EASYCTF - Maldrop

Mind looking at this malware dropper I found? Note: this isn’t actually malware, it just borrows obfuscation techniques from low quality malware.

Using PEiD we identified it as a .NET binary, so let's use Reflector (or another .NET decompiler) to inspect the C# code:

private static void Main(string[] args)
{
    Console.WriteLine("All the techniques implemented in this were found in malware samples I analyzed");
    // Read the running executable's own file from disk
    byte[] arr = File.ReadAllBytes(Assembly.GetEntryAssembly().Location);
    // The delimiter is built from two halves so "[SPLITERATOR]" never appears as one string literal
    string str2 = "[SPLIT";
    string str3 = "ERATOR]";
    byte[][] bufferArray = SplitByteArray(arr, Encoding.ASCII.GetBytes(str2 + str3));
    // Part 2 is handed to the next stage as command-line args: one decimal string per byte
    List<string> list = new List<string>();
    for (int i = 0; i < bufferArray[2].Length; i++)
    {
        list.Add(bufferArray[2][i].ToString());
    }
    object[] parameters = new object[] { list.ToArray() };
    // Part 1 is a .NET assembly loaded from memory; its entry point receives the args above
    Assembly.Load(bufferArray[1]).EntryPoint.Invoke(null, parameters);
}

So the binary reads its own file and splits it on the "[SPLITERATOR]" delimiter into three parts: the loader itself, a second .NET assembly, and a blob passed to that assembly as arguments. They can be extracted with the following script:

with open("maldrop.exe", "rb") as f:       # binary mode: a PE is not text
    alltxt = f.read()
data = alltxt.split(b"[SPLITERATOR]")      # same delimiter the loader uses
with open('mal0.exe', 'wb') as out:        # part 0: the loader
    out.write(data[0])
with open('mal1.exe', 'wb') as out:        # part 1: second-stage .NET assembly
    out.write(data[1])
with open('mal2.txt', 'wb') as out:        # part 2: data handed to stage 2 as decimal byte strings
    out.write(data[2])

This leaves us with the three extracted parts.

Once again we run Reflector on the second PE to discover what it does.

// Rebuild the raw bytes from the decimal strings the loader passed in args[]
List<byte> list = new List<byte>();
for (int i = 0; i < args.Length; i++)
{
    list.Add(byte.Parse(args[i]));
}
// Those bytes are a gzip stream; decompress it in 256-byte chunks
MemoryStream stream = new MemoryStream(list.ToArray());
GZipStream stream2 = new GZipStream(stream, CompressionMode.Decompress);
byte[] buffer = new byte[0x100];
List<byte> list2 = new List<byte>();
int count = 0;
do
{
    count = stream2.Read(buffer, 0, 0x100);
    list2.AddRange(buffer.Take<byte>(count)); // needs System.Linq
}
while (count > 0);
// The decompressed bytes are yet another .NET assembly, loaded and run from memory
Assembly.Load(list2.ToArray()).EntryPoint.Invoke(null, null);
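Putting both stages together, the whole chain can be unpacked statically without ever running the dropper. This is an added example, not code from the original writeup; it mirrors the loader's split and stage 2's decimal-string-to-gzip step, and the sample blob it builds is a constructed stand-in for maldrop.exe.

```python
import gzip

# The dropper builds its delimiter from two halves ("[SPLIT" + "ERATOR]")
# so the whole marker never appears as one string literal in the binary.
DELIM = b"[SPLIT" + b"ERATOR]"
GZIP_MAGIC = b"\x1f\x8b"


def split_dropper(blob: bytes) -> list:
    """Static equivalent of the loader's SplitByteArray(): cut the file on
    the delimiter and insist on the layout Main() expects (exactly 3 parts:
    loader, stage-2 assembly, gzipped final stage)."""
    parts = blob.split(DELIM)
    if len(parts) != 3:
        raise ValueError("expected 3 parts, found %d" % len(parts))
    return parts


def decode_stage3(part: bytes) -> bytes:
    """Replay what the two stages do with part 2, without executing either.
    The loader hands each byte over as a decimal string in args[]; stage 2
    byte.Parse()s them back and streams the result through GZipStream."""
    args = [str(b) for b in part]           # loader: bufferArray[2][i].ToString()
    raw = bytes(int(a) for a in args)       # stage 2: byte.Parse(args[i])
    if not raw.startswith(GZIP_MAGIC):
        raise ValueError("part 2 is not gzip data; unpacking logic differs")
    return gzip.decompress(raw)             # stage 2: GZipStream(Decompress)


def unpack(blob: bytes) -> dict:
    """Return every stage as bytes, ready to carve to disk or decompile."""
    loader, stage2, stage3 = split_dropper(blob)
    final = decode_stage3(stage3)
    for name, pe in (("stage2", stage2), ("final", final)):
        if not pe.startswith(b"MZ"):
            raise ValueError("%s does not look like a PE file" % name)
    return {"loader": loader, "stage2": stage2, "final": final}


def build_sample() -> bytes:
    """Constructed stand-in for maldrop.exe (not the real challenge file):
    three fake PE stubs laid out exactly as the loader expects."""
    loader = b"MZ\x90\x00loader-stub"
    stage2 = b"MZ\x90\x00stage2-stub"
    final = b"MZ\x90\x00final-stub"
    return loader + DELIM + stage2 + DELIM + gzip.compress(final)


if __name__ == "__main__":
    for name, data in unpack(build_sample()).items():
        print("%s: %d bytes, starts with %r" % (name, len(data), data[:2]))
```

Against the real file, replace build_sample() with the bytes of maldrop.exe and write each stage out; the "final" entry is the PE that gets recompiled below.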

It turns out the third part is simply gzipped: stage 2 rebuilds the bytes from the decimal strings it received in args and decompresses them, and the result is yet another .NET PE. With its decompiled source I recompiled it online using ideone, and the output was the flag :D

using System;
using System.Text;

public class Test
{
    public static void Main()
    {
        // Fixed seed, so the "random" numbers are the same on every run
        Random random = new Random(0xe45ec7f);
        StringBuilder builder = new StringBuilder();
        builder.Append("easyctf{");
        for (int i = 0; i < 6; i++)
        {
            builder.Append(random.Next());
        }
        builder.Append("}");
        string str = builder.ToString();
        Console.WriteLine(str);
    }
}

easyctf{12761716281964844769159211786140015599014519771561198738372}