Yahoo! Protocol: Part 16 - Assembly Analysis

[tansqrx 0]

Overview

 

To truly understand why a booter or any other types of exploits function, an investigator must have a look at the program’s source code. In the case of Yahoo! Messenger which is a closed source program, I am forced to dive into the dark and sometimes mystical realm of assembly debugging. By exploring the Yahoo! Messenger assembly code and the machine state at the time of a crash I can reveal why, on the machine level, how a booter works. Perhaps more importantly, is it possible to run arbitrary code from a remote attack.

 

Tools

 

In order to explore the assembly and machine states of Yahoo! Messenger, I used several assembly debuggers. The most used program is OllyDbg [http://www.t-online.de/top-themen/]. OllyDbg shows all the machine instructions that make up a program and also allows attachment to a currently running program. Two other tools that I used were Microsoft’s WinDbg [https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit] and DataRescue’s IDA Pro [http://www.datarescue.com/idabase/]. Each program has its strong points and I used knowledge gained from each program to complete an overall assessment of the crash. Figure 36 shows OllyDbg open and attached to Yahoo! Messenger just after a crash.

 

Figure 36 - OllyDbg

Edited March 5, 2009 by tansqrx (see edit history)