Saturday, August 4, 2007

Dissecting the GoDaddy email notifier - Part 4

Ok, this is hopefully the last part of my Dissecting series for the email notifier. I last left you with the fact that I had reverse engineered the encryption and decryption algorithm. I simply poked around the calls to the registry key write function calls and found the encryption and decryption routines. I will list them here:

004046D7 /$ 55 PUSH EBP ; Main Encrypter
004046D8 |. 8BEC MOV EBP,ESP
004046DA |. 51 PUSH ECX
004046DB |. 51 PUSH ECX
004046DC |. 837E 14 00 CMP DWORD PTR DS:[ESI+14],0
004046E0 |. 8BC6 MOV EAX,ESI
004046E2 |. 0F84 CC000000 JE 004047B4
004046E8 |. 53 PUSH EBX
004046E9 |. 8B5E 14 MOV EBX,DWORD PTR DS:[ESI+14]
004046EC |. 895D FC MOV DWORD PTR SS:[EBP-4],EBX
004046EF |. 57 PUSH EDI
004046F0 |. 4B DEC EBX
004046F1 |. 8BFB MOV EDI,EBX
004046F3 |. E8 A0010000 CALL 00404898
004046F8 |. 0FB608 MOVZX ECX,BYTE PTR DS:[EAX]
004046FB |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004046FE |. 6A 05 PUSH 5
00404700 |. 33D2 XOR EDX,EDX
00404702 |. 5F POP EDI
00404703 |. F7F7 DIV EDI
00404705 |. 8BFB MOV EDI,EBX
00404707 |. C1E2 08 SHL EDX,8
0040470A |. 66:0FB68411 4>MOVZX AX,BYTE PTR DS:[EAX+ECX+427F48]
00404713 |. 0FB7C0 MOVZX EAX,AX
00404716 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00404719 |. 8BC6 MOV EAX,ESI
0040471B |. E8 78010000 CALL 00404898
00404720 |. 66:8B00 MOV AX,WORD PTR DS:[EAX]
00404723 |. 66:25 00FF AND AX,0FF00
00404727 |. 66:0B45 FC OR AX,WORD PTR SS:[EBP-4]
0040472B |. 0FB7C0 MOVZX EAX,AX
0040472E |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00404731 |. 8BC6 MOV EAX,ESI
00404733 |. E8 60010000 CALL 00404898
00404738 |. 66:8B4D FC MOV CX,WORD PTR SS:[EBP-4]
0040473C |. 66:8908 MOV WORD PTR DS:[EAX],CX
0040473F |. 8BC6 MOV EAX,ESI
00404741 |. E8 52010000 CALL 00404898
00404746 |. 0FB700 MOVZX EAX,WORD PTR DS:[EAX]
00404749 |. 6A 05 PUSH 5
0040474B |. 99 CDQ
0040474C |. 59 POP ECX
0040474D |. F7F9 IDIV ECX
0040474F |. 33FF XOR EDI,EDI
00404751 |. 85DB TEST EBX,EBX
00404753 |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
00404756 |. 76 58 JBE SHORT 004047B0
00404758 |> 8BC6 /MOV EAX,ESI
0040475A |. E8 39010000 |CALL 00404898
0040475F |. 0FB600 |MOVZX EAX,BYTE PTR DS:[EAX]
00404762 |. 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4]
00404765 |. C1E1 08 |SHL ECX,8
00404768 |. 66:0FB68408 4>|MOVZX AX,BYTE PTR DS:[EAX+ECX427F48]
00404771 |. 0FB7C0 |MOVZX EAX,AX
00404774 |. 8945 F8 |MOV DWORD PTR SS:[EBP-8],EAX
00404777 |. 8BC6 |MOV EAX,ESI
00404779 |. E8 1A010000 |CALL 00404898
0040477E |. 66:8B00 |MOV AX,WORD PTR DS:[EAX]
00404781 |. 66:25 00FF |AND AX,0FF00
00404785 |. 66:0B45 F8 |OR AX,WORD PTR SS:[EBP-8]
00404789 |. 0FB7C0 |MOVZX EAX,AX
0040478C |. 8945 F8 |MOV DWORD PTR SS:[EBP-8],EAX
0040478F |. 8BC6 |MOV EAX,ESI
00404791 |. E8 02010000 |CALL 00404898
00404796 |. 66:8B4D F8 |MOV CX,WORD PTR SS:[EBP-8]
0040479A |. 66:8908 |MOV WORD PTR DS:[EAX],CX
0040479D |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
004047A0 |. 47 |INC EDI
004047A1 |. 6A 05 |PUSH 5
004047A3 |. 40 |INC EAX
004047A4 |. 33D2 |XOR EDX,EDX
004047A6 |. 59 |POP ECX
004047A7 |. F7F1 |DIV ECX
004047A9 |. 3BFB |CMP EDI,EBX
004047AB |. 8955 FC |MOV DWORD PTR SS:[EBP-4],EDX
004047AE |.^ 72 A8 \JB SHORT 00404758
004047B0 |> 5F POP EDI
004047B1 |. 8BC6 MOV EAX,ESI
004047B3 |. 5B POP EBX
004047B4 |> C9 LEAVE
004047B5 \. C3 RET

The code above is for the Encrypter and the code below is the Decrypter:

004047B6 /$ 55 PUSH EBP ; Main Decrypter
004047B7 |. 8BEC MOV EBP,ESP
004047B9 |. 51 PUSH ECX
004047BA |. 51 PUSH ECX
004047BB |. 53 PUSH EBX
004047BC |. 8B5E 14 MOV EBX,DWORD PTR DS:[ESI+14]
004047BF |. 85DB TEST EBX,EBX
004047C1 |. 8BC6 MOV EAX,ESI
004047C3 |. 0F84 CC000000 JE 00404895
004047C9 |. 57 PUSH EDI
004047CA |. 4B DEC EBX
004047CB |. 8BFB MOV EDI,EBX
004047CD |. E8 C6000000 CALL 00404898
004047D2 |. 0FB700 MOVZX EAX,WORD PTR DS:[EAX]
004047D5 |. 6A 05 PUSH 5
004047D7 |. 99 CDQ
004047D8 |. 59 POP ECX
004047D9 |. F7F9 IDIV ECX
004047DB |. 33FF XOR EDI,EDI
004047DD |. 85DB TEST EBX,EBX
004047DF |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
004047E2 |. 76 58 JBE SHORT 0040483C
004047E4 |> 8BC6 /MOV EAX,ESI
004047E6 |. E8 AD000000 |CALL 00404898
004047EB |. 0FB600 |MOVZX EAX,BYTE PTR DS:[EAX]
004047EE |. 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4]
004047F1 |. C1E1 08 |SHL ECX,8
004047F4 |. 66:0FB68408 4>|MOVZX AX,BYTE PTR DS:[EAX+ECX+428448]
004047FD |. 0FB7C0 |MOVZX EAX,AX
00404800 |. 8945 F8 |MOV DWORD PTR SS:[EBP-8],EAX
00404803 |. 8BC6 |MOV EAX,ESI
00404805 |. E8 8E000000 |CALL 00404898
0040480A |. 66:8B00 |MOV AX,WORD PTR DS:[EAX]
0040480D |. 66:25 00FF |AND AX,0FF00
00404811 |. 66:0B45 F8 |OR AX,WORD PTR SS:[EBP-8]
00404815 |. 0FB7C0 |MOVZX EAX,AX
00404818 |. 8945 F8 |MOV DWORD PTR SS:[EBP-8],EAX
0040481B |. 8BC6 |MOV EAX,ESI
0040481D |. E8 76000000 |CALL 00404898
00404822 |. 66:8B4D F8 |MOV CX,WORD PTR SS:[EBP-8]
00404826 |. 66:8908 |MOV WORD PTR DS:[EAX],CX
00404829 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
0040482C |. 47 |INC EDI
0040482D |. 6A 05 |PUSH 5
0040482F |. 40 |INC EAX
00404830 |. 33D2 |XOR EDX,EDX
00404832 |. 59 |POP ECX
00404833 |. F7F1 |DIV ECX
00404835 |. 3BFB |CMP EDI,EBX
00404837 |. 8955 FC |MOV DWORD PTR SS:[EBP-4],EDX
0040483A |.^ 72 A8 \JB SHORT 004047E4
0040483C |> 8B46 14 MOV EAX,DWORD PTR DS:[ESI+14]
0040483F |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00404842 |. 8BFB MOV EDI,EBX
00404844 |. 8BC6 MOV EAX,ESI
00404846 |. E8 4D000000 CALL 00404898
0040484B |. 0FB608 MOVZX ECX,BYTE PTR DS:[EAX]
0040484E |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00404851 |. 6A 05 PUSH 5
00404853 |. 33D2 XOR EDX,EDX
00404855 |. 5F POP EDI
00404856 |. F7F7 DIV EDI
00404858 |. 8BFB MOV EDI,EBX
0040485A |. C1E2 08 SHL EDX,8
0040485D |. 66:0FB68411 4>MOVZX AX,BYTE PTR DS:[ECX+EDX+428448]
00404866 |. 0FB7C0 MOVZX EAX,AX
00404869 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0040486C |. 8BC6 MOV EAX,ESI
0040486E |. E8 25000000 CALL 00404898
00404873 |. 66:8B00 MOV AX,WORD PTR DS:[EAX]
00404876 |. 66:25 00FF AND AX,0FF00
0040487A |. 66:0B45 F8 OR AX,WORD PTR SS:[EBP-8]
0040487E |. 0FB7C0 MOVZX EAX,AX
00404881 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00404884 |. 8BC6 MOV EAX,ESI
00404886 |. E8 0D000000 CALL 00404898
0040488B |. 66:8B4D F8 MOV CX,WORD PTR SS:[EBP-8]
0040488F |. 66:8908 MOV WORD PTR DS:[EAX],CX
00404892 |. 8BC6 MOV EAX,ESI
00404894 |. 5F POP EDI
00404895 |> 5B POP EBX
00404896 |. C9 LEAVE
00404897 \. C3 RET

I will leave you with the python source code for the encryption and decryption routines so that you can look at the algorithm and get a feel for what was going on. You will need the static data which can be found in the .rdata section. This is the cipher text that is looked up during the encryption and decryption phase. I have included it in the tool as a separate file.
I may decide to start developing a Linux variant for checking my GoDaddy mail, but don’t hold your breath. Mail me any questions you may have. If you’re interested.

The tool can be found here.

No comments: