    ReplyDelete

Post a Comment

Popular posts from this blog

VIrtual Machine Detection Techniques

This post will cover techniques that can be used to detect virtualized environment. Sample Analyzed - hxxps://virustotal.com/en/file/46686679e58fe4767e6796ddb27f31f3a46e4310abb6cf51b031a0181ba08ddf/analysis/ 1.VMWare Backdoor This techniques uses special I/O port to send command and get output. VMware Command Execution code In above image VMWare I/O port is 'VX' (5658h) . Command number 0x0A (get vmware version). VMware version is return in register EAX as shown below. More About VM Backdoor Port  https://sites.google.com/site/chitchatvmback/backdoor 2.VPCEXT VPCEXT instruction is used to detect presence of Virtual PC. If opcode 0F 3F b1 b2 is run outside Virtual PC, illegal instruction exception is thrown otherwise return value in ebx register is checked.If value in ebx register is 0 which means Virtual PC detected. 3.DMIDECODE Utility dmidecode is a tool for dumping a computer's DMI (some say SMBIOS ) table contents in a
Read more

Analyzing ATM Malwares

This post will explain how to analyze ATM malwares developed using middle ware CEN/XFS (extension for financial services). ATM (Automated Teller machine). The three leading ATM vendors are - 1.NCR 2.Diebold 3.Wincor The main services (peripherals) of an ATM are - 1.Card Reader 2.PinPad 3.Cash Dispenser Applications developed to interact with ATM services (peripherals) uses CEN/XFS (extension for financial services). XFS provides the API to access and manipulate the ATM peripherals from different vendors as shown in below image. CEN/XFS Application Programming interface and SDK can be downloaded from below website under Published CWA's. https://www.cen.eu/work/areas/ICT/eBusiness/Pages/WS-XFS.aspx Apart from CEN/XFS Application Programming interface and SDK other important guides as mentioned below and can be download from above mentioned website. 1.Service Class Definition - Programmer's Reference 2.Identification Card Device Class Interface - Programmer&
Read more

Memory Forensics : Tracking Process Injection

This post describe about process memory internals which allow us to track process injections. Example used below is recent Brazil Malspam (hxxp://malware-traffic-analysis.net/2017/07/07/index.html) which inject DLL  fltLib.dll into process notepad.exe. Attach kernel debugger to infected machine and get information about notepad.exe  Process   object. Process object is represented by EPROCESS structure. VAD (Virtual Address Descriptors) is member of EPROCESS  structure and describes the layout of process memory segments. VADs contain the names of memory-mapped files, the total number of pages in the region, the initial protection (read, write, execute), and several other flags that can tell you a lot about what type of data the regions contain. VAD is a self balancing tree and each node in tree represent one range in process virtual memory.Each node has child in the form of left and right node.A node is represented using MMADDRESS_NODE structure. Listing all V
Read more

Samsung CTF : Chicken or Egg Reversing Challenge

 The CTF is over but i really enjoyed solving the challenge (https://sctf.codeground.org/ctf/prob).The challenge is to decrypt flag.enc. This is another APK + JNI (Java Native Interface) kind of challenge similar to the one in Google CTF 2017 (http://shasaurabh.blogspot.com/2017/07/google-ctf-2017-android-re-challenge.html). Challenge can be divided into three parts. 1.Android application (application) loading Native Library 2.Native Library decrypts DEX file in memory. 3.Using Reflection to call methods of decrypted DEX file in step 2. 1. Android application loading Native Library OnClick() method of MainActivity class calls constructor of Crypt class. Calling constructor of Crypt class results in loading of Native library ( libegg.so ) which is ELF for ARM. Constructor of Crypt class calls crackEgg method implemented in native library. 2.Native Library decrypts DEX file in memory. The native library reads the encrypted DEX file stored in asset fo
Read more

FireEye FLARE CTF 2017 : APK Challenge 8

The challenge required decrypting passwords in order to form AES key to decrypt the flag bytes. On decompiling flair.apk file we can see four classes for which we need to decrypt passwords. 1.Michael Class  It was pretty simple password comparison.The password is  MYPRSHE__FTW . 2. Brian Class Password is formed as shown below. String.format("%s_%s%x_%s!", new Object[]{t, y, Integer.valueOf(p), c}); t = (ImageView) findViewById(R.id.pfdu).getTag().toString() y = getApplicationContext().getPackageManager().getApplicationInfo(getApplicationContext().getPackageName(), 128).metaData.getString("vdf") p = (TextView) findViewById(R.id.vcxv).getCurrentTextColor() & SupportMenu.USER_MASK; c = (TextView) findViewById(R.id.vcxv).getText().toString().split(" ")[4]; The Password is  hashtag_covfefe_Fajitas! . 3.Milton Class The password is formed by decrypting a string and taking SHA1 of the decrypted string. Decryption algorithm
Read more

Debugging MBR : IDA Pro and Bochs Emulator

This post will explain how to setup Bochs Emulator to debug MBR. I will be taking NotPetya\Petya ransomware MBR as an example. Take dump of Physical Drive whose MBR is overwritten by NotPetya\Petya ransomware by its malicious MBR. dd utility for windows can be used for this purpose.Command to dump the disk is as shown below. dd.exe if=\\?\Device\Harddisk0\DR0 of=<output file path> bs=512k --size --progress if = input file of = output file bs = read and write bytes at a time Configuring Bochs Emulator. Go to installation directory of Bochs Emulator and open file bochsrc and provide below information. 1.Disk Geometry 2.Boot Drive Disk Geometry setting contain Cylinder,Head and Sector (CHS) value of disk. # ATA controller for hard disks and cdroms ata0-master: type=disk, path="winxp0.img", mode=flat, cylinders=124830, heads=16, spt=63 where path is dump of disk taken using dd utility. Boot Drive setting contain bootable drive type. # BOOT: # This de
Read more

Windows Registry Forensics

This blog post will cover how registry keys are stored in memory. There are many good tools available to extract windows registry information from memory or dump but it's always good to learn how the information is stored in memory and how these tools are extracting it. Windows Registry (Configuration Manager) in memory is represented using CMHIVE  structure.You can view CMHIVE structure here  https://www.nirsoft.net/kernel_struct/vista/CMHIVE.html . More about Registry structure can be found here  https://binaryforay.blogspot.in/2015/01/registry-hive-basics.html . We can locate CMHIVE structure in memory by scanning pool tag value  CM10 . The pool tag is part of POOL_HEADER ( https://www.nirsoft.net/kernel_struct/vista/POOL_HEADER.html ).The size of POOL_HEADER structure is 8 bytes in 32-bit OS and lies above CMHIVE structure in memory.Below is the result of command ! poolfind <tag> <pooltype>  in windbg where tag is CM10 and pooltype =1 (paged pool). B
Read more

DoublePulsar Backdoor

This post explains DoublePulsar Backdoor and how WannaCry Ransomware uses it to spread Itself. EternalBlue Installing DoublePulasr Backdoor EternalBlue exploits vulnerability in SMB protocol and execute shell code.Offset of shell code in EternalBlue binary that is present in shadow broker dump. Shellcode finds address of srv.sys (SMB Driver) and replace address of srv!SrvTransactionNotImplemented function in srv!SrvTransaction2DispatchTable with its own function address as shown below. Offset of function code in EternalBlue binary which replaces srv!SrvTransactionNotImplemented function address in srv!SrvTransaction2DispatchTable . Before overwriting srv!SrvTransactionNotImplemented function in srv!SrvTransaction2DispatchTable with  its own function address shell code allocates memory using ExAllocatePool API and write function bytes. Function code is stored at 0x48 offset from memory address re
Read more

Google CTF 2017 : Android RE Challenge

The challenge was consist of three parts. 1.Android application loading native library (ARM or x86) depending on platform. 2.Native library drops a dex file and dynamically loads it. 3.Native library modify bytes (in memory) of loaded dex file in step2. 1.Android application loading native library Decompiling food.apk file using JADX (Dex to Java decompiler) and looking at AndroidManifiest.xml we see activity is implemented in FoodActivity class. Looking at FoodActivity class it only loads the native library cook .The argument to System.loadLibrary is a library name chosen arbitrarily by the programmer. The system follows a standard, but platform-specific, approach to convert the library name to a native library name. For example, a Solaris system converts the name cook to libcook.so , while a Win32 system converts the same cook name to cook.dll . 2.Attaching to libcook.so . We will be using IDA Pro.Refer to http://www.hexblog.com/?p=809 for how to attach to nati
Read more