Tear or Dare Malware

JetBlack · October 4, 2017, 4:00am

Maybe I’m just bad at disassembly… but I found some startling things in this challenge. And I did NOT write this code.

I attempted the challenge with the decompiler dotPeek, but I moved into Visual Studio to debug the process to see if I could circumvent some of the obfuscation. When I opened it, I found a VERY interesting piece of code shown in these screenshots and this pastebin:

[Album] imgur.com

That’s clearly a Windows 7 privilege escalation exploit along with malicious shellcode. I sincerely hope I somehow found my way into random malware on my computer, and not malware embedded in a reversing challenge…

delo · October 4, 2017, 4:44am

Very interesting.

JetBlack · October 4, 2017, 4:45am

The code is from this exploit: Microsoft Windows 7 SP1 (x86) - Local Privilege Escalation (MS16-014) - Windows_x86 local Exploit

ch4p · October 4, 2017, 4:50am

Can you send us back checksums of the file you have? In my decompiler I get the following:

// Decompiled with JetBrains decompiler
// Type: TearORDear.Program
// Assembly: TearORDear, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: FAD666A4-4959-43F0-9D38-7FD79F826579
// Assembly location: C:\TearORDear.exe
// Compiler-generated code is shown

using System;
using System.Windows.Forms;

namespace TearORDear
{
  internal static class Program
  {
    [STAThread]
    private static void Main()
    {
      Application.EnableVisualStyles();
      Application.SetCompatibleTextRenderingDefault(false);
      Application.Run((Form) new LoginForm());
    }
  }
}

JetBlack · October 4, 2017, 4:56am

I get the same thing, the code only showed up when debugging the process. I have a side-by-side picture as well with the JetBrains decompiler and VS: Imgur: The magic of the Internet

anyways,
SHA-256: D419ADCAEE5D77143E3537F558A6CDDD6BCD7AC9CD6C6783A02B8C67ACBFEA9F
SHA-1:
1A848729F8770A2137FEDB367C42962F43A1D266
MD5:
033F2A528BBB55D37A47FF3F8A3D5197

ch4p · October 4, 2017, 5:05am

As I see in your screenshot, right side shows on top Program.cs* (Star denoting file was changed).

Furthermore, check line:

Application.Run((Form/*

It seems to me like you accidentally pasted an exploit there while trying to debug the file

Even if there was malware on the file (that i cannot rule out) It would not be an exact exploitdb copy (including comments!!)

Hashes are correct.

JetBlack · October 4, 2017, 5:11am

I ran it again, and I did NOT add anything to the code, but it’s still there. I’m talking to Arrexel about it in Discord, but it’s just weird. And I know how this looks, but I swear, I didn’t add anything to the code.

ch4p · October 4, 2017, 5:15am

I know you didn’t do it in purpose, what I believe is that you added it by mistake. Did you try opening a new debug instance? Rename the exe to something else and open it again from debugger. Let me know how it goes.

JetBlack · October 4, 2017, 5:29am

I figured out the problem… It was a combination of user error (me) and Visual Studio having a stupid layout, sorry for the wasted time.

JetBlack · October 4, 2017, 5:31am

I apologize for any inconvenience I caused the moderators, it was my mistake.

ch4p · October 4, 2017, 7:31am

No worries.

Topic		Replies	Views
Tear or Dear, getting past false positives? Challenges hint , i , im-dumb	7	1935	April 2, 2019
TearOrDear.exe - Reverse Engineering Challenge Challenges challenge , reverse	2	898	March 19, 2019
Tear or Dear Challange Challenges reversing , tearordear , tearordearreversing	13	3780	April 3, 2019
TearOrDear - have I gone down the rabbit hole? Challenges reversing , tearordear , tearordearreversing	4	914	June 27, 2018
Official vmcrack Discussion Challenges	19	4912	December 29, 2023

Tear or Dare Malware

Related topics