redreturn (Bronze II), 6 months ago
Practical Malware Analysis: .NET Encryption and Encoding
I have completed all of the questions except decrypting the configuration string. I have the correct AES key (question 7 is correct - first 5 chars of the AES key) Although it seems that the instru...
- 6 months ago
Hi KieranRowley,
I pointed out in a support ticket and will mention it here that there are a couple of errors in the lab instructions:
- In point 6 the instructions state: "Your key should be:MD5 hash of password + first 16 bytes of MD5 hash of password"
This is the opposite way round from the format support provided (which is correct when using the Python snippet provided in the briefing section).
- In addition, I believe it is not the first 16 bytes of the MD5 hash that should be used. The complete MD5 hash is 16 bytes in total, as each hex char is 4 bits, so as the MD5 hash is 32 chars: 32 x 4 = 128 bits, and with 8 bits in a byte, 128 / 8 = 16 bytes.
As you are using the first 30 chars of the MD5 hash, this would mean that 30 * 4 (bits) = 120 bits / 8 = 15 bytes.
This should be corrected to read:
"Your key should be:
The first 15 bytes of MD5 hash of password + the full MD5 hash of password + 00
i.e. XXXXX62a7591b26eda8b011394a0b8 + XXXXX62a7591b26eda8b011394a0b88b + 00
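The key layout worked out in the post above, as an added example (not the lab's or the thread's own code): take the lowercase hex MD5 of the password, and build the key as the first 30 hex chars (15 bytes) + the full 32 hex chars (16 bytes) + "00" (1 byte), which gives 64 hex chars, i.e. a 32-byte AES-256 key. The password, the configuration string and the PKCS#7 unpadding are constructed assumptions, as is the use of pycryptodome for the ECB step; the key derivation itself needs only the standard library.

```python
import base64
import hashlib


def md5_hex(password: str) -> str:
    """Lowercase hex MD5 digest of the password: 32 hex chars = 16 bytes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def derive_key(password: str) -> bytes:
    """Build the 32-byte AES key in the layout described in the thread.

    first 30 hex chars (15 bytes) + full 32 hex chars (16 bytes) + "00" (1 byte)
    = 64 hex chars = 32 bytes (AES-256).
    """
    digest = md5_hex(password)
    key_hex = digest[:30] + digest + "00"
    assert len(key_hex) == 64, "expected 64 hex chars (32 bytes)"
    return bytes.fromhex(key_hex)


def key_layout(password: str) -> dict:
    """Return the three pieces separately so each length can be checked."""
    digest = md5_hex(password)
    return {
        "first_30_hex": digest[:30],   # 15 bytes
        "full_md5_hex": digest,        # 16 bytes
        "trailer": "00",               # 1 byte
        "key_hex": digest[:30] + digest + "00",
    }


def aes_ecb_decrypt_b64(config_b64: str, key: bytes) -> bytes:
    """Base64-decode the configuration string, then AES-ECB decrypt it.

    ECB needs no IV, which matches the empty IV field in CyberChef. Uses
    pycryptodome (assumed installed) and assumes PKCS#7 padding; both are
    assumptions, not something the thread states.
    """
    from Crypto.Cipher import AES          # pycryptodome, assumed available
    from Crypto.Util.Padding import unpad

    ciphertext = base64.b64decode(config_b64)
    if len(ciphertext) % AES.block_size != 0:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    plaintext = AES.new(key, AES.MODE_ECB).decrypt(ciphertext)
    return unpad(plaintext, AES.block_size)


if __name__ == "__main__":
    # Constructed placeholder password; the real one comes from the sample.
    pw = "example-password"
    parts = key_layout(pw)
    key = derive_key(pw)
    print("MD5 hex  :", parts["full_md5_hex"], f"({len(parts['full_md5_hex']) // 2} bytes)")
    print("first 30 :", parts["first_30_hex"], f"({len(parts['first_30_hex']) // 2} bytes)")
    print("key hex  :", parts["key_hex"], f"({len(key)} bytes)")
```

The `key_hex` string is what goes in the CyberChef key field with the key format set to Hex; the base64-decoded blob is then the raw input to AES Decrypt in ECB mode with the IV left empty.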
MrReaper (Bronze II), 6 months ago
Hi redreturn!
I've been reading the tip to have the key with the pattern you mentioned; however, when I tried to decode the configuration string from base64 and then decrypt it with AES, I got the same issue you mentioned in CyberChef: "unable to decrypt input with these parameters".
I set the key field to the key (XXXXX62a7591b26eda8b011394a0b8 + XXXXX62a7591b26eda8b011394a0b88b + 00), but what should be set in the IV field? Or am I missing another step?
Mode is on ECB but can't find the solution to this.
Thanks and regards.
- redreturn (Bronze II), 6 months ago
IV is empty (not needed in ECB mode) and the other two fields should be RAW.