Hacking Livestream #33: Executable Packer

Captions
[Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Applause] [Music] [Applause] [Music] [Music] those hazy days [Music] next see watching season [Music] didn't keep us [Music] [Applause] [Music] [Applause] [Music] [Applause] [Music] hello hello and good evening does this thing work yes it seems to work at least I think I can hear myself so welcome everyone and today we are going to start on time and today I'm not going to do any news or any shoutouts Michelle tells actually moved to well verb very nice rotating bar feed bar and the idea is basically to save some time one thing I would note is that there is no mission today I burr my apology spirit actually the agent 156 managed to solve her mission without external help or at least that's the best excuse I've heard for why there is no mission today so I will try to make one for next week actually the reason there is no mission is I was too busy finalizing and very somber game deaf challenge the results are on my blog so if you care about it do check it out there are also some videos on my channel from the games so that's it and now let's move to today's topic today's topic is about making a simple Packer or protector for executable files so basically basically it's like this that's one of the most basic concepts in reverse engineering core actually anti reverse engineering and not only but what is somewhat related to it is trying to wrap the executable in mechanism which makes it unreadable the most basic idea is basically to make to prevent a simple simply well this is some blink executable and the idea is to obfuscate the code in some way as a whole basically not like individual instructions or anything but back taking the code as a whole obfuscating it and were for making it unreadable for this assembler at least parts of the code so and the idea is to make it in a universal way but basically you can use on any application or 
three application-specific so you're not making it inside one application but you're doing a program which can be used to do this for any application which is the mess actually was what's called a packer or a protector and there are quite a lot of Packers and protectors Alvar and I mean a lot when I was working for an antivirus company I guess like 10 years ago 11 years ago something ever I was making static and Packers for for this kind of protectors a static and Packer is basically an application which grabs such a executable file which is protected by a wrapped using such a packer a protector and it tries to somehow like unwrap it and get what was inside the original executable or whatever is closest to the original executable out of fur and put it in a separate file and it's called a static and packer because it doesn't run that executable itself it might do lose some emulation of some parts sometimes it was required and unavoidable but in general it would not run the executable infinitive system so apart from that were also dynamic and Packers which basically just run the application right until it unpacks in memory because you know CPU cannot execute encrypted code so in the end it does have to does have to actually you have to decrypt or decode the code so it's readable for the CPU somewhere in memory and therefore well you can basically grab the code afterward self unpacks after executing executable it's kind of risky right because you don't know what you're executing actually that's why anti-viruses back in the days didn't use dynamic and Packers were used static and Packers and not the dynamic and unpacker basically the most basic one would be like executing like several instructions and placing a memory breakpoint on one of the stack previously to what was executed and been waiting for the stack pointer to endure and all those basically a signal that probably it already unpacked and probably it it's ready to be dumped on third disk and when you to format 
your executable file they were also of course like ways to prevent automatic unpacking or try to prevent and ways to prevent prevention of an automatic unpacking and so on but we are not going to do to go first today I'm also not going to talk about similar ideas were you for example pack pieces of the code like each function separately and then when you want to execute a bank a function you unpack just this function and then and then basically executed and then you repack it at when leaving the function so in memory always have only a call stack warf of functions like 1 to 5 functions which are unpacked and everything else is encrypted in some way obviously the keys need to be very keys need to be in memory or algorithm to the code so it's not really cryptography is just a food station at the end and yeah that's basically so the question is is something like my rob program reverse engineering shown no actually like my Python rare rare and represent a big challenge but where I basically used but for us the guy at Def Con and black hat who made a compiler what changes all our code and to move operations yes but kind of think of who station was actually on to see TFS I did work on one of such challenges and playing with dragon sector we actually both with you did one and a side channel attack on that actually work worked really well and we will manage to solve it surprisingly vanmoof obfuscate removes move move oops ok I have no idea how to pronounce this way is if your interact onyx but like basically a really similar ideas to sometimes what we sometimes do with like we Tom remember River to store some values but Val so we're not going to talk about ever move obfuscate or today we are going to move into well creating a simple Packer for static f5 64-bit because you know it's 2017 so let's not do it for over 32 bit let's focus on 64-bit yeah elf specifications the first thing I'm actually interested in because and this is going to be funny because I somewhat an oval 
format but I don't know it by heart for example I do know a portable executable format by heart but by heart I could base well just out of my memory probably recall all the structures and the names I cannot do it for elf I'm also going to look for and Furcal can be out of 101 because that usually helps a lot I'm a person who likes you know images and graphs and posters for example and I'm Jean Albertini has usually a lot of them so that we find for sure where do you have your binary postures perfect English acute oh yeah here we go mmm it's probably going to be and that's okay but we'll work 32-bit though so well whatever it still shows as basically the basic structure rise over elver it has like an elf header of and verse also program header band there are segments and after the segments there are were also sections I'm going to basically be using such segments to denote sections but we'll get to but in a in a second I guess this is this is all I really need I guess I can give you a link to this yeah and a link to the L format specification also please let me know if you can hear me correctly because I actually tweaked my my microphone setting versus the last time so it should be a little better today I'm not sure if it actually is but well I did some the video recording the river we can tell it worked rather rubber fine though it was a little differently placed because I I currently have my microphone here like exactly next to my finger just of the screen cool I'm also going to be using Python today to do to do the packing because why not hmm so I will create backwards py and the size of a foetus okay today surprisingly so that's one thing we ever-- think I'm actually need basic program I'm going to pack so I'm going to do it for one program usually when you create a Packer you are using you you basically have to test it a lot because it's not a trivial thing to do it's trivial the concept it's trivial but it's all boils down to the edge cases and I would like 
not to handle edge cases today so I'm just going to make a trivial Packer which handles the most basic F file and only one file so I will not test it on purpose for on other files but keep please keep in mind that if you would like to create a real Packer you do have to test it a lot because it has a lot of cases what are the differences between elf and eggs like structure the differences are basically in structural names vivec Hall calls of this super similar with exception that there are no segments in the PE files in the elf files there are segments and sections and P files were only only sections the segment's are basically a way of telling a story well of telling the kernel how to structure by memory for the program you're loading and the best sections reside in the segments but the kernel uses the segment's to basically create a memory like memory places to allocate memory from executable file and peeve s sections are used for the same purpose even though in the elf file Pervis sections and segments could be used for it the segment service so that's one difference in the second difference is that import files are and imports are treated totally differently and in both cases but yes maybe not gallery cover today especially on linux but it's it's done in user land like the loading of imports and it's not part of Kara no it's part of veggie Lipsy which is quite surprising on windows is part of people older but of course a lot of minor differences as well all around all around and again all the structures are called differently but when you like go on a really high abstraction level in the end it's a really similar concept so very server two questions for faster performance does move up skater or moved with skate or make any difference like some hardware tweaks tweaks not working I actually don't know I didn't die with it too much so I don't know how how well it handles like different instructions and how does it how does it implement over all the instructions so 
I I'm not sure I can answer a question I guess you can email the offer or read the paper to look into it to check it out okay and I did also receive a question about F and P why does everyone use this editor vim the main reason I am using them is because it opens in 0.1 second and I I dislike dislike waiting for and like a text editor to open I just want to have it immediately and be able to type something and that's the main reason I'm using them you might laugh but that's actually the truth okay so this is the do I have this is the main application I will be testing this on and I will compile it with two options first I this is not going to be a position independent executable sorry no pie because I I don't want it to be moving around that's also a case which needs to be handled and and like full-blown backers and protectors but I don't want to be handing it today and static for making actually a static executable and is going to be apt a 64-bit executable let's do it like this now I need to compile it what's my opinion on sub lime I didn't I never use sublime so I have no opinion on it hmm and alright sorry too much - thank you their best advisor hmm so that's one feeling and vs code I don't know what is vs code is it like some visual studio thingy I did use the Udo Studio editor robot but it's so ok let's compile it now let's make sure everything is fine so check SEC is a bash script which you can find on the Internet and I'm going to use it to see basically if the file has any funky stuff but no Pi which is good the rest I don't care about too much mmm yep of the size of it can I strip that the strip that just for mistake of it stripping basically removed some sections which might contain some additional metadata it doesn't change the core of executable so it's safe to do and yeah and you can as you can see it well right as I said remove some stuff which is not really needed but Matt might help you during the bugging so Visual Studio code yeah so I never I 
never used it I did play with item for some time just okay launched to just though I did play with like notepad plus plus and so on and yeah I mean Envy and whatever whatever works for you right famous okay for me I'm sometimes looking at other editors because famous in VN someone limited for example even if you can buy create some other windows and so on you're limited to only ways like text buffer Fendi and you cannot do proper proper graphics for example if I would like to create a plugin which this place this place like the code as a graph I cannot do it so sorry so it has its limitations I used to like it for for other reasons services okay does it work it works I guess what I can do now is I can see it an i that you know creating a packer is all about low level stuff and if you're doing low level stuff you probably want to see what you're doing so let's just see it mmm okay so there are quite a lot of sections these are not segments we serve sections as you can see sums this is quite fine and this is something you should you should pay attention to especially on CTFs but these sections are actually yep these sections are read-only and executable they are not writable right and then we have a section which is raw data which basically like this section ends you can see the a to CAG address here and this section basically begins with with some minor padding but it's saying that the same it's still the same page and I tells you that it's read-only but there is no execution you cannot execute code in it and that's actually a lie because well even though there is no executable argument here well it still has to be on the same page in memory and on x86 the smallest page you can have is four kilobytes and this is not a 4 kilobyte boundary but which means that at least the beginning of this section is still executable so for example you can look for retro and oriented programming gadgets in that end of the section because you can still execute cover so my idea will be 
to basically grab the segment with our vest section of text so only the section I'm not going to touch any other section today and well encrypt the code with I don't know desks XOR it or whatever it doesn't really matter I'm not going to do anything with other sections in case of creating a professional Packer or professional protector we obviously need to handle all the sections and encrypt them as best as you can hmm which is which might be kinda tricky in some cases but but yep so I'll focus on this just for simplicity today now I don't think about the way or at least I don't know a way how in I dot who basically display segments but that doesn't really matter either now what's important is that what I'm going to do from a like faretta called point of view as you can see there is the application basically begins execution here from this address right and this address is what's called EP like entry point oh I can actually type here so EP now in terms of Packers and protectors or reverse engineering which is actually referred to as OTP like original entry point and the idea is that I'm going to change the ID that the real entry point to point to some other address to my code my shell code and my shell code will be when executed when this application is executed it will first decode the code because the code will be in a encoded form and then so this will be like decoded all of it obviously up to the end of a section and then I will jump to the OE P which is the original entry point and at that point the code will resume normal execution from this point like basically never have nothing happened it vaguely is that this code has cannot be aware but some other code executed before it the environment has to be identical but as Robert easy to do because in this case the environment is basically what's on the stack further away from from the stack pointer and also I'll be able registers so if we have a stack pointer here and it points well it actually grows this 
direction we can overwrite anything on the stack here because the application cannot assume that this part is you it anyway so we can overwrite stuff here and the idea is basically for our code to first dump all the registers to the stack and then do what it's supposed to do which is unpack the code then restore the registers from the stack back to the register banks and in the end in the end up here yeah so that's the idea basically and I need to create a purse or a Python script which basically and covers this section this is encoded encrypted for example that against is more application than actual encryption because the key has to be verb key has to be placed and executable or at least the algorithm with keyed Headey radiation has to be placed ler and so yeah so python has to look how eyes with us locate where the section is then encrypted and then inject somewhere the somewhere is the funny thing here my shell code redirect the epe store original entry points a more safe executable and and was basically it so that's the idea let's try to get to it why use the stack for dynamic memory allocation I'm not sure what what do you mean I mean that's not really I wouldn't call using using the stack dynamic memory allocation in all honesty is the entry point every time in the text section no but as I mentioned I am NOT going to it doesn't matter for our case actually where the entry point is because we jump to we don't jump to the beginning of a text section we jump to the original entry point whatever it was so we don't care and it's not always in the text section I believe it's the convention basically says to place it in the text section but it can be anywhere in the file and then executive executable place or in some cases even not not in the executable space cool so we have this I'm going to close it because this is no longer needed and this is basically my Packer so let's import some basic stuff which I'm going to to use today so from struck I'm going to be using 
and that can probably pack as well and the try fine if anything else today about now I was just import these two things that might be useful at some point language this yeah like basic - boiler plate code okay and I guess this service is fine first the question were in episode 17 on your publish where is episode 17 on my published channel was it delighted or what that's an excellent question I have absolutely no idea what episode 17 was I'm actually curious enough to check now PL apt is I don't know maybe there was no episode 17 and is just you know a mistake in there and how how we counted them like episodes basically it's pretty possible that there was never any episode 17 but we jump from like 16 to 18 by my mistake so I don't know I didn't delete any episodes so that's probably the most probable answer we should we should investigate okay cool so let's now I don't know I'm going to just check it whoops so I'm going to add the shebang with a nut bash user bent - of course and I'm going to change the file format to set file format - UNIX because I'm writing on windows so it uses the windows and the blinds and Linux kernel dislike just likes having four windows and in here so that's fine now I need to actually chmod executable my script and this will probably want to reload it now we don't like to reload it that's okay now it's executable anyway so never mind because I'm as you can see I monitor 12 box partition anyway yeah seems to work so now let's assume that I want at least one argument and the argument is going to be executable name so yeah I can write further boilerplate stuff I never remember so f and ography isn't equal to 2 then just to remind and say maybe music yes it's fine so now first we need to load it in memory serve night nor yeah let's go to elf elf is supposed to be equal to now let's do it properly with open our could be yeah let's just read it and we need to do let's do and buy it all right you do I want to bite our a I'm not sure I want to 
buy the right I might change it later on okay so now ahem sorry now I have the elfin memory and in the end I'm going to store it somewhere so let me create the name in a rather nasty where I like to start in act as the extension or a second extension that guys it really has one I'm going to write up I'm probably going to change this later up change call so now we have a copying program why do i why do I use coding and the women sort of paint that's an excellent question yeah it's just because I don't I'm not sure what kind of color power you should use for implementing the elf format now in the elf format itself I'm not going to do a proper elf parser because well you know one and a half hour stream right what I'm going to do is I'm going to basically jump into both structures like find the structure which I need as food as fast as possible and and work from from that so what do I need hmm I probably don't really need the elf header I'm not going to check valve is like a correct elf file if it's really a 64-bit x86 5 I'm going to skip it and I'm going to assume it actually is so this is van f header now I need a 64 bit of header I'm pretty sure very very somehow and I need to get above a section table and so he was like do I have yeah f 64 hmm I don't know check this check this is I need something really of specific 64 bit specific because the length of the section change and sorry so the first one is this the file header which I guess I should assume do I need anything from this field there is of these two things are probably interesting the program header offset and the section header offset having the section header offset already gives me the my section headers which contain information like well where this section is located in the file as well and memory and to find the univer dot text section I actually need to parse it so I do need to read at least at least this one for starters I'm probably going to need also the program header because I think it contains 
the offset of the segment table I might be lying but we'll get to that later on first also like sizes which I do probably need and verse so it seems like the name of sections are not also placed ver and the headers themselves but I do need to grab them from from the files and I'm going to read probably the whole to the whole structure anyway okay if we're supposed to be a question is that a different entry point address in West tract or the or wider you needed this one I probably do need it this is the original entry point for me so I am need to grab it as well so so for point too bad was your question so I need a couple I need to actually read this powers of this section because we're quite a lot of important things here for me so that's sorry let's move this here and smooth this here because we can see everything perfect so unpack of I have no idea what the sizes I'm going to check out collate it in a second and so file header so I think there's also a way for me to name the fields but I never never never remember it 16 bytes 16 anchor 16 D back truck format fad abide no value be assigned by Nelson no that's how be the rest should behind it should mean 16 guys I think yeah 10 seem in some characters anything you can sit here but yeah so this is the proper way to write it then we have 64 bits I think like you is the proper q q yeah q is an 8-bit unsigned integer so this is what I'm looking for how many cues our bearer was like nervous is half actually sorry my bad I was looking at 64 instead of first so half is what's half half is to always to word this always for and export or export is it okay perfect so then we have let me make it a little bigger so we have to have some award which is capital I and address okay was an address probably address is it yeah as I thought so address is going to be Q and I did it I could still ask you then to offsets offset it's probably eight as well yeah I I'm not sure if it it must be eight because have you ever seen like an 
executable which is more than like four gigabytes and actually maybe you have because if I remember correctly we compile like Ceylon for 64-bit it's actually two gigabytes so that's already pretty close for comfort so maybe I just not cover ok addressed to offsets when a war word which is I and quite out of house which is one two three four five six HHH yeah okay now what's the total size of it oh it's actually going to do from an ice exception having good but what the size should be leather blah 58 perfect 58 it's here as you can probably see okay now it works so let's see what it actually got for us and these are the episodes by elf like you know health letters and ask you all that wasn't really helpful then we have some more not interesting staff but we really don't care about the interpretation here what we do need is we basically need to let's do it the proper way so the proper way would be to actually give it a list of fields I guess I can copy the fields I do typing is faster you can obviously use like some elf library to do this but given that my live streams are somewhat low level always I refers to like show you that it's actually possible to power suppose by hand you don't have to use any libraries but you can if you like okay this is not going to work is it yeah like too many yeah too many because it is actually right you know what I'm going to do something like change this to s probably sorry which is us I think they're also way to actually tell it that I want six characters the ten bites drink sir see that's what should be fine there were some questions yeah I could use some power in DB g blob yeah I could use library to say it's a mitten is it is possible for any executable like dotnet each executable format has a different different format that's why it's called executable format I guess but yes packing is in general I do possible for most things not sure if for dotnet or Java because the reason is that you need to actually unpack it in memory like 
change the code in memory decrypt the code in memory and then executed if you can execute bytecode in.net then you can do it if you cannot when you cannot probably do it for example for Python the bytecode is supposed to be read only but using some tricks is possible to do it well I like overwrite things in memory like there is no tomorrow basically so I'm sure about dotnet but in general it should be possible for six half I gave only free yes and because I am stupid thank you so this should be 64 yeah all right perfect mouths words thank you demos so this works now what I need I need for example the address of this or but offset of this was also very 31 31 this is correct I don't know if it's correct maybe I'm interpreting is wrong I was actually expecting this to be offset every section name string table index I don't know maybe it's the index and the program header or something I'm going to get to it later let's start with the entry point I guess service what's the entry point and if it's the same thing which I see in I dump it's 400 90 oh I think that's the same as we saw in either write 409 TOS was the same thing so this is fine ABC says that you can do it in dotnet you can create and run code in the run time that's pretty cool I know you can do it in for example in the flash and you know ActionScript so this is the first thing original entry point right so I'm going to know to general and now the section header offset is it a real file offset or is it some some index and somewhere let's see DBF but actually sounds really reasonable let me open up a file the hello file in a hex editor here we go I was jumper yeah maybe I don't know so he does this have do I have a structure viewer static structure library is there elf here I don't have an elf just inferred that's the bet but this may be okay anyway so I'm going to assume this actually subsidies actually find and now I also need when number of section header entry so we think and I guess I'm going to print it 
and I'm going to check in IDA if it's correct. Thirty-two sections, that's quite a lot; that's typical for ELF files, whereas PE executables usually have way fewer sections. As you compare it with the GCC 32-bit one, that's quite funny, because this size is 25, but maybe there were some sections which are skippable or something; we will get to it in a second. Let's try to look for the proper structure, with the various verbal descriptions of the fields. So e_shnum contains the number of entries, that's okay. e_shoff contains the file offset in bytes of the section header table, this is good news. Now what is e_shstrndx? It contains the section header table index of the section containing the names; if there's no such section then it's undefined. So there seems to be a special section which actually contains the names of the sections, that's fine. So the sections, blah blah, what? Oh, and there are special sections indeed; there is a processor-specific range, so I'm probably not going to use any of these, but I do again need to implement the structure, so let's do it. I'm going to create a new function called parse_section, and it takes some data and basically returns... what does it return? Let's return a dictionary, shall we? Or maybe not a dictionary, let's just do this unpack: there are two dwords, then the qwords (address, offset and so on), then two dwords plus two qwords, so this should be fine. I have the data obviously, and I'm just returning it like this. So for i in range of the number of sections we will do this, and now I want to basically parse the sections. Again retyping; I could probably figure out a way to copy it, but it would probably take me the same amount of time as actually retyping it. Sometimes I think one skill a programmer really needs is patience, to basically do stuff like this, just to type ten or fifteen field names or do similar stuff. So unpack, unpack our section i.

I'll paste it here, and that's proper formatting anyway, more or less. Okay, so first section, and I need to pass it... I don't know the size of a section yet, that doesn't matter, and at this point I need to pass it the data starting from... d is my data, no, elf is my data, my apologies, from e_shoff to e_shoff plus... and I have absolutely no idea how many, so I'm going to give it too much and let's see how it crashes; it will probably raise an exception. Let's say 64; nice, 64 was fine, so I'm going to put 64 here as well. Cool, and now I'm going to see what's in sh_name, but I already know, my guess is written here: it's the offset in bytes to the section name relative to the start of the section containing the names. Yeah, okay, so it's zero, zero, zero, zero; am I in the right location? Oh yeah, it's zero, zero, zero because I actually messed up one thing here: I need to add some offset, and the offset is calculated as i times 64, where 64 is the same as the 64 which is the size of the section. Can you actually see the code? I guess you can't see the code, so yeah, let's do it again. Now this looks much, much, much better, so I guess I can also... oh no, I first need to find the section which has the names. So I guess I'm going to display a couple of things, but the most important thing for me is this, which is the type of a section, and the types of the sections are 0, 7, 7, 4, 1, 1, 1, blah blah blah. Now the types are in table 8, and table 8 is here. So what sections do I have again? I have section zero, SHT_NULL, which marks an unused section; why is there an unused section at the beginning, I don't know, but yeah. Then 7, 7 is a note, it contains information, so a section which contains information, perfect. Then we have relocation entries, which is quite weird because this isn't a relocatable executable, at least it shouldn't be.

Then we have sections of type one, which are progbits, contains... these are like real sections. And then we have type 8, nobits, contains uninitialized space; that means in the file it contains no information, there is just metadata, but in memory it allows the kernel to allocate some memory for bss, and it's used for example as the uninitialized data section. Then we have E, E is 14, and I don't see 14 here, why? Not floating here, mmm, no, seriously, I have no idea, I'm going to find it in a second; I guess E is 14, right, there is no 15... I do have 7, 7, 1 ahead, and I do have 3; 3 is the string table, so the string table, as in the names of the sections, is actually in this last section here, which is quite funny. Now I have absolutely no idea why I have another section here which is 3; nevertheless this is fine, okay, this is fine, because I actually thought I have this, perfect. So I guess I need to first find the section which is actually the text section; I guess I should rather have an array of sections with all this information. I'm going to actually do something nasty, please don't do it at home; now I'm going to basically do it in two phases. How does this help? Because it's the .shstrtab string table; is this the string table I'm looking for? I'm not sure actually, okay. But I did have a section name with a type 15, why is it... oh, in the published section header, yeah, we do have E, which is an array of constructors as you can see, and F is an array of destructors, which is not really needed by the kernel, it's needed by the C library I guess. Now what's the description here for the string table? I guess the string table is what I'm looking for. Let me get back here and actually check if the name contains the offset in the string table, yeah.
Okay, so that's exactly what I'm looking for. Section... I don't know what it is, so -1. And now if sh_type, the section type, is equal to 3, that means that's my string table, so my string table is equal to 3. Now I'm making a mistake here on purpose; oh, not this mistake, yeah, I'm making a mistake here on purpose, and my mistake here is that I'm not checking if this is assigned already, because if it's already assigned and I have a second string table, things are a little weird, but again, as I said, I'm not really verifying that this is a correct executable, a correct ELF file, right. Okay, now I actually do have the names of the sections, I'm going to see what I can do. What I need is a funny function called get_cstring; it gets the data, it gets an offset, and it grabs a C string, which is basically a zero- or null-terminated string. Sorry, yes, this is Python 2 code, so now while the iterator is not equal to zero... it's a string, right, so I need to manage some of my typos, okay, perfect. So now there's a question: oh, you can use e_shstrndx to check if it's the correct section. Yeah, sure, but that's exactly what I'm writing now. So now if I want to write out the section name, I write this and I want to get get_cstring(elf, ...) and now the offset, and the offset... I know where I made a mistake, I made a mistake here, this should be absolutely okay, so get the string of... so yeah, okay, I'm sorry, I'm writing really nasty code. struct isn't a module for me because I actually used `from struct import` blah blah blah, which means that struct is not a label I'm using in the global space, so I can use it as a name of a variable. I realize this might be confusing, so I'm going to change it to s, and this should be fine now. It was okay, yep, this is just a style change,

basically a correct style change to do. So perfect, now I do still have this, which is... oh wait, I know what he meant, he meant that I can check here if a section is actually equal to this, and if it's not, that's it, right; I guess I'm introducing some checking after all, maybe I should import assert or something, okay. And now I need the offset in the file where the strings are, so the strtab offset is going to be sections[strtab].section_offset. Right now I'm doing it in an incorrect way, I should do it differently so I don't have to write this here, because Python scoping actually allows me to declare a variable here and it will still be visible outside of this block, but I do have this habit from C++ where I declare variables that I want to use outside of the block from outside of the block, which isn't needed in Python, again because Python scoping works differently, but it's still correct and it will work and it will be fine. I need to do the opposite here by the way, so let me put it here; s is reserved for socket, yeah. So how do I get the offset? It contains the offset in bytes from the beginning of the section, perfect, so now I have it. So the section name should be get_cstring at strtab_offset plus sh_name; I'll see if it works. Yeah, it works, perfect, I have section names here as you can see, and some sections are actually right, where the zero section is not used so it doesn't have a name. My text section is here, so this is what I'm looking for. So perfect, we can list sections, and now the real name of the section is this, and this is a part of the packer which is specific to today's episode and probably normally should not be done like this, but as I said, I'm going to explicitly pack a section which is named .text. .text obviously is not text, it's code, but for some reason in executables you call the code section text. One exception is the Borland compiler; the Borland

compiler actually uses CODE, in capital letters, for this. So this is it, when the text section is i, I do have the text section now. Now what do I need from the text section? I do need from the text section a couple of things: the first thing I need is the text offset and the second thing is the text size. Again, I do not need to write this variable in the variable initialization here, I could do it here, but it's a habit I have which I believe is okay. So this is easy, it's sh_offset. So now the size I'm interested in is the size in the file; the size in the file and the size in memory are two different sizes, so I need to be sure that sh_size is actually the size in the file. Yeah, it is; I don't know, can you see it? It's "in the file"; the file, this word here is really important, mmm, cool. So sh_size, I can write a happy message here, a text section of... sorry, okay, my apologies. This looks more or less correct; I'm going to double-check if this is correct in IDA obviously, so let's jump to IDA, let's open this window again, and we have 3B0. This is obviously... this 3B0 is in fact in memory, so I'm going to jump to it, and here at the bottom this is the file offset, and the file offset is, you can probably see it, 3B0 as well, so this is correct at least. Now let's look at the size; the size of a section, I don't really see it here, at least in the file, but I can calculate the size in the memory and check if it's somewhat similar. So it's 3B0 here and 684 here, so I'm not going to even pretend I can do it in my head, I'm going to do it in Python: 0x684 minus 0x3B0, skipping the 4 at the beginning because I don't care, and this is the size, which looks somewhat similar, right. So this is actually identical in the file and in the memory, which is somewhat weird, but yeah, usually in the file it's smaller than in memory, but what I'm saying
now is specific to the portable executable format: usually in memory it's aligned to a whole page, not always but usually, and then the file is actually smaller because it's aligned to 512 bytes or something. Okay, we do have the entry point, we do have the text section, now we can basically encrypt the text section. To do this do I need a little bit... no, I don't need it, and to do this I'm going to create something called new; is new a keyword? Maybe packed... packed isn't accurate, but good, good, and this is going to be a bytearray of elf. So I'm basically making a copy of the string into a new bytearray, because a bytearray is mutable while the string isn't, and I do want to mutate it, and at the same time I'm basically keeping a fresh, unchanged copy of the ELF file in memory. So "encrypt", as you can see with quotes, basically with quotes because this isn't real encryption; well, XOR isn't real encryption, but what I mean is that again it's obfuscation, because the key for decryption has to be in the stub, in the shellcode at the beginning which decrypts it, it has to be there, or it has to be derived from there, because there's a technique called the time lock which basically says not to include the full key in the loader, the loading stub (the shellcode at the beginning is usually called the loader). Instead, for example, if the decryption key is eight bytes, you have six bytes in the file with two bytes missing, and you have some MD5 of the correctly decrypted text section, or whatever section, and then you just brute-force it, because the missing two bytes are just 64 thousand tries, 65 thousand tries, so you just try them one by one and you compare the MD5 of the decoded section

with the correct MD5, and once you hit it you know it's correct. And why do you create a time lock like that? It's actually super fast when you just launch it, but that's what malware does when it tries to evade an antivirus which waits for the malware to unpack in memory before scanning it, in a universal, generic way, because the emulators, at least in the older days (and it was the state then), the emulators in the antivirus would run for example 1 million cycles of the executable before scanning the memory and seeing if there are any signatures of malware, and therefore the time lock would basically take, for example, I don't know, 10 billion cycles, which is again, I don't know, two seconds, two and a half seconds on a PC or something, but in an emulator the emulator would just give up and you didn't find a signature. So that's why time locks were used, and that's why there are cases where you put just part of the decryption key there, but it's not meant to stop the executable from being unpacked, it is just a different form of obfuscation, I would say. Okay, cool, so encryption, right: so for i in range, and it's Python 2, but I guess I should use xrange here because the range is going to be probably larger, but I think that in a newer version of Python 2 xrange and range are similar. That's right, let's see how much RAM I can allocate, I'm actually quite curious: range and a huge number here, let's go for 64, because range in older Pythons returns a list. Let's see if I can allocate a list of 32 gigabytes, no, 256 gigabytes; if my stream dies I apologize for that. "Has too many items", so maybe it is faster to... yeah, I'm confused, because I actually read the Python code for range and it does have some optimization there, but I don't remember which version I did use. In Python there is an iterator, but in Python 2 there is some optimization, right, as well, as

the type for range; there's no list, so maybe I'm mistaken, maybe I was looking at Python 3 after all. Oh yeah, I'm going to use xrange here, where xrange is actually, you know, Python 2, right, so it doesn't allocate a list of 1 billion elements, instead it's just a simple iterator. I could probably use xrange here as well, but for 32 it hardly matters, but I guess it's a good habit to have. Now the size of the section is what I am iterating over now; in packed, the offset of the text section, so technically, so as not to make a mistake, this would be text_size, text_offset plus i. I XOR everything with a magical randomly chosen number, 0xA5. I don't know if you know why 0xA5 is like a commonly chosen pattern, or 0x55 or 0xAA, a commonly chosen number in such cases; it's because if you look at it from a binary perspective it's actually 1010 or 0101, so it's basically the same amount of zeros and ones, evenly spread across the number. So that's why you usually see 0x5A or 0xA5 in random crypto-related situations, or it doesn't matter; the number should be random but it should be somewhat mixed. Okay, with big ranges just use while, that's what the viewer in chat said. Why do you think it's better? Is adding actually faster than using an iterator? It's a good question; if you know, just let me know. Okay, so we're encrypting it now, and in the end we have an encrypted executable and we are writing it here, but we should actually do it back here, and this is my to-do. I wonder if it will work or if I have to actually convert it to a string; one way to find out, and that is by running the application. Now this file was created, obviously, so I am going to compare these files in a binary way using Total Commander to see where it actually changed, and it changed starting from this offset, I guess, yeah, this looks
okay. Let's see if it changed a lot of stuff, enough stuff; it stopped changing around here, which is kind of the correct place where it should stop the changes, I guess; if not, we will get to it later. I'm going to show you the file in IDA now; the file doesn't work, obviously, but I'm still going to show it to you in IDA now. So now it looks like this, which is obviously the start point; this looks nothing like what we saw before. It's not yet in the final form, but it's already packed, it's obfuscated, right. It doesn't work yet because I still need to add my loader, my shellcode, at the beginning, which brings us to a funny question of where do I actually add my shellcode. And this is where things get funny, because the normal way to do it is to actually add another segment, or another section at the beginning called something like .packer or whatever, and at the end you have it readable and executable, and there is your code. There's a question from a viewer: do you actually analyze malware? Not anymore; I used to do it in my previous company, but that was again ten to seven years ago, so yeah, not anymore. Anyway, given this, we do have... yeah, this is the correct way to do it, but I'm not going to do it this way because I have 20 minutes left. What I am going to do is I'm going to probably inject my code in some place where we have a lot of space; well, "a lot of space" is not the correct word, we have some space to inject my code, and again, usually in a packer... I observe some questions, oh yeah, I answered it already; this one says that Python 2 xrange was less than half of the time of a while loop, thanks for testing it, that means that xrange is faster in the end, anyway. So, since I have 29 minutes left I would like to show you folks that it's actually running, I am

going to cheat a little and find a place in the executable that is not really used where I can place my code, where my code will basically just do what it has to do, and move forward. Now I guess I can see there's already some space here due to alignment, the text section ends at 684 and this starts at 690, but that actually means that there are obviously only a few bytes, which is not enough, but maybe at the end of the text section there is some place or some unused function which I can overwrite. Again, normally you'd add a new section or a new segment even for your code, or what's even more probable, you would extend the last section or segment, make it executable and write there. Okay, so I was actually going to go at the end of the classic text section, so we are here, there is some funny function here and some other function here, and these might be super important functions for the program, I have no idea; the truth is I am going to test it by overwriting it. So I'm going to comment out this encryption and I'm just going to overwrite it with 0xCC and see if it's executed at all, because again, I'm testing it on just one application, I can do things like that. So let's go to the end, and let's assume I need around 256 bytes at most, so I'll go to this address; let's... yeah, awesome, here it's a little less than around 256, but it should be fine anyway. So starting from this offset in the file, 0x584, so that's, you know, bytes, if I'm counting correctly, that's 0x584 plus i, obviously; I'm going to just write 0xCC, which is int3, the breakpoint, so it will crash a little. Discussion: and now it is actually 100 bytes, I thought I had a different offset here, so up to 0x100, which is of course 256. Okay, so I'm going to run it again, run it, and now I should only have overwritten this final section; I am going to again check it here, yes, this is just my overwritten

stuff with 0xCCs, which is good. So I'm going to execute it and see if it crashes... hello, sir, yes, hello back; can you see something? You can see something, I guess; I'm going to make the console a bit smaller, and I'm positive you can see it: it didn't crash, which means I can write at this offset, I can put my code there and I can change the entry point to actually point to this location. Again, this is not something you'd probably do in your normal executable, but it's acceptable I think given the time constraints we have, and it does basically show the concept. That being said, if you have any idea for the next stream of what I should handle on the next stream, please put it in the comments under this stream, and if it's, for example, making this packer or protector more proper, by adding a new section or segment, that you'd like me to continue working on, then please let me know in the comments down below; otherwise I'm going to just choose a different topic, assuming that I am going to finish this today, and I think I am, just the basic idea though. Cool, so now I get to add this offset, this is the magic offset, okay. I'm going to write my shellcode. What shellcode, you might ask; the shellcode I'm going to write now, so I'm going to create a file called loader.asm, because I'm going to write it in flat assembler, which is my dialect of choice, and 64-bit, not 32-bit. I'm going to assume that the offset, or the origin actually, is this, with a 4 at the beginning, and at the end I'm going to compile this, so I'm going to do os.system, and I can't even type it. So I'm going to compile it, and once it's compiled (please note that I do not do any error checking here, which is incorrect obviously), I'm going to just load it, loader.bin, yes; loader is supposed to be a bytearray of what was read. So now I have it loaded, and now I put my loader, mmm, can I do it
let's see if I can do it like this: at the magical offset, up to the magical offset plus len of loader, I'm going to put the loader. Hmm, I think it should work, I think it actually is supported. Any questions? No, no questions, perfect. The loader is there, now I need to adapt... I'm going to write the loader in a second. Actually, why don't you use subprocess.check_output? Because I'm lazy, but okay, let's do subprocess.check_output; the very real reason is that I didn't want to scroll my screen up. Okay, and I actually need to change this; you do know that I do not write ideal code on my streams due to time constraints, but yes, this is the correct way to do it, check_output actually takes the exit code and if the exit code is not zero it actually raises an exception; that's a good way to do it, cool. Now I need to change this field, entry, to actually point to my magical offset, or actually the magical virtual address in memory, because the entry point is not in the file, it's in memory. Therefore, where is it? I need to count bytes, so let me scroll up here: sixteen bytes, then four bytes here, this is another four bytes, so eight bytes total, and then we have this, so it's 24 bytes from the beginning of the file. This is a raw array, and it's packed; 24 bytes, I know, but it's actually eight bytes, so I do plus eight, and this is supposed to be equal to bytearray of pack of one qword, I'm using native and, as you can see here, this is my new address, which is the magical offset, where it's actually loaded in memory. Wait, wait, wait, I did this: one, two, three, four, five... this would overwrite my entry point, and I think this is correct; is it 4, 8? Yeah, it should be fine, cool. So now I just need to create the loader, and instead of already writing the loader I'm just going to do something like this, an infinite loop, just to see

if the placement of the entry point works, because otherwise, if I don't check it now and something crashes, I will wonder whether it broke due to this line or due to my loader. So let's try it again, and I can actually do it like this: hello, it hangs, yeah, it's an infinite loop, which means it's a good signal, but there is a chance that it jumped into my loader, so I need to verify it by changing the behavior to int3 and it should crash now. And it did crash, it crashed with a breakpoint trap, this is int3, which is a software debugger breakpoint, which is fine, this is the correct thing. So now I have confidence that it actually jumps here. A viewer asks about polymorphism. Polymorphism is basically when a piece of malware uses several things, like polymorphism and metamorphism, but the idea is basically that each time you run a packer it randomizes the packer's loader code, and also the encryption and keys and so on; therefore it's harder, if you have two different malware samples, to actually analyze them, because you have two different loader codes for both samples of malware, which makes it harder to create an automated tool to unpack them. That being said, when I was working for an antivirus company, like 11 years ago, we had static unpackers which worked for polymorphic packers, and if you analyze the stuff and predict some stuff it's actually still pretty doable; I'm not saying it's easy, but yeah, it's pretty doable. Writing a simple VM for protection, the VM is the easy part, but the hard part is actually translating the code you have into the VM. Again, let's write the loader. So what does the loader have to do? It basically has to push on the stack the registers which I'm going to change, and then unpack, and then actually call mprotect, because I have to change the text section to be

writable, because it's not writable in memory when I execute it, then change it, and then change it back to be executable again. That being said, if I do my trick, which is actually placing my code at the end of the text section, and I have this kind of protection in the kernel, W^X, which basically means that a page of memory can never be both writable and executable, that means I have a problem, because my code, which is supposed to be executable, cannot execute because I just set the text section to be writable. So yeah, but I do not have this protection enabled on the machine I'm using, so it will be fine. Okay, cool, so yeah, I don't know what registers I'm going to push on the stack yet, I will leave that for now, just to have some boilerplate code here. Now I need to do mprotect, so the Linux 64-bit syscall; okay, yeah, it seems it thinks I'm a bot, perfect, I'm not a bot, oh good; it was confirmed publicly, I'm a very good bot. mprotect, here we go, hmm, what do we need to do? We need to know the registers: RDI, oh yeah, RSI, RDX, I don't know if I need anything else in mprotect, no, cool, and RAX obviously. So to RAX we move 10, it's decimal 10; to RDX we move the flags, I don't know what the flags are, I will put them here in a second; to RSI I move the size, and the size of the text section I'm going to hard-code here, and normally in a loader you wouldn't hard-code it. So what's the size of the text section? The size of the text section is 0x3B0, and so we start at 0x3B0 and we end at our loader, because we don't want to overwrite our loader, right, and our loader is at the magical offset, so this is where our loader actually begins. So this is the size, but the size needs to be also aligned to a page; I don't think it has to be, but it can be, so if I wanted to align it to a page I just basically OR it with
this, and this will align it to a page; now it will align it to a page, and now I have to still add one to this; now it will align it to a page, and in this case I'll just do this and this will work as well. Now RDI is the address in memory where I have it, and the address in memory where I have it is actually really simple, because this is the address in memory where I have it. Again, I'm hard-coding this; normally in a packer you do need to read it from the file and put it here programmatically, but I'm not going to do this now. If you do it programmatically you would actually have to put some magic value here, like ABCD1234 or whatever, and find this magic value and substitute it with whatever the value is, but you have to put in the work. Okay, this is fine, now I need the flags for mprotect, and the flags are called PROT_READ, PROT_WRITE, PROT_EXEC, so I look for it in /usr/include, and here we go, this file has it, and, no surprise, totally no surprise, we just put 7, and that means readable, writable and executable. And now we do a syscall, and after returning we actually should have our range of memory writable. So now we put in some register, one of the already changed ones, RSI I guess, the address of the start of the section; again I'm going to hard-code it, and I'm going to check it in IDA. Then the size of the section, and the size of the section is actually exactly the thing I calculated here; here we go. And somewhere I need to put 0xA5, actually. Now this is RDI, I want the same value in RSI, okay, and now I can use, what was it called, lodsb, load byte; it actually loads a byte from here, from this offset, and puts it in AL, right, so I need to change this, I actually need to do XOR AL, 0xA5, and now I need to store

it: stosb, so this instruction basically stores a byte at the destination but also increments the register; I probably should do CLD somewhere here, which is clear direction flag, though I think it's pretty much guaranteed that the direction flag is cleared at this point. And this does the same, also, you know, not RSI, RDI obviously, so stosb is basically store byte at the DI register, the destination index (the first register is called the source index, the second the destination index), and it is incremented as well. So this is basically a nice loop, and since it's a loop I can do... I'm going to declare loop decrypt. Now loop is an instruction which actually decrements RCX and checks if it is nonzero, and if it's not then it jumps, or the other way around, but it will repeat this RCX times, so this is fine. I am going to clear the direction flag here after all, and now I just need to see which registers I changed: so I changed RDI, I changed RSI, I changed RDX and I changed RAX, anything else, RCX, and now in the reverse order I do need to pop them: pop RCX, pop RDX, pop RSI, pop RDI, yeah, okay, this is fine. And now in the end I do have to jump to the original entry point; now again I should probably put the original entry point here in a proper way, as in programmatically from the Python script, I am not going to do it today due to time constraints, I'm just going to hard-code it. A viewer says that it first decrements and then checks, okay, yeah, that makes more sense. So I'm going to push it on the stack and I'm going to return, which is basically a way to jump to an immediate value; this actually even has a chance to work, let's see. So, as you can see, I'm not restoring the correct permissions on my memory for it to be only readable and executable; a proper packer should do it, for example if I remember correctly UPX doesn't do it, which makes some

stuff easier to exploit, which is funny. Okay, that's how it... I could show how packers work. Okay, pack it and then run it; sorry, I do believe I have this, and it works. So it seems my protector actually worked, okay. I think I have a comment from a viewer here as well, so I'm going to leave it for a second, I am going to now open this file in IDA to see if it actually did really work or the packer forgot to call the proper file or something. So, okay, so we start here, here is where we are supposed to start, this is our magic offset which I've chosen, and this is my code which I've just written, so you should be really familiar with it since you just saw it a second ago, and in the end it should jump here. So if we jump here, obviously there is no proper code here, so what I'm going to do now is I'm going to actually test it in gdb. Well, this also means that in IDA, until I actually decrypt this stuff, I don't really know what's going on here, I cannot analyze this code, so the protector kind of works; it's super easy, obviously, but it kind of works, right. So let's run it in gdb, let's see, gdb shouldn't complain actually, okay, and let's break at the entry point, which is this entry point. I actually don't care about breaking here because it first needs to decrypt, so that's maybe a better spot here, okay, and run, and it broke, it hit the breakpoint, and where is my code? This is the code I'm looking at, so now I'm going to look at the code in the text section, at the beginning of the text section, which actually has the original entry point, so this is .text; I already don't see what I'm typing, let me take this offset... our instructions, yeah, this is the incorrect, encrypted code, and now I'm going to single-step a couple of instructions of the loop which is decoding, and I'm going to do it again, and for some reason it's still the same stuff. Why is it the same
stuff? Oh right, because this is actually farther down, it's not at the beginning of the section; therefore I'm just going to put another breakpoint at this return address, continue, and it should be decrypted now, so I can dump it in memory, and as you can see this is a normal prologue of a function, so this is the decrypted code at the same address which I was looking at a second ago. And the maps, how do you do maps? I don't remember; this doesn't show what I want to show, I want to actually show the proper permissions, yeah, okay, here we go, and as you can see this whole section of memory is actually writable and executable now, because we changed it, so this isn't a great idea from a security perspective, and I mean the normal low-level buffer-overflow style security, because it's easier to exploit, and as I said some packers do it, but usually you should clean up after yourself, so you should actually set the proper rights to all the sections after you're done unpacking them. But again, I'm not going to do it today. info proc map, no, vmmap, vmmap, perfect, it even underlines the section which has too permissive permissions. So I guess this is it for today; the one and a half hour mark hit just five minutes ago, so we're on time, surprisingly. Are there any questions? I am going to upload this code to GitHub, unless I forget; if I forget, then sting me. So do you have any questions about what happened here today? If not, then we will meet again next week; there is no Polish stream tomorrow because I'm actually out, so sorry about that if you were waiting for it. Are there any questions? If there are any questions, I guess I'll wait a couple of minutes; if not, then I will finish my stream and we can round it up for today. Any good resources on how to do this for PE files, or is it kind of the same way? It's exactly the same way, the names of the fields

are different, but you do it in the same way. There is a nasty thing: the import section usually is in... not usually, sometimes it's in the text section as well, and this sometimes complicates stuff, because your import section will be totally destroyed by your encryption, right, but apart from that it is rather similar, and rather easy. Okay, "if packers usually clean up, can't you see which sections were encrypted just by watching the permission changes?" Yes, you can, that's totally a good point. There are actually several documented ways, I would say, or known tricks, where you can catch a loader just after loading the file but before executing the original entry point, like breakpoints on VirtualProtect on Windows or on the mprotect syscall on Linux, that's one of them, or the aforementioned trick with doing a breakpoint on the stack, because you can see it even here, right, in my code, where I do this: so what you do is you basically allow this instruction to execute, and when you have this RAX on the stack you do a memory breakpoint on it, and when it returns, and it will return here, when doing this you're just before jumping to the original entry point, so doing a memory breakpoint on this item on the stack is another common idea. Then, I remember, there are some ideas on actually looking at what places in memory are touched: if you see a whole sequence of sequential writes to the text section and then to other sections, when the sections are being decrypted, and then suddenly a stop and some very random, different memory patterns, that usually means that between these two different patterns it stopped decrypting at some point, so basically at the end of a sequential pattern you can set a breakpoint and dump the content before reaching the original entry point. So yeah, there are basically several ways to do it without even knowing how exactly the

protector works. If you do analyze the protector itself, then you basically get to know exactly what it's doing, and after analysis you know exactly how to counteract it, although obviously the analysis might take several hours or days, right, depending on the complexity of it. So Adrian says to look for pushad and popad, but that being said, on 64 bits, if I remember correctly, there is no longer pushad or popad, unless I'm mistaken, obviously. UPX is by the way one of the most commonly used packers; its main purpose is not protecting the executable from reverse engineering, it doesn't have any anti-debugging tricks or anything like that, and a protector usually has basically all of the tricks you know to detect debuggers or something, but UPX is basically just a compressed executable, and it works for, I don't know, every executable format out there, which is just amazing. And actually a good homework is to go pack your program with UPX and analyze it later on, analyze the packer, try to reverse-engineer it; don't go into the compression routine, but analyze everything else, because the compression routine is rather hardcore, but everything else is pretty readable, I would say. Yeah, it's called the Ultimate Packer for eXecutables, and seriously, I think it supports all of the executable formats out there; yeah, if I remember correctly there is a list somewhere, there are like media entries, network entries, I guess this is for example an Atari format for some reason, obviously, and some DOS extender format which was used in all the DOS games which jumped into 32-bit protected mode, for obvious reasons. Okay, so given that there are no more questions, thank you very much for being here today and see you next week; if you have any questions at any time just put them in the comments or send me an email, I'll try to reply, I cannot promise it
anything because I actually get quite a lot of emails I'm usually and usually lagging behind so that's it thank you to Krakow for being my moderator today and happy hiking see you next weekend I'm going to leave you as always with some music I've no mission to thy servant bye bye bye bye [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] you [Music] you
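The "too permissive" state shown in vmmap above (the unpacked .text left writable and executable) can be checked without a debugger by reading a process's memory map. The following is an added example, not code from the stream or its author: it parses /proc/<pid>/maps-format lines and flags W+X regions; the sample mapping text and the /tmp/packed path are constructed for the demonstration.

```python
"""Added example (not from the stream): flag writable+executable mappings,
the state a packer leaves behind when it does not restore protections.
Input follows the /proc/<pid>/maps format; the sample below is constructed."""
import re

MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+\S+\s+\d+\s*(?P<path>.*)$")


def parse_maps(text):
    """Return one dict per mapping line in /proc/<pid>/maps-style text."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        regions.append({
            "start": int(m["start"], 16),
            "end": int(m["end"], 16),
            "perms": m["perms"],
            "path": m["path"].strip() or "[anon]",
        })
    return regions


def find_wx_regions(regions):
    """Mappings that are both writable and executable (the vmmap finding)."""
    return [r for r in regions if "w" in r["perms"] and "x" in r["perms"]]


# Constructed sample: a packed binary whose first segment was mprotect'ed rwx.
SAMPLE_MAPS = """\
00400000-00401000 rwxp 00000000 08:01 1234 /tmp/packed
00601000-00602000 rw-p 00001000 08:01 1234 /tmp/packed
7ffff7dd0000-7ffff7df0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/ld.so
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""


def check_process(pid):
    """Live check of a running process (Linux only); returns its W+X regions."""
    with open(f"/proc/{pid}/maps") as f:
        return find_wx_regions(parse_maps(f.read()))


if __name__ == "__main__":
    for r in find_wx_regions(parse_maps(SAMPLE_MAPS)):
        print(f"W+X mapping {r['start']:#x}-{r['end']:#x} {r['perms']} {r['path']}")
```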
Info
Channel: GynvaelEN
Views: 4,479
Rating: 4.9679999 out of 5
Keywords: hacking, security, programming, coding, code, assembler
Id: 5RK7sYTOeNk
Length: 119min 7sec (7147 seconds)
Published: Wed Sep 13 2017