Uncrackable Program? Finding a Parser Differential in loading ELF - Part 2/2 - bin 0x08

Key Takeaways

we can use static analysis and reverse engineer the license check algorithm and write a key again to generate valid Keys obviously this algorithm also can become very complex but generally if you put a lot of work in it you can figure it out now you tell her that your manager but he's a smartass and tells you then you should stop people from being able to reverse Eng the binary uh then you direct yourself back to the desk and you come up with a new creative way how to stop somebody from debugging and reversing it because you are a pro you understand that an executable is a very complicated file format with object dump we have seen that this executable has a lot of information in there that is needed to load and execute it but you also realized that a program like GDB has to parse the executable to be able to disassemble and debug it as as well and radara has to read and part the executable file to show us stuff so could you modify the executable in a way that you can still execute it with Linux but GDB and radar tell you that something is broken what we are looking for is a parcel differential we hope that the parcel from XX from Linux differs from GDB parcel we hope that the parsel from execve and Linux differs from the GDB parsel in an ideal world every program that reads input would do it in the exact same way but every tool implements a parsing algorithm a bit different so if you screw with the input a Linux might see a valid file and executes it while the GDB says it's broken and cannot be disassembled let me show you a very naive way how to find something like that with fuzzing so let's create a new python script called f.p first we import some modules we need import random and and import OS first function you'll write is called flip bite as a parameter it takes a big string which will be the whole executable file later then we select the random index I between zero and the maximum length of this input then we select a random character that we will use to overwrite the bite in the program so character bite from a random number between zero and FF which is 255 then we return the original bytes up to this index I the next character will be the random created one instead of the original character I at this point and we append the remaining original bytes if you want to understand this fancy bracket colon index stuff in Python just Google python list so just a quick example of this function print flip bytes and a string with Yi you can copy this line and with P you can paste it multiple times and now you can see that a random character got changed to something else with TD you can delete those lines again now we want a function that copies the original binary but flips a bite and saves it in another file we call this function copy binary so we open the normal license 2 and a copy license 2 fuzz with right access now we read the whole original file pass those bytes to the flip bite function now this returns a copy of all license 2 executable just with a random bite flip and then we write this to the new copy now obviously we flip weird stuff and the file might not be executable anymore so we should check if the program still works the same way this means that it should print access granted with a valid key so this output should be the same for the original and the first program that's why I redirect this output to a file called Original output now let's write a python function that runs the fuss binary once a bite got flipped and let's check if its output is the same thing a really ugly way how I do this now just because it's less code I execute the same command like I just did just pipe the output into fuss output now I add a function to compare the original output with the fuss output and also let the result return from the check output function okay so this function checks if the binary still executes normally now let's think about how we can check if GDB still works basically we don't want people to disassemble main so you can use Echo and pipe the disassemble main command into GDB to get the output so this Echo basically just types the command and with the PIP we redirect this into the input of GDB this looks good so let's simply redirect this output also to a file uh that I will call original GDB now let's basically create the same function with check GDB and then we compare those two files again now let's do the same for RAR 2 here we just use commands AA then seek to the main function and PDF and also store this output in a file and now again we create a check radar function you can use shift V which you can use to highlight multiple lines and with Y you can copy it and paste it with P again okay almost there now let's create an endless loop where we first create a new copy then we check if the executable still works if that works we want radara and GDP to fail so not check GDB and not check radara if you we reach this here we print success and we also print the tail of the radara and GDB output just to have a visual check if the dis assembly really failed with raw input we can hold the Python program until we hit enter now let's run it um another small mistake this should be F1 instead of fn1 and I just discovered another mistake okay it found something but we clearly see disassembly there so let's continue until we find an output without disassembly ooh that looks good let's investigate the binary still works GDB can't find the main function and radara also has problems H that's cool admit this is very ugly this is not a real good technique you should use in practice but that is basically how fuzzing works and how you might discover cool new tricks to hide your malware and make it harder for people to analyze it if you want to learn more about this you can read this one block here which calls this a novel technique but it's not really new and there's a bit more in-depth research on L file format from ioactive and you can go even deeper and read even more crazy elf file format tricks in the Holy International Journal of proof of concept or get the out issue zero my binary can be found in in the GitHub repository and you can try different tools like Hopper or Ida and see if they still analyze it automatically but I suspect they do so this is just one small trick which can annoy somebody trying to analyze it now you can go back to your manager and tell him that he should hire some web developers and move the product into the cloud so that the code only runs on the servers you control [Music] [Applause] [Music]