TippingPoint Digital Vaccine Laboratories

MindshaRE: Public Toolkits

This entry is the first in a new weekly series I will be doing on general reverse engineering tips and tricks.  The focus of this blog will be to relay some simple tricks we apply here at TippingPoint that others might find useful while reverse engineering.  My goal is to be short and concise in these examples.  If you have any ideas or suggestions (possibly to improve on something I posted), please email me or leave a comment, and I'd be happy to share them in future postings.  Without further ado...
    
Oftentimes when reversing a binary we get the idea stuck in our head that everything we are looking at is closed source; a secret.  In most cases this is true, but let's take a look at an example where a bit of lateral thinking provides a huge shortcut.
    
Recently I was looking at the Rhapsody Media Player.  Upon initial inspection I noticed (like most media players these days) that it provided a UPnP service.  This of course is used to stream media and control the music software from various clients.  The whole home media network dream.
    
When I began looking at the UPnP code in the binary I noticed something strange.  It was really uniform, and solid.  This was odd as Real doesn't exactly have a great history for their software.  However, I just put it in the back of my mind and carried on.  After a short while I had a client that could make the proper discovery request to the Rhapsody player and retrieve its offered services.
    
If you are familiar with UPnP you know the requests are simply HTTP and include some valuable header information.  The Rhapsody response header looked like so:
    
    HTTP/1.1 200 OK
    LOCATION: http://127.0.0.1:62916/
    EXT:
    SERVER: WINDOWS, UPnP/1.1, Intel MicroStack/1.0.1868
    USN: uuid:UYKYNYWJDVTCJRJTMHJ::urn:schemas-upnp-org:service:ConnectionManager:1
    CACHE-CONTROL: max-age=1800
    ST: urn:schemas-upnp-org:service:ConnectionManager:1
    
Right off I noticed the SERVER header in particular and the string "Intel MicroStack/1.0.1868".  This of course reminded me of the earlier patterns I noticed in the Rhapsody binary.  So I went to the best source of information on the Internet, Google.  After digging through a few links I came across the "Intel Digital Home Device Code Wizard" SDK/Builder.
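The header block above is all a client needs in order to make the same observation programmatically. The following Python is an added example (not code from the post, from Rhapsody or from Intel) that parses an SSDP search response, splits the SERVER header into its product tokens and reports the third-party UPnP stack and version it names. The response bytes are the post's own header reproduced as a constructed sample; KNOWN_STACKS contains only the name the post identified, and the function names are mine.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample: the SSDP search response quoted in the post, as the raw
# bytes a UDP client would receive after sending an M-SEARCH.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"LOCATION: http://127.0.0.1:62916/\r\n"
    b"EXT:\r\n"
    b"SERVER: WINDOWS, UPnP/1.1, Intel MicroStack/1.0.1868\r\n"
    b"USN: uuid:UYKYNYWJDVTCJRJTMHJ::urn:schemas-upnp-org:service:ConnectionManager:1\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: urn:schemas-upnp-org:service:ConnectionManager:1\r\n"
    b"\r\n"
)

# Stack names worth recognising.  Only the one named in the post is listed;
# extend this with whatever toolkits you have source for.
KNOWN_STACKS = ("Intel MicroStack",)


def parse_ssdp_response(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an SSDP (HTTP-over-UDP) response into its status line and headers.

    Header names are upper-cased so lookups do not depend on the sender's
    casing; a header with no value (EXT:) is kept with an empty string.
    """
    text = raw.decode("iso-8859-1")          # every byte value decodes cleanly
    head = text.split("\r\n\r\n", 1)[0]      # ignore anything after the blank line
    lines = head.replace("\r\n", "\n").split("\n")
    status = lines[0].strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue                         # not a header line; skip it
        headers[name.strip().upper()] = value.strip()
    return status, headers


def server_tokens(server_value: str) -> List[str]:
    """UPnP's SERVER header is 'OS/ver, UPnP/ver, product/ver'; split on commas."""
    return [t.strip() for t in server_value.split(",") if t.strip()]


def identify_stack(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (product, version) of a known third-party stack named in SERVER."""
    server = headers.get("SERVER")
    if not server:
        return None
    for token in server_tokens(server):
        product, _, version = token.rpartition("/")   # 'Intel MicroStack/1.0.1868'
        if product in KNOWN_STACKS:
            return product, version
    return None


if __name__ == "__main__":
    status, hdrs = parse_ssdp_response(SAMPLE_RESPONSE)
    print(status)
    print("SERVER tokens:", server_tokens(hdrs["SERVER"]))
    print("third-party stack:", identify_stack(hdrs))
```

The same parser works on responses collected from a whole network segment, which makes it a cheap inventory check: a SERVER token naming a third-party stack tells you which upstream project's advisories apply to a product, not just the vendor's own.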
    
Downloading and unpacking this zip started to confirm some suspicions.  Looking through the code I generated from the Intel SDK/Builder further confirmed everything.  Real had used the Intel software to build their UPnP stack and service engines.  I can confirm this by comparing the source to the binary.
    
    Source: ILibSSDPClient.c
    314:    for(i=0;i<RetVal->NumIPAddress;++i)
    315:    {
    316:        ILibAsyncUDPSocket_JoinMulticastGroup(RetVal->SSDPListenSocket, RetVal->IPAddress[i], inet_addr(UPNP_GROUP));
    317:    }
    318:    
    319:    buffer = (char*)malloc(105+RetVal->DeviceURNLength);
    320:    bufferlength = sprintf(buffer,"M-SEARCH * HTTP/1.1\r\nMX: 3\r\nST: %s\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n\r\n", RetVal->DeviceURN);
    
    Binary: rhapsody.exe
    005264E5  mov     edx, [ebp+var_1C]
    005264E8  add     edx, [ebp+arg_8]
    005264EB  mov     byte ptr [edx], 0
    005264EE  mov     eax, [ebp+arg_8]
    005264F1  add     eax, 105   <--- Key 1
    005264F4  push    eax
    005264F5  call    ds:__imp_malloc
    005264FB  add     esp, 4
    005264FE  mov     [ebp+buf], eax
    00526501  mov     ecx, [ebp+var_1C]
    00526504  push    ecx
    00526505  push    offset aMSearchHttp1_2 ; "M-SEARCH * HTTP/1.1...    <--- Key 2
    0052650A  mov     edx, [ebp+buf]
    0052650D  push    edx
    0052650E  call    ds:__imp_sprintf

There are many more similarities than just this line, but for brevity I exclude them.  Clearly there is a link between the Intel code generator and the Rhapsody binary.  Further investigation proves this.  With this information in hand I can use the source to augment my investigation of the UPnP code.  One might even go so far as to simply look at the source from Intel, but I wouldn't rely on just that method, as version skew and any added code would be missed.  Having the source obviously makes things a lot easier, especially when adding structures and data types to IDA!
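The comparison above can be made mechanical. String literals are the most durable clue that a binary embeds a known toolkit, because the compiler emits them byte for byte, and the malloc constant that pairs with a sprintf is something you want to sanity-check whenever you match it against the source. The Python below is an added example, not code from the post or from Intel, that pulls the literals out of a C source fragment, reports which of them appear verbatim in a binary image and at what offset, and separately checks that the constant 105 leaves room for the fixed part of the format string (the `add eax, 105` seen in the disassembly). Both the source fragment and the binary bytes are constructed samples modelled on the listings above, and the function names are mine.

```python
import re
from typing import List, Tuple

# Constructed sample source, modelled on the ILibSSDPClient.c lines quoted in
# the post, plus one extra literal that the binary should NOT contain.
SAMPLE_SOURCE = r'''
buffer = (char*)malloc(105+RetVal->DeviceURNLength);
bufferlength = sprintf(buffer,"M-SEARCH * HTTP/1.1\r\nMX: 3\r\nST: %s\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n\r\n", RetVal->DeviceURN);
printf("only-in-source-%d\n", 1);   /* constructed: not present in the binary */
'''

# Constructed stand-in for a slice of rhapsody.exe's data section: padding, the
# M-SEARCH template exactly as a compiler would emit it, then the SERVER token.
SAMPLE_BINARY = (
    b"\x00" * 16
    + b"M-SEARCH * HTTP/1.1\r\nMX: 3\r\nST: %s\r\nHOST: 239.255.255.250:1900"
    + b"\r\nMAN: \"ssdp:discover\"\r\n\r\n\x00"
    + b"\x90" * 8
    + b"Intel MicroStack/1.0.1868\x00"
)

# A C string literal body: anything but an unescaped quote, or an escape pair.
_STRING_LITERAL = re.compile(r'"((?:[^"\\\n]|\\.)*)"')
_SIMPLE_ESCAPES = {"n": b"\n", "r": b"\r", "t": b"\t", "0": b"\x00",
                   "\\": b"\\", '"': b'"', "'": b"'"}


def c_unescape(lit: str) -> bytes:
    """Turn the body of a C string literal into the bytes the compiler emits."""
    out = bytearray()
    i = 0
    while i < len(lit):
        ch = lit[i]
        if ch != "\\":
            out += ch.encode("latin-1")
            i += 1
            continue
        nxt = lit[i + 1]
        hexm = re.match(r"[0-9A-Fa-f]+", lit[i + 2:]) if nxt == "x" else None
        if hexm:                                  # \xHH (greedy, as in C)
            out.append(int(hexm.group(0), 16) & 0xFF)
            i += 2 + len(hexm.group(0))
        elif nxt in _SIMPLE_ESCAPES:
            out += _SIMPLE_ESCAPES[nxt]
            i += 2
        else:                                     # unknown escape: keep the char
            out += nxt.encode("latin-1")
            i += 2
    return bytes(out)


def source_literals(src: str, min_len: int = 8) -> List[bytes]:
    """String literals in the C source, as raw bytes, ignoring short ones."""
    found = [c_unescape(m.group(1)) for m in _STRING_LITERAL.finditer(src)]
    return [lit for lit in found if len(lit) >= min_len]


def shared_literals(src: str, binary: bytes, min_len: int = 8) -> List[Tuple[bytes, int]]:
    """Source literals that appear verbatim in the binary, with their offset."""
    hits = []
    for lit in source_literals(src, min_len):
        off = binary.find(lit)
        if off != -1:
            hits.append((lit, off))
    return hits


def sprintf_fixed_bytes(fmt: bytes) -> int:
    """Bytes sprintf writes for this format apart from %s arguments, NUL included.

    Only %s and %% are understood, which covers the SDK line; each %s is
    expected to be covered by a separate length term in the malloc argument.
    """
    fixed = 0
    for piece in re.split(rb"(%%|%s)", fmt):
        if piece == b"%%":
            fixed += 1                # "%%" emits a single '%'
        elif piece == b"%s":
            continue                  # length supplied by the caller's term
        else:
            fixed += len(piece)
    return fixed + 1                  # terminating NUL


if __name__ == "__main__":
    for lit, off in shared_literals(SAMPLE_SOURCE, SAMPLE_BINARY):
        need = sprintf_fixed_bytes(lit)
        print(f"offset {off:#06x}: {lit[:24]!r}... fixed bytes {need}, "
              f"malloc constant 105 leaves {105 - need} spare")
```

Run against the real inputs (the SDK's source tree and the strings section of the binary) the same check gives a quick, reproducible corroboration of the link the post found by eye, and the buffer arithmetic is the first thing to verify whenever a fixed allocation constant feeds a sprintf.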
    
As previously mentioned, it's easy to get into the mindset that when reversing, everything is a secret and you must start from scratch.  In reality this can be a mistake, as in many cases developers use public tools and libraries to implement features.  Doing this saves them precious time and allows them to quickly add a feature such as UPnP to their product.
    
So there it is.  Our first tip.  Always be thinking about the code you are looking at.  Little clues can pay off big.  I hope this was interesting and helpful; keep checking in every Thursday for more of our little tips and tricks.
Tags: reverse engineering,assembly,MindshaRE
Published On: 2008-06-05 19:12:15

Comments

  1. Anonymous commented on 2008-06-09 @ 00:43

    Please let us know if you are aware of any way to automatically convert the C source structure into an IDA structure?

  2. Cody Pierce commented on 2008-06-09 @ 09:58

    Anonymous:

    That is a good idea, but I do not currently know of an existing script. It does not seem that hard to write though. You can automate structure creation through IDC so all you would need was a parser of struct declarations for the source code.

  3. Dennis Elser commented on 2008-06-13 @ 07:18

    This is achieved using "File-Load file-Parse C header file..." (or CTRL-F9).

    Nice write-up, I like the way you work through a binary ;)

  4. Ero Carrera commented on 2008-06-14 @ 06:29

    I think that can be achieved by:

    File-"Load file"-"Parse C header File..."

    Then, go to the structures window and create a structure with the same name as in the file and IDA will create it as specified in the header file.

  5. Cody Pierce commented on 2008-06-16 @ 09:59

    Dennis/Ero,

    Thanks guys! Awesome tip.

  6. Anonymous commented on 2008-06-18 @ 06:50

    Sorry guys, forgot to reply to this...

    Cody Pierce, Dennis Elser, Ero Carrera,

    Yes, I am aware of this technique, but if I have a nested structure it won't work out, right?
    Especially when I was reversing a Linux kernel module I had to import a lot of structures from the kernel code, but I got bored by the time I had finished importing one big structure.

    Is there any way to use compilers to create a fully expanded structure (for nested structures) from the header files and then use the IDA feature to import it?


Links To This Post

  1. Interesting Information Security Bits for June 17th « Infosec Ramblings
    linked on 2008-06-17 @ 10:32

    From the Blogosphere. DVLabs put a post up yesterday that is the first in a weekly feature that Cody is starting regarding reverse engineering tips and tricks. The first post takes a look at the Rhapsody Media Player. Interesting stuff.

