Thursday, January 16, 2020

Reverse engineering an encryption binary using IDA


A step by step SANS KingleCon2 2019 holiday hack challenge case study 

This article was also published as part of my write-up at the following URL: 
https://medium.com/@walid.daboubi/sans-kringlecon-holiday-hack-challenge-2019-write-up-b47dbb7ce0c1

Context 

  • The encrypted document saved to encrypted_test_document.txt
  • A seed: 1578901591
  • An encryption key: 6eec852fbca5a71c
  • A secret id: bca2ff81-fdd5–4ac3–8aa4-a2d4e2b45154




Yes as you guessed, the next step is to have a look at the shark 



As we are trying to understand how does the encryption work, let’s try We can then check the do_encrypt function.
We can see that it starts by reading the file to encrypt
It then imports the key, encrypts the input file and finally stores the key
As we are interested to get how the key is generated, we will have a look at generate_key function.
As we can see, generate_key function is calling time function and then giving the the result (stored in EAX) as an input for super_secure_srandfunction.


What we can conclude it that the key generation may be based on current. The make sure about this conclusion we can make a small experience:
  • Add a breakpoint at push EAX before calling super_secure_srand

  • Check the value returned by time (stored at EAX)
  • Modify the value of EAX
  • Check if the value returned by generate_key changes if we change the time. This could be done by adding a breakpoint at push EAXjust before calling print_hex (because we are pushing a value that contains a the key to be displayed to the stack, as an argument for the function call. And since we are pushing EAX, it should contain the key)

Truth moment, let run the executable. This could be done by adding the necessary arguments by using Debugger->Process options.
We now can run the executable.
As we can see below It breaks at the first breakpoint, we double click on the RAX in General registers list to get the value currently stored in EAX. It displays 0x000000005E1C3235which is 1578906165,hum it looks like a timestamp. Yes, indeed it’s the current time Monday, January 13, 2020 9:02:45 AM.
What we can do now is the modify the value stored in EAX (the timestamp) with the seed (yes, it’s a timestamp, we can check it by converting it to human readable time) we get when testing the executable in the beginning (1578901591) and check if we get the same key(6eec852fbca5a71c).
By keeping in the same breakpoint, we change the value stored in EAX:
We continue the execution until the next breakpoint we defined. And check the value of the key (stored in EAX before getting pushed to the stack).
As we can see in the previous instruction just before push, we moved a memory address the EAX. Let’s check the value of EAX (the memory address).

Let’s now check the content of that address by clicking on jump in a new window.
And, bingo It contains the key 6eec852fbca5a71c
We now are totally sure that the key is generated based on the timestamp.
As the the Elfscrow.exe uses the same key generated at encryption to decrypt the encrypted file, and as we now that the encryption was done on Dec 12thbetween 7pm and 9pm. We can consider writing a program that given a timestamp produces a key using the same logic in Elfscrow.exe and that trying all the timestamps between Dec 12th7pm and Dec 12th9pm. Before applying this idea we need to understand two things:
  • What is the logic Elfscrow.exe uses to generate key based on a timestamp
  • How does the decryption work in term of used functions/librarie.


Step3

Understanding how is the function generate_key transforming the seed (timestmap) to a key
When having a look at the code in generate_key function we can see two interesting function, super_secure_srand and super_secure_rand.
super_secure_srand is taking the content of EAX (which is the timestamp) as argument. We concluded this in the previous experiment above.
Let’s have a look inside super_secure_srand
We we can to get a more concrete idea of what it is doing, we set a breakpoint at mov state, ecx and check the value of ECX.
It contains the same seed value 1578901591. We now know that this function set the state variable to variable to the seed value.
Let’s now have a look at super_secure_random function.
The first thing we can notice is that it is using the state variable which contains the seed value. Let’s try to figure out what is this function doing.
As we can see starting from the @ 012B1DC3 it:
  • It sets EAX to state (the seed value)
  • It multiplies the seed by 343FDh and save the result in EAX
  • It adds 269EC3h to EAX
  • Saves the value of EAX in state
  • Save the value of state in EAX
  • Shifts 10h bits of EAX to the right
  • Make and ADD operation of EAX and 7FFFh and save the result to EAX

Interesting, we now know how does super_secure_random work. When we get outside the function we can see that it is put inside a loop that repeats 8 (which is the key length) times.
  • Update EAX to it’s new value (using super_secure_random)
  • Copy the low part (AL) of the value store in EAX to ECX
  • Make and ADD operation of ECX and 0FFh and save the result to ECX
  • Append CL to a memory address stored in EDX
To get more sense about what’s happening let’s set a break point at the @ 0x012B1E4B and keep watching the content of CL (Low part of ECX)for the 8 iteration.
Well, we know understand that chunks of the key are stored on every iteration in CL to finally get final key 6eec852fbca5a71c which will be stored at [EDX].
Now that we know the algorithm used to generate the key we can easily write a C program to imitate it, something like (it worked for me):
#include <stdio.h>
#include <windows.h>
#include <strsafe.h>

long multiply(long long x, long long y) {

    return  (long)x * y;
}
int main() {
    long timestamp = 1578901591;
    int KEY_LENGTH = 8;
    long seed = timestamp;
    long state = 0;
    char* hex_chunk = "";
    char key[16] = "";
    int len;
    for (int i = 0; i < KEY_LENGTH; i++) {
        hex_chunk = "";
        state = multiply(seed, 0x343FD);
        state = state + 0x269EC3;
        seed = state;
        state = state >> 0x10;
        state = state & 0x7FFF;
        sprintf(hex_chunk, "%x", state);
        len = strlen(hex_chunk);
        const char* last_two = &hex_chunk[len - 2];
        strcat(key, last_two);
    }
    printf("The seed value is %i\n", timestamp);
    printf("The key value is %s\n", key);
}

This program could be fount at: https://github.com/slrbl/SANS-KringleCon-Holiday-Hack-Challenge-2019/blob/master/10/key_gen.c 

After compiling the code, we execute it and we get the following:
We are now able to generate a timestamp based key using the same logic in Elfscrow.exe ;)

Step4

Understand how is the decryption done (from operational/API point of view)
Let’s start by having a look at the content of do_decrypt function:
This function is calling three main functions:
We observe that each of the above functions takes the result of the precedent one as a parameter (with other parameters).
After a small research we conclude that those function belongs to Windows Wincrypt.h. Documentation about the functions could be done found at https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptimportkey.

Step5

Putting all together: Coding time 
Now that we know how to generate a key with the same logic used in Elfscrow, that the key was generated on Dec 12thbetween 7pm and 9pm and how to use Wincryp API, we can finally write program to decrypt the document and get the original PDF. The C program could be found at: https://github.com/slrbl/SANS-KringleCon-Holiday-Hack-Challenge-2019/blob/master/10/decryp.c

Step6

Bingo time  
The git repository contains a precompiled executable of the decryption program we wrote. But in case you do modification, you can compiling using cl (Visual Studio developer tools) command as the following:

After compiling the program, we launch it and keep waiting until a file with the same size as ElfUResearchLabsSuperSledOMaticQuickStartGuideV1.2.pdf.enc appears in the output files. Please not that the result will be saved in ./result folder.
The following is an example of launching the decryption program and the output you get when it succeeds:

...





















After a while, we get the decrypted PDF decrypted_dest_1575663650.pdf. According to the timestamp, it was encrypted at Friday, December 6, 2019 8:20:50 PM.
The decrypted document could be found at: https://github.com/slrbl/SANS-KringleCon-Holiday-Hack-Challenge-2019/blob/master/10/decrypted_dest_1575663650.pdf

The document first page is:


Thank you and enjoy!