PMA 303c: IDA Pro (20 pts + 20 extra)

What you need:

Purpose

You will practice using IDA Pro Free 7.

Installing IDA Pro Free 7

If you don't have it, download IDA Pro Free here:

https://www.hex-rays.com/products/ida/support/download_freeware.shtml

Install the Windows version with the default options.

Opening Lab05-01.dll in IDA Pro

Launch IDA Pro Free. Agree to the agreement.

In the "IDA: Quick start" box, click New. Navigate to the malware sample Lab05-01.dll and double-click it.

In the "Load a new file" box, Click OK.

IDA opens the file, as shown below:

Adjusting Graph Mode Options

The screen is cluttered. On the left side, close the Functions pane and the "Graph overview" box.

The code doesn't show line numbers or hexadecimal instructions. To fix that, click Options, General.

In the IDA Options box, on the Disassembly tab, in the top right, in the "Display disassembly line parts" section, make these changes, as shown below:

Click OK.

The "graph mode" display is more informative now, as shown below.

Text Mode

Click in the Graph Mode window and press the SPACEBAR.

IDA shows the assembly code in a text-only view, as shown below.

Press the SPACEBAR again to return to Graph Mode.

Finding the Import for gethostbyname

"Gethostbyname" is a Windows API function that can perform a DNS lookup.

In IDA Pro, click View, "Open subview", Imports. Click the Name header to sort by name. Find "gethostbyname", as shown below. (Note that capital letters and lowercase letters sort into separate groups.)

(Another way to search is to type the first few letters of the desired text.)

Double-click gethostbyname.

The code for the function opens in Text mode, as shown below.

In the line numbered .idata:100163CC, click gethostbyname. Yellow highlights appear on both occurrences of that name, as shown below.

Press Ctrl+x to open the "xrefs to gethostbyname" box shown below.

There are many calls to gethostbyname. Double-click the seventh one from the top, at an address of 1001656+101, as highlighted in the image above.

A line appears showing a call to gethostbyname. If it's in text mode, press the SPACEBAR to switch to graph mode.

The function appears, outlined in purple in the image below.

It loads an address named off_10019040 into register eax, adds 13 to it (0xd in hexadecimal), pushes that address onto the stack, and calls gethostbyname.

In the first line of the function, double-click off_10019040.

The Text view shows that this location contains a pointer to a string containing "praticalmalwareanalys", as shown below.

Flag PMA 303.1: Domain Name (10 pts)

For a clearer view, click the "Hex View-1" tab.

The four bytes starting at 10019040 contain a 32-bit address in little-endian order, as highlighted in blue in the figure below.

That address is 10019194. There's a series of ASCII values at that address, outlined in green in the figure below.

Skipping the first 13 bytes leaves a string ending in

.praticalmalwareanalysis.com

as shown below. This is the domain that will be resolved by calling gethostbyname.
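To make the pointer-plus-offset step concrete, here is an added Python example (not part of the original lab and not bytes from the real Lab05-01.dll) that builds a constructed memory image laid out the way the lab describes and recovers the string the code hands to gethostbyname. The addresses 10019040, 10019194 and the 13-byte offset come from the lab; the prefix bytes and the hostname label are constructed placeholders.

```python
import struct

# Addresses as described in the lab; everything else below is constructed.
IMAGE_BASE = 0x10019040        # address of off_10019040 (where the pointer is stored)
PTR_TARGET = 0x10019194        # address the pointer points to
STRING_OFFSET = 0xD            # the 13 bytes the code adds before calling gethostbyname
# Constructed sample hostname; the first label is a placeholder, not the lab's flag.
HOST = b"placeholder.praticalmalwareanalysis.com"


def build_sample_image() -> bytes:
    """Constructed memory image: a little-endian 32-bit pointer at IMAGE_BASE,
    then at PTR_TARGET a 13-byte prefix followed by the hostname and a NUL."""
    image = bytearray(PTR_TARGET - IMAGE_BASE + 64)
    struct.pack_into("<I", image, 0, PTR_TARGET)      # off_10019040 -> 10019194
    prefix = b"X" * STRING_OFFSET                      # placeholder for the skipped bytes
    blob = prefix + HOST + b"\0"
    start = PTR_TARGET - IMAGE_BASE
    image[start:start + len(blob)] = blob
    return bytes(image)


def pointer_bytes_hex(image: bytes, base: int, ptr_addr: int) -> str:
    """The four raw bytes at ptr_addr as IDA's Hex View shows them (little-endian)."""
    off = ptr_addr - base
    return image[off:off + 4].hex(" ")


def resolve_hostname_argument(image: bytes, base: int, ptr_addr: int, offset: int) -> str:
    """Mirror the disassembly: load the 32-bit little-endian pointer stored at
    ptr_addr, add `offset`, and return the NUL-terminated ASCII string found there,
    i.e. the argument pushed for gethostbyname."""
    off = ptr_addr - base
    (target,) = struct.unpack_from("<I", image, off)
    start = target + offset - base
    end = image.index(b"\0", start)
    return image[start:end].decode("ascii")


if __name__ == "__main__":
    img = build_sample_image()
    print("bytes at 10019040:", pointer_bytes_hex(img, IMAGE_BASE, IMAGE_BASE))
    print("gethostbyname argument:",
          resolve_hostname_argument(img, IMAGE_BASE, IMAGE_BASE, STRING_OFFSET))
```

The raw bytes print as "94 91 01 10", which is why the pointer reads as 10019194 rather than 94910110.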

The flag is covered by a green box in the image below.


Examining the Code that References "\cmd.exe /c"

In IDA Pro, click View, "Open subview", Strings. Click the String column header to sort the data.

Scroll down about 2/3 of the way, and find the String "\\cmd.exe /c", as highlighted in the image below.

(Another way to search is to type the first few letters of the desired text.)

Double-click "\\cmd.exe /c". Click the "IDA View-A" tab.

The string appears in text mode, as shown below. Click in the word cmd so it's highlighted and press Ctrl+x. An "xrefs to aCmd_exeC" box appears, as shown below.

In the "xrefs to aCmd_exeC" box, double-click sub_1000FF58+278.

You see the code that uses this string. There are two boxes of code, one that starts a string with "cmd.exe /c" and the other that starts it with "command.exe /c". This looks like a remote shell, executing commands from the botmaster on either a 32-bit or a 16-bit system.

Drag the code boxes down to see the module containing "Hi, Master", as shown below.

This looks like a message the bot sends to the botmaster, further confirming that this is a RAT (Remote Administration Tool).

Flag PMA 303.2: Message (5 pts)

Double-click "Hi, Master" to see more of the referenced strings, as shown below.

The flag is covered by a green box in the image below.

Close IDA. Don't save the database.

Challenges with IDA

Downloading the Files to Examine

Download these files. Create a C:\IDA folder and move them there.

Open a Command Prompt and execute these commands:

cd \IDA
crackme-121-1.exe
crackme-121-1.exe a

The program runs, printing a help message and then "Fail", indicating that the password is incorrect, as shown below.

Launching IDA Pro Free

Start IDA Pro Free.

Load the C:\IDA\crackme-121-1.exe file. If IDA asks about linking debug information, click No. IDA starts with an unhelpful stub loader, as shown below.

In IDA Pro, click View, "Open subview", Strings. Double-click Fail!

The rdata section opens, showing where the string "Fail!" is stored. On the right side, after the "DATA XREF" label, double-click sub_411380, as shown below.

The code appears, as shown below. The top box in the image below compares a string to the word "topsecret" and prints either the winning message or "Fail!".

Obviously the password is "topsecret".

Adjusting Graph Mode Options

If the code doesn't show line numbers or hexadecimal instructions, click Options, General.

In the IDA Options box, make these changes:

Click OK.

Flag PMA 303.3: Finding the Password (5 pts)

Examine the code using the string "topsecret".

The flag is covered by a green box in the image below.


Running the Executable

In the Command Prompt window, execute this command:

crackme-121-1 topsecret

You should see the message "You found the password!", as shown below:

Flag PMA 303.4: crackme-121-2 (5 pts extra)

Analyze crackme-121-2 in IDA. Find the password.

Run the program in a Command Prompt with the correct password and verify that it produces the "Congratulations" message.

The password is the flag.

Flag PMA 303.5: crackme-121-3 (5 pts extra)

Analyze crackme-121-3 in IDA. Find the password.

Run the program in a Command Prompt with the correct password and verify that it produces the "Congratulations" message.

The password is the flag.

Flag PMA 303.6: crackme-121-4 (10 pts extra)

Analyze crackme-121-4 in IDA. This one is different.

Find the complete command line required to see the "Congratulations" message.

The flag is that complete command line, like this:

notepad.exe topsecret

Modified for WCIL 5-21-19
Renumbered and flags changed for CCSF use 9-3-19
Revised for Windows 2016 Server and a later version of IDA 9-25-19
Reformatted with CSS 9-22-20
Small improvements in explanations 3-8-21
Background color changed and video added 4-22-24