Introduction
  Verification algorithm
            Obfuscation
      Encryption layers
  Direct native API call
                 Anti-X
        How to break it
     Possible evolutions




Hackito Ergo Sum Crackme

Éloi Vanderbéken

eloi.vanderbeken (at) ens-cachan.fr

09 April 2011




      Éloi Vanderbéken        Hackito Ergo Sum 2011


Plan
   1 Introduction
   2 Verification algorithm
   3 Obfuscation
       Instruction mutation
       Control Flow Graph (CFG) obfuscation
   4 Encryption layers
   5 Direct native API call
   6 Anti-X
   7 How to break it
   8 Possible evolutions



About me



     Last year of a master's degree in cryptology and software
     security at École Normale Supérieure of Cachan
     Reversing software protections for 6 years
     Taking part in several Capture The Flag events in my spare time








Some facts and numbers


      First crackme
      2 months
      6000 lines of Python
      Uses TTASM and BeaEngine
      Randomly generated
      Only 3 valid solutions








Algorithm



      Custom RC4 (initial table changed: it starts with "HESFTW")
      The serial is used as a 256-byte key
      Generate the first 7 DWORDs of keystream
      Combine them with 0xDEADBEEF to produce a DWORD
      Use it as a constant to compute the length of the last layers
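An added illustration of the verification algorithm on this slide (example code written for this page, not the crackme's own code): RC4 with a custom initial table starting with "HESFTW", keyed by the 256-byte serial, whose first 7 keystream DWORDs are combined with 0xDEADBEEF. How the table continues after the six known bytes, and XOR as the combining operation, are assumptions; the sample serial is constructed and is not a solution of the crackme.

```c
#include <stdint.h>
#include <stddef.h>

/* Initial permutation. The slides only say the table "starts with HESFTW";
 * ASSUMPTION: the remaining 250 byte values follow in ascending order,
 * skipping the six already placed. */
void hes_initial_table(uint8_t S[256])
{
    static const uint8_t prefix[6] = { 'H', 'E', 'S', 'F', 'T', 'W' };
    uint8_t used[256] = { 0 };
    size_t n = 0;
    for (size_t i = 0; i < 6; ++i) {
        S[n++] = prefix[i];
        used[prefix[i]] = 1;
    }
    for (unsigned v = 0; v < 256; ++v)
        if (!used[v])
            S[n++] = (uint8_t)v;
}

/* Key scheduling: the standard RC4 KSA run over the custom table, with the
 * 256-byte serial as the key ("Serial is used as a 256-byte key"). */
void hes_ksa(uint8_t S[256], const uint8_t serial[256])
{
    hes_initial_table(S);
    uint8_t j = 0;
    for (unsigned i = 0; i < 256; ++i) {
        j = (uint8_t)(j + S[i] + serial[i]);
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
}

/* Keystream generation: the standard RC4 PRGA, `len` bytes. */
void hes_prga(uint8_t S[256], uint8_t *out, size_t len)
{
    uint8_t i = 0, j = 0;
    for (size_t k = 0; k < len; ++k) {
        i = (uint8_t)(i + 1);
        j = (uint8_t)(j + S[i]);
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
        out[k] = S[(uint8_t)(S[i] + S[j])];
    }
}

/* The constant derived from a serial: the first 7 keystream DWORDs
 * (little-endian) combined with 0xDEADBEEF. ASSUMPTION: "combine" is XOR;
 * the slides do not name the operation. The crackme uses the result as the
 * length constant of the last layers. */
uint32_t hes_layer_constant(const uint8_t serial[256])
{
    uint8_t S[256], ks[28];
    hes_ksa(S, serial);
    hes_prga(S, ks, sizeof ks);
    uint32_t acc = 0xDEADBEEFu;
    for (size_t d = 0; d < 7; ++d) {
        uint32_t w = (uint32_t)ks[4 * d]
                   | (uint32_t)ks[4 * d + 1] << 8
                   | (uint32_t)ks[4 * d + 2] << 16
                   | (uint32_t)ks[4 * d + 3] << 24;
        acc ^= w;
    }
    return acc;
}

/* Self-check: an RC4 state table must always be a permutation of 0..255,
 * both before and after key scheduling. */
int hes_is_permutation(const uint8_t S[256])
{
    uint8_t seen[256] = { 0 };
    for (unsigned i = 0; i < 256; ++i) {
        if (seen[S[i]])
            return 0;
        seen[S[i]] = 1;
    }
    return 1;
}

int hes_initial_table_ok(void)
{
    uint8_t S[256];
    hes_initial_table(S);
    return hes_is_permutation(S) && S[0] == 'H' && S[1] == 'E' && S[2] == 'S'
        && S[3] == 'F' && S[4] == 'T' && S[5] == 'W';
}

int hes_ksa_keeps_permutation(void)
{
    uint8_t S[256], serial[256];
    /* Constructed sample serial; not a real solution of the crackme. */
    for (unsigned i = 0; i < 256; ++i)
        serial[i] = (uint8_t)(i * 7 + 3);
    hes_ksa(S, serial);
    return hes_is_permutation(S) && hes_layer_constant(serial) == hes_layer_constant(serial);
}
```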








Instruction mutation



      Do a static analysis to find the freely modifiable registers
      Use them to mutate instructions
      Main rule: if your code uses an instruction, it has to be used
      everywhere ⇒ no difference between the useful code and the
      garbage code






Control Flow Graph (CFG) obfuscation

   Before instruction mutation:
        Duplicate some pieces of code
        Add a fake or non-deterministic test to choose which block will
        be executed
   After:
        Do a static analysis to know which flags are set/unset at
        each instruction
        Add conditional jumps which are never/always taken according
        to the flags
        Shuffle the blocks

Figure: (incomplete) CFG of a layer made by IDA


Layers




   How to make a layer as annoying as possible?
         Hide the end address of the encryption layer
         Hide the size of the encrypted code






Layers (continued)

      Use a Linear Feedback Shift Register (LFSR) to encrypt both the
      end address and a DWORD counter n times
      At execution, decrypt them once at each loop iteration
      When the DWORD counter has been decrypted, jump to the
      decrypted address
      Use an indirect jump to avoid breakpoints:
          cmp counter, CST
          setz cl
          jmp [ecx + addresses]
      Bonus: since the LFSR has the largest possible period, you can add
      as many fake comparisons as you want
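The LFSR layer described above, as an added example that is not part of the original slides: at build time both the end address and the counter are stepped n times through an invertible 32-bit Galois LFSR, and the run-time loop steps them back once per iteration, picking its next target from a two-entry address table indexed by the comparison result (the setz cl / jmp [ecx + addresses] idiom) instead of a conditional branch. The taps 0x80200003, the counter constant and the addresses are assumptions; the slides do not give them.

```c
#include <stdint.h>

/* 32-bit Galois LFSR. Taps 0x80200003 = x^32 + x^22 + x^2 + x + 1, a
 * maximal-period feedback polynomial. ASSUMPTION: the crackme's actual
 * LFSR parameters are not on the slides. */
#define LFSR_TAPS 0x80200003u

uint32_t lfsr_forward(uint32_t s)
{
    uint32_t lsb = s & 1u;
    s >>= 1;
    if (lsb)
        s ^= LFSR_TAPS;
    return s;
}

/* Exact inverse of lfsr_forward: bit 31 of the output is the bit that was
 * shifted out, because bit 31 of LFSR_TAPS is set and (s >> 1) clears it. */
uint32_t lfsr_backward(uint32_t s)
{
    uint32_t lsb = s >> 31;
    if (lsb)
        s ^= LFSR_TAPS;
    return (s << 1) | lsb;
}

/* Plaintext counter value the decryption loop waits for (constructed). */
#define COUNTER_CST 0x48455321u
/* Address of the loop head, the "keep looping" target (constructed). */
#define LOOP_TOP    0x00401000u

typedef struct {
    uint32_t enc_end;     /* layer end address, LFSR-stepped n times   */
    uint32_t enc_counter; /* COUNTER_CST, LFSR-stepped the same n times */
} layer_hdr;

/* Build-time side (the talk's Python generator): step both values n times,
 * so neither the end address nor the loop count is visible statically.
 * n must be >= 1: the loop below compares only after its first backward
 * step, so with n == 0 it would never see COUNTER_CST. */
layer_hdr layer_encrypt(uint32_t end_addr, unsigned n)
{
    layer_hdr h = { end_addr, COUNTER_CST };
    for (unsigned k = 0; k < n; ++k) {
        h.enc_end = lfsr_forward(h.enc_end);
        h.enc_counter = lfsr_forward(h.enc_counter);
    }
    return h;
}

/* Run-time side: one backward step per iteration, then
 *     cmp counter, CST ; setz cl ; jmp [ecx*4 + addresses]
 * modelled as indexing a two-entry table with the comparison result.
 * Returns the address jumped to and reports the number of iterations.
 * Fake comparisons against other constants could be added freely: with a
 * maximal-period LFSR the counter does not reach them before COUNTER_CST. */
uint32_t layer_run(layer_hdr h, unsigned *iterations)
{
    unsigned count = 0;
    unsigned cl;
    uint32_t next;
    do {
        h.enc_end = lfsr_backward(h.enc_end);
        h.enc_counter = lfsr_backward(h.enc_counter);
        ++count;
        uint32_t addresses[2] = { LOOP_TOP, h.enc_end };
        cl = (h.enc_counter == COUNTER_CST);   /* setz cl */
        next = addresses[cl];                  /* jmp [ecx*4 + addresses] */
    } while (cl == 0);
    if (iterations)
        *iterations = count;
    return next;
}

/* A layer built with n steps must decrypt to end_addr after exactly n
 * iterations: the LFSR is a bijection, so the counter reappears only then. */
int layer_roundtrip_ok(uint32_t end_addr, unsigned n)
{
    if (n == 0)
        return 0;
    unsigned it = 0;
    layer_hdr h = layer_encrypt(end_addr, n);
    return layer_run(h, &it) == end_addr && it == n;
}
```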



Direct native API call



       Get the syscall numbers at initialisation
       Use sysenter (does not work on 64-bit systems)
       Make random invalid or non-invasive (ZwYieldExecution)
       syscalls to prevent conditional breakpoints on
       KiFastSystemCallRet






Classical anti-debuggers tricks



   Well-known anti-debugger tricks, made difficult to bypass by the
   direct use of sysenter:
       NtQueryInformationProcess + ProcessDebugPort
       NtSetInformationThread + ThreadHideFromDebugger
       NtSetContextThread to delete hardware breakpoints






Anti-instrumentation framework



      Detect hooks on KiUserExceptionDispatcher and
      KiUserCallbackDispatcher
      Detect stack reuse by instrumentation code: place a constant
      at esp-4, execute a sysenter, check whether esp-4 has been changed






Anti data-tainting
   After execution of each part of the algorithm, the result is copied using
   an indirect dependence: the byte written comes from a comparison against
   the source, never from the source value itself, so byte-level taint
   does not propagate to the copy.

   typedef unsigned char BYTE;
   typedef int BOOL;
   #define FALSE 0
   #define TRUE  1

   void AntiTaintMemcpy(const BYTE *source, BYTE *dest, int size)
   {
       for (int t = 0; t < size; ++t) {
           BYTE val = 0;
           do {
               /* Compare the source byte against every candidate value... */
               BOOL isDiff = FALSE;
               if (source[t] != val)
                   isDiff = TRUE;
               if (!isDiff)
                   dest[t] = val;   /* ...and store the candidate, never source[t] itself */
               ++val;
           } while (val != 0);      /* BYTE wraps after 255: all 256 values are tried */
       }
   }



So how to solve it?


       API init   Set a memory breakpoint on the ntdll PE
       Anti-Dbg   Don't use a debugger: inject a DLL and use a
                  VectoredExceptionHandler to set hardware breakpoints
       Anti-HBP   Replace the ZwSetThreadContext syscall number by a
                  harmless or invalid one
       ReadFile   Use a kernel debugger, or replace the syscall numbers by
                  a GDI one which will call KiUserCallbackDispatcher
    Obfuscation   Step through the code :)




How to find a valid serial



       Bruteforce (JB Bédrune)
       Use the RC4 internal table created with the published key
       (Kyriakos Economou and Mark Wodrich)
       Generate a valid keystream, use a backward algorithm to find
       an internal table which generates this keystream, then find a key
       which generates this table (me :) )






Some ideas for the next year ;)


       Recode the whole crackme generation in C
       Use XED (by Intel) to disassemble and reassemble instructions
       Multi-threading
       Virtualisation
       More mutation rules, more complex instructions (FPU, MMX,
       SSE, etc.)
       More anti-X





Thanks




                  Thank you !






Questions ?




                        Questions ?




 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
 

HES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme

  • 1. Hackito Ergo Sum Crackme. Éloi Vanderbéken, eloi.vanderbeken (at) ens-cachan.fr, 09 April 2011. Hackito Ergo Sum 2011
  • 2. Plan: 1 Introduction; 2 Verification algorithm; 3 Obfuscation (Instruction mutation; Control Flow Graph (CFG) obfuscation); 4 Encryption layers; 5 Direct native API call; 6 Anti-X; 7 How to break it; 8 Possible evolutions
  • 3. About me: last year of master's degree in cryptology and software security at École Normale Supérieure of Cachan; reversing software protection for 6 years; participate in several Capture The Flags in my spare time
  • 5. Some facts and numbers: first crackme; 2 months; 6000 lines of Python; uses TTASM and BeaEngine; randomly generated; only 3 valid solutions
  • 7. Algorithm
    - custom RC4 (initial table changed, starts with "HESFTW")
    - the serial is used as a 256-byte key
    - generate the first 7 DWORDs
    - combine them with 0xDEADBEEF to generate a DWORD
    - use it as a constant to calculate the length of the last layers
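The verification algorithm above, as an added example that is not the crackme's own code: an RC4 whose initial permutation starts with the bytes of "HESFTW", keyed with the serial, whose first 7 keystream DWORDs are folded with 0xDEADBEEF into the layer-length constant. The layout of the table after the prefix, the zero padding of the serial, the DWORD endianness and XOR as the folding operation are all assumptions (the slides do not give them); `initial_table`, `serial_to_key` and `layer_constant` are hypothetical names.

```python
import struct

MAGIC = 0xDEADBEEF
PREFIX = b"HESFTW"          # the slide says the initial table starts with this

def initial_table(prefix: bytes = PREFIX) -> list:
    # Assumption: the prefix bytes come first and the remaining byte values
    # follow in ascending order, so the table is still a permutation of 0..255.
    table = list(prefix)
    table += [v for v in range(256) if v not in table]
    return table

def ksa(key: bytes, table: list = None) -> list:
    # Standard RC4 key scheduling, seeded with the custom table instead of
    # the identity permutation (pass list(range(256)) for plain RC4).
    s = list(table) if table is not None else initial_table()
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def prga(s: list, n: int) -> bytes:
    # Standard RC4 output generation: n keystream bytes from state s.
    s = list(s)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def serial_to_key(serial: bytes) -> bytes:
    # The serial is used as a 256-byte key. Assumption: zero-padded and
    # truncated to exactly 256 bytes.
    return serial.ljust(256, b"\x00")[:256]

def layer_constant(serial: bytes) -> int:
    # Generate the first 7 DWORDs of keystream and fold them with 0xDEADBEEF.
    # Assumptions: little-endian DWORDs and XOR as the combining operation.
    dwords = struct.unpack("<7I", prga(ksa(serial_to_key(serial)), 28))
    constant = MAGIC
    for d in dwords:
        constant ^= d
    return constant

if __name__ == "__main__":
    # constructed serial, not one of the three valid solutions
    print(hex(layer_constant(b"constructed-serial")))
```

With the identity table `ksa`/`prga` reduce to textbook RC4, which is how the custom variant can be checked against a known test vector before trusting it on the crackme's table.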
  • 10. Instruction mutation
    - make a static analysis to get freely modifiable registers
    - use them to mutate instructions
    - main rule: if your code uses an instruction, it has to be used everywhere ⇒ no difference between the useful code and the garbage one
  • 12. Control Flow Graph (CFG) obfuscation
    Before instruction mutation:
    - duplicate some pieces of code
    - add a fake or non-deterministic test to choose which block will be executed
    After:
    - make a static analysis to know which flags are set/unset for each instruction
    - add conditional jumps which are never/always taken according to the flags
    - shuffle blocks
  • 13. Figure: (incomplete) CFG of a layer made by IDA
  • 15. Layers: how to make a layer the most annoying possible?
    - hide the end address of the encryption layer
    - hide the size of the encrypted code
  • 16. Layers (continued)
    - use a Linear Feedback Shift Register (LFSR) to encrypt n times both the end address and a dword counter
    - at execution, decrypt them once at each loop iteration
    - when the dword counter has been decrypted, jump to the decrypted address
    - use an indirect jump to avoid breakpoints:
        cmp counter, CST
        setz cl
        jmp [ecx + addresses]
    - bonus: since the LFSR has the biggest possible period, you can add as many fake comparisons as you want
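The layer loop of slides 15 and 16, as an added example that is not the crackme's own code: the generator runs the end address and a counter through a 32-bit LFSR n times, the loop steps both back once per iteration and only leaves through a two-entry jump table once the counter equals CST, so neither the end address nor the number of iterations (the layer's size) is visible beforehand. The polynomial, the constant `CST` and the function names are assumptions; the last function is the check a generator would make before adding one of the "bonus" fake comparisons.

```python
MASK = 0x80200003  # Galois-form taps of x^32 + x^22 + x^2 + x + 1 (maximal period)
M32 = 0xFFFFFFFF
CST = 0x48455321   # constructed: the value the counter must reach to leave the loop

def lfsr_step(s: int) -> int:
    # One right-shift Galois LFSR step; the generator uses it to "encrypt".
    lsb = s & 1
    s >>= 1
    return s ^ MASK if lsb else s

def lfsr_unstep(s: int) -> int:
    # Exact inverse of lfsr_step: the top bit records whether MASK was applied,
    # so the loop can "decrypt" one step per iteration.
    if s & 0x80000000:
        return (((s ^ MASK) << 1) | 1) & M32
    return (s << 1) & M32

def build_layer(end_addr: int, n: int) -> tuple:
    # Generator side: hide the end address and the iteration count by running
    # both values through the LFSR n times (n is the hidden size of the layer).
    addr, counter = end_addr, CST
    for _ in range(n):
        addr, counter = lfsr_step(addr), lfsr_step(counter)
    return addr, counter

def run_layer(enc_addr: int, enc_counter: int) -> tuple:
    # Runtime side: decrypt both values once per iteration and leave through a
    # two-entry jump table indexed by the comparison result, mirroring
    # cmp counter, CST / setz cl / jmp [ecx + addresses].
    addr, counter, iterations = enc_addr, enc_counter, 0
    while True:
        addr, counter = lfsr_unstep(addr), lfsr_unstep(counter)
        iterations += 1
        cl = int(counter == CST)          # setz cl
        targets = (None, addr)            # [ecx + addresses]: 0 loops, 1 exits
        if targets[cl] is not None:
            return iterations, targets[cl]

def fake_constant_is_safe(enc_counter: int, n: int, fake: int) -> bool:
    # Generator-side check behind the slide's "bonus": a fake comparison against
    # `fake` is harmless only if the counter never equals it before reaching
    # CST; with a maximal-period LFSR the n states visited are all distinct.
    counter = enc_counter
    for _ in range(n):
        counter = lfsr_unstep(counter)
        if counter == fake:
            return False
    return True

if __name__ == "__main__":
    enc_addr, enc_counter = build_layer(0x00401000, 37)   # constructed values
    print(run_layer(enc_addr, enc_counter))                # (37, 4198400)
```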
  • 18. Direct native API call
    - get syscall numbers at initialisation
    - use sysenter (does not work on 64-bit systems)
    - make random invalid or non-invasive (ZwYieldExecution) syscalls to prevent conditional breakpoints on KiFastSystemCallRet
  • 20. Classical anti-debugger tricks: well-known anti-debugger tricks made difficult to bypass because of the direct use of sysenter:
    - NtQueryInformationProcess + ProcessDebugPort
    - NtSetInformationThread + ThreadHideFromDebugger
    - NtSetContextThread to delete hardware breakpoints
  • 21. Anti-instrumentation framework
    - detect hooks on KiUserExceptionDispatcher and KiUserCallbackDispatcher
    - detect stack reuse by instrumentation code: place a constant at esp-4, execute a sysenter, check whether esp-4 has been changed
  • 22. Anti data-tainting: after execution of each part of the algorithm, the result is copied using an indirect dependence
        #include <windows.h>   /* BYTE, BOOL, TRUE, FALSE */

        /* Copies source to dest with no direct data flow between them:
           dest[t] receives the loop counter val, which equals source[t] only
           because a comparison (a control dependence) selected it, so a
           byte-level taint on source does not propagate to dest. */
        void AntiTaintMemcpy(BYTE *source, BYTE *dest, int size)
        {
            for (int t = 0; t < size; ++t) {
                BYTE val = 0;
                do {
                    BOOL isDiff = FALSE;
                    if (source[t] != val)
                        isDiff = TRUE;
                    if (!isDiff)
                        dest[t] = val;
                    ++val;          /* wraps to 0 after 255, ending the loop */
                } while (val != 0);
            }
        }
  • 24. So how to solve it?
    - API init: set a memory breakpoint on the ntdll PE
    - Anti-Dbg: don't use a debugger, inject a DLL and use a VectoredExceptionHandler to set HBP
    - Anti-HBP: replace the ZwSetThreadContext syscall number by a harmless or invalid one
    - ReadFile: use a kernel debugger or replace syscall numbers by a GDI one which will call KiUserCallbackDispatcher
    - Obfuscation: step the code :)
  • 25. How to find a valid serial
    - bruteforce (JB Bédrune)
    - use of the RC4 internal table created with the published key (Kyriakos Economou and Mark Wodrich)
    - generate a valid keystream, use a backward algorithm to find an internal table which generates this keystream, find a key which generates this table (me :) )
  • 27. Some ideas for next year ;)
    - recode all the crackme generation in C
    - use XED (by Intel) to disassemble and reassemble instructions
    - multi-thread
    - virtualisation
    - more mutation rules, more complex instructions (FPU, MMX, SSE etc.)
    - more anti-X
  • 28. Thanks: thank you!
  • 29. Questions?