Anti-instrumentation techniques: I know you’re there, Frida!

Some days ago, due to a task I’m still doing, I started using Frida. At first glance, it is a great option, especially the Python bindings, to develop quick scripts to instrument a program. It’s multi-platform, multi-arch, it has bindings for Python, Node.js and .NET, and many other benefits. After some days of usage, I…

Unpacking Malware Series: Venis Ransomware

Introduction The samples of Venis ransomware I’ve been analyzing implement some anti-debugging and anti-sandboxing tricks. Those tricks are the starting point for us to find the code in charge of unpacking the ransomware core. In particular, it implements the GlobalMemoryStatusEx trick and checks the presence of a particular DLL in the memory of the current process. GlobalMemoryStatusEx…

Unpacking Malware Series: NanoLocker Ransomware

This ransomware uses two decryption loops before getting the real code executed. Both versions, v1.27 and v1.29, have the same entry point. By tracing with F7, we get the first decryption loop. After the decryption, the code looks different, and marked in red we can see the second decryption loop. If we trace the code using…

Unpacking Malware Series: HDDCryptor Ransomware

Most of the HDDCryptor samples I saw weren’t packed, but I found one sample that at first sight didn’t look suspicious. However, if we look carefully, there are clues of malicious code activity. In the main function, we can see that there are a lot of calls to functions like tan()/cos()/pow()/sin()/ceil() that…

Unpacking Malware Series: ATLAS Ransomware

This time, we are going to see how to unpack ATLAS ransomware. The first thing it does, as many other malware, is to allocate memory regions to hold the decryption routines for the real ransomware core. Then, there is a loop where it changes the permissions of every memory page, including the PE header section,…

H4CK1T CTF 2016 Quals – Mexico Pentest – 150 pts – Write-up

Those who know me are aware that I don’t like web challenges. However, this time I decided to try it out. We were provided with the following information: Our foreign partners have some problems with qualified staff in the field of information technology, we decided to help them and to conduct remote testing of their…

H4CK1T CTF 2016 Quals – Argentina – r34n1m4710n – 100 pts – Write-up

This was an easy challenge. These were the instructions: Recover the password. h4ck1t{} We were provided with a .pcap file named top_secret_39af3e3ce5a5d5bc915749267d92ba43.pcap As I said, the task was very simple. I opened the file with Wireshark and did a manual examination of the packets, till I found a very suspicious FTP packet 🙂 flag: h4ck1t{i_G07_ur_f1l3s}

H4CK1T CTF 2016 Quals – Quiz Peru 10 pts – Madagascar Decode 3 10 pts – Cote d’Ivoire Internet 10 pts and more – Write-up

These were some very easy challenges from H4CK1T CTF 2016 Qualification Round. Quiz Peru 10 pts Decode it: 68 101 99 105 109 97 108 h4ck1t{decode} Solution using Python: >>> s = "68 101 99 105 109 97 108" >>> ''.join([chr(int(x)) for x in s.split(" ")]) Flag is: h4ck1t{Decimal} Madagascar Decode 3 10 pts What…

H4CK1T CTF 2016 Quals – Hex0gator – Paraguay – 250 – PPC – Write-up

This was an easy challenge but a tedious one. This was the provided information: EN: All Experts of The Silver Shield Project can’t decipher the intercepted data. Who knows, maybe you can do it? A file named 100_00edb54bed7e46bd5cdb7c06059881c2 was also provided to us. Basically, it is a .zip file that, once extracted, contains…