Reversing and Exploiting Green Dam by Anthony Lai 賴灼東 2009.07.21

1. Reversing and
Exploiting
Green Dam
[0xdf]
Valkyrie-X Security Research Lab
VXRL 2009 1

2. Special Thank You
• Mr. Byoungyoung Lee from PLUS and
who is the mentor/advisor of Valkyrie-X
VXRL 2009 2

3. Background
• Focus on research and studies on
software/system exploitation, vulnerability
and reverse engineering, penetration test
and crypto problems.
• Activity:We joined CTF and ranked at 68 in
DefCon 17 Prequalifying Round out 230
teams.
VXRL 2009 3

4. 4

5. Agenda
• Reversing a few critical modules in Green
Dam.
• Exploitation Possibility
VXRL 2009 5

6. Let us start 
VXRL 2009 6

7. Reversing
• XNet2.exe
– It is the major Green Dam service
– It is for installation and register software key
to the system
– It is responsible for password check and reset
– Commander of XDaemon.exe and gn.exe
– Kick start a number of processes with the
following executables:
• Xdaemon, gn HTAnalyzer, MPSVCC, HNCENG,
HH, Looklog and LookPic
VXRL 2009 7

8. Prepare and set up processes
8

9. Installation
• Installation – Software Key Registration To
Registry.
9

10. More Interesting stuff is…
VXRL 2009 10

11. 11

12. Prepare a list of processes
12

13. Installation Password
• After Green Dam converts the password
using the MD5 algorithm, it saves it in text
format within the kwpwf.dll file located in
the C:WINDOWSsystem32 directory.
When opened using Notepad, if the
content is then replaced with
"D0970714757783E6CF17????????????
????????" and saved, the password can
then be restored to the original
"1122??????". VXRL 2009 13

14. Easy Password
VXRL 2009 14

15. Green Dam – Data File
• Decrypted file content
– Contain keywords for filtering
• The data file naming convention and
filtering classification are exactly the same
as Cybersitter from Solid Oak.
VXRL 2009 15

16. Green Dam – Data File
16

17. VXRL 2009 17

18. Green Dam – Connected IPs
• Connected IPs
– Connected to ISP in USA?
– Connected to NIST’s time server?
VXRL 2009 18

19. VXRL 2009 19

20. 20

21. VXRL 2009 21

22. Green Dam – Monitored Software
• Monitored software
– We could find it from injlib32.dll
– Injlib32.dll is injected to every critical process.
– Handle.dll is to create process/thread to
monitor any messages received from injected
DLL. (as it supports transmitstring).
Handler.dll Injlib32.dll
Notepad.exe
VXRL 2009 22

23. 23

24. 24

25. 25

26. Green Dam – Exploitation
• Possible vulnerabilities in Green Dam
version 3.1.7
– As Green Dam is injected to the browser
process and it cannot handle long URL
– Stack Buffer Overflow is found.
• The exploit is published in Milw0rm.com. It
should be the same
VXRL 2009 26

27. What is Stack Buffer Overflow?
VXRL 2009 27

28. What is Stack Buffer Overflow?
(from Wikipedia.org)
VXRL 2009 28

29. How can we exploit?
• We try out input 2048 ‘A’s and submit it as
an URL.
• We attach OllyDbg to the process of
Internet Explorer named as iexplore.exe
for debugging purpose in runtime.
VXRL 2009 29

30. Demo
VXRL 2009 30

31. Exploitation Summary
• Successfully overwritten with our input.
• Deploying shellcode will be our next
mission.
• No patch is provided 
VXRL 2009 31

32. Our Conclusion
VXRL 2009 32

33. Conclusion
• We strongly suggest not installing this
software.
• It gives vulnerability, it is not just filtering
but monitor the use of software and the
content you typing into.
VXRL 2009 33

34. Thank you for your listening
• Anthony Lai (0xdf)
• 0xdarkfloyd@gmail.com
VXRL 2009 34

35. Reference
• Technical Analysis of Green Dam
– http://wikileaks.org/wiki/
A_technical_analysis_of_the_Chinese_'Green_Dam_Youth-
Escort'_censorship_software
• Analysis of Green Dam Censorware System
– http://www.cse.umich.edu/~jhalderm/pub/gd/
VXRL 2009 35

36. Tools
• MD5 Decryption
– http://www.md5decrypter.com/
• IDA Pro (Get a free version)
– http://www.hex-rays.com/idapro/
– http://www.amazon.com/exec/obidos/ASIN/1593271786/
datarescuesanv
VXRL 2009 36