I'm a big fan of education...a Master's will help you with some of the soft skills at the executive level of companies. I've found that people with undergraduate and graduate degrees are better at client deliverables and generally getting stuff done.
If you want to do vulnerability research, I'd recommend Reverse Engineering malware now...you don't need a degree for this. Check out Ghidra: https://ghidra-sre.org
Honestly, VBox and VMware take care of most of that for you. That's the beauty of it. The only things I can really think of to double check are: your client's network is unattached, USB for the client is disabled, you DO NOT have a shared folder set up, and (I can't stress this part enough) don't run malware with a sandbox escape for your desired virtualization software. Most of those are in your general client machine settings.
Also take a snapshot of your client in the event that, you know, it gets nuked.
I recommend SIFT or good ole Kali for the client. And if you rock with SIFT, pretty sure they have a .ova for you to import, so no real need to mess with settings.
Most of all, do your research on your malware and be smart about it. If you're looking at a network worm, keep client off network. If you're looking at ransomware, take a snapshot and keep it out of your host file system. Just use some common sense and you should be good.
PS. Gotta plug for Ghidra cause it's free and doesn't require a license
Edit: Go nuts https://www.malwaretech.com/2017/11/creating-a-simple-free-malware-analysis-environment.html
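As an added example (not from the post above), here is a small checker for the VirtualBox settings the post lists. It parses the key="value" lines printed by `VBoxManage showvminfo <vm> --machinereadable` and flags attached NICs, enabled USB controllers, shared folders, and clipboard/drag-and-drop sharing. The key names are as I remember them from VirtualBox 6.x output and are an assumption; compare against your own `showvminfo` output. The sample output at the bottom is constructed, not captured from a real VM.

```python
"""Sanity-check a VirtualBox guest before running malware in it.

Added example, not from the original thread.  Parses the output of
`VBoxManage showvminfo <vm> --machinereadable` and reports settings that
give the guest a path back to the host or the network.  Key names are an
assumption based on VirtualBox 6.x; verify them on your install.
"""
import re
import subprocess

KV_RE = re.compile(r'^([A-Za-z0-9_\-]+)=(?:"(.*)"|(.*))$')

def parse_showvminfo(text):
    """Return {key: value} from --machinereadable output (quotes stripped)."""
    cfg = {}
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if m:
            cfg[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return cfg

def isolation_findings(cfg):
    """Human-readable problems; an empty list means the VM looks isolated."""
    findings = []
    # nicN="none" means no adapter at all.  nat/bridged/hostonly/intnet all give
    # the guest a path somewhere; host-only/internal may be deliberate for a
    # fake-network setup, so they are reported rather than silently accepted.
    for k, v in sorted(cfg.items()):
        if re.fullmatch(r"nic\d+", k) and v != "none":
            findings.append(f"{k} is attached ({v}); detach it unless the isolated network is intentional")
    for ctl in ("usb", "ehci", "xhci"):
        if cfg.get(ctl) == "on":
            findings.append(f"USB controller '{ctl}' is enabled; disable it so nothing can be passed through")
    for k, v in sorted(cfg.items()):
        if k.startswith("SharedFolderPathMachineMapping"):
            findings.append(f"shared folder mapped to host path {v}; remove it")
    if cfg.get("clipboard", "disabled") != "disabled":
        findings.append(f"clipboard sharing is {cfg['clipboard']}; set it to disabled")
    if cfg.get("draganddrop", "disabled") != "disabled":
        findings.append(f"drag-and-drop is {cfg['draganddrop']}; set it to disabled")
    return findings

def check_vm(name):
    """Run VBoxManage against a real VM (needs VirtualBox installed)."""
    out = subprocess.run(["VBoxManage", "showvminfo", name, "--machinereadable"],
                         check=True, capture_output=True, text=True).stdout
    return isolation_findings(parse_showvminfo(out))

# Constructed sample output, not captured from a real machine.
SAMPLE_BAD = '''name="malware-lab"
nic1="nat"
nic2="none"
usb="on"
ehci="off"
clipboard="bidirectional"
draganddrop="disabled"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="/home/analyst/samples"
'''

SAMPLE_GOOD = '''name="malware-lab"
nic1="none"
usb="off"
ehci="off"
xhci="off"
clipboard="disabled"
draganddrop="disabled"
'''

if __name__ == "__main__":
    for f in isolation_findings(parse_showvminfo(SAMPLE_BAD)):
        print("WARN:", f)
```

Run `check_vm("malware-lab")` against a real guest once it is configured, and take the snapshot the post recommends with `VBoxManage snapshot "malware-lab" take clean` before detonating anything.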
The only way to get it back is to decompile it. The 2 big ones are ghidra and ida pro. Ghidra is free and ida pro will run you a couple grand. It’s a very long and complicated process that is going to be really painful.
For the future I would suggest offsite version control like git.
You can use a program like Ghidra to decompile a piece of software and reconstruct the source code it was built from. I don’t know exactly how OP did it, but that’s the main way I’m familiar with.
> You can get the free version of IDA Pro 5 from Scummvm's site
There's also the NSA's Ghidra. I'm not positive it will work for real 16-bit executable files, but with a little effort I think I may have produced a .com file using NASM, and Ghidra did open it and with some manual instruction was able to disassemble the two instructions I put into it.
Learn a bit of PowerPC assembly then use something like Ghidra or IDA to disassemble the game looking for timing functions to patch.
> I can send you the link from the apple website if you want
What's in it for me?
There's plenty tools, quite literally an endless list, like Ghidra, Process Explorer, Process Monitor etc. etc. that can help you figure out what's going on. You don't need anyone for that.
This is amazing! Tons of wealthy and very useful information that is very helpful for anyone. Thank you so much for this very detailed post.
I should have bought plane ticket to Defcon early this year. I forgot about it. I'm sure the airfare at this time is higher. I'm going to look for local meetups.
I forgot to mention, I sometimes join local OWASP meetups where we do CTF. It is really fun! :) I'll definitely ask if they've presented to a local OWASP meetup before. I'll subscribe to OWASPGLOBAL you linked above.
I'll definitely check the Network Break Podcast as well as ghidra-sre.org.
Thank you so much! :)
Are you trying to install Ghidra for one user, or Ghidra server for multi user collaboration?
That link is for the latter. For the former just download the release zip from https://ghidra-sre.org/.
If you find an application compiled from a typical programming language like C, Rust or Swift easy (or difficult) to reverse (Ghidra is an amazing tool), then AOT-compiled Dart will be as easy (or as difficult) to reverse, I guess. It might be a bit more difficult for a UI-heavy application because you don't have as many hooks as with an application that uses native libraries: you can't find the code that creates windows, buttons or input fields as easily by just looking for library calls.
Well, sometimes. Like this is a site owned by the NSA that’s a .org for their open-source reverse engineering software they released recently to get some goodwill in the hacking community.
Last time I used it, Python had the dis module. It was nice and allowed me to recreate proprietary code that was filled with bugs: https://docs.python.org/3/library/dis.html
For C++ you have IDEA which is expensive, or https://ghidra-sre.org/ which seems nice and is free.
For Java you had jad, but it died or something.
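As an added example (not from the post above), this is how the dis module gets used for the "recreate proprietary code" job: walk a code object (for example one unmarshalled from a .pyc), and list per function the global/attribute names it touches and its string constants, without executing anything. Names and literals survive compilation verbatim, so this is the first inventory you make before reconstructing control flow. The sample source is constructed for the demo.

```python
"""Inventory compiled Python code with the dis module.

Added example, not from the original thread.  inventory() walks a code
object and its nested code objects; load_pyc() shows how to get a code
object out of a .pyc (16-byte header since Python 3.7, then marshal data).
"""
import dis
import marshal
import types

LOADS = ("LOAD_GLOBAL", "LOAD_NAME", "LOAD_ATTR", "LOAD_METHOD")
# RETURN_CONST exists on 3.12/3.13 and carries string returns directly.
CONSTS = ("LOAD_CONST", "RETURN_CONST")

def inventory(code, prefix=""):
    """Map qualified name -> {'names': [...], 'strings': [...]}, recursing into nested code."""
    qual = prefix + code.co_name
    names, strings = [], []
    for ins in dis.get_instructions(code):
        if ins.opname in LOADS and ins.argval not in names:
            names.append(ins.argval)
        elif ins.opname in CONSTS and isinstance(ins.argval, str) and ins.argval not in strings:
            strings.append(ins.argval)
    result = {qual: {"names": names, "strings": strings}}
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            result.update(inventory(const, qual + "."))
    return result

def load_pyc(path):
    """Return the module code object from a CPython >= 3.7 .pyc file."""
    with open(path, "rb") as f:
        data = f.read()
    # 4-byte magic, 4-byte flags, 8 bytes of mtime+size or source hash.
    return marshal.loads(data[16:])

# Constructed stand-in for a proprietary module; compile() gives the same
# kind of code object that load_pyc() would return.
SAMPLE_SRC = '''
import hashlib
def check_license(key):
    digest = hashlib.sha256(key.encode()).hexdigest()
    if digest.startswith("ab12"):
        return "valid"
    return "invalid"
'''

def inventory_source(src):
    return inventory(compile(src, "<proprietary>", "exec"))

if __name__ == "__main__":
    for name, info in inventory_source(SAMPLE_SRC).items():
        print(name, info)
```

Pair the inventory with `dis.dis(code)` on the interesting function: the names tell you which library calls to read up on, and the string constants tell you which branches matter, which is most of what a decompiler gives you for a small module anyway.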
True, but that's also totally different from the perspective of someone used to decompiling. That's not my expertise, but still there are dedicated tools and a community with progressing research for that specific purpose, so I'd be very cautious about saying what can't be done based on what I know about my own limits. Tools like Ghidra https://ghidra-sre.org or events like the Chaos Communication Congress or DEFCON show that the perspective changes everything. It's very, very different to hide against someone who knows what they are actually looking for.
Sure. There is Doldrums for example. And I don't know whether there's a plugin for Ghidra yet, but you could use it to analyse "normal" mobile apps.
> Umm that’s also not true in regards they’ve never been caught with their hand in the cookie jar.
I... didn't say that? Just that within the report from the UK intelligence agencies checking on their 5G hardware, "CCP backdoors" were not the issue reported.
> Their products (maybe not every single one) are spyware.
Yes. Precisely. That is my point. That "not every single one" line. That. Right. There.
The NSA is a spy agency that routinely spies on American citizens. They also released Ghidra, one of the best programs out there for reverse-engineering other programs - exactly the opposite of what the NSA would want you to do! - and it's open sourced, with no backdoors in it.
A group doing something shady once does not mean all their products are shady. The products should be evaluated on their own merit, rather than what they're associated with. That is literally all I have been saying in this entire thread.
Also, real weird choice to cite Epoch Times, the news outlet for a far-right reactionary cult, just sayin'.
The code is not really encrypted. Usually you end up with binaries, which is just a translation of the code into a more machine-friendly language. You basically still have the code, but it's unreadable for humans.
There are tools to make sense out of all this stuff... tools like Ghidra or other reverse engineering tools make it possible to see what is going on in compiled programs.
Sorry for taking so long to reply.
The tool I used for reverse engineering is Ghidra. The reverse engineering centered around the ovr_getInputState function, with the contents of the data structure it returns being in that link. It is fairly easy to find the function's assembly code in the Oculus runtime DLL (I forgot exactly which file) as it is exported with a corresponding name.
I currently don't have access to the reverse engineering files/project I had, but the structure returned is an aligned 120 byte structure. The size of the input state contents are 8 bytes for doubles, 4 bytes for integers, 4 bytes for floats and 8 bytes for ovrVector2f (as it is a struct of two floats). The order of the contents of the structure in memory are identical to the order in which it is presented in the documentation.
I am unsure if modifying the function to have it overwrite the smoothed data with the raw data before it returns is a viable method of solving the problem, but if it is then that would likely be the easiest. Otherwise you would need to follow the code further down and find out how the smoothing is implemented in the first place in order to remove it.
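As an added example (not from the post above and not Oculus SDK code), here is the layout arithmetic behind the "aligned 120-byte structure" claim, plus a byte-level sketch of the "overwrite the smoothed data with the raw data" idea. The post only gives the primitive sizes and the total; the field names and their order below are my recollection of the public OVR_CAPI.h `ovrInputState` definition and are an assumption to check against your SDK headers. Alignment follows the usual x86-64 C rules: each field aligned to its natural size, the struct padded to a multiple of the largest alignment. With those fields the arithmetic lands on exactly 120 bytes.

```python
"""Reconstruct a C struct layout from field types and work on it by offset.

Added example, not from the original thread.  FIELDS is an assumption
(my recollection of ovrInputState); layout() is the general natural-
alignment computation you do when matching Ghidra's view of a struct to
documentation, and offset_of()/read_field() are what you then use.
"""
import struct

# base type -> (size and alignment, struct format char)
PRIMS = {"double": (8, "d"), "u32": (4, "I"), "i32": (4, "i"), "float": (4, "f")}

# (name, base type, element count); ovrVector2f[2] is four floats.
FIELDS = [
    ("TimeInSeconds", "double", 1),
    ("Buttons", "u32", 1),
    ("Touches", "u32", 1),
    ("IndexTrigger", "float", 2),
    ("HandTrigger", "float", 2),
    ("Thumbstick", "float", 4),
    ("ControllerType", "i32", 1),
    ("IndexTriggerNoDeadzone", "float", 2),
    ("HandTriggerNoDeadzone", "float", 2),
    ("ThumbstickNoDeadzone", "float", 4),
    ("IndexTriggerRaw", "float", 2),
    ("HandTriggerRaw", "float", 2),
    ("ThumbstickRaw", "float", 4),
]

def layout(fields=FIELDS):
    """Return ({name: (offset, fmt, count)}, total_size) with natural alignment."""
    off, max_align, out = 0, 1, {}
    for name, ty, count in fields:
        size, fmt = PRIMS[ty]
        off = (off + size - 1) // size * size        # align to the element size
        out[name] = (off, fmt, count)
        off += size * count
        max_align = max(max_align, size)
    total = (off + max_align - 1) // max_align * max_align  # tail padding
    return out, total

def offset_of(name):
    return layout()[0][name][0]

def read_field(buf, name):
    off, fmt, count = layout()[0][name]
    return struct.unpack_from("<" + fmt * count, buf, off)

def raw_over_smoothed(buf):
    """Copy each *Raw field over its processed counterpart; returns a new buffer."""
    fl, total = layout()
    assert len(buf) == total
    out = bytearray(buf)
    for raw in ("IndexTriggerRaw", "HandTriggerRaw", "ThumbstickRaw"):
        processed = raw[:-len("Raw")]
        roff, fmt, count = fl[raw]
        n = struct.calcsize(fmt) * count
        soff = fl[processed][0]
        out[soff:soff + n] = buf[roff:roff + n]
    return bytes(out)

def pack_sample():
    """Constructed 120-byte state: processed trigger differs from raw."""
    fl, total = layout()
    buf = bytearray(total)
    for name, vals in {"TimeInSeconds": (1.5,),
                       "IndexTrigger": (0.5, 0.5),
                       "IndexTriggerRaw": (0.9, 0.1)}.items():
        off, fmt, count = fl[name]
        struct.pack_into("<" + fmt * count, buf, off, *vals)
    return bytes(buf)

if __name__ == "__main__":
    fl, total = layout()
    for name, (off, fmt, count) in fl.items():
        print(f"{off:4d}  {name} ({fmt}x{count})")
    print("sizeof =", total)
```

The same `raw_over_smoothed` copy expressed as a patch at the end of `ovr_getInputState` would be three small memcpy-equivalents at the offsets `layout()` prints; the point of computing them rather than eyeballing the decompiler is that an off-by-four in the offset silently lands you in the wrong hand's data.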
Ensure you have Java 11, no older, no newer. You must use Java 11. It also must be the JDK (i.e., you need to have 'javac' sitting next to 'java').
If you need to, you can point it at a specific JAVA_HOME in case you want to just extract AWS Corretto 11 into a directory and not use Java 11 for your whole system. Works flawlessly for me.
Note in the document the small section starting with "In some cases, you may want Ghidra to launch with a specific version of Java instead of the version that Ghidra automatically locates" - I recommend you this method.
The only official sites are ghidra-sre.org and the GitHub page. I really wish they'd host their docs on their site since there is clearly a demand for it, but unfortunately they don't.
Using tools like Ghidra or IDA that take a program and help with figuring it out how they work. They give you a best guess of what the original code used to make the bit you're looking at was, so it's not just a pile of hex numbers anymore...
In this case, opening it up and searching for references to "AuthenticAMD" will find the relevant code for you.
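As an added example (not from the post above), a caveat on the "search for AuthenticAMD" step: that finds the case where the program compares against a string literal, but code that reads CPUID leaf 0 directly often compares EBX, EDX and ECX against little-endian dword immediates ('Auth', 'enti', 'cAMD'), so the twelve bytes never appear contiguously and a string search misses them. The snippet below scans a blob for both forms and returns offsets you can then look up in Ghidra's listing or feed to its scalar search. The sample bytes are constructed, not taken from a real binary.

```python
"""Locate CPU vendor checks in a binary, as strings or as CPUID immediates.

Added example, not from the original thread.  CPUID leaf 0 returns the
vendor string in EBX, EDX, ECX (in that order), so a direct check looks
like `cmp ebx, 0x68747541` rather than a contiguous "AuthenticAMD".
"""
import struct

VENDORS = ["AuthenticAMD", "GenuineIntel"]

def vendor_immediates(vendor):
    """Split a 12-byte vendor string into the three dwords CPUID returns."""
    b = vendor.encode("ascii")
    assert len(b) == 12
    return [struct.unpack("<I", b[i:i + 4])[0] for i in (0, 4, 8)]

def find_all(blob, needle):
    """All (possibly overlapping) offsets of needle in blob."""
    hits, start = [], 0
    while True:
        i = blob.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1

def find_vendor_checks(blob):
    """{vendor: {'string': [offsets], 'immediates': {hex_dword: [offsets]}}}"""
    report = {}
    for v in VENDORS:
        imms = {}
        for imm in vendor_immediates(v):
            offs = find_all(blob, struct.pack("<I", imm))
            if offs:
                imms["0x%08x" % imm] = offs
        report[v] = {"string": find_all(blob, v.encode("ascii")), "immediates": imms}
    return report

# Constructed sample: a string literal in one place and cmp-with-immediate
# encodings (81 /7 id: cmp r/m32, imm32) elsewhere.  Not real program code.
SAMPLE = (
    b"\x00" * 16
    + b"AuthenticAMD\x00"
    + b"\x90" * 7
    + b"\x81\xfb" + struct.pack("<I", 0x68747541)   # cmp ebx, 'Auth'
    + b"\x81\xfa" + struct.pack("<I", 0x69746e65)   # cmp edx, 'enti'
    + b"\x81\xf9" + struct.pack("<I", 0x444d4163)   # cmp ecx, 'cAMD'
)

if __name__ == "__main__":
    for vendor, hits in find_vendor_checks(SAMPLE).items():
        print(vendor, hits)
```

Note that the string literal itself also matches the immediate scan (the dwords are consecutive inside it), so offsets that appear only in the immediate results are the ones worth a look at in the disassembly; on a real binary run it over the code section Ghidra shows rather than the whole file to keep the false positives down.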
Dan here: One suggestion would be the Flare VM from our FireEye friends: https://github.com/fireeye/flare-vm . It’s pretty good and really helpful for what you need. Regarding Cuckoo sandbox, it’s a good tool and I use it together with static analysis tools like IDA Pro or the free counterpart Ghidra, developed by NSA (https://ghidra-sre.org/).
Since IDA Pro is prohibitively expensive for someone trying to break into reverse engineering, I'd like to plug Ghidra as a zero-cost alternative!
...although I completely understand why it wouldn't be Kaspersky's favorite.
Also, the fatumbot app was apparently made by the original devs when they got into a conflict with the company: the company wanted to monetize it, while the devs wanted to keep it free with ads to support the team with expenses.
If you don't trust the app, you can back it up using a tool for that, e.g. Lucky Patcher, then copy it over to a PC and use apktool or something equivalent to extract it, then use Ghidra, which was made by the NSA, to reverse engineer it and look through the code.
Apktool: https://ibotpeaches.github.io/Apktool/install/
Ghidra: https://ghidra-sre.org/
Luckypatcher: https://www.luckypatchers.com/
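As an added example (not from the post above), a triage step between the "extract it" and "use Ghidra" parts: an APK is a zip, and what Ghidra can load from it is the classes*.dex files (Ghidra ships a DEX loader) and the native libraries under lib/<abi>/ (plain ELF). The script below inventories both and hashes the native libs, since that is where app logic hides from someone reading only decompiled Java/smali. The APK it builds is constructed in memory; no real app is involved.

```python
"""Triage an APK for what to hand to Ghidra: DEX files vs native libraries.

Added example, not from the original thread.  triage_apk() takes raw APK
bytes; build_sample_apk() fabricates a minimal APK-shaped zip for the demo.
"""
import hashlib
import io
import zipfile

def triage_apk(data):
    """Return {'dex': [...], 'native': {abi: [(libname, sha256)]}, 'manifest': bool}."""
    out = {"dex": [], "native": {}, "manifest": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            n = info.filename
            if n == "AndroidManifest.xml":
                out["manifest"] = True
            elif n.startswith("classes") and n.endswith(".dex") and "/" not in n:
                out["dex"].append(n)             # top-level classes.dex, classes2.dex, ...
            elif n.startswith("lib/") and n.endswith(".so"):
                parts = n.split("/")
                if len(parts) == 3:              # lib/<abi>/<name>.so
                    abi, name = parts[1], parts[2]
                    digest = hashlib.sha256(z.read(n)).hexdigest()
                    out["native"].setdefault(abi, []).append((name, digest))
    out["dex"].sort()
    return out

def build_sample_apk():
    """Constructed APK-shaped zip: two fake DEX files and one lib for two ABIs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
        z.writestr("classes2.dex", b"dex\n035\0" + b"\0" * 32)
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\0" * 60)
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF" + b"\0" * 60)
        z.writestr("res/layout/main.xml", b"")
    return buf.getvalue()

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    t = triage_apk(data)
    print("dex:", t["dex"])
    for abi, libs in t["native"].items():
        for name, digest in libs:
            print(f"native {abi}/{name} sha256={digest[:16]}...")
```

Run it as `python triage.py app.apk`; if it lists native libraries, pull them out (`unzip app.apk 'lib/*'`) and import the one for the ABI you care about into Ghidra as an ELF, alongside the DEX. Same sha256 across ABIs usually just means an identical placeholder; different hashes mean you have to pick the architecture the device actually runs.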
Please don't do anything illegal. Anyway, what is in the Main method that is listed there? Was that one successfully decompiled?
Also consider Ghidra as well if a .net decompiler isn't working for you. Note you'll need Java runtime for Ghidra. I'm not endorsing any shady stuff but if there is a legit bug that is where you want to start.
Just as a note, decompiling and patching is no joke. If you are a beginner to reverse engineering this could take dozens or more hours of labor, especially if the devs used obfuscation techniques (looks like they did).
He could use Ghidra to decompile it. Of course, Ghidra won't provide all the appropriate function or variable names, but if it's your code I'd expect you could still make sense of it with a little effort.
Sorry, but please observe Rules 1, 3, and 4:
As to your question - we cannot answer this accurately, but you have the Youtube channel of the creator. If you go into the file he provides for the game, it even has a README that states:
> If you encounter a bug, or just want to ask something, please send me an e-mail! :)
> E-mail:
Otherwise you can decompile the exe in Ghidra and either hope for some debug info left in, or check for fingerprints of a compiler. I took a really quick look - not Java or C#, no debug info so I'm just going to say C/C++ off the top of my head.
Decompilation is not exact, as much information is thrown away during compilation.
The best free tool for this is Ghidra. It is not easy to use as it is designed for experienced reverse engineers.
Thank you for the tip, I will change my code tomorrow to not print out the variables this way.
I tried disassembling the Rust code with Ghidra, but that all goes a little over my head and beyond the scope of the research.
Oh no, I haven't seen a whisper of Wacom's source on the Internet, and I had Googled for a lot of their code identifiers just in case I found some snippets, public libraries, or crash reports. I was expecting to at least run into a Stack Overflow question or two, but I guess these drivers were written before SO existed, lol.
I reverse-engineered it using IDA Pro (for debugging) and Ghidra (for decompilation).
A few comments:
First, Parrot OS would be a fine daily driver. They have two versions, I believe. One is just a privacy version, which is like any other distro but comes with a few additions to make things a bit more secure. The other version is their pen testing focused one, which has a ton of security tools pre-installed.
"Kali is not meant as a daily driver" is in my opinion false. Sure, out of the box it is not a good daily driver because it only gives you a root account, but it is easy to add another user account with lessened privileges. If you are new to Linux maybe it is not a good daily driver because it requires some additional configuration to make it more secure so you do not do stupid things while running as a root account.
Like others have said, any distro can run pen testing and reverse engineering tools. The distros that normally get recommended are that way because they come stock with said tools and you do not have to manually install them. Some may argue it is better to start with no tools and then slowly install them as you need them rather than having a huge toolbox without proper knowledge of each tool.
One tool you may want to look at for reverse engineering is Ghidra. The NSA released an open source version of their reverse engineering tool and it is pretty good considering it is free. There are a lot of videos on it that came out last year as well that should help give you a quick start into how to use it. There is an expensive tool called IDA Pro that is the gold standard and did not really have many competitors until Ghidra was released.
I poked on it for you.
You need to look at the decompiled ELF, after that it should be pretty easily discovered. I used Ghidra to load the passcode ELF. Jump into the 'main' function, and pay attention to the fgets variable, and what follows, as well as the specific 'if' check.
Have fun :)
$ ./passcode
Please enter your passcode: <numbers go here>
[ACCESS GRANTED]
This is software widely used in the cybersecurity field to reverse engineer software, so should be of interest to the RPISEC-types.
The educational version is better than the freeware edition as it supports IDAPython and ARM as well.
Likely in response to the NSA releasing Ghidra this month.
I agree with you there! Back when Wow was released I used a bot and it actually got me into cyber security!
I'll keep it brief, and if you have an IT background or Software Engineering I can link a few good resources. But to keep it less technical, most anticheats for MMOs are actually really non-intrusive, and it's not too hard to avoid detection. If we're talking about something like Honorbuddy, or something in the public eye, then it's really hard. But if you largely make your own stuff for fun and you learn the tips and tricks, you can do pretty well making some basic bots that won't be banned.
The basic tools of the trade are a debugger; x64dbg (https://x64dbg.com/#start) is a good versatile one to start with. I would then download https://ghidra-sre.org/ or hit the seven seas and become jiang ying in IDA. Ghidra is really new though and I don't have much experience with it, but it has a lot of good features and is FOSS.
If you're really interested, I suggest messing around with the Windows XP minesweeper on a guide like this: https://0x00sec.org/t/game-hacking-winxp-minesweeper/1266 (I haven't read this one specifically, but instead of OllyDbg use x64dbg).
And then another really easy practice would be to make an "undetected" cheat engine. That will send you down a decent noobie rabbit hole of some methods they use.
It's honestly not that hard, I know it looks scary, but it's just a bunch of big words for simple concepts. It's going to be hard without some base operating systems knowledge. If you don't know how to code, it might be more beneficial to mess around making some profiles for whatever bot you use.
Track the IPs of everyone who downloads it, maybe, to keep a list of people they might be worried about. Think about it: they made a GitHub page for it, but it's just some text files and a README. They say that the actual code is on a site called ghidra-sre.org. My conspiracy theory is that they did that on purpose so they can track who is downloading their tool, and from where.