Here is a new little Python script to perform bitwise operations on files (like XOR, ROL/ROR, …). For maximum flexibility, it requires you to provide the operation as a Python expression, like this:
translate.py malware malware.decoded ‘byte ^ 0x10’
This will read file malware, perform XOR 0x10 on each byte (this is, expressed in Python: byte ^ 0x10), and write the result to malware.decoded.
The script has been added to my software page.
Last week I analyzed a piece of malware that had each byte of its strings ROL 1 (ROtate Left) encoded. I’ll give more details about this trick in an upcoming post.
It prompted me to update my XORSearch tool to deal with ROL encoding. Feeling lazy, I only coded ROL support, not ROR. 😉 Or did I, what do you think?
My first SpiderMonkey trick is more than 6 months old, and I still haven’t released the source code. Let’s do it now, but let’s also talk about a new trick.
Obfuscated JavaScrip has become a trademark of cybercriminals, and they are ever perfecting their tools, read what Bojan and Ismael have uncovered. This reminds me of another trick I’ve been learning my SpiderMonkey: whenever the eval function is called, it will write its argument to a file, giving you the possibility to analyze the code. Eval is used in some obfuscation schemes.
When eval is called the first time, for example eval(“a=10;”), my SpiderMonkey will create a file eval.001.log containing the argument, a=10; For each new eval call in the current JavaScript session, a new eval file will be created: eval.002.log, eval.003.log, … (if you’re wondering, after eval.999.log, we just move to eval.1000.log). Unlike the document.write trick, I will not append to the existing file, but create a new file for each call.
Internally, SpiderMonkey works with Unicode strings. Hence, I programmed SpiderMonkey to create 2 files for each call, one ASCII file and one Unicode file, like this: eval.001.log and eval.001.uc.log. eval.001.log is the ASCII file (actually, it’s just the first byte of each Unicode character) and eval.001.uc.log is the Unicode file. When analyzing obfuscated JavaScript, you’ll mostly see ASCII.
BTW, can you guess why I added ; echo to the cat command of this demo?
Adding this king of logging feature is not difficult: just find the source code of the JavaScript function that needs logging, locate the arguments and write them to a file.
Download the source code here.
Be ready to compete in the F-Secure Reverse Engineering Challenge (http://www.khallenge.com) this Friday. I expected the challenge to start on Thursday like last year, so now I have a scheduling conflict!
It looks like the challenge is organized like last year: go to the website and download the first challenge. Start the program, and provide the correct password (this is where reversing skills come in handy). You’ll be given an e-mail address in exchange for the correct password (a wrong password yields no e-mail address).
Send an e-mail to the address and you’ll get an URL in reply. Download the second challenge and repeat the process. And finally: download the third challenge and repeat the process.
Don’t forget my tools to help you with this challenge:
– Challenger
– OllyStepNSearch
Now honestly, I don’t expect Challenger to be of any help, except with a dictionary attack on the first challenge. Last year, the passwords for the second and third challenge were so long that brute-forcing was no option.
Think it’s too difficult for you? Think again, this movie (YouTube) shows how easy the first level of last year’s challenge was, XviD hires here.
One year ago, to the day, I posted YACoSTO. I explained how I reversed a program that “protects” data. This is one of my favorite posts, but it hardly gets any hits. I encourage you to read it, because this time, I focus on reversing the protected data rather than the program itself. You might learn a couple of new and simple techniques.
The binary tools I used for the YACoSTO post can be found here, I published them afterwards.
Contrary to what some of you might think, this is not a “I’m on holiday” post 😦 . We took a short cruise in June. My sister-in-law, a professional wedding film producer, shot this movie (YouTube) during our holiday, hires version here. Absolutely no malware, hacking, revering, … in the movie, just holidaying.
Oh, and BTW, until now, nobody ever asked me what YACoSTO means…
Coming Soon: Reverse Engineering Khallenge
Give it a shot, last year, the first stage was very easy, you could even crack it just using Windows Notepad!
This is an example of Really Simple Reversing of a piece of malware. It’s written in the AutoIt scripting language and compiled to an EXE.
It’s not intentional, I’m sure about this, but this AutoIt tool offers some interesting features for (inexperienced) malware authors. You can compile your script to a stand-alone executable that is automatically packed with UPX. And even after unpacking it, the strings are still obfuscated.
Decompiling the script is really easy, because the AutoIt authors include a decompilation utility with the AutoIt installation package (Exe2Aut). You can find a video of the decompilation here hosted on YouTube, and you can find a hires version (XviD) here. The icon of the bin.exe file you see in the video is the default AutoIt icon.
See how easy it becomes understanding what this malware does once you have the source code:
And did you notice the folder under F:\Documents and Settings at the beginning of the script? Oops!
When I submitted this malware to VirusTotal, only 4 AV engines detected it (July 18th 2007).
I played with the AutoIt compiler and decompiler and found some interesting things, I’ll probably blog about this later. Here is a hint: when you password-protect a compiled AutoIt script, you have to provide the password to decompile it, but not to execute it. Can you guess what this means? 😉 Post your answer in the comment section!
My interview on the CyberSpeak podcast about my UserAssist tool is up. I discovered I speak English with a French accent 😉 But I’m not French, I’m Flemish!
I’m releasing version 2.3.0 of my UserAssist tool with these new features:
Other requests, like a command-line option, will be investigated.I’m also researching special values of the count property, for example when a program is removed from the start menu list.
The software is hosted on my site now, as Microsoft will phase-out the User Samples section of the gotDotNet site.
Thanks to Ovie and Bret of the CyberSpeak podcast for talking about my UserAssist tool on their show. The announced interview is recorded 🙂
Yes, I’ve the feeling it will be late in Brussels again…
Didier Stevens 