CodeGate 2012 Quals – Binary 300

There is a malicious program associated with a DDoS zombie.
Calculate the sum of the port numbers used for the attack.
And how many times does the zombie try to attack?

Answer: sum(attack_ports) * attack_count (* : multiplication)

Download : 72C4DAA981E17282B12E6226A1D60162

Summary: unpack, malware analysis

There are two files: bin300.exe and dRcw.ziq.
bin300.exe, the zombie, is the malware. It looks like a bot that can execute several commands. dRcw.ziq is a temporary file that holds the bot's commands in encrypted form.
The bot is packed, but unpacking it does not take long. The bot's main functionality is located at address 0x004011B0.
The bot has the following commands (command number in parentheses):

  • Execute file (4)
  • Get User ID (5)
  • Enumerate registry key (6)
  • Save command in encrypted file (7), handler at address 0x004014AD
  • DDoS with settings from the saved file (8), handler at address 0x00401DE0

So we reconstructed the algorithm of the DDoS function at 0x00401DE0 and used it to decode dRcw.ziq:

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

typedef uint16_t WORD;
typedef uint32_t DWORD;

/* XOR every byte of the buffer with the low byte of key; a zero key leaves the data untouched. */
int xor_func(uint8_t *a1, unsigned int size, int key)
{
  int result = 0;
  unsigned int i;
  if ( key )
  {
    for ( i = 0; i < size; ++i )
    {
      a1[i] ^= key;
      result = i + 1;
    }
  }
  return result;
}

#pragma pack (push, 1)
struct param                /* one attack record in dRcw.ziq: 25-byte fixed part + payload */
{
    unsigned int xor_key;   /* plaintext key for this record */
    unsigned int time1;     /* from here through 'size' (21 bytes) is XOR-encrypted */
    unsigned int time2;
    char type;
    WORD offset;
    DWORD host;
    DWORD port;
    WORD size;
    unsigned int aaa;       /* first bytes of the (size + offset)-byte encrypted payload */
};
#pragma pack (pop)

int main(int argc, char* argv[])
{
   FILE* hFile;
   struct param *lpParameter = 0, *pparam = 0;
   unsigned int sum = 0;    /* sum of attack ports */
   unsigned int sum2 = 0;   /* attack count derived from the record timestamps */
   hFile = fopen("dRcw.ziq", "rb");
   if ( hFile )
   {
      fseek(hFile, 0, SEEK_END);
      int Count = ftell(hFile);
      rewind(hFile);
      unsigned char* Memory = (unsigned char*)malloc(Count);
      fread(Memory, 1u, Count, hFile);
      fclose(hFile);
      unsigned char* pmem = Memory;
      lpParameter = (struct param *)((char *)Memory + 13);     /* records start at offset 13 */
      for ( int i = 0; i < *(DWORD *)(pmem + 9); ++i )          /* record count is at offset 9 */
      {
         pparam = lpParameter;
         /* decrypt the 21-byte fixed part (time1 .. size) with this record's key */
         xor_func((uint8_t*)&lpParameter->time1, 21, (int)lpParameter->xor_key);
         if ((lpParameter->time2 - lpParameter->time1) > 0)
            sum2 += ((lpParameter->time2 - lpParameter->time1)/10000 + 1);
         printf("\nHost: %08x Port: %08x", lpParameter->host, lpParameter->port);
         sum += (WORD)lpParameter->port;
         /* decrypt the variable-length payload that follows the fixed part */
         xor_func((uint8_t*)&lpParameter->aaa, pparam->size + pparam->offset, (int)lpParameter->xor_key);
         printf("\n%s", (unsigned char*)lpParameter + 25);
         lpParameter = (struct param *)((char *)lpParameter + pparam->size + pparam->offset + 25);
      }
   }
   printf("\nAttack count: %u", sum2);
   printf("\nKey: %u", sum*8);   /* sum(attack_ports) * attack_count, with attack_count = 8 */
   return 0;
}

Key: 45136
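To make the file layout the reconstruction walks easier to reason about (record count at offset 9, records from offset 13, each with a plaintext 4-byte key followed by 21 encrypted fixed bytes and a size + offset byte payload), here is an added Python encoder/decoder for that layout. It is example code written for this page, not the bot's code and not the writeup's tool; it builds a constructed sample file, parses it back and computes sum(ports) and the attack count the same way the C code does. Assumptions not established by the writeup: the 9 header bytes before the record count are opaque (zeros here), records are written with offset = 0 and size = payload length, and only the low byte of xor_key takes part in the XOR (as a1[i] ^= key does on a byte buffer).

```python
# Added example (not the writeup's code, not the bot's): an encoder/decoder for
# the dRcw.ziq layout reconstructed above, applied to a constructed sample file.
# Assumptions: the 9 header bytes before the record count are opaque (zeros
# here); records are written with offset = 0 and size = len(payload); the XOR
# uses only the low byte of xor_key, exactly as 'a1[i] ^= key' does on bytes.
import struct

FIXED_FMT = "<IIIBHIIH"                 # xor_key, time1, time2, type, offset, host, port, size
FIXED_LEN = struct.calcsize(FIXED_FMT)  # 25 bytes
ENC_LEN = FIXED_LEN - 4                 # 21 bytes from time1 through size are XOR-encrypted
RECORDS_OFFSET = 13                     # 9 opaque header bytes + 4-byte record count


def xor_bytes(data, key):
    """Mirror of xor_func: XOR every byte with the low byte of key; key 0 is a no-op."""
    k = key & 0xFF
    return bytes(data) if k == 0 else bytes(b ^ k for b in data)


def encode_record(xor_key, time1, time2, typ, host, port, payload):
    """Serialise one attack record the way the reconstruction expects to read it."""
    fixed = struct.pack(FIXED_FMT, xor_key, time1, time2, typ, 0, host, port, len(payload))
    # Everything after the plaintext key is encrypted under that key.
    return fixed[:4] + xor_bytes(fixed[4:] + payload, xor_key)


def build_file(records, prefix=b"\x00" * 9):
    """Assemble a dRcw.ziq image: opaque 9-byte prefix, record count, records."""
    if len(prefix) != 9:
        raise ValueError("prefix must be 9 bytes")
    return prefix + struct.pack("<I", len(records)) + b"".join(records)


def parse_file(data):
    """Walk and decrypt the records exactly as the C reconstruction does."""
    (count,) = struct.unpack_from("<I", data, 9)
    pos, out = RECORDS_OFFSET, []
    for _ in range(count):
        (key,) = struct.unpack_from("<I", data, pos)
        fixed = data[pos:pos + 4] + xor_bytes(data[pos + 4:pos + FIXED_LEN], key)
        _, t1, t2, typ, offset, host, port, size = struct.unpack(FIXED_FMT, fixed)
        plen = size + offset
        if pos + FIXED_LEN + plen > len(data):
            raise ValueError("truncated record at offset %d" % pos)
        payload = xor_bytes(data[pos + FIXED_LEN:pos + FIXED_LEN + plen], key)
        out.append({"time1": t1, "time2": t2, "type": typ, "host": host,
                    "port": port, "payload": payload})
        pos += FIXED_LEN + plen
    return out


def attack_count(rec):
    """Per-record attack count as the writeup derives it from the two timestamps."""
    delta = rec["time2"] - rec["time1"]
    return delta // 10000 + 1 if delta > 0 else 0


def solve(data):
    """Return (sum of 16-bit ports, total attack count, their product)."""
    recs = parse_file(data)
    port_sum = sum(r["port"] & 0xFFFF for r in recs)   # the C code sums (WORD)port
    count = sum(attack_count(r) for r in recs)
    return port_sum, count, port_sum * count


# Constructed sample: three records, including a zero key (no encryption) and a
# port whose upper 16 bits are non-zero, to exercise the (WORD) truncation.
SAMPLE_FILE = build_file([
    encode_record(0x5A, 1000, 41000, 8, 0x0100007F, 80, b"GET / HTTP/1.1\r\n"),
    encode_record(0x00, 0, 25000, 8, 0x0100007F, 53, b"\x01\x02\x03"),
    encode_record(0x1234FF, 100, 100, 8, 0x0100007F, 0x00010050, b"x" * 16),
])

if __name__ == "__main__":
    for r in parse_file(SAMPLE_FILE):
        print("Host: %08x Port: %08x payload=%r" % (r["host"], r["port"], r["payload"]))
    print("ports=%d count=%d key=%d" % solve(SAMPLE_FILE))
```

On the real dRcw.ziq you would replace SAMPLE_FILE with the file contents; the parser raises on a truncated record instead of reading past the buffer, which the pointer-walking C version does not guard against.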
