All your binaries are belong to us
nullbyte-security-conference
DISCLAIMER
ALL THE INFORMATION PROVIDED IN THIS TALK IS FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OF THE INFORMATION!
MOTIVATION
• REVERSE ENGINEERING ROCKS
• YOUR COMPUTER, YOUR RULES
• AND ABOVE ALL, CURIOSITY!
• JUST TO CLARIFY, NOT A TYPO! AT LEAST NOT MY TYPO
• INSPIRED BY ZERO WING'S FAMOUS MISTRANSLATION MEME
OLLYDBG
• OLLYDBG IS A 32-BIT ASSEMBLER LEVEL ANALYZING DEBUGGER FOR WINDOWS.
• PRETTY USEFUL TOOL FOR DEBUGGING ON WINDOWS
• SUPPORTS PLUGINS, WHICH CAN EXTEND ITS FEATURES
ANTI-DEBUG
• TOO MANY TECHNIQUES TO DESCRIBE ALL
• DEBUGGER DETECTION
  • NTSETINFORMATIONTHREAD - THREADHIDEFROMDEBUGGER
  • ISDEBUGGERPRESENT
• TIMING HOOKS
  • GETTICKCOUNT
  • NTQUERYPERFORMANCECOUNTER
• BREAKPOINT DETECTION
  • GETTHREADCONTEXT
  • INT3 (0XCC) AND INT 3 (0XCD03)
• …
ENCODER

    /* One encoder round as recovered from the binary. data1/data2 are the two
       32-bit halves of the block, c[] the four key words, local2 the running
       sum and local3 the constant added to it each round. */
    uint32_t data1, data2, tmp, tmp2, local2, local3, c[4], j;
    /* Part 1 */
    tmp = (data2 << 4) ^ (data2 >> 5); tmp += data2;
    j = local2 & 3; tmp2 = c[j] + local2;
    data1 += (tmp ^ tmp2);
    /* Update local2 */
    local2 += local3;
    /* Part 2 */
    tmp = (data1 << 4) ^ (data1 >> 5); tmp += data1;
    j = (local2 >> 0xb) & 3; tmp2 = c[j] + local2;
    data2 += (tmp ^ tmp2);
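Added example, not code from the talk: the round above has the XTEA round structure (shifts by 4 and 5, a key word picked by local2 & 3 in the first half and (local2 >> 0xb) & 3 in the second, a constant added to the running sum in between). Recognising that is what lets an analyst tell a standard cipher from a custom obfuscation layer, and it also means the decoder needs no further reversing: every step only adds a value computed from the other half and the key, so replaying the steps backwards with -= undoes it. The C program below wraps the slide's round in encode_block, derives decode_block that way, and checks both. The value of local3 (0x9E3779B9), the round count (32) and the key and block used in the self-checks are not on the slides and are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* One round of the encoder recovered from the binary, kept with the slide's
 * variable names. data1/data2 are the two 32-bit halves of the block, c[] the
 * four key words, local2 the running sum and local3 the constant added to it. */
static void encoder_round(uint32_t *data1, uint32_t *data2, const uint32_t c[4],
                          uint32_t *local2, uint32_t local3)
{
    uint32_t tmp, tmp2, j;
    /* Part 1: mix data2 into data1 */
    tmp = (*data2 << 4) ^ (*data2 >> 5); tmp += *data2;
    j = *local2 & 3; tmp2 = c[j] + *local2;
    *data1 += (tmp ^ tmp2);
    /* Update local2 */
    *local2 += local3;
    /* Part 2: mix data1 into data2 */
    tmp = (*data1 << 4) ^ (*data1 >> 5); tmp += *data1;
    j = (*local2 >> 0xb) & 3; tmp2 = c[j] + *local2;
    *data2 += (tmp ^ tmp2);
}

/* Encoder: `rounds` iterations of the recovered round with local2 starting at 0.
 * The slide does not show local3 or the round count, so both are parameters. */
void encode_block(uint32_t block[2], const uint32_t c[4], uint32_t local3, unsigned rounds)
{
    uint32_t local2 = 0;
    for (unsigned r = 0; r < rounds; r++)
        encoder_round(&block[0], &block[1], c, &local2, local3);
}

/* Decoder: each step of the round only adds a value computed from the other
 * half and the key, so running the steps in reverse with -= inverts it. local2
 * must start at the value it had after the last encoder round. */
void decode_block(uint32_t block[2], const uint32_t c[4], uint32_t local3, unsigned rounds)
{
    uint32_t local2 = local3 * (uint32_t)rounds;
    uint32_t tmp, tmp2, j;
    for (unsigned r = 0; r < rounds; r++) {
        /* Undo Part 2 */
        tmp = (block[0] << 4) ^ (block[0] >> 5); tmp += block[0];
        j = (local2 >> 0xb) & 3; tmp2 = c[j] + local2;
        block[1] -= (tmp ^ tmp2);
        /* Undo the local2 update */
        local2 -= local3;
        /* Undo Part 1 */
        tmp = (block[1] << 4) ^ (block[1] >> 5); tmp += block[1];
        j = local2 & 3; tmp2 = c[j] + local2;
        block[0] -= (tmp ^ tmp2);
    }
}

/* Assumed parameters for the self-checks (not taken from the slides): the XTEA
 * delta and 32 rounds, which is what this round structure normally uses. */
#define ASSUMED_LOCAL3 0x9E3779B9u
#define ASSUMED_ROUNDS 32u

/* Self-check 1: one round with a zero key and zero block. Part 1 adds 0,
 * Part 2 adds (0 ^ (c[j] + local3)) = local3, so data2 must equal local3. */
uint32_t one_round_zero_data2(void)
{
    uint32_t c[4] = {0, 0, 0, 0}, block[2] = {0, 0};
    encode_block(block, c, ASSUMED_LOCAL3, 1);
    return block[1];
}

/* Self-check 2: encode a constructed block under a constructed key, check that
 * the ciphertext differs from the plaintext, decode and check it came back. */
int roundtrip_ok(void)
{
    const uint32_t c[4] = {0x01020304u, 0x05060708u, 0x090a0b0cu, 0x0d0e0f10u};
    uint32_t block[2] = {0xdeadbeefu, 0xcafebabeu};
    encode_block(block, c, ASSUMED_LOCAL3, ASSUMED_ROUNDS);
    if (block[0] == 0xdeadbeefu && block[1] == 0xcafebabeu)
        return 0;
    decode_block(block, c, ASSUMED_LOCAL3, ASSUMED_ROUNDS);
    return block[0] == 0xdeadbeefu && block[1] == 0xcafebabeu;
}

int main(void)
{
    printf("one round, zero key: data2 = 0x%08x\n", one_round_zero_data2());
    printf("encode/decode roundtrip: %s\n", roundtrip_ok() ? "ok" : "FAILED");
    return roundtrip_ok() ? 0 : 1;
}
```

Build with `cc -std=c99 -Wall encoder.c -o encoder`. The one-round check is the kind of hand-computable case worth running first when a recovered routine is turned into C: with a zero key and zero block the only non-zero term is local3, so if data2 does not come out equal to local3 the transcription of the round is wrong before any key material is involved.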
ROGUE AUTH

    <?php
    /* Rogue auth server: answers the client's two-step handshake so that the
       binary believes it authenticated against the real server. */
    $state = $_GET["state"];
    $name  = $_GET["name"];
    $pass  = $_GET["pass"];   /* read but never checked: any password is accepted */

    if ($state == "syn") {
        $session = md5(time());
        if (strpos($name, 'nullbyte') !== false) {
            print "ack|" . $session;
        } else {
            print "bad|Invalid username or password!";
        }
    } elseif ($state == "synack") {
        $what1 = md5(time());
        $what2 = md5(time() + 1);
        print "good|" . $what1 . "|" . $what2 . "|ALL YOUR B1N4R13S ARE BELONG TO US!!!";
    }