Hackito Ergo Sum Crackme

Éloi Vanderbéken
eloi.vanderbeken (at) ens-cachan.fr

Hackito Ergo Sum 2011, 09 April 2011
Plan
   1 Introduction
   2 Verification algorithm
   3 Obfuscation
       Instruction mutation
       Control Flow Graph (CFG) obfuscation
   4 Encryption layers
   5 Direct native API call
   6 Anti-X
   7 How to break it
   8 Possible evolutions
About me



     Last year of a master's degree in cryptology and software security at
     École Normale Supérieure de Cachan
     Reversing software protections for 6 years
     Participate in several Capture The Flag competitions in my spare time
Some facts and numbers


      First crackme
      2 months of work
      6000 lines of Python
      Uses TTASM and BeaEngine
      Randomly generated
      Only 3 valid solutions
Algorithm



      Custom RC4 (initial table changed: it starts with "HESFTW")
      The serial is used as a 256-byte key
      Generate the first 7 DWORDs of keystream
      Combine them with 0xDEADBEEF to obtain a single DWORD
      Use that DWORD as the constant that determines the length of the last layers
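The verification path above, as an added example that is not the crackme's own code: RC4 with an initial permutation that starts with the bytes of "HESFTW", keyed with a 256-byte serial, producing 7 keystream DWORDs that are folded with 0xDEADBEEF. The slides do not say how the rest of the initial table is laid out, how the DWORDs are combined, or how the resulting constant maps to a layer length, so the table layout (prefix, then the remaining byte values in ascending order) and the XOR fold are assumptions made here; the demo serial is constructed and is not one of the valid solutions.

```python
# Added example (not the crackme's code). Assumptions: the custom S-box is
# "HESFTW" followed by the remaining byte values in ascending order, and the
# 7 keystream DWORDs are XOR-folded with 0xDEADBEEF.
import struct

HES_PREFIX = b"HESFTW"


def custom_initial_table(prefix=HES_PREFIX):
    """Initial S-box: the prefix first, then every other byte value in order.

    Still a permutation of 0..255, which RC4's key schedule requires."""
    if len(set(prefix)) != len(prefix):
        raise ValueError("prefix bytes must be distinct")
    return list(prefix) + [b for b in range(256) if b not in prefix]


def rc4_ksa(key, table=None):
    """Key-scheduling algorithm; `table` replaces the identity permutation."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(table) if table is not None else list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(s, length):
    """PRGA: emit `length` keystream bytes from a scheduled S-box (input left intact)."""
    s = list(s)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def combine_dwords(dwords, seed=0xDEADBEEF):
    """Fold the DWORDs with the seed into one 32-bit value (XOR fold: assumption)."""
    acc = seed
    for d in dwords:
        acc ^= d & 0xFFFFFFFF
    return acc


def layer_length_constant(serial):
    """serial -> custom RC4 -> first 7 keystream DWORDs -> one DWORD constant."""
    if len(serial) != 256:
        raise ValueError("the serial is used as a 256-byte key")
    s = rc4_ksa(serial, custom_initial_table())
    keystream = rc4_keystream(s, 7 * 4)
    return combine_dwords(struct.unpack("<7I", keystream))


if __name__ == "__main__":
    # constructed demo serial, not a real solution of the crackme
    demo_serial = bytes((i * 7 + 3) & 0xFF for i in range(256))
    print(f"{layer_length_constant(demo_serial):#010x}")
```

With `table=None` the code is plain RC4, which is how the implementation is checked against a known RC4 vector before the modified table is swapped in; changing the initial table changes every keystream, which is exactly why the serial has to be recovered through the table rather than through a standard RC4 implementation.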
Instruction mutation



      Run a static analysis to find the registers that are free (dead) at each point
      Use them to mutate instructions
      Main rule: if your code uses an instruction, it has to be used
      everywhere ⇒ no difference between the useful code and the
      garbage
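The two steps above (find dead registers, spend them on a mutation), as an added example that is not code from the crackme generator: a backward liveness pass over one basic block, then a single flag-neutral rule that rewrites `mov REG, imm` into `mov TMP, k` followed by `lea REG, [TMP + (imm - k)]` using a register that is dead at that point. The textual instruction subset, the rule itself and the live-out set are assumptions for this illustration; the real generator worked on TTASM/BeaEngine output with many more rules.

```python
# Added example (not the generator's code). Assumptions: a six-register,
# five-mnemonic textual subset of x86, one mutation rule, live-out = {eax}.
import random
import re

REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi")
MASK32 = 0xFFFFFFFF
MEM_RE = re.compile(r"\[(\w+) \+ (0x[0-9a-f]+)\]")


def parse(line):
    mnem, _, rest = line.strip().partition(" ")
    return mnem, tuple(o.strip() for o in rest.split(",")) if rest else ()


def regs_in(op):
    """Registers read by an operand: a bare register or a [reg + disp] address."""
    if op in REGS:
        return {op}
    m = MEM_RE.fullmatch(op)
    return {m.group(1)} if m else set()


def defs_uses(line):
    mnem, ops = parse(line)
    if mnem in ("mov", "lea"):
        return {ops[0]}, regs_in(ops[1])
    if mnem in ("add", "sub", "xor"):
        return {ops[0]}, {ops[0]} | regs_in(ops[1])
    raise ValueError(f"unsupported instruction: {line}")


def free_registers(block, live_out):
    """free[i] = registers dead both before and after block[i]."""
    live, free = set(live_out), [None] * len(block)
    for i in range(len(block) - 1, -1, -1):
        d, u = defs_uses(block[i])
        live_in = (live - d) | u
        free[i] = set(REGS) - live_in - d   # not live before, not written here
        live = live_in
    return free


def mutate_mov_imm(block, live_out, rng):
    """Rewrite every `mov REG, 0x...` that has a scratch register available.

    `lea` does not touch the flags, so the rewrite is also flag-neutral."""
    out = []
    for line, scratch in zip(block, free_registers(block, live_out)):
        mnem, ops = parse(line)
        if mnem == "mov" and ops[1].startswith("0x") and scratch:
            imm, k = int(ops[1], 16), rng.getrandbits(32)
            tmp = rng.choice(sorted(scratch))
            out.append(f"mov {tmp}, {k:#010x}")
            out.append(f"lea {ops[0]}, [{tmp} + {(imm - k) & MASK32:#010x}]")
        else:
            out.append(line)
    return out


def execute(block, regs):
    """Tiny interpreter for the subset above; registers wrap at 32 bits."""
    regs = dict(regs)

    def val(op):
        if op in REGS:
            return regs[op]
        m = MEM_RE.fullmatch(op)
        if m:
            return (regs[m.group(1)] + int(m.group(2), 16)) & MASK32
        return int(op, 16) & MASK32

    for line in block:
        mnem, ops = parse(line)
        dst, src = ops[0], val(ops[1])
        if mnem in ("mov", "lea"):
            regs[dst] = src
        elif mnem == "add":
            regs[dst] = (regs[dst] + src) & MASK32
        elif mnem == "sub":
            regs[dst] = (regs[dst] - src) & MASK32
        elif mnem == "xor":
            regs[dst] ^= src
    return regs


def same_result(block, mutated, live_out, regs):
    """The mutation is correct iff every live-out register ends with the same value."""
    a, b = execute(block, regs), execute(mutated, regs)
    return all(a[r] == b[r] for r in live_out)


BLOCK = [                 # constructed input block
    "mov eax, 0x1337",
    "mov ebx, ecx",
    "add eax, ebx",
    "mov edx, 0xdeadbeef",
    "xor eax, edx",
]
LIVE_OUT = {"eax"}        # assumption: only eax is needed after the block


def mutate_demo(seed=1):
    return mutate_mov_imm(BLOCK, LIVE_OUT, random.Random(seed))


if __name__ == "__main__":
    print("\n".join(mutate_demo()))
```

The interpreter exists only to check the rule: a mutation that is not validated against the original on the live-out registers is the kind that silently corrupts a layer, and the rule is only safe because a register that is dead before the instruction and not written by it is also dead after it.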
Control Flow Graph (CFG) obfuscation

   Before instruction mutation:
        Duplicate some pieces of code
        Add a fake or non-deterministic test to choose which copy will
        be executed
   After:
        Run a static analysis to know which flags are set/unset after
        each instruction
        Add conditional jumps that are never/always taken according
        to those flags
        Shuffle the blocks
Figure: (incomplete) CFG of a layer made by IDA
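The "after" half of the CFG obfuscation above, as an added example that is not the generator's code: a forward pass records which of ZF/CF/OF/SF are statically known after each instruction of a straight-line block, then conditional jumps that are provably always or never taken are inserted. The instruction subset, its flag rules and the label names are assumptions; always-taken jumps target a label placed on the real continuation (which also splits the block for a disassembler), never-taken ones target a junk label that can point at garbage bytes.

```python
# Added example (not the generator's code). Assumptions: a small x86 subset
# with the flag rules below, labels written as "name:", opaque jumps decided
# by one flag each.
import random

FLAGS = ("ZF", "CF", "OF", "SF")
UNKNOWN = {f: None for f in FLAGS}
PRESERVE = {"mov", "lea", "push", "pop", "jmp", "nop", "xchg"}

# jcc decided by a single flag: mnemonic -> (flag, value that makes it taken)
JCC = {"jz": ("ZF", 1), "jnz": ("ZF", 0), "jc": ("CF", 1), "jnc": ("CF", 0),
       "jo": ("OF", 1), "jno": ("OF", 0), "js": ("SF", 1), "jns": ("SF", 0)}


def parse(line):
    mnem, _, rest = line.strip().partition(" ")
    return mnem, [o.strip() for o in rest.split(",")] if rest else []


def flags_after(line, before):
    """Static flag state after `line`, given the state before it (None = unknown)."""
    mnem, ops = parse(line)
    st = dict(before)
    if mnem.endswith(":") or mnem in PRESERVE or mnem in JCC:
        return st
    if mnem in ("xor", "sub", "cmp") and len(ops) == 2 and ops[0] == ops[1]:
        return {"ZF": 1, "CF": 0, "OF": 0, "SF": 0}   # result is always zero
    if mnem in ("xor", "and", "or", "test"):
        return {"ZF": None, "CF": 0, "OF": 0, "SF": None}
    if mnem in ("inc", "dec"):
        return {"ZF": None, "CF": st["CF"], "OF": None, "SF": None}
    if mnem == "stc":
        return {**st, "CF": 1}
    if mnem == "clc":
        return {**st, "CF": 0}
    return dict(UNKNOWN)   # add, sub, cmp, mul, call, ... : assume nothing


def analyse(block, initial=UNKNOWN):
    """states[i] = flags known after block[i]."""
    states, st = [], dict(initial)
    for line in block:
        st = flags_after(line, st)
        states.append(st)
    return states


def insert_opaque_jumps(block, rng, initial=UNKNOWN):
    """Return (new_block, jumps); each jump is (index_in_new_block, taken)."""
    out, jumps = [], []
    for n, (line, st) in enumerate(zip(block, analyse(block, initial))):
        out.append(line)
        candidates = [(m, st[f] == v) for m, (f, v) in JCC.items() if st[f] is not None]
        if not candidates:
            continue
        mnem, taken = rng.choice(candidates)
        if taken:
            out.append(f"{mnem} cont_{n}")   # always taken: real continuation
            jumps.append((len(out) - 1, True))
            out.append(f"cont_{n}:")
        else:
            out.append(f"{mnem} junk_{n}")   # never taken: junk_N may be garbage
            jumps.append((len(out) - 1, False))
    return out, jumps


def jump_is_opaque(line, state):
    """True/False if the jcc is decided by the known flags, None otherwise."""
    mnem, _ = parse(line)
    flag, val = JCC[mnem]
    return None if state[flag] is None else state[flag] == val


BLOCK = [             # constructed input
    "xor eax, eax",   # ZF=1 CF=0 OF=0 SF=0
    "mov ecx, 0x10",  # flags preserved
    "add eax, ecx",   # nothing known
    "test ecx, ecx",  # CF=0 OF=0, ZF/SF depend on ecx
    "stc",            # CF=1
    "mov edx, eax",
]


def obfuscate_demo(seed=1):
    return insert_opaque_jumps(BLOCK, random.Random(seed))


if __name__ == "__main__":
    new_block, jumps = obfuscate_demo()
    print("\n".join(new_block))
```

Re-running `analyse` on the obfuscated block and checking every inserted jump with `jump_is_opaque` is the self-check a generator needs: a jump inserted on a flag that the analysis got wrong is a real branch, and the shuffled layout would then execute garbage.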
Layers




   How to make a layer as annoying as possible?
         Hide the end address of the encryption layer
         Hide the size of the encrypted code
Layers (continued)

      Use a Linear Feedback Shift Register (LFSR) to encrypt both the end
      address and a DWORD counter n times
      At execution, decrypt them one step further at each loop iteration
      When the DWORD counter has been fully decrypted (it equals the
      constant), jump to the decrypted address
      Use an indirect jump to avoid breakpoints:
          cmp counter, CST
          setz cl
          jmp [ecx + addresses]
      Bonus: since the LFSR has the largest possible period, you can add
      as many fake comparisons as you want
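The layer construction described above, as an added example that is not the crackme's own layer code: a 32-bit Galois LFSR drives both the end-of-layer address and a DWORD counter. At build time both are stepped backwards once per encrypted DWORD; at run time each loop iteration decrypts one DWORD and steps both forwards once, so the end address is only readable on the iteration where the counter equals CST, and the loop itself carries no explicit length. The exit is an indirect jump through a two-entry table indexed by the comparison result, mirroring `cmp counter, CST / setz cl / jmp [ecx + addresses]`. The feedback polynomial and the use of the counter as per-DWORD XOR key are assumptions; the slides give neither.

```python
# Added example (not the crackme's code). Assumptions: Galois LFSR with
# taps 0x80200003, counter value XORed into each DWORD, addresses table
# indexed by the setz result.
import struct

MASK32 = 0xFFFFFFFF
TAPS = 0x80200003          # x^32 + x^22 + x^2 + x + 1: maximal period 2**32 - 1
LOOP = "decrypt_loop"      # addresses[0]: keep looping; addresses[1]: decrypted end address


def lfsr_step(s):
    """One Galois LFSR step on a 32-bit state."""
    lsb = s & 1
    s >>= 1
    if lsb:
        s ^= TAPS
    return s


def lfsr_unstep(s):
    """Exact inverse: bit 31 of a stepped state is the bit that was shifted out."""
    lsb = s >> 31
    if lsb:
        s ^= TAPS
    return ((s << 1) | lsb) & MASK32


def build_layer(code, end_address, cst):
    """Encrypt `code` and hide end_address / counter behind len(code)//4 LFSR steps.

    Returns (encrypted_code, hidden_end_address, initial_counter)."""
    if not code or len(code) % 4:
        raise ValueError("code length must be a non-zero multiple of 4")
    if cst == 0:
        raise ValueError("0 is the LFSR's fixed point; CST must be non-zero")
    n = len(code) // 4
    addr, counter = end_address, cst
    for _ in range(n):                     # walk backwards n times
        addr, counter = lfsr_unstep(addr), lfsr_unstep(counter)
    init_counter = counter
    enc = bytearray()
    for (dword,) in struct.iter_unpack("<I", code):
        enc += struct.pack("<I", dword ^ counter)   # key = counter at decrypt time
        counter = lfsr_step(counter)
    assert counter == cst, "n forward steps must land exactly on CST"
    return bytes(enc), addr, init_counter


def run_layer(enc_code, hidden_address, counter, cst):
    """Simulate the decryption loop; returns (plaintext, jump_target, iterations).

    Comparing the counter against any constant other than CST is a fake test:
    a maximal-period LFSR visits each non-zero state once per 2**32 - 1 steps,
    so such a comparison never fires within the layer."""
    code = bytearray(enc_code)
    addr = hidden_address
    i = 0
    while True:
        if 4 * (i + 1) > len(code):
            raise RuntimeError("counter never reached CST: wrong key or CST")
        (dword,) = struct.unpack_from("<I", code, 4 * i)
        struct.pack_into("<I", code, 4 * i, dword ^ counter)
        counter, addr = lfsr_step(counter), lfsr_step(addr)
        i += 1
        cl = int(counter == cst)           # cmp counter, CST ; setz cl
        target = (LOOP, addr)[cl]          # jmp [ecx + addresses]
        if target != LOOP:
            return bytes(code), target, i


if __name__ == "__main__":
    plain = bytes(range(40))               # constructed 10-DWORD "code" body
    enc, hidden, ctr = build_layer(plain, 0x00401000, 0x600DCAFE)
    dec, target, iters = run_layer(enc, hidden, ctr, 0x600DCAFE)
    print(f"decrypted {iters} DWORDs, jump to {target:#010x}, ok={dec == plain}")
```

Nothing in the loop body names the size of the encrypted region or the address it will jump to, which is what defeats a static "find the end of the loop and break there" approach; the analyst either steps the loop or reimplements the LFSR and runs it forward from the initial counter, as `run_layer` does.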
Direct native API call



       Get the syscall numbers at initialisation
       Use sysenter directly (does not work on 64-bit systems)
       Make random invalid or non-invasive (ZwYieldExecution) syscalls
       to defeat conditional breakpoints on KiFastSystemCallRet
Classical anti-debuggers tricks



   Well-known anti-debugger tricks, made hard to bypass by the direct
   use of sysenter:
       NtQueryInformationProcess + ProcessDebugPort
       NtSetInformationThread + ThreadHideFromDebugger
       NtSetContextThread to clear hardware breakpoints
Anti-instrumentation framework



      Detect hooks on KiUserExceptionDispatcher and
      KiUserCallbackDispatcher
      Detect stack reuse by instrumentation code: store a constant at
      [esp-4], execute a sysenter, check whether [esp-4] has changed
Anti data-tainting
   After each part of the algorithm has executed, its result is copied
   through an indirect dependency: the destination byte is only ever
   written from the loop counter, and the source byte only influences the
   comparison, so byte-level taint tracking loses the data flow.

   #include <windows.h>

   void AntiTaintMemcpy(const BYTE *source, BYTE *dest, int size)
   {
       for (int t = 0; t < size; ++t) {
           BYTE val = 0;
           do {
               BOOL isDiff = FALSE;
               if (source[t] != val)      /* source only reaches a flag... */
                   isDiff = TRUE;
               if (!isDiff)
                   dest[t] = val;         /* ...dest is written from val only */
               ++val;
           } while (val != 0);            /* 256 iterations per byte */
       }
   }
So how to solve it?


      API init: set a memory breakpoint on the ntdll PE image (the syscall
               numbers are fetched from it at initialisation)
      Anti-Dbg: don't use a debugger; inject a DLL and use a
               VectoredExceptionHandler to set hardware breakpoints
      Anti-HBP: replace the ZwSetThreadContext syscall number with a
               harmless or invalid one
      ReadFile: use a kernel debugger, or replace the syscall number with a
               GDI one, which calls back into user mode through
               KiUserCallbackDispatcher
      Obfuscation: step through the code :)
How to find a valid serial



       Brute force (JB Bédrune)
       Use the RC4 internal table created with the published key
       (Kyriakos Economou and Mark Wodrich)
       Generate a valid keystream, run the algorithm backwards to find an
       internal table that generates this keystream, then find a key that
       generates this table (me :) )
Some ideas for the next year ;)


       Recode the whole crackme generation in C
       Use XED (by Intel) to disassemble and reassemble instructions
       Multi-threading
       Virtualisation
       More mutation rules, more complex instructions (FPU, MMX,
       SSE etc.)
       More anti-X

Thanks

Thank you! Questions?
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 

HES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme

  • 1. Hackito Ergo Sum Crackme. Éloi Vanderbeken, eloi.vanderbeken (at) ens-cachan.fr, 09 April 2011. Éloi Vanderbeken, Hackito Ergo Sum 2011
  • 2. Plan: 1 Introduction; 2 Verification algorithm; 3 Obfuscation (Instruction mutation; Control Flow Graph (CFG) obfuscation); 4 Encryption layers; 5 Direct native API call; 6 Anti-X; 7 How to break it; 8 Possible evolutions
  • 3. About me: Last year of master's degree in cryptology and software security at École Normale Supérieure of Cachan. Reversing software protection for 6 years. Participate in several Capture The Flags in my spare time.
  • 4. Plan (section: Introduction)
  • 5. Some facts and numbers: First crackme. 2 months. 6000 lines of Python. Uses TTASM and BeaEngine. Randomly generated. Only 3 valid solutions.
  • 6. Plan (section: Verification algorithm)
  • 7. Algorithm: Custom RC4 (initial table changed, starts with "HESFTW"). The serial is used as a 256-byte key. Generate the first 7 DWORDs. Combine them with 0xDEADBEEF to generate a DWORD. Use it as a constant to calculate the length of the last layers.
  • 8. Plan (section: Obfuscation)
  • 9. Plan (subsection: Instruction mutation)
  • 10. Instruction mutation: Make a static analysis to get freely modifiable registers. Use them to mutate instructions. Main rule: if your code uses an instruction, it has to be used everywhere ⇒ no difference between the useful code and the garbage code.
  • 11. Plan (subsection: Control Flow Graph (CFG) obfuscation)
  • 12. Control Flow Graph (CFG) obfuscation. Before instruction mutation: duplicate some pieces of code; add a fake or non-deterministic test to choose which block will be executed. After: make a static analysis to know which flags are set/unset after each instruction; add conditional jumps which are never/always taken according to the flags; shuffle blocks.
  • 13. Figure: (incomplete) CFG of a layer made by IDA
  • 14. Plan (section: Encryption layers)
  • 15. Layers: How to make a layer as annoying as possible? Hide the end address of the encryption layer. Hide the size of the encrypted code.
  • 16. Layers (continued): Use a Linear Feedback Shift Register (LFSR) to encrypt n times both the end address and a dword counter. At execution, decrypt them once at each loop iteration. When the dword counter has been decrypted, jump to the decrypted address. Use an indirect jump to avoid breakpoints:
        cmp counter, CST
        setz cl
        jmp [ecx + addresses]
    Bonus: the LFSR having the biggest possible period, you can add as many fake comparisons as you want.
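As an added example that is not the crackme's own code, the following Python models the slide 16 loop terminator: the generator runs CST and the end address backwards through the LFSR once per code byte, and the runtime loop steps them forward once per iteration, so neither the layer size nor the end address is stored anywhere in the layer. The 32-bit LFSR polynomial, the value of CST, the fake_constant helper and the byte cipher (XOR with the low byte of the LFSR state) are assumptions; the slide fixes none of them.

```python
# Added example (not the crackme's own code): a Python model of the slide 16 loop.
# Assumptions: 32-bit Fibonacci LFSR with taps 32,22,2,1 (a maximal-length
# configuration), CST as the constant the loop compares against, and a byte
# cipher that XORs each code byte with the low byte of the current counter state.
MASK = 0xFFFFFFFF
CST = 0x48455346  # constructed constant ("HESF" as a dword); must be non-zero


def lfsr_step(s):
    """One LFSR step: shift left, feed back the XOR of bits 31, 21, 1 and 0."""
    bit = ((s >> 31) ^ (s >> 21) ^ (s >> 1) ^ s) & 1
    return ((s << 1) | bit) & MASK


def lfsr_unstep(s):
    """Inverse step: shift right and rebuild the bit that was shifted out."""
    top = (s ^ (s >> 22) ^ (s >> 2) ^ (s >> 1)) & 1
    return (s >> 1) | (top << 31)


def build_layer(code, end_addr):
    """Generator side: the counter and the end address are run backwards
    n = len(code) steps, so only the *encrypted* values appear in the layer."""
    counter, addr = CST, end_addr & MASK
    for _ in range(len(code)):
        counter, addr = lfsr_unstep(counter), lfsr_unstep(addr)
    enc_counter, enc_addr = counter, addr
    encrypted, s = bytearray(), enc_counter
    for b in code:                 # byte i is masked with the state of iteration i
        encrypted.append(b ^ (s & 0xFF))
        s = lfsr_step(s)
    return enc_counter, enc_addr, bytes(encrypted)


def run_layer(enc_counter, enc_addr, encrypted, fake_cst):
    """Runtime side: decrypt one byte and step both values once per iteration.
    The loop ends only when the counter reaches CST (cmp counter, CST / setz cl /
    jmp [ecx + addresses] on the slide), so n is never visible.  fake_cst models
    one of the slide's fake comparisons: a state outside the n-step window is
    never reached because the LFSR period (2^32 - 1) is far larger than a layer."""
    counter, addr, i = enc_counter, enc_addr, 0
    decrypted, fake_taken = bytearray(), False
    while counter != CST:
        decrypted.append(encrypted[i] ^ (counter & 0xFF))
        counter, addr, i = lfsr_step(counter), lfsr_step(addr), i + 1
        if counter == fake_cst:    # never true for a state outside the window
            fake_taken = True
    return addr, bytes(decrypted), fake_taken


def fake_constant(enc_counter):
    """A safe fake comparison value: the state just before the layer's window."""
    return lfsr_unstep(enc_counter)


if __name__ == "__main__":
    body = b"constructed layer body"          # constructed sample code bytes
    ec, ea, enc = build_layer(body, 0x00401234)
    print(run_layer(ec, ea, enc, fake_constant(ec)))
```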
  • 17. Plan (section: Direct native API call)
  • 18. Direct native API call: Get syscall numbers at initialisation. Use sysenter (does not work on 64-bit systems). Make random invalid or non-invasive (ZwYieldExecution) syscalls to prevent conditional breakpoints on KiFastSystemCallRet.
  • 19. Plan (section: Anti-X)
  • 20. Classical anti-debugger tricks: Well-known anti-debugger tricks made difficult to bypass because of the direct use of sysenter: NtQueryInformationProcess + ProcessDebugPort; NtSetInformationThread + ThreadHideFromDebugger; NtSetContextThread to delete hardware breakpoints.
  • 21. Anti-instrumentation framework: Detect hooks on KiUserExceptionDispatcher and KiUserCallbackDispatcher. Detect stack reuse by instrumentation code: place a constant at esp-4, execute a sysenter, check if esp-4 has been changed.
  • 22. Anti data-tainting: After execution of each part of the algorithm, the result is copied using an indirect dependence, so no destination byte is ever computed from a source byte, only from the outcome of a comparison with it:

        typedef unsigned char BYTE;   /* Windows types, defined here so the slide's code compiles stand-alone */
        typedef int BOOL;
        #define TRUE  1
        #define FALSE 0

        void AntiTaintMemcpy(BYTE *source, BYTE *dest, int size)
        {
            for (int t = 0; t < size; ++t) {
                BYTE val = 0;
                do {                          /* try all 256 candidate values for this byte */
                    BOOL isDiff = FALSE;
                    if (source[t] != val)
                        isDiff = TRUE;
                    if (!isDiff)
                        dest[t] = val;        /* written from the loop variable, not from source[t] */
                    ++val;
                } while (val != 0);           /* BYTE wraps to 0 after 255 */
            }
        }
  • 23. Plan (section: How to break it)
  • 24. So how to solve it? API init: set a memory breakpoint on the ntdll PE. Anti-Dbg: don't use a debugger, inject a DLL and use a VectoredExceptionHandler to set HBPs. Anti-HBP: replace the ZwSetThreadContext syscall number by a harmless or invalid one. ReadFile: use a kernel debugger or replace the syscall number by a GDI one which will call KiUserCallbackDispatcher. Obfuscation: step the code :)
  • 25. How to find a valid serial: Bruteforce (JB Bédrune). Use of the RC4 internal table created with the key published (Kyriakos Economou and Mark Wodrich). Generate a valid keystream, use a backward algorithm to find an internal table which generates this keystream, find a key which generates this table (me :) ).
  • 26. Plan (section: Possible evolutions)
  • 27. Some ideas for next year ;) Recode all the crackme generation in C. Use XED (by Intel) to disassemble and reassemble instructions. Multi-thread. Virtualisation. More mutation rules, more complex instructions (FPU, MMX, SSE etc.). More anti-X.
  • 28. Thanks: Thank you!
  • 29. Questions?