[ISN] Re: France puts a damper on flaw hunting (Part II)

InfoSec News isn at c4i.org
Wed Mar 30 01:35:12 EST 2005


Forwarded from: Kitetoa at Kitetoa.com <kitetoa at kitetoa.com>

[Part I of Kitetoa's translation on this ruling is at:
http://www.attrition.org/pipermail/isn/2005-March/001312.html  - WK]

How many bytes do you have to copy to counterfeit software in France and
stop being a bug hunter...?

The computer expert report, which was heavily relied on by the judges to
convict Guillermito, clearly states that he "disassembled, then
reassembled some parts of Viguard software". The court convicted
Guillermito of counterfeiting and of publishing counterfeit data.

In my previous post, about the possible consequences of this legal
precedent for bug hunting and full disclosure, I ended with a question:

"Finally, after reading this excellent comment by Maitre Eolas,
we can, as computer specialists, wonder about the number of bytes
reproduced in the POCs which turns them into counterfeiting.
Viguard is probably several megabytes of data. For how many
reproduced bytes do we have counterfeiting, if we don't have a valid
licence? And what if we do have a valid licence?"

Let's try to answer this question by simply looking a little more
closely at Guillermito's analysis of the Viguard software.

The computer expert report clearly mentions a "utilisation and
adaptation of the source of Viguard".

Let's see how many lines of source code Guillermito used or adapted.

According to the bug hunter, not a single one. He says he never
decompiled the software and never published any source code. Nor
did he publish any disassembled listing.

So what did he actually publish? A few signatures used in boot virus
detection, the precise boot verification routine but without any code,
and a few keywords that Viguard treats as dangerous when found inside
scripts, all taken from memory.

During the judicial investigation, it seems that all the attention
focused on a Proof of Concept named VGNaked.

This program deals with the database files called certify.bvd, which
Viguard creates in each directory and which store some information
about each program in that directory. If you run it, you get two new
files: certify.dec, which is in the same binary format except that it
is now decrypted, and certify.dmp, which is a dump, a sort of
human-readable version of the content of the original database file.
Guillermito needed to know the content of these database files to find
some vulnerabilities. For example, because Viguard only stored the
first 16 bytes of code of the executable section of a Windows PE file,
any virus that modified more than these 16 bytes could not possibly be
repaired by Viguard. He needed to prove this claim, hence his Proof of
Concept program.

These certify.bvd database files created by Viguard are encrypted with
a fixed XOR key, which is obviously present in memory when Viguard
runs. Guillermito took these keys from memory and used them to decrypt
the databases as described above. This knowledge, in turn, was used
later to find further vulnerabilities (for example, a trojan could
create on the fly a tailored database file for itself and immediately
become certified, and thus not detected by the anti-virus).
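To make the technical point concrete, here is an added example (my own
illustration, not Guillermito's code and not anything taken from
Viguard) of why a fixed XOR key gives no confidentiality at all: XOR is
its own inverse, and wherever a few bytes of plaintext are predictable
(a file name, padding), the key falls straight out of the ciphertext.
The key, the record layout and the key length are all constructed for
the demo; the real values are deliberately absent.

```python
from itertools import cycle

# Constructed 35-byte key. Every byte is made up; it only stands in for
# the length the page reports for the executables key.
DEMO_KEY = bytes(range(0x41, 0x41 + 35))


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Apply a fixed key cyclically. Because XOR is its own inverse, the
    same call both 'encrypts' and 'decrypts' a certify.bvd-style record."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Fixed-key XOR leaks the key wherever the plaintext is known:
    key[i] = ciphertext[i] ^ plaintext[i]. One known stretch at least
    key_len bytes long reconstructs the whole key, which is why storing
    such a key in the binary or in memory protects nothing."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def dump_record(decrypted: bytes) -> str:
    """Hex/ASCII dump of a decrypted record, in the spirit of certify.dmp."""
    lines = []
    for off in range(0, len(decrypted), 16):
        chunk = decrypted[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<47}  {asc}")
    return "\n".join(lines)


# Constructed sample record (hypothetical layout): a file name, then 16
# bytes standing in for the "first 16 bytes of code" the page says
# Viguard kept, then zero padding. The padding alone is enough known
# plaintext to recover most of the key.
SAMPLE_RECORD = b"NOTEPAD.EXE\x00" + bytes(range(16)) + b"\x00" * 20
SAMPLE_ENCRYPTED = xor_with_key(SAMPLE_RECORD, DEMO_KEY)

if __name__ == "__main__":
    print(dump_record(xor_with_key(SAMPLE_ENCRYPTED, DEMO_KEY)))
```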

In the assembler source of his program, "VGNaked.asm", you can see all
the code, including, close to the beginning, in the data area, the
infamous XOR key (so important that, in later versions of Viguard,
these keys are no longer used and the database files are no longer
encrypted).

It looks like this (obviously, the exact byte values have been changed;
I would not like Tegam to accuse me of publishing anything counterfeit
;)):

stupid_xor:
db 0, 0, 0, 0, 0, 0, 0, 0
db 0, 0, 0, 0, 0, 0, 0, 0
db 0, 0, 0, 0, 0, 0, 0, 0
db 0, 0, 0, 0, 0, 0, 0, 0
db 0, 0, 0

stupid_xor_for_docs:
db 0, 0, 0, 0, 0, 0, 0, 0
db 0, 0, 0, 0, 0, 0, 0, 0
db 0, 0, 0, 0, 0, 0, 0, 0
db 0, 0, 0, 0, 0, 0, 0, 0
db 0, 0, 0

There are two keys: one for executables, and one for documents.

35 and 30 bytes (plus 15 bytes in another key in another PoC).

And that's it. That is all Guillermito "stole" from Viguard: 80 bytes
taken from memory, not even executed code.

More or less, with Viguard weighing around 8 MB, Guillermito cited
1/100,000th of this program. Ten millionths.

Isn't that a beautiful example of counterfeiting? Computer experts
who may be reading this now know that, very often, their own research
could now be considered "counterfeiting" in France, and they can be
sued over 80 bytes.

You can check what is written above by reading for yourself the
archived version of Guillermito's analysis page, which detailed his
research.


Tegam filed a complaint on June 6th 2002. Here is Guillermito's page
as archived on June 1st.

http://web.archive.org/web/20020601124224/http://www.pipo.com/guillermito/viguard/index.html

You can also play "The Game of Counterfeiting" by clicking here, just
for fun (find the red X, which is **the** ten millionths cited
above).

http://www.kitetoa.com/Pages/Textes/Textes/25012005-Tegam_versus_Guillermito/Documentation/17032005-contrefacon-le-jeu.shtm
