Transcript of "HES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme"

  1. Hackito Ergo Sum Crackme
     Éloi Vanderbéken, eloi.vanderbeken (at) ens-cachan.fr
     09 April 2011
     Éloi Vanderbéken, Hackito Ergo Sum 2011
  2. Plan
     1 Introduction
     2 Verification algorithm
     3 Obfuscation: instruction mutation; Control Flow Graph (CFG) obfuscation
     4 Encryption layers
     5 Direct native API call
     6 Anti-X
     7 How to break it
     8 Possible evolutions
  3. About me
     Last year of a master's degree in cryptology and software security at École Normale Supérieure de Cachan
     Reversing software protections for 6 years
     Takes part in several Capture The Flags in my spare time
  5. Some facts and numbers
     First crackme
     2 months of work
     6000 lines of Python
     Uses TTASM and BeaEngine
     Randomly generated
     Only 3 valid solutions
  7. Verification algorithm
     Custom RC4 (initial table changed, starts with "HESFTW")
     The serial is used as a 256-byte key
     Generate the first 7 DWORDs of keystream
     Combine them with 0xDEADBEEF to generate a DWORD
     Use it as a constant to calculate the length of the last layers
  10. Instruction mutation
     Make a static analysis to find freely modifiable registers
     Use them to mutate instructions
     Main rule: if your code uses an instruction, it has to be used everywhere ⇒ no difference between the useful code and the garbage code
  12. Control Flow Graph (CFG) obfuscation
     Before instruction mutation:
       Duplicate some pieces of code
       Add a fake or non-deterministic test to choose which block will be executed
     After instruction mutation:
       Make a static analysis to know which flags are set/unset after each instruction
       Add conditional jumps which are never/always taken according to those flags
       Shuffle the blocks
  13. Figure: (incomplete) CFG of a layer, as drawn by IDA
  15. Layers
     How to make a layer as annoying as possible?
     Hide the end address of the encryption layer
     Hide the size of the encrypted code
  16. Layers (continued)
     Use a Linear Feedback Shift Register (LFSR) to encrypt, n times, both the end address and a dword counter
     At execution, decrypt them once per loop iteration
     When the dword counter has been fully decrypted, jump to the decrypted address
     Use an indirect jump to avoid breakpoints:
       cmp counter, CST
       setz cl
       jmp [ecx + addresses]
     Bonus: since the LFSR has the biggest possible period, you can add as many fake comparisons as you want
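A runnable model of the layer header trick from slide 16, added here as an illustration and not taken from the crackme. It assumes a 32-bit Galois LFSR with taps 0x80200003 (x^32 + x^22 + x^2 + x + 1, maximal period), that "encrypt n times" means stepping the register forward n times from a state seeded with the value, and that "decrypt once" means one backward step; the loop-top address 0x400000 is a made-up placeholder.

```python
# Model of the LFSR-protected layer header (slide 16). Added example, not the
# crackme's code. Assumed: 32-bit Galois LFSR, taps 0x80200003 (maximal period),
# encrypt = n forward steps from the value, decrypt = one backward step per loop.
TAPS = 0x80200003
MASK = 0xFFFFFFFF


def lfsr_forward(state):
    """One Galois LFSR step (the 'encrypt' direction)."""
    out = state & 1
    state >>= 1
    if out:
        state ^= TAPS
    return state


def lfsr_backward(state):
    """Exact inverse of lfsr_forward (the 'decrypt' direction)."""
    out = state >> 31  # TAPS has bit 31 set, so the top bit is the bit shifted out
    if out:
        state ^= TAPS
    return ((state << 1) | out) & MASK


def encrypt_layer_header(end_addr, counter, n):
    """Generation side: hide the end address and the dword counter under n LFSR steps."""
    for _ in range(n):
        end_addr, counter = lfsr_forward(end_addr), lfsr_forward(counter)
    return end_addr, counter


def run_layer(enc_end, enc_counter, cst, loop_top=0x400000, max_iters=1 << 20):
    """Execution side: decrypt both words once per iteration and take the indirect
    jump (cmp counter, CST / setz cl / jmp [ecx + addresses]) only once the counter
    is fully decrypted. Returns (iterations_run, jump_target); neither the iteration
    count (the hidden size) nor the target is visible before the loop reaches them.
    loop_top is a placeholder address for the 'loop again' entry of the table."""
    for i in range(1, max_iters + 1):
        enc_end, enc_counter = lfsr_backward(enc_end), lfsr_backward(enc_counter)
        addresses = [loop_top, enc_end]   # index 0: loop again, index 1: leave the layer
        taken = int(enc_counter == cst)   # setz cl
        if taken:
            return i, addresses[taken]
    raise RuntimeError("CST never matched within max_iters (a fake comparison behaves this way)")
```

Because the backward step is an exact inverse, the only iteration on which the counter equals CST is the n-th, which is what lets the layer hide both its length and its exit address until it gets there.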
  18. Direct native API call
     Get the syscall numbers at initialisation
     Use sysenter (does not work on 64-bit systems)
     Make random invalid or non-invasive (ZwYieldExecution) syscalls to defeat conditional breakpoints on KiFastSystemCallRet
  20. Classical anti-debugger tricks
     Well-known anti-debugger tricks, made difficult to bypass by the direct use of sysenter:
       NtQueryInformationProcess + ProcessDebugPort
       NtSetInformationThread + ThreadHideFromDebugger
       NtSetContextThread to delete hardware breakpoints
  21. Anti-instrumentation framework
     Detect hooks on KiUserExceptionDispatcher and KiUserCallbackDispatcher
     Detect stack reuse by instrumentation code: place a constant at esp-4, execute a sysenter, check whether esp-4 has been changed
  22. Anti data-tainting
     After the execution of each part of the algorithm, the result is copied using an indirect dependence, so that no byte of dest is computed from a byte of source:

     #include <windows.h>   /* BYTE, BOOL, TRUE, FALSE */

     void AntiTaintMemcpy(BYTE *source, BYTE *dest, int size)
     {
         for (int t = 0; t < size; ++t) {
             BYTE val = 0;
             do {
                 /* source is only ever compared, never copied */
                 BOOL isDiff = FALSE;
                 if (source[t] != val)
                     isDiff = TRUE;
                 if (!isDiff)
                     dest[t] = val;   /* val comes from the counter, not from source */
                 ++val;
             } while (val != 0);      /* BYTE wraps from 255 to 0: all 256 values tried */
         }
     }
  24. So how to solve it?
     API init: set a memory breakpoint on the ntdll PE
     Anti-Dbg: don't use a debugger; inject a DLL and use a VectoredExceptionHandler to set hardware breakpoints
     Anti-HBP: replace the ZwSetThreadContext syscall number with a harmless or invalid one
     ReadFile: use a kernel debugger, or replace the syscall numbers with a GDI one which will call KiUserCallbackDispatcher
     Obfuscation: step through the code :)
  25. How to find a valid serial
     Bruteforce (JB Bédrune)
     Use of the RC4 internal table created with the published key (Kyriakos Economou and Mark Wodrich)
     Generate a valid keystream, use a backward algorithm to find an internal table which generates this keystream, then find a key which generates this table (me :) )
  27. Some ideas for next year ;)
     Recode all the crackme generation in C
     Use XED (by Intel) to disassemble and reassemble instructions
     Multi-threading
     Virtualisation
     More mutation rules, more complex instructions (FPU, MMX, SSE etc.)
     More anti-X
  28. Thanks
     Thank you!
  29. Questions?