Intro

The file is named myaquaticlife.exe. We see that it is packed with UPX, and we can unpack it with upx -d myaquaticlife.exe. At the end of the file we see the string "Created with Multimedia Builder", so we know how this file was created. Luckily I knew what this app was; I used to create some multimedia presentations with this software. We need to get the script used to create this file so we can debug it more easily. We can extract the script with MMUnbuilder.

Unpack the file with

python MMUnbuilder.py -u myaquaticlife.exe

We get a bunch of files in the current directory.

Filename            Explanation
*.gif               Animal pics
index.html          First screen
index2.html         Result screen
fathom.dll          Script DLL
myaquaticlife.mbd   MMB project file

myaquaticlife.mbd is the MMB project file. You can download Multimedia Builder and open this project file. Basically, it shows the index.html page, and each button triggers a script. Let’s check what the first script, Script1, does:

part1$='derelict:MZZWP'
PluginSet("PlugIn","part1$")

All of the scripts do something similar, except Script17:

PluginRun("PlugIn","PluginFunc19")
PluginGet("PlugIn","var1$")
...

Each animal sets some internal strings in the DLL. When you click “What’s your favorite aquatic animal?” it runs Script17, which calls PluginFunc19 from fathom.dll and shows the result. We need to understand what this function does.

Whatever we do, this function only uses the strings from the floatsam and jetsam variables, and the order in which you click the animals to set those variables plays an important role. Open the exe in a debugger, put a breakpoint on PluginFunc19, click all the animals and then finally click “What’s your favorite aquatic animal?”. You will see something like the following:

push    ebx
mov     ebx, esp
sub     esp, 8
and     esp, 0FFFFFFF0h
add     esp, 4
push    ebp
mov     ebp, [ebx+4]
mov     [esp+0Ch+var_8], ebp
mov     ebp, esp
sub     esp, 78h
mov     eax, ___security_cookie
xor     eax, ebp
mov     [ebp-4], eax
movaps  xmm0, xmmword ptr ds:byte_1024F3A0
push    esi
mov     esi, floatsam_ptr
movaps  xmmword ptr [ebp-30h], xmm0
movaps  xmm0, xmmword ptr ds:byte_1024F390
movaps  xmmword ptr [ebp-20h], xmm0
cmp     dword ptr [esi-0Ch], 0
push    edi
jz      @poor
mov     eax, jetsam_ptr
mov     [ebp-78h], eax
cmp     dword ptr [eax-0Ch], 0
jz      @poor

If you analyze this function, you will see that it does the following:

  • Concatenates the two xmmword constants at byte_1024F3A0 and byte_1024F390
  • XORs each byte with the corresponding byte of floatsam
  • Subtracts the corresponding byte of jetsam from each byte
  • Calculates the MD5 of the resulting bytes and compares it with 6c5215b12a10e936f8de1e42083ba184
  • If everything checks out, sends the result back

We need to find the correct permutation of the floatsam and jetsam fragments and compute the result; one of the permutations will give us the flag. Here is a quick script for this.

import hashlib
import itertools

def getPermutations(arr):
    # every ordering of the fragments, each joined into a single string
    permutations = list(itertools.permutations(arr))
    result = []
    for element in permutations:
        result.append(''.join(element))
    return result

def encrypt(fl, jet):
    # the two xmmword constants loaded by PluginFunc19, concatenated
    byte_arr = [0x96, 0x25, 0xA4, 0xA9, 0xA3, 0x96, 0x9A, 0x90, 0x9F, 0xAF, 0xE5, 0x38, 0xF9, 0x81, 0x9E, 0x16, 0xF9, 0xCB, 0xE4, 0xA4, 0x87, 0x8F, 0x8F, 0xBA, 0xD2, 0x9D, 0xA7, 0xD1, 0xFC, 0xA3, 0xA8]
    fl_byte = bytearray(fl.encode('utf-8'))
    jet_byte = bytearray(jet.encode('utf-8'))
    for index in range(len(byte_arr)):
        # XOR with floatsam, then subtract jetsam; both keys repeat over the buffer
        byte_arr[index] = byte_arr[index] ^ fl_byte[index % len(fl)]
        byte_arr[index] = (byte_arr[index] - jet_byte[index % len(jet)]) & 0xFF
    # return raw bytes: the DLL hashes the transformed buffer as-is
    return bytes(byte_arr)

# possible values for floatsam and jetsam
float_array = ['DFWEyEW', 'PXopvM', 'BGgsuhn']
jetsam_array = ['newaui', 'HwdwAZ', 'SLdkv']

float_permutations = getPermutations(float_array)
jetsam_permutations = getPermutations(jetsam_array)

for float_str in float_permutations:
    for jet_str in jetsam_permutations:
        result = encrypt(float_str, jet_str)
        md5_hash = hashlib.md5(result).hexdigest()
        if md5_hash == '6c5215b12a10e936f8de1e42083ba184':
            print("Found: %s" % result.decode('ascii', 'replace'))
            print('Float %s JetSam %s' % (float_str, jet_str))

When we run the script, we get the flag: s1gn_my_gu357_b00k@flare-on.com

Flare-On 2021 Write-ups
