Author Topic: What is that?  (Read 5762 times)

Roundtrip

  • Guest
What is that?
« on: March 12, 2014, 04:56:20 AM »
Dear Community,

I and my colleagues are currently working on some challenge. For solving the current mission we got a special file. We are not sure what the file type is, but we think it's Assembler Code. :icon_confused:
Maybe one of you can help us. The goal is to find an ID from a co-worker of an unkown company.
Here is the link to the file: https://www.dropbox.com/s/0fz7nccb8ph3ien/account

Thank you very much!

jj2007

  • Member
  • *****
  • Posts: 7446
  • Assembler is fun ;-)
    • MasmBasic
Re: What is that?
« Reply #1 on: March 12, 2014, 07:39:32 AM »
It's not assembler, it's an archive. Which format? No idea... I've tested zip, rar, 7z, png, jpg, arc - no luck. Do you have any other information?

GoneFishing

  • Member
  • ****
  • Posts: 950
  • Gone fishing
Re: What is that?
« Reply #2 on: March 12, 2014, 07:55:47 AM »
...
« Last Edit: September 18, 2015, 05:46:56 AM by GoneFishing »

jj2007

  • Member
  • *****
  • Posts: 7446
  • Assembler is fun ;-)
    • MasmBasic
Re: What is that?
« Reply #3 on: March 12, 2014, 08:21:46 AM »
BTW I tried Linux utility "file" and it reported :
Quote
8086 relocatable (Microsoft)
Though I doubt this is the case but who knows ...

Olly likes it. Don't execute it directly, though 8)

0F0164FF     ³.  FFD6              call esi                                   ; [KERNEL32.GetEnvironmentStringsW
0F016501     ³.  8BF8              mov edi, eax                               ; UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"
0F016503     ³.  3BFB              cmp edi, ebx


Olly starts ntvdm to execute it. Currently I am here:
Code: [Select]
CPU Disasm
Address      Hex dump              Command                             Comments
VdmDbgAttach Ú$  833D 8072070F 00  cmp dword ptr [0F077280], 0
0F044BFE     ³. 0F84 D6000000     je 0F044CDA
0F044C04     ³.  57                push edi
0F044C05     ³.  68 4C2C000F       push 0F002C4C                       ; ÚModuleName = "NTVDMD.DLL"
0F044C0A     ³.  FF15 3C10000F     call near [<&KERNEL32.GetModuleHand ; ÀKERNEL32.GetModuleHandleA
0F044C10     ³.  8BF8              mov edi, eax
0F044C12     ³.  85FF              test edi, edi
0F044C14     ³. 0F84 BF000000     jz 0F044CD9
0F044C1A     ³.  56                push esi
0F044C1B     ³.  8B35 3810000F     mov esi, [<&KERNEL32.GetProcAddress
0F044C21     ³.  68 1C2D000F       push 0F002D1C                       ; ÚProcname = "xxxDbgInit"
0F044C26     ³.  57                push edi                            ; ³hModule
0F044C27     ³.  FFD6              call esi                            ; ÀKERNEL32.GetProcAddress
0F044C29     ³.  68 082D000F       push 0F002D08                       ; ÚProcname = "xxxDbgIsDebuggee"
0F044C2E     ³.  57                push edi                            ; ³hModule
0F044C2F     ³.  A3 08BC090F       mov [0F09BC08], eax                 ; ³
0F044C34     ³.  FFD6              call esi                            ; ÀKERNEL32.GetProcAddress
0F044C36     ³.  68 F42C000F       push 0F002CF4                       ; ÚProcname = "xxxDbgDosAppStart"
0F044C3B     ³.  57                push edi                            ; ³hModule
0F044C3C     ³.  A3 F4BB090F       mov [0F09BBF4], eax                 ; ³
0F044C41     ³.  FFD6              call esi                            ; ÀKERNEL32.GetProcAddress
0F044C43     ³.  68 E02C000F       push 0F002CE0                       ; ÚProcname = "xxxDbgSegmentNotice"
0F044C48     ³.  57                push edi                            ; ³hModule
0F044C49     ³.  A3 10BC090F       mov [0F09BC10], eax                 ; ³
0F044C4E     ³.  FFD6              call esi                            ; ÀKERNEL32.GetProcAddress
0F044C50     ³.  68 CC2C000F       push 0F002CCC                       ; ÚProcname = "xxxDbgTraceEvent"
0F044C55     ³.  57                push edi                            ; ³hModule
0F044C56     ³.  A3 0CBC090F       mov [0F09BC0C], eax                 ; ³
0F044C5B     ³.  FFD6              call esi                            ; ÀKERNEL32.GetProcAddress
0F044C5D     ³.  68 C02C000F       push 0F002CC0                       ; ÚProcname = "xxxDbgFault"
0F044C62     ³.  57                push edi                            ; ³hModule
0F044C63     ³.  A3 1CBC090F       mov [0F09BC1C], eax                 ; ³
0F044C68     ³.  FFD6              call esi                            ; ÀKERNEL32.GetProcAddress
0F044C6A     ³.  68 B42C000F       push 0F002CB4                       ; ÚProcname = "xxxDbgBPInt"
0F044C6F     ³.  57                push edi                            ; ³hModule
0F044C70     ³.  A3 04BC090F       mov [0F09BC04], eax                 ; ³
0F044C75     ³.  FFD6              call esi                            ; ÀKERNEL32.GetProcAddress
0F044C77     ³.  68 A42C000F       push 0F002CA4                       ; ÚProcname = "xxxDbgTraceInt"
0F044C7C     ³.  57                push edi                            ; ³hModule
0F044C7D     ³.  A3 20BC090F       mov [0F09BC20], eax                 ; ³
0F044C82     ³.  FFD6              call esi                            ; ÀKERNEL32.GetProcAddress
0F044C84     ³.  68 902C000F       push 0F002C90                       ; ÚProcname = "xxxDbgNotifyNewTask"
0F044C89     ³.  57                push edi                            ; ³hModule
0F044C8A     ³.  A3 F8BB090F       mov [0F09BBF8], eax                 ; ³
0F044C8F     ³.  FFD6              call esi                            ; ÀKERNEL32.GetProcAddress
0F044C91     ³.  68 702C000F       push 0F002C70                       ; ÚProcname = "xxxDbgNotifyRemoteThreadAddress"
0F044C96     ³.  57                push edi                            ; ³hModule
0F044C97     ³.  A3 FCBB090F       mov [0F09BBFC], eax                 ; ³
0F044C9C     ³.  FFD6              call esi                            ; ÀKERNEL32.GetProcAddress
0F044C9E     ³.  68 582C000F       push 0F002C58                       ; ÚProcname = "xxxDbgNotifyDebugged"
0F044CA3     ³.  57                push edi                            ; ³hModule
0F044CA4     ³.  A3 00BC090F       mov [0F09BC00], eax                 ; ³
0F044CA9     ³.  FFD6              call esi                            ; ÀKERNEL32.GetProcAddress
0F044CAB     ³.  A3 24BC090F       mov [0F09BC24], eax
0F044CB0     ³.  A1 08BC090F       mov eax, [0F09BC08]
0F044CB5     ³.  85C0              test eax, eax
0F044CB7     ³.  5E                pop esi
0F044CB8     ³. 74 1F             jz short 0F044CD9
0F044CBA     ³.  8B0D D074070F     mov ecx, [0F0774D0]
0F044CC0     ³.  68 14BC090F       push offset 0F09BC14
0F044CC5     ³.  FF35 8872070F     push dword ptr [0F077288]
0F044CCB     ³.  81C1 14070000     add ecx, 714
0F044CD1     ³.  51                push ecx
0F044CD2     ³.  FFD0              call eax
0F044CD4     ³.  A3 8472070F       mov [0F077284], eax
0F044CD9     ³>  5F                pop edi
0F044CDA     À>  C3                retn

GoneFishing

  • Member
  • ****
  • Posts: 950
  • Gone fishing
Re: What is that?
« Reply #4 on: March 12, 2014, 08:25:42 AM »
How did you load it into Olly? Renamed to exe?

[EDIT]: There are lots of INTERRUPTS inside the file. Maybe COM-file from old DOS days?

jj2007

  • Member
  • *****
  • Posts: 7446
  • Assembler is fun ;-)
    • MasmBasic
Re: What is that?
« Reply #5 on: March 12, 2014, 09:22:37 AM »
CreateFileA:
0205FC40  Ú0205FC8C  Œü    ; ³FileName = "C:\WINDOWS\system32\ntio.sys"
0205FC44  ³80000000     €    ; ³DesiredAccess = GENERIC_READ
0205FC48  ³00000001         ; ³ShareMode = FILE_SHARE_READ
0205FC4C  ³00000000          ; ³pSecurity = NULL
0205FC50  ³00000003         ; ³CreationDistribution = OPEN_EXISTING
0205FC54  ³00000080  €       ; ³Attributes = FILE_ATTRIBUTE_NORMAL
0205FC58  ³00000000          ; ÀhTemplate = NULL


It looks more and more like an easter egg - although Jotti has no objections :P

Olly starts ntvdm to run it, but I hesitate to let it run. DOS debug yields gibberish, although the dump at the beginning looks like the environment variables.

Besides, it is definitely also a highly compressed archive...

GoneFishing

  • Member
  • ****
  • Posts: 950
  • Gone fishing
Re: What is that?
« Reply #6 on: March 12, 2014, 09:53:36 AM »
Let's wait and see . Maybe someone will try to run it under DOS

sinsi

  • Member
  • ****
  • Posts: 984
Re: What is that?
« Reply #7 on: March 12, 2014, 10:25:57 AM »
Sergiu finally did it!
I can walk on water but stagger on beer.

dedndave

  • Member
  • *****
  • Posts: 8733
  • Still using Abacus 2.0
    • DednDave
Re: What is that?
« Reply #8 on: March 12, 2014, 04:20:50 PM »
 :biggrin:

too much compression...

Roundtrip

  • Guest
Re: What is that?
« Reply #9 on: March 12, 2014, 07:49:15 PM »
Hello everybody,

first of all thank you for your participation! Acctually we got this file by extracting a .zip file a lot of times.
So I attached the first file we got.
A friend of mine decompressed it with a selfmade script in Debian. he told me it has been compressed with: 7zip, zip, bzip2, gzip, tar
So maybe we got something wrong during decompressing this firstFile.zip !!
Here is the File: https://www.dropbox.com/s/wt6isz9r2fq4rlb/firstFile
Thanks for your effort!


Gunther

  • Member
  • *****
  • Posts: 3515
  • Forgive your enemies, but never forget their names
Re: What is that?
« Reply #10 on: March 12, 2014, 08:32:25 PM »
:biggrin:

too much compression...

yes, Sergiu was a crazy fellow.

Gunther
Get your facts first, and then you can distort them.

jj2007

  • Member
  • *****
  • Posts: 7446
  • Assembler is fun ;-)
    • MasmBasic
Re: What is that?
« Reply #11 on: March 12, 2014, 08:36:24 PM »
7z can decompress it, but there is something circular about that file - the decompressed one is again an archive, and decompressing that one produces the original archive :(

I can see the strings account ustar seclab inside that archive.

BTW I was wrong about NTVDM; apparently Olly starts NTVDM for all files that are non 32-bit executables - even for textfiles.

Roundtrip

  • Guest
Re: What is that?
« Reply #12 on: March 12, 2014, 08:44:29 PM »
@ jj2007
we noticed that the original zip file is compressed 321 times. so thats quite confusing because it's not always the same compression method!
We have to find the Account ID of a co-worker and actually we first got a wireshark capture. From this file we got this .zip file.
Wireshark capture: https://www.dropbox.com/s/t0elg9hz2tawfh5/GCHQ-wiretapped.pcap
At the current moment we don't have any idea how to get this Account ID!


GoneFishing

  • Member
  • ****
  • Posts: 950
  • Gone fishing
Re: What is that?
« Reply #13 on: March 12, 2014, 08:45:45 PM »
...
« Last Edit: September 18, 2015, 05:46:19 AM by GoneFishing »

Roundtrip

  • Guest
Re: What is that?
« Reply #14 on: March 12, 2014, 09:02:35 PM »
no we are not ;)
but yeah we have already decompressed the file like that  ;)