China Merchants Bank's Online Banking Professional Edition
A few days ago I bought a China Merchants Bank USB key (the "USB disk drive" version of its online banking) for 88 yuan. Last night, with nothing better to do, I did a quick analysis of it and found some problems.
For the details, see: Http://www.liveaa.com/categories/120-Software-internal-analyze.
First, about how the USB key is read: it is mainly read at login, and checked again (a secondary check) at exit. During normal use the key is not needed at all; while making a transfer, I did not detect any access to it. In other words, a software dongle that emulates the USB key would be feasible.
Second, it uses two DLLs, Cmbpb40.ocx (developed by ICBC) and HttpComm.dll (an OEM component). Their hash values are not published anywhere on the Internet, so I give them here:
Cmbpb40.ocx, Md5:e957b7602d97f09a503a0f85435204a5
HttpComm.dll, Md5:f3231b0a74d79853eb37914f8bd47bf6
Neither file carries a digital signature, so if someone patches the code, it is easy to insert malicious code without it being noticed.
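An added integrity check, not part of the original post, that a defender can run against the two modules: it computes each file's MD5 for comparison with the values above and parses the PE header to test whether an Authenticode certificate table is present at all. `fake_pe` builds a constructed minimal PE32 header purely for demonstration; it is not a real module.

```python
import hashlib
import struct

# MD5 values published in the post for the two unsigned modules.
KNOWN_MD5 = {
    "Cmbpb40.ocx": "e957b7602d97f09a503a0f85435204a5",
    "HttpComm.dll": "f3231b0a74d79853eb37914f8bd47bf6",
}


def has_authenticode(pe: bytes) -> bool:
    """True if the image has a non-empty certificate table
    (IMAGE_DIRECTORY_ENTRY_SECURITY, data directory index 4)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    rva, size = struct.unpack_from("<II", pe, dir_base + 4 * 8)
    return rva != 0 and size != 0


def check_module(name: str, data: bytes) -> dict:
    """Report the MD5, whether it matches the published value, and
    whether any Authenticode signature is attached."""
    md5 = hashlib.md5(data).hexdigest()
    return {
        "md5": md5,
        "matches_known": KNOWN_MD5.get(name) == md5,
        "signed": has_authenticode(data),
    }


def fake_pe(security_rva: int, security_size: int) -> bytes:
    """Constructed minimal PE32 header (test input only, not a real module)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (96 - 2)   # fields before the directories
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 4 * 8, security_rva, security_size)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)


if __name__ == "__main__":
    # On a real installation: check_module("HttpComm.dll", open(path, "rb").read())
    print(check_module("HttpComm.dll", fake_pe(0, 0)))
```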
The communications module of ICBC's Online Banking Professional Edition is not a control developed independently by the bank itself; it is a product of a small company in Zhejiang.
The general idea is that data leaves HttpComm.dll through a local proxy server. The following registry entries can be consulted:
Software/hexin corp/hexin SSL Secure proxy/comm 127.0.0.1 installed
Software/hexin corp/hexin SSL Secure proxy/settings proxyserver proxyenable
Software/microsoft/windows/currentversion/internet settings HTTPS//Read set
It also depends heavily on WinInet, using the functions in the following table; the data passing through these functions could be obtained quite easily.
HttpAddRequestHeadersA
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
InternetConnectA
InternetGetLastResponseInfoA
InternetOpenA
InternetQueryDataAvailable
InternetReadFile
InternetSetFilePointer
InternetSetOptionA
InternetSetStatusCallback
InternetWriteFile
As for Winsock, the following functions from WSock32.dll are used:
recvfrom
setsockopt
inet_addr
inet_ntoa
sendto
socket
gethostbyname
WSAStartup
WSACleanup
recv
accept
bind
closesocket
connect
getpeername
getsockname
htonl
htons
ioctlsocket
ntohs
send
WSAAsyncSelect
WSAGetLastError
WSASetLastError
As for Cmbpb40.ocx, it is a control written in Delphi; it used to crash often but has now basically stabilized. Here are some of the source files it uses:
About.dfm
About.pas
Accountmgr.dfm
Accountmgr.pas
Agrcreateagc.dfm
Agrcreateagc.pas
Agrselectagc.dfm
Applyfunctionofcard.dfm
Assignrpt.dfm
Backupprompt.dfm
Batchtransfer.dfm
Batchtransfergetpwd.dfm
Batchtransferinfoedit.dfm
Batchtransferresult.dfm
Calendar.dfm
Cardtemplate.dfm
Cashflowrpt.dfm
Certcancel.dfm
Certcardrelationremove.dfm
Certexport.dfm
Certhistoryquery.dfm
Certquery.dfm
Certsetquestion.dfm
Certsetquestionconfirm.dfm
Changeuserpassword.dfm
Checksys.dfm
CmbPb40.ocx.dpr
Commsetting.dfm
Confirminfo.dfm
Creditautocontact.dfm
Customersetup.dfm
Customizerpt.dfm
Dblogdlg.dfm
Dbpwdlg.dfm
Deleteuser.dfm
Detailrpt.dfm
Edittransferdetail.dfm
Edittransferrecord.dfm
Events.txt
Fpbook.dfm
Fpbookadd.dfm
Fpbookcondition.dfm
Fpbookmodify.dfm
Fpdebt.dfm
Fpdebtadd.dfm
Fpdebtcondition.dfm
Fpdebtmodify.dfm
Fppayment.dfm
Fppaymentadd.dfm
Fppaymentcondition.dfm
Fppaymentlog.dfm
Fppaymentmodify.dfm
Fxexchange.dfm
Fxshowmarketinfo.dfm
Getrelatecardauth.dfm
Getrelatedcardpassword.dfm
Getuserpassword.dfm
Guide.dfm
Hardcertformatkey.dfm
Hardcertweblogin.dfm
Hardcertwizard.dfm
Incomevsspendrpt.dfm
Ivlogin.dfm
Log.dfm
Login.dfm
Main.dfm
Netpay.dfm
Payeeinfowizard.dfm
Pbactivexproj.dfm
Pbtemplate.dfm
Pbtemplate1.dfm
Popuptemplate.dfm
Programlogin.dfm
Promptandinput.dfm
Protocolaccountmgr.dfm
Qrlabled.dfm
Qrprev.dfm
Qrprgres.dfm
Querycredit.dfm
Querycreditcondition.dfm
Querypaymentcondition.dfm
Querypaymentrecord.dfm
Querytransfercondition.dfm
Querytransferrecord.dfm
Receiverinfo.dfm
Rptcard.dfm
Selectreceiverinfo.dfm
Splitdata.dfm
Status.dfm
System.dfm
Transferaddressbook.dfm
Transferinframe.dfm
Transferinsideregion.dfm
Transferoutframe.dfm
Transferoutsideregion.dfm
Transfertoownedaccount.dfm
Viewtransdetail.dfm
Wealthaccounttransfer.dfm
Wealthlogin.dfm
Weblogin.dfm
Wizardmain.dfm
Wzd_certapply.dfm
Wzd_certimport.dfm
Wzd_ok.dfm
Wzd_select.dfm
Wzd_user.dfm
Wzd_userbyname.dfm
The whole analysis did not take very long. If a malicious party were to analyze this information in detail, the security level of the bank's online banking could be lowered.