Flare-On Challenge 7 - 06 - Codeit

tags: ctf challenge write-up binary reverse engineer Malware Analysis
by Firpo7

Reverse engineer this little compiled script to figure out what you need to do to make it give you the flag (as a QR code).

The challenge provides you with an executable, the program asks you for input and then generates a QR code based on it. The goal of the challenge is to let the program meet a condition so that the generated QR code contains the flag.

CodeIt Program

The name of the challenge suggests it could be an AutoIt3 compiled executable. Looking with pestudio and searching for the string AU3!EA06 at the and of the code section confirmed the hypothesis.

Fortunately, there are tools that decompile AutoIt3 executable for you. The output code obtained is obfuscated, so I made other operations to it in order to make it much more readable.

The decompiler tool will output also a qr_encoder.dll and a sprite.bmp.

The first thing done, to try to deobfuscate the code, was to replace the variables instantiated for each number used inside the code with the numbers themselves, using a parser that I’ve written for this challenge.

regex = r'([a-z]+) = Number\(" ([0-9]+) "'

content = ''
with open(FILE_OBFUSCATED, "r") as f:
    content = f.read()
r1 = re.findall(regex,content)

for name, num in r1:
    content = content.replace(f"${name}", str(num))

After that was much easier to deobfuscate all the strings. They are saved as hexadecimal strings in an array and then decoded runtime. Replacing the call to the function that does these operations, with the deobfuscated strings, will result in a much more clear code.

for n,c in enumerate(hexencoded_strings_array):
    if c == '':
        content = content.replace(f"decoder($os[{n+1}])", "''")

    content = content.replace(f"decoder($os[{n+1}])", f'"{libnum.n2s(int(c,16))}"')

What the challenge does is to take our input and transform it into a QR code. Once the code it’s more clear it can be seen that, when the program meets a certain condition, it substitute the input with a decrypted string.

The string gets decrypted using a key generated from the computer name. Analyzing the function that processes the computer name turns out that it reads some bytes from sprite.bmp, getting only the bit of them, grouping the bits each 7, sum them with the bytes of our computer name and then divide the result by 2.

Converting the 7 bits groups, obtained from the sprite.bmp, in ASCII will decode the string aut01tfan1999. So if we put as computer name that string what the above algorithm will do is to multiply each byte of 2 (as the characters it is summing are the same) and then dividing them by 2, resulting in an unchanged string. These string, as explained before, will be used to decipher the flag that will be then encoded in a QR code.

To solve the challenge it is needed only to change the computer name to aut01tfan1999 and then generate a QR code with any input string, also empty.

QR Code Flag