s_xor2 and s_xor4 reference the encryption constants (_TeX), and s_xor3 and s_xor5 reference the decryption constants (_TdX). The PEiD KANAL plug-in reveals AES constants at the same locations; the figure shows the output of the PEiD tool. PEiD's identification of S and S-inv refers to the S-box and inverse S-box, lookup tables that are a basic component of AES and of several other cryptographic algorithms.
The xor instruction at ❶ shows that s_xor6 is used for XOR encoding. The variable arg_0 is a pointer to the source buffer being transformed, and arg_4 points to the buffer providing the XOR material. As the loop executes, the pointers into the two buffers (arg_0 and arg_4) and the counter var_4 are updated, as the three references at ❷ show. To determine whether s_xor6 is related to the other encoding functions, we examine its cross-references. The function that calls s_xor6 starts at 0x0040352D; the figure shows a graph of the function cross-references from 0x0040352D.
The string CDEFGHIJKLMNOPQRSTUVWXYZABcdefghijklmnopqrstuvwxyzab0123456789+/ is referenced from the function at 0x0040103F. That function does the indexed lookup into the string, and its caller (the function at 0x00401082) divides the string to be decoded into 4-byte chunks. The function at 0x00401082 is therefore the custom Base64 decode function, and in the function that calls it (0x0040147C) we can see that the decode call lies between a ReadFile and a WriteFile. This is the same pattern we saw for the use of AES, but in a different function.

Before we can decrypt content, we need to determine the connection between the content and the encoding algorithm. As we know, the AES encryption function is used by the function starting at 0x0040132B. Looking at the function that calls 0x0040132B in the listing, we see that 0x0040132B is the start of a new thread created with the CreateThread call shown at ❶, so we rename 0x0040132B to aes_thread.
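The custom Base64 decoder described above, written out as an added example (it is not code from the lab binary or from the book): the alphabet is the one recovered from the binary, and decode_custom_b64 mirrors the structure the disassembly shows, an indexed lookup into the alphabet (the role of the function at 0x0040103F) applied to the input in 4-character groups (the role of the function at 0x00401082). decode_custom_b64_fast gets the same result by translating the custom alphabet to the standard one and using Python's base64 module, which is the quicker approach in practice, and encode_custom_b64 produces traffic in the sample's format. The function names are mine, and the sample strings are constructed.

```python
import base64

# Alphabet recovered from the binary (the string referenced at 0x0040103F).
CUSTOM_ALPHABET = "CDEFGHIJKLMNOPQRSTUVWXYZABcdefghijklmnopqrstuvwxyzab0123456789+/"
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# A custom alphabet is only a re-ordering of the standard one; check that before trusting it.
assert len(CUSTOM_ALPHABET) == 64 and set(CUSTOM_ALPHABET) == set(STD_ALPHABET)


def decode_custom_b64(text: str) -> bytes:
    """Decode the way the malware does: look each character up in the custom
    alphabet and consume the input in 4-character groups of 6-bit values."""
    text = "".join(text.split())           # ignore line breaks and spaces
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4].rstrip("=")   # '=' only ever pads the final group
        if len(group) < 2:                  # fewer than 2 symbols cannot yield a byte
            break
        value = 0
        for ch in group:
            idx = CUSTOM_ALPHABET.find(ch)
            if idx < 0:
                raise ValueError(f"character {ch!r} is not in the custom alphabet")
            value = (value << 6) | idx
        value <<= 6 * (4 - len(group))      # left-align a short final group
        # 4 symbols -> 3 bytes, 3 -> 2, 2 -> 1
        out += value.to_bytes(3, "big")[: len(group) - 1]
    return bytes(out)


_TO_STD = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)
_FROM_STD = str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)


def decode_custom_b64_fast(text: str) -> bytes:
    """Same result via alphabet translation plus the standard library."""
    std = "".join(text.split()).translate(_TO_STD)
    std += "=" * (-len(std) % 4)            # restore padding if the sample stripped it
    return base64.b64decode(std)


def encode_custom_b64(data: bytes) -> str:
    """Encoder, useful for crafting test traffic or matching captured strings."""
    return base64.b64encode(data).decode("ascii").translate(_FROM_STD)


if __name__ == "__main__":
    # Constructed sample: a command as the attacker would send it, in the sample's encoding.
    wire = encode_custom_b64(b"dir\r\n")
    print(wire, decode_custom_b64(wire), decode_custom_b64_fast(wire))
```

The manual decoder is the one to keep next to the disassembly when checking that the reversing is right (it fails loudly on characters outside the alphabet, which is how an unrelated string that merely looks like Base64 shows itself); the translate-based one is what goes into a decoder script once the alphabet is confirmed.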
The listing shows aes_thread with its calls to ReadFile and WriteFile, and the origin of the handles passed to those functions. The handle used by the WriteFile call at ❷ can be mapped back to var_54/arg_10, as shown at ❸.
The custom alphabet is held in the script's tab variable. Using this script, we translate the string to see what command was sent to the command shell. The output shows that the attacker is sending a request for a directory listing (dir).
The raw.replace call at ❷ removes the spaces from the raw string, and binascii.unhexlify turns the hex representation into a binary string. The AES.new call at ❸ creates an AES object with the appropriate key and mode of operation, which allows the decrypt call that follows at ❹. The output of the AES script is shown in the listing. Note that this captured content is simply a command prompt.
Block cipher algorithms have many possible modes of operation, such as Electronic Code Book (ECB), Cipher Block Chaining (CBC), and Cipher Feedback (CFB). Each mode requires a different set of steps between the encryption or decryption of each block, and some require an initialization vector in addition to the key. If you do not match the mode the implementation uses, decryption may work only partially or not at all.
In this lab, the key was provided directly. A given implementation may have its own technique for generating a key from a user-provided or string-based password. In such cases, the key-generation algorithm will need to be identified and duplicated separately.
Within a standard algorithm, there may be options that must be specified correctly. For example, a single encryption algorithm may allow multiple key sizes, block sizes, rounds of encryption or decryption, and padding strategies.