The Reverse Challenge
- Identify and explain the purpose of the binary.
This binary is primarily a drone that allows a remote user to launch several different kinds of denial-of-service (DoS) attacks. It also gives the remote user access to commands on the local machine, including a root shell.
- Identify and explain the different features of the binary. What are its capabilities?
The binary is a pure server program -- that is, after it starts it does nothing until it receives input from the outside. The first thing the program does is check whether it is running as root. If not, it promptly exits. Next, it goes through a standard daemonising process - forking, disassociating itself from a controlling terminal and closing the standard I/O descriptors. At this point it enters its main loop, waiting for and processing commands.
The commands are received encoded in the body of packets marked as IP protocol 11. The commands provide the following functions:
- The binary uses a network data encoding process. Identify the encoding process and develop a decoder for it.
The encoder is located at 0x804a194. The first element in the buffer is increased by a coding constant (0x17 = 23). Each element thereafter is the sum of the previous encoded byte, the current byte and the coding constant. In C it looks like this:
    #define ENC_CONST 0x17
    typedef unsigned char byte;

    /* Encode n bytes from in into out (n > 0). */
    void enc(int n, byte *in, byte *out)
    {
        int i;
        out[0] = in[0] + ENC_CONST;
        for (i = 1; i < n; i++)
            out[i] = in[i] + out[i-1] + ENC_CONST;
    }
The decoder, then, needs to go through the reverse process. The decoder can work either forward or backward through the buffer, but it is slightly more straightforward in the reverse direction, since each encoded byte depends only on its predecessor.
    #define ENC_CONST 0x17
    typedef unsigned char byte;

    /* Decode n encoded bytes from in into out (n > 0), last byte first. */
    void dec(int n, byte *in, byte *out)
    {
        int i;
        for (i = n-1; i > 0; i--)
            out[i] = in[i] - in[i-1] - ENC_CONST;
        out[0] = in[0] - ENC_CONST;
    }
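The following is an added, complete program (not part of the original writeup or of the binary) that implements the same running-sum encoding together with a forward-direction decoder, which shows the alternative mentioned above: because only the previous encoded byte is needed, the decoder can run left to right and decode in place. The function names and the sample vector are constructed for this example; the vector is the ASCII bytes "cmd" encoded by hand under the 0x17 constant.

```c
#include <stdio.h>
#include <string.h>

#define ENC_CONST 0x17
typedef unsigned char byte;

/* Encoder: each output byte is the input byte plus the previous *encoded*
   byte plus the constant; for the first byte the "previous" value is 0. */
static void rc_encode(size_t n, const byte *in, byte *out)
{
    byte prev = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = (byte)(in[i] + prev + ENC_CONST);
        prev = out[i];
    }
}

/* Forward-direction decoder. Only the previous encoded byte is needed, so
   it is kept in a local and in == out (decoding in place) is safe. */
static void rc_decode(size_t n, const byte *in, byte *out)
{
    byte prev = 0;
    for (size_t i = 0; i < n; i++) {
        byte cur = in[i];                 /* save before out[i] may overwrite it */
        out[i] = (byte)(cur - prev - ENC_CONST);
        prev = cur;
    }
}

/* Constructed test vector: the ASCII bytes "cmd" encoded by hand under
   ENC_CONST (0x63+0x17=0x7A, 0x6D+0x7A+0x17=0xFE, 0x64+0xFE+0x17=0x79 mod 256). */
static const byte SAMPLE_ENC[3] = { 0x7A, 0xFE, 0x79 };

/* Decodes SAMPLE_ENC in place and returns 1 if it yields "cmd". */
static int rc_sample_decodes_to_cmd(void)
{
    byte buf[3];
    memcpy(buf, SAMPLE_ENC, sizeof buf);
    rc_decode(sizeof buf, buf, buf);      /* in-place decode */
    return memcmp(buf, "cmd", 3) == 0;
}

/* Encodes "cmd" and returns 1 if the result matches SAMPLE_ENC. */
static int rc_sample_encodes_from_cmd(void)
{
    byte out[3];
    rc_encode(3, (const byte *)"cmd", out);
    return memcmp(out, SAMPLE_ENC, 3) == 0;
}

/* Round trip over a buffer holding every byte value; returns 1 on success.
   This exercises the wrap-around cases (sums above 0xFF) a short vector misses. */
static int rc_roundtrip_all_bytes(void)
{
    byte msg[256], enc[256], dec[256];
    for (int i = 0; i < 256; i++) msg[i] = (byte)i;
    rc_encode(256, msg, enc);
    rc_decode(256, enc, dec);
    return memcmp(msg, dec, 256) == 0;
}

int main(void)
{
    byte buf[3];
    memcpy(buf, SAMPLE_ENC, sizeof buf);
    rc_decode(sizeof buf, buf, buf);
    printf("decoded: %.3s (roundtrip %s)\n", buf,
           rc_roundtrip_all_bytes() ? "ok" : "FAILED");
    return 0;
}
```

The in-place variant is the one to use on a captured payload: point both arguments at the packet body and the encoded bytes are replaced by the clear command. Because every arithmetic step is modulo 256, the encoding is a bijection on byte strings, which the all-bytes round trip confirms.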
- Identify one method of detecting this network traffic using a method that is not just specific to this situation, but other ones as well.
There are several aspects of the packets used by this binary that are suitable for detection purposes. The commands to the binary, plus any responses, use IP protocol number 12. A generic criterion, then, would look for any packets with an IP protocol other than 1 (ICMP), 6 (TCP) and 17 (UDP). Other protocols that may legitimately be in use must also be exempted. One common exemption is GRE (47) for VPNs.
The various attacks are harder to identify since random values are used for port numbers, IDs and TTL values. However, there are a few things we can look for. As discussed above, the UDP and ICMP attacks make use of malformed IP headers. We can therefore look for packets with the fragment bit clear and the fragment offset not equal to zero. Other forms of invalid header values can also be used.
One other consistent pattern is that the connection to the shell server is always on port 23???. To generalize this, one could look for incoming TCP connections to a high-numbered port (> 16000). This could also pick up active FTP connections and P2P programs.
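As an added illustration (not from the original writeup, and not a tool used in the challenge), the program below applies the two generic criteria just described to raw IPv4 packets: it flags any packet whose IP protocol is outside an allow-list of ICMP, TCP, UDP and GRE, and any TCP connection attempt (SYN without ACK) to a destination port above 16000. The function names, the allow-list array and the constructed packets are assumptions of this example; the 16000 threshold and the exempted protocols are the ones the text gives. Direction cannot be read from a header, so "incoming" is assumed from where the capture is taken.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result of classifying one packet: NO_FLAG means nothing matched. */
enum flag_reason { NO_FLAG = 0, UNEXPECTED_PROTO = 1, HIGH_PORT_TCP_SYN = 2 };

/* IP protocol numbers expected on an ordinary link: ICMP, TCP, UDP, plus GRE
   for VPN tunnels (the exemption the text mentions). Extend per site. */
static const uint8_t allowed_protos[] = { 1, 6, 17, 47 };

/* Destination-port threshold for "high-numbered port" from the text. */
#define HIGH_PORT_THRESHOLD 16000

static int proto_allowed(uint8_t proto)
{
    for (size_t i = 0; i < sizeof allowed_protos; i++)
        if (allowed_protos[i] == proto) return 1;
    return 0;
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify a raw IPv4 packet (IP header followed by its payload). */
static int classify_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return NO_FLAG;   /* not IPv4: out of scope */
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;             /* header length incl. options */
    if (ihl < 20 || len < ihl) return NO_FLAG;             /* truncated or malformed */

    uint8_t proto = pkt[9];
    if (!proto_allowed(proto)) return UNEXPECTED_PROTO;

    /* TCP: a SYN without ACK to a high port is a new connection attempt. */
    if (proto == 6 && len >= ihl + 20) {
        uint16_t dport = be16(pkt + ihl + 2);
        uint8_t tcp_flags = pkt[ihl + 13];
        if (dport > HIGH_PORT_THRESHOLD && (tcp_flags & 0x12) == 0x02)
            return HIGH_PORT_TCP_SYN;
    }
    return NO_FLAG;
}

/* Build a constructed 20-byte IPv4 header plus a 20-byte TCP header with the
   given protocol, destination port and TCP flags, then classify it. Addresses
   are RFC 5737 documentation addresses; checksums stay zero because the
   classifier does not check them. */
static int classify_constructed(uint8_t proto, uint16_t dport, uint8_t tcp_flags)
{
    uint8_t pkt[40];
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 0x45;                                      /* version 4, IHL 5 */
    pkt[2] = 0; pkt[3] = 40;                            /* total length */
    pkt[8] = 64;                                        /* TTL */
    pkt[9] = proto;
    memcpy(pkt + 12, (uint8_t[]){192, 0, 2, 1}, 4);     /* src 192.0.2.1 */
    memcpy(pkt + 16, (uint8_t[]){198, 51, 100, 7}, 4);  /* dst 198.51.100.7 */
    pkt[20] = 0x04; pkt[21] = 0xD2;                     /* source port 1234 */
    pkt[22] = (uint8_t)(dport >> 8); pkt[23] = (uint8_t)dport;
    pkt[32] = 0x50;                                     /* TCP data offset 5 */
    pkt[33] = tcp_flags;
    return classify_ipv4(pkt, sizeof pkt);
}

int main(void)
{
    printf("proto 11           -> %d\n", classify_constructed(11, 0, 0));
    printf("GRE                -> %d\n", classify_constructed(47, 0, 0));
    printf("tcp SYN :80        -> %d\n", classify_constructed(6, 80, 0x02));
    printf("tcp SYN :23456     -> %d\n", classify_constructed(6, 23456, 0x02));
    printf("tcp SYN/ACK :23456 -> %d\n", classify_constructed(6, 23456, 0x12));
    return 0;
}
```

Checking the SYN/ACK combination rather than the port alone is what keeps the high-port rule from firing on every reply leaving a client's ephemeral port; the FTP and P2P false positives the text mentions remain, since those are genuine inbound connection attempts.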
- Identify and explain any techniques in the binary that protect it from being analyzed or reverse engineered.
There are a number of factors that contributed to its "protection" from analysis. First, as expected, the binary was statically linked and stripped. This meant that none of the functions in the binary were identified by name. Matching functions from the binary to those in the standard C library was made more difficult by the old version of the library used. A Slackware 3.5.0 distribution (kernel 2.0.33) I had acquired in summer 1998 has a newer library version (5.4.44) than that in the executable (5.3.12). Similarly, the compiler is a correspondingly old version (2.7.2 vs. Slackware's 2.90.29).
There are a number of small features that make it more difficult to analyse. All parameters are passed byte by byte (i.e. 4 bytes for an IP address). There are a number of awkward programming sequences, and the decode routine appears much longer than a straightforward one. For the most part, these features don't really increase the skill required to investigate the program, but just make it more tedious.
- Identify two tools in the past that have demonstrated similar functionality.
Bonus Questions: The bonus questions are open-ended questions. They are used when submissions are too close together to tell apart. The bonus question is then used to identify a winner when entries are tied for a position.
- What kind of information can be derived about the person who developed this tool? For example, what is their skill level?
As mentioned in the question on protections from reverse engineering, there are a number of features that add to the effort required but not to the conceptual difficulty. There are two ways to view these. Either they are simply the result of an inexperienced programmer, or they were intended for obfuscation. If the latter, the author has not achieved much except for making it a little tedious. Certainly no barriers were placed to prevent simply slogging through the disassembly listing. Either case points to a mediocre programmer.
- What advancements in tools with similar purposes can we expect in the future?