Phonetic — HacktivityCon 2021
To begin with, I was given an obfuscated PHP file, so my first task was to figure out what the code was doing. Since the original code was so hard to follow, I deobfuscated it.
Exclusive OR (XOR)
The first part of the code is a function that takes two arguments: the obfuscated malware and a key string. The two are XORed together, and the result, the malware, is returned.
Encrypted Malware
The malware is heavily obfuscated: not only is it XORed with some string, but it is also base64-encoded twice.
Decode Malware
This line of code takes the malware and passes it into the base64_decode function. The result is then XORed with the string “tVEwfwrN302” and finally passed through another base64_decode, which completes the decoding. Once $source is printed, more PHP code is displayed.
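The three-layer unwrapping described above, reimplemented in Python as an added example (this is not the challenge's PHP or the author's script). It assumes the PHP XOR loop cycles the key over the payload length, which the write-up does not show; the real obfuscated blob is not on the page either, so a harmless sample is built with the forward transform and then decoded:

```python
import base64

# Key string quoted in the write-up; the PHP XORs the payload against it.
KEY = "tVEwfwrN302"


def xor_with_key(data: bytes, key: str) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed.

    Assumption: the PHP function cycles the key over the payload length
    (the usual $key[$i % strlen($key)] idiom); the write-up does not show
    the loop itself.
    """
    kb = key.encode()
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(data))


def deobfuscate(blob: str, key: str = KEY) -> bytes:
    """Undo the layers in the order the write-up describes:
    base64_decode -> XOR with key -> base64_decode."""
    layer1 = base64.b64decode(blob)      # outer base64
    layer2 = xor_with_key(layer1, key)   # XOR is its own inverse
    return base64.b64decode(layer2)      # inner base64 -> the real PHP source


def obfuscate(plain: bytes, key: str = KEY) -> str:
    """Apply the same layers forward; used here only to build a test sample."""
    inner = base64.b64encode(plain)
    return base64.b64encode(xor_with_key(inner, key)).decode()


# Constructed sample: a harmless stand-in for the real $source, wrapped with
# obfuscate() so the script runs offline. The real blob is not on the page.
SAMPLE_PLAIN = b"<?php echo 'hello from $source'; ?>"
SAMPLE_BLOB = obfuscate(SAMPLE_PLAIN)


def recovered_source() -> bytes:
    """Run the decoder over the constructed blob and return the PHP source."""
    return deobfuscate(SAMPLE_BLOB)


if __name__ == "__main__":
    print("obfuscated:", SAMPLE_BLOB)
    print("recovered: ", recovered_source().decode())
```

When working on the real file, replace SAMPLE_BLOB with the string literal from the PHP; if the output is not valid base64 after the XOR step, the key-cycling assumption is wrong and the original loop needs a closer look.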
Within the malware are two variables named $back_connect_p and $bind_port_p. Both contain base64-encoded data.
bind_port_p
After decoding bind_port_p, I found Perl code with nothing really interesting in it, so next I took a look at back_connect_p.
back_connect_p
Flag maybe 🤔
The highlighted code seemed more interesting; after some research I found that this is uuencode, a binary-to-text encoding.
begin 644 /dev/stdout
F9FQA9WLY8C5C-#,Q,V0Q,CDU.#,U-&)E-C(X-&9C9#8S9&0R-GT``
end
The command-line utility uudecode decodes this format. It takes a file as input, so I stored the above code block in a file named “flag.txt”.
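The same decode done in Python with the standard library, as an added example rather than the author's command. It parses the block exactly as printed above (header, data line, end marker) and uses binascii.a2b_uu, which decodes one uuencoded line at a time and tolerates the trailing backtick padding seen on the data line:

```python
import binascii
from typing import NamedTuple

# The uuencoded block exactly as it appears in the write-up.
UU_BLOCK = """\
begin 644 /dev/stdout
F9FQA9WLY8C5C-#,Q,V0Q,CDU.#,U-&)E-C(X-&9C9#8S9&0R-GT``
end
"""


class UUFile(NamedTuple):
    mode: int     # permission bits from the header (octal in the text)
    name: str     # output file name the header asks uudecode to write
    data: bytes   # decoded content


def decode_uuencoded(text: str) -> UUFile:
    """Decode a uuencoded block: 'begin <mode> <name>', data lines, 'end'."""
    lines = text.splitlines()
    header = next(l for l in lines if l.startswith("begin "))
    _, mode_str, name = header.split(" ", 2)
    out = bytearray()
    for line in lines[lines.index(header) + 1:]:
        line = line.rstrip("\r")
        if line == "end":
            break
        if not line or line == "`":   # blank or zero-length line: nothing to decode
            continue
        # First character encodes the byte count (length + 32); each following
        # group of four characters carries three bytes, six bits per character.
        out += binascii.a2b_uu(line)
    return UUFile(int(mode_str, 8), name, bytes(out))


if __name__ == "__main__":
    result = decode_uuencoded(UU_BLOCK)
    print(f"header wants {result.name} (mode {result.mode:o})")
    print(result.data.decode())
```

Note the header names /dev/stdout as the destination: the uudecode utility writes to whatever path the header names, and that path is chosen by whoever produced the file. When running it on samples you did not create, decode in a script like this one or use the utility's output-file option (for example uudecode -o) so the header cannot pick the destination.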
Conclusion
This challenge was by far one of my favorites. I liked the layers of encryption put in place to solve this challenge. I will definitely be doing more malware analysis in the future.