Category Archives: Tools

31 May 2016

BTVStack.exe requesting access to Skype on every startup

Background

At home I'm using a desktop computer. It has ASUS motherboard with Atheros Bluetooth chip. I have all the drivers installed but I'm not using Bluetooth at all.

Problem

Some time ago I started getting these notifications every single time I started Windows:
btvstack_skype

btvstack.exe is requesting access to Skype. Only allow access to programs downloaded from a trusted source as they will be able to use information such as your Skype contacts and messages.

No matter what option I selected, it would ask me again on next reboot. Bloody hell!

If you google for the solution, you'll notice that:

  1. It's a quite common problem;
  2. Most common solution is to deny/allow access either using the dialog above, or Tools->Options->Advanced->Advanced Settings->Manage other programs’ access to Skype;
  3. Another solution for Windows 8+ is to deselect "Allow Bluetooth devices to send you PIM items such as business cards, calendar items, e-mail messages, and notes. " in Bluetooth Control Panel applet;

Unfortunately, first solution was not working for me. And second solution is not feasible because there is no such option in Windows 7 Control Panel.

Solution

Since I don't need Bluetooth but I don't like to have broken drivers, I decided to disable just the offending DLL. From the elevated command-prompt I ran

and the problem has disappeared. Great success! smile

Hope this helps someone else too.

03 May 2016

CFF bugs in processing managed resources

Users on tuts4you quite often ask questions like "Can you identify which obfuscator was used". When I was analyzing one such assembly, my CFF Explorer started to act erratically. New tabs would not open and on exit CFF Explorer crashed with access violation.
CFF acting up
That's weird, I said to myself and decided to figure out what's causing it.

Uninitialized buffers and unchecked return values

First bug is a classic. In pseudo-code it looks like this:

First issue is that nobody initialized ResourcesInfo structure, so all fields will initially contain random garbage. As soon as ReadResourceHeader fails to read or validate something, it returns, and lots of fields will still contain random garbage.

It wouldn't be a big problem, if Daniel checked the return value of the function. But his code just continues processing even if the data initialization failed. And, to make matters worse, it just hides all exceptions by putting try-except handlers around most of the code. No wonder CFF is occasionally acting weird! smile

This bug is quite hard to demonstrate, as it needs to have few lucky coincidences in the uninitialized data. But I'm sure that a skilled person would convert it into arbitrary code execution in no time. Not me, though... smile

Buffer overflow

Second bug is also a classic. In pseudo-code it looks like this:

So, what's wrong here? Daniel takes a fixed-size buffer and initializes it with all zeros (unlike previous case). Then he reads size of data (NameSize). And then he copies NameSize bytes into a fixed-size buffer - without checking if that's gonna overflow or not.. Yikes!

Example file demonstrating this bug: https://www.mediafire.com/?x4idsa21toh0t36 (you need to click on Resource Editor -> .NET Resources to trigger the buggy code. Afterwards, CFF Explorer will start acting weird).

Solution

Just like in a previous case where I added support for ConfuserEx and undocumented fields, I had to make few binary patches to CFF Explorer.

Fixed exe file is here: Please get latest version from this post

Have fun and stay safe!

24 Mar 2016

MoleBox goes out of business

Molebox as it used to be

A bit of history

MoleBox 2 was released in year 2003 and it was one of the first file virtualization solutions in the market. It bundled executable with the DLL and data files into a single EXE file. At that time that was something new and innovative.

They had quite a success and released another product (MoleBox Ultra, later renamed to MoleBox Virtualization Solution) in year 2009. Apparently it was very hard to fight in the increasingly more competitive market of application virtualization solutions and the last version of MoleBox Virtualization Solution was released in 2013.

Game over

In February 2016 domain molebox.com was sold for $1526. Yesterday their web server started serving generic WordPress page with dating-related spam. And that is just sad. sad
MoleBox dating advice

Release of static unpacker

However, both editions of MoleBox are still very popular with private game server owners, as they allow to bundle patched EXE files together with their custom data files. It's not a bullet-proof security but stops newbies from stealing their valuable data.

Since the MoleBox company is officially out of business now, I have no more reasons to keep my static Molebox unpacker private. It supports most versions of MoleBox 2.x including the external box files.

Have fun guys!

Download link: see October update to Molebox unpacker for an updated version.

P.S. This post was made just because I noticed changes in MoleBox web, I wasn't planning to release the unpacker today. So, please keep in mind this code was written in year 2009 and has had only one small fix applied in 2015. It's likely that you'll encounter some bugs and quirks - please send me the problematic file and I'll fix the bug. smile

P.P.S. I have static unpacker for MoleBox Virtualization Solution as well. But it doesn't have a nice UI yet, so it will be released on a later day.

16 Feb 2016

Updated Meltdown and EnigmaVB Unpacker

About Error Messages

Users can't read.

Or maybe they don't want to read. I don't know.

But one thing I know for sure - you must make your tools foolproof. If your tool is showing an error message, make sure even your grandma could understand it. Otherwise you'll be getting lots and lots of invalid bug reports.

For example, this is the error message my EnigmaVB unpacker used to show (as reported by ho3ein at Tuts4You):
enigmavb_error_message

It seemed to be very clear to me. First, tool tells user all the versions of Enigma Virtual Box it supports. Then tool explains that it expects to see a PE section with a name ".enigma2" but it found section with a name ".rsrc" instead. To me it's absolutely clear what happened: this file is not protected with Enigma Virtual Box (or it's hacked).

But you won't believe how many times this gets reported as a bug.

There was a similar problem with Meltdown. It clearly stated which versions of DeepFreeze it supports. Then it printed the detected DeepFreeze version. However, the error message didn't explicitly say "This version of DeepFreeze is not supported", it said "DeviceIoControl failed." It makes perfect sense from developer's point of view, but apparently is very confusing for users.

So, here are improved versions of my tools, fixing the error messages and some other stuff..

Improved EnigmaVB Unpacker

First of all, I fixed the error message. I also added detection and tested compatibility with the latest EnigmaVB v7.40. Hopefully, this will make users happier and less confused. smile
EnigmaVBUnpacker_v034

Improved Meltdown

Meltdown 1.7 fixes confusing error message with DeepFreeze Standard v8.x. Thanks to Alexander for reporting it.

I also took a closer look at DeepFreeze Enterprise versions and found a way to make Meltdown more user friendly. If DeepFreeze Enterprise v7.20+ is detected, Meltdown will get OTP Token automatically and immediately generate correct password.

meltdown17

Download links

Enigma Virtual Box Unpacker: Please get latest version from this post
Meltdown v1.7: https://www.mediafire.com/?b0bamd3t2d6bbkq

16 Jan 2016

Updated Faronics DeepFreeze and Meltdown

tl;dr - DeepFreeze is still buggy and one-time passwords can be easily generated. Download link: https://www.mediafire.com/?mtpaf3quaifwm3u

What was changed in DeepFreeze version 8.31?

Well, two things.

First, they made an attempt to stop Meltdown from generating correct One Time Passwords (OTP). While doing so, they added a new vulnerability - similar to the one that Meltdown used to obtain password for Deep Freeze Standard version 7.x and older.
Second, they added a licensing mechanism that requires each workstation to be activated. While doing so, they created a new local privilege escalation vulnerability.

What is this new (old) vulnerability?

The problem is in data exchange between driver and the UI component. It's done using DeviceIoControl calls and data are encrypted using changing XOR key. However, the overall communication protocol is badly designed.

So, let's start with the Deep Freeze Standard versions 5.x to 7.x. Communication between UI (frzstate2k.exe) and the driver goes like this:
DFS 7.x
Obviously, it's easy to extract password from the information provided by driver. That's what Meltdown originally did.

Faronics fixed that in Deep Freeze Standard v8.10:
DFS 8.x
Makes total sense, right? I looked at the communication protocol and concluded that the issue is fixed. End of story.

Deep Freeze Enterprise is a different story:
DFE 7.x
This communication makes sense. But all the information necessary to generate OTP was present in dfserv.exe and other executables. So, Meltdown didn't even have to communicate with the driver.

But in the latest version (v8.31) the information to generate OTP is not present in dfserv.exe or other executables. However, Faronics added a new feature to the driver:
DFE 8.31
Where have I seen this design before? smile So, I updated Meltdown to obtain information necessary for OTP generation from DeepFreeze driver. Easy as pie.

Local privilege escalation

It's so good, it deserves a separate blog post.

What do you think about Faronics?

I get this question a lot lately. People who see Meltdown ask that. IT managers who bought DeepFreeze ask that. And even some reverser friends have asked me that. But I'd rather not say anything and let the facts speak for themselves.

  • 2013-Mar-06 - Meltdown is published.
  • 2014-Mar-31 - Faronics closes the vulnerability in DeepFreeze Standard v8.10. No mention of any security issues in the changelog. No security bulletins published. This vulnerability had existed since very early versions of DeepFreeze and it suddenly got fixed. To me, it indicates that Faronics was aware of Meltdown at this moment of time.
  • 2014-Jun-24 - Changes in DeepFreeze Enterprise v8.11 break existing versions of Meltdown. Release notes say "Resolved a security issue that could result in the user accessing Deep Freeze without authorization." No security bulletins published.
  • 2015-May-11 - User reported that Meltdown wasn't working anymore. It took me few hours to add that new round of "extra secure" xor encryption.
  • 2015-Dec-31 - Changes in DeepFreeze Enterprise 8.31 break existing versions of Meltdown. Changelog says "Secured One-Time Password functionality from potential vulnerability." No security bulletins published. They introduce 2 new vulnerabilities in this version.
  • 2016-Jan-12 - Meltdown is updated with another round of xor encryption and 2 new calls to DeviceIoControl API.

You can compare Faronics' behavior and response time to other software companies and make your own conclusions.

Download link for Meltdown 1.6: https://www.mediafire.com/?mtpaf3quaifwm3u

05 Nov 2015

Keygen templates in Visual Studio

I'm lazy and I hate doing the same tasks over and over again. Making UI for my crackme solutions is one of such tasks. It always goes like this: open Visual Studio, create new Windows Forms project in C#, drop 2 labels, 2 edit boxes and one button on the form. Set label texts to "Name" and "Serial", set button title to "Generate..", set the project icon, etc., etc..

There must be a better way!

..and it's certainly not the way Blue Indian did his keygen template:

To build this template on your own, open the solution in Visual studio, comment out the calls for uFMOD and implement your own logic, after successful build of keygen, close the Visual studio, open the Form_Main.cs file in any text editor and uncomment those two calls to uFMod, save it. Now double click on the build.bat file to built it finally.
...
-To change the ICON and XM tune, edit the mini.res (resource file) with any resource editor like Restorator or any of your choice.

Open this, delete those, compile that, and what? I'm already confused, sorry.

Introducing Visual Studio project templates

I'm sure you know that when you click "New project" in Visual Studio, you're presented with number of choices, like "Windows Forms Application", "Console Application", "Class Library" and so on. All these are project templates that are installed by default.

They provide all the files that are required for a particular project type, include standard assembly references, and set default project properties and compiler options. Hmm, that's exactly what I needed! smile

This article at MSDN nicely explains that project template is simply a ZIP file that contains all the necessary files and a special .vstemplate file. This .vstemplate file is an XML file containing metadata Visual Studio needs to display the template in the "New Project" dialog.

Let's try to put it all together.

Making simple keygen template

Making a new template is actually very easy. You take an existing Visual Studio project, replace project-specific strings with template parameters and press File->Export Template.

Here is my keygen for Mr. eXoDia's simple crackme:
keygen_template1
Obviously, template should not contain code for specific crackme. Let's change that to something trivial and mark as FIXME:
keygen_template2
Now I need to remove all references to crackme name. I will replace them with template parameter $safeprojectname$ in all files. After this change, project won't compile anymore, so you need to be extra careful when changing stuff!
keygen_template3
Hardcoding year in the (c) string is not a good idea because I want to use this template in year 2016 as well:
keygen_template4
Now I just need to update AssemblyInfo.cs to make sure each project has correct name, (c) and GUIDs:
keygen_template5
Did it work? Let's see... File->Export Template, follow the wizard and...

It works. Kinda. The created template still has quite a few references to Mr eXodia's crackme, I'll need to modify project and solution files manually. Unzip the template, fix the files in text editor and ZIP them back. And now it works!

Few more cosmetic fixes (like using $projectname$ where possible), using $if$ and $targetframeworkversion$ to target all .NET framework versions, better namespace names and we have a template that's actually useful.

Download here: https://www.mediafire.com/?sx1i5ba1uijjkii

It's not particularly pretty but that's pretty much what I've been using for 2+ years now - and hopefully it can inspire you to do something similar with your own code. wink

Further reading

Reason→Code→Example : Creating Visual Studio project templates
Rebuilding template cache
How to: Manually Create Project Templates
How to: Create Multi-Project Templates

22 Oct 2015

Static unpacker for AutoPlay Media Studio files

tl;dr version - it unpacks stuff. Feel free to leech and reupload. Report bugs here.

Unpacker for AutoPlay Media Studio

Introduction

It all started with a topic on BlackStorm forums where whoknows posted a link to Reverzor - The first cloud based software that decompiles everything!.

Wow, a magic tool that does everything! Sounds too good to be true.. smile Soon enough, li0n posted a link to the trial executable and I started looking into it. I quickly found out that it's written in AutoPlay Media Studio, and that there is no working unpacker for that.

I should fix that - and have some fun in process!

Existing tools and research

First, I found a great blogpost by Xiaopang - I wholeheartedly recommend that you read it.

And then there's a AmsDec.exe by mohsen.
amsdec
Unfortunately, it only works for some files (supposedly - v8.1, v8.2) and shows weird messages in Persian language. And it's not really a decompiler, it just extracts _proj.dat file from the cdd file. And, of course, it didn't work for Reverzor.

How AutoPlay Media Studio works

So, let's see what we need to do to unpack it all properly. As the authors of AutoPlay Media Studio wrote in changelog:

As we all know, anyone determined enough can break any protection system given enough time and resources, but the use of rolling codes renders generic attacks ineffective. You can now sleep a little easier!

Right... They are using ZIP files protected with randomly generated passwords and obviously have no clue how generic attacks work..

Unpacker needs to analyze EXE file, generate correct password and unzip files. If there's a cdd file, unzip that one too. And since it's that simple, I will use AutoPlay Media Studio as a target for a separate blogpost explaining how to write a static unpacker from scratch. smile

Since there are several options how you can distribute files built by AutoPlay Media Studio, here's a quick reference:

  1. you have just a single application.exe;

    2. Such files can be generated using "Publish -> Web/Email executable" feature in AutoPlay Media Studio. Example file would be CardRecovery v
    6.10 Build 1210 AIO Installer -nelly-.exe

    Drop the exe file on unpacker, it will unpack everything automatically. Then check the appropriate folder for extracted data files and _proj.dat for the installation script.

  2. you have a folder with application.exe and application.cdd in a subfolder AutoPlay;

    3. These files are created using "Publish -> Hard drive folder" in AutoPlay Media Studio. An example file can be, for example, Russian software (malware?) claiming to be a Photoshop installer.

    There is not much to unpack, as data files are in plain sight in folder AutoPlay and subfolders. Drop the exe file on unpacker, it will find cdd file automatically and unpack everything, including _proj.dat.

  3. you have application.exe and application.cdd files in the same folder;

    4. This happens when "Rename resource files" feature is enabled in AutoPlay Media Studio. It's one of those features that add fake security to the product:

    This option is designed to obscure the filenames of your resource files during publishing.

    This is a case of Users Sniffer. Similar to previous case, there's not much to unpack. Drop the exe file on unpacker, it will find cdd file automatically and unpack everything, including _proj.dat.

Advanced use cases

But sometimes things are not that easy. So, here are few possible scenarios how to deal with modified AutoPlay Studio:

  1. application.exe is packed and there is application.cdd file present.

    2. This is a case of official AMS studio challenge that Xiaopang mentioned on the blog. Good news - you don't need to be an unpacking wizard and properly unpack PCGuard to break their protection. It's enough to run the EXE in VMWare, dump process memory and drop dumped exe on my tool. As long as PE header and section table is correct, it should be fine.

    Step-by-step:
    1) Run and dump:
    challenge1
    2) When saving dump, keep the original filename. Otherwise my unpacker won't be able to find cdd file:
    challenge2
    3) Process dump with unpacker:
    challenge3

  2. application.exe is packed and there is no cdd file.

    3. This is the case of Reverzor. First you would need to unpack Enigma Virtual Box - for that you can use my other unpacker.. wink Now you have both exe and cdd files but exe file is still packed with ASPack. Again, you don't need to unpack ASPack properly, just run & dump process memory. Then process dumped exe with my unpacker.

  3. application.exe is hacked and the cdd file is renamed to something else;

    4. This is a case of Idler. Author hacked AutoPlay engine and replaced file extension cdd with dll.
    idler
    There is no way for my unpacker to cover all such scenarios automatically, sorry. Just rename idler.dll to idler.cdd and drop idler.exe on unpacker.

Conclusion

This was a small weekend project for me. If it also helps you in some adventures, I'm happy. If it doesn't help you at all, I don't care. smile

Download the unpacker from:


Note - due to technical reasons it's compiled against .NET 3.5, if you wish to run it on computer with only .NET 4.0 installed, create amsunpacker.exe.config with the following lines:


<?xml version="1.0"?>
<configuration>
 <startup>
  <supportedRuntime version="v4.0"/>
 </startup>
</configuration>


And stay tuned for the upcoming post, where I'll explain how to write such unpacker from scratch!

23 Jul 2015

Static Enigma Virtual Box unpacker, part 3

Here comes a new version. Again. smile

EnigmaVB_Unpacker_v033

I added support for Enigma Virtual Box 7.30, (hopefully) fixed all issues with very long filenames and fixed an issue with processing command-line.

Thanks to ManOfWar for constantly supplying new challenges and parrot for bringing my attention to a bug with command-line.

Download link: Please get latest version from this post

08 Jul 2015

Fun with encrypted VBScript

In the post on malicious LNK file analysis, I mentioned that malicious LNK file contained encrypted VBScript. Of course I wanted to check the script, so I started Googling for tools to decrypt VBScript files.

Existing tools

There is some research about the used encryption algorithm and few tools as well. The most useful to me seemed article explaining the algorithm behind script encoder. Its author also has released several versions of his scrdec tool which is supposed to decrypt VBE files.

But, as it usually happens, publicly available tools tend to blow up in the most unexpected ways on non-standard scripts.

I'm gonna fix that!

Cause of the problems

All publicly available tools assume that the encrypted file will be using ANSI encoding. But it doesn't have to! smile All the operations in vbscript.dll use wide chars and wide strings.

For example, here's a simple encrypted VBScript that is saved as a "unicode" file: https://www.mediafire.com/?cd98w73v12fpdq7. This one you can actually open in notepad, save as ANSI and then decode using scrdec.exe.

But how about this one? https://www.mediafire.com/?xdj6dfxsrcgbdr1. You can open it in text editor and save as ANSI - but after that it will not work anymore and script decoders will fail as well. How about that? wink

Writing my own script decoder

Taking into account these problems, I decided to write my own decoder in C#. C# seemed to be a logical choice as .NET uses wide strings internally and it has StreamReader class that can take care of ANSI/Unicode/UTF8 string encoding automatically - so that I can focus on the actual decryption algorithm instead.

Well, almost.

.NET Framework contains Base64 decoding functions. Unfortunately, VBE files use a nonstandard approach to Base64. So, I had to implement simple Base64 decoder from scratch, taking into account all the weirdness of the VBE files. But that's a very simple thing to do.

First version of decoder took me few hours to make. And it worked nicely! smile But I still wasn't satisfied because vbscript.dll disassembly showed me quite a few "weird" jumps. They were not taken in my examples but I was sure I could make up some test files that would force these jumps to be taken.

Oh boy, I rather wish I hadn't done that..

Bug-features of VBScript.dll

It turns out that not only you can use wide chars, you can do some other really hairy stuff:

  • you can mix encrypted code blocks with plain VBS in one file;
  • and you can put several encrypted code blocks in one file;
  • if encrypted code block length cannot be decoded or is larger than the filesize, this block will be considered to be plain VBS;
  • if encrypted code block checksum cannot be decoded or doesn't match the calculated one, this block will be considered to be plain VBS;

Having fun already?

It took me a few more hours to get my script decoder right. Now it should work almost the same way Microsoft's vbscript.dll works. But I wonder how many AV engines got this implementation right? We shall test and see!

Testing AV engines

OK, OK, I didn't really test AV engines. I just used VirusTotal to scan the files. This approach is really flawed (for many reasons that deserve a separate blog post) but it gives you some estimate how good or bad the situation really is.

I googled for some really common and easily detected VBScript malware. In few minutes I found this great example named aiasfacoafiasksf.vbs.

Let's see what VirusTotal says for the original file:

File name: aiasfacoafiasksf.vbs
Detection ratio: 38 / 56
Analysis date: 2015-06-30 12:10:06 UTC

OK, that's pretty decent. Should I try encrypting it using Microsoft's screnc.exe?

Hmm, VT results are 24/55. Looks like some antiviruses don't even know that VBScript can be encrypted..

Let's see what happens when we start pushing the limits:

  • Converting VBE to unicode we get: 19/55. Wide strings? Who needs that, the entire world speaks English;
  • VBE file consisting of multiple blocks: 12/55. I know, for loop is hard to implement;
  • Mixing plain text and encrypted VBE blocks: 10/55. Nah, that lonely jmp will never be taken;
  • Mixing plain/encrypted blocks and using unicode: 7/55. I feel really protected now;

Please note, I haven't modified a single byte in the plain-text representation of the malicious script. All I did is change the way the script is encoded.

Let's see what happens when I add some comments to the malicious script. Again, these are cosmetic changes, I am not changing a single variable name or functionality of the script. Any AV engine that normalizes input data before scanning should still detect malware.

  • Plain VBS with extra comments: 14/55. Apparently they don't normalize input data;
  • VBE with extra comments: 10/55. That's kinda expected;
  • Extra comment containing VBE start marker: 10/55. Suddenly getting "BehavesLike.JS.Autorun.mx" from McAfee. Excuse me? Are you using PRNG to generate those detections?

OK, so adding comments to VBScript is not that bad. But what happens when we put it all together?

Add extra comments + one VBE start marker in comment + one encrypted VBE block + use unicode: 3/53.

Hmmmm...

What can I say? Apparently some AV companies love to talk about their script engine features - but they don't implement these features properly. It would be extremely easy to detect most of my test files as malformed VBScript - as there is no way to generate such files using standard tools. But they don't do even that. Considering all this misery, I will not release any code that could be used to create super-duper-awesome-FUD VBScript encoder - even though it takes less than an hour to make one.

Note - it took me few weeks to get this post from a working draft to a published version. I'm sure that current VirusTotal results will be different, as most AV companies have had chance to process script files and make signatures for them. wink Also, any decent AV company should be able to get those samples from VirusTotal if they wish to fix their VBScript processing.

Have fun and keep it safe!

Useful links

Windows Script Encoder v1.0
My VBScript decoder: https://www.mediafire.com/?9pqowl05um4jums
I am not posting the source code but this is a non-obfuscated application made in C#. So feel free to use any decompiler you like..
Set of non-malicious VBE files demonstrating some edge cases of what you can do: https://www.mediafire.com/?bu3u62t858dn4id
Article in klaphek.nl, explaining the algorithm behind script encoder
scrdec.exe v1.8
scrdec.c v1.8
vbs_dec.pas by Andreas Marx