Using Speakeasy emulator on Flare-On challenge

The challenge

The challenge itself is exciting; the authors implemented an obfuscation technique based on Vectored Exception Handling. The binary has 5 encrypted function code blocks and one encrypted data block. The page allocated for each encrypted block has the PAGE_NOACCESS protection set, so whenever execution reaches one of those blocks, or the encrypted data is accessed, an exception is raised. The exception handler decrypts the instructions on the fly and resumes execution, after which the instructions are encrypted again. The same holds for the data block. It should be noted that the decryption / encryption does not happen once for the whole block but multiple times, for different sections of the block. Each section is described by a map structure, and one of the following algorithms protects it:

  • XOR
  • Incrementing XOR
  • RC4
  • A hybrid algorithm containing XOR loops and RC4

Speakeasy

Speakeasy (link here) is an emulation platform built on top of the Unicorn emulator, with numerous wrappers over Unicorn. Significant parts of Windows user mode and kernel mode have been implemented; kernel mode emulation is certainly something unusual. Threads, processes, and network and file operations are implemented as well. Many Windows DLL functions are implemented and described in Python files, so they can easily be extended.

The algorithm

In the following script we can see the decompiled code of the aforementioned code block. We will not go into many details, as the goal is merely to get an overview of what the decryption function takes as input:

  • esi — encryption keys
  • offset map
  • ebx — map, offset
  • ebx — map, length
  • edi — encrypted buffer
  • sbox parameter
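As an added example (not the post's script and not the challenge's own code): a pure-Python reference for the decryption routine those registers feed, handy for checking the bytes the emulated function writes back. The map layout (offset, length, algorithm id, key), the incrementing-XOR variant and the hybrid's layering are assumptions, and the sample block and map are constructed.

```python
from collections import namedtuple

XOR, INC_XOR, RC4, HYBRID = 0, 1, 2, 3   # map algorithm ids (constructed, not the binary's)
Section = namedtuple("Section", "offset length algo key")  # one map entry (ebx) plus its key (esi)

def rc4_ksa(key: bytes) -> list:
    """Key scheduling: builds the 256-byte SBox the decryption function keeps on its stack."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 PRGA over the SBox; symmetric, so one routine both encrypts and decrypts."""
    s, i, j, out = rc4_ksa(key), 0, 0, bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_crypt(key: bytes, data: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def inc_xor_crypt(key: bytes, data: bytes) -> bytes:
    """Assumed 'incrementing XOR': the key byte is bumped by one for every byte processed."""
    return bytes(b ^ ((key[0] + i) & 0xFF) for i, b in enumerate(data))

def transform(sec: Section, data: bytes, decrypt: bool) -> bytes:
    simple = {XOR: xor_crypt, INC_XOR: inc_xor_crypt, RC4: rc4_crypt}
    if sec.algo in simple:
        return simple[sec.algo](sec.key, data)
    if sec.algo == HYBRID:  # assumed layering: XOR first when encrypting, so it is undone last
        return (xor_crypt(sec.key, rc4_crypt(sec.key, data)) if decrypt
                else rc4_crypt(sec.key, xor_crypt(sec.key, data)))
    raise ValueError(f"unknown algorithm id {sec.algo}")

def process_block(block: bytes, sections: list, decrypt: bool = True) -> bytes:
    """Walk the map and transform each section in place, as the handler does on every fault."""
    buf = bytearray(block)
    for sec in sections:
        end = sec.offset + sec.length
        if sec.offset < 0 or sec.length < 0 or end > len(buf):
            raise ValueError(f"section {sec} exceeds the {len(buf)}-byte block")
        buf[sec.offset:end] = transform(sec, bytes(buf[sec.offset:end]), decrypt)
    return bytes(buf)

# Constructed sample block and map; nothing here comes from the challenge binary
SAMPLE_PLAIN = bytes(range(64))
SAMPLE_MAP = [Section(0, 16, XOR, b"\x5a"), Section(16, 16, INC_XOR, b"\x10"),
              Section(32, 16, RC4, b"Key"), Section(48, 16, HYBRID, b"Key")]
```

Feeding the block read back from the emulator's memory through `process_block` with the map recovered from the binary gives an independent answer to compare against what the hooked RC4 call produced.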

Speakeasy script

Having described all the necessary components, we can now build our script. First let's create a class inheriting from the Speakeasy class; it holds the necessary components, such as the logger and the code callbacks.

Custom Emulator class
Initialization
  • 0x401479 which is the call in the SBox initialization function (see screen below). As stated before the decryption function allocates a byte array in the stack in order to store the SBox.
  • 0x40148A which is the call to the RC4 function.
  • 0x4013b1, the return address of the function
code hook callback

Conclusion

The Speakeasy emulator is very versatile and can assist an analyst in analyzing complex functions when live analysis is cumbersome. In my opinion it can significantly reduce the effort of decrypting / decoding obfuscated strings or encrypted blocks.
