mrexodia's blog

Dot Net Callstack From Windbg

2020-02-16T00:00:00+00:00

Recently I experienced a bug with Git Extensions and I did not yet have JitMagic set up with dnSpy integration. I needed the callstack to report an issue to the developers.

I chose WinDbg as the just-in-time debugger. And simply ran !analyze -v:

*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

DEBUG_FLR_EXCEPTION_CODE(80131509) and the ".exr -1" ExceptionCode(e0434352) don't match
MethodDesc:   00007ffc4ae31d70
Method Name:  System.Reactive.Concurrency.SynchronizationContextScheduler.Schedule[[System.ValueTuple`2[[System.__Canon, mscorlib],[System.__Canon, mscorlib]], System.ValueTuple]](System.ValueTuple`2<System.__Canon,System.__Canon>, System.Func`3<System.Reactive.Concurrency.IScheduler,System.ValueTuple`2<System.__Canon,System.__Canon>,System.IDisposable>)
Class:        00007ffc7f601a38
MethodTable:  00007ffc7fed5ba0
mdToken:      00000000060011ac
Module:       00007ffc7f3b1000
IsJitted:     yes
CodeAddr:     00007ffc4ad2e360
Transparency: Critical
GetUrlPageData2 (WinHttp) failed: 12007.

KEY_VALUES_STRING: 1

    Key  : CLR.System.InvalidOperationException._message
    Value: Invoke or BeginInvoke cannot be called on a control until the window handle has been created.


STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

Timeline: !analyze.Start
    Name: <blank>
    Time: 2020-02-16T21:23:49.402Z
    Diff: 402 mSec

Timeline: Dump.Current
    Name: <blank>
    Time: 2020-02-16T21:23:49.0Z
    Diff: 0 mSec

Timeline: Process.Start
    Name: <blank>
    Time: 2020-02-16T21:17:54.0Z
    Diff: 355000 mSec

Timeline: OS.Boot
    Name: <blank>
    Time: 2020-02-16T13:48:23.0Z
    Diff: 27326000 mSec


DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP: 
KERNELBASE!RaiseException+68
00007ffc`b7e7908c 488b8c24c0000000 mov     rcx,qword ptr [rsp+0C0h]

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffcb7e7908c (KERNELBASE!RaiseException+0x0000000000000068)
   ExceptionCode: e0434352 (CLR exception)
  ExceptionFlags: 00000001
NumberParameters: 5
   Parameter[0]: ffffffff80131509
   Parameter[1]: 0000000000000000
   Parameter[2]: 0000000000000000
   Parameter[3]: 0000000000000000
   Parameter[4]: 00007ffcaa250000

FAULTING_THREAD:  000010d4

EXCEPTION_CODE: (HRESULT) 0x80131509 (2148734217) - <Unable to get error code text>

EXCEPTION_CODE_STR:  80131509

WATSON_BKT_PROCSTAMP:  5e1310a0

WATSON_BKT_PROCVER:  3.3.1.7897

PROCESS_VER_PRODUCT:  Git Extensions

WATSON_BKT_MODULE:  KERNELBASE.dll

WATSON_BKT_MODSTAMP:  5d26b6e9

WATSON_BKT_MODOFFSET:  908c

WATSON_BKT_MODVER:  6.3.9600.19425

MODULE_VER_PRODUCT:  Microsoft® Windows® Operating System

BUILD_VERSION_STRING:  9600.19629.amd64fre.winblue_ltsb_escrow.200127-1700

MODLIST_WITH_TSCHKSUM_HASH:  642958e44b66935a181d61b4c64e4bdbaa672d71

MODLIST_SHA1_HASH:  abdd8c7f6b6b349838b6e46c74e36108e0c55c11

NTGLOBALFLAG:  400

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

DUMP_TYPE:  fe

PROCESS_NAME:  unknown

MISSING_CLR_SYMBOL: 0

ANALYSIS_SESSION_HOST:  MYPC

ANALYSIS_SESSION_TIME:  02-16-2020 22:23:49.0402

ANALYSIS_VERSION: 10.0.17763.132 amd64fre

MANAGED_CODE: 1

MANAGED_ENGINE_MODULE:  clr

MANAGED_ANALYSIS_PROVIDER:  SOS

MANAGED_THREAD_ID: 10d4

MANAGED_EXCEPTION_ADDRESS: 3c4b0ff98

LAST_CONTROL_TRANSFER:  from 00007ffcaa26a451 to 00007ffcb7e7908c

THREAD_ATTRIBUTES: 
THREAD_SHA1_HASH_MOD_FUNC:  496307919b5c20eda4b6b1d7f8f57fe40ecc2624

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  27cfc7cdea8e40dd4dc3a7ebac53d16e2aeb6dac

OS_LOCALE:  NLD

BUGCHECK_STR:  CLR_EXCEPTION_System.InvalidOperationException

DEFAULT_BUCKET_ID:  CLR_EXCEPTION_System.InvalidOperationException

PRIMARY_PROBLEM_CLASS:  CLR_EXCEPTION

PROBLEM_CLASSES: 

    ID:     [0n254]
    Type:   [CLR_EXCEPTION]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x10d4]
    Frame:  [0] : KERNELBASE!RaiseException

    ID:     [0n252]
    Type:   [@ManagedObjectName]
    Class:  Addendum
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Omit
    Data:   Add
            String: [System.InvalidOperationException]
    PID:    [0x2f30]
    TID:    [Unspecified]
    Frame:  [0]

STACK_TEXT:  
00000003`dc8eec80 00007ffc`91ef1173 System_Windows_Forms_ni!System.Windows.Forms.Control.MarshaledInvoke+0x3d3
00000003`dc8eedc0 00007ffc`91ef0c72 System_Windows_Forms_ni!System.Windows.Forms.Control.BeginInvoke+0x62
00000003`dc8eee30 00007ffc`92972b71 System_Windows_Forms_ni!System.Windows.Forms.WindowsFormsSynchronizationContext.Post+0x51
00000003`dc8eee80 00007ffc`4ad2e47b System_Reactive_ni!System.Reactive.Concurrency.SynchronizationContextScheduler.Schedule[[System.ValueTuple_2[[System.__Canon,_mscorlib],[System.__Canon,_mscorlib]],_System.ValueTuple]]+0x11b
00000003`dc8eeef0 00007ffc`7fb379b4 System_Reactive_ni!System.Reactive.Concurrency.Scheduler.ScheduleAction[[System.__Canon,_mscorlib]]+0x154
00000003`dc8eef70 00007ffc`7fc56771 System_Reactive_ni!System.Reactive.Linq.ObservableImpl.EventProducer_2+Session+__c[[System.__Canon,_mscorlib],[System.__Canon,_mscorlib]]._Connect_b__5_0+0xf1
00000003`dc8eeff0 00007ffc`7fc623e2 System_Reactive_ni!System.Reactive.Disposables.AnonymousDisposable_1[[System.ValueTuple_3[[System.__Canon,_mscorlib],[System.__Canon,_mscorlib],[System.__Canon,_mscorlib]],_System.ValueTuple]].Dispose+0x82
00000003`dc8ef050 00007ffc`7fb3478e System_Reactive_ni!System.Reactive.Disposables.Disposable.TryDispose+0x5e
00000003`dc8ef090 00007ffc`7fc49314 System_Reactive_ni!System.Reactive.Linq.ObservableImpl.Throttle_1+_[[System.__Canon,_mscorlib]].Dispose+0x24
00000003`dc8ef0c0 00007ffc`7fb4797b System_Reactive_ni!System.Reactive.Sink_1[[System.__Canon,_mscorlib]].Dispose+0xab
00000003`dc8ef120 00007ffc`7fb3478e System_Reactive_ni!System.Reactive.Disposables.Disposable.TryDispose+0x5e
00000003`dc8ef160 00007ffc`7fb49003 System_Reactive_ni!System.Reactive.ObserveOnObserverNew_1[[System.__Canon,_mscorlib]].Dispose+0x23
00000003`dc8ef1a0 00007ffc`7fb4797b System_Reactive_ni!System.Reactive.Sink_1[[System.__Canon,_mscorlib]].Dispose+0xab
00000003`dc8ef200 00007ffc`81b9697b GitUI_ni!GitUI.CommitInfo.CommitInfoHeader.DisposeCustomResources+0x1b
00000003`dc8ef230 00007ffc`81aa6643 GitUI_ni!GitUI.GitModuleControl.Dispose+0x53
00000003`dc8ef270 00007ffc`a8233371 System_ni!System.ComponentModel.Component.Finalize+0x11


STACK_COMMAND:  !sos.pe 0x3c4b0ff98 ; ** Pseudo Context ** ManagedPseudo ** Value: 534961d8e0 ** ; kb

THREAD_SHA1_HASH_MOD:  15163896b4156cc0a0208a3b87e3d5d6d3923e94

FOLLOWUP_IP: 
System_Windows_Forms_ni+2c1173
00007ffc`91ef1173 90              nop

FAULT_INSTR_CODE:  1247e890

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  System_Windows_Forms_ni!System.Windows.Forms.Control.MarshaledInvoke+2c1173

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: System_Windows_Forms

IMAGE_NAME:  System.Windows.Forms.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5d7a9e88

FAILURE_BUCKET_ID:  CLR_EXCEPTION_System.InvalidOperationException_80131509_System.Windows.Forms.dll!System.Windows.Forms.Control.MarshaledInvoke

BUCKET_ID:  CLR_EXCEPTION_System.InvalidOperationException_System_Windows_Forms_ni!System.Windows.Forms.Control.MarshaledInvoke+2c1173

FAILURE_EXCEPTION_CODE:  80131509

FAILURE_IMAGE_NAME:  System.Windows.Forms.dll

BUCKET_ID_IMAGE_STR:  System.Windows.Forms.dll

FAILURE_MODULE_NAME:  System_Windows_Forms

BUCKET_ID_MODULE_STR:  System_Windows_Forms

FAILURE_FUNCTION_NAME:  System.Windows.Forms.Control.MarshaledInvoke

BUCKET_ID_FUNCTION_STR:  System.Windows.Forms.Control.MarshaledInvoke

BUCKET_ID_OFFSET:  2c1173

BUCKET_ID_MODPRIVATE: 1

BUCKET_ID_MODTIMEDATESTAMP:  5d7a9e88

BUCKET_ID_MODCHECKSUM:  0

BUCKET_ID_MODVER_STR:  4.8.4042.0

BUCKET_ID_PREFIX_STR:  CLR_EXCEPTION_System.InvalidOperationException_

FAILURE_PROBLEM_CLASS:  CLR_EXCEPTION

FAILURE_SYMBOL_NAME:  System.Windows.Forms.dll!System.Windows.Forms.Control.MarshaledInvoke

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/unknown/3.3.1.7897/5e1310a0/KERNELBASE.dll/6.3.9600.19425/5d26b6e9/80131509/0000908c.htm?Retriage=1

TARGET_TIME:  2020-02-16T21:23:56.000Z

OSBUILD:  9600

OSSERVICEPACK:  19538

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 8.1

OSEDITION:  Windows 8.1 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  2019-10-15 05:45:31

BUILDDATESTAMP_STR:  200127-1700

BUILDLAB_STR:  winblue_ltsb_escrow

BUILDOSVER_STR:  6.3.9600.19629.amd64fre.winblue_ltsb_escrow.200127-1700

ANALYSIS_SESSION_ELAPSED_TIME:  1dab

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:clr_exception_system.invalidoperationexception_80131509_system.windows.forms.dll!system.windows.forms.control.marshaledinvoke

FAILURE_ID_HASH:  {c279e3a4-dab2-09ec-a135-2281bfa61101}

Followup:     MachineOwner
---------

Everything was magically analyzed and I was able to open an issue. As an added bonus I recently worked to allowing dnSpy to be used as a JIT debugger from JitMagic:

Best regards,

Duncan

Not Analyzing Keyboard Firmware Part 3

2019-11-25T00:00:00+00:00

In the first post I briefly discussed my motivation to analyze the keyboard’s firmware and I did make a small amount of progress since last time (thanks to /u/thoquz who suggested to try SVD Loader), but unfortunately other projects required my attention and I didn’t think there was enough (interesting) progress to report. However I did make significant progress towards solving my actual problem (a caps lock macro layer), so I decided to share that here as well!

The macro layer

The solution I came up with is based on AutoHotkey, which I heard about but never actually used myself before. For those not familiar, AutoHotkey allows you to create system-wide hotkeys in a custom scripting language. It is a bit weird, but it can apparently do crazy things, so why not give it a try?

After a while of thinking and experimenting I came up with the following key map (thanks to Keyboard Layout Editor. Green is the macro layer, the rest is just for reference:

Initially I just had the arrows + home/end, but while doing some actual programming work I came up with a bunch of other useful things. For example Caps+G(it) is bound to F13, which I linked in Visual Studio to start my GitExtBar utility:

Similarly I bound Caps+E(xplore) to my DirBrowser utility in Visual Studio, which allows me to quickly open the project’s output directory in Total Commander or a command prompt:

A bunch of C++ related symbols are also bound to this layer, so I can keep holding caps lock when closing an if-block. I also bound Caps+S/D to scroll the mouse wheel, something I always appreciate in my browser with Saka Key. Finally Alt is also used for quickly navigating. For Left/Right it acts as Ctrl (meaning Caps+Alt+J maps to Ctrl+Left), for Home/End it acts as Shift (meaning Caps+Alt+U maps to Shift+Home).

If you are interested you can find a snapshot of capslayer.ahk here. I set up a cloud sync service and a hotkey to quickly reload the script to make sure things work the same across my various computers. Additionally I run the script as Administrator on login to make sure it is always available everywhere.

Beating old habits

Even though my macro layer was working perfectly I still found myself using the arrows and home/end keys over the macro keys all the time. Because I think the macro layer will be a more economic way of typing in the long run I decided to completely disable the original keys (which thankfully is super easy with AutoHotkey). This was quite a pain for a few days at work, but I can now (proudly?) say that I am typing utter garbage on other machines.

Generally I noticed that when it comes to forming habits on your computer, you should always use that same computer to simply enforce what you want to learn and punish old habits. Want to take more breaks? Simply configure Workrave to not allow you to continue and block all inputs. Want to get yourself in the habit of using Total Commander (which, frankly, you should if you value your time as a professional using Windows), use AutoHotkey to redirect Win+E to start Total Commander. Want to browse social media less? Use StayFocusd.

The future

If time permits and interest comes back I will definitely continue analyzing the keyboard firmware, because I did learn a lot from the short amount of time I spent on it so far. However, for my daily needs I will keep fine-tuning this AutoHotkey-based solution because it is so much easier. I did already find Karabiner-Elements for macOS, which should allow similar things, so I will play with that a bit before my trip next month.

Please let me know if you have any questions or suggestions with regards to my workflow and have a good week!

Duncan

Analyzing Keyboard Firmware Part 2

2019-10-13T00:00:00+00:00

In last post we looked at obtaining the firmware for my new keyboard. I downloaded the firmware update utility and extracted a firmware image. The next step will be to set up the tooling and try to build a hello world as a point of reference.

I think the first step to any reverse engineering project should be to try and understand how the software you are reverse engineering was developed. Things like the libraries and compilers involved are very important, because without that frame of reference you might waste a lot of time on unimportant implementation details. If you are interested there is a great talk by Alex Ionescu called Reversing Without Reversing that goes more in depth about this topic.

The tools

Now the tricky part about writing a post like this is that it takes hours of research (downloading files, trying different things), but in the end it can be represented as a simple list:

Download and install Keil MDK-ARM (you can get an evaluation version);
Install the pack for the SN32F240;
Download and install SN32F240_Startkit_Package_V3.4R.zip;
Open the project in Keil uVision5;
Hit build.

Pretty much all of the information (including the download links) can be found on the SN32F40 product page. Initially I was having some issues having to be logged in to download the starter kit, but that got magically resolved and from there it was easy.

Installing Keil MDK-ARM is straightforward, just fill in the evaluation form and run the installer. You can then use PackInstaller.exe to search for and install the SN32F240 pack (alternatively you can use SONiX.SN32F2_DFP.1.2.11.pack from the starter kit):

You then need to install SONiX’ proprietary Hex2Bin utility and open SN32F240_Startkit_Package_V3.4R\CMSIS Firmware Library_V3.2\USB_Library_For_64K_V1.5\SN32F240_Demo.uvprojx in the IDE and hit build (F7). If you did everything right you should see something like:

HexConvertVer = V24
CheckSum = 0xAC6E
".\obj\SN32F240.axf" - 0 Error(s), 0 Warning(s).
Build Time Elapsed:  00:00:01

Now if you take a look in the obj directory there are two interesting files: SN32F240.BIN and SN32F240.axf. The .BIN file is a firmware image very similar to the one extracted earlier and the .axf is a regular ELF file.

Ghidra

If you have been living under a rock you might not know that the NSA released their reverse engineering suite called Ghidra a while back. I tried it out a little, but didn’t really have a use case yet so I decided to try and use it for this project. I also tried IDA and it worked fine on the ELF file, but it was a total mess setting up the memory map and getting references to work so I decided to stick with Ghidra.

There was also a bug with Ghidra 9.0.2, so I will be using the 9.1-BETA_DEV version. Now all left to do is create a project in Ghidra, import SN32F240.axf and load it in the CodeBrowser:

Next steps

In the next post we will take a look at the firmware initialization routines and use the information obtained from the ELF file and the datasheet to be able to properly load and analyze the extracted keyboard firmware. The posts are a bit short for my taste right now, but I do not have that much time to spend on this project so I think it allows me to write more consistently like this.

Best regards,

Duncan

Thanks again to F. for the proofread!

Analyzing Keyboard Firmware Part 1

2019-09-28T00:00:00+00:00

Recently I bought a cheap SPC Gear GK530 mechanical keyboard to test out the Kailh Brown keyswitches. Overall it has a nice feel and you can change the epic RGB-lights to just be a dimmed constant color so I would recommend it for typing.

Unfortunately the macro/rebind feature is not very much to my liking. Right now you have to switch to Gaming mode (FN+Win) and then you can use use your modified keymap (with macros). In this mode you cannot use the Windows key (because it is locked) and it is generally quite awkward.

My preferred mode would be that holding Caps Lock enables my custom layer, which unfortunately does not seem to be supported. At this point I thought it would be a fun project to try and hack the firmware to support this behavior.

Obtaining the firmware

Luckily for us SPC Gear provides two firmware update utilities on their Software page. The utility is called 1 - GK530 keyboard upgrade.exe and when I started it I was reminded of a similar utility I took at look at in the past.

The similar utility was a firmware upgrade tool for my current keyboard:

When looking at a firmware upgrade tool in the past I documented it on a Github issue. From a quick glance it appears that nothing has changed, except that the firmware is no longer ‘encypted’ now and the UI looks a bit more fancy.

To obtain the image:

Extract the "BINARY" resource (170). You can use CFF Explorer for this task.
The extracted blob is an executable with no functionality, which has an ‘overlay’ appended to it (data after the end of the last section).
The overlay is the firmware image (65k) with some additional metadata at the end.

The interesting string there is at the very end, which says SN32F24x (all SONiX chips seem to start with SN). With a bit of Google-fu and creativity you can land on the product page for the SN32F248. Over there you can also find a bunch of links to utilities and manuals, one of which is called SONiX_USB_MCU_ISP_Tool_V2.3.1.7.7z. Opening the extracted firmware yields a good result:

Additionally there is also a data sheet available to the public (SN32F248_V2.0_EN.pdf), which should help progressing further. Initial information I gathered is that the chip is based on an ARM Cortex-M0.

Next steps

My next idea of progression is to try and set up the same tooling as someone developing hardware with this chip would. Get a C compiler and actually build a ROM of our own, to have a point of reference when starting reverse engineering. I do not have any experience looking at ARM code and not much experience with embedded software, so anything to aid my understanding in that area will be good.

Hopefully till next time,

Duncan

Thanks to F for the proofread!

Analyzing Torrent Repack Malware

2017-07-12T00:00:00+00:00

Never trust a repack…

The torrent I looked at was: The Legend of Zelda: Breath of the Wild CEMU 1.8.0b [Multi-Lang] by HZolomon.

TL;DR: It is definitely malware. All the torrent by HZolomon appear to have been infected with malware equal/similar to this one.

[MEGA Folder with relevant files] WARNING: THIS CONTAINS ACTIVE MALWARE (in case you didn’t read the title and like executing random files)… The key is 8NcPVw1TCm_dvZM9s2SU_g.

Tooling

I used x64dbg, DbgChild, TitanHide, CFF Explorer, Exe2Aut and VirtualBox.

You have to select the checkboxes in the DbgChild plugin to automatically attach x64dbg to any process started by the executable you’re currently debugging:

From here on I’ll just give a brief description of each analysis step.

setup.exe

VirusTotal

With innoextract (innounp has a similar error):

Stream error while parsing setup headers!
 ├─ detected setup version: 5.4.2
 └─ error reason: basic_ios::clear
If you are sure the setup file is not corrupted, consider
filing a bug report at http://innoextract.constexpr.org/issues
Done with 1 error.

Extracts %temp%\is-[A-Z0-9]{5}.tmp\setup.tmp (is-K35T2.tmp in MEGA folder)
Probably this is: http://forum.ru-board.com/topic.cgi?forum=5&topic=34920&start=0&limit=1&m=1#1 and/or http://krinkels.org/resources/categories/innoultra.29/

setup.tmp

VirusTotal

Command line (this is similar to what InnoSetup does from what I know):

"C:\Users\Admin\AppData\Local\Temp\is-RPR25.tmp\setup.tmp" /SL5="$230522,1892858,54272,F:\Users\Admin\Documents\Downloads\The Legend of Zelda - Breath of the Wild\setup.exe" 

Extracts %temp%\is-[A-Z0-9]{5}.tmp\ISDone.dll and some other files (including unarc.dll).
Put a DLL breakpoint on unarc.dll in x64dbg.
Start the installation, which causes more stuff to be extracted to %temp%\is-[A-Z0-9]{5}.tmp.

All the extracted files are hidden. You can use attrib -S -H to unhide them (Windows explorer doesn’t allow you to do uncheck the Hidden box for some readon).

Break on FreeArcExtract (see my earlier blog post for more details). TL;DR it runs unarc.exe with the function arguments as command line arguments.

Some of the commands used in FreeArcExtract:

l -- setup-2.bin
x -o+ -pawdawdawd -wF:\BotW\ -dpF:\BotW\ -- setup-2.bin

Find cbArcExtract at ISDone.dll:$1A340 from the first parameter of FreeArcExtract, break on the password? action check:

Arc password: awdawdawd

The unarc.dll uses compression algorithm hooks from facompress.dll (relevant code) + hooks for CLS-compressors (relevant code, CLS-MSC.dll, CLS-srep.dll) so make sure to put those next to unarc.exe if you want to (safely) extract the files.

After all the files are extracted it runs DSETUP.exe, which at first looked fine, but looking a second time the file is not signed by Microsoft and it has no version information or anything.

DSETUP.exe

VirusTotal

This is an AutoIt executable (32 bit), it’s basically the first layer of the dropper. With Exe2Aut I extracted the script (slightly deobfuscated by hand):

It tries to identify your anti-virus and based on that drops CLDe2bugLog.txt in your temp directory with the FileInstall function. It then replaces the bytes 00000000001C0004 with 377ABCAF271C0004 (7z header) and extracts it with the following command:

CLDe2bugLog.txt e -p"DQMDDMNBQ3824Nnd2nd8812@2*$(#!&NDQB2" CRDebugLog.txt

The contents of CRDebugLog.txt, but the malware inside does pretty much the same thing. I (unfortunately) looked at the contents of dxdllreg_x86:

64.exe
SystemCheck.xml
start.bat

start.bat

attrib -h -r -s /S /D %userprofile%\AppData\Roaming\Microsoft\Windows\\svchost.exe
copy /y "64.exe" "%userprofile%\AppData\Roaming\Microsoft\Windows\svchost.exe"
attrib +h +r +s /S /D %userprofile%\AppData\Roaming\Microsoft\Windows\\svchost.exe
schtasks.exe /Create /XML "SystemCheck.xml" /TN "System\SystemCheck"
del 64.exe /f
del SystemCheck.xml /f
del CRDebugLog.txt /f
del CLDebugLog.txt /f
del "%0"

This copies the file to %userprofile%\AppData\Roaming\Microsoft\Windows\svchost.exe, which made it clear that this is indeed a malicious file. It then goes on to create a scheduled task with SystemCheck.xml.

SystemCheck.xml

This executes the newly-created svchost.exe with the -WindowsCheck command line every X amount of time (probably days, not really worth exploring in this case).

64.exe (svchost.exe)

VirusTotal

This file is packed with Enigma x64. TitanHide works fine for debugging Enigma (ScyllaHide has issues). The original entry point (OEP) is at 64.exe:$3059C . It has stolen bytes, but they are easy to retrieve:

48 83 EC 28 E8 BF B3 00 00 48 83 C4 28 E9 36 FE FF FF

EDIT: I have been asked on reddit to give more details about the “stolen bytes” mentioned here. Before I could answer user izizizizizizi gave a nice explanation:

“Stolen bytes” (is there any non-colloquial name for this I wonder) is a feature of many packers/protectors which prevents easy dumping. During the protection process, a part of the original executable code gets removed and stored in the protector stub. When it’s about to be executed there’s a redirection to the protector’s code instead of the original function. The stub either writes original code in some dynamic buffer and executes it or an obfuscated version of the original function is executed.

To get them I created my own Hello World-style AutoIt executable and pasted the entry point.

After the ‘unpacking’ enigma, I extracted the SCRIPT resource and put it in a Hello World AutoIt executable (32 bit), I then used Exe2Aut.exe to get the AutoIt script source code (irrelevant parts omitted):

The interesting part is the bot() function:

It uses a YouTube video (reported, but please report again) as a command and control mechanism. If the description contains one of the _download, _run, etc. command it will perform certain actions based on the data in the description (such as downloading a file or updating to a newer version).

It also appears to run some kind of crypto currency miner, although I couldn’t find the SystemCheck executable:

Well, that has been all for today. It has certainly been fun reversing malware for a change!

“Heb ik dat nou al gezouten?”

Freearc And Dark Souls 3

2017-07-06T00:00:00+00:00

In my free time I work on lots of small projects. One of those is called DarkSouls3.TextViewer and it lets you view all dialogue and item descriptions in Dark Souls 3:

To do this you have to extract the contents of Data1.bdt, which can be done with BinderTool by Atvaark. However, recently I got interested in possible changes made to item descriptions during updates, so I went on a hunt for all versions of Data1.bdt. Because Steam does not allow you to downgrade the game versions I started looking for pirated releases and updates to try to piece everything together. I downloaded Dark.Souls.III.The.Ringed.City-CODEX to get started, but then I noticed that I was too low on disk space to install the game…

InnoSetup

A quick look at setup.exe with ProtectionID reveals that it is an InnoSetup installer:

There are several free tools available (innoextract, innounp) to see what’s inside:

>innoextract.exe -l e:\setup.exe
Listing "Dark Souls III The Ringed City" - setup data version 5.5.0.1 (unicode)
 - "tmp\ISDone.dll" [temp] (446 KiB)
 - "tmp\english.ini" [temp] (15.4 KiB)
 - "tmp\Style.vsf" [temp] (44.7 KiB)
 - "tmp\VclStylesinno.dll" [temp] (1.95 MiB)
 - "tmp\BASS.dll" [temp] (107 KiB)
 - "tmp\bp.dll" [temp] (129 KiB)
 - "tmp\wintb.dll" [temp] (27.5 KiB)
 - "tmp\Music.ogg" [temp] (2.34 MiB)
 - "tmp\Play1.bmp" [temp] (540 B)
 - "tmp\Play2.bmp" [temp] (540 B)
 - "tmp\Play3.bmp" [temp] (540 B)
 - "tmp\Pause1.bmp" [temp] (540 B)
 - "tmp\Pause2.bmp" [temp] (540 B)
 - "tmp\Pause3.bmp" [temp] (540 B)
 - "tmp\trackBkg.bmp" [temp] (776 B)
 - "tmp\trackbtn1.bmp" [temp] (344 B)
 - "tmp\trackbtn2.bmp" [temp] (344 B)
 - "tmp\trackbtn3.bmp" [temp] (344 B)
 - "tmp\unarc.dll" [temp] (368 KiB)
Warning: "setup-1.bin" is not part of the installer!
Use the --gog option to try listing the contents of this file.
Done with 1 warning.

The setup-1.bin file starts with ArC, so I checked the exports of unarc.dll and one that stands out is called FreeArcExtract, which points to FreeArc.

I tried to list the files in the archive, but the file format appears to be customized (or an older version):

>unarc l e:\setup-1.bin
FreeArc 0.67 unpacker
ERROR: archive structure corrupted (descriptor failed CRC check)

FreeArc

Then I thought, perhaps I can use unarc.dll from the setup to extract the relevant files? The lead is the name of the export FreeArcExtract. A bit of Googlefoo pointed to the relevant code, which looks like this:

int __cdecl FreeArcExtract (cbtype *callback, ...)
{
  va_list argptr;
  va_start(argptr, callback);

  int argc=0;
  char *argv[1000] = {"c:\\unarc.dll"};  //// Здесь будет искаться arc.ini!

  for (int i=1; i<1000; i++)
  {
    argc = i;
    argv[i] = va_arg(argptr, char*);
    if (argv[i]==NULL || argv[i][0]==0)
      {argv[i]=NULL; break;}
  }
  va_end(argptr);

  COMMAND command (argc, argv);    // Распарсить команду
  if (command.ok) {                // Если парсинг был удачен и можно выполнить команду
    command.Prepare();
    CThread thread;
    DLLUI *ui = new DLLUI(&command);
    thread.Create (timer_thread,      ui);   //   Спец. тред, вызывающий callback 100 раз в секунду
    thread.Create (decompress_thread, ui);   //   Выполнить разобранную команду

    for(;;)
    {
      ui->DoEvent.Lock();
      if (strequ (ui->what, "quit"))
        return ui->n1;  // error code of command
      ui->result = callback (ui->what, ui->n1, ui->n2, ui->str);
      ui->EventDone.Signal();
    }
    thread.Wait();
  }
  return command.ok? FREEARC_OK : FREEARC_ERRCODE_GENERAL;
}

Basically what this does is forward all the input parameters as the argv of unarc. After a lot of fooling around with the awfulness of va_list and lots of crashes I finally got the code to forward argv to the FreeArcExtract function:

#include <windows.h>
#include <cstdio>

#define whut(x) (strcmp(what, #x) == 0)

static int __stdcall cbExtract(char* what, int int1, int int2, char* str)
{
    if(whut(read) || whut(write))
        return 0; //filter out the plentiful "read" and "write" messages
    printf("\"%s\", %d, %d, \"%s\"\n", what, int1, int2, str);
    return 0;
}

typedef int __stdcall cbtype(char* what, int int1, int int2, char* str);
typedef int __cdecl pFreeArcExtract(cbtype* callback, ...);

int main(int argc, char* argv[])
{
    auto hMod = LoadLibraryA("unarc.dll");
    if(!hMod)
    {
        puts("Failed to load DLL: unarc.dll!");
        return 1;
    }
    auto FreeArcExtract = (pFreeArcExtract*)GetProcAddress(hMod, "FreeArcExtract");
    if(!FreeArcExtract)
    {
        puts("Failed to find export: FreeArcExtract");
        return 1;
    }
    auto a = [&](int i)
    {
        return i < argc ? argv[i] : "";
    };
    return FreeArcExtract(cbExtract, a(1), a(2), a(3), a(4), a(5), a(6), a(7), a(8), a(9), a(10), nullptr);
}

First I tried to get the help with unarc_cmd.exe, but this came up empty. Instead I asked unarc.exe:

>unarc
FreeArc 0.67 unpacker  http://freearc.org  2014-03-16
Usage: unarc command [options] archive[.arc] [filenames...]
Available commands:
  l - display archive listing
  v - display verbose archive listing
  e - extract files into current directory
  x - extract files with pathnames
  t - test archive integrity
... (more irrelevant options)

Then I tried to list all the files in the archive, which did not give me the output I expected at all (but hey, at least no CRC errors):

>unarc_cmd.exe l e:\setup-1.bin
"total_files", 283, 0, ""
"origsize", 25527, 998151285, ""
"compsize", 25096, 545797223, ""

The v option also came up empty, but the t option had more promise:

>unarc_cmd t e:\setup-1.bin
"total", 25096, 545800879, ""
"filename", 0, 810208, "Game\Data0.bdt"
"filename", 922, 967053390, "Game\Data1.bdt"
"filename", 2450, -1724920912, "Game\Data2.bdt"
... (it takes a few minutes to test all files)

To extract Data1.bdt, BinderTool also needs a file with decryption keys called Data1.bhd, so I used the following command to extract both those files:

>unarc_cmd x e:\setup-1.bin Data1.bdt Data1.bhd
"total", 25096, 545800879, ""
"filename", 0, 810208, "Game\Data0.bdt"
"overwrite?", 922, 967053390, "Game\Data1.bdt"
"filename", 922, 967053390, "Game\Data1.bdt"
"filename", 2450, -1724920912, "Game\Data2.bdt"
"filename", 1474, 1546563828, "Game\Data3.bdt"
"filename", 1172, 1229026224, "Game\Data4.bdt"
"filename", 13172, 927431435, "Game\Data5.bdt"
"filename", 1551, 1626443628, "Game\DLC1.bdt"
"filename", 2929, -1222753793, "Game\DLC2.bdt"
"filename", 0, 2212, "Game\Data0.bhd"
"filename", 0, 411904, "Game\Data1.bhd"

Conclusion

Well, I hope this was interesting to some people. It was just a 45 minute side project of mine that I decided to share.

If anyone has 魔法うんちく_dlc2.fmg from before the description of the White Birch Bow was changed, please ping me (the CODEX release is from after the update apparently).

Cmake Openssl And Mingw On Windows

2017-04-01T00:00:00+00:00

If you found this you are probably having issues linking OpenSSL to MinGW-w64 using CMake (or CLion) on Windows. In this post I will give a quick overview on how to get this to work on a clean Windows machine…

The distribution I used to get it to work is Win64OpenSSL-1_2_2k.exe. The issue was that there are no MinGW-compatible link libaries. To solve this you can use my genlib tool to generate them:

cd c:\OpenSSL-Win64
set PATH=%PATH%;c:\genlib

genlib ssleay32.dll
genlib libeay32.dll

copy *.a lib\

The CMakeLists.txt looks like this:

# Project configuration
cmake_minimum_required(VERSION 2.7)
project(OpenSSLTest)

# Use C++11
set(CMAKE_CXX_STANDARD 11)

# Project source files
set(SOURCE_FILES main.cpp)
add_executable(OpenSSLTest ${SOURCE_FILES})

# OpenSSL (find, include, link) 
find_package(OpenSSL REQUIRED)
include_directories(${OPENSSL_INCLUDE_DIR})
target_link_libraries(${PROJECT_NAME} ${OPENSSL_LIBRARIES})

And some simple test code:

#include <iostream>
#include <openssl/ssl.h>

int main() {
    std::cout << "SSLeay Version: " << SSLeay_version(SSLEAY_VERSION) << std::endl;
    SSL_library_init();
    auto ctx = SSL_CTX_new(SSLv23_client_method());
    if (ctx) {
        auto ssl = SSL_new(ctx);
        if (ssl) {
            std::cout << "SSL Version: " << SSL_get_version(ssl) << std::endl;
            SSL_free(ssl);
        } else {
            std::cout << "SSL_new failed..." << std::endl;
        }
        SSL_CTX_free(ctx);
    } else {
        std::cout << "SSL_CTX_new failed..." << std::endl;
    }
}

If everything is configured correctly this should print:

SSLeay Version: OpenSSL 1.0.2k  26 Jan 2017
SSL Version: TLSv1.2

If you cannot be bothered to run genlib yourself, you can find a copy the required files here and get started immediately.

Hope this helped,

Duncan

My Inactivity

2016-09-22T00:00:00+00:00

Currently I do not have much time to update this blog because I am writing for the x64dbg blog, check it out!

Duncan

Github Gpg

2016-05-30T00:00:00+00:00

Hello everyone,

Today I saw this broadcast on Github which states that GPG signature verification was added to Github. It took me a bit of searching before I got it to work from both the command line and Git Extensions so in this guide I will explain how I did it.

Installing Git (Extensions)

The first thing to install is the latest (v2.0.0+) version of Git for Windows.

After will have to install Git Extensions. Make sure to select the -SetupComplete but do not install MsysGit from there since you already installed a newer version.

Make sure you configure Git (Extensions) correctly so your identity is in sync with your Github email/username.

Installing GPG

You can download and install GPG from here. Next verify that you installed everything correctly:

C:\Users\Admin>git --version
git version 2.8.3.windows.1

C:\Users\Admin>gpg --version
gpg (GnuPG) 2.0.30 (Gpg4win 2.3.1)
libgcrypt 1.6.5
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:/Users/Admin/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, RSA, RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

If you get any errors, make sure you added everything to your PATH environment variable.

Generating GPG Keys

Follow this guide. In short:

C:\Users\Admin>gpg --gen-key
gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

Real name: githubgpgtest
Email address: githubgpgtest@gmail.com
Comment:

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   4096R/6B84CA35 2016-05-30
      Key fingerprint = DF55 D8E3 B4E5 9614 7ADF  8E6E E5B6 4A58 6B84 CA35
uid       [ultimate] githubgpgtest <githubgpgtest@gmail.com>
sub   4096R/63BEB3EE 2016-05-30

Notice: I will be using 6B84CA35 as my identifier for my key, you should use your own in the upcoming commands.

Adding your key to Github

Follow this guide. In short:

C:\Users\Admin>gpg --list-keys
C:/Users/Admin/AppData/Roaming/gnupg/pubring.gpg
------------------------------------------------
pub   4096R/6B84CA35 2016-05-30
uid       [ultimate] githubgpgtest <githubgpgtest@gmail.com>
sub   4096R/63BEB3EE 2016-05-30


C:\Users\Admin>gpg --armor --export 6B84CA35
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

mQINBFdMlawBEADUmBNVR8psLgeBQ1hz2N7VjVmiPiwbgpIK9VAToLX8BYl2ZPYB
...
=k1LJ
-----END PGP PUBLIC KEY BLOCK-----

Add your key to your Github account through this page:

Configuring Git

Set your globally installed GPG version in Git (make sure to alter this path if you installed gpg2.exe in a different location):

git config --global gpg.program "C:/Program Files (x86)/GNU/GnuPG/gpg2.exe"

Then set your generated signing key:

git config --global user.signingkey 6B84CA35

These commands enable automatic GPG signing for commits and tags (which is required if you want this to work with Git Extensions):

git config --global commit.gpgsign true
git config --global tag.gpgsign true

Now when commiting the Git Extensions it should show you the following dialog:

After pushing to the repository Github shows your commits as verified:

Conclusion

That’s about it, your passphrase should cache for a while so you shouldn’t be bothered with entering your passphrase every single time you commit. You can configure your caching times here:

The first entry is the default-cache-ttl option, the second max-cache-ttl:

--default-cache-ttl n
    Set the time a cache entry is valid to n seconds. The default is 600
    seconds.
--max-cache-ttl n
    Set the maximum time a cache entry is valid to n seconds. After this time a
    cache entry will be expired even if it has been accessed recently. The
    default is 2 hours (7200 seconds).

If you enjoyed this post, feel free to share it with your friends through social media.

Duncan

Dynamic Menu Builder

2016-02-03T00:00:00+00:00

Hello folks,

While on the plane back home I decided to write another little blog post. This time I will be showing you a nice class I came up with for x64dbg to manage menu items.

The problem

As with every abstraction it starts with a problem you are trying to solve. In this case the problem was code duplication and general tediousness with the construction of the context (right click) menus in x64dbg.

The general idea of Qt is great. From my understanding, every context menu is a QMenu with a bunch of QAction or other QMenu items in it. When a user right-clicks in the widget a signal will be emitted and the widget can connect to the signal, construct the QMenu and ‘execute’ the menu on the mouse position. Each QAction has a signal called triggered() which you can connect to a slot in your widget to handle the click event.

If there is no variation in the menu everything works perfectly fine. You just create all the actions, menus and connections in the constructor and store the final QMenu item in the class. Then when you need the menu you do mMenu->exec(position) and you are done with it.

In x64dbg the menus are based on the context, so the static approach doesn’t work. What we did was create and connect all the QAction items in the constructor and then dynamically create the menu. What this did was create a lot of fragmentation. All the actions had to be declared in the header, the slots for the actions had to be declared in the header and the source and adding a new action would result in a lot of code that looked exactly like this:

mFollowAddress = new QAction("&Follow in Disassembler", this);
connect(mFollowAddress, SIGNAL(triggered()), this, SLOT(followAddress()));

For actions with a shortcut and an icon it was even worse:

mToggleBreakpoint = new QAction("Toggle Breakpoint", this);
mToggleBreakpoint->setShortcutContext(Qt::WidgetShortcut);
mToggleBreakpoint->setIcon(QIcon(":/images/icons/breakpoint.png"));
addAction(mToggleBreakpoint);
connect(mToggleBreakpoint, SIGNAL(triggered()), this, SLOT(toggleBreakpoint()));

Shortcuts also require setting the actual shortcut in a dedicated slot called refreshShortcutsSlot() which is connected to the settings dialog so shortcuts are updated when the user updates the settings:

void ReferenceView::refreshShortcutsSlot()
{
    mToggleBreakpoint->setShortcut(ConfigShortcut("ActionToggleBreakpoint"));
    mToggleBookmark->setShortcut(ConfigShortcut("ActionToggleBookmark"));
}

Finally the menu is created in contextMenuEvent like this:

if(!DbgMemIsValidReadPtr(addr))
        return;
wMenu->addAction(mFollowAddress);
wMenu->addAction(mFollowDumpAddress);
if(apiAddressFromString(mCurList->getCellContent(mCurList->getInitialSelection(), 1)))
    wMenu->addAction(mFollowApiAddress);
wMenu->addSeparator();
wMenu->addAction(mToggleBreakpoint);
wMenu->addAction(mToggleBookmark);

As you can imagine, adding an action with an icon, a shortcut and some context-dependent behaviour was a very tedious process and this needed to change.

MenuBuilder

Part of the solution is a MenuBuilder class. This is a recursive datatype (like QMenu) but it lazily builds the menu, which allows for proper context-awareness.

To achieve context-awareness, each QAction/QMenu/MenuBuilder you add to a MenuBuilder is paired with an std::function. If the callback returns true, the item is added to the final QMenu, otherwise it is ommitted. This allows for constructs like this:

mBuilder->addAction(followAction, [this](QMenu* menu)
{ //only add followAction if the selected address is readable.
    return DbgMemIsValidReadPtr(this->selectedAddress());
});

The followAction will only be added to the final QMenu if the currently selected address is a valid memory address. This is a huge save in code, the menu creation slot can be replaced with:

QMenu menu;
mBuilder->build(&menu);
menu.exec(pos);

There are some extra features (like using the menu parameter of the lambda to add extra actions to the final QMenu, but if you want more details, read the code here.

Actions

The next problem to solve is the creation of the QAction and QMenu items. The solution was to create a few simple helper methods in the base class (AbstractTableView):

template<typename T>
inline QAction* makeAction(const QString & text, T slot)
{
    return connectAction(new QAction(text, this), slot);
}

inline QAction* connectAction(QAction* action, const char* slot)
{
    connect(action, SIGNAL(triggered(bool)), this, slot);
    return action;
}

inline QAction* connectAction(QAction* action, QActionLambda::TriggerCallback callback)
{
    auto lambda = new QActionLambda(action->parent(), callback);
    connect(action, SIGNAL(triggered(bool)), lambda, SLOT(triggeredSlot()));
    return action;
}

The makeAction uses a template because I added lambda support to the actions. This is not in Qt 4 and rather simple to implemented so I decided to add it:

class QActionLambda : public QObject
{
    Q_OBJECT
public:
    typedef std::function<void()> TriggerCallback;

    QActionLambda(QObject* parent, TriggerCallback callback)
        : QObject(parent),
          _callback(callback)
    {
    }

public slots:
    void triggeredSlot()
    {
        if(_callback)
            _callback();
    }

private:
    TriggerCallback _callback;
};

Now to create an action you’d write:

makeAction("Selection (&No Bytes)", SLOT(copySelectionNoBytesSlot()))

And similarly an action with shortcut and icon:

makeShortcutAction(QIcon(":/icons/images/highlight.png"), "&Highlighting mode", SLOT(enableHighlightingModeSlot()), "ActionHighlightingMode")

Final words

I guess that’s about it for this blog post. If you want to see what the final menu creation code looks like, check out the code here. For reference, the old code is available here, as you can tell it is a great improvement.

Finally, I know reader interaction has been practically non-existent on this blog so far, however it would be nice if you could send me parts of x64dbg you’d like to get insight in development-wise. Any other topics (reversing/programming) related are also welcome!

Greetings,

Duncan

Ollydbg

2016-01-31T00:00:00+00:00

Today I wrote an answer on Quora about how OllyDbg was written. I thought it was interesting so I decided to cross-post it here as a blog entry:

Writing a tool like OllyDbg is not a trivial task. OllyDbg is in essence a debugger with code analysis features, however it has a big range of relatively small extra features that make it a nice thing to use. As of my qualifications, I’m the main developer of x64dbg, which is heavily influenced by OllyDbg and offers similar features but on the 64-bit platform.

The debugger part starts out quite simply. Check out Creating a Basic Debugger for a simple example of what a debugger looks like. In essence you start a process (debuggee) with a special flag so it sends information (debug events) to the debugger. The debugger then processes these events and shows information about the process to the user. Certain events (mainly single-step and breakpoint exceptions) are used to control the execution of the debuggee. If you are interested in a little more detail, check out GleeBug. It is a debug library that will be used in x64dbg soon.

The code analysis is a far more difficult problem to solve. The ‘easy’ part involves giving information about instructions pointing to memory/exported symbols and providing nice syntax highlighting. An all-white deadlisting of instructions is not very friendly to read and OllyDbg does various things to ease the experience. The hard part is actually doing control flow analysis (detecting functions and loops for instance). If you’re interested I wrote up the details of a very naive algorithm here. Some more involved algorithms are available here (by me) and here (by Nukem). Analysis is really, really hard to get working right. There are lots of corner cases and obfuscated binaries that ‘fool’ your analysis and things get especially fuzzy when control flow branches inside of other instructions or otherwise breaks the linear disassembly.

Even if you have a really good debugger and code analyser, you are still far from done. Once people start using your software, bug reports and feature request will come raining in and it can sometimes be soul-destroying to work on a project like this (especially with just intellectual motivation).

Everything needs to be very generic and getting things stable becomes a very complex problem very quickly. See the x64dbg bug tracker if you are interested in what kind of issues people have and report.

Another thing that makes OllyDbg great is that it’s so user-friendly. There are no complex commands involved and everything can be done from the graphical user interface. This is what I believe makes OllyDbg strong. Creating a GUI similar to the one of OllyDbg is rather complex (and boring). It involves custom painted components and a lot of menus.

Finally, OllyDbg offers a great plugin ecosystem, allowing people to extend/modify OllyDbg in lots of ways. People created hundreds of plugins, ranging from simple breakpoint managers to a total overhaul of the program. Creating a system like this is very challenging and pleasing everyone is really hard. It involves writing wrappers around internal functionality and make those available to the plugin writer. You also need to provide the plugins with an interface to hook in the debug loop and intercept debug events.

I hope this answers your question. Feel free to ask me if you need more information.

More content is coming soon to this blog, stay tuned!

Duncan

Lightshot Reversing

2015-12-21T00:00:00+00:00

Hello everyone,

No surprise it has been a very long time since I last wrote something here, I guess I don’t have enough time or will to keep up with this blog. However, today I did something simple that I would like to share with you guys.

We all know screenshot tools like Lightshot, PokIt or ShareX. This blogpost will be about Lightshot in particular but these are just some alternatives to use.

I like Lightshot very much, it has a very simple interface with a text editor, some arrows and boxes and it is great for quick screencapping. However it has one downside: the uploader. The uploader uploads your image and then returns an URL in the prntscr.com subdomain. This wouldn’t be much of a problem, if the page wasn’t ad infested and it is also difficult to get the direct link to the image (for example to link to in your blog).

Today I was bored so I decided to take a look at how their API works so we can change this behavior to show a direct link.

For tools I’ll be using Fiddler4 and XAMPP (basically Apache, but XAMPP is just a nice wrapper around it for simplicity).

After you started Fiddler4, go in options and enable decryption of HTTPS traffic for non-browsers. This will notify you to install a new certificate in the root. This certificate is used for the man in the middle proxy so HTTPS traffic can be decrypted.

Now simply capture something on your screen and hit the upload button in Lightshot. Fiddler should capture the traffic and you can stop the capture (F12).

The result looked something like this for me:

You can check out all the details of the traffic in the various tabs, but to summarize:

Lightshot uploads the image to imgur using the imgur API imgur-apiv3.p.mashape.com;
It sends some data to Google Analytics (not very interesting for us);
It sends a request to their own API api.prntscr.com.

Checking the request headers to their own API they look something like this (if you’re logged in it will also contain a token for authorization, which I ommited for obvious reasons):

POST https://api.prntscr.com/v1/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: api.prntscr.com
Content-Length: 261
Cache-Control: no-cache

{"jsonrpc":"2.0","method":"save","id":1,"params":{"img_url":"http:\/\/i.imgur.com\/q2clfFY.png","thumb_url":"http:\/\/i.imgur.com\/q2clfFYs.png","delete_hash":"3VYbjevxfJ0qIJw","app_id":"{F1F88C8C-9A9B-45E2-913F-489DF108D86F}","width":450,"height":354,"dpr":1}}

The response is something like this:

HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Mon, 21 Dec 2015 17:51:55 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d1a123603fd50b8f9fb5992716bd5cb0f1450720314; expires=Tue, 20-Dec-16 17:51:54 GMT; path=/; domain=.prntscr.com; HttpOnly
X-Powered-By: PHP/5.5.9-1ubuntu4.14
CF-RAY: 2585700ef8880767-AMS

7b
{"jsonrpc":"2.0","id":1,"result":{"url":"http:\/\/prntscr.com\/9gvphh","info":"Anonymously uploaded image","success":true}}
0

As you can see, they send the imgur URL to the API and the API will add the image to the database and return their own custom URL. We just want the direct link to the image, so we are going to write a very simple emulator for this API that just returns the URL it was given.

The code is very simple, you can get it from here it should be really straightforward to understand, especially with the comments. Basically it does this:

Get the raw POST data (JSON encoded);
Decode the JSON to an associative array;
Construct a response associative array;
Encode the response in JSON;
Set the right header and echo the response text.

Their API uses chunked transfer encoding, but CURL eats a raw response just as well.

Put this line in C:\Windows\system32\drivers\etc\hosts:

127.0.0.1 api.prntscr.com

Then put index.php in a directory called v1 and start your Apache server. If everything went okay, the upload window should look like this:

That’s all for now, I hope you enjoyed this post!

Oh, quick update. This also works on the OS X version of Lightshot, however there you need to reboot in order to make the /private/etc/hosts file change work.

mrexodia

Crackme

2015-10-24T00:00:00+00:00

Hello everybody,

Even though there has been almost no activity on this blog for a few months I have been very busy.

Here is a simple crackme for you guys, contact me with a keygen (and preferably a small tutorial) to get listed (with a website of choice) in this list:

kao files
Dave
Nobody

Have fun!

mrexodia

123456

2015-08-10T00:00:00+00:00

Sitting at a camping with a broken toe makes you bored, very bored in fact. So bored I started to look at the camping network structure.

Scanning the environment

The first thing I noticed was the cameras with a nice little antenna hanging all over the place. In an old DefCon talk I saw the security of most IP cameras was shit, so I decided to give it a shot myself.

The camera model I am currently talking about is the ELRO C903IP.2. I reversed the firmware of another ELRO camera and it had very similar directory structures and web commands, so I believe it is safe to assume all ELRO cameras are affected.

Because I had no idea of the network layout beforehand I ran a little nmap scan to get the list of online IP addresses in the local subnet:

MacBook-Air:~# nmap -sP 192.168.1.0/24

Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-10 00:28 CEST
Nmap scan report for 192.168.1.1
Host is up (0.0055s latency).
Nmap scan report for 192.168.1.4
Host is up (0.00048s latency).
Nmap scan report for 192.168.1.6
Host is up (0.057s latency).
Nmap scan report for 192.168.1.7
Host is up (0.054s latency).
Nmap scan report for 192.168.1.8
Host is up (0.047s latency).
Nmap scan report for 192.168.1.11
Host is up (0.052s latency).
Nmap scan report for 192.168.1.17
Host is up (0.044s latency).
Nmap scan report for 192.168.1.24
Host is up (0.11s latency).
Nmap scan report for 192.168.1.26
Host is up (0.0028s latency).
Nmap scan report for 192.168.1.101
Host is up (0.0085s latency).
Nmap scan report for 192.168.1.102
Host is up (0.0084s latency).
Nmap scan report for 192.168.1.105
Host is up (0.021s latency).
Nmap done: 256 IP addresses (12 hosts up) scanned in 9.12 seconds

The thing that struck me was the low addresses after the gateway 192.168.1.1 so I first checked those out. Turned out the lower addresses were DHCP (my MacBook was 192.168.1.4). I did find a nice open printer though:

Web authentication gone wrong

After some more checking I found a login screen at 192.168.1.101. This could be a camera!

Trying some default stuff (admin:admin, admin:1234) etc. didn’t appear to work, so I just pressed the Cancel button:

Besides the lack of even a self-signed HTTPS certificate it was obvious that even the login screen had serious security issues. After the initial state of shock I decided to check out the page source code:

check_user.cgi appears to be the page generating the HTTP authentication (which is plain text by the way). The page only shows us 401 Unauthorized and the name and version of the web server mini_httpd/1.19 19dec2003. There are some known vulnerabilities for that version, but they had no POC code for reading files so I put that on halt for the time being.

get_status.cgi requires no authentication (wtf) and it shows some identifying information like the system version and some other status information

Since there were some links on the login page I decided to try and sign in to the camera web interface. Clicking the link and pressing cancel a few times showed the full web interface, but unfortunately the feed was black.

An unexpected surpise

Trying to click some of the terrible popup menus on the left (I had been a few hours on the web interface at this point) gave some more device information (obtained from the get_status.cgi), but the P2P menu showed some actually interesting stuff!

The iframe led me to p2p.htm, which contained some GUID, a username and a password (you are kidding me right?) Just setting the input type to text with the inspector revealed the details in full glory:

Checking the source it turns out that get_tutk_account.cgi has no .htpasswd protection which is why it shows the password in the web interface.

Theory in practice

Googling for a P2P IP Camera app gives this nice app that automatically gets the running cameras:

Selecting the right camera and entering the password given by the web interface shows this nice feed by the campfire (notice me walking around with crutches):

The other cameras have the same vulnerability (probably the same model):

Going for gold

After this serious issue I couldn’t get much further with the web interface (just some directory listings, but no directory traversal or anything). I did try to access .htpasswd (read something about that for old versions of mini_httpd), but it gave a graceful 403.

Let’s try another nmap scan to see what services are running on the device:

MacBook-Air:~# nmap -sV -vv 192.168.1.101

Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-10 00:52 CEST
NSE: Loaded 29 scripts for scanning.
Initiating Ping Scan at 00:52
Scanning 192.168.1.101 [2 ports]
Completed Ping Scan at 00:52, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:52
Completed Parallel DNS resolution of 1 host. at 00:52, 0.02s elapsed
Initiating Connect Scan at 00:52
Scanning 192.168.1.101 [1000 ports]
Discovered open port 80/tcp on 192.168.1.101
Discovered open port 23/tcp on 192.168.1.101
Increasing send delay for 192.168.1.101 from 0 to 5 due to max_successful_tryno increase to 4
Completed Connect Scan at 00:52, 6.99s elapsed (1000 total ports)
Initiating Service scan at 00:52
Scanning 2 services on 192.168.1.101
Completed Service scan at 00:52, 7.00s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.101.
NSE: Starting runlevel 1 (of 1) scan.
Nmap scan report for 192.168.1.101
Host is up (0.0026s latency).
Scanned at 2015-08-10 00:52:16 CEST for 14s
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet  BusyBox telnetd
80/tcp open  http    mini_httpd 1.19 19dec2003

Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.24 seconds

There is telnet! Trying telnet 192.168.1.101 asks for a login and password, but at least it is not blocking connections! Not sure how that would work out remotely, but I suspect it would connect just fine.

Trying some of the worst passwords of 2014 it appears to actually be using the worst password in the world for root access: 123456.

MacBook-Air:~# telnet 192.168.1.101
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.

(none) login: root
Password: 

BusyBox v1.12.1 (2012-11-19 22:34:42 PST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# 

Some firmware reversing adventures led me to check in the /mnt/5350 directory (I might write something about that another time):

# ls
var     tmp     sbin    mnt     lib     home    etc     bin
usr     sys     proc    media   init    etc_ro  dev
# cd mnt
# ls
pdbmountfs  5350        mtd         bin
test.sh     tmp         nfs
# cd 5350
# ls
mini_httpd.conf    modules            web                etc
user_info          usb_reset_logfile  lib

The user_info file looks interesting:

# cat user_info
admin:1357# 

Well, looks like plaintext credentials for the web interface to me. Trying it and it works perfectly fine:

Final words

So that would be about it for this blogpost. Before I finish I do want to say that this research was done just for fun and no cameras were harmed in the process. Another thing is that I had access to the local network. I think that if you isolate these camera’s on a separate subnet and make sure they are not accessible from the outside (or only accessible from a fixed IP address with firewall rules in the router) you will be fine.

After this post is published I will send a link to ELRO to inform them about the security issues discussed here. If they release a firmware update to fix these issues I will update this post.

Till next time,

mrexodia

Extending De4dot

2015-07-17T00:00:00+00:00

Hey, what’s up everybody?

About two months ago I came across a modified version of de4dot someone made, which required me to replace my current de4dot version in it’s entirety. I did not like this and therefore I decided to work on extension support for de4dot. Basically it allows you to add new deobfuscator modules or replace the existing (sometimes outdated) ones, in a dynamic way.

In this blogpost I will explain to you how to add a simple deobfuscator for OrangeHeap. The actual deobfuscator code is not written by me, but by TheProxy. It only serves as an example of how de4dot can be extended :)

Getting started

To get started, we need to set up our development environment. For this you need Git and Visual Studio. Follow these steps to get a development environment running:

Clone the repository with git clone --recursive https://github.com/0xd4d/de4dot.git;
Copy and rename the deobfuscator.Template directory to deobfuscator.OrangeHeap;
In that same directory, rename deobfuscator.Template.csproj to deobfuscator.OrangeHeap.csproj;
Open the main de4dot.sln in Visual Studio 2010 or higher and add deobfuscator.OrangeHeap.csproj to the solution;
Now the only thing left is to rename the output file name and namespace from deobfuscator.Template to deobfuscator.OrangeHeap.

Coding the deobfuscator

In this post I won’t go too much in depth about the internal de4dot architecture, mainly because I don’t know a whole lot about it. You’d have to check the built-in deobfuscators by yourself to find out how it works. Here is a post by kao that explains extending de4dot in a more detailed manner.

The identifying class for a deobfuscator is the DeobfuscatorInfo class. It has to provide a Name and a Type string field, where the Type field must be unique. It also has a CreateDeobfuscator method that will handle the actual deobfuscation.

You can find the full code over here. TheProxy wrote a full tutorial with details over at his blog

Now before I go into this, I have to say that you are obligated by the license de4dot uses (GPL) to share any modifications you make to de4dot under the same (GPL) license. This includes extensions that are dynamically loaded by de4dot, although this is controversial.

Now to share the deobfuscator, for example for internal company usage or simply because you want to share prebuilt binaries of your GPL extension, simply copy the bin/deobfuscator.OrangeHeap.dll to the de4dot bin directory on another machine. Here is a screenshot that shows what happens before and after I added the DLL to the bin directory (obviously without any other modifications to de4dot):

Overriding/Extending existing deobfuscators

If you want to change the behavior of an existing deobfuscator, simply make the DeobfuscatorInfo.Type field return an already-present typename (like co for CryptoDeobfuscator or df for Dotfuscator). Basically you have to rip the current deobfuscator class out in a separate project (I tested this). See here for a starting point. It should be pretty straightforward.

Well, that’s all for today. Hopefully till next time!

mrexodia

Script Api

2015-07-01T00:00:00+00:00

Hey everyone,

For the people who keep checking this blog: thanks a lot!

Recently I had quite a lot of deadlines, so as usual I didn’t write anything on my blog :) I did however work on quite some interesting things. Together with the guys on #x64dbg and some other people I worked on a script API for x64dbg. What this means is that (once this API is finished) people can write bindings for their favorite script language and publish it as a plugin!

Right now I have these implemented:

Basic debugging stuff (run, step, stop, pause);
Register setters/getters;
Memory read/write;
Pattern finding/writing;
Module information;
GUI selection setters/getters.

I plan on adding much more:

PE information;
Breakpoint management;
Comment/Bookmark/Label/Function/Loop management (useful for analysis scripts);
Settings;
Event callbacks;
Etc (contact me if you have requests).

Some work was done with AngelScript in the testplugin.

void myStepOut()
{
    duint cip = Register::GetCIP();
    Print("[SCRIPT] Started on CIP = 0x%p\n", cip);
    do
    {
        Debug::StepOver();
        cip = Register::GetCIP();
    }
    while(Memory::ReadByte(cip) != 0xC3);
    Print("[SCRIPT] Finished on CIP = 0x%p\n", cip);
}

void main()
{
    Print("[SCRIPT] Welcome to AngelScript!\n");
    myStepOut();
}

Another idea I had was to load script DLLS, so you can write scripts in your favorite programming language (basically any language that supports native exports). You would write a single export StartScript that then calls the script API directly. This would allow for many possibilities, including commercial unpacking scripts.

This summer I will try to work on x64dbg as much as I can, to at least complete the script API. I also plan on fixing performance problems and solving as many issues as I can. Contact me if you know C++ and like to work on x64dbg. All help is appreciated.

Till next time,

mrexodia

Function Analysis

2015-05-11T00:00:00+00:00

Hey everyone!

Right now I am in the fourth and final term of this education year. It looks like I can go on studying computer science, since I passed all my exams as of now!

Introduction

In this post I will discuss a (fairly simple) algorithm I came up with half-drunk with the purpose of determining function boundaries in x86 assembly code. Right now, it is implemented in x64dbg and you can see how it works with a command called anal (short for analyze). It does not work on weird/obfuscated/Microsoft’s code, but it’s nice to have an idea where functions start and end without having to manually go through every function you are looking at.

Screenshot:

The requirements

Maybe you already noticed, but x64dbg does barely use the information provided in the PE Header of a debuggee for its operations. If your executable is malformed, but can be started by CreateProcess without problems x64dbg should be able to debug it.

The downside is that x64dbg has no idea if it is looking at code, an import table, a resource table or just random data. You would have to figure that out yourself. The upside is that anything that can be run by Windows can at least be started by x64dbg.

The algorithm has a very simple input: a block of memory. The output should be a list of function boundaries. It requires nothing to work, except the virtual base address of the memory block.

The idea

After talking with various people (including cyberbob who created ArkDasm) the thing a lot of people (including our ‘competition’ at HexRays) appear to do is some kind of recursive ‘tracing’ from a certain point (usually the entry point). Basically it simulates multiple possible execution paths from that point and constructs the function boundaries from data (such as call and ret instructions) it collected on the way.

Usually I like what the cool kids on the block do, but I saw some problems:

Recursive algorithms require housekeeping. In this case you would need to make sure data is not analyzed more than once (in case of analyzing a recursive function).
It is hard to estimate when the recursive algorithm would end. Maybe there is only one (very small) execution path and it ends immediately, or it keeps dragging on, evaluating thousands of possible paths.
There is no known entry point.

Now computer scientists appear to like complexity analysis of an algorithm. Probably you cannot do better than linear anyway, so I decided that I wanted to algorithm to be done in linear time O(n).

The idea I had was very simple, but it requires two assumptions to work:

Every call destination or immediate pointing inside the memory block given for analysis is assumed to be the start of a function;
A function ends at or after the start of that function and cannot overlap with other functions.

The first assumption should be clear to you. The second assumption might not be, but it is actually very simple: when a function starts it has to end before another function starts. This means that this system will horribly break on optimized code that places chunks of code randomly scattered throughout the memory region. Microsoft’s kernel32.dll does this for example.

Now the actual idea is to do things in two steps:

Find all function starts;
Figure out where functions end.

Simple right?

Finding all function starts

Doing this is actually trivial with the given assumptions! Just find any immediate that points in the memory block currently being analyzed and then sort the results and remove duplicates (a function might be called from multiple places is why). The reason for the sorting that the end cannot be further away than the next function start.

Finding the end of a function #1

The thing that immediately comes to mind is just searching for the first ret instruction after the function start and call this the function end.

The problem with this approach is that there might be multiple exit points:

Finding the end of a function #2

Another thing that comes in mind really quickly is just to scan backwards from a function start for the ret instruction. When found, this is the end of the previous function:

The main problem with this is that there could be unreferenced functions between the two functions that were found using the method for finding function starts. This could make really weird functions appear:

Finding the end of a function #3

The actual method I used to find the end of a function is a variation of #1. This algorithms has four cursors (the names are taken from the actual algorithm):

addr is the current address being disassembled. addr will always move forward disassembling every instruction on the way;
end is the current function end (basically this is the last ret instruction encountered by addr);
fardest is the farthest forward destination of a jxx. This will point to the farthest destination the function can go by using jumps;
jumpback is the address of the last jmp instruction that jumps before the end at that time.

For the understanding of the algorithm I visualized it using x64dbg. These are the colors used to indicate the various variables:

addr
end
fardest
jumpback

The first animation shows how fardest is used. When a ret instruction is encountered it is considered to be the function end if fardest has no value or points before the current ret instruction. When fardest points after the ret instruction, the algorithm will continue instead looking for another ret:

The second animation shows how the jumpback variable is used. Basically what could happen is that there is some kind of repeated structure before a function returns and that the compiler optimized this by jumping back to this structure from the end of the function (this could be done to save space for example). When the limit to where the algorithm can disassemble is reached the jumpback will be used as end of the function instead of end:

Final words

Alright, that was about it! I plan on improving this algorithm to support weird function structures done by some compilers, but the idea will stay the same (I think). I hope you enjoyed reading through this, I definitely enjoyed making it (even fixed some bugs on the way).

Greetings,

mrexodia

Progress

2015-04-18T00:00:00+00:00

Hey guys,

After (again) almost a month of not writing I decided to write a little about various things I’m doing currently.

GleeBug

As some of you might have picked up I’m working on a replacement for TitanEngine. This replacement is going to be called GleeBug. Currently the project is in early stages, but with some help from nice people in my live stream we got single stepping with callbacks working very well!

GleeBug is going to have full support for child process debugging and it will be written in an object oriented style. (name) is working with me. You can find the repository here.

x64dbg

After I started a bachelor in computer science, other projects started degrading because of the lack of motivation and time I had. Recently I did a weekend of live streaming and it motivated me greatly! If I have some time between the assignments I have to do and playing GTA 5 (amazing game by the way) I will do another streaming session this weekend. Otherwise Monday (which is when I have to hand in the assignments).

A lot has happened to x64dbg since the last time I wrote, here is a quick summary for the people not following the commit logs:

YARA rules matching was added;
A new version was released;
x64_dbg is renamed to x64dbg;
We moved to GitHub;
You can now donate with PayPal (or Bitcoin);
Nukem did a great deal of refactoring with the result that x64dbg is now on VS2013. XP will stay supported, but backwards compatibility is still a WIP so the current snapshots will not run on XP (move on already guys);
Various bugs were fixed (some fixed as a result of the refactoring), see the commit logs on the repository for more information.

Well, that’s about it! Thanks for reading and leave me a comment on my twitter or in the comment section.

mrexodia

Look Out!

2015-03-21T00:00:00+00:00

Hey,

At the moment I feel like I should say I plan on posting something like every month from now on.

This is just a small post warning you guys for some very annoying behavior in DeviceIoControl. After a quick read of the documentation I did code like this:

static bool ControlDevice(HIDECOMMAND Command, HIDEINFO* HideInfo)
{
    HANDLE hDevice = GetDeviceHandle();
    if (hDevice == INVALID_HANDLE_VALUE)
	    return false;
    bool result = !!DeviceIoControl(hDevice, //hDevice
                                    Command, //dwIoControlCode
                                    HideInfo, //lpInBuffer
                                    sizeof(HIDEINFO), //nInBufferSize
                                    NULL, //lpOutBuffer
                                    0, //nOutBufferSize
                                    NULL, //lpBytesReturned
                                    NULL //lpOverlapped
                                   ); //
    CloseHandle(hDevice);
    return result;
}

Reading the documentation in a quick glance it looked like lpBytesReturned and lpOverlapped are optional (it says so in the function definition).

I tested the code on Windows 8.1 and everything worked fine, so I published the code. After a while however, my client told me there was a crash on Windows 7 near DeviceIoControl.

Reading the documentation again I stumbled across this sentence:

If lpOverlapped is NULL, lpBytesReturned cannot be NULL. Even when an operation returns no output data and lpOutBuffer is NULL, DeviceIoControl makes use of lpBytesReturned. After such an operation, the value of lpBytesReturned is meaningless.

Moral of the story: don’t assume optional actually means a parameter is optional in WinAPI documentation :)

Cya around,

mrexodia

Titanhide

2015-02-05T00:00:00+00:00

Hello,

First of all I would like to thank to ~200 people (or bots) who still visit this blog! I didn’t post for a long time (again) because I was busy with a project for the university. Right now I had my exams, so I will have a little time to write a new blogpost.

Introduction

Some people might remember a project I started about a year ago. This project is called TitanHide and it was created to make kernel-mode debugger hiding possible on the x64 versions of Windows. At the time there was no kernel-mode hiding driver that worked on the x64 versions of Windows and that was also open-source. Trusting kernel drivers is really important (especially when they install hooks) because they can do anything with your system they like. TitanHide was meant to be easy to extend and it should work on both x32 and x64 systems.

Debug Detection

Software protection or malware usually doesn’t like being debugged. For this reason they usually insert various debugger checks. There are lots and lots of anti-debug tricks, see this paper for example. Some tricks like IsDebuggerPresent or NtGlobalFlag can be bypassed by changing the PEB in memory of the usermode process. Other detection methods cannot be evaded by a simple memory patch (NtClose for example). These detection methods require hooks. Hooks in user-mode (such as done by ScyllaHide) work in most cases, but more advanced debugger detection systems also detect user-mode hooks. In this case there is need for kernel-mode hooks, which is what TitanHide is using to evade debug detection methods. TitanHide does not patch the PEB or other things that can be done in user-mode, it’s focus lays purely in kernel-mode.

PatchGuard

In x32 times patching the kernel was officially unsupported by Microsoft, but there were no countermeasures built into the operating system against it. When Windows x64 came along, Microsoft added Kernel Patch Protection, also referred to as ‘PatchGuard’. PatchGuard prevents modification of critical kernel structures, such as the SSDT, which TitanHide uses to hook kernel functions. There are various methods of disabling PatchGuard, but TitanHide does not implement any of those. The main reason behind this is that TitanHide is purely meant to bypass debugger checks, not as a full-fledged rootkit library. If you want a quick way to disable PatchGuard, simply enable debug mode on your computer. This effectively stops PatchGuard from loading. If you want more information about PatchGuard I recommend reading this article. Everything that happens after this point is with PatchGuard disabled.

TitanHide

This post will mainly be about TitanHide installs it’s hooks. If you want more information about how the functions are modified to make it look like certain processes are not being debugged, you should read the code. I also recommend reading this paper about ScyllaHide. It can help while reading the TitanHide code (since the code itself is not greatly documented).

Many ideas in TitanHide come from different people around the internet, but the code in TitanHide is mostly written by myself. Code I used from the internet usually has a comment explaining where it came from. Some code was also written by cypherpunk. You can see which code specifically in the commit log.

SSDT Hooking

In short the System Service Dispatch Table (SSDT) is used by the operating system to determine which function to call after a transition from user to kernel-mode. The table contains kernel-mode function pointers and when a user-mode program wants to call such a function it provides an index to the function it wants to call in EAX. SSDT Hooking means replacing these kernel-mode function pointers with custom functions that either fully replace the existing function or modify the function behavior.

In x32 mode, replacing SSDT functions is quite straightforward (see this article for more information). Basically what happens is this:

SSDTStruct* SSDT = MmGetSystemRoutineAddress(L"KeServiceDescriptorTable");
SSDT->pServiceTable[FunctionIndex] = NewFunctionPointer;

On x32 versions of the operating system the SSDT structure is exported under the name KeServiceDescriptorTable by ntoskrnl.exe, which makes SSDT hooks really easy to implement.

On x64 versions of the operating system SSDT hooking becomes much harder. There are two reasons for this. The first reason is that the SSDT is no longer exported by ntoskrnl.exe, which means TitanHide must use different ways to find the SSDT. The other reason is that the SSDT no longer uses direct pointers, but offsets relative to the start of the SSDT. This means our hooks cannot be located too far from the ntoskrnl memory region.

Locating the SSDT on x64

After lots of searching around I found someone who discovered a semi-reliable way of locating the SSDT on x64 (I tested this method on Windows XP x64 - Windows 8.1 x64 with success). Read the original post here. For the purpose of this post I will line out the basics here, supported with some code.

An exported function called KeAddSystemServiceTable has a reference to the RVA of the SSDT. To find this RVA, TitanHide uses the following code:

/*
000000014050EA4A 48 C1 E0 05                shl rax, 5
000000014050EA4E 48 83 BC 18 80 3A 36 00 00 cmp qword ptr [rax+rbx+363A80h], 0 <- we are looking for this instruction
000000014050EA57 0F 85 B2 5C 0A 00          jnz loc_1405B470F
000000014050EA5D 48 8D 8B C0 3A 36 00       lea rcx, rva KeServiceDescriptorTableShadow[rbx]
000000014050EA64 48 03 C8                   add rcx, rax
000000014050EA67 48 83 39 00                cmp qword ptr [rcx], 0
*/
int rvaSSDT = 0;
for (unsigned int i = 0; i < function_size; i++)
{
    if (((*(unsigned int*)(function + i)) & 0x00FFFFF0) == 0xBC8340 && //4?83bc??
        !*(unsigned char*)(function + i + 8)) //???????? 00 
    { //cmp qword ptr [r?+r?+????????h], 0
        rvaSSDT = *(int*)(function + i + 4);
        break;
    }
}
SSDT = (SSDTStruct*)((ULONG_PTR)GetKernelBase() + rvaSSDT);

Locating the SSDT on Windows 10 Technical Preview is a little trickier, but still possible:

/*
Windows 10 Technical Preview:
fffff800e21b30ec 757f             jne nt!KeAddSystemServiceTable+0x91 (fffff800e21b316d)
fffff800e21b30ee 48833deafee4ff00 cmp qword ptr [nt!KeServiceDescriptorTable+0x20 (fffff800e2002fe0)],0 <- we are looking for this instruction
fffff800e21b30f6 7575             jne nt!KeAddSystemServiceTable+0x91 (fffff800e21b316d)
fffff800e21b30f8 48833da0fee4ff00 cmp qword ptr [nt!KeServiceDescriptorTableShadow+0x20 (fffff800e2002fa0)],0
fffff800e21b3100 756b             jne nt!KeAddSystemServiceTable+0x91 (fffff800e21b316d)
*/
int rvaFound = -1;
int rvaSSDT = 0;
for (unsigned int i = 0; i < function_size; i++)
{
    if (((*(unsigned int*)(function + i)) & 0x00FFFFFF) == 0x3D8348 && //48833d
        !*(unsigned char*)(function + i + 7)) //???????? 00
    { //cmp qword ptr [?],0
        rvaFound = i;
        rvaSSDT = *(int*)(function + i + 3);
        break;
    }
}
//Calculate the actual address (rvaSSDT is a RIP-relative offset)
SSDT = (SSDTStruct*)((ULONG_PTR)KeASST + rvaFound + rvaSSDT + 8 - 0x20);

Hooking the SSDT on x64

In order to make sure the new function pointers ‘fit’ into the SSDT, I created a function called FindCaveAddress. That looks for compiler-generated padding, usually found around functions. It searched for a certain number of padding bytes and when found, a hook stub like this is inserted:

mov rax, NewFunctionPointer
push rax
ret

These stubs redirect the instruction pointer to our hooked function, making things really easy.

SSDT Function Index

Every function in the SSDT has an index, there are websites such as this one that list the all Nt* functions and their index, but hardcoding everything for every possible OS is tedious and error-prone work so I wrote a function to heuristically find an SSDT index for an exported ntdll.dll function. What is does is reading ntdll.dll from disk and then it parses the export table, searching for a function. If the function was found it looks for mov eax, XXXXXXXX, where XXXXXXXX will be the SSDT index. This is based on the fact that the ntdll.dll stubs look pretty much the same on every version of ntdll.dll until Windows 8.1:

0000000077EF0E10 | 4C 8B D1       | mov r10,rcx
0000000077EF0E13 | B8 40 00 00 00 | mov eax,40
0000000077EF0E18 | 0F 05          | syscall
0000000077EF0E1A | C3             | ret

If you are interested in the specifics of this code, take a look at ntdll.cpp.

This is how you hook a function exported by ntdll.dll using the current TitanHide codebase:

HOOK hNtQueryInformationProcess = SSDT::Hook("NtQueryInformationProcess", (void*)HookNtQueryInformationProcess);

That’s right, only one line of code to do any SSDT hook you want!

Conclusion

I hope you found this blogpost interesting, if you have any remarks, feel free to post them in the comments or send them to me.

Enjoy,

mrexodia

Itubes Library Format 2

2014-12-27T00:00:00+00:00

A few days ago I wrote some things about the iTunes library file format. Today I will try to write the remainder about this subject.

A small recap

In the previous post I discussed the structure of the encrypted file and there should also be enough information for a mediocre programmer to decrypt a .itl file by yourself. In this post I will be using a decrypted .itl file.

The base structure

Every .itl file starts with an hdfm information header. The approximate format of this header block is documented the older file format from iTunes v1.x - v3.x. Basically after this everything is the same as in the older file format, except the header ‘names’. The hdsm now is reversed to msdh. The whole file is basically build of msdh blocks with variable sizes.

Here is a small screenshot that shows the header and the msdh blocks:

Structure of the ‘msdh’ blocks

The msdh blocks contain the headerLength, totalLength and blockType as most important fields. After the msdh header, there is blockData that can contain various other types of structures. These structures very often look similar to this C-style structure:

typedef struct
{
    char signature[4]; //"mlrh" as signature identification.
    int headerLength; //total length of the header.
    char unknown[headerLength - 8]; //structure-specific data.
} mlrh;

A screenshot of how such a grammar looks:

Content of the ‘msdh’ blocks

The blockType field of the msdh block says something about the contents of the block. The value 4 for example has blockData that contains a path to the music library, /Users/xxxxxx/Music/iTunes/iTunes%20Media in my case. blockData can also contain other blocks. The miah and mith blocks for example both contain mhoh blocks. mhoh blocks are some kind of general-purpose block that can contain a lot of things.

Conclusion

The basic file format was all I needed to continue fixing requiem, so this it all for now. Maybe I will blog more about my progress later. You can find the grammar here, feel free to expand on it and don’t forget to send me the latest version if you do ;)

Merry Christmas,

mrexodia

X64_dbg From Top To Bottom 1

2014-12-24T00:00:00+00:00

Hello everyone,

Quite some time ago I started thinking about ways to engage more developers in x64dbg. The main problem new developers (in my view of things) have is that x64dbg is poorly documented. Code documentation is very important in software development but when I started with x64dbg the whole concept of software development was new to me, so I did not document my code. Recently I started documenting the code of x64dbg, but code documentation is very boring, so I decided to spice it up a little (for myself mainly) with a few blog posts.

Before reading

Before you start reading this post, I recommend you read up on Creating a Basic Debugger and you should know a little about threads. You should also know where to find x64dbg’s source code in case you want to see more of the code.

The debug loop

Technically the debug loop is part of TitanEngine, not of x64dbg. The design of the debug loop, however is very important for x64dbg in general, so I will explain it here anyway.

A basic debug loop looks like this:

This is also how TitanEngine’s debug loop works. It handles events by calling so-called “Custom Handlers”, which you can register by calling the SetCustomHandler() function. In addition to calling custom handlers TitanEngine does a lot of housekeeping (like storing information about the threads, modules and breakpoints). It also handles certain exceptions like STATUS_SINGLE_STEP for stepping and STATUS_BREAKPOINT for software breakpoints.

The most important point of these custom handlers is the fact that they are part of the debug loop, which means the debug loop won’t continue until the custom handler returns.

Threading of the debug loop

Because the DebugLoop() function of TitanEngine does not return until debugging is finished (debuggee termination), it has to be run on a new thread, so we can continue using the GUI while debugging (which is the whole point of the GUI anyway).

Here is a little image for the overview:

A block represent a thread;
A dashed arrow represents starting a new thread;
A red arrow represents thread termination;
A circle contains the termination condition.

The Main Thread starts the Command Thread. The Command Thread has an architecture similar to the debug loop; it waits for a command, calls a command handler and then starts waiting again.

When an InitDebug command is encountered (see help), information is obtained about the executable to debug and a Debug Thread is started. This Debug Thread contains the debug loop we discussed above.

Syncing the threads

The Debug Thread has to wait in custom handlers until the user tells it to continue (by pressing the run button in the GUI). This is done by a very simple locking system that has three main functions: lock(), unlock() and wait(). The wait() function simply waits while the lock is locked and it works across threads, so when the Debug Thread is waiting and the Command Thread calls unlock(), the Debug Thread will continue execution. You can find all this code here.

To provide thread-safe access to certain global variables (like breakpoint/comment/bookmark lists), x64dbg uses a class called CriticalSectionLocker. This class can be found in the same file as locking system above.

Conclusion

That’s all for now, I hope you enjoyed reading this and I will continue to cover various aspects of x64dbg, from the bigger picture, to small interesting details.

mrexodia

Itunes Library Format 1

2014-12-16T00:00:00+00:00

Hello everyone,

More than a month ago I posted about some code I had to write for a project, today it will be about exploring the iTunes Library file format.

Background

“Why reverse the iTunes Library format?” you might ask, well it all started with a university project. Basically we’re developing an app for Android/iOS using Xamarin and since Apple doesn’t like Windows, it is impossible to create/compile/test iOS apps without having access to Mac OS X. I installed a hackintosh distribution to start developing the app.

One time, when I was browsing iTunes I saw I had 15 euros left on my account, so I decided to buy an eBook I saw on TV. But Apple still hates Windows/Android/Whatever and after I spent my money I discovered it was impossible to read books bought in the iBooks store on a non-iDevice. I tried searching for some DRM removal tools, but there was only one and it didn’t work (it’s called requiem by the way).

Since I like reversing I decided to take on FairPlay (Apple’s DRM) in order to unlock the .epub file so I can read it on my Sony eReader.

In the process of checking out the old sources I discovered that the iTunes Library was read and decrypted, but after that the file format did not match the code anymore. Since the code was made for iTunes v10.x, not v12.x I had to figure out the new library file format.

The past

In the past people tried to reverse the iTunes Library file format, the more notable document is this one. It’s for iTunes v1.x - v3.x, but it was still useful for me now. Another resource is the previously mentioned requiem source code.

Getting started

Before we get started I’d like to introduce a very good tool called Synalyze It! Pro. Basically it’s a hex editor, but it’s main feature (for us at least) is the ‘Grammars’ option. Grammers are XML files that describe data structures and when a structure matches with a file, you can see the structure contents and highlight/manipulate the bytes they are mapped to. Reading the documentation is recommended before you continue.

It might also be useful to note I’m doing everything on Mac OS X (probably iTunes for Windows has the same format, but I didn’t check).

Now copy the iTunes Library file called iTunes Library.itl from ~/Music/iTunes/ to your documents folder or something and open it up in Synalyze It to start working with it.

Encryption + ZLIB

In the requiem source code, you can see in ModifyLib.loadLibrary() that the iTunes file from v10.x used AES/ECB/NoPadding with the key BHUILuilfghuila3:

...

// decrypt all full blocks in the body
Key key = new SecretKeySpec("BHUILuilfghuila3".getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding");
cipher.init(Cipher.DECRYPT_MODE, key);
int crypt_size = (data.length - header_size) & ~0xf;
int max_crypt_size = read32(data, 0x5C);
if (max_crypt_size != 0)
    crypt_size = Math.min(crypt_size, max_crypt_size);
cipher.doFinal(data, header_size, crypt_size, data, header_size);

// un-zip body (ZLIB)
Inflater inflater = new Inflater();
inflater.setInput(data, header_size, data.length - header_size);
byte[] clear_data = new byte[65536];
while (!inflater.finished())
{
    int n = inflater.inflate(clear_data);
    o.write(clear_data, 0, n);
}

...

After reading the older file format from iTunes v1.x - v3.x and the requiem source it is quite easy to create a Grammar for the encrypted file format:

Conclusion (for now)

Hopefully this was an interesting start. Unfortunately I don’t have enough time to post the full story, but there will be a next post soon (I hope). In the meantime, try modifying the requiem source to output a decrypted iTunes library of your own. This will be required for the next post. Another thing you might want to do it setting up Eclipse with the Makefile included in the requiem source. This will make dumping the decrypted library a lot easier.

Till next time,

mrexodia

Undolist

2014-11-01T00:00:00+00:00

It’s been two months, but I finally found some time to post something in this blog :)

Background

As a programming exercise for the University we have to create a simple Paint-like program in C#. It has some tools (lines, rectangles, ellipses, text), it must be able to save/load to a custom format that represents the current drawing and it must be able to export to common image formats.

As representation of the current sketch I use a List<T> structure. The objects that were last added to the list are draw ‘above’ objects added previously. A bonus task was to add an Undo/Redo functionality, which I will explain in this post.

Objectives

What I wanted to create was a transparent data structure that could just replace the existing List<T> structure, without having to add additional statements to keep the Undo/Redo state. Furthermore the structure should be usable in a wide variety of cases.

What I did (summary)

First I created a class that represents the List<T> functionality called UndoList<T>. This class has a private class called UndoAction<U>, which represents something that happened to the original list. The UndoList<T> class has a List<UndoAction<T>> member that represents the stack of changes. To be able to provide a Redo functionality, there is a pointer member that points to the last change (I will come to this later).

UndoAction

This class is very simple. It contains the action performed (ActionType) and the actual object that was Added/Removed:

private class UndoAction<U>
{
    public ActionType Type { get; private set; }
    public U Value { get; private set; }

    public UndoAction(ActionType type, U value)
    {
        this.Type = type;
        this.Value = value;
    }
}

UndoList

This class has to be able to do the simple list operations: list[i], list.Add(), list.RemoveAt() and List.Clear(). These functionalities are very easy to implement:

public void Add(T value)
{
    list.Add(value); //add the value to the actual list
    addUndoAction(new UndoAction<T>(ActionType.Add, value)); //add an entry to the Undo list
}

public void RemoveAt(int index)
{
    addUndoAction(new UndoAction<T>(ActionType.Remove, list[index]));
    list.RemoveAt(index);
}

public void Clear()
{
    foreach (T value in list)
        addUndoAction(new UndoAction<T>(ActionType.Remove, value));
    list.Clear();
}

public T this[int index]
{
    get
    {
        return list[index];
    }
    set
    {
        list[index] = value;
    }
}

To provide the functionality of the foreach loop, UndoList<T> needs to be a subclass of System.Collections.IEnumerable. Implementing this interface is really easy for us: we simply return the Enumerator of the actual List<T> member which contains the representation of the sketch.

Implementing the IEnumerable interface goes like this:

public class UndoList<T> : IEnumerable
{
    private List<T> list; //the actual list with data

    public IEnumerator GetEnumerator()
    {
        return list.GetEnumerator();
    }

    //other members
}

The `pointer` member

If we were only required to provide an Undo functionality, we could just use a list with UndoAction<U> entries. When the Undo() function is called, undo the action and remove the last entry of the list. For Redo() to work, we either need to keep track of the Undo’s we did (which comes down to keeping track of a list that is used to keep track of another list) or we need to use a pointer. The pointer member of the UndoList<T> class points to the last action that was added to the List<UndoAction<T>> list. When Undo() is called, the action will be undone and after that the pointer is decreased. We can do this until the pointer equals -1, which means there is no action left to undo. After you called Undo() a few times and you then call Redo(), the pointer will be increased and after that, the action will be applied to the list with data (see Undo() and Redo() functions for code).

Final words

This class is a good example of how templates can be used in a meaningful way and I learned quite some things from it. I made the source available under the MIT License, you can get it here.

This class has very minimal functionality of the List<T> class. Sorting has no Undo/Redo and Clear() makes it look like every element was removed one-by-one. Feel free to improve on this :)

mrexodia

Utf8

2014-09-13T00:00:00+00:00

Quite some time since I last wrote something. I recently started attending a University, so that took all of my time past weeks :)

Anyway, during a very easy lecture about programming I decided to actually program something myself, which turned out to be Unicode support for x64dbg!

Theory

At first I thought I would have to rewrite the command parser and whatnot, but that turned out to be not needed at all…

At first I wanted to convert every char pointer and constant to the Windows-supported wchar_t type, but this would take far too long to execute + it would break plugin compatibility and the complete internal API, which just sucks. Various discussions and a blogpost later I decided to use UTF-8 internally and call WinAPI with conversion functions.

Basically it required three things: 1) A C++ class like QString that allows string operations on UTF-8 string; 2) Conversion functions from UTF-8 to UTF-16 and the other way around; 3) ‘Converting’ all external ASCII calls to their UNICODE variant (WinAPI, TitanEngine, dbghelp, etc).

Practice

The first step was quite easy, I grabbed this GPLv3 UTF::String class and changed it to my needs. This became the UString class.

The second step was also very easy, the blogpost I mentioned earlier had two ready-to-use functions called ConvertFromUtf16ToUtf8 and ConvertFromUtf8ToUtf16. Those worked great, except that they would crash when fed with null as argument. Wrapping them in UString solved that issue without having to think :)

The third step seemed easy at first, I could debug a random application with a Chinese path within minutes. After that however, came a small moment of confusion, because Qt appears to be interpreting const char* strings as Latin1 per default. The following code solved this and after that the log etc. were working correctly:

// Set QString codec to UTF-8
QTextCodec::setCodecForLocale(QTextCodec::codecForName("UTF-8"));
QTextCodec::setCodecForCStrings(QTextCodec::codecForName("UTF-8"));
QTextCodec::setCodecForTr(QTextCodec::codecForName("UTF-8"));

Now all that is left is the tedious task of snooping through the code looking for incompatible GetModuleFileNameExA functions calls and convert them.

Concerns

The main concern will be that plugins will need to support UTF-8 and that new developers for x64dbg will have to adapt their coding a little. For plugin coders there will be conversion functions in the Bridge, but the conversion functions from the blogpost are really easy to copy-paste.

Conclusion

In overall adding UTF-8 support turned out to be quite easy and the work involved is just tedious, not really hard or very annoying. It can be done in little free time by almost anyone, so feel free to submit pull-requests :)

Coverity

2014-09-02T00:00:00+00:00

Recently jvoisin contacted me on IRC (#x64dbg on Freenode) about Coverity:

Find defects in your Java, C# or C/C++ open source project for free.

Test every line of code and potential execution path.

The root cause of each quality or security defect is clearly explained, making it easy to fix bugs

Integrated with Github and Travis Ci

The best thing about all of this: It’s free for open source software. Simple register an account and then your open source project and you’re good to go. Before you can see the scan results they have to approve your project though.

For me the tricky part was building x64dbg with the command line. I never did this before and the documentation wasn’t very clear to me. Basically you run the following commands:

>Configure cov-build for MSVC
cov-configure --msvc
>Build into the required databases
cov-build --dir cov-int --instrument [command that builds here]

What was recommended on the internet was creating a script that fully builds your project. This is coverity_build.bat:

@echo off

echo Building DBG...
devenv /Rebuild "Release|x64" x64dbg.sln

echo Building GUI...
rmdir /S /Q build
mkdir build
cd build
qmake ..\src\gui\x64dbg.pro CONFIG+=release
jom

Notice that you have to be in the Visual Studio Command Prompt (+ Qt paths configured) for this to work. Just run coverity_setenv:

@echo off
echo Setting Qt in PATH
set PATH=%PATH%;c:\Qt\4.8.6-x64\bin
set PATH=%PATH%;c:\Qt\qtcreator-3.1.1\bin

call %comspec% /k ""C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\vcvarsall.bat"" amd64

This will launch a new console, from there run coverity.bat:

@echo off
cov-configure --msvc
cov-build --dir cov-int --instrument coverity_build.bat

exit

After a long time (I have 6 cores, it still took me 5-10 minutes to build with cov-build), the building is finished and you have to ZIP the cov-int directory (not the files inside, the whole directory has to be in the ZIP).

When zipped, simply submit the build to your Coverity project and start analyzing errors.

Here is a screenshot of what the Coverity interface looks like:

See you all later,

mrexodia

A New Blog

2014-08-31T00:00:00+00:00

Hey everyone, this is my first blogpost using Jekyll. My previous blog used WordPress and I never posted anything there. Hopefully it will be different this time :)

mrexodia

mrexodia's blog

Dot Net Callstack From Windbg

Not Analyzing Keyboard Firmware Part 3

The macro layer

Beating old habits

The future

Analyzing Keyboard Firmware Part 2

The tools

Ghidra

Next steps

Analyzing Keyboard Firmware Part 1

Obtaining the firmware

Next steps

Analyzing Torrent Repack Malware

Tooling

setup.exe

setup.tmp

DSETUP.exe

start.bat

SystemCheck.xml

64.exe (svchost.exe)

Freearc And Dark Souls 3

InnoSetup

FreeArc

Conclusion

Cmake Openssl And Mingw On Windows

My Inactivity

Github Gpg

Installing Git (Extensions)

Installing GPG

Generating GPG Keys

Adding your key to Github

Configuring Git

Conclusion

Dynamic Menu Builder

The problem

MenuBuilder

Actions

Final words

Ollydbg

Lightshot Reversing

Crackme

123456

Scanning the environment

Web authentication gone wrong

An unexpected surpise

Theory in practice

Going for gold

Final words

Extending De4dot

Getting started

Coding the deobfuscator

Sharing the deobfuscator

Overriding/Extending existing deobfuscators

Script Api

Function Analysis

Introduction

The requirements

The idea

Finding all function starts

Finding the end of a function #1

Finding the end of a function #2

Finding the end of a function #3

Final words

Progress

GleeBug

x64dbg

Look Out!

Titanhide

Introduction

Debug Detection

PatchGuard

TitanHide

SSDT Hooking

Locating the SSDT on x64

Hooking the SSDT on x64

SSDT Function Index

Conclusion

Itubes Library Format 2

A small recap

The `pointer` member