On the last episode of Hacking Livestream (#10: Medium-hard RE challenge - see below) I've shown how to approach a medium-hard reverse-engineering challenge. The example I used was the oxfoo1m3 challenge found in the "Level5-professional_problem_to_solve" directory of crackmes.de archive (this one), which I picked using such complex criteria as "something that runs on Ubuntu" and "something 32-bit so people with the free version of IDA can open it". As expected (and defensively mentioned several time during the stream), I was not able to complete this challenge during the livestream itself (which is only one hour, and that includes news and updates, and Q&A). However I did finish the task two days ago. It turned out I was close to the goal - took only around 30 minutes of additional work (which makes me wonder if Level5 is actually close to an RE300 challenge; probably it's closer to RE200). Anyway, here is the promised part 2 of the solution.
Note 1: While I'll write down a short recap of the initial steps and discoveries, please take a look at the recording of the episode #10 for details (crackme starts at 15m40s). If you've already seen it, just jump to part 2 in the second half of this post.
Note 2: Since this post is meant to have some education value I'll assume that the readers have only basic knowledge on RE techniques, and therefore I'll try to be verbose on some topics which are most likely well known amongst the more senior folks.
Dragon Sector zakończył sezon 2016 na drugim miejscu - czyli udało nam się powtórzyć rezultat z 2015 :). Trochę więcej rozpisałem się kilka dni temu na moim FB, więc wspomnę jedynie, że na piątym miejscu sezon zakończył inny polski zespół - p4 - gratulacje!
Wyszedł Sekurak/Offline #3, czyli darmowy e-zin o bezpieczeństwie (głównie webowym) prowadzony przez ekipę serwisu sekurak.pl. Link do linków ;)
Na ten moment tyle. "Słoniem w pokoju", jak to lubią mawiać nasi zachodni znajomi, jest pytanie kiedy kolejny stream - prawdopodobnie dopiero w następnym tygodniu, ale jeszcze zobaczymy jak wyjdzie.
Adobe Reader 9.5.1 and 10.1.3 multiple vulnerabilities - 62 unique crashes, from that 31 trivially exploitable and 9 more potentially exploitable, 11 CVE's assigned (CVE-2012-4149 to CVE-2012-4160). Some of these bugs were fixed for Windows and OSX releases of Adobe Reader in APSB12-16.
Contributed to discovery of multiple low-to-high vulnerabilities in Google Chrome (CVE-2012-2851, CVE-2012-2855, CVE-2012-2856, CVE-2012-2862, CVE-2012-2863 and some other) - some of these were mentioned in this post.
A lot of bugs in ffmpeg and libav which resulted in 892 (sic!) patches in ffmpeg and 299 patches in libav (CVE-2011-3930 to CVE-2011-3952 and some other).
Mozilla Firefox 18.104.22.168 and Opera 9.50 information leak, also midly affected Safair, Konqueror and some other products (CVE-2007-6524, CVE-2008-0420, CVE-2008-0894, CVE-2008-1573). A demo video is also available.
PiXieServ is a simplified PXE (network boot) server for Windows and Linux-based OS, created for testing of very small home-made OS. See also the post about it.
ExcpHook, a system-wide exception monitor for Windows XP 32-bit. Useful if you're fuzzing something that doesn't like having a debugger attached.
Ent is an entropy measuring tool for reverse engineering reconnaissance (see also a post explaining how to use it).
HiperDrop is a simple command line process memory dumper for Windows, with a few different work modes.
asmloader - this little app executes headerless machine code (compiled assembly code). It's meant to be an aid in learning/teaching and playing with assembly, as well as the right tool when you just need to execute some machine code.
NetSock is a simple socket/networking lib/wrapper for C++ I've wrote back in 2003 and update from time to time - I use it for most of my network-enabled projects.