OpenRCE: Blog

Mocbot Command Decoding

Wed, 23 Aug 2006 08:44:39 -0500

I had someone ask me how I decoded the Mocbot command encryption. I thought I'd share the answer here - its not really article-worthy but someone may get some use out of it.

First I had to do a little RCE to figure out the command flow - in the case of an encrypted communication, I find the "recv" calls and work forward from there (and backwards from "send", if the client uses encryption as well). Eventually I saw that at 0x403062 there is a command parser that executes the functions received from the botmaster. I checked in to the channel to get a sample of the encrypted commands, and saw that the syntax was something like:

!Q gjcaekepejeocacdha

So, following the command parser to the "Q" command (0x51) I landed at 0x4031d9. At that point I saw a loop right below it starting at 0x403204, which contained some "sub" and "shl" instructions which seemed to be the focus of the loop. Sounds like a trivial encryption loop. So I just went line-by-line converting the ASM into a Perl script, because I like to have a command-line tool for decrypting strings from stuff like this in the future.

Sometimes its easy to see what is happening in the decryption loop just by looking at the code. Sometimes its a little harder, so when that happens I just step through the loop, observe registers and memory locations and comment *everywhere* so I get a grasp of what the ASM does and build up a picture of the loop's functionality. Even if I'm unfamiliar with the specific ASM instruction, observing registers and memory it is referencing can tell me what its purpose is.

Here is the decryption ASM from Mocbot along with my comments:



004031D9  |>MOV EAX,DWORD PTR SS:[EBP+8]             ;  code 51 = Q (arg)

004031DC  |>MOVSX EAX,BYTE PTR DS:[EAX+1]            ; decrypt command and process

004031E0  |>CMP EAX,20

004031E3  |>JNZ exe11554.004032A9

004031E9  |>MOV EAX,DWORD PTR SS:[EBP+8]             ; command

004031EC  |>INC EAX                                  ;  skip two chars

004031ED  |>INC EAX

004031EE  |>MOV DWORD PTR SS:[EBP-40C],EAX           ;  40c = ptr to start

004031F4  |>AND DWORD PTR SS:[EBP-408],0             ; offset

004031FB  |>AND DWORD PTR SS:[EBP-404],0

00403202  |>JMP SHORT exe11554.00403212

00403204  |>/MOV EAX,DWORD PTR SS:[EBP-408]          ; loop start

0040320A  |>|INC EAX

0040320B  |>|INC EAX

0040320C  |>|MOV DWORD PTR SS:[EBP-408],EAX

00403212  |> MOV EAX,DWORD PTR SS:[EBP-40C]          ;  ptr to start

00403218  |>|ADD EAX,DWORD PTR SS:[EBP-408]          ;  offset

0040321E  |>|MOVSX EAX,BYTE PTR DS:[EAX]             ;  got some content?

00403221  |>|TEST EAX,EAX

00403223  |>|JE SHORT exe11554.0040328C              ;  jump if not

00403225  |>|MOV EAX,DWORD PTR SS:[EBP-40C]          ;  ptr

0040322B  |>|ADD EAX,DWORD PTR SS:[EBP-408]          ;  +offset

00403231  |>|MOVSX EAX,BYTE PTR DS:[EAX]             ;  first dword

00403234  |>|SUB EAX,61                              ;  subtract 61

00403237  |>|SHL EAX,4                               ;  << 4

0040323A  |>|MOV ECX,DWORD PTR SS:[EBP-404]          ;  storage

00403240  |>|MOV BYTE PTR SS:[EBP+ECX-400],AL        ;  store lower byte

00403247  |>|MOV EAX,DWORD PTR SS:[EBP-40C]          ;  ptr

0040324D  |>|ADD EAX,DWORD PTR SS:[EBP-408]          ;  +offset

00403253  |>|MOVSX EAX,BYTE PTR DS:[EAX+1]           ;  +1

00403257  |>|SUB EAX,61                              ;  sub 61

0040325A  |>|MOVSX EAX,AL                            ;  get it

0040325D  |>|MOV ECX,DWORD PTR SS:[EBP-404]          ;  storage

00403263  |>|MOVSX ECX,BYTE PTR SS:[EBP+ECX-400]     ;  grab stored byte

0040326B  |>|ADD ECX,EAX                             ;  add result

0040326D  |>|MOV EAX,DWORD PTR SS:[EBP-404]

00403273  |>|MOV BYTE PTR SS:[EBP+EAX-400],CL

0040327A  |>|MOV EAX,DWORD PTR SS:[EBP-404]

00403280  |>|INC EAX

00403281  |>|MOV DWORD PTR SS:[EBP-404],EAX

00403287  |>\JMP exe11554.00403204

Here is the resulting perl script:



#!/usr/bin/perl



my $crypt = $ARGV[0];

die "Usage: $0 <Mocbot crypted command>\n" unless $crypt =~ /^[a-z]+$/;

for (my $i = 0; $i < length($crypt); $i+=2)

{

        print chr((ord(substr($crypt, $i, 1)) - 0x61 << 4) +

                (ord(substr($crypt, $i+1, 1)) - 0x61));

}

print "\n";

Last thing to do is test against our known encrypted command:



./decode.pl gjcaekepejeocacdha

i JOIN #p

So the decrypted command is "i", a raw IRC command and the arguments tell the bot to join a second channel.

That's about it - just a little short-duration but highly focused RCE and some scripting.

OllyBonE at DefCon

Mon, 07 Aug 2006 10:34:32 -0500

I've uploaded the OllyBonE unpacking plugin along with my presentation slides (in OpenDocument format) to:

http://www.joestewart.org/ollybone/

Also there is a 16-meg vcd-quality copy of the video demonstration I gave during the talk.

Back from ShmooCon

Mon, 16 Jan 2006 05:42:23 -0600

My talk on sandnets went pretty well, considering I had just finished running about a quarter-mile uphill shortly before walking into the room with three minutes to spare and a full audience waiting for me.

Although it's not strictly RCE, I thought I'd post the URL here for anyone who wanted to take a look.

http://www.lurhq.com/truman/

I'll be giving mostly the same talk at CodeCon 2006 in one month, so if you missed ShmooCon, you can always catch it at CodeCon.

BTW, if you were at ShmooCon and the ShmooBalls you were given were dented (both of mine were) you can microwave them for about 20 seconds to get rid of the dents.

OllyVBHelper

Wed, 16 Nov 2005 10:28:17 -0600

Here's a plugin I've been putting off writing for a while. A lot of times when disassembling compiled VB code, it takes a lot of manual labeling to get to a readable state. For instance, DllFunctionCall stubs are not labeled, so any calls/jumps to common Win32 API code will be unlabeled as well. Also, Olly names the MSVBVM import thunks by their import name, which is often just an ordinal number. This plugin searches the import thunks and relabels them by the MSVBVM export name instead. Source code is included.

https://www.openrce.org/repositories/users/joestewart/ollyvbhelper.zip

Update to AttachAnyway

Wed, 07 Sep 2005 11:05:56 -0500

I've updated my AttachAnyway plugin to be able to
attach to processes protected by Piotr's anti-debugger-attach method two.

http://www.joestewart.org/tools/attachanyway.zip

In it, we just find the PEB_LDR_DATA pointer and VirtualProtectEx the bytes back to PAGE_READWRITE - thus the exception handler will never alert that the page has been accessed by the debugger when attaching. This is harder than it first sounds; Windows XP SP2 no longer keeps the TEB/PEB at static locations, (you can't just do FS:[0] to find the PEB because you are not running in the context of that process) you have to search for the TEB/PEB blocks by signature.

There's probably a more elegant way (this would make a good tutorial if you have a better way to locate the TEB of another process), but it works. Once again, this is just PoC, no guarantees it'll work everywhere.

Update: anonymouse has suggested an alternative, more elegant way to find the PEB of another process using NtQueryInformationProcess, which you can check out on his blog:

https://www.openrce.org/blog/browse/anonymouse