Analysis on the principle of bitcoin theft in one Trojan wallet

Analysis on the principle of bitcoin theft in one Trojan wallet
Recently, bitcoin security problems have occurred frequently. I wanted to find a wallet to steal bitcoin for analysis. At this time, the user smtp posted a post on the B forum to reveal the LTC Trojan wallet, I also provided an LTC Trojan wallet sample. I reverse the trojan wallet program and analyzed the principle of the wallet to steal LTC. The theft method can also be used for bitcoin and other shanty coins.

He posted a post on the Apsara stack bits forum at http://www.cybtc.com/thread-9367-1-1.html. He also reminded everyone to download money packages from the official website, not to download non-official website (various network disks) or unsigned wallets.

I. Principle Analysis

This LTC Trojan wallet steals the LTC in a simple way. when viewing the wallet's receiving address, the actual Receiving address of the wallet is hidden and the hacker's LTC address is displayed. When sending the LTC to this Receiving address, the LTC sent will naturally be in the hacker's wallet and will never be in it.

The verification process is very simple. First install the LTC Trojan wallet, create a new Receiving address, then uninstall the trojan wallet, install the wallet on the LTC official website, and view the Receiving address. The addresses displayed by the two are different, the official website wallet displays the real address, and the trojan wallet displays the hacker's LTC address.

The hacker's LTC address does not exist in the wallet, so exporting the private key fails. The LTC address displayed in the wallet on the official website exists. You can export the private key. The command dumpprivkey can be used for verification.

LTC official website wallet: Wallet.

The hacker's LTC Receiving address displayed in the Trojan wallet:

The actual LTC address displayed in the wallet on the official website:

The two-phase comparison shows that the displayed LTC Receiving address is different.

Ii. Wallet display Receiving address

The LTC code is open-source. hackers have downloaded the LTC Code, made some modifications, re-compiled the code, packaged the program, and placed it in the online disk for download, and stolen the Internet user's LTC.

Display the receipt address of the wallet. The LTC and BTC code are the same. The LTC address is displayed in the list. The Trojan wallet modifies the string of the LTC address to be displayed in the list, to hide the real address.

Display the LTC Receiving address. It mainly involves two modules: display the Receiving address when the program loads, and create a new Receiving address. Here we will briefly explain how to display an address in the address list.

The wallet's receiving address is saved in the mapAddressBook of the CWallet class, and the receiving address list is the QList <AddressTableEntry> cachedAddressTable control of the class AddressTablePriv.

1. The receiving address is displayed when the program is loaded:

During litcoin-qt loading, in the main function, create an object of the WalletModel class, create an object of the class AddressTableModel In the constructor of the WalletModel class, and then call the refreshAddressTable function of the class AddressTablePriv. The refreshAddressTable function traverses the wallet address book and displays it in the Receiving address list.

2. Create a New Receiving address:

After confirmation in the create address dialog box, submit it to the accept function of the EditAddressDialog class, call the saveCurrentRow function, and call the addRow function of the AddressTableModel class to add a new address row.

In the addRow function, call the SetAddressBook function of the CWallet class to set the address book.

In the SetAddressBook function, send the NotifyAddressBookChanged signal. In the signal processing function NotifyAddressBookChanged, call the method of WalletModel updateAddressBook to update the address book.

In the updateAddressBook function, call the updateEntry function of the AddressTableModel class, and then call the updateEntry function of the AddressTablePriv class to insert the new address to the address list.

Iii. Code modified by hackers

The trojan wallet is the refreshAddressTable function that modifies the class AddressTablePriv and the updateEntry function. The displayed Receiving address is modified before the display and insertion addresses.

1. Function refreshAddressTable

Add the code to modify the display address before calling the cachedAddressTable. append function.

2. Function updateEntry

When CT_NEW is used, after calling the function parent-> beginsertrows, add the code to modify the display address before calling the function cachedAddressTable. insert.

A total of 10 LTC addresses are displayed by hackers. These 10 addresses are displayed sequentially in the order of display and insertion addresses. If there are more than 10 addresses, they are displayed cyclically.

A Trojan wallet defines an array pointing to the 10 LTC addresses.

The trojan wallet defines an integer variable that identifies the address index, displays the LTC address pointed to by this index, and increments accordingly. When it is equal to 10, it is reset to 0.

This is the address array and index located by IDA. It is very easy for coders to implement this function.

The hacker's LTC address is not stored in plain text in the wallet program, but encrypted. It must be decrypted before the LTC address is displayed. Through Reverse Analysis, the decryption method is relatively simple, and reverse operations are encryption.

During encryption, 34 characters of the LTC address are traversed, with 0x32 ('2'), 0x3C ('<'), 0x57 ('W ') the three characters are the demarcation points, and are added or subtracted based on the different ranges of the characters.

Perform reverse operations during decryption.

Encryption and decryption rules:

1. When the character is greater than or equal to 0x0 and less than or equal to 0x32 ('2'), the encrypted character is added to 3, and the decrypted character is reduced to 3.
2. If the character is greater than 0x32 ('2') and less than or equal to 0x3C ('<'), add 3 characters to the encrypted character and 3 characters to the decrypted character.
3. When the character is greater than 0x3C ('<') and less than or equal to 0x57 ('W'), the encrypted character is reduced by 3, and the decrypted character is added to 3.
4. When the character is greater than 0x57 ('W'), the encrypted character is added to 3, and the decrypted character is reduced to 3.

Rules (1) and (2) are the same and can be merged.

The plaintext and ciphertext of the hacker's 10 LTC addresses are as follows:

LTCAddress	EncryptedLTCAddress
LLaVR8Ab5gb6ybgjGxu9D2qisEgUCtJGvN	'Iidso;> e8je9 | ejmD {x <A5tlvBjR @ wGDyK'
LNMuPLzrL2SpZrcwC8US5vQZ6cwC2CRaoL	'Ikjxmi} uI5PsWufz @; RP8yNW9fz @ 5 @ odri'
LRD63cfZu7Wqt5JSvEC4PDrKByA7YkiZ4z	'Ioa96fiwx: Ttw8GPyB @ 7 MAuH? |>: VnlW7 }'
Lmvwz1nqax56if8tdmqik2m3166pkxrv7wz	'Sz SZ} 4qN> U89lC; QAJtlH5pGT9MH {uS: zw'
Ld1WBZyPAhdxsmQ8xeFgMrLuTNGwoXAmo8	'Ig4t? W | M> kg {vpN; {hCjJuIxQKDzrU> pr ;'
LLHa7b4gz2U6BFKR9suztQQT35zbmoJbuF	'Iied: e7j} 5R9? CHO <vx} wNNQ68} eprGexC'
LfpkSrZWYAvyTWB1ko2k3njcZQjsQoeYaQ	'Isnpuwtv> y | QT? 4nr5n6qmfWNmvNrhVdN'
LdgYTrsTcKmyF9nVB4uWSXUhbbXVJhPC9P	'Igjvquv1_hp | C <qS? 7xTPURkeeUSGkM @ <m'
LU6QjPAEKnczUfhkxebpKYY6GQxTeXmoUY	'Ir9nmm> BHqf} Rikn {hesHVV9DN {QhUprRV'
LMkNreKBaztuAetjx9o17WmhwwAB7T2gSf	'Ijnkuhh? D} wx> hwm {<r4: Tpkzz>? : Q5jPi'

Using IDA disassembly, you can clearly see the encrypted LTC address of the hacker.

This is a function that uses IDA to reverse decrypt an address.

Iv. Conclusion

From this analysis, we can find that the coin-stealing wallet is relatively simple. Because Bitcoin and litecoin code are open source, it is easier to locate the key point in reverse engineering. However, the most important thing is to be familiar with Bitcoin code and commands, which can help analyze problems and implementation principles.

If you have lost or stolen the currency, you can send the software to me to briefly describe the theft process. I can help you analyze and reveal it to prevent others from being stolen, my mailbox address: 007longshao@gmail.com.

Later, I will gradually analyze hacker attacks, phishing, Trojans, and other attacks on various wallet, mine, and trading platforms, and write them into serialized articles.

Author: Long Shao

BTC donation address: 1CeeGr858xjLJQB3a9uLawHAdZ2qWjzTGT