NTU Malware Reverse Lab 1 write up

tags: NTU_MR Malware Reverse Engineering and Analysis NTU

| Name | 何秉學 | StuID | R11921A16 |
| ---- | ---- | ---- | ---- |

WannaCry

Change variable and data type

  • Follow the video and replace most of the variables that Ghidra did not recognize, and retype them as well.
  • According to the video, you must first search for the entry point function (local_6c = FUN_00408140();) and replace the signature there.
  • Then click into the WinMain function and you’ll see a strange URL right at the top. Rename it and retype it as char*.
  • Ghidra does not recognize InternetOpenA and InternetOpenUrlA, and you will find that it does not recognize the HINTERNET data type either. So we must create a new data type in the Data Type Manager.
  • In the write_1831_to_tasksche.exe function, the first if-statement has 4 variables that Ghidra can’t recognize: createProcessA, _createFileA, _writeFile and _closeHandle. You must not only rename them but also retype them so that the following statements make sense for each of them. (Ghidra has all of these types; it just does not apply them on its own.)
  • Once you have the 1831.bin file (see the 5th and 6th items of the Analyze section), use the Defined Strings window to find functions such as the unzip_something function.
  • Scroll down the Defined Strings window and you’ll see the string 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 at 0x0040f488. In the assembly code, three similar functions are called together at that point; we call them the bitcoin_something functions.

Analyze

  • For the first part of the analysis, look at the for loop after the strange_url variable. It runs 14 times and copies strange_url to strange_url_copy, advancing the pointer by 4 on each iteration.
  • Next, there is an if statement below it. Look at it carefully: if the internet request fails, it calls the wannacry_real_entry() function.
  • Enter the wannacry_real_entry function and you’ll see another if statement that examines the argument input. If you key in fewer than one argument, it executes the no_argument_handler function and then starts the create_wannacry_service function.
  • Checking the second function of no_argument_handler in assembly, you’ll find two sprintf calls in the middle that are not correct, because two more arguments are pushed on the stack but not recognized by Ghidra: s_tasksche.exe_0043136c at 0x00407dea and s_WINDOWS_00431367 at 0x00407df2. So we have to override the call signature on this line and add the missing arguments back to sprintf. [figure: 2 arguments not recognized]
  • So, let’s take a look at this flow chart of what has happened so far. [figure: flow chart of first stage]
  • Then I used another VM (Ubuntu) to run wrestool on the WannaCry file and output another file named 1831.bin. I used Ghidra to analyze this file, doing the same things as above for the WannaCry file: changing the WinMain signature, renaming variables, retyping variables, etc.
  • While analyzing the WinMain function, you’ll see a strange variable &_Str2_0040f538 that stores the ‘/i’ characters. Just press ‘c’ in the assembly view to show ‘\i’.
  • Next, scroll down this file and you’ll see a strange swprintf parameter called _Count_0040f40c. Select all the addr-type data, right click, and choose Clear With Options. You’ll see many Unicode strings. Finally, right click DAT_0040f40c and choose Data > TerminatedUnicode.
  • Finally, check this figure for the whole operation flow. [figure: whole flow chart of wannacry]
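As an added example (not code from the lab or this write-up), the following Python helper mimics what the Defined Strings window and the TerminatedUnicode step above reveal: it walks a data buffer for ASCII and UTF-16LE runs, lists them by address, and tags the URL-shaped and Bitcoin-address-shaped ones for triage. The sample buffer and the 0x0040f000 base address are constructed for the demonstration, not taken from the binary.

```python
import re

# Constructed sample standing in for a slice of a binary's data section.
# The ASCII strings are the ones located in the Defined Strings window above;
# the UTF-16LE string models the data the TerminatedUnicode step reveals.
SAMPLE = (
    b"\x00\x00\x8b\xec"
    b"http://www.iuqerfsodp9ifjaposdfj\x00"
    b"\x90\x90\x01"
    b"13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94\x00"
    b"\x00\xff"
    + "tasksche.exe".encode("utf-16-le") + b"\x00\x00"
    + b"WNcry@2o17\x00"
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
URL_RE = re.compile(r"^https?://[\w.-]+")
# Base58 alphabet (no 0, O, I, l); legacy addresses start with 1 or 3.
BTC_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")

def defined_strings(buf, base=0x0040f000):
    """Return (address, encoding, text) for each printable run, sorted by
    address the way Ghidra's Defined Strings window lists them.
    `base` is an assumed load address for the buffer."""
    found = [(base + m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RUN.finditer(buf)]
    found += [(base + m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in UTF16_RUN.finditer(buf)]
    return sorted(found)

def classify(text):
    """Tag a string with the indicator type an analyst would look at first."""
    if URL_RE.match(text):
        return "url"
    if BTC_RE.match(text):
        return "bitcoin-address-like"
    if text.lower().endswith(".exe"):
        return "filename"
    return "other"

def triage(buf, base=0x0040f000):
    """List every string with its address, encoding and indicator tag."""
    return [(addr, enc, classify(s), s) for addr, enc, s in defined_strings(buf, base)]

if __name__ == "__main__":
    for addr, enc, tag, text in triage(SAMPLE):
        print(f"{addr:#010x} {enc:8} {tag:22} {text}")
```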

1.1 What is the ‘killswitch’ string? Ans: http://www.iuqerfsodp9ifjaposdfj
1.2 What is the unzip password? (as shown below) Ans: WNcry@2o17

NoREpls

Step1 - Checking Language

  • You should check what language this program is written in, so load it in IDA and look at the imports. [figure: imports of NoREpls.exe] You can find a lot of functions that resemble C functions, such as CreateFileW(), and the IsDebuggerPresent function is here as well -> this is important.

Step2 - Static Analysis

  • Try to run NoREpls.exe. [figure: run NoREpls.exe]
  • Then view the Strings window to find the function that prompts the invalid registration message. However, there is nothing useful here, just a lot of random code. Try searching for the string in the Names window instead; we found this. [figure: string in Names window]
  • Clicking on it, you’ll find the important string here. [figure: string in code]
  • Use x-ref to jump to the section that references this string. [figure: function which references the string]
  • You’ll see the label of this section, 0x4010DB. Use the x-ref method again to jump to where it is called. [figure: jump again]
  • Then press F5 to decompile this section and you’ll see the function. [figure: checking function]
  • Step into the sub_401000 function and you’ll see the unencrypted secret code here. [figure: secret code]
  • Then you have the secret code and can register successfully. [figure: successful]

Untitled

Refer to b1h0

Step1 - Try to run

  • When you try to run this program, it just flashes for a moment and vanishes rapidly. So you can use a debugger to set a breakpoint.

Step2 - Use x64dbg debugger

  • Actually, when you enter the program, you’ll find the flag easily a little below the entry point.
  • So, based on what we found above, you can observe that address 0x00401500 is the entry of the subroutine that we call sub_result_cracked. [figure: sub_result_cracked]
  • Then we can find that address 0x004013DD calls address 0x0040162c, which compares the important value. The command line prints the flag or try_harder depending on this value.
  • So, let’s take a look next. [figure: compare part] Focus on 0x0040163A, which moves C1 to memory and then compares it in the following instruction.
  • To review what jle does, take a look here. By default, it will jump to 0x401653 for sure, move the string “try harder” and print it out.
  • So, the first point is that we must make the condition false by revising the value of C1 at 0x00401642, like this. [figure: revise C1] You can revise it to any value that makes the condition false; here, following b1H0, we revise it to zero.
  • After bypassing the jump, we must set another breakpoint at 0x00401664 to watch the output before the program closes. [figure: successful result]