Wednesday, September 26, 2007

IDA Pro Foo

Since I am on a roll with blogging, I will post some of my thoughts and work with reverse engineering. I have been doing RE seriously for the past year, and I really love doing it, however it is time consuming and a bit mind numbing :-). While working on some malware I came across a section of code that used a simple encryption routine where the encrypted string was passed byte for byte through this engine. Each byte was broken into a high order and low order nibble and these nibbles were reversed revealing the decoded binary equivelent of the ASCII character. I came across many specimens of malware that used this, so I wrote an IDA Pro script (IDC) to decode these strings for me.

Decryption Subroutine:

 .text:00403F21 014                 mov     ecx, [ebp+var_C_Arg1] ; start
.text:00403F24 014                 mov     dl, [ecx]
.text:00403F26 014                 mov     byte ptr [ebp+var_4], dl
.text:00403F29 014                 mov     eax, [ebp+var_4]
.text:00403F2C 014                 and     eax, 0FFh
.text:00403F31 014                 shl     eax, 4
.text:00403F34 014                 mov     byte ptr [ebp+var_8], al ; Lower 4 Bits
.text:00403F37 014                 mov     ecx, [ebp+var_4]
.text:00403F3A 014                 and     ecx, 0FFh
.text:00403F40 014                 sar     ecx, 4
.text:00403F43 014                 mov     byte ptr [ebp+var_4], cl ; Upper 4 Bits
.text:00403F46 014                 mov     edx, [ebp+var_4]
.text:00403F49 014                 and     edx, 0FFh
.text:00403F4F 014                 mov     eax, [ebp+var_8]
.text:00403F52 014                 and     eax, 0FFh
.text:00403F57 014                 or      edx, eax                ;Swap bits via OR
.text:00403F59 014                 mov     byte ptr [ebp+var_4], dl
.text:00403F5C 014                 mov     ecx, [ebp+var_10_Arg2]
.text:00403F5F 014                 mov     dl, byte ptr [ebp+var_4]
.text:00403F62 014                 mov     [ecx], dl       ; dl contains the patched byte
.text:00403F64 014                 mov     eax, [ebp+var_C_Arg1]

Here I have broken down and commented the disassembly showing the decryption routine. This should be pretty trivial to script so I don’t have to go byte for byte with a calculator and ASCII table.

DC script for swapping the low order nibble and the high order nibble of a byte
Uncomment one, or both of the functions at the bottom of the script
--Message() will just print the decoded strings to the messages window but will not patch the DB
--PatchByte() is self explanatory
Script by Chris Sia
static revbyte(void)
auto start, end, ptr, X, Y, Z;
start = SelStart();

end = SelEnd();

end = end - 1;

Message("Reversing Byte Order\n");
for (ptr = start; ptr <= end; ptr++)

X = Byte(ptr);

Y = Byte(ptr);

X = (X & 0xFF);

X = X << 4;


Y = (Y & 0xFF);

Y = Y >> 4;

Z = (X | Y);

/* Uncomment below to enable decoded strings to be printed in Messages Window */

/* Uncomment below to enable swapped bytes to be patched back to the DB */
PatchByte(ptr, Z);


This script can send the decrypted ASCII to the messages window in IDA, or actually patch the byte in the disassembly.

To use, highlight the data:

Then open the File/IDC command...and run revbyte().

The highlighted data now shows the decrypted strings. The beginning of a URL "http://20" is clearly visible.

Monday, September 24, 2007

DHS Slams Unisys

I read an interesting article today:

This really hit home because a little over a year ago I was consistently called by Unisys and its sub-contractors to work there. At the time both myself and my friends knew this contract was a disaster, however even I didn't see this coming.

I feel that this highlights two failures. One, the contractor not taking the contract seriously and two, the government agency not fully knowing what it's threats really are. The main problem here is the blind, hiring the ignorant. Unisys is not fully to blame here, they have a long standing reputation of achieving the mediocre on their contracts, and DHS should have taken this into account, but they didn't. They most likely picked the contract that came in the cheapest, and that is what they got.

I hope this incident leads to a couple of things. Contractors taking the tasking of protecting an agencies IT assets more seriously, basing success on reality rather than on paper and Government agencies understanding what they are up against, and selecting contractors based on performance rather than $$.