Hi Andrew,

Just some comments about the "decompiled" code. Usually, it's easier to make it more readable as proper standard C code for the reader - using user-defined structures, high-level functions (RtlUshortByteSwap), etc.
I attached an example below for the "stage1" function.

I also name structures "MYSTRUCT1" when I don't know what they do, or "UCHAR u0C[0x10];" when I know the offset (0xC) but don't know what they do either, until I figure it out and rename them later. It's quite a useful methodology when working on a large project; that's what makes the difference between a human and Hex-Rays :-)

// Windows types; RtlUshortByteSwap is declared in ntddk.h
typedef struct _DECRYPTDATA {
    UCHAR DecryptionRoutine[0x1f]; // Contains Stage1 code
    USHORT EncodedCode[0x900];     // Contains the "encoded" code to be executed
} DECRYPTDATA, *PDECRYPTDATA;

VOID
DecodeData(
    PDECRYPTDATA Input // Points to the current address, i.e. the equivalent of &Stage1.
    )
{
    INT i;
    // Bound by the number of USHORT elements; sizeof() alone would give the byte count
    for (i = 0; i < sizeof(Input->EncodedCode) / sizeof(Input->EncodedCode[0]); i++)
    {
        Input->EncodedCode[i] = RtlUshortByteSwap(Input->EncodedCode[i]);
    }
    //
    // What follows the decryption routine is the encoded code (Input->EncodedCode),
    // soon to be decrypted by the above routine.
    //
    _asm _emit 0xEE
    _asm _emit 0xD9
    _asm _emit 0x74
    _asm _emit 0xD9
    // [...]
}

Matthieu Suiche
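The following is an added, host-side C example (not Matthieu's code, not from Andrew's blog post) of the methodology described above: the DECRYPTDATA layout is modelled as a packed structure, the recovered offsets are pinned with static assertions so a mistyped field size is caught at compile time, and the stage-1 decode is run over a constructed sample blob. RtlUshortByteSwap is replaced by a portable 16-bit swap, the field sizes (0x1F, 0x900) are the ones quoted in the mail, and all function names and the sample data are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical host-side model of the DECRYPTDATA layout quoted in the mail.
 * The sizes (0x1F bytes of stage-1 code, 0x900 encoded words) are the ones
 * the mail gives; everything else here is constructed for this example. */
#define STAGE1_LEN  0x1f
#define ENCODED_LEN 0x900   /* count of 16-bit words, not bytes */

#pragma pack(push, 1)
typedef struct _DECRYPTDATA {
    uint8_t  DecryptionRoutine[STAGE1_LEN]; /* stage-1 decoder bytes */
    uint16_t EncodedCode[ENCODED_LEN];      /* byte-swapped payload words */
} DECRYPTDATA, *PDECRYPTDATA;
#pragma pack(pop)

/* The offsets the decompiled code reads at must be reproduced by the typedef,
 * otherwise every field reference in the reconstruction is off by a few bytes. */
_Static_assert(offsetof(DECRYPTDATA, EncodedCode) == STAGE1_LEN, "EncodedCode offset");
_Static_assert(sizeof(DECRYPTDATA) == STAGE1_LEN + 2 * ENCODED_LEN, "struct size");

/* Portable stand-in for RtlUshortByteSwap. */
static uint16_t bswap16(uint16_t v)
{
    return (uint16_t)((v << 8) | (v >> 8));
}

/* Decode in place and return the number of words touched. The bound is an
 * element count; sizeof(EncodedCode) on its own is twice that and would
 * run the loop off the end of the structure. */
size_t DecodeData(PDECRYPTDATA Input)
{
    size_t n = sizeof(Input->EncodedCode) / sizeof(Input->EncodedCode[0]);
    for (size_t i = 0; i < n; i++)
        Input->EncodedCode[i] = bswap16(Input->EncodedCode[i]);
    return n;
}

/* Constructed sample blob: word i is stored as the swapped form of i+1, so a
 * correct decode yields 1, 2, 3, ... in host order. */
static void build_sample(DECRYPTDATA *d)
{
    memset(d, 0, sizeof *d);
    for (size_t i = 0; i < ENCODED_LEN; i++)
        d->EncodedCode[i] = bswap16((uint16_t)(i + 1));
}

/* Decode the sample and return word k (0 if k is out of range). */
uint16_t decoded_word(size_t k)
{
    DECRYPTDATA d;
    build_sample(&d);
    DecodeData(&d);
    return k < ENCODED_LEN ? d.EncodedCode[k] : 0;
}

int main(void)
{
    DECRYPTDATA d;
    build_sample(&d);
    size_t n = DecodeData(&d);
    printf("decoded %zu words; first: %04x %04x %04x\n",
           n, d.EncodedCode[0], d.EncodedCode[1], d.EncodedCode[2]);
    return 0;
}
```

The static assertions are the part worth copying into any reconstruction: once the structure's offsets are checked against what the disassembly actually dereferences, renaming `u0C`-style placeholder fields later cannot silently shift the layout.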


On Tue, Apr 8, 2014 at 2:31 PM, Andrew Case <atcuno@gmail.com> wrote:
Hello All,

I have published a new blog post analyzing the encrypted shellcode from
the main CVE-2014-0502 attack:

http://volatility-labs.blogspot.com/2014/04/building-decoder-for-cve-2014-0502.html

It goes through some functionality of the malicious Flash file followed
by analysis of the shellcode used within the encrypted GIF.

This attack's particular use of a malicious Flash file along with an
"encrypted" GIF shows some of the complexity of modern attacks, and
highlights the diverse set of skills needed to analyze the attacks
(Flash reversing, binary shellcode reversing, and understanding
exploitation techniques, such as ROP, ASLR bypass, etc.). This
particular attack was also noticeable because of how many different
companies published public research on it (I have references in the blog).

I hope that you enjoy the blog post and potentially learn something from
it. I am happy that my anonymous friend allowed me to publish the research.

--
Thanks,
Andrew (@attrc)


_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users