20 May

Beautiful code

After making quite a few unpackers and other RE-related tools, publishing sources for them and having to maintain and bugfix them, all I can say is: “Read this. Remember this. Worship this.

All code is born ugly.

It starts disorganized and inconsistent, with overlaps and redundancies and gaps.

We begin working it into an imperfect solution for an often poorly defined problem.

As we start building up like clay, a solution starts taking form. The feedback guides us in moving, removing and adding material. It allows us to add and remove details. We learn from our mistakes.

Thank you, Dennis, you made my day so much better.

16 May

Quickpost: application reversing becoming legal in USA?

Last Friday authors of Dotfuscator made quite an interesting blogpost, claiming that reverse engineering applications in USA is becoming a legal means for acquiring intellectual property, thanks to the Defend Trade Secrets Act of 2016.

I am not a lawyer, and such statements coming from authors of obfuscator should be taken with a grain of salt – but it’s an interesting read nevertheless. What’s your take on that?

03 May

CFF bugs in processing managed resources

Users on tuts4you quite often ask questions like “Can you identify which obfuscator was used”. When I was analyzing one such assembly, my CFF Explorer started to act erratically. New tabs would not open and on exit CFF Explorer crashed with access violation.
CFF acting up
That’s weird, I said to myself and decided to figure out what’s causing it.

Uninitialized buffers and unchecked return values

First bug is a classic. In pseudo-code it looks like this:

First issue is that nobody initialized ResourcesInfo structure, so all fields will initially contain random garbage. As soon as ReadResourceHeader fails to read or validate something, it returns, and lots of fields will still contain random garbage.

It wouldn’t be a big problem, if Daniel checked the return value of the function. But his code just continues processing even if the data initialization failed. And, to make matters worse, it just hides all exceptions by putting try-except handlers around most of the code. No wonder CFF is occasionally acting weird! :)

This bug is quite hard to demonstrate, as it needs to have few lucky coincidences in the uninitialized data. But I’m sure that a skilled person would convert it into arbitrary code execution in no time. Not me, though… :)

Buffer overflow

Second bug is also a classic. In pseudo-code it looks like this:

So, what’s wrong here? Daniel takes a fixed-size buffer and initializes it with all zeros (unlike previous case). Then he reads size of data (NameSize). And then he copies NameSize bytes into a fixed-size buffer – without checking if that’s gonna overflow or not.. Yikes!

Example file demonstrating this bug: https://www.mediafire.com/?x4idsa21toh0t36 (you need to click on Resource Editor -> .NET Resources to trigger the buggy code. Afterwards, CFF Explorer will start acting weird).

Solution

Just like in a previous case where I added support for ConfuserEx and undocumented fields, I had to make few binary patches to CFF Explorer.

Fixed exe file is here: https://www.mediafire.com/?5eg1bs9a9bv39ge

Have fun and stay safe!

29 Apr

I bought a software today…

I never buy software. Not sure why is that, probably I just don’t see a point in doing that. To me, most of the software seems ridiculously overpriced.

  • Paying 30 euros for a copy of WinRar? Are you kidding me?
  • Paying 70 euros for latest Need for Speed racing simulator I’m not even sure I’ll like? I’m not a hardcore gamer, I’m just looking for a good fun for a rainy evening.

And subscription-based software is even worse:

Do I look like a f*ing Rockefeller to you?

Hello Adguard!

Imagine my surprise when yesterday I noticed that my beloved Adguard actually has very reasonable prices. And they are offering 40% discount for all licences until May 4th, 2016. Lifetime license for less than a cup of Chai Latte in Starbucks? I’ll take that, thank you very much!

license purchased

Well, it’s actually half-true. If you just open their main page in the browser and go to “Purchase”, you’ll probably see that a lifetime license costs $14.97. Not exactly a cup of Chai Latte.

Hacking Adguard pricing

To get those extra nice prices, you’ll need to perform a little trick. Open the mobile version of the same page in your browser: m.adguard.com. Now go to purchase. And now switch to prices in Russian roubles. 179RUB for a lifetime license! :D

According to Paypal, I just got my lifetime license for:

Payment: 179.40 RUB
Payment sent to: pr@adguard.com
From amount: $2.94 USD

Cheers!

Summary

If you’re interested in a decent adblocker for Android device, I recommend that you give Adguard a chance. No root required! They also have adblockers for Windows and Mac but I haven’t tested those.

Full disclosure: the link above is my affiliate link with Adguard. If 4 people will follow this link, install and use Adguard for 30 minutes, I will get a free 1-year license. In that case, I will donate this license to LCF-AT to help with ad-filtering issues.

If you hate affiliate links of any kind, please feel free to visit using a direct link: adguard.com – it’s well worth it.

Have fun blocking the ads! :)

21 Apr

JS-boobytrapped ZIP files, or why morons shouldn’t be writing about security

This morning I noticed Softpedia article titled “How to Prevent ZIP Files from Executing Malicious JavaScript Behind Your Back“.

Here’s the beginning of the story in all it’s glory:
softpedia

Let me repeat that:

When unzipping the file, the JavaScript file would execute, automating various operations.

Naturally, I was curious about the cause of this issue and why I haven’t heard about it before.

Little bit of reading, little bit of Googling and here’s the original post from F-Secure: “How-To Disable Windows Script Host“. They write:

And such .zip files typically contain a JScript (.js/.jse) file that, if clicked, will be run via Windows Script Host.

Somehow Softpedia authors managed to convert “user clicking on a JS file” into “JS file being launched automatically when unzipped”.

Dear Mr. Catalin Cimpanu, please stop writing about security. Open a hotdog stand or something, that’s much more suitable for your skill level.

19 Apr

One month with Avast

I’ve written about my troubles with Bitdefender AV solution before.. XXXX So, when my Bitdefender license expired, I was happy to switch to a different solution. I picked AVAST. In this post I’ll try to summarize my my impressions after using it for one month.

Setup

Bitdefender 2016 insisted on me creating user account for their cloud management crapshoot before I was actually able to get installer and install the software.

On the contrary, Avast’s setup was a snap. One, two, pick components, done.
01-setup
One minor issue I noticed – I’m quite sure Avast setup did not respect my choices and installed more components than I selected in the setup dialog. Or maybe I mis-clicked one checkbox. I’ll give them a benefit of doubt.

Avast – 1 : Bitdefender – 0.

User Interface

After all-dark-and-depressing Bitdefender UI, Avast feels much more brighter, colourful and cheerful. It feels much snappier and faster as well. Everything seems to be intuitive and easy to find.

Avast – 1 : Bitdefender – 0.

Configuration

Avast has all its settings in one place. Bitdefender requires you to open each component separately to access its settings. Avast would be a clear winner here, but..

But good luck trying to find which apps are allowed or blocked by Avast firewall!

Firewall configuration is under “Settings”, just like you would expect. From there you can configure “System rules” and “Packet rules”. However, you won’t find allowed/blocked applications there. Instead, you need to go to Tools->Firewall and locate teeny tiny “Application rules” hidden between “Firewall logs” and “Settings”. WTF?
02-firewall-apps

Taking that into account: Avast – 1/2 : Bitdefender – 1/2

Updates

Both antiviruses handle normal updates very well. No ads, no popups, no annoyances of any kind. Avast seems to have sort of ad hoc streaming updates 24/7 – or at least, that’s what the Statistics tabs shows:
03-stats

However… Today my Avast received a different kind of update that required restart. From what I can tell, this update replaced most of EXE/DLL files in the %PROGRAMFILES%\AVAST Software\Avast\ folder. After restart, my PC got stuck in semi-working state, services.exe and svchost.exe eating most of the CPU resources and Avast showing “try our new-and-cool-whatever-thing-I-don’t-give-a-crap-about” advertisement. In addition to that, Avast claimed that it’s firewall module cannot be started.

Few “repair installation” and Windows restarts later the problem disappeared. As a side effect – all my carefully set privacy settings were reset to defaults, “show offers for other Avast products” was enabled again and all File System Shield exceptions are gone.

Even though I really enjoy invisible 24/7 updates of Avast, I have to reduce Avast’s score due to this major f*ckup.

Avast – 0 : Bitdefender – 1

Bugs and issues

As I described earlier, Bitdefender was far from being perfect. On the contrary, my first impressions of Avast were extremely positive. Great setup, aesthetically pleasing UI, plenty of user-configurable settings. Everything I could ask for!

However, first few weeks of using Avast has been nothing but a source of frustration.

Issue #1 – I’ve configured File System Shield to scan files only on execute. All scans on write or access are disabled for executable files using Avast’s UI.
04-avast-no-write-scan
05-avast-no-access-scan
However, any time I copy-paste suspicious executable files from one PC to another using Remote Desktop Client, Avast File System shield pops up and blocks the copy operation. WTF?!

06-detect-on-copy-paste

Issue #2 – There is no “Beggar off, I know what I’m doing” option in the detection dialog, even for heuristic detections. The previous issue wouldn’t be a big one, if I had a possibility to dismiss detections dialog and continue copying files. But I can’t.
07-no-ignore
So, the only option for me is to disable File System Shield completely. That kinda defeats the purpose of having the antivirus, doesn’t it?

Issue #3 – Myriad of “Win32:Malware-gen” and “Win32:Evo-gen [susp]” detections.
In effort to reduce number of false positives, I’ve set the heuristics and HIPS sensitivity to “Low”. But even then Avast keeps producing plenty of detections on clean files like Goliath obfuscator, ScyllaHide and other reversing tools.

Issue #4 – Leaving statistics tab open for a long time will cause the CPU usage to go high. No idea what causes it, probably the braindead decision to use embedded Chromium and Flash to show the pretty graphs and stuff.

Taking all that into account: Avast – 1/2 : Bitdefender – 1/2

Summary

Avast is a great product – for your grandma’s or neighbour’s PC. But if you ever work with malware, cracked files or anything remotely suspicious, Avast’s super-sensitive File System Shield will drive you mad.

I’ll give it one more shot and try to tweak configuration files manually. But if I can’t make it play nice, I’ll be looking for a different solution for my PC.

24 Mar

MoleBox goes out of business

Molebox as it used to be

A bit of history

MoleBox 2 was released in year 2003 and it was one of the first file virtualization solutions in the market. It bundled executable with the DLL and data files into a single EXE file. At that time that was something new and innovative.

They had quite a success and released another product (MoleBox Ultra, later renamed to MoleBox Virtualization Solution) in year 2009. Apparently it was very hard to fight in the increasingly more competitive market of application virtualization solutions and the last version of MoleBox Virtualization Solution was released in 2013.

Game over

In February 2016 domain molebox.com was sold for $1526. Yesterday their web server started serving generic WordPress page with dating-related spam. And that is just sad. :(
MoleBox dating advice

Release of static unpacker

However, both editions of MoleBox are still very popular with private game server owners, as they allow to bundle patched EXE files together with their custom data files. It’s not a bullet-proof security but stops newbies from stealing their valuable data.

Since the MoleBox company is officially out of business now, I have no more reasons to keep my static Molebox unpacker private. It supports most versions of MoleBox 2.x including the external box files.

Have fun guys! Download link: https://www.mediafire.com/?4mbxycgd8qisq03

P.S. This post was made just because I noticed changes in MoleBox web, I wasn’t planning to release the unpacker today. So, please keep in mind this code was written in year 2009 and has had only one small fix applied in 2015. It’s likely that you’ll encounter some bugs and quirks – please send me the problematic file and I’ll fix the bug. :)

P.P.S. I have static unpacker for MoleBox Virtualization Solution as well. But it doesn’t have a nice UI yet, so it will be released on a later day.

11 Mar

About .NET, googling and lazy programmers.

Delphi fail. .NET win.

Recently, several people sent me bug reports where my EnigmaVB unpacker failed to extract files. In all cases, the problem was caused by really large files, like 3.5GB in size. So, what’s causing the problem?

EnigmaVB unpacker is a 32bit application written in Delphi. And Delphi streams are retarded. They look like they’ve been written in 1990s and were never updated. TMemoryStream uses a continuous memory range, so it can never support anything larger than 2GB. TFileStream internally uses longint, so it doesn’t properly support files larger than 2GB. WTF?

So, I have two choices. I can either make a custom stream class in Delphi, or I can pick another framework and rewrite my tool to use that.

I’m not a programmer, I’m a reverser. I don’t want to spend my time developing custom stream classes. I’d very much rather use this time breaking some code. So, say hello to .NET framework – my next version of EnigmaVB unpacker will be made in C#.. :)

Am I a programmer or a googler?

While researching all the Delphi limitations and possible workarounds, I ran into this great article by Scott Hanselman. Reading both the post and the comments made me think a lot.

Does using Google to solve your programming tasks makes you less of a programmer? I don’t think so.

In fact, I’m just lazy. Most people are. Why should I spend 30 minutes remembering basic algorithms for converting string to hex, if Google query can solve it in 10 seconds? Why reinvent the wheel and write CRC calculation from scratch? I’ll just open StackOverflow and have a solution that’s already tried and tested. It doesn’t mean I can’t do those boring tasks – I just don’t want to.

How about you? Would you be able to write some tools without using Google and StackOverflow?