ALL-IN-ONE PLATFORM
esDynamic
Manage your attack workflows in a powerful and collaborative platform.
Expertise Modules
Executable catalog of attacks and techniques.
Infrastructure
Integrate your lab equipment and remotely manage your bench.
Lab equipments
Upgrade your lab with the latest hardware technologies.
PHYSICAL ATTACKS
Side Channel Attacks
Evaluate cryptography algorithms from data acquitition to result visualisation.
Fault Injection Attacks
Laser, Electromagnetic or Glitch to exploit a physical disruption.
Security Failure Analysis
Explore photoemission and thermal laser stimulation techniques.
EXPERTISE SERVICES
Evaluation Lab
Our team is ready to provide expert analysis of your hardware.
Starter Kits
Build know-how via built-in use cases developed on modern chips.
Cybersecurity Training
Grow expertise with hands-on training modules guided by a coach.
ALL-IN-ONE PLATFORM
esReverse
Static, dynamic and stress testing in a powerful and collaborative platform.
Extension: Intel x86, x64
Dynamic analyses for x86/x64 binaries with dedicated emulation frameworks.
Extension: ARM 32, 64
Dynamic analyses for ARM binaries with dedicated emulation frameworks.
DIFFERENT USAGES
Penetration Testing
Identify and exploit system vulnerabilities in a single platform.
Vulnerability Research
Uncover and address security gaps faster and more efficiently.
Malevolent Code Analysis
Effectively detect and neutralise harmful software.
Digital Forensics
Collaboratively analyse data to ensure thorough investigation.
EXPERTISE SERVICES
Software Assessment
Our team is ready to provide expert analysis of your binary code.
Cybersecurity training
Grow expertise with hands-on training modules guided by a coach.
INDUSTRIES
Semiconductor
Security Labs
Governmental agencies
Academics
ABOUT US
Why eShard?
Our team
Careers
FOLLOW US
Linkedin
Twitter
Youtube
Gitlab
Github
SWF file unpacking with esReven
(source: wikimedia commons)
Β
Recently we took a look at a new flash player exploit used by the Angler exploit kit. The sample was obfuscated using the well known βpackingβ technique: the dropped swf file embeds a second stage swf in the form of an encrypted blob that will be decrypted at runtime and then executed using the loader.loadbytes ActionScript API.
In order to extract the exploit code, we need to remove those multiple obfuscation layers. We could reverse engineer the ActionScript code to try and decrypt the second stage, or we could simply load the swf file in a flash player instance and let it unpack the sample for usβ¦
Letβs see how we could do the latter in esReven:
Β
Dynamic unpacking
Β
The idea behind dynamic unpacking is that in order to be executed, sooner or later the final stage code has to be decrypted and stored in memory. This is perfect as esReven provides a dead simple way to retreive memory chunks from an execution trace.
Once a trace of the swf file execution is generated, we extract a memory snapshot at the end of the trace and browse it β looking for swf content. According to the SWF File Format Specification, the uncompressed SWF file header contains an βFWSβ string followed by a version byte and the file size in a double-word integer. This is enough to find and dump all all swf files in the memory dump.
Enough theory, letβs code some esReven script.
Β
The first step is to choose an execution point at wich the memory will contain the final stage code. We might search for the last allocations done by the flash player binary but we will keep it simple and select the last instruction of the trace.
import reven # Connect to reven rvn = reven.reven_connection("localhost", 13371) # Get the last execution point of the trace run = "Execution run" sequence = rvn.run_get_sequence_count(run) -1 point = reven.execution_point(run, sequence, 0) # Get the base address of the (Windows) data segment ds = 0x23 address = reven.logical_address(ds, 0)
Then, we look for the βFWSβ string in the wall segment and for each matching address, we retreive the swf size from the header and dump the chunk to disk.
matches = rvn.memory_search_buffer(point, address, address + 0xffffffff, "FWS") for match in matches: # 0 4 8 # +---------------------+-------+ # | Signature | Version | Size | # +---------------------+-------+ try: size = rvn.memory_get_dword(point, match+4) swf = rvn.memory_get_buffer(point, match, size) except: # Memory accesses may throw exception if requested chunk isn't mapped continue filename = str(match.offset)+'.swf' f = open(filename, 'w') f.write(swf) f.close()
And we are done, with this tiny script we can easily extract all swf files from memory β avoiding boring manual unpacking. Of course malware authors have found contermeasures and for example, some malicious swf file may create hundreds of fake swf headers in memory, but this is another story.
Β
Tiny easy
Β
The goal of this short post was to show how esReven compares to other debuggers in the case of the well known task of object memory extraction. We hope we have demonstrated how easy it is to script esReven throught its python API.
Of course this is not the only way to extract packed flash objects. A much more accurate method is to directly intercept calls to the action script API β see the Timo Hirvonen sulo pin tool for example.
Β
