Insomni’hack 2013 – recycle.exe

The main idea behind this challenge came after reading an article in Valhalla magazine about inline JScript for implementing cryptography in malware targeting Windows.

The first thing that we can look out for is what is done with the process argument or where it is stored in memory:

[code language="bash"]
.text:00E211C7 mov eax, [ebp+argv]
.text:00E211CA xor esi, esi
.text:00E211CC mov [esp+54h+var_3C], eax
[/code]

Another function that looks interesting is the one named check, which has two cross-references:

[code language="bash"]

This function calls the run method of a MSScriptControl class instance (which is set to execute 'JScript' at the beginning of the main function). Back at our argument, the first cross-reference leads us to this code:

[code language="bash"]
.text:00E215B3 mov eax, offset _Ptr ; "(\"b\"==\""
.text:00E215B8 lea esi, [esp+54h+str]
.text:00E215BC call ?assign
.text:00E215C1 mov edx, [esp+54h+var_3C]
.text:00E215C5 mov eax, [edx+4]
.text:00E215C8 mov bl, [eax+2]
.text:00E215CB call ?append
.text:00E215D0 push 0Ah
.text:00E215D2 mov eax, offset a?10 ; "\") ? 1 : 0"
.text:00E215D7 mov ecx, esi
.text:00E215D9 call ?append
[/code]

We can see that argv[1][1] is copied into bl (don't be fooled by eax+2: the argument is a Unicode string, so byte offset 2 is the second character), which builds the following string

[code language="bash"]
("b"=="<argv[1][1]>") ? 1 : 0
[/code]

and calling check. The next xref to the second argument leads to:

[code language="bash"]
.text:00E21634 mov ebx, [esp+54h+var_3C]
.text:00E21638 mov eax, [ebx+4]
.text:00E2163B cmp word ptr [eax], 2Eh

.text:00E21645 cmp word ptr [eax+6], 3Bh
[/code]

Meaning that argv[1][0] is tested against 0x2e ('.') and argv[1][3] against 0x3b (';').

The second xref to check leads us to this code creating the following string:

[code language="bash"]
("X"=="<argv[1][2] + 10>") ? 1 : 0
[/code]

and running it in the JScript engine:

[code language="bash"]
.text:00E21666 mov byte ptr [eax], 0
.text:00E21669 mov eax, offset asc_E2453C ; "(\"X\"==\""
.text:00E2166E lea esi, [esp+54h+str]
.text:00E21672 call ?assign
.text:00E21677 mov ecx, [ebx+4]
.text:00E2167A mov bl, [ecx+4]
.text:00E2167D add bl, 0Ah
.text:00E21680 call ?append
.text:00E21685 push 0Ah
.text:00E21687 mov eax, offset a?01 ; "\") ? 0 : 1"
.text:00E2168C mov ecx, esi
.text:00E2168E call ?append
[/code]

Linking everything back together, our input should be the string '.bN;'. Entering this value gives us the following output:

[code language="bash"]
Password validated...
Starting incinerator
[/code]
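To tie the four checks together, here is an added JavaScript re-creation of the validation logic (my own code, not the challenge binary's): it builds the two JScript snippets exactly as the disassembly shows (prefix, one byte taken from the UTF-16 argument, suffix; the second suffix is the ") ? 0 : 1" from the string comment), evaluates them the way the script control would, applies the two direct word comparisons, and inverts the constraints to recover the expected argument. Function names such as wideByteAt and runSnippet are my own.

```javascript
// Added example: reconstruction of recycle.exe's argument checks from the
// disassembly above. Not the binary's own code; names are assumptions.

// The binary reads argv[1] as a UTF-16 string and loads single BYTES at even
// offsets (eax+2, eax+4, eax+6). Mirror that: a byte offset maps to the low
// byte of the UTF-16 code unit at index offset/2.
function wideByteAt(str, byteOffset) {
  if (byteOffset % 2 !== 0 || byteOffset / 2 >= str.length) return 0;
  return str.charCodeAt(byteOffset / 2) & 0xff;
}

// First snippet: '("b"=="' + argv[1][1] + '") ? 1 : 0'
function buildFirstSnippet(arg) {
  return '("b"=="' + String.fromCharCode(wideByteAt(arg, 2)) + '") ? 1 : 0';
}

// Second snippet: '("X"=="' + (argv[1][2] + 10) + '") ? 0 : 1'
// 'add bl, 0Ah' is an 8-bit add, so the sum wraps in a byte.
function buildSecondSnippet(arg) {
  const ch = (wideByteAt(arg, 4) + 0x0a) & 0xff;
  return '("X"=="' + String.fromCharCode(ch) + '") ? 0 : 1';
}

// Stand-in for the MSScriptControl run call: evaluate the generated JScript
// expression and return its numeric result.
function runSnippet(src) {
  return new Function('return (' + src + ');')();
}

// The two direct comparisons: word at [eax] == 0x2e '.', word at [eax+6] == 0x3b ';'
function directChecks(arg) {
  return arg.charCodeAt(0) === 0x2e && arg.charCodeAt(3) === 0x3b;
}

// Invert the constraints: '.', 'b', the char that becomes 'X' after +10, ';'
function solve() {
  return '.' + 'b' + String.fromCharCode('X'.charCodeAt(0) - 0x0a) + ';';
}
```

Run with Node: `solve()` returns the input used above, and the two snippets built from it evaluate to 1 and 0 respectively, matching the ternaries in the string constants.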