Conferences, conferences...

Wed 10 February 2010 by jj

A quick post on the Recon CFP and our CanSecWest dojo on metasm

The CFP for the Recon security conference has been out since the beginning of the week.

You may notice a strange source in there. It is a simple wrapper in C around a shellcode given as a hex string. If you try to disassemble it, you'll be faced with a crude but nevertheless effective protection: a xor decoder.

But do not worry, metasm has the solution, as shown in this simple script:

#!/usr/bin/ruby

# http interaction
require 'open-uri'
# the savior
require 'metasm'

# show some information about what's going on
$VERBOSE = true

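# retrieve the CFP source code
# (URI.open is required on Ruby 3.0+, where open-uri no longer handles URLs through Kernel#open)
puts "retrieving source code..."
html = URI.open('http://recon.cx/2010/cfp.html').read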
source = html[ /unsigned.*\}/m ]
abort "no source found :(" if not source

# assemble the ELF file and prepare it for disassembly
elf = Metasm::ELF.compile_c(Metasm::Ia32.new, source)
# uncomment this to generate an executable file
# elf.encode_file('recon-cfp')
elf.encode_string ; elf.decode

# load the selfmodify plugin, which can handle trivial decoding loops such as this one
elf.disassembler.load_plugin 'selfmodify'

# run the GUI, disassemble the shellcode stored in the variable 'buf'
w = Metasm::Gui::DasmWindow.new('recon-cfp', elf.disassembler, 'buf')
Metasm::Gui.main

If you run this script, it will fetch the CFP source from the web, compile it in memory and load it in the metasm disassembler.

When it encounters the self-modifying stub, it will emulate its behaviour to generate a new virtual section holding the decoded data.

You can jump to it by issuing the goto command (type 'g') to jump to the 'smc0' label ("self-modified code nr.0"), or simply double-click this label (on the right of the 'loop' instruction).

You can then see the code is genuine; as a matter of fact it will simply dump the CFP on the console of all logged-in users of the machine.
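A static cross-check for the emulated result, as an added example that is not from the original post or from metasm: it pulls the `\xNN` bytes out of a C wrapper and recovers a XOR key by scoring each candidate decoding for readable text, which fits a payload that embeds a message to print. It assumes a single-byte key (the post does not state the key width), all function names are hypothetical, and the sample source is constructed here rather than taken from the Recon CFP.

```ruby
# Added example: static recovery of a single-byte XOR key.
# Assumption: one key byte covers the whole buffer. All data below is constructed.

# Collect every \xNN escape found in the C string literals of +source+.
def extract_c_bytes(source)
  source.scan(/\\x([0-9a-fA-F]{2})/).flatten.map(&:hex)
end

# XOR every byte with the same key byte.
def xor_bytes(bytes, key)
  bytes.map { |b| b ^ key }
end

# Count ASCII letters and spaces: a cheap "looks like text" score.
def text_score(bytes)
  bytes.count do |b|
    b == 0x20 || (0x41..0x5a).cover?(b) || (0x61..0x7a).cover?(b)
  end
end

# Try all 256 keys and keep the one whose output looks most like text.
# Returns [key, decoded_bytes].
def recover_xor_key(bytes)
  key = (0..255).max_by { |k| text_score(xor_bytes(bytes, k)) }
  [key, xor_bytes(bytes, key)]
end

# Constructed sample: a text message XORed with 0x5a and wrapped in C source,
# mimicking the shape of the wrapper described in the post.
SAMPLE_KEY  = 0x5a
SAMPLE_TEXT = "Call for papers: submissions are open\n"
encoded = SAMPLE_TEXT.bytes.map { |b| format('\\x%02x', b ^ SAMPLE_KEY) }.join
SAMPLE_SOURCE = "unsigned char buf[] = \"#{encoded}\";\n" \
                "int main(void) { return 0; }"

if __FILE__ == $PROGRAM_NAME
  key, decoded = recover_xor_key(extract_c_bytes(SAMPLE_SOURCE))
  puts format('recovered key: 0x%02x', key)
  puts decoded.pack('C*')
end
```

On a real sample the decoder stub itself is not encoded, so the score only ranks candidate keys; the emulated `smc0` section remains the reference.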

We want more: the DOJO!

If you are interested in this type of manipulation on obfuscated binaries, do not miss our dojo at CanSecWest 2010 by the end of March (registration).

There we'll talk about and teach how to harness the power of metasm to do this kind of manipulation, among many others.

We hope to see you there!