About
Articles
Book Store
Distributed RCE
Downloads
Event Calendar
Forums
Live Discussion
Reference Library
RSS Feeds
Search
Users
What's New
Customize Theme
bluegrey
blackgreen
metal
simple
Flag:
Tornado!
Hurricane!
Login:
Password:
Remember Me
Register
OpenRCE Article Comments:
WINLDRA.EXE: Reversing a Basic Encryption Algorithm
Article Abstract
This article will give you an overview on how I reverse engineered the encryption (well, obfuscation really but we will refer to it is encryption for the remainder of this article) routine of WINLDRA.EXE, an unknown binary that was used in a large scale identity theft ring. This is a beginner/intermediate level article and assumes only that the reader has an understanding of basic x86 assembly and how operations such as AND, OR, SHL and SAR work. I will walk the reader through the operations, but it will help if you understand what they are doing.
Full Article ...
Printer Friendly ...
Article Comments
lostit
Posted: Saturday, August 27 2005 12:16.14 CDT
It was a well written article, that goes into sufficient detail about what you did. One thing that bugged me was that you refer to it as encryption, but I think encoding would have been a better word. Also it appears you spent your time reversing a base64 implementation. You may have been able to benefit by keeping a set of such implementations around for testing, and then you could have simply scanned the executable for crypto signatures. You probably would have had a hit for a base64 table at which time you could check the address and see where it's referenced then possibly toss some of it's output through your known base64 code. Of course keeping all of that information around is really only useful if you reverse a lot of things that may end up with some cryptography involved. There's a lot of information that can be gathered at the 50,000 foot level before you go as deep into the code as you did. Hope you run into some more interesting reversing challenges to share.
Gerry
Posted: Monday, August 29 2005 10:07.46 CDT
Lostit,
Yes it was a Base64 encoding, thank you for pointing that out. Why I didnt see that sooner is beyond me.
Thanks for the comments,
/gerry
rfreeman
Posted: Thursday, October 13 2005 00:31.41 CDT
Actually, I looked at several malicious applications last year to see if their B64 implementations were similar, dissimilar, and or off-the-shelf. In all cases, the implementations did not appear off-the-shelf, and there was too much variance to make a direct connection. My hypothesis was that malware that might have been previously been thought of as unrelated might have reused B64 code. In the specific examples I had looked at, I did not find evidence to support my hypothesis. Nevertheless, I haven't abandoned the likelihood that my hypothesis can be correct.
-Robert
Flow
Posted: Friday, February 10 2006 17:55.02 CST
I'm also looking at a variant of winldra. Can you tell if you removed the scrambled upx compression ? Headers tell me it's upx 1.08 but obfuscated with some xor routines ?
Add New Comment
Comment:
There are
31,313
total registered users.
Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...
Recent Blog Comments
nieo
on:
Mar/22
IAT Patcher - new tool for ...
djnemo
on:
Nov/17
Kernel debugger vs user mod...
acel
on:
Nov/14
Kernel debugger vs user mod...
pedram
on:
Dec/21
frida.github.io: scriptable...
capadleman
on:
Jun/19
Using NtCreateThreadEx for ...
More ...
Imagery
SoySauce Blueprint
Jun 6, 2008
[+] expand
View Gallery
(11) /
Submit
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}