
4x02 Symbian OS - Polymorphic MDL

Published in phearless · 14 Jan 2024

                                 
...................
...::: phearless zine #4 :::...

.................>---[ Symbian OS - Polymorphic MDL ]---<................

...........................>---[ by argv ]---<...........................
argv.cpp[at]gmail[dot]com

Contents:

[1] Intro
[2] mdlz
[3] mdl loader
[4] mdl encryption

////////////////////////////////////////////////////////////////////////////
--==<[ 1. Intro
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

If you want a given piece of malware to boot when the phone starts, you have
to use .mdl files. mdl files have a simple structure and use nothing but
ordinary userland functions. To disguise our mdls as well as possible, we will
use certain Symbian DLL entry methods. Of course, startup methods also exist in
the kernel by way of .ini files, but we will leave that for the next txt. I must
point out right away that this is not classic win32 polymorphism, but a way to
produce many different variants from 2 MDLs with the help of the CRC and by
changing the UID (mostly by changing the UID; the CRC only comes in for the
encryption of SIS files).

////////////////////////////////////////////////////////////////////////////
--==<[ 2. mdlz
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

There is not much to say here. MDLs have only one (useful) function, and that
is booting applications at phone startup. They live in the C://RECOGS//
directory, but they can also sit elsewhere if you create a pointer that refers
to some virtual folder and emulates the default folder.

////////////////////////////////////////////////////////////////////////////
--==<[ 3. mdl loader
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

To load and modify our MDLs successfully we need a loader, because MDLs
cannot be modified by hand (they run in protected mode). The loader is
relatively simple. It uses the console as storage for all the messages that
regulate the loader's operation. Sounds simple, but it isn't: that console is
tied directly to the CleanupStack, and one wrong move sends everything to hell.
It also contains a virtual FileServer for changing the UID and the CRC. By far
the strongest feature is KernelModeProcess, which is combined with fnMemBlock
to reach protected mode. But it is best to look at the source, which is nicely
commented. After compiling you get mdlloader.exe, which is bootable. All you
then need to do is put polymdl1.mdl and polymdl2.mdl into the RECOGS directory
and restart the phone. From then on the loader works on its own, and at every
phone restart the MDLs will have a different UID generated by the loader
through CommonFramework (Avkon::UidValue).

////////////////////////////////////////////////////////////////////////////
--==<[ 4. mdl encryption
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

You can use the following function to produce the .SIS CRC16 encryption for
your MDL files. For the details and offsets of this function see:

http://homepage.ntlworld.com/thouky/software/psifs/sis.html

// CRC-16 with polynomial 0x1021 (CCITT), MSB first, starting from the
// value passed in crc16. The table is built with a doubling trick:
// entries 2i and 2i+1 are derived from entry i, so only 128 iterations
// are needed instead of 256 * 8 bit shifts.
unsigned short int MDLLoader::CRC16
( unsigned short int crc16, unsigned char *string, unsigned int stringsize )
{
    unsigned int table[256], i;

    table[0] = 0;

    for (i = 0; i < 128; i++)
    {
        unsigned int carry = table[i] & 0x8000;        // top bit about to fall out
        unsigned int temp  = (table[i] << 1) & 0xFFFF; // entry i multiplied by x

        // table[2i] is temp reduced by the polynomial if a carry occurred;
        // table[2i+1] is table[2i] ^ table[1], and table[1] == 0x1021.
        table[i*2 + (carry ? 0 : 1)] = temp ^ 0x1021;
        table[i*2 + (carry ? 1 : 0)] = temp;
    }

    // Table-driven update, one byte at a time; the assignment to the
    // 16-bit crc16 truncates the shifted value back to 16 bits.
    for (i = 0; i < stringsize; i++)
    {
        crc16 = ((crc16 << 8) ^ table[(( crc16 >> 8) ^ string[i]) & 0xFF]);
    }

    return crc16;
}
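As an added example, not taken from the zine or from the mdlloader source, the following standalone C code implements the same CRC-16 (polynomial 0x1021, MSB first) and checks the shortcut table construction against the textbook bit-by-bit table and against published check values, so anyone porting the routine, or recomputing a SIS file's CRC to verify its integrity, can confirm their implementation is correct. The function names and the "123456789" check string are my own choices; the expected values 0x31C3 (init 0) and 0x29B1 (init 0xFFFF) are the standard CRC-16/XMODEM and CRC-16/CCITT-FALSE check values.

```c
#include <stdint.h>
#include <string.h>

#define CRC16_POLY 0x1021u  /* x^16 + x^12 + x^5 + 1, MSB-first, as used in SIS files */

/* Reference table: every entry computed bit by bit from the polynomial. */
static void crc16_table_bitwise(uint16_t table[256])
{
    for (unsigned n = 0; n < 256; n++) {
        uint16_t crc = (uint16_t)(n << 8);
        for (int bit = 0; bit < 8; bit++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ CRC16_POLY)
                                 : (uint16_t)(crc << 1);
        table[n] = crc;
    }
}

/* The zine's shortcut: entries 2i and 2i+1 follow from entry i because the CRC
 * is linear (table[2i] = x * table[i] mod P; table[2i+1] = table[2i] ^ table[1] = table[2i] ^ P). */
static void crc16_table_doubling(uint16_t table[256])
{
    table[0] = 0;
    for (unsigned i = 0; i < 128; i++) {
        unsigned carry = table[i] & 0x8000;
        uint16_t temp = (uint16_t)(table[i] << 1);
        table[i * 2 + (carry ? 0 : 1)] = temp ^ CRC16_POLY;
        table[i * 2 + (carry ? 1 : 0)] = temp;
    }
}

/* Returns 1 if the shortcut reproduces the reference table exactly, else 0. */
int crc16_tables_match(void)
{
    uint16_t a[256], b[256];
    crc16_table_bitwise(a);
    crc16_table_doubling(b);
    return memcmp(a, b, sizeof a) == 0;
}

/* CRC-16 over a buffer starting from `init` (0 for the SIS/XMODEM variant). */
uint16_t crc16_ccitt(uint16_t init, const uint8_t *data, size_t len)
{
    uint16_t table[256], crc = init;
    crc16_table_doubling(table);
    for (size_t i = 0; i < len; i++)
        crc = (uint16_t)((crc << 8) ^ table[((crc >> 8) ^ data[i]) & 0xFF]);
    return crc;
}
```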

--
Greetz

to all the Blackhats ;)

Placebo - thanks for the dll entry methods
Cykke @ Cafe Mobil - thanks for the binaries [there will be snarf, there will be ;)]
