I won't write a manual; I'll describe the approximate course of my investigation and give hints...
So, what happens when we give the server an external IP?
Right: the server starts complaining that the certificate was not found...
Remove the ";" in the [CA info] section and run the server again...
Now the server writes that it does not have a valid certificate...
So what to do? There are two ways:
1. find a valid certificate
2. fix the server code by hand...
I went the second way...
In the [CA info] section, the line "certificate = D07000066...." immediately catches the eye.
Run IDA (our mother), disassemble the code and try to find something like "D07000066"... and were we really that lucky?
Code:
.rdata:00585118 00000FC9 C D07000066...
Very interesting: the beginning of this string is the same as the certificate we have in the configuration file... Maybe this really is the certificate?
Substitute this string into the file, run the server...
A bolt in the motherboard... the server complains about the certificate again... but there is something here... Look at the code and see the next one:
Code:
.rdata:005860F8 000009B9 C D8040000051FEF3BB33F4631059CB690E33393D4059CB690E33393D4059CB690E33393D4FA1E40896B3450EAF655E16931CE10EA9AE6E125CBA28DE1059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4059CB690E33393D4836F5D0AABED0DB1FD23193A3365069B5418DCA103487962D5EC5A8AD7D3FC8E905EDD68F5AFBC8A74DE1BF94E707A7DBB889976C0E33BDBD81CFE39833305BA97D61A541B903E52CF0683244DE220780206CBE880E6FA648E4B6464C40EC06DE70F03823FBF35271DFD12B0051B74367E4848006B72313C19F717D5DE76354AB80CAF23C4C969D50F3516DFD88169D5423B2B88C99CE0611D394A17F21DD2AC08F80D56DF496FFE743CAA53608C9CB9FCC0FE853868116C4F6276D54601
A valid certificate? ... Two bolts in the motherboard... But very interesting: both strings have the same length and overlapping bytes... and the string that immediately catches the eye is
Code:
.rdata:00586AB4 00000017 C Jay Huang is not happy
Very interesting, who is Jay Huang? Apparently the Chinese programmers are not so stupid as to lay a certificate out in the code just like that... Okay, let's see what is in the code:
Code:
loc_4034B8:
lea ecx, [esp+174h+var_160]
push ecx
push eax
call sub_407460
add esp, 8
push offset aJayHuangIsNotH ; "Jay Huang is not happy"
lea ecx, [esp+178h+var_80]
mov esi, eax
call ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(char const *)
lea edx, [esp+24h]
push edx
mov byte ptr [esp+15Ch], 2
push esi
mov esi, [esp+17Ch+var_160]
mov edx, esi
lea ecx, [esp+17Ch+var_80]
call sub_407000
push esi
mov ebx, eax
call ??3@YAXPAX@Z ; operator delete(void *)
add esp, 0Ch
lea eax, [esp+174h+var_160]
push eax
push offset aDc070000662a28 ; "DC070000662A284E8EE6C4CF059CB690E33393D"...
call sub_407460
mov esi, [esp+17Ch+var_160]
lea ecx, [esp+17Ch+var_154]
push ecx
push eax
mov edx, esi
lea ecx, [esp+184h+var_80]
call sub_407000
push esi
call ??3@YAXPAX@Z ; operator delete(void *)
mov esi, [esp+188h+var_154]
mov edx, [esi+758h]
lea eax, [esi+488h]
add esp, 14h
push edx
push eax
lea ecx, [esp+17Ch+var_48]
call ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDI@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(char const *,uint)
mov byte ptr [esp+158h], 3
push ebx
mov ebx, [esp+180h+var_158]
push ebx
lea ecx, [esp+184h+var_168]
lea edx, [esp+134h]
call sub_406500
push esi
call ??3@YAXPAX@Z ; operator delete(void *)
add esp, 0Ch
push ebx
call ??3@YAXPAX@Z ; operator delete(void *)
mov eax, dword_5B9014
mov ecx, [eax+200h]
add esp, 4
push ecx
add eax, 138h
push eax
lea ecx, [esp+118h]
call ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDI@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(char const *,uint)
mov byte ptr [esp+158h], 4
mov ebx, [esp+14h]
push 80h
lea edx, [ebx+75Ch]
push edx
lea ecx, [esp+18Ch+var_15C]
call ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDI@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(char const *,uint)
mov byte ptr [esp+158h], 5
cmp [eax+18h], edi
jb short loc_4035D7
Here the poor Jay Huang is unhappy about something, and there is DC070000662A2... Apparently there is a check of the certificate here, and maybe not only that...
I'm too lazy to dig through the code... can we dig up some strings about the certificate?
Code:
.rdata:0058296C 0000000D C Step0_Client
.rdata:0058297C 0000000D C Step1_Server
.rdata:0058298C 0000000D C Step2_Client
.rdata:0058299C 0000000D C Step3_Server
.rdata:005829AC 00000024 C Failed to load local certificate.\r\n
.rdata:005829D0 0000001A C Not client certificate.\r\n
.rdata:005829EC 00000023 C Not consistent with certificate.\r\n
.rdata:00582A10 0000001B C Certificate out of date.\r\n
.rdata:00582A2C 0000001D C Wrong certificate version.\r\n
.rdata:00582A4C 0000001C C Failed to load blacklist.\r\n
.rdata:00582A68 0000001F C Certificate is black listed.\r\n
.rdata:00582A88 0000001C C Cannot connect to center.\r\n
.rdata:00582AA4 0000001C C Error in setting timeout.\r\n
.rdata:00582AC0 00000013 C Error in step 0.\r\n
.rdata:00582AD4 00000021 C Failed to send data to center.\r\n
.rdata:00582AF8 0000001A C Failed to receive data.\r\n
.rdata:00582B14 00000021 C Unexceptional server response.\r\n
.rdata:00582B38 00000014 C Failed in step 3.\r\n
.rdata:00582B4C 0000001F C Failed to check center info.\r\n
.rdata:00582B6C 0000001B C Server is in black list.\r\n
.rdata:00582B88 00000017 C Failed to send data.\r\n
.rdata:00582BA0 00000017 C Failed receive data.\r\n
.rdata:00582BB8 0000001A C Unexceptional response.\r\n
.rdata:00582BD4 0000001A C Failed to check server.\r\n
.rdata:00582BF0 0000000B C Success!\r\n
.rdata:00582BFC 0000000C C %s@%s@%u@%u
.rdata:00582C08 0000000A C helloalex
.rdata:00583657 00000005 C 691)!
.rdata:00583668 00000005 C ;3+#\x1B
.rdata:00583670 00000008 C <4,$?7/'
.rdata:0058367B 00000005 C \a>6.&
So these are the strings the server complains with... Let's see what this is:
Code:
.rdata:005829AC aFailedToLoadLo db 'Failed to load local certificate.',0Dh,0Ah,0
.rdata:005829AC ; DATA XREF: sub_402610+9Do
.rdata:005829D0 ; char aNotClientCerti[]
.rdata:005829D0 aNotClientCerti db 'Not client certificate.',0Dh,0Ah,0
.rdata:005829D0 ; DATA XREF: sub_402610+BAo
.rdata:005829EA align 4
.rdata:005829EC ; char aNotConsistentW[]
.rdata:005829EC aNotConsistentW db 'Not consistent with certificate.',0Dh,0Ah,0
.rdata:005829EC ; DATA XREF: sub_402610+F4o
.rdata:00582A0F align 10h
.rdata:00582A10 ; char aCertificateOut[]
.rdata:00582A10 aCertificateOut db 'Certificate out of date.',0Dh,0Ah,0
.rdata:00582A10 ; DATA XREF: sub_402610:loc_402AF0o
.rdata:00582A2B align 4
.rdata:00582A2C ; char aWrongCertifica[]
.rdata:00582A2C aWrongCertifica db 'Wrong certificate version.',0Dh,0Ah,0
.rdata:00582A2C ; DATA XREF: sub_402610+15Co
.rdata:00582A49 align 4
.rdata:00582A4C ; char aFailedToLoadBl[]
.rdata:00582A4C aFailedToLoadBl db 'Failed to load blacklist.',0Dh,0Ah,0
.rdata:00582A4C ; DATA XREF: sub_402610+190o
Wow, procedure sub_402610 is everywhere. Oh well, a procedure... it asks why the server does not start...
But stop, what kind of interesting word is helloalex? First Jay Huang is unhappy, then Alex is greeted... some Chinese nonsense, but let's still look at the piece of code where Alex is greeted...
And what do we see?
Code:
.text:00402DE0 ; --------------- S U B R O U T I N E ---------------------------------------
.text:00402DE0
.text:00402DE0
.text:00402DE0 sub_402DE0 proc near ; CODE XREF: sub_402610+70p
.text:00402DE0
.text:00402DE0 var_38 = dword ptr -38h
.text:00402DE0 var_30 = dword ptr -30h
.text:00402DE0 var_2C = dword ptr -2Ch
.text:00402DE0 var_10 = dword ptr -10h
.text:00402DE0 var_C = dword ptr -0Ch
.text:00402DE0 var_8 = dword ptr -8
.text:00402DE0
.text:00402DE0 push 0FFFFFFFFh
.text:00402DE2 push offset loc_5605D9
.text:00402DE7 mov eax, large fs:0
.text:00402DED push eax
.text:00402DEE sub esp, 24h
.text:00402DF1 mov eax, dword_5A3F98
.text:00402DF6 xor eax, esp
.text:00402DF8 mov [esp+30h+var_10], eax
.text:00402DFC push esi
.text:00402DFD mov eax, dword_5A3F98
.text:00402E02 xor eax, esp
.text:00402E04 push eax
.text:00402E05 lea eax, [esp+38h+var_C]
.text:00402E09 mov large fs:0, eax
.text:00402E0F call ds:GetCommandLineA
.text:00402E15 test eax, eax
.text:00402E17 jz short loc_402E71
.text:00402E19 mov ecx, eax
.text:00402E1B lea esi, [ecx+1]
.text:00402E1E mov edi, edi
.text:00402E20
.text:00402E20 loc_402E20: ; CODE XREF: sub_402DE0+47j
.text:00402E20 mov dl, [ecx]
.text:00402E22 add ecx, 1
.text:00402E25 test dl, dl
.text:00402E27 jnz short loc_402E20
.text:00402E29 sub ecx, esi
.text:00402E2B jz short loc_402E71
.text:00402E2D push eax
.text:00402E2E lea ecx, [esp+3Ch+var_2C]
.text:00402E32 call ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(char const *)
.text:00402E38 push 0
.text:00402E3A push offset aHelloalex ; "helloalex"
.text:00402E3F lea ecx, [esp+40h+var_2C]
.text:00402E43 mov dword ptr [esp+3Ch], 0
.text:00402E4B call ds:?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::find(char const *,uint)
.text:00402E51 xor ecx, ecx
.text:00402E53 cmp eax, 0FFFFFFFFh
.text:00402E56 setnz cl
.text:00402E59 mov [esp+40h+var_C], 0FFFFFFFFh
.text:00402E61 mov esi, ecx
.text:00402E63 lea ecx, [esp+0Ch]
.text:00402E67 call ds:??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>(void)
.text:00402E6D mov eax, esi
.text:00402E6F jmp short loc_402E73
.text:00402E71 ; ---------------------------------------------------------------------------
.text:00402E71
.text:00402E71 loc_402E71: ; CODE XREF: sub_402DE0+37j
.text:00402E71 ; sub_402DE0+4Bj
.text:00402E71 xor eax, eax
.text:00402E73
.text:00402E73 loc_402E73: ; CODE XREF: sub_402DE0+8Fj
.text:00402E73 mov ecx, [esp+38h+var_C]
.text:00402E77 mov large fs:0, ecx
.text:00402E7E pop ecx
.text:00402E7F pop esi
.text:00402E80 mov ecx, [esp+30h+var_10]
.text:00402E84 xor ecx, esp
.text:00402E86 call sub_55736C
.text:00402E8B add esp, 30h
.text:00402E8E retn
Oh my God, this is nothing more than..... I won't tell any further; from this point it becomes clear, and whoever puts a little effort into understanding the last piece of code will get the server online... (pump your brain)
With love from Russia
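An added example, written by the editor and not part of the post or the server's code: the post stops at a hint, but a few things in the listings it quotes can be checked mechanically, and they all point the same way. The hex "certificate" at .rdata:005860F8 begins with a 4-byte little-endian header, D8040000 = 0x4D8 = 1240, which is exactly the payload size implied by IDA's length for that string (0x9B9 bytes including the NUL, i.e. 2488 hex digits, 1244 bytes, minus the 4-byte header). After the header the string falls into 8-byte blocks, dozens of them identical, and the aDc070000662a28 string in the code carries the same 8-byte block 059CB690E33393D4 at the same offset (byte 12). Identical ciphertext blocks at identical offsets are the fingerprint of ECB mode. The four garbage "strings" at .rdata:00583657-0058367B are simply the printable runs of a byte table, and that table is the DES PC-1 key permutation (1-based, as in FIPS 46); the leading '6' at 0x583657 is the byte just before it. An 8-byte block size next to a DES key-schedule table suggests DES in ECB mode; that reading is mine, not the post's. Assumptions: the first blob is transcribed from the listing as quoted (the quote is cut short of the 0x9B9 bytes IDA reports, and the long run of 059CB690E33393D4 is entered as the 31 repeats counted there); only the truncated prefix of the second blob is visible, so the two are compared in 4-byte chunks; and the check that its header 0x7DC = 2012, padded to 2016, fits the 0xFC9-byte string at .rdata:00585118 assumes those are the same string, which the post does not confirm.

```python
"""Mechanical checks on the .rdata listings quoted above (added example, not the
post author's code). Everything is computed from the quoted data; the DES/ECB
reading in the lead-in is a hypothesis, not something the post states."""
from collections import Counter

# Hex "certificate" at .rdata:005860F8, transcribed from the quoted listing. IDA
# reports 0x9B9 bytes for it (NUL included); the quote is cut short of that.
RDATA_005860F8 = (
    "D8040000051FEF3BB33F4631" + "059CB690E33393D4" * 3
    + "FA1E40896B3450EAF655E16931CE10EA9AE6E125CBA28DE1"
    + "059CB690E33393D4" * 31  # one block repeated, as counted in the quote
    + "836F5D0AABED0DB1FD23193A3365069B5418DCA103487962D5EC5A8AD7D3FC8E"
    "905EDD68F5AFBC8A74DE1BF94E707A7DBB889976C0E33BDBD81CFE39833305BA"
    "97D61A541B903E52CF0683244DE220780206CBE880E6FA648E4B6464C40EC06D"
    "E70F03823FBF35271DFD12B0051B74367E4848006B72313C19F717D5DE76354A"
    "B80CAF23C4C969D50F3516DFD88169D5423B2B88C99CE0611D394A17F21DD2AC"
    "08F80D56DF496FFE743CAA53608C9CB9FCC0FE853868116C4F6276D54601"
)
# Only this prefix of aDc070000662a28 is visible in the quoted disassembly.
RDATA_ADC070000662A28 = "DC070000662A284E8EE6C4CF059CB690E33393D"

# DES PC-1 key permutation, 1-based bit positions as published in FIPS 46.
DES_PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2,
           59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36, 63, 55, 47, 39,
           31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37,
           29, 21, 13, 5, 28, 20, 12, 4]

# The four odd "strings" IDA listed, with its C escapes turned back into bytes.
RDATA_STRINGS = {0x583657: b"691)!", 0x583668: b";3+#\x1b",
                 0x583670: b"<4,$?7/'", 0x58367B: b"\a>6.&"}


def header_length(hex_str):
    """First 4 bytes as a little-endian uint32: 'D8040000' -> 0x4D8 = 1240."""
    return int.from_bytes(bytes.fromhex(hex_str[:8]), "little")


def ida_payload_bytes(ida_len):
    """Bytes behind the 4-byte header of a hex string whose IDA length (NUL included) is ida_len."""
    return (ida_len - 1) // 2 - 4


def round_up(n, m):
    """n rounded up to a multiple of m (what block-cipher padding does to a length)."""
    return -(-n // m) * m


def blocks(hex_str, block_bytes, skip_bytes=0):
    """Fixed-size blocks of a hex string after a header; a trailing partial block is dropped."""
    body, n = hex_str[skip_bytes * 2:], block_bytes * 2
    return [body[i:i + n] for i in range(0, len(body) - n + 1, n)]


def repeated_blocks(hex_str, block_bytes, skip_bytes=0):
    """Blocks that occur more than once, most frequent first: the ECB fingerprint."""
    counts = Counter(blocks(hex_str, block_bytes, skip_bytes)).most_common()
    return [(b, c) for b, c in counts if c > 1]


def shared_chunks(hex_a, hex_b, chunk_bytes):
    """(byte offset, chunk) pairs where both blobs carry the same chunk at the same offset."""
    pairs = zip(blocks(hex_a, chunk_bytes), blocks(hex_b, chunk_bytes))
    return [(i * chunk_bytes, x) for i, (x, y) in enumerate(pairs) if x == y]


def _matches_at(table, fragments, base):
    """Count fragment bytes that fall inside the table at this base; None if any disagrees."""
    matched = 0
    for addr, frag in fragments.items():
        for k, byte in enumerate(frag):
            idx = addr + k - base
            if 0 <= idx < len(table):
                if table[idx] != byte:
                    return None
                matched += 1
    return matched


def locate_table(table, fragments):
    """Base address at which IDA's mis-typed 'strings' line up with a known byte table.
    Fragment bytes outside the table (the '6' just before PC-1 here) are ignored.
    Returns (base, bytes_matched), or None if no base fits."""
    lo = min(fragments) - len(table)
    hi = max(addr + len(frag) for addr, frag in fragments.items())
    scored = [(n, b) for b in range(lo, hi) if (n := _matches_at(table, fragments, b))]
    if not scored:
        return None
    n, base = max(scored)
    return base, n


if __name__ == "__main__":
    blob = RDATA_005860F8
    print("header says", header_length(blob), "bytes; IDA length gives", ida_payload_bytes(0x9B9))
    print("top repeated 8-byte blocks:", repeated_blocks(blob, 8, skip_bytes=4)[:2])
    print("4-byte chunks shared with aDc070000662a28:", shared_chunks(blob, RDATA_ADC070000662A28, 4))
    print("DES PC-1 found at:", locate_table(DES_PC1, RDATA_STRINGS))
```

The payload size 1240 is a multiple of 8 but not of 16, so the block structure fits a 64-bit cipher and not a 128-bit one; the block-size choice in the script is therefore a consequence of the data, not a guess. locate_table is written generally: feed it any known constant table (S-boxes, PC-2, an AES T-table) and the (address, bytes) pairs IDA shows as junk strings, and it tells you whether and where they line up.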