All Categories - Vitali Kremez

IDA Pro Tutorial: Unpacking Obfuscated Binary Using IDA Pro Debugger

8/27/2016

Source: hexrays.com
Goal: Advance IDA Pro understanding
Step: Load file using as Portable Executable for 80386 (metapc) reveals multiple errors and “Warning” tab informing about possible obfuscation routines.

The following flags are checked out as well:

Rename DLL sections
Create import segment

The subroutine reveals the unresolvable jmp call to nowhere, as marked in red.

Debugging C Code in Microsoft Visual Studio 2015

8/21/2016

Source: Intro to Intel x86, OpenSecurityTraining
1 - Fix C++/ Linker Setup Properties
* Program Database (/Zi)
* Disable Security Check
* __cdecl (/Gd) or __stdcall (/Gz)
* Linker/Enable Incremental Linking (No)
2 - Breakpoint on Main -> Go to Disassembly
3 - Windows/Memory -> Address on ESP (hexadecimal display and 4-byte integers)
4 - Windows/Registers

Extracting Malicious Shellcode From PDF

6/11/2016

Source: OpenSecurityTraining

PDFStreamDumper
Load -> Pdf File
View objects list in left-side box
- Tools -> About Listview Colors
choose object of interest (click on it to select)
- to export as-is: Right-click object number in left-side box -> Save Raw Stream
- to deal with JavaScript...
  1. click on object in left-side box, to select it
  2. click Javascrip_UI (in the menubar)
  3. modify JavaScript so that you remove the exploit line(s) and just have a variable that contains the shellcode
  4. add to the end of the JavaScript box (replacing VAR_NAME): tb.writeFile("C:\\shellcode.bin",VAR_NAME)
  5. click the Run button

Software Crack Challenge: ReWrit's Crackme #10.exe

6/2/2016

Inspired by: http://sgros-students.blogspot.com/2014/09/reversing-with-immunity-debugger.html

Goal:

Find where we type file password for the binary and where it is compared to the actual password, patch the program, and obtain access to the file.

We see that in case when our password is incorrect we get message Bad password. So lets try to find where that message is loaded up and displayed.

To do that we shall search binary file for string Bad password, or to be more precise, we shall search binary for all strings which are referenced to in the code. This method is effective only if binary isn't packed, obfuscated or encrypted in any way.

Manual Malware Unpacking

5/30/2016

Unpacker Tail Transitions

often (not always) found at the end of unpacking code
Usually comes in one of the following forms:
- jump immediate (jmp 0401234)
  - Jumps generally take 1 byte operand, while transitions from unpackers to application code require a larger operand (e.g. 4 bytes)
- push / ret
  - A push followed by a return is fishy as the pushed value becomes the return address
  - The unpacker may have a constant or set a register that it jumps to
- pusha / popa
  - Not a transition technique, but usually used for restoring registers to entry-point state
  - Hardware Breakpoint on one of the saved registers may halt debugger just before transition to OEP
    - View ESP in dump, select one of the 4 byte aligned values, and set bp (f2)

When a tail jump is unidentifiable, attempt to locate OEP by a section hop

Generally code resides in single section of the PE file.
Hops between sections are unusual and occur often in the transition from unpacker stubs to application code
OllyDump automates the search for such a hop and attempts to break when found

Beware of self-modifying code

How Software Breakpoints work
- Debugger stores a copy of the byte at the breakpoint address
- This byte is replaced with 0xCC
- When the address is reached, the debugger swaps in the original byte
How self-modifying code works
- A byte or block is read from memory
- Optional transformations are applied
- The byte is written (original location or elsewhere)
Self-modify reads may read wrong (0xCC) byte
Self-modify writes may overwrite breakpoints
Use Hardware breakpoints when possible (4 in 32-bit)

Breaking on common events

Debuggers often allow breaking on Library Load/Unload
- Packers often end with a series of LoadLibrary / GetProcAddress calls
Could set a breakpoint on common start-up functions
- GetCommandLineA, GetVersion
- Catch is they have to be loaded and available for brea

String Obfuscation via MOV Instructions

5/30/2016

mov ecx, 0x400000
mov [ecx], 0x53 // 'S'
inc ecx
mov [ecx], 0x54 // 'T'
inc ecx
mov [ecx], 0x52 // 'R'
inc ecx
mov [ecx], 0x00

This sequence would put the ASCII string “STR” at the memory location 0x400000.

A variant of this is to construct the string via one or more PUSH instructions:

PUSH 0x00525453

Generic RE Algorithm

5/30/2016

Source: OpenSecurityTraining

Gather information
- IAT (Import Address Table)
- Strings
- Dynamic analysis
Identify function of interest
Identify CALLs
Identify algorithms and data structures
Pseudo-code it!
- If having trouble, draw the memory and CPU and map what happens at each instruction
Rename function(s), argument(s), variable(s)
Add comments
GOTO 2

IDC Script: Coloring Unusual Instructions: Anti-Analysis

5/30/2016

#include <idc.idc> static main() {
auto start, end, addr, mnem, count, opnd, opnd1, opnd2;

start = SegStart( ScreenEA() );
nd = SegEnd( ScreenEA() );
addr = start; count = 0;
while( addr < end ) {
mnem = GetMnem( addr );

// Common VM detect instructions
if( mnem == "sidt" || mnem == "sgdt" || mnem == "sldt" || mnem == "smsw" || mnem == "str" ) { Message( "%08x: Found %s\n", addr, mnem );
SetColor( addr, CIC_ITEM, 0x0088ff ); // orange
}
// Read Time Stamp Counter
if( mnem == "rdtsc" ) {
Message( "%08x: Found %s\n", addr, mnem );
SetColor( addr, CIC_ITEM, 0xff8800 ); // blue
}
// Exception Handling or other PEB/TEB access
opnd = "";
opnd1 = GetOpnd( addr, 0 );
opnd2 = GetOpnd( addr, 1 );
if( strstr( opnd1, "fs:" ) > -1 ) {
opnd = opnd1;
}
else {
if( strstr( opnd2, "fs:" ) > -1 ) opnd = opnd2;
}
if( opnd != "" ) {
Message( "%08x: Found %s\n", addr, opnd );
SetColor( addr, CIC_ITEM, 0xff8888 ); // purple
}
addr = NextHead( addr, BADADDR );
count = count + 1;
}
Message( "Processed %d instructions from %08x to %08x\n", count, start, end );
}

OpenSecurity: Notable JCC Instructions

4/1/2016

Source: OpenSecurityTraining.info

Some Notable JCC Instructions
• JZ/JE: if ZF == 1
• JNZ/JNE: if ZF == 0
• JLE/JNG : if ZF == 1 or SF != OF
• JGE/JNL : if SF == OF
• JBE: if CF == 1 OR ZF == 1
• JB: if CF == 1