Green Dam Analysis Valkyrie-X by Anthony Lai

Green Dam Analysis Valkyrie-X by Anthony Lai - Presentation Transcript

1. Reversing and Exploiting Green Dam [0xdf], Valkyrie-X Security Research Lab, VXRL 2009
2. Special Thank You •  Mr. Byoungyoung Lee from PLUS, the mentor/advisor of Valkyrie-X
3. Background •  Focus on research and studies on software/system exploitation, vulnerability and reverse engineering, penetration testing and crypto problems. •  Activity: We joined CTF and ranked 68th out of 230 teams in the DefCon 17 prequalifying round.
4. (no transcribed text on this slide)
5. Agenda •  Reversing a few critical modules in Green Dam. •  Exploitation possibility
6. Let us start
7. Reversing •  XNet2.exe –  It is the major Green Dam service –  It handles installation and registers the software key to the system –  It is responsible for password check and reset –  Commander of XDaemon.exe and gn.exe –  Kick-starts a number of processes with the following executables: •  Xdaemon, gn, HTAnalyzer, MPSVCC, HNCENG, HH, Looklog and LookPic
8. Prepare and set up processes
9. Installation •  Installation – Software key registration to the registry.
10. More interesting stuff is…
11. (no transcribed text on this slide)
12. Prepare a list of processes
13. Installation Password •  After Green Dam converts the password using the MD5 algorithm, it saves it in text format within the kwpwf.dll file located in the C:\WINDOWS\system32 directory. When opened using Notepad, if the content is then replaced with "D0970714757783E6CF17???????????? ????????" and saved, the password is restored to the original "1122??????".
14. Easy Password
15. Green Dam – Data File •  Decrypted file content –  Contains keywords for filtering •  The data file naming convention and filtering classification are exactly the same as Cybersitter from Solid Oak.
16. Green Dam – Data File
17. (no transcribed text on this slide)
18. Green Dam – Connected IPs •  Connected IPs –  Connected to an ISP in the USA? –  Connected to NIST's time server?
19. (no transcribed text on this slide)
20. (no transcribed text on this slide)
21. (no transcribed text on this slide)
22. Green Dam – Monitored Software •  Monitored software –  We could find it from injlib32.dll –  Injlib32.dll is injected into every critical process. –  Handler.dll creates a process/thread to monitor any messages received from the injected DLL (as it supports transmitstring). [Diagram: Handler.dll – Injlib32.dll – Notepad.exe]
23. (no transcribed text on this slide)
24. (no transcribed text on this slide)
25. (no transcribed text on this slide)
26. Green Dam – Exploitation •  Possible vulnerabilities in Green Dam version 3.1.7 –  Green Dam is injected into the browser process and cannot handle a long URL –  A stack buffer overflow is found. •  The exploit is published on Milw0rm.com. It should be the same.
27. What is a Stack Buffer Overflow?
28. What is a Stack Buffer Overflow? (from Wikipedia.org)
29. How can we exploit? •  We try out an input of 2048 'A's and submit it as a URL. •  We attach OllyDbg to the Internet Explorer process, iexplore.exe, for debugging at runtime.
30. Demo
31. Exploitation Summary •  Successfully overwritten with our input. •  Deploying shellcode will be our next mission. •  No patch is provided.
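The defect slides 26 to 31 describe is a URL handler that copies its input into a fixed-size stack buffer without a length check, so a 2048-byte URL runs past the buffer and over the saved return address. The C below is an added example written for this transcript, not code from the slides or from Green Dam: it places the unbounded pattern beside a bounded handler that refuses over-long input. The 256-byte buffer size is an assumption for illustration; the slides do not state the real limit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer budget for the URL hook. The slides do not give Green Dam's
 * real figure; 256 is a hypothetical value chosen for the example. */
#define URL_BUF_SIZE 256

/* The defective pattern the slides describe: the hooked handler copies the
 * URL into a fixed stack buffer with no bound, so anything longer than the
 * buffer overwrites the rest of the frame. Shown for contrast only; never
 * call it with untrusted input. */
size_t unsafe_handle_url(const char *url)
{
    char buf[URL_BUF_SIZE];
    strcpy(buf, url);               /* no length check: 2048 bytes overflow */
    return strlen(buf);
}

/* Bounded copy: succeed only when url plus its terminator fits in dst.
 * Returns 1 on success, 0 when the input is rejected. */
int bounded_url_copy(char *dst, size_t dst_size, const char *url)
{
    size_t n = strlen(url);
    if (dst_size == 0 || n >= dst_size)
        return 0;                   /* would not fit, NUL included */
    memcpy(dst, url, n + 1);
    return 1;
}

/* Hardened handler: same fixed stack buffer, but an over-long URL is
 * refused (-1) instead of copied. Returns the URL length otherwise. */
int safe_handle_url(const char *url)
{
    char buf[URL_BUF_SIZE];
    if (!bounded_url_copy(buf, sizeof buf, url))
        return -1;
    return (int)strlen(buf);
}

/* Builds a URL of `len` 'A' characters, like the 2048-byte input from the
 * slides (constructed test input), and feeds it to the hardened handler. */
int probe_with_as(size_t len)
{
    char *p = malloc(len + 1);
    int rc;
    if (p == NULL)
        return -2;
    memset(p, 'A', len);
    p[len] = '\0';
    rc = safe_handle_url(p);
    free(p);
    return rc;
}

int main(void)
{
    printf("short URL  -> %d\n", safe_handle_url("http://example.com/"));
    printf("255 x 'A'  -> %d\n", probe_with_as(255));
    printf("2048 x 'A' -> %d\n", probe_with_as(2048));
    return 0;
}
```

The check is on the byte count, not on the URL syntax: the 255-character input is accepted because it fits with its terminator, the 256-character input is refused, and the 2048-character input from the slides never reaches the stack buffer.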
32. Our Conclusion
33. Conclusion •  We strongly suggest not installing this software. •  It introduces a vulnerability; it is not just filtering but monitors the use of software and the content you type.
34. Thank you for listening •  Anthony Lai (0xdf) •  0xdarkfloyd@gmail.com
35. Reference •  Technical Analysis of Green Dam –  http://wikileaks.org/wiki/A_technical_analysis_of_the_Chinese_'Green_Dam_Youth-Escort'_censorship_software •  Analysis of Green Dam Censorware System –  http://www.cse.umich.edu/~jhalderm/pub/gd/
36. Tools •  MD5 Decryption –  http://www.md5decrypter.com/ •  IDA Pro (get a free version) –  http://www.hex-rays.com/idapro/ –  http://www.amazon.com/exec/obidos/ASIN/1593271786/datarescuesanv
Reversing and Exploiting Green Dam, by Anthony Lai
    © All Rights Reserved

    Go to text version

    • Total Views 473
      • 473 on SlideShare
      • 0 from embeds
    • Comments 0
    • Favorites 0
    • Downloads 2
    Most viewed embeds

    more

    All embeds

    less

    Flagged as inappropriate Flag as inappropriate
    Flag as inappropriate

    Select your reason for flagging this presentation as inappropriate. If needed, use the feedback form to let us know more details.

    Cancel
    File a copyright complaint
    Having problems? Go to our helpdesk?

    Categories

    Tags