# NTU Malware Reverse HW 1 write up
tags: NTU_MR
Malware Reverse Engineering and Analysis
NTU
[TOC]
## Task 1

Analyze the Lab06-01.exe

- What is the major code construct found in the only subroutine called by main? Ans: It has only an if statement in the main function.
- What is the subroutine located at 0x40105F? Ans: It's just a `printf` function. At the beginning, I could not recognize what this code block does exactly until I analyzed the program behavior by using the string side bar to search for the specific string in the code.
- What is the purpose of this program? Ans: This program's main purpose is to check whether the device is connected to the internet or not. If the variable returns true, it'll print the string `Success: Internet Connection` on the command panel. Otherwise, it'll show `Error 1.1: No Internet`.
## Task 2

Analyze the Lab06-02.exe

- What operation does the first subroutine called by the main perform? Ans: Main calls this subroutine to check whether there is an internet connection or not. If there is no internet, it just returns and does nothing; otherwise, execution continues.
- What is the subroutine located at 0x40117F? Ans: It's a `printf` function.
- What does the second subroutine called by main do? Ans:
  - The second subroutine called by the main function is sub_401040, which is located at 0x401040. The main purpose of this block is to open the internet connection and get the web page information, then close the internet handle at the end.
  - According to the web page document, the `InternetOpenA` function is the first `WinINet` function called by an application. It tells the Internet DLL to initialize internal data structures and prepare for future calls from the application. When the application finishes using the Internet functions, it should call `InternetCloseHandle` to free the handle and any associated resources. It returns a valid handle if successful, otherwise NULL.
  - According to the web page document, this function is a general function that an application can use to retrieve data over any of the protocols that `WinINet` supports. This function is especially useful when the application does not need to access the particulars of a protocol, but only requires the data corresponding to a URL. For instance, the URL provided by the author is stored as a global variable, though this page gives no response but a 404 error. It returns a valid handle if successful, otherwise NULL.
  - According to the web page document, the `InternetReadFile` function operates much like the base `ReadFile` function, with a few exceptions. Typically, `InternetReadFile` retrieves data from an `HINTERNET` handle as a sequential stream of bytes. It returns TRUE if successful, or FALSE otherwise.
  - According to the web page document, the `InternetCloseHandle` function terminates any pending operations on the handle and discards any outstanding data. It returns TRUE if the handle is successfully closed, or FALSE otherwise.
- What type of code construct is used in this subroutine? Ans: It uses a character array to call the `loc_40109D` block (`InternetReadFile`). If the connection failed, it'll print "Error 2.1: Fail to OpenUrl" and run the close-handle procedure.
- Are there any network-based indicators for this program? Ans: There are two network-based indicators in this program, shown below. The program also uses the `url` string and the user agent string to set up the internet environment, which are shown below as well.
- What is the purpose of this malware? Ans: The main purpose of this block is to check the internet connection first and then, if the connection succeeds, open the internet connection to get the web page information. Finally, it closes the internet handle and sleeps one minute at the end.
## Task 3

Analyze the Lab06-03.exe

- Compare the calls in main to `Lab6-2`'s main method. What is the new function called from this main? Ans: The new function is sub_401150, and it does something based on what it gets from the page.
- What parameters does this new function take? Ans: It takes a character `a1` as the case number and an `LPCSTR lpExistingFileName`, which represents the name of an existing file.
- What major code construct does this function contain? Ans: It contains a simple switch-case structure to decide what it does.
- What can this function do? Ans: It can create a directory in the specified path, copy a file, delete a file, open the specified registry key, sleep 100 seconds, or print an error message by default.
- Are there any host-based indicators for this malware? Ans: The `Subkey` parameter and the Data parameter can be host-based indicators in this malware.
## Task 4

Analyze the Lab06-04.exe

- What is the difference between the calls made from the main method in `Lab6-3` and `6-4`? Ans: In `Lab6-3`, the main block just executes one time if it got something from the domain name address. But in `Lab6-4`, there's a for loop wrapping the main block to repeat it 1440 times.
- What new code construct has been added to the main? Ans: There's a for loop in the main block to execute the program repeatedly, 1440 times.
- What is the difference between this lab's parse HTML function and those of the previous labs? Ans: In `Lab6-3`, it just passes the `Internet Explorer 7.5/pma` string to the Windows API named `InternetOpenA`. But in `Lab6-4`, it passes a character string built with `a1`, generated by the for loop, that looks like `Internet Explorer 7.50/pma%d` (`%d` is where the parameter `a1` is put).
- How long will this program run? (Assume that it is connected to the Internet) Ans: Assume we ignore the internet checking time and the if-statement checking time. Assume the execution time for case a is A seconds, for case b is B seconds, for case c is C seconds, for case d is D seconds, for case e is 100 seconds, and that all cases are equally likely. The average execution time is T = (A+B+C+D+100)/5. So, the whole execution time of this program is approximately 1440*(T+60) seconds.
- Are there any new network-based indicators for this malware? Ans: No.
- What is the purpose of this malware? Ans: First, it checks the internet connection as above and continues to execute if successful, returning zero otherwise. Then it gets the info from the URL that is set up by default in this program and closes the internet handle when finished. Finally, it does something according to what it gets from the page, such as creating a directory in the specified path, copying a file, deleting a file, or opening the specified registry key, and repeats this 1440 times until the end.
## Task 5

Please analyze Easy_CrackMe.exe. (Use IDA PRO)

After you run the exe file, you will see an input box like the one below. Please find the correct password and you will get the correct response.

- Ans: The correct password is "Ea5yR3versing".
## Task 6

Please analyze Easy_Keygen.exe. (Use IDA PRO)

You need to run the exe file in cmd like the one below. In this case, you need to enter the Input Name and Input Serial. If Name and Serial match, you will get the correct response. Please find the Input Name when the Input Serial is 5B134977135E7D13.

- Ans: K3yg3nm3
- Write Up:
  - First, you can check the declarations of `v6` to `v8` and `v12` to `v14`; each group is laid out contiguously.
  - By the way, `v9` is the variable that stores what you input.
  - The main concept of this PE file is in this for loop. It takes the address of `v9`, adds `v3`, and then gets the actual value with the `*` operator. That means each iteration computes just one character, one by one, until every character you entered has been computed.
  - The `^` operator means bitwise XOR in C, and the operand is `*(&v6 + i)`. When you reverse this operation, you get 16 hex characters (4B337967336E6D33). Put these values into a Hex2ASCII online converter and you can get the password answer.
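The XOR check described in this write-up, as an added Python model that is not the write-up's own code. It assumes the three key bytes held in `v6`..`v8` are 0x10, 0x20, 0x30 and cycle every three characters, and that each XORed character is emitted as two upper-case hex digits; the test below confirms these assumptions reproduce the serial given in the task.

```python
"""Model of the Easy_Keygen.exe serial check (added example, assumptions noted)."""

# Assumed key bytes: the contiguous v6, v7, v8 in the decompilation.
KEY = bytes([0x10, 0x20, 0x30])


def make_serial(name: str) -> str:
    """Forward direction: XOR every name byte with the cycling key,
    then format each result as two upper-case hex digits."""
    out = []
    for i, c in enumerate(name.encode("ascii")):
        out.append(f"{c ^ KEY[i % len(KEY)]:02X}")
    return "".join(out)


def recover_name(serial: str) -> str:
    """Reverse direction: XOR is its own inverse, so undo it byte by byte.
    This is the step the write-up does by hand (hex 4B33... -> ASCII)."""
    if len(serial) % 2:
        raise ValueError("serial must have an even number of hex digits")
    data = bytes.fromhex(serial)
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data)).decode("ascii")


def check(name: str, serial: str) -> bool:
    """Replicates the comparison the binary performs on Name and Serial."""
    return make_serial(name) == serial.upper()


if __name__ == "__main__":
    target = "5B134977135E7D13"   # serial given in the task
    name = recover_name(target)
    print(name, check(name, target))  # K3yg3nm3 True
```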