Reversing iGo Navigation

I got a call from a close friend on Friday about reversing a possibly compressed file, and here is the reversing session I performed for him.
Let's first talk a little about the environment, because I generally use a kernel debugger instead of a user-mode one. The main reason is that I am used to kernel debugging and I really like the power of pausing the whole OS with just two keys :) Don't you think it's great?

Actually my system is fine-tuned for kernel debugging and I have everything I need in place while using KD (all those scripts, symbols, paths and other stuff).

So, the first thing I generally do is place a breakpoint at the OEP, which makes the target OS break into KD as soon as it executes the entry point of the executable.

Following is the screenshot of the patch in CFF Explorer:

After running the executable, we find ourselves in WinDbg. To undo the patch, replace the CC (int 3) at the current instruction with the original opcode byte (0xE8 in our case):

eb . 0xE8

Then we note the filename. What does this file contain and how does the application use it? That was the main question I was asked.

To be sure, I traced the application with Rohitab API Monitor and saw that everything was OK, with one minor detail:

all CreateFile calls return to the same address, 0x52E910, which in our language means the app has a wrapper function for CreateFile.

Most of the time I use IDA together with WinDbg and let each support the other. They are both the best in the field, but combined they become the best of the best! The following script exports my current position in IDA as a well-defined WinDbg breakpoint:

After setting my breakpoints for CreateFile, I wrote a conditional breakpoint command that stops only on access to the “Turkey.poi” file, since there are a lot of CreateFile calls, and then combined the IDA-generated breakpoint with my conditional WinDbg script file.

Following is the result of my conditional breakpoint:

I let CreateFile complete and noted down the file handle returned in EAX, which was 0x1d4 in our case.

Then I applied the same technique to the ReadFile API.

Following is the call stack of ReadFile. There are 12 stack frames in total; the function responsible for parsing that POI file must be somewhere in here. I marked all these return addresses in IDA for possible future use.

OK, now we need to find the ReadFile buffer, which is at 0x15a9000.

Just like CreateFile, ReadFile also has a wrapper function:

The buffer pointer was being saved into ECX, so ECX was my next target. After tracing ECX for some time, I noticed it was being copied into EAX.

As you can see from the image, the app was reading and writing some offsets of the buffer and, surprise: XOR :)

I let the app modify the buffer, and following is the result:

After digging a little deeper, I was convinced I had found the decryptor function, so I renamed it 🙂

I then dumped the first 0x1000 bytes of the buffer by issuing the following command:

.writemem C:\decrypted.dmp 0x15a9000 L1000

The decryption block uses multiple XORs, which gives us a clue about the underlying algorithm: it must be something similar to Blowfish, because RC4 uses only one XOR.

Then I checked the encryption algorithm. To tell the truth, I should have checked this before going through all this pain, but I was told the file was compressed, which is why I did not check it with KANAL first.
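KANAL-style identification works by scanning the binary (or a memory dump taken with .writemem) for the fixed tables each algorithm starts from, which is why it can confirm a Blowfish guess but can never spot RC4. As an added example, not code from the original post, here is a small Python scanner with a constructed signature table and a constructed dump; the constant values are the real first words of the Blowfish P-array, the MD5 T-table and the SHA-256 K-table.

```python
import struct

# Constructed signature table: the first four words of each algorithm's
# initial state or key schedule, the kind of pattern KANAL matches on.
# RC4 is deliberately absent: its key schedule has no magic constants,
# so a constant scan cannot find it.
SIGNATURES = {
    "Blowfish P-array": [0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344],
    "MD5 T-table":      [0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE],
    "SHA-256 K-table":  [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5],
}


def find_crypto_constants(data: bytes) -> dict:
    """Map each matched algorithm to a list of (offset, endianness) hits."""
    hits = {}
    for name, words in SIGNATURES.items():
        # x86 binaries store tables little-endian, but check both byte orders.
        for endian, fmt in (("little", "<I"), ("big", ">I")):
            needle = b"".join(struct.pack(fmt, w) for w in words)
            start = 0
            while (pos := data.find(needle, start)) != -1:
                hits.setdefault(name, []).append((pos, endian))
                start = pos + 1
    return hits


def load_dump(path: str) -> bytes:
    """Read a raw dump such as the file written by .writemem."""
    with open(path, "rb") as fh:
        return fh.read()


# Constructed stand-in for a module dump: 16 bytes of padding, the Blowfish
# P-array in little-endian order, then some filler bytes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"".join(struct.pack("<I", w) for w in SIGNATURES["Blowfish P-array"])
    + b"\x90" * 16
)

if __name__ == "__main__":
    for algo, where in find_crypto_constants(SAMPLE_DUMP).items():
        for offset, endian in where:
            print(f"{algo} at offset 0x{offset:x} ({endian}-endian)")
```

A hit only proves the table is present in the scanned bytes; confirming that the routine found in IDA actually uses it still takes the tracing done above.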


That is it for this week:) Thanks for reading!

Burned out mainboard, had to have fun with jQuery + PHP!

A low-level blog with jQuery? Am I kidding? Unfortunately no 🙂 This one will not be that low level, due to bad luck. As a matter of fact, I was planning to write a sniffer for KdSendPacket / KdReceivePacket, probably as a PoC related to !chkimg interference, but all those plans went up in smoke when I heard on Wednesday morning that my mainboard had burned out :):)

From a system programmer's point of view, it's quite tough to get yourself up and running again on a fresh install of Windows. It was the same for me, but a developer is someone who develops even in the worst scenario, because I believe it's a way of thinking, not just a job... So, here is some code I developed for one of my friends: a PHP translation engine.

First of all, why do we need a translation engine?

If you are heading a big project and need to support lots of languages, believe it or not, translation suddenly becomes a big problem. The biggest problem is usually translating a word without knowing the context it is used in, which results in gibberish 🙂 People generally use CSV files, but I do not like them, which is why I started to write something new for one of my friends.

Translation Module with jQuery + PHP 

You see the admin panel in the screenshot above. A red dashed border shows that the text inside it is translatable. But how? Actually it's all jQuery... Whenever you want to make something translatable, here are the steps you need to perform:

1. Open up your HTML and include translator.js.

2. Place a div in the HTML with the following syntax:

<div id="<?=$keyword?>" class="Translatable"><?=$value?></div>

3. Call PrepareForTranslation whenever you are ready!

That's it! It's that simple 🙂 But how does it work?

First of all, we need a database layout to make it work. The simplest form is as follows:

A DB table with 4 columns is enough for us. We need to enter some keywords into our database, with the appropriate values for the 3 languages (en, ru, tr).

Alright, now you know what a keyword and a value are. What about the Translatable class? It's just a marker for translatable elements, which jQuery uses to draw a red dashed border around them and make them clickable (translatable). Following is the code I used for marking Translatable elements:

Why mouseenter / mouseleave? Because I wanted to support clickable elements alongside the others.

Whenever the document is ready, PrepareForTranslation is called. It loops over all the items that have the Translatable class and adds the TranslationActive class to each of them, which gives the element a red dashed border and a hand / pointer cursor. The click handler directly calls ShowTranslationDialog, and the other two handlers, mouseenter / mouseleave, set a global variable for future use. But when is it used? The global is there for clickable items like <a href="....."> </a>. Whenever you hover your mouse over something clickable, the element is saved into g_Element, and whenever you press Q it calls ShowTranslationDialog, which in turn uses the global to show the translation dialog. Don't get confused: all the handlers serve the same purpose, calling ShowTranslationDialog!

Want to take a look at the source code itself? Here it is: SOURCE CODE for translator.js

This is the source code for displaying the following translator UI:

Whenever the user clicks the Save button, jQuery serializes the form like this:

?keyword=Label&en=Label&tr=Etiket&ru=этикетка

and posts it to ajax.php.

ajax.php saves the updated values and echoes the new values back.
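The serialized form and the 4-column table are exactly where an endpoint like ajax.php needs its checks: the language names become column names, which cannot be bound as SQL parameters, and the stored values are later echoed back into the Translatable div. As an added example, not the project's ajax.php, here is the same save-and-echo step written in Python with sqlite3 instead of PHP, assuming the columns are named keyword, en, ru and tr; the query string from the post is the constructed input.

```python
import html
import sqlite3
from urllib.parse import parse_qs

# Assumed column names for the post's 4-column table: keyword plus one value per language.
LANGUAGES = ("en", "ru", "tr")
COLUMNS = ("keyword",) + LANGUAGES


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the translation table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE translations (keyword TEXT PRIMARY KEY, en TEXT, ru TEXT, tr TEXT)")
    return con


def save_translation(con: sqlite3.Connection, query_string: str) -> dict:
    """Store one serialized form (keyword=...&en=...&tr=...&ru=...) and return the row as saved."""
    form = {k: v[0] for k, v in parse_qs(query_string.lstrip("?"), keep_blank_values=True).items()}
    keyword = form.get("keyword", "").strip()
    if not keyword:
        raise ValueError("keyword is required")
    # Column names come only from the allowlist; unknown form fields never reach the SQL text.
    updates = {lang: form[lang] for lang in LANGUAGES if lang in form}
    if not updates:
        raise ValueError("no language fields supplied")
    assignments = ", ".join(f"{col} = ?" for col in updates)
    # Values are always bound as parameters, never interpolated into the statement.
    con.execute("INSERT OR IGNORE INTO translations (keyword) VALUES (?)", (keyword,))
    con.execute(f"UPDATE translations SET {assignments} WHERE keyword = ?",
                (*updates.values(), keyword))
    con.commit()
    row = con.execute("SELECT keyword, en, ru, tr FROM translations WHERE keyword = ?",
                      (keyword,)).fetchone()
    return dict(zip(COLUMNS, row))


def render_translatable(keyword: str, value: str) -> str:
    """The marker div from the post, with id and body HTML-escaped before they reach the page."""
    return (f'<div id="{html.escape(keyword)}" class="Translatable">'
            f'{html.escape(value or "")}</div>')


if __name__ == "__main__":
    db = open_db()
    # Constructed input: the exact query string jQuery produces in the post.
    saved = save_translation(db, "?keyword=Label&en=Label&tr=Etiket&ru=этикетка")
    print(saved)
    print(render_translatable(saved["keyword"], saved["tr"]))
```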

See you next week!