Trend Micro 2018 Reverse walkthrough

Trend Micro 2018 Reverse problem walkthrough.

1. filecrypt

Decompile the Python binary and extract the Python source code.

From the pcap we can recover the key-exchange message and rebuild the crypto component:

```python
import base64
from Crypto.Cipher import ARC4  # pycryptodome

# Key-exchange message captured in the pcap: base64 wrapping a hex string
enc = "MzU5OThmZGI3ZmUzYjc5NDBiOTM3NWE2OGE2NTRmZjk0OWM1OGRjYjliMWFlYmIwNDhkNmFhNzRkOTA1YjdiMGM2ZTA0YjQwNGViNjExMjlmOTJhZDkxMjcwMzg1MDIwMTU4MmNlMzllNzdiZmU3MzlmZWM1Mjg3NDFiMjAyZjg5MjNhOWY4ZDYzMDM2MTdkOGU2ZTM1YTBkNjQ0MTE1ZTIzODUyMmM2ZDBjYWNkMWFmZGFlMjMwNTA0NTJjOTk4ZTM5YQ=="
enc = base64.b64decode(enc).decode()

# The first 40 hex chars (20 bytes) are the RC4 key, the rest is the RC4 ciphertext
cipher = ARC4.new(bytes.fromhex(enc[:40]))
dec = cipher.decrypt(bytes.fromhex(enc[40:]))

# dec -> id=d1&key=2f87011fadc6c2f7376117867621b606&iv=95bc0ed56ab0e730b64cce91c9fe9390

# The transmitted key and IV are XOR-masked byte-wise with (id + 16)
n = 0xd1 + 16  # -> 0xe1

key = bytes.fromhex("2f87011fadc6c2f7376117867621b606")
key = bytes(x ^ n for x in key)
print(key.hex())

iv = bytes.fromhex("95bc0ed56ab0e730b64cce91c9fe9390")
iv = bytes(x ^ n for x in iv)
print(iv.hex())
```

Decrypting the file with the recovered key and IV gives:

```
----Trend Microt CTF 2018. Flag for this challenge is: TMCTF{MJB1200}
```
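As an added example (not part of the original writeup), the same recovery written as a reusable function with a pure-Python RC4, so it runs without pycryptodome. The blob layout, the id/key/iv message and the (id + 16) mask follow the writeup; the RC4 key used to build the sample blob and the `build_blob` helper are constructed here for testing.

```python
import base64
from urllib.parse import parse_qs


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same routine encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def recover_params(blob: str) -> dict:
    """Undo the filecrypt exchange: base64 -> hex string -> RC4 key || ciphertext,
    then unmask key and iv with the byte (id + 16) & 0xFF."""
    hexstr = base64.b64decode(blob).decode()
    rc4_key = bytes.fromhex(hexstr[:40])            # first 20 bytes = RC4 key
    msg = rc4(rc4_key, bytes.fromhex(hexstr[40:])).decode()
    fields = {k: v[0] for k, v in parse_qs(msg).items()}
    mask = (int(fields["id"], 16) + 16) & 0xFF      # id=d1 -> mask 0xe1 on this challenge

    def unmask(h: str) -> bytes:
        return bytes(b ^ mask for b in bytes.fromhex(h))

    return {"mask": mask, "key": unmask(fields["key"]), "iv": unmask(fields["iv"])}


def build_blob(rc4_key: bytes, msg: str) -> str:
    """Constructed helper: wrap a message in the same format, for testing only."""
    hexstr = rc4_key.hex() + rc4(rc4_key, msg.encode()).hex()
    return base64.b64encode(hexstr.encode()).decode()


# Constructed sample: the values the writeup recovered, re-wrapped under a made-up RC4 key
SAMPLE_MSG = "id=d1&key=2f87011fadc6c2f7376117867621b606&iv=95bc0ed56ab0e730b64cce91c9fe9390"
SAMPLE_BLOB = build_blob(b"\x13" * 20, SAMPLE_MSG)

if __name__ == "__main__":
    p = recover_params(SAMPLE_BLOB)
    print(hex(p["mask"]), p["key"].hex(), p["iv"].hex())
```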

2. Injector

The injector works by IAT hooking. The recovered string is ROT13-encoded:

```
GZPGS {jnag_fhz_vng_ubbxvat}
```

ROT13 decodes it to TMCTF{want_sum_iat_hooking}.

3. crmeenV5

The binary is packed with MEW 11 SE 1.2 by Northfox. Unpacking it is trivial, and the flag drops out immediately once the anti-debug code is patched:

```
TMCTF{F14g1s::____1G}
```

4. Arts-and-Rafts

WIP

5. some_assembly_required

Check the TLS callback function (it runs before the entry point):

```
TMCTF{g0d_th4t_mu5+_h4v3_b33n_annoy1ng}
```

6. catchme

The challenge comes with a hint: find the exact C2 server.
Catchme is a malware sample that attempts to connect to its C2 and leak user information. Some code branches have to be patched by hand, otherwise the program crashes.

The flag should be echoed back when the malware connects to http://c2:80/?rlz=abc with host error.reg. Catchme contains several self-modifying code (SMC) sections, and one function decrypts its strings:

```
# last updated 1535460602 (Tue Aug 28 12:50:02 2018 GMT),0.0.0.0/8,2.56.0.0/14,5.133.64.0/18,5.180.0.0/14,5.252.0.0/15,10.0.0.0/8,31.40.192.0/18,31.132.32.0/19,37.44.192.0/18,37.221.64.0/18,41.62.0.0/16,41.67.64.0/20,41.67.88.0/21,41.67.96.0/19,41.73.16.0/20,41.74.96.0/20,41.75.16.0/20,41.76.160.0/21,41.76.232.0/21,41.77.160.0/21,41.77.216.0/22,41.77.248.0/21,41.78.12.0/22,41.78.44.0/22,41.78.68.0/22,41.78.132.0/22,41.78.160.0/22,41.78.176.0/21,41.78.236.0/22,41.79.0.0/22,41.79.84.0/22,41.79.100.0/22,41.79.140.0/22,41.84.160.0/19,41.87.32
...
```

Run zmap over the recovered IP list:

```
zmap -p 80 -o results.csv --whitelist-file=ips.txt
```

Unfortunately, the CTF had already ended by the time zmap finished.