Dear Community,
I and my colleagues are currently working on some challenge. For solving the current mission we got a special file. We are not sure what the file type is, but we think it's Assembler Code. :icon_confused:
Maybe one of you can help us. The goal is to find an ID from a co-worker of an unkown company.
Here is the link to the file: https://www.dropbox.com/s/0fz7nccb8ph3ien/account
Thank you very much!
It's not assembler, it's an archive. Which format? No idea... I've tested zip, rar, 7z, png, jpg, arc - no luck. Do you have any other information?
...
Quote from: vertograd on March 12, 2014, 07:55:47 AM
BTW I tried Linux utility "file" and it reported :
Quote8086 relocatable (Microsoft)
Though I doubt this is the case but who knows ...
Olly likes it. Don't execute it directly, though 8)
0F0164FF ³. FFD6 call esi ; [KERNEL32.GetEnvironmentStringsW
0F016501 ³. 8BF8 mov edi, eax ; UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"
0F016503 ³. 3BFB cmp edi, ebxOlly starts ntvdm to execute it. Currently I am here:
CPU Disasm
Address Hex dump Command Comments
VdmDbgAttach Ú$ 833D 8072070F 00 cmp dword ptr [0F077280], 0
0F044BFE ³.� 0F84 D6000000 je 0F044CDA
0F044C04 ³. 57 push edi
0F044C05 ³. 68 4C2C000F push 0F002C4C ; ÚModuleName = "NTVDMD.DLL"
0F044C0A ³. FF15 3C10000F call near [<&KERNEL32.GetModuleHand ; ÀKERNEL32.GetModuleHandleA
0F044C10 ³. 8BF8 mov edi, eax
0F044C12 ³. 85FF test edi, edi
0F044C14 ³.� 0F84 BF000000 jz 0F044CD9
0F044C1A ³. 56 push esi
0F044C1B ³. 8B35 3810000F mov esi, [<&KERNEL32.GetProcAddress
0F044C21 ³. 68 1C2D000F push 0F002D1C ; ÚProcname = "xxxDbgInit"
0F044C26 ³. 57 push edi ; ³hModule
0F044C27 ³. FFD6 call esi ; ÀKERNEL32.GetProcAddress
0F044C29 ³. 68 082D000F push 0F002D08 ; ÚProcname = "xxxDbgIsDebuggee"
0F044C2E ³. 57 push edi ; ³hModule
0F044C2F ³. A3 08BC090F mov [0F09BC08], eax ; ³
0F044C34 ³. FFD6 call esi ; ÀKERNEL32.GetProcAddress
0F044C36 ³. 68 F42C000F push 0F002CF4 ; ÚProcname = "xxxDbgDosAppStart"
0F044C3B ³. 57 push edi ; ³hModule
0F044C3C ³. A3 F4BB090F mov [0F09BBF4], eax ; ³
0F044C41 ³. FFD6 call esi ; ÀKERNEL32.GetProcAddress
0F044C43 ³. 68 E02C000F push 0F002CE0 ; ÚProcname = "xxxDbgSegmentNotice"
0F044C48 ³. 57 push edi ; ³hModule
0F044C49 ³. A3 10BC090F mov [0F09BC10], eax ; ³
0F044C4E ³. FFD6 call esi ; ÀKERNEL32.GetProcAddress
0F044C50 ³. 68 CC2C000F push 0F002CCC ; ÚProcname = "xxxDbgTraceEvent"
0F044C55 ³. 57 push edi ; ³hModule
0F044C56 ³. A3 0CBC090F mov [0F09BC0C], eax ; ³
0F044C5B ³. FFD6 call esi ; ÀKERNEL32.GetProcAddress
0F044C5D ³. 68 C02C000F push 0F002CC0 ; ÚProcname = "xxxDbgFault"
0F044C62 ³. 57 push edi ; ³hModule
0F044C63 ³. A3 1CBC090F mov [0F09BC1C], eax ; ³
0F044C68 ³. FFD6 call esi ; ÀKERNEL32.GetProcAddress
0F044C6A ³. 68 B42C000F push 0F002CB4 ; ÚProcname = "xxxDbgBPInt"
0F044C6F ³. 57 push edi ; ³hModule
0F044C70 ³. A3 04BC090F mov [0F09BC04], eax ; ³
0F044C75 ³. FFD6 call esi ; ÀKERNEL32.GetProcAddress
0F044C77 ³. 68 A42C000F push 0F002CA4 ; ÚProcname = "xxxDbgTraceInt"
0F044C7C ³. 57 push edi ; ³hModule
0F044C7D ³. A3 20BC090F mov [0F09BC20], eax ; ³
0F044C82 ³. FFD6 call esi ; ÀKERNEL32.GetProcAddress
0F044C84 ³. 68 902C000F push 0F002C90 ; ÚProcname = "xxxDbgNotifyNewTask"
0F044C89 ³. 57 push edi ; ³hModule
0F044C8A ³. A3 F8BB090F mov [0F09BBF8], eax ; ³
0F044C8F ³. FFD6 call esi ; ÀKERNEL32.GetProcAddress
0F044C91 ³. 68 702C000F push 0F002C70 ; ÚProcname = "xxxDbgNotifyRemoteThreadAddress"
0F044C96 ³. 57 push edi ; ³hModule
0F044C97 ³. A3 FCBB090F mov [0F09BBFC], eax ; ³
0F044C9C ³. FFD6 call esi ; ÀKERNEL32.GetProcAddress
0F044C9E ³. 68 582C000F push 0F002C58 ; ÚProcname = "xxxDbgNotifyDebugged"
0F044CA3 ³. 57 push edi ; ³hModule
0F044CA4 ³. A3 00BC090F mov [0F09BC00], eax ; ³
0F044CA9 ³. FFD6 call esi ; ÀKERNEL32.GetProcAddress
0F044CAB ³. A3 24BC090F mov [0F09BC24], eax
0F044CB0 ³. A1 08BC090F mov eax, [0F09BC08]
0F044CB5 ³. 85C0 test eax, eax
0F044CB7 ³. 5E pop esi
0F044CB8 ³.� 74 1F jz short 0F044CD9
0F044CBA ³. 8B0D D074070F mov ecx, [0F0774D0]
0F044CC0 ³. 68 14BC090F push offset 0F09BC14
0F044CC5 ³. FF35 8872070F push dword ptr [0F077288]
0F044CCB ³. 81C1 14070000 add ecx, 714
0F044CD1 ³. 51 push ecx
0F044CD2 ³. FFD0 call eax
0F044CD4 ³. A3 8472070F mov [0F077284], eax
0F044CD9 ³> 5F pop edi
0F044CDA À> C3 retn
How did you load it into Olly? Renamed to exe?
[EDIT]: There are lots of INTERRUPTS inside the file. Maybe COM-file from old DOS days?
CreateFileA:
0205FC40 Ú0205FC8C Œü�� ; ³FileName = "C:\WINDOWS\system32\ntio.sys"
0205FC44 ³80000000 € ; ³DesiredAccess = GENERIC_READ
0205FC48 ³00000001 � ; ³ShareMode = FILE_SHARE_READ
0205FC4C ³00000000 ; ³pSecurity = NULL
0205FC50 ³00000003 � ; ³CreationDistribution = OPEN_EXISTING
0205FC54 ³00000080 € ; ³Attributes = FILE_ATTRIBUTE_NORMAL
0205FC58 ³00000000 ; ÀhTemplate = NULL
It looks more and more like an easter egg - although Jotti has no objections (http://virusscan.jotti.org/en-gb/scanresult/25bd75f90637ed14c88fd8a19a2be813b711dc90) :P
Olly starts ntvdm to run it, but I hesitate to let it run. DOS debug yields gibberish, although the dump at the beginning looks like the environment variables.
Besides, it is definitely also a highly compressed archive...
Let's wait and see . Maybe someone will try to run it under DOS
Sergiu (http://www.masmforum.com/board/index.php?topic=13454.msg105090#msg105090) finally did it!
:biggrin:
too much compression...
Hello everybody,
first of all thank you for your participation! Acctually we got this file by extracting a .zip file a lot of times.
So I attached the first file we got.
A friend of mine decompressed it with a selfmade script in Debian. he told me it has been compressed with: 7zip, zip, bzip2, gzip, tar
So maybe we got something wrong during decompressing this firstFile.zip !!
Here is the File: https://www.dropbox.com/s/wt6isz9r2fq4rlb/firstFile
Thanks for your effort!
Quote from: dedndave on March 12, 2014, 04:20:50 PM
:biggrin:
too much compression...
yes, Sergiu was a crazy fellow.
Gunther
7z can decompress it, but there is something circular about that file - the decompressed one is again an archive, and decompressing that one produces the original archive :(
I can see the strings account ustar seclab inside that archive.
BTW I was wrong about NTVDM; apparently Olly starts NTVDM for all files that are non 32-bit executables - even for textfiles.
@ jj2007
we noticed that the original zip file is compressed 321 times. so thats quite confusing because it's not always the same compression method!
We have to find the Account ID of a co-worker and actually we first got a wireshark capture. From this file we got this .zip file.
Wireshark capture: https://www.dropbox.com/s/t0elg9hz2tawfh5/GCHQ-wiretapped.pcap
At the current moment we don't have any idea how to get this Account ID!
...
no we are not ;)
but yeah we have already decompressed the file like that ;)
Did you see this ? :
ok guys,
we finally got the solution. due to the running competition we can't tell you how we solved this but we want to thank Mark Russinovich. ;)
Quote from: vertograd on March 12, 2014, 09:08:40 PM
Did you see this ?
Yes. The
ustar is the tar format magic. SecLab is a frequently used acronym, unfortunately.
Congrats to RoundTrip and your team :t
We are of course curious now ;-)
Quote from: Roundtrip on March 12, 2014, 09:36:37 PM
ok guys,
we finally got the solution. due to the running competition we can't tell you how we solved this but we want to thank Mark Russinovich. ;)
Congratulations! Maybe later you'll tell us how you got it ?
Did Mark Russinovich help you personally or you used some of his utilities?
i am going to release the solution after the end of the competition ;)
so stay calm and wait ;)
What would the ID look like,perhaps like this.
00018CEB: xAccount: 499550439979-125084150537
Just did an ascii peek program and this stood out about in the middle of the file.
As Roundtrip said they found the ID with Mark Russinovich' help
Now I understand that they used his 'STRINGS' utility :
Quote
>strings -a -n 12 account
Strings v2.1
Copyright (C) 1999-2003 Mark Russinovich
Systems Internals - www.sysinternals.com
xAccount: 499550439979-125084150537
We went wrong way from the very beginning .
Nice find, Anunitu :t
I think that if this was a challenge,that they played the "hidden in plain sight gambit". I tend to always go from very simple to the complex. It may be that the complexity was a red herring. Seeing the file one would assume it must be complex,and therefore in need of a complex solution. Reminds me of a "College stupid" example.
When I was working(worked in a production mail facility) The problem was this,we had a mailing that was multiple pages depending on the addressee(this was a billing statement. Problem was determining the postage for each one. Now a manager tried to work the problem using Calculus because he was "collage stupid" and believed that was a valid way to attack the problem. The woman that worked the postage station just started stacking pages on the scale and noting when the postage changed,the simple common sense solution. So here the expectation was a complex solution when in fact it was simple.
If one is interested,the Peek program can be found here.
http://www.loramel.net/blender_minutes/peek/
@anunitu
Thanks. Now I have a name for a condition I have being guilty of too many times.
"College Stupid"
When one finds the simpler solution after trying many over-complicated ones, one ends up feeling like "Homer Simpson" for a while.