Forum Discussion

redreturn's avatar
redreturn
Icon for Bronze II rankBronze II
6 months ago
Solved

Practical Malware Analysis: .NET Encryption and Encoding

I have completed all of the questions except decrypting the configuration string. I have the correct AES key (question 7 is correct - first 5 chars of the AES key) Although it seems that the instru...
help & support
  • redreturn's avatar
    redreturn
    6 months ago

    Hi KieranRowley,

    I pointed out in a support ticket and will mention it here that there are a couple of errors in the lab instructions:

    1. In point 6 the instructions state: "Your key should be:MD5 hash of password + first 16 bytes of MD5 hash of password"

      This is the opposite way round from the format support provided (which is correct when using the python snippet provided in the briefing section.
    2. In addition, I believe it is not the first 16 bytes of the md5 hash that should be used. The complete md5 hash is in total 16 bytes as each char is 4 bits so as the md5 hash is 32 chars; 32 x 4 = 128 bits and 8 bits in a byte means 128 / 8 = 16 bytes.

      As you are using the first 30 chars of the md5 hash this would mean that 30 * 4 (bits) =  120 bits / 8 (bytes) = 15 bytes.

      This should be corrected to read: 

      "Your key should be:
      The first 15 bytes of MD5 hash of password + the full MD5 hash of password + 00

      i.e. XXXXX62a7591b26eda8b011394a0b8 + XXXXX62a7591b26eda8b011394a0b88b + 00
MrReaper's avatar
MrReaper
Icon for Bronze II rankBronze II
6 months ago

Hi redreturn

I've been reading the tip to have the key with the pattern you mentioned, however, when tried to decrypt the configuration string from base64 and then decrypt from AES, got the same issue as you mentioned in CyberChef that "unable to decrypt input with these parameters".

Set the key field with the key (XXXXX62a7591b26eda8b011394a0b8 + XXXXX62a7591b26eda8b011394a0b88b + 00), but in the field IV what should be set?. Or am I missing another step?.

Mode is on ECB but can't find the solution to this.

Thanks and regards.

  • redreturn's avatar
    redreturn
    Icon for Bronze II rankBronze II
    6 months ago

    IV is empty (not needed in ECM mode) and the other two fields should be RAW.

    • MrReaper's avatar
      MrReaper
      Icon for Bronze II rankBronze II
      6 months ago

      Nothing.

      The key is set in UTF-8 i guess. But tried as you mentioned the key, and no clue what is wrong.

      (XXXX are to obfuscate key).

      thanks.

      • redreturn's avatar
        redreturn
        Icon for Bronze II rankBronze II
        6 months ago

        Key is Hex iirc