There are few minor fixes:
There are few minor fixes:
Ox777h's crackme was posted on Tuts4You forum in October 2022. Description said that it uses simple anti-debugging and code virtualization, so I decided to take a look.
In this post I'll describe how the protection works and steps I took to defeat it.
Read More
Few weeks ago I wrote an article about misunderstood security in Autoplay Media Studio plugins. Two days later, author of DCrypto plugin released an updated version of the plugin. And just recently, he started to sell his plugin by making some pretty bold claims:
I present to you DCrypto with an advanced encryption that allows you to obfuscate your LUA 1.5 code in 256 Bit encryption with one of the best encryptions on the market, in addition to optimizing your source code, it will be protected with super protection.
Let's see how super this protection really is! smile
Read More
Every once in a while I encounter a strange anti-reverse engineering protection. Protection authors are so focused on improving one specific aspect of the protection that completely overlook other, much easier ways how the system can be defeated.
Their logic is like this - someone stole my code, I better protect it. I've heard that cryptography is good, so I'll use that. Oh no, someone stole my code again! Let me add another layer of encryption over it! Few days/weeks/months later - Those bloody hackers won't stop! Let me protect my encryption code with another encryption!
Facepalm.
What the authors should do instead is stop and think. What do I want to protect? Against whom? For how long? What kind of loss is acceptable to me?
Last September Fireeye organized 8th edition of Flare-On reverse engineering challenge. And today I finally received my prize for completing all challenges. Hooray!
This year I did not make detailed writeups but I can wholeheartedly recommend writeups made by Washi - they are awesome! smile
There are plenty of changes.
MemoryEx is a plugin released by Imagine Programming, allowing for more advanced operations from within the Lua environment you will find in Autoplay Media Studio 8.
While it's not a very common plugin, there are several niche programs which use this plugin. For example, most programs from dindroid.com use it.
When you unpack such file, please pay attention to the "Found protected file" messages:
As you can see, unpacker created some .luac files.
Next, you will need to find a LUA decompiler and decompile these files. I suggest you try unluac, luadec or whichever LUA decompiler you prefer.
Decompiler should produce .lua file which contains all the interesting stuff. For example, part of G-Nerator code looks like this:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
return { info = { name = "Anderson M Santos", author = "dindroid.com", contact = "andersonnsantos36@gmail.com" }, functions = { Install = function() function Stile_Sonbre_P() sHandl = Application.GetWndHandle() DLL.CallFunction(_SystemFolder .. "\\User32.dll", "SetClassLongA", sHandl .. ",-26," .. 131072, DLL_RETURN_TYPE_LONG, DLL_CALL_STDCALL) if Label.GetText("local") == "C:\\" then Label.SetText("local", _ProgramFilesFolder .. "\\Dindroid") end Image.Load("imico", _TempFolder .. "\\icon.tmp") Image.Load("imc", _TempFolder .. "\\bts_01.tmp") end function Install() Folder.Create(_ProgramFilesFolder .. "\\Dindroid" .. "\\G-Nerator") File.Copy(_SourceFolder .. "\\Install\\*.*", _ProgramFilesFolder .. "\\Dindroid" .. "\\G-Nerator", true, true, false, true, nil) sP = System.EnumerateProcesses() for j, file_path in pairs(sP) do file = String.SplitPath(file_path) if file.Filename .. file.Extension == "GNerator.exe" then File.Copy(file_path, _ProgramFilesFolder .. "\\Dindroid" .. "\\G-Nerator\\") end end Shell.CreateShortcut(String.Replace(_WindowsFolder, "Windows", "") .. "\\Users\\Public\\Desktop", "G-Nerator", _ProgramFilesFolder .. "\\Dindroid" .. "\\G-Nerator\\GN.exe", "", "", _ProgramFilesFolder .. "\\Dindroid\\G-Nerator\\GN.exe", 0, SW_SHOWNORMAL, nil, "") .... |
That's all folks, have fun using it!
As always - if you notice any bugs, please report them. And most importantly - Happy New Year everybody! smile
Today in my web server logs I noticed repeated scans for "fancy-product-designer" - a WordPress plugin which I most definitely don't have installed.
|
1 2 3 4 |
82.165.187.17 - - [22/Jun/2021:20:09:11 +0200] "GET /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php HTTP/1.1" 404 12664 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 0 0.430 82.165.187.17 - - [22/Jun/2021:20:11:21 +0200] "GET /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php HTTP/1.1" 404 12664 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 0 0.490 82.165.187.17 - - [22/Jun/2021:21:09:55 +0200] "GET /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php HTTP/1.1" 404 12664 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 0 0.482 82.165.187.17 - - [22/Jun/2021:21:12:48 +0200] "GET /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php HTTP/1.1" 404 12664 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 0 0.515 |
Few Google searches later, I found an article by Wordfence titled "Critical 0-day in Fancy Product Designer Under Active Attack". As usual, all the important details were missing from their article, so I decided to fill-in the gaps. smile
Yesterday, an alert describing vulnerability in Kaswara Modern VC Addons was published on WPScan.
The plugin allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
Alert explicitly warns that the bug is actively being exploited. Alert also provided a very limited indicators of compromise - incomplete but at least something..
Later that day, "WordPress security vendor" Wordfence published their article Remove Kaswara Modern WPBakery Page Builder Addons Plugin Immediately.
They repeated what was already said in the alert mentioned above and gave 2 extremely "useful" suggestions. First suggestion is in the post title - remove the plugin. Second suggestion is to pay for Wordfence services. Because Wordfence free version will start protecting users only in end of May 2021:
May 21, 2021 – Wordfence Free users receive the firewall rules.
Think about it for a moment..
Wordfence knows the issue is actively being exploited. They know exactly what the issue is. But they don't care about you or your security! All they care about is their profit. So, unless you pay a hefty sum for their "services", you're screwed.
I think it's wrong, so let's fix that! smile
Earlier this month, my friend Washi invited me to take a part in a small CTF competition. It was a first time his team was making something like that, so I did not know what to expect. I must say that RTN CTF was a great success and I really really enjoyed it.
Challenges and official solutions have already been published on RTN Github and few people have already made great and detailed writeups:
https://github.com/CodeOfDark/CTF-Writeups/tree/master/RTN/2021
https://holly-hacker.github.io/ctf-writeups/2021-01_RTNCTF/Index.html
https://zsr2531.github.io/writeups/RTN_2021/
I have no intention of repeating what's already been said and done, so I'll just add a few personal notes about how I solved the most interesting challenges. smile