
Created: Thursday, May 18 2006 14:37.02 CDT Modified: Friday, May 19 2006 07:51.27 CDT
cssrt- lu malware contest
Author: anonymouse

I was reading the analysis of the ELF file in the blog by sp about this contest.

I had looked at this unrunnable and corrupt file and didn't
find a motive to dig deeper.

Like he correctly says, this file has been tampered with by replacing all the 0x00 bytes with 0x20,

and it wasn't loading or showing any useful information
in any of the usual tools

like objdump, ndisasm, hte, idafree, ald, gdb, readelf;

all spewed some garbage like "corrupt", "unidentified" etc. etc. strings :)

elfsh was able to load the file, but it too wasn't able to
go any further apart from spitting out the header details :)

But elfsh's header details gave an inkling about the replace :)

And like he says, I did a mass replace of 0x20 with 0x00,

some perl one-liner I've forgotten already (the octal escapes \20 and \00 would not match 0x20 and 0x00, and -i is not needed when reading from stdin, so the working form is):
perl -pe 's/\x20/\x00/g' < newelf > modelf

The purpose of this blog is that that's not the right way :)
This mass replace, though it makes the file loadable in all the utilities :)

just won't let you see the virus that is embedded inside that file, aka RST.B.

Here is a log of the elfsh header details:


[*] Started logging session in session.log

(elfsh-0.7-a7p1-brz) load /home/bluffer/seclist/elf

[*] Thu May 18 21:14:37 2006 - New object loaded : /home/bluffer/seclist/elf

(elfsh-0.7-a7p1-brz) elf

[ELF HEADER]
[Object /home/bluffer/seclist/elf, MAGIC 0x464C457F]

Architecture : type 00002003   ELF Version : 538976257
Object type  : type 00002002   SHT strtab index : 8218
Data encoding: Little endian   SHT foffset :  0538999716
PHT foffset  : 0538976308      SHT entries number : 8221
PHT entries number: 8198       SHT entry size : 8232
PHT entry size: 8224           ELF header size : 8244
Runtime PHT offset:1179403657  Fingerprinted OS:Unknown
Entry point:0x0804C2A5   [?]
{OLD PAX FLAGS = 0x20202020}
PAX_PAGEEXEC : Disabled
PAX_EMULTRAMP: Not emulated
PAX_MPROTECT : Restricted
PAX_RANDMAP  : Randomized
PAX_RANDEXEC : Not randomized  
PAX_SEGMEXEC : Disabled

(elfsh-0.7-a7p1-brz) get 1.hdr.entry
0x0804C2A5

(elfsh-0.7-a7p1-brz) print 1.hdr.machine
00002003 (8195)

(elfsh-0.7-a7p1-brz) exit

[*] Unloading object 1 (/home/bluffer/seclist/elf) *


Now elfsh gave me an inkling that something is absolutely corrupt: the machine can't be 8195 (which means efi-32),
and the PaX flags all showed 0x20202020, which normally would have been 000000.
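The header numbers above (8195 = 0x2003, 538976257 = 0x20202001, 8224 = 0x2020 for the PHT entry size) show why the mass replace is the wrong tool: a genuine ELF32 header already contains 0x20 (e_phentsize = 32), and so does any body string with a space or any opcode byte of 0x20, and a blanket 0x20 -> 0x00 destroys all of them. The following script is an added example, not code from the post or from the contest: it builds a constructed ELF32 header consistent with the elfsh dump, applies the same 0x00 -> 0x20 tampering, and compares the blanket replace with a header-only repair that uses the format's fixed constants and reports every field it had to guess.

```python
import struct

# ELF32 header layout (little endian): name, byte offset, size.
LAYOUT = [("e_ident", 0, 16), ("e_type", 16, 2), ("e_machine", 18, 2),
          ("e_version", 20, 4), ("e_entry", 24, 4), ("e_phoff", 28, 4),
          ("e_shoff", 32, 4), ("e_flags", 36, 4), ("e_ehsize", 40, 2),
          ("e_phentsize", 42, 2), ("e_phnum", 44, 2), ("e_shentsize", 46, 2),
          ("e_shnum", 48, 2), ("e_shstrndx", 50, 2)]
# Fields the ELF32 format fixes for every binary; note e_phentsize is itself 0x20.
FIXED = {"e_version": 1, "e_ehsize": 52, "e_phentsize": 32, "e_shentsize": 40}
IDENT = b"\x7fELF\x01\x01\x01" + b"\x00" * 9  # ELFCLASS32, little endian, EV_CURRENT, pad

def field(data, name):
    off, size = next((o, s) for n, o, s in LAYOUT if n == name)
    return int.from_bytes(data[off:off + size], "little")

def make_header(entry=0x0804C2A5, shoff=0x5BA4, phnum=6, shnum=29, shstrndx=26):
    # Constructed sample header (ET_EXEC, EM_386) consistent with the elfsh dump.
    return struct.pack("<16sHHIIIIIHHHHHH", IDENT, 2, 3, 1, entry, 52, shoff, 0,
                       52, 32, phnum, 40, shnum, shstrndx)

def tamper(data):           # what the contest file suffered: every 0x00 -> 0x20
    return data.replace(b"\x00", b"\x20")

def blanket_repair(data):   # the mass replace the post warns against
    return data.replace(b"\x20", b"\x00")

def blanket_damage(original):
    """Offsets where tamper + mass replace differ from the original: every
    legitimate 0x20 (a space, an opcode, a size field) is silently zeroed."""
    repaired = blanket_repair(tamper(original))
    return [i for i, (a, b) in enumerate(zip(original, repaired)) if a != b]

def header_repair(data):
    """Repair only the 52-byte header: restore e_ident and the format constants,
    clear 0x20 bytes in the other header fields but report those fields as
    ambiguous so they get checked against the PHT/SHT by hand. The body is
    left untouched; its 0x20 bytes can only be judged by disassembly."""
    hdr = bytearray(data[:52])
    hdr[0:16] = IDENT
    ambiguous = []
    for name, off, size in LAYOUT[1:]:
        if name in FIXED:
            hdr[off:off + size] = FIXED[name].to_bytes(size, "little")
        elif 0x20 in hdr[off:off + size]:
            ambiguous.append(name)
            hdr[off:off + size] = bytes(hdr[off:off + size]).replace(b"\x20", b"\x00")
    return bytes(hdr) + data[52:], ambiguous

if __name__ == "__main__":
    sample = make_header() + b"Hello World\x00"   # constructed body with a real space
    broken = tamper(sample)
    print("e_machine as elfsh saw it:", field(broken, "e_machine"))  # 8195 (0x2003)
    print("mass replace zeroes offsets:", blanket_damage(sample))   # [42, 57]
    fixed, todo = header_repair(broken)
    print("header restored:", fixed[:52] == sample[:52], "check by hand:", todo)
```

Offset 42 is the low byte of e_phentsize and 57 is the space in the constructed body, which is what the blanket replace corrupts.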


Loading the modified file in hte now worked without problems.
hte normally shows the disassembly right from the entry point,

but this time it was showing me disassembly from the end of the header,

so I wanted to see what's at the EP :)

and hte shows me this:
