Why do antiviruses suck, part 2

kao

In part 1, I tried to explain reasons behind some of the decisions anti-malware companies make when designing their products. In this part I'll touch some other side-effects of those decisions and what they mean for power-users.

This site has been blocked

In general, I need a very basic antivirus protection - when I make a mistake during my reversing session or web browsing, it should stop malware from:

  • becoming persistent on my computer;
  • sending any data to its C&C server

I'm not retarded and can read and think for myself - therefore I don't want "anti-phishing protection", "parental control", "safe banking", "vulnerability scan" or any other features aimed for persons who shouldn't be using Internet in the first place.

So, I always configure my antivirus to have just very basic on-access scan and firewall enabled, and all other components switched off. You can imagine my surprise when in last 2 days I have been greeted with these messages on 2 separate sites:
page blocked
WTF guys, I have switched off every component I could - why are you still active?! And why are you bugging me with this nonsense?

Make it more user-friendly

I'm very sure that the answer is very simple: somebody in the UI/UX department decided that Bitdefender UI needs to be simplified. So, they took the UI that actually made sense, and fucked it up.

Here's how settings looked like in year 2013 (image (c) Softpedia):
bitdefender 2013 settings

And here's how it looks in the Bitdefender 2016:
bitdefender 2016 settings
Antispam and Firewall have been moved to their corresponding module, but "Antimalware Filter" has disappeared altogether. After all, who would ever want to disable it, right?

To make matters worse, here's how the alert looked in Bitdefender 2015 (image (c) PCRisk):
bitdefender2015-website-blocked
See, there was "Settings" button right at the top of alert page and you could disable "Antimalware filter" from there. Well, they "simplified" that option away as well. Geniuses!

But I really want to disable it!

Luckily, you still can. ๐Ÿ™‚ All Bitdefender settings are stored in C:\Program Files\Bitdefender\Bitdefender 2016\settings\. However, to be able to modify files, you will need to start your computer in safe mode.

The file you're looking for is cloud.http.xml. Find your user name in it, and you'll see a section like this:

<user name="Administrator">
	<active>true</active>
	<timeout>400</timeout>
	<status value="default">false</status>
	<status value="malware">true</status>
	<status value="phishing">true</status>
	<status value="fraud">true</status>
	<status value="untrusted">true</status>
	<status value="bank">true</status>
	<bank>
		<add>
			<domain value="" option="ask"></domain>
		</add>
	</bank>
</user>

Apparently, there are more few settings which are hidden in the UI. I can only guess the exact meaning of them but - to be honest - I don't care. I just want this bugger to be gone from my machine. So, I changed "active" to "false" and for the good measure disabled each and every component as well. After a reboot, it all works the way I want, and I can access all the sites I want.

Great success! ๐Ÿ™‚

Keygen templates in Visual Studio

kao

I'm lazy and I hate doing the same tasks over and over again. Making UI for my crackme solutions is one of such tasks. It always goes like this: open Visual Studio, create new Windows Forms project in C#, drop 2 labels, 2 edit boxes and one button on the form. Set label texts to "Name" and "Serial", set button title to "Generate..", set the project icon, etc., etc..

There must be a better way!

..and it's certainly not the way Blue Indian did his keygen template:

To build this template on your own, open the solution in Visual studio, comment out the calls for uFMOD and implement your own logic, after successful build of keygen, close the Visual studio, open the Form_Main.cs file in any text editor and uncomment those two calls to uFMod, save it. Now double click on the build.bat file to built it finally.
...
-To change the ICON and XM tune, edit the mini.res (resource file) with any resource editor like Restorator or any of your choice.

Open this, delete those, compile that, and what? I'm already confused, sorry.

Introducing Visual Studio project templates

I'm sure you know that when you click "New project" in Visual Studio, you're presented with number of choices, like "Windows Forms Application", "Console Application", "Class Library" and so on. All these are project templates that are installed by default.

They provide all the files that are required for a particular project type, include standard assembly references, and set default project properties and compiler options. Hmm, that's exactly what I needed! ๐Ÿ™‚

This article at MSDN nicely explains that project template is simply a ZIP file that contains all the necessary files and a special .vstemplate file. This .vstemplate file is an XML file containing metadata Visual Studio needs to display the template in the "New Project" dialog.

Let's try to put it all together.

Making simple keygen template

Making a new template is actually very easy. You take an existing Visual Studio project, replace project-specific strings with template parameters and press File->Export Template.

Here is my keygen for Mr. eXoDia's simple crackme:
keygen_template1
Obviously, template should not contain code for specific crackme. Let's change that to something trivial and mark as FIXME:
keygen_template2
Now I need to remove all references to crackme name. I will replace them with template parameter $safeprojectname$ in all files. After this change, project won't compile anymore, so you need to be extra careful when changing stuff!
keygen_template3
Hardcoding year in the (c) string is not a good idea because I want to use this template in year 2016 as well:
keygen_template4
Now I just need to update AssemblyInfo.cs to make sure each project has correct name, (c) and GUIDs:
keygen_template5
Did it work? Let's see... File->Export Template, follow the wizard and...

It works. Kinda. The created template still has quite a few references to Mr eXodia's crackme, I'll need to modify project and solution files manually. Unzip the template, fix the files in text editor and ZIP them back. And now it works!

Few more cosmetic fixes (like using $projectname$ where possible), using $if$ and $targetframeworkversion$ to target all .NET framework versions, better namespace names and we have a template that's actually useful.

Download here: https://www.mediafire.com/?sx1i5ba1uijjkii

It's not particularly pretty but that's pretty much what I've been using for 2+ years now - and hopefully it can inspire you to do something similar with your own code. ๐Ÿ˜‰

Further reading

Reasonโ†’Codeโ†’Example : Creating Visual Studio project templates
Rebuilding template cache
How to: Manually Create Project Templates
How to: Create Multi-Project Templates

“Unlimited storage” Microsoft-style

kao

What do you think - how large is "unlimited storage"? To me, word "unlimited" means, well, unlimited. "All you can eat". No restrictions.

For a year, Microsoft was offering unlimited storage with their Office 365 package:

Today, storage limits just became a thing of the past with Office 365. Moving forward, all Office 365 customers will get unlimited OneDrive storage at no additional cost. Weโ€™ve started rolling this out today to Office 365 Home, Personal, and University customers.

It was not a bad deal - for $6.99/month you could have both Office and unlimited storage.

Of course, some people decided to take Microsoft up on their offer and use that storage. After all, why not?

Fast forward one year. New post from Microsoft OneDrive team tells us this:

Since we started to roll out unlimited cloud storage to Office 365 consumer subscribers, a small number of users backed up numerous PCs and stored entire movie collections and DVR recordings. In some instances, this exceeded 75 TB per user or 14,000 times the average.

Good job guys! ๐Ÿ™‚ If I had possibility to use unlimited storage, I'd use it as well!

But somehow Microsoft doesn't like it..

Weโ€™re no longer planning to offer unlimited storage to Office 365 Home, Personal, or University subscribers. Starting now, those subscriptions will include 1 TB of OneDrive storage.
...
Free OneDrive storage will decrease from 15 GB to 5 GB for all users, current and new.

So, now you know. "Unlimited" means "please, no more than 5 GB" in Microsoft-speak.

Solving “Find the flag” crackme by Extreme Coders

kao

Yesterday Extreme Coders posted a small crackme on Tuts4You. It's quite an easy one but solving it would require either lots of typing or some clever automation. Of course, being lazy I went for the automation route! ๐Ÿ™‚

Initial analysis

My preferred way is doing static analysis in IDA and - when necessary do dynamic analysis using OllyDbg. So, here is how it looks like in IDA:
extremecoders_cm1
As you can see, parts of code have been encrypted. 102 parts of code, to be exact. ๐Ÿ™‚

Decrypt the code

Since there is a lot of code that's encrypted, I need to automate decryption somehow. IDA scripting to the rescue!

auto ea;
auto addr;
auto size;
auto xorval;
auto x;
auto b;

ea = MinEA();
ea = FindBinary(ea, SEARCH_DOWN , "E8 00 00 00 00 5E 81 C6");
while (ea != BADADDR)
{
   addr = ea + 5 + 0x16;
   size = Dword(ea + 0xD);
   xorval = Byte(ea + 0x15);
   Message(form("Encrypted code parameters: start=%x size=%x key=%x\n", addr, size, xorval));
   for (x=0; x<size; x++)
   {
      b = Byte(addr + x);
      PatchByte(addr + x, b^xorval);
   }
   ea = FindBinary(ea +1, SEARCH_DOWN, "E8 00 00 00 00 5E 81 C6");
}

There's not much to comment. There's a big loop that's looking for the pattern of the decryption code. Then it extracts information about encrypted code address, size and used encryption key. Finally it decrypts the code.

Note - when you're patching binary data in IDA, it's always better to force IDA to reanalyze the affected fragment. I didn't do that here because changing end of _main() will force analysis automatically.

After decryption the code looks much better:
extremecoders_cm2

Well, it's better, but it still kinda sucks. We have 100 checks like this:

  movsx   edx, [esp+0B0h+enteredString+9]
  movsx   ecx, [esp+0B0h+enteredString+13h]
  add     ecx, edx
  movsx   edx, [esp+0B0h+enteredString+0Bh]
  lea     edx, [edx+ecx*2]
  movsx   ecx, [esp+0B0h+enteredString+1Dh]
  add     edx, ecx
  mov     ecx, dword ptr [esp+0B0h+enteredString]
  movsx   edi, ch
  add     edx, edi
  movsx   edi, [esp+0B0h+enteredString+6]
  add     edx, edi
  movsx   edi, [esp+0B0h+enteredString+2]
  add     edx, edi
  movsx   edi, [esp+0B0h+enteredString+4]
  add     edx, edi
  movsx   edi, [esp+0B0h+enteredString+0Fh]
  add     edx, edi
  movsx   edi, [esp+0B0h+enteredString+0Ah]
  add     edx, edi
  movsx   edi, [esp+0B0h+enteredString+0Ch]
  add     edx, edi
  movsx   edi, [esp+0B0h+enteredString+11h]
  add     edx, edi
  movsx   edi, [esp+0B0h+enteredString+18h]
  add     edx, edi
  movsx   edi, [esp+0B0h+enteredString+0Eh]
  add     edx, edi
  movsx   edi, [esp+0B0h+enteredString+1Ah]
  add     edx, edi
  movsx   edi, [esp+0B0h+enteredString+17h]
  add     edx, edi
  movsx   edi, [esp+0B0h+enteredString+16h]
  movsx   ecx, cl
  add     edx, edi
  add     edx, ecx
  cmp     edx, 787h
  jnz     loc_40147B
  add     eax, 1    <--- increment number of passed checks
loc_40147B:

So, we're solving system of 100 linear equations with 32 variables. Great! Who wants to write down these equations based on disassembly and then solve them manually? Not me!

Decompile the code

Let's see if we can somehow make the problem easier for us. Hexrays decompiler provides nice output but it still needs a lot of cleanup:
extremecoders_cm3
Basically, the code responsible for encryption/decryption of checks is getting into our way.

Another IDA script to the rescue:

auto ea;
auto addr;
auto size;
auto xorval;
auto x;
auto b;

ea = MinEA();
ea = FindBinary(ea, SEARCH_DOWN , "60 E8 00 00 00 00 5E 81");
while (ea != BADADDR)
{
   for (x=0;x<0x1C;x++)
   {
      PatchByte(ea+x, 0x90);
   }
   MakeUnknown(ea, 0x1C, 0);
   MakeCode(ea);
   ea = FindBinary(ea +1, SEARCH_DOWN , "60 E8 00 00 00 00 5E 81");
}   

I took the previous script and modified it a bit. Now it finds both encryption and decryption loops and just nops them out. It also forces IDA to reanalyze the patched region - it's very important because otherwise IDA lost track of correct stack pointer and decompiled code was wrong.

Quick changes in Hexrays plugin options to use decimal radix and the decompiled code looks great!
extremecoders_cm4

Text editor magic

Beginning reversers commonly underestimate power of text editors. Sure, the Hexrays output we got is readable, but it's not really suitable for any sort of automated processing.

First, let's get rid of all extra spaces. Replace " " (2 spaces) with " " (one space). Repeat until no more matches. Now it looks like this:

 if ( enteredString[0]
 + enteredString[22]
 + enteredString[26]
 + enteredString[20]
 + enteredString[10]
 + enteredString[7]
 + 3 * enteredString[14]
 + 2
 * (enteredString[23]
 + enteredString[24]
 + enteredString[17]
 + enteredString[21]
 + enteredString[12]
 + enteredString[18]) == 2024 )
 v6 = 1;
 if ( enteredString[0]
 + enteredString[22]
 + enteredString[23]
... 98 more ifs...

Put each equation on one line. Replace "\r\n +" (new line,space,plus) with " +" (space,plus). Replace "\r\n *" (new line,space,star) with " *" (space,star).

 if ( enteredString[0] + enteredString[22] + enteredString[26] + enteredString[20] + enteredString[10] + enteredString[7] + 3 * enteredString[14] + 2 * (enteredString[23] + enteredString[24] + enteredString[17] + enteredString[21] + enteredString[12] + enteredString[18]) == 2024 )
 v6 = 1;
 if ( enteredString[0] + enteredString[22] + enteredString[23] + enteredString[26] + enteredString[14] + enteredString[24] + enteredString[17] + enteredString[12] + enteredString[10] + enteredString[15] + enteredString[4] + enteredString[2] + enteredString[6] + enteredString[1] + enteredString[29] + enteredString[11] + 2 * (enteredString[9] + enteredString[19]) == 1927 ) ++v6;
 if ( enteredString[14] + enteredString[10] == 148 ) ++v6;
 if ( enteredString[0] + enteredString[14] + enteredString[10] + enteredString[11] + enteredString[3] + enteredString[25] + 2 * (enteredString[22] + enteredString[27]) == 741 ) ++v6;
 if ( enteredString[24] + enteredString[29] == 229 ) ++v6;
... 95 more ifs ...

Get rid of those "if". Get rid of "++v6;". Replace "==" with "=".

enteredString[0] + enteredString[22] + enteredString[26] + enteredString[20] + enteredString[10] + enteredString[7] + 3 * enteredString[14] + 2 * (enteredString[23] + enteredString[24] + enteredString[17] + enteredString[21] + enteredString[12] + enteredString[18]) = 2024 )
enteredString[0] + enteredString[22] + enteredString[23] + enteredString[26] + enteredString[14] + enteredString[24] + enteredString[17] + enteredString[12] + enteredString[10] + enteredString[15] + enteredString[4] + enteredString[2] + enteredString[6] + enteredString[1] + enteredString[29] + enteredString[11] + 2 * (enteredString[9] + enteredString[19]) = 1927
enteredString[14] + enteredString[10] = 148
enteredString[0] + enteredString[14] + enteredString[10] + enteredString[11] + enteredString[3] + enteredString[25] + 2 * (enteredString[22] + enteredString[27]) = 741
enteredString[24] + enteredString[29] = 229
... 95 more equations ...

Finally, rename "enteredString" to "z" and get rid of those "[" and "]"

z0 + z22 + z26 + z20 + z10 + z7 + 3 * z14 + 2 * (z23 + z24 + z17 + z21 + z12 + z18) = 2024 )
z0 + z22 + z23 + z26 + z14 + z24 + z17 + z12 + z10 + z15 + z4 + z2 + z6 + z1 + z29 + z11 + 2 * (z9 + z19) = 1927
z14 + z10 = 148
z0 + z14 + z10 + z11 + z3 + z25 + 2 * (z22 + z27) = 741
z24 + z29 = 229
... 95 more equations ...

Congratulations, within one minute you got from ugly decompiled code to well-written system of equations!

And solve the problem

Nicely written system of equations is pointless, if you can't solve it. Luckily, there's an online solver for that right there! ๐Ÿ˜‰ Copy-pasting our cleaned system of equations into their webform gives us result:

This system has a unique solution, which is

{ z0 = 102, z1 = 108, z10 = 48, z11 = 108, z12 = 118, z13 = 101, z14 = 100, z15 = 95, z16 = 116, z17 = 104, z18 = 97, z19 = 116, z2 = 97, z20 = 95, z21 = 114, z22 = 49, z23 = 103, z24 = 104, z25 = 116, z26 = 33, z27 = 33, z28 = 33, z29 = 125, z3 = 103, z4 = 123, z5 = 89, z6 = 48, z7 = 117, z8 = 95, z9 = 115 }.

Converting character codes to ANSI string is an equally simple exercice, I'm not gonna bore you with that.

And that's how you solve a crackme with nothing but a few scripts in IDA and a text editor.. ๐Ÿ˜‰