Topic created on: August 15, 2007 10:57 CDT by lag.
Hello,
There is a client app which retrieves some information (ASCII) from a server (HTTPS/SSL) after the user clicks on a button in the GUI.
I want to be able to read this data, maybe by hooking some functions.
The problem (from my understanding) is to find the proper part of the code. I've never done RE before and the app is very big, so I wanted to ask if something like this is realizable by someone without expert knowledge in this area? Are there good articles describing something like this, or which tools can help me here? How much time does this take for a newbie (I am a C programmer with little asm knowledge)?
misc:
- I can't read the information from a listview or the like...
- For the hooking part I would use a lib (detours , madshi..)
- Later I would like to trigger the "information retrieving"-code by my app (not just emulating a click on the clients gui). Is this possible?
Thanks in advance
lag
Are you looking to read the data that's sent or the data that's received? There are a few things: if it is encrypted, you will have to determine what encryption lib it imports to do it; then it's trivial to hook that call, find the pointer to the unencrypted data and be done with it.
Use PyDBG for hooking, it's trivial:
from pydbg import *
import utils
def recvCallback(dbg, args):    # entry hook; args = (s, buf, len, flags)
    print "recv(sock=%d, buf=0x%08x, len=%d)" % (args[0], args[1], args[2])
dbg = pydbg()
hooks = utils.hook_container()
recv = dbg.func_resolve("ws2_32", "recv")
hooks.add(dbg, recv, 4, recvCallback, None)
Then in your callback you just read out the args that were passed in to recv.
For RE'ing a network app take a look at Cody's posting, it's kick ass:
http://dvlabs.tippingpoint.com/blog/2007/07/24/step-by-step-of-how-tpti-07-013-was-discovered
The Madshi library could be more helpful to you if you are a C programmer, but if you are going to be doing lots of RE/bughunting you gots to learn Python!
|
Thank you very much for your quick answer :)
I want to read the data that's received. I think the application uses OpenSSL.
I could hook wsock.recv, but at this point the data is encrypted, right? So I have to hook some layers above... How do I find this?
And one other problem: the app is receiving some data all the time, but I am only interested in the data received in response to the user's button click... Again I need to look some layers above wsock.recv or "openssl.recv" here, right?
And python is OK I think.. have done some ruby and perl before ;)
|
Couldn't you just retrieve the cert, sniff and decrypt everything yourself?
And if you're going to go on with your own method, I recall Matt Miller published some polished stuff; you'd better have a look.
|
No problem! I'll help where I can. The first thing that happens is that recv() receives the data, then the data is decrypted. One of the arguments to recv is a pointer to the buffer it has received.
So following Cody's method try this:
1) Set a breakpoint on recv()
2) Single step until you hit the decryption routine in OpenSSL.
3) Hook decryption routine, but set the callback as the ending callback (after the routine has finished), so assuming that the decryption routine takes three parameters your hook call would look like:
hooks.add(dbg,decrypt,3,None,decryptFinishCallback)
I do know that Echo Mirage does some OpenSSL hooking, and that tool uses the Madshi DLL injection method.
Find the decryption routine and I can help you further.
|
If you don't want to code something up, this sounds like the ideal task for the point and click tool oSpy.
|
I don't make any progress ;-(
First I thought this app was using OpenSSL because I saw some corresponding strings in IDA. But then Echo Mirage didn't capture any SSL packets, so I'm not sure anymore... Ethereal doesn't help me either...
And when I try to debug this app in OllyDbg or IDA after setting a BP at recv, I get "AccessViolationExceptions" when making single steps, which makes it impossible for me to debug it...
Another question: I know some part of the data which is received, e.g. I know the client receives the string "xyz666" as *part* of the decrypted data. Is there a tool which can "scan" for this string while the app is running and then prints a call trace? I have to find the high level function, e.g. the user clicks on the button in the gui and then the function getData(char* buffer) is called to receive the data. I would like to hook that getData function...
@pedram I'll give oSpy a chance tomorrow, thanks for the tip..
|
Ok to start do this:
1) Load it up in Olly (or ImmuDBG) and hit Alt+E; this will tell you all of the loaded DLLs. Sort them by name and look for ones that are contained OUTSIDE of C:\WINDOWS\system32\; these are generally the DLLs shipped out with the app (also pay attention to the loaded modules after you send it some packets).
2) Pick the module you want to look at (you can also do the .exe if you like). Right-click and go "View Names". Now you have a list of imports and exports.
3) Find anything that says encrypt,decrypt,etc. Then set breakpoints on them, and run the program. Once you get a hit (you may have to filter them a bit) you are in business to begin hooking!
Is this a binary that you wish to share? You can email me privately if you like.
|
If it uses SSLEAY32 this may be of use.
import sys
import utils
from pydbg import *

pktc = 0

def SSL_read_hook (dbg, args, ret):
    # Exit hook for SSL_read(SSL *ssl, void *buf, int num).
    # args[1] is the caller's buffer, args[2] the requested size and
    # ret the number of plaintext bytes SSL_read actually wrote into it.
    global pktc
    if ret <= 0:
        return          # error or connection closed: nothing to dump
    pkt = dbg.read_process_memory(args[1], ret)
    f.write("[%d] Packet (%d bytes):\n" % (pktc, ret))
    f.write(dbg.hex_dump(pkt))
    f.write('\n')
    f.flush()
    pktc = pktc + 1

try:
    pid = int(sys.argv[1])
except:
    print "Usage: %s PID" % sys.argv[0]
    sys.exit(-1)

filename = "ssldump_" + str(pid) + ".txt"
f = open(filename, 'w')

dbg = pydbg()
dbg.attach(pid)

# resolve SSL_read inside the debuggee's copy of SSLEAY32.dll
addrSSL_read = dbg.func_resolve_debuggee("SSLEAY32", "SSL_read")
if not addrSSL_read:
    print "Couldn't resolve SSL_read"
    sys.exit(-1)

hooks = utils.hook_container()
print "Hooking SSL_read(0x%x)" % addrSSL_read
# three arguments, no entry callback, dump the buffer once SSL_read returns
hooks.add(dbg, addrSSL_read, 3, None, SSL_read_hook)
print "Function hooked, logging to: %s" % filename

dbg.run()
f.close()
|
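As an added example (not code from this thread or from PyDBG), here is the SSL_read exit-hook logic from the procedure and script above, written so it can be exercised without a debugger: the callback reads only the ret bytes SSL_read actually produced, skips error returns, and flags the buffer that contains a known plaintext fragment, which is the "xyz666" filtering question raised earlier. FakeDbg, hex_dump and the HTTP sample are constructed stand-ins for the PyDBG object, dbg.hex_dump and the decrypted data.

```python
MARKER = b"xyz666"   # constructed: the known plaintext fragment from the question above

def hex_dump(data, width=16):
    """Hex + ASCII dump, one line per `width` bytes (stand-in for dbg.hex_dump)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = bytearray(data[off:off + width])
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x  %-*s  %s" % (off, width * 3 - 1, hexpart, asc))
    return "\n".join(lines)

def ssl_read_exit(dbg, args, ret, marker=MARKER):
    """Exit-hook callback for SSL_read(SSL *ssl, void *buf, int num).

    args[1] is the caller's buffer, args[2] its size, ret the number of
    plaintext bytes SSL_read actually wrote.  Only `ret` bytes are read:
    bytes past `ret` are stale data from earlier calls.  Returns
    (plaintext, marker_found, dump), or None for ret <= 0 (error / closed).
    """
    if ret <= 0:
        return None
    data = dbg.read_process_memory(args[1], ret)
    return data, (marker in data), hex_dump(data)

class FakeDbg(object):
    """Constructed stand-in for the PyDBG object so this runs offline:
    a flat memory image exposed through read_process_memory(addr, length)."""
    def __init__(self, base, image):
        self.base, self.image = base, image
    def read_process_memory(self, addr, length):
        off = addr - self.base
        return self.image[off:off + length]

def demo():
    # constructed sample: a decrypted HTTP response sitting in a 1024-byte
    # buffer at 0x00400000, with stale bytes after the 30 bytes SSL_read returned
    buf_addr, plaintext = 0x00400000, b"HTTP/1.1 200 OK\r\n\r\nxyz666-data"
    dbg = FakeDbg(buf_addr, plaintext + b"\x00" * 8)
    args = (0xdeadbeef, buf_addr, 1024)        # (ssl, buf, num)
    return ssl_read_exit(dbg, args, len(plaintext))

if __name__ == "__main__":
    data, hit, dump = demo()
    print("marker found: %s\n%s" % (hit, dump))
```

Dropping the callback in place of SSL_read_hook in the script above (with the real PyDBG object) keeps the same behaviour, only the stand-ins change.
|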
If it uses SSLEAY32, I should see the SSL_read import, right? Nothing like this there...
Now (again) I think it uses OpenSSL, and jms stated it might be compiled in, because there aren't any specific imports.
I really don't know what to search for, and as I wrote above, single-step debugging is a pain in the xxx within this app. These AccessViolationErrors are really annoying...
Now I want to test PaiMei and PStalker; maybe they can help me to filter the important parts... Is it normal that pida_dump.py takes > 24h and 1.5GB memory? Does it terminate at some point? ;)
|
The pida_dump could take some time yes, and there is an entry in the PaiMei trac to speed it up a bit. They are moving to a SQL based backend in the near future, we'll see how that performs.
I am still unclear as to why you are getting access violations. I have successfully attached to the application, set breakpoints and everything appears to be good to go.
If you are getting the exception code E06D7363, this is the default exception code in VC++ (unless I am mistaken). Just pass it along to the app.
I set breakpoints at:
wsock32.recv
ws2_32.send
kernel32.IsDebuggerPresent
And it is hitting the IsDebuggerPresent call, so make sure you assemble at the:
7C813093 > 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
7C813099 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]
7C81309C 0FB640 02 MOVZX EAX,BYTE PTR DS:[EAX+2] <---spacebar in Olly or ImmDbg, and enter XOR EAX,EAX
7C8130A0 C3 RETN
|
I have to test which exception code I get (can't use my Windows machine, pida_dump is still running), but it said AccessViolationError...
The breakpoints work for me too, but when I step through the code (after hitting the BP) and if this takes awhile, I get those exceptions... I really think it is due to network timeouts, because the app reconnects to the server after the exception...
|
For the time being, when dealing with a massive PIDA dump, try doing a basic blocks only dump. The storing of instructions is what really spikes up the memory / CPU consumption.
|
Oh really? I usually use functions, is there a reason why you do BB's over funcs?
|
> MohammadHosein: Couldn't you just retrieve the cert, sniff and decrypt everything yourself?
Is there a thread or tutorial about this? I'm trying to decrypt all incoming traffic for an application and would very much want to get my hands on the certificate.
/Johan
|