Sunday, November 6, 2016

Join ESET Crackme 2015 Solution


This is my solution for the JoinESET Crackme 2015, It was on my disk for more than a year and I'm sharing it maybe someone is interested in how to solve this challenge.

Working files can be downloaded from here.

Stage One 

The crackme has two files EsetCrackme2015.exe and EsetCrackme2015.dll. Both don’t
seem to be packed.

The crackme asks for three passwords, lets hunt the first password.

The executable loads the DLL, which has multiple files appended to it. To enumerate all the files we have first the file ID which is two bytes then four bytes that represent the file size followed by the file.
I coded a small tool to dump all the files and here is the ID list 0x1, 0x2, 0x3, 0x4, 0x101, 0x102, 0x103, 0x104, 0x151, 0x152, 0x153, 0x154, 0x155, 0xAA02, 0xAA06, 0xBB01, 0xBB02, 0xFF00, 0xFF02, 0xFF04 and 0xFF05.

File 0x2 is the name of the pipe, “\\.\pipe\EsetCrackmePipe” that will be created and will be used to communicate with the different crakme's processes.
File 0x3 contains "SXJyZW4lMjBpc3QlMjBtZW5zY2hsaWNo" or "Irren%20ist%20menschlich" base64 decoded, and that string will be used to decrypt later files.

The file 0x151 is an executable that gets injected into SVCHOST.exe through a virtual machine which its engine resides in the file 0x102 and opcode in 0x103. I will explain the virtual machine later in stage two.

The pipe works as follows, the main module waits for either a file request (0x1) or STATUS_COMPLETE (0x2) followed by the file ID and responds with the file requested or OK message in case of STATUS_COMPLETE.

The injected code in svchost.exe starts with retrieving the handle to a window, whose class name is EDIT and then uses SetWindowLong to change the address of the window procedure to 0x00AD2360.
The files 0xBB01 and 0xBB02, both gets decrypted by xoring with “PIPE”. The file 0xBB01 contains the hashes of the three passwords respectively as follows:

0F30181CF3A9857360A313DB95D5A169BED7CC37 0B6A1C6651D1EB5BD21DF5921261697AA1593B7E

The crackme hashes every entered password using a hash algorithm similar to SHA-1 and compares it with the hashes above.
When entering the first password we get the window procedure 0x00AD2360 triggered. What it do is it base64 encode the password then decrement each odd indexed character, finally it compares it with RFV1aV4fQ1FydFxk which it got from the file 0xBB02.

By reversing this operation we get our first password “Devin Castle”

Upon entering the right password a STATUS_COMPLETE with ID 0xBB01 is sent through the pipe, declaring that we have completed stage one and a is written to disk.
The procedure that handles the progress of the crackme is loaded from the file 0x101.

FLARE-On 2016 Writeup


I usually don't blog but this challenge comes every year with much more quality challenges and interesting stuff to analyze, So I just couldn't resist to publish my solutions :).
Despite this year's guessing metric was really high, the obfuscation and other quality stuff implemented made the challenge much more entertaining than the last two challenges.

Before you start I suggest you download the working files from here which contains all the challenges, deobfuscated files and tools I coded to solve this challenge.

Level One

First level is tricky for people with short experience in RE. It simply uses BASE64 encoding with custom alphabet.

Decoding the string “x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q” using "ZYXABCDEFGHIJKLMNOPQRSTUVWzyxabcdefghijklmnopqrstuvw0123456789+/” as custom alphabet will result in the first email "".

Level Two

Level two starts by checking the folder “Briefcase” on the desktop. then checks if the volume serial number equals to 0x7DAB1D35. You have to meet both requirements.

Then it starts to encrypt all the files in the "Briefcase" folder using AES-256 then drops a ransom note in the form of an image in the "Briefcase" folder. Also changes the computer background to the ransom not image.

As this level two I didn't took much time in analzying how the key is generate, I patched the executable to decrypt the files instead of decrypting it using the following two patches:

The encrypted file "BusinessPapers.doc" which was provided by the challenge appears to be an JPEG image that contains the email.