Tuts 4 You

How to get Strings which are stored in memory of a win32 application?


i.zeid

I have a Win32 app which is programmed in C++ with Qt.

I tried to decompile it with Boomerang, but Boomerang suddenly closes when it reaches 99% of the decompilation progress.

Now I am trying to look at the parameters that this program sends over an SSL/TLS connection to its own server.

I found some articles about this, and I found that the program actually stores some valuable data in memory for decrypting the SSL/TLS traffic using Wireshark, which is the Session-id and Master-secret.

As I read, I found that there is actually a way to extract the master-secret from memory, but I don't know how to do that. Is there anyone who can point me in the right direction and tell me with which program and how I can do that?



1) Forget about Boomerang, it's a scientific experiment, not a real tool. You could try HexRays decompiler plugin for IDA - but it's not really necessary if you're only interested in strings.


2) Fiddler can intercept HTTPS traffic if the application doesn't validate server certificate (most apps don't).


Thank you, but there is a problem. It does not accept any proxy. I tried using Proxifier to redirect traffic through Fiddler but it didn't work. Actually, it is validating the traffic.


I'd start by learning how Qt handles SSL sockets - http://qt-project.org/doc/qt-4.8/network-securesocketclient-sslclient-cpp.html

It's very likely your app uses some combo of QtAbstractSocket, QString, QSslCipher. Learn how those look in asm, then hook whatever app-specific function is used for socket writes and write code to log arguments to a file.

edit - unless the coder rolled their own SSL libs from scratch, which is not likely, they had to use some 3rd party lib like curl, Qt, boost, etc (fyi - curl/boost can be used inside Qt code). Find which one and hook it.


Edited by simple
These are some concepts that I'm not familiar with. I'm not a pro, I'm a newbie. If there are some tutorials that I have to learn, give me the link. I will follow it hard.

Edited: By the way, it checks CRC, so when there is even a one-bit change, the program exits.

Edited by i.zeid

or use an API logger/monitor... look for winsock/ssl library calls like

openssl -> SSL_write -> plaintext will be encrypted

http://www.rohitab.com/apimonitor

Thank you Aguila. Finally I was able to see the memory, but I could not find the master-secret yet...

I'm on it.... It will work soon..... Thank you all for your time and help.


  • 3 weeks later...

You simply need to decode the stack and dump the memory for the correct address based on the SSL_write documentation and the calling convention in use. 
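
The stack layout the reply above refers to, as an added example that is not part of the original thread: OpenSSL documents the prototype as `int SSL_write(SSL *ssl, const void *buf, int num)`, and the code below decodes a stack snapshot taken at function entry and bounds-checks the plaintext copy. It assumes a 32-bit cdecl build (the thread does not say which convention the app uses); all type and function names, and the sample bytes, are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* 32-bit cdecl at the callee's first instruction, before any prologue runs:
 *   [esp+0] return address, [esp+4] ssl, [esp+8] buf, [esp+12] num          */
typedef struct { uint32_t ret_addr, ssl, buf; int32_t num; } ssl_write_args;
/* A captured memory region; base is the address its first byte had in the process. */
typedef struct { uint32_t base; const uint8_t *bytes; size_t len; } mem_region;

/* Read one little-endian 32-bit word from a raw snapshot. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode the four top-of-stack words. Returns 0, or -1 if the snapshot is
 * too short or the buf/num pair is not plausible (NULL buffer, num <= 0). */
int decode_ssl_write_stack(const uint8_t *stack, size_t len, ssl_write_args *out) {
    if (len < 16) return -1;
    out->ret_addr = le32(stack);
    out->ssl      = le32(stack + 4);
    out->buf      = le32(stack + 8);
    out->num      = (int32_t)le32(stack + 12);
    return (out->num > 0 && out->buf != 0) ? 0 : -1;
}

/* Copy the plaintext described by buf/num out of a captured region without
 * reading past the region or the destination. Returns bytes copied, or -1. */
long dump_plaintext(const ssl_write_args *a, const mem_region *m, uint8_t *dst, size_t cap) {
    if (a->num <= 0 || a->buf < m->base) return -1;
    size_t off = a->buf - m->base, n = (size_t)a->num;
    if (off > m->len || n > m->len - off || n > cap) return -1;
    memcpy(dst, m->bytes + off, n);
    return (long)n;
}

/* Constructed sample data, not taken from a real process. */
static const uint8_t SAMPLE_STACK[16] = {
    0x10, 0x32, 0x40, 0x00,   /* return address 0x00403210 */
    0x80, 0x5a, 0x1c, 0x00,   /* ssl = 0x001c5a80 */
    0x04, 0x00, 0x2f, 0x00,   /* buf = 0x002f0004 */
    0x0e, 0x00, 0x00, 0x00    /* num = 14 */
};
static const uint8_t SAMPLE_HEAP[] = "....GET / HTTP/1.1\r\n";
static const mem_region SAMPLE_REGION = { 0x002f0000, SAMPLE_HEAP, sizeof SAMPLE_HEAP - 1 };

int main(void) {
    ssl_write_args a; uint8_t out[64];
    if (decode_ssl_write_stack(SAMPLE_STACK, sizeof SAMPLE_STACK, &a) != 0) return 1;
    return dump_plaintext(&a, &SAMPLE_REGION, out, sizeof out) == 14 ? 0 : 1;
}
```

On a 64-bit build the three arguments arrive in registers rather than on the stack, so the offsets above do not apply there.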

