Author Archives: Eric Hokanson

A Simple Demonstration on Reversing Software

03 Saturday May 2014

Posted by in Hacking, Reverse Engineering

2 Comments

Tags

, , ,

In this post, we will learn how to use the demo version of IDA Pro to disassemble, debug, and crack a simple crackMe software.  You may download a copy of crackMe here.  Simply unzip, load into IDA Pro, and follow along.

After unzipping the target binary and running it

Screen Shot 2014-05-03 at 1.47.38 PM

In our scenario, we have a piece of software that is asking for a passphrase or key to unlock it.  Since we don’t know the correct passcode, the software exits with a “wrong password” message.   All is not lost.  This is the power of reverse engineering and using tools such as IDA Pro’s disassembler and debugger: we don’t need the source code to learn how the software works.  With just a debugger and a disassembler, we can often extract keys and learn a lot about the our target software.

After installing your IDA demo.  Double-click to the IDA demo icon and you should see a window like below:

Screen Shot 2014-05-03 at 1.59.26 PM

Select the “New” button and then open your crackMe binary:

Screen Shot 2014-05-03 at 2.00.00 PM

 

Then click Ok on the “Load New File” Window:

Screen Shot 2014-05-03 at 2.00.19 PM

IDA will ask if you want to switch to “proximity view now”, simply click the “No” button.  You should see a window similar to the screenshot below:

Screen Shot 2014-05-03 at 2.04.46 PM

At the very top is the navigation band.  It gives a layout of the binary as loaded in the virtual address space of memory.  The dark blue bands refer to code or functions written inside the binary.  The light blue bands refer to functions that come from a library (e.g. the C run time library), and the pink area refers to Windows APIs that are loaded by Dynamic Link Libraries (DLLs).

The boxes on the left side contain a function window and a graph overview window.  Both can be used to quickly navigate to areas of code that might be interesting to investigate.  The middle window contains a call graph of the entire binary.  You can change from this call graph view to a flat source code view by hitting the space bar.  The space bar will toggle back and forth between call graph view and flat view.

Before examining the source code, let us first set up IDA’s debugger.  In the menu bar, select Debugger, then at the dialog box, select the Local Win32 debugger.

Screen Shot 2014-05-03 at 2.23.53 PM

Once the debugger is set, the green debugging arrow should be activated.

Screen Shot 2014-05-03 at 2.29.38 PM

Before we begin debugging, lets navigate around the code to find some interesting landmarks.  Right at the start, we can see a call being made to a Windows API, IsDebuggerPresent.  According to the Microsoft Developers Network documentation, this function determines if the calling process, i.e. crackMe, is being debugged by a user-mode debugger.  It sets EAX to 1 if the calling process is being debugged.  It sets EAX to 0 if the calling process is not being debugged.  If we were to start the IDA debugger (green arrow button or hit F9 key), crackMe simply exits.  So we will have to deal with this common anti-debugging technique.

Scrolling down a little ways, we see what looks to be a command prompt asking for the passphrase and then some sort of comparison routine.  Note the hard-coded string that is moved into the ECX register:

Screen Shot 2014-05-03 at 2.46.55 PM

It looks like this comparison routine is comparing the user’s command line input to the hard-coded string “ericroolz”.

Screen Shot 2014-05-03 at 2.50.41 PM

Just by static examination, we managed to extract the passphrase.  We can test that by running crackMe from the command line and typing in “ericroolz” and we should get the “Correct password” message.  That is one way to defeat this example.  But suppose we did not see the passphrase, perhaps it was obfuscated or encrypted, or buried in thousands of thousands of lines of code.  All is not lost, we can use IDA’s debugger to step to this crucial decision point:

Screen Shot 2014-05-03 at 3.05.53 PM

Then we can manipulate the results of EAX or the JNZ command to always take the path to the correct password message.  But first, we are going to have to deal with the IsDebuggerPresent check at the start of this code.  First, lets set a break point at the very start of the program, like in the screenshot below (hit the F2 key and you will see a red band indicating the break point is set):

Screen Shot 2014-05-03 at 3.11.53 PM

Now hit run or F9.  We should break:

Screen Shot 2014-05-03 at 3.14.58 PM

While we are at this break, hit the ‘G’ key and type “kernel32_IsDebuggerPresent” in the resulting dialog box.  It is important to have the kernel32 and the underscore along with the IsDebuggerPresent):

Screen Shot 2014-05-03 at 3.17.37 PM

you should wind up here:

Screen Shot 2014-05-03 at 3.18.44 PM

Next, set a break point (F2) at the “retn” instruction at address 7C8130B0:

Screen Shot 2014-05-03 at 3.21.13 PM

Right-click on that break point and select “Edit Breakpoint”.  In the resulting dialogbox, you want to set the condition of EAX=0 and unselect the Break (under Actions) check box.  Next click OK:

Screen Shot 2014-05-03 at 3.23.21 PM,

We are setting the break point in such a way that we are not suspending the program when we hit the break point, but simply setting the return value (stored in EAX) from IsDebuggerPresent to always be 0, that is, regardless of the fact that we are running crackMe in IDA’s debugger, the condition will always return false and we will fool the program into continuing with our debug session.

Next, hit the ‘G’ key again and type in ‘eip’ in the box.  This will take us back to our current break point, that is, to where the current instruction pointer is pointing to:

Screen Shot 2014-05-03 at 3.29.51 PM

Next, we are going to want to navigate to that crucial decision point we saw earlier during our static analysis:

Screen Shot 2014-05-03 at 3.05.53 PM

So let us go to loc_401067 and set a break point there.  We can use the ‘G’ key and type in the address to take us there:

Screen Shot 2014-05-03 at 3.33.24 PM

Now after hitting F9 again, the debugger runs to this break point we just set.  Open the resulting command window and enter any passphrase you want (I typed in “whatever” then hit the enter key):

Screen Shot 2014-05-03 at 3.35.16 PM

Screen Shot 2014-05-03 at 3.38.04 PM

After typing any phassphrase, we hit the breakpoint.  Note the value in the EAX register.  It is a 1.  The TEST EAX, EAX instruction is checking whether EAX is 0 or not.  Since it is 1, the JNZ command will jump us to the incorrect password message.  We don’t want that.  We can do one of two things:

1.  We can change the value of EAX by highlighting the EAX register, right clicking and choosing the “Zero value”.  This will change EAX to 0 and we will take the path to the correct password message.

2.  We could step past the TEST EAX, EAX instruction and pause on the JNZ instruction.  If EAX was 0, the TEST instruction would set the zero flag (ZF = 1) but since what I typed in won’t match “ericroolz” either, the zero flag will not be set (ZF=0).  We can simply change the zero flag by right clicking on the ZF value and choosing “Increment value”.  This will increment the ZF to 1 from 0, thus causing the JNZ instruction to take the correct password message.

I will demonstrate method number 1.  You may re-run this example and try method 2 if you wish.  Right-clicking on the EAX value:

Screen Shot 2014-05-03 at 3.47.57 PM

We will just 0 out EAX:

Screen Shot 2014-05-03 at 3.49.04 PM

Note that the EAX value changed to 0 and if we single step past the TEST instruction:

Screen Shot 2014-05-03 at 3.51.04 PM

You should see the red arrow pointing to the correct password message blinking.  That signifies that we will take that path after setting EAX to 0.  If we continue to run the debugger (F9) we should see that even though we clearly entered the wrong key, we still were able to “unlock” our program:

Screen Shot 2014-05-03 at 3.54.49 PM

Now that we know the crucial decision point, we could use an editor such as OllyDbg and change the JNZ instruction to something that will always jump to the correct message location no matter what passphrase is typed in.

Although, this example was rather simple, it does illustrate the power of using a disassembler and a debugger.  Even though we do not possess the source code, that did not prevent us from learning how our target binary worked.  Once we understood how our binary worked, we were able to manipulate it into “unlocking” itself.

 

Frank Sinatra Did it His Way; I Just Did it Anyway

13 Sunday Apr 2014

Posted by in Success

Leave a comment

Tags

, , , , ,

I will be turning 50 in November and lately, I have been ruminating about what I have done with my life so far.

Amazingly, quite a lot.  And against some stiff odds and claims by people who said I couldn’t do it, or wasn’t smart enough, or that I would not amount to anything.  Yet, fifty years later, my track record is chock full of accomplishments that people said I couldn’t do.

My 8th grade math teacher once told me that because I sucked at math, I wouldn’t even get a job at McDonald’s.  Well, she was right.  I did not get a job at McDonald’s.  However, two science degrees, a minor in mathematics, and a position as a senior scientist at a U.S. Department of Energy research laboratory are my counter examples to the amounting to nothing score.

So what have I learned in my 50 years?  That people are more oft wrong than they are right.  So for the next 50 (I am optimistic that I will make it even though many say I won’t), I am just going to quit listening to people.

If I can impart one piece of wisdom: when ever you are feeling left out, written off, persecuted by people’s assumptions that you won’t amount to anything, that you don’t belong here… just remember that in the scheme of things, it does not matter what other people think of you.  It only matters what you think of them.  And for the naysayers, the doubters, the haters — they are not worth one iota of your precious time in thought.

Don’t ask me what I think of you, I might not give the answer that you want me to…

Fleetwood Mac  (from the 1969 song “Oh Well” composed by vocalist and guitarist Peter Green)

You can’t reason with naysayers.  The only way to prove them wrong is to do it.  I found this to be the only way you can get them to shut the f**k up.

The Weapon of Choice

05 Saturday Apr 2014

Posted by in Education, Freedom of choice, Freewill, Philosophy, Success

Leave a comment

Tags

, , , , , , , ,

WordPress has an interesting feature called writing helper that “randomly” generates a quote, a topic, or photo to inspire a blog topic. I tried it and got the following:

Take a line from a song that you love or connect with. Now forget the song, and turn that line into the title or inspiration for your post.

Ok.  For me that would be: “If you choose not to decide to decide you still have made a choice.”

The above quote comes from the song Freewill by Rush (second track of the album, Permanent Waves, 1980). The song’s subject is about freewill; how it is not a gift, but rather a choice. What resonates with me is the fact that every day you and I are faced with many choices. Should we do this, or should we do that? Often times, we try to evade the burden of choice, put off our decision for fear of making the wrong choice. However, avoidance is itself a choice.

I often hear people complain about how their lives didn’t turn out how they planned.  If only they would have gone to college right after high school, delayed getting married until they were older/more mature, or born into money, how their lives would be different or better.  Perhaps.  However, those choices are in the past; opportunities gone.  Often, people forget that in the here and now are choices to be made to forge a better life.

To show you that I am not just talking out of my arse, I am going to share a personal experience.  This happened about 16 years ago: I was freshly divorced; my career in radio hit a wall; I was in poverty (I do not recommend being poor, it really does suck).  I had been contemplating a career change but a change to what?  I had been spending my free time teaching myself computer programming; the Internet was new and fascinating to me.  I could literally spend hours on my computer and thought if there were a way to do this for a living, I think I wouldn’t mind that.  The problem was that I had no college degree.  I graduated from high school years ago; I would need an education but the thought of college scared me.  I was in my mid-thirties; I would be in classrooms of freshly graduated high school students and twenty-somethings.*  Talk about a feeling old.  Compound that with the thoughts of how I would be 40 when I graduated and that I would be starting a new career — in my forties!  These thoughts paralyzed me into inaction.

A few days later during a jog, I was listening to the radio and ironically, the song playing was Rush’s “Freewill.”  Halfway through the song came a voice; it said, “Eric, gods willing, you are going to be 40 no matter what you do.  Would it not be better to be a 40 year old with a college degree than a 40 year old with out one?”  Case closed.  I ran back home and began the application process.  Several months later, I embarked on one of the greatest experiences in my life: being a university student and it changed my life.  I am so glad I chose to do it.

The most powerful weapon is choice; the second most powerful weapon is an educated mind.  Make the smart investment in yourself.  Choose to decide.  It will be the right choice.

============================================

* This is not meant to be a slam on young people.  It turns out that being the oldest guy in the classroom wasn’t as scary as I imagined it would be.  These students welcomed me in their study groups and I learned lots from them.  I was impressed at their discipline and dedication.  I wished I had that kind of discipline when I was their age.  I should have made a wiser choice when I had the chance.

The Power of Python

29 Saturday Mar 2014

Posted by in Computer Security, Hacking, Pen-testing, Python

Leave a comment

Tags

, , , ,

I am often asked by CS students interested in a career of pen-testing, what programming language they should learn?  Is there one that is best suited for pen-testing?  My answer is Python — hands down.  It is a very easy language to learn and it is very powerful.  When a pen-tester in the field needs to whip up an automated tool, it is usually done in Python because it is fairly easy to code up working prototypes on the fly.  I will demonstrate by whipping up a Python key-logger in just a moment.

Another reason you should learn Python is that many pen-testing tools are written in Python.  So if you ever need to take an existing tool and extend its capability, you will have to understand the Python language.  Python is also available on many pen-testing platforms such as BackTrack and Kali linux.

As I said, learning Python is very easy because it is a well documented programming language.  Almost everything you need to learn the language is available at python.org.  There are also very good tutorials available here and here.  Once you get the basics down, you will be amazed at the tools you can create.  Allow me to demonstrate with a simple Python key-logger:

First, a word of warning.  This key-logger only works on Windows machines and it will log every key stroke a user presses.  Please do not load this key-logger on anybody’s machine but your own.  This key-logger is for educational purposes only.  Besides, it is not very stealthy.

Next, you will need to install Python on your Windows machine.  You can download Python here.  I am using Python 2.7.6 for a Windows 7 64-bit machine.  Python 2.7.6 is pretty stable so I prefer it to versions 3.x.  Be sure you select the proper installer for your Windows machine (i.e. 32-bit or 64-bit).

After installing Python, you will need to install a library called pyHook.  pyHook is a wrapper for global input hooks in Windows.  It wraps the Windows SetWindowsHookEx API.  You can get the appropriate version for your version of Python and Windows 32-bit or 64-bit versions here.  Scroll all the way down until you get to the pyHook section.  For my machine, I installed the pyHook‑1.5.1.win‑amd64‑py2.7.exe version.

After installing pyHook, fire up a command prompt (cmd.exe) and cd into the C:\Python27 directory, then type ‘python’ at the prompt (without the quotes) you should see:

Screen Shot 2014-03-29 at 8.52.56 PM

the three right angle brackets (>>>) is the prompt for python.  Type ‘import pyHook’ then enter.  You should see no errors if pyHook installed correctly:

Screen Shot 2014-03-29 at 8.55.40 PM

You are now good to go.  Fire up your favorite editor.  You could use notepad.exe but it is much better to use an editor that recognizes Python syntax.  A good one is notepad++ or my favorite is Vim.

Before coding up the key-logger, I visited the documentation page to learn how to use pyHook.  You should too.  Play with pyHook from the Python command shell to get a feel for what you can do with it; see if you can cobble your own key logger together before looking at my implementation.  If you need further hints, see this pyHook wiki.

Here is my implementation:

Screen Shot 2014-03-29 at 9.10.40 PM

That is it!  It only took about 20 lines of code!  That is the power of Python.  To run your key-logger, make sure you are in your Python directory (usually C:\Python27) and type the name of your key-logger (I named mine logger.py):

Screen Shot 2014-03-29 at 9.15.40 PM

Now open up another command prompt and type, ‘dir’, and ‘whoami’.

Screen Shot 2014-03-29 at 9.18.30 PM

Open up notepad and type anything you want:

Screen Shot 2014-03-29 at 9.21.30 PM

Once you are done, your logging file should contain every key you typed:

Screen Shot 2014-03-29 at 9.27.53 PM

With a little reading and some practice, Python can help you become that evil genius you’ve always aspired to be.  That is the power of Python.

 

 

Spring has Sprung in Albuquerque

21 Friday Mar 2014

Posted by in Current Events, Random Stuff

Leave a comment

Tags

,

photo

Spring got off to a great start today.  We were 72 and sunny.  To my friends back East who endured the most miserable winter in recent memory, this stuff is wending its way to you… hang in there.

The tree in the above photo is a Russian olive tree.  I don’t recall why we decided to get a Russian olive tree — I mean I love olives and I always wanted an olive tree but the Russian olive tree produces no olives.  I have no idea what purpose a Russian olive tree serves.  Well, I don’t care what it does as long as it doesn’t annex my house or my Mustang.  There will be sanctions if it does.

Just Three Steps to Success

09 Sunday Mar 2014

Posted by in Algorithms, Research, Success

Leave a comment

Tags

, , , , , ,

I am a computer scientist and I love designing algorithms to solve problems; a series of steps or instructions that one executes until there is a solution.  Wouldn’t it be great to write an algorithm for success — what ever success means for you?  Given a set of inputs, and a set of instructions, that if acted upon correctly and faithfully,  you achieve a successful solution to you problem(s) or in meeting your goal(s).

The above thought actually stems from my concerns and fears of taking on a Principal Investigator role to a research project — a very hard problem with no guarantee of a solution.  Pretty scary venture, right?  I want the project to be successful.  While formulating a team and a plan of attack, I began seeking models of successful project management in the literature.  I thought back on my own successful accomplishments — obtaining a job as a radio announcer, earning a computer science degree, obtaining the rank of Eagle Scout, starting a new career, accepting a job, and moving from one end of the continent to the other, … what did I do consistently that ensured success?

Upon reflection, I discovered that there are three key steps to any successful endeavor.  I could be wrong, but this is based on my own experience.  Therefore, I reserve the right to be wrong.

  1. The first step is a leap of faith.  Accomplishing my goals required some faith that I would succeed even though I could fail.  Despite any fear, I took small steps and built my confidence attempting to get from “here” to “there” — and I wasn’t guaranteed there would even be a there, there.
  2. The second step is personal doubt.  This is the phase of your journey where you feel you have hit a brick wall, you hit rock bottom, and you feel that there is no possible way to go any further.  You are frustrated.  Stymied.  Addled.  This is the point where you may start to feel like giving up — and most people do at this point.  However, I argue that this period of perplexity is a good thing.  It means you are tackling a very hard problem and hard problems yield great rewards.  This is not the time to quit but the time to begin.  You may need to begin by stepping back from the problem.  Take the weekend off.  Don’t think about it.  Do something else; go for a run, play golf, whatever you consider fun to do.  This gives your subconscious some time to work on the problem without your interference.  Ever have an idea suddenly spring out of nowhere?  It usually happens when you are in the shower, on the john, or at 3 A.M.  I believe this is the work of your subconscious; just make sure you have a notebook to write down what ever that flash of inspiration is.  After this period of incubation, you can start fresh.
  3. The third step is perseverance.  This is where you “gut it out”, keep at it to get past your time of doubt.  The key is to start somewhere.  Anywhere.  If you got a flash of inspiration during the incubation or break, start with that.  Otherwise formulate a hypothesis and try it.  Most likely it will be wrong.  But you will learn something.  Apply what you learned in a new hypothesis, try and fail again.  Like a smart missile, you constantly course-correct until you reach your target.

Well, there you have it.  A simple algorithm for success.  The algorithm may be simple; performing it will be hard but you can do it.  All you need to do is take that first step.

Does the End Justify the Means?

08 Saturday Mar 2014

Posted by in Philosophy

Leave a comment

Tags

, ,

In the long run we are all dead…

John Maynard Keynes*

In the end we are all dead.

It is sad when people die before their time: JFK, MLK, John Lennon, Steve Jobs, my father… way too many people to list here.   However, if you really think about it, that person would have died anyway — if not today then one day down the road.

In a way, the very first sentence does take a lot of pressure off of us.  Instead of rushing to accomplish and get everything done before the final deadline, we should remember to enjoy the now.  It is the little moments of joy we should take time to treasure; it is in the here and now that we should make our lives a life worth living and remembering.

Your time is limited, so don’t waste it living someone else’s life.

Steve Jobs (The lost interviews)

To paraphrase Abraham Lincoln, another expert in going before his time: It is doing things that are worth remembering or writing things worth reading that will give us a shot at immortality.

* The full quote is: “In the long run we are all dead. Economists set themselves too easy, too useless a task if in tempestuous seasons they can only tell us that when the storm is long past the ocean is flat again.”

The Bliss of Ignorance

21 Friday Feb 2014

Posted by in Computer Science, Learning

Leave a comment

Tags

,

I am not god’s gift to computer science (CS).  Nor am I when it comes to programming.  There.  I said it.  Why, in a public setting, would I admit my short comings?  Would it not be better to sell my strengths?  Perhaps.  But this admission takes a lot of pressure off of me.  People can no longer expect me to be perfect.  I don’t have to live up to those expectations.

You have no responsibility to live up to what other people think you ought to accomplish. I have no responsibility to be like they expect me to be. It’s their mistake, not my failing.”
Richard P. Feynman, Surely You’re Joking, Mr. Feynman!

This admission opens me up to new possibilities: I can learn to be better.  I can improve my technical skills if I open my mind to the idea that there are always new things to learn.  Isn’t there a Zen story about tea cups?  If the cup is already full there is no more room for more tea… no more room for new skills.  No room for more knowledge or wisdom.  I may not be god’s gift to CS but my degree was the best gift I ever earned.  It was in the earning of my degrees that I learned HOW to learn.

While the degree gave me the skills to learn, I still need people to learn from.  Admitting my CS weaknesses removes the fear of appearing ignorant because I AM ignorant.  But my ignorance is only temporary.  I used to feel intimidated approaching colleagues who are smarter than me.  Now I seek them out and ask for help.  I found that most technical people love to help you when you seek their expertise.  This was not easy at first, and I had to seek some professional help.  Professional as in reading the bio of jazz legend Pat Metheny.

Pat would purposely seek out musicians that were better than himself.  “Always be the worst guy in every band you’re in”, he once said.  Something interesting happens: your skills transform and becomes more like better guys.  I don’t know how to explain it, but I noticed something similar while playing golf.  If I am in a group where my handicap is better than everyone else, I don’t learn anything new.  Sure my ego feels good if I beat everybody, but I don’t improve; and sometimes I perform worse.  But when I am in a group where I am the highest handicapper, I seem to do better.  My focus is on keeping up.  I’m not taking risky shots.  I am more aware of my current ability and I play with in that ability.  Furthermore, I can learn from others while observing their short game, their putting, or how they cope with errant shots into the hazards.

The harder you work, the luckier you get.

Gary Player

One other technique I use to improve my technical skills comes from my experience during grad school as a TA teaching math.  The more I taught algebra or calculus to students, the better I got in those subjects and I began to UNDERSTAND, profoundly understand many of the concepts that I just accepted at face value from my instructors and the text books.

To Teach is to Learn Twice.

Ancient Proverb

Often, If I want to learn new skill or sharpen a current skill, I will seek out opportunities to create a class and teach it.  I find this technique strengthens understanding.  It is one thing to learn a skill; yet another to learn how to explain it, in your own words, so another human being can understand this skill, too.

The sages may have been right in their claims that ignorance is bliss.  But learning new things, and teaching them to others is blisser*.

Related articles

* Yeah, I know its not a word.  I am currently working to improve my grammar and vocabulary.

ESET CrackMe 2013 Challenge Solved!

18 Tuesday Feb 2014

Posted by in Cyber Security Research, Malware RE

Leave a comment

Tags

, , ,

my continuing adventures in reversing the eset 2013 crackme challenge…

In my last post, we found all the Easter eggs and set off looking for the solution to unlock this puzzle.  This is a challenge from an anti-malware company, so there should a “malicious-like” component to this puzzle and started examining other threads that were spawned before the WinMain function that displays the textboxes began.  We did find an interesting path, a path that led us to the process injection of Window’s userinit.exe.  That was our “malicious-like” behavior and when we traced the code to the CreateRemoteThread call:

Call_to_createRemoteThread

And stepped over that call (F8), we could observe our CrackMe code launching the newly injected userinit process:

userinit_in_task_mgruserinit_in_procmon

Unfortunately, the process goes immediately into a suspended state, which prevents OllyDbg from attaching to it.  After several failed attempts of trying to find a solution, I posed the question to the community for some help.  My thanks to the many members Reverse Engineering and Malware Group on LinkedIn for their suggestions.  The solution that worked was submitted by Mr. Mahmoudnia — he found another person’s solution to this ESET challenge.  The solution is rather clever.  Before we hit the second call to WriteProcessMemory:

before_2nd_call_to_WriteProcessMemory_0x403E70

Which is going to write the code at location 0x403E70 into userinit’s process space at 0xA0000.  We want to go to 0x403E70 and change the function prologue from “PUSH EBP” and “MOV EBP, ESP” to the opcode “EB FE”:

at_0x403E70

In Olly, right-click on the “PUSH EBP” instruction, select binary, then edit and uncheck the “keep size” box; now you can change the opcode to the value “EB FE”:

at_0x403E70_changed_to_EBFE

The opcode “EB FE” creates an infinite jump to the start of this function, i.e. to address 0x403E70.  Now we can step over the “WriteProcessMemoryCall” and proceed to step to the “CreateRemoteThread” call.  Now hit F8 to step over CreateRemoteThread and stay at location 0x4063B6:

step_over_call_to_CreateRemoteThread

Next, open a second OllyDbg instance, go to File -> Attach and scroll down the list of process until you find userinit.exe and click the “Attach” button:

attaching_to_userinit

Once attached and in the CPU window hit CTL-G and go to address 0xA0000 and change the “EB FE” back to the “PUSH EBP” and “MOV EBP, ESP” function prologue and set a break point.  This may take several attempts.  What consistently worked for me was to go to the theads window (the blue T button) and check to see if my thread was suspended.  If it was, I right clicked on the thread and selected “Resume”, then I hit F9 (Run).  If the RE gods are smiling upon us, we will hit the BP:

attached_to_userinit_goto_A0000

To see what the above routine does, I am going to single-step through this code line-by-line:

in_0xA0000_after_keygen_func

A little ways down, there is a call to a function at 0xA02F0.  I stepped inside that function and determined that this was some kind of key generation function.  Observe that ESI was set to the ASCII string “472631FB”.  Continuing on:

in_0xA0000_setting_up_Http_wget_over_port_1F90=8080

In the above chunk of code, we are making a call to a function in wininet.dll,  I used DLL Export Viewer to resolve the symbol name.  This is setting up a http network connection to localhost on port (highlighted as 0x1F90 in the stack window) 8080.  In my last post, we observed a wget POST call posting an index.php.  Continuing on, we can observe that this section of code is setting up all the parameters for an HttpOpenRequest call:

in_0xA0000_setting_up_HttpOpenRequest_index_php

Again, I fired up FakeNet and stepped over the call:

in_0xA0000_sends_index_php_over_port_8080

The wget POST with index.php is supposed to receive data but as you can clearly see, we don’t because EAX is set to 0.  The next instruction will test EAX and since it is 0, we will jump all the way down to 0xA0296.  At that location, there is code to terminate our thread.  I don’t want to end just yet.  There is an awful lot of code real estate that we are skipping and I want to see what it does.  So, I changed EAX from 0 to 1 so that the JE instruction is NOT taken in order to see what happens next:

in_0xA0000_compare_to_jules

In the above screen shot, we can see that what ever we were supposed to receive from our first wget POST is supposed to decrypt to the value of “Jules” — one of the main character’s (played by Samuel L. Jackson) in the movie “Pulp Fiction”.  So our Pulp Fiction theme continues.  Since we did not receive any data, the zero flag is not set and we make that long jump to 0xA0296 again.  So I set the ZF to 1 so the JNZ instruction is not taken.  Continuing on:

in_0xA0000_second_call_with_index_php

The code continues to set up a second HttpOpenRequest call.  This time instead of passing just index.php as one of the parameters, I thought I would change it to “index.php?key=280877F8”  This was the key that was generated in our first wget POST call.  I don’t know why I thought to try this, I was just curious and assumed that since we were getting a key, that there would be a second decryption routine.  Maybe I could coax the code to decrypted what ever is going to happen next…

in_0xA0000_second_call_index_php2

So we make the second wget POST call and and continue on to what I believe to be is a decryption routine…

in_0xA0000_decrypted_message_thats_all_congrats

Interesting!  We did get a message: “That’s all. Congratulations!”  We must be getting close to solving this thing.  So if we continue to single-step our way through this routine, eventually we wend our way to a USER32.MessageBox call:

in_0xA0000_call_to_final_messagebox

Let’s step over that call and see what message we get…

I_cracked_it_the_movie_is_over

W00t w00t — we did it!

This was a very fun RE challenge.  My thanks to ESET for creating such a fun puzzle and a special thanks to Mr. Mahmoudnia and others in the Reverse Engineering and Malware Research group on LinkedIn for their help and suggestions during the times I got stuck.  I learned some new tricks like that “EB FE” trick to attach to a suspended process.  I’ll have to remember that one if I ever encounter such a sneaky maneuver by malware in the future.