Reverse Code Engineering
RCE Challenge – nine
by sharpe on Dec.20, 2009, under Challenges, Reverse Code Engineering
My last reverseme was too easy due to the nature of the code de-obfuscation key length and usage. This time I have made some minor changes to precisely this portion of the code. Furthermore, I have added some anti-debugging stuff that I observed in a piece of malware. I hope you enjoy.
Here is a screen dump of this reverseme:
It can be downloaded here: nine (80).
Identifying Vulnerabilities in ActiveX Controls
by sharpe on Aug.08, 2009, under Reverse Code Engineering, Security
While many ActiveX components are slowly being replaced with technologies considered more secure and/or web-mature, many developers still utilise ActiveX controls as a quick way to push advanced functionality out to web browsers. ActiveX security is based on digital signatures: if you trust the source of the component, then the control is considered safe to run. That said, once the control is running it behaves like any other Win32 desktop application and has access to the same resources, unlike a Java applet, which executes inside a restricted environment known as a “sandbox” that limits what the applet can access. Well, that’s how the sandbox works in theory at least. In other words, you had better trust the authors of the ActiveX component.
In this paper, I won’t be focussing on the ActiveX security model, but rather on the identification of vulnerabilities in the ActiveX control itself, not in the way the control interacts with its environment. This is an interesting topic, as the presence of such vulnerabilities could enable malicious individuals to compromise a user’s computer simply by guiding them to a malicious web site. In other words, no action on the part of the user is required for remote code execution.
This paper is currently being re-written and thus unavailable.
If you have any comments, please don’t hesitate to write to me.
IFAU – Index Frequency Analysis Utility
by sharpe on Jun.04, 2009, under Reverse Code Engineering, Utilities
IFAU is a simple utility that was written to analyse binary files and count how many times each hex byte is present in a given file. This is useful when attempting to identify frequently used op codes. The results are written to a hash which is dumped to an XML report as well as a graph upon completion.
A sample XML report might resemble the following:
<?xml version="1.0" encoding="iso-8859-1" ?>
<bytes count="10">
<byte value="11" count="1" />
<byte value="23" count="1" />
<byte value="32" count="1" />
<byte value="38" count="1" />
<byte value="4a" count="1" />
<byte value="69" count="1" />
<byte value="87" count="2" />
<byte value="ad" count="1" />
<byte value="df" count="1" />
<byte value="fa" count="1" />
</bytes>
As mentioned above, this information is also presented in a graph. A large number of different bytes can result in the graph being difficult to read, which is why the previously presented XML report is also generated.
As an illustration, a graph for a small binary file might resemble the following:
IFAU can be downloaded here: ifau (46). This is a beta release so use at your own risk.
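The following is an added example, not IFAU's own code: a byte-frequency counter that emits a report in the same layout as the sample above (the outer count is the number of distinct byte values, each entry carries the value as two lowercase hex digits) and also lists the most frequent bytes, which is the view you want when hunting for heavily used opcodes or padding. The sample input is constructed so that its counts reproduce the sample report exactly; the function names are my own.

```python
from collections import Counter
import sys

# Constructed sample input: the eleven bytes whose counts match the XML
# report shown above (0x87 appears twice, every other value once).
SAMPLE = bytes.fromhex("11 23 32 38 4a 69 87 87 ad df fa")


def byte_frequencies(data: bytes) -> dict:
    """Map each byte value present in data to the number of times it occurs."""
    return dict(Counter(data))


def xml_report(data: bytes) -> str:
    """Render the frequency table in the same layout as the IFAU sample report.

    The outer count attribute is the number of distinct byte values (the
    sample lists ten entries and says count="10"); each entry carries the
    byte value as two lowercase hex digits and its occurrence count.
    """
    freq = byte_frequencies(data)
    lines = [
        '<?xml version="1.0" encoding="iso-8859-1" ?>',
        f'<bytes count="{len(freq)}">',
    ]
    for value in sorted(freq):
        lines.append(f'<byte value="{value:02x}" count="{freq[value]}" />')
    lines.append("</bytes>")
    return "\n".join(lines)


def most_frequent(data: bytes, n: int = 5) -> list:
    """Return the n most common (value, count) pairs, highest count first.

    Ties are broken by byte value so the result is deterministic; this is
    the view that helps spot heavily used opcodes (or padding) in a binary.
    """
    freq = byte_frequencies(data)
    return sorted(freq.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def report_file(path: str) -> str:
    """Read a whole file and produce its XML report."""
    with open(path, "rb") as fh:
        return xml_report(fh.read())


if __name__ == "__main__":
    # With no argument, analyse the constructed sample instead of a real file.
    print(report_file(sys.argv[1]) if len(sys.argv) > 1 else xml_report(SAMPLE))
```

Run it with a path to any binary to get the report on stdout; the graph step is omitted here, but most_frequent gives the readable summary that the post says a crowded graph cannot.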
RCE Challenge – eight
by sharpe on Jun.04, 2009, under Challenges, Reverse Code Engineering
Based on all the comments I have received on the previous two unlockmes (six and seven), I have created a new and improved version, which I hope will offer more of a challenge than its predecessors. If you manage to find a valid Unlock Code, type it in and press the Unlock Code button. If it is correct, you should be able to find the hidden secret.
Here is a screen dump of this unlockme challenge:
It can be downloaded here: eight (38).
RCE Challenge – seven
by sharpe on Jun.03, 2009, under Challenges, Reverse Code Engineering
Here is my latest crackme, which is no longer a keygenme. I decided to drop that functionality as I feel that finding a valid Unlock Code for the code obfuscation is the only real challenge. If you manage to find a valid Unlock Code, type it in and press the Unlock Code button. If it is correct, things should go well when you press the Check button.
Here is a screen dump of this unlockme challenge:
It can be downloaded here: seven (38).
RCE Challenge – six
by sharpe on May.25, 2009, under Challenges, Reverse Code Engineering
All sorts of stuff is obfuscated here, including the serial-generation code as well as other “code” that may be of interest. I won’t say much more. After the unlock code has been found, type it in and it will de-obfuscate the serial-generation code as with the two other challenges. If you enter an invalid code, the crackme will crash, as the de-obfuscation routine will contain garbage instruction sequences. After this bit has been completed, it should be straightforward.
Here is a screen dump of this keygenme:
It can be downloaded here: six (35).
RCE Challenge – Five
by sharpe on May.18, 2009, under Challenges, Reverse Code Engineering
The serial-generation code in this crackme is obfuscated; there are no signatures this time, and the entire serial-generation code has been re-written. After the unlock code has been found, type it in and it will de-obfuscate the serial-generation code. If you enter an invalid code, the crackme will die (depending on your luck, of course), as the de-obfuscation routine may very well result in invalid instruction sequences. After this bit has been defeated, it should be straightforward.
Here is a screen dump of this keygenme:
It can be downloaded here: five (37).
RCE Challenge – Four
by sharpe on May.18, 2009, under Challenges, Reverse Code Engineering
I chose to obfuscate most of the code in this crackme besides the unlock functionality. The serial-generation code is the same as in my last crackme (#3), so there will be opcode signatures that will enable you to brute out the code encryption key. If you haven’t completed my last crackme, you should still be able to find valid code signatures in the code. After the Unlock Code has been found, type it in and it will decrypt the serial-generation code. Then it should be straightforward.
I figured that a good way to protect serial-generation code was to obfuscate it; the code will not execute unless a valid unlock code is entered. Well, that’s the plan at least.
Here is a screen dump of this keygenme:
It can be downloaded here: four (40).
File Identification Toolkit Signature Generator
by sharpe on Apr.29, 2009, under Reverse Code Engineering, Utilities
FIT-sig (File Identification Toolkit Signature Utility) is a tool designed to aid in identifying common signatures, of varying lengths, in two given files of any type (binary or non-binary). FIT-sig was originally written to help when identifying Portable Executable packers/protectors.
The general idea is that you take two different files (e.g. executables) of varying sizes and pack them with the same packer/protector and feed them to FIT-sig. The result is an XML report containing signatures common for both files. FIT-sig can also be used to find similarities in other files such as images (e.g. GIF, BMP, and JPEG) and PDF documents. The length of the desired signatures can be specified in the configuration file as can the number of signatures required. For further information regarding how this tool is used, please consult the configuration file.
It can be downloaded here: fit-sig (40). This is a beta release so use at your own risk.
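The search FIT-sig performs, as an added example that is not the tool's own code: every window of the requested length in the first file is indexed, the second file is scanned once, and each hit is extended forward as far as the two files keep agreeing, so a long shared run (a packer's entry stub, say) is reported once rather than as dozens of overlapping windows. The signature length and the number of signatures are parameters here, standing in for the configuration-file settings the post mentions; the two sample "files" and the report layout are constructed for this example and are not taken from any real packer or from FIT-sig's report format.

```python
# Constructed sample "files": a shared made-up header stub, different bodies,
# and a shared made-up function prologue near the end. None of these bytes
# come from a real packer; they only exist to exercise the search.
HEADER = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x60\xe8\x00\x00\x00\x00\x5d\x81\xed"
TAIL = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57"
FILE_A = HEADER + bytes(range(0, 64)) + TAIL           # ascending body
FILE_B = HEADER + bytes(range(255, 191, -1)) + TAIL    # descending body


def common_signatures(a: bytes, b: bytes, min_len: int = 8, max_sigs: int = 10) -> list:
    """Return up to max_sigs maximal byte runs shared by a and b.

    Each result is (offset_in_a, offset_in_b, signature). Every min_len
    window of a is indexed, b is scanned once, and each hit is extended
    forward while the two files keep agreeing, so one long common run is
    reported once instead of as many overlapping windows.
    """
    if min_len <= 0 or len(a) < min_len or len(b) < min_len:
        return []
    index: dict = {}
    for i in range(len(a) - min_len + 1):
        index.setdefault(a[i:i + min_len], []).append(i)

    found, seen = [], set()
    j = 0
    while j <= len(b) - min_len and len(found) < max_sigs:
        window = b[j:j + min_len]
        if window not in index:
            j += 1
            continue
        # Among all places the window occurs in a, keep the longest extension.
        best_i, best_k = -1, 0
        for i in index[window]:
            k = min_len
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            if k > best_k:
                best_i, best_k = i, k
        signature = b[j:j + best_k]
        if signature not in seen:
            seen.add(signature)
            found.append((best_i, j, signature))
        j += best_k  # skip past the run so its sub-windows are not re-reported
    return found


def format_report(sigs: list) -> str:
    """One line per signature: both offsets, the length and the bytes as hex.

    This layout is the example's own; FIT-sig writes an XML report instead.
    """
    return "\n".join(f"a+0x{ia:x} b+0x{ib:x} len={len(s)} {s.hex()}" for ia, ib, s in sigs)


if __name__ == "__main__":
    print(format_report(common_signatures(FILE_A, FILE_B, min_len=8)))
```

With the sample input the search reports exactly two runs, the 17-byte header and the 9-byte prologue; raising min_len to 12 drops the prologue, which is the same trade-off you make when choosing a signature length in the configuration file: longer signatures are more specific but miss short shared stubs.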
Finding, Exploiting and Fixing Bugs in Binaries
by sharpe on Mar.30, 2009, under Reverse Code Engineering, Security
I had been using Code Crafter’s Ability Server for some time when a colleague brought to my attention the fact that there was a remotely exploitable vulnerability in precisely the version I was using. After a short conversation with a friend regarding the vulnerability, I decided to delve a little deeper in an attempt to identify and remove the vulnerability.
The paper can be downloaded here: Finding, Exploiting, and Fixing Bugs in Binaries (44).