//sectors_per_track = 56
[511-512](1fe~1ff): 55 AA
[447-510] 1BE - 1FD : partition table
partition 1(0x0):
.bt0 = 0x80 = Active
/* .bt1 = disk_hdr_idx = 01
.bt2&0x3f = sector_id = 01
((.bt2&0xc0) >> 6) + (.bt3 << 2) = cylinder_idx = 0
.bt4: file system id( NTFS = 0x07 )
.dw8: sector_addr = 0x38// byte_addr = 0x7000
partition 2(0x1):
.bt0 = 0 = not Active/*
disk_hdr_idx = 0
sector_id = 1
cylinder_idx = 1023*/
file system id = 0f = extend partition
.dw8: 42911400 // byte_addr = 42911400 * 512 = 0x51D8D5000 ,
//extend partition can have its own partition table, it's 0x51D8D51be here
//here we only have one logic partition inside, it's D:
D.Active = false
D.byte_addr = 0x7000
//byte_addr is relative, the abs byte_addr is 0x51D8Dc000, at this addr we can find the (logic) partition's boot record
Tuesday, March 27, 2018
Tuesday, March 13, 2018
evaluation of VMAttack IDA plugin
My evaluation for this plugin is: it's too young but promising.
I firstly introduce the plugin, then evaluate it from two aspects: Automated and Manual Analysis.
Introduction
VMAttack is an IDA plugin which generates and analyses trace log of PE. If trace is not validly produced, the plugin is useless.
Trace generation is automatic and upon completion it will produce a success notification in IDAs output window.
Traversed paths will be colored in a shade of blue, where a darker shade represents a higher number of traversals. We can get a global distribution of traced code with a glance.
Initially it shows system and customer calls and args, this is useful when the PE has explicit function boundaries and give gross view. VMAttack can STEP over system funcs while extract args, which save sapce for trace.
As the best way to understand this plugin is to practice it, so I also collected ALL the tools and writed installer( install.bat ) for praticing.
The demo samps include the obfuscated binary and source binary of an add function:
addvm_3AE2BABAA4920BEF3E466F34B0075FFB.exe addvm_B4E34E39CFDD13E65D070E9FB9717620.vmp.exe
They are available at https://github.com/anatolikalysch/VMAttack/tree/master/Example/addvmp . In the team discuss, I send an email titled as 'decode vmprotect is possible?', that email tell constuction of that vmp sample detailed, debug it with my mimic program, then practice VMAttack after perform install.bat. by this way it's easy to understand this plugin, in this way, we can better evaluate it.
Automated Analysis
Automated Analysis extract useful informations from the trace log automatically or semi-automatically. It includes Input / Output Analysis, Clustering Analysis, Grading Snalysis, Dynamic Trace Optimization, Static deobfuscate.
Input / Output Analysis
The input/output analysis could provide leads as to how the input arguments of the VM function are used and whether there is a connection between function input and function output.
evaluation: for realworld samples, connection between function input and output can be exposed, but not obviously, not very clear.
Clustering Analysis
If a group of insts executed more than one time, they may be taken as cluster. For example, if Cluster Heuristic Threshold set as 3, then if an address is encountered more than twice, it's taken as start of a cluster.
evaluation:Clustering is a good feature, it can folder and reduce trace by a lot, especially Greedy Clustering option is set. VMAttack can quickly remove unnecessary clusters. It can also rollback wrongly removed clusters. If basic block detection was not deactivated in the settings, the clusters themselves are additionally subdivided into basic blocks.The basic block description is a good summary, further more, instructions whose computations are simply overridden are not displayed, which is good feature of in-block deobfuscation.
Grading Analysis
Each inst, block of insts, cluster of insts has different importance. The grade of an inst is affected by Memory usage Importance, Clustering Importance, Input/Output Importance, and so on.
At the end of the grading analysis the now graded trace will be presented in the grading viewer. The trace can now be filtered either by double clicking a grade or via context menu where the user will be prompted to input the grade threshold to display.
evaluation:Clustering Analysis is useful. For example, if you decide Input/Output Analysis is very very important, then inst having largest grade should be the inst do the add op on two adders.
Dynamic Trace Optimization
Dynamic Trace Optimizations which make the trace easier to read.
evaluation:Foldering constants, Folding not used operand are good feature of deobfuscations.
Static deobfuscate
The static deobfuscate function tries to statically determine the instructions that will be executed by the byte code in the provided virtual machine function. The semi-automatic version of this analysis tries to determine all necessary values(later will introduce the values) automatically.
evaluation:refer to the Manual Analysis version of Static deobfuscate for the evaluation.
Manual Analysis
most Manual Analysis features are depending on following VM Context model:
- Code Start - the byte code start, vm_insts, exactly vm_insts_start
- Code End - the byte code end, vm_insts_end
- VM Addr - the start address of the virtual machine function(Protect Func, for short, pf);
- Base Addr - the base address of the jump table(the dispatch table, or , insts_engine), for vmp:
.vmp0:00404339 8A 06 mov al, [esi] .vmp0:0040433B 0F B6 C0 movzx eax, al ; op code .vmp0:0040433E 83 C6 01 add esi, 1 .vmp0:00404341 FF 24 85 9C 43 40 00 jmp dword ptr ds:inst_engines[eax*4]
There are three ways to decide VM Context:
- by the Settings menu entry
- by Manual_Analysis->VM_Context's 'find statically' or 'find dynamically' entry.
Following are so called Manual Analysis features:
- Find VM Function(Protect Func, pf) Input Parameter, the plugin will print "BABE5 , OFFSET WORD_40489A , AFFE1 “, BABE5 and AFFE1 are passed from Protected Func(pdf), WORD_40489A are vm_insts.
evaluation: useful - Find VM Function Output Parameter, for the demo sample addvmp:
.text:0040102E ; .text:00401000 .text:0040102E ; .text:00401000 55 push ebp .text:0040102E ; .text:00401001 89 E5 mov ebp, esp .text:0040102E ; .text:00401003 8B 55 08 mov edx, [ebp+arg_0] .text:0040102E ; .text:00401006 8B 45 0C mov eax, [ebp+arg_4] .text:0040102E ; .text:00401009 01 D0 add eax, edx .text:0040102E ; .text:0040100B 5D pop ebp .text:0040102E ; .text:0040100C C3 retn edi:0 eax:16ABC6 //affected ebp:28FF88 esp:28FF60 edx:AFFE1 //affected ebx:7EFDE000 esi:0 ecx:76728E8A
evaluation: very useful - Find Virtual Reg to Reg mapping, for the demo sample addvmp:
.vmp0:0040432C 89 E5 mov ebp, esp ; vms_top .vmp0:0040432E 81 EC C0 00 00 00 sub esp, 0C0h ; vmd , vm data, virtual registers edi:28FF3C eax:28FF58 ebp:28FF4C edx:28FF50 ebx:28FF44 esi:28FF48 ecx:28FF54
evaluation: not checked, I will not trust this feature - Follow Virtual Register: This provides a manual interface to the register tracking functionality.
evaluation: not useful, will not use this feature - The address count reads in a trace and returns in IDAs output window the ratio: (Address (disasm): frequency of occurrence)
evaluation: not useful; except when used as counter of condition breakpoint
Except for previous features, the plugin provide an "Deobfuscate from..." menu, it seems it try to deobfuscate vm byte code, but I believe this feature is not realized.
decode_vmprotect_blog
It may sound weird that I say decoding vmprotect instead of emulating it. Considering a packer as simple as UPX, we take it as archiver and decompress it; well, SOMETIMES, for vmprotect samples, decoding is also an option.
Last week I was asked to give an evaluation of IDA plugin VMAttack( https://github.com/anatolikalysch/VMAttack ), under this project there is a vmprotect sample addvm.vmp (md5 = B4E34E39CFDD13E65D070E9FB9717620 ); by analysing it, I found decoding vmprotect sample is possible when:
- The protector is weakly obfuscating the sample.
- can find ProtectedFunc(s).
- can find ProtectFunc(s)
With condition 1, WE can easily find ProtectedFunc(s) and ProtectFunc(s). After found ProtectFunc, vm inst stubs can also be found, group of vm insts then can be decoded and restored one by one to its ProtectedFunc( note: ProtectedFunc is inplaced protected ).
fundamentals of vmprotect
There are researchers in the internet researching vmprotect, by following them, one may become a vmprotecter, or we have option to analyse it ourself.
If you have analysed vmprotect, or you wanna follow internet researchers, simply skip this section.
Given a program, vmprotect can protect many funcs|slices of the code. For here, I am assuming there is only one ProtectedFunc, for short, pdf:
.text:0040102E ; .text:00401000
.text:0040102E ; .text:00401000 55 push ebp
.text:0040102E ; .text:00401001 89 E5 mov ebp, esp
.text:0040102E ; .text:00401003 8B 55 08 mov edx, [ebp+arg_0]
.text:0040102E ; .text:00401006 8B 45 0C mov eax, [ebp+arg_4]
.text:0040102E ; .text:00401009 01 D0 add eax, edx
.text:0040102E ; .text:0040100B 5D pop ebp
.text:0040102E ; .text:0040100C C3 retn
.text:0040102E ; .text:0040100C sub_401000 endp
protection is performed in an inplace-hack way. inplace-hack begins with an inline hook which hook to protect func caller(pfc). the values of changed remain bytes(here, 8 bytes) are explained by ProtectFunc (for short, pf):
.text:00401000 E9 F2 38 00 00 jmp pfc
.text:00401005 00 00 00 00 pdf_remains dd 0
.text:00401009 4F 0D 1D db 4Fh, 0Dh, 1Dh
.text:0040100C 2E db 2Eh
pfc simply push vm insts and call pf:
004048F7 pfc:
.vmp0:004048F7 68 9A 48 40 00 push offset vm_insts
.vmp0:004048FC E8 13 FA FF FF call ProtectFunc
.vmp0:004048FC ; ---------------------------------------------------------------------------
.vmp0:00404901
pf firstly accept CPU registers(if you research into the pf, you found it's not saving them, but accepting them, by push then pop to data slots), then set stack, data, then run vm insts one by one:
.vmp0:00404314 ProtectFunc proc near
.vmp0:00404314 arg0_insts_at_40489A= dword ptr 4
.vmp0:00404314 50 push eax
.vmp0:00404315 51 push ecx
.vmp0:00404316 52 push edx
.vmp0:00404317 55 push ebp
.vmp0:00404318 56 push esi
.vmp0:00404319 53 push ebx
.vmp0:0040431A 9C pushf
.vmp0:0040431B 57 push edi ;
.vmp0:0040431C 57 push edi
.vmp0:0040431D FF 35 05 10 40 00 push pdf_remains
.vmp0:00404323 68 00 00 00 00 push 0 ; next inst(here is the first) offset, some said the 0 here will be imagebase fixup, it's reasonable but I am not sure.
.vmp0:00404328 8B 74 24 30 mov esi, [esp+2Ch+arg0_insts_at_40489A] ; insts
.vmp0:0040432C 89 E5 mov ebp, esp ; vms_top
.vmp0:0040432E 81 EC C0 00 00 00 sub esp, 0C0h ; vmd num of bytes
.vmp0:00404334 89 E7 mov edi, esp ; vmd
.vmp0:00404336
.vmp0:00404336 loc404336_inst_to_next:
.vmp0:00404336 03 75 00 add esi, [ebp+0]
.vmp0:00404339
.vmp0:00404339 loc404339_query_inst_engine:
.vmp0:00404339 8A 06 mov al, [esi]
.vmp0:0040433B 0F B6 C0 movzx eax, al ; op code
.vmp0:0040433E 83 C6 01 add esi, 1
.vmp0:00404341 FF 24 85 9C 43 40 00 jmp dword ptr ds:inst_engines[eax*4]
...
protected inst 0(push ebp):
vm inst 0
vm inst 1
...
vm inst i
protected inst 1(mov ebp, esp):
vm inst i+1
vm inst i+2
...
details of vmprotect
I have created minic source code to tell the details of vmprotect, the minic is not full support of all vm insts, but made small and suitable for this sample. the mimic contains following modules:
- vm stack
- vm data
- vm insts
- vm context
- vmp
Also, a windbg trace log will be attached, debugging the source code and refering the windbg log, one may understand vmprotect better.
AT LAST , VERY IMPORTANT, IF VM INSTS INSIDE FOLLOWING MIMIC SRCS CAN BE IDENTIFIED, WE CAN THEN FULLY DECODE THIS PDF(PROTECTED FUNC):
pdf_401000_push_ebp();
pdf_401001_mov_ebp_esp();
pdf_401003_mov_edx_adder0();
pdf_401006_mov_eax_adder1();
pdf_401009_add_eax_edx();
pdf_40100B_pop_ebp();
pdf_40100C_ret();
Thanks.
Sunday, March 4, 2018
tuition_education__and__textbook_amounts
tuition here is regarding job training.
The education amount was a tax credit based on the number of months you spent studying full-time or part-time in a qualifying educational program during the tax year.
If you were eligible for the education amount, you were also eligible for the textbook credit.
residency_status
When preparing your tax return, you may need to refer to other guides, or complete some schedules and other forms that have more detailed information. To get any other documents that you need, go to Previous-year forms and publications listed by number and by title: https://www.canada.ca/en/revenue-agency/services/forms-publications/previous-year-forms-publications/forms-publications-listed-reference-number.html
this document are extracting info mainly from tax package for BC :
https://www.canada.ca/en/revenue-agency/services/forms-publications/previous-year-forms-publications/archived-previous-year-tax-packages/archived-general-income-tax-benefit-package-2013/archived-british-columbia-general-income-tax-benefit-packages-2013.html :
- General Income Tax and Benefit Guide - 2013
- Schedule 1 - Federal Tax
- Schedule 2 - Federal Amounts Transferred From Your Spouse or Common-law Partner
- Schedule 3 - Capital Gains (or Losses) in 2013(For us, we do not invest, or buy sell stocks this year)
- Schedule 5 - Amounts for Spouse or Common-Law Partner and Dependants
- Schedule 6 - Working Income Tax Benefit - British Columbia
-
- Provincial Worksheet
- Form BC428 - British Columbia Tax
- Form BC479 - British Columbia Credits
- Schedule BC(S2) - Provincial Amounts Transferred From Your Spouse or Common-Law Partner
view_stock_option_history
from www.schwab-global.com , found a link tagged as "log in", input user id then entered the logged-in state.
from the left top drop-list, select Equity Awards Center.
At Equity Awards Center, select My Equity Awards's History_and_Statements tab.
Subscribe to:
Posts (Atom)