Software mechanism of Genesis --- a cheating software for Warcraft3. Yang Chen, Wen Sun.

A little bit about Genesis
 - The new version of ZeroCraft
 - Contains two main pieces:
   (1) Launcher.exe
   (2) Genesis.dll

Our adventure 1 - Launcher.exe part. 1st try: load the EXE file with OllyDbg directly. OllyDbg gives an error message.

Our adventure 1 - Launcher.exe part Maybe this file is self-extracting or self-modifying

Our adventure 1 - Launcher.exe part. Next, load the .exe file with IDA directly. IDA gives an error message as well.

Our hypothesis: the software has been packed!

Our adventure 1 - Launcher.exe part. 2nd try: unpack the EXE file with existing unpackers
 (1) UPX: didn't work
 (2) GUW: didn't work
 (3) ProcDump: its universal (run-then-dump) unpacking approach gave us good news!

We also tried to unpack the DLL file with ProcDump, but that didn't work. At this point our conclusion was that the EXE file and the DLL file may be packed by different packers.

Our adventure 1 - Launcher.exe part. 3rd try: load the unpacked EXE file with IDA. Everything seems fine.

However, things turned out not to be that "normal". Problems we hit:
 (1) Looking at the assembly code and the register contents, we saw some invalid address accesses.
 (2) We set a breakpoint and let the debugger run step by step. At the line "add ss:dword_4093DB[ebp], ebx" we got an error message, and at the same time the debugger was disabled.

Our adventure 1 - Launcher.exe part. Error message: Launcher_unpacked.exe: "The instruction at 0x7C referenced memory at 0x7CC01D77. The memory could not be read."

Our adventure 1 - Launcher.exe part. Running the unpacked EXE file directly also gives an error message.

Our hypothesis: the PE file may have been damaged when we unpacked the EXE file. Our solution: use ProcDump's "Rebuild PE" function to rebuild the PE file.

Running the unpacked file directly after the PE rebuild gives the following error message:

Our adventure 2 - Launcher.exe part
 (1) We finally realized that the unpacking done by ProcDump may not have finished successfully, contrary to what the tool reported.
 (2) We decided to unpack it manually instead.

Our adventure 1 - Launcher.exe part. One last try with PEiD before we start unpacking the software manually. Luckily it identifies the packer used: PECompact 1.56.

Our adventure 2 – Launcher.exe. Manual unpacking, three tools in sequence:
Using OllyDbg (the ESP trick):
 - locate ESP
 - follow ESP in the dump window
 - set a breakpoint on the first dword pointed to by ESP
 - run the code
 - step into
 - got the OEP
Using LordPE, full-dump the process image from memory.
Using ImpREC, fix the import table (the IAT virtual addresses) of the dumped PE.

Our adventure 2 – Launcher.exe. Step in until we reach this point, then dump.

Our adventure 2 – Launcher.exe. Run (F9) the code in OllyDbg and step in (F7) until …

Our adventure 2 – Launcher.exe. OEP

Our adventure 2 – Launcher.exe. Fix PE

Our adventure 2 – Launcher.exe. Run strings on the unpacked PE.

Our adventure 2 – Launcher.exe. We manually unpacked the EXE file successfully.

Our adventure 3 – Genesis.dll. Then we tried to unpack the DLL file. There is only one significant difference from the EXE file:

Our adventure 3 – Genesis.dll. Change to 010E, i.e. clear the IMAGE_FILE_DLL bit (0x2000) in the Characteristics field of the PE file header (a DLL normally shows 210E), so that OllyDbg loads the DLL like an EXE and the same ESP trick applies.

Our adventure 3 – Genesis.dll. We unpacked the DLL successfully. We tried to launch the unpacked .exe and .dll: the unpacked genesis.dll does not work. Something must be wrong.

Our adventure 3 – Genesis.dll Checksum failure

Our adventure 3 – Genesis.dll. We tried to fix the checksum.

Our adventure 3 – Genesis.dll. The problem is still there; we have to resort to another way. From the PE specification we learned:
 - the Authenticode PE image hash relates to the integrity of a file
 - in an Authenticode signature, the file hash is digitally signed using a private key known only to the signer of the file
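The three header-level repairs the slides describe (the Characteristics change to 010E for the DLL, the "Fix PE" step on a memory dump, and the CheckSum fix that turned out not to be enough), as an added Python example that is not the presentation's own code. It constructs a PE32 "dump" in memory (not the real Genesis.dll), clears IMAGE_FILE_DLL, realigns the section table the way a full memory dump needs, recomputes the PE CheckSum with the imagehlp algorithm, and reads the Authenticode certificate-table entry to show why a CheckSum fix cannot satisfy a signature check. All function and constant names are this example's own; the sample bytes are constructed.

```python
"""Header-level repairs on a dumped/unpacked 32-bit PE, stdlib only. Added
example, not the presentation's code; the sample image is constructed here."""
import struct

IMAGE_FILE_DLL = 0x2000
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode certificate table)

def _layout(img):
    """Offsets (file_hdr, opt_hdr, sec_table, n_sections) of a PE32 image."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", img, pe + 6)[0]
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]
    if struct.unpack_from("<H", img, pe + 24)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    return pe + 4, pe + 24, pe + 24 + opt_size, n_sections

def file_characteristics(img):
    return struct.unpack_from("<H", img, _layout(img)[0] + 18)[0]

def sections(img):
    """[(Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)]"""
    _, _, tbl, n = _layout(img)
    return [struct.unpack_from("<8sIIII", img, tbl + 40 * i) for i in range(n)]

def clear_dll_flag(img):
    """The 'change to 010E' step: 0x210E -> 0x010E drops IMAGE_FILE_DLL so the
    debugger loads the DLL like an EXE and the ESP trick can be applied."""
    out = bytearray(img)
    struct.pack_into("<H", out, _layout(img)[0] + 18,
                     file_characteristics(img) & ~IMAGE_FILE_DLL)
    return bytes(out)

def realign_dump_sections(img):
    """'Fix PE' after a full memory dump: bytes sit at their virtual addresses,
    so raw offset/size := virtual offset/size and FileAlignment := SectionAlignment."""
    out = bytearray(img)
    _, opt_hdr, tbl, n = _layout(img)
    struct.pack_into("<I", out, opt_hdr + 36, struct.unpack_from("<I", out, opt_hdr + 32)[0])
    for i in range(n):
        vsize, vaddr = struct.unpack_from("<II", out, tbl + 40 * i + 8)
        struct.pack_into("<II", out, tbl + 40 * i + 16, vsize, vaddr)
    return bytes(out)

def pe_checksum(img):
    """imagehlp-style CheckSum: 16-bit sum with end-around carry over the file,
    skipping the CheckSum field itself, plus the file length."""
    cs_off = _layout(img)[1] + 64
    data = img + (b"\0" if len(img) % 2 else b"")
    total = 0
    for off in range(0, len(data), 2):
        if off in (cs_off, cs_off + 2):
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total & 0xFFFF) + len(img)) & 0xFFFFFFFF

def checksum_ok(img):
    return struct.unpack_from("<I", img, _layout(img)[1] + 64)[0] == pe_checksum(img)

def fix_checksum(img):
    out = bytearray(img)
    struct.pack_into("<I", out, _layout(img)[1] + 64, pe_checksum(img))
    return bytes(out)

def authenticode_entry(img):
    """(file offset, size) of the WIN_CERTIFICATE blob, (0, 0) if unsigned. A dump
    never contains the blob and the signed hash needs the signer's private key,
    so no CheckSum fix can satisfy a check against this signature."""
    return struct.unpack_from("<II", img, _layout(img)[1] + 96 + 8 * SECURITY_DIR)

def build_sample_dump():
    """Constructed sample (not the real Genesis.dll): a PE32 DLL fully dumped from
    memory, section table still describing the on-disk layout, CheckSum zero and
    a stale Authenticode directory entry left over from the original file."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                               # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x210E)  # i386, 1 section, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x10000000)                         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                     # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x1100, 0x1000)                    # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, 0x1100, 0x800)  # certificate table entry
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200,
                      0, 0, 0, 0, 0x60000020)                           # raw size/ptr still on-disk
    img = bytearray(0x1100)
    hdr = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec
    img[:len(hdr)] = hdr
    img[0x1000:] = b"\xC3" * 0x100                                      # section body at its VA
    return bytes(img)

def repair_dump(img):
    """Same order as the slides: clear the DLL flag, fix the PE, fix the checksum."""
    return fix_checksum(realign_dump_sections(clear_dll_flag(img)))
```

repair_dump(build_sample_dump()) yields an image with Characteristics 010E, section raw fields equal to the virtual ones, and a CheckSum that verifies, while authenticode_entry() still reports the old certificate-table entry. Clearing IMAGE_FILE_DLL is a debugging convenience only and should be restored before the DLL is used with its launcher; the certificate blob the entry points to is never part of a process dump, which is why a signed image cannot be made to verify again by patching headers.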

Conclusion
 - Reverse engineering is hard: too many tools, too many software versions, and many anti-reversing techniques.
 - For unpacking, the key point is to locate the OEP.
 - Launcher.exe is coded in VB:
   - call
   - msvbvm60.dll is the VB virtual machine runtime library
   - ThunRTMain is the VB code entry point
 - However, we believe Genesis.dll is programmed in C or C++.