You are browsing the archive for Archaeology.

Enter Sandbox part 24: Intercepting Buffers #3 – The Punto H & magic points

January 19, 2019 in Archaeology, Batch Analysis, Sandboxing

I mentioned that monitoring buffers is the key to quickly understand the software inner workings. It doesn’t work all the time, but in majority of cases it does. More so, in ‘desperately’ challenging cases it may help to gain access to the internals of a highly obfuscated code, sometimes even virtualized, and may help to understand large, bulky programs that are really hard to analyze using ‘static’ tools.

Now, we are so used to primarily monitor APIs, and the buffers that these APIs handle, that we often forget that there are many additional places where the monitoring could take place.

I listed a lot of examples in the past. And there are always more ideas. Think of it – your sandbox is your baby. You know every single bit of it. You control its existence. You can extract hard-coded addresses for certain functions, or patch some code. You can modify the OS any way you want. You can even replace every OS single file, disable OS anti-tampering code, introduce clever redirections, callbacks – sky is the limit really. It is a controlled environment. Let’s be adventurous with that.

And yes, this is hard, and perhaps sounds like a very abstract idea, but these are many of available possibilities that may actually work well, if applied to modern sandboxes leveraging techniques that typically focus on inspecting the guest system from the outside (as opposed to old API monitors).

You may ask – it all sounds nice, why don’t I provide some more specific example? I am glad you asked. This is the topic of this post.

I personally find the Punto.H / Point.H trick to be one of the best examples of such cleverly placed breakpoints. The trick was developed by a community mainly focused on an art of software cracking and…. very looooooong time ago (the trick is often attributed to Ricardo Narvaja). And yes, it sounds archaic, and it really is.

How does it work?

The old shareware applications usually asked for a serial key. Most of them, especially in the early days, would just ask for a string provided by the user. Once entered, the serial would be retrieved from the UI control (edit box), and would be tested with the program’s serial verification routine. If the serial was OK, program would be reconfigured as ‘registered’.

Shareware programs were very popular back then, but many of them were quite bulky, plus there was no decompilers yet, and it was quite a pain to analyze them. The observant reversers noticed that by intercepting the calls to the internal function called ‘hmemcpy’ they could see all the data being sent between the program UI and its internals. The first letter of the function gave the name to the actual technique: ‘Punto.H’ (since it was very popular among Spanish-speaking crackers, I opted to use the Spanish name in this article, instead of English ‘Point.H’).

So, catching these buffers pretty much was the first step to crack serials. Once you got the buffer, you could track it and eventually reach the actual routine that was processing it. And then, either patch the code to bypass the serial check, or more advanced reversers would write a serial generator, one that would generate strings that the program would accept. It sounds pretty simple, but typically required many hours of work. The Punto.h trick simplified the cracking process a lot.

Again, it’s really different now with regards to software protection, but this technique still illustrates the point: you need to look for good places where you can add breakpoints for monitoring. Punto.h was so popular that even today there are still many plug-ins that implement this technique and its clones, often introducing many other and additional breakpoints for other software platforms, for example:

advpack.dll ! DelNodeRunDLL32 and its flags

November 24, 2018 in Archaeology, Living off the land, LOLBins

It’s one of these “I was looking at something else, and as usual, came across something else” cases. In this particular instance it was the good ol’ DelNodeRunDLL32 function exported by the advpack.dll.

A quick search followed, and I soon discovered that @bohops twitted about it a while ago, so there was not that much to add…

However…

Looking closer at the DelNodeRunDLL32W function I noticed that it tries to take two arguments, not one, as originally assumed. If the second argument is not present, it is assumed to be 0.

Why not checking what the second argument is all about though? And here we are…

A few more Google searches later we can (re-)discover that DelNodeRunDLL32 function can delete both individual files, and whole directories + change its behavior if we ask it too.

How?

Via its flags. Ones that we can choose to pass via a command line argument (the second one, as you guessed by now).

Again, googling around I came across this header file that lists all the flags that are documented:

// FLAGS:
#define ADN_DEL_IF_EMPTY 0x00000001 // delete the directory only if it's empty
#define ADN_DONT_DEL_SUBDIRS 0x00000002 // don't delete any sub-dirs; delete only the files
#define ADN_DONT_DEL_DIR 0x00000004 // don't delete the dir itself
#define ADN_DEL_UNC_PATHS 0x00000008 // delete UNC paths

Running

  • rundll32.exe advpack.dll,DelNodeRunDLL32 “c:\test” – will wipe out the whole ‘test’ directory
  • rundll32.exe advpack.dll,DelNodeRunDLL32 “c:\test\file” – will delete the ‘file’ only
  • rundll32.exe advpack.dll,DelNodeRunDLL32 “c:\test”,4 – will wipe out the whole ‘test’ directory except the ‘test’ directory itself
  • rundll32.exe advpack.dll,DelNodeRunDLL32 “c:\test”,1 – will wipe out the whole ‘test’ directory only if it is empty

Little trivia, but always…