Finally Flareon6 from FireEye was over and I’m here want to share about one of the challenges which is bmphide (challenge 6) as it is very interesting for me since the challenge requires me to:
- Identify the LSB that hides the flag data
- Bypass anti-debug in C# binary
- Write a decoder to reverse them
Tools Used:
- dnspy (C# Decompiler)
- Basic text editor
Ok! Let’s get started.
Identify the LSB that hides the flag data
First I will identify which bits used in hidding the data by looking at the code in function (i) which will insert the pixel into the picture.
This is my first time to encounter with the LSB steganography, so I google about it and i found this link is very useful for me to understand the overall process.
From the code, it can see that it hides the data in the last few bits of each rgb in the pixel.
The equation in the red, green and blue does get my attention as there are the lines that perform the LSB hiding in each pixel. Before explain further on each lines function. Let’s solving the Program.j() function first for better understanding later.
Solving the Program.j() to get the value:
- Program.j(228) = 7
- Program.j(230) = 3
- Program.j(100) = 6
- Program.j(27) = 248
- Program.j(25) = 252
int red = ((int)pixel.R & 248) | ((int)data[num] & 7);int green = ((int)pixel.G & 248) | (data[num] >> 3 & 7);int blue = ((int)pixel.B & 252) | (data[num] >> 6 & 3);
It can see that each pixel is & (AND) with 248, 252 then | (OR) with the encrypted data that & (AND) or >> (LEFT SHIFT) followed by & <number>. The >> is really catch my attention as it move the bits of the byte to end (Most Right Hand Side) of the bytes. It will be more understandable in visual mode.
E.g. Hide data = 01011010, pixel.(R/G/B) = 01111010
In line int red (no shift operation)
1st = 01111010 & 248 (11111000) = 120 (01111000)
2nd = 00001010 & 7 (00000111) 00001010
& 00000111 (7)
-----------
00000010
-----------In line int green
1st = 01111010 & 248 (11111000) = 120 (01111000)
2nd = 01011010 >> 3 = 00001011 (Left shift bits by 3 times)
00001011 & 7 (00000111) 00001011
& 00000111 (7)
-----------
00000011
-----------In line int blue
1st = 01111010 & 252 (11111100) = 120 (01111000)
2nd = 01011010 >> 6 = 00000001 (Left shift bits by 6 times)
00000001 & 3 (00000011) 00000001
& 00000011 (3)
-----------
00000001
-----------1st | 2nd = merge both 1st and 2nd into a slightly modified color pixel
* | is XOR
As we can see, each pixel will store one byte of the hidden data (8 bits = 1 byte). To recover the data, just reverse the left shift operation (right shift) for the line green and blue.
line blue
00000001 << 6 = 01000000line green
00000011 << 3 = 00011000line red (no shift)
01011010 = 01011010Combine them together:
01 011 010 == 01 011 010 (original data)
That’s all for the LSB hidding part, then create your own script to extract the correct LSB and save it to a file. 😃 Here’s mine.
Bypass anti-debug & obfuscation in C# binary
To bypass StackOverflowException, I used a very LOL way which I created two very big bmp file and run it with the binary so that i can have enough time attach the process with dnspy. 😝
During the analysis process, it can see that there was some changes when I step in code function in function (h):
- Program.f() to Program.g()
- Program.a() to Program.b()
- Program.c() to Program.d()
In Static Analysis, I’m only able to see the function VerifySignature swaps the pointer of two of the function called. It is the first 2 obfuscation used in the binary.
After reading others writeup, the Marshal Call In A.IncrementMaxStack() did the last obfuscation. More details here.
Write a decoder to reverse them
For this one, I manually write down all the number produced for each line in Program.b() and Program.e() and figure out how to reverse it. It only spend you few time for figure it out. 😝 >> Script <<.
This is my way to solve this challenge. However, it is lack of details in anti-debug, obfuscation. Will try to read other people’s writeup to understand how does the anti-debug and obfuscation works.
Self-Thought
This is my first time participate in FlareOn Challenge and i never expected that I’m able to solve 8 out of 12 Challenges. Thanks for anyone who gave me hints along the waeee to make this happened. 😃
Reference
https://www.boiteaklou.fr/Steganography-Least-Significant-Bit.html
https://medium.com/@hegongdao/flareon6-6-c6d6bc26d5e2
