Friday, November 5, 2010

Friday hexadecimal entertainment

TLDR: 
  • OllyDBG works like a charm in Wine
  • Looking into malwares on Friday is fun

Working on fridays sucks. So here is a little reverse-engineering fun.

On a supposedly "empty" USB stick, I found a weirdly-named file:
$ ls
gy.cmd
$ file gy.cmd
gy.cmd: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

You can get it there (pass: GraLandSec).

A quick visit to Virus Total confirms that it is a Trojan. And here is something fun to do before week-end !
First, a quick look at the file with IDA, now with a native Qt interface under Linux. No need to boot a VM, my good old XP in VirtualBox is now officially half-useless (as we will see later, we can do a lot of things with PE juste with Linux). Here is what the flow-chart looks like at the entrypoint:


Very simple and linear, except for what looks like a loop at the end. Let's zoom in:

This really looks like a decoding loop (with the memory acces sub [esi], al). After the loop, we apparently have junk / random bytes. At this point, we can say that the program is packed, with a simple decoding routine at the entrypoint. How can we continue the analysis ? Under Linux, IDA have debugging capabilities for Linux executables, or using a remote debugger.
So here comes our second tool, the best for PE32 debugging: OllyDbg. Even if it is only distributed for Windows, it runs perfectly under Wine. Lets see what our loop looks like :

We have a lot of junk code (useless instructions like add eax, N; dec eax, N). Fill it with NOPs. Looking at the bottom of the loop, we can see that ECX is the loop counter. Let's track operation on it. After a bit of cleanup, our code looks like this:

Much cleaner ! Now, we can run the program in the debugger and make it decode itself. Set a break point on the bottom of the loop, and watch it do the work ! You'll see that our counter is indeed ECX, and it is decremented at each loop. You can set a conditionnal breakpoint to make the program stop when ECX==0.
The next part is another decoding loop, similar to the first one. The decoding loop counter is in EDX, the "key" is stored in ESI, the write index is ECX. I'll let you look at it, there is a lot of funny stuff to see in this file. Happy native-PE32-linux-debugging !
Posted by blind_key at 14:57

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)