JavaScript deobfuscation a little start

So I’ve been trying to get more information about the funky world of JavaScript deobfuscation. It’s really fascinating what kind of protective measures and obfuscation JavaScript can reach. So whith what kind of stuff have i been playing around?

SpiderMonkey FTW!

No really, it’s easy, it’s proven and it works.  Installing is really easy…lotsa documentation also. The best part of it was that…spidermonkey does not have default support for things like document.write(); After googling I found out about 2 ways to achieve it. The first method involved changing the C files and recompiling and such…the other method was so much easier. Have a look:

part1 for a nice introduction

part2 with the solution to add document.write(); support.

For the ones interested here is the method where you need to recompile spidermonkey and such.

There are a lot more of interesting deobfuscation tools out there to play with though.

Ultimate deobfuscator

malzilla

So this has been my little introduction to javascript deobfuscation I will certainly keep playing it’s fun, I never thought javascript could be used for so much evil but fun things.

Reversing, grasping the big picture

So no reversing section but still a reversing post. My personal opinion is that reversing is part of a forensic research in some way or an other…you could state that reversing is like a very specific forensic investigator. Most people asociate reversing with copyright infringements and bypassing security measures to access forbidden goodies(game cheats for example). Reversing can also be used for legal purposes just to name a few:

  • perform a blackbox audit on an executable
  • perform a investigation on a piece of malware
  • help develop a quick patch until the official one is released
  • learn and understand compiler optimization

I love reversing, I also hate reversing. Yet I keep practicing it and trying to learn. Why ? Because it really is a beautifull way to learn new things and to relax(this depends on the person reversing of course).

Continue reading “Reversing, grasping the big picture”

Finding crypto containers

So here I was relaxing and watching Friends…when suddenly one of my old and almost forgotten ideas popped in my head. The problem context is as follow:

Let’s say you image(or you just want to search) a harddisk and want to know if the person  has any crypto containers on his/her harddisk? How would you go about this?

Continue reading “Finding crypto containers”

Truecrypt Update & Speeds

Well truecrypt 6.1 has been released and I thought it was time to update my machine. Since I’ve started using truecrypt I’ve kept screenshot of the benchmarks so for the ones who love numbers here they are. I’ve also made volume headers backup and disabled the boot message that states the machine is encrypted with truecrypt. I have to admit I’m totally fond of truecrypt it’s easy and good for free. Oh and YES I’ve made volume header backups and rescuedisks, you never know when bad luck strikes.

Continue reading “Truecrypt Update & Speeds”

ubuntu 8.10 mobile support

w000t :D

I love it. It was like so easy to get my internet connection going on my ubuntu through my mobile phone. All I had to do was connect the mobile to my laptop using a mini-usb cable. Ubuntu then automatically recognized it all and all I had to do was choose my provider and it WORKED!!!

I’ve installed ubuntu 8.10 on my laptop just to see how it goes and well I have to admit it works pretty good. Until now I haven’t had any problem with it.

Well so much for my ubuntu experience, I’ll keep you posted because somehow I always screw up when I use linux. So I really hope I hang on to it this time.

busy busy?!?

Ah man…beeing busy really ***** (sucks). I don’t like censoring words….

Lucky for me this time it was pleasure busy. I’ve been away for a few days in one of the cities famous for their diamonds. It was really impressive to see a whole street with only juwel stores. The funny thing was that the local building for diamond exchange seemed to have better security measure then the bank that was next door. Just to clarify things up , I wasn’t there for the diamonds. Those are boring. They just shine and well shine. So what’s next? I’ve been thinking about posting my todo list but then again…if I do that people will actually see that I never get it done.

So I’ll just post stuff when it’s done.

For the moment beeing I’m concentrating on the latest burp release which is comming up in december I can’t wait till I can hit the download button. Got some nice ideas to expand the current poc’s I’ve written and hopefully abuse the new and improved API.

If you get the impression this was written in a hurry , yes it was. I’m tired and want to sleep but I also wanted to write so this is the end result, I’m now going to sleep.

IDE Sniffing || Detect WDE/FDE

Maybe “IDE Sniffing” is a bit misleading…but I was not sure how to call it otherwise. So this is the problem context: You need to know if a harddisk is encrypted but you are not allowed to disconnect or move the computer. You have no access to the computer, like no login,no firewire to exploit and no vulnerable services running. Let’s also assume that this computer is using normal IDE ( I know it’s a bit outdated) disks. How on earth are we going to find out?

Continue reading “IDE Sniffing || Detect WDE/FDE”

Extending burp proxy

Intercepting proxies and other intercepting software like tamperdata are ideal tools to modify a http request or response when you are taking a peek into the nice world of web application hacking.

Burp suite is not free like webscarab but I like it because the interface is more intuitive. It seems though that wescarab-ng is doing a pretty good job on the interface part. So what is burp suite exactly?

From the burp suite website:

Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, authentication, downstream proxies, logging, alerting and extensibility.

The best thing? It can be extended!

Continue reading “Extending burp proxy”

It’s not always technical

Well like the title says you can’t always dedicate your time to technical things. I’ve always loved art…it didn’t really mather to me what kind of art it was as long as it really speaks to me.

So lateley I’ve encountered a art form I really like. Abstract expressionism. It’s wonderfull you can imagine all you want there is nothing defined and it really speaks to me.

I’ve encountered an artist who’s art I really like. It’s so full of color and so different. The only down part is , that her page is only in spanish for the moment beeing, I’ve emailed her and the english portion of her website will be published soon. I’ve added a non-technical categorie in the links section so you can all visit her page and enjoy her art just like I did.

FDE / WDE spiced up

So you got your harddisks encrypted and feel totally secure? Think again.

Investigators have got some nifty devices which are capable of moving your pc without disconnecting it. Effectively bypassing FDE/WDE encryption if you are not used to lock your computer. Although locking doesn’t seem to be the answer nowadays with all those firewire hacks. So what’s left to do?

First of all disable firewire and make sure you always lock your pc. In the strange case that you do not lock your pc I made some easy yet (this hasn’t been tested in a real life situation) effective code to frustrate the investigator. This is just some quick POC (forgive me the messy code) I wrote. In a lab environment this works, so don’t blaim me if this doesn’t work in a real life situation.

Continue reading “FDE / WDE spiced up”

Bypassing ip restrictions with a backdoor

This idea popped in my head a while back and is still on my todo list (note: my todo list never shrinks). The following context/problem applies.

Suppose you want to steal information but the server you want to backdoor has got all ports ip restricted on an application level. Like a IIS instance which restricts users based on their ip address. How could this be bypassed without adjusting the IIS configuration or using a complicated rootkit. I thought of the following (note: this can also be implemented in ring0):

Continue reading “Bypassing ip restrictions with a backdoor”

Trusting Java Applets

abusing the trust people have in signed applets.

It’s been blogged before but oh well I always learn by example so here is an example. The thing I’m talking about is trusting signed java applets. In short when you trust a java applet it can do whatever it wants. So what could you do with a java applet? The java source code will steal your mac address, rather useless but it serves the example purpose good enough. The stolen mac address get’s submitted to a page in this case it will be google which will look like this:

Continue reading “Trusting Java Applets”