Just documenting my attempts, for my own learning, at reversing the Emotet unpacker.
This may not be correct; I'm just learning, so I may be completely misunderstanding or missing things.
sample:
hxxps://www.internationalabacus[.]com/calendar/Lr/
https://www.virustotal.com/gui/file/eac3cec9d0fcd2de926b66c0720bed7d8a38c092aa42089ac9a6e3a72002c5da/detection
ceb166362f11a7769b71a2bcb5eb0e31
Interesting APIs to maybe set breakpoints on (exporting DLL in parentheses):
MoveFileExA (kernel32)
CreateProcessInternalW (kernel32)
RtlIPv4StringToAddress (ntdll)
UrlCanonicalizeW (SHLWAPI)
GetAddressInfoExW (WS2_32)
HttpSendRequestW (WinInet)
Wednesday, January 29, 2020
Emotet failed attempt at Reversing
Labels: emotet, ida pro, Malware, reverse engineer, reversing
Friday, January 24, 2020
assembly basics: strcmp ; test eax, eax
push eax (1st string to compare)
push ecx (2nd string to compare)
call strcmp (compare using the C library: if the strings are the same EAX = 0, if different EAX is non-zero)
test eax, eax (like 'and eax, eax' except only the flags are updated and EAX keeps its value ... so if EAX = 0 then ZF = 1, if EAX is non-zero then ZF = 0)
jz loc_40124C (jump if zero: taken when ZF = 1, which is when EAX = 0, i.e. the strings matched)
------
In simpler terms
- compare the 2 strings
- if same
- EAX gets set to 0
- ZF gets set to 1
- JZ will jump because ZF = 1
- if different
- EAX gets set to a non-zero value
- ZF gets set to 0
- JZ will NOT jump because ZF = 0
------
In simplest terms
if you see " strcmp ; test ; jz "
JZ green if the 2 strings are the same (0)
JZ red if the 2 strings are different (non 0)
if you see " strcmp ; test ; jnz "
JNZ green if the 2 strings are different (non 0)
JNZ red if the 2 strings are the same (0)
if you see " strlen; test ; jz "
JZ green if empty string (0)
JZ red if non-empty string (non 0)
if you see " strlen ; test ; jnz "
JNZ green if non-empty string (non 0)
JNZ red if empty string (0)
if you see " call; test ; jz "
JZ green if function call successful (0)
JZ red if function call failed (non 0)
if you see " call ; test ; jnz "
JNZ green if function call failed (non 0)
JNZ red if function call successful (0)
if you see " cmp ; test ; jz "
JZ green if the 2 numbers are the same (0)
JZ red if the 2 numbers are different (non 0)
if you see " cmp ; test ; jnz "
JNZ green if the 2 numbers are different (non 0)
JNZ red if the 2 numbers are the same (0)
Jump arrows
Green: the condition is satisfied (JZ when EAX = 0, JNZ when EAX is non-0)
Red: the condition is not satisfied (JZ when EAX is non-0, JNZ when EAX = 0)
Wednesday, January 22, 2020
list all ips in a range, genip
> genip 10.0.0.1-10
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.5
10.0.0.6
10.0.0.7
10.0.0.8
10.0.0.9
10.0.0.10
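As an added example (not the genip tool itself), a Python expander for the abbreviated range syntax shown above, "10.0.0.1-10", plus the long form "10.0.0.1-10.0.0.10"; handy when building a scan scope or an allow-list check from that shorthand.

```python
# Added example: expand genip-style IPv4 range shorthand into individual addresses.
# Supported forms: "a.b.c.d", "a.b.c.d-N" (N replaces the last octet), "a.b.c.d-e.f.g.h".
import ipaddress

def expand_range(spec: str) -> list:
    """Return the list of IPv4 address strings covered by spec (inclusive)."""
    if "-" not in spec:
        return [str(ipaddress.IPv4Address(spec))]
    start_s, end_s = spec.split("-", 1)
    start = ipaddress.IPv4Address(start_s)
    if "." in end_s:
        end = ipaddress.IPv4Address(end_s)            # long form: full end address
    else:
        last_octet = int(end_s)                       # short form: only the last octet changes
        if not 0 <= last_octet <= 255:
            raise ValueError(f"last octet out of range in {spec!r}")
        prefix = start_s.rsplit(".", 1)[0]
        end = ipaddress.IPv4Address(f"{prefix}.{last_octet}")
    if end < start:
        raise ValueError(f"range end precedes start in {spec!r}")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(start), int(end) + 1)]

if __name__ == "__main__":
    for ip in expand_range("10.0.0.1-10"):   # constructed input, same as the genip call above
        print(ip)
```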
openvpn error, write to TUN/TAP: Input/output error (code=5)
If you get the error "write to TUN/TAP: Input/output error (code=5)",
type
> dhclient tap0
then try again.
This enables DHCP on the tap0 interface.
Monday, January 6, 2020
bettercap missing local to local traffic
Issue I ran into:
I had 3 VirtualBox VMs:
1.) Linux running python SimpleHTTPServer, simulates a website, network set to "internal network"
2.) Windows accessing the Linux website in #1 above, simulates the victim, network set to "internal network"
3.) Kali running bettercap, arp.spoof.targets = Linux server #1 above and Windows #2 above, will do MiTM (man-in-the-middle) against the 2 systems above, network set to "internal network"
The issue I ran into is that with ettercap (no 'b') it worked great: I could see the traffic going from the Windows box to the Linux web server. BUT with bettercap the ARP spoof seemed to work, but the traffic was nowhere to be found when using tools like "net.sniff" or "https.proxy" in bettercap.
Root Cause:
By default ettercap (no 'b') captures all traffic (local & external)
By default bettercap only captures external traffic & ignores local to local traffic
Fix:
set arp.spoof.internal true
set net.sniff.local true
This enables capture of internal traffic, and now I started seeing it!