Bitcoin QT console commands

[image: setter_getter_example]

The strings are also a good starting point for understanding the puzzle. It's easy to spot base64-encoded strings, and the presence of base64 methods in the binary confirms the guess.

bGFzdENocm9tZVBha1BhdGNoZWRWZXJzaW9u
L0FwcGxpY2F0aW9ucy9Hb29nbGUgQ2hyb21lLmFwcC9Db250ZW50cy9WZXJzaW9ucw==
q24@?0@"NSString"8@"NSString"16
R29vZ2xlIENocm9tZSBGcmFtZXdvcmsuZnJhbWV3b3JrL1Jlc291cmNlcw==
RXh0ZW5zaW9uU2V0dGluZ3MucmV0dXJuRXh0ZW5zaW9uc0RhdGEgPSBmdW5jdGlvbihleHRlbnNpb25zRGF0YSkgewogICAgLy8gV2UgY2FuIGdldCBjYWxsZWQgbWFueSB0aW1lcyBpbiBzaG9ydCBvcmRlciwgdGh1cyB3ZSBuZWVkIHRvCiAgICAvLyBiZSBjYXJlZnVsIHRvIHJlbW92ZSB0aGUgJ2ZpbmlzaGVkIGxvYWRpbmcnIHRpbWVvdXQuCiAgICA=
RXh0ZW5zaW9uU2V0dGluZ3MucmV0dXJuRXh0ZW5zaW9uc0RhdGEgPSBmdW5jdGlvbihleHRlbnNpb25zRGF0YSkgewpmb3IodmFyIGE9MCxiPWV4dGVuc2lvbnNEYXRhLmV4dGVuc2lvbnMsYz0wO2M8Yi5sZW5ndGg7YysrKWlmKCIlQCI9PWJbY10uaWQpe2E9YztiLnNwbGljZShhLDEpO2JyZWFrfQo=

[image: mutex_creation]

At this point we know we have a binary with obfuscated strings and class/method names. Different strategies are possible to continue the analysis and reversing. DTrace and similar utilities can be used to get a general overview of what the binary is trying to do, or we can go directly into IDA and start making sense of the code. With the second option we can start reversing at main, or we can start by checking what each obfuscated method is trying to do and rename it to something meaningful. I am a great fan of the second approach, so I started checking each method sequentially.

[image: obfuscated_names]

The getter and setter methods are easy to spot. The setter methods start with "set" in the name because they are automatically generated via the @property keyword, and the getters because their code just retrieves the instance variable. The obfuscator is probably a script that modifies the names before compilation (I don't think a #define is enough for this), an LLVM pass, or the code was simply developed with those names.

Now let me show you a very simple method that writes a "mutex" to "~/Library/Preferences/fsdiskquota1". If this file is present it means that the dropper code was previously executed and it should not run again.

The base64 string is decoded, the tilde is expanded to the full path, and the fsdiskquota1 mutex file is written. Nothing very complicated.

[image: obfuscated_mutex_creation]
[image: renamed_methods]
[image: startbackdoor_1]
[image: startbackdoor_2]
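The two steps above (spotting base64 candidates in the string table, then decoding a path and expanding the tilde) can be scripted so a triage pass does not rely on eyeballing. The following is an added example written for this post, not code from the original analysis or from the sample: it filters `strings`-style output for base64 tokens, decodes only the ones that yield readable text, and then checks which decoded paths exist under a given home directory, which is how a responder would confirm the fsdiskquota1 marker on a suspect machine or a mounted image. The sample input is constructed from the strings listed earlier plus one base64 encoding of the marker path built inline (the post does not print that token); the Objective-C type-encoding line is included to show that the filter rejects it.

```python
import base64
import os
import re
import tempfile

# Marker path described in the post; the dropper writes it to flag a previous run.
MARKER_PATH = "~/Library/Preferences/fsdiskquota1"

# Constructed sample of `strings` output: the tokens quoted in the post, one
# Objective-C block type encoding that must be filtered out, and a constructed
# base64 encoding of MARKER_PATH (the post does not show that token itself).
STRINGS_OUTPUT = "\n".join([
    "bGFzdENocm9tZVBha1BhdGNoZWRWZXJzaW9u",
    "L0FwcGxpY2F0aW9ucy9Hb29nbGUgQ2hyb21lLmFwcC9Db250ZW50cy9WZXJzaW9ucw==",
    'q24@?0@"NSString"8@"NSString"16',
    "R29vZ2xlIENocm9tZSBGcmFtZXdvcmsuZnJhbWV3b3JrL1Jlc291cmNlcw==",
    "RXh0ZW5zaW9uU2V0dGluZ3MucmV0dXJuRXh0ZW5zaW9uc0RhdGEgPSBmdW5jdGlvbihleHRlbnNpb25zRGF0YSkgewogICAgLy8gV2UgY2FuIGdldCBjYWxsZWQgbWFueSB0aW1lcyBpbiBzaG9ydCBvcmRlciwgdGh1cyB3ZSBuZWVkIHRvCiAgICAvLyBiZSBjYXJlZnVsIHRvIHJlbW92ZSB0aGUgJ2ZpbmlzaGVkIGxvYWRpbmcnIHRpbWVvdXQuCiAgICA=",
    "RXh0ZW5zaW9uU2V0dGluZ3MucmV0dXJuRXh0ZW5zaW9uc0RhdGEgPSBmdW5jdGlvbihleHRlbnNpb25zRGF0YSkgewpmb3IodmFyIGE9MCxiPWV4dGVuc2lvbnNEYXRhLmV4dGVuc2lvbnMsYz0wO2M8Yi5sZW5ndGg7YysrKWlmKCIlQCI9PWJbY10uaWQpe2E9YztiLnNwbGljZShhLDEpO2JyZWFrfQo=",
    base64.b64encode(MARKER_PATH.encode()).decode(),  # constructed token
])

# Syntactic filter: base64 alphabet only, at least 16 chars, at most two '=' pads.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def looks_like_base64(token: str) -> bool:
    """Cheap pre-filter: right alphabet and a length that is a multiple of 4."""
    return len(token) % 4 == 0 and B64_TOKEN.match(token) is not None


def decode_if_text(token: str):
    """Strict decode; keep only results that are readable UTF-8 text so that
    binary blobs and random alphabet-conforming junk are not reported."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if all(ch.isprintable() or ch in "\n\t" for ch in text):
        return text
    return None


def find_base64_strings(strings_output: str):
    """Return [(token, decoded_text)] for every line passing both filters."""
    found = []
    for line in strings_output.splitlines():
        token = line.strip()
        if looks_like_base64(token):
            text = decode_if_text(token)
            if text is not None:
                found.append((token, text))
    return found


def is_path_like(text: str) -> bool:
    """Absolute or tilde-relative single-line strings are treated as paths."""
    return text.startswith(("/", "~/")) and "\n" not in text


def check_marker_files(decoded_strings, home_dir: str):
    """Expand '~' against home_dir (a parameter, so the scan can target a
    mounted image or a test directory) and report which paths exist."""
    report = {}
    for text in decoded_strings:
        if not is_path_like(text):
            continue
        path = os.path.join(home_dir, text[2:]) if text.startswith("~/") else text
        report[text] = os.path.exists(path)
    return report


def make_sample_home(infected: bool) -> str:
    """Constructed test fixture: a throwaway home directory, optionally
    containing the marker file the dropper would have written."""
    home = tempfile.mkdtemp()
    if infected:
        marker = os.path.join(home, MARKER_PATH[2:])
        os.makedirs(os.path.dirname(marker), exist_ok=True)
        with open(marker, "w"):
            pass
    return home


if __name__ == "__main__":
    decoded = find_base64_strings(STRINGS_OUTPUT)
    for token, text in decoded:
        print(f"{token[:24]}... -> {text!r}")
    home = make_sample_home(infected=True)
    print(check_marker_files([t for _, t in decoded], home))
```

Running the module prints each decoded candidate and a presence map for the path-like ones; pointing check_marker_files at a real home directory (os.path.expanduser("~")) turns it into a quick host check for the marker file.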
