Intro
The filename is myaquaticlife.exe
The file is packed with UPX, which is easy to undo with `upx -d myaquaticlife.exe`.
The unpacked binary ends with the string "Created with Multimedia Builder", so we know how this file was created. Luckily I knew what this app was. I used to create some multimedia presentations with this software. We need to get the script used to create this file so we can easily debug it. We can extract the script with MMUnbuilder.
Unpack the file with `python MMUnbuilder.py -u myaquaticlife.exe`. We get a bunch of files in the current directory:
| Filename | Explanation |
|---|---|
| *.gif | Animal pictures |
| index.html | First screen |
| index2.html | Result screen |
| fathom.dll | Script DLL |
| myaquaticlife.mbd | MMB project file |
myaquaticlife.mbd is the MMB project file. You can download Multimedia Builder and open this project file. Basically, it shows the index.html page and each button triggers a script. Let's check what the first script, Script1, does:

```
part1$='derelict:MZZWP'
PluginSet("PlugIn","part1$")
```
All of the scripts do something similar except Script17:

```
PluginRun("PlugIn","PluginFunc19")
PluginGet("PlugIn","var1$")
...
```
Each animal button sets some internal strings in the DLL. When you click "What's your favorite aquatic animal?" it runs Script17, which calls PluginFunc19 from fathom.dll and shows the result. We need to understand what this function does.
Whatever we do, this function only uses the strings from the floatsam and jetsam variables, and the order in which you click the animals determines what those variables contain. Open the exe with a debugger, put a breakpoint on PluginFunc19, click all the animals and then finally click "What's your favorite aquatic animal?". You will see something like the following:
```asm
push ebx
mov ebx, esp
sub esp, 8
and esp, 0FFFFFFF0h            ; 16-byte align the stack for the movaps below
add esp, 4
push ebp
mov ebp, [ebx+4]
mov [esp+0Ch+var_8], ebp
mov ebp, esp
sub esp, 78h
mov eax, ___security_cookie    ; /GS stack cookie
xor eax, ebp
mov [ebp-4], eax
movaps xmm0, xmmword ptr ds:byte_1024F3A0   ; first 16 bytes of the embedded buffer
push esi
mov esi, floatsam_ptr
movaps xmmword ptr [ebp-30h], xmm0
movaps xmm0, xmmword ptr ds:byte_1024F390   ; next 16 bytes, placed right after them
movaps xmmword ptr [ebp-20h], xmm0
cmp dword ptr [esi-0Ch], 0     ; floatsam not set (dword before the data looks like its length) -> fail
push edi
jz @poor
mov eax, jetsam_ptr
mov [ebp-78h], eax
cmp dword ptr [eax-0Ch], 0     ; same check for jetsam
jz @poor
```
If you analyze this function, you will see that it:

- concatenates the bytes at byte_1024F3A0 and byte_1024F390 (31 bytes in total)
- XORs each byte with the contents of floatsam, repeating the string as needed
- subtracts the corresponding jetsam byte (again repeating the string, wrapping at 256)
- calculates the MD5 of the resulting bytes and compares it with 6c5215b12a10e936f8de1e42083ba184
- if everything checks out, sends the result back as the flag

We need to find the correct permutation for the floatsam and jetsam variables and calculate the result. There are only 3! = 6 orderings for each variable, so one of the 36 permutation pairs will give us the result. Here is the quick script for this:
```python
import itertools
import hashlib

def getPermutations(arr):
    # every ordering of the three chunks, joined into one string
    permutations = list(itertools.permutations(arr))
    result = []
    for element in permutations:
        result.append(''.join(element))
    return result

def encrypt(fl,jet):
    # the 31 bytes at byte_1024F3A0 followed by byte_1024F390
    byte_arr = [0x96, 0x25, 0xA4, 0xA9, 0xA3, 0x96, 0x9A, 0x90, 0x9F, 0xAF, 0xE5, 0x38, 0xF9, 0x81, 0x9E, 0x16, 0xF9, 0xCB, 0xE4, 0xA4, 0x87, 0x8F, 0x8F, 0xBA, 0xD2, 0x9D, 0xA7, 0xD1, 0xFC, 0xA3, 0xA8]
    fl_byte = bytearray(fl.encode('utf-8'))
    jet_byte = bytearray(jet.encode('utf-8'))
    for index in range(len(byte_arr)):
        # XOR with the repeating floatsam string ...
        byte_arr[index] = byte_arr[index] ^ fl_byte[index % len(fl_byte)]
        # ... then subtract the repeating jetsam string, wrapping to a byte
        byte_arr[index] = (byte_arr[index] - jet_byte[index % len(jet_byte)]) & 0xFF
    # return raw bytes: the DLL hashes these directly, not a UTF-8 re-encoding
    return bytes(byte_arr)

#possible values for floatsam and jetsam
float_array = ['DFWEyEW','PXopvM','BGgsuhn']
jetsam_array = ['newaui','HwdwAZ','SLdkv']
float_permutations = getPermutations(float_array)
jetsam_permutations = getPermutations(jetsam_array)
for float_str in float_permutations:
    for jet_str in jetsam_permutations:
        result = encrypt(float_str,jet_str)
        md5_hash = hashlib.md5(result).hexdigest()
        if md5_hash == '6c5215b12a10e936f8de1e42083ba184':
            print("Found: %s" % result.decode('latin-1'))
            print('Float %s JetSam %s' %(float_str,jet_str))
```
When we run the script, we get `s1gn_my_gu357_b00k@flare-on.com`.
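As an added cross-check, not part of the original write-up: instead of brute-forcing all 36 orderings with MD5, fix the jetsam ordering (only 6 candidates), treat the flag printed above as known plaintext, and solve the XOR step for the floatsam key byte by byte. The model of PluginFunc19 is right only if the recovered 20-byte key is a concatenation of the three floatsam chunks and the positions that reuse a key byte (indices 20 to 30 wrap back to key bytes 0 to 10) agree with each other. The byte array, chunk values and flag are copied from the write-up; the function names are my own.

```python
import itertools

# Constants copied from the write-up: the embedded 31-byte buffer
# (byte_1024F3A0 followed by byte_1024F390), the candidate chunks each
# animal stores in floatsam / jetsam, and the flag the brute force produced.
EMBEDDED = bytes([0x96, 0x25, 0xA4, 0xA9, 0xA3, 0x96, 0x9A, 0x90, 0x9F, 0xAF,
                  0xE5, 0x38, 0xF9, 0x81, 0x9E, 0x16, 0xF9, 0xCB, 0xE4, 0xA4,
                  0x87, 0x8F, 0x8F, 0xBA, 0xD2, 0x9D, 0xA7, 0xD1, 0xFC, 0xA3,
                  0xA8])
FLOAT_CHUNKS = [b'DFWEyEW', b'PXopvM', b'BGgsuhn']
JETSAM_CHUNKS = [b'newaui', b'HwdwAZ', b'SLdkv']
FLAG = b's1gn_my_gu357_b00k@flare-on.com'
FLOAT_LEN = sum(len(c) for c in FLOAT_CHUNKS)   # 20 key bytes, repeated over 31 positions


def transform(data, floatsam, jetsam):
    """Forward model of PluginFunc19 as analysed above: XOR with the
    repeating floatsam key, then subtract the repeating jetsam key mod 256."""
    out = bytearray()
    for i, b in enumerate(data):
        b ^= floatsam[i % len(floatsam)]
        out.append((b - jetsam[i % len(jetsam)]) & 0xFF)
    return bytes(out)


def recover_floatsam(data, jetsam, plaintext):
    """Known-plaintext inversion: with jetsam fixed, out = ((b ^ k) - j) & 0xFF
    gives k = b ^ ((out + j) & 0xFF), so every position pins down one key byte.
    Returns None when two positions that share a key slot disagree, which rules
    the jetsam candidate out."""
    key = [None] * FLOAT_LEN
    for i, (b, p) in enumerate(zip(data, plaintext)):
        k = b ^ ((p + jetsam[i % len(jetsam)]) & 0xFF)
        slot = i % FLOAT_LEN
        if key[slot] is None:
            key[slot] = k
        elif key[slot] != k:
            return None
    return bytes(key)


def is_chunk_concatenation(key, chunks):
    """True if key is exactly some ordering of the given chunks glued together."""
    return any(b''.join(perm) == key for perm in itertools.permutations(chunks))


def find_key_order(data=EMBEDDED, plaintext=FLAG):
    """Try only the 6 jetsam orderings and derive floatsam instead of guessing it.
    Returns (floatsam, jetsam) or None if the model does not fit."""
    for perm in itertools.permutations(JETSAM_CHUNKS):
        jetsam = b''.join(perm)
        floatsam = recover_floatsam(data, jetsam, plaintext)
        if floatsam is not None and is_chunk_concatenation(floatsam, FLOAT_CHUNKS):
            return floatsam, jetsam
    return None


if __name__ == '__main__':
    found = find_key_order()
    print(found)   # -> (b'PXopvMDFWEyEWBGgsuhn', b'SLdkvnewauiHwdwAZ')
    if found:
        # round trip: the recovered keys must reproduce the flag
        print(transform(EMBEDDED, *found))
```

Only one jetsam ordering survives the consistency check, and the floatsam key it yields is PXopvM, DFWEyEW, BGgsuhn in that order, so the result also tells you which chunk had to be set first, second and third. The same trick works on any XOR-then-subtract scheme with a short repeating key once you know (or can guess, e.g. the `@flare-on.com` suffix) enough plaintext to cover one key period.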
Flare-On 2021 Write-ups