برنامه کمکی: تولید سریال فایل: gen_serial.c
برای راحتی کار و تمرین یک برنامه C ساده که همون الگوریتم رو اجرا میکنه و سریال برای یک اسم میسازه
// gen_serial.c
// برنامه ساده برای تولید سریال بر اساس اسم
نحوه ساخت Build
با MinGW (در ویندوز):
برای hotspot_sim.c:
mwindows برای حذف پنجره کنسول و ساخت GUI
برای gen_serial.c:
با MSVC (Developer Command Prompt):
hotspot_sim.c:
cl /EHsc hotspot_sim.c user32.lib gdi32.lib
gen_serial.c:
cl /EHsc gen_serial.c
چجوری تست و استفاده کنید
داخل VM ویندوزی حتما VM و snapshot برای فایل hotspot_sim.exe رو اجرا کنید
اسم دلخواه بزنید مثلا Ali حالا یا سریال رو با gen_serial.exe Ali بسازید و در فیلد Serial پیست کنید یا داخل دیباگر تابع تولید رو اجرا و مقدار expected را بخونید
اگر سریال درست باشه MessageBox موفقیت نمایش میده
راهنمای کوتاه آنالیز در x64dbg / IDA
جستجوی رشتهها
: "Name:", "Serial:", "%04X-%04X-%04X", "Activate & Play" → رفرنسها معمولا توابع مهم رو نشون میدن
IsDebuggerPresent: breakpoint
روی IsDebuggerPresent یا آدرسی که اون رو صدا میزنه اگر 1 برگرده برنامه مسیر خطا رو میزنه
GetWindowTextA: breakpoint
بذارید تا مقدار name و serial رو داخل حافظه ببینید
ثابتها: جستجوی ثابتهای XOR (0xA5A5A5A5, 0x5A5A5A5A, 0x3C3C3C3C) یا قالب %04X-%04X-%04X شما رو به تابع تولید سریال میرسونه
مقایسه: breakpoint روی stricmp تا قبل از مقایسه دو بافر رو ببینید
MessageBoxA:
گذاشتن breakpoint اینجا سریع میگه کدوم شاخه اجرا شده موفق یا خطا
Auxiliary program: Serial generation File: gen_serial.c)
For convenience and practice, a simple C program that implements the same algorithm and creates a serial for a name
// gen_serial.c
// Simple program to generate serial based on name
برای راحتی کار و تمرین یک برنامه C ساده که همون الگوریتم رو اجرا میکنه و سریال برای یک اسم میسازه
// gen_serial.c
// برنامه ساده برای تولید سریال بر اساس اسم
#include <stdio.h>
#include <stdint.h>
#include <string.h>
// تولید سریال مثل gen_expected_serial در باینری
void gen_expected_serial(const char *name, char *out, size_t outlen)
{
uint64_t s = 0;
// s = s*31 + ch
for (size_t i = 0; i < strlen(name); ++i) {
unsigned char ch = (unsigned char)name[i];
s = s * 31 + ch;
}
unsigned g1 = (unsigned)((s ^ 0xA5A5A5A5ULL) & 0xFFFF);
unsigned g2 = (unsigned)(((s >> 3) ^ 0x5A5A5A5AULL) & 0xFFFF);
unsigned g3 = (unsigned)(((s << 7) ^ 0x3C3C3C3CULL) & 0xFFFF);
// فرمت AAAA-BBBB-CCCC (حروف بزرگ هگز)
snprintf(out, outlen, "%04X-%04X-%04X", g1, g2, g3);
}
int main(int argc, char **argv)
{
char name[256] = {0};
char serial[64] = {0};
if (argc >= 2) {
strncpy(name, argv[1], sizeof(name)-1);
} else {
printf("Enter name: ");
if (!fgets(name, sizeof(name), stdin)) return 1;
name[strcspn(name, "\r\n")] = 0;
}
if (strlen(name) == 0) {
fprintf(stderr, "Name is empty\n");
return 1;
}
gen_expected_serial(name, serial, sizeof(serial));
printf("Name: %s\nSerial: %s\n", name, serial);
return 0;
}
نحوه ساخت Build
با MinGW (در ویندوز):
برای hotspot_sim.c:
gcc hotspot_sim.c -o hotspot_sim.exe -mwindows
mwindows برای حذف پنجره کنسول و ساخت GUI
برای gen_serial.c:
gcc gen_serial.c -o gen_serial.exe
با MSVC (Developer Command Prompt):
hotspot_sim.c:
cl /EHsc hotspot_sim.c user32.lib gdi32.lib
gen_serial.c:
cl /EHsc gen_serial.c
چجوری تست و استفاده کنید
داخل VM ویندوزی حتما VM و snapshot برای فایل hotspot_sim.exe رو اجرا کنید
اسم دلخواه بزنید مثلا Ali حالا یا سریال رو با gen_serial.exe Ali بسازید و در فیلد Serial پیست کنید یا داخل دیباگر تابع تولید رو اجرا و مقدار expected را بخونید
اگر سریال درست باشه MessageBox موفقیت نمایش میده
راهنمای کوتاه آنالیز در x64dbg / IDA
جستجوی رشتهها
: "Name:", "Serial:", "%04X-%04X-%04X", "Activate & Play" → رفرنسها معمولا توابع مهم رو نشون میدن
IsDebuggerPresent: breakpoint
روی IsDebuggerPresent یا آدرسی که اون رو صدا میزنه اگر 1 برگرده برنامه مسیر خطا رو میزنه
GetWindowTextA: breakpoint
بذارید تا مقدار name و serial رو داخل حافظه ببینید
ثابتها: جستجوی ثابتهای XOR (0xA5A5A5A5, 0x5A5A5A5A, 0x3C3C3C3C) یا قالب %04X-%04X-%04X شما رو به تابع تولید سریال میرسونه
مقایسه: breakpoint روی stricmp تا قبل از مقایسه دو بافر رو ببینید
MessageBoxA:
گذاشتن breakpoint اینجا سریع میگه کدوم شاخه اجرا شده موفق یا خطا
Auxiliary program: Serial generation File: gen_serial.c)
For convenience and practice, a simple C program that implements the same algorithm and creates a serial for a name
// gen_serial.c
// Simple program to generate serial based on name
#include <stdio.h>
#include <stdint.h>
#include <string.h>
// Generate serial like gen_expected_serial in binary
void gen_expected_serial(const char *name, char *out, size_t outlen)
{
uint64_t s = 0;
// s = s*31 + ch
for (size_t i = 0; i < strlen(name); ++i) {
unsigned char ch = (unsigned char)name[i];
s = s * 31 + ch;
}
unsigned g1 = (unsigned)((s ^ 0xA5A5A5A5ULL) & 0xFFFF);
unsigned g2 = (unsigned)(((s >> 3) ^ 0x5A5A5A5AULL) & 0xFFFF);
unsigned g3 = (unsigned)(((s << 7) ^ 0x3C3C3C3CULL) & 0xFFFF);
// format AAAA-BBBB-CCCC (hex uppercase letters)
snprintf(out, outlen, "%04X-%04X-%04X", g1, g2, g3);
}
int main(int argc, char **argv)
{
char name[256] = {0};
char serial[64] = {0};
if (argc >= 2) {
strncpy(name, argv[1], sizeof(name)-1);
} else {
printf("Enter name: ");
if (!fgets(name, sizeof(name), stdin)) return 1;
name[strcspn(name, "\r\n")] = 0;
}
if (strlen(name) == 0) {
fprintf(stderr, "Name is empty\n");
return 1;
}
gen_expected_serial(name, serial, sizeof(serial));
printf("Name: %s\nSerial: %s\n", name, serial);
return 0;
}
❤1
How to Build
With MinGW (on Windows):
For hotspot_sim.c:
mwindows to remove the console window and build the GUI
For gen_serial.c:
With MSVC (Developer Command Prompt):
hotspot_sim.c:
cl /EHsc hotspot_sim.c user32.lib gdi32.lib
gen_serial.c:
cl /EHsc gen_serial.c
How to test and use
Inside a Windows VM, be sure to run the VM and snapshot for the hotspot_sim.exe file
Give it a name of your choice, for example Ali. Now either create the serial with gen_serial.exe Ali and paste it in the Serial field, or run the generation function inside the debugger and read the expected value
If the serial is correct, the MessageBox will display success
A short guide to analyzing in x64dbg / IDA
Search Strings
: "Name:", "Serial:", "%04X-%04X-%04X", "Activate & Play" → References usually indicate important functions
IsDebuggerPresent: breakpoint
On IsDebuggerPresent or the address that calls it, if it returns 1, the program will hit the error path
GetWindowTextA: breakpoint
Put it to see the value of name and serial in memory
Constants: Search for XOR constants (0xA5A5A5A5, 0x5A5A5A5A, 0x3C3C3C3C) or the pattern %04X-%04X-%04X will take you to the serial generation function
Comparison: breakpoint on stricmp to see the two buffers before comparing
MessageBoxA:
Putting a breakpoint here will quickly tell you which branch was executed successfully or failed
@reverseengine
With MinGW (on Windows):
For hotspot_sim.c:
gcc hotspot_sim.c -o hotspot_sim.exe -mwindows
mwindows to remove the console window and build the GUI
For gen_serial.c:
gcc gen_serial.c -o gen_serial.exe
With MSVC (Developer Command Prompt):
hotspot_sim.c:
cl /EHsc hotspot_sim.c user32.lib gdi32.lib
gen_serial.c:
cl /EHsc gen_serial.c
How to test and use
Inside a Windows VM, be sure to run the VM and snapshot for the hotspot_sim.exe file
Give it a name of your choice, for example Ali. Now either create the serial with gen_serial.exe Ali and paste it in the Serial field, or run the generation function inside the debugger and read the expected value
If the serial is correct, the MessageBox will display success
A short guide to analyzing in x64dbg / IDA
Search Strings
: "Name:", "Serial:", "%04X-%04X-%04X", "Activate & Play" → References usually indicate important functions
IsDebuggerPresent: breakpoint
On IsDebuggerPresent or the address that calls it, if it returns 1, the program will hit the error path
GetWindowTextA: breakpoint
Put it to see the value of name and serial in memory
Constants: Search for XOR constants (0xA5A5A5A5, 0x5A5A5A5A, 0x3C3C3C3C) or the pattern %04X-%04X-%04X will take you to the serial generation function
Comparison: breakpoint on stricmp to see the two buffers before comparing
MessageBoxA:
Putting a breakpoint here will quickly tell you which branch was executed successfully or failed
@reverseengine
❤1
تحلیل استفاده از ابزارهای RMM برا بایپس EDR در حملات گروه های باج افزاری Medusa و DragonForce
Analysis of the use of RMM tools to bypass EDR in Medusa and DragonForce ransomware attacks
https://zensec.co.uk/blog/how-rmm-abuse-fuelled-medusa-dragonforce-attacks
@FUZZ0x
Analysis of the use of RMM tools to bypass EDR in Medusa and DragonForce ransomware attacks
https://zensec.co.uk/blog/how-rmm-abuse-fuelled-medusa-dragonforce-attacks
@FUZZ0x
Zensec
How RMM abuse fuelled Medusa & DragonForce attacks - Zensec
If you are reading this because you have experienced a ransomware incident and are unsure how to deal with it, contact Zensec immediately.
❤1
Bootloader to Iris: A Security Teardown of a Hardware Wallet
https://hhj4ck.github.io/en/iris-wallet-security-teardown.html
@reverseengine
https://hhj4ck.github.io/en/iris-wallet-security-teardown.html
@reverseengine
Guanxing’s Blog
Bootloader to Iris: A Security Teardown of a Hardware Wallet
Recently, I got my hands on a hardware wallet that features iris recognition as a selling point. The novelty of the iris component sparked my curiosity, so I decided to take a deep dive into its implementation. Since the wallet’s hardware and software design…
❤1
Malware Development Evading Diaries
NTFS Files Attributes:
FuncIn
Code Cave
Stolen Certificate
Redirect Antivirus Website Evading Techniques:
Shortcut Hiding
Disabling Antivirus
Adding Antivirus Exception
Fake Signature
Mark-Of-The-Web (MOTW) Bypass
Return Address Spoofing
Runtime Function Decryption
DLL Unhooking
How DLL Unhooking works
Unhooking Strategies
Evasion Using Direct Syscalls
Key Aspects of This Technique
Operational Mechanis
Featured Windows APIs
Unloading Module With FreeLibrary
Operational Overview
Key Aspects of This Technique
Featured Windows APIs
References
@reverseengine
NTFS Files Attributes:
FuncIn
Code Cave
Stolen Certificate
Redirect Antivirus Website Evading Techniques:
Shortcut Hiding
Disabling Antivirus
Adding Antivirus Exception
Fake Signature
Mark-Of-The-Web (MOTW) Bypass
Return Address Spoofing
Runtime Function Decryption
DLL Unhooking
How DLL Unhooking works
Unhooking Strategies
Evasion Using Direct Syscalls
Key Aspects of This Technique
Operational Mechanis
Featured Windows APIs
Unloading Module With FreeLibrary
Operational Overview
Key Aspects of This Technique
Featured Windows APIs
References
@reverseengine
❤5
❤1
Reversing Microsoft Defender's Signatures for Evasion
https://retooling.io/blog/an-unexpected-journey-into-microsoft-defenders-signature-world
@reverseengine
https://retooling.io/blog/an-unexpected-journey-into-microsoft-defenders-signature-world
@reverseengine
❤1
Exploiting Windows Kernel
CVE-2023–28218
https://theori.io/blog/exploiting-windows-kernel-wild-copy-with-user-fault-handling-cve-2023-28218
@reverseengine
CVE-2023–28218
https://theori.io/blog/exploiting-windows-kernel-wild-copy-with-user-fault-handling-cve-2023-28218
@reverseengine
theori.io
Exploiting Windows Kernel Wild Copy With User Fault Handling (CVE-2023–28218) - Theori BLOG
At Hexacon 2023, we presented our Windows kernel security research, uncovering CVE-2023-28218, a heap overflow in afd.sys. Read our exploit analysis and methodology. | Vulnerability Research
❤1