How the hell can the HASH value be put to more useful work?
For example, masking some data inside your code (e.g. a crypto key or some default values).
Download, unpack and build yaadt.2.01.tgz
$ tar xvzf yaadt.2.01.tgz
yaadt.2/
yaadt.2/md5.c
yaadt.2/hiddenyzer.c
yaadt.2/hiddenvalues.c
yaadt.2/md5.h
yaadt.2/hidden.h
$ cd yaadt.2
$ # BUILD
$ gcc hiddenvalues.c md5.c -o hiddenvalues
$ gcc hiddenyzer.c md5.c -o hiddenyzer
Considering the previous LINKER explanation, my idea is based on the HASH of the whole read-only (RO) area.
Let's look more closely at the hiddenvalues file.
$ objdump -h hiddenvalues
hiddenvalues: file format elf32-i386
Sections:
Idx Name Size VMA LMA File off Algn
0 .interp 00000013 08048154 08048154 00000154 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
1 .note.ABI-tag 00000020 08048168 08048168 00000168 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .hash 0000002c 08048188 08048188 00000188 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
3 .gnu.hash 00000020 080481b4 080481b4 000001b4 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
4 .dynsym 00000060 080481d4 080481d4 000001d4 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
5 .dynstr 00000051 08048234 08048234 00000234 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
6 .gnu.version 0000000c 08048286 08048286 00000286 2**1
CONTENTS, ALLOC, LOAD, READONLY, DATA
7 .gnu.version_r 00000020 08048294 08048294 00000294 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
8 .rel.dyn 00000008 080482b4 080482b4 000002b4 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
9 .rel.plt 00000020 080482bc 080482bc 000002bc 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
10 .init 00000017 080482dc 080482dc 000002dc 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
11 .plt 00000050 080482f4 080482f4 000002f4 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
12 .text 00001094 08048350 08048350 00000350 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
13 .fini 0000001c 080493e4 080493e4 000013e4 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
14 .rodata 000000a0 08049400 08049400 00001400 2**5
CONTENTS, ALLOC, LOAD, READONLY, DATA
15 .eh_frame 00000004 080494a0 080494a0 000014a0 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
16 .ctors 00000008 0804af0c 0804af0c 00001f0c 2**2
CONTENTS, ALLOC, LOAD, DATA
17 .dtors 00000008 0804af14 0804af14 00001f14 2**2
CONTENTS, ALLOC, LOAD, DATA
18 .jcr 00000004 0804af1c 0804af1c 00001f1c 2**2
CONTENTS, ALLOC, LOAD, DATA
19 .dynamic 000000d0 0804af20 0804af20 00001f20 2**2
CONTENTS, ALLOC, LOAD, DATA
20 .got 00000004 0804aff0 0804aff0 00001ff0 2**2
CONTENTS, ALLOC, LOAD, DATA
21 .got.plt 0000001c 0804aff4 0804aff4 00001ff4 2**2
CONTENTS, ALLOC, LOAD, DATA
22 .data 00000024 0804b010 0804b010 00002010 2**2
CONTENTS, ALLOC, LOAD, DATA
23 .bss 00000004 0804b034 0804b034 00002034 2**2
ALLOC
24 .comment 00000130 00000000 00000000 00002034 2**0
CONTENTS, READONLY
so:
Starting File Offset : 0x00000154
Starting VMA Area    : 0x08048154
Size File Area       : 0x000014a0 - 0x00000154 + 0x00000004 = 0x00001350
Size VMA Area        : 0x080494a0 - 0x08048154 + 0x00000004 = 0x00001350
Incredible, isn't it? Over this whole RO range the file offset and the VMA differ by the same constant (0x08048000), so the bytes in the file are exactly the bytes that get mapped into memory.
How does my tool work?
Both the hiddenyzer and hiddenvalues executables share this initialized struct (from hidden.h):
struct hiddenized_s {
    char *p;
    int len;
    int numbers[4];             /* Here a hidden message will be stored */
} hiddenizerator = {
    .p = 0,
    .len = 0,
    .numbers = { 0x00000001,    /* This is the public unmasked message.   */
                 0x00000002,    /* After being processed by "hiddenyzer"  */
                 0x00000003,    /* these values will be masked with the   */
                 0x00000004 }   /* machine code MD5 hash sum value        */
};
This struct is used in:
hiddenvalues, as the default message and as the place where the start (p) and size (len) of the area to MD5-checksum are stored.
hiddenyzer, as the marker used to find the message offset inside the hiddenvalues file.
More or less, this is how hiddenyzer works.
Execute it:
$ # THIS SCRIPT EXTRACTS THE READ-ONLY VMA RANGE FROM THE ELF EXECUTABLE
$ # AND PASSES THESE VALUES AS hiddenyzer INPUT PARAMETERS (strtonum needs gawk)
$ objdump -h hiddenvalues | grep -e interp -e eh_frame \
| awk '{print "0x" $3 " 0x" $4 " 0x" $6}' | xargs \
| awk '{print strtonum($2) " " strtonum($3) " " strtonum($6) - strtonum($3) + strtonum($4)}' \
| xargs ./hiddenyzer hiddenvalues ;
Hiddenyzer:
SRC File: hiddenvalues
Outfile: hiddenvalues.hid
read 11272
MD5 = 1c46f25976ffc65934a269c144c6639c
hiddenizerator found at: 0x0000201c
$ ls -l
total 112
-rw-r--r-- 1 root root 2014 Feb 22 17:13 hidden.h
-rwxr-xr-x 1 root root 11272 Feb 23 08:07 hiddenvalues
-rw-r--r-- 1 root root 2746 Feb 22 17:13 hiddenvalues.c
-rwxr-xr-x 1 root root 11272 Feb 23 08:07 hiddenvalues.hid
-rwxr-xr-x 1 root root 16112 Feb 23 08:07 hiddenyzer
-rw-r--r-- 1 root root 6633 Feb 22 17:12 hiddenyzer.c
-rw-r--r-- 1 root root 11096 Feb 22 16:32 md5.c
-rw-r--r-- 1 root root 2984 Feb 22 16:32 md5.h
A hexdump of the two executables (hiddenvalues on the left, hiddenvalues.hid on the right, shown in vim with :%!xxd -c 8) shows the result of the previous operation:
... 2049 lines folded ... | ... 2049 lines folded ...
0002004: 1a83 0408 .... | 0002004: 1a83 0408 ....
0002008: 2a83 0408 *... | 0002008: 2a83 0408 *...
000200c: 3a83 0408 :... | 000200c: 3a83 0408 :...
0002010: 0000 0000 .... | 0002010: 0000 0000 ....
0002014: 0000 0000 .... | 0002014: 0000 0000 ....
0002018: 18af 0408 .... | 0002018: 18af 0408 ....
000201c: 0000 0000 .... | 000201c: 5481 0408 T... 0x08048154
0002020: 0000 0000 .... | 0002020: 5013 0000 P... 0x00001350
0002024: 0100 0000 .... 0x00000001 | 0002024: 1d46 f259 .F.Y
0002028: 0200 0000 .... 0x00000002 | 0002028: 74ff c659 t..Y
000202c: 0300 0000 .... 0x00000003 | 000202c: 37a2 69c1 7.i.
0002030: 0400 0000 .... 0x00000004 | 0002030: 40c6 639c @.c.
0002034: 0047 4343 .GCC | 0002034: 0047 4343 .GCC
0002038: 3a20 2847 : (G | 0002038: 3a20 2847 : (G
000203c: 4e55 2920 NU) | 000203c: 4e55 2920 NU)
0002040: 342e 312e 4.1. | 0002040: 342e 312e 4.1.
0002044: 3220 2847 2 (G | 0002044: 3220 2847 2 (G
0002048: 656e 746f ento | 0002048: 656e 746f ento
... 752 lines folded ... | ... 752 lines folded ...
As you can see, the message is no longer readable inside the raw executable.
How does the unmasking process work?
Just a simple XOR is used to unmask the XOR-masked data: at run time the program computes the MD5 of the RO area pointed to by p and len, and XORs each word of the digest back into numbers[].
Run normally, the masked executable (hiddenvalues.hid) prints the original message:
0 -> 0x00000001
1 -> 0x00000002
2 -> 0x00000003
3 -> 0x00000004
Mmmmmmm
Interesting!!!
And, as explained in the previous article, any modification of the hiddenvalues.hid machine code, or of the statically linked library code, changes this MD5 hash value and therefore the output message:
0 -> 0xc1704f2e
1 -> 0x2d82b74d
2 -> 0x2d66d920
3 -> 0xf38e9c15
AAAAAAAHHH!!!
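The masking and unmasking described above (hiddenyzer patching p, len and the masked numbers into the struct, hiddenvalues XORing the run-time MD5 back in, and the effect of changing a single hashed byte), as an added Python example that is not the yaadt code; the image is a constructed stand-in rather than a real ELF, and the RO offsets are the ones from the objdump output above:

```python
import hashlib
import struct

# The hiddenizerator struct as laid out in .data (little-endian 32-bit words, as in
# the hexdump above): p, len, numbers[4]. hiddenyzer searches the file for these
# marker values.
MARKER = struct.pack("<6I", 0, 0, 1, 2, 3, 4)
# RO range from the objdump output (.interp .. .eh_frame): file offset, VMA, size.
# Offset and VMA differ by a constant, so the file bytes equal the mapped bytes.
RO_OFF, RO_VMA, RO_LEN = 0x154, 0x08048154, 0x1350

def mask_words(words, digest):
    """XOR four 32-bit words with the four little-endian words of an MD5 digest."""
    return [w ^ d for w, d in zip(words, struct.unpack("<4I", digest))]

def hiddenyze(image, ro_off=RO_OFF, ro_vma=RO_VMA, ro_len=RO_LEN):
    """What hiddenyzer does: hash the RO area, find the marker struct (which must
    sit outside the hashed range) and patch p, len and the masked numbers in."""
    digest = hashlib.md5(image[ro_off:ro_off + ro_len]).digest()
    idx = image.find(MARKER)
    if idx < ro_off + ro_len:  # also covers idx == -1 (marker not found)
        raise ValueError("hiddenizerator marker not found outside the RO area")
    masked = mask_words(struct.unpack("<4I", MARKER[8:]), digest)
    patched = struct.pack("<6I", ro_vma, ro_len, *masked)
    return image[:idx] + patched + image[idx + len(MARKER):], idx

def unmask(image, struct_off, load_delta=RO_VMA - RO_OFF):
    """What hiddenvalues does at run time: take p and len from its own struct,
    hash that memory range and XOR the digest back into numbers[]."""
    p, length = struct.unpack_from("<2I", image, struct_off)
    start = p - load_delta  # VMA -> file offset (same bytes, see the size check above)
    digest = hashlib.md5(image[start:start + length]).digest()
    return mask_words(struct.unpack_from("<4I", image, struct_off + 8), digest)

def build_image():
    """Constructed stand-in for the hiddenvalues file (not a real ELF): an RO area
    of deterministic bytes followed by a .data area holding the marker struct."""
    ro = (bytes(range(256)) * 20)[:RO_LEN]
    return bytes(RO_OFF) + ro + bytes(0x40) + MARKER + bytes(0x10)

def demo():
    """Mask, then unmask once intact and once after one hashed byte is changed,
    as happens when a debugger plants an int3 (0xCC) breakpoint in .text."""
    hidden, off = hiddenyze(build_image())
    intact = unmask(hidden, off)
    tampered = bytearray(hidden)
    tampered[RO_OFF + 0x100] ^= 0xCC
    return intact, unmask(bytes(tampered), off)
```

demo() returns the original 1..4 for the intact image and four unrelated words for the tampered one; mask_words() applied to the MD5 shown above reproduces the right-hand column of the hexdump.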
Debug it. Setting a breakpoint with gdb writes an int3 opcode into .text, which lies inside the hashed RO area, so the MD5 value (and with it the output) changes as soon as the breakpoint is planted:
$ gdb ./hiddenvalues.hid
GNU gdb 6.7.1
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) run
Starting program: /root/Eugenio/crypt/pubblicazione/yaadt.2/hiddenvalues.hid
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
0 -> 0x00000001
1 -> 0x00000002
2 -> 0x00000003
3 -> 0x00000004
Program exited with code 04.
(gdb) break main
Breakpoint 1 at 0x8048402
(gdb) run
Starting program: /root/Eugenio/crypt/pubblicazione/yaadt.2/hiddenvalues.hid
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
Breakpoint 1, 0x08048402 in main ()
(gdb) c
Continuing.
0 -> 0xc1704f2e
1 -> 0x2d82b74d
2 -> 0x2d66d920
3 -> 0xf38e9c15
Program exited with code 04.
(gdb) quit
Eugenio Parodi, 6 Mar 2011 23:29