Imagine someone withdrew money from a company's account at night. The next morning panic breaks out, leading to yet more problems. The IT department can reinstall a compromised system from scratch or restore it from backup. Reinstalling from scratch will wipe out all traces left by the attackers, and external investigators will have to search for clues in other systems. Restoring from backup carries the risk of accidentally reinstating a compromised image. In this paper, we will describe common mistakes that experts make when responding to security incidents.
Reverse engineering *
Disassemble and understand how it works
Let’s deal with WeChat — the second most popular messenger in the world
- A short excursion into WeChat;
- About the platform, the version of the application, the utilities used and the decryption of the executable file;
- • About two protocols (old one and new one);
- About serialization of objects;
- Used cryptography and key exchange;
- About headers and hash-functions;
- About the exposures found.
On the recent vulnerability in Diebold Nixdorf ATMs
Hi there! A while ago, Positive Technologies published the news that ATMs manufactured by Diebold Nixdorf (previously known as Wincor), or more specifically, the RM3 and CMDv5 cash dispensers, contained a vulnerability which allowed attackers to withdraw cash and upload modified (vulnerable) firmware. And since my former colleague Alexei Stennikov and I were directly involved in finding this vulnerability, I would like to share some details.
How to see and save Instagram requests on an android device
Once I was asked to save a traffic dump of an Instagram app while viewing one particular user profile. Simply saving the traffic dump on the router didn't make sense because the app used TLS to communicate with the server. Existing solutions didn't work because they worked with an older version of Instagram.
Below I will describe how I managed to do it myself using mitmproxy, ghidra and frida.
GDB Tutorial for Reverse Engineers: Breakpoints, Modifying Memory and Printing its Contents
GDB is THE debugger for Linux programs. It’s super powerful. But its user-friendliness or lack thereof can actually make you throw your PC out of the window. But what’s important to understand about GDB is that GDB is not simply a tool, it’s a debugging framework for you to build upon. In this article, I’m gonna walk you through GDB setup for reverse engineering and show you all of the necessary commands and shortcuts for your debugging workflow.
How to Start Reverse Engineering in 2021
Reverse engineering might seem so complex, that not everyone has the bravery required to tackle it. But is it really that hard? Today we are gonna dive into the process of learning how to reverse engineer.
First of all, try to answer yourself, what are you hoping to achieve with reverse engineering? Because reverse engineering is a tool. And you should choose the right tool for your task. So when reverse engineering might be useful?
NSA, Ghidra, and Unicorns
This time, the PVS-Studio team's attention was attracted by Ghidra, a big bad reverse-engineering framework allowing developers to analyze binary files and do horrible things to them. The most remarkable fact about it is not even that it's free and easily extensible with plugins but that it was developed and uploaded to GitHub for public access by NSA. On the one hand, you bet NSA has enough resources for keeping their code base clean. On the other hand, new contributors, who are not well familiar with it, may have accidentally introduced bugs that could stay unnoticed. So, we decided to feed the project to our static analyzer and see if it has any code issues.
Full disclosure: 0day vulnerability (backdoor) in firmware for Xiaongmai-based DVRs, NVRs and IP cameras
This is a full disclosure of recent backdoor integrated into DVR/NVR devices built on top of HiSilicon SoC with Xiaongmai firmware. Described vulnerability allows attacker to gain root shell access and full control of device. Full disclosure format for this report has been chosen due to lack of trust to vendor. Proof of concept code is presented below.
Writing a laptop driver for fun and profit, or How to commit to kernel even if you're not that smart
Where it all began
Let’s start with our problem statement. We have 1 (one) laptop. A new, gamer laptop. With some RGB-backlight on its keyboard. It looks like this:
Picture taken from lenovo.com
There’s also a program installed on this laptop. That’s the thing that controls our backlight.
One problem – the program runs under Windows, and we want everything to work on our favourite Linux. Want LEDs to flash and those pretty colours to blink on and off and such. A natural question arises, can we do all that without reverse-engineering and writing our own drivers?
A natural answer arises, no. Let’s open IDA and get cracking.
Technical analysis of the checkm8 exploit
Most likely you've already heard about the famous exploit checkm8, which uses an unfixable vulnerability in the
BootROM of most iDevices, including
iPhone X. In this article, we'll provide a technical analysis of this exploit and figure out what causes the vulnerability.
Bypassing LinkedIn Search Limit by Playing With API
Being a top-rated professional network, LinkedIn, unfortunately, for free accounts, has such a limitation as Commercial Use Limit (CUL). Most likely, you, same as me until recently, have never encountered and never heard about this thing.
The point of the CUL is that when you search people outside your connections/network too often, your search results will be limited with only 3 profiles showing instead of 1000 (100 pages with 10 profiles per page by default). How ‘often’ is measured nobody knows, there are no precise metrics; the algorithm decides it based on your actions – how frequently you’ve been searching and how many connections you’ve been adding. The free CUL resets at midnight PST on the 1st of each calendar month, and you get your 1000 search results again, for who knows how long. Of course, Premium accounts have no such limit in place.
However, not so long ago, I’ve started messing around with LinkedIn search for some pet-project, and suddenly got stuck with this CUL. Obviously, I didn’t like it that much; after all, I haven’t been using the search for any commercial purposes. So, my first thought was to explore this limit and try to bypass it.
[Important clarification — all source materials in this article are presented solely for informational and educational purposes. The author doesn't encourage their use for commercial purposes.]
Reverse engineering a high-end soldering station
(This is the translation of the original article performed by baragol)
We had a bunch of photographs of the main PCB, a YouTube video with drain-voltage waveforms of MOSFETs, a forum post with a breakdown of the capacitance values of LC circuit capacitors and also a number of unboxing videos showing the heating-up of the soldering tip. The only thing that really worried me was the video with the measurement of the peak power consumption during the heating-up. There is nothing in the world more helpless and irresponsible and depraved than burned cartridge newly bought for 60 bucks from Amazon. But let me start from the beginning.
How I discovered an easter egg in Android's security and didn't land a job at Google
But sometimes you can find an easter egg in the most unlikely of places. There’s even an urban legend that one day, a programmer Googled “mutex lock”, but instead of search results landed on foo.bar, solved all tasks and landed a job at Google.
The same thing (except without the happy ending) happened to me. Hidden messages where there definitely couldn’t be any, reversing Java code and its native libraries, a secret VM, a Google interview — all of that is below.
Writing a wasm loader for Ghidra. Part 1: Problem statement and setting up environment
This week, NSA (National Security Agency) all of a sudden made a gift to humanity, opening sources of their software reverse engineering framework. Community of the reverse engineers and security experts with great enthusiasm started to explore the new toy. According to the feedback, it’s really amazing tool, able to compete with existing solutions, such as IDA Pro, R2 and JEB. The tool is called Ghidra and professional resources are full of impressions from researchers. Actually, they had a good reason: not every day government organizations provide access to their internal tools. Myself as a professional reverse engineer and malware analyst couldn’t pass by as well. I decided to spend a weekend or two and get a first impression of the tool. I had played a bit with disassembly and decided to check extensibility of the tool. In this series of articles, I'll explain the development of Ghidra add-on, which loads custom format, used to solve CTF task. As it’s a large framework and I've chosen quite complicated task, I’ll break the article into several parts.
By the end of this part I hope to setup development environment and build minimal module, which will be able to recognize format of the WebAssembly file and will suggest the right disassembler to process it.
Making Git for Windows work in ReactOS
Good day to you!
My name is Stanislav and I like to write code. This is my first english article on Habr which I made due to several reasons:
- Habr is now in English
- Lack of technical articles in the ReactOS hub
- Recent return of Geektimes to Habr
- Possibility of building ReactOS in ReactOS
- Quite interesting case of fixing the problem in ReactOS in which I was directly involved
This article is an english version of my very first article on russian.
Let me introduce the main figures in this story who actually fixed the bug preventing Git from running in ReactOS — the French developer Hermès Bélusca-Maïto (or just Hermes with
hbelusca nickname) and of course me (with
The story begins with the following messages from the ReactOS Development IRC channel:
Jun 03 18:52:56 <hbelusca> Anybody want to work on some small problem? If so, can someone figure out why this problem https://jira.reactos.org/browse/CORE-12931 happens on ReactOS? :D Jun 03 18:53:13 <hbelusca> That would help having a good ROS self-hosting system with git support. Jun 03 18:53:34 <hbelusca> (the git assertion part only).
Chemistry lesson: how to expose a microchip's crystal for photography
If you have dabbled into microchip photographing before, then this article will probably not offer much to you. But if you want to get into it, but don’t know where to start, then it’s exactly for you.
Before we start, a fair warning: while the procedure is quite entertaining, at first it’ll probably be physically painful. The chemicals used during the process are toxic, so please handle them carefully – that way it’ll still hurt, but less so. Also, if you have even a slight amount of common sense, conduct the procedure in a fully-equipped chemical laboratory under supervision of trained professionals: we’ve had to deal with people who tried to do it at home immediately after reading the guide. And finally: if you don’t know whether you need to pour acid into water or water into acid without a Google search and don’t realize what this lack of knowledge will entail – stop reading this immediately and go to a chemistry 101 course in a local college or something.