
Previous analysis:

We are presented with a Word document that has macros. The VBA code for the macros is obfuscated, but we can clearly see that it is using some interesting Win32 API calls such as VirtualAlloc and CallWindowProc, which the code later renames through aliases.

Thus, we can just set a breakpoint on the renamed CallWindowProc function to trace shellcode. (This is explained more in depth by the Minerva guys).


Shellcode

The shellcode first resolves LdrLoadDll:

Then it resolves Kernel32.dll.

Resolves ExpandEnvironmentStringsA:

And calls it with %TMP%\\bg618.exe.

Then resolves CreateFileA, VirtualAlloc, VirtualFree and CreateWindowProcA, ReadFile, CloseHandle and


Today I came across this post that states that it is not possible to get a hard-coded password out of a binary by using the strings command.
But a while back I also remember reading another article saying that it is indeed possible.

So, is it?

I grabbed the code from the linked article, compiled it and executed strings on the binary only to get the same results as the original author.

$ strings pass
/lib64/ld-linux-x86-64.so.2
libc.so.6
exit
strncmp
puts
printf
strlen
__libc_start_main
__gmon_start__
GLIBC_2.2.5
yomaf <---
AWAVA
AUATL


Notice: This post does not endorse piracy. Its purpose is merely educational. Decompiling and cracking software is illegal in most cases.

OS X native software is written in Objective-C, a superset of C that is not very hard to hack away at. In this post I will try to demonstrate the basics of reverse engineering on that platform.

The goal

Sublime Pop Up

Our goal will be to stop the annoying Sublime Text pop-up from reminding you to buy a license every now and then (but you totally should if you are going to use it). I will be using the latest Sublime Text build
