Breaking Code

March 1, 2017

R2con 2016 reverseme challenge

Filed under: Conferences, Just for fun, Reversing — Mario Vilas @ 5:18 pm

R2con poster, by the talented artists of Hackerstrip

Back in September 2016 I attended R2con, the first public and international congress about Radare. Needless to say, it was pretty awesome 😀 and I recommend that everyone interested in reverse engineering go there next year. During the conference, Riscure proposed a simple reversing challenge using Radare to play with. You can find the challenge here. This is my (very short and dumb) writeup of it.

The challenge consisted of reversing an ELF binary and figuring out a password. When running the binary, you had to enter the password to get a message saying that you won the challenge. No modifying was allowed, just reversing. Now, this in itself was super easy since it was meant as an introduction, but I didn’t know how to use r2 well enough so it took me a while to solve it. 😀

The first problem I ran into was that it used a different version of libcrypto than my distro so I had to set up a VM. I suppose I could have installed another libcrypto and have them coexist, or used a chroot jail or whatever, but just firing up a VM seemed like the easiest choice to me – especially since I’m already used to Vagrant for this kind of thing.

After that, it was time to fire up Radare:

    $ chmod +x RHme2_prequalification_challenge # (did not have the +x bit in Github)
    $ ./r2 ./RHme2_prequalification_challenge

Then analyzed everything with the “aaaa” command and launched the UI with “=H” (because I’m lazy). Using the UI I quickly listed the strings, found the relevant ones, then looked for references to them. Turns out everything was right there in main() so this step wasn’t really needed! 😀

So, going back to the console, using visual mode we can see the code right away:

Gotta love ASCII art graph view

There was some code before the AES decryption that may be some kind of obfuscation, but I didn’t bother with it statically because it was easier to just put a breakpoint at the memory compare after decryption to see what the hardcoded password was.

Turns out to run Radare as a debugger you need to specify -d before opening the file. I got stuck there for a while because I’m such a n00b. #shame 😀

So, after running “r2 -d”, setting the breakpoint with “db 0x0040081d” then executing the program with “dc”, I got prompted for a password. Just typed anything and continued, after that the breakpoint was hit.

From the code I knew the argument with the decoded password should be in the rbx register, so using the “dbr” command to show the registers, then the “s” command to change the pointer (another odd concept for those of us coming from gdb!) and finally using the “x” command I could see the memory contents:

Gotcha!

Running the program again and trying out that password confirmed it was correct. TA-DA!

Well, now that I’ve made you waste your time reading this, here’s a much better writeup for it. Enjoy! 😉 #trolling

September 19, 2012

Cheating on XKCD

Filed under: Just for fun — Mario Vilas @ 3:23 pm

In case you missed it, today’s XKCD comic titled Click and Drag is simply amazing! Go check it out first, spend a few hours lost in it, and come back only when you’re done having fun. I’ll wait here. 🙂

Ok, you’re back. Naturally you’ll want to cheat on it at some point, to make sure you didn’t miss out on any hidden easter eggs! So let’s take a look at the web page.

The easiest route is loading the comic on Google Chrome, or Chromium. Just right click on the image and select “inspect element”. This quickly reveals how the neat trick works.

Taking a peek under the hood…

The “world” is divided into tiles of fixed size, and at all times the page loads the tile you’re currently viewing and the surrounding ones, in order to seamlessly stitch them together when scrolling. The clickable area is a map, and its coordinates are used to build the URLs of the images, which always follow the same pattern (north or south, and east or west coordinates). Trying out a few numbers reveals the “north” coordinate goes from 1 to 5, the “east” coordinate goes from 1 to 48 and the “west” coordinate goes from 1 to 33. Not all coordinates seem to work around the edges of the world (north 2 west 5 doesn’t work, for example) and I couldn’t get south to work with manual tries. I suppose a couple of empty images are used for those (one for black and one for white) but I didn’t confirm it.

The first thing I tried was just accessing the parent directory to see if directory indexing was enabled, but no such luck. Instead, I wrote this quick and dirty script in Python to download all images, using urllib to download them and shutil to write them to disk. Missing tiles are simply skipped.

This should be enough to check for easter eggs, but it’d be interesting if someone assembled a big image containing all the tiles. Let me know if you do! 🙂

Update 1: I originally missed the east coordinate, so the script was updated to try and bruteforce in all directions 1 to 10 north and south, and 1 to 50 east and west. This means a lot more HTTP requests, so I also added a pause between them as good netizens should.

Update 2: This seems to be the complete list of valid image URLs.

Update 3: A commenter pointed out somebody did assemble the entire world image! Check it out here.

Update 4: @prigazzi on Twitter pointed out this fully navigable map as well, based on Google Maps. Check it out! It’s IMHO the best one yet. 🙂

Update 5: The previous link no longer works, but this works pretty much the same way: xkcd-map.rent-a-geek.de
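The downloader described above (enumerate the coordinate grid, fetch each tile, skip the ones that do not exist, pause between requests), rewritten as an added Python 3 example. This is not the script from the post. The post only says the URLs combine north/south and east/west coordinates; the exact host and file-name pattern in TILE_URL is my assumption, and the fake opener is a constructed offline stand-in so the logic can be exercised without touching the network.

```python
import io
import os
import shutil
import tempfile
import time
import urllib.error
import urllib.request

# The post says each tile URL combines a north/south and an east/west coordinate.
# This exact host and file-name pattern is my assumption, not something quoted in the post.
TILE_URL = "https://imgs.xkcd.com/clickdrag/{lat}{ns}{lon}{ew}.png"


def tile_urls(max_ns=10, max_ew=50):
    """Yield every candidate tile URL for the ranges given in Update 1:
    1..max_ns north and south, 1..max_ew east and west."""
    for ns in ("n", "s"):
        for lat in range(1, max_ns + 1):
            for ew in ("e", "w"):
                for lon in range(1, max_ew + 1):
                    yield TILE_URL.format(lat=lat, ns=ns, lon=lon, ew=ew)


def fetch_tile(url, dest_dir, pause=1.0, opener=urllib.request.urlopen):
    """Download one tile into dest_dir and return its path, or None when the
    server answers 404 (a missing tile, simply skipped as the post does).
    Other HTTP errors propagate. Always pauses afterwards so the server is
    not hammered, missing tiles included."""
    path = os.path.join(dest_dir, url.rsplit("/", 1)[1])
    try:
        # opener() runs before open(), so a 404 never leaves an empty file behind.
        with opener(url) as resp, open(path, "wb") as out:
            shutil.copyfileobj(resp, out)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise
    finally:
        time.sleep(pause)
    return path


def download_all(dest_dir, max_ns=10, max_ew=50, pause=1.0, opener=urllib.request.urlopen):
    """Try every candidate tile; return (saved file names, number of missing tiles)."""
    os.makedirs(dest_dir, exist_ok=True)
    saved, missing = [], 0
    for url in tile_urls(max_ns, max_ew):
        path = fetch_tile(url, dest_dir, pause, opener)
        if path is None:
            missing += 1
        else:
            saved.append(os.path.basename(path))
    return saved, missing


# Constructed offline stand-in for urlopen: two tiles "exist", everything else is a 404.
FAKE_TILES = {"1n1e.png": b"\x89PNG\r\n\x1a\n", "1n1w.png": b"\x89PNG\r\n\x1a\n"}


def fake_opener(url):
    name = url.rsplit("/", 1)[1]
    if name in FAKE_TILES:
        return io.BytesIO(FAKE_TILES[name])
    raise urllib.error.HTTPError(url, 404, "Not Found", None, None)


def make_tmp_dir():
    """Scratch directory for trying the downloader offline."""
    return tempfile.mkdtemp(prefix="xkcd_tiles_")


if __name__ == "__main__":
    saved, missing = download_all("clickdrag_tiles")
    print("saved %d tiles, %d missing" % (len(saved), missing))
```

With the default ranges this is 2,000 requests, which is why the pause sits in a finally block: it applies to misses as well as hits, so a mostly-empty grid does not turn into a burst of fast 404s.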

September 8, 2010

A dual screen hack: x2vnc

Filed under: Just for fun — Mario Vilas @ 6:30 pm

Today I just had to use two laptop computers simultaneously, and switching back and forth was driving me insane. Then I remembered an old trick I used to pull back at my old job: the dual screen hack.

Most of you probably know it already, but just in case, here goes the explanation. You can connect two computers and simulate what would happen if you had two monitors instead: when the mouse leaves the screen in one computer, it “enters” the other computer on the opposite side of the screen. For example, if you have two laptops on your table and you move the mouse to the right, after reaching the border of the screen you see it coming out on the left side of the other computer. 🙂

The magic is done by using a remote desktop protocol like VNC, which lets you send keystrokes and mouse events, while discarding the framebuffer updates. That is, a program that connects to the remote desktop, but instead of showing you the remote screen, it monitors mouse movements locally and when the mouse reaches the screen limits, it captures the mouse and starts sending mouse events to the remote system. Similarly, when the mouse reaches the opposite limit on the remote system, it stops capturing the mouse so you can use it on the local system.

Since I use Linux my choice was x2vnc, the Linux cousin of the more famous Win2VNC, also by the same author. But unlike Win2VNC which is now actively maintained at SourceForge, x2vnc seems to have been abandoned.

x2vnc supports SSH tunneling, which is just perfect since VNC is a plaintext-only protocol and insecure by design. However there’s no easy way to tell x2vnc which port to connect to or which username to log in as – it always defaults to the current local user and port 22.

I also had a problem with my other laptop, which had Windows 7. When the mouse cursor leaves the screen, it is “parked” to a corner of the screen so it doesn’t show (it’d be confusing to see two mouse cursors as you wouldn’t know which one is active). But the corner chosen by x2vnc is always the lower right corner, causing Windows 7 to hide all active windows… very annoying.
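To make the mechanism above concrete, here is an added Python illustration of what an x2vnc-style client has to do on the wire. It is not x2vnc code (x2vnc is written in C). The two message layouts are the KeyEvent and PointerEvent messages from the RFB 3.8 specification, which is the protocol VNC speaks, and the ServerInit layout is from the same spec; the EdgeSwitcher class is my own simplification of the edge-crossing logic for the “remote screen to the east” layout the post uses, with proportional vertical scaling when the two screens differ in size. The ServerInit sample is constructed.

```python
import struct

# RFB 3.8 client-to-server message type codes (from the RFB specification).
MSG_KEY_EVENT = 4
MSG_POINTER_EVENT = 5

# Bit 0 of the PointerEvent button mask is the left button.
BUTTON_LEFT = 1 << 0


def encode_pointer_event(x, y, button_mask=0):
    """PointerEvent: U8 type, U8 button-mask, U16 x, U16 y, all big-endian.
    Like every RFB message this goes out in cleartext unless the connection
    is wrapped in an SSH tunnel, which is the point the post makes."""
    return struct.pack(">BBHH", MSG_POINTER_EVENT, button_mask, x, y)


def encode_key_event(keysym, down):
    """KeyEvent: U8 type, U8 down-flag, U16 padding, U32 X11 keysym."""
    return struct.pack(">BBxxI", MSG_KEY_EVENT, 1 if down else 0, keysym)


def parse_server_init(msg):
    """ServerInit: U16 width, U16 height, 16-byte PIXEL_FORMAT, U32 name-length, name.
    An x2vnc-style client only needs width/height (to place the pointer) and
    never sends a FramebufferUpdateRequest, so it never receives screen contents."""
    width, height = struct.unpack_from(">HH", msg, 0)
    (name_len,) = struct.unpack_from(">I", msg, 20)
    name = msg[24:24 + name_len].decode("latin-1")
    return width, height, name


class EdgeSwitcher:
    """Remote screen sits to the east (right) of the local one, as in the post."""

    def __init__(self, local_size, remote_size):
        self.local_w, self.local_h = local_size
        self.remote_w, self.remote_h = remote_size
        self.captured = False
        self.rx = self.ry = 0

    def on_local_motion(self, x, y):
        """Absolute local pointer position while the mouse is not captured.
        Returns the first PointerEvent to send when the pointer crosses the
        right edge, otherwise None (the event stays local)."""
        if self.captured or x < self.local_w - 1:
            return None
        self.captured = True
        # Enter the remote screen at its left edge, keeping the height proportional.
        self.rx = 0
        self.ry = min(y * self.remote_h // self.local_h, self.remote_h - 1)
        return encode_pointer_event(self.rx, self.ry)

    def on_captured_motion(self, dx, dy):
        """Relative motion while captured (the local cursor is parked). Returns
        a PointerEvent for the remote, or None once the pointer leaves the
        remote screen over its western edge, which releases the capture."""
        if not self.captured:
            return None
        nx = self.rx + dx
        if nx < 0:
            self.captured = False
            return None
        self.rx = min(nx, self.remote_w - 1)
        self.ry = min(max(self.ry + dy, 0), self.remote_h - 1)
        return encode_pointer_event(self.rx, self.ry)


# Constructed ServerInit as a 1920x1080 server named "laptop-b" would send it.
SAMPLE_SERVER_INIT = (struct.pack(">HH", 1920, 1080) + bytes(16)
                      + struct.pack(">I", 8) + b"laptop-b")
```

Everything the remote side receives is input, never pixels, which is why the framebuffer-less approach is so light. It also means the bytes on the wire are exactly the keystrokes you type, so tunnelling them over SSH as the post suggests is not optional on an untrusted network.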

So I did what any other geek would do in my situation – branch it! 😀

The patched code is now on GitHub (it used to be on Google Code). The new command line switches I added were:

-sshuser: Log in to the SSH tunnel using the given username.

-sshport: Connect to the given TCP port number instead of the SSH default (22).

-restingx and -restingy: Tell x2vnc where to park the mouse cursor. A value of 0 means left or top, a value of -1 means right or bottom. Then for example, -restingx 0 -restingy -1 means the top right corner of the screen.

Enjoy! 🙂

Download

Source code: https://github.com/MarioVilas/x2vnc/archive/master.zip

July 23, 2010

“Hiding” your Python source with ROT13

Filed under: Just for fun — Mario Vilas @ 5:50 pm

First of all I want to make something clear: this is an absolutely lame way to obfuscate your code. I guess some antivirus, IDS or other kind of security scanner may fail to properly analyze the code if it’s encoded like this, but you can’t really fool a human.

Anyway, it was fun 🙂 and that’s my main motivation to write this blog in the first place, soooo… here it is! A Python source code obfuscator that uses ROT13.

How does it work? Simply put, by misusing the Python source encodings feature. I stumbled upon this idea while reading a thread in Stack Overflow. Python allows us to use any supported form of text encoding for our source code, by placing a magic comment in either the first or second line of the script:

    #!/usr/bin/env python
    # -*- coding: <codec-name-goes-here> -*-

This is useful, for example, to use UTF-8 and other encodings that allow non-English characters. But Python also has some other fun encodings, like ROT13 (the ancient Roman empire encryption system). The following snippet from Stack Overflow shows how to do it:

    #!/usr/bin/env python
    # -*- coding: rot13 -*-

    cevag "Uryyb fgnpxbiresybj!".rapbqr("rot13")

The only caveat is, ASCII strings are not decoded when you run the script, so you have to do it yourself. Unicode strings on the other hand are decoded automatically.

    #!/usr/bin/env python
    # -*- coding: rot13 -*-

    cevag h"Uryyb fgnpxbiresybj!"

There are some other fun encodings like “base64”, “uuencode”, “zlib” or “bz2” that you can experiment with too. If you try them let me know how it went. 🙂

I wrote a quick script to use the ROT13 trick. Naturally the source code itself is also encoded in ROT13; decoding it is left as an exercise for the reader. Enjoy!
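Since the post notes that a scanner might fail to look past the coding cookie, here is the other side of the trick as an added Python 3 example (not the post’s rot13src.py): detect a PEP 263 cookie the way the tokenizer does, flag cookies that name something other than a plain text encoding, recover the readable source, and confirm that Python 3 refuses to compile such a file at all. The rot13 sample is the snippet from the post; the base64 sample, and the assumption that only the lines after the cookie are encoded for the bytes-to-bytes codecs, are mine.

```python
import codecs
import re

# PEP 263 coding cookie, matched the way the CPython tokenizer does (line 1 or 2 only).
CODING_RE = re.compile(rb"^[ \t\f]*#.*?coding[:=][ \t]*([-_.a-zA-Z0-9]+)")

# Encodings you expect to see declared in ordinary source files.
ORDINARY = {"utf-8", "utf8", "ascii", "latin-1", "latin1", "iso-8859-1", "cp1252"}

# Bytes-to-bytes codecs that codecs.decode() still accepts in Python 3.
BYTES_CODECS = {"base64", "base64_codec", "uu", "uu_codec", "zlib", "zlib_codec",
                "bz2", "bz2_codec", "hex", "hex_codec"}


def split_cookie(source):
    """Return (codec name or None, bytes after the cookie line). Only the first
    two lines count, and the second only if the first is blank or a comment."""
    lines = source.splitlines(keepends=True)
    for i, line in enumerate(lines[:2]):
        match = CODING_RE.match(line)
        if match:
            return match.group(1).decode("ascii").lower(), b"".join(lines[i + 1:])
        if line.strip() and not line.lstrip().startswith(b"#"):
            break
    return None, source


def detect_coding(source):
    return split_cookie(source)[0]


def is_suspicious_cookie(source):
    """True when the cookie names something other than a plain text encoding,
    which is exactly what this trick relies on."""
    codec = detect_coding(source)
    return codec is not None and codec not in ORDINARY


def decode_source(source):
    """Recover the readable source. Python 2 ran the whole file through the codec,
    so for rot13 the cookie line itself comes out garbled as well (harmless, it is
    a comment). For the bytes-to-bytes codecs only the part after the cookie line
    is decoded; that layout is my assumption, the post only suggests trying them."""
    codec, body = split_cookie(source)
    if codec is None or codec in ORDINARY:
        return source.decode(codec or "utf-8")
    if codec in ("rot13", "rot_13"):
        return codecs.decode(source.decode("latin-1"), "rot_13")
    if codec in BYTES_CODECS:
        return codecs.decode(body, codec).decode("utf-8")
    raise ValueError("unsupported source codec: %s" % codec)


def python3_accepts(source):
    """Python 3 only honours real text encodings in the cookie, so a rot13 file
    fails to compile at all; this returns False in that case."""
    try:
        compile(source, "<sample>", "exec")
    except (SyntaxError, LookupError, ValueError):
        return False
    return True


# Constructed samples: the post's rot13 snippet, and a base64 variant of the same idea.
ROT13_SAMPLE = (b"#!/usr/bin/env python\n"
                b"# -*- coding: rot13 -*-\n"
                b"\n"
                b'cevag h"Uryyb fgnpxbiresybj!"\n')
BASE64_SAMPLE = b"# -*- coding: base64 -*-\n" + codecs.encode(b"print('hi')\n", "base64")
```

The practical takeaway for anyone reviewing code: a cookie that is not a text encoding is a reliable signal on its own, and the trick is a Python 2 artefact, since Python 3 only lets text encodings through the source-decoding path.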

Download

Source code: rot13src.py

January 5, 2009

Topo Facts!

Filed under: Just for fun — Mario Vilas @ 10:37 pm

WARNING: Inner jokes, just skip ahead to read the next post please 😉

Here they are, the infamous Topo Facts!

  • Topo can own your box by just staring at the monitor screen.
  • Topo never did his homework as a kid. He had a botnet to do it for him.
  • When Topo needs some ice for his whisky, there’s a hailstorm in Buenos Aires.
  • Topo taught Don Corleone all he knows.
  • Topo knows the Meaning of Life, the Universe and Everything, but he refuses to share it. He says the world is not ready for that knowledge yet.
  • When Mankind reached the Moon, there was a Topo flag there already.
  • Topo never pays his bills. It’s the governments of the world that pay him.
  • God created the Universe in one week. Topo created God one boring Sunday afternoon after he ran out of mate and biscuits.
  • Topo can walk under the rain without getting wet. Raindrops are just too scared of touching him.
  • Topo built the Pyramids one day he was playing soccer and needed something to mark the goals.
  • No, Elvis is not dead. He just went home… to Topo’s home.
  • Topo was the real cause of the end of the Cold War. He wanted to make a garage sale with all his nuclear submarines.
  • Topo taught Maradona how to play soccer, because he felt sorry to see the poor guy play so bad.
  • Topo can tell the difference between modern art and pop subculture with just one glance.
  • Topo can calculate the integral of e ^ (t ^ 2) dt in his head.
  • Topo doesn’t sign NDAs to corporations. Corporations sign NDAs to him.
  • Clippo never dares to pop up when Topo uses MS Word.
  • When the Third World War comes, the only survivors will be roaches and Topo.
  • Topo coded DOS in five minutes but didn’t like it, so he gave it away to some guy named Bill… Doors or something.
  • When Mankind reached the Moon, besides the Topo flag, there was also a post-it saying “NASA, don’t leave your shit here. Topo”. Since they disobeyed, flights to the Moon were canceled decades ago.
  • Chuck Norris was jealous of Topo and stole some of his Facts.
  • Secret x86 instructions inserted by Topo:
    JT: Jump if Topo
    TTS: Test if Topo, then Surrender
    HLTN: HALT, Topo is Near
    SPT: Send Password to Topo
    CRS: Call Russian Submarine
    SCTR: Store Credit Card in Topo Register
    AYBABTT: All Your Base Are Belong To Topo

Credits go to the cool people at Core. But only the cool ones… you know who you are. 🙂

November 29, 2008

Ouroboros.py

Filed under: Just for fun — Mario Vilas @ 2:41 am

This is a little nonsense I just wrote after reading the Wikipedia entry for Ouroboros. Turns out this kind of program already has a name too: quine.

In this case it’s a Python script that uses InlineEgg to generate an ELF32 binary that generates a Python script that uses InlineEgg to generate an ELF32 binary that generates a Python script that uses InlineEgg to… well, you get the point. 🙂

Yeah, I know this is not really about computer security, but what the hell. It’s got Python and shellcode somewhere anyway.

A real Ouroboros!

Ouroboros.py

    #!/usr/bin/python

    from sys import argv, stdout
    from inlineegg.inlineegg import InlineEgg, Linuxx86Syscall
    from inlineegg.exelib import Elf32Program

    # Read this very script's own source text
    script = open(argv[0], 'r').read()
    # Build shellcode that write()s the source to stdout and then exit()s
    egg = InlineEgg(Linuxx86Syscall)
    egg.write(1, script, len(script))
    egg.exit(0)
    # Wrap the shellcode in an ELF32 i386 executable and emit it
    prg = Elf32Program()
    prg.arch = prg.ARCH_I386
    prg.addCode(str(egg))
    stdout.write(prg.bytes())

November 28, 2008

Hello world!

Filed under: Just for fun — Mario Vilas @ 2:01 am

Hello there, welcome to my blog. I’ll begin with some useless welcome post, like most blogs do 🙂 and make it worse with an incredibly nerdy thing to do:

31 db 43 68 21 0a 00 00
68 6f 72 6c 64 68 6f 2c
20 77 68 48 65 6c 6c 89
e1 6a 0e 5a 6a 04 58 cd
80 31 db 31 c0 40 cd 80

Nope, it’s not a Cthulhu chant in some strange and ancient Unicode encoding. I admit it might have been though – we all know Unicode is evil.

No… It’s nothing but a… green-and-black Matrix themed “Hello World” Linux shellcode! 😀
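The Ouroboros post above wraps shellcode in an ELF32 with InlineEgg’s Elf32Program, and this post shows a raw “Hello World” payload. As an added example serving both, here is a Python 3 script, not InlineEgg and not code from the blog, that reads back the bytes from the hex dump above, walks the handful of opcodes it uses to recover the string its pushes build on the stack, and wraps the code in the smallest well-formed ELF32 executable (one ELF header, one read+execute PT_LOAD segment, no section headers). The ELF field layout follows the ELF32 specification; the base address 0x08048000 is the traditional i386 ET_EXEC load address and is my choice.

```python
import struct

# The 40 bytes from the "Hello world!" post, exactly as printed there.
HELLO_HEXDUMP = """
31 db 43 68 21 0a 00 00
68 6f 72 6c 64 68 6f 2c
20 77 68 48 65 6c 6c 89
e1 6a 0e 5a 6a 04 58 cd
80 31 db 31 c0 40 cd 80
"""

# Instruction lengths for the handful of opcodes this payload uses; enough to
# walk it, nowhere near a disassembler.
OPCODE_LEN = {0x31: 2, 0x89: 2, 0xcd: 2, 0x40: 1, 0x43: 1, 0x58: 1, 0x5a: 1,
              0x68: 5, 0x6a: 2}

BASE_VADDR = 0x08048000          # traditional i386 ET_EXEC load address (my choice)
EHDR_SIZE, PHDR_SIZE = 52, 32    # sizeof(Elf32_Ehdr), sizeof(Elf32_Phdr)


def parse_hexdump(text):
    """Turn the post's space-separated hex dump into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def stack_string(code):
    """Walk the code and rebuild what its PUSH imm32 sequence leaves on the
    stack. The stack grows downward, so the bytes read in reverse push order."""
    pushes, i = [], 0
    while i < len(code):
        op = code[i]
        if op not in OPCODE_LEN:
            raise ValueError("opcode 0x%02x at offset %d not handled" % (op, i))
        if op == 0x68:
            pushes.append(code[i + 1:i + 5])
        i += OPCODE_LEN[op]
    return b"".join(reversed(pushes))


def build_elf32(code, base=BASE_VADDR):
    """Wrap raw i386 code in the smallest well-formed ELF32 executable: one ELF
    header, one PT_LOAD segment mapping the whole file read+execute (never
    writable), and the entry point right after the headers. No section headers;
    the loader does not need them."""
    entry = base + EHDR_SIZE + PHDR_SIZE
    total = EHDR_SIZE + PHDR_SIZE + len(code)
    # e_ident: magic, ELFCLASS32, ELFDATA2LSB, EV_CURRENT, ELFOSABI_SYSV, padding
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2,          # e_type      ET_EXEC
        3,          # e_machine   EM_386
        1,          # e_version
        entry,      # e_entry
        EHDR_SIZE,  # e_phoff     program headers follow the ELF header
        0,          # e_shoff     no section headers
        0,          # e_flags
        EHDR_SIZE,  # e_ehsize
        PHDR_SIZE,  # e_phentsize
        1,          # e_phnum
        0, 0, 0)    # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack(
        "<IIIIIIII",
        1,          # p_type   PT_LOAD
        0,          # p_offset map from the start of the file
        base,       # p_vaddr
        base,       # p_paddr
        total,      # p_filesz
        total,      # p_memsz
        5,          # p_flags  PF_R | PF_X
        0x1000)     # p_align
    return ehdr + phdr + code


def describe_elf32(blob):
    """Read back (e_type, e_machine, e_entry, e_phnum) to sanity-check the output."""
    e_type, e_machine, _, e_entry = struct.unpack_from("<HHII", blob, 16)
    (e_phnum,) = struct.unpack_from("<H", blob, 44)
    return e_type, e_machine, e_entry, e_phnum


if __name__ == "__main__":
    code = parse_hexdump(HELLO_HEXDUMP)
    print("stack string:", stack_string(code))
    with open("hello_elf32", "wb") as out:
        out.write(build_elf32(code))
```

Running the script writes hello_elf32; after chmod +x it prints “Hello, world!” on a Linux host that still accepts 32-bit int 0x80 system calls. The stack_string() walk is the quickest way to confirm that claim without executing anything: the four pushes assemble “Hell”, “o, w”, “orld” and “!\n” plus two NUL bytes, and the push 14 / pop edx pair before the write call is the length of the visible text.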
