[CTF Series #7] FlareOn-6 bmphide In LOL Way

Finally Flareon6 from FireEye was over and I’m here want to share about one of the challenges which is bmphide (challenge 6) as it is very interesting for me since the challenge requires me to:

  • Identify the LSB that hides the flag data
  • Bypass anti-debug in C# binary
  • Write a decoder to reverse them

Tools Used:

  • dnspy (C# Decompiler)
  • Basic text editor

Ok! Let’s get started.

Identify the LSB that hides the flag data

First I will identify which bits used in hidding the data by looking at the code in function (i) which will insert the pixel into the picture.

This is my first time to encounter with the LSB steganography, so I google about it and i found this link is very useful for me to understand the overall process.

From the code, it can see that it hides the data in the last few bits of each rgb in the pixel.

The equation in the red, green and blue does get my attention as there are the lines that perform the LSB hiding in each pixel. Before explain further on each lines function. Let’s solving the Program.j() function first for better understanding later.

Solving the Program.j() to get the value:
- Program.j(228) = 7
- Program.j(230) = 3
- Program.j(100) = 6
- Program.j(27) = 248
- Program.j(25) = 252

int red = ((int)pixel.R & 248) | ((int)data[num] & 7);int green = ((int)pixel.G & 248) | (data[num] >> 3 & 7);int blue = ((int)pixel.B & 252) | (data[num] >> 6 & 3);

It can see that each pixel is & (AND) with 248, 252 then | (OR) with the encrypted data that & (AND) or >> (LEFT SHIFT) followed by & <number>. The >> is really catch my attention as it move the bits of the byte to end (Most Right Hand Side) of the bytes. It will be more understandable in visual mode.

E.g. Hide data = 01011010, pixel.(R/G/B) = 01111010
In line int red (no shift operation)
1st = 01111010 & 248 (11111000) = 120 (01111000)
2nd = 00001010 & 7 (00000111)
00001010
& 00000111 (7)
-----------
00000010
-----------
In line int green
1st = 01111010 & 248 (11111000) = 120 (01111000)
2nd = 01011010 >> 3 = 00001011 (Left shift bits by 3 times)
00001011 & 7 (00000111)
00001011
& 00000111 (7)
-----------
00000011
-----------
In line int blue
1st = 01111010 & 252 (11111100) = 120 (01111000)
2nd = 01011010 >> 6 = 00000001 (Left shift bits by 6 times)
00000001 & 3 (00000011)
00000001
& 00000011 (3)
-----------
00000001
-----------
1st | 2nd = merge both 1st and 2nd into a slightly modified color pixel
* | is XOR

As we can see, each pixel will store one byte of the hidden data (8 bits = 1 byte). To recover the data, just reverse the left shift operation (right shift) for the line green and blue.

line blue
00000001 << 6 = 01000000
line green
00000011 << 3 = 00011000
line red (no shift)
01011010 = 01011010
Combine them together:
01 011 010 == 01 011 010 (original data)

That’s all for the LSB hidding part, then create your own script to extract the correct LSB and save it to a file. 😃 Here’s mine.

Bypass anti-debug & obfuscation in C# binary

To bypass StackOverflowException, I used a very LOL way which I created two very big bmp file and run it with the binary so that i can have enough time attach the process with dnspy. 😝

During the analysis process, it can see that there was some changes when I step in code function in function (h):

  • Program.f() to Program.g()
  • Program.a() to Program.b()
  • Program.c() to Program.d()

In Static Analysis, I’m only able to see the function VerifySignature swaps the pointer of two of the function called. It is the first 2 obfuscation used in the binary.

Code to change the pointer of the function called which you cant see with plain sight 😈

After reading others writeup, the Marshal Call In A.IncrementMaxStack() did the last obfuscation. More details here.

Write a decoder to reverse them

For this one, I manually write down all the number produced for each line in Program.b() and Program.e() and figure out how to reverse it. It only spend you few time for figure it out. 😝 >> Script <<.

Code Snippet of Decoder
Code Snippet of Encryption From Original Binary (Beware of Program.(f/a/c) 😈)
Flag YEAH!!!!

This is my way to solve this challenge. However, it is lack of details in anti-debug, obfuscation. Will try to read other people’s writeup to understand how does the anti-debug and obfuscation works.

Self-Thought

This is my first time participate in FlareOn Challenge and i never expected that I’m able to solve 8 out of 12 Challenges. Thanks for anyone who gave me hints along the waeee to make this happened. 😃

Yeah!! Statisfied with my first FlareOn results. Aim for higher next year. 😊

Reference

https://www.boiteaklou.fr/Steganography-Least-Significant-Bit.html
https://medium.com/@hegongdao/flareon6-6-c6d6bc26d5e2

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec