20 Jan

Is your password ‘123456’? Mine too!

For the last few days everyone has been writing about passwords: how the most popular password last year was ‘123456’, how it’s all bad and how we are all idiots.

Let me tell you something – that’s bullshit.

There are 2 types of resources: a few important ones (my internet bank, company login, some RE forums, my blog, etc.) and the ones I don’t really care about (2shared, codeproject and everyone else with mandatory registration).

For the important resources I have strong passwords. Unique ones with 8+ characters, mixed case letters, numbers and special symbols. You know the drill.

For everything else I’m using a throwaway email like Mailinator and the password ‘123456’. Why? Because I don’t give a crap. You want to crack my Codeproject login to download a few files? Please do so. Hijack my Kickass Torrent account and post a childish comment or two? Please. Use my account to download something from 2shared? Yeah, why not! I don’t care! :)

So, next time someone runs around screaming about the use of insecure passwords, ask yourself – where does this password list come from and who is this person making these statements? Maybe he just wants to sell you something?

Use a password manager such as {software_name} to organize and protect passwords, generate random passwords, and automatically log into websites

Right, let’s make more FUD in effort to sell your software. Genius!

Stay cool, stay safe!

16 Jan

Local Privilege Escalation Bug in Faronics Deep Freeze

While preparing an update for Meltdown, I encountered a textbook error in Faronics Deep Freeze Enterprise v8.31. So, here goes..

Running With Unnecessary Privileges

frzstate2k.exe is the application responsible for displaying the Deep Freeze Workstation Configuration dialog. To do that, it sits in the system tray and communicates with the DeepFreeze driver.

For reasons I really can’t understand, this simple UI component is executed under the SYSTEM account. To make matters worse, it doesn’t even drop unnecessary privileges. All of these are textbook errors, and Microsoft has spent the last 10+ years trying to educate programmers and eliminate these kinds of bugs.

Here’s a great presentation from Black Hat 2006 about this subject (slides 7-15): Security Engineering in Windows Vista

Abusing Common Dialogs

Microsoft Windows provides APIs for creating nice standard dialogs like “Open File..” and “Save As..”. These dialogs are heavily integrated with the Windows shell and offer much more than just file selection – within the dialog box you can do almost anything you can do using Windows Explorer. Like executing other applications..

Due to that, these dialogs are often used to break out of a Terminal Server environment or to elevate local user privileges. Here is a quite good tutorial covering the basics: Breaking out of applications.

These attacks are also very old. Here’s a nice presentation from 2008: Hacking Internet Kiosk’s

Putting it all together

Here’s how any user can get SYSTEM privileges in 5 easy steps:

  1. the user is logged on using a low-privilege account, e.g. one that belongs to the “users” group;
     (screenshot: 1-user-privs)
  2. the user gains access to the workstation’s DeepFreeze administration interface (e.g. using a password generated by Meltdown);
     (screenshot: 2-deepfreeze-ui)
  3. the user presses “Activate Now” -> “Activate Offline” -> “Next” -> and presses either of the 2 buttons that open the “Save As” or “Open” dialogs;
     (screenshot: 3-create-activation)
  4. since FrzState2k.exe is running under the SYSTEM account, these dialogs give access to anything the SYSTEM account has access to. The user navigates to C:\Windows\System32\, right-clicks cmd.exe, and chooses Open;
     (screenshot: 4-select-cmd)
  5. cmd.exe is executed under the SYSTEM account.
     (screenshot: 5-game-over)

Game over.

Mitigating factors?

This attack was verified against the 30-day evaluation version of Deep Freeze Enterprise. It is possible that after the workstation is activated, the “Activate Now” button is disabled and there’s no easy way to access it. This would (accidentally) limit the attack to workstations that haven’t been activated yet.


It’s hard to write anything here without using inappropriate language. Faronics positions itself as a security company, yet their products contain textbook errors like these. Make your own conclusions.

16 Jan

Updated Faronics DeepFreeze and Meltdown

tl;dr – DeepFreeze is still buggy and one-time passwords can still be easily generated. Download link: https://www.mediafire.com/?mtpaf3quaifwm3u

What was changed in DeepFreeze version 8.31?

Well, two things.

First, they made an attempt to stop Meltdown from generating correct One Time Passwords (OTP). While doing so, they added a new vulnerability – similar to the one that Meltdown used to obtain the password for Deep Freeze Standard version 7.x and older.
Second, they added a licensing mechanism that requires each workstation to be activated. While doing so, they created a new local privilege escalation vulnerability.

What is this new (old) vulnerability?

The problem is in the data exchange between the driver and the UI component. It’s done using DeviceIoControl calls and the data are encrypted using a changing XOR key. However, the overall communication protocol is badly designed.

So, let’s start with Deep Freeze Standard versions 5.x to 7.x. Communication between the UI (frzstate2k.exe) and the driver goes like this:
(diagram: DFS 7.x)
Obviously, it’s easy to extract the password from the information provided by the driver. That’s what Meltdown originally did.

Faronics fixed that in Deep Freeze Standard v8.10:
(diagram: DFS 8.x)
Makes total sense, right? I looked at the communication protocol and concluded that the issue is fixed. End of story.

Deep Freeze Enterprise is a different story:
(diagram: DFE 7.x)
This communication makes sense. But all the information necessary to generate the OTP was present in dfserv.exe and other executables. So, Meltdown didn’t even have to communicate with the driver.

But in the latest version (v8.31) the information needed to generate the OTP is not present in dfserv.exe or other executables. However, Faronics added a new feature to the driver:
(diagram: DFE 8.31)
Where have I seen this design before? :) So, I updated Meltdown to obtain the information necessary for OTP generation from the DeepFreeze driver. Easy as pie.

Local privilege escalation

It’s so good, it deserves a separate blog post.

What do you think about Faronics?

I get this question a lot lately. People who see Meltdown ask that. IT managers who bought DeepFreeze ask that. And even some reverser friends have asked me that. But I’d rather not say anything and let the facts speak for themselves.

  • 2013-Mar-06 – Meltdown is published.
  • 2014-Mar-31 – Faronics closes the vulnerability in DeepFreeze Standard v8.10. No mention of any security issues in the changelog. No security bulletins published. This vulnerability had existed since very early versions of DeepFreeze and suddenly got fixed. To me, it indicates that Faronics was aware of Meltdown at that point in time.
  • 2014-Jun-24 – Changes in DeepFreeze Enterprise v8.11 break existing versions of Meltdown. Release notes say “Resolved a security issue that could result in the user accessing Deep Freeze without authorization.” No security bulletins published.
  • 2015-May-11 – A user reported that Meltdown wasn’t working anymore. It took me a few hours to add that new round of “extra secure” xor encryption.
  • 2015-Dec-31 – Changes in DeepFreeze Enterprise 8.31 break existing versions of Meltdown. Changelog says “Secured One-Time Password functionality from potential vulnerability.” No security bulletins published. They introduced 2 new vulnerabilities in this version.
  • 2016-Jan-12 – Meltdown is updated with another round of xor encryption and 2 new calls to DeviceIoControl API.

You can compare Faronics’ behavior and response time to other software companies and make your own conclusions.

Download link for Meltdown 1.6: https://www.mediafire.com/?mtpaf3quaifwm3u

05 Dec

Since you asked.. How to obtain value of a field using WinDbg?

My friends occasionally ask me tricky questions – about the PE file format, about .NET internals, the usage of dnlib or WinDbg and what not. Even if I’m not an expert in some areas, I can usually figure out stuff pretty fast.

So, here’s a question that li0nsar3c00l asked me a few days ago:

How to get the value of a static field using WinDbg?

To put the question in context – he is trying to debug a .NET assembly which is obfuscated so that all names are unprintable. When all names look like “□”, it’s quite hard to tell which is which – and I doubt you can use those names when setting breakpoints.. So, we need to figure out a way that avoids using object names.

I will assume that you have very basic knowledge of using WinDbg with .NET applications. If you don’t, I suggest that you start by reading introductory tutorials, for example, Getting started with Windbg – part I and part II. You could also check the WinDbg tutorial by netmatze. Or just go through the entire amazing collection of .NET Debugging Demos by Tess Ferrandez.

Quick answer

You can use the !mx command to locate the class and field you need. Then you can use the !mdt -e command to display the values you need.

But if you have no idea how those commands work, please continue reading..

Long answer

Dealing with static classes and static fields is easier. After the corresponding .cctor has executed, you can get the values you need. But for non-static classes and fields you need to stop the debugger at a place where an instance of the object has already been created and its values initialized.

So, we’ll take the scenic route from the very beginning to the end. Here’s a demo app you can test your skills with: https://www.mediafire.com/?wavmalk6sqhdcy6

  1. Load the sos and sosex extensions. I’m using this one-liner for .NET 4.0 – you can use separate commands, if you prefer.
  2. Examine the domain, find the module.
  3. Find the type you want.
  4. Find the method you need.
  5. Put a breakpoint on the method and run.
  6. Disassemble the code and locate the place where the interesting object will already be initialized. You need to put a breakpoint after the object is created and initialized.

     Unfortunately !U doesn’t show IL code. So, let’s use the !mu output to confirm our findings:

     The !mu command doesn’t show call targets but interleaves IL code with x86 code. Combining both outputs, we know that we should get to address 003f00cd.

  7. Execute the code to the place where the data are already initialized.
  8. Use the !mx command. This command is little known but it’s bloody awesome!

     Usage: !sosex.mx <Filter String>

     Displays any matching type, method or field for <Filter String>, where <Filter String> is a string in module!metadataname format. If module! is not specified, all modules are searched for the specified metadata. Searched info includes types, methods and fields.

     In order to search globals, do not precede the field or method filter with a “.”. To enumerate all globals for a given module filter, use “globals” as the type filter. eg: “globals” “*!globals” “mymod!globals”, etc…

     So, let’s ask it to show us all objects from our test application:

  9. Get the address of the class. Class Bla contains the static field key1 which we’re interested in. Click on the Bla hyperlink. You actually don’t care about the output, just the address of the class.
  10. Use the !mdt command to get the address of the field.
  11. Use the provided hyperlinks to access the data. Clicking on “02722340” and then on “Expand” will get you the good stuff. Or you can enter the “!mdt” command manually:

     Congratulations, this is the value of the static field. Task #1 done! :)

  12. Locate an instance of the class. Remember, we put a breakpoint just after the class initialization. You can either use your x86 knowledge and check the proper register values, or just display the managed stack objects:

  13. Use the !mdt command to get the stuff just like before. Congrats, this is the value of the non-static field. Task #2 done!

This concludes our journey. Hopefully you learned something new today!

12 Nov

Why do antiviruses suck, part 2

In part 1, I tried to explain the reasons behind some of the decisions anti-malware companies make when designing their products. In this part I’ll touch on some other side-effects of those decisions and what they mean for power users.

This site has been blocked

In general, I need very basic antivirus protection – when I make a mistake during a reversing session or while browsing the web, it should stop the malware from:

  • becoming persistent on my computer;
  • sending any data to its C&C server

I’m not retarded and can read and think for myself – therefore I don’t want “anti-phishing protection”, “parental control”, “safe banking”, “vulnerability scan” or any other features aimed at persons who shouldn’t be using the Internet in the first place.

So, I always configure my antivirus to have just a very basic on-access scan and the firewall enabled, and all other components switched off. You can imagine my surprise when in the last 2 days I have been greeted with these messages on 2 separate sites:
(screenshot: page blocked)
WTF guys, I have switched off every component I could – why are you still active?! And why are you bugging me with this nonsense?

Make it more user-friendly

I’m very sure that the answer is very simple: somebody in the UI/UX department decided that the Bitdefender UI needed to be simplified. So, they took the UI that actually made sense, and fucked it up.

Here’s how the settings looked in 2013 (image (c) Softpedia):
(screenshot: bitdefender 2013 settings)

And here’s how they look in Bitdefender 2016:
(screenshot: bitdefender 2016 settings)
Antispam and Firewall have been moved to their corresponding modules, but the “Antimalware Filter” has disappeared altogether. After all, who would ever want to disable it, right?

To make matters worse, here’s how the alert looked in Bitdefender 2015 (image (c) PCRisk):
See, there was a “Settings” button right at the top of the alert page and you could disable the “Antimalware filter” from there. Well, they “simplified” that option away as well. Geniuses!

But I really want to disable it!

Luckily, you still can. :) All Bitdefender settings are stored in C:\Program Files\Bitdefender\Bitdefender 2016\settings\. However, to be able to modify files, you will need to start your computer in safe mode.

The file you’re looking for is cloud.http.xml. Find your user name in it, and you’ll see a section like this:

Apparently, there are a few more settings which are hidden in the UI. I can only guess the exact meaning of them but – to be honest – I don’t care. I just want this bugger to be gone from my machine. So, I changed “active” to “false” and for good measure disabled each and every component as well. After a reboot, it all works the way I want, and I can access all the sites I want.

Great success! :)

05 Nov

Keygen templates in Visual Studio

I’m lazy and I hate doing the same tasks over and over again. Making the UI for my crackme solutions is one such task. It always goes like this: open Visual Studio, create a new Windows Forms project in C#, drop 2 labels, 2 edit boxes and one button on the form. Set the label texts to “Name” and “Serial”, set the button title to “Generate..”, set the project icon, etc., etc..

There must be a better way!

..and it’s certainly not the way Blue Indian did his keygen template:

To build this template on your own, open the solution in Visual Studio, comment out the calls to uFMOD and implement your own logic. After a successful build of the keygen, close Visual Studio, open the Form_Main.cs file in any text editor, uncomment those two calls to uFMOD and save it. Now double-click on the build.bat file to build it finally.

- To change the ICON and XM tune, edit mini.res (the resource file) with any resource editor like Restorator or any of your choice.

Open this, delete those, compile that, and what? I’m already confused, sorry.

Introducing Visual Studio project templates

I’m sure you know that when you click “New project” in Visual Studio, you’re presented with a number of choices, like “Windows Forms Application”, “Console Application”, “Class Library” and so on. All of these are project templates that are installed by default.

They provide all the files that are required for a particular project type, include standard assembly references, and set default project properties and compiler options. Hmm, that’s exactly what I needed! :)

This article at MSDN nicely explains that a project template is simply a ZIP file that contains all the necessary files and a special .vstemplate file. This .vstemplate file is an XML file containing the metadata Visual Studio needs to display the template in the “New Project” dialog.

Let’s try to put it all together.

Making simple keygen template

Making a new template is actually very easy. You take an existing Visual Studio project, replace the project-specific strings with template parameters and press File->Export Template.

Here is my keygen for Mr. eXoDia’s simple crackme:
Obviously, the template should not contain code for a specific crackme. Let’s change that to something trivial and mark it as FIXME:
Now I need to remove all references to the crackme name. I will replace them with the template parameter $safeprojectname$ in all files. After this change, the project won’t compile anymore, so you need to be extra careful when changing stuff!
Hardcoding the year in the (c) string is not a good idea because I want to use this template in 2016 as well:
Now I just need to update AssemblyInfo.cs to make sure each project has correct name, (c) and GUIDs:
Did it work? Let’s see… File->Export Template, follow the wizard and…

It works. Kinda. The created template still has quite a few references to Mr. eXoDia’s crackme, so I’ll need to modify the project and solution files manually. Unzip the template, fix the files in a text editor and ZIP them back. And now it works!

A few more cosmetic fixes (like using $projectname$ where possible), using $if$ and $targetframeworkversion$ to target all .NET framework versions, better namespace names, and we have a template that’s actually useful.

Download here: https://www.mediafire.com/?sx1i5ba1uijjkii

It’s not particularly pretty but that’s pretty much what I’ve been using for 2+ years now – and hopefully it can inspire you to do something similar with your own code. ;)

Further reading

Reason→Code→Example : Creating Visual Studio project templates
Rebuilding template cache
How to: Manually Create Project Templates
How to: Create Multi-Project Templates

03 Nov

“Unlimited storage” Microsoft-style

What do you think – how large is “unlimited storage”? To me, word “unlimited” means, well, unlimited. “All you can eat”. No restrictions.

For a year, Microsoft was offering unlimited storage with their Office 365 package:

Today, storage limits just became a thing of the past with Office 365. Moving forward, all Office 365 customers will get unlimited OneDrive storage at no additional cost. We’ve started rolling this out today to Office 365 Home, Personal, and University customers.

It was not a bad deal – for $6.99/month you could have both Office and unlimited storage.

Of course, some people decided to take Microsoft up on their offer and use that storage. After all, why not?

Fast forward one year. New post from Microsoft OneDrive team tells us this:

Since we started to roll out unlimited cloud storage to Office 365 consumer subscribers, a small number of users backed up numerous PCs and stored entire movie collections and DVR recordings. In some instances, this exceeded 75 TB per user or 14,000 times the average.

Good job guys! :) If I had the possibility to use unlimited storage, I’d use it as well!

But somehow Microsoft doesn’t like it..

We’re no longer planning to offer unlimited storage to Office 365 Home, Personal, or University subscribers. Starting now, those subscriptions will include 1 TB of OneDrive storage.

Free OneDrive storage will decrease from 15 GB to 5 GB for all users, current and new.

So, now you know. “Unlimited” means “please, no more than 5 GB” in Microsoft-speak.

02 Nov

Solving “Find the flag” crackme by Extreme Coders

Yesterday Extreme Coders posted a small crackme on Tuts4You. It’s quite an easy one but solving it would require either lots of typing or some clever automation. Of course, being lazy, I went for the automation route! :)

Initial analysis

My preferred way is doing static analysis in IDA and – when necessary – dynamic analysis using OllyDbg. So, here is how it looks in IDA:
As you can see, parts of the code have been encrypted. 102 parts of code, to be exact. :)

Decrypt the code

Since there is a lot of code that’s encrypted, I need to automate decryption somehow. IDA scripting to the rescue!

There’s not much to comment on. There’s a big loop that looks for the pattern of the decryption code. Then it extracts information about the encrypted code’s address, its size and the encryption key used. Finally, it decrypts the code.

Note – when you’re patching binary data in IDA, it’s always better to force IDA to reanalyze the affected fragment. I didn’t do that here because changing the end of _main() will trigger analysis automatically.

After decryption the code looks much better:

Well, it’s better, but it still kinda sucks. We have 100 checks like this:

So, we’re solving a system of 100 linear equations with 32 variables. Great! Who wants to write down these equations based on the disassembly and then solve them manually? Not me!

Decompile the code

Let’s see if we can somehow make the problem easier for us. The Hexrays decompiler provides nice output but it still needs a lot of cleanup:
Basically, the code responsible for encryption/decryption of the checks is getting in our way.

Another IDA script to the rescue:

I took the previous script and modified it a bit. Now it finds both the encryption and decryption loops and just nops them out. It also forces IDA to reanalyze the patched region – this is very important because otherwise IDA loses track of the correct stack pointer and the decompiled code is wrong.

Quick changes in Hexrays plugin options to use decimal radix and the decompiled code looks great!

Text editor magic

Beginning reversers commonly underestimate the power of text editors. Sure, the Hexrays output we got is readable, but it’s not really suitable for any sort of automated processing.

First, let’s get rid of all extra spaces. Replace “  ” (2 spaces) with “ ” (one space). Repeat until there are no more matches. Now it looks like this:

Put each equation on one line. Replace “\r\n +” (newline, space, plus) with “ +” (space, plus). Replace “\r\n *” (newline, space, star) with “ *” (space, star).

Get rid of those “if”s. Get rid of “++v6;”. Replace “==” with “=”.

Finally, rename “enteredString” to “z” and get rid of those “[” and “]”.

Congratulations, within one minute you got from ugly decompiled code to a well-written system of equations!

And solve the problem

A nicely written system of equations is pointless if you can’t solve it. Luckily, there’s an online solver for that right there! ;) Copy-pasting our cleaned system of equations into their web form gives us the result:

This system has a unique solution, which is

{ z0 = 102, z1 = 108, z10 = 48, z11 = 108, z12 = 118, z13 = 101, z14 = 100, z15 = 95, z16 = 116, z17 = 104, z18 = 97, z19 = 116, z2 = 97, z20 = 95, z21 = 114, z22 = 49, z23 = 103, z24 = 104, z25 = 116, z26 = 33, z27 = 33, z28 = 33, z29 = 125, z3 = 103, z4 = 123, z5 = 89, z6 = 48, z7 = 117, z8 = 95, z9 = 115 }.

Converting the character codes to an ANSI string is an equally simple exercise; I’m not going to bore you with that.
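As an added example (not the author’s IDA script or the online solver), here is the text-editor clean-up and the solving step done in Python: it applies the search-and-replace rules above to Hex-Rays-style checks, parses the resulting equations, solves them exactly with Gauss-Jordan elimination (rejecting an inconsistent or underdetermined system instead of guessing), and turns the character codes back into text. The decompiled input is a constructed three-unknown stand-in, not the crackme’s real checks; the solver output is the one quoted above.

```python
import re
from fractions import Fraction

# Constructed sample in the shape of the decompiled checks the post describes
# (decimal radix, one "if" per check, counter bumped on success). It is not the
# crackme's real code; its solution is the first three characters of the flag.
DECOMPILED = """\
  if ( 3 * enteredString[0]
     + 5 * enteredString[1] == 846 )
    ++v6;
  if ( enteredString[1] * 2 + enteredString[2] * 7 == 895 )
    ++v6;
  if ( enteredString[0] + enteredString[1]
     + enteredString[2] == 307 )
    ++v6;
  if ( 2 * enteredString[0] + enteredString[2] == 301 )
    ++v6;
"""

# The online solver's answer quoted in the post. It lists z10 before z2, so the
# variables must be sorted by index number, not as text, when rebuilding the flag.
SOLVER_OUTPUT = ("{ z0 = 102, z1 = 108, z10 = 48, z11 = 108, z12 = 118, z13 = 101, "
                 "z14 = 100, z15 = 95, z16 = 116, z17 = 104, z18 = 97, z19 = 116, "
                 "z2 = 97, z20 = 95, z21 = 114, z22 = 49, z23 = 103, z24 = 104, "
                 "z25 = 116, z26 = 33, z27 = 33, z28 = 33, z29 = 125, z3 = 103, "
                 "z4 = 123, z5 = 89, z6 = 48, z7 = 117, z8 = 95, z9 = 115 }.")

def clean(text):
    """The post's search-and-replace steps, in order: squeeze spaces, join
    continuation lines, drop if/++v6;/==, rename enteredString[i] to zi."""
    s = text.replace("\r\n", "\n")
    while "  " in s:                      # repeat until no more double spaces
        s = s.replace("  ", " ")
    s = s.replace("\n +", " +").replace("\n *", " *")
    s = s.replace("if (", "").replace(" )", "").replace("++v6;", "")
    s = s.replace("==", "=")
    s = s.replace("enteredString", "z").replace("[", "").replace("]", "")
    return [line.strip() for line in s.splitlines() if line.strip()]

# one term of an equation: "3 * z0", "z0 * 3" or a bare "z0"
TERM = re.compile(r"^(?:(\d+)\s*\*\s*)?z(\d+)(?:\s*\*\s*(\d+))?$")

def parse_equation(line):
    """'3 * z0 + 5 * z1 = 846' -> ({0: 3, 1: 5}, 846)."""
    lhs, rhs = line.split("=")
    coeffs = {}
    for term in lhs.split("+"):
        m = TERM.match(term.strip())
        if not m:
            raise ValueError("unrecognised term: %r" % term)
        idx = int(m.group(2))
        coeffs[idx] = coeffs.get(idx, 0) + int(m.group(1) or m.group(3) or 1)
    return coeffs, int(rhs)

def solve(equations):
    """Exact Gauss-Jordan elimination over the rationals. There may be more checks
    than unknowns (100 vs 32 in the crackme): surplus rows must reduce to zero,
    otherwise the checks contradict each other. Returns {index: value}."""
    parsed = [parse_equation(e) for e in equations]
    vars_ = sorted({i for c, _ in parsed for i in c})
    n = len(vars_)
    rows = [[Fraction(c.get(v, 0)) for v in vars_] + [Fraction(r)]
            for c, r in parsed]
    for j in range(n):                    # after this loop, row j holds z_vars_[j]
        p = next((i for i in range(j, len(rows)) if rows[i][j] != 0), None)
        if p is None:
            raise ValueError("z%d is not determined by the checks" % vars_[j])
        rows[j], rows[p] = rows[p], rows[j]
        rows[j] = [x / rows[j][j] for x in rows[j]]
        for i in range(len(rows)):
            if i != j and rows[i][j] != 0:
                f = rows[i][j]
                rows[i] = [a - f * b for a, b in zip(rows[i], rows[j])]
    if any(x != 0 for row in rows[n:] for x in row):
        raise ValueError("inconsistent system: some check can never pass")
    return {vars_[j]: int(rows[j][n]) if rows[j][n].denominator == 1
            else rows[j][n] for j in range(n)}

def to_string(solution):
    """Character codes, ordered by variable index, back to text."""
    return "".join(chr(int(solution[i])) for i in sorted(solution))

def solve_crackme(decompiled):
    return to_string(solve(clean(decompiled)))

def decode_solver_output(text):
    """Turn the solver's '{ z0 = 102, ... }' answer into the flag string."""
    pairs = {int(i): int(v) for i, v in re.findall(r"z(\d+)\s*=\s*(\d+)", text)}
    return to_string(pairs)
```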

And that’s how you solve a crackme with nothing but a few scripts in IDA and a text editor.. ;)

22 Oct

Static unpacker for AutoPlay Media Studio files

tl;dr version – it unpacks stuff. Download from here. Feel free to leech and reupload. Report bugs here.

(screenshot: Unpacker for AutoPlay Media Studio)

It all started with a topic on BlackStorm forums where whoknows posted a link to Reverzor – The first cloud based software that decompiles everything!.

Wow, a magic tool that does everything! Sounds too good to be true.. :) Soon enough, li0n posted a link to the trial executable and I started looking into it. I quickly found out that it’s written in AutoPlay Media Studio, and that there is no working unpacker for it.

I should fix that – and have some fun in the process!

Existing tools and research

First, I found a great blog post by Xiaopang – I wholeheartedly recommend that you read it.

And then there’s AmsDec.exe by mohsen.
Unfortunately, it only works for some files (supposedly v8.1 and v8.2) and shows weird messages in Persian. And it’s not really a decompiler, it just extracts the _proj.dat file from the cdd file. And, of course, it didn’t work for Reverzor.

How AutoPlay Media Studio works

So, let’s see what we need to do to unpack it all properly. As the authors of AutoPlay Media Studio wrote in the changelog:

As we all know, anyone determined enough can break any protection system given enough time and resources, but the use of rolling codes renders generic attacks ineffective. You can now sleep a little easier!

Right… They are using ZIP files protected with randomly generated passwords and obviously have no clue how generic attacks work..

The unpacker needs to analyze the EXE file, generate the correct password and unzip the files. If there’s a cdd file, unzip that one too. And since it’s that simple, I will use AutoPlay Media Studio as the target for a separate blog post explaining how to write a static unpacker from scratch. :)

Since there are several options for how you can distribute files built by AutoPlay Media Studio, here’s a quick reference:

  1. You have just a single application.exe.

     Such files can be generated using the “Publish -> Web/Email executable” feature in AutoPlay Media Studio. An example file would be CardRecovery v6.10 Build 1210 AIO Installer -nelly-.exe

     Drop the exe file on the unpacker, it will unpack everything automatically. Then check the appropriate folder for the extracted data files and _proj.dat for the installation script.

  2. You have a folder with application.exe and application.cdd in a subfolder AutoPlay.

     These files are created using “Publish -> Hard drive folder” in AutoPlay Media Studio. An example file can be, for example, Russian software (malware?) claiming to be a Photoshop installer.

     There is not much to unpack, as the data files are in plain sight in the folder AutoPlay and its subfolders. Drop the exe file on the unpacker, it will find the cdd file automatically and unpack everything, including _proj.dat.

  3. You have application.exe and application.cdd files in the same folder.

     This happens when the “Rename resource files” feature is enabled in AutoPlay Media Studio. It’s one of those features that add fake security to the product:

     This option is designed to obscure the filenames of your resource files during publishing.

     This is the case of Users Sniffer. Similar to the previous case, there’s not much to unpack. Drop the exe file on the unpacker, it will find the cdd file automatically and unpack everything, including _proj.dat.

Advanced use cases

But sometimes things are not that easy. So, here are a few possible scenarios for how to deal with modified AutoPlay Media Studio applications:

  1. application.exe is packed and there is an application.cdd file present.

     This is the case of the official AMS challenge that Xiaopang mentioned on the blog. Good news – you don’t need to be an unpacking wizard and properly unpack PCGuard to break their protection. It’s enough to run the EXE in VMware, dump the process memory and drop the dumped exe on my tool. As long as the PE header and section table are correct, it should be fine.

     1) Run and dump:
     2) When saving the dump, keep the original filename. Otherwise my unpacker won’t be able to find the cdd file:
     3) Process the dump with the unpacker:

  2. application.exe is packed and there is no cdd file.

     This is the case of Reverzor. First you would need to unpack Enigma Virtual Box – for that you can use my other unpacker.. ;) Now you have both exe and cdd files but the exe file is still packed with ASPack. Again, you don’t need to unpack ASPack properly, just run & dump the process memory. Then process the dumped exe with my unpacker.

  3. application.exe is hacked and the cdd file is renamed to something else.

     This is the case of Idler. The author hacked the AutoPlay engine and replaced the file extension cdd with dll. There is no way for my unpacker to cover all such scenarios automatically, sorry. Just rename idler.dll to idler.cdd and drop idler.exe on the unpacker.


This was a small weekend project for me. If it also helps you in some adventures, I’m happy. If it doesn’t help you at all, I don’t care. :)

Download the unpacker from: https://www.mediafire.com/?cyb4kagdwey0j1b

Note – due to technical reasons it’s compiled against .NET 3.5. If you wish to run it on a computer with only .NET 4.0 installed, create amsunpacker.exe.config with the following content (the supportedRuntime element must sit inside configuration/startup for the runtime to honour it):

<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0"/>
  </startup>
</configuration>

And stay tuned for the upcoming post, where I’ll explain how to write such unpacker from scratch!