OpenRCE: Blog

oSpy is back

Thu, 20 Aug 2009 18:45:47 -0500

It started out as a quick and dirty tool to scratch an itch while reverse-engineering ActiveSync. From that point on it just kept growing, but I thought it was okay as I wasn't going to publish it anyway. Was just one of those tools that you whip up to help you reverse one specific thing, and then forget about it forever.
Time went by, moved on to reversing other things, and hey, I could just add some more hacks to this SocketSpy thing (which later became oSpy) and I'd save some time. Anyhow, eventually it seemed this tool could be useful for a few things, so I decided I'd publish it, even if I was far from proud of the code.
Moving a little forward in time, about three years ago I decided it was time to start working on a rewrite in order to do things properly and make my dreams come true. I had this pile of ideas that I was dying to implement, but that I felt didn't fit in oSpy1.
Still limited to spare-time hacking there was only so much I could get done, but I got the "backend" bits pretty much done and working. But my hacking sprints were many months in between, and I barely even had a UI yet. It got as far as http://oleandre.wordpress.com/2008/06/23/ospy-and-jit-x86-machine-code-generation/, but I eventually realized that this wasn't going to help anyone anytime soon, it was just too ambitious, I needed a full-time job doing this if it was ever going to happen.

So coming to realize that I have finally abandoned the rewrite efforts and decided to brush the dust off oSpy1 and start fixing bugs, improving the UI, adding new features and try to make it suck less with every release. Also rewrite some bits here and there as I go along.

oSpy 1.10.0 marks the beginning of this era, and there's a summary of changes here:
http://www.openrce.org/downloads/details/231/oSpy

Please don't hesitate to file bugs, send me feature requests, flames, rants, contribute code, contribute artwork -- any contribution is very much appreciated! Let's make 1.10.1 suck even less! :)

Stressful but interesting days

Wed, 27 Sep 2006 19:37:12 -0500

The last days have been stressful, as I've been actively trying to track down an apartment on the other side of the country, where I'll be moving shortly to get started in my new job at Tandberg.

On the bright side I got a little reverse-engineering done on Windows Live Messenger and a few features added to oSpy. But, today's been a great day as it marks the day when oSpy got its first community member -- Frode Hus joined in on the development and contributed an Oracle TNS parser, awesome!
Another thing worth mentioning is that the newly released 1.8.7 release (those of you who didn't know should subscribe to OpenRCE's Downloads feed) also features IDA integration, as demonstrated by the screencast published immediately after releasing 1.8.7:

Screencast: IDA integration

Basically you can right-click on a row and choose "Go to return address in IDA", which automatically finds the relevant IDA window, shows it and jumps to that offset. This is a very common use-case, at least for me, when tracing an application and wanting to peek at the code surrounding a particular function-call.

Enjoy!

MSNP15 authentication scheme REd

Sun, 24 Sep 2006 13:15:41 -0500

Just finished reverse-engineering the new authentication scheme introduced by MSNP15 (which appeared in the Windows Live Messenger 8.1 betas). No decompiled code was touched at all, oSpy was used exclusively to figure out everything. So here you go, a tiny python implementation that should be fairly self-explanatory.



import struct

from base64 import standard_b64encode, standard_b64decode

from Crypto.Hash import HMAC, SHA

from Crypto.Cipher import DES3

from Crypto.Util import randpool



CRYPT_MODE_CBC = 1

CALC_3DES      = 0x6603

CALG_SHA1      = 0x8004



def mbi_encrypt(key, nonce):

    def derive_key(key, magic):

        hash1 = HMAC.new(key, magic, SHA).digest()

        

        hash2 = HMAC.new(key, hash1 + magic, SHA).digest()

        hash3 = HMAC.new(key, hash1, SHA).digest()

        

        hash4 = HMAC.new(key, hash3 + magic, SHA).digest()

        

        return hash2 + hash4[0:4]



    #

    # Read key and generate two derived keys

    #

    

    key1 = standard_b64decode(key)

    key2 = derive_key(key1, "WS-SecureConversationSESSION KEY HASH")

    key3 = derive_key(key1, "WS-SecureConversationSESSION KEY ENCRYPTION")

    

    #

    # Create a HMAC-SHA-1 hash of nonce using key2

    #

    

    hash = HMAC.new(key2, nonce, SHA).digest()

    

    #

    # Encrypt nonce with DES3 using key3

    #

    

    # IV: 8 bytes of random data

    iv = randpool.KeyboardRandomPool().get_bytes(8)

    obj = DES3.new(key3, DES3.MODE_CBC, iv)

    

    # XXX: win32's Crypt API seems to pad the input with 0x08 bytes to align on 72/36/18/9 boundary

    ciph = obj.encrypt(nonce + "\x08\x08\x08\x08\x08\x08\x08\x08")



    #

    # Generate the blob

    #



    blob = struct.pack("<LLLLLLL", 28, CRYPT_MODE_CBC, CALC_3DES, CALG_SHA1,

                       len(iv), len(hash), len(ciph))

    blob += iv + hash + ciph

    

    return standard_b64encode(blob)

So the new authentication scheme basically goes like this:
1. Connect to the notification server as usual, but when sending the initial USR, you should send:
>> USR 19 SSO I foo@hotmail.com
and in the reply you get the nonce as the last parameter, and the policy parameter should be set to MBI:
<< USR 19 SSO S MBI <nonce>
2. Authenticate with Passport 3.0 (documented in MSNPiki), requesting a token for "messengerclear.live.com" with policy URI set to "MBI". In the response, store the security-token (RequestedSecurityToken.BinarySecurityToken) and proof-token (RequestedProofToken.BinarySecret).
3. Call mbi_encrypt() with key=proof-token and nonce=nonce, and store the base64-encoded blob returned.
4. Send the final USR to the notification server:
>> USR 20 SSO S <security-token> <blob>
and, if successful you should receive:
<< USR 20 OK foo@hotmail.com 1 0

oSpy 1.8.2 -- all your hashes are belong to us

Sat, 23 Sep 2006 21:41:36 -0500

I've been working on reverse-engineering Windows Live Messenger's newer authentication scheme lately, which was introduced with MSNP15 and implemented by the WLM 8.1 betas. This lead me to hooking the Crypt API to make it easy to pin down the code responsible for the new funky stuff. So here's 1.8.2 with quite a few changes:

UI:
- Made the HTTP parser smarter.
- Temporarily don't clear the messagequeue when starting a capture.
- Implemented scrolling in ASCII view mode.
- Minor improvements to the MSN parser.

Agent:
- Hooked parts of the Crypt API:
    CryptImportKey
    CryptExportKey
    CryptGenKey
    CryptGetKeyParam
    CryptDestroyKey

    CryptGenRandom

    CryptCreateHash
    CryptDestroyHash
    CryptHashData
    CryptGetHashParam
    CryptSetHashParam

- Implemented hooking of WLM's Passport DLL to get the debug messages. Not all of the internal debugging functions are currently hooked. This is temporarily disabled because it's work in progress, but can be easily enabled for those interested (just check out the code and build).
- Logging bugfixes.
- Extended FunctionName field from 16 to 32 characters.

oSpy 1.8.1 released

Fri, 15 Sep 2006 20:17:00 -0500

Just released oSpy 1.8.1. Fixed a "bug" in the parser that resulted in streams not getting fully parsed in case of really long lines for line-based protocols like HTTP and MSN.