
UltraSurf

20090101

Research and Analysis of UltraSurf Software by Reverse Engineering

ABSTRACT

UltraSurf is a well-known client application on the Internet. With the help of its private communication protocols and remote servers acting as agents, it can be used to penetrate the network controls in place, so as to make remote information accessible. This thesis analyzes UltraSurf (version 8.8) using tools such as OllyDbg, Ethereal and iptables. The main method combines white-box and black-box software reverse engineering. The analysis concentrated on the working process of the software, its methods and algorithms of encryption and decryption, and its Internet connections. The analysis result includes the working principle of the software, the way the communication between the client machine and the proxy servers is encrypted, and the dynamic methods used to obtain the IP addresses of the proxy servers.

From the analysis result, a scheme to control the behavior of UltraSurf was set up. We validated it by deploying the system in the lab network environment. The test result of the control system indicates that it could make the users in the test environment unable to use UltraSurf while still browsing other websites as usual. We also summarize the characteristics of this kind of software and propose a general analytical method based on the analysis of UltraSurf.

Keywords: Network Monitoring, Disassembly, Secure Proxy

57

1.1
21

IE

UltraSurf

FreeGate

Garden

1.2
90

IP

DNS

2002 /

IP

UltraSurf
1

1.3

1.3.1
UltraSurf

UltraSurf

UltraSurf

1.3.2

EXE DLL

UltraSurf

UltraSurf
IP

IP IP

1.3.3
1


UltraSurf8.8 ( UltraSurf)

UltraSurf

2.1 PE
PE (Portable Executable File Format) VAX/VMS
COFF Windows EXE
DLL PE
EXE DLL [3]
PE

PE

2-1 PE
DOS

MS-DOS

exe dll

DOS MZ HEADER

DOS

DOS

MZ HEADER DOS STUB

PE

DOS

PE HEADER PE IMAGE_NT_HEADERS
PE

PE

PE DOS MZ HEADER PE HEADER

PE HEADER

PE

HEADER

SECTION TABLE

PE DOS MZ HEADER PE

PE HEADER PE HEADER

PE HEADER

PE

PE

SECTION

PE

PE

AddressOfEntryPoint RVA

PE HEADER

2.2

2.2.1
EXE

DLL

2-2

EXE

exe

exe

ASPack UPX PECompact

ASProtect tElock

2.2.2

FileInfo PEiD Gtw


PEiD

PEiD
400

2-1

UPX
ASPack
Petite
PECompact
Neolite
PE-PACK
ASProtect

UPX upx d
FS ProcDump
AspackDie CASPR un-ASPack DeASPack Anti-ASPack ProcDump
Unpetite ProcDump
PeunCompact tNO-Peunc UnPECompact ProcDump
Neolite ProcDump
DePEPACK UnPEPack ProcDump
AsprStripperXP CASPR Asprotect Deprotector Anti Aspr

[2]

OEP

PE

PE AddressOfEntryPoint DWORD

Scan IceDump

JMP

D.boy AsprLoader PE-

TRW2000

TRW2000

OEP

IAT()
API

Windows IAT
IAT

ImportREC Revirgin

2.3

Reverse Engineering

[5][6][7]

IDA Pro W32dasm OllyDbg IDA w32dasm

[14][19]

OllyDbg

API

2.3.1

[4][21]

0 1

2.3.2 Windows
Windows

16 Dos

windows API

VCL [17]

MFC

PE

Windows

Windows

[13][15]

OllyDbg

OllyMachine

OS

OllyDbg 1.10


UltraSurf
3.1 UltraSurf

3.1.1 UltraSurf

UltraSurf

UltraSurf

UltraReach Internet Corp.

3.1.2 UltraSurf
UltraSurf

3-1

IE

http://www.ultrareach.net/wujie.htm ( 3-2 UltraSurf )


3-3 ,20 IE

IE http://www.ultrareach.net/wujie.htm

IE
DNS
windows cmd nslookup (
IP )http://www.ultrareach.net/wujie.htm
IP
3.1.3 UltraSurf

UltraSurf


Google

UltraSurf

UltraSurf

http://127.0.0.1:9666/

9666

Cookie

HTTP

3.2 UltraSurf

3.2.1

UltraSurf
PEiD UltraSurf 3-3 .

UPX

UPX

3.2.2
Windows
Windows API

http://127.0.0.1:9666

UltraSurf

IE

IE

Internet

9666

UltraSurf


3-4

UltraSurf

UltraSurf

cookie

3.2.3

Win 32

UltraSurf UPX
106K

UPX

UPX

UPX

upx -d u88c.exe
PEiD VC++ 6.0
3

5

UltraSurf

3.3 UltraSurf

3.3.1 OllyDbg
1

OllyDbg [10]
OllyDbg 1.10 ZIP

OllyDbg.exe RAR
OllyDbg.exe

OllyDbg

3-6

HEX

->

CPU

EAX EBX ECX EDX



ESP EBP

ESI

EDI EIP

OllyDbg
OllyDbg

->

->


F2

F2

F2
F8

CALL
F7

(F8)

CALL

F4

F9

CTRL+F9 ret ()

ALT+F9


3.3.2

OllyDbg

3-7

IP

3.3.3

0x400000


F8
UltraSurf

CALL CALL

CALL

GetStartupInfo GetModuleHandle

exit

MSDN

exit

F7

F2

F9
0x400000[12]

0x400000

MFC42.dll USER32.dll

JMP CALL

MFC

DLL

OllyDbg

USER32,KERNEL32 DLL

3.3.4 MFC

004173F6 |. E8 43000000 CALL <JMP.&MFC42.#1576_?AfxWinMain@@YGHP>
MFC

UltraSurf MFC

MFC

Windows

MFC Windows API

Windows C++


MFC Windows API

Windows API [9]


MFC
MFC

AfxWinMain
0040538E . E8 CF190100 CALL <JMP.&MFC42.#2514_?DoModal@CDialog@> ; // MFC42.dll, MFC
MSDN

MFC

UltraSurf

UltraSurf

MFC DoModal()
3-8 MFC
73D3CF6D
73D3CF71
004050D4

EAX

EAX 58

[11][20][22]

3.3.5

AfxBeginThread

AfxBeginThread
MSDN AfxBeginThread worker


UI

UltraSurf 9 worker AfxBeginThread 1 UI


AfxBeginThread UI worker

A:

B: UDP
C:

D:
E:
F: 443
G:
H:
I:

3.3.6 UltraSurf

fopen,fwrite,fread,fseek,ftell

Filemon

ASCII

"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\" "

ADMINI~1 "

C:\Documents and Settings\\Local Settings\Temp

Filemon


OllyDbg

fopen,fread,ftell,fwrite

fopen

fopen

00405C31 . E8 E4720000 CALL u.0040CF1A
00405C36 . E8 2B750000 CALL u.0040D166
00405C3B . E8 4E710000 CALL u.0040CD8E
00405C40 . E8 07740000 CALL u.0040D04C
00405C45 . E8 5C760000 CALL u.0040D2A6

CALL fopen

CALL CALL

GetTempPath EBX

ASCII C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ CALL

CALL

CALL

GetWindowsDirectory GetVolumeInformation
GetVolumeInformation

C:\Windows


MSDN

GetWindowsDirectory Windows
C:\Windows

GetVolumeInformation

->->cmd

vol

( 3-9 )
CALL EAX
C05F0611

vol C


windows

ADD,DIV,SHR,XOR

C++
CALL
CALL

CALL

strcat
2

CALL

CALL


UltraSurf

1 2

1 2

1 2

1 2

2)

RegOpenKey,RegQueryValue,RegCloseKey.

\HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
IE

IE

IE

127.0.0.1


UltraSurf

UltraSurf

IE cookie
UltraSurf

Windows

3)
UltraSurf

UltraSurf


0 04000000
3
IP

IP

ASCII IP

IP
5-8
40 IP IP

IP

IP

0000

040000

3.5.2
C++
9

IP 4-

DNS IP IP

IP


3.3.7 UltraSurf
1)
UltraSurf

IP

Ethereal Outpost

Ethereal

IP

3
TCP SSL
IP

IP

IP

IP

3
TCP SSL

DNS

DNS

ns2.d79872fb4.net IP DNS

TCP SSL 3

DNS IP DNS

IP

IP

DNS IP

Outpost IP

DNS

3 DNS

IP


IP IP

1 2

IP

IP

1 2

IP

1 2

1 2

IP

1 2

1 2 UltraSurf

2)DNS
UltraSurf DNS IP DNS DNS

ql.1y.~{z(,*{1qzk


40

DNS

ns1.flade735d.net

DNS

ns1.flade735d.net

DNS

May-21-13:50:05 | 929453: Send IDURL Query ns1.062efa01c.net to node 71.229.238.191.
IP IP
IP DNS

UltraSurf DNS

IP

UltraSurf

Ethereal

DNS

DNS

3
3 IP DNS

DNS

DNS


Outpost

3 IP

Outpost

3 IP

3 IP

DNS

IP

3 -> DNS

3 IP

DNS IP

DNS IP IP

IP IP
DNS IP

IP

IP IP

IP IP

Outpost

IP

DNS UltraSurf

UltraSurf IP

3)IE

IE

IE

IE IE

->

-> LAN
127.0.0.1:9666

InternetSetOption

127.0.0.1:9666

UltraSurf

IE

IE

4)

13

13

13

11


11

rand()

srand()

0x20

DeviceIoControl API

API

MSDN

API

CreateFile

CreateFile,

UltraSurf

DeviceIoControl

3.5.6

IP UltraSurf

3.4 UltraSurf
UltraSurf


3.4.1 UltraSurf
3-10 UltraSurf

IE

IP

Figure 3-10 labels: UltraSurf / 127.0.0.1:9666 / UltraSurf

UltraSurf


3.4.2 UltraSurf IP
3-10 UltraSurf

4 IP

1) IP

3.5.1

IP IP
2) DNS

DNS

DNS IP

:ns1.flade753d.net

DNS

DNS DNS
IP IP IP
IP
3) gdoc

Google doc

https://docs.google.com/View?docid=dd4gbd38_6c8fpk2 DNS

google doc

http://docs.google.com

HTTP

1-8 13

20

IP [8]

4)
: IP IP

IP

5 IP:
211.74.78.17
66.245.217.9
66.245.217.227
66.245.196.247
118.168.50.105
UltraSurf (1)
(3) (1),(2),(3)(4)
3-11


(2)

3-11

DNS 40

IE 127.0.0.1:9666

IP

DNS IP 351

IP
40

DNS IP

DNS


ns1.f1ade735d.net

DNS DNS

IP IP,

UDP

DNS

IP IP , IP

UltraSurf

IP

3-11 IP

UltraSurf

DNS ,gdoc IP
IP

IP

IP

DNS IP IP

IP

IP IP
3.4.3 UltraSurf
UltraSurf
UltraSurf

UltraSurf

UltraSurf
2

3.3.6

1)

2)

DNS

3)

IE

4)

UltraSurf

5)

2 IP

TCP

127.0.0.1:9666 IP

7)

8)

3 IP

3 IP
TCP

10)

127.0.0.1:9666

6)

9)

10

(15)

DNS

UDP DNS


IP
11)

IP IP IP
IP

12)

IP

13)

URL,

14)

IP ,

15)

(15)

(15)

443

IP
16)

IP 3

17)

IE

3.5 UltraSurf
UltraSurf

UltraSurf

1)
2)
3) DNS
4) RC4
5)
6

3.5.1 UltraSurf
UltraSurf 8

9

2 8

UltraSurf IE
C

vol

F( A B) = C C

G C

D[i], 8

[i]

D[i]

i 0 7

para 32

vol 32

num

char 6

file_name

char 8

para

vol

API C

vol = vol ^

vol = vol ^ 0x801

vol = vol + para

vol

para * 32

file_name[0]

vol / 2 26
7

[i - 1]

i vol num

26

26
9

num vol

0x41

0x7E

0x61

vol

0x61


3.5.2 UltraSurf
UltraSurf
IP

3
UltraSurf

DNS IP

F([i], [j]) = t, t

0xFABEBABE

4) 3

5) 0x3F6CB254 0xAE985D36

6) 0
0x78B4FEAE

0x3DCF578A

7)

7.1) index 0
7.2) index

7.3) counter

table_[index] ^= (counter / 16) | ((counter / 16) * 16);


7.4) counter


plain_[counter] = table_[index] ^ cipher_[counter];


7.5

index

index = (cipher_[counter] % 7) ^ index;


7.6

7.2

3.5.3 UltraSurf DNS

0x00

32 0

32

32 1F

ASCII
3.5.4 UltraSurf

2008-05-05 18:40:00,send UDP query to 58.9.3.4,

RC4
RC4
256

UltraSurf
256

00-FF


3.5.5 UltraSurf

UltraSurf 443

14

8 6

8 6

malloc

3 1

1 1

2 3

10

11

12

10

8 6

3.5.6 UltraSurf
UltraSurf 13


08 01 11

rand

CreateFile

DeviceIoControl

SMART_RCV_DRIVE_DATA

netbios 10

0A+"

mac

WD-WMAM9DZ12046"

0x1E

10 3

20 "

WMAM9DZ12046"

0xF8C9

EAX( 0

),ECX( 0xF8C9)

ESI 0

WD

EDI

5 EDI EAX*ECX+EDI ECX=ECX*0x5C6B7,

8 EAX

EAX

11 EAX

UltraSurf

UltraSurf

3.6
UltraSurf

(1)

UltraSurf Visual C++ 6.0


(2)

UPX

UltraSurf

UltraSurf

(3)

UltraSurf MFC Windows

(4)

UltraSurf Winsock2 API

TCP UDP

(5) DNS IP

DNS DNS

IP
(6) IP URL

IP URL

DNS
(7)

UltraSurf

(8)


4.1
UltraSurf
IP

4.1.1


4.1.2


4-2


IP

4.2

IP

[16]

IP
IP 90

IP

IP

IP

IP

IP
2

2002

ACK-FIN

IDS

[18]

5-15 IP IP


IP

IP

IP
IP

IP

4.3
UltraSurf

DNS IP
DNS IP

DNS IP

UltraSurf

IP

UltraSurf

UltraSurf

DNS

DNS

DNS

DNS IP
UltraSurf
1

IP

DNS IP

IP

IP

URL


4.4
4.3

4-3

PC

Fedora 6 Linux

Linux

Linux iptables

IP URL

Linux

IP

IP

UltraSurf IP
UltraSurf

IP


IP

UltraSurf
IP

iptables

IP

IP

4.4.1

1
UltraSurf

IP

UltraSurf

IP

www.yahoo.com
spaces.msn.com

cn.profiles.yahoo.com
spaces.live.com

www.msn.com

flickr.com

www.qxbbs.org
www.dajiyuan.com


4.4.2

UltraSurf

4-1 4-2

/
/

4.4.3 IP
UltraSurf IP

6000 IP

IP

IP

4-3

4512

1360

442

103


22

12

UltraSurf

IP

UltraSurf

IP


[1] ,

[2] ,

[3] ,

[4]

[5] E. Chikofsky, J. Cross. Reverse engineering and design recovery: A taxonomy. IEEE Software, 7(1), 1990.

2003

2004
2006

[] 2001

[6] Hassan, A.E., Holt, R.C. The small world of software reverse engineering. Proceedings of the 11th Working Conference on Reverse Engineering, 8-12 November 2004.
[7] Rainer Koschke. Software Visualization for Reverse Engineering, Lecture Notes
in Computer Science. Volume 2269, 2002.
[8] Andritsos, P., Miller, R.J. Reverse engineering meets data analysis. Proceedings of the 9th International Workshop on Program Comprehension (IWPC 2001), 12-13 May 2001.
[9] Moise, D.L., Wong, K., Sun, D. Integrating a reverse engineering tool with Microsoft Visual Studio .NET. Proceedings of the Conference on Software Maintenance and Reengineering (CSMR 2004), 2004.
[10] Kris Kaspersky. Hacker Disassembling Uncovered. 2004.
[11] Kip R. Irvine. Assembly Language for Intel-Based Computers. 2004.

[12]

Windows 32

2006

[13] , ,

2003
[14]

, ,

Vol.2 No.2

2004.6
[15] , ,

[16]

2001.

VPN

2003.5

[17] ,,

Vol.14 No.4

2004.4
[18]

2000.1

[19]

[]

Vol.36 No.8 1999.8


[20]

Vol.20 No.4 2000.12
[21]
80X86
1999
[22]

40 7

2003.7

