Showing posts tagged #assembly

Return Home

Goal

Analyze code re-use in binaries to attribute unknown samples to families / threat actors. To do this we can obtain the list of functions in an executable and hash each function's opcodes using a fuzzy hash algorithm (kind of what Diaphora does). For the fuzzy hashing I will be using ssdeep, and for the opcode extraction r2 (and r2pipe).

Data preparation

First, we need some data to work on (hashes + samples). I will be using a QuantLoader sample set, as it is a rather simple malware.

With that in mind, we need to identify some landmark functions in a Quant

Read More

On the most recent phishing attacks, PowerShell is usually employed to load and execute position-independant shellcode via a macro-enabled Office document.

Infection process

So, in order to know what actions are being carried away the truly interesting part here is the shellcode being executed. However, to slow down analysis or lower detection, shellcode is usually encoded, being shikata ga nai the most used encoder (for the samples I have observed at least).

Shikata ga nai

Shikata ga nai is a polymorphic encoder based on a decoder stub. The decoder stub XORs the encoded bytes with an incremental key. Having an incremental key

Read More

Today I came across this post that states that it is not possible to get a hard-coded password out of a binary by using the strings command.
But a while back I also remember reading another article saying that it is indeed possible.

So, is it?

I grabbed the code from the linked article, compiled it and executed strings on the binary only to get the same results as the original author.

$ strings pass
/lib64/ld-linux-x86-64.so.2
libc.so.6
exit
strncmp
puts
printf
strlen
__libc_start_main
__gmon_start__
GLIBC_2.2.5
yomaf <---
AWAVA
AUATL

Read More

Notice: This post does not endorse piracy. It's purpose is merely educational. Decompiling and cracking software is illegal in most cases.

OS X native software is written in Objective-C, a superset of C which is not very hard to hack away. In this post I will try to demonstrate the basics of reverse engineering in said platform.

The goal

Sublime Pop Up

Our goal will be to stop the annoying Sublime Text pop-up from reminding you to buy a license each now and then (but you totally should if you are going to use it). I will be using Sublime Text latest build

Read More