20090101
ABSTRACT
57
1.1
21
IE
UltraSurf
FreeGate
Garden
1.2
90
IP
DNS
2002 /
IP
UltraSurf
1
1.3
1.3.1
UltraSurf
UltraSurf
UltraSurf
1.3.2
EXE DLL
UltraSurf
UltraSurf
IP
IP IP
1.3.3
1
UltraSurf 8.8 (UltraSurf)
UltraSurf
2.1 PE
PE (Portable Executable File Format) VAX/VMS
COFF Windows EXE
DLL PE
EXE DLL [3]
PE
PE
2-1 PE
DOS
MS-DOS
exe dll
DOS MZ HEADER
DOS
DOS
PE
DOS
PE HEADER PE IMAGE_NT_HEADERS
PE
PE
PE HEADER
PE
HEADER
SECTION TABLE
PE DOS MZ HEADER PE
PE HEADER PE HEADER
PE HEADER
PE
PE
SECTION
PE
PE
AddressOfEntryPoint RVA
PE HEADER
2.2
2.2.1
EXE
DLL
2-2
EXE
exe
exe
ASProtect tElock
2.2.2
PEiD
400
2-1 Packers and the corresponding unpacking tools
Packer      Unpacking tools
UPX         upx -d, FS, ProcDump
ASPack      AspackDie, CASPR, un-ASPack, DeASPack, Anti-ASPack, ProcDump
Petite      Unpetite, ProcDump
PECompact   PeunCompact, tNO-Peunc, UnPECompact, ProcDump
Neolite     Neolite, ProcDump
PE-PACK     DePEPACK, UnPEPack, ProcDump
ASProtect   AsprStripperXP, CASPR, Asprotect Deprotector, Anti Aspr
[2]
OEP
PE
PE AddressOfEntryPoint DWORD
Scan IceDump
JMP
TRW2000
TRW2000
OEP
IAT (Import Address Table)
API
Windows IAT
IAT
ImportREC Revirgin
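The PE layout described in 2.1 (DOS MZ header, the e_lfanew field at its end, the PE header, the section table, AddressOfEntryPoint stored as an RVA) and the packed-entry-point problem of 2.2.2, as an added Python example. This is not code from the thesis or from UltraSurf. parse_pe walks the headers of a byte buffer, entry_va adds the image base (0x400000 for UltraSurf), and pack_hints applies two static heuristics: UPX section names and an entry point outside the first section. build_sample_pe constructs a header-only PE32 image for the test, since the page's sample binary is not available; the section names and the "first section" rule are assumptions matching typical UPX and VC++ 6.0 output, not a PEiD signature.

```python
import struct

# Section names UPX writes; used as a packer hint (assumption: plain UPX layout,
# not a PEiD signature scan).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_pe(data):
    """Walk DOS MZ header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing DOS MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # last DOS header field: offset of PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint, an RVA
    if magic == 0x10B:                                       # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                     # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    table = opt + opt_size
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\x00"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"entry_rva": entry_rva, "image_base": image_base,
            "is_dll": bool(chars & 0x2000), "sections": sections}


def entry_va(pe):
    """Virtual address of the entry point: ImageBase + AddressOfEntryPoint."""
    return pe["image_base"] + pe["entry_rva"]


def section_for_rva(pe, rva):
    """Section whose virtual range contains rva, or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def pack_hints(pe):
    """Cheap static hints that the entry point is a packer stub rather than the OEP."""
    hints = []
    if {s["name"] for s in pe["sections"]} & UPX_SECTION_NAMES:
        hints.append("upx-section-names")
    ep = section_for_rva(pe, pe["entry_rva"])
    if pe["sections"] and ep is not pe["sections"][0]:
        hints.append("entry-not-in-first-section")
    return hints


def build_sample_pe(section_names, entry_rva, image_base=0x400000):
    """Constructed minimal PE32 header (headers only, not runnable) for exercising the parser."""
    opt_size = 0xE0                                           # size of a PE32 optional header
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)               # ImageBase
    table, va = b"", 0x1000
    for name in section_names:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), 0x1000, va, 0x200, 0x400,
                             0, 0, 0, 0, 0x60000020)
        va += 0x1000
    return dos + b"PE\x00\x00" + coff + bytes(opt) + table


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], 0x2100))
    print(hex(entry_va(pe)), section_for_rva(pe, pe["entry_rva"])["name"], pack_hints(pe))
```

Run it against a real file with parse_pe(open(path, "rb").read()). A hit from pack_hints means AddressOfEntryPoint points at the unpacking stub, so the OEP still has to be found dynamically as 2.2.2 describes (or with upx -d where the UPX headers are intact).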
2.3
Reverse Engineering
[5][6][7]
[14][19]
OllyDbg
API
2.3.1
[4][21]
0 1
2.3.2 Windows
Windows
16 Dos
Windows API
VCL [17]
MFC
PE
Windows
Windows
[13][15]
OllyDbg
OllyMachine
OS
OllyDbg 1.10
UltraSurf
3.1 UltraSurf
3.1.1 UltraSurf
UltraSurf
UltraSurf
3.1.2 UltraSurf
UltraSurf
3-1
IE
3-3 ,20 IE
IE http://www.ultrareach.net/wujie.htm
IE
DNS
Windows cmd nslookup (
IP) http://www.ultrareach.net/wujie.htm
IP
3.1.3 UltraSurf
UltraSurf
UltraSurf
UltraSurf
http://127.0.0.1:9666/
9666
Cookie
HTTP
3.2 UltraSurf
3.2.1
UltraSurf
PEiD UltraSurf 3-3 .
UPX
UPX
3.2.2
Windows
Windows API
http://127.0.0.1:9666
UltraSurf
IE
IE
Internet
9666
UltraSurf
3-4
UltraSurf
UltraSurf
cookie
3.2.3
Win32
UltraSurf UPX
106K
UPX
UPX
UPX
upx -d u88c.exe
PEiD VC++ 6.0
3
5
UltraSurf
3.3 UltraSurf
3.3.1 OllyDbg
1
OllyDbg [10]
OllyDbg 1.10 ZIP
OllyDbg.exe RAR
OllyDbg.exe
OllyDbg
3-6
HEX
->
CPU
ESP EBP
ESI
EDI EIP
OllyDbg
OllyDbg
->
->
F2
F2
F2
F8
CALL
F7
(F8)
CALL
F4
F9
CTRL+F9 (run until ret)
ALT+F9
3.3.2
OllyDbg
3-7
IP
3.3.3
0x400000
F8
UltraSurf
CALL CALL
CALL
GetStartupInfo GetModuleHandle
exit
MSDN
exit
F7
F2
F9
0x400000[12]
0x400000
MFC42.dll USER32.dll
JMP CALL
MFC
DLL
OllyDbg
USER32,KERNEL32 DLL
3.3.4 MFC
004173F6  |. E8 43000000   CALL <JMP.&MFC42.#1576_?AfxWinMain@@YGHP>
MFC
UltraSurf MFC
MFC
Windows
Windows C++
AfxWinMain
0040538E  . E8 CF190100   CALL <JMP.&MFC42.#2514_?DoModal@CDialog@>  ; // MFC
MFC42.dll
MSDN
MFC
UltraSurf
UltraSurf
MFC DoModal()
3-8 MFC
73D3CF6D
73D3CF71
004050D4
EAX
EAX 58
[11][20][22]
3.3.5
AfxBeginThread
AfxBeginThread
MSDN AfxBeginThread worker
UI
A:
B: UDP
C:
D:
E:
F: 443
G:
H:
I:
3.3.6 UltraSurf
fopen,fwrite,fread,fseek,ftell
Filemon
ASCII
"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\" "
ADMINI~1 "
Filemon
OllyDbg
fopen,fread,ftell,fwrite
fopen
fopen
00405C31  . E8 E4720000   CALL u.0040CF1A
00405C36  . E8 2B750000   CALL u.0040D166
00405C3B  . E8 4E710000   CALL u.0040CD8E
00405C40  . E8 07740000   CALL u.0040D04C
00405C45  . E8 5C760000   CALL u.0040D2A6
CALL fopen
CALL CALL
GetTempPath EBX
CALL
CALL
GetWindowsDirectory GetVolumeInformation
GetVolumeInformation
C:\Windows
MSDN
GetWindowsDirectory Windows
C:\Windows
GetVolumeInformation
->->cmd
vol
( 3-9 )
CALL EAX
C05F0611
vol C
Windows
ADD,DIV,SHR,XOR
C++
CALL
CALL
CALL
strcat
2
CALL
CALL
UltraSurf
1 2
1 2
1 2
1 2
2)
RegOpenKey,RegQueryValue,RegCloseKey.
\HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
IE
IE
IE
127.0.0.1
UltraSurf
UltraSurf
IE cookie
UltraSurf
Windows
3)
UltraSurf
UltraSurf
0 04000000
3
IP
IP
ASCII IP
IP
5-8
40 IP IP
IP
IP
0000
040000
3.5.2
C++
9
IP 4-
DNS IP IP
IP
3.3.7 UltraSurf
1)
UltraSurf
IP
Ethereal, Outpost
Ethereal
IP
3
TCP SSL
IP
IP
IP
IP
3
TCP SSL
DNS
DNS
ns2.d79872fb4.net IP DNS
TCP SSL 3
DNS IP DNS
IP
IP
DNS IP
Outpost IP
DNS
3 DNS
IP
IP IP
1 2
IP
IP
1 2
IP
1 2
1 2
IP
1 2
1 2 UltraSurf
2)DNS
UltraSurf DNS IP DNS DNS
ql.1y.~{z(,*{1qzk
40
DNS
ns1.flade735d.net
DNS
ns1.flade735d.net
DNS
UltraSurf DNS
IP
UltraSurf
Ethereal
DNS
DNS
3
3 IP DNS
DNS
DNS
Outpost
3 IP
Outpost
3 IP
3 IP
DNS
IP
3 -> DNS
3 IP
DNS IP
DNS IP IP
IP IP
DNS IP
IP
IP IP
IP IP
Outpost
IP
DNS UltraSurf
UltraSurf IP
3)IE
IE
IE
IE IE
->
-> LAN
127.0.0.1:9666
InternetSetOption
127.0.0.1:9666
UltraSurf
IE
IE
4)
13
13
13
11
11
rand()
srand()
0x20
DeviceIoControl API
API
MSDN
API
CreateFile
CreateFile,
UltraSurf
DeviceIoControl
3.5.6
IP UltraSurf
3.4 UltraSurf
UltraSurf
3.4.1 UltraSurf
3-10 UltraSurf [figure: IE, UltraSurf listening on 127.0.0.1:9666, UltraSurf, server IP]
3.4.2 UltraSurf IP
3-10 UltraSurf
4 IP
1) IP
3.5.1
IP IP
2) DNS
DNS
DNS IP
: ns1.flade735d.net
DNS
DNS DNS
IP IP IP
IP
3) gdoc
Google doc
https://docs.google.com/View?docid=dd4gbd38_6c8fpk2 DNS
google doc
http://docs.google.com
HTTP
1-8 13
20
IP [8]
4)
: IP IP
IP
5 IP:
211.74.78.17
66.245.217.9
66.245.217.227
66.245.196.247
118.168.50.105
UltraSurf (1)
(3) (1),(2),(3)(4)
3-11
(2)
3-11
DNS 40
IE 127.0.0.1:9666
IP
DNS IP 351
IP
40
DNS IP
DNS
ns1.flade735d.net
DNS DNS
IP IP,
UDP
DNS
IP IP , IP
UltraSurf
IP
3-11 IP
UltraSurf
DNS ,gdoc IP
IP
IP
IP
DNS IP IP
IP
IP IP
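An added Python example of the DNS exchange described in 3.3.7 (2) and 3.4.2 (2): the client sends a query whose name carries an encoded string, and the server answers with records holding server addresses. This is not code from UltraSurf or from the thesis. flade735d.net and the 17-character encoded string "ql.1y.~{z(,*{1qzk" are taken from the page; composing the query name by prefixing that string to the zone, and returning the addresses as plain A records rather than some other record type, are assumptions. The two addresses used in the test are from the fallback list in 3.4.2 (4). non_hostname_labels is the check the DNS-based detection of chapter 4 can apply: a label containing characters outside letters, digits and hyphen is not a host name, whatever the zone.

```python
import struct

# Values quoted on the page for UltraSurf 8.8 (2009). Prefixing the encoded label
# to the zone is an assumption about how the client composes the query name.
SERVER_ZONE = "flade735d.net"
ENCODED_LABEL = "ql.1y.~{z(,*{1qzk"


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels. Any octet is legal in a
    label (RFC 2181), which is what lets an encoded blob travel as a 'hostname'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("latin-1")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data, off):
    """Decode a (possibly compressed) name at off; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack_from(">H", data, off)[0] & 0x3FFF
            if end is None:
                end = off + 2                       # reader resumes after the pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("latin-1"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def build_query(name, txid=0x1234):
    """Client side: one recursive A/IN question, no other sections."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)


def build_response(query, ips, ttl=60):
    """Server side: echo the question, add one A record per address, pointing the
    owner name back at the question with the 0xC00C compression pointer."""
    txid = struct.unpack_from(">H", query, 0)[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, ttl, 4)
                   + bytes(int(o) for o in ip.split(".")) for ip in ips)
    return header + query[12:] + rrs


def parse_response(data):
    """What a client (or a sensor) extracts: transaction id, rcode, name, A records."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    qname, off = decode_name(data, 12)
    off += 4                                        # QTYPE, QCLASS
    ips = []
    for _ in range(an):
        _owner, off = decode_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return {"id": txid, "rcode": flags & 0xF, "qname": qname, "ips": ips}


def non_hostname_labels(name):
    """Labels that violate the letters-digits-hyphen host name rule: a cheap sign
    that the name carries encoded payload rather than a host name."""
    return [l for l in name.split(".")
            if not all(c.isalnum() or c == "-" for c in l) or l.startswith("-") or l.endswith("-")]


if __name__ == "__main__":
    q = build_query(ENCODED_LABEL + "." + SERVER_ZONE)
    r = build_response(q, ["211.74.78.17", "66.245.217.9"])
    print(parse_response(r), non_hostname_labels(parse_response(r)["qname"]))
```

The query and response are plain UDP payloads; sending them needs nothing more than a socket.sendto to port 53 on the resolver. The detection check works on the query alone, which is what a gateway sees before any answer arrives.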
3.4.3 UltraSurf
UltraSurf
UltraSurf
UltraSurf
UltraSurf
2
3.3.6
1)
2)
DNS
3)
IE
4)
UltraSurf
5)
2 IP
TCP
127.0.0.1:9666 IP
7)
8)
3 IP
3 IP
TCP
10)
127.0.0.1:9666
6)
9)
10
(15)
DNS
UDP DNS
IP
11)
IP IP IP
IP
12)
IP
13)
URL,
14)
IP ,
15)
(15)
(15)
443
IP
16)
IP 3
17)
IE
3.5 UltraSurf
UltraSurf
UltraSurf
1)
2)
3) DNS
4) RC4
5)
6
3.5.1 UltraSurf
UltraSurf 8
9
2 8
UltraSurf IE
C
vol
F( A B) = C C
G C
D[i], 8
[i]
D[i]
i 0 7
para 32
vol 32
num
char 6
file_name
char 8
para
vol
API C
vol = vol ^
vol
para * 32
file_name[0]
vol / 2 26
7
[i - 1]
i vol num
26
26
9
num vol
0x41
0x7E
0x61
vol
0x61
3.5.2 UltraSurf
UltraSurf
IP
3
UltraSurf
DNS IP
F([i], [j]) = t, t
0xFABEBABE
4) 3
5) 0x3F6CB254 0xAE985D36
6) 0
0x78B4FEAE
0x3DCF578A
7)
7.1) index 0
7.2) index
7.3) counter
index
7.2
0x00
32 0
32
32 1F
ASCII
3.5.4 UltraSurf
RC4
RC4
256
UltraSurf
256
00-FF
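An added Python example, not UltraSurf's or the thesis's code, of the RC4 that 3.5.4 identifies from its 256-byte S-box: rc4_ksa produces the key-dependent permutation of 00..FF, rc4_keystream is the output generator, and sbox_is_permutation is the check to apply to a 256-byte table found in the debugger. The test verifies the implementation against the standard RC4 test vectors (key "Key", plaintext "Plaintext"); the assumption is that UltraSurf uses unmodified RC4, which the page does not contradict. keystream_reuse_leak shows the classic failure mode when one key (and so one keystream) is used for two messages.

```python
def rc4_ksa(key):
    """Key scheduling: start from the identity table 00..FF and permute it under the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(s, n):
    """Generate n keystream bytes from a scheduled S-box (PRGA); s is copied, not mutated."""
    s = list(s)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key, data):
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(rc4_ksa(key), len(data))))


def sbox_is_permutation(s):
    """What a 256-byte S-box found in memory must satisfy: every value 00..FF exactly once."""
    return len(s) == 256 and sorted(s) == list(range(256))


def keystream_reuse_leak(key, m1, m2):
    """Why a fixed key is dangerous: two ciphertexts under one keystream XOR to the
    XOR of the plaintexts, so known text in one message exposes the other."""
    c1, c2 = rc4(key, m1), rc4(key, m2)
    n = min(len(c1), len(c2))
    c_xor = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    m_xor = bytes(a ^ b for a, b in zip(m1[:n], m2[:n]))
    return c_xor == m_xor


if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())   # standard RC4 test vector
```

RC4 has known keystream biases and is prohibited in TLS (RFC 7465); the point here is recognising it in a binary, not recommending it.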
3.5.5 UltraSurf
UltraSurf 443
14
8 6
8 6
malloc
3 1
1 1
2 3
10
11
12
10
8 6
3.5.6 UltraSurf
UltraSurf 13
08 01 11
rand
CreateFile
DeviceIoControl
SMART_RCV_DRIVE_DATA
NetBIOS 10
0A+"
MAC
WD-WMAM9DZ12046"
0x1E
10 3
20 "
WMAM9DZ12046"
0xF8C9
EAX( 0
),ECX( 0xF8C9)
ESI 0
WD
EDI
8 EAX
EAX
11 EAX
UltraSurf
UltraSurf
3.6
UltraSurf
(1)
(2)
UPX
UltraSurf
UltraSurf
(3)
(4)
TCP UDP
(5) DNS IP
DNS DNS
IP
(6) IP URL
IP URL
DNS
(7)
UltraSurf
(8)
4.1
UltraSurf
IP
4.1.1
4.1.2
4-2
IP
4.2
IP
[16]
IP
IP 90
IP
IP
IP
IP
IP
2
2002
ACK-FIN
IDS
[18]
5-15 IP IP
IP
IP
IP
IP
IP
4.3
UltraSurf
DNS IP
DNS IP
DNS IP
UltraSurf
IP
UltraSurf
UltraSurf
DNS
DNS
DNS
DNS IP
UltraSurf
1
IP
DNS IP
IP
IP
URL
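An added Python example of the detection approach of 4.3 and 4.4: match traffic against the indicators chapter 3 extracted from UltraSurf (the nameservers it queries, the five fallback server addresses, its use of port 443, and the local proxy on 127.0.0.1:9666) and turn the hits into iptables rules for a Linux gateway. This is not the thesis's own script. The indicator values are the page's; the log format and the log lines are constructed for the example, and the DNS rule uses iptables -m string on the distinctive second-level label because wire-format DNS names carry length bytes instead of dots. The indicators are from 2009 and only exercise the matching logic.

```python
import re

# Indicators reported on the page for UltraSurf 8.8 (2009); stale today.
DNS_SERVER_NAMES = {"ns1.flade735d.net", "ns2.d79872fb4.net"}
FALLBACK_IPS = {"211.74.78.17", "66.245.217.9", "66.245.217.227",
                "66.245.196.247", "118.168.50.105"}
SERVER_PORT = "443"
LOCAL_PROXY = ("127.0.0.1", "9666")

# Constructed sample log lines in an assumed space-separated format (not from the page).
SAMPLE_LOG = """\
2009-01-01T10:00:01 DNS 10.0.0.5 query www.yahoo.com
2009-01-01T10:00:02 DNS 10.0.0.5 query ns1.flade735d.net
2009-01-01T10:00:03 DNS 10.0.0.5 query ql.1y.~{z(,*{1qzk.flade735d.net
2009-01-01T10:00:04 TCP 10.0.0.5:3456 -> 66.245.217.9:443
2009-01-01T10:00:05 TCP 10.0.0.5:3457 -> 93.184.216.34:80
2009-01-01T10:00:06 TCP 127.0.0.1:1122 -> 127.0.0.1:9666
"""

DNS_RE = re.compile(r"^\S+ DNS (?P<src>[\d.]+) query (?P<qname>\S+)$")
CONN_RE = re.compile(r"^\S+ (?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def is_ldh_label(label):
    """Letters, digits, hyphen, no leading/trailing hyphen, at most 63 chars."""
    return re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?", label) is not None


def classify(line):
    """Return (indicator kind, detail) for a matching line, else None."""
    m = DNS_RE.match(line)
    if m:
        qname = m["qname"].rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in DNS_SERVER_NAMES):
            return ("dns-known-nameserver", qname)
        if not all(is_ldh_label(l) for l in qname.split(".")):
            return ("dns-non-hostname-label", qname)   # encoded payload in a query name
        return None
    m = CONN_RE.match(line)
    if m:
        if m["proto"] == "TCP" and m["dst"] in FALLBACK_IPS and m["dport"] == SERVER_PORT:
            return ("tcp-known-server", m["dst"])
        if (m["dst"], m["dport"]) == LOCAL_PROXY:       # only visible to a host-based sensor
            return ("local-proxy-port", m["src"])
    return None


def scan(text):
    """All indicator hits in a block of log lines, in order."""
    return [hit for hit in (classify(line) for line in text.splitlines()) if hit]


def iptables_rules(hits):
    """iptables rule text for the network-visible hits (nothing is applied here)."""
    rules = set()
    for kind, detail in hits:
        if kind == "tcp-known-server":
            rules.add(f"iptables -A FORWARD -p tcp -d {detail} --dport {SERVER_PORT} -j DROP")
        elif kind == "dns-known-nameserver":
            label = detail.split(".")[-2]           # e.g. flade735d
            rules.add(f'iptables -A FORWARD -p udp --dport 53 -m string --algo bm --string "{label}" -j DROP')
    return sorted(rules)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    print(hits)
    print("\n".join(iptables_rules(hits)))
```

Blocking by address alone is what chapter 4 measures as partial, since the client falls back to DNS and other discovery paths; the non-hostname-label check catches the DNS path even after the zone changes, at the cost of flagging other non-hostname queries (IDN, SRV-style names with underscores) that a deployment would have to allow-list.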
4.4
4.3
4-3
PC
Fedora 6 Linux
Linux
Linux iptables
IP URL
Linux
IP
IP
UltraSurf IP
UltraSurf
IP
IP
UltraSurf
IP
iptables
IP
IP
4.4.1
1
UltraSurf
IP
UltraSurf
IP
www.yahoo.com
spaces.msn.com
cn.profiles.yahoo.com
spaces.live.com
www.msn.com
flickr.com
www.qxbbs.org
www.dajiyuan.com
4.4.2
UltraSurf
4-1 4-2
/
/
4.4.3 IP
UltraSurf IP
6000 IP
IP
IP
4-3
4512
1360
442
103
22
12
UltraSurf
IP
UltraSurf
IP
[1] ,
[2] ,
[3] ,
[4]
2003
2004
2006
[] 2001
A taxonomy
7(1)
[6] Hassan, A.E., Holt, R.C. The small world of software reverse engineering. Proceedings of the 11th Working Conference on Reverse Engineering (WCRE 2004), 8-12 Nov. 2004.
[7] Rainer Koschke. Software Visualization for Reverse Engineering. Lecture Notes in Computer Science, Volume 2269, 2002.
[8] Andritsos, P., Miller, R.J. Reverse engineering meets data analysis. Proceedings of the 9th International Workshop on Program Comprehension (IWPC 2001), 12-13 May 2001.
[9] Moise, D.L., Wong, K., Sun, D. Integrating a reverse engineering tool with Microsoft Visual Studio .NET. Proceedings of the European Conference on Software Maintenance and Reengineering (CSMR 2004), 2004.
[10] Kris Kaspersky. Hacker Disassembling Uncovered. 2004.
[11] Kip R. Irvine
2004
[12]
Windows 32
2006
[13] , ,
2003
[14]
, ,
Vol.2 No.2
2004.6
[15] , ,
[16]
2001.
VPN
2003.5
[17] ,,
Vol.14 No.4
2004.4
[18]
2000.1
[19]
[]
40 7
2003.7