Posts

RTCDbg Announcement: Progress after 6 months

I would like to share something with my few fellow people.
Six months ago, I started developing my own debugger, RTCDbg, a tool for debugging x64 Windows applications. The main goal was to create something visually compatible with OllyDbg while keeping the debugger portable: copy, paste and fire.

Progress for the Graphical User Interface: from the beginning, I was developing the GUI controls without High DPI in mind, because the computer I was using for development does not support that functionality, so I was not really aware of it. Now that I have another computer that supports High DPI, I can test the interface on both computers. Let's go through the main menu: what is done, what is half-done and what is still waiting to be done.
File menu:
Open: Needs more code to be written.
Attach: Not implemented.
Exit: Needs more code to be written.

View menu:
Log: Not implemented.
Executable modules: Not implemented.
Memory …

FlareOn 5 Prize

After successfully finishing the Flare-On 5 challenges, I have received the prize.


Looking forward to something exciting (this one is not -at least for me- we want something huge) next year.

IDA Pro 6.8 bug when handling Java .class files

We will be studying the following file,
If you fire up IDA Pro 6.8, open the given .class file and take a look into the "I" method, you will notice that it contains an exception handler.
If you switch to the Text view and look at the bottom of the "I" method, you should have something that looks like the following:


The phrase given at the end of the method is not correct:

    ;met001_slot000                                ; DATA XREF: I+23 r ...
        .var 0 is a Ljava/lang/String; from met001_begin to met001_end
    ;met001_slot001                                ; DATA XREF: I+11 r ...
        .var 1 is a Ljava/lang/String; from met001_begin to met001_end
        .end method

Because, if you take a look at the very first instruction of the exception handler, you will find:

    met001_37:                                     ; DATA XREF: I:met001_50 i
        astore_1 ; met001_slot001
        .line 253
        new java/lang/Exception
        dup
        aload_1 ; met001_slot001
        invokevirtual java/lang/Excepti…

Playing with VMProtect - Sample devirtualizeme32_vmp_3.0.9_v2

Update: this blog post has an error, I have mistakenly labeled the NOR instruction as NAND, fornication with broken condom ...

Proof courtesy of wolframalpha:
http://www.wolframalpha.com/input/?i=not+a+and+not+b
http://www.wolframalpha.com/input/?i=a+nor+b
They represent the same thing; stay tuned for an update.

In this blog post, I'm going to show you the manual approach I used to generate a text-based representation of the instructions executed by VMProtect (I've only studied devirtualizeme32_vmp_3.0.9_v2) for a specific function (or code portion?).
The first step was to manually create a file containing YARA rules for all handlers; this allows us to automatically detect a specific handler and classify it. The automatic handler detection step is essential because it saves time when you are dealing with targets, but that approach is not guaranteed to work for every target, because of the (unique?) algorithm used to decrypt the bytecode (that …

CTF.ma - Interesting CTF Challenges

A few days ago I noticed that some people created a platform for CTF challenges that turned out to be very interesting. It looks like the author is attracted to the kernel ring rather than user land, and I took that opportunity to learn more about Windows drivers, which I can say I am doing for the first time.
I suggest you try those challenges and solve them, and I hope that you will enjoy them, specifically the RE challenges.

CTF website: http://www.ctf.ma

rtcore is now on the leaderboard; I will be very excited to see more people enjoying those challenges.

Ahead PDF Password Remover Keygen

A simple keygen for Ahead PDF Password Remover, written in JavaScript (even paranoids can use it).

Update: fixed a hidden check after clicking the "add files" button; the application was closing quickly.

Download

Download (non stable)

PS: It did not take much time to crack the first hash. There are many other hashes, but cracking just one is enough.

PPS: A good audio to listen to :D.

Received the Labyrenth 2017 prize

This was the first CTF challenge I ever tried, so those things mean a lot to me.
Thanks to those mp3, mp3; playing them in loop mode kept me from getting tired of stepping.