Decrypting Binaries Dropped by Exploit Kits

Spent some time analyzing the exploit kits. Some exploit kits/packs transfers the binaries in encrypted form. Many a times it is good if we have a customer decryptor for these binaries, so that we don’t need to setup vulnerable environments. Only very few Exploit Kits download binaries in encrypted form. If you have any captures that does not work with this, please let me know.

Angler EK:

#define KEY_LEN 8
bool decryptme(char *buffer, long bSize)
{
    unsigned char key[KEY_LEN]= {0x00};
    long index=0;
    int i=0;
    long remainingCount= bSize%8;

    if(bSize < 48){
        return false;
    }

    memcpy(&key[0],(void*)&buffer[0x20], KEY_LEN);

    printhex(key, KEY_LEN);

    for(; index < bSize-remainingCount;){
        for(i=0; i < KEY_LEN;i++)
            buffer[index+i] ^= key[i];

        index = index + KEY_LEN;
    }

    for(i=0; i < remainingCount;i++)
        buffer[index+i] ^= key[i];
    return true;
}

Fiesta EK:

unsigned int first4= *(unsigned int*)buffer;
unsigned int second4= *(unsigned int*)(buffer+4);

if ((first4 ^ second4) == 0x50545346){
    //printf(“Method2\n”);
    decryptedbuffer= decryptmeMethod2(buffer,&lSize);
} else {
    //printf(“Method1\n”);
    decryptedbuffer= decryptme(buffer,lSize);
}

#define KEY_LEN 256
unsigned char * decryptme(char *buffer, long bSize)
{
    unsigned char key[KEY_LEN]= {0x00};
    long index=0;
    int i=0;
    int gins=0;
    unsigned char *encrypted= NULL;

    printf(“Decrypting…of size: %d\n”, bSize);

    if(bSize < KEY_LEN){
        return NULL;
    }

    printf(“Key size: %d\n”, KEY_LEN);
    memcpy(&key[0],(void*)&buffer[0], KEY_LEN);
    printhex(key, KEY_LEN);

    encrypted= (unsigned char*)&buffer[KEY_LEN];

    printf(“Decrypting buffer of size: %d\n”, bSize-KEY_LEN);

    for(; i < bSize-KEY_LEN; i++){
        index = index + 1 & 0xFF;
        gins = gins + key[index] & 0xFF;
        int j = key[index];
        key[index] = key[gins];
        key[gins] = (unsigned char)j;
        int k = key[index] + key[gins] & 0xFF;
        encrypted[i] = ((unsigned char)(encrypted[i] ^ key[k]));
    }
    printf(“Finished decrypting…\n”);
    return encrypted;
}

unsigned char * decryptmeMethod2(char *buffer, long* bSize)
{
    //[first4 bytes is XOR key] [second fourbyte] [length (XOR with first four bytes)] [CRC]
    buffer+= 16;
    *bSize= *bSize – 16;
    buffer= (char*)decryptme(buffer, *bSize);
    bool found= false;
    char *tmpbuffer= buffer;
    long tmpsize= *bSize;

    while(!found && tmpsize){
        while( *tmpbuffer != 0x4D){
            tmpbuffer += 1;
            tmpsize-= 1;
        }

        if( *(tmpbuffer + 1) == 0x5A){
            found= true;
            break;
        } else {
            tmpbuffer += 1;
            tmpsize-= 1;
        }
    }
    if(found){
        buffer= tmpbuffer;
        *bSize= tmpsize;
    }
    return (unsigned char *)buffer;
}

GoonEK:

#define KEY_LEN 256
unsigned char * decryptme(char *buffer, long bSize)
{
    unsigned char key[KEY_LEN]= {0xFA,0x4B,0xF6,0x11,0x50,0xA6,0x82,
                                 0xEF,0xC8,0x27,0x9E,0xDC,0x3B,0xEB,
                                 0xDD,0x5C,0x0F,0x2D,0x49,0x25,0xAF,
                                 0x77,0xE4,0xA0,0x68,0x23,0x79,0xE2,
                                 0x47,0x6A,0x2C,0x7E,0x57,0xDF,0xBF,
                                 0x44,0x9B,0x40,0xB5,0x85,0x61,0xE6,
                                 0xA8,0x21,0x07,0x52,0x09,0xB6,0x22,
                                 0x46,0x75,0xFC,0x62,0x0C,0x38,0x0B,
                                 0x00,0x13,0x9F,0x72,0xDE,0x8B,0x59,
                                 0x8F,0xB2,0x90,0xD0,0x12,0x81,0xC6,
                                 0x24,0x4F,0x63,0xAD,0xD5,0x51,0x80,
                                 0xF1,0xA2,0x55,0x87,0xE3,0xE9,0xB4,
                                 0x19,0x5E,0x76,0x4D,0x95,0xC5,0x03,
                                 0xAE,0x2A,0x1D,0x10,0x31,0x53,0x36,
                                 0x97,0x28,0xFD,0x98,0x3D,0xEC,0x1C,
                                 0xD1,0x92,0xF3,0x15,0x0A,0x84,0x74,
                                 0xD9,0xB3,0xC3,0x08,0x73,0x94,0xD6,
                                 0xB8,0xD2,0x70,0xE7,0x8E,0xEA,0x93,
                                 0x7F,0x58,0x3C,0x2B,0x1A,0x34,0x78,
                                 0xCC,0xEE,0xC7,0xA1,0x7B,0xBA,0x88,
                                 0xDA,0xCA,0x04,0x71,0xD4,0x6E,0x83,
                                 0xBE,0x6C,0x4E,0xA5,0x6F,0xBB,0x05,
                                 0x6D,0x16,0xC4,0xB9,0xF7,0x8A,0x0E,
                                 0x29,0xCD,0x18,0xBD,0x7C,0xF9,0x67,
                                 0x6B,0x1B,0x9D,0x02,0xAA,0x4A,0x35,
                                 0x33,0x26,0xB0,0x1F,0x86,0x2E,0xF4,
                                 0xA3,0x4C,0xFE,0x42,0xD7,0x5A,0x65,0xE1,
                                 0x9A,0x56,0xCB,0x3A,0x3F,0xE8,0xD3,
                                 0xD8,0x91,0xB7,0x01,0x5D,0x30,0xAB,
                                 0xA7,0xAC,0x37,0x60,0xC2,0x06,0x69,
                                 0xED,0x9C,0xA9,0x7A,0x41,0x5B,0x20,
                                 0x96,0xC1,0x3E,0x43,0xE0,0x5F,0x2F,
                                 0x32,0x45,0x66,0xB1,0xBC,0xA4,0xE5,
                                 0xC0,0x7D,0x17,0x1E,0xFF,0xCE,0x48,
                                 0x8C,0x8D,0xC9,0x99,0x14,0x0D,0x54,
                                 0xF8,0xFB,0xCF,0xF2,0x64,0xF5,0xDB,
                                 0xF0,0x89,0x39};
    long index=0;
    int i=0;
    int gins=0;
    unsigned char *encrypted= NULL;

    printf(“Decrypting…of size: %d\n”, bSize);

    printf(“Key size: %d\n”, KEY_LEN);
    printhex(key, KEY_LEN);

    encrypted= (unsigned char*)&buffer[0];

    printf(“Decrypting buffer of size: %d\n”, bSize);

    for(; i < bSize; i++){
        index = index + 1 & 0xFF;
        gins = gins + key[index] & 0xFF;
        int j = key[index];
        key[index] = key[gins];
        key[gins] = (unsigned char)j;
        int k = key[index] + key[gins] & 0xFF;
        encrypted[i] = ((unsigned char)(encrypted[i] ^ key[k]));
    }
    printf(“Finished decrypting…\n”);
    return encrypted;
}

Advertisements
This entry was posted in Exploit Kit and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s