Know Your Enemy

1. [Screenshot, no caption on this slide: a filemon capture at 12:41:33 AM showing NOTEPAD.EXE issuing IRP_MJ_CREATE, FASTIO_QUERY_BASI..., IRP_MJ_SET_INFORM..., IRP_MJ_QUERY_INFO..., IRP_MJ_CLEANUP and IRP_MJ_CLOSE requests against C:\WINNT\System32\WINSPOOL.DRV, and FSCTL_IS_VOLUME_M... requests against C:\Documents and Settings\Administrat..., all with result SUCCESS.]
2. [Cover: Security Warrior, O'Reilly, Cyrus Peikari & Anton Chuvakin]

CHAPTER 2. Windows Reverse Engineering

Software reverse engineering, also known as reverse code engineering (RCE), is the art of dissecting closed-source binary applications. Unlike open source software, which theoretically can be more easily peer-reviewed for security, closed-source software presents the user with a "black box." Historically, RCE has been performed on Windows platforms, but there is now a growing need for expert Linux reversers as well, as we will explain in Chapter 3.

RCE allows you to see inside the black box. By disassembling a binary application, you can observe the program execution at its lowest levels. Once the application is broken down to machine language, a skilled practitioner can trace the operation of any binary application, no matter how well the software writer tries to protect it.

As a security expert, why would you want to learn RCE? The most common reason is to reverse malware such as viruses or Trojans. The antivirus industry depends on the ability to dissect binaries in order to diagnose, disinfect, and prevent them. In addition, the proliferation of unethical commercial spyware and software antipiracy protections that "phone home" raises serious privacy concerns.

In this chapter, we work on desktop Windows operating systems. Since Windows is a
3. [Figure 2-1 screenshot: UltraEdit hex dump of a target binary; the ASCII column shows Delphi form and resource names such as MAINICON, TMAINFORM, TFLEVEL, TFPRINTSTATUS, TFEMAIL, TFCOMPILEOPT, CDROM, CLOSEDFOLDER, CURRENTFOLDER, EXECUTABLE, FLOPPY, HARD, KNOWNFILE, NETWORK and OPENFOLDER. Status bar: File Size 10939978.]

Figure 2-1. For opcode patching, we recommend UltraEdit, an advanced Windows hex editor

IDA treats an executable file as a structured object that has been created from a database representing the source code. In other words, it attempts to re-create viable source code (as opposed to W32DASM, which only displays the code it thinks is important). One of the most powerful features of IDA is the use of FLIRT sig
4. This is a simple program with a twist. The program's only function is to keep you from closing it. For example, when you run the program you will see an Exit button. However, pressing the Exit button does not work (on purpose). Instead, it presents you with a nag screen that says, "Your job is to make me work as an exit button" (Figure 2-12).

[Figure 2-12 screenshot: the Muad'Dib's Reverseme 1 window ("It's simple. Your only job is to make the exit button work.") and the GOAL message box ("Your job is to make me work as an exit button", with an OK button).]

Figure 2-12. Solving Muad'Dib's crackme

Thus, the crackme emulates shareware or software that has features removed or restricted to the user (i.e., crippleware). Your job is to enable the program in order to make it fully functional. Fortunately, the program itself gives you a great clue. By searching the disassembled program for the following string:

    Your job is to make me work as an exit button

you will probably be able to trace back to find the jump in the program that leads to functionality (i.e., a working Exit button).

Once you have installed IDA Pro, open your target (in our case, Muad'Dib's Crackme 1) and wait for it to disassemble. You will be looking at the bare, naked ASM. Go straight for the protection by searching the convenient list of strings that IDA Pro has extracted (Figure 2-13).

[Figure 2-13 screenshot (start): IDA Strings window with its Actions and Search menus; cut off.]
5. Sklyarov was subsequently released on $50,000 bail and was restricted to California. In December 2001, he was permitted to return home to Russia with his family, under the condition that he remain on call to return to the U.S. and testify against his employer, Elcomsoft. After a painful legal battle, both Sklyarov and Elcomsoft were completely exonerated.

There still may be some breathing space left in the law, as the DMCA has a limited provision allowing security experts to circumvent protection schemes in order to test security. However, the interpretation of this clause remains nebulous.

History of RCE

Modern RCE started with programmers who circumvented copy protection on classic computer games, such as those written for the Apple II in the early 1980s. Although this trend quickly became a way to distribute pirated computer software, a core of experts remained who developed the RCE field purely for academic reasons.

One of the legendary figures of those heady days was the Old Red Cracker (+ORC). Not only was +ORC a genius software reverser, he was a prolific author and teacher of the subject. His classic texts are still considered mandatory reading for RCE students. In order to further RCE research, +ORC founded the High Cracking University, or +HCU. The "+" sign next to a nickname or handle designated members of the +HCU. The +HCU students included the most elite Wind
6. boxes are checked. Also, make sure Rename DLL entries and Manual load are unchecked.

Make sure that you chose the correct system DLL directory when configuring IDA Pro.

When you are ready, press OK and watch IDA work its magic. In order to view strings in IDA, select View → Open Subviews → Strings (Figure 2-3). You will also see the other subview options. The keyboard shortcut for strings is Shift-F12. Take some time to explore this sample disassembly and to get used to moving around in IDA.

[Figure 2-3 screenshot (start): IDA with Airscanner.exe loaded and the View → Open subviews menu open, listing Disassembly, Functions (Shift-F3), Names (Shift-F4), Segments (Shift-F7), Segment registers (Shift-F8), Selectors, Cross references, Structures (Shift-F9), Enumerations (Shift-F10) and Problems, alongside the View menu's Graphs, Notepad, Hide, Unhide, Hide all and Setup hidden items (Ctrl-F2) entries; continued on a later slide.]
7. Example 2-2. IDA options for disassembly (continued)

                                            // more intelligently.
                                            // Sequence
                                            //      jmp short label
                                            //      db 90h
                                            // will be converted to
                                            //      jmp short label
                                            //      nop

Now it's time to fire up IDA. Run the program and open the target binary that you happen to be using. Figure 2-2 shows IDA's startup window.

[Figure 2-2 screenshot: IDA's "Load a new file" dialog for C:\Documents and Settings\Administrator\Desktop\Airscanner.exe, offering Portable executable for IBM PC, MS-DOS executable (EXE) and Binary file; Processor type "Intel 80x86 processors: metapc"; Analysis (Enabled, Indicator enabled); Loading segment and Loading offset fields; Options (Create segments, Load resources, Rename DLL entries, Manual load, Fill segment gaps, Make imports segment, Don't align segments); System DLL directory C:\WINNT\system32; Kernel options, Kernel options 2 and Processor options buttons.]

Figure 2-2. IDA startup window

On most Windows files, you will use the Portable Executable (PE) format (discussed later in this chapter), so select this option. Select your processor type, if you have not already configured the default in your config file. Make sure both Analysis options are checked. Under Options, make sure the Load resources and Make imports segment
8. [Figure 2-10 screenshot: InCtrl5 "Install program details" dialog: Install program C:\Documents and Settings\Administrator\Desktop\... (32-bit Windows Executable), Parameters, Description "Setup Factory setup launcher", Reports (Report filename under C:\Program Files\InCtrl5\..., .HTM), Default paths, Preview old reports, What to track: Registry ...]

Figure 2-10. InControl 5 install manager

One way that install managers work is by comparing a snapshot of your drive, files, startup files, and registry keys before and after installation (Figure 2-11).

[Figure 2-11 screenshot: InCtrl5 (Install Control for Windows) showing Pre-install and Install phases (Registry, Files and folders, INI files, Text files), the prompt "Click the Install complete button when the install is completely finished", the Install complete button, the Post-install analysis, and a registry comparison under HKEY_CLASSES_ROOT.]

Figure 2-11. InControl 5 is comparing registry keys to find what was installed

As you can see, install managers are valuable for detecting hidden system changes during installation. In particular, they are useful to track spyware and Trojan changes to your system, so that you can develop disinfection steps by hand. Simply start th
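The before/after comparison that install managers perform, as an added example (this is not the book's code and not InControl's; it is written here to illustrate the passage above). It snapshots a directory tree as path-to-SHA-256 hashes, then reports what an "install" added, removed or modified. The demo scenario (an added DLL, a rewritten .ini, a dropped startup shortcut, a deleted temp file) is constructed inside a temporary directory; registry keys are not simulated, only files.

```python
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Record every file under root as relative path -> SHA-256 of its contents."""
    state = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            # normalise separators so the report looks the same on every platform
            state[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Post-install analysis: which paths appeared, vanished, or changed content."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def write(root: str, rel: str, content: bytes) -> None:
    """Helper for the constructed scenario: create rel (and its parents) under root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(content)


def demo() -> dict:
    """Constructed scenario (sample data, not a real installer): take the
    pre-install snapshot, let a fake installer change the tree, compare."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "app/app.exe", b"MZ...")
        write(root, "app/app.ini", b"[settings]\nupdates=off\n")
        write(root, "tmp/setup.tmp", b"scratch")
        before = snapshot(root)

        # the "installation"
        write(root, "app/helper.dll", b"MZ...")                 # new binary
        write(root, "app/app.ini", b"[settings]\nupdates=on\n")  # config rewritten
        write(root, "Startup/launch.lnk", b"lnk")              # startup entry dropped
        os.remove(os.path.join(root, "tmp/setup.tmp"))         # temp file cleaned up

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashing rather than comparing timestamps is what catches an installer that overwrites a file in place with the same size and date; the "modified" list is where trojanized system files show up.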
9. [Figure 2-7 screenshot (end): regmon entries for idag.exe (PID 1448) querying HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility2\idag.exe, HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility (and ...\IME Compatibility\idag), HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility\idag.exe, HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows and ...\Windows\AppInit_DLLs, followed by WINLOGON.EXE (PID 196) performing an OpenKey on HKCU.]

Figure 2-7. Using regmon to trace hidden registry calls

Unpackers

Many commercial software programs are compressed with commercial packers (e.g., ASPack from http://www.aspack.com) in order to save space or to frustrate disassemblers. Unfortunately, you will not be able to disassemble a binary if it is packed. Fortunately, there are tools to unpack a packed binary. This section reviews the tools and methods used for unpacking a compressed application so that you may proceed to reverse engineer it.

The science of unpacking compressed binaries is very complex and comprises an entire subspecialty of RCE.

The PE file format

The native file format of Windows is the Portable Executable (PE). "Portable" means that all Windows p
10. closed-source and often hostile platform, by Darwinian pressure Windows RCE has now matured to the pinnacle of its technology. In subsequent chapters, we touch upon the emerging science of RCE on other platforms, including Linux and Windows CE, in which RCE is still in its infancy.

The legality of RCE is still in question in many areas. Most commercial software ships with a "click-through" end-user license agreement (EULA). According to the software manufacturers, clicking "AGREE" when you install software contractually binds you to accept their licensing terms. Most EULAs include a clause that prevents the end user from reverse engineering the application, in order to protect the intellectual property of the manufacturer. In fact, the Digital Millennium Copyright Act (DMCA) now provides harsh criminal penalties for some instances of reverse engineering.

For example, those of us who spoke at the Defcon 9 computer security conference in Las Vegas in July 2001 were shocked and distressed to hear that one of our fellow speakers had been arrested simply for presenting his academic research. Following his speech on e-book security, Dmitry Sklyarov, a 27-year-old Russian citizen and Ph.D. student, was arrested on the premises of the Alexis Park Hotel. This FBI arrest was instigated by a complaint from Adobe Systems, maker of the e-book software in question. In a move that seemed to give new legal precedent to the word when
11. [Figure 2-9 screenshot (end): the ProcDump task list (entries such as C:\Program Files\Jasc Software Inc\Paint Shop Pro 7\psp.exe and C:\Documents and Settings\Administrator\Desktop\notepad.exe, loaded at 00400000), the Unpack, Rebuild PE, PE Editor, Bhrama Server, Options, About and Exit buttons, and the module list for the selected process (ntdll.dll, comdlg32.dll, shlwapi.dll, gdi32.dll, kernel32.dll, user32.dll, advapi32.dll from C:\WINNT\system32, each with its address and size).]

Figure 2-9. Using ProcDump to unpack a compressed program

After starting ProcDump, you'll see a split-screen GUI. The top contains a list of processes running under Windows; the bottom of the GUI lists all modules attached to a certain process. On the right side of this screen, you'll see the following six buttons:

Unpack
    Unpacks an executable or a dump file.

Rebuild PE
    Rebuilds the PE header of an executable or dump file.

PE Editor
    Allows you to edit a PE header.

Bhrama Server
    Starts the Bhrama Server, which allows you to write your own custom plug-ins for ProcDump.

About
    Provides application info.

Exit
    Ends ProcDump.

To unpack an applica
12. [Figure 2-14 screenshot: IDA's data segment showing aGoal db 'GOAL',0 (with its DATA XREF), an hInstance dd ? entry (DATA XREF from start), and the message log ("You may start to explore the input file right now", "Propagating type information...", "Function argument information is propagated", "The initial autoanalysis is finished").]

Figure 2-14. Using strings to find target code in the disassembly

    :0040102C 817D0C11010000      cmp dword ptr [ebp+0C], 00000111
    :00401033 751F                jne 00401054
    :00401035 8B4510              mov eax, dword ptr [ebp+10]
    :00401038 6683F864            cmp ax, 0064
    :0040103C 752A                jne 00401068
    :0040103E 6A00                push 00000000

    * Possible StringData Ref from Data Obj ->"GOAL"

    :00401040 682F304000          push 0040302F     ; This references the text in the MessageBox

    * Possible StringData Ref from Data Obj ->"Your job is to make me work as an exit button"

    :00401045 6800304000          push 00403000
    :0040104A FF7508              push [ebp+08]     ; These lines push the Caption and Handle of the MessageBox

    * Reference To: USER32.MessageBoxA, Ord:01BBh

    :0040104D E832000000          Call 00401080
    :00401053 EB2A                jmp 00401068

This is the call to the annoying message box that we want to bypass. We need to patch this address to jump to the ExitProcess API. This is the heart of the pr
13. CE.DAT to uncomment the particular features that you need. For example, if you are editing WINICE.DAT to include 32-bit calls (recommended), uncomment the following lines:

    gdi32.dll
    kernel32.dll
    user32.dll

SoftICE is a complex application. In fact, it comes with a large, two-volume user's manual just to help get you started with the basics of its use. However, the most difficult part of using SoftICE is remembering the command shortcuts. If you are performing RCE with SoftICE, you will need a reference list that you can keep handy while you are cracking. Even the official user's manual for SoftICE doesn't list these critical breakpoints. For this reason, we have included a basic list of useful SoftICE commands and breakpoints in the Appendix. We also recommend that you read through the SoftICE user's manual at least once before working the examples at the end of this chapter.

System Monitors

The wizards at SysInternals (http://www.sysinternals.com) have developed two powerful real-time system monitors: regmon and filemon. The programs are freely available for personal use, with source code, from their web site. With these two programs, you can see which hidden registry and file calls your target binary is making. The programs are easy to master.

To use filemon, first install and run the program. You'll soon see a flood of data scrolling down the filemon window, which will rapidl
14. [Figure 2-4 screenshot: an unfiltered filemon capture at 11:15:12 PM, mixing System IRP_MJ_WRITE requests to C:\pagefile.sys with NOTEPAD.EXE IRP_MJ_QUERY_INFO..., IRP_MJ_CREATE (some returning FILE NOT FOUND), IRP_MJ_READ and FSCTL_IS_VOLUME_M... requests under C:\Documents and Settings\Administrat..., and IRP_MJ_CREATE, FASTIO_QUERY_BASI..., IRP_MJ_CLEANUP and IRP_MJ_CLOSE requests on C:\WINNT\System32\WINSPOOL.DRV.]

Figure 2-4. filemon gathers all system file accesses by default

Immediately after starting the target application, enter Ctrl-E to pause the data capture. Then scro
15. Example 2-1. Processor-specific parameters in IDA Pro (continued)

    exe     metapc      ; extensions if no extension is given
    dll     metapc
    drv     metapc
    sys     metapc
    bin     metapc
    ovl     metapc
    ovr     metapc
    ov      metapc
    nlm     metapc
    lan     metapc
    dsk     metapc
    obj     metapc
    prc     68000       ; PalmPilot programs
    axf     arm710a
    h68     68000       ; MC68000 for H68 files
    i51     8051        ; 8051 for i51 files
    sav     pdp11       ; PDP-11 for SAV files
    rom     z80         ; Z80 for ROM files
    cla     java
    s19     6811
    o       metapc

IDA allows you to tune several options for disassembly. For example, you can determine whether you want to automatically analyze 90h NOPs. The configuration for this is shown in Example 2-2.

Example 2-2. IDA options for disassembly

    #ifdef __PC__                           // INTEL 80x86 PROCESSORS
    USE_FPP         = YES                   // Floating Point Processor
                                            // instructions are enabled
    // IBM PC specific analyzer options
    PC_ANALYSE_PUSH = YES                   // Convert immediate operand of "push" to offset
                                            // In sequence
                                            //      push seg
                                            //      push num
                                            // IDA will try to convert <num> to offset.
    PC_ANALYSE_NOP  = NO                    // Convert db 90h after "jmp" to "nop"
                                            // Now it is better to turn off this option
                                            // because the final pass of the analysis
                                            // will convert 90h to nops
16. [Figure 2-15 screenshot (end): UltraEdit hex dump of the crackme around file offsets 0x5D0-0x6F0; the ASCII column shows the import names ExitProcess, GetModuleHandleA, KERNEL32.dll, DialogBoxParamA, EndDialog, MessageBoxA and USER32.dll. The caption is cut off on this slide after "Figure 2-15. dump of o".]
17. e uninstall manager, browse to the program you want to install, and then use the uninstall manager to launch the installer.

Reverse Engineering Examples

Before beginning your practical journey, there is one final issue to note. Similar to software debugging, reverse engineering by definition goes in reverse. In other words, you must be able to think backward. Zen meditation skills will serve you better than many years of formal programming education. If you are good at solving verbal brain-teaser riddles on long trips with friends, you will probably be good at RCE. In fact, master reversers like Fravia recommend cracking while intoxicated with a mixture of strong alcoholic beverages. While for health reasons we cannot recommend this method, you may find that a relaxing cup of hot tea unwinds your mind and allows you to think in reverse. The following segments walk you through live examples of Windows reverse engineering.

Since it is illegal to defeat protections on copyrighted works, reverse engineers now program their own protection schemes for teaching purposes. Thus, "crackmes" are small programs that contain the heart of the protection scheme and little else.

Example 1: A Sample Crackme

Example 1 is Muad'Dib's Crackme 1.

The sample binaries (crackmes) used in this chapter may be downloaded from our web site at http://www.securitywarrior.com.
18. es. Following the PE header is an array of structures known as the section table. A structure holds section-specific data such as attribute, file offset, and virtual offset.

During program execution, the PE header maps each section into memory based on the information stored in the sections. It also assigns attributes to each section in memory based on information in the section table. After mapping the PE file into memory, the PE loader imports data from an array known as the import table.

ProcDump

For educational purposes, at some point you may want to learn how to manually unpack an unknown binary. However, the RCE scene has developed useful tools to help you save time by addressing many commercial packers (make sure to get permission from all relevant software manufacturers before reverse engineering their code). In addition, there are tools to help unpack even unknown compression schemes. ProcDump, written by G-RoM, Lorian, and Stone, is a powerful tool to help with unpacking. Figure 2-9 shows the startup screen, which lists open tasks and modules. Simply press Unpack to start the unpacking wizard.

[Figure 2-9 screenshot (start): ProcDump32 (1998-2000, G-RoM, Lorian & Stone) task list showing C:\WINNT\system32\mdm.exe, C:\Program Files\Internet Explorer\iexplore.exe and C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe, each loaded at 00400000, with the Rebuild PE button at the right; continued on a later slide.]
19. [Figure 2-18 screenshot: the SubSeven disclaimer text ("...ess or implied warranty. In no event will the author be held liable for any damages arising from the use of it... if you do anything illegal with SubSeven you're the only one responsible for it. If you don't agree to any of the above, then exit SubSeven now. Left-click anywhere to continue, right-click to exit.").]

Figure 2-18. The SubSeven disclaimer is filled with irony, as we will soon uncover

[Figure 2-19 screenshot: the SubSeven client window ("read latest SubSeven news", "sub version 2.1 GOLD", "ready").]

Figure 2-19. Use the SubSeven client to connect to localhost

The server uses the WSOCK32 recv function to retrieve data sent from a socket:

    int recv(
        SOCKET s,
        char FAR *buf,
        int len,
        int flags
    );

The second parameter, char FAR *buf, is the important one, as the data will be stored within it. Before you continue to enter the password, hit Ctrl-D to break into SoftICE. Now set a breakpoint on the recv function as follows:

    bpx recv do "d esp->8"

Enter Ctrl-D again, then click OK to send the password to the client. SoftICE will break on the bpx. Press F11 and you will see your dummy password in SoftICE's data window, along with its current address in memory. Now set a bpr on the password's address (e.g., bpr 405000 405010 RW). Run the program again, and this time SoftICE will break at location 004040dd. You will see the
20. [Figure 2-6 screenshot (end): NOTEPAD.EXE issuing IRP_MJ_CREATE on C:\Documents and Settings\... at 12:41:33 AM, result FILE NOT FOUND.]

Figure 2-6. Filtered capture of NOTEPAD.exe system file calls

For regmon, the process is nearly identical (Figure 2-7). By using regmon, you focus on a suspected Trojan, for example, to see the hidden registry calls that it utilizes.

[Figure 2-7 screenshot (start): regmon window (File, Edit, Options, Help) listing MSOFFICE.EXE (PID 1460) touching HKCR\AllFilesystemObjects and HKCR\lnkfile, and idag.exe (PID 1448) querying HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\idag.exe, HKLM\System\CurrentControlSet\Control\Terminal Server (and ...\Terminal Server\TSAppCompat), HKLM\System\CurrentControlSet\Control\Error Message Instrument, HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32 (and ...\Compatibility32\idag) and ...\Compatibility2 (and ...\Compatibility2\idag0); continued on a later slide.]
22. following code:

    0167:004040dd 8b0e        mov  ecx,[esi]       ; our password
    0167:004040df 8b1f        mov  ebx,[edi]
    0167:004040e1 39d9        cmp  ecx,ebx
    0167:004040e3 754f        jnz  00404134
    0167:004040e5 4a          dec  edx
    0167:004040e6 7415        jz   004040fd
    0167:004040e8 8b4e04      mov  ecx,[esi+04]    ; move 1st 4 chars into ecx
    0167:004040eb 8b5f04      mov  ebx,[edi+04]    ; move another 4 chars into ebx
    0167:004040ee 39d9        cmp  ecx,ebx         ; compare the two values

The program breaks at line 4040dd after we set a bpr on our dummy password. Thus, the password must be located inside the buffer to which esi points. The first four characters are moved into ecx, and another four characters are moved into ebx. They will then be compared. We have now found the cmp that compares our dummy password with the real one, right? Wrong! We have stumbled on to the fact that the author of SubSeven has put a backdoor in his backdoor. Type d edi to see the data contents of the edi register in SoftICE, and you will see the following:

    016F:012A3DD4 31 34 34 33 38 31 33 36 37 38 32 37 31 35 31 30  1443813678271510
    016F:012A3DE4 31 39 38 30 00 69 6F 00 28 00 00 00 22 00 00 00  1980.io.(..."...
    016F:012A3DF4 01 00 00 00 13 00 00 00 53 75 62 73 65 76 65 6E  ........Subseven
    016F:012A3E04 5F 5F 5F 3C 20 70 69 63 6B 20 00 10 3E 2A 01     ___< pick ..>*.
    016F:012A3E14 10 2A 01 38 00 00 00 53 75 62 73 65 76 65 6E     .*.8...Subseven

This number, 14438136782715101980, is not the password we set. We now disable all of
23. [Figure 2-3 screenshot (end): the Strings entry (Shift-F12) of the Open subviews menu, over a listing with mov cl, xor edx,edx, test cl,cl, lea eax,[ebp+Filename] and jz short loc_40144B.]

Figure 2-3. Viewing strings in IDA

Debuggers

Fravia calls SoftICE (http://www.numega.com) the "Alpha and the Omega" of debuggers. However, what many modern reverse engineers are too young to remember (unless your hair is as grey as that of the authors) is that the forefather of SoftICE itself, known as ICE-86, was actually a hardware-based in-circuit emulator from Intel, designed to debug their seminal 8086 processor. A full description of this hardware can be found in the classic 8086 Family User's Manual, published by Intel in 1979.

SoftICE allows you to single-step through program code and to edit memory, registers, variables, and flags on the fly as the program executes. The following function keys let you step through code and edit memory in SoftICE:

    F8      Single-step
    F10     Program step
    F11     Return to a routine from a call
    F12     Forward to next Return
    D       Display memory contents
    S       Search memory for a string
    WW      Watch a register

Once you have SoftICE installed, your system will boot WINICE.EXE along with Windows. SoftICE is integrated with the Windows operating system itself at Ring 0, which is what makes it so powerful. SoftICE is configured by editing the WINICE.DAT file. Remove the semicolons in WINI
24. latforms and processors recognize the program. In order to understand the process of unpacking a compressed application, it is first necessary to understand the structure of the Win32 PE file format (Figure 2-8). This format has remained relatively constant over the years, even with newer 64-bit Windows platforms.

[Figure 2-8: a column of blocks, top to bottom: DOS MZ header; DOS stub; PE header; Section table; Section 1; Section 2; ...]

Figure 2-8. A simplified representation of the PE file format

The programmer's assembler or compiler creates the PE sections automatically. The purpose of the DOS MZ header is so that, if you happen to run DOS (Disk Operating System), DOS can recognize the program. In contrast, the DOS stub is simply a built-in executable provided to display an error message (e.g., "This program cannot be run in MS-DOS mode") in case the operating system does not recognize DOS.

We are most interested in the third section, the PE header, a structure that contains several fields used by the PE loader. When you execute the program on an operating system that can process the PE file format, the PE loader uses the DOS MZ header to find the starting offset of the PE header, thus skipping the DOS stub.

The data in a PE file is grouped into blocks called sections. These sections are organized based on common attributes, rather than on a logical basis. Thus, a section can contain both code and data, as long as they have the same attribut
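The walk the PE loader performs (MZ header, e_lfanew, PE signature, file header, optional header, section table), as an added example written for this page; it is not the book's code and not part of IDA, ProcDump or any other tool the chapter mentions. The sample image is constructed in code (a minimal PE32 skeleton, not a real program) and includes a deliberately packer-like third section, "pack0", with no bytes on disk but a large in-memory size and write+execute flags; the packer heuristics in packer_hints are common indicators, assumed here, not proof of packing. rva_to_file_offset performs the address translation you need before patching an address taken from a disassembler listing in a hex editor.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (sample input, not a real executable)."""
    e_lfanew = 0x80
    # IMAGE_DOS_HEADER: "MZ" magic, e_lfanew stored at offset 0x3C
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos_stub = b"This program cannot be run in MS-DOS mode.\r\n$"
    dos_part = (dos_header + dos_stub).ljust(e_lfanew, b"\x00")
    opt_size = 224  # size of a PE32 optional header
    # IMAGE_FILE_HEADER: Machine (i386), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x010B).ljust(opt_size, b"\x00")  # Magic = PE32, rest zeroed

    def section(name, vsize, vaddr, rawsize, rawptr, chars):
        # IMAGE_SECTION_HEADER (40 bytes)
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)

    sections = (
        section(b".text", 0x1000, 0x1000, 0x200, 0x400, 0x60000020)   # code: read + execute
        + section(b".data", 0x1000, 0x2000, 0x200, 0x600, 0xC0000040)  # data: read + write
        # constructed packer-like section: empty on disk, large in memory, RWX
        + section(b"pack0", 0x8000, 0x3000, 0x0, 0x800, 0xE0000020)
    )
    return (dos_part + b"PE\0\0" + coff + optional + sections).ljust(0x800, b"\x00")


def parse_pe(data: bytes) -> dict:
    """Follow the headers the way the loader does and return the section table."""
    if data[:2] != b"MZ":
        raise ValueError("no DOS MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # skip the DOS stub
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]   # first field of the optional header
    table = e_lfanew + 24 + opt_size                           # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_pointer": rawptr, "characteristics": chars,
        })
    return {"machine": machine, "magic": magic, "characteristics": characteristics,
            "sections": sections}


def rva_to_file_offset(pe: dict, rva: int):
    """Map an address relative to the image base to the file offset holding those
    bytes; None if no section covers it or the bytes exist only in memory."""
    for s in pe["sections"]:
        start = s["virtual_address"]
        if start <= rva < start + max(s["virtual_size"], s["raw_size"]):
            delta = rva - start
            if delta >= s["raw_size"]:
                return None
            return s["raw_pointer"] + delta
    return None


def packer_hints(pe: dict) -> list:
    """Heuristic (assumed, not proof) signs of a packed binary in the section table."""
    hints = []
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    for s in pe["sections"]:
        if s["characteristics"] & rwx == rwx:
            hints.append(f"{s['name']}: section is writable and executable")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']}: no bytes on disk but {s['virtual_size']:#x} bytes in memory")
    return hints


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for s in pe["sections"]:
        print(f"{s['name']:8} RVA {s['virtual_address']:#07x} raw {s['raw_pointer']:#06x}")
    print("RVA 0x104D is at file offset", hex(rva_to_file_offset(pe, 0x104D)))
    print("packer hints:", packer_hints(pe))
```

The same parser runs unchanged on a real .exe read from disk; on a packed binary the section table is usually where the first anomaly shows, which is why unpacking tools start by rebuilding the PE header.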
25. ll up until you find the .exe name and hit Ctrl-L to enter it into the filter window (Figure 2-5).

[Figure 2-5 screenshot: the Filemon Filter dialog ("Enter multiple filter match strings separated by the ';' character. '*' is a wildcard."), with Include set to notepad.exe, empty Exclude and Highlight fields, Log Reads and Log Writes checked, and Apply, Reset and Cancel buttons.]

Figure 2-5. Using the filemon filter

Next, hit Ctrl-X to clear the display and then Ctrl-E to toggle capture on again. You will see that you have a pure capture that is focused on file access by one executable only (in this case, NOTEPAD.exe), as shown in Figure 2-6.

[Figure 2-6 screenshot (start): File Monitor (Sysinternals, www.sysinternals.com) with Time, Process, Request, Path and Result columns, showing NOTEPAD.EXE at 12:41:33 AM issuing IRP_MJ_CREATE on C:\Documents and Settings\Administrat... (FILE NOT FOUND), FSCTL_IS_VOLUME_M... on the same path (SUCCESS), and IRP_MJ_CREATE, FASTIO_QUERY_BASI..., IRP_MJ_CLEANUP and IRP_MJ_CLOSE on C:\WINNT\System32\WINSPOOL.DRV (SUCCESS); continued on a later slide.]
26. natures. FLIRT stands for Fast Library Identification and Recognition Technology. This means that IDA uses a proprietary algorithm to attempt to recognize compiler-specific library functions.

Mastering IDA takes considerable time and effort. The company admits in the user's manual that IDA is difficult to understand. However, once you have mastered IDA, you'll probably prefer it to the combination of W32DASM and SoftICE (discussed next). This section walks you through a few basic IDA configuration and manipulation steps.

A configuration file controls IDA's preferences. Search your Program Files directory for the IDA folder and use a text editor to open ida.cfg, the configuration file. The configuration file is read two times. The first pass is performed as soon as IDA is loaded, while the second pass is performed when IDA determines the processor type. All processor-specific tuning is located in the second part of the config file.

IDA allows you to choose the default processor at program startup. As you can see in Example 2-1, the developers have created support for an extensive range of processor types. Here you can view the processors that IDA supports. For example, if you mostly crack PocketPC (Windows CE) applications, you will probably be using the ARM processor. Otherwise, the default setting is metapc (x86).

Example 2-1. Processor-specific parameters in IDA Pro

    ; Extension  Processor
    com          8086       ; IDA will try the specifie
27. obtaining the warrant, the FBI agent adduced written proof that Defcon was advertised as a "hacker" conference and asserted that the speakers must therefore be criminals. However, the arresting FBI agent neglected to note in this warrant request that other high-ranking law enforcement officers, members of the military, and even fellow FBI agents have been featured speakers at this same hacker conference and its harbinger, Black Hat. In fact, Richard Clarke, Special Advisor to President Bush for Cyberspace Security, spoke at Defcon the following year.

Sklyarov helped create the Advanced eBook Processor (AEBPR) software for his Russian employer, Elcomsoft. According to Elcomsoft, their software permits e-book owners to translate Adobe's secure e-book format into the more common Portable Document Format (PDF). Since the software only works on legitimately purchased e-books, it does not inherently promote copyright violations. It is useful for making legitimate backups in order to protect valuable data.

Sklyarov was charged with distributing a product designed to circumvent copyright protection measures, which was now illegal under the DMCA (described later in this section). Widespread outcry by academics and civil libertarians followed, and protests gained momentum outside of Adobe offices in major cities around the world. Adobe, sensing its grave error, immediately backpedaled, but it was too little, too late. The damage had been done.
28. otection. Looking back at line 401024, we see it calls the exit process (0040106C) as follows:

    * Referenced by a CALL at Address:
    |:00401024                               ; This made the call to 0040106C
    * Reference To: KERNEL32.ExitProcess, Ord:0075h
                                             ; This is the ExitProcess API call that we need
    :0040106C FF2504204000    jmp dword ptr [00402004]

Thus, we will patch with this jump instead. We replace the bytes at offsets 40104D and 401053 with those at offset 40106C, and when we click on the Exit button the program will exit and the nagging message box will not appear. The best way to patch it is to replace these lines:

    :0040104D E832000000      call 00401080
    :00401053 EB2A            jmp 00401068

with the following:

    :0040104D FF2504204000    jmp dword ptr [00402004]
    :00401053 90              nop

Thus, 0040104D now jumps to the ExitProcess address. The program exits appropriately when we click on either the X or the Exit button. 00401053 is extraneous, so we can just NOP it (this involves changing the JMP to a NOP, or no operation).

In order to do the actual opcode patching, you need to open the program in a hex editor. After you have installed the hex editor, simply right-click the binary program in Windows and select "open with Ultra Edit". You will see the raw hex code (Figure 2-15), ready to be patched.

[Figure 2-15: UltraEdit-32 with C:\Documents and Settings\Administrator\Desktop\rm1.exe open in hex mode (menu bar: File, Edit, Search, Project, View, Format, Column, Macro, A...).]
29. ows reversers in the world. Each year the HCU published a new reverse engineering challenge, and the authors of a handful of the best written responses were invited as students for the new school year. One of the professors, known as Fravia, maintained a motley web site known as "Fravia's Pages of Reverse Engineering". In this forum, Fravia not only challenged programmers, but society itself, to "reverse engineer" the brainwashing of a corrupt and rampant materialism. At one point Fravia's site was receiving millions of traffic hits per year, and its influence was widespread.

Today, most of the old HCU has left Windows for the less occult Linux platform; only a few, such as Tsehp, have remained to reverse Windows software. A new generation of reversers has rediscovered the ancient texts and begun to advance the science once again. Meanwhile, Fravia himself can still be found wandering his endless library at http://www.searchlores.org.

Reversing Tools

As a software reverse engineer, you are only as good as your tools. Before diving into practical examples later in the chapter, we first review some of the classic Windows RCE tools. Some you can learn in a day, while others may take years to master.

Hex Editors

To edit binaries in hexadecimal (or opcode patching), you need a good hex editor. One of the best is UltraEdit, by Ian Meade (http://www.ultraedit.com), shown in Figure 2-1.

Disassemblers

A disassembler attem
30. pts to dissect a binary executable into human-readable assembly language. The disassembler software reads the raw byte stream of the executable (the bytes the processor would execute) and parses it into groups of instructions. These instructions are then translated into assembly language instructions. The disassembler makes a best guess at the assembly language code, often with variable results. Nevertheless, it is the most essential tool for a software cracker.

A popular disassembler, and one that is the tool of choice for many expert reverse engineers, is IDA Pro. IDA (http://www.datarescue.com) is a multiprocessor, multioperating-system, interactive disassembler. It has won numerous accolades, not the least being chosen as the official disassembler of the HCU in 1997.

[Figure 2-1: UltraEdit-32 (C:\Documents and Settings\Administrator\My ...) in hex mode, showing a binary's raw bytes in rows of 16 with file offsets 000004e0h through 00000540h and the ASCII column alongside.]
31. rch using hex rather than ASCII. Once you have found the target bytes, carefully replace them to bypass the jump. Then simply save the binary application again and run it. In our example, the program exits properly when you click the Exit button.

Example 2: Reversing Malicious Code

One of the most important functions of RCE is to reverse engineer malicious code such as computer viruses or Trojans. In this example, we will be reversing the notorious SubSeven Trojan by MobMan. By reverse engineering a Trojan, you can find its unique hex byte signature, its registry entries, etc., for the purposes of antivirus programs or manual extraction. However, in this case we will be reversing SubSeven in order to demonstrate its hidden secret. Interestingly, we will demonstrate why these days you can't even trust an "honest" Trojan writer.

At the time of this writing, you can obtain the Trojan from http://www.subseven.ws or, when that site goes down (which it undoubtedly will), by a simple web search. Credit for this discovery goes to the Defiler, and portions are reprinted with permission from Tsehp. For this exercise, you need SoftICE installed and running.

You may choose from several versions of SubSeven, each of which will give you slightly different results. After installing the software, you configure the server portion using the accompanying EditServer program (Figure 2-17). In this exerci
32. [Figure 2-13: String disassembly in IDA Pro. The Names window lists .text entries at 00401018, 00401038 and 00401040; .idata imports ExitProcess (00402076), GetModuleHandleA (00402084), KERNEL32.dll (00402096), DialogBoxParamA, EndDialog (004020B8), MessageBoxA (004020C4) and USER32.dll (004020D0); and the .data string at 0040302F, "Your job is to make me work as an exit button" (Line 11 of 12).]

Double-clicking on our target string takes us directly to the target code in the disassembly (Figure 2-14). We arrive at this code:

    * Reference To: KERNEL32.ExitProcess, Ord:0075h
    :00401024 E843000000    call 0040106C    ; This calls ExitProcess when we click on the Windows Exit Cross
    :00401029 55            push ebp
    :0040102A 8BEC          mov ebp, esp

[Figure 2-14: IDA Pro (rm1.exe) positioned at the .data segment: ".data:00403000 ; Segment type: Pure data", "_data segment para public 'DATA' use32", "assume cs:_data", "org 403000h", and ".data:00403000 aYourJobIsToMak db 'Your job is to make me work as an exit button',0" with a DATA XREF back to the calling subroutine.]
33. se, we will use the localhost address for the server and configure it with port 666 and password "Peikari".

[Figure 2-17: Configuring SubSeven with the EditServer program. The dialog offers "read current settings", "change server icon", two "method" startup settings, "enable IRC notify", a further notify option, and "bind server with EXE file".]

Make sure to use an uninstall manager when installing any malware so that you will be able to manually remove it later. For this exercise, you must turn off your virus scanners, or you will be unable to work with the malware. Once the server is configured, launch the client. The disclaimer that appears (Figure 2-18) is quite ironic, as we will soon see.

We point the client to localhost (127.0.0.1), as shown in Figure 2-19. Note that we will change the port from the default of 27374 to read 666, which is how we configured our server.

Next, open SoftICE's symbol loader to import winsock exports (wsock32.dll, depending on your operating system). After you load the SubSeven server in SoftICE's symbol loader, the Trojan will run. Once you click "connect" to reach localhost, the password dialog pops up. In this case, enter a dummy password that is different from the real password ("Peikari") that we chose previously.

[Figure 2-18: The SubSeven v2.1 GOLD edition client disclaimer (http://subseven.slak.org): "By using SubSeven you MUST agree to the following: 1. SubSeven is provided ... without any expr..."]
34. the breakpoints (bd) and run the program, this time entering the password 14438136782715101980. SubSeven responds with "connected".

This exercise reveals that SubSeven's author has secretly included a hardcoded master password for all of his Trojans. The Trojan itself has been Trojaned. You just can't trust anyone these days.

References

The example crackmes from this chapter are at http://www.securitywarrior.com. Due to their controversial nature, some of the references in this book have volatile URLs. Whenever possible, we list the updated links at http://www.securitywarrior.com.

"Windows Internet Security: Protecting Your Critical Data," by Seth Fogie and Cyrus Peikari. Prentice Hall, 2001.
"Server Security: Architecture and Policy Vulnerabilities." Paper presented at Defcon 10, August 2002.
"PE header Format." Iczelion's Win32 Assembly Homepage. (http://win32asm.cjb.net)
"Mankind comes into the Ice Age." Mammon_'s Tales to his Grandson.
"An IDA Primer." Mammon_'s Tales to Fravia's Grandson.
"SoftICE breakpoints." (http://www.anticrack.de)
"WoRKiNG WiTH UCF's ProcDump32," by Hades.
"Win32 Assembly Tutorial." Copyright 2000 by Exagone. (http://exagone.cjb.net)
"SubSeven official site." (http://www.subseven.ws)
"Reversing a Trojan: Part I," by the Defiler. Published by Tsehp.
"Muad'dib's Crackme." Published by Tsehp.
35. tion. Start by clicking the Unpack button. Then choose the name of the commercial (or other) packing program that protects the program. Next, an Open dialog will pop up. Choose the executable you want to unpack and click Open. ProcDump will load the executable in memory. When this is done, hit OK and the program will unpack automatically.

Personal Firewalls

A personal firewall is a useful addition to the reverse engineer's arsenal. Personal firewalls are software applications that run on end-user machines to filter data passing through the TCP/IP stack. For example, if there is a hidden backdoor installed on your system, a good personal firewall can alert you to normally hidden communication. Similarly, a personal firewall can uncover commercial spyware when it attempts to "phone home". Please note that you still might be fooled, as some products use port redirection, tunneling, or even methods as simple as embedding the signal in an allowed SMTP message. An example of a personal firewall is Zone Alarm, from http://www.zonelabs.com.

A sniffer is another valuable tool for a reverse engineer. We will cover packet dissection in Chapter 6.

Install Managers

Install managers are programs that monitor unknown binaries as they install on your system. There are many commercial install managers, like InCtrl5 (Figure 2-10).

[Figure 2-10: InCtrl5 (Install Control for Windows) ... T
36. ur binary. How do we find the bytes that we need to patch? Search the hex dump for a unique string of hex bytes that represents the target code. For example, to find

    :0040104D E832000000    call 00401080
    :00401053 EB2A          jmp 00401068

we search for its unique hex string (Figure 2-16):

    E832000000EB2A

[Figure 2-16: Searching for our hex code to patch. UltraEdit's hex view shows the string "Your job is to make me work as an exit button" at file offset 00000800h (bytes 59 6F 75 72 20 6A 6F 62 ...), and the Find dialog holds "E8 32 00 00 00 EB 2A" with the hint "Hex strings should have two characters per byte, and each byte may be separated from another with a space. Example: FD or FF FE FD", plus Find ASCII, Match Case and Regular Expressions options.]

The key is to search for a hex string that is long enough that it will be unique in the application. Make sure to sea
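The search-and-patch step described here, and the opcode patch laid out earlier on this page (call/jmp at 0040104D replaced by the six-byte jmp dword ptr [00402004] from 0040106C plus a NOP), as an added example that is not code from the book. The script does what the UltraEdit session does by hand, with the checks a hex editor will not make for you: it refuses to patch unless the byte pattern occurs exactly once, it refuses a replacement longer than what it overwrites, it NOP-pads so later instructions keep their addresses, and it decodes the operands involved so the patch can be sanity-checked first. It also shows why the book's six thunk bytes can be copied as-is: FF 25 disp32 is an absolute indirect jump through the import table, so unlike an E8/EB relative branch it needs no displacement fix-up when moved. The input is a constructed stand-in for rm1.exe (the crackme itself is not on this page); the file offset chosen for the target bytes is an assumption, not something the page states.

```python
"""Automating the hex-editor patch from the rm1.exe walkthrough (added example)."""
import struct

NOP = 0x90

# Byte sequences quoted in the text (virtual addresses in rm1.exe).
ORIGINAL   = bytes.fromhex("E832000000EB2A")  # 0040104D: call 00401080 / 00401053: jmp 00401068
EXIT_THUNK = bytes.fromhex("FF2504204000")    # 0040106C: jmp dword ptr [00402004] -> ExitProcess
EXIT_CALL  = bytes.fromhex("E843000000")      # 00401024: call 0040106C

# Constructed stand-in binary (not the real crackme): the 7 target bytes sit at
# file offset 0x44D, where VA 0040104D would land if .text began at file offset
# 0x400 and RVA 0x1000. That layout is an assumption about rm1.exe.
SAMPLE_EXE = b"MZ" + b"\x00" * 0x44B + ORIGINAL + b"\xCC" * 16 + EXIT_THUNK + b"\x00" * 32


def occurrences(data: bytes, pattern: bytes) -> int:
    """Count non-overlapping occurrences of `pattern` in `data`."""
    return data.count(pattern)


def find_unique(data: bytes, pattern: bytes) -> int:
    """File offset of `pattern`; refuse if it is missing or ambiguous."""
    n = occurrences(data, pattern)
    if n == 0:
        raise ValueError("pattern not found; re-check the bytes copied from the disassembly")
    if n > 1:
        raise ValueError(f"pattern occurs {n} times; extend it with the following bytes until unique")
    return data.find(pattern)


def patch(data: bytes, pattern: bytes, replacement: bytes) -> bytes:
    """Overwrite `pattern` with `replacement`, NOP-padding so the next instruction keeps its address."""
    if len(replacement) > len(pattern):
        raise ValueError("replacement is longer than the bytes it overwrites; it would clobber the next instruction")
    off = find_unique(data, pattern)
    padded = replacement + bytes([NOP]) * (len(pattern) - len(replacement))
    return data[:off] + padded + data[off + len(pattern):]


def call_rel32_target(va: int, insn: bytes) -> int:
    """Destination of an E8 rel32 CALL at virtual address `va`: next instruction plus signed displacement."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not an E8 rel32 call")
    return (va + 5 + struct.unpack("<i", insn[1:])[0]) & 0xFFFFFFFF


def jmp_indirect_slot(insn: bytes) -> int:
    """Import-table slot read by FF 25 disp32 (jmp dword ptr [disp32]). The operand is an
    absolute address, so these six bytes work unchanged wherever they are copied."""
    if len(insn) != 6 or insn[:2] != b"\xFF\x25":
        raise ValueError("not an FF 25 disp32 jmp")
    return struct.unpack("<I", insn[2:])[0]


def patch_sample() -> bytes:
    """Apply the book's patch to the stand-in: call + jmp become jmp [ExitProcess] + nop."""
    return patch(SAMPLE_EXE, ORIGINAL, EXIT_THUNK)


if __name__ == "__main__":
    print("call at 00401024 targets %08X" % call_rel32_target(0x401024, EXIT_CALL))
    print("thunk reads IAT slot    %08X" % jmp_indirect_slot(EXIT_THUNK))
    patched = patch_sample()
    off = find_unique(SAMPLE_EXE, ORIGINAL)
    print("patched bytes at file offset %#x: %s" % (off, patched[off:off + 7].hex().upper()))
    # For a real file: data = open(path, "rb").read(); open(out, "wb").write(patch(data, ORIGINAL, EXIT_THUNK))
```

Work on a copy of the binary, and note that a pattern that is unique in one build is not necessarily unique in another; the uniqueness check is what keeps a seven-byte search from silently patching the wrong place.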
37. y overwhelm you. Our goal here is to focus on one application that we want to monitor, i.e., NOTEPAD.EXE (Figure 2-4).

[Figure 2-4: Unfiltered Filemon capture. Columns: Time, Process, Request, Path, Result. Rows at 11:15:12 PM from explorer.exe:1292 show IRP_MJ_CLOSE, FASTIO_QUERY_STAN..., IRP_MJ_READ, IRP_MJ_CLEANUP, IRP_MJ_CREATE, FASTIO_QUERY_BASI... and IRP_MJ_SET_INFORM... on C:\Documents and Settings\Administrat..., and FSCTL_IS_VOLUME_M... on C:\Program Files\Common Files\System..., all SUCCESS.]
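The narrowing described here and in the Filemon filter walkthrough (Figure 2-5: several match strings separated by ';', '*' as a wildcard, an Include list and an Exclude list), as an added example that is neither the book's code nor Sysinternals'. It applies those filter semantics to a constructed capture laid out in Filemon's Time / Process / Request / Path / Result columns, then summarizes what the target touched and which opens failed, which is usually the first thing a reverser wants from a capture (a FILE NOT FOUND tells you what the program looked for). Assumptions: matching is case-insensitive, applied to both the Process and Path columns, and a string without '*' matches anywhere in the text; how exactly a given Filemon build matches is not something the page states. The log lines, process IDs and paths are constructed.

```python
"""Filemon-style include/exclude filtering over a constructed capture (added example)."""
from fnmatch import fnmatchcase

# Constructed sample capture in Filemon's column order, tab-separated (not a real log).
CAPTURE = """\
11:15:12 PM\texplorer.exe:1292\tIRP_MJ_CLOSE\tC:\\Documents and Settings\\Administrator\\ntuser.dat\tSUCCESS
11:15:12 PM\texplorer.exe:1292\tFSCTL_IS_VOLUME_MOUNTED\tC:\\Program Files\\Common Files\\System\tSUCCESS
12:41:33 AM\tNOTEPAD.EXE:1640\tIRP_MJ_CREATE\tC:\\Documents and Settings\\Administrator\\notes.txt\tFILE NOT FOUND
12:41:33 AM\tNOTEPAD.EXE:1640\tIRP_MJ_CREATE\tC:\\WINNT\\System32\\WINSPOOL.DRV\tSUCCESS
12:41:33 AM\tNOTEPAD.EXE:1640\tIRP_MJ_READ\tC:\\WINNT\\System32\\WINSPOOL.DRV\tSUCCESS
12:41:34 AM\tNOTEPAD.EXE:1640\tIRP_MJ_CLOSE\tC:\\WINNT\\System32\\WINSPOOL.DRV\tSUCCESS
12:41:35 AM\tsvchost.exe:816\tIRP_MJ_WRITE\tC:\\WINNT\\Temp\\notepad.exe.bak\tSUCCESS
"""

COLUMNS = ("time", "process", "request", "path", "result")


def parse_line(line: str) -> dict:
    """Split one capture line into its five columns."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}: {line!r}")
    return dict(zip(COLUMNS, fields))


def _split_patterns(spec: str) -> list:
    """'a;b;c' -> ['a', 'b', 'c'], dropping blanks, as the Filter dialog's ';' separator implies."""
    return [p.strip() for p in spec.split(";") if p.strip()]


def _match(pattern: str, text: str) -> bool:
    """Case-insensitive; a pattern containing '*' is a glob, a plain string matches anywhere (assumption)."""
    pattern, text = pattern.lower(), text.lower()
    if "*" in pattern:
        return fnmatchcase(text, pattern)
    return pattern in text


def apply_filter(lines, include: str = "*", exclude: str = "") -> list:
    """Keep events matching any Include string, then drop those matching any Exclude string.
    Both lists are tested against the Process and Path columns."""
    inc, exc = _split_patterns(include), _split_patterns(exclude)
    kept = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        fields = (ev["process"], ev["path"])
        if not any(_match(p, f) for p in inc for f in fields):
            continue
        if any(_match(p, f) for p in exc for f in fields):
            continue
        kept.append(ev)
    return kept


def summarize(events) -> dict:
    """Map each path to the sorted list of request types seen against it."""
    by_path = {}
    for ev in events:
        by_path.setdefault(ev["path"], set()).add(ev["request"])
    return {path: sorted(reqs) for path, reqs in by_path.items()}


def failures(events) -> list:
    """Paths whose result was anything but SUCCESS: what the target looked for and did not get."""
    return [ev["path"] for ev in events if ev["result"] != "SUCCESS"]


if __name__ == "__main__":
    lines = CAPTURE.splitlines()
    # Include notepad.exe, then exclude the spooler driver noise and an unrelated process
    # that merely touched a path containing the include string.
    events = apply_filter(lines, include="notepad.exe", exclude="svchost*;*.drv")
    for path, reqs in summarize(events).items():
        print(path, reqs)
    print("not found:", failures(apply_filter(lines, include="notepad.exe")))
```

The svchost.exe line is there on purpose: a plain include string such as notepad.exe also matches any path that contains it, so unrelated processes can leak into a "pure" capture until you exclude them or make the pattern more specific.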
