20 Jun

Six-factor authentication (it’s not)

Today I read an article in The Register called Tor torpedoed! Tesco Bank app won’t run with privacy tool installed.

It’s a fun read about Tesco’s Android banking app and how it refuses to run when Tor application is installed on your mobile. But what really caught my attention, is this comment to the article:

I did a count of my account with a certain bank and when I use a PC which does not store their funky cookies, I get 6 (yes really, 6) steps for authentication.

  • Initial Customer code
  • Security password as there is no cookie so PC is not recognised
  • pre-agreed image
  • pre-agreed phrase
  • Customer Number
  • Security code

and if I use a Windows PC it whinges that I don’t have cRapport which would ‘improve my security’
So 6-Factor security isn’t good enough and you want an extra package to help???????

Sir, if you ever read what a multi-factor authentication is, you wouldn’t be stating such nonsense. All six of the steps you mentioned are of the same factor – “something you know”. As such, they provide no additional security, as one keylogger/screengrabber will capture them all.

Why your bank insists on you jumping over so many redundant hoops, remains a mystery..

08 Jun

What’s wrong with this file – ASLR is tricky!

I love magic tricks. My absolute favorites are “there’s nothing up my sleeve” kind of tricks. You can look at the equipment, you can examine magicians outfit, everything seems fine – yet the rabbit magically appears and disappears.

Here’s a similar reversing challenge for you: https://www.mediafire.com/?38evlc6gmyieskn

This EXE file contains relocations. It has all the necessary necessary flags in PE header. And it gets ASLR support in Windows 10, as you can see in picture:
win10_has_aslr
But on Windows 7/8.1 this poor executable will be always loaded at it’s preferred imagebase 0x400000, and doesn’t get ASLR support:
win7_no_aslr
Can you figure out what’s so special about it? :)

I will provide the correct answer in one week. Or you can provide your opinions in comments. Extra respect awarded for detailed answers and explaining how you figured that out. Extra extra respect if you knew the answer even before looking at the executable. :)

06 Jun

CFF bug in RVA2Offset

Yes, this is yet another post about bugs in CFF Explorer. So far I’ve described:

Today, I’ll describe an issue with CFF Explorer’s RVA2Offset function and provide a solution to the problem (patched executable).

And no, I really don’t hate CFF Explorer. In fact, it’s one of my favorite tools and I use it every day – that’s why I keep noticing more and more issues with it. ;)

Introduction

Here is an executable that demonstrates the bug: https://www.mediafire.com/?9ju0cfm36b32ys9

If you open it in CFF Explorer and try to check Import Directory. In this case, CFF will show that it’s empty.

cff_bug_empty_imports

That’s incorrect, import directory of this executable is present and valid. It contains 2 DLLs and 3 APIs:

actual_imports

In other executables, it can get stuck into eternal loop or – even worse – show incorrect data.

Also, CFF’s Address Converter feature is affected. In my demo executable, try convert RVA 0x2000 to file offset. It will return 0:

CFF_address_converter_bug

So, what’s happening here?

Background of the bug

To put it simply, bug is triggered when one section in executable has SizeOfRawData much larger than VirtualSize. In my crafted executable it looks like this:

CFF_cause_of_bug

Nitpickers corner: it’s actually more complicated. The exact condition is ALIGN_UP(sec.SizeOfRawData, pe.FileAlignment) > ALIGN_UP(sec.VirtualSize, pe.SectionAlignment). But who cares about those small details, anyway?

And the offending pseudo-code in CFF Explorer looks something like this:

Fixing the bug

Since I’m doing binary patches to CFF Explorer, I’m quite limited to what I can do and how. In the end, I chose the following pseudocode:

While it doesn’t look like much (and it doesn’t cover edge cases, for example, when PE file is truncated), in general it should work just fine.

Download link for fixed CFF Explorer: https://www.mediafire.com/?5eg1bs9a9bv39ge
It also includes all my previous fixes.

Conclusion

While writing this post, I noticed that PE viewer in ExeinfoPE v0.0.4.1 has very similar bug. And ProtectionID v6.6.6. And PETools 1.5 Xmas edition. And Stud_PE 2.1. And LordPE. And then I ran out of tools to test. :D

Obviously, I can’t fix them all. All I can say – use PE editing/viewing tools that actually work, for example, HIEW or IDA. And when you’re writing your own PE parser library, make sure you test it on weird executables.

Have fun and stay safe!

Further reading

03 Jun

Quickpost: addicted to meaningless jargon

This is a great article about one journalist’s experiences in the RISE conference.

“We visually organize your email and cloud-based content for ultra fast access,” says Kalpesh, reading from his promotional materials. “It’s visual storytelling with any type of content.”

Say what? What does this thingy do? I have no clue.

Apparently I’m not alone. Luckily, article author translated it to plain English:

Translation: Cubes is actually an app that pinpoints anything that’s not plain-Jane text in your email or Dropbox accounts (a photograph, an excel file, a YouTube video), takes snapshots of those things, and then bundles them together in a standalone app.

OK, now I get it. Thanks! :)

However, the sad thing is, it’s not just startups. If you’re working in a large company, you’ve probably seen these kinds of emails sent by your pointy-haired bosses. They are stuck in their bubbles talking about “disruption”, “alignment” and “engagement”. How about this:

To ensure synergies and alignment between the finance strategy and business needs, Mr.X will co-operate closely with all finance functional leads, including aligning closely with Mr.Y and his team to ensure the consistent dissemination of financial information.

No, I really don’t know why our company is going to pay $100k a year to this guy. Do you?

31 May

BTVStack.exe requesting access to Skype on every startup

Background

At home I’m using a desktop computer. It has ASUS motherboard with Atheros Bluetooth chip. I have all the drivers installed but I’m not using Bluetooth at all.

Problem

Some time ago I started getting these notifications every single time I started Windows:
btvstack_skype

btvstack.exe is requesting access to Skype. Only allow access to programs downloaded from a trusted source as they will be able to use information such as your Skype contacts and messages.

No matter what option I selected, it would ask me again on next reboot. Bloody hell!

If you google for the solution, you’ll notice that:

  1. It’s a quite common problem;
  2. Most common solution is to deny/allow access either using the dialog above, or Tools->Options->Advanced->Advanced Settings->Manage other programs’ access to Skype;
  3. Another solution for Windows 8+ is to deselect “Allow Bluetooth devices to send you PIM items such as business cards, calendar items, e-mail messages, and notes. ” in Bluetooth Control Panel applet;

Unfortunately, first solution was not working for me. And second solution is not feasible because there is no such option in Windows 7 Control Panel.

Solution

Since I don’t need Bluetooth but I don’t like to have broken drivers, I decided to disable just the offending DLL. From the elevated command-prompt I ran

and the problem has disappeared. Great success! :)

Hope this helps someone else too.

20 May

Beautiful code

After making quite a few unpackers and other RE-related tools, publishing sources for them and having to maintain and bugfix them, all I can say is: “Read this. Remember this. Worship this.

All code is born ugly.

It starts disorganized and inconsistent, with overlaps and redundancies and gaps.

We begin working it into an imperfect solution for an often poorly defined problem.

As we start building up like clay, a solution starts taking form. The feedback guides us in moving, removing and adding material. It allows us to add and remove details. We learn from our mistakes.

Thank you, Dennis, you made my day so much better.

16 May

Quickpost: application reversing becoming legal in USA?

Last Friday authors of Dotfuscator made quite an interesting blogpost, claiming that reverse engineering applications in USA is becoming a legal means for acquiring intellectual property, thanks to the Defend Trade Secrets Act of 2016.

I am not a lawyer, and such statements coming from authors of obfuscator should be taken with a grain of salt – but it’s an interesting read nevertheless. What’s your take on that?

03 May

CFF bugs in processing managed resources

Users on tuts4you quite often ask questions like “Can you identify which obfuscator was used”. When I was analyzing one such assembly, my CFF Explorer started to act erratically. New tabs would not open and on exit CFF Explorer crashed with access violation.
CFF acting up
That’s weird, I said to myself and decided to figure out what’s causing it.

Uninitialized buffers and unchecked return values

First bug is a classic. In pseudo-code it looks like this:

First issue is that nobody initialized ResourcesInfo structure, so all fields will initially contain random garbage. As soon as ReadResourceHeader fails to read or validate something, it returns, and lots of fields will still contain random garbage.

It wouldn’t be a big problem, if Daniel checked the return value of the function. But his code just continues processing even if the data initialization failed. And, to make matters worse, it just hides all exceptions by putting try-except handlers around most of the code. No wonder CFF is occasionally acting weird! :)

This bug is quite hard to demonstrate, as it needs to have few lucky coincidences in the uninitialized data. But I’m sure that a skilled person would convert it into arbitrary code execution in no time. Not me, though… :)

Buffer overflow

Second bug is also a classic. In pseudo-code it looks like this:

So, what’s wrong here? Daniel takes a fixed-size buffer and initializes it with all zeros (unlike previous case). Then he reads size of data (NameSize). And then he copies NameSize bytes into a fixed-size buffer – without checking if that’s gonna overflow or not.. Yikes!

Example file demonstrating this bug: https://www.mediafire.com/?x4idsa21toh0t36 (you need to click on Resource Editor -> .NET Resources to trigger the buggy code. Afterwards, CFF Explorer will start acting weird).

Solution

Just like in a previous case where I added support for ConfuserEx and undocumented fields, I had to make few binary patches to CFF Explorer.

Fixed exe file is here: Please get latest version from this post

Have fun and stay safe!

29 Apr

I bought a software today…

I never buy software. Not sure why is that, probably I just don’t see a point in doing that. To me, most of the software seems ridiculously overpriced.

  • Paying 30 euros for a copy of WinRar? Are you kidding me?
  • Paying 70 euros for latest Need for Speed racing simulator I’m not even sure I’ll like? I’m not a hardcore gamer, I’m just looking for a good fun for a rainy evening.

And subscription-based software is even worse:

Do I look like a f*ing Rockefeller to you?

Hello Adguard!

Imagine my surprise when yesterday I noticed that my beloved Adguard actually has very reasonable prices. And they are offering 40% discount for all licences until May 4th, 2016. Lifetime license for less than a cup of Chai Latte in Starbucks? I’ll take that, thank you very much!

license purchased

Well, it’s actually half-true. If you just open their main page in the browser and go to “Purchase”, you’ll probably see that a lifetime license costs $14.97. Not exactly a cup of Chai Latte.

Hacking Adguard pricing

To get those extra nice prices, you’ll need to perform a little trick. Open the mobile version of the same page in your browser: m.adguard.com. Now go to purchase. And now switch to prices in Russian roubles. 179RUB for a lifetime license! :D

According to Paypal, I just got my lifetime license for:

Payment: 179.40 RUB
Payment sent to: pr@adguard.com
From amount: $2.94 USD

Cheers!

Summary

If you’re interested in a decent adblocker for Android device, I recommend that you give Adguard a chance. No root required! They also have adblockers for Windows and Mac but I haven’t tested those.

Full disclosure: the link above is my affiliate link with Adguard. If 4 people will follow this link, install and use Adguard for 30 minutes, I will get a free 1-year license. In that case, I will donate this license to LCF-AT to help with ad-filtering issues.

If you hate affiliate links of any kind, please feel free to visit using a direct link: adguard.com – it’s well worth it.

Have fun blocking the ads! :)