Friday, May 22, 2020
How Block Chain Technology Can Help Fight Wuhan Corona Virus Outbreak
As the death toll and the infected cases of widespread coronavirus continue to increase, global organizations and the tech industry has come forward with technology like blockchain to fight coronavirus.
Along with the equipment and monetary support, technology also withstands against the virus with better plans and solutions. Hence, tech industries have started leveraging blockchain technology in the wake of a global health emergency.
Blockchain Helps In Real-Time Online Tracking
The Center for Systems Science and Engineering has already set up an online platform to track coronavirus and visualize the growing number of infected patients in real-time.
But Acoer, an Atlanta-based blockchain app developer, has also launched an alternative online data visualization tool to easily trail and depict the Cororanvirus outbreak using blockchain technology.
Acoer platform, named HashLog, is more advanced and clear as it pulls the data from the Hedera Hashgraph database using the HashLog data visualization engine.
Hedera Hashgraph is an immutable, transparent and decentralized database based on distributed ledger technology that provides synchronized and unchangeable data from the public networks.
Moreover, researchers, scientists, and journalists can use the HashLog dashboard to understand the spread of the virus and act against it swiftly.
For data sources, Johns Hopkins CSSE extracts data from WHO, CDC, ECDC, NHC, and DXY. On the other hand, Acoer maps the public data, including data from the Center for Disease Control (CDC) and the World Health Organization (WHO). Therefore, data may differ on both platforms.
Blockchain Can Help Monitor And Control Money Flow
To fight the further spread of the coronavirus (2019-nCoV) outbreak globally, China has also received abundant monetary support from the international community to create better action plans.
China's govt-led organization and charities are responsible for overseeing and utilizing the influx of money to research and generate a solution for coronavirus. But due to the lack of coordination and mismanagement among the various organization, money is not being laid out to curb the crisis.
Recently, a paper published by Syren Johnstone, from the University of Hong Kong, discusses the problems encountered by charities, in China and elsewhere. It argues that the present crisis should be seen as a call to arms.
Syren urges for a borderless solution with better management of donations and implementation using the emerging tech like Blockchain and Artificial Intelligence.
Keeping that in mind, Hyperchain, a Chinese company, also announced blockchain-based charity platform to streamline the donation from all over the world.
Since the Hyperchain platform is based on the blockchain, it offers more transparency among the sender and receiver of funds to bring trust and immutability to restrict the transaction data deletion.
Overall, Hyperchain improves administrative function for the money and also extends the logistics actions.
@HACKER NT
More info- Capture The Flag Hacking
- Que Hace Un Hacker
- Tecnicas De Ingenieria Social
- Hacking Simulator
- Hacking Tor Whatsapp
- Growth Hacking Marketing
- Google Hacking Database
- Curso De Ciberseguridad Y Hacking Ético
The RastaLabs Experience
Introduction
It was 20 November, and I was just starting to wonder what I would do during the next month. I had already left my previous job, and the new one would only start in January. Playing with PS4 all month might sound fun for some people, but I knew I would get bored quickly.
Even though I have some limited red teaming experience, I always felt that I wanted to explore the excitement of getting Domain Admin – again. I got my first DA in ˜2010 using pass-the-hash, but that was a loooong time ago, and things change quickly.
While reading the backlogs of one of the many Slack rooms, I noticed that certain chat rooms were praising RastaLabs. Looking at the lab description, I felt "this is it, this is exactly what I need." How hard could it be, I have a whole month ahead of me, surely I will finish it before Christmas. Boy, was I wrong.
The one-time fee of starting the lab is 90 GBP which includes the first month, then every additional month costs 20 GBP. I felt like I was stealing money from Rastamouse and Hackthebox... How can it be so cheap? Sometimes cheap indicates low quality, but not in this case.
My experience
Regarding my previous experience, I already took OSCP, OSCE, SLAE (Securitytube Linux Assembly Expert), and PSP (Powershell for Pentesters), all of which helped me a lot during the lab. I also had some limited red teaming experience. I had more-than-average experience with AV evasion, and I already had experience with the new post-exploit frameworks like Covenant and Powershell Empire. As for writing exploits, I knew how a buffer overflow or a format string attack worked, but I lacked practice in bypassing ASLR and NX. I basically had zero experience with Mimikatz on Windows 10. I used Mimikatz back in 2012, but probably not since. I also had a lot of knowledge on how to do X and Y, on useful tools and hot techniques, but I lacked recent experience with them. Finally, I am usually the last when it comes to speed in hacking, but I have always balanced my lack of speed with perseverance.
RastaLabs starts in 3,2,1 ...
So I paid the initial entry fee, got the VPN connection pack, connected to the lab, and got my first flag after ... 4 days. And there were 17 of them in total. This was the first time I started to worry. I did everything to keep myself on the wrong track, stupid things like assuming incorrect lab network addresses, scanning too few machines, finding the incorrect breadcrumbs via OSINT, trying to exploit a patched web service (as most OSCPers would do), etc. I was also continually struggling with the tools I was using, as I never knew whether they were buggy, or I was misusing them, or this is just not the way to get the flag. I am sure someone with luck and experience could have done this stage in 2-3 hours, but hey, I was there to gain experience.
During the lab, whenever I got stuck with the same problem for more than 30-40 hours and my frustration was running high, I pinged Rastamouse on the official RastaLabs support channel on https://mm.netsecfocus.com/. I usually approached him like "Hi, I tried X, Y, and Z but no luck", then he replied "yeah, try Y harder". This kind of information was usually all I needed, and 2-3 hours later I was back on track again. His help was always enough, but never too much to spoil the fun. The availability and professionalism of Rastamouse was 10/10. Huge multi-billion dollar companies fail to provide good enough support, this one guy here was always there to help. Amazing. I highly recommend joining the Mattermost channel – it will help you a lot to see that you are not the only one stuck with problems. But please do not DM him or the channel if you have not already tried harder.
What's really lovely in the lab is that you can expect real-world scenarios with "RastaLabs employees" working on their computer, reading emails, browsing the web, etc. I believe it is not a spoiler here that at some point in time you have to deliver malware that evades the MS Defender AV on the machine. Yes, there is a real working Defender on the machines, and although it is a bit out of date, it might catch your default payload very quickly. As I previously mentioned, luckily I had recent experience with AV evasion, so this part was not new to me. I highly recommend setting up your own Win10 with the latest Defender updates and testing your payload on it first. If it works there, it will work in the lab. This part can be especially frustrating, because the only feedback you get from the lab is that nothing is happening, and there is no way to debug it. Test your solution locally first.
Powershell Empire turned out to be an excellent solution for me, the only functionality it lacked was Port Forwarding. But you can drop other tools to do this job efficiently.
A little help: even if you manage to deliver your payload and you have a working C&C, it does not mean your task with AV evasion is over. It is highly probable that Defender will block your post-exploit codes. To bypass this, read all the blog posts from Rastamouse about AMSI bypass. This is important.
Lateral movement
When you finally get your first shell back ...
A whole new world starts. From now on, you will spend significant time on password cracking, lateral movement, persistence, and figuring out how Windows AD works.
In the past, I played a lot of CTF, and from time to time I got the feeling "yeah, even though this challenge was fun, it was not realistic". This never happened during RastaLabs. All the challenges and solutions were 100% realistic, and as the "Ars poetica" of RastaLabs states:
...which is sooooo true. None of the tasks involve any exploit of any CVE. You need a different mindset for this lab. You need to think about misconfigurations, crackable passwords, privilege abuse, and similar issues. But I believe this lab is still harder to own than 90% of the organizations out there. The only help is that there are no blue-teamers killing our shells.
About the architecture of the lab: When connecting to the lab with VPN, you basically found yourself in a network you might label as "Internet", with your target network being behind a firewall, just as a proper corporate network should be.
There are a bunch of workstations – Win10 only, and some servers like fileserver, exchange, DC, SQL server, etc. The majority of servers are Windows Server 2016, and there is one Linux server. The two sites are adequately separated and firewalled.
As time passed, I was getting more and more flags, and I started to feel the power. Then the rollercoaster experience started. I was useless, I knew nothing. Getting the flag, I was god. One hour later, I was useless.
For example, I spent a significant amount of time trying to get GUI access to the workstations. In the end, I managed to get that, just to find out I did not achieve anything with it. For unknown reasons, none of the frameworks I tried had a working VNC, so I set up my own, and it was pain.
On December 18, I finally got Domain Admin privileges. So my estimation to "finish the lab" in one month was not that far off. Except that I was far from finishing it, as I still had to find five other flags I was missing. You might ask "you already have DA, how hard could it be to find the remaining five?". Spoiler alert, it was hard. Or to be more precise, not hard, just challenging, and time-consuming. This was also a time when connections on Mattermost RastaLabs channel helped me a lot. Hints like "flag X is on machine Y" helped me keep motivated, yet it did not spoil the fun. Without hints like this, I would not have written this post but would have been stuck with multiple flags.
About exploitation
And there was the infamous challenge, "ROP the night away." This was totally different from the other 16. I believe this image explains it all:
If you are not friends with GDB, well, you will have a hard time. If you don't have lots of hands-on experience with NX bypass - a.k.a ROP - like me, you will have a hard time with this challenge. The binary exploit challenges during OSCP and OSCE exams are nowhere near as complex as this one. If you have OSEE, you will be fine. For this challenge, I used GDB-Peda and Python pwntools – check them out in case you are not familiar with them. For me, solving this challenge took about 40 hours. Experienced CTF people could probably solve it in 4 hours or less.
Conclusion
I would not recommend taking this lab for total beginners *. I also do not recommend doing the lab if you only have limited time per day, which is especially true if you are working on your home computer. I probably would have saved hours or even days if I had set up a dedicated server in the cloud for this lab. The issue was that the lab workstations were rebooted every day, which meant that I always lost my shells. "Persistence FTW", you might say, but if your C&C is down when the workstation reboots, you are screwed. "Scheduled tasks FTW", you might say, but unless you have a strict schedule on when you start your computer, you will end up with a bunch of scheduled tasks just to get back the shell whenever you start your computer. Day after day I spent the first hour getting back to where I had been the day before. And I just figured out at the end of the lab why some of my scheduled tasks were not working ...
I would be really interested to see how much time I spent connected to the lab. Probably it was around 200–250 hours in total, which I believe is more than I spent on OSCP and OSCE combined. But it was totally worth it. I really feel the power now that I learned so many useful things.
But if you consider that the price of the one-month lab is 20 GBP, it is still a very cheap option to practice your skills.
* It is totally OK to do the lab in 6 months, in case you start as a beginner. That is still just 190 GBP for the months of lab access, and you will gain a lot of experience during this time. You will probably have a hard time reaching the point when you have a working shell, but it is OK. You can find every information on Google, you just need time, patience and willingness to get there.
Anyway, it is still an option not to aim to "get all the flags". Even just by getting the first two flags, you will gain significant experience in "getting a foothold". But for me, not getting all the flags was never an option.
If you are still unconvinced, check these other blog posts:
Or see what others wrote about RastaLabs.
Footnote
In case you start the lab, please, pretty please, follow the rules, and do not spoil the fun for others. Do not leave your tools around, do not keep shared drives open, do not leave FLAGs around. Leave the machine as it was. If you have to upload a file, put it in a folder others won't easily find. This is a necessary mindset when it comes to real-world red teaming. Don't forget to drop a party parrot into the chat whenever you or someone else gets a new flag. And don't forget:
OSCP has no power here. Cry harder!
I will probably keep my subscription to the lab and try new things, new post-exploit frameworks. I would like to thank @_rastamouse for this great experience, @superkojiman for the ROP challenge. Hackthebox for hosting the lab with excellent uptime.
As for @gentilkiwi and @harmj0y, these two guys probably advanced red-teaming more than everyone else combined together. pwntools from @gallopsled was also really helpful. And I will be forever grateful to Bradley from finance for his continuous support whenever I lost my shells.
Related articles
Thursday, May 21, 2020
Contratar Hackers Profesionales Para Hackear WhatsApp, La Universidad Y Espiar A Tu Pareja: La Estafa.
Durante muchos años he hablado de los que confunden hackers con cibercriminales, y he publicado a lo largo de los años artículos del tipo "Buscas criminales, no hackers", en el que he publicado algunos de los mensajes que me llegaban por múltiples sitios. Mensajes para Espiar el WhatsApp, el Facebook, el teléfono móvil de personas. Por si acaso, léete el artículo de Proteger WhatsApp a prueba de balas, y luego sigue con este post para que veas qué mundo tenemos hoy en día.
 |
| Figura 1: Contratar hackers profesionales para hackear WhatsApp, la universidad y espiar a tu pareja: La estafa. |
A día de hoy sigo recibiendo estos mensajes, sobre todo por mi cuenta de Instagram, donde dejé de leer los mensajes que me enviaban hace tiempo, debido a la cantidad ingente de cosas que me preguntaban - desde se me ha roto el PowerPoint hasta quiero hackear un Fabebook -.
Pero hoy os quería hablar de varios mensajes que me han llegado por mi cuenta de MyPublicInbox, donde me han preguntado varias personas por unas webs de "Hackers for Hire". Es decir, de webs que ofrecen servidos de "Hackers Profesionales" para hacer lo que muchos siempre sueñan. Pero es una estafa y por supuesto ni los iconos de Twitter, Linkedin o números de teléfono funcionan. Son más falsos que una moneda de madera.
 |
| Figura 3: Página de Hackers Profesionales for Hire |
Estas páginas - y esta en concreto - se presentan como una página de una empresa de verdad, con profesionalidad y como si fuera un servicio, pero no es más que una fachada para conseguir lo importante, el contacto de la persona que quiere contratarlos para sacarle dinero. Para ello, la web está llena de los términos y cadenas de búsqueda que las personas utilizan en Google y otros buscadores para localizar a estos "Hackers for Hire".
 |
| Figura 4: Servicios de Hackers |
El dinero a las le van a sacar de dos formas. Primero por el servicio que su víctima - que es la persona que los quiere contratar - solicita. Es decir, el coste que negocian por cambiar notas de la universidad, por borrarlo de un fichero de morosos, de hackear y espiar un WhatsApp, etcétera. Lo que la persona que los quiera contratar quiera. ¿Quieres hackear una base de datos del gobierno para borrar una multa? No te preocupes, ellos tienen ese servicio. Siempre que pagues por anticipado el dinero.
 |
| Figura 5: "Buscas contactar un Hacker Informatico en Barcelona" o en Madrid |
Las webs están llenas de cadenas de SEO utilizadas por los que buscan este tipo de servicios. Y esta concretamente está orientada a estafar a personas de España, por eso posiciona términos con España, Madrid, Barcelona, Toledo, Vigo, Mallorca, y otras ciudades de por aquí, pero se ve claramente que el lenguaje no es 100% del que utilizamos por aquí, ya que utiliza expresiones y forma de escribir no comunes en España.
 |
| Figura 6: Algunas cosas en las que somos geniales!! |
Esta parte me ha encantado. El título de la Figura 6 "Algunas cosas en las que somos geniales!!" es muy cercano y juvenil. El texto después es serio y profesional. La parte de universidades es absolutista, dejando claro que su sistema es efectivo para hackear universidades, cuando los sistemas de cada universidad son diferentes. De esto ya os hablé en un artículo hace tiempo en el artículo de "La estafa del hacker para cambiar notas de las universidades".
 |
| Figura 7: "Metodo hackear Whatsapp" |
Por supuesto, la estrella en esta web es el hacking para Espiar WhtatsApp, algo que otras webs han hecho con el hacking de Facebook. Os dejó el ejemplo antiguo de "Cómo hackear Facebook en un minuto con chiringuito".
A pesar de parecer la página de una empresa, cuando se ven los textos en detalle, se puede observar que no están cuidados, ya que están mal puntuados, mal acentuados y con expresiones que parecen no tener mucho sentido. Solo se trata de poner cadenas de texto que hagan que llegue tráfico desde los buscadores.
 |
| Figura 9: Servicios Hacker Profesional |
En la web hay un par de partes que me han impactado especialmente. La primera esta de "Client Testimonials" que es una mala traducción al inglés porque entiendo que están utilizando esta misma estafa para países angloparlantes. En ella se ven fotos de supuestos clientes, satisfechos con sus servicios.
 |
| Figura 10: "No confíe en nuestra palabra: esto es lo que dicen nuestros clientes" |
Sorprendentemente, basta con hacer una búsqueda en Google Images con la primera de las fotos y ver que estos tipos no han tenido ningún miramiento, ya que han utilizado la foto del obituario de una persona fallecida en el año 2016 en Florida (Estados Unidos), que por supuesto no se llama Carlos Manrique.
 |
| Figura 11: Uno de los supuestos clientes es una persona fallecida |
Y lo mismo para el equipo de la empresa. Donde todos son guapos, profesionales, y con puestos de lo más variopintos. Por supuesto, los enlaces a Twitter, Linkedin, etcétera, no funcionan. Son solo decoración para hacer parecer más profesional esta página de "Hackers for Hire". Eso sí, el vídeo al principio de la web es de Anonymous, pero luego están los perfiles de los "Hackers Profesionales".
 |
| Figura 12: El supuesto equipo de "Hackers Profesionales" |
Por supuesto, siendo tan guapos no me extrañó que la buscar algunas de las fotos en Google Images apareciera que eran modelos. Uno de ellos, en concreto Andrés Ferrari, que es el supuesto CEO y Fundador de este grupo de hackers profesionales guapos, es un modelo de barbas.
 |
| Figura 13: Andrés Ferrari es un modelo de barbas |
Por supuesto, para cubrir todo el abanico a la hora de convencer a sus "clientes", esta web pone el puntito técnico, añadiendo información de un bug descubierto por el equipo de Project Zero de Google que afectaba a iOS (iPhone) y que fue arreglado el año pasado. Por supuesto, estos exploits tienen un alto valor - ya vimos lo que se podía pagar por un exploit remoto de iPhone - y por supuesto la gente que los tiene los vende a los "vendors" de seguridad y no los usa para hackear el WhatsApp de las parejas de la gente.
 |
| Figura 14: Supuesto exploit usado |
Como se puede ver la expresión de "¿Qué tan grave es..." tampoco es una expresión muy común por aquí en España. Y lo curioso es que la letra pequeña explica que la vulnerabilidad está parcheada. En el siguiente vídeo os dejo una visita explicada a la web de estos "Hackers for Hire".
Figura 15: Hackers for Hire "La estafa"
Por último, os había dicho que una de las formas con las que sacaban dinero era con vender el servicio - que no van a hacer porque se jugarían un problema legal más gordo -. Lo que hacen es pedir dinero y más dinero a su cliente hasta que este se enfada y deja de enviarles dinero. Entonces, a veces, amenazan al cliente con denunciarle y hacer públicos los datos y las conversaciones que han tenido con él, extorsionando al contratante de los "hackers for hire".
 |
| Figura 16: Cómo protegerse de los peligros en Internet de José Carlos Gallego Cano |
Y si consiguen datos suficientes, pues se pueden dar los mismos problemas que comentaba en la estafa de la venta fraudulenta, si ellos han conseguido datos suficientes de quién los contrata. A todos los demás, os recomiendo que os leáis el libro de "Cómo protegerse de los peligros en Internet" porque esta estafa de "hackers for hire" existe debido a que hay una demanda muy grande por parte de las personas. Triste, pero es así.
Related articles
- Brain Hacking
- Como Convertirse En Hacker
- Master Growth Hacking
- Hacking Gif
- Certificacion Hacking Etico
- Hacker Significado
- Cracker Informatico
- Raspberry Pi Hacking
- Hacking Software
- Hacking Language
What Is Cybersecurity And Thier types?Which Skills Required To Become A Top Cybersecurity Expert ?
What is cyber security in hacking?
The term cyber security refers to the technologies and processes designed to defend computer system, software, networks & user data from unauthorized access, also from threats distributed through the internet by cybercriminals,terrorist groups of hacker.
The term cyber security refers to the technologies and processes designed to defend computer system, software, networks & user data from unauthorized access, also from threats distributed through the internet by cybercriminals,terrorist groups of hacker.
Main types of cybersecurity are
Critical infrastructure security
Application security
Network Security
Cloud Security
Internet of things security.
These are the main types of cybersecurity used by cybersecurity expert to any organisation for safe and protect thier data from hack by a hacker.
Top Skills Required to become Cybersecurity Expert-
Problem Solving Skills
Communication Skill
Technical Strength & Aptitude
Desire to learn
Attention to Detail
Knowledge of security across various platforms
Knowledge of Hacking
Fundamental Computer Forensic Skill.
These skills are essential for become a cybersecurity expert.
Cyber cell and IT cell these are the department in our india which provide cybersecurity and looks into the matters related to cyber crimes to stop the crime because in this digitilization world cyber crime increasing day by day so our government of india also takes the immediate action to prevent the cybercrimes with the help of these departments and also arrest the victim and file a complain against him/her with the help of cyberlaw in our constitution.
More information
- Hacking Tutorials
- Hacking Etico Pdf
- Tools Hacking
- Bluetooth Hacking
- Hacking Wifi Android
- Linux Hacking Distro
- Hacker En Español
- Hacker Definicion Informatica
- Brain Hacking
Reversing Pascal String Object
There are many goodware and malware developed in pascal, and we will see that the binary generated by the pascal compilers is fascinating, not only because the small and clean generated binaries, or the clarity of the pascal code, but also the good performance. In Linux we have Lazarus which is a good free IDE like Delphi and Kylix the free pascal IDE for windows.
The program:
program strtest;
var
cstr: array[0..10] of char;
s, s2: ShortString;
begin
cstr := 'hello world';
s := cstr;
s2 := 'test';
WriteLn(cstr + ' ' + s + ' ' + s2);
end.
We are going to compile it with freepascal and lazarus, and just the binary size differs a lot:
lazarus 242,176 btytes 845 functions
freepascal 32,256 bytes 233 functions
turbopascal 2,928 bytes 80 functions (wow)
And surprisingly turbopascal binaries are extremely light.
Lets start with lazarus:
And our starting point is a function called entry that calls the console initialization and retrieve some console configurations, and then start a labyrinth of function calls.
On functions 10000e8e0 there is the function that calls the main function.
I named execute_param2 because the second param is a function pointer that is gonna be executed without parameters, it sounds like main calling typical strategy.
And here we are, it's clearly the user code pascal main function.
What it seems is that function 100001800 returns an string object, then is called its constructor to initialize the string, then the string is passed to other functions that prints it to the screen.
This function executes the method 0x1c0 of the object until the byte 0x89 is a null byte.
What the hell is doing here?
First of all let's create the function main:
Simply right button create function:
After a bit of work on Ghidra here we have the main:
Note that the struct member so high like 0x1b0 are not created by default, we should import a .h file with an struct or class definition, and locate the constructor just on that position.
The mysterious function was printing byte a byte until null byte, the algorithm the compiler implemented in asm is not as optimized as turbopascal's.
In Windbg we can see the string object in eax after being created but before being initialized:
Just before executing the print function, the RCX parameter is the string object and it still identical:
Let's see the constructor code.
The constructor address can be guessed on static walking the reverse-cross-references to main, but I located it in debugging it in dynamic analysis.
The constructor reads only a pointer stored on the string object on the position 0x98.
And we have that the pointer at 0x98 is compared with the address of the literal, so now we know that this pointer points to the string.
The sentence *string_x98 = literal confirms it, and there is not memory copy, it only points reusing the literal.
There are two ways to follow the references in Ghidra, one is [ctrl] + [shift] + F but there is other trick which is simply clicking the green references texts on the disassembly.
At the beginning I doubted and put the name possible_main, but it's clearly the pascal user code main function.
The char array initialization Is converted by freepascal compiler to an runtime initialization using mov instructions.
Reducing the coverage on dynamic we arrive to the writeln function:
EAX helds a pointer to a struct, and the member 0x24 performs the printing. In this cases the function can be tracked easily in dynamic executing the sample.
And lands at 0x004059b0 where we see the WriteFile, the stdout descriptor, the text and the size supplied by parameter.
there is an interesting logic of what happens if WriteFile() couldn't write all the bytes, but this is other scope.
Lets see how this functions is called and how text and size are supplied to figure out the string object.
EBX helds the string object and there are two pointers, a pointer to the string on 0x18 and the length in 0x18, lets verify it on windbg.
And here we have the string object, 0x0000001e is the length, and 0x001de8a68 is the pointer.
Thanks @capi_x for the pascal samples.
The program:
program strtest;
var
cstr: array[0..10] of char;
s, s2: ShortString;
begin
cstr := 'hello world';
s := cstr;
s2 := 'test';
WriteLn(cstr + ' ' + s + ' ' + s2);
end.
We are going to compile it with freepascal and lazarus, and just the binary size differs a lot:
lazarus 242,176 btytes 845 functions
freepascal 32,256 bytes 233 functions
turbopascal 2,928 bytes 80 functions (wow)
And surprisingly turbopascal binaries are extremely light.
Lets start with lazarus:
Logically it imports from user32.dll some display functions, it also import the kernel32.dll functions and suspiciously the string operations of oleaut32.dll
On functions 10000e8e0 there is the function that calls the main function.
And here we are, it's clearly the user code pascal main function.
What it seems is that function 100001800 returns an string object, then is called its constructor to initialize the string, then the string is passed to other functions that prints it to the screen.
What the hell is doing here?
First of all let's create the function main:
After a bit of work on Ghidra here we have the main:
Note that the struct member so high like 0x1b0 are not created by default, we should import a .h file with an struct or class definition, and locate the constructor just on that position.
The mysterious function was printing byte a byte until null byte, the algorithm the compiler implemented in asm is not as optimized as turbopascal's.
In Windbg we can see the string object in eax after being created but before being initialized:
Just before executing the print function, the RCX parameter is the string object and it still identical:
Let's see the constructor code.
The constructor address can be guessed on static walking the reverse-cross-references to main, but I located it in debugging it in dynamic analysis.
The constructor reads only a pointer stored on the string object on the position 0x98.
The sentence *string_x98 = literal confirms it, and there is not memory copy, it only points reusing the literal.
Freepascal
The starting labyrinth is bigger than Lazarus so I had to begin the maze from the end, searching the string "hello world" and then finding the string references:
There are two ways to follow the references in Ghidra, one is [ctrl] + [shift] + F but there is other trick which is simply clicking the green references texts on the disassembly.
At the beginning I doubted and put the name possible_main, but it's clearly the pascal user code main function.
The char array initialization Is converted by freepascal compiler to an runtime initialization using mov instructions.
Reducing the coverage on dynamic we arrive to the writeln function:
EAX helds a pointer to a struct, and the member 0x24 performs the printing. In this cases the function can be tracked easily in dynamic executing the sample.
And lands at 0x004059b0 where we see the WriteFile, the stdout descriptor, the text and the size supplied by parameter.
there is an interesting logic of what happens if WriteFile() couldn't write all the bytes, but this is other scope.
Lets see how this functions is called and how text and size are supplied to figure out the string object.
EBX helds the string object and there are two pointers, a pointer to the string on 0x18 and the length in 0x18, lets verify it on windbg.
And here we have the string object, 0x0000001e is the length, and 0x001de8a68 is the pointer.
Thanks @capi_x for the pascal samples.
Related word
- Hacking Pages
- Hacking Madrid
- Hacking Background
- Curso Hacking Etico
- Hacking Quotes
- Hacking Tutorials
- Growth Hacking Pdf
- Hacking Traduccion
- Pagina Hacker
- Hacking Movies
- Hacking Web Sql Injection
