Four hours later, unpack and deobfuscation mostly done. Still some control flow obfuscation in place, though.

This seems to be a confuserex mod, the constant deobfuscation functions interestingly call into native x86 code to do some xoring. I ended up patching my nofuserex mod to find the constant used by the xor functions and replace the native code with equivalent CIL.

Also, dnspy 4.x crashed hard trying to debug the sample. I had to find dnspy 3.0.2, which worked first time.

holy shit that's a lot of junk code in the module cctor. 10k lines of disassembled CIL...

so <PUP bundler network> seems to actually rotate C2 IPs every 30 minutes.

At least I've modified my sample-obtainer to work around that now. It's not that hard to get the latest C2 IP.

The DLL being dropped is cdfd36551ab68b3c54637c833155ba9c5be452bdb3e2956c42aaa89a4b2c7ff7 ; it deobfuscates, decompresses and loads another DLL, which is 33890b20d8c58a8137b3eff9caf4eb5c01cdcc02e4f05d954a35a5e2f0db195f.

Both have 8/66 detection rates on VT; 2 of the detections are different vendors.

So I'm checking <PUP bundler network> again, after a period of absence.

Seems they now rotate their C2 IPs every hour. I'm going to have to modify my sample-obtainer to work around that.

Right now I'm looking into an interesting sample. Autohotkey downloader => downloads two samples.
Still getting one of the samples: 27MB at 10kb/sec, feels like 2001 :P

The other sample is an NSIS installer that drops stuff. It uses legitimate TeamViewer and DLL-hijacking.

Oh, brilliant.

So Windows 10 now has the ability for any application to get system-unique tracking identifiers that persist across reinstalls by storing them in the TPM or UEFI firmware variables...

Look at these APIs:

To add insult to injury, the APIs lead into clipc!GetOfflineDeviceUniqueID, which calls into a licensing-related service which would be obfuscated by Warbird...

#infosec #tracking

This is an excellent writeup by SciresM (I wish he was on Mastodon rather than birdsite...):

(getting code execution in TrustZone on Nintendo Switch, firmware 1.0.0)

Found a stack overflow in one of the webserver FastCGI binaries of an Epson projector firmware. In a file that, according to the lighttpd conf, is accessible without any authentication needed.

Not only that, but I've found an authentication bypass for accessing the firmware update endpoint, not that I know how to use it yet.

authbypass PoC:

GET /cgi-bin/./sender.exe?q=getProjectorInfo&/nwupdate/cgi-bin/nwdownload.dll HTTP/1.1

EPSON projector firmware images are encrypted with DES-CBC, using key 3437303530300000 ("470500") IV 3732313434370000 ("721447"). (They may be encrypted with DES-ECB using the same key.)

This was found by reversing EasyMP Network Updater. The above keys are stored encrypted with AES-128-ECB with a static key (5ead10f71251e43b0635f8bf3a594c83).
Hilarity: the block mode is discovered by decrypting the first 0x30 bytes and checking the first byte (if 01/02/03/04/10/20 then ECB, else CBC).

of course, I forgot the other two fun problems. "programs now crash" and "my computer no longer boots"

I'm currently super pissed off at #Intel/#Linux/#Microsoft.

So many of the shipping "fixes" for #Meltdown and #Spectre are causing noticeable problems such as "programs aren't starting" and "things take 30x longer".

I'm afraid this will kick off another round of "nobody should install updates!" We had *just* gotten out of that habit :/.

Oh my god, this is hilarious.

Some spambot or whatever, aimed at tech support scammers.

Their demo available from their website also comes with some license key or such.

Said "license key" is actually an Empire stager encrypted with a key derived from your public IP. And clicking the "register" button decrypts and executes said Empire stager. (rather sloppily...)

And to add insult to injury, the software itself appears to be snake oil.

LOL, the addition of Clippy to the win95 theme.

A shame its eyes don't follow your mouse pointer around (a la xeyes) though...

tired: running applications in ring 3
wired: running applications in ring -3

"stop-unpacking", "you_can_not_unpack". Riiiight.

Faking other obfuscators (only .NET obfuscator I've seen that does this).

Two functions in module-static constructor. Gets PE base address, does some PE parsing, eventually VirtualProtect as RWX and a XOR loop.

Unpacking steps: run under debugger, step over those two functions, dump, de4dot -p un.

If you want to do more than just static analysis, remove that ctor body.

With all the taunting, I'd expect something harder.

I really should think about continuing to disassemble the GEM S3 ROM someday.

It's a nice piece of hardware, and it uses an m68k!

I kinda gave up on documenting things soon after I got a PoC of code execution (which can be found in pocorgtfo11 as part of the 'keep hacking' memorandum of bushing).

IIRC, that PoC was done simply using the messagebox syscall...

I was wondering how to get a pointer to the PEB for ARM64 NT.

This turned into wondering how to get a pointer to the PEB for every architecture that NT was ported to (and where a build of said port was leaked/released).

This turned into some C code (using MS compiler intrinsics) that can get the PEB pointer for all those architectures.

It's interesting how for two architectures (Alpha AXP and IA64), there's a _rdteb() intrinsic.

#reversing #infosec #nt #teb #peb
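As an added example (not the poster's code), here is one way to do what the post describes: pick the MSVC intrinsic per target to reach the TEB, then read the PEB pointer out of it. It covers the targets the editor can state confidently (x86, x64, ARM, ARM64, and the Alpha AXP / IA64 _rdteb() branches the post mentions), omits MIPS and PowerPC, and returns NULL elsewhere; the 0x30/0x60 PEB offsets and the ImageBaseAddress cross-check are assumed from the standard TEB/PEB layout.

```c
#include <stddef.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>   /* GetModuleHandleA, used only for the cross-check */
#endif
#ifdef _MSC_VER
#include <intrin.h>    /* __readfsdword, __readgsqword, __getReg, ... */
#endif

/* ProcessEnvironmentBlock sits at TEB+0x30 on 32-bit NT and TEB+0x60 on
 * 64-bit NT (assumed from the NT_TIB/TEB layout shared by all the ports). */
#define PEB_OFF_32 0x30
#define PEB_OFF_64 0x60

/* Returns the current process's PEB, or NULL when built for a target this
 * example does not cover (MIPS and PowerPC are left out). */
void *nt_current_peb(void)
{
#if defined(_M_IX86)
    return (void *)(uintptr_t)__readfsdword(PEB_OFF_32);     /* fs -> TEB */
#elif defined(_M_AMD64)
    return (void *)__readgsqword(PEB_OFF_64);                 /* gs -> TEB */
#elif defined(_M_ARM)
    /* CP15 c13/c0/2 (TPIDRURW) carries the TEB pointer on ARM NT. */
    return *(void **)((uintptr_t)_MoveFromCoprocessor(15, 0, 13, 0, 2) + PEB_OFF_32);
#elif defined(_M_ARM64)
    return *(void **)((uintptr_t)__getReg(18) + PEB_OFF_64); /* x18 -> TEB */
#elif defined(_M_ALPHA)
    return *(void **)((uintptr_t)_rdteb() + PEB_OFF_32);     /* 32-bit Alpha */
#elif defined(_M_IA64)
    return *(void **)((uintptr_t)_rdteb() + PEB_OFF_64);     /* 64-bit IA64 */
#else
    return NULL;
#endif
}

/* 1 = PEB found and consistent with the loader, 0 = target not covered,
 * -1 = a pointer was produced but PEB->ImageBaseAddress disagrees with the loader. */
int nt_peb_self_check(void)
{
    void *peb = nt_current_peb();
    if (peb == NULL)
        return 0;
#ifdef _WIN32
    {
        /* ImageBaseAddress follows four BOOLEAN/bitfield bytes (padded to a
         * pointer) plus the Mutant handle, i.e. offset 2 * sizeof(void *). */
        void *image_base = *(void **)((uintptr_t)peb + 2 * sizeof(void *));
        return image_base == (void *)GetModuleHandleA(NULL) ? 1 : -1;
    }
#else
    return -1; /* a non-NULL PEB outside Windows means the build is mis-targeted */
#endif
}
```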

'The "Administrator" account is a temporary "feature" that will not be present in the final retail product.'
- release notes, Windows NT 3.1 beta, July 1992
