
BORGChat encryption/decryption functions

One day, having nothing better to do (before defending my bachelor's thesis), I spent a little time analysing the BORGChat client, version 0.9.8.369, to find its encryption/decryption algorithm.

Since borgchat.exe is packed with UPX, with the UPX signature erased, I tried several unpackers (I don't have much experience with manual unpacking), of which only one worked: UPX Ripper (http://www.wasm.ru/all.php?mode=tool). After obtaining the original file I turned to debugging with the good old OllyDbg.

Like all chat clients, BORGChat sends a message to everyone, thereby notifying the other clients that it has connected. Packets are sent with the send() and sendto() functions; in BORGChat's case the packet goes to a broadcast address, so sendto() is called. I put a breakpoint on it (CTRL-G, sendto, then F2 on the address obtained) and ran the program (F9). After initialisation the breakpoint was hit at the start of sendto. After returning from sendto I set a breakpoint above the point where this function is called (0x4BE6A8, the start of the subroutine in which packets are sent). After a little analysis of the memory at the addresses held in the registers, I understood that the encryption happens before this subroutine.

Stepping out of subroutines and analysing the calls and the register contents, I found this sequence:

005B4066  . 68 90425B00     PUSH BORGChat.005B4290
005B406B  . 64:FF30         PUSH DWORD PTR FS:[EAX]
005B406E  . 64:8920         MOV DWORD PTR FS:[EAX], ESP
005B4071  . 8D4D DC         LEA ECX, DWORD PTR SS:[EBP-24]
005B4074  . 66:BA 1800      MOV DX, 18
005B4078  . 8B45 F4         MOV EAX, DWORD PTR SS:[EBP-C]      ; EAX holds the buffer address
005B407B  . E8 3054FFFF     CALL BORGChat.005A94B0             ; call to the encryption function
005B4080  . 8B55 DC         MOV EDX, DWORD PTR SS:[EBP-24]
005B4083  . 8D45 F4         LEA EAX, DWORD PTR SS:[EBP-C]

I jumped to address 005A94B0:

005A94B0 /$ 53              PUSH EBX
005A94B1 |. 56              PUSH ESI
005A94B2 |. 57              PUSH EDI
005A94B3 |. 55              PUSH EBP
005A94B4 |. 51              PUSH ECX
005A94B5 |. 8BE9            MOV EBP, ECX
005A94B7 |. 8BF2            MOV ESI, EDX
005A94B9 |. 890424          MOV DWORD PTR SS:[ESP], EAX
005A94BC |. 8B0424          MOV EAX, DWORD PTR SS:[ESP]
005A94BF |. E8 F4BAE5FF     CALL BORGChat.00404FB8
005A94C4 |. 8BD0            MOV EDX, EAX
005A94C6 |. 8BC5            MOV EAX, EBP
005A94C8 |. E8 77BEE5FF     CALL BORGChat.00405344
005A94CD |. 8B0424          MOV EAX, DWORD PTR SS:[ESP]
005A94D0 |. E8 E3BAE5FF     CALL BORGChat.00404FB8
005A94D5 |. 8BF8            MOV EDI, EAX
005A94D7 |. 85FF            TEST EDI, EDI
005A94D9 |. 7E 3A           JLE SHORT BORGChat.005A9515
005A94DB |. BB 01000000     MOV EBX, 1                         ; start of the algorithm
005A94E0 |> 8BC5            /MOV EAX, EBP
005A94E2 |. E8 29BDE5FF     |CALL BORGChat.00405210
005A94E7 |. 8B1424          |MOV EDX, DWORD PTR SS:[ESP]
005A94EA |. 0FB6541A FF     |MOVZX EDX, BYTE PTR DS:[EDX+EBX-1]
005A94EF |. 0FB7CE          |MOVZX ECX, SI
005A94F2 |. C1E9 08         |SHR ECX, 8
005A94F5 |. 33D1            |XOR EDX, ECX
005A94F7 |. 885418 FF       |MOV BYTE PTR DS:[EAX+EBX-1], DL
005A94FB |. 8B45 00         |MOV EAX, DWORD PTR SS:[EBP]
005A94FE |. 0FB64418 FF     |MOVZX EAX, BYTE PTR DS:[EAX+EBX-1]
005A9503 |. 0FB7D6          |MOVZX EDX, SI
005A9506 |. 03C2            |ADD EAX, EDX
005A9508 |. 71 05           |JNO SHORT BORGChat.005A950F
005A950A |. E8 6DA8E5FF     |CALL BORGChat.00403D7C            ; end of the algorithm
005A950F |> 8BF0            |MOV ESI, EAX
005A9511 |. 43              |INC EBX
005A9512 |. 4F              |DEC EDI
005A9513 |.^75 CB           \JNZ SHORT BORGChat.005A94E0
005A9515 |> 5A              POP EDX
005A9516 |. 5D              POP EBP
005A9517 |. 5F              POP EDI
005A9518 |. 5E              POP ESI
005A9519 |. 5B              POP EBX
005A951A \. C3              RETN

It would be logical for the decryption function to be nearby, so I looked a little further down:

005A951C /$ 53              PUSH EBX
005A951D |. 56              PUSH ESI
005A951E |. 57              PUSH EDI
005A951F |. 55              PUSH EBP
005A9520 |. 51              PUSH ECX
005A9521 |. 890C24          MOV DWORD PTR SS:[ESP], ECX
005A9524 |. 8BF2            MOV ESI, EDX
005A9526 |. 8BF8            MOV EDI, EAX
005A9528 |. 8BC7            MOV EAX, EDI
005A952A |. E8 89BAE5FF     CALL BORGChat.00404FB8
005A952F |. 8BD0            MOV EDX, EAX
005A9531 |. 8B0424          MOV EAX, DWORD PTR SS:[ESP]
005A9534 |. E8 0BBEE5FF     CALL BORGChat.00405344
005A9539 |. 8BC7            MOV EAX, EDI
005A953B |. E8 78BAE5FF     CALL BORGChat.00404FB8
005A9540 |. 8BE8            MOV EBP, EAX
005A9542 |. 85ED            TEST EBP, EBP
005A9544 |. 7E 37           JLE SHORT BORGChat.005A957D
005A9546 |. BB 01000000     MOV EBX, 1                         ; start of the algorithm
005A954B |> 8B0424          /MOV EAX, DWORD PTR SS:[ESP]
005A954E |. E8 BDBCE5FF     |CALL BORGChat.00405210
005A9553 |. 33D2            |XOR EDX, EDX
005A9555 |. 8A541F FF       |MOV DL, BYTE PTR DS:[EDI+EBX-1]
005A9559 |. 0FB7CE          |MOVZX ECX, SI
005A955C |. C1E9 08         |SHR ECX, 8
005A955F |. 33D1            |XOR EDX, ECX
005A9561 |. 885418 FF       |MOV BYTE PTR DS:[EAX+EBX-1], DL
005A9565 |. 33C0            |XOR EAX, EAX
005A9567 |. 8A441F FF       |MOV AL, BYTE PTR DS:[EDI+EBX-1]
005A956B |. 0FB7D6          |MOVZX EDX, SI
005A956E |. 03C2            |ADD EAX, EDX
005A9570 |. 71 05           |JNO SHORT BORGChat.005A9577
005A9572 |. E8 05A8E5FF     |CALL BORGChat.00403D7C
005A9577 |> 8BF0            |MOV ESI, EAX
005A9579 |. 43              |INC EBX
005A957A |. 4D              |DEC EBP
005A957B |.^75 CE           \JNZ SHORT BORGChat.005A954B       ; end of the algorithm
005A957D |> 5A              POP EDX
005A957E |. 5D              POP EBP
005A957F |. 5F              POP EDI
005A9580 |. 5E              POP ESI
005A9581 |. 5B              POP EBX
005A9582 \. C3              RETN

Implementation of these algorithms in C++ (the state update follows the listings: only SI, the low 16 bits of the running value, is read in the next round, and the value added is always the ciphertext byte):

#include <windows.h>   // BOOL, UCHAR, UINT

// Encryption, from 005A94B0: XOR each byte with the high byte of the 16-bit
// state, then add the ciphertext byte just written to the state.
BOOL crypt(UCHAR *buf, UINT length)
{
    if (!buf || length == 0) return FALSE;
    UINT ind = 0, t2;
    UINT cr = 0x18;   // value set before the encryption function is called (MOV DX, 18)
    while (ind < length)
    {
        buf[ind] ^= (UCHAR)(cr >> 8);
        t2 = buf[ind] + cr;   // state is chained on the ciphertext byte
        cr = t2 & 0xFFFF;     // MOVZX ECX, SI: only the low 16 bits survive
        ind++;
    }
    return TRUE;
}

// Decryption, from 005A951C: same keystream, but the ciphertext byte is read
// for the state update before it is XORed back to plaintext.
BOOL decrypt(UCHAR *buf, UINT length)
{
    if (!buf || length == 0) return FALSE;
    UINT ind = 0, t2;
    UINT cr = 0x18;
    while (ind < length)
    {
        t2 = buf[ind] + cr;
        buf[ind] ^= (UCHAR)(cr >> 8);
        cr = t2 & 0xFFFF;
        ind++;
    }
    return TRUE;
}
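An added example in C (mine, not the article's or BORGChat's code; function names are my own): the two routines folded into one in-place transform, plus a check of a property that follows directly from the listings. The seed 0x18 has a zero high byte, so the first byte of every packet leaves the machine unchanged, and for ASCII text usually the second as well; no secret enters the state at any point, so the scheme gives no confidentiality against anyone who can see the broadcast traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BORG_SEED 0x18u   /* the constant loaded with MOV DX, 18 before the call */

/* Keystream byte for the current state: high byte of SI (MOVZX ECX,SI; SHR ECX,8). */
static uint8_t borg_ks(uint16_t state) { return (uint8_t)(state >> 8); }

/* Transform len bytes in place. Both directions use the same keystream; the
   state is always advanced with the ciphertext byte (the output byte when
   encrypting, the input byte when decrypting), truncated to 16 bits. */
static void borg_xform(uint8_t *buf, size_t len, int decrypt) {
    uint16_t state = BORG_SEED;
    for (size_t i = 0; i < len; i++) {
        uint8_t c = buf[i];                 /* ciphertext when decrypting */
        buf[i] ^= borg_ks(state);
        if (!decrypt) c = buf[i];           /* ciphertext just produced */
        state = (uint16_t)(state + c);      /* only SI is read next round */
    }
}

void borg_encrypt(uint8_t *buf, size_t len) { borg_xform(buf, len, 0); }
void borg_decrypt(uint8_t *buf, size_t len) { borg_xform(buf, len, 1); }

/* Number of leading bytes whose keystream byte is 0, i.e. bytes that go on the
   wire unchanged. Depends only on the seed and the ciphertext prefix. */
size_t borg_clear_prefix(const uint8_t *ct, size_t len) {
    uint16_t state = BORG_SEED;
    size_t n = 0;
    for (; n < len && borg_ks(state) == 0; n++)
        state = (uint16_t)(state + ct[n]);
    return n;
}

/* Round trip on a constructed message; returns 1 on success. */
int borg_selftest(void) {
    const char *msg = "hello from borgchat";   /* constructed sample */
    uint8_t buf[64];
    size_t len = strlen(msg);
    memcpy(buf, msg, len);
    borg_encrypt(buf, len);
    size_t clear = borg_clear_prefix(buf, len);
    borg_decrypt(buf, len);
    return clear >= 2 && memcmp(buf, msg, len) == 0;
}

int main(void) { printf("selftest: %s\n", borg_selftest() ? "ok" : "FAIL"); return 0; }
```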