tansqrx

Yahoo! Protocol: Part 16 - Assembly Analysis


Overview


To truly understand why a booter or any other type of exploit functions, an investigator must have a look at the program's source code. In the case of Yahoo! Messenger, which is a closed-source program, I am forced to dive into the dark and sometimes mystical realm of assembly debugging. By exploring the Yahoo! Messenger assembly code and the machine state at the time of a crash, I can reveal, at the machine level, how a booter works. Perhaps more importantly, it can show whether it is possible to run arbitrary code from a remote attack.


Tools


In order to explore the assembly and machine states of Yahoo! Messenger, I used several assembly debuggers. The program I used most is OllyDbg [http://www.t-online.de/top-themen/]. OllyDbg shows all the machine instructions that make up a program and also allows attachment to a currently running program. Two other tools that I used were Microsoft's WinDbg [https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit] and DataRescue's IDA Pro [http://www.datarescue.com/idabase/]. Each program has its strong points, and I used knowledge gained from each program to complete an overall assessment of the crash. Figure 36 shows OllyDbg open and attached to Yahoo! Messenger just after a crash.


Figure 36 - OllyDbg [image not available]
