Dissecting the GoDaddy email notifier – Part 4
August 3, 2007
Ok, this is hopefully the last part of my Dissecting series for the email notifier. I last left you with the fact that I had reverse engineered the encryption and decryption algorithm. I simply poked around the calls to the registry key write functions and found the encryption and decryption routines. I will list them here:
004046D7 /$ 55 PUSH EBP ; Main Encrypter
004046D8 |. 8BEC MOV EBP,ESP
004046DA |. 51 PUSH ECX
004046DB |. 51 PUSH ECX
004046DC |. 837E 14 00 CMP DWORD PTR DS:[ESI+14],0
004046E0 |. 8BC6 MOV EAX,ESI
004046E2 |. 0F84 CC000000 JE 004047B4
004046E8 |. 53 PUSH EBX
004046E9 |. 8B5E 14 MOV EBX,DWORD PTR DS:[ESI+14]
004046EC |. 895D FC MOV DWORD PTR SS:[EBP-4],EBX
004046EF |. 57 PUSH EDI
004046F0 |. 4B DEC EBX
004046F1 |. 8BFB MOV EDI,EBX
004046F3 |. E8 A0010000 CALL 00404898
004046F8 |. 0FB608 MOVZX ECX,BYTE PTR DS:[EAX]
004046FB |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004046FE |. 6A 05 PUSH 5
00404700 |. 33D2 XOR EDX,EDX
00404702 |. 5F POP EDI
00404703 |. F7F7 DIV EDI
00404705 |. 8BFB MOV EDI,EBX
00404707 |. C1E2 08 SHL EDX,8
0040470A |. 66:0FB68411 4>MOVZX AX,BYTE PTR DS:[EAX+ECX+427F48]
00404713 |. 0FB7C0 MOVZX EAX,AX
00404716 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00404719 |. 8BC6 MOV EAX,ESI
0040471B |. E8 78010000 CALL 00404898
00404720 |. 66:8B00 MOV AX,WORD PTR DS:[EAX]
00404723 |. 66:25 00FF AND AX,0FF00
00404727 |. 66:0B45 FC OR AX,WORD PTR SS:[EBP-4]
0040472B |. 0FB7C0 MOVZX EAX,AX
0040472E |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00404731 |. 8BC6 MOV EAX,ESI
00404733 |. E8 60010000 CALL 00404898
00404738 |. 66:8B4D FC MOV CX,WORD PTR SS:[EBP-4]
0040473C |. 66:8908 MOV WORD PTR DS:[EAX],CX
0040473F |. 8BC6 MOV EAX,ESI
00404741 |. E8 52010000 CALL 00404898
00404746 |. 0FB700 MOVZX EAX,WORD PTR DS:[EAX]
00404749 |. 6A 05 PUSH 5
0040474B |. 99 CDQ
0040474C |. 59 POP ECX
0040474D |. F7F9 IDIV ECX
0040474F |. 33FF XOR EDI,EDI
00404751 |. 85DB TEST EBX,EBX
00404753 |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
00404756 |. 76 58 JBE SHORT 004047B0
00404758 |> 8BC6 /MOV EAX,ESI
0040475A |. E8 39010000 |CALL 00404898
0040475F |. 0FB600 |MOVZX EAX,BYTE PTR DS:[EAX]
00404762 |. 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4]
00404765 |. C1E1 08 |SHL ECX,8
00404768 |. 66:0FB68408 4>|MOVZX AX,BYTE PTR DS:[EAX+ECX+427F48]
00404771 |. 0FB7C0 |MOVZX EAX,AX
00404774 |. 8945 F8 |MOV DWORD PTR SS:[EBP-8],EAX
00404777 |. 8BC6 |MOV EAX,ESI
00404779 |. E8 1A010000 |CALL 00404898
0040477E |. 66:8B00 |MOV AX,WORD PTR DS:[EAX]
00404781 |. 66:25 00FF |AND AX,0FF00
00404785 |. 66:0B45 F8 |OR AX,WORD PTR SS:[EBP-8]
00404789 |. 0FB7C0 |MOVZX EAX,AX
0040478C |. 8945 F8 |MOV DWORD PTR SS:[EBP-8],EAX
0040478F |. 8BC6 |MOV EAX,ESI
00404791 |. E8 02010000 |CALL 00404898
00404796 |. 66:8B4D F8 |MOV CX,WORD PTR SS:[EBP-8]
0040479A |. 66:8908 |MOV WORD PTR DS:[EAX],CX
0040479D |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
004047A0 |. 47 |INC EDI
004047A1 |. 6A 05 |PUSH 5
004047A3 |. 40 |INC EAX
004047A4 |. 33D2 |XOR EDX,EDX
004047A6 |. 59 |POP ECX
004047A7 |. F7F1 |DIV ECX
004047A9 |. 3BFB |CMP EDI,EBX
004047AB |. 8955 FC |MOV DWORD PTR SS:[EBP-4],EDX
004047AE |.^ 72 A8 \JB SHORT 00404758
004047B0 |> 5F POP EDI
004047B1 |. 8BC6 MOV EAX,ESI
004047B3 |. 5B POP EBX
004047B4 |> C9 LEAVE
004047B5 \. C3 RET
The code above is for the Encrypter and the code below is the Decrypter:
004047B6 /$ 55 PUSH EBP ; Main Decrypter
004047B7 |. 8BEC MOV EBP,ESP
004047B9 |. 51 PUSH ECX
004047BA |. 51 PUSH ECX
004047BB |. 53 PUSH EBX
004047BC |. 8B5E 14 MOV EBX,DWORD PTR DS:[ESI+14]
004047BF |. 85DB TEST EBX,EBX
004047C1 |. 8BC6 MOV EAX,ESI
004047C3 |. 0F84 CC000000 JE 00404895
004047C9 |. 57 PUSH EDI
004047CA |. 4B DEC EBX
004047CB |. 8BFB MOV EDI,EBX
004047CD |. E8 C6000000 CALL 00404898
004047D2 |. 0FB700 MOVZX EAX,WORD PTR DS:[EAX]
004047D5 |. 6A 05 PUSH 5
004047D7 |. 99 CDQ
004047D8 |. 59 POP ECX
004047D9 |. F7F9 IDIV ECX
004047DB |. 33FF XOR EDI,EDI
004047DD |. 85DB TEST EBX,EBX
004047DF |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
004047E2 |. 76 58 JBE SHORT 0040483C
004047E4 |> 8BC6 /MOV EAX,ESI
004047E6 |. E8 AD000000 |CALL 00404898
004047EB |. 0FB600 |MOVZX EAX,BYTE PTR DS:[EAX]
004047EE |. 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4]
004047F1 |. C1E1 08 |SHL ECX,8
004047F4 |. 66:0FB68408 4>|MOVZX AX,BYTE PTR DS:[EAX+ECX+428448]
004047FD |. 0FB7C0 |MOVZX EAX,AX
00404800 |. 8945 F8 |MOV DWORD PTR SS:[EBP-8],EAX
00404803 |. 8BC6 |MOV EAX,ESI
00404805 |. E8 8E000000 |CALL 00404898
0040480A |. 66:8B00 |MOV AX,WORD PTR DS:[EAX]
0040480D |. 66:25 00FF |AND AX,0FF00
00404811 |. 66:0B45 F8 |OR AX,WORD PTR SS:[EBP-8]
00404815 |. 0FB7C0 |MOVZX EAX,AX
00404818 |. 8945 F8 |MOV DWORD PTR SS:[EBP-8],EAX
0040481B |. 8BC6 |MOV EAX,ESI
0040481D |. E8 76000000 |CALL 00404898
00404822 |. 66:8B4D F8 |MOV CX,WORD PTR SS:[EBP-8]
00404826 |. 66:8908 |MOV WORD PTR DS:[EAX],CX
00404829 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
0040482C |. 47 |INC EDI
0040482D |. 6A 05 |PUSH 5
0040482F |. 40 |INC EAX
00404830 |. 33D2 |XOR EDX,EDX
00404832 |. 59 |POP ECX
00404833 |. F7F1 |DIV ECX
00404835 |. 3BFB |CMP EDI,EBX
00404837 |. 8955 FC |MOV DWORD PTR SS:[EBP-4],EDX
0040483A |.^ 72 A8 \JB SHORT 004047E4
0040483C |> 8B46 14 MOV EAX,DWORD PTR DS:[ESI+14]
0040483F |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00404842 |. 8BFB MOV EDI,EBX
00404844 |. 8BC6 MOV EAX,ESI
00404846 |. E8 4D000000 CALL 00404898
0040484B |. 0FB608 MOVZX ECX,BYTE PTR DS:[EAX]
0040484E |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00404851 |. 6A 05 PUSH 5
00404853 |. 33D2 XOR EDX,EDX
00404855 |. 5F POP EDI
00404856 |. F7F7 DIV EDI
00404858 |. 8BFB MOV EDI,EBX
0040485A |. C1E2 08 SHL EDX,8
0040485D |. 66:0FB68411 4>MOVZX AX,BYTE PTR DS:[ECX+EDX+428448]
00404866 |. 0FB7C0 MOVZX EAX,AX
00404869 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0040486C |. 8BC6 MOV EAX,ESI
0040486E |. E8 25000000 CALL 00404898
00404873 |. 66:8B00 MOV AX,WORD PTR DS:[EAX]
00404876 |. 66:25 00FF AND AX,0FF00
0040487A |. 66:0B45 F8 OR AX,WORD PTR SS:[EBP-8]
0040487E |. 0FB7C0 MOVZX EAX,AX
00404881 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00404884 |. 8BC6 MOV EAX,ESI
00404886 |. E8 0D000000 CALL 00404898
0040488B |. 66:8B4D F8 MOV CX,WORD PTR SS:[EBP-8]
0040488F |. 66:8908 MOV WORD PTR DS:[EAX],CX
00404892 |. 8BC6 MOV EAX,ESI
00404894 |. 5F POP EDI
00404895 |> 5B POP EBX
00404896 |. C9 LEAVE
00404897 \. C3 RET
I will leave you with the Python source code for the encryption and decryption routines so that you can look at the algorithm and get a feel for what was going on. You will need the static data, which can be found in the .rdata section: it is the substitution table that is looked up during the encryption and decryption phases. I have included it in the tool as a separate file.
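The following is a Python reconstruction of the two listings above, added here as an example; it is not the author's Python source and not the notifier's own code. It assumes that the helper at 00404898 returns a pointer to the byte at index EDI of the string (so the WORD reads pull in the following byte), that the byte just past the end of the string is a NUL terminator (which is why the WORD-mod-5 step reduces to "last byte mod 5"), and, because the page gives only the table addresses 427F48 and 428448 and not their 5x256-byte contents, it substitutes five constructed byte permutations and their inverses for the real tables.

```python
import random

ROWS = 5          # both routines reduce their row index modulo 5 (PUSH 5 / DIV)
ROW_SIZE = 256    # the row index is shifted left by 8 before the byte is added


def make_tables(seed=1):
    """Constructed stand-in for the two 5x256 lookup tables.

    The real tables live in the notifier's .rdata section (at 427F48 for
    encryption and 428448 for decryption); their contents are not on the page,
    so this builds five random byte permutations and their inverses instead.
    Returns (enc_rows, dec_rows), each a list of five 256-byte strings.
    """
    rng = random.Random(seed)
    enc = []
    for _ in range(ROWS):
        row = list(range(ROW_SIZE))
        rng.shuffle(row)
        enc.append(bytes(row))
    dec = []
    for row in enc:
        inv = bytearray(ROW_SIZE)
        for plain, cipher in enumerate(row):
            inv[cipher] = plain
        dec.append(bytes(inv))
    return enc, dec


def encrypt(data: bytes, enc) -> bytes:
    """Mirror of the routine at 004046D7 ("Main Encrypter")."""
    buf = bytearray(data)
    n = len(buf)
    if n == 0:                      # CMP [ESI+14],0 / JE: empty string untouched
        return bytes(buf)
    # Last byte first, through row (length mod 5).
    buf[n - 1] = enc[n % ROWS][buf[n - 1]]
    # The routine then reads a WORD at the last byte and takes it mod 5. With a
    # NUL terminator past the end (assumption) that is just the new last byte.
    k = buf[n - 1] % ROWS
    # Remaining bytes, front to back, row index advancing by one each step.
    for i in range(n - 1):
        buf[i] = enc[k][buf[i]]
        k = (k + 1) % ROWS
    return bytes(buf)


def decrypt(data: bytes, dec) -> bytes:
    """Mirror of the routine at 004047B6 ("Main Decrypter")."""
    buf = bytearray(data)
    n = len(buf)
    if n == 0:
        return bytes(buf)
    # The starting row is read from the still-encrypted last byte.
    k = buf[n - 1] % ROWS
    for i in range(n - 1):
        buf[i] = dec[k][buf[i]]
        k = (k + 1) % ROWS
    # Only now is the last byte itself mapped back, through row (length mod 5).
    buf[n - 1] = dec[n % ROWS][buf[n - 1]]
    return bytes(buf)


def roundtrip_ok(data: bytes, seed=1) -> bool:
    """True if decrypt(encrypt(data)) == data under the constructed tables."""
    enc, dec = make_tables(seed)
    return decrypt(encrypt(data, enc), dec) == data


if __name__ == "__main__":
    enc, dec = make_tables()
    sample = b"constructed-sample-password"   # constructed input, not from the page
    ct = encrypt(sample, enc)
    print(ct.hex())
    print(decrypt(ct, dec) == sample)
```

With the real tables dropped in for make_tables, the same two functions reproduce the notifier's behaviour. What the listing makes plain is that the only "key" is a row index derived from the string length and the last ciphertext byte, and the tables themselves sit in the binary's .rdata, so this is a fixed byte substitution rather than encryption under a secret: a password stored in the registry this way is only as private as the ACL on the registry key.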
I may decide to start developing a Linux variant for checking my GoDaddy mail, but don’t hold your breath. Mail me any questions you may have, if you’re interested.
The tool can be found here.