{"id":3847,"date":"2016-09-26T18:57:41","date_gmt":"2016-09-26T18:57:41","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3847"},"modified":"2016-09-27T23:17:59","modified_gmt":"2016-09-27T23:17:59","slug":"old-flame-never-dies-a-k-a-decompiling-lua","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/09\/26\/old-flame-never-dies-a-k-a-decompiling-lua\/","title":{"rendered":"Old Flame Never Dies (a.k.a. decompiling LUA)"},"content":{"rendered":"<p>When the news about Flame exploded all over the media, I remember grabbing available samples and like many other researchers started poking around. Pretty quickly, I extracted a large number of very unique strings from various Flame samples and <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/05\/29\/quick-look-at\/\">posted them online<\/a>.<\/p>\n<p>Recently, I accidentally came across that old post and started wondering if anyone ever posted the decompiled Lua scripts for the malware. I googled around for some of the strings I posted on my blog back then and to my surprise &#8211; my blog was the only <a href=\"https:\/\/www.google.com\/search?q=BOOST_CONSUMER_PRIORITY_BOOST\">one showing up<\/a>!<\/p>\n<p>I guess there must be some conspiracy theory that will explain that&#8230;<\/p>\n<p>Back in 2012, I didn&#8217;t have all the samples, but I did run them through a quick analysis process which I will describe below. 
The procedure for obtaining the strings was extremely crude, but like many quick&amp;dirty solutions &#8211; it worked pretty well (and it was fast!).<\/p>\n<ul>\n<li>For each DLL, load it via rundll32\n<ul>\n<li>For each exported function, execute it\n<ul>\n<li>For every single execution, delay for some time<\/li>\n<li>Grab memory dumps for rundll32<\/li>\n<li>Kill rundll32<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Interestingly, I still have the memory dumps I used to extract the strings from, so&#8230; since I suddenly thought of these Lua scripts I re-used the memdumps to extract over 60 Lua bytecoded scripts (from both static files and memory dumps to be precise).<\/p>\n<p>And here comes the real purpose of the thread &#8211; document how to obtain decompiled Lua scripts from Flame:<\/p>\n<ul>\n<li>I wrote a quick carving tool in perl to extract Lua bytecode from both static files, and memory dumps\n<ul>\n<li>This was pretty easy, since the compiled Lua always starts with a header &#8220;\\x1BLua&#8221;<\/li>\n<li>For each extracted file, I wrote another quick&amp;dirty script to rename it to the name embedded inside the bytecoded Lua script<\/li>\n<li>That&#8217;s how we get the &#8216;original&#8217; name of the files f.ex. 
&#8216;MUNCH_ATTACKED_ACTION.lua&#8217; is embedded inside the bytecoded Lua script<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/MUNCH_ATTACKED_ACTION.lua_.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3848\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/MUNCH_ATTACKED_ACTION.lua_-300x41.png\" alt=\"munch_attacked_action-lua\" width=\"500\" height=\"69\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/MUNCH_ATTACKED_ACTION.lua_-300x41.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/MUNCH_ATTACKED_ACTION.lua_.png 623w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/a><\/p>\n<ul>\n<li>With all the files preprocessed, I ran them through a <a href=\"https:\/\/github.com\/viruscamp\/luadec\">Lua decompiler<\/a>\n<ul>\n<li>For many files, it worked like a charm; for some, it failed<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>If you remember Kaspersky&#8217;s Flame code from 2012:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/kaspersky0.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-3850\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/kaspersky0-300x203.png\" alt=\"kaspersky0\" width=\"300\" height=\"203\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/kaspersky0-300x203.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/kaspersky0.png 680w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>you can find the code inside the<em> flame_props.lua.dec<\/em> file (you need to remove decompiler&#8217;s comments):<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/kaspersky1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3849\" 
src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/kaspersky1-300x128.png\" alt=\"kaspersky1\" width=\"499\" height=\"213\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/kaspersky1-300x128.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/kaspersky1-768x328.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/kaspersky1.png 825w\" sizes=\"(max-width: 499px) 100vw, 499px\" \/><\/a><\/p>\n<p>The collection of all decompiled scripts can be found <a href=\"https:\/\/hexacorn.com\/examples\/2016-09-26_flamewar.zip\">here<\/a>.<\/p>\n<p>The password is: old_flame_never_dies<\/p>\n<p>List of all scripts:<\/p>\n<ul>\n<li>___kaspersky.dec<\/li>\n<li>attackop_base_prods.lua.dec<\/li>\n<li>attackop_base_sendfile.lua.dec<\/li>\n<li>ATTACKOP_FLAME.lua.dec<\/li>\n<li>ATTACKOP_FLAME_PRODS.lua.dec<\/li>\n<li>ATTACKOP_FLAME_STARTLEAK.lua.dec<\/li>\n<li>ATTACKOP_FLASK.lua.dec<\/li>\n<li>ATTACKOP_FLASK_PRODS.lua.dec<\/li>\n<li>ATTACKOP_JIMMY.lua.dec<\/li>\n<li>ATTACKOP_JIMMY_PRODS.lua.dec<\/li>\n<li>ATTACKOP_MOVEFILE.lua.dec<\/li>\n<li>ATTACKOP_RUNDLL.lua.dec<\/li>\n<li>basic_info_app.lua.dec<\/li>\n<li>casafety.lua.dec<\/li>\n<li>clan_entities.lua.dec<\/li>\n<li>clan_seclog.lua.dec<\/li>\n<li>CRUISE_CRED.lua.dec<\/li>\n<li>euphoria_app.lua.dec<\/li>\n<li>event_writer.lua.dec<\/li>\n<li>fio.lua.dec<\/li>\n<li>flame_props.lua.dec<\/li>\n<li>get_cmd_app.lua.dec<\/li>\n<li>IMMED_ATTACK_ACTION.lua.dec<\/li>\n<li>json.lua.dec<\/li>\n<li>leak_app.lua.dec<\/li>\n<li>libclanattack.lua.dec<\/li>\n<li>libclandb.lua.dec<\/li>\n<li>libcommon.lua.dec<\/li>\n<li>libdb.lua.dec<\/li>\n<li>libflamebackdoor.lua.dec<\/li>\n<li>liblog.lua.dec<\/li>\n<li>libmmio.lua.dec<\/li>\n<li>libmmstr.lua.dec<\/li>\n<li>libnetutils.lua.dec<\/li>\n<li>libplugins.lua.dec<\/li>\n<li>libwmi.lua.dec<\/li>\n<li>main_app.lua.dec<\/li>\n<li>MUNCH_ATTACKED_ACTION.lua.dec<\/li>\n<li>MUNCH_SHOULD_ATTACK.lua.dec<\/li>\n<li>NETVIEW_HAND
LER.lua.dec<\/li>\n<li>NETVIEW_SPOTTER.lua.dec<\/li>\n<li>payload_logger.lua.dec<\/li>\n<li>post_cmd_app.lua.dec<\/li>\n<li>REG_SAFETY.lua.dec<\/li>\n<li>RESCH_EXEC.lua.dec<\/li>\n<li>rts_common.lua.dec<\/li>\n<li>SECLOG_HANDLER.lua.dec<\/li>\n<li>SECLOG_SPOTTER.lua.dec<\/li>\n<li>SNACK_BROWSER_HANDLER.lua.dec<\/li>\n<li>SNACK_ENTITY_ACTION.lua.dec<\/li>\n<li>SNACK_NBNS_HANDLER.lua.dec<\/li>\n<li>STD.lua.dec<\/li>\n<li>storage_manager.lua.dec<\/li>\n<li>SUCCESS_FLAME.lua.dec<\/li>\n<li>SUCCESS_FLAME_STARTLEAK.lua.dec<\/li>\n<li>SUCCESS_GET_PRODS.lua.dec<\/li>\n<li>table_ext.lua.dec<\/li>\n<li>transport_nu_base.lua.dec<\/li>\n<li>TRANSPORT_NU_DUSER.lua.dec<\/li>\n<li>TRANSPORT_NUSYSTEM.lua.dec<\/li>\n<li>USERPASS_CRED.lua.dec<\/li>\n<li>WMI_EXEC.lua.dec<\/li>\n<li>WMI_SAFETY.lua.dec<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>When the news about Flame exploded all over the media, I remember grabbing available samples and like many other researchers started poking around. 
Pretty quickly, I extracted a large number of very unique strings from various Flame samples and posted &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/09\/26\/old-flame-never-dies-a-k-a-decompiling-lua\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,21,9,44],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3847"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3847"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3847\/revisions"}],"predecessor-version":[{"id":3856,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3847\/revisions\/3856"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3847"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3847"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3847"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}