Posts

IDA Pro 6.8 bug when handling Java .class files

We will be studying the following file.
If you open the given .class file in IDA Pro 6.8 and look at the "I" method, you will notice that it contains an exception handler.
If you switch to the Text view and look at the bottom of the "I" method, you should see something like the following:


The phrase given at the end of the method is not correct:
;met001_slot000                                ; DATA XREF: I+23 r ...
    .var 0 is a Ljava/lang/String; from met001_begin to met001_end
;met001_slot001                                ; DATA XREF: I+11 r ...
    .var 1 is a Ljava/lang/String; from met001_begin to met001_end
  .end method
Because if you take a look at the very first instruction of the exception handler, you will find:
met001_37:                                     ; DATA XREF: I:met001_50 i
    astore_1 ; met001_slot001
    .line 253
    new java/lang/Exception
    dup
    aload_1 ; met001_slot001
    invokevirtual java/lang/Excepti…

Playing with VMProtect - Sample devirtualizeme32_vmp_3.0.9_v2

Update: this blog post has an error, I have mistakenly labeled NOR instruction as NAND, fornication with broken condom ...

Proof courtesy of wolframalpha:
http://www.wolframalpha.com/input/?i=not+a+and+not+b
http://www.wolframalpha.com/input/?i=a+nor+b
They represent the same thing; stay tuned for an update.

In this blog post, I'm going to show you the manual approach I used to generate a text-based representation of the instructions executed by VMProtect (I've only studied devirtualizeme32_vmp_3.0.9_v2) for a specific function (or code portion?).
The first step was to manually create a file containing YARA rules for all handlers; this allows us to automatically detect a specific handler and classify it. The automatic handler detection step is essential because it saves time when you are dealing with targets, but that approach is not guaranteed to work for every target, because of the (unique?) algorithm used to decrypt the bytecode (that …

CTF.ma - Interesting CTF Challenges

A few days ago I noticed that some people created a platform for CTF challenges that turned out to be very interesting. It looks like the author is attracted to the kernel ring rather than the user-land ring, and I exploited that opportunity to learn more about Windows drivers, which is something I was doing for the first time.
I suggest you try those challenges and solve them, and I hope that you will enjoy them, specifically the RE challenges.

CTF website: http://www.ctf.ma

rtcore is now on the leaderboard; I will be very excited to see more people enjoying those challenges.

Ahead PDF Password Remover Keygen

A simple keygen for Ahead PDF Password Remover, written in JavaScript (even paranoids can use it).

Update: fixed a hidden check after clicking the "add files" button; the application was closing quickly.

Download

Download (non stable)

PS: It did not take much time to crack the first hash; there are many other hashes, but cracking just one is enough.


PPS: A good audio to listen to :D.

Received the Labyrenth 2017 prize

This was the first CTF challenge I ever tried, so those things mean a lot to me.
Thanks to those mp3, mp3; playing them in loop mode kept me from getting tired of stepping.



Why should I play Subway Surfers using a mouse? Isn't the keyboard cool!

Let's assume that someone is forced to work under circumstances where no internet access is available to him (not forever, just for a duration like one week). He will probably press Ctrl+F, type "subway", and great, he has found a game where he can burn his time.

Let's play for 30 min - 1 hour; that person will probably not be able to reach a higher score, and his hand will hurt.

I want to make the life of this person easier and better by adding keyboard support to that game (whether the game is for children or not is another story, and not important to me).

I want this feature to be built in, so the end user does not need to do anything other than double-click the exe.

Great, it looks like I'm lucky: UnityEngine is used along with Mono, which is .NET Framework-compatible.

Found something interesting in Assembly-CSharp.dll, the Game.HandleControls method; we must add arrow key support there.


So I modified the IL to get something like this:


Great, but unfortunately after runn…