|
ChubbyThePhat posted:drat this actually looks fun. It did until I managed to figure out that the blob sent in the JSON is the plugin that actually does the encryption. I've never done reversing before, now I'm stuck. I have reason to believe that it's a modified stream cipher (most likely RC4)... I also have four variables sent in another JSON (seed_key_arg[1-3] and seed_key, but not obvious what to do with them yet. code:
|
# ? Jul 27, 2017 15:10 |
|
|
# ? May 18, 2024 12:24 |
|
lol that's pretty neat, drop that into a unicorn engine script. you can set up a stack and memory in unicorn, put the seed argument bytes into locations in the memory, and then set the arguments to that function(on the stack where you'll set rbp to point in this situation) to the memory address where you put each respective argument buffer. then tell unicorn to run it and you'll have the decrypted result in unicorns memory region, probably. really cool challenge, what CTF is this for? edit: or you could try to reverse and break the cipher but that's probably harder I'm sorry my unicorn description sucked but it's like * make a big memory buffer with unicorn api * decide the stack is at like... 0x1000 * decide to put the bytes for each arg at like... 0x5000, 0x5200, 0x5400 * set ebp to 0x1000 * set esp to 0x1000-4 * other registers don't really matter * set the memory at 0x1000+8 to the address of where the bytes for arg1 are, in this example it would be 0x5000 * same for 0x1000+12, and 0x1000+16... * one arg is just a numerical seed, so 0x1000+whatever should be set to that * run it up to the leave instruction and you'll probably have something decrypted at 0x5000ish I might've switched up plus and minus up there, so beware. but you get the idea. btw it looks like it might be x86 that got decompiled by r2 as x86-64 so watch out for that Daman fucked around with this message at 10:28 on Jul 28, 2017 |
# ? Jul 28, 2017 09:53 |
|
Daman posted:lol that's pretty neat, drop that into a unicorn engine script. you can set up a stack and memory in unicorn, put the seed argument bytes into locations in the memory, and then set the arguments to that function(on the stack where you'll set rbp to point in this situation) to the memory address where you put each respective argument buffer. then tell unicorn to run it and you'll have the decrypted result in unicorns memory region, probably. I've figured out some more stuff. I'm sure that the crypto algorithm is RC4 with modified constants. The server also sends a key generator function in machine code, which generates the key used for the modified RC4. I think that the RC4 is easy to recreate in Python, but beginner at reversing that I am, I'm currently stuck at the key generator... I'm trying to figure this out by debugging in in r2 or edb. I'll let you know if there's any success. Since the task sounds easy (running machine code with known input arguments) , here's the details if you want to give it a shot. Key arguments as integers: 1095923727, 3459613537, and 2312051101. Machine code: code:
edit: the problem could be phrased like this: how can i execute the shellcode above and get the output? Mopp fucked around with this message at 14:20 on Jul 28, 2017 |
# ? Jul 28, 2017 13:00 |
|
Mopp posted:I've figured out some more stuff. You're probably better off quickly re-implementing it, unless there's more code than what you just pasted. What's there is missing at least one function (probably malloc) which it calls immediately upon entry. Marked it up a little bit, it looks equivalent to ~10 lines of C: http://i.imgur.com/bmxPzmL.png.
|
# ? Jul 28, 2017 15:19 |
|
ComWalk posted:You're probably better off quickly re-implementing it, unless there's more code than what you just pasted. What's there is missing at least one function (probably malloc) which it calls immediately upon entry. That's way better decompiling than what I managed, thanks. Now to get it to a working example... edit: something like this maybe? code:
code:
Mopp fucked around with this message at 18:49 on Jul 28, 2017 |
# ? Jul 28, 2017 16:09 |
|
Mopp posted:edit: the problem could be phrased like this: how can i execute the shellcode above and get the output? sooo unicorn engine literally does this. either way, you shouldn't be trying to reverse it to C. you should write C to copy the shellcode to a buffer and call it, or you should emulate it. there's just no reason to reverse it and too much room to gently caress it up. for example I wrote a script to run the key generation algorithm (with the malloc call at the beginning nop'd out). my result: a@ubuntu:~$ python lol.py D5333EC5 E94E7277 BAB1FE3D 86CCB28F you can use the commented out parts and change the argument loading to use the same script to emulate the decryption algorithm (the other shellcode you posted). good luck! edit: i've been informed that i hosed it up, the +0xca in emu_start should be +0xc6 edit2: ok, i probably hosed up my unicorn usage. reimplemented it in C to verify it was correct and got a different result. welp. i verified this disassembles to the correct call of the shellcode. code:
edit3: well, i fixed the unicorn script. ESP should be set to stack_base+4 on function call, not stack_base-4. stack frames r hard https://gist.github.com/5af52a4dafd95e8261186f5b1b4bc440 code:
Daman fucked around with this message at 00:19 on Jul 29, 2017 |
# ? Jul 28, 2017 21:14 |
|
Daman posted:edit3: well, i fixed the unicorn script. ESP should be set to stack_base+4 on function call, not stack_base-4. stack frames r hard Thanks for the awesome help. It's actually way more fun than expected trying to get this to work, I should pick up a book or two on reversing. I glanced over unicorn at first and saw that r2 used it for debugging, so I tried to go the r2 way. Now when I see unicorn in action this seems way easier. If you have time to help me out with some questions, it'd be awesome. edit: i am a dumbass and don't know how to nop. now it works. code:
Test data would then be: code:
Mopp fucked around with this message at 10:29 on Jul 29, 2017 |
# ? Jul 29, 2017 10:04 |
|
Mopp posted:I'll try the modified RC4 in Python first, but if there's no obvious success a Unicorn emulation will be next up. When looking at the disassembled crypto code it's currently not clear on where to add the ciphertext data and the key. I'll update if there's any progress. It should just be a matter of enough reversing to figure out what the arguments the blob takes are, then setting up a stack frame like what Daman did for the keygen code. You'll want to switch over to x86 disassembly. What you've pasted was disassembled as x64 which is why it looks wrong. EDIT: Curiously, there are 4 input arguments, and I'm not sure what the last one comes from. I tried every possibility (it's a uint8_t), and there's one decryption that happens to be 35 bytes of ASCII, 34 of which are a hexdump followed by 'L'. I could've botched the reimplementation (I'm not pulling unicorn out) but getting something that intelligible by chance seems unlikely. EDIT2: Oh, it's got your expected plaintext in it also. So that's your ticket. Set up your stack frame, figure out where the last argument comes from (or brute force it), should pop right out of unicorn. ComWalk fucked around with this message at 12:25 on Jul 29, 2017 |
# ? Jul 29, 2017 11:22 |
|
ComWalk posted:It should just be a matter of enough reversing to figure out what the arguments the blob takes are, then setting up a stack frame like what Daman did for the keygen code. Yes, I noticed that as well. Here's the hexdump and (hopefully correct) disassembly of it: https://gist.github.com/anonymous/09a2d49e5341518524dd46df71ad6355 I'm not sure on the input arguments either. Key and message obviously, but what else? edit: mind posting what you did?
|
# ? Jul 29, 2017 12:30 |
|
Mopp posted:Yes, I noticed that as well. Here's the hexdump and (hopefully correct) disassembly of it: https://gist.github.com/anonymous/09a2d49e5341518524dd46df71ad6355 The arguments are message, key, message length, and then the uint8_t. The uint8_t is used to determine how much the initial RC4 keystate is rotated. Rather than an initial RC4 keystate of {0 .. 255} it's {arg4, arg4 + 1, ..}. Looks to be standard RC4 outside of that. I just re-implemented the blob you posted in C after pulling out the opcode bytes from the r2 dump. It's worth noting that there might be a flag in the binary. It builds a string where the keystate goes and then immediately writes over it. Trying to avoid spoiling too much of it. I can dump more later if you'd like.
|
# ? Jul 29, 2017 12:43 |
|
ComWalk posted:The arguments are message, key, message length, and then the uint8_t. The uint8_t is used to determine how much the initial RC4 keystate is rotated. Rather than an initial RC4 keystate of {0 .. 255} it's {arg4, arg4 + 1, ..}. Looks to be standard RC4 outside of that. Still a beginner at reversing so I appreciate the help and patience. I'm assuming that you changed the constants in RC4 to get it to work as well? There is one (stated) remaining, but I've been assuming that it's hidden in an encrypted file download and that file contains the flag. It is possible that there is a hidden flag as well... I've been working with Daman's unicorn script and try to update it for the crypto code, but no success in getting it to run so far. Updated version is here: https://gist.github.com/anonymous/fffd160ad759cc0914cbf13f51d70811 Probably something wrong with the stack frames. Doing a mem_read(stack_base + 0x8, msg_len + 16 + 1 + 1) where the key is 16 bytes, the msg_len is 1 byte and the rotation variable is 1 byte. The output is: code:
|
# ? Jul 29, 2017 15:49 |
|
Mopp posted:Still a beginner at reversing so I appreciate the help and patience. I'm assuming that you changed the constants in RC4 to get it to work as well? I see several problems. First, the stack frame is wrong. The 4 input arguments are going to be 4 bytes each. Instead of dumping the key and input message directly on the stack you want to store pointers to those things. The length and rotation value should each be padded up to 32 bits. Place the two things behind a pointer somewhere else in memory (say, 0x6000 and 0x7000 or similar), then make those two args be the values 0x00006000 and 0x00007000. Also, the endianness for your key is wrong (but otherwise looks correct). Keep in mind that it was printed as 4 32-bit integers and that x86 is little endian. The RC4 code accesses key bytes directly, it doesn't load dwords. RC4 doesn't really have constants to change -- I didn't have to do anything but change the key scheduling algorithm during init as described above.
|
# ? Jul 29, 2017 16:27 |
|
ComWalk posted:RC4 doesn't really have constants to change -- I didn't have to do anything but change the key scheduling algorithm during init as described above. ComWalk posted:Rather than an initial RC4 keystate of {0 .. 255} it's {arg4, arg4 + 1, ..}. Looks to be standard RC4 outside of that. Thanks for the help. The learning curve for getting this to work with unicorn is too high compared with trying to get it to work with RC4 implementation, since you mentioned getting it to work with the standard RC4 algorithm by modifying the KSA. If I understand you correctly then, the KSA should be initialized with an array ranging from {n, n+1, ..., n+255} mod 256, yes? If I interpeted the machine code correctly, there is a constant integer referenced (268) which I assumed was a change in the modulo and length of the key state, maybe that was a mistake then. I tried to make the change above, but no success in finding the cleartext anywhere. Is the key/cipherdata inputted wrong? Are we using the same data? RC4 implementation here: https://gist.github.com/anonymous/bf4931559758f9ada33077fe773eb6e6 Output here where I cycle through n={0, 255} and try to decrypt the text. https://gist.github.com/anonymous/abcbf122bb7e93ad18cd5b0337d02397
|
# ? Jul 29, 2017 18:58 |
|
Mopp posted:Thanks for the help. The learning curve for getting this to work with unicorn is too high compared with trying to get it to work with RC4 implementation, since you mentioned getting it to work with the standard RC4 algorithm by modifying the KSA. Your key endianness is still wrong. EDIT: So, I switched it and ran your script, and got a run of 7 bytes of correct output for one of them. Not sure exactly where the issue is. ComWalk fucked around with this message at 19:07 on Jul 29, 2017 |
# ? Jul 29, 2017 19:00 |
|
(Just want to say that this sequence of posts is amazing.)
|
# ? Jul 29, 2017 19:08 |
|
Disregard that, your script is completely correct, only your key endianness is wrong. I missed that you switched out the message ciphertext. For reference, my mostly equivalent code is here: https://gist.github.com/anonymous/909e6af6a5d98985779887cbd1d1cbca EDIT: Offset 74 in your script is what the valid output comes out of. In mine, offset 182. We rotated different directions. EDIT2: Your only mistake is fixed with code:
ComWalk fucked around with this message at 19:15 on Jul 29, 2017 |
# ? Jul 29, 2017 19:12 |
|
ComWalk posted:Disregard that, your script is completely correct, only your key endianness is wrong. I missed that you switched out the message ciphertext. edit: nvm this. I am such a dumbass for messing up the key endianness. I got the correct answer as well. edit2: holy poo poo at actually getting the right answer. this was fun. i'll try to decode the rest of the session now. Mopp fucked around with this message at 20:07 on Jul 29, 2017 |
# ? Jul 29, 2017 19:59 |
|
https://twitter.com/Scott_Helme/status/891456060502024192
|
# ? Jul 30, 2017 01:36 |
|
Mopp posted:edit: nvm this. Got the last flag! Huge thanks to both Daman and ComWalk for the help.
|
# ? Jul 30, 2017 17:25 |
|
Months ago someone in one of the IT threads was saying there was a problem with fingerprint scanning as security on a cell phone. He didn't specify why, though. What's the problem with it? I got a new phone a few days ago and I know I should probably disable the Touch ID unlocking, but I'm wondering why.
|
# ? Jul 30, 2017 21:26 |
|
22 Eargesplitten posted:Months ago someone in one of the IT threads was saying there was a problem with fingerprint scanning as security on a cell phone. He didn't specify why, though. What's the problem with it? I got a new phone a few days ago and I know I should probably disable the Touch ID unlocking, but I'm wondering why.
|
# ? Jul 30, 2017 21:31 |
|
22 Eargesplitten posted:Months ago someone in one of the IT threads was saying there was a problem with fingerprint scanning as security on a cell phone. He didn't specify why, though. What's the problem with it? I got a new phone a few days ago and I know I should probably disable the Touch ID unlocking, but I'm wondering why. Some lovely android phones literally stored bitmaps of all your fingerprints unencrypted on the phone. https://www.theguardian.com/technology/2015/aug/10/htc-fingerprints-world-readable-unencrypted-folder The iPhone actually stores them properly and there's no issue with using touch id
|
# ? Jul 30, 2017 21:35 |
|
anthonypants posted:It is easy to collect a fingerprint from something else you've touched and use it to unlock your phone. Cops (in the US) can legally force you to fingerprint-unlock your phone without a subpoena, but don't have the same right to coerce you into revealing the PIN or password for your phone. That makes sense. I mean, the cops could probably still get away with beating me until I unlocked my phone anyway, but the first part makes sense.
|
# ? Jul 30, 2017 21:49 |
|
Another problem is if someone has your fingerprint data, it's not like you can change that like you can a compromised password.
|
# ? Jul 30, 2017 22:00 |
|
Coxswain Balls posted:Another problem is if someone has your fingerprint data, it's not like you can change that like you can a compromised password. An infosec "expert" on some TV news just suggested you use a different finger if thieves steal your fingerprint biometrics.
|
# ? Jul 30, 2017 22:02 |
|
Trabisnikof posted:An infosec "expert" on some TV news just suggested you use a different finger if thieves steal your fingerprint biometrics. Yeah, I could see myself using a different finger, all right.
|
# ? Jul 30, 2017 22:05 |
https://twitter.com/JennaMagius/status/891434286212984832
|
|
# ? Jul 30, 2017 22:34 |
|
Biometrics should never be used in lieu of passwords; they should be used as a username and nothing more.
|
# ? Jul 30, 2017 22:39 |
|
What if the only thing I care about is the 10 minutes between a random thief or losing it and me locking/deleting it?
|
# ? Jul 30, 2017 22:48 |
|
Is it possible to make the fingerprint scanner unlock to just a still image of Goatse/Pain.whateverthefucktheeextensionwas? Not that I would go to the effort, honestly.
|
# ? Jul 30, 2017 23:41 |
|
22 Eargesplitten posted:Is it possible to make the fingerprint scanner unlock to just a still image of Goatse/Pain.whateverthefucktheeextensionwas? Most sensors are capacitive but besides that it should be possible.
|
# ? Jul 31, 2017 00:01 |
|
Absurd Alhazred posted:Yeah, I could see myself using a different finger, all right. I thought the goon standard was the head of your dick?
|
# ? Jul 31, 2017 00:23 |
|
I think the question is about what you get after you perform the unlock, replacing access to the phone.
|
# ? Jul 31, 2017 01:10 |
|
Uhh so long-time CISSPs, when should I expect to be audited for some of these podcast CPEs I've been dumping onto my report? I throw SecurityNow on whenever it comes out just because I'm bored at work and at this rate my entire annual CPE report will be SN podcasts and one tech conference.
|
# ? Jul 31, 2017 02:07 |
|
apseudonym posted:Most sensors are capacitive but besides that it should be possible. I meant so that instead of actually unlocking my phone it just pops up a still image of a shock site. Or a video starting in the middle of kids in the sandbox or one man one jar. RFC2324 posted:I thought the goon standard was the head of your dick? The sensor has a minimum area of contact.
|
# ? Jul 31, 2017 03:35 |
|
Martytoof posted:Uhh so long-time CISSPs, when should I expect to be audited for some of these podcast CPEs I've been dumping onto my report? I throw SecurityNow on whenever it comes out just because I'm bored at work and at this rate my entire annual CPE report will be SN podcasts and one tech conference. Never? I've had mine since 2003(?) and never had my CPEs audited. For myself it's usually books and conferences/seminars.
|
# ? Jul 31, 2017 04:10 |
|
Proteus Jones posted:Never? I've had mine since 2003(?) and never had my CPEs audited. For myself it's usually books and conferences/seminars. Welp, I'll be happy to keep dumping podcasts on there then I guess
|
# ? Jul 31, 2017 12:27 |
|
Martytoof posted:Welp, I'll be happy to keep dumping podcasts on there then I guess Dump away. I put Security Weekly and Risky Business on there all the time and only 1 hour has ever been audited, which was eventually approved after i wrote a recap of the pod.
|
# ? Jul 31, 2017 14:07 |
|
CNN posted:A self-described "email prankster" in the UK fooled a number of White House officials into thinking he was other officials, including an episode where he convinced the White House official tasked with cyber security that he was Jared Kushner and received that official's private email address unsolicited. Great with the cyber. Not so great with the spearphishing, apparently. http://www.cnn.com/2017/07/31/politics/white-house-officials-tricked-by-email-prankster/index.html
|
# ? Aug 1, 2017 05:45 |
|
|
# ? May 18, 2024 12:24 |
|
Martytoof posted:Uhh so long-time CISSPs, when should I expect to be audited for some of these podcast CPEs I've been dumping onto my report? I throw SecurityNow on whenever it comes out just because I'm bored at work and at this rate my entire annual CPE report will be SN podcasts and one tech conference. Did you log them all right up at the end of the period? That seems to be a flag that increases your likelihood of getting audited. My boss told me when you listen to something for CPEs that doesn't have a proper audit/record to email yourself the info on it and jam it in a folder somewhere, that made the process a lot less painful for someone who got it over here. A put them in on a regular basis, obviously. You might get asked to give a summary of the ones they are asking about.
|
# ? Aug 1, 2017 13:34 |