Hackito Ergo Sum Crackme

Éloi Vanderbéken
eloi.vanderbeken (at) ens-cachan.fr

09 April 2011

Éloi Vanderbéken, Hackito Ergo Sum 2011
Plan
   1 Introduction
   2 Verification algorithm
   3 Obfuscation
       Instruction mutation
       Control Flow Graph (CFG) obfuscation
   4 Encryption layers
   5 Direct native API call
   6 Anti-X
   7 How to break it
   8 Possible evolutions

About me



     Last year of a master's degree in cryptology and software security at École Normale Supérieure de Cachan
     Reversing software protections for 6 years
     Participate in several Capture The Flag competitions in my spare time




Some facts and numbers


      First crackme
      2 months
      6000 lines of Python
      Uses TTASM and BeaEngine
      Randomly generated
      Only 3 valid solutions




Algorithm



      Custom RC4 (initial table changed, starts with "HESFTW")
      Serial is used as a 256-byte key
      Generate the first 7 DWORDs
      Combine them with 0xDEADBEEF to generate a DWORD
      Use it as a constant to calculate the length of the last layers




Instruction mutation



      Run a static analysis to find freely modifiable (dead) registers
      Use them to mutate instructions
      Main rule: if your code uses an instruction, it has to be used
      everywhere ⇒ no difference between the useful code and the
      garbage




Control Flow Graph (CFG) obfuscation

   Before instruction mutation:
        Duplicate some pieces of code
        Add a fake or non-deterministic test to choose which copy will
        be executed
   After:
        Run a static analysis to know which flags are set/unset after
        each instruction
        Add conditional jumps which are never/always taken according
        to those flags
        Shuffle blocks

Figure: (incomplete) CFG of a layer made by IDA
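As an added illustration of the "after" step (example code written for this page, not the crackme's generator, which works on real x86 through TTASM and BeaEngine): a toy flag analysis over a textual assembly listing, followed by insertion of conditional jumps that are never (or always) taken, with junk on the dead paths and the junk blocks shuffled to the end. The rule set, the handled mnemonics, the junk pool and the listing format are constructed assumptions of this example; a real generator does this on decoded instructions and must also cope with flags written by calls and by memory operands.

```python
import random

FLAGS = ("CF", "ZF", "SF", "OF", "PF")
UNKNOWN = {f: None for f in FLAGS}

# A conditional jump that was NOT taken tells us a flag on the fall-through path.
FALLTHROUGH = {
    "jz": ("ZF", 0), "je": ("ZF", 0), "jnz": ("ZF", 1), "jne": ("ZF", 1),
    "jc": ("CF", 0), "jb": ("CF", 0), "jnc": ("CF", 1), "jae": ("CF", 1),
    "js": ("SF", 0), "jns": ("SF", 1), "jo": ("OF", 0), "jno": ("OF", 1),
    "jp": ("PF", 0), "jnp": ("PF", 1),
}
# Known flag value -> (jcc that is never taken, jcc that is always taken).
OPAQUE = {
    ("ZF", 1): ("jnz", "jz"), ("ZF", 0): ("jz", "jnz"),
    ("CF", 1): ("jnc", "jc"), ("CF", 0): ("jc", "jnc"),
    ("SF", 1): ("jns", "js"), ("SF", 0): ("js", "jns"),
    ("OF", 1): ("jno", "jo"), ("OF", 0): ("jo", "jno"),
    ("PF", 1): ("jnp", "jp"), ("PF", 0): ("jp", "jnp"),
}
NO_FLAGS = {"mov", "lea", "push", "pop", "nop", "xchg", "jmp", "ret"}
# Constructed garbage; it is never executed, only disassembled.
JUNK = ["add eax, 0x1337", "xor ebx, [esp+8]", "ror ecx, 7", "sub edx, eax", "mov eax, [eax]"]

def parse(insn):
    mnem, _, rest = insn.strip().partition(" ")
    return mnem.lower(), ([o.strip() for o in rest.split(",")] if rest else [])

def flags_after(insn, known):
    """Flag knowledge after executing insn, given the knowledge before it
    (constructed rules for a small x86 subset; anything else clears it)."""
    if insn.rstrip().endswith(":"):          # label: possible join point, forget everything
        return dict(UNKNOWN)
    mnem, ops = parse(insn)
    if mnem in NO_FLAGS:
        return dict(known)
    if mnem in FALLTHROUGH:                  # we are on the not-taken path
        flag, value = FALLTHROUGH[mnem]
        return {**known, flag: value}
    if mnem in ("xor", "sub") and len(ops) == 2 and ops[0] == ops[1]:
        return {"CF": 0, "ZF": 1, "SF": 0, "OF": 0, "PF": 1}   # result is zero
    if mnem == "stc":
        return {**known, "CF": 1}
    if mnem == "clc":
        return {**known, "CF": 0}
    if mnem in ("inc", "dec"):               # these leave CF untouched
        return {**UNKNOWN, "CF": known["CF"]}
    return dict(UNKNOWN)                     # call, arithmetic, cmp, test, ...

def obfuscate_cfg(code, seed=0):
    """Insert an opaque conditional jump wherever a flag is known, put junk on
    the path that is never executed, and shuffle the junk blocks at the end."""
    rng = random.Random(seed)
    out, tails, known, n = [], [], dict(UNKNOWN), 0
    for insn in code:
        out.append(insn)
        known = flags_after(insn, known)
        mnem = parse(insn)[0]
        choices = [(f, v) for f, v in known.items() if v is not None]
        if not choices or mnem in ("jmp", "ret") or insn.endswith(":"):
            continue                         # nothing known, or the fall-through is dead
        never, always = OPAQUE[rng.choice(choices)]
        n += 1
        if rng.random() < 0.5:
            # never taken: a disassembler still follows it into the junk block
            out.append(f"{never} junk_{n}")
            tails.append([f"junk_{n}:", rng.choice(JUNK), rng.choice(JUNK), f"jmp junk_{n}"])
        else:
            # always taken: junk lies inline where linear sweep expects code;
            # cont_n has this single predecessor, so the flag knowledge survives
            out.append(f"{always} cont_{n}")
            out += [rng.choice(JUNK), rng.choice(JUNK), f"cont_{n}:"]
    rng.shuffle(tails)
    return out + [line for block in tails for line in block]
```

Labels are treated as join points and clear all knowledge; that is the conservative choice, since the generator cannot assume a label is reached only from the preceding instruction. The not-taken branch of a conditional jump is the cheapest source of knowledge: right after `jne fail`, ZF is known to be 1 on the fall-through path.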

Layers




   How to make a layer as annoying as possible?
         Hide the end address of the encryption layer
         Hide the size of the encrypted code




Layers (continued)

      Use a Linear Feedback Shift Register (LFSR) to encrypt both the
      end address and a DWORD counter n times
      At execution, decrypt them one step at each loop iteration
      When the DWORD counter has been fully decrypted (it matches the
      constant), jump to the decrypted address
      Use an indirect jump to avoid breakpoints:
          cmp counter, CST
          setz cl
          jmp [ecx + addresses]
      Bonus: since the LFSR has maximal period, you can add as many
      fake comparisons as you want
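An added simulation of such a layer in Python (example code written for this page, not the crackme's own, which does this in x86 at run time). Assumptions: a 32-bit Galois LFSR with the standard maximal-length taps 32,22,2,1; the generator runs it backwards n times over the end address and the counter and the decryptor runs it forwards once per iteration; the body bytes are XORed with the low byte of the counter, which is this example's choice since the slide does not say how the body itself is encrypted. The two-entry jump table stands in for the `setz cl / jmp [ecx + addresses]` pattern, `pick_fake_constants` shows why fake comparisons are free, and `recover_layer_size` is the reverser's side: replaying the LFSR until it reaches CST yields the hidden size without stepping the loop in a debugger.

```python
import random

# Galois LFSR over 32 bits; taps 32,22,2,1 (mask bits 31,21,1,0) give a
# maximal period of 2**32 - 1, so no non-zero state repeats within it.
LFSR_MASK = 0x80200003

def lfsr_step(s):
    """One forward step: what the decryptor loop does once per iteration."""
    fb = s & 1
    s >>= 1
    return s ^ LFSR_MASK if fb else s

def lfsr_unstep(s):
    """Exact inverse of lfsr_step, used by the generator to pre-encrypt."""
    if s & 0x80000000:                 # bit 31 is set iff feedback was applied
        return ((s ^ LFSR_MASK) << 1) | 1
    return s << 1

def build_layer(code, end_addr, cst):
    """Generator side: hide end_addr and the counter by running the LFSR
    backwards len(code) times; encrypt the body with the counter sequence
    (XOR with its low byte is an assumption of this example)."""
    assert cst != 0, "0 is the LFSR's fixed point"
    enc_counter, enc_end = cst, end_addr
    for _ in range(len(code)):
        enc_counter, enc_end = lfsr_unstep(enc_counter), lfsr_unstep(enc_end)
    counter, body = enc_counter, bytearray()
    for b in code:
        counter = lfsr_step(counter)
        body.append(b ^ (counter & 0xFF))
    return enc_counter, enc_end, bytes(body)

def run_layer(enc_counter, enc_end, enc_code, cst):
    """Decryptor side: one LFSR step and one body byte per iteration. Neither
    the end address nor the size is visible until the counter equals CST."""
    counter, end, body = enc_counter, enc_end, bytearray()
    for pos in range(len(enc_code)):
        counter, end = lfsr_step(counter), lfsr_step(end)
        body.append(enc_code[pos] ^ (counter & 0xFF))
        # cmp counter, CST / setz cl / jmp [ecx + addresses]: a two-entry
        # table indexed by the comparison result instead of a visible jcc
        targets = (None, end)
        if targets[int(counter == cst)] is not None:
            return end, bytes(body)
    raise RuntimeError("counter never reached CST")

def recover_layer_size(enc_counter, cst, limit=1 << 20):
    """Reverser side: replay the LFSR until the counter hits CST; the number
    of steps is the hidden layer size, no debugger stepping required."""
    s = enc_counter
    for n in range(1, limit + 1):
        s = lfsr_step(s)
        if s == cst:
            return n
    return None

def pick_fake_constants(enc_counter, n, count, seed=0):
    """Constants for decoy comparisons: anything outside the n real counter
    values is never matched, because the LFSR never revisits a state."""
    rng, real, s = random.Random(seed), set(), enc_counter
    for _ in range(n):
        s = lfsr_step(s)
        real.add(s)
    fakes = []
    while len(fakes) < count:
        c = rng.getrandbits(32)
        if c and c not in real:
            fakes.append(c)
    return fakes
```

The protection only hides n and the end address from a static reader of the layer header; anyone willing to emulate the LFSR, which is a few lines, recovers both in microseconds. That is consistent with the "step the code" advice later in the deck.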

Direct native API call



       Get the syscall numbers at initialisation
       Use sysenter (does not work on 64-bit systems)
       Make random invalid or non-invasive (ZwYieldExecution) syscalls
       to defeat conditional breakpoints on KiFastSystemCallRet
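An added example (mine, not the crackme's code) of the first point, getting the syscall numbers from the export stubs of the mapped ntdll, written in Python over constructed stub bytes. It also makes the 64-bit caveat concrete: the stub layout assumed here is the one of 32-bit ntdll on XP SP2+/Vista/7 (`mov eax, N / mov edx, 7FFE0300h / call [edx]`, where [7FFE0300h] points at KiFastSystemCall and its sysenter), while the 32-bit ntdll of a 64-bit Windows 7 instead dispatches through `call fs:[0C0h]` into 64-bit code, so a number extracted from it cannot be fed to sysenter. The numbers in the sample are placeholders, not real ones.

```python
import struct

# Constructed tails that follow "mov eax, imm32" in the two stub layouts.
NATIVE_TAIL = bytes.fromhex("BA 00 03 FE 7F FF 12")            # mov edx,7FFE0300h ; call [edx]
WOW64_TAIL = bytes.fromhex("33 C9 8D 54 24 04 64 FF 15 C0 00 00 00")  # xor ecx,ecx ; lea edx,[esp+4] ; call fs:[0C0h]

def syscall_number(stub):
    """Return (number, flavour) for one export stub, flavour being 'native'
    (reachable through sysenter) or 'wow64' (not). ValueError otherwise."""
    if len(stub) < 5 or stub[0] != 0xB8:                  # mov eax, imm32
        raise ValueError("not a mov eax, imm32 stub")
    number = struct.unpack_from("<I", stub, 1)[0]
    tail = stub[5:]
    if tail.startswith(NATIVE_TAIL):
        return number, "native"
    if tail.startswith(WOW64_TAIL):
        return number, "wow64"
    raise ValueError("unknown stub layout")

def build_syscall_table(exports):
    """exports maps export name -> first bytes at its address, as read from
    the mapped image; exports that are not syscall stubs are skipped."""
    table = {}
    for name, stub in exports.items():
        try:
            table[name] = syscall_number(stub)
        except ValueError:
            continue
    return table

def make_stub(number, tail):
    """Build a constructed stub: mov eax, number / tail / ret 4."""
    return b"\xB8" + struct.pack("<I", number) + tail + b"\xC2\x04\x00"

# Constructed sample of what the crackme would read at initialisation.
# The numbers are placeholders: real ones differ between Windows builds.
SAMPLE_EXPORTS = {
    "ZwYieldExecution": make_stub(0x0116, NATIVE_TAIL),
    "ZwSetContextThread": make_stub(0x00D5, NATIVE_TAIL),
    "RtlInitUnicodeString": bytes.fromhex("8B FF 55 8B EC"),  # mov edi,edi / push ebp / mov ebp,esp
}
SAMPLE_WOW64 = {"ZwYieldExecution": make_stub(0x0116, WOW64_TAIL)}
```

Because the numbers are read from the image at start-up, a memory breakpoint on the ntdll PE mapping fires during that initialisation, which is the first item of the "So how to solve it?" slide.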




Classical anti-debugger tricks



   Well-known anti-debugger tricks, made difficult to bypass by the
   direct use of sysenter:
       NtQueryInformationProcess + ProcessDebugPort
       NtSetInformationThread + ThreadHideFromDebugger
       NtSetContextThread to clear hardware breakpoints




Anti-instrumentation framework



      Detect hooks on KiUserExceptionDispatcher and
      KiUserCallbackDispatcher
      Detect stack reuse by the instrumentation code: place a constant
      at [esp-4], execute a sysenter, check whether [esp-4] has changed




Anti data-tainting
   After execution of each part of the algorithm, the result is copied using
   an indirect (control-flow) dependency, so byte-level taint tracking loses
   track of it:

    /* BYTE/BOOL as in the Windows headers; spelled out so this compiles stand-alone */
    typedef unsigned char BYTE;
    typedef int BOOL;
    #define TRUE  1
    #define FALSE 0

    /* dest[t] never receives a byte of source: it receives the counter val,
       and source only decides in WHICH iteration the store happens. */
    void AntiTaintMemcpy(BYTE *source, BYTE *dest, int size)
    {
        for (int t = 0; t < size; ++t) {
            BYTE val = 0;
            do {
                BOOL isDiff = FALSE;
                if (source[t] != val)
                    isDiff = TRUE;
                if (!isDiff)
                    dest[t] = val;
                ++val;                  /* BYTE wraps to 0 after 255: loop ends */
            } while (val != 0);
        }
    }

So how to solve it?


      API init: set a memory breakpoint on the ntdll PE image (where the
               syscall numbers are read from at start-up)
      Anti-Dbg: don't use a debugger; inject a DLL and use a
               VectoredExceptionHandler to set hardware breakpoints
      Anti-HBP: replace the ZwSetThreadContext syscall number with a
               harmless or invalid one
      ReadFile: use a kernel debugger, or replace the syscall number with
               a GDI one, which will call KiUserCallbackDispatcher
    Obfuscation: step the code :)


How to find a valid serial



       Brute force (JB Bédrune)
       Use the RC4 internal table created with the published key
       (Kyriakos Economou and Mark Wodrich)
       Generate a valid keystream, use a backward algorithm to find an
       internal table which generates this keystream, then find a key
       which generates this table (me :) )
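An added worked example (mine, not the crackme's code) covering both this slide and the "Algorithm" slide earlier: the custom RC4 as described there, and the third solving route, from a chosen keystream back to a serial. Two things the slides leave open are assumptions here: the modified initial table is taken to be a permutation of 0..255 that starts with the bytes of "HESFTW" and continues in ascending order, and the 7 DWORDs are read little-endian. The combination with 0xDEADBEEF is not specified, so the example stops at the keystream. The backward step works because each PRGA output reads only a few table entries, so a start state can be fixed entry by entry and the swaps undone afterwards; and because with a 256-byte key every KSA step's index j can be chosen freely, any target permutation has a key.

```python
import random
import struct

def hesftw_table():
    """Assumed reading of 'initial table changed, starts with HESFTW'."""
    prefix = list(b"HESFTW")
    return prefix + [v for v in range(256) if v not in prefix]

def rc4_ksa(key, init_table):
    """Standard RC4 key schedule, but starting from a custom permutation."""
    S, j = list(init_table), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4_prga(S, n):
    """Standard RC4 output generation from a start state (i = j = 0)."""
    S, i, j, out = list(S), 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def first_dwords(serial, init_table=None):
    """The 7 DWORDs the check derives from the serial (little-endian assumed)."""
    ks = rc4_prga(rc4_ksa(serial, init_table or hesftw_table()), 28)
    return struct.unpack("<7I", ks)

def _choose(S, used, i, j, z, rng):
    """Pick values for position i and for position j' = j + S[i] so that this
    PRGA step outputs z; positions already fixed keep their value. Returns
    (S[i], S[j'], j', k) with k the index the output is read from, or None."""
    free = [v for v in range(256) if v not in used]
    rng.shuffle(free)
    for si in ([S[i]] if S[i] is not None else free):
        nj = (j + si) & 0xFF
        if nj == i:
            cand = [si]
        elif S[nj] is not None:
            cand = [S[nj]]
        else:
            cand = [v for v in free if v != si]
        for sj in cand:
            k = (si + sj) & 0xFF            # the swap does not change the sum
            if k == i:                      # after the swap, position i holds sj
                ok = sj == z
            elif k == nj:                   # and position j' holds si
                ok = si == z
            else:
                ok = S[k] == z or (S[k] is None and z not in used and z not in (si, sj))
            if ok:
                return si, sj, nj, k
    return None

def state_for_keystream(target, seed=0):
    """Backward step 1: a PRGA start state that emits target, built by fixing
    table entries lazily and rewinding the swaps at the end."""
    rng = random.Random(seed)
    for _attempt in range(200):
        S, used, swaps, i, j = [None] * 256, set(), [], 0, 0
        for z in target:
            i = (i + 1) & 0xFF
            pick = _choose(S, used, i, j, z, rng)
            if pick is None:
                break                       # dead end: retry with other choices
            si, sj, nj, k = pick
            S[i], S[nj] = sj, si            # the table as it looks after the swap
            used.update((si, sj))
            if k not in (i, nj):
                S[k] = z
                used.add(z)
            swaps.append((i, nj))
            j = nj
        else:
            for a, b in reversed(swaps):    # rewind to the pre-PRGA state
                S[a], S[b] = S[b], S[a]
            spare = iter(v for v in range(256) if v not in used)
            return [v if v is not None else next(spare) for v in S]
    raise RuntimeError("no consistent state found")

def key_for_state(target_state, init_table):
    """Backward step 2: with a 256-byte key each KSA step's j is free, so
    choose key[i] to move target_state[i] into position i."""
    S, key, j = list(init_table), bytearray(256), 0
    for i in range(256):
        p = S.index(target_state[i], i)     # the wanted value sits at p >= i
        key[i] = (p - j - S[i]) & 0xFF
        j = p
        S[i], S[p] = S[p], S[i]
    return bytes(key)

def forge_serial(target_keystream, init_table=None, seed=0):
    """A 256-byte serial whose custom-RC4 keystream starts with target_keystream."""
    init_table = init_table or hesftw_table()
    return key_for_state(state_for_keystream(target_keystream, seed), init_table)
```

The lesson for anyone reusing RC4 as a serial check: a key as long as the state gives the attacker full control of the permutation, so changing the initial table adds nothing once the keystream the check expects is known.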




Some ideas for the next year ;)


       Recode the whole crackme generator in C
       Use XED (by Intel) to disassemble and reassemble instructions
       Multi-threading
       Virtualisation
       More mutation rules, more complex instructions (FPU, MMX, SSE,
       etc.)
       More anti-X



Thanks

Thank you!

Questions?

 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 

HES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme

Slide 1: Hackito Ergo Sum Crackme
Section outline: Introduction, Verification algorithm, Obfuscation, Encryption layers, Direct native API call, Anti-X, How to break it, Possible evolutions
Éloi Vanderbeken, eloi.vanderbeken (at) ens-cachan.fr
09 April 2011
Éloi Vanderbeken, Hackito Ergo Sum 2011
Slide 2: Plan
1 Introduction
2 Verification algorithm
3 Obfuscation
  Instruction mutation
  Control Flow Graph (CFG) obfuscation
4 Encryption layers
5 Direct native API call
6 Anti-X
7 How to break it
8 Possible evolutions
Slide 3: About me
Last year of master's degree in cryptology and software security at École Normale Supérieure of Cachan
Reversing software protection for 6 years
Participate in several Capture The Flag contests in my spare time
Slide 4: Plan (same outline as slide 2)
Slide 5: Some facts and numbers
First crackme
2 months
6000 lines of Python
Uses TTASM and BeaEngine
Randomly generated
Only 3 valid solutions
Slide 6: Plan (same outline as slide 2)
Slide 7: Algorithm
Custom RC4 (initial table changed, starts with "HESFTW")
The serial is used as a 256-byte key
Generate the first 7 DWORDs of keystream
Combine them with 0xDEADBEEF to generate a DWORD
Use it as a constant to calculate the length of the last layers
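To make the structure of that check concrete, here is an added Python illustration (it is not the crackme's code, and the crackme's real initial table, serial padding and combination function are not published here). Assumed: the custom table is the bytes of "HESFTW" followed by the remaining byte values in ascending order, the serial is zero-padded to 256 bytes, and the seven DWORDs are combined with 0xDEADBEEF by XOR. With the identity table the core reduces to standard RC4, which is checked against the well-known "Key"/"Plaintext" test vector.

```python
"""Added example: RC4 keystream with a customised initial permutation, showing
how a serial becomes the DWORD constant used for the last layers' length."""
import struct


def initial_table(prefix: bytes) -> list[int]:
    """256-entry permutation starting with `prefix` (assumed layout: the
    remaining byte values follow in ascending order)."""
    if len(set(prefix)) != len(prefix):
        raise ValueError("prefix must not repeat a byte")
    table = list(prefix) + [b for b in range(256) if b not in prefix]
    assert sorted(table) == list(range(256))
    return table


def ksa(key: bytes, table: list[int]) -> list[int]:
    """RC4 key scheduling, but seeded from `table` instead of 0..255."""
    s = list(table)
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def prga(s: list[int], n: int) -> bytes:
    """Standard RC4 output generation: n keystream bytes from state s."""
    s = list(s)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pad_serial(serial: bytes) -> bytes:
    """The slide says the serial is a 256-byte key; zero padding is assumed."""
    return serial[:256].ljust(256, b"\x00")


def layer_length_constant(serial: bytes, prefix: bytes = b"HESFTW") -> int:
    """Seven keystream DWORDs combined with 0xDEADBEEF (XOR is assumed)."""
    s = ksa(pad_serial(serial), initial_table(prefix))
    dwords = struct.unpack("<7I", prga(s, 7 * 4))
    acc = 0xDEADBEEF
    for d in dwords:
        acc ^= d
    return acc & 0xFFFFFFFF


if __name__ == "__main__":
    # constructed serial, not a real solution of the crackme
    print(hex(layer_length_constant(b"HES-2011-SERIAL")))
```

Because the constant feeds the size of the last decryption layers, a wrong serial does not produce an error message but a wrong layer length, which is why the slide calls it a verification algorithm rather than a comparison.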
Slide 8: Plan (same outline as slide 2)
Slide 9: Plan (same outline as slide 2)
Slide 10: Instruction mutation
Perform a static analysis to find the registers that can be freely modified
Use them to mutate instructions
Main rule: if your code uses an instruction, it has to be used everywhere ⇒ no difference between the useful code and the garbage
Slide 11: Plan (same outline as slide 2)
Slide 12: Control Flow Graph (CFG) obfuscation
Before instruction mutation:
  Duplicate some pieces of code
  Add a fake or non-deterministic test to choose which block will be executed
After:
  Perform a static analysis to know which flags are set/unset after each instruction
  Add conditional jumps which are never/always taken according to the flags
  Shuffle blocks
Slide 13: Figure: (incomplete) CFG of a layer as shown by IDA
Slide 14: Plan (same outline as slide 2)
Slide 15: Layers
How to make a layer as annoying as possible?
Hide the end address of the encryption layer
Hide the size of the encrypted code
Slide 16: Layers (continued)
Use a Linear Feedback Shift Register (LFSR) to encrypt both the end address and a DWORD counter n times
At execution, decrypt them once per loop iteration
When the DWORD counter has been fully decrypted (it equals the expected constant), jump to the decrypted address
Use an indirect jump to avoid breakpoints:
  cmp counter, CST
  setz cl
  jmp [ecx + addresses]
Bonus: the LFSR having the biggest possible period, you can add as many fake comparisons as you want
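The mechanism above as an added Python simulation (not the crackme's code): the generator steps a 32-bit LFSR n times over both the counter and the end address, and the run-time loop undoes one step per iteration, so neither the code size n nor the end address is visible until the counter decrypts to CST. The feedback polynomial (x^32 + x^22 + x^2 + x + 1), the per-DWORD XOR with the counter state and the decoy constants are assumptions of this example; the invertible step is what makes "decrypt one time at each loop execution" possible.

```python
"""Added example: LFSR-hidden loop counter and end address of a decryption layer."""

MASK = 0xFFFFFFFF
# Feedback taps for x^32 + x^22 + x^2 + x + 1 (bit positions 31, 21, 1, 0).
# Bit 31 being a tap is what makes a single step exactly invertible.
TAPS = 0x80200003


def parity(x: int) -> int:
    return bin(x).count("1") & 1


def lfsr_step(state: int) -> int:
    """One forward ('encrypt') step: shift left, feed the tap parity in at bit 0."""
    return ((state << 1) | parity(state & TAPS)) & MASK


def lfsr_unstep(state: int) -> int:
    """Exact inverse ('decrypt') step: the bit shifted out of position 31 is
    recovered from the fed-back bit and the parity of the remaining taps."""
    fed_back = state & 1
    low31 = state >> 1
    lost_bit = fed_back ^ parity(low31 & (TAPS & 0x7FFFFFFF))
    return low31 | (lost_bit << 31)


def encrypt(value: int, n: int) -> int:
    for _ in range(n):
        value = lfsr_step(value)
    return value


def build_layer(plain_code: list[int], end_addr: int, cst: int) -> dict:
    """Generator side (constructed). Both hidden values are stepped n times;
    code DWORD k is XORed with the counter state the loop will hold at
    iteration k, so the code cannot be decrypted without walking the counter."""
    if cst == 0:
        raise ValueError("0 is a fixed point of the LFSR; pick a non-zero CST")
    n = len(plain_code)
    enc_code = [dw ^ encrypt(cst, n - 1 - k) for k, dw in enumerate(plain_code)]
    trajectory = {encrypt(cst, i) for i in range(n)}
    # Decoy constants for fake comparisons: never on the counter's path.
    decoys = [c for c in (0x11111111, 0x22222222, 0x33333333) if c not in trajectory]
    return {"code": enc_code, "counter": encrypt(cst, n),
            "end_addr": encrypt(end_addr, n), "decoys": decoys}


def run_layer(layer: dict, cst: int, fake_csts=()) -> dict:
    """Run-time side: per iteration, one code DWORD, one counter step and one
    address step are decrypted; the exit is taken through the setz/indirect-jump
    idiom from the slide. The loop does not know n in advance."""
    code = list(layer["code"])
    counter, end_addr = layer["counter"], layer["end_addr"]
    targets = ("loop", "exit")          # the `addresses` table of the slide
    fake_hits = 0
    k = 0
    while True:
        if k >= len(code):
            raise RuntimeError("counter never decrypted to CST")
        counter = lfsr_unstep(counter)
        end_addr = lfsr_unstep(end_addr)
        code[k] ^= counter
        fake_hits += sum(1 for f in fake_csts if counter == f)   # fake compares
        # cmp counter, CST ; setz cl ; jmp [ecx + addresses]
        if targets[int(counter == cst)] == "exit":
            return {"code": code[:k + 1], "end_addr": end_addr,
                    "iterations": k + 1, "fake_hits": fake_hits}
        k += 1


if __name__ == "__main__":
    # constructed sample layer: five DWORDs of "code", a fake end address and CST
    layer = build_layer([0x90909090, 0xCCCCCCCC, 0x12345678], 0x00401234, 0x1337C0DE)
    print(run_layer(layer, 0x1337C0DE, layer["decoys"]))
```

The decoys illustrate the slide's bonus: as long as a fake constant is not on the counter's trajectory, a comparison against it is dead code that still looks like a possible exit to anyone reading the layer statically.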
Slide 17: Plan (same outline as slide 2)
Slide 18: Direct native API call
Get syscall numbers at initialisation
Use sysenter (does not work on 64-bit systems)
Make random invalid or non-invasive (ZwYieldExecution) syscalls to prevent conditional breakpoints on KiFastSystemCallRet
Slide 19: Plan (same outline as slide 2)
Slide 20: Classical anti-debugger tricks
Well-known anti-debugger tricks, made difficult to bypass by the direct use of sysenter:
  NtQueryInformationProcess + ProcessDebugPort
  NtSetInformationThread + ThreadHideFromDebugger
  NtSetContextThread to delete hardware breakpoints
Slide 21: Anti-instrumentation framework
Detect hooks on KiUserExceptionDispatcher and KiUserCallbackDispatcher
Detect stack reuse by instrumentation code: place a constant at esp-4, execute a sysenter, check whether esp-4 has been changed
Slide 22: Anti data-tainting
After execution of each part of the algorithm, the result is copied using an indirect dependence: each destination byte is chosen by a branch on the source byte rather than copied from it, so a taint engine that only propagates data dependencies loses track of it.

  void AntiTaintMemcpy(BYTE *source, BYTE *dest, int size)
  {
      for (int t = 0; t < size; ++t) {
          BYTE val = 0;
          do {
              BOOL isDiff = FALSE;
              if (source[t] != val)
                  isDiff = TRUE;
              if (!isDiff)
                  dest[t] = val;      /* dest depends on source only through the branch */
              ++val;
          } while (val != 0);         /* BYTE wraps to 0 after 255: all values tried */
      }
  }
Slide 23: Plan (same outline as slide 2)
Slide 24: So how to solve it?
API init: set a memory breakpoint on the ntdll PE
Anti-Dbg: don't use a debugger; inject a DLL and use a VectoredExceptionHandler to set hardware breakpoints
Anti-HBP: replace the ZwSetThreadContext syscall number with a harmless or invalid one
ReadFile: use a kernel debugger, or replace syscall numbers with a GDI one which will call KiUserCallbackDispatcher
Obfuscation: step through the code :)
Slide 25: How to find a valid serial
Bruteforce (JB Bédrune)
Use the RC4 internal table created with the published key (Kyriakos Economou and Mark Wodrich)
Generate a valid keystream, use a backward algorithm to find an internal table which generates this keystream, then find a key which generates this table (me :) )
Slide 26: Plan (same outline as slide 2)
Slide 27: Some ideas for next year ;)
Recode all the crackme generation in C
Use XED (by Intel) to disassemble and reassemble instructions
Multi-threading
Virtualisation
More mutation rules, more complex instructions (FPU, MMX, SSE, etc.)
More anti-X
Slide 28: Thanks
Thank you!
Slide 29: Questions?