   CodeAche
   This is the part 2 portion. (About 90% done; the remaining 10%, roughly 30~40 seconds' worth, is still unfinished.)

http://www.hackerschool.org/HS_Boards/zboard.php?id=HS_Translate&no=81


Which funny story ** really hard when I was trying to do the demo.
Here's one funny story: the Code Red that I was going to demo

** Code Red I managed to, after working on me, managed *** my demo on day *** still idle.
The work period is over, but I still haven't been able to finish it.

The other reason you want to be good at assembly is that you can reuse the code fragments.
The other reason you want to be good at assembly is that you become able to reuse the code fragments inside a binary.

It means you can actually take pieces out of malicious? code.
In other words, it means you can pull particular parts out of malicious code.

Maybe there's a particular function that does some encryption / decryption, [or a] communication routine.
Among them there may be functions that encrypt or decrypt something,

And if necessary you want to disassemble and identify ** piece you can pull **** if there's a need to do that.
You can also pull it out when you need to disassemble or find out what some routine does.

I usually find there's an application we have added? it to pull the piece out and I want to write it outside the program.
I usually look around for a program that contains some useful routine.

You can also, if you have a need to,
Also, if you need to,

hopefully most of the time you * , you can actually make modifications to pieces of malicious code.
you could also make modifications to particular routines inside the malicious code.

And for useful research purposes, I ** couple of times, I've taken a worm and I partially *** it?
And for research purposes, also when testing a worm (virus),

in order to make it a little bit safer to work with,
you can run only a part of the worm in order to work safely.

or so that I could run one piece of it and not have the rest of the code infect(??) the box, or
Or you could run only a particular part, excluding the part that infects your system.

you know, that sort of thing.
Well, those kinds of things are possible.

So, hopefully most of the time you have to do this; one problem with disassembly is that often?? it's the slowest method to get a particular answer, but it is the most complete?.
When you do this kind of work, one problem with disassembling is that it takes a very long time to get an answer.

There's a particular purpose to disassembly, and this is un?, and for a piece of malicious code that's probably just? about the only reason you'll be looking at it: you want to know what it does.
The main purpose of disassembling is for you to find out what the code does.

You're now actually trying to run it, for example.
Probably, to do that, you'd run the program.

You're trying to get the binary into your head, you're trying to install this worm ** your brain, you have some idea how it works.
If you put the binary into your head and install it there, you'll be able to see how the binary works.

If you work for a company that does reports on that sort of thing,
If you work at a company that reports on things like malicious code,

you're trying to ** you had **** go back and do a report? on, or hand it off to the guys who want to write? at this infector?
hand the malicious-code reports that get written over to the attacker, or (???)
or you want to be able to write some tools that can spot/identify, maybe some IDS and intruders?
Or you could write a program that detects intruders.

Most of the time you are not trying to modify the binary, find a vulnerability in it, or fix and improve it.
If you aren't modifying the binary, in that time you can look for vulnerabilities or fix them.

This is a little bit different from a number of other types of true reverse engineering you might do.
This will be a bit different from the other kinds of reverse engineering you'll do.

This is ** someone's? been talked about, someone's? is something else she might do, my preferred example.

If you're trying to crack the ** scheme or some other protection on a program, typically you will be modifying the binary as a result.
If you're trying to crack some protection mechanism on a program, that means you'll end up having to modify the binary itself.

We're not usually trying to do that with a worm.
Usually we don't do modification work on a worm.

For vulnerability research, you're trying to find particular function calls, and where the program tries to check buffer sizes.
For vulnerability research you'd look for particular function calls or compute buffer sizes.

All those sorts of things she was due to fuck? find a vulnerability in a program; we're not usually trying to do that with the worm.
This kind of work is done to find vulnerabilities; it's not something normally done on a virus.

[ **** ]  you've been some interesting  

A buffer overflow in the worms move * one of the worms took advantage of an overflow in the FTP server of a previous worm.
What an overflow in a worm means is that when moving from a previous worm to another worm, it can be more efficient by exploiting an overflow vulnerability in the ftp server, or something like that.

You are not trying to bug *** , you are not trying to make it work better.
It means that if you don't find the bugs in some code, that code can't be made more stable.

I'll give an example.
Let me give one example.

In the * Nimda worm * a couple of years back,
A few years ago the Nimda virus was going around.

there was a routine in it where it would go through
This Nimda virus had a certain routine,

and infect a bunch of files or move a bunch of files, drop itself, that sort of thing.
This routine was malicious code that infected files, then moved those files or deleted itself, and so on.

This aim routine was used to go through and delete everything on your hard drive.
This routine ended up deleting everything on the hard drive.

** called Nimda ** actually did that, that's because they was a fly-crew **** just don't do this.

I guess the [ virus*** ] have nervous ** that particular feature off.
Probably for that reason some Virus-whatever turned that feature off.

We're not necessarily trying to debug it and fix it, turn the features back on.
We don't need to debug or modify it to turn that back on.

We are not usually trying, for a piece of malicious code, to analyze it ** purposes of pulling out * algorithms,
We don't need to analyze malicious code in order to extract a particular algorithm.

We're not trying to reverse engineer so that we can inter-operate? properly.
There's no need to reverse engineer it, either.

We are not trying to figure out the legal? algorithms that it does so that we can [ ****** program ].

And these are some of the reasons why malicious code analysis is easy.
What you're looking at now are the reasons malicious code analysis is easy.

I think easy **** easier than, for example, reverse engineering attendendy? ask ***

We don't need to patch the binary, typically.
Technically, we don't need to patch the binary.

We already know some of what it does; these aren't important features.
Because we already know, at least in part, what it does, and those aren't especially important parts,

You have a suspicion ** that this piece of code we're looking at has ** characters she knows? piece of malicious code, or have a strong suspicion that it is.
We already know the suspicious parts inside the binary, and these parts contain the strings that some malicious code typically carries.

And oftentimes the way you got it tells you ** about how *** already; for example, if you're aware of this worm out there, *** honeypot to ***** analyze it

you are ** that worm, you know how it spreads, someone *** what port number they use, that sort of thing

so we can make big sweeping assumptions allow the time we ** malicious code, and this being the step when we're looking through steps into the binary
you can say 'oh OK, I can see this routine looks like a mailer?? ask HTTP client and talk, gonna assume that allow the code below at [*******]
and the only *** by need to *** not piece
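The speaker's last point is that the strings a suspicious binary carries let you make sweeping assumptions about what a routine is (a mailer, an HTTP client, a file infector) before you spend time disassembling it. The Python below is an added worked example of that triage step; it is not code from the talk, the transcript or the translator. The indicator lists, the group names and the embedded sample bytes are all constructed for the example.

```python
"""String-based triage of an unknown binary.

Added example, not from the original transcript or its translator: it
implements the "sweeping assumption" step the speaker describes, where a
routine that carries SMTP or HTTP strings is provisionally labelled a mailer
or an HTTP client before anyone disassembles it. The indicator lists, the
group names and the sample blob below are all constructed for this example.
"""
from __future__ import annotations

import re
from collections import defaultdict

MIN_LEN = 4  # same threshold the classic `strings` tool uses

# Indicator group -> substrings that hint at what a routine does.
# Constructed for this example; an analyst would grow these from experience.
INDICATORS: dict[str, list[str]] = {
    "mailer": ["HELO ", "EHLO ", "MAIL FROM:", "RCPT TO:"],
    "http_client": ["GET /", "POST /", "Host: ", "User-Agent:"],
    "file_infector": ["*.exe", "*.htm", "FindFirstFile", "CopyFile"],
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes in data."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in run.finditer(data)]


def classify(strings: list[str]) -> dict[str, list[str]]:
    """Map each indicator group to the indicators seen; groups with no hit are omitted."""
    hits: dict[str, list[str]] = defaultdict(list)
    for group, needles in INDICATORS.items():
        for needle in needles:
            if any(needle in s for s in strings):
                hits[group].append(needle)
    return dict(hits)


def triage(data: bytes) -> dict[str, list[str]]:
    """Convenience wrapper: raw bytes -> provisional role labels for one blob."""
    return classify(extract_strings(data))


# Constructed sample: a few embedded strings surrounded by non-printable
# bytes, standing in for one suspicious section of an unknown executable.
SAMPLE_BLOB = (
    b"\x00\x8b\xec\x83\xec\x10"
    b"HELO mail.example.invalid\x00"
    b"\x90\x90\xff\x15"
    b"MAIL FROM:<%s>\r\n\x00RCPT TO:<%s>\r\n\x00DATA\r\n\x00"
    b"\xc3\x00\x00\x00"
    b"GET /index.html HTTP/1.0\r\nHost: %s\r\n\x00"
    b"*.exe\x00FindFirstFileA\x00"
    b"\x01\x02ab\x03"  # "ab" is shorter than MIN_LEN and is ignored
)

if __name__ == "__main__":
    for group, found in triage(SAMPLE_BLOB).items():
        print(f"{group}: {found}")
```

Run it and the sample section comes back labelled as a mailer, an HTTP client and a file infector at once, which is exactly the kind of quick hypothesis the speaker means. A string hit is only a starting assumption: it tells you which routine to disassemble first, and disassembly, slow as the talk says it is, remains the step that confirms or refutes the label.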

  Hit : 1663     Date : 2011/08/02 04:10



    