Reversing iGo Navigation

I got a call from a close friend on Friday about reversing a file that was possibly compressed. Here is the reversing session I performed for him.
Let's first talk a little about the environment, because I generally use the kernel debugger instead of a user-mode one. The main reason is that I am used to kernel debugging and I really like the power of pausing the whole OS with just two keys :) Don't you think it's great?

Actually, my system is fine-tuned for kernel debugging and I have everything I need in place while using KD (scripts, symbols, paths and the rest).

So, the first thing I generally do is patch the first byte at the OEP to 0xCC (int 3), which makes the target OS break into KD as soon as it executes the entry point of the executable.

Following is the screenshot, using CFF Explorer:

After running the executable we find ourselves in WinDbg. To undo what we did, replace the 0xCC (int 3) with the original opcode byte (0xE8, the first byte of a call instruction, in our case). The period in the command below is WinDbg's shorthand for the current instruction pointer, so make sure EIP is sitting on the patched byte (u . shows it) before writing:

eb . 0xE8
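The same patch-and-restore as an added Python example (mine, not the post's; the post did it by hand in CFF Explorer): the script reads AddressOfEntryPoint from the optional header, maps that RVA to a file offset through the section table, writes 0xCC there and keeps the original byte, which is exactly what the eb command above needs. The toy PE it builds is a constructed fixture, and the entry bytes (a call followed by a ret) are an assumption.

```python
import struct

INT3 = 0xCC


def _pe_header_offset(data: bytes) -> int:
    """Return the file offset of the 'PE\\0\\0' signature (e_lfanew)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew


def entry_point_rva(data: bytes) -> int:
    """AddressOfEntryPoint sits 16 bytes into the optional header for both PE32 and PE32+."""
    pe = _pe_header_offset(data)
    return struct.unpack_from("<I", data, pe + 24 + 16)[0]


def rva_to_file_offset(data: bytes, rva: int) -> int:
    """Walk the section table and map an RVA to its raw file offset."""
    pe = _pe_header_offset(data)
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    first_section = pe + 24 + opt_size
    for i in range(num_sections):
        hdr = first_section + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        virt_size, virt_addr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        if virt_addr <= rva < virt_addr + max(virt_size, raw_size):
            return raw_ptr + (rva - virt_addr)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def patch_entry_breakpoint(data: bytes) -> tuple:
    """Return (patched image, entry RVA, original byte). Keep the byte: eb needs it later."""
    rva = entry_point_rva(data)
    off = rva_to_file_offset(data, rva)
    patched = bytearray(data)
    original = patched[off]
    patched[off] = INT3
    return bytes(patched), rva, original


def restore_entry(data: bytes, original: int) -> bytes:
    """Undo patch_entry_breakpoint on the file (the post does the in-memory equivalent with eb)."""
    off = rva_to_file_offset(data, entry_point_rva(data))
    fixed = bytearray(data)
    fixed[off] = original
    return bytes(fixed)


def windbg_restore_command(original: int) -> str:
    """The in-debugger restore: '.' is the current instruction pointer."""
    return f"eb . {original:#04x}"


def build_toy_pe(code: bytes) -> bytes:
    """Constructed fixture: minimal PE32 with one .text section at RVA 0x1000, file offset 0x200."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, one section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)     # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)      # FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)     # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)      # SizeOfHeaders
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)  # code | execute | read
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    return headers + code.ljust(0x200, b"\0")


if __name__ == "__main__":
    image = build_toy_pe(b"\xE8\x00\x00\x00\x00\xC3")  # assumed entry: call $+5; ret
    patched, rva, original = patch_entry_breakpoint(image)
    print(f"entry RVA {rva:#x}, original byte {original:#04x}, "
          f"restore in the debugger with: {windbg_restore_command(original)}")
```

On a real target you read the file, call patch_entry_breakpoint, write the patched image out and note the returned byte; once the int 3 has fired, windbg_restore_command gives you the exact eb line to type.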

Then we note the file name. What does this file contain and how does the application use it? That was the main question I was asked.

To be sure, I traced the application with Rohitab API Monitor and saw that everything was fine, with one small detail:

"All CreateFile calls return to the same address, 0x52E910", which in our language means the app has a wrapper function around CreateFile.

Most of the time I use IDA together with WinDbg and let each support the other. They are both the best in the field, but when combined they become the best of the best! The following script exports my current position in IDA as a well-formed WinDbg breakpoint.

After setting my breakpoints for CreateFile, I wrote a conditional breakpoint command that stops only on access to the "Turkey.poi" file, since there are a lot of CreateFile calls, and then combined the IDA-generated breakpoint with my conditional WinDbg script file.
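What the two pieces look like in code, as an added Python example rather than the author's scripts: a module-relative bp built from the IDA cursor (so it survives a rebase), and a CreateFileW breakpoint body that resumes unless lpFileName matches a wildcard. The ida modules are only available inside IDA; everything else runs anywhere. The WinDbg body uses the usual as /mu + .block + $spat idiom; the module name igo, the image base 0x400000 and the exact quoting are assumptions to check against your WinDbg version.

```python
try:
    import idc      # present only when this runs inside IDA
    import idaapi
except ImportError:  # outside IDA the string builders below still work
    idc = idaapi = None


def module_relative_bp(module: str, ea: int, image_base: int, command: str = "") -> str:
    """'bp module+0xRVA' keeps working after a rebase or ASLR, unlike a raw address."""
    rva = ea - image_base
    bp = f"bp {module}+{rva:#x}"
    if command:
        bp += f' "{command}"'
    return bp


def symbol_bp(symbol: str, command: str = "") -> str:
    """Breakpoint on an exported symbol, e.g. kernel32!CreateFileW."""
    bp = f"bp {symbol}"
    if command:
        bp += f' "{command}"'
    return bp


def createfilew_name_filter(pattern: str, on_match: str = ".echo matched") -> str:
    """Breakpoint body that continues unless lpFileName matches a wildcard pattern.

    x86 stdcall: at function entry the first argument is at esp+4 (on x64 it is rcx).
    'as /mu' copies the UNICODE string into an alias, '.block' forces the alias to
    expand inside the same command string, '$spat' is a case-insensitive wildcard
    compare and 'gc' resumes when there is no match. Inner quotes are escaped as \\"
    because the whole body ends up inside the outer bp quotes.
    """
    quoted_name = '\\"${FileName}\\"'
    quoted_pattern = '\\"' + pattern + '\\"'
    return (
        "as /mu ${/v:FileName} poi(@esp+4); "
        ".block { .if ($spat(" + quoted_name + ", " + quoted_pattern + ")) "
        "{ " + on_match + " } .else { gc } }"
    )


def export_current_position(command: str = "") -> str:
    """Inside IDA: emit a module-relative bp for the cursor; module name from the input file."""
    if idc is None:
        raise RuntimeError("export_current_position must run inside IDA")
    module = idaapi.get_root_filename().rsplit(".", 1)[0]
    return module_relative_bp(module, idc.here(), idaapi.get_imagebase(), command)


if __name__ == "__main__":
    # Assumed values: module 'igo', image base 0x400000, the wrapper address named in the post.
    body = createfilew_name_filter("*Turkey.poi", ".echo Turkey.poi opened; kb")
    print(symbol_bp("kernel32!CreateFileW", body))
    print(module_relative_bp("igo", 0x52E910, 0x400000))
```

Paste the printed bp line into WinDbg. To hang the filter on the IDA-exported address instead of the import, pass the same body as the command argument of module_relative_bp; on x64 replace poi(@esp+4) with @rcx.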

The following is the result of my conditional breakpoint:

I let CreateFile complete and noted the file handle returned in EAX, which was 0x1d4 in our case.

Then I used the same technique for the ReadFile API.

The following is the call stack of ReadFile. There are 12 stack frames in total, and the code responsible for parsing the POI file must be somewhere among them. I marked all of these return addresses in IDA for possible future use.

OK, now we need the buffer passed to ReadFile, which is at 0x15a9000.

Just like CreateFile, ReadFile also has a wrapper function:

The buffer pointer was being saved into ECX, so ECX was my next target. After tracing ECX for a while, I noticed it was being copied into EAX.

As you can see from the image, the app was reading and writing at various offsets of the buffer, and surprise: XOR :)

I let the app modify the buffer, and the following is the result:

After digging a little deeper, I was convinced I had found the decryptor function, so I renamed it 🙂

I then dumped the first 0x1000 bytes of the buffer with the following command:

.writemem C:\decrypted.dmp 0x15a9000 L1000

The decryption block uses multiple XORs, which gives us a clue about the underlying algorithm: RC4 uses a single XOR of each byte against its keystream, so this must be something closer to a block cipher such as Blowfish.

Then I checked the encryption algorithm. To tell the truth, I should have checked this before going through all this pain, but I had been told that the file was compressed, which is why I did not run it through KANAL (the crypto-constant scanner plugin for PEiD) first.
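Added Python example, not KANAL itself: the check KANAL does, reduced to its core, a scan of the image for the static tables that well-known algorithms carry. Blowfish initialises its P-array with the hex digits of pi, so 0x243F6A88, 0x85A308D3, ... stored little-endian is a strong hint; RC4 has no fixed constants at all (its S-box is key-derived), so a clean scan does not rule it out. Constants a compiler inlines as immediates, and custom S-boxes, are not caught, which is why this is a first check rather than proof. The image it scans is constructed.

```python
import struct

# First words of each algorithm's static table, as they appear in reference implementations.
WORD_TABLES = {
    "Blowfish P-array (hex digits of pi)": [0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344],
    "MD5 T table": [0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE],
    "SHA-256 K table": [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5],
    "CRC-32 table (poly 0xEDB88320)": [0x77073096, 0xEE0E612C, 0x990951BA],
}
BYTE_TABLES = {
    "AES S-box": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),
}


def build_signatures() -> dict:
    """Expand the word tables into both byte orders; x86 code stores them little-endian."""
    sigs = {}
    for name, words in WORD_TABLES.items():
        sigs[f"{name} [LE]"] = struct.pack("<%dI" % len(words), *words)
        sigs[f"{name} [BE]"] = struct.pack(">%dI" % len(words), *words)
    for name, raw in BYTE_TABLES.items():
        sigs[name] = raw
    return sigs


def scan_constants(image: bytes, signatures: dict = None) -> dict:
    """Return {signature name: [file offsets]} for every signature present in the image."""
    signatures = signatures or build_signatures()
    hits = {}
    for name, sig in signatures.items():
        offsets = []
        pos = image.find(sig)
        while pos != -1:
            offsets.append(pos)
            pos = image.find(sig, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits


def build_sample_image() -> bytes:
    """Constructed fixture: filler bytes with a Blowfish P-array and a CRC-32 table planted in them."""
    image = bytearray(bytes(range(256)) * 8)  # 0x800 bytes of non-crypto data
    image[0x300:0x310] = struct.pack("<4I", *WORD_TABLES["Blowfish P-array (hex digits of pi)"])
    image[0x600:0x60C] = struct.pack("<3I", *WORD_TABLES["CRC-32 table (poly 0xEDB88320)"])
    return bytes(image)


if __name__ == "__main__":
    for name, offsets in scan_constants(build_sample_image()).items():
        print(name, [hex(o) for o in offsets])
```

Run it over the whole executable (and over memory dumps, since packed code only shows its tables after unpacking); a hit on the P-array or the CRC table tells you which routine to set the next breakpoint in.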


That is it for this week:) Thanks for reading!

Burned out mainboard, had to have fun with jQuery + PHP!

A low-level blog with jQuery? Am I kidding? Unfortunately no 🙂 This one will not be that low-level, due to bad luck. As a matter of fact, I was planning to write a sniffer for KdSendPacket / KdReceivePacket, which would probably have turned into a PoC about interfering with !chkimg, but all those plans went up in smoke when I heard on Wednesday morning that my mainboard had burned out :):)

From a system programmer's point of view, it's quite tough to get yourself up and running again on a fresh install of Windows. It was the same for me, but a developer is someone who develops even in the worst scenario, because I believe it's a way of thinking, not just a job... So, here is some code I developed for one of my friends: a PHP translation engine.

First of all, why do we need a translation engine?

If you are heading a big project and need to support lots of languages, believe it or not, translation suddenly becomes a big problem. The biggest problem is usually translating a word without knowing the context it is used in, which results in gibberish 🙂 People generally use CSV files, but I do not like them, which is why I started writing something new for one of my friends.

Translation Module with jQuery + PHP 


You can see the admin panel in the screenshot above. Red dashed borders show that the text inside them is translatable. But how? Actually, it's all jQuery... Whenever you want to add something translatable, here are the steps you need to perform:

1. Open up your HTML and include translator.js

2. Place a div inside the HTML with the following syntax:

<div id="<?=$keyword?>" class="Translatable"><?=$value?></div>

3. Call PrepareForTranslation whenever you are ready!

That's it! It's that simple 🙂 One caveat: $keyword and $value are written into the markup unescaped, so anyone allowed to edit translations can inject HTML or script into every page that shows them; pass both through htmlspecialchars() unless every translator is fully trusted. But how does it work?

First of all, we need a database layout to make it work. The simplest form is as follows:


A DB with 4 columns is enough for us: the keyword plus its value in each of the 3 languages (en, ru, tr). We need to enter some keywords into the database with the appropriate values.


Alright, now you know what a keyword and a value are. What about the class Translatable? It's just a marker for translatable elements, used by jQuery to draw a red dashed border around them and make them clickable (translatable). The following is the code I used for marking translatable elements:


Why mouseenter / mouseleave? Because I wanted to support clickable elements as well as the others.

Whenever the document is ready, the function PrepareForTranslation is called. It loops over all items that have the class Translatable and adds the TranslationActive class to each of them, which gives the element a red dashed border and a hand/pointer cursor. The click handler calls ShowTranslationDialog directly; the other two handlers, mouseenter / mouseleave, set a global variable for later use. When is it used? For clickable items like <a href="....."></a>: whenever you hover over something clickable, the element is saved into g_Element, and whenever you press Q it calls ShowTranslationDialog, which in turn uses the global to show the translation dialog. Don't get confused, all the handlers serve the same purpose: calling ShowTranslationDialog!


Want to take a look at the source code itself? Here it is : SOURCE CODE for translator.js

This is the source code for displaying the following translator UI:


Whenever the user clicks the Save button, jQuery serializes the form like this:

?keyword=Label&en=Label&tr=Etiket&ru=этикетка and posts it to ajax.php.


ajax.php saves the updated values and echoes the new values back.
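ajax.php itself is not shown, so here is an added Python model (mine, not the post's PHP) of the save and render steps with the checks a practitioner would want: the keyword has to match a whitelist pattern, the language is checked against a fixed list before it is used as a column name, the row is written with bound parameters instead of string concatenation, and the div from step 2 is rendered with both the id and the text HTML-escaped, so a translation that contains markup stays text. The keyword format and the sqlite3 table are assumptions.

```python
import html
import re
import sqlite3

LANGS = ("en", "tr", "ru")                          # mirrors the post's three language columns
KEYWORD_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")  # assumed keyword format


def open_db() -> sqlite3.Connection:
    """The post's 4-column layout: keyword plus one column per language."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE translations (keyword TEXT PRIMARY KEY, en TEXT, tr TEXT, ru TEXT)")
    return db


def save_translation(db: sqlite3.Connection, form: dict) -> dict:
    """Model of the ajax.php save: reject unexpected keywords, then write with bound parameters.

    Authentication and a CSRF token check belong in front of this; otherwise anyone who can
    reach the endpoint can rewrite every string in the product.
    """
    keyword = form.get("keyword", "")
    if not KEYWORD_RE.match(keyword):
        raise ValueError("keyword does not match the allowed format")
    values = {lang: form.get(lang, "") for lang in LANGS}
    db.execute(
        "INSERT OR REPLACE INTO translations (keyword, en, tr, ru) VALUES (?, ?, ?, ?)",
        (keyword, values["en"], values["tr"], values["ru"]),
    )
    db.commit()
    return {"keyword": keyword, **values}  # what ajax.php echoes back


def lookup(db: sqlite3.Connection, keyword: str, lang: str) -> str:
    """Fetch one translation; the column name is interpolated only after the whitelist check."""
    if lang not in LANGS:
        raise ValueError("unknown language")
    row = db.execute(f"SELECT {lang} FROM translations WHERE keyword = ?", (keyword,)).fetchone()
    return row[0] if row and row[0] else keyword  # fall back to the keyword itself


def render_translatable(keyword: str, value: str) -> str:
    """Escaped equivalent of <div id="<?=$keyword?>" class="Translatable"><?=$value?></div>."""
    return (f'<div id="{html.escape(keyword, quote=True)}" class="Translatable">'
            f'{html.escape(value)}</div>')


if __name__ == "__main__":
    db = open_db()
    save_translation(db, {"keyword": "Label", "en": "Label", "tr": "Etiket", "ru": "этикетка"})
    print(render_translatable("Label", lookup(db, "Label", "tr")))
```

The value is stored verbatim and escaped only at render time, so the admin dialog still shows translators exactly what they typed while the page never interprets it as markup.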


See you next week!

DeadChar Dead ???

What is a dead char? According to MSDN:

Dead-Character Messages

Some non-English keyboards contain character keys that are not expected to produce characters by themselves. Instead, they are used to add a diacritic to the character produced by the subsequent keystroke. These keys are called dead keys. The circumflex key on a German keyboard is an example of a dead key. To enter the character consisting of an “o” with a circumflex, a German user would type the circumflex key followed by the “o” key.

So it is just a modifier rather than a character on its own. To put it into practice, the following screenshot was taken on a Windows 7 x64 machine while typing ê in Notepad.

[screenshot: spy]

Too many messages just for one ê character, huh? Actually no! You should only count the WM_KEYDOWN / WM_KEYUP messages, because only those are posted to Notepad's GUI thread. The others? Here WM_DEADCHAR and WM_CHAR are generated by TranslateMessage.

What TranslateMessage does here is: seeing that Shift + 3 (the ^ symbol in my locale) was pressed, it posts a WM_DEADCHAR message to the window and internally sets a flag on the kernel side. You may think this is app-specific, but no: run two instances of Notepad, press the dead key once in the left one and some other key (like e) in the right one, and the Notepad on the right receives the accented e, which proves that the DEADCHAR state is saved in the kernel, not in the window.

[screenshot: two-windows]

So what? The story begins here... I had been testing our new product, which will be released shortly, and going crazy over a possible bug in the source code. The problem was related to typing characters with diacritics in the Turkish keyboard locale while one of our keylogger simulators was active. To get a better understanding of the problem, take a look at the following snippet:

That little "Start" button on the right was messing with my keyboard and I was not able to type the first letter of my name 🙂 I can hear you saying: "What do you expect, dude? It's a keylogger simulator and can easily mess with the messages received by Notepad's message pump!?" But no, it can't, because it uses RegisterRawInputDevices to simulate a simple keylogger, and that cannot break some other window's message pump. RIDEV_INPUTSINK means "send me a WM_INPUT message whenever a key is pressed, whether or not I am the foreground window" (it requires a non-NULL hwndTarget). Looks promising, right? Yes it does, which is why most of the keyloggers around prefer it.

Why? Because the technique itself is free of DLLs, hooks and the like; it simply works with WM_INPUT messages, and in my experience it is rock solid. The only way to stop it is to hook win32k!NtUserRegisterRawInputDevices. Even though I did not have the source code of the simulator, I wrote something similar, and guess what? The result was exactly the same!

I decided to do a cross-check with DEADCHAR + A, and the result is as follows:

But why? There was nothing in the address space of Notepad; it couldn't be me breaking the system! Never say never: I started tracing the function top to bottom and saw that returning before ToAsciiEx solved the problem!!!??? Why? I opened up MSDN and started searching for "dead char bla bla". The most significant excerpt was:

The parameters supplied to the ToAsciiEx function might not be sufficient to translate the virtual-key code, because a previous dead key is stored in the keyboard layout.

Definitely yes! But where was the warning "ToAsciiEx clears the previously stored dead char from the keyboard layout"? It was in IDA + WinDbg 🙂

Actually, three levels of branching deep in WinDbg I was about to change my mind and open IDA, when I saw something shiny:

win32k!ComposeDeadKeys

Who was calling it? win32k!NtUserTranslateMessage. That is the normal behaviour, but who else was calling it is shown in the following two snippets:

Digging a little further resulted in the following:

Voila! It was so close to the source of the problem (which was already apparent at this point).

Digging further into ComposeDeadKeys showed that it clears the dead-key flag whenever a new key is pressed!!! Just take a look at the following screenshot (I admit my handwriting is messier than ComposeDeadKeys :))

[screenshot: cleared_if_finally]

To sum up :

"Do not call ToUnicodeEx or ToAsciiEx a second time for the same dead-key keystroke, or rather do not use these functions at all, because they clear that magic flag :):)"
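An added Python example (not the post's simulator) of the two halves of a WM_INPUT key sink written with that rule in mind: parse_raw_keyboard decodes the RAWINPUT record that GetRawInputData returns, and translate_vk calls ToUnicodeEx with bit 2 of wFlags set, the "keyboard state is not changed" flag documented for Windows 10 version 1607 and later, so the pending dead key that ComposeDeadKeys keeps in the layout is left for the foreground window's TranslateMessage. On older systems, including the Windows 7 machine in the post, that bit is not honoured and the only safe option is the one above: do not translate in the sink at all. The RAWINPUT record is constructed, and the ctypes part only runs on Windows.

```python
import ctypes
import struct
import sys
from typing import Optional

RIM_TYPEKEYBOARD = 1
RI_KEY_BREAK = 0x01            # key released
RI_KEY_E0 = 0x02               # extended-key scancode prefix
TOUNICODE_KEEP_STATE = 1 << 2  # ToUnicodeEx wFlags bit 2: keyboard state is not changed (Win10 1607+)


def parse_raw_keyboard(blob: bytes, pointer_size: int = 8) -> dict:
    """Decode the buffer GetRawInputData(hRawInput, RID_INPUT, ...) fills in.

    RAWINPUTHEADER is dwType, dwSize, hDevice, wParam (the last two are pointer-sized),
    followed by RAWKEYBOARD: MakeCode, Flags, Reserved, VKey, Message, ExtraInformation.
    """
    header_fmt = "<II" + ("QQ" if pointer_size == 8 else "II")
    header_len = struct.calcsize(header_fmt)
    dw_type, dw_size, _device, _wparam = struct.unpack_from(header_fmt, blob, 0)
    if dw_type != RIM_TYPEKEYBOARD:
        raise ValueError("not a keyboard RAWINPUT record")
    if dw_size > len(blob):
        raise ValueError("truncated RAWINPUT record")
    make, flags, _reserved, vk, message, _extra = struct.unpack_from("<HHHHII", blob, header_len)
    return {
        "vk": vk,
        "scan": make,
        "extended": bool(flags & RI_KEY_E0),
        "release": bool(flags & RI_KEY_BREAK),
        "message": message,  # WM_KEYDOWN / WM_KEYUP / WM_SYSKEY*
    }


def translate_vk(vk: int, scan: int, keep_state: bool = True) -> Optional[str]:
    """Turn a key-down into text without consuming the layout's pending dead key.

    With keep_state the call passes bit 2 of wFlags, so the kernel-side dead-key flag
    (the one ComposeDeadKeys clears) stays for the foreground window's TranslateMessage.
    Returns None for a dead key: do not call again for that keystroke.
    """
    if sys.platform != "win32":
        raise OSError("ToUnicodeEx is only available on Windows")
    user32 = ctypes.windll.user32
    user32.GetKeyboardLayout.restype = ctypes.c_void_p
    user32.ToUnicodeEx.argtypes = [ctypes.c_uint, ctypes.c_uint, ctypes.POINTER(ctypes.c_ubyte),
                                   ctypes.POINTER(ctypes.c_wchar), ctypes.c_int, ctypes.c_uint,
                                   ctypes.c_void_p]
    state = (ctypes.c_ubyte * 256)()
    user32.GetKeyboardState(state)
    buf = (ctypes.c_wchar * 8)()
    flags = TOUNICODE_KEEP_STATE if keep_state else 0
    n = user32.ToUnicodeEx(vk, scan, state, buf, len(buf), flags, user32.GetKeyboardLayout(0))
    if n < 0:
        return None
    return "".join(buf[:n])


def on_wm_input(blob: bytes, pointer_size: int = 8) -> Optional[str]:
    """WM_INPUT handler body: only key-down events are translated, each exactly once."""
    event = parse_raw_keyboard(blob, pointer_size)
    if event["release"]:
        return None
    return translate_vk(event["vk"], event["scan"])


def build_raw_keyboard(vk: int, scan: int, flags: int = 0, message: int = 0x0100,
                       pointer_size: int = 8) -> bytes:
    """Constructed RAWINPUT keyboard record (a test fixture, not captured data)."""
    header_fmt = "<II" + ("QQ" if pointer_size == 8 else "II")
    body = struct.pack("<HHHHII", scan, flags, 0, vk, message, 0)
    header = struct.pack(header_fmt, RIM_TYPEKEYBOARD, struct.calcsize(header_fmt) + len(body), 0, 0)
    return header + body


if __name__ == "__main__":
    # 'E' key-down: VK 0x45, scancode 0x12, WM_KEYDOWN.
    print(parse_raw_keyboard(build_raw_keyboard(0x45, 0x12)))
```

Register with RegisterRawInputDevices using RIDEV_INPUTSINK and a real hwndTarget, then call on_wm_input with the buffer from GetRawInputData inside your WM_INPUT handler; a None return means either a key-up or a dead key, and in both cases the right move is not to translate again.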

See you on next post!