UltraSurf analysis by Zhang Lei (in Chinese)
DESCRIPTION
UltraSurf analysis by Zhang Lei (in Chinese). Original title: 硕士论文-UltraSurf软件的逆向分析技术研究 (Master's thesis: Research on Reverse-Engineering Analysis Techniques for the UltraSurf Software).
TRANSCRIPT
UltraSurf 20090101
UltraSurf
Research and Analysis of UltraSurf Software by Reverse Engineering
ABSTRACT
UltraSurf is a well-known client application on the Internet. With the help of its private communication protocols and remote servers acting as proxies, it can be used to penetrate the network controls in place, so as to make remote information accessible. This thesis analyzes UltraSurf (version 8.8) using tools such as OllyDbg, Ethereal and iptables. The main methods are white-box and black-box software reverse engineering. The analysis concentrates on the software's working process, its encryption and decryption methods and algorithms, and its Internet connections; the analysis result covers the working principle of the software, the way the communication between the client machine and the proxy servers is encrypted, and the dynamic methods used to obtain the IP addresses of the proxy servers.
UltraSurf
From the analysis result, a scheme to control the behavior of UltraSurf was set up. We validated it by deploying the system in a lab network environment. The test result indicates that the control system makes the users in the test environment unable to use UltraSurf while they can still browse other websites as usual. We also summarize the characteristics of this kind of software and propose a general analytical method based on the analysis of UltraSurf.
KEY WORDS: Network Monitoring, Disassembly, Secure Proxy
57
UltraSurf
1.1 21 -
FreeGate Garden
IE
UltraSurf
-
-
1.2 90 DNS IP - 2002 / / UltraSurf 1
IP
-
UltraSurf
-
- -
1.3
1.3.1 UltraSurf 1 2 3 4 -
UltraSurf UltraSurf
1.3.2 1 - ,
EXE DLL
2
UltraSurf
,-
2 3
UltraSurf -
4
-
UltraSurf IP -
IP IP 5 1.3.3 1 - - - -
- - - 2 - - 3
UltraSurf
-
-
-
3
-
1.4
UltraSurf8.8 ( UltraSurf) - UltraSurf -
2.1 PE PE (Portable Executable File Format) VAX/VMS COFF Windows EXE DLL PE EXE DLL [3] PE 2-1 PE DOS 1 2 MS-DOS exe dll
PE
n
[3] 2-1 PE Fig. 2-1 PE File Structure DOS MZ HEADER DOS
DOS
MZ HEADER DOS STUB
PE
DOS
PE HEADER PE IMAGE_NT_HEADERS PE PE PE DOS MZ HEADER PE HEADER SECTION
PE HEADER
PE
/ / -
PE
SECTION TABLE
PE HEADER
PE DOS MZ HEADER PE PE
PE HEADER PE HEADER
PE HEADER
PE PE HEADER AddressOfEntryPoint RVA
2.2
2.2.1 EXE DLL
-
- - 2-2
-
- exe
- exe
EXE -
2-2
[3]
Fig. 2-2 Execute Process of Shell
ASPack UPX PECompact
ASProtect tElock
2.2.2
1 PEiD 400 2-1 FileInfo PEiD Gtw PEiD
2-1
[1]
UPX ASPack Petite PECompact Neolite PE-PACK ASProtect
UPX upx d FS ProcDump AspackDie CASPR un-ASPack DeASPack Anti-ASPack ProcDump Unpetite ProcDump PeunCompact tNO-Peunc UnPECompact ProcDump Neolite ProcDump DePEPACK UnPEPack ProcDump AsprStripperXP CASPR Asprotect Deprotector Anti Aspr
2
[2] -
OEP
PE
1 PE AddressOfEntryPoint DWORD -
--
D.boy AsprLoader PE-
JMP TRW2000
Scan IceDump 2
- TRW2000 OEP 3 IAT() API Windows IAT IAT -
-
ImportREC Revirgin
2.3 Reverse Engineering
-
: [5][6][7]-
-
IDA Pro W32dasm OllyDbg IDA w32dasm OllyDbg API
[14][19]
2.3.1
[4][21]
0 1
--
2.3.2 Windows Windows 16 Dos windows API MFC PE
VCL [17]
Windows
Windows
[13][15]
OllyDbg OllyMachine
OS OllyDbg 1.10
UltraSurf
3.1 UltraSurf
3.1.1 UltraSurf
UltraSurf UltraReach Internet Corp. - UltraSurf
3.1.2 UltraSurf UltraSurf 3-1 - 3
4
IE
http://www.ultrareach.net/wujie.htm ( 3-2 UltraSurf )
Fig. 3-1 Start-up of UltraSurf
3-2
UltraSurf
Fig. 3-2 Homepage of UltraSurf
3-3 ,20 IE
3-3 UltraSurf Fig. 3-3 warning of UltraSurf when exit IE http://www.ultrareach.net/wujie.htm IE DNS windows cmd nslookup ( IP ) http://www.ultrareach.net/wujie.htm IP
3.1.3 UltraSurf UltraSurf
-
UltraSurf
http://127.0.0.1:9666/
UltraSurf 9666
Cookie HTTP
3.2 UltraSurf 3.2.1 UltraSurf PEiD UltraSurf 3-3
Fig. 3-3 The Information of UltraSurf
UPX
UPX
3.2.2
Windows
Windows API 9666 UltraSurf 3-4
UltraSurf IE http://127.0.0.1:9666 IE
Internet
3-4
UltraSurf
Fig. 3-4 The Changed LAN Setting
UltraSurf
UltraSurf cookie
3.2.3 Win 32
-
-
UltraSurf UPX - 106K UPX upx -d u88c.exe PEiD VC++ 6.0 3-5
UPX
UPX
Fig. 3-5 The Information of Unpacked UltraSurf
UltraSurf
3.3 UltraSurf
3.3.1 OllyDbg 1 OllyDbg [10] OllyDbg 1.10 ZIP OllyDbg.exe 3-6 1 HEX
OllyDbg.exe RAR
OllyDbg
-> 2 CPU EAX EBX ECX EDX
ESP EBP 3
ESI
EDI EIP
4 5
3-6 OllyDbg Fig. 3-6 The Debugging Window of OllyDbg 2 OllyDbg OllyDbg -> ->
-
F2 F8 F7 F4 F9
F2
F2
(F8) CALL
CALL
CTR+F9 ret () ALT+F9
3.3.2
3-7 Fig. 3-7 Character String Information - OllyDbg
3-7 IP 3.3.3 0x400000
F8
CALL CALL CALL
UltraSurf exit
GetStartupInfo GetModuleHandle - MSDN
exit F2
F7
F9 0x400000[12]
0x400000 DLL
MFC
MFC42.dll USER32.dll JMP CALL
- OllyDbg
USER32,KERNEL32 DLL
3.3.4 MFC 004173F6|. E8 43000000 CALL
MFC MFC Windows MFC Windows API Windows C++ UltraSurf MFC
MFC Windows API
Windows API [9]
MFC
MFC AfxWinMain 0040538E MSDN .E8 MFC42.dll CF190100 CALL
; // MFC - MFC - UltraSurf MFC DoMal() 3-8 MFC 73D3CF6D 73D3CF71 004050D4 EAX [11][20][22]
UltraSurf
EAX 58
Fig. 3-8 Return From MFC
3.3.5
AfxBeginThread UI
AfxBeginThread MSDN AfxBeginThread worker
UltraSurf 9 worker AfxBeginThread 1 UI AfxBeginThread UI worker 9 - A: B: UDP C: D: E: F: 443 G: H: I:
3.3.6 UltraSurf 8 Filemon fopen,fwrite,fread,fseek,ftell
-
ASCII "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\" " ADMINI~1 " C:\Document and Settings\\Locals and Settings\Temp
Filemon
8
-
-
-
OllyDbg 00405C31 00405C36 00405C3B 00405C40 00405C45 CALL fopen CALL CALL GetTempPath EBX CALL ASCII C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ CALL - CALL GetVolumeInformation C:\Windows C:\Windows GetWindowsDirectory GetVolumeInformation MSDN vol GetWindowsDirectory Windows ->->cmd ( 3-9 ) ALL EAX C C05F0611 vol C fopen CALL u.0040CF1A CALL u.0040D166 CALL u.0040CD8E CALL u.0040D04C CALL u.0040D2A6 fopen . E8 E4720000 . E8 2B750000 . E8 4E710000 . E8 07740000 . E8 5C760000 fopen,fread,ftell,fwrite
GetVolumeInformation
Fig. 3-9 Get Disk serial by vol (Windows)
C++ CALL CALL 1 8 2 ADD,DIV,SHR,XOR
3 strcat - 2
CALL 0
CALL CALL
UltraSurf 3 3 -
3
1 2 1 2
1 2
1 2
2 8
2)
RegOpenKey,RegQueryValue,RegCloseKey. \HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings IE 127.0.0.1 UltraSurf IE IE
UltraSurf
IE cookie UltraSurf Windows 3) UltraSurf UltraSurf 3 -
0 04000000 3 IP IP
ASCII IP IP 5-8 40 IP IP IP IP 0000
040000 3 IP 4-
3.5.2 C++ 9 3
DNS IP IP
IP
3.3.7 UltraSurf 1) UltraSurf - IP
Ethereal Outpost Ethereal 3 TCP SSL - IP 3 TCP SSL Outpost IP 3 IP IP 3 3 DNS DNS IP ns2.d79872fb4.net IP DNS IP IP IP IP 3
TCP SSL 3
DNS IP DNS
IP
DNS IP
3 DNS IP
DNS
1 2
1 2
IP IP IP 1 2 IP
- 1 2
1 2 2)DNS
1 2 UltraSurf
UltraSurf DNS IP DNS DNS ql.1y.~{z(,*{1qzk - 3 40 May-21-13:50:05 | 929453: Send IDURL Query ns1.062efa01c.net to node 71.229.238.191. IP IP IP DNS IP UltraSurf DNS Ethereal DNS 3 3 IP DNS DNS DNS UltraSurf DNS -- ns1.flade735d.net DNS ns1.flade735d.net DNS DNS
3 3 IP
Outpost
Outpost
3 IP 3 IP 3 -> DNS
DNS
IP - DNS IP
3 IP
DNS IP IP IP
IP IP DNS IP IP IP IP IP IP Outpost
DNS UltraSurf UltraSurf IP IE IE ->
3)IE
-
IE IE 127.0.0.1:9666
- > LAN UltraSurf setInternetOption 127.0.0.1:9666
IE IE
4) 13 13 13 11 11
rand()
srand()
0 0x20
CreateFile MSDN
DeviceIOControl API
API
API UltraSurf CreateFile, DeviceIOControl 3.5.6 IP UltraSurf
3.4 UltraSurf -UltraSurf -
3.4.1 UltraSurf 3-10 UltraSurf IP
(Figure 3-10 labels: IE, 127.0.0.1:9666, UltraSurf)
3-10 UltraSurf Web Fig. 3-10 Browse web through UltraSurf UltraSurf - 3.4.2 UltraSurf IP 3-10 UltraSurf 4 IP 1) IP 3.5.1 2) DNS
IP IP
DNS IP DNS
DNS
:ns1.flade753d.net
DNS DNS IP IP IP IP 3) gdoc Google doc google doc HTTP 1-8 13 20
https://docs.google.com/View?docid=dd4gbd38_6c8fpk2 DNS http://docs.google.com
IP [8]
4) : IP IP IP 5 IP: 211.74.78.17 66.245.217.9 66.245.217.227 66.245.196.247 118.168.50.105 UltraSurf (1) (3) (1),(2),(3)(4) 3-11
(2)
3-11 UltraSurf
Fig. 3-11 working process of UltraSurf 3-11
DNS 40
DNS IP 351
IP
IE 127.0.0.1:9666
DNS ns1.f1ade735d.net UDP
IP 40 DNS IP
DNS DNS
IP - IP,
DNS
IP IP , IP UltraSurf UltraSurf IP IP
3-11 IP IP IP -
DNS ,gdoc IP DNS IP IP
- IP IP IP 3.4.3 UltraSurf UltraSurf UltraSurf 1 1) UltraSurf 3 3.3.6 2 UltraSurf 2
1 2) 3) 4) 5) 6) 7) 8) 9) 10) IE 1
DNS UltraSurf
127.0.0.1:9666 TCP
2 IP
127.0.0.1:9666 IP
3 3 IP 3 (15) UDP DNS 10
3 IP TCP DNS
IP
11) 12) 13) 14) 15) 16) 17)
IP IP IP IP IP (15) (15) URL,
IP , 443 IP IP 3 1 2
IE
3.5 UltraSurf UltraSurf 1) 2) 3) DNS 4) RC4 5) 6 UltraSurf
3.5.1 UltraSurf UltraSurf 8 4 8 9
2 3 2
1
2 8
9
4
UltraSurf IE C vol [i] C
F( A B) = C C G C i 0 7
D[i], 8 D[i] para 32 vol 32 num
char 6
file_name 1 2 3 4 5 6 7 para vol vol = vol ^ 2 4 8
char 8 9
API C para * 32
vol = vol ^ 0x801 vol = vol + para vol file_name[0] 0x41 0x7E
vol / 2 26 8 9
num vol i vol num 0x61 vol 26
[i - 1]
26
0x61
3.5.2 UltraSurf UltraSurf IP 3 UltraSurf 8 DNS IP
8
8
F([i], [j]) = t, t t 1 2 3 0xFABEBABE - 8
8
4) 3 8 5) 0x3F6CB254 0xAE985D36 6) 0 0x78B4FEAE 0 : - 0x3DCF578A
7) - 7.1) index 0 7.2) index
7.3) - counter
table_[index] ^= (counter / 16) | ((counter / 16) * 16); 7.4) - counter - -
plain_[counter] = table_[index] ^ cipher_[counter]; 7.5 7.6 7.2 8 - index index = (cipher_[counter] % 7) ^ index;
3.5.3 UltraSurf NS D 0x00 32 0 ASCII 3.5.4 UltraSurf 32
32 1F
2008-05-05 18:40:00,send UDP query to 58.9.3.4, - RC4 RC4 256 - UltraSurf 256 00-FF
-
3.5.5 UltraSurf UltraSurf 443 8 6
14
8 6 1 2 2 3
malloc -
- 1 3 1
2
1 2 3 4 5 6 7 8 9 10 11 12 -
1
- 1 1 1 1 2 2 -
- 3 2 3 7 9 1 1 1 1
10
8 6 -
3.5.6 UltraSurf UltraSurf 13
08 01 11 rand
1 2 3 4 CreateFile
mac WD-WMAM9DZ12046" WD
DeviceIOControl
SMART_RCV_DRIVE_DATA -
netbios 10 0A+"
0x1E 10 3 WMAM9DZ12046" ),ECX( 0xF8C9) 5 EDI EAX*ECX+EDI ECX=ECX*0x5C6B7, - EAX 8 EAX 11 EAX UltraSurf UltraSurf 20 " EAX( 0 0xF8C9
ESI 0
EDI
3.6 UltraSurf - (1) - UltraSurf Visual C++ 6.0
(2) - UltraSurf UPX (3) - (4) - - (5) DNS IP - IP (6) IP URL - IP URL DNS (7) - (8) UltraSurf DNS DNS UltraSurf Winsock2 API TCP UDP UltraSurf MFC Windows UltraSurf
4.1 UltraSurf IP 4.1.1 4-1
Fig. 4-1 The Flow Chart of Encrypting-Agent Technology
4.1.2
-
Fig. 4-2 The Flow Chart of Software Analysis
4-2
-
IP
4.2 - IP [16]
1
IP IP 90 IP IP
IP IP 2
IP
2002
ACK-FIN
IDS
[18]
5-15 IP IP
3
IP
IP
IP IP IP
4.3 UltraSurf DNS IP DNS IP - UltraSurf DNS IP
IP
UltraSurf DNS
DNS
UltraSurf
DNS
DNS IP UltraSurf 1 2 3 IP IP DNS IP IP URL
4.4 4.3 4-3
4-3 Fig. 4- 3 Network Topology PC Fedora 6 Linux
Linux
Linux iptables
IP URL IP Linux
IP
UltraSurf IP UltraSurf
IP
IP
UltraSurf IP iptables
IP
IP
4.4.1 1 UltraSurf 2 UltraSurf IP IP
www.yahoo.com spaces.msn.com www.qxbbs.org www.dajiyuan.com cn.profiles.yahoo.com spaces.live.com www.msn.com flikcr.com
4.4.2 UltraSurf
4-1 4-2 4-1 UltraSurf / / 4-2 UltraSurf
4.4.3 IP UltraSurf IP 4512
6000 IP IP
IP
4-3 4-3 IP 1360 442 103 22 12
6
UltraSurf IP UltraSurf 1 2 3 IP -
[1] ,
2003 2004 2006 A taxonomy
[2] , [3] , [4]
- 7(1)
[] 2001
[5] E Chikofsky, J Cross IEEE Software, 1990
Reverse engineering and design recovery
[6] Hassan, A.E., Holt, R.C. The small world of software reverse engineering. Reverse Engineering, 2004. Proceedings. 11th Working Conference on, 8-12, 2004.11.
[7] Rainer Koschke. Software Visualization for Reverse Engineering. Lecture Notes in Computer Science, Volume 2269, 2002.
[8] Andritsos, P., Miller, R.J. Reverse engineering meets data analysis. Program Comprehension, 2001. IWPC 2001. Proceedings. 9th International Workshop on, 1213, 2001.05.
[9] Moise, D.L., Wong, K., Sun, D. Integrating a reverse engineering tool with Microsoft Visual Studio .NET. Software Maintenance and Reengineering, CSMR 2004. Proceedings, 2004.
[10] Kris Kaspersky. Hacker disassembling uncovered, 2004.
[11] Kip R. Irvine
[12] 2003
[14] 2004.6
[15] , ,
[16] 2003.5
Assembly language for intel-based computers
2004 Windows 32
2006 Vol.2 No.2 .
[13] , ,
, ,
2001.
VPN
UltraSurf
[17] ,, 2004.4 [18]
Vol.14 No.4
- 2000.1
[]
[19]
Vol.36 No.8 1999.8 [20] Vol.20 No.4 2000.12 [21] 80X86 1999 [22] 2003.7 40 7