Flare-on 1 – Challenge 5 – 5get_it

This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here

Challenge 5 brings us a DLL file. I mainly used Ghidra to statically analyze it.

5get_it: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

After Ghidra loaded and analyzed the file, I found a function at 0x1000a680 that does a few things. First, it reads and writes the Run key to set up persistence for this DLL, and it also copies itself to the C:\windows\system32 directory as svchost.dll so that it looks like a legitimate DLL. Next, it calls a function that appears to act as a keylogger.

This function sets up a buffer to store keystrokes and then writes them out to a file named svchost.log. Looking at the mw_key_press_handler function, we can see how it handles the key presses.

This function has a separate handler function for the ASCII value of most upper case letters, lower case letters, numbers, and some other characters. However, not all characters have handler functions, so I took a closer look at the handlers that exist.

Below are three example handler functions. Some of the handlers set a global variable to 1 or 0 depending on whether another global variable had already been set, and/or call a function that resets a group of global variables to 0. Not all of the handlers return the same character that was pressed: as shown below, “`” returns the character “0”.

Example 1: returns the same character
Example 2: returns a different character from the input
Example 3: calls a function to reset all global variables

Taking a closer look at the global variables that are manipulated, I could see a pattern: each one is written or read by a particular key press handler, in order.

I went through the listing of handler functions and built a table of the key presses and their return values, and the result looks like the key.

Memory Address   Input Char   Output Char
DAT_10019460     L            l
DAT_10019464     `            0
DAT_10019468     G            g
DAT_1001946c     G            g
DAT_10019470     I            i
DAT_10019474     N            n
DAT_10019478     G            g
DAT_1001947c     D            d
DAT_10019480     O            o
DAT_10019484     T            t
DAT_10019488     U            u
DAT_1001948c     R            r
DAT_10019490     D            d
DAT_10019494     O            o
DAT_10019498     T            t
DAT_1001949c     e            5
DAT_100194a0     T            t
DAT_100194a4     R            r
DAT_100194a8     O            0
DAT_100194ac     K            k
DAT_100194b0     E            e
DAT_100194b4     `            5
DAT_100194b8     A            a
DAT_100194bc     T            t
DAT_100194c0     F            f
DAT_100194c4     L            l
DAT_100194c8     A            a
DAT_100194cc     R            r
DAT_100194d0     E            e
DAT_100194d4     D            d
DAT_100194d8     A            a
DAT_100194dc     S            s
DAT_100194e0     H            h
DAT_100194e4     O            o
DAT_100194e8     N            n
DAT_100194ec     D            d
DAT_100194f0     O            o
DAT_100194f4     T            t
DAT_100194f8     C            c
DAT_100194fc     O            o

This table does not include the letter “m” at the end of “com”, because the handler for “M” calls an extra function.

The function that the “M” handler calls has a large number of local variables and makes Ghidra very sad, but its main job is to show a message box with the flag: l0gging.ur.5tr0ke5@flare-on.com
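To check the reading of the table, here is an added example (not code from the original post) that rebuilds the expected key sequence and the logged form from the handler table above, and emulates the chain of global flags the handlers maintain. The table rows are copied from the post; the state model (each handler sets its flag only when the preceding flags are already set, any other key clears them all, and “m” on a fully set chain fires the message box) is an assumption drawn from the post's description of the handlers.

```python
# Added example, not the original post's code. Rows copied from the handler table;
# the flag-chain model is an assumed reading of what the handlers do.
HANDLERS = [  # (global variable, key pressed, character written to svchost.log)
    ("DAT_10019460", "L", "l"), ("DAT_10019464", "`", "0"), ("DAT_10019468", "G", "g"),
    ("DAT_1001946c", "G", "g"), ("DAT_10019470", "I", "i"), ("DAT_10019474", "N", "n"),
    ("DAT_10019478", "G", "g"), ("DAT_1001947c", "D", "d"), ("DAT_10019480", "O", "o"),
    ("DAT_10019484", "T", "t"), ("DAT_10019488", "U", "u"), ("DAT_1001948c", "R", "r"),
    ("DAT_10019490", "D", "d"), ("DAT_10019494", "O", "o"), ("DAT_10019498", "T", "t"),
    ("DAT_1001949c", "e", "5"), ("DAT_100194a0", "T", "t"), ("DAT_100194a4", "R", "r"),
    ("DAT_100194a8", "O", "0"), ("DAT_100194ac", "K", "k"), ("DAT_100194b0", "E", "e"),
    ("DAT_100194b4", "`", "5"), ("DAT_100194b8", "A", "a"), ("DAT_100194bc", "T", "t"),
    ("DAT_100194c0", "F", "f"), ("DAT_100194c4", "L", "l"), ("DAT_100194c8", "A", "a"),
    ("DAT_100194cc", "R", "r"), ("DAT_100194d0", "E", "e"), ("DAT_100194d4", "D", "d"),
    ("DAT_100194d8", "A", "a"), ("DAT_100194dc", "S", "s"), ("DAT_100194e0", "H", "h"),
    ("DAT_100194e4", "O", "o"), ("DAT_100194e8", "N", "n"), ("DAT_100194ec", "D", "d"),
    ("DAT_100194f0", "O", "o"), ("DAT_100194f4", "T", "t"), ("DAT_100194f8", "C", "c"),
    ("DAT_100194fc", "O", "o"),
]

def expected_keys():
    """Key presses, in table order, that the handler chain waits for."""
    return "".join(key for _, key, _ in HANDLERS)

def logged_text():
    """The same presses as they land in svchost.log after each handler's transform."""
    return "".join(out for _, _, out in HANDLERS)

def decode_flag(logged):
    """Turn the spelled-out separators (dot, dash, at) back into the flag (assumed reading)."""
    return logged.replace("dash", "-").replace("dot", ".").replace("at", "@")

class FlagChain:
    """Assumed model of the global variables: flag i is set only when flags 0..i-1 are
    already set and the i-th expected key arrives; any other key resets the whole group."""
    def __init__(self):
        self.flags = [0] * len(HANDLERS)

    def press(self, key):
        done = sum(self.flags)              # consecutive flags already set
        if done == len(HANDLERS) and key == "m":
            return True                     # final handler: message box with the flag
        if done < len(HANDLERS) and key == HANDLERS[done][1]:
            self.flags[done] = 1            # handler sets its own global variable
        else:
            self.flags = [0] * len(HANDLERS)  # the reset-all helper the handlers call
        return False
```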

Author: Ben Mason

Technical Architect - Computer Networking - Security - Electronics Hobbyist - Sometimes Photographer - Spaceflight - Cat Enthusiast - HAM KC1GDJ
