File: revloader.exe
SHA256:A085D97CBC2C3F11062C54C1E3B4B850903FE7EC5BB8C0888CD5B7CE9034C5C6
Packed: No
Architecture: 64Bit
Tools used: exeinfo, IDA Pro, Cuckoo Sandbox, cerbero profiler
Codes & Binaries: https://github.com/jmprsp/labyrenth/tree/master/Window-Challenge-8
Description: This challenge installs a driver on the target machine. Reverse the driver to get the flag!
The binary is not pack… looking through the strings we can see some interesting stuff.
Firing up Cerbero Profiler, we can see 3 resources embedded in the binary. 2 executables and 1 text file.
I shall attempt to use cuckoo sandbox to aid in my analysis (well i am lazy =D). Interestingly revloader.exe dropped 3 files in temp folder as shown below. We can also see a VBoxDrv.sys dropped by dsefix.exe. The use of this driver reminds me of a exploit few years ago that makes use of a VBox driver exploit to gain privilege escalation. Well let’s analyze this some other day. For now we shall stay focus on getting the flag.
In cuckoo box, we can download the files that has been written on disk.
Analyzing revhunt.sys via IDA Pro,w e can see some interesting strings.
Looks like there is a high chance that the flag is hidden in this driver.
Now if we look at 0x001400014D9, we can see that a function is called. In which the return result determines whether the flag is shown! Lets jump right in to the function @0x000000014000181C to see if we can find anything interesting.
From the above figure, we can see that a variable is being checked against with the string “PAN{“. Let’s analyze further down…
Looking at the figure below, @0x0140001946 we can see a cmp operations. Seems like the value is obtained after xoring with 0x1A1B1C1D (@0x014000193E). Doing a reverse xor…. eax should contain 0x2C776F57 in order to pass the cmp test. 0x2C886F57 === ,woW (to be exact Wow, -> little endian).
so far the flag is PAN{Wow, ????
Cool looks like we are on the right track! For simplicity i have tabulated a table for decoding the flag.
| pos | cmp address | math transformation | value |
| 1 | 0x0000000140001913 | None | P |
| 2 | 0x000000014000191D | None | A |
| 3 | 0x0000000140001927 | None | N |
| 4 | 0x0000000140001931 | None | { |
| 5-8 | 0x0000000140001946 | 0x366C734A ^ 0x1A1B1C1D = 0x2C776F57 | Wow, |
| 9 | 0x000000014000196C | (0xF0 ^ 0xB0) >> 1 = 0x20 | [space] |
| 10 | 0x000000014000198 | (0x56 ^ 0x20) – 4 = 0x72 | r |
| 11-18 | 0x0000000140001990 | 0x8888999900001110 ^ 0x0A9FAFCEA72656770 = 0x2172657372657660 | [` – o]verser! |
| 19 | 0x0000000140001B30 | None | [space] |
| 20 | 0x0000000140001B3C | 0x67 ^ 0x20 = 0x47 | G |
| 21 | 0x0000000140001B71 | None | r |
| 22 | 0x0000000140001B58 | 0xFC ^ 0x99 = 0x65 | e |
| 23 | 0x0000000140001B4B | 0xC3/3 + 0x20 = 0x61 | a |
| 24 | 0x0000000140001B7D | 0x3B ^ 0x4F = 0x74 | t |
| 25 | 0x0000000140001B66 | None | [space] |
| 26 | 0x0000000140001B89 | (0x71 – 0xf) ^ 0xf = 0x6D | m |
| 27 | 0x0000000140001BA4 | (0x81 ^ 0x21) – 0x31 = 0x6F | o |
| 28 | 0x0000000140001B95 | 0x46 ^ 0x30 = 0x76 | v |
| 29 | 0x0000000140001BB9 | 0x58 + 0xC + 1= 0x65 | e |
| 30 | 0x0000000140001BC2 | none | s |
| 31 | 0x0000000140001BFC | none | , |
| 32 | 0x?? | none | [space] |
| 33 | 0x0000000140001C08 | 0x1AC0 >> 6 = 0x6B | k |
| 34 | 0x0000000140001C1A | X*8 +0xFFFFFFE0 == 0x308 | e |
| 35 | 0x0000000140001C31 | ((0xE002 ^ 0xF2F2) >> 4) / 3 = 0x65 | e |
| 36 | 0x0000000140001C45 | (0x9542 ^ 8942) >> 6 | p |
| 37 | 0x?? | none | [space] |
| 38 | 0x0000000140001C6D | ((0x834 << 2) >> 4) /5 = 0x69 | i |
| 39 | 0x0000000140001C81 | (0x94DD ^ 0x83c1) / 0x33 = 0x74 | t |
| 40 | 0x0000000140001C56 | 0x1F + 1 = 0x20 | [space] |
| 41 | 0x0000000140001CC5 | (0x1DD36C ^ 0x46) / 0x4142 = 0x75 | u |
| 42 | 0x0000000140001CAC | 0x328250 / 0x7373 = 0x70 | p |
| 43 | 0x0000000140001C98 | 0x2D – 1 = 0x2C | , |
| 44 | 0x0000000140001D09 | 0xB6 ^ 0x32 = 0x2C | , |
| 45 | 0x0000000140001D29 | 0x40 – 0x20 = 0x20 | [space] |
| 46 | 0x0000000140001D1B | (0xD7 ^ 0x44) – 0x23 = 0x70 | p |
| 47 | 0x0000000140001D3B | (0xB2 ^ 0x21) – 0x21 = 0x72 | r |
| 48 | 0x0000000140001D4D | ((X*4)+7C) & 0xFF == 0x38 | o |
| 49 | 0x0000000140001D5D | (0x8F25 ^ 0x8875) >> 4 = 0x75 | u |
| 50 | 0x0000000140001D72 | (0xd6 ^ 0xE4)/2 >> 2 = 0x64 | d |
| 51 | 0x0000000140001D84 | (0x62^0x42) = 0x20 | [space] |
| 52 | 0x0000000140001E05 | (0x70D49 ^ 0x48354) / 0x833 = 0x6F | o |
| 53 | 0x0000000140001E1D | (0x14C3A1 ^ 0x232221) / 0x8C40 = 0x66 | f |
| 54 | 0x0000000140001DE3 && 0x0000000140001DEE | must be same as 50 && btc 0xA0, 7 == 0x20 | [space] |
| 55 | 0x0000000140001E5F | 0x5C ^ 0x25 = 0x79 | y |
| 56 | 0x0000000140001E71 | (0x20F63 ^ 0x23) / 0x4C0 = 0x6F | o |
| 57 | 0x0000000140001E89 | (0x242067 ^ 0x12567)/0x5100 = 0x75 | u |
| 58 | 0x0000000140001E9E | ((0x61 ^ 0x21) >> 6) + 0x20 = 0x21 | ! |
| 59 | 0x0000000140001EB3 | ((0x13F ^ 0x903) / 0x44) << 2 = 0x7C (0x7C – 0x7F) | } |
I guessed some of the values as I did not manage to spot the cmp instructions (character 32 and 37). For character 11, the value is also guessed due to loss of data during transformation.
FLAG: PAN{Wow, reverser! Great moves, keep it up, proud of you!}
jmp RSP 