AES CBC reverse analysis, exception handling, anti-debugging
AES CBC
Looking at the binary in IDA we noticed constants that looked like AES.
Running the KANAL plugin in PEiD confirmed this:
it found the AES S-boxes and a Base64 table, so we initially identified AES encryption and Base64 encoding inside the program.
We then went to the key functions.
At 4020D0 the input string is encrypted. The function first XORs the input string with sctfsctfsctfsctf,
and later the data is XORed with sycloversyclover inside a function that, treated as a black box, behaves like AES in ECB mode.
Test data: 1234567890123456 and the data obtained as exclusive OR sctfsctfsctfsctf
42 51 47 52 46 55 43 5E 4A 53 45 54 40 57 41 50
After the encryption function again after 4013E0
5A CD 79 E5 2C B7 A8 EB FA 25 24 69 B9 B9 B7 A1
So the key is sycloversyclover and 4013E0 is the AES encryption function. The second 16-byte block is then XORed with this encrypted result; that second block consists of 16 bytes of 0x10, i.e. the padding size, so we conclude that PKCS5Padding is used.
The last step is Base64 encoding.
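The encryption path reconstructed above (XOR of the first block with sctfsctfsctfsctf, AES-128 with key sycloversyclover, PKCS5 padding, Base64) written out as an added example; this is not the challenge's own code. It carries a minimal AES-128 implementation so it runs without external libraries, and cbc_blocks returns each block's pre-AES XOR value and ciphertext so they can be compared with the bytes dumped above.

```python
import base64

# Minimal AES-128 (FIPS-197) plus the CBC / PKCS5 / Base64 wrapper reconstructed above.
def _xtime(a): return ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1
def _mul(a, b):                                  # multiplication in GF(2^8)
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = _xtime(a), b >> 1
    return r
def _affine(inv):                                # S-box = affine map of the field inverse
    s = inv
    for _ in range(4):
        inv = ((inv << 1) | (inv >> 7)) & 0xFF
        s ^= inv
    return s ^ 0x63
SBOX = [_affine(next((y for y in range(256) if _mul(x, y) == 1), 0)) for x in range(256)]
def _expand_key(key):                            # 11 round keys of 16 bytes, column-major
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]
def _encrypt_block(block, rk):                   # one AES block, the role of 4013E0 in the writeup
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                        # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]              # ShiftRows
        if rnd < 10:                                                    # MixColumns
            s = [_mul(2, s[4*c + r]) ^ _mul(3, s[4*c + (r + 1) % 4]) ^ s[4*c + (r + 2) % 4] ^ s[4*c + (r + 3) % 4]
                 for c in range(4) for r in range(4)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]                         # AddRoundKey
    return bytes(s)
def cbc_blocks(plaintext, key=b"sycloversyclover", iv=b"sctfsctfsctfsctf"):
    """Return [(block XOR previous, AES(block XOR previous)), ...] for each padded block."""
    rk = _expand_key(key)
    pad = 16 - len(plaintext) % 16
    data = plaintext + bytes([pad]) * pad        # PKCS5 padding: 16 bytes of 0x10 for a 16-byte input
    trace, prev = [], iv
    for i in range(0, len(data), 16):
        xored = bytes(a ^ b for a, b in zip(data[i:i + 16], prev))     # the XOR seen at 4020D0
        prev = _encrypt_block(xored, rk)
        trace.append((xored, prev))
    return trace
def encrypt_like_binary(plaintext):
    return base64.b64encode(b"".join(c for _, c in cbc_blocks(plaintext))).decode()
```

With the test input 1234567890123456, cbc_blocks(...)[0][0] reproduces the 42 51 47 52 ... bytes dumped above and cbc_blocks(...)[0][1] can be checked against the 5A CD 79 E5 ... output of 4013E0.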
Exception Handling
But the value used in the final comparison is
>pvfqYc,4tTc2UxRmlJ,sB{Fh4Ck2:CFOb4ErhtIcoLo
This is obviously not a Base64 result, so the program must be changing the string before the comparison; we had the program hang on the last string comparison to look at it.
A closer look shows:
// IDA pseudocode of the check; the function name and prototype are placeholders.
// `this` is assumed to be the module base, so this[15] is e_lfanew (offset 0x3C).
void __thiscall check_sections(int *this)
{
  int v1; // eax
  __int16 v2; // bx
  const char *v3; // esi
  signed int i; // edi
  int v5; // eax

  v1 = this[15];                                  // e_lfanew
  v2 = *(_WORD *)((char *)this + v1 + 6);         // IMAGE_FILE_HEADER.NumberOfSections
  v3 = (char *)this + v1 + 248;                   // first IMAGE_SECTION_HEADER (0xF8 past the NT headers)
  for ( i = 0; i < v2; ++i )
  {
    v5 = strcmp(v3, ".SCTF");
    if ( v5 )
      v5 = -(v5 < 0) | 1;                         // normalise to -1 / 1, still non-zero
    if ( !v5 )                                    // a section named .SCTF exists
    {
      DebugBreak();
      return;
    }
    v3 += 40;                                     // sizeof(IMAGE_SECTION_HEADER)
  }
}
The DebugBreak in front of this function is not triggered normally, but when a debugger is attached it raises an exception.
So we next break on KiUserExceptionDispatcher. No VEH is called, so the program may be using SEH.
We set a breakpoint on ZwContinue; its CONTEXT parameter structure holds, at offset B8, the address at which execution will continue after ZwContinue.
Here we read the value 0x72A83C79 as that address.
Running from there until we reach EH4_TransferToHandler, where the SEH handler is called,
we jump to 4023EF.
Anti-debugging
Anti-debugging is performed at 4023EF.
Thanks to StrongOD we had already passed the IsDebuggerPresent check, but the CheckRemoteDebuggerPresent check was not handled, so we need to modify the jump flag in order to get past the anti-debugging. After that the program self-decodes: once the self-decoding function at 404000 has executed, the string used in the final comparison has been changed.
So we decrypt the strings
and get the answer.