Changes in the blog

kao

My last posts about Unity3D/Mono protections gained a lot of attention. Unfortunately, they gained the wrong kind of attention and low quality comments. So, I decided to make changes in a way these posts are made.

This is a place to describe HOW the protection works.

I have no agenda against game authors or any of the Android MOD teams. They just happen to use interesting protection mechanisms. And I like to take protections apart and describe HOW they work. So, the posts will be even more focused on HOW the protection works and how it can be defeated. Sometimes I'll make some code snippets available. But in any case, you will have to do your work to defeat the protection.

This is NOT a place for script-kiddies.

I made a big mistake releasing compiled executable. It attracts crowds of asian kids who are only able to drop DLL on the compiled executable and complain that it did not magically fix everything. They have absolutely no interest in how the protection actually works.

To fix that, there will be no more ready-made tools. If you care about the protection, my blog has all the information you need to make your own tool. But if you need a ready-made, compiled tool, go somewhere else.

This is NOT a place for crack requests.

Yes, I'm always interested in new and innovative protections. If you tell me about such protection, I will be very happy. When I get some free time, I will look at it. If it's interesting enough, I will write about it.

But I will not crack the protection for you. And most certainly I will not do it on your schedule. So, don't bug me about that.

I work on this blog in my free time.

My free time is limited. I will read all comments and all emails. Someday. When I have free time.

So, do NOT bump your comments or your emails. If you haven't received a reply, your message was stupid and I decided to ignore it. Or perhaps I just haven't had time to read it and respond to it.

You need to do your homework.

I got plenty of comments like "how do I use your tool?" or "I can't open file in dnSpy. Help!!!111".

First, read the bloody posts, they explain how my tools work and what the limitations are. Second, use Google. Third, read "How to Report Bugs Effectively". I can't magically solve all your problems - I need to see the actual file first.


I hate using ban-hammer. So, first time you do something stupid, I will warn you. But if you continue doing that, I'll ban you. As simple as that.

Thank you for reading to the end, I really appreciate that. Please enjoy your stay here.

Changes in Chrome 71 break Gmail.

kao

I've complained about Chrome automatic updates before. I actually stayed on outdated Chrome 45 for a long time because I really needed NPAPI support to perform certain tasks.

But few months ago I decided to bite the bullet and "live a normal life". So, I enabled Google Chrome updates and crossed my fingers. It worked for some time. I got the awful "modern UI" and managed to turn it off. I got the automatic Chrome sign-in that nobody actually wants and Google retracted later. And I was able to turn it off too.

But now Chrome cannot open my Gmail account. WTF?

Can't sync to account.

When logging into Gmail it just pops up this message "Can't sync to account. Request cancelled."


Why morons shouldn’t be writing about security, part 4

kao

Yesterday I read an article on ZDNet called "Researcher finds simple way of backdooring Windows PCs and nobody notices for ten months" and it made me laugh hysterically.

Why? Because it's a bloody nonsense from start to end.

Let's just look at the main claim in the article.

... in cases where a hacker has a foothold on a system --via either malware or by brute-forcing an account with a weak password-- the hacker can give admin permissions to a compromised low-level account, and gain a permanent backdoor with full SYSTEM access on a Windows PC.

What. The. Fuck.

About City of Atlanta and ransomware

kao

I just read the article on ZDNet: "Atlanta projected to spend at least $2.6 million on ransomware recovery". Yes, you read it right - $2'600'000 to clean up the Atlanta city network from ransomware. And, of course, taxpayers will pay the bill. 🙂

Dear City of Atlanta, this situation will not magically resolve itself. Your IT guys must take the responsibility for this failure. Fire your CIO. Fire your entire IT staff. Sue them all for the damages. And let them rot in prison for a few years for gross negligence.

You hold an architect accountable for making your house blueprints right. You hold the builders accountable for building your house right and your doctor for taking a proper care of you.

IT guys are not special snowflakes, they don't do magic, and they must be held accountable for their (in-)actions just like everyone else. Only then we'll see some improvements in security.


But I'm sure City of Atlanta knows better. After all, they decided to spend $600'000 on advisory services from Ernst & Young on how to handle security incidents. That's money well spent! </irony>

F00F bug or why morons shouldn’t be writing about security (again)

kao

Every once in a while, I read an article about security which is so incredibly bad that I just have to comment on it.

This time, it's an article from iTWire called "When F00F bug hit 20 years ago, Intel reacted the same way". It's written by Sam Varghese who claims to have decades of experience in the field. Let's see..

Make Intel CPU to hang remotely and anonymously?

Let me write that down!

Any Intel Pentium/Pentium MMX could be remotely and anonymously caused to hang, merely by sending it the byte sequence "F0 0F C7 C8".

This statement is incorrect in so many ways!

Yes, there was a bug in Pentium CPUs. CPU would freeze when executing instruction lock cmpxchg8b eax which has the opcode "F0 0F C7 C8". Can you see the difference?

  1. CPU doesn't hang on merely seeing the data sequence "F0 0F C7 C8". It hangs when trying to execute these bytes. Big difference! And if someone is able to run arbitrary instructions on your CPU, you have much bigger problems than just a simple hang.
  2. There is no f*ing way to run any code on any CPU remotely and anonymously. You can remotely exploit a bug in firmware/OS/software to execute some code - that's called remote code execution. But that is not specific to Intel CPUs and has nothing to do with the F00F bug in particular.

Dear Sam Varghese, please stop writing about security. Open a hotdog stand or do anything else that doesn't involve computers. You just don't get them.

Cybellum – next gen cyber company (it’s not)

kao

2 days ago everybody started talking about DoubleAgent attack that Cybellum supposedly invented and how every Windows OS since Windows XP is screwed. As soon as I read about it, I said "hmmm, where have I seen it before?".

While the rest of the world went on writing sensational news articles, Alex Ionescu summed it all up in one nice tweet:

Have fun and don't believe in everything you read - too many morons are writing about security these days..

Recovering data from faulty HDD

kao

I'm extremely lucky. In my 15+ years of messing with computers, I've never lost data due to HDD developing bad blocks and dying. Never! 🙂

Other people are not that fortunate. So, last weekend I was asked to look at an Acer laptop that just won't start. Windows startup screen shows up, stays for 5-10 minutes and computer reboots. Safe mode doesn't start, Alt-F10 Acer Recovery Console won't show up, nothing. At least I got Windows Memory Diagnostics to show up - and it didn't find anything wrong with RAM.

After I disabled Automatic Restart on System Failure (and waited 10+ minutes for Windows to crash), I got this nice error UNMOUNTABLE_BOOT_VOLUME (STOP: 0x000000ED):

Considering how much time it takes to get to the error, it's probably a bad hard disk.

Disclaimer: data recovery is a very delicate science. If you value your data, I suggest that you use a specialized data-recovery service. But if you are short on cash or just want to have some fun with dying HDD, please read on! Just remember that each HDD issue is different and what worked for me might not work for you.

Disassembly time!

I removed 2 screws to get access to HDD. First thing I saw was this huge scratch all over HDD bracket and cover plastic.

Apparently Mr.Awesome Neighborhood PC Repair Dude has tried to remove HDD with a screwdriver and failed. He had also broken few plastic clips on HDD cover - but who cares about those, right? At least, he did no visible damage to the electronic parts of HDD. 🙂

Let's try to attach disk to another PC and see if it's really bad.

Windows hates bad disks

Let me tell you, attaching it to my Windows computer was a bad idea. When disk was plugged in, Windows took 5 minutes to start. Any program took 1-2 minutes to start. To be honest, I have no idea why Windows were acting so weirdly, but hey, kids, don't try this at home! 🙂

At least I got an output from Crystal Disk Info which confirmed my suspicions - bad HDD:

On the side note, Internet is full of really stupid advice. If you suspect that your disk might be physically damaged and dying, never ever use "chkdsk" or similar tools on it! They will likely fail and/or corrupt your data even more. Make a full disk copy and try to fix data there.

Lesson learned - don't use Windows if your HDD is dying. Linux is much safer and data-recovery friendly!

Clonezilla

After some Googling, I found Clonezilla. It's a free Linux-based software that helps with disk imaging/cloning. Reviews were nice, so I made a bootable USB with Clonezilla and tried it out.

It failed.

After enabling "Expert options" and enabling --rescue flag, it started to do something. However, estimated completion time of 40+ hours wasn't exactly exciting. Apparently, Clonezilla/partclone is slow! I'd love to have a solution that actually works, preferably today.

Ddrescue and open-source stupidities

Few more Google searches later I learned about ddrescue. It's yet-another-Linux-software that can do almost anything - iff you can master its arcane command-line arguments. As their "manual" tells it succinctly:

This tutorial is for those already able to use the dd command. If you don't know what dd is, better search the net for some introductory material about dd and GNU ddrescue first.

Dude, I AM reading the ddrescue manual. What other introductory material about ddrescue should I search for? 🙁

Since ddrescue is included in clonezilla USB image, I launched bash and tried the simplest possible version:

user@debian:$ ddrescue /dev/sdc3 /home/partimag/hdimage.img /home/partimag/rescue.log

It failed with error "Can't open input file: Permission denied". Apparently, you need to use sudo. My next attempt was actually successful!

user@debian:$ sudo ddrescue /dev/sdc3 /home/partimag/hdimage.img /home/partimag/rescue.log

So, here we are, after 5 hours of running.. Estimated remaining run time is 25 minutes and it has recovered everything but 100MB of data from the HDD... Fingers crossed!

18 hours later my fingers were still crossed.. WTF?

Well... Hidden in the ddrescue manual is this great note:

The 'remaining time' is calculated using the average rate of the last 30 seconds and does not take into account ... Therefore it may be very imprecise, may vary widely during the rescue, and may show a non-zero value at the end of the rescue. In particular it may go down to a few seconds at the end of the first pass, just to grow to hours or days in the following passes.

Holy fuck, why on earth would you show "remaining time" if you very well know that it's "very imprecise"? Does it make your program go any faster? No. Does it help your user in any way? No. It just pisses everyone off.

All in all, ddrescue ran for around 48 hours - recovering 99.98% of data. There were still 45MB of non-scraped data left but I decided that it's not worth to wait 40-50 more hours to rescue mere 20-30 megabytes.

Lesson learned - reading data from unreadable sectors is really slow. Prepare to wait for days!

Analyze the rescued image

Recovering data is great. But what to do with the 0.02% of data that were unreadable? ddrescue log can tell you that sector 0x12345000 was unreadable - but you will have no idea which file occupied that sector. Since I'm a Windows guy, I decided to modify ddrescue's suggested approach a bit and used Windows tools when possible.

First, run ddrescue with --fill-mode argument:

printf "BABEC0DE" > tmpfile
ddrescue --fill-mode=l- tmpfile /home/partimag/hdimage.img /home/partimag/rescue.log
rm tmpfile

It will take the image file and mark all unreadable sectors with "BABEC0DE" and relevant sector/position information based on the log file. The affected part of file will look like this:

You can pick whatever text you want - I didn't want to use suggested "DEADBEEF" constant, as it is much more commonly used and might actually appear in some valid files.

Second, reboot into Windows and use OSFMount to mount the created hdimage.img:

Finally you can see files and folders from the damaged disk. Now use whichever Windows tool you like to search for "BABEC0DE". In my case, there were 16 files affected - 12 videos and 4 log files. So, nothing of value was lost! 🙂
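The search step can also be scripted. The following is an added example, not code from the original post: it walks the mounted image and reports the first offset of the fill marker in each affected file, reading in chunks with an overlap so a marker that straddles a chunk boundary is still found. The function names and the command-line usage are assumptions of this example.

```python
import os
import sys

MARKER = b"BABEC0DE"  # the fill pattern written by the --fill-mode step above


def first_marker_offset(path, marker=MARKER, chunk_size=1 << 20):
    """Return the file offset of the first marker occurrence, or None."""
    overlap = len(marker) - 1   # bytes carried over between chunks
    tail = b""                  # end of the previous window
    consumed = 0                # bytes read before the current chunk
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return None
            window = tail + chunk
            hit = window.find(marker)
            if hit != -1:
                # The window starts len(tail) bytes before the current chunk.
                return consumed - len(tail) + hit
            tail = window[-overlap:] if overlap else b""
            consumed += len(chunk)


def scan_tree(root, marker=MARKER, chunk_size=1 << 20):
    """Walk root; return (hits, errors).

    hits   -- sorted list of (relative path, offset of first marker)
    errors -- sorted list of relative paths that could not be read
    """
    hits, errors = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            try:
                offset = first_marker_offset(full, marker, chunk_size)
            except OSError:
                # Unreadable on the mounted image: report it, keep scanning.
                errors.append(rel)
                continue
            if offset is not None:
                hits.append((rel, offset))
    return sorted(hits), sorted(errors)


if __name__ == "__main__" and len(sys.argv) == 2:
    # Usage: python scan_marker.py <mount point of hdimage.img>
    found, unreadable = scan_tree(sys.argv[1])
    for rel, offset in found:
        print(f"{rel}: marker at offset {offset:#x}")
    for rel in unreadable:
        print(f"{rel}: could not be read")
```

A file that legitimately contains the marker text is reported as well, so review each hit before treating the file as damaged.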

Write the rescued image to the new hard drive

If you have Acronis or other Windows cloning software, you could use that to write HDD image to new disk. Since I didn't have any, I used Clonezilla's bootable USB and Linux standard dd command:

sudo dd if=/home/partimag/hdimage.img of=/dev/sdb3 bs=1M status=progress

After an hour and a half all the data were transferred to the new disk. Now I just needed to put HDD back into the laptop, boot up the system and run chkdsk to make sure that everything is fixed.

After 3 evenings and plenty of swear words, it's a great success! 🙂

Final words

There are two kinds of people, those who back up their stuff and those who have never lost all their data. Be smart and make sure you have proper backups! Otherwise, be prepared to spend few evenings learning Linux disk management tools and cursing their command-lines.

Till next time!

NetBalancer: should you trust it?

kao

Last few months people kept bashing antivirus and security software in general. Like on Twitter or their personal pages. Sure, Twitter is full of opinionated idiots who just love to complain about everything that doesn't match their point of view. On a few occasions they are right and even I have written about some of the issues with antiviruses before.

But!

But you'd be f*king stupid to delete your antivirus just because it has some bugs. Doorlocks get picked by criminals every day and people still use them. Professional lockpickers do exist - it's their job to break lock's security mechanism and get you back in the house when you lose your keys. Tavis Ormandy is a professional lockpicker - only he works in the digital world. It's his job to break digital security mechanisms and help vendors to fix the issues.

Having said that, not all software is created equal. Sometimes new and dangerous features get added to an otherwise great software. These features look good on paper but they can really ruin someone's day. Today, I'll demonstrate one such feature.

Introducing SeriousBit NetBalancer

NetBalancer is a Windows application for local network traffic control and monitoring. It shows you the network traffic on your computer and helps you to set limits, priorities and rules for that traffic. Some sort of a firewall - but better. It can prioritize your traffic, schedule it for specific times, do statistics, make graphs and charts and what not. And it looks really good!

Predefined Priorities

NetBalancer's Predefined Priorities is a feature that looks great on paper.

For those of you who are not sure what priorities are best for your PC we decided in NetBalancer 8.5 to add some predefined priorities.
These priorities include the most used programs and processes, currently about 1700 total (and counting), and are set to match the needs of most users

It could be used for virtually everything:

  • giving high priority to VoIP applications and games
  • making sure background processes (eg. software updaters) don't interrupt your Youtube experience
  • and even blocking malware

The possibilities are endless. In fact, virtually all of the antivirus products use similar databases to preconfigure their firewalls. It makes total sense after all!

However, the devil is in the details. All such databases must be maintained. New version of Skype comes out, you need to update database. League of Legends releases new update, you must update the database. And you must do it very fast, so that your users don't suffer from misbehaved firewall. It's a lot of work.

Since NetBalancer is made by a small company called SeriousBit SRL, I was naturally curious how they manage to do that. 🙂

Inside Predefined Priorities

First, I needed to obtain the complete database of the priorities. You could try to find something in C:\ProgramData\SeriousBit\NetBalancer\ but it would be more interesting to find and download correct files from the official servers, right? 🙂 After a quick string search, I learned that priorities can be downloaded from https://netbalancer.com/api/internal/predefinedpriorities. It's a huge JSON file but isn't encrypted or signed in any way.

That's a serious red flag right there. Security companies vigorously protect their databases - it's their know-how, their crown jewels. And they use digital signatures to make sure that the databases aren't tampered with. After all, which developer wants to see his product in news like "MalwareBytes: multiple security issues"? 🙂

OK, in this case JSON file is downloaded over HTTPS, therefore it's slightly harder to intercept traffic and modify it. So, let's ignore this issue for a moment and look at the JSON data instead.

In a minute or two, I was in the full "WTF?" mode.

Here's an excerpt from the JSON, prettified for easier viewing:

{
    "$type": "Events.PredefinedPriority, Events",
    "ExeNameCrc": 1772190657,
    "Priority": {
      "$type": "Events.AppPriorityInfo, Events",
      "AdapterId": -1521929413,
      "ExecutablePath": "driver.okaya.g200l.rar",
      "DownloadPriority": "High",
      "UploadPriority": "Normal",
      "DownloadLimit": 30000,
      "UploadLimit": 30000,
      "DownloadDelay": 0,
      "UploadDelay": 0,
      "DownloadDelayJitter": 0,
      "UploadDelayJitter": 0,
      "DownloadDropRate": 0.0,
      "UploadDropRate": 0.0,
      "PerConnectionLimits": false
    }
  },
...
{
    "$type": "Events.PredefinedPriority, Events",
    "ExeNameCrc": 3944917558,
    "Priority": {
      "$type": "Events.AppPriorityInfo, Events",
      "AdapterId": 2089926557,
      "ExecutablePath": "msi1f5.tmp",
      "DownloadPriority": "High",
      "UploadPriority": "Normal",
      "DownloadLimit": 30000,
      "UploadLimit": 30000,
      "DownloadDelay": 0,
      "UploadDelay": 0,
      "DownloadDelayJitter": 0,
      "UploadDelayJitter": 0,
      "DownloadDropRate": 0.0,
      "UploadDropRate": 0.0,
      "PerConnectionLimits": false
    }
  },

Setting high priority for RAR and TMP files.. More than 2000 entries like that? WTF?

How about this?

{
    "$type": "Events.PredefinedPriority, Events",
    "ExeNameCrc": 4213633860,
    "Priority": {
      "$type": "Events.AppPriorityInfo, Events",
      "AdapterId": -118159810,
      "ExecutablePath": "sexual babe receives screwed - xnxx.com.flv",
      "DownloadPriority": "High",
      "UploadPriority": "Normal",
      "DownloadLimit": 30000,
      "UploadLimit": 30000,
      "DownloadDelay": 0,
      "UploadDelay": 0,
      "DownloadDelayJitter": 0,
      "UploadDelayJitter": 0,
      "DownloadDropRate": 0.0,
      "UploadDropRate": 0.0,
      "PerConnectionLimits": false
    }
  },

Yes, I want to download my porn with a high priority, thank you very much!

But how on earth that got through the QA process? Is there any QA process in SeriousBit SRL? I highly doubt that..

Unsolicited user data gathering

All those entries made me think - how is it possible that NetBalancer's database contains such crap information? Most obvious answer was - it's submitted by users. To verify the guess, I took a sneak peek inside SeriousBit.NetBalancer.Core.dll. And there it was:

  public static void smethod_1(bool bool_0)
  {
    try
    {
      ...
      // POST the serialized local priorities to the vendor's endpoint.
      using (WebClient webClient = new WebClient())
      {
        NameValueCollection expr_77 = new NameValueCollection();
        expr_77["priorities"] = gparam_.smethod_0(true);
        NameValueCollection data = expr_77;
        bytes = webClient.UploadValues("https://netbalancer.com/api/internal/predefinedpriorities", "POST", data);
      }
    }
    catch (Exception arg_126_0)
    {
      GClass48.smethod_11(arg_126_0, "LoadFromWww", "C:\\wrk\\seriousbit\\netb\\deskapp\\src\\SeriousBit.NetBalancer.Core\\Priorities\\PredefinedPrioritiesTable.cs", 91);
      if (bool_0)
      {
        throw;
      }
    }
    finally
    {
      GClass51.smethod_1("LastPredefinedPrioritiesLoaded", DateTime.Now);
    }
  }

The call is coming from here:

        if (GClass51.smethod_0("PredefinedPrioritiesEnabled", false, true) && GClass51.smethod_0("LoadPredefinedPrioritiesAutomatically", true, true) && GClass51.smethod_0("LastPredefinedPrioritiesLoaded", DateTime.MinValue, true) < DateTime.Now.AddDays(-7.0))
        {
          GClass30.smethod_1(false);
        }

There you have it - if you have enabled "Predefined Priorities", NetBalancer will also silently upload all your priorities to their servers.

Want to wreak some havoc with unsuspecting users of NetBalancer? Post your own JSON file that blocks all traffic for all the browsers - apparently NetBalancer doesn't validate user submissions and will happily distribute them to other users. 😀
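Since the database is neither signed nor validated, a user or administrator can at least audit a downloaded copy before trusting it. The following is an added example, not NetBalancer's or the author's code: it flags the kinds of entries discussed in this post. The sample entries are constructed in the shape of the excerpts above (the `example-*.exe` names are hypothetical), and the `.exe`-only rule, reading a limit of 0 as "no limit" and reading a non-zero drop rate as dropped traffic are assumptions of this example.

```python
import json
from pathlib import PureWindowsPath

EXECUTABLE_SUFFIXES = {".exe"}  # assumption: rules should only name programs


def _entry(path, down="High", up="Normal", dl=30000, ul=30000, ddrop=0.0, udrop=0.0):
    """Build a constructed entry with the field names used in the excerpts."""
    return {"$type": "Events.PredefinedPriority, Events",
            "Priority": {"ExecutablePath": path,
                         "DownloadPriority": down, "UploadPriority": up,
                         "DownloadLimit": dl, "UploadLimit": ul,
                         "DownloadDropRate": ddrop, "UploadDropRate": udrop}}


# Constructed sample database; unused fields are trimmed.
SAMPLE_DB = json.dumps([
    _entry("driver.okaya.g200l.rar"),
    _entry("msi1f5.tmp"),
    _entry("example-voip.exe"),
    _entry("example-updater.exe", up="High", dl=0, ul=0),
    _entry("example-browser.exe", ddrop=1.0, udrop=1.0),
])


def _positive(value):
    return isinstance(value, (int, float)) and value > 0


def audit_entry(prio):
    """Return the list of findings for one 'Priority' object."""
    findings = []
    name = PureWindowsPath(str(prio.get("ExecutablePath", ""))).name
    if PureWindowsPath(name).suffix.lower() not in EXECUTABLE_SUFFIXES:
        findings.append("not-an-executable")
    unlimited = prio.get("DownloadLimit") == 0 and prio.get("UploadLimit") == 0
    both_high = (prio.get("DownloadPriority") == "High"
                 and prio.get("UploadPriority") == "High")
    if unlimited and both_high:
        findings.append("unlimited-high-priority")
    if _positive(prio.get("DownloadDropRate")) or _positive(prio.get("UploadDropRate")):
        findings.append("drops-traffic")
    return findings


def audit_database(raw_json):
    """Map file name -> findings for every entry that needs a human look."""
    report = {}
    for index, entry in enumerate(json.loads(raw_json)):
        prio = entry.get("Priority") if isinstance(entry, dict) else None
        if not isinstance(prio, dict) or "ExecutablePath" not in prio:
            report[f"<entry {index}>"] = ["malformed"]
            continue
        findings = audit_entry(prio)
        if findings:
            name = PureWindowsPath(str(prio["ExecutablePath"])).name
            report.setdefault(name, []).extend(findings)
    return report


if __name__ == "__main__":
    for name, findings in audit_database(SAMPLE_DB).items():
        print(f"{name}: {', '.join(findings)}")
```

An audit like this only narrows what a person has to review; it does not replace a signature check on the database itself.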

Abusing existing database

I was also wondering what is the meaning of ExeNameCrc field. 🙂 Turns out that NetBalancer uses CRC32 of filename as a key in the dictionary that manages process priorities. To make matters easier, they also supply you with a proper filename in ExecutablePath field. So, if you want to make sure your malware has unlimited traffic and high download priority, just name it swarm.exe:

{
    "$type": "Events.PredefinedPriority, Events",
    "ExeNameCrc": 1475648703,
    "Priority": {
      "$type": "Events.AppPriorityInfo, Events",
      "AdapterId": 1630508967,
      "ExecutablePath": "swarm.exe",
      "DownloadPriority": "High",
      "UploadPriority": "High",
      "DownloadLimit": 0,
      "UploadLimit": 0,
      "DownloadDelay": 0,
      "UploadDelay": 0,
      "DownloadDelayJitter": 0,
      "UploadDelayJitter": 0,
      "DownloadDropRate": 0.0,
      "UploadDropRate": 0.0,
      "PerConnectionLimits": false
    }
  },

Indeed, CRC32("swarm.exe") = 1475648703, as you can verify in some online CRC32 calculator..

A quick test confirms that too:

Conclusion

Trust is a delicate subject. On the one hand, all the Cloud and Connected things make your life much easier. On the other hand, you must choose wisely who you trust and what data he/she can access. I doubt that SeriousBit intentionally created such buggy and dangerous feature in NetBalancer. But that doesn't mean I would ever want it to be running on my machine!

Have fun and stay safe!

Moving to a new host

kao

Last week MaxXor suggested that I should add HTTPS support to my blog. My existing free host (bplaced) doesn't offer HTTPS, so I decided to finally switch to paid hosting. After thinking a bit, reading customer references, I chose Active24 - and so far the experience has been overwhelmingly positive.

  • Webhost was set up within minutes, including self-signed HTTPS certificate;
  • As soon as you update your DNS entries, Let's Encrypt certificate is issued automatically. You don't need to do anything yourself!
  • Unlimited disk space;
  • Unlimited traffic;
  • Unlimited cron jobs;
  • And everything "just works™";

For now HTTPS is optional (try https://lifeinhex.com/), I'll start enforcing HTTPS in a few days after fixing all the mixed-content warnings. 🙂

Have fun and stay safe (and let me know if you notice any issues)!

Blog not dead

kao

I just noticed that I haven't published a full-length post for almost 2 months already. 🙁 Let me assure you, this blog is not dead, I just had a peaceful Christmas vacation. Here's what else is new..

Domain renewal

I'm still having fun writing this blog. So, I've renewed the domain for one more year. Since I'm using a free shared hosting, HTTPS is not an option. But if you would really like to see that (or any other improvements to the site), please let me know in the comments.

WordPress update

As you probably have noticed, this blog is running on WordPress. And since my webhost has really tough restrictions on what can be done with shared hosting accounts, automatic update of WordPress is not possible. So, I updated the engine manually to the latest version 4.7.1.

Last night there was some short outage but it was more likely caused by maintenance on the webhost. But please do let me know if you notice any issues with the site!

Improved Enigma Virtual Box unpacker

One of the most requested features for Enigma Virtual Box unpacker was support for large files. I had to rewrite quite a lot of stuff to make it happen but now it works fine for files up to 4GB (and possibly more). 😉 It's finished but I need to test the unpacker properly before making it public.

Improved Molebox unpacker

Again, one of the most requested features is to support huge files (500MB+). Since the original unpacker was written in 2009, compiled only with Delphi 4 and was intended to unpack regular EXE files, I had to rewrite pretty much everything from scratch - so I'm happy to say that it's 90% done. I should be able to wrap it up in a few weeks and then make it public.

Blog post about video-to-exe DRM protections

Every once in a while someone in Tuts4You asks about video-to-exe or pdf-to-exe "protections". Every single one I've seen so far has been just a snake oil. In the article I'll document the methods used by these "protections" to encrypt video/PDF and prevent user from extracting original file out of EXE. You won't believe how much time and effort goes into preparing a single technical blog post - so don't expect it to be finished any time soon. 😉

Have fun and talk to you all later!