Flag: Tornado! Hurricane!


Article Abstract This article will give you an overview on how I reverse engineered the encryption (well, obfuscation really but we will refer to it is encryption for the remainder of this article) routine of WINLDRA.EXE, an unknown binary that was used in a large scale identity theft ring. This is a beginner/intermediate level article and assumes only that the reader has an understanding of basic x86 assembly and how operations such as AND, OR, SHL and SAR work. I will walk the reader through the operations, but it will help if you understand what they are doing.

Full Article ...    Printer Friendly ...

Article Comments
lostit Posted: Saturday, August 27 2005 12:16.14 CDT
It was a well written article, that goes into sufficient detail about what you did. One thing that bugged me was that  you refer to it as encryption, but I think encoding would have been a better word. Also it appears you spent your time reversing a base64 implementation. You may have been able to benefit by keeping a set of such implementations around for testing, and then you could have simply scanned the executable for crypto signatures. You probably would have had a hit for a base64 table at which time you could check the address and see where it's referenced then possibly toss some of it's output through your known base64 code. Of course keeping all of that information around is really only useful if you reverse a lot of things that may end up with some cryptography involved. There's a lot of information that can be gathered at the 50,000 foot level before you go as deep into the code as you did. Hope you run into some more interesting reversing challenges to share.

Gerry Posted: Monday, August 29 2005 10:07.46 CDT
Lostit,
Yes it was a Base64 encoding, thank you for pointing that out.   Why I didnt see that sooner is beyond me.

Thanks for the comments,
/gerry

rfreeman Posted: Thursday, October 13 2005 00:31.41 CDT
Actually, I looked at several malicious applications last year to see if their B64 implementations were similar, dissimilar, and or off-the-shelf. In all cases, the implementations did not appear off-the-shelf, and there was too much variance to make a direct connection. My hypothesis was that malware that might have been previously been thought of as unrelated might have reused B64 code. In the specific examples I had looked at, I did not find evidence to support my hypothesis. Nevertheless, I haven't abandoned the likelihood that my hypothesis can be correct.

-Robert

Flow Posted: Friday, February 10 2006 17:55.02 CST
I'm also looking at a variant of winldra. Can you tell if you removed the scrambled upx compression ? Headers tell me it's upx 1.08 but obfuscated with some xor routines ?


Add New Comment
Comment:










There are 31,055 total registered users.


Recently Created Topics
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Immunity Debugger Re...
Aug/03


Recent Forum Posts
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack


Recent Blog Entries
crystalwade
Jul/20
test

nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit