
Flare-on 1 - Challenge 5 - 5get_it

3 min read · suidroot

This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here.

Challenge 5 brings us a DLL file. I mainly used Ghidra to statically analyze it.

5get_it: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

After Ghidra loaded and analyzed the file, I found a function at 0x1000a680 that does a few things. First, it reads and writes the Run key to set up persistence for this DLL, and it also copies itself to the C:\windows\system32 directory as svchost.dll so that it looks like a legitimate DLL. Next, it executes a function that looks to act as a key logger.

This function sets up a buffer to store keystrokes in and then writes them out to a file named svchost.log. Looking at the mw_key_press_handler function, we can see how it handles the key presses.

This function has a separate handler function for the ASCII value of most upper case letters, lower case letters, numbers, and some other characters. However, not all characters have handler functions, so I took a closer look at the functions that exist.

Below are three examples of these functions. Some of them set a global variable to 1 or 0 depending on whether another variable was set, and/or call another function that sets a group of global variables to 0. Not all of the functions returned the same letter that was pressed: as shown below, “`” returns the number “0”.

Figure: handler that returns the same character

Figure: handler that returns a different character from its input

Figure: handler that calls a function to reset all global variables

Taking a closer look at the global variables that are manipulated, I could see a pattern of them being written or read depending on the keypress handler function.

I went through the listing of functions and created a list of the key presses and the return values, and saw what looks like the key.

Memory Address Input Char Output Char
DAT_10019460 L l
DAT_10019464 ` 0
DAT_10019468 G g
DAT_1001946c G g
DAT_10019470 I i
DAT_10019474 N n
DAT_10019478 G g
DAT_1001947c D d
DAT_10019480 O o
DAT_10019484 T t
DAT_10019488 U u
DAT_1001948c R r
DAT_10019490 D d
DAT_10019494 O o
DAT_10019498 T t
DAT_1001949c e 5
DAT_100194a0 T t
DAT_100194a4 R r
DAT_100194a8 O 0
DAT_100194ac K k
DAT_100194b0 E e
DAT_100194b4 ` 5
DAT_100194b8 A a
DAT_100194bc T t
DAT_100194c0 F f
DAT_100194c4 L l
DAT_100194c8 A a
DAT_100194cc R r
DAT_100194d0 E e
DAT_100194d4 D d
DAT_100194d8 A a
DAT_100194dc S s
DAT_100194e0 H h
DAT_100194e4 O o
DAT_100194e8 N n
DAT_100194ec D d
DAT_100194f0 O o
DAT_100194f4 T t
DAT_100194f8 C c
DAT_100194fc O o

This table does not include the letter “m” at the end of “com”: the handler for “M” has an extra function that it calls.

The function that the handler calls has a large number of local variables and makes Ghidra very sad, but its main purpose is to show a message box with the flag:
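To check that the handlers really chain the way the table suggests, here is an added model of the stage-tracking logic (example code, not the challenge's own): each global DAT_* flag is collapsed into one stage index, a handler advances the stage only when the previous one is set, any other key runs the reset-all-globals helper, and the “M” handler fires the message box once every stage is set. It assumes that keys without a handler are logged as typed and that the flags are cleared after the box is shown.

```python
# Added example (not the challenge's own code): a model of the stage-tracking logic the
# write-up describes. The DLL keeps one global flag per expected key (DAT_10019460 ..
# DAT_100194fc); a handler sets its flag only if the previous flag is set, and any other
# key calls the helper that zeroes every flag. Here that chain is collapsed into one index.

EXPECTED_KEYS = "L`GGINGDOTURDOTeTROKE`ATFLAREDASHONDOTCO"   # input column of the table above
RETURNED_CHARS = "l0ggingdoturdot5tr0ke5atflaredashondotco"  # output column of the table above
FINAL_KEY = "M"  # its handler makes the extra call that shows the message box (not in the table)


class StageTracker:
    def __init__(self):
        self.stage = 0          # how many consecutive expected keys have been seen (0..40)
        self.log = []           # what the handlers hand back to the svchost.log buffer
        self.triggered = False  # set once the message-box function would have been called

    def press(self, key):
        """Handle one key press the way the per-key handler functions do."""
        if self.stage == len(EXPECTED_KEYS):
            # every flag is set: only the "M" handler's extra call fires the message box
            self.stage = 0                       # assumption: flags are cleared either way
            if key == FINAL_KEY:
                self.triggered = True
                self.log.append("m")
                return
        if key != EXPECTED_KEYS[self.stage]:
            self.stage = 0                       # the reset-all-globals helper
        if key == EXPECTED_KEYS[self.stage]:
            # matching handler: set the next flag and return the substituted character
            self.log.append(RETURNED_CHARS[self.stage])
            self.stage += 1
        else:
            self.log.append(key)                 # assumption: unhandled keys are logged as typed


def replay(keys):
    """Replay a key sequence; returns (text that would reach svchost.log, box fired?)."""
    tracker = StageTracker()
    for key in keys:
        tracker.press(key)
    return "".join(tracker.log), tracker.triggered


if __name__ == "__main__":
    print(replay(EXPECTED_KEYS + FINAL_KEY))          # full sequence: box fires
    print(replay("L`GGXNG" + EXPECTED_KEYS + FINAL_KEY))  # typo resets, then restarts
```

A wrong key part-way through sends the tracker back to stage 0, which is why a typo in the middle of the sequence does not fire the box until the whole sequence is typed again.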


Ben Mason
Computer Security – Reverse Engineering – Malware – Electronics Hobbyist – Sometimes Photographer – Spaceflight – Cat Enthusiast