[Writeup] Challenge3.exe

A short write-up and some proof-of-concept source code.
According to the PE identifier, the binary is a Visual C++ application and is not packed with any packer.

Opening the file shows this window:


The error message looks like this:

The algorithm/logic in assembly, with my messy comments on each line:


The algorithm in pseudocode is:
// a1..a7 are the input characters
// the constant is 2108268 in decimal


[(a1*2)+(a3*5)+(a5*1)+(a2*3)+(a4*7)+(a6*3)+(a7*7)]*[a1+a2+a3+a4+a5+a6+a7]==2108268


WARNING! This is a POC only; it may well not work.
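As an added example (not the POC from this write-up), here is a Python model of the recovered check together with a small search for an input that passes it. The weights and the constant are taken from the pseudocode above; the assumption that the input is seven lowercase letters is mine, since the write-up does not say which character set the binary accepts. The search uses the fact that the product must equal 2108268 exactly, so the plain sum has to be one of its divisors, which leaves only a couple of (plain sum, weighted sum) pairs to look for.

```python
from itertools import product

# Added example, not the write-up's own POC: a model of the recovered check
# and a meet-in-the-middle search for an input that satisfies it.

WEIGHTS = (2, 3, 5, 7, 1, 3, 7)   # multiplier of a1..a7 in the weighted sum
TARGET = 2108268                  # the constant the product is compared against


def check(serial):
    """Model of the pseudocode: (weighted sum) * (plain sum) == TARGET."""
    if len(serial) != len(WEIGHTS):
        return False
    codes = [ord(c) for c in serial]
    weighted = sum(w * c for w, c in zip(WEIGHTS, codes))
    plain = sum(codes)
    return weighted * plain == TARGET


def candidate_sums(alphabet):
    """(plain_sum, weighted_sum) pairs whose product is TARGET and that are
    reachable at all with 7 characters drawn from `alphabet`.  The plain sum
    must divide TARGET, so only a handful of pairs survive."""
    lo, hi = min(alphabet), max(alphabet)
    n, wsum = len(WEIGHTS), sum(WEIGHTS)
    pairs = []
    for s in range(n * lo, n * hi + 1):
        if TARGET % s == 0:
            w = TARGET // s
            if wsum * lo <= w <= wsum * hi:
                pairs.append((s, w))
    return pairs


def solve(alphabet=range(ord("a"), ord("z") + 1)):
    """Return one 7-character string over `alphabet` that passes check(), or
    None.  Meet in the middle: tabulate (sum, weighted sum) for every choice
    of a1..a3, then scan a4..a7 and look up the remainder each pair needs.
    The lowercase-letter alphabet is an assumption, not from the write-up."""
    alphabet = tuple(alphabet)
    head_w, tail_w = WEIGHTS[:3], WEIGHTS[3:]
    head = {}
    for codes in product(alphabet, repeat=3):
        key = (sum(codes), sum(w * c for w, c in zip(head_w, codes)))
        head.setdefault(key, codes)
    for s, w in candidate_sums(alphabet):
        for codes in product(alphabet, repeat=4):
            need = (s - sum(codes), w - sum(x * c for x, c in zip(tail_w, codes)))
            if need in head:
                return "".join(map(chr, head[need] + codes))
    return None


if __name__ == "__main__":
    found = solve()
    print(found, check(found))
```

Because the check only constrains two linear sums, there are many valid inputs; solve() returns the first one the scan reaches, and check() can be pointed at any candidate (for instance "khhdjhh", whose sums are 729 and 2892) to confirm it independently.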

Fix Unable to locate package linux-headers-4.0.0-kali1-amd64 on kali 2.0

After installing Kali to the hard disk, I ran into a problem when installing the NVIDIA driver.

When I try the command

apt-get install -y linux-headers-$(uname -r)

it reports that the package cannot be found:

E: Unable to locate package linux-headers-4.0.0-kali1-amd64

This problem occurs because I opted out of installing from a network mirror, so /etc/apt/sources.list needs to be updated.

I found the solution while reading these post-install tips:

If for some reason you chose “no” when asked “use a network mirror” during your Kali installation, you may be missing some entries in your sources.list file. If this is the case, check the official repository list for the entries that should be in that file. Despite what many unofficial guides instruct you to do, avoid adding extra repositories to your sources.list file. Don’t add kali-dev, kali-rolling, or any other Kali repositories unless you have a specific reason to – which usually, you won’t. If you *must* add additional repositories, drop a new sources file in /etc/apt/sources.list.d/ instead.
Make sure these lines are in your sources.list:

deb-src http://http.kali.org/kali sana main non-free contrib
deb-src http://security.kali.org/kali-security sana/updates main contrib non-free

deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security sana/updates main contrib non-free


Then update the package lists and upgrade:

apt-get update
apt-get dist-upgrade

Now you can install whatever you need again.

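As an added example (not part of the original post), the following Python script checks a sources file for the four official entries listed above and reports which ones are missing, so you can add only those instead of appending lines blindly and ending up with duplicates. The entry list is copied from the post; the normalisation (ignoring comments, spacing and component order) is my own choice.

```python
# Added example (not from the original post): check a Kali "sana" sources file
# for the official entries quoted in the post and report which are missing.

REQUIRED_SOURCES = [
    "deb http://http.kali.org/kali sana main non-free contrib",
    "deb http://security.kali.org/kali-security sana/updates main contrib non-free",
    "deb-src http://http.kali.org/kali sana main non-free contrib",
    "deb-src http://security.kali.org/kali-security sana/updates main contrib non-free",
]


def entry_key(line):
    """Normalise one 'deb'/'deb-src' line to (type, uri, suite, components)
    so that spacing and component order do not matter.  Returns None for
    comments, blank lines and anything that is not a plain one-line entry."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 4 or fields[0] not in ("deb", "deb-src"):
        return None
    return (fields[0], fields[1], fields[2], frozenset(fields[3:]))


def parse_sources(text):
    """Set of normalised active entries found in sources.list-style text."""
    keys = (entry_key(line) for line in text.splitlines())
    return {k for k in keys if k is not None}


def missing_sources(text, required=REQUIRED_SOURCES):
    """The required entries (verbatim) that `text` does not already contain."""
    present = parse_sources(text)
    return [entry for entry in required if entry_key(entry) not in present]


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/apt/sources.list"
    with open(path) as f:
        missing = missing_sources(f.read())
    if missing:
        print("missing from %s:" % path)
        print("\n".join(missing))
    else:
        print("all official sana entries present in", path)
```

Run it as `python3 check_sources.py /etc/apt/sources.list`; the lines it prints are exactly the ones to paste in before running apt-get update.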
RE APK for Fun and Profit

Today I stumbled upon an APK called proxy.apk that ships with an encrypted configuration file. The configuration looks like this, ALMOST identical to base64:


So I decompiled the APK using enjarify, which is quite good, like an improved version of dex2jar.

C:\>enjarify proxy.apk

But when reading the decompiled dex files I came across apkprotect.com, which is the reason enjarify could not decompile the APK properly.


After a quick Google search I found out that the APK is protected with apkprotect, whose site is down at the time of writing. Another quick search on how to deobfuscate apkprotect turned up this blog post: Anti_APKProtect



This will generate the following files:


Then I analyzed classes_unpack.dex using Bytecode Viewer. After a while I found out that Jasypt handles the encryption and decryption of the config file. The official project states that:
Jasypt is a java library which allows the developer to add basic encryption capabilities to his/her projects with minimum effort, and without the need of having deep knowledge on how cryptography works.
So how do I decrypt the config file?
The docs page on the Jasypt website clearly explains how the encryption/decryption process works and also provides tools for it. It clearly states that encryption/decryption requires a password.

So let's dive into the APK and find the password.

It looks easy enough to find, so let's decrypt all the strings using the tools provided by Jasypt. Let the pictures do the talking:


As you can see: some IPs, ports, and maybe the date the configuration was created.
So that's all, till next time!


Wargames.my 2015 Challenge5 Sikit-sikit lama-lama jadi bukit

In wargames.my 2015 our team managed to solve only 2 challenges, because we were busy with our final exams and had no brain left for the competition.

So let's get on with the challenge.
The hint given is a C&C server address, blablayadaaofeiwnfvocwvonwec.wargames.my.

So we open sinkholed_traffic.pcapng in Wireshark and filter on that address.
After a while we managed to find something useful in the HTTP header, namely
"wefwavwef="

I am no master in programming, so I used Linux tools and the shell.
Here is a summary of it:



r0x@b0x:~/Desktop$ sudo tcpick -C -yP -r sinkholed_traffic.pcapng | grep wefwavwef= > decode.txt

r0x@b0x:~/Desktop$ cat decode.txt
wefwavwef=3b2cc923a4beb7dfff5e378cdb41626a86c05ef6MDQvMDY%3dAQEFXQAAAQAMJwAICgHA5%2f0%2bAAAFAREZAHMAeQBz
wefwavwef=6a7dd901c5965c767b69e3eea46c2afa82a12485MDIvMDY%3d%2fCcAOhoIznZkpyGug6wH%2bnE%2bf0ygjpQO3U005JRj
wefwavwef=f31e92d008b9a49d3047b15b44c627e0b05ffdbfMDYvMDY%3dARUGAQAgAAAAAAA%3d
wefwavwef=a6b153ee99408406b3a9ac260c809fb74d990bf3MDUvMDY%3dAGkAbgBmAG8ALgB0AHgAdAAAABQKAQDQffjJPZTQ
wefwavwef=f0a021760a1407e957c080362497f2f726f1b774MDMvMDY%3d5gBiE9NITMr1ItKk%2fiLBAQQGAAEJKwAHCwEAASMD
wefwavwef=8bc85586c9caafcc26673c98caaf980f57277091MDEvMDY%3dN3q8ryccAAMGi8mhKwAAAAAAAABWAAAAAAAAAGG4

r0x@b0x:~/Desktop$ urlencode -d wefwavwef=3b2cc923a4beb7dfff5e378cdb41626a86c05ef6MDQvMDY%3dAQEFXQAAAQAMJwAICgHA5%2f0%2bAAAFAREZAHMAeQBz \
> wefwavwef=6a7dd901c5965c767b69e3eea46c2afa82a12485MDIvMDY%3d%2fCcAOhoIznZkpyGug6wH%2bnE%2bf0ygjpQO3U005JRj \
> wefwavwef=f31e92d008b9a49d3047b15b44c627e0b05ffdbfMDYvMDY%3dARUGAQAgAAAAAAA%3d \
> wefwavwef=a6b153ee99408406b3a9ac260c809fb74d990bf3MDUvMDY%3dAGkAbgBmAG8ALgB0AHgAdAAAABQKAQDQffjJPZTQ \
> wefwavwef=f0a021760a1407e957c080362497f2f726f1b774MDMvMDY%3d5gBiE9NITMr1ItKk%2fiLBAQQGAAEJKwAHCwEAASMD \
> wefwavwef=8bc85586c9caafcc26673c98caaf980f57277091MDEvMDY%3dN3q8ryccAAMGi8mhKwAAAAAAAABWAAAAAAAAAGG4 | tr " " "\n" > decode.txt

r0x@b0x:~/Desktop$ cat decode.txt | perl -p -e 's/^.*?MD/MDY/' | sort | sed 's/.*MDY=//' | base64 -d > decode.7z

r0x@b0x:~/Desktop$ 7z e decode.7z | cat sysinfo.txt | grep flag
the flag is - worryingwontmakeanybetter
r0x@b0x:~/Desktop$



the flag is - worryingwontmakeanybetter
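As an added example (not the shell pipeline from this write-up), here is the same reassembly done in Python. It takes the six wefwavwef= values from the tcpick output above, URL-decodes each one, splits it into the 40 hex characters, the base64 "NN/MM" chunk counter (MDQvMDY= decodes to 04/06) and the base64 payload, then orders the chunks by the decoded counter instead of relying on the sort order of the base64 text, and concatenates the decoded payloads. The result starts with the 7-Zip signature, which is what the write-up then extracts with 7z. The layout of the value (hash, counter, payload) is my reading of the data; the write-up itself does not explain the format.

```python
import base64
import re
from urllib.parse import unquote

# Added example, not the write-up's own code.  The beacon values below are
# copied from the tcpick output in the write-up, one per HTTP request.
BEACONS = """\
wefwavwef=3b2cc923a4beb7dfff5e378cdb41626a86c05ef6MDQvMDY%3dAQEFXQAAAQAMJwAICgHA5%2f0%2bAAAFAREZAHMAeQBz
wefwavwef=6a7dd901c5965c767b69e3eea46c2afa82a12485MDIvMDY%3d%2fCcAOhoIznZkpyGug6wH%2bnE%2bf0ygjpQO3U005JRj
wefwavwef=f31e92d008b9a49d3047b15b44c627e0b05ffdbfMDYvMDY%3dARUGAQAgAAAAAAA%3d
wefwavwef=a6b153ee99408406b3a9ac260c809fb74d990bf3MDUvMDY%3dAGkAbgBmAG8ALgB0AHgAdAAAABQKAQDQffjJPZTQ
wefwavwef=f0a021760a1407e957c080362497f2f726f1b774MDMvMDY%3d5gBiE9NITMr1ItKk%2fiLBAQQGAAEJKwAHCwEAASMD
wefwavwef=8bc85586c9caafcc26673c98caaf980f57277091MDEvMDY%3dN3q8ryccAAMGi8mhKwAAAAAAAABWAAAAAAAAAGG4
"""

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"   # first six bytes of a 7-Zip archive

# Layout as read from the values (an assumption, the write-up does not state it):
# 40 hex characters (left alone here, the write-up drops them too), 8 base64
# characters encoding a "NN/MM" chunk counter, then the base64 payload chunk.
BEACON_RE = re.compile(r"^wefwavwef=([0-9a-f]{40})([A-Za-z0-9+/]{7}=)(.*)$")


def _b64decode(s):
    # restore '=' padding in case it was stripped somewhere along the way
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_beacon(line):
    """Split one wefwavwef= value into digest, counter and decoded payload."""
    value = unquote(line.strip())          # %3d -> '=', %2f -> '/', %2b -> '+'
    m = BEACON_RE.match(value)
    if not m:
        raise ValueError("unexpected beacon format: %r" % line)
    digest, counter_b64, payload_b64 = m.groups()
    index, total = _b64decode(counter_b64).decode("ascii").split("/")
    return {"digest": digest, "index": int(index), "total": int(total),
            "payload": _b64decode(payload_b64)}


def reassemble(text):
    """Order the chunks by their decoded counter and join the payloads,
    refusing to produce a truncated archive if any chunk is missing."""
    chunks = [parse_beacon(l) for l in text.splitlines() if l.strip()]
    totals = {c["total"] for c in chunks}
    if len(totals) != 1:
        raise ValueError("inconsistent chunk totals: %r" % sorted(totals))
    total = totals.pop()
    by_index = {c["index"]: c["payload"] for c in chunks}
    missing = [i for i in range(1, total + 1) if i not in by_index]
    if missing:
        raise ValueError("missing chunks: %r" % missing)
    return b"".join(by_index[i] for i in range(1, total + 1))


def looks_like_7z(data):
    return data.startswith(SEVENZIP_MAGIC)


if __name__ == "__main__":
    archive = reassemble(BEACONS)
    print(len(archive), "bytes, 7z signature:", looks_like_7z(archive))
    with open("decode.7z", "wb") as f:
        f.write(archive)
```

The explicit counter check is the part worth keeping from this: the one-liner in the write-up only works because the base64 of 01..06 happens to sort in the right order, and it would silently produce a broken archive if a request had been lost from the capture.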

A little bit messy, but it gets the job done. Kudos to the organizers for the awesome, brain-busting questions. Congrats to team Rempah, aleuto, deyum and all the teams that participated. Till next time.