Post #1 - Apr 23 2007, 05:22 AM
Overview
To truly understand why a booter or any other type of exploit functions, an investigator must have a look at the program's source code. In the case of Yahoo! Messenger, which is a closed source program, I am forced to dive into the dark and sometimes mystical realm of assembly debugging. By exploring the Yahoo! Messenger assembly code and the machine state at the time of a crash, I can reveal, on the machine level, how a booter works. Perhaps more importantly, is it possible to run arbitrary code from a remote attack?

Tools

In order to explore the assembly and machine states of Yahoo! Messenger, I used several assembly debuggers. The most used program is OllyDbg [http://home.t-online.de/home/Ollydbg/]. OllyDbg shows all the machine instructions that make up a program and also allows attachment to a currently running program. Two other tools that I used were Microsoft's WinDbg [http://www.microsoft.com/whdc/ddk/debugging/] and DataRescue's IDA Pro [http://www.datarescue.com/idabase/]. Each program has its strong points, and I used knowledge gained from each program to complete an overall assessment of the crash. Figure 36 shows OllyDbg open and attached to Yahoo! Messenger just after a crash.

Figure 36 - OllyDbg