Beruflich Dokumente
Kultur Dokumente
recca(at)rstack.org - kostya.kortchinsky(at)eads.net serpilliere(at)droids-corp.org - fabrice.desclaux(at)eads.net EADS Corporate Research Center DCR/STI/C SSI Lab Suresnes, FRANCE
1/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Outline
1 2 3 4 5 6 7
Context of the study Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation Conclusion
2/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Outline
1 2 3 4 5 6 7
Context of the study Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation Conclusion
3/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
From a network security administrator point of view Almost everything is obfuscated (looks like /dev/random) Peer to peer architecture
many peers no clear identication of the destination peer
Automatically reuse proxy credentials Trac even when the software is not used (pings, relaying) = Impossibility to distinguish normal behaviour from information exltration (encrypted trac on strange ports, night activity) = Jams the signs of real intrusions exltration
4/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
From a system security administrator point of view Many protections Many antidebugging tricks Much ciphered code A product that works well for free (beer) ?! From a company not involved on Open Source ?! = Is there something to hide ? = Impossible to scan for trojan/backdoor/malware inclusion
5/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
The Chief Security Ocer point of view Is Skype a backdoor ? Can I distinguish Skypes trac from real data exltration ? Can I block Skypes trac ? Is Skype a risky program for my sensitive business ?
6/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Our point of view We need to interoperate Skype protocol with our rewalls We need to check for the presence/absence of backdoors We need to check the security problems induced by the use of Skype in a sensitive environment
7/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Outline
1 2 3 4 5 6 7
Context of the study Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation Conclusion
8/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
This means in C:
LPVOID VirtualAlloc( LPVOID lpAddress, // address of region to reserve or commit DWORD dwSize, // size of region DWORD flAllocationType, // type of allocation DWORD flProtect // type of access protection );
9/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Round initialization Then, it does key initialization and decryption of the parts
mov ... add ... mov add ... mov ... mov eax , o f f s e t b i n b a s e a d d r eax , ds : s t a r t c i p h e r e d p t r [ edx 4 ] eax , ds : s t a r t u n c i p h e r e d p t r [ eax 4 ] eax , ds : a l l o c a t e d m e m o r y dword p t r [ ebp14h ] , 7077 F00Fh eax , ds : s i z e c i p h e r e d [ eax 4 ] Section information loading Key initialization
10/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
11/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Data deciphering Skype uses its allocated memory to store deciphered areas.
decipher loop : mov eax , [ eax+edx 4 ] xor eax , [ ebp14h ] mov [ edx+e c x 4 ] , eax ... mov eax , [ eax+edx 4 ] xor eax , [ ebp14h ] mov [ ebp28h ] , eax add dword p t r [ ebp14h ] , 71 h inc dword p t r [ ebp18h ] dec dword p t r [ ebp34h ] jnz short decipher loop
12/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
13/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
14/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Import by name
dd offset aWaveinreset dd 0 dd 3D69D0h ; "waveInReset"
Import by ordinal
Ordinal 3 dd 0 dd 3 dd 3D6A90h
15/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Some statistics
Ciphered vs clear code
Legend: Code
Data
Unreferenced code
Ciphered vs clear code Libraries used in hidden imports 674 classic imports 169 hidden imports
KERNEL32.dll WINMM.dll WS2 32.dll RPCRT4.dll ...
Vanilla Skype part 1 16/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Binary smashing: tricks used Erase the 0xF4 rst bytes located at the entry point: a memory dump wont be executable The addresses of additional imports replace the import table: in theory, we cannot dump both at same time
Fabrice Desclaux, Kostya Kortchinsky Vanilla Skype part 1 17/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Structure overwriting
Anti-dumping tricks
1 2 3
The program erases the beginning of the code The program deciphers encrypted areas Skype import table is loaded, erasing part of the original import table
Code Erased code Erased code Erased code
Transition code
Transition code
Transition code
Transition code
Ciphered code
Ciphered code
Deciphered code
Deciphered code
18/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Conclusion
Binary reconstruction Skype seems to have its own packer. We need an unpacker to build a clean binary Read internal area descriptors Decipher each area using keys stored in the binary Read all custom import table Rebuild new import table with common one plus custom one in another section Patch to avoid auto decryption Oups Humm, it seems it crashes randomly... Lets have more fun
Fabrice Desclaux, Kostya Kortchinsky Vanilla Skype part 1 19/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Conclusion
Binary reconstruction Skype seems to have its own packer. We need an unpacker to build a clean binary Read internal area descriptors Decipher each area using keys stored in the binary Read all custom import table Rebuild new import table with common one plus custom one in another section Patch to avoid auto decryption Oups Humm, it seems it crashes randomly... Lets have more fun
Fabrice Desclaux, Kostya Kortchinsky Vanilla Skype part 1 19/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Outline
1 2 3 4 5 6 7
Context of the study Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation Conclusion
20/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Why it crashes?
Analysis We made a little patch to avoid Softice detection Maybe a piece of code checks if we patched the binary Test: hardware breakpoint on the Softice detection code Bingo! part of the software does a checksum on the Softice detection code Suspicious checksums In fact, it seems the code is full of checksums! A quick search shows more than 10...
21/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Checker 2
Checker 2
Checker N
Checker N
22/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Why checksums?
Integrity checks It prevents binary modication If a virus infects a binary, it changes its checksum... If someone puts a breakpoint or removes some code parts it will be detected The high number of checksums may mean the third reason is the good one.
23/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Automatic code ngerprinting Find a generic way to spot checksums Simulate them to get the correct value Generate a patch Do that until total annihilation Here is a code sample
24/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
start : xor edi , edi add e d i , Ox688E5C mov eax , Ox320E83 xor eax , Ox1C4C4 mov ebx , eax add ebx , OxFFCC5AFD loop start : mov ecx , [ e d i+Ox10 ] jmp lbl1 db Ox19 lbl1 : sub eax , e c x sub edi , 1 dec ebx jnz loop start jmp lbl2 db Ox73 lbl2 : jmp lbl3 dd OxC8528417 , OxD8FBBD1 , OxA36CFB2F , OxE8D6E4B7 , OxC0B8797A db Ox61 , OxBD lbl3 : sub eax , Ox4C49F346
25/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
But... Its composed of A pointer initialization A loop A lookup A test/computation We can build a script that spots such code
27/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Checksum ngerprint
28/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Checksum ngerprint
Invariant code
MOV ... ARIT ... ARIT ... ARIT ADDR1 : REG , CSTE | XOR REG , REG , REG , REG , REG
If register value is in a code segment when EIP reaches ADDR1, this is a checksum x86emu The code is emulated with x86emu (x86 emulator IDA plugin) to nd the nal value
Fabrice Desclaux, Kostya Kortchinsky Vanilla Skype part 1 29/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Patch generation
Automatic patch generator The goal is to compute the right value of the checksum. =This is done with x86emu again It detects the end of the loop (JCC) And stop the emulation when the JCC condition is not satised
30/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
31/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
32/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
start : xor edi , edi add e d i , Ox688E5C mov eax , Ox320E83 xor eax , Ox1C4C4 mov ebx , eax add ebx , OxFFCC5AFD loop start : mov ecx , [ e d i+Ox10 ] jmp lbl1 db Ox19 lbl1 : mov eax , Ox4C49F311 nop nop nop nop nop nop jmp lbl2 db Ox73 lbl2 : jmp lbl3 dd OxC8528417 , OxD8FBBD1 , OxA36CFB2F , OxE8D6E4B7 , OxC0B8797A db Ox61 , OxBD lbl3 : sub eax , Ox4C49F346
33/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Signature based integrity-check In fact our Skype version has another problem... It crashes randomly again There is a nal check: integrity check based on RSA signature Moduli stored in the binary
lea mov call lea mov call eax edx str eax edx str , [ ebp+v a r C ] , o f f s e t a65537 ; "65537" to bignum , [ ebp+v a r 1 0 ] , o f f s e t a38133593136037 ; " 3 8 1 3 3 5 9 3 1 3 6 0 3 7 6 7 7 5 4 2 3 0 6 4 3 4 2 9 8 9 3 6 7 5 1 1 8 4 2 " ... to bignum
34/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Outline
1 2 3 4 5 6 7
Context of the study Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation Conclusion
35/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Counter measures against dynamic attack Skype has some protections against debuggers Anti-Softice: try to load its driver. If succeded, Softice is loaded Generic anti-debugger: the checksums spot software breakpoints as they change the integrity of the binary
36/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Another test Hidden test: it checks if Softice is not in the drivers list.
c a l l EnumDeviceDrivers ... c a l l GetDeviceDriverBaseNameA ... cmp eax , ntic jnz next cmp ebx , e.sy jnz next cmp ecx , s \ x00 \ x00 \ x00 jnz next
37/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Timing measures Skype does timing measures in order to check if the process is being debugged or not
call mov gettickcount g e t t i c k c o u n t r e s u l t , eax
38/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
39/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Solution The random memory page is allocated with special characteristics So breakpoint on malloc(), ltered with those properties in order to spot the creation of this page We then spot the pointer that stores this page location We can then put an hardware breakpoint to monitor it, and break in the detection code
40/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Outline
1 2 3 4 5 6 7
Context of the study Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation Conclusion
41/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
42/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Techniques used
Code indirection calls
mov sub mov mov call neg add mov mov call eax , 9FFB40h eax , 7 F80h edx , 7799 C1Fh ecx , [ ebp14h ] eax ; s u b _ 9 F 7 B C 0 eax eax , 19 C87A36h edx , 0CCDACEF0h ecx , [ ebp14h ] eax ; eax = 009 F8F70 sub 9F8F70 : mov eax , [ e c x +34h ] push esi mov e s i , [ e c x +44h ] sub eax , 292 C1156h add e s i , eax mov eax , 371509EBh sub eax , edx mov [ e c x +44h ] , e s i xor eax , 40 F0FC15h pop esi retn
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Techniques used
44/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
In C, this means
45/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Techniques used
Execution ow rerouting
lea add push push mov call rol xor pop edx , [ e s p+4+v a r 4 ] eax , 3D4D101h o f f s e t area edx [ e s p+0Ch+v a r 4 ] , eax RaiseException 0 eax , 17 h eax , 350CA27h ecx In random functions, the code raises an exception So an error handler is called Skype decides if its a true error, or a generated one In the second case, Skype does calculus on memory addresses and registers So it comes back to the faulty code
Principle It makes it a bit harder to understand the whole code: we have to stop the error handler and study its code.
46/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Outline
1 2 3 4 5 6 7
Context of the study Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation Conclusion
47/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Skype on UDP
Skype UDP start of frame Skype UDP frames begin With a 2 byte ID number Then one obfuscated byte that introduces the following layer:
Obfuscated layer Ack / NAck Command forwarding Command resending few other stus
48/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Packets are encrypted with RC4 The RC4 key is calculated with elements from the datagram
public source and destination IP Skypes packet ID Skypes obfuscation layers IV
Source IP
Destination IP
ID
\x00\x00
IV CRC32
seed
RC4 key
(128 bytes)
50/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
At the begining, it uses 0.0.0.0 Its peer wont be able to decrypt the message (bad CRC) = The peer sends a NAck with the public IP Skype updates what it knows about its public IP accordingly
24 16 08 03 00 13 08 54 9238 2051 19 0x854 0x7f4e 0x77 82.124.72.51 131.176.134.86
Vanilla Skype part 1 51/72
UDP sport dport len chksum Skype SoF id func Skype NAck src dst
7f 4e 77
52 7c 48 33 83
b0 86 56
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Problem 2: What is the seed to RC4 key engine ? It is not an improvement of the ux capacitor It is a big fat obfuscated function It was designed to be the keystone of the network obfuscation RC4 key is 80 bytes, but there are at most 232 dierent keys It can be seen as an oracle We did not want to spend time on it = rst solution: we parasitized it
52/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
read requests on a UNIX socket fed the requets to the oracle function wrote the answers to the UNIX socket
53/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
56/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
57/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Value propagation
From asm to C At this point, we need to follow the white rabbit (eax, ecx)
mov mov call eax , [ KEY ] ecx , loc OUT sub 007ADB80
Value propagation initialization INPUT: EDX alias KEY ECX alias OUT Data ow analysis We need to follow EDX and ECX
Fabrice Desclaux, Kostya Kortchinsky Vanilla Skype part 1 58/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Value propagation
Assembly
Data Flow
59/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Example
From asm to C
EDX = KEY ECX = OUT sub 007ADB80: mov eax, edx ; EAX = KEY push esi ; None mov edx, [ecx+1Ch] ;EDX = OUT[0x1C] mov esi , [ecx+28h] ; ESI = OUT[0x28] sub edx, 354C1FF2h ;EDX = OUT[0x1C] - 0x354C1FF2 ; ESI = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor esi , edx ; EAX = ROL(KEY, 3) rol eax, 3 mov [ecx+28h], esi ; OUT[0x28] = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor eax, 22E40A3Eh ;EAX = ROL(KEY, 3) ^ 0x22E40A3E pop esi ; None retn ; None
60/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Example
From asm to C
EDX = KEY ECX = OUT sub 007ADB80: mov eax, edx ; EAX = KEY push esi ; None mov edx, [ecx+1Ch] ;EDX = OUT[0x1C] mov esi , [ecx+28h] ; ESI = OUT[0x28] sub edx, 354C1FF2h ;EDX = OUT[0x1C] - 0x354C1FF2 ; ESI = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor esi , edx ; EAX = ROL(KEY, 3) rol eax, 3 mov [ecx+28h], esi ; OUT[0x28] = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor eax, 22E40A3Eh ;EAX = ROL(KEY, 3) ^ 0x22E40A3E pop esi ; None retn ; None
60/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Example
From asm to C
EDX = KEY ECX = OUT sub 007ADB80: mov eax, edx ; EAX = KEY push esi ; None mov edx, [ecx+1Ch] ;EDX = OUT[0x1C] mov esi , [ecx+28h] ; ESI = OUT[0x28] sub edx, 354C1FF2h ;EDX = OUT[0x1C] - 0x354C1FF2 ; ESI = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor esi , edx ; EAX = ROL(KEY, 3) rol eax, 3 mov [ecx+28h], esi ; OUT[0x28] = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor eax, 22E40A3Eh ;EAX = ROL(KEY, 3) ^ 0x22E40A3E pop esi ; None retn ; None
60/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Example
From asm to C
EDX = KEY ECX = OUT sub 007ADB80: mov eax, edx ; EAX = KEY push esi ; None mov edx, [ecx+1Ch] ;EDX = OUT[0x1C] mov esi , [ecx+28h] ; ESI = OUT[0x28] sub edx, 354C1FF2h ;EDX = OUT[0x1C] - 0x354C1FF2 ; ESI = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor esi , edx ; EAX = ROL(KEY, 3) rol eax, 3 mov [ecx+28h], esi ; OUT[0x28] = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor eax, 22E40A3Eh ;EAX = ROL(KEY, 3) ^ 0x22E40A3E pop esi ; None retn ; None
60/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Example
From asm to C
EDX = KEY ECX = OUT sub 007ADB80: mov eax, edx ; EAX = KEY push esi ; None mov edx, [ecx+1Ch] ;EDX = OUT[0x1C] mov esi , [ecx+28h] ; ESI = OUT[0x28] sub edx, 354C1FF2h ;EDX = OUT[0x1C] - 0x354C1FF2 ; ESI = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor esi , edx ; EAX = ROL(KEY, 3) rol eax, 3 mov [ecx+28h], esi ; OUT[0x28] = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor eax, 22E40A3Eh ;EAX = ROL(KEY, 3) ^ 0x22E40A3E pop esi ; None retn ; None
60/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Example
From asm to C
EDX = KEY ECX = OUT sub 007ADB80: mov eax, edx ; EAX = KEY push esi ; None mov edx, [ecx+1Ch] ;EDX = OUT[0x1C] mov esi , [ecx+28h] ; ESI = OUT[0x28] sub edx, 354C1FF2h ;EDX = OUT[0x1C] - 0x354C1FF2 xor esi , edx ; ESI = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) ; EAX = ROL(KEY, 3) rol eax, 3 mov [ecx+28h], esi ; OUT[0x28] = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor eax, 22E40A3Eh ;EAX = ROL(KEY, 3) ^ 0x22E40A3E pop esi ; None retn ; None
60/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Example
From asm to C
EDX = KEY ECX = OUT sub 007ADB80: mov eax, edx ; EAX = KEY push esi ; None mov edx, [ecx+1Ch] ;EDX = OUT[0x1C] mov esi , [ecx+28h] ; ESI = OUT[0x28] sub edx, 354C1FF2h ;EDX = OUT[0x1C] - 0x354C1FF2 ; ESI = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor esi , edx rol eax, 3 ; EAX = ROL(KEY, 3) mov [ecx+28h], esi ; OUT[0x28] = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor eax, 22E40A3Eh ;EAX = ROL(KEY, 3) ^ 0x22E40A3E pop esi ; None retn ; None
60/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Example
From asm to C
EDX = KEY ECX = OUT sub 007ADB80: mov eax, edx ; EAX = KEY push esi ; None mov edx, [ecx+1Ch] ;EDX = OUT[0x1C] mov esi , [ecx+28h] ; ESI = OUT[0x28] sub edx, 354C1FF2h ;EDX = OUT[0x1C] - 0x354C1FF2 ; ESI = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor esi , edx ; EAX = ROL(KEY, 3) rol eax, 3 mov [ecx+28h], esi ; OUT[0x28] = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor eax, 22E40A3Eh ;EAX = ROL(KEY, 3) ^ 0x22E40A3E pop esi ; None retn ; None
60/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Example
From asm to C
EDX = KEY ECX = OUT sub 007ADB80: mov eax, edx ; EAX = KEY push esi ; None mov edx, [ecx+1Ch] ;EDX = OUT[0x1C] mov esi , [ecx+28h] ; ESI = OUT[0x28] sub edx, 354C1FF2h ;EDX = OUT[0x1C] - 0x354C1FF2 ; ESI = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor esi , edx ; EAX = ROL(KEY, 3) rol eax, 3 mov [ecx+28h], esi ; OUT[0x28] = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor eax, 22E40A3Eh ;EAX = ROL(KEY, 3) ^ 0x22E40A3E pop esi ; None retn ; None
60/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Example
From asm to C
EDX = KEY ECX = OUT sub 007ADB80: mov eax, edx ; EAX = KEY push esi ; None mov edx, [ecx+1Ch] ;EDX = OUT[0x1C] mov esi , [ecx+28h] ; ESI = OUT[0x28] sub edx, 354C1FF2h ;EDX = OUT[0x1C] - 0x354C1FF2 ; ESI = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor esi , edx ; EAX = ROL(KEY, 3) rol eax, 3 mov [ecx+28h], esi ; OUT[0x28] = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor eax, 22E40A3Eh ;EAX = ROL(KEY, 3) ^ 0x22E40A3E pop esi ; None retn ; None
60/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Example
From asm to C
EDX = KEY ECX = OUT sub 007ADB80: mov eax, edx ; EAX = KEY push esi ; None mov edx, [ecx+1Ch] ;EDX = OUT[0x1C] mov esi , [ecx+28h] ; ESI = OUT[0x28] sub edx, 354C1FF2h ;EDX = OUT[0x1C] - 0x354C1FF2 ; ESI = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor esi , edx ; EAX = ROL(KEY, 3) rol eax, 3 mov [ecx+28h], esi ; OUT[0x28] = OUT[0x28]^ ( OUT[0x1C] - 0x354C1FF2 ) xor eax, 22E40A3Eh ;EAX = ROL(KEY, 3) ^ 0x22E40A3E pop esi ; None retn ; None
60/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Value propagation
C back-end We can re-generate C code Only generate expressions that write output variables Discard all other intermediate expressions Some execution ow informations are needed to correctly update variables
61/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Example
62/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Example
62/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Value propagation
Final code
u n s i g n e d i n t sub 007ADB80 ( u n s i g n e d c h a r OUT, u n s i g n e d i n t KEY) { OUT[ 0 x28 ] = OUT[ 0 x28 ] ( OUT[ 0 x1C ] 0 x354C1FF2 ) ; r e t u r n ROL(KEY, 3 ) 0 x22E40A3E ; }
63/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Sub-functions
Generate function calls To generate calls to sub-functions, we need to know arguments form
AND MOV MOV LDR LDR MOV MOV R0 , LR , PC , R3 , R2 , LR , PC , R0 , #0xFF PC R2 =s i n [ R3 ] PC R2 ; sin ( r0 )
Function description
f u n c i m p o r t e d ={ __addd : [ R0 , R2 , R3 ] , sqrt : [ R0 ] , cos : [ R0 ] , sin : [ R0 ] , __ltd : [ R0 , R2 , R3 ] , ... Fabrice Desclaux, Kostya Kortchinsky Vanilla Skype part 1 64/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Example
v o i d sub 16957C ( u n s i g n e d unsigned i n t tmp var unsigned i n t tmp var unsigned i n t tmp var unsigned i n t tmp var unsigned i n t tmp var unsigned i n t tmp var unsigned i n t tmp var unsigned i n t tmp var unsigned i n t tmp var try{ i n t TAB, u n s i g n e d i n t IN KEY){ 507 ; 0; 6; 224 ; 96 ; 522 ; 408 ; 62 ; 31 ;
t m p v a r 0 = ( ( ( TAB [ 48 ] TAB [ 28 ] ) IN KEY ) \ ( LSR ( m u l 6 4 h ( ( ( TAB [ 48 ] TAB [ 28 ] ) IN KEY ) , 0 x38E38E39 ) , 1 ) + LSL ( LSR ( m u l 6 4 h ( ( ( TAB [ 48 ] TAB [ 28 ] ) IN KEY ) , 0 x38E38E39 ) i f ( ! ( ( t m p v a r 0 != 8 ) ) ) { sub 16254C ( TAB , 0xBC04BB40 ) ; s u b 1 6 5 8 8 0 ( TAB , 0 x141586A ) ; sub 1645CC ( TAB , TAB [ 60 ] ) ; } t m p v a r 6 = ( ( LSL ( TAB [ 64 ] , TAB [ 16 ] = t m p v a r 6 ; i f ( ! ( ( t m p v a r 0 != 0 ) ) ) { sub 1656B0 ( TAB , 0x1CB835FD sub 166D34 ( TAB , 0 x835400E0 s u b 1 6 4 3 7 4 ( TAB , TAB [ 64 ] Fabrice Desclaux, Kostya Kortchinsky 4 ) TAB [ 64 ] ) + TAB [ 16 ] ) ;
); ); );
65/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Demo
66/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
h Warning!
This is not generic asm2c program It can only recover simple expressions It doesnt support complex ow graph Dont think about taking an OS and recovering its source code
67/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Outline
1 2 3 4 5 6 7
Context of the study Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation Conclusion
68/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Conclusion
Automated reversing Using simple hypothesis, it works But it can be improved... Future work Better execution ow analyzer Detection of trivial dead-code (or opaque conditions) Automatic variable nding (IN/OUT variables) Stack analyzer for local variable manipulation Python Back-end
69/72
Binary packing Code integrity checks Anti debugging technics Code obfuscation Skype network obfuscation
Conclusion
Questions?
70/72
References
Outline
8
References
71/72
References
References
P. Biondi, Scapy
http://www.secdev.org/projects/scapy/
72/72