Wednesday, June 6, 2012

Double Obfuscation (continued)


People are suckers for many things: Spurs, Cowboys, Man United, Rush, Preacher Curls, M&M's, etc.  You name it, there's a sucker for it.  And I happen to be one for obfuscation.  That's why I marvel at the technique I'm about to show you.  Like my previous post, it too involves a double layer of obfuscation, but with a few more interesting twists so let's check it out.

Below is the hex editor display of 272 bytes extracted from a nefarious file. As you can see, the embedded binary begins at offset 6A16, right?

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
00006A10   A5 8F 8A C0 05 C3 3B 83  E8 C7 F1 83 A6 C7 61 83   ¥ŠÀ.Ã;ƒèÇñƒ¦Çaƒ
00006A20   A1 38 61 83 5A C7 61 83  1D C7 61 83 A5 C7 61 83   ¡8aƒZÇaƒ.Çaƒ¥Çaƒ
00006A30   E5 C7 61 83 A5 C7 61 83  A5 C7 61 83 A5 C7 61 83   åÇaƒ¥Çaƒ¥Çaƒ¥Çaƒ
00006A40   A5 C7 61 83 A5 C7 61 83  A5 C7 61 83 A5 C7 61 83   ¥Çaƒ¥Çaƒ¥Çaƒ¥Çaƒ
00006A50   A5 C7 61 83 4D D8 61 8D  AB 73 DB 4E A5 7F 68 CF   ¥ÇaƒMØa«sÛN¥hÏ
00006A60   84 E6 60 EB 68 B4 35 F3  CC A8 41 F1 D7 AA 06 E0   „æ`ëh´5ǫ́Añת.à
00006A70   C4 A9 41 EC C4 E7 0F E6  D1 B5 03 ED 85 AE 14 A3   Ä©AìÄç.æѵ.í…®.£
00006A80   85 88 0F A3 E1 A8 32 E6  C8 CA 05 89 8B C7 6C 83   …ˆ.£á¨2æÈÊ.‰‹Çlƒ
00006A90   81 C7 61 83 A5 6D 61 0A  8A 0C 65 59 CE 0C 0B 59   Çaƒ¥ma.Š.eYÎ..Y
00006AA0   CE 0C 0B 59 CE 13 0B 59  AC 0C 18 59 CC 10 0B 59   Î..YÎ..Y¬..YÌ..Y
00006AB0   4D 0C 05 59 CF 13 0B 59  A1 0C 01 59 C5 13 0B 59   M..YÏ..Y¡..YÅ..Y
00006AC0   A1 0C 0F 59 CC 2A 0B 59  F8 0C 00 59 CD 2A 0B 59   ¡..YÌ*.Yø..YÍ*.Y
00006AD0   F8 0C 0F 59 CD 0C 0B 59  CE 0C 0A 59 95 13 0B 59   ø..YÍ..YÎ..Y•..Y
00006AE0   26 0C 00 59 CC AE 0B EB  F7 0C 02 59 CE C7 0B 83   &..YÌ®.ë÷..YÎÇ.ƒ
00006AF0   A5 C7 61 83 A5 C7 61 83  A5 C7 61 83 A5 82 61 83   ¥Çaƒ¥Çaƒ¥Çaƒ¥‚aƒ
00006B00   F5 C6 61 83 E9 32 62 CC  28 C7 34 83 A5 C7 61 83   õÆaƒé2bÌ(Ç4ƒ¥Çaƒ
00006B10   A5 C7 61 82 45 C6 6E 83  AE D7 67 83 A5 F5 61 83   ¥Ça‚EÆnƒ®×gƒ¥õaƒ


Okay, in actuality, this probably looks like gibberish, but a closer look reveals a repeating four-byte sequence, A5 C7 61 83 (0x6183C7A5 when read as a little-endian DWORD), and that is the XOR key. It shows through because a PE header is mostly zero padding, and 0x00 XOR k is simply k, so every padded DWORD of the header comes out as a copy of the key. Note the phase as well: the first key byte (A5) lines up with offset 6A10, the start of the dump. So XOR decoding this with that four-byte key, starting at 6A10, should yield a nice little executable.  Let's XOR it and see what happens...


Offset         0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00006A10   00 48 EB 43 A0 04 5A 00 4D 00 90 00 03 00 00 00   HëC  Z M
00006A20   04 FF 00 00 FF 00 00 00 B8 00 00 00 00 00 00 00   ÿ ÿ ¸
00006A30   40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   @
00006A40   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00006A50   00 00 00 00 E8 1F 00 0E 0E B4 BA CD 00 B8 09 4C   è ´ºÍ ¸ L
00006A60   21 21 01 68 CD 73 54 70 69 6F 20 72 72 6D 67 63   !! hÍsTpio rrmgc
00006A70   61 6E 20 6F 61 20 6E 65 74 72 62 6E 20 69 75 20   an oa netrbn iu
00006A80   20 4F 6E 20 44 6F 53 65 6D 0D 64 0A 2E 00 0D 00   On DoSem d .
00006A90   24 00 00 00 00 AA 00 89 2F CB 04 DA 6B CB 6A DA   $ ª ‰/Ë ÚkËjÚ
00006AA0   6B CB 6A DA 6B D4 6A DA 09 CB 79 DA 69 D7 6A DA   kËjÚkÔjÚ ËyÚi×jÚ
00006AB0   E8 CB 64 DA 6A D4 6A DA 04 CB 60 DA 60 D4 6A DA   èËdÚjÔjÚ Ë`Ú`ÔjÚ
00006AC0   04 CB 6E DA 69 ED 6A DA 5D CB 61 DA 68 ED 6A DA   ËnÚiíjÚ]ËaÚhíjÚ
00006AD0   5D CB 6E DA 68 CB 6A DA 6B CB 6B DA 30 D4 6A DA   ]ËnÚhËjÚkËkÚ0ÔjÚ
00006AE0   83 CB 61 DA 69 69 6A 68 52 CB 63 DA 6B 00 6A 00   ƒËaÚiijhRËcÚk j
00006AF0   00 00 00 00 00 00 00 00 00 00 00 00 00 45 00 00   E
00006B00   50 01 00 00 4C F5 03 4F 8D 00 55 00 00 00 00 00   P Lõ O U
00006B10   00 00 00 01 E0 01 0F 00 0B 10 06 00 00 32 00 00   à 2



At first glance, this didn't seem to help much, did it?  However, if you keep staring at it, like one of those "magic eye" 3D pictures, a pattern should begin to appear.  Notice the byte at offset 6A16: it's 0x5A.  Two bytes to the right is 0x4D, and two bytes to the right of that is 0x90.  In other words, "MZ" and the rest of the DOS header are all there, just interleaved, and a "byte shift" loop is used to put them back.  With offset 6A16 as byte 0 of a three-byte window, the loop pops byte 2 off and inserts it at byte 0, which shifts bytes 0 and 1 one position to the right.  The window then moves two bytes to the right, making that byte the new byte 0, and again byte 2 is popped and inserted at byte 0.  The loop repeats until the executable is correctly assembled.  Below is a play-by-play of the first seven loop iterations: each line shows the first 16 bytes after the previous move, and its comment describes the move that produces the next line.
 
 0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
5A 00 4D 00 90 00 03 00 00 00 04 FF 00 00 FF 00     #offset 2 (0x4D) moves to offset 0
4D 5A 00 00 90 00 03 00 00 00 04 FF 00 00 FF 00     #offset 4 (0x90) moves to offset 2
4D 5A 90 00 00 00 03 00 00 00 04 FF 00 00 FF 00     #offset 6 (0x03) moves to offset 4
4D 5A 90 00 03 00 00 00 00 00 04 FF 00 00 FF 00     #offset 8 (0x00) moves to offset 6
4D 5A 90 00 03 00 00 00 00 00 04 FF 00 00 FF 00     #offset A (0x04) moves to offset 8
4D 5A 90 00 03 00 00 00 04 00 00 FF 00 00 FF 00     #offset C (0x00) moves to offset A
4D 5A 90 00 03 00 00 00 04 00 00 00 FF 00 FF 00     #offset E (0xFF) moves to offset C
4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00     #the first 16 bytes of the executable are now assembled


With the binary intact, we're ready to begin reversing it, but that's a topic for another day...

