Wednesday, September 26, 2007

IDA Pro Foo

Since I am on a roll with blogging, I will post some of my thoughts and work with reverse engineering. I have been doing RE seriously for the past year, and I really love doing it, however it is time consuming and a bit mind numbing :-). While working on some malware I came across a section of code that used a simple encryption routine where the encrypted string was passed byte for byte through this engine. Each byte was broken into a high order and low order nibble and these nibbles were reversed revealing the decoded binary equivelent of the ASCII character. I came across many specimens of malware that used this, so I wrote an IDA Pro script (IDC) to decode these strings for me.

Decryption Subroutine:

 .text:00403F21 014                 mov     ecx, [ebp+var_C_Arg1] ; start
.text:00403F24 014                 mov     dl, [ecx]
.text:00403F26 014                 mov     byte ptr [ebp+var_4], dl
.text:00403F29 014                 mov     eax, [ebp+var_4]
.text:00403F2C 014                 and     eax, 0FFh
.text:00403F31 014                 shl     eax, 4
.text:00403F34 014                 mov     byte ptr [ebp+var_8], al ; Lower 4 Bits
.text:00403F37 014                 mov     ecx, [ebp+var_4]
.text:00403F3A 014                 and     ecx, 0FFh
.text:00403F40 014                 sar     ecx, 4
.text:00403F43 014                 mov     byte ptr [ebp+var_4], cl ; Upper 4 Bits
.text:00403F46 014                 mov     edx, [ebp+var_4]
.text:00403F49 014                 and     edx, 0FFh
.text:00403F4F 014                 mov     eax, [ebp+var_8]
.text:00403F52 014                 and     eax, 0FFh
.text:00403F57 014                 or      edx, eax                ;Swap bits via OR
.text:00403F59 014                 mov     byte ptr [ebp+var_4], dl
.text:00403F5C 014                 mov     ecx, [ebp+var_10_Arg2]
.text:00403F5F 014                 mov     dl, byte ptr [ebp+var_4]
.text:00403F62 014                 mov     [ecx], dl       ; dl contains the patched byte
.text:00403F64 014                 mov     eax, [ebp+var_C_Arg1]

Here I have broken down and commented the disassembly showing the decryption routine. This should be pretty trivial to script so I don’t have to go byte for byte with a calculator and ASCII table.

DC script for swapping the low order nibble and the high order nibble of a byte
Uncomment one, or both of the functions at the bottom of the script
--Message() will just print the decoded strings to the messages window but will not patch the DB
--PatchByte() is self explanatory
Script by Chris Sia
static revbyte(void)
auto start, end, ptr, X, Y, Z;
start = SelStart();

end = SelEnd();

end = end - 1;

Message("Reversing Byte Order\n");
for (ptr = start; ptr <= end; ptr++)

X = Byte(ptr);

Y = Byte(ptr);

X = (X & 0xFF);

X = X << 4;


Y = (Y & 0xFF);

Y = Y >> 4;

Z = (X | Y);

/* Uncomment below to enable decoded strings to be printed in Messages Window */

/* Uncomment below to enable swapped bytes to be patched back to the DB */
PatchByte(ptr, Z);


This script can send the decrypted ASCII to the messages window in IDA, or actually patch the byte in the disassembly.

To use, highlight the data:

Then open the File/IDC command...and run revbyte().

The highlighted data now shows the decrypted strings. The beginning of a URL "http://20" is clearly visible.

No comments: