Sample: 61921d13ef1be2285301fceafa6ecd3d0a01d45f71fe620149975d63e92d3612 (PW: infected)
AntiD.exe: PE32 executable for MS Windows (console) Intel 80386 32-bit
The file is packed with UPX, but unfortunately it cannot be unpacked the easy way with the UPX tool itself.
You must unpack it manually. However, there are thousands of tutorials that explain how to do this, so I will not repeat it here.
After unpacking the file (you can download the unpacked version here: AntiD_Dump PW: infected) you can load it into IDA and start looking for suspicious or interesting stuff. I always start with the “Strings Window”.
The strings “Figure the key out:” and “Well done! A+! You get a gold star!\n” look very interesting. Following the cross-references to those strings brings you to the function that performs the check against your input.
I had already renamed the function called before the branch to “checkKey”, because it is quite obvious what is going on here.
Digging deeper into the function, you will see a lot of hex values assigned to variables.
Concatenated, these hex values are most probably the solution. The rest is simple reversing. For the sake of simplicity, here is the annotated decompiled version of the “checkKey” function.
You can see that there are some anti-debugging features in place. You can either flip the relevant flags in the debugger to avoid tripping one of these checks, or patch them out. During debugging I thought the latter would be easier, so I patched everything out.
After understanding the logic of this code, I wrote a simple Python script to reverse the hex values.
key = [0x8c, 0xf1, 0x53, 0xa3, 0x08, 0xd7, 0xdc, 0x48, 0xdb, 0x0c, 0x3a, 0xee, 0x15,
       0x22, 0xc4, 0xe5, 0xc9, 0xa0, 0xa5, 0x0c, 0xd3, 0xdc, 0x51, 0xc7, 0x39, 0xfd, 0xd0, 0xf8,
       0x3b, 0xe8, 0xcc, 0x03, 0x06, 0x43, 0xf7, 0xda, 0x7e, 0x65, 0xae, 0x80]
out = ""   # decoded key, one character per input byte
v2 = 0     # running sum of the bytes processed so far (kept to 8 bits)
for k in key:
    a = (k ^ v2) & 0xff      # undo the xor with the running sum
    b = (a + 0x66) & 0xff
    c = (b ^ 0x55) & 0xff
    d = (c - 0x44) & 0xff
    e = (d ^ 0x33) & 0xff    # recovered plaintext byte
    out += chr(e)
    v2 = (v2 + k) & 0xff     # the sum is taken over the encoded bytes
print(out)
Running the script will display the key for the next round:
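As an added example (not the author's script), here is the same decoder next to the forward transform reconstructed as its step-by-step inverse, so the decoded key can be verified by re-encoding it. The forward routine is an assumption derived from the decoding steps above, not lifted from the decompiled “checkKey”.

```python
# Added example, not part of the original write-up.
# The 40 bytes below are the ones recovered from checkKey.
KEY = bytes([0x8c, 0xf1, 0x53, 0xa3, 0x08, 0xd7, 0xdc, 0x48, 0xdb, 0x0c, 0x3a, 0xee,
             0x15, 0x22, 0xc4, 0xe5, 0xc9, 0xa0, 0xa5, 0x0c, 0xd3, 0xdc, 0x51, 0xc7,
             0x39, 0xfd, 0xd0, 0xf8, 0x3b, 0xe8, 0xcc, 0x03, 0x06, 0x43, 0xf7, 0xda,
             0x7e, 0x65, 0xae, 0x80])


def decode(blob: bytes) -> str:
    """Undo the transform seen in checkKey: xor running sum, +0x66, ^0x55, -0x44, ^0x33."""
    out, acc = [], 0
    for k in blob:
        a = k ^ acc                 # remove the running-sum mask
        b = (a + 0x66) & 0xff
        c = b ^ 0x55
        d = (c - 0x44) & 0xff
        e = d ^ 0x33                # recovered plaintext byte
        out.append(chr(e))
        acc = (acc + k) & 0xff      # the sum runs over the encoded bytes
    return "".join(out)


def encode(text: str) -> bytes:
    """Assumed forward transform: each decode step inverted, applied in reverse order."""
    out, acc = bytearray(), 0
    for e in text.encode("latin-1"):
        d = e ^ 0x33
        c = (d + 0x44) & 0xff
        b = c ^ 0x55
        a = (b - 0x66) & 0xff
        k = a ^ acc                 # mask with the sum of bytes already emitted
        out.append(k)
        acc = (acc + k) & 0xff      # identical bookkeeping to decode()
    return bytes(out)


if __name__ == "__main__":
    recovered = decode(KEY)
    print(recovered)
    # Sanity check: re-encoding the recovered text must reproduce the bytes
    # pulled out of the binary, otherwise one of the steps was inverted wrongly.
    print("round trip ok:", encode(recovered) == KEY)
```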