01 November 2009, 23:36 | #1 |
Zone Friend
|
Decoding algorithm(s) for virus encoded disk sectors (ADOS)
Yeah coders, I'm a bit stuck in this...
You know SADDAM virus, which finds it very entertaining to occasionally replace the $00000008 long word by 'IRAK' at the beginning of a block, and then EOR (or like some other virus: EORI-)encode the rest of the block. I wouldn't need to open this thread, if my assembly knowledge was good enough - but unfortunately I feel more at home in high-level languages Mr. Schneegold's fantastic 'VT-knows' file (which, by the way, has meanwhile spawned some wiki-like sites on the net, but you can still see it's HIS work!) tells about the algorithm used, but all this register stuff is Greek to me: The following snippet was taken from an infected Colossus Chess disk ($6FE000 ff.; 0x4952414b = 'IRAK') Code:
49 52 41 4B 00 06 FD 7D 00 06 FE 01 00 06 FF E8 00 06 FC FD 5C 1E 74 E6 AC 35 01 FE 00 06 DE 2D 19 05 FC 00 06 07 C9 4B 03 00 FE D8 00 30 B4 01 05 06 FA 00 3F 54 FF EE 00 FD FE 36 2D 04 14 00 Code:
eor.b d0,(a0)+ subq.l #2,d0 dbra d1,loop Id Est: what do I have to do to decode this block?! Last edited by andreas; 05 December 2009 at 01:30. |
01 November 2009, 23:45 | #2 |
Registered User
Join Date: Oct 2008
Location: EU
Posts: 163
|
Not exactly an answer about the algo, but if you try to find "SIEGFRIED Antivirus Professional" somewhere, it contains an "IRAK-Recover" module...
|
02 November 2009, 00:24 | #3 |
Registered User
Join Date: Nov 2006
Location: Stockholm, Sweden
Posts: 237
|
Literal asm-to-C translation of that code:
Code:
int d0 = ???; int d1 = ???; int offset = ???; char* buffer = ???; do { buffer[offset++] ^= d0; d0 -= 2; } while (--d1 >= 0) |
02 November 2009, 00:25 | #4 | |
Zone Friend
|
Quote:
First of all, this is NOT a boot block but a DATA block, where the T_DATA identification long word has been overwritten by the virus with its 'IRAK' signature. At any rate: I have my doubts that tools which can decode these blocks can wildly test through all starting values there are? Maybe the 'IRAK' word *is* the starting value already?! Well, I'll have to try it out. Thanks so far. Only problem I can see is finding out how to get the value for d1?! Why did you post then? If I wanted a tool to decode these blocks, I'd have picked "Apps req", not this programmer's corner. I need the 'HOW', the technique - that's why I'm here. Last edited by andreas; 02 November 2009 at 00:46. |
|
02 November 2009, 01:07 | #5 | |||
Registered User
Join Date: Nov 2006
Location: Stockholm, Sweden
Posts: 237
|
Quote:
Quote:
Quote:
So the problem then is how to find the starting value for d0. It might either be a constant (0 .. 255), the same for each block on the disk, or the starting value is generated in some fashion. (perhaps from the block number) One way to find this out is to create a blank disk, get it infected, and make it encrypt a bunch of blocks. Then you know that the payload part of each block was originally all zeroes, so you should see a pattern like FE FC FA F8 F4 F6 F2 F0 EE ... etc there, and then it may become evident how the starting value is calculated for each block. |
|||
02 November 2009, 01:32 | #6 | |
Zone Friend
|
Quote:
OK, FWIW, I've done a hardcopy from my disk editor with the virus-encoded block on the upper half, and the decoded clean block on the lower. I hope this rings some bells now... To fit on the algorithm found on the info-file, the values seem to diverge too much IMHO... HOWEVER, it really pops into the eye that the MSB and LSB of every long word is untouched!! So the virus does not encode *every* byte. (at least it seems so) Last edited by andreas; 02 November 2009 at 01:38. |
|
02 November 2009, 03:13 | #7 |
Registered User
Join Date: Oct 2009
Location: UK
Posts: 41
|
All of the encrypted longs in that block are simply XORed with $0078c00 (which is why the first and last bytes are unaffected).
There were many variants of Saddam, are you sure you're looking at a description of the same one that's infected your sample block? This one just seems to be using a straight XOR. The infected disk-validator is relevant, because that's where the decryption key will be stored (when Saddam is memory-resident, it decrypts infected data on request, so the data still looks valid on an infected system). The different Saddam variants each had slightly altered decryption schemes to confuse virus checkers, so there's no way of decrypting just looking at a single block - you have to examine disk-validator. So in other words: the "decoding algorithm" you posted is the algorithm used by one variant of Saddam to decode its own infected data, and the running virus already has the key needed to perform the decryption - it's not an algorithm that you can use to decrypt infected blocks (unless you know which particular encryption scheme has been used, and have retrieved the encryption key from disk-validator). |
02 November 2009, 09:42 | #8 |
Zone Friend
|
Ah, thanks so much mosfet!!
Yes, I think I understand. Yet it seems we can do without the disk validator (at least here, that is)! Your XOR hint led me on the right path. It's SO SIMPLE! After checking 5 infected disks, I'm pretty sure: only FIRST DATA blocks get infected with IRAK! SADDAM looks at the first entry in the file header and infects the block where it points to, so it's even more simple than I thought: - First data blocks must have sequence number 0x00000001. - So seemingly I just need to subtract 1 from the encoded 3rd long word (#2) and I have the long word for decryption right there; thus the only thing left to do is merely XOR'ing the remaining long words with the long word I found!!! (- And if I want to be on the safe shore, I could XOR the encoded file header ptr with the decoding long word and check whether the first data block pointer in the file header block [77th long word; #76] is identical to the current block number! Coolish!) Caveat though: It must be proved whether all the SADDAM variants can be handled the same way. This can only be achieved by trial and error: write decoded disk image, and recheck for errors. Heh, at least I'll be busy for the next days then! Last edited by andreas; 02 November 2009 at 16:03. |
02 November 2009, 17:50 | #9 |
Registered User
Join Date: Oct 2009
Location: UK
Posts: 41
|
Yes, that will work
Even if it infects random blocks and the header is trashed, this gives a brute-force method for finding the key: if you have some infected blocks but don't know the sequence-numbers, you can try each of the few thousand valid sequence-numbers, work out which xor-key matches that sequence-number, decode the block then see if the block checksum is valid. A lot easier than trying all 4 billion possible 32-bit numbers... |
02 November 2009, 18:18 | #10 | |
Registered User
Join Date: Jan 2002
Location: Germany
Posts: 7,009
|
Quote:
|
|
02 November 2009, 22:18 | #11 |
Zone Friend
|
Point taken, thanks.
|
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests) | |
Thread Tools | |
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Overzealous Kickstart ROM - address decoding? | robinsonb5 | Hardware mods | 3 | 30 June 2013 11:09 |
ADFCHK (ADF checker for ADOS disk images) - v0.2.1 released | andreas | News | 8 | 03 December 2009 15:22 |
Need some information with strange disk format (mixed ADOS/NDOS?) | andreas | support.Other | 1 | 25 September 2009 10:55 |
jpeg decoding in full asm | meynaf | Coders. General | 111 | 27 March 2008 18:40 |
Blitter MFM decoding | Photon | Coders. General | 14 | 16 March 2006 11:24 |
|
|