PMA 303: IDA Pro (20 pts + 20 extra)

What you need:

Purpose

You will practice using IDA Pro.

Opening Lab05-01.dll in IDA Pro

Launch IDA Pro Free. Click OK. Click New. Click the "PE Dynamic Library" icon and click OK. Navigate to Lab05-01.dll and open it.

In the "Welcome to the PE Dynamic Library file loading Wizard" box, click Next, Next, Finish. IDA opens the file, as shown below:

Adjusting Graph Mode Options

The screen is cluttered. Close the little "Graph overview" box and maximize the "IDA View-A" window. Drag the message area to the bottom of the screen to minimize it, as shown below:

The code doesn't show line numbers or hexadecimal instructions. To fix that, click Options, General.

In the IDA Options box, in the top right, in the '"Display disassembly line parts" pane, make these changes, as shown below:

Click OK.

The "graph mode" display is more informative now, as shown below.

Text Mode

Click in the Graph Mode window and press the SPACEBAR.

IDA shows the assembly code in a text-only view, as shown below.

Press the SPACEBAR again to return to Graph Mode.

Finding the Import for gethostbyname

"Gethostbyname" is a Windows API function that can preform a DNS lookup.

In IDA Pro, click View, "Open subview", Imports. Click the Name header to sort by name. Find "gethostbyname", as shown below. (Note that capital letters and lowercase letters sort into separate groups.)

Double-click gethostbyname.

The code for the function opens in Text mode, as shown below.

Click gethostbyname. Yellow highlights appear on both occurrences of that name, as shown below. Press Ctrl+x to open the "xrefs to gethostbyname" box shown below.

There are nine calls to gethostbyname in five different functions. Double-click the third one from the bottom, at an address of 1001656+101, as highlighted in the image above.

The function appears, as shown below. It loads an address named off_10019040 into register eax, adds 13 to it (0d in hexadecimal), pushes that address onto the stack, and calls gethostbyname.

Double-click off_10019040.

The Text view shows that this location contains a pointer to a string containing "praticalmalwareanalys", as shown below.


Flag PMA 303.1: Domain Name (10 pts)

For a clearer view, click the "Hex View-A" tab.

The four bytes starting at 10019040 contain a 32-bit address in little-endian order, as highlighted in blue in the figure below. That address is 10019194. There's a series of ASCII values at that address, outlined in green in the figure below. Skipping the first 13 bytes leaves a string ending in

.praticalpalwareanalysis.com

as shown below. This is the domain that will be resolved by calling gethostbyname.

The flag is covered by a green box in the image below.


Examinining the Code that References "\cmd.exe /c"

In IDA Pro, click the Strings tab. Click the gray String column header to sort the data.

Scroll down about 3/4 of the way, and find the String "\\cmd.exe /c", as highlighted in the image below.

Double-click "\\cmd.exe /c". Click the "b>IDA View-A" tab.

The string appears in text mode, as shown below. Click in the word cmd so it's highlighted and press Ctrl+x. A "xrefs to aCmd_exeC" box appears, as shown below.

In the "xrefs to aCmd_exeC" box, double-click sub_1000FF58+278.

You see the code that uses this string. There are two boxes of code, one that starts a string with "cmd.exe -c" and the other that starts it with "command.exe /c". This looks like a remote shell, executing commands from the botmaster for either a 32-bit or 16-bit system.


Flag PMA 303.2: Message (5 pts)

Drag the code boxes down to see the module containing "Hi, Master", as shown below.

Hover the mouse over aHiMasterDDDDDD to see more of the referenced strings, as shown below.

This looks like a message the bot sends to the botmaster, further confirming that this is a RAT (Remote Administration Tool).

The flag is covered by a green box in the image below.


Challenges with IDA

Downloading the Files to Examine

If you are using the VM handed out by your instructor, the files you need are already on the disk in the C:\IDA folder.

Otherwise, download these files into the C:\IDA folder.

Launching IDA Pro Free

Start IDA Pro Free.

When you see the IDA window shown below, click the OK button.

Click "I Agree".

In the "Welcome to IDA!" box, as shown below, click the New button.

In the "About" box, click the OK button.

Loading the EXE File

In the "Welcome to IDA" box, click the New button.

In the "New disassembly database" box, click "PE Executable", and then click OK, as shown below:

In the "Select PE Executable to disassemble" box, navigate to C:\IDA\crackme-121-1.exe and double-click it.

In the "Welcome to the PE Executable file loading Wizard" box, click the Next button, as shown below:

In the "Segment Creation" box, click Next.

In the "File loading" box, click Finish.

A box pops up saying "...the input file was linked with debug information...", as shown below. Click the Yes button.

Viewing Disassembled Code

In IDA Pro, find the "View-A" pane, which shows boxes containing code linked to other boxes in a flowchart style. Maximize this pane, by clicking the button indicated by the arrow in the figure below:

Close the "Graph Overview" box in the lower right corner.

Drag the lower border of the "View-A" pane down, to make as large a viewable area as possible.

From the IDA menu bar, click Search, Text.

Search for crackme as shown below.

Click OK.

Right-click in the "View-A" box and click "Fit window", as shown below:

You should now see the entire program shown as six boxes connected by lines, as shown below. (Ignore the two extra boxes at the upper left):

For this project, I have labelled the modules with letters as shown below:

Right-click in the "View-A" box and click "Zoom 100%", as shown below:

Click and drag the "View-A" display as needed to make module A visible, as shown below:

The assembly code is hard to read, but you don't need to understand it all. Focus on the last two instructions:

cmp     [ebp+arg_0], 2
jz      short loc_4113C2

This compares some number to 2 with the cmp (Compare) operation, and jumps to a different module if it is 2, using the jz (Jump if Zero) operation.

C Source Code

Here is the actual C source code for the file you are disassembling. Module A is the assembly code for the first "if" statement, labelled with the yellow "A" box below:

Drag the "View-A" display to make Module C visible, as show below:

Notice the gray readable text on the right side, saying "Usage: crackme-121-1 password".

This module pushes those characters onto the stack with a push command, and then calls the printf function with the call   ds:_imp_printf command.

The figure below shows the C statements that comple to the "C" module:

Follow along in IDA Pro and make sure you see what each of the six modules do, and how they correspond to the C source code.

Adjusting Graph Mode Options

If the code doesn't show line numbers or hexadecimal instructions, click Options, General.

In the IDA Options box, make these changes:

Click OK.

Flag PMA 303.3: Finding the Password (5 pts)

Drag the "View-A" screen to show module "B", as shown below. The password "topsecret" is visible.

The flag is covered by a green box in the image below.


Running the Executable

Click Start, type in CMD, and press Enter to open a Command Prompt window.

In the Command Prompt window, execute these commands:

cd \IDA

crackme-121-1

You should see the message "Usage: crackme-121-1 password", as shown below:

This message is telling you that you need to add a password after the "crackme-121-1".

In the Command Prompt window, execute this command:

crackme-121-1 wrongpassword
You should see the message "Fail!".

In the Command Prompt window, execute this command:

crackme-121-1 topsecret
You should see the message "You found the password!", as shown below:


Flag PMA 303.4: crackme-121-2 (5 pts extra)

Analyze crackme-121-2 in IDA. Find the password. Run the program in a Command Prompt with the correct password and verify that it produces the "Congratulations" message.

The password is the flag.


Flag PMA 303.5: crackme-121-3 (5 pts extra)

Analyze crackme-121-3 in IDA. Find the password. Run the program in a Command Prompt with the correct password and verify that it produces the "Congratulations" message.

The password is the flag.


Flag PMA 303.6: crackme-121-4 (10 pts extra)

Analyze crackme-121-4 in IDA. This one is different. Find the complete command line required to see the "Congratulations" message.

The flag is that complete command line, like this:

notepad.exe topsecret

Modified for WCIL 5-21-19
Renumbered and flags changed for CCSF use 9-3-19