A Basic RSA Encrypter

This is a small post about implementing a basic RSA encrypter to encrypt sections in an exe. We can use this to exchange exes with people. We will encrypt the section using the public key and the user has to use his private key to decrypt the exe. This can be applied in evading anti-viruses too.

I will use multiplication instead of an exponent. Since it would be easy to implement in few lines in assembly. However, this will allow breaking the private key easily hence the complete scheme is broken.

$Enc = (m*e) \text{ mod } N$

$Dec = (c*d) \text{ mod } N$

The correctness of this scheme depends on the fact that

$Dec(Enc(m)) = (m*e*d) \text{ mod } N = m \text{ mod } N$

(more…)

Windows Kernel Exploitation: Stack Overflow

Introduction

This post is on exploiting a stack based buffer overflow in the HackSysExtremeVulnerableDriver.
There’s lot of background theory required to understand types of Windows drivers, developing drivers, debugging drivers, etc. I will only focus on developing the exploit while explaining some internal structures briefly. I would assume you have experience with assembly, C, debugging in the userland.
This driver is a kernel driver. A driver is typically used to get our code into the kernel. An unhandled exception will cause the famous BSOD. I will be using Windows 7 32-bit for this since it doesn’t support SMEP (Supervisor Mode Execution Prevention) or SMAP (Supervisor Mode Access Prevention). In simple words, I would say that when SMEP is enabled the CPU will generate a fault whenever the ring0 tries to execute code from a page marked with the user bit. Basically, due to this being not enabled, we can map our shellcode to steal the ‘System’ token. Check the Shellcode Analysis part for the analysis. Exploiting this vulnerability on a 64-bit system is different.
You can use the OSR Driver Loader to load the driver into the system.
If you want to debug the machine itself using windbg you can use VirtualKD or LiveKD

You can add a new serial connection using VirtualBox or VMware, so you can debug the guest system via windbg. I will be using a serial connection from VMware.
For kernel data structures refer to this. I have used it mostly to refer the structures.
After you have registered the driver you should see this in ‘msinfo32’.

If you check the loaded modules in the ‘System’ process you should see our kernel driver ‘HEVD.sys’.

(more…)

Lab01-02 Analysis

This program is packed using UPX and can be easily unpacked.

Lab01-02.exe – https://virustotal.com/en/file/8bcbe24949951d8aae6018b87b5ca799efe47aeb623e6e5d3665814c6d59aeae/analysis/

At the start we see a call to ‘StartServiceCtrlDispatcher’ which is used to implement a service and the service control manager will call the service entry point provided. In here I have labeled the service entry point as ‘ServiceMain’. The name of the service created would be ‘Malservice’.

(more…)

Patching Windows Media Player

I’m writing this post on the request of @rudr4_sarkar. This is a very simple patch in which you can open multiple instances of wmplayer. It basically uses the ‘CreateMutexW’ API to create a mutex object with the string “Local\Microsoft_WMP_70_CheckForOtherInstanceMutex”.

The pseudo code would be something like this

HANDLE hMutex = CreateMutex(NULL, FALSE, L"Local\Microsoft_WMP_70_CheckForOtherInstanceMutex");
if (GetLastError() == ERROR_ALREADY_EXISTS) {

}

You just need to patch the ‘JNZ’ to a ‘JMP’ instruction, that will always jump to the good boy 🙂

(more…)

Random CrackMe

This is an interesting crackme I found randomly. You can download it from here: http://www.mediafire.com/file/5r3a3uqsg1pbp4v/CrackMe1.zip

The algorithm uses the PID of the application for the serial key calculation. It also uses the ‘GetComputerName’ and ‘GetUserName’ win32 APIs in generating the serial key. The length of both results are used for the loops and each ascii value is added. These results are used in the final calculation in the serial key.
This graph is from the OllyGraph plugin.

(more…)

Data Packing

I was doing some random experiments using assembly and C. This is a simple example in packing 2 numbers inside a register in assembly. Let’s assume

$al < 2^{5}$
$bl < 2^{3}$

We want to store these 2 values inside the dl register. The dl register is of 8 bits, so 5 + 3 = 8 bits

Packing

; al < 2 ^ 5, bl < 2 ^ 3
mov al, bl
shl dl, 3
or  dl, bl  ; xor would also work fine

Unpacking

mov cl, dl   ; Make a copy of dl 
and dl, 111b ; Extract lowest 3 bits (b) 
mov bl, dl 
shr cl, 3    ; Extract highest 5 bits (a) 
mov al, cl

(more…)

Assault Cube Trainer

I recently wanted to explore the world of game hacking, which involves some cool reverse engineering tricks. This is a trainer written in C++.

Simply uses WriteProcessMemory to write the values into memory of the game.

Download game: https://assault.cubers.net/download.html

Download trainer: https://github.com/OsandaMalith/GameHacking/blob/master/AssaultCube/Hack.7z

🔐Blog of Osanda

Security Researching and Reverse Engineering

Reverse Engineering

A Basic RSA Encrypter

Windows Kernel Exploitation: Stack Overflow

Introduction

Lab01-02 Analysis

Patching Windows Media Player

Random CrackMe

Data Packing

Packing

Unpacking

Assault Cube Trainer