                       __    _                         __    _ 
 _      ______  ____  / /_  (_)  _      ______  ____  / /_  (_)
| | /| / / __ \/ __ \/ __ \/ /  | | /| / / __ \/ __ \/ __ \/ / 
| |/ |/ / /_/ / /_/ / /_/ / /   | |/ |/ / /_/ / /_/ / /_/ / /  
|__/|__/\____/\____/_.___/_/    |__/|__/\____/\____/_.___/_/   
                                                               
                           __          
    ____  ____ _____  ____/ /___ ______
   / __ \/ __ `/ __ \/ __  / __ `/ ___/
  / /_/ / /_/ / / / / /_/ / /_/ (__  ) 
 / .___/\__,_/_/ /_/\__,_/\__,_/____/  
/_/                                    

                                            Production
                                            


===[ Reversing the usb.exe Windows challenge
by [pandas] Tora


===[ Introduction

This challenge was part of the Codegate 2009 Hacking Festival, and running
the application only shows a big empty window without any further
instructions. 


===[ Reversing details

After a first look at the binary, we can see that WinMain only creates a
window, so we must dig into its WndProc, located at 004018C0:

LRESULT CALLBACK WindowProc( HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam )
{
    static HDEVNOTIFY hNotify = NULL;   /* handle returned at WM_CREATE */

    switch(uMsg)
    {
       case WM_CREATE:
       {
         /* ask for notifications about mounted volumes
            (MOUNTDEV_MOUNTED_DEVICE_GUID, as seen in the binary) */
         DEV_BROADCAST_DEVICEINTERFACE filter;
         ZeroMemory(&filter, sizeof(filter));
         filter.dbcc_size       = sizeof(filter);
         filter.dbcc_devicetype = DBT_DEVTYP_DEVICEINTERFACE;
         filter.dbcc_classguid  = MOUNTDEV_MOUNTED_DEVICE_GUID;
         hNotify = RegisterDeviceNotification(hwnd, &filter, DEVICE_NOTIFY_WINDOW_HANDLE);
         break;
       }
       case WM_CLOSE:
         UnregisterDeviceNotification(hNotify);
         DestroyWindow(hwnd);
         break;
       case WM_DESTROY:
         PostQuitMessage(0);
         break;
       case WM_DEVICECHANGE:
         /* only the arrival of a new device is handled; the body is
            described in the following sections */
         if (wParam == DBT_DEVICEARRIVAL)
         { ... }
         break;
       default:
         return DefWindowProc(hwnd, uMsg, wParam, lParam);
    }
    return 0;
}

Ok, here we have the typical message handling switch: when the window is
created, it asks the OS via RegisterDeviceNotification() to receive events/
notifications whenever a device of class MOUNTDEV_MOUNTED_DEVICE_GUID interacts
with the system. That means this window will be notified every time a device
has a status change, but if we look carefully at WM_DEVICECHANGE, the window
is only interested in the precise moment a new device is added
(DBT_DEVICEARRIVAL).

When a new device is added to the system, the code at 00401080 checks the
device name for the substrings that identify a RemovableMedia or a USBSTOR
Disk device. If the device is neither a RemovableMedia nor a USBSTOR Disk, the
program ignores it.

The next step is to create a new thread (00401760), passing the full device
name as its parameter. This thread calls a string decryption routine (placed
at 00401000) several times. This function is a simple XOR decryption, and we
will point out the concrete password (key) used in every call.

Once the thread starts, it parses the full device name to obtain its
DeviceID, which has the format "%d&%08X&%d". Then the program takes part of
our full device name (characters 4 to 11, which are always "STORAGE") to
decrypt the string "SYSTEM\MountedDevices" and uses it to access that key
under HKLM in the registry. The reason is simple: this is where the OS stores
the drive letters assigned to new devices, so the program is looking for the
drive letter assigned to a concrete DeviceID. In MountedDevices we have the
currently assigned drive letters (entries starting with "\DosDevices\") and a
history of mounted volumes represented as "\??\Volume{GUID}"; that's the
reason the binary looks only for the "DosDevices" entries.

Once it has the drive letter, the binary decrypts (again using "STORAGE" as
the password) the string "%c:\" in order to build the path of the newly
arrived device, and then calls 00401520. This function first decrypts (using
"%c:\" as the password) the string "sohot.txt"... maybe the author is a Wonder
Girls' fan xDD Whatever the reason for the name, the program opens that file
on the newly arrived device and reads a string from it. This string is
compared with "sleepy.." (decrypted using "sohot.txt" as the password) and, if
the strings match, the program shows a final message box with the string
"you win kkk", decrypted using "sohot.txt sleepy.." as the password.
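The whole string chain above, modelled as an added Python example (not code from the write-up or from the binary): the XOR routine is assumed to be a repeating-key XOR, and the ciphertexts, device name, MountedDevices entries and file contents are constructed samples, since the real bytes are not reproduced here.

```python
import re

def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (the key mode is an assumption); symmetric, so it decrypts too."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Decryption order and the key for each string, as the write-up describes the chain:
# every key is a string recovered earlier (or a concatenation of two of them).
ORDER = ["mounted_devices", "drive_fmt", "filename", "expected", "win_msg"]
KEY_OF = {
    "mounted_devices": lambda r: r["seed"],
    "drive_fmt":       lambda r: r["seed"],
    "filename":        lambda r: r["drive_fmt"],
    "expected":        lambda r: r["filename"],
    "win_msg":         lambda r: r["filename"] + " " + r["expected"],
}
# Constructed sample: the write-up's plaintexts, re-encrypted so the chain runs offline.
PLAINTEXTS = {"mounted_devices": "SYSTEM\\MountedDevices", "drive_fmt": "%c:\\",
              "filename": "sohot.txt", "expected": "sleepy..", "win_msg": "you win kkk"}

def build_encrypted_table() -> dict:
    known = dict(PLAINTEXTS, seed="STORAGE")
    return {n: xor_crypt(PLAINTEXTS[n].encode(), KEY_OF[n](known).encode()) for n in ORDER}

def decrypt_chain(table: dict, device_name: str) -> dict:
    """Recover every string starting only from characters 4..11 of the device name."""
    r = {"seed": device_name[4:11]}              # "STORAGE" in a \\?\STORAGE#... name
    for n in ORDER:
        r[n] = xor_crypt(table[n], KEY_OF[n](r).encode()).decode()
    return r

DEVICE_ID_RE = re.compile(r"\d+&[0-9A-Fa-f]{8}&\d+")   # the "%d&%08X&%d" DeviceID

def solve(device_name: str, table: dict, mounted: dict, files: dict):
    """Model of the thread's checks over constructed inputs: the final message or None."""
    m = DEVICE_ID_RE.search(device_name)
    if m is None or not ("RemovableMedia" in device_name or "USBSTOR" in device_name):
        return None                              # not a removable/USBSTOR device: ignored
    s = decrypt_chain(table, device_name)
    # `mounted` stands in for HKLM\SYSTEM\MountedDevices; only \DosDevices\X: entries count
    letter = next((k[12] for k, v in mounted.items()
                   if k.startswith("\\DosDevices\\") and m.group(0) in v), None)
    if letter is None:
        return None
    path = s["drive_fmt"].replace("%c", letter) + s["filename"]   # e.g. "E:\sohot.txt"
    first_line = files.get(path, "").splitlines()[:1]
    return s["win_msg"] if first_line == [s["expected"]] else None
```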


===[ Closing summary

So, in order to complete the challenge and get the "you win kkk" message, you
only need to insert a removable media device with a file called "sohot.txt"
in its root folder whose first line contains only the string "sleepy..".
Easy, huh?

Woobi woobi pandas'09


