OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Store Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Monday, July 19 2010 17:38.27 CDT

Direct Link, View / Make / Edit Comments

Live x86 Code Instrumentation with Frida

Author:

oleavr

# Views: 926

Thought this might be of interest to you fellow reversers:

http://blog.kalleberg.org/post/833101026/live-x86-code-instrumentation-with-frida

If you want to dive straight in and play with the code, you'll need:
- MS Visual Studio 2010
- Mercurial: http://mercurial.selenic.com/

Then:
- hg clone https://frida-ire.googlecode.com/hg/ frida-ire
- Open frida-ire\zed\zed.sln
- Build in Debug|Win32
- Launch the "zed" project
- Log in using any Jabber account, like GMail, or create a new one at https://register.jabber.org/
- Start typing the name of the process you want to attach to, and off you go

PS: There are some knowns issues with Stalker on pure 32 bit systems, so for now, please make sure you're running 64 bit Windows -- but only attach to 32 bit processes for now :-)

Created: Thursday, August 20 2009 18:45.47 CDT

Direct Link, View / Make / Edit Comments

oSpy is back

Author:

oleavr

# Views: 2154

It started out as a quick and dirty tool to scratch an itch while reverse-engineering ActiveSync. From that point on it just kept growing, but I thought it was okay as I wasn't going to publish it anyway. Was just one of those tools that you whip up to help you reverse one specific thing, and then forget about it forever.
Time went by, moved on to reversing other things, and hey, I could just add some more hacks to this SocketSpy thing (which later became oSpy) and I'd save some time. Anyhow, eventually it seemed this tool could be useful for a few things, so I decided I'd publish it, even if I was far from proud of the code.
Moving a little forward in time, about three years ago I decided it was time to start working on a rewrite in order to do things properly and make my dreams come true. I had this pile of ideas that I was dying to implement, but that I felt didn't fit in oSpy1.
Still limited to spare-time hacking there was only so much I could get done, but I got the "backend" bits pretty much done and working. But my hacking sprints were many months in between, and I barely even had a UI yet. It got as far as http://oleandre.wordpress.com/2008/06/23/ospy-and-jit-x86-machine-code-generation/, but I eventually realized that this wasn't going to help anyone anytime soon, it was just too ambitious, I needed a full-time job doing this if it was ever going to happen.

So coming to realize that I have finally abandoned the rewrite efforts and decided to brush the dust off oSpy1 and start fixing bugs, improving the UI, adding new features and try to make it suck less with every release. Also rewrite some bits here and there as I go along.

oSpy 1.10.0 marks the beginning of this era, and there's a summary of changes here:
http://www.openrce.org/downloads/details/231/oSpy

Please don't hesitate to file bugs, send me feature requests, flames, rants, contribute code, contribute artwork -- any contribution is very much appreciated! Let's make 1.10.1 suck even less! :)

Created: Wednesday, September 27 2006 19:37.12 CDT

Modified: Wednesday, September 27 2006 19:48.01 CDT

Direct Link, View / Make / Edit Comments

Stressful but interesting days

Author:

oleavr

# Views: 6523

The last days have been stressful, as I've been actively trying to track down an apartment on the other side of the country, where I'll be moving shortly to get started in my new job at Tandberg.

On the bright side I got a little reverse-engineering done on Windows Live Messenger and a few features added to oSpy. But, today's been a great day as it marks the day when oSpy got its first community member -- Frode Hus joined in on the development and contributed an Oracle TNS parser, awesome!
Another thing worth mentioning is that the newly released 1.8.7 release (those of you who didn't know should subscribe to OpenRCE's Downloads feed) also features IDA integration, as demonstrated by the screencast published immediately after releasing 1.8.7:

Screencast: IDA integration

Basically you can right-click on a row and choose "Go to return address in IDA", which automatically finds the relevant IDA window, shows it and jumps to that offset. This is a very common use-case, at least for me, when tracing an application and wanting to peek at the code surrounding a particular function-call.

Enjoy!

Created: Sunday, September 24 2006 13:15.41 CDT Modified: Sunday, September 24 2006 19:13.29 CDT

Direct Link, View / Make / Edit Comments

MSNP15 authentication scheme REd

Author:

oleavr

# Views: 13408

Just finished reverse-engineering the new authentication scheme introduced by MSNP15 (which appeared in the Windows Live Messenger 8.1 betas). No decompiled code was touched at all, oSpy was used exclusively to figure out everything. So here you go, a tiny python implementation that should be fairly self-explanatory.



import struct

from base64 import standard_b64encode, standard_b64decode

from Crypto.Hash import HMAC, SHA

from Crypto.Cipher import DES3

from Crypto.Util import randpool



CRYPT_MODE_CBC = 1

CALC_3DES      = 0x6603

CALG_SHA1      = 0x8004



def mbi_encrypt(key, nonce):

    def derive_key(key, magic):

        hash1 = HMAC.new(key, magic, SHA).digest()

        

        hash2 = HMAC.new(key, hash1 + magic, SHA).digest()

        hash3 = HMAC.new(key, hash1, SHA).digest()

        

        hash4 = HMAC.new(key, hash3 + magic, SHA).digest()

        

        return hash2 + hash4[0:4]



    #

    # Read key and generate two derived keys

    #

    

    key1 = standard_b64decode(key)

    key2 = derive_key(key1, "WS-SecureConversationSESSION KEY HASH")

    key3 = derive_key(key1, "WS-SecureConversationSESSION KEY ENCRYPTION")

    

    #

    # Create a HMAC-SHA-1 hash of nonce using key2

    #

    

    hash = HMAC.new(key2, nonce, SHA).digest()

    

    #

    # Encrypt nonce with DES3 using key3

    #

    

    # IV: 8 bytes of random data

    iv = randpool.KeyboardRandomPool().get_bytes(8)

    obj = DES3.new(key3, DES3.MODE_CBC, iv)

    

    # XXX: win32's Crypt API seems to pad the input with 0x08 bytes to align on 72/36/18/9 boundary

    ciph = obj.encrypt(nonce + "\x08\x08\x08\x08\x08\x08\x08\x08")



    #

    # Generate the blob

    #



    blob = struct.pack("<LLLLLLL", 28, CRYPT_MODE_CBC, CALC_3DES, CALG_SHA1,

                       len(iv), len(hash), len(ciph))

    blob += iv + hash + ciph

    

    return standard_b64encode(blob)

So the new authentication scheme basically goes like this:
1. Connect to the notification server as usual, but when sending the initial USR, you should send:
>> USR 19 SSO I foo@hotmail.com
and in the reply you get the nonce as the last parameter, and the policy parameter should be set to MBI:
<< USR 19 SSO S MBI <nonce>
2. Authenticate with Passport 3.0 (documented in MSNPiki), requesting a token for "messengerclear.live.com" with policy URI set to "MBI". In the response, store the security-token (RequestedSecurityToken.BinarySecurityToken) and proof-token (RequestedProofToken.BinarySecret).
3. Call mbi_encrypt() with key=proof-token and nonce=nonce, and store the base64-encoded blob returned.
4. Send the final USR to the notification server:
>> USR 20 SSO S <security-token> <blob>
and, if successful you should receive:
<< USR 20 OK foo@hotmail.com 1 0

Created: Saturday, September 23 2006 21:41.36 CDT

Direct Link, View / Make / Edit Comments

oSpy 1.8.2 -- all your hashes are belong to us

Author:

oleavr

# Views: 5096

I've been working on reverse-engineering Windows Live Messenger's newer authentication scheme lately, which was introduced with MSNP15 and implemented by the WLM 8.1 betas. This lead me to hooking the Crypt API to make it easy to pin down the code responsible for the new funky stuff. So here's 1.8.2 with quite a few changes:

UI:
- Made the HTTP parser smarter.
- Temporarily don't clear the messagequeue when starting a capture.
- Implemented scrolling in ASCII view mode.
- Minor improvements to the MSN parser.

Agent:
- Hooked parts of the Crypt API:
    CryptImportKey
    CryptExportKey
    CryptGenKey
    CryptGetKeyParam
    CryptDestroyKey

    CryptGenRandom

    CryptCreateHash
    CryptDestroyHash
    CryptHashData
    CryptGetHashParam
    CryptSetHashParam

- Implemented hooking of WLM's Passport DLL to get the debug messages. Not all of the internal debugging functions are currently hooked. This is temporarily disabled because it's work in progress, but can be easily enabled for those interested (just check out the code and build).
- Logging bugfixes.
- Extended FunctionName field from 16 to 32 characters.

Archived Entries for oleavr

Subject	# Views	Created On
oSpy 1.8.1 released	5881	Friday, September 15 2006
oSpy released	4402	Wednesday, September 13 2006

Active in Last 5 Minutes
	timtoady

There are 21,677 total registered users.

Recently Created Topics
PyEmu error when cal...	Sep/02
Restore Themida/Winl...	Sep/02
Anti-olly technique	Aug/30
RAR Password	Aug/29
Heap protection on W...	Aug/23
Why Inline asm in C+...	Aug/20
Bypassing OllyAdvance	Aug/17
Error in logic for g...	Aug/17
Has anyone seen this...	Aug/17
ARM Executable - Pat...	Aug/16

Recent Forum Posts
reverse engineering ...	raiden56
pydbg, memory breakp...	Researc...
RAR Password	Ineedhelp
RAR Password	cod
Heap protection on W...	voila
Heap protection on W...	j00ru
Heap protection on W...	voila
Heap protection on W...	j00ru
Heap protection on W...	psylocn
Why Inline asm in C+...	ronnie2...

Recent Blog Entries
	meshmesh	Sep/01
Is it legal??
	waleedassar	Aug/30
Anti-olly technique
	QvasiModo	Aug/24
WinAppDbg 1.4 is out!
	artemblagodarenko	Aug/18
Dataflow-0.2.0 released. Ne...
	grzonu	Aug/17
Bypassing OllyAdvanced
More ...

Recent Blog Comments
	tosanjay on:	Sep/02
PyEmu 0.0.2
	GynvaelColdwind on:	Sep/01
Is it legal??
	PeterFerrie on:	Aug/31
Anti-olly technique
	dennis on:	Aug/26
Dr. Gadget IDAPython plugin
	halsten on:	Aug/19
Dataflow-0.2.0 released. Ne...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit