Didier Stevens

Tuesday 31 July 2007

F-Secure Reverse Engineering Challenge 2007

Filed under: Reverse Engineering — Didier Stevens @ 19:08

Be ready to compete in the F-Secure Reverse Engineering Challenge (http://www.khallenge.com) this Friday. I expected the challenge to start on Thursday like last year, so now I have a scheduling conflict!

It looks like the challenge is organized like last year: go to the website and download the first challenge. Start the program, and provide the correct password (this is where reversing skills come in handy). You’ll be given an e-mail address in exchange for the correct password (a wrong password yields no e-mail address).

Send an e-mail to the address and you’ll get a URL in reply. Download the second challenge and repeat the process. And finally: download the third challenge and repeat the process.

Don’t forget my tools to help you with this challenge:
Challenger
OllyStepNSearch

Now honestly, I don’t expect Challenger to be of any help, except with a dictionary attack on the first challenge. Last year, the passwords for the second and third challenge were so long that brute-forcing was no option.

Think it’s too difficult for you? Think again: this movie (YouTube) shows how easy the first level of last year’s challenge was; XviD hires here.

YACoSTO, One Year Ago

Filed under: Reverse Engineering — Didier Stevens @ 6:04

One year ago, to the day, I posted YACoSTO. I explained how I reversed a program that “protects” data. This is one of my favorite posts, but it hardly gets any hits. I encourage you to read it, because this time, I focus on reversing the protected data rather than the program itself. You might learn a couple of new and simple techniques.

The binary tools I used for the YACoSTO post can be found here; I published them afterwards.

Contrary to what some of you might think, this is not an “I’m on holiday” post 😦 . We took a short cruise in June. My sister-in-law, a professional wedding film producer, shot this movie (YouTube) during our holiday, hires version here. Absolutely no malware, hacking, reversing, … in the movie, just holidaying.

Oh, and BTW, until now, nobody ever asked me what YACoSTO means…

Thursday 26 July 2007

Yes, It Will Be Late In Brussels Again…

Filed under: Reverse Engineering — Didier Stevens @ 8:17

Coming Soon: Reverse Engineering Khallenge

Give it a shot: last year, the first stage was very easy. You could even crack it just using Windows Notepad!

Tuesday 24 July 2007

RSR

Filed under: Malware,Reverse Engineering — Didier Stevens @ 6:53

This is an example of Really Simple Reversing of a piece of malware. It’s written in the AutoIt scripting language and compiled to an EXE.

It’s not intentional, I’m sure about this, but this AutoIt tool offers some interesting features for (inexperienced) malware authors. You can compile your script to a stand-alone executable that is automatically packed with UPX. And even after unpacking it, the strings are still obfuscated.

Decompiling the script is really easy, because the AutoIt authors include a decompilation utility with the AutoIt installation package (Exe2Aut). You can find a video of the decompilation here hosted on YouTube, and you can find a hires version (XviD) here. The icon of the bin.exe file you see in the video is the default AutoIt icon.

See how easy it becomes to understand what this malware does once you have the source code:

  • the URLs are defined in variables at the beginning
  • you can see where the malware downloads updates from and where they get installed
  • you can see how it disables tools that can help you clean the infected machine, like Task Manager
  • you can see that it tries to spread via IM applications

And did you notice the folder under F:\Documents and Settings at the beginning of the script? Oops!

When I submitted this malware to VirusTotal, only 4 AV engines detected it (July 18th 2007).

I played with the AutoIt compiler and decompiler and found some interesting things; I’ll probably blog about this later. Here is a hint: when you password-protect a compiled AutoIt script, you have to provide the password to decompile it, but not to execute it. Can you guess what this means? 😉 Post your answer in the comment section!

Monday 23 July 2007

CyberSpeak interview

Filed under: My Software,Reverse Engineering — Didier Stevens @ 8:11

My interview on the CyberSpeak podcast about my UserAssist tool is up. I discovered I speak English with a French accent 😉 But I’m not French, I’m Flemish!

Tuesday 17 July 2007

UserAssist V2.3.0

Filed under: My Software,Reverse Engineering — Didier Stevens @ 6:05

I’m releasing version 2.3.0 of my UserAssist tool with these new features:

  • saved CSV files have a header.
  • entries are highlighted in red when they match a user-specified search term (which can be a regular expression). This is my answer to the people asking for a search feature. As I didn’t want to bother with a Find Next function, I decided to implement a highlight feature.
  • the Save command also supports HTML.
  • support for the IE7 UserAssist GUID key {0D6D4F41-2994-4BA0-8FEF-620E43CD2812}
  • registry hive files (usually called NTUSER.DAT files) can be loaded directly with the tool. The tool will load the DAT file temporarily in the registry, read the UserAssist keys and unload the file. This feature is experimental, because I haven’t yet written the code for all the exceptions (invalid NTUSER.DAT file, no access rights to the file, no rights to load the file, failure to unload the file, …).

Other requests, like a command-line option, will be investigated. I’m also researching special values of the count property, for example when a program is removed from the start menu list.

The software is hosted on my site now, as Microsoft will phase out the User Samples section of the gotDotNet site.

Thanks to Ovie and Bret of the CyberSpeak podcast for talking about my UserAssist tool on their show. The announced interview is recorded 🙂

Monday 16 July 2007

Will it be late in Brussels again?

Filed under: Reverse Engineering — Didier Stevens @ 21:58

Yes, I’ve the feeling it will be late in Brussels again.

Wednesday 11 July 2007

ExtractScripts Update

Filed under: Malware,My Software,Update — Didier Stevens @ 0:06

I’ve updated ExtractScripts to handle comments inside <script> tags.

Tuesday 3 July 2007

The BlockSite Firefox Add-on

Filed under: Reverse Engineering — Didier Stevens @ 8:00

The Firefox add-on BlockSite by Erik van Kempen allows you to maintain a blacklist of sites you want to block while surfing. I extended his add-on with a whitelist: instead of specifying the sites you want to block, you can decide to specify the sites you want to allow, and all other sites will be blocked. Erik has integrated my code in his add-on:

Version 0.5 — December 30, 2006 — 34 KB

[+] Whitelist/Blacklist feature (by Didier Stevens): Choose if the list is a blacklist or a whitelist.
[~] Password protection still pending (unfortunately), most probably in next major release

Reverse engineering a Firefox add-on is really simple. The file format for add-ons, XPI, is in fact a ZIP file. After unzipping the XPI file, you’ll find a JAR file (again, this is also based on ZIP). Unzip the JAR file and then you can analyze the JavaScript and XUL files.
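The nested unzipping described above, as an added example (not code from the original post or from BlockSite): it walks an XPI held in memory, descends into any JAR inside it, and returns the JavaScript and XUL files for review. The sample add-on and its file names (`install.rdf`, `chrome/sample.jar`, `content/overlay.js`) as well as the size and depth limits are assumptions made for the demonstration.

```python
import io
import zipfile

SCRIPT_EXTS = (".js", ".xul")
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumption: skip members declaring more than 10 MB
MAX_DEPTH = 3                        # assumption: stop descending past this nesting depth

def list_addon_code(data, prefix="", depth=0):
    """Return {path: bytes} for each .js/.xul file in an XPI, descending into nested JARs."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Skip directories and members whose declared size is suspiciously large.
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            path = prefix + info.filename
            name = info.filename.lower()
            if name.endswith(".jar") and depth < MAX_DEPTH:
                inner = zf.read(info)
                # A JAR is a ZIP as well; verify that before recursing into it.
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    found.update(list_addon_code(inner, path + "!/", depth + 1))
            elif name.endswith(SCRIPT_EXTS):
                found[path] = zf.read(info)
    return found

def build_sample_xpi():
    """Constructed sample: a minimal XPI with a JAR under chrome/ (hypothetical names)."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("content/overlay.js", "function onLoad() {}\n")
        zf.writestr("content/options.xul", '<?xml version="1.0"?><prefwindow/>\n')
        zf.writestr("skin/icon.png", b"\x89PNG")
    xpi = io.BytesIO()
    with zipfile.ZipFile(xpi, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("chrome/sample.jar", jar.getvalue())
    return xpi.getvalue()

if __name__ == "__main__":
    # Print size and archive path of every script found in the sample add-on.
    for path, body in sorted(list_addon_code(build_sample_xpi()).items()):
        print(f"{len(body):6d}  {path}")
```

Paths use `outer.jar!/inner/file` notation so each script can be traced back to the archive it came from.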

You can also load an unpacked Firefox add-on in Firefox to test and debug it; how to do this is explained here.
