diff --git a/content/blog/reverse.md b/content/blog/reverse.md new file mode 100644 index 0000000..356089b --- /dev/null +++ b/content/blog/reverse.md @@ -0,0 +1,45 @@ ++++ +title = "Reverse Engineering a Toy" +date = 2023-05-15 ++++ + +## Disclaimer: This write-up is not professional at all, and I will leave details out +---- +alright, *check it* + +So I was just chilling at school when all of a sudden, I get a message from my pal in Canada. It was a discord attachment named `ClickMe.exe` +Now I ain't no fool, so I decided to examine it in a closed environment, the events that happened are as follows in sequential order. + +1. I opened the executable in "Ghidra" +2. I ran the executable in a VM without network access +3. Then, I opened the thing in a text editor + +Ghidra is a software analysis and reverse engineering tool created by the NSA. Ghidra was made in Java, but don't put it down because of that; it is **POWERFUL**. +As I was scrolling mindlessly through the assembly code, I noticed a repeated term in the function names. + +"PYZ" + +Now I looked this term up, and it belongs to a library of compiling python code into a single executable. Next I checked what internal libraries the application was using (he didn't strip symbols) and it was using the win32's network and file API's. + +Next, I threw that shenaniganizer into a virtual machine to study its behavior. I had a few SysInternal tools up as I launched the program. So I gingerly double-clicked on its icon and... + +An Error popped up. This wasn't entirely unexpected since I had the internet off, and it was using network protocols, but still. I examined the popup error and noticed that it was a Python trace-back. The trace-back essentially said that it couldn't access a website known for grabbing IP's and the geolocation of the IP. + +Here's what we know so far: +- This is an application made in Python to be bundled into an executable for accessibility +- It was messing with my files and was connecting to external servers +- One of the network operations was grabbing my IP address and is probably sending it somewhere + + +The last thing I did was a bit of a desperate measure, I know I could've searched through the assembly or decompile back to python code (which I tried and failed to do) but it was a little too tedious. +So I popped it into a text editor, I don't know what I was expecting, but I was glad I did it. Among the garbage of binary code being converted to UTF-8, there was a Discord webhook for the info they got from me, so they had a place to send it to. Below the link was a template for sending my information, based on the template they were grabbing my: +- MAC address +- IP address +- My GPU and CPU info +- and other computer ID info... + +From here I kind of just said 'yipee!' and laid the software to rest... + + + +I can provide a sample if you contact me through my email. diff --git a/sass/style.scss b/sass/style.scss index dff5f9f..da831c6 100644 --- a/sass/style.scss +++ b/sass/style.scss @@ -33,9 +33,15 @@ hr { border-radius: 2px; } -li { - list-style-type: "\03BB"; - list-style-position: outside; +ol { + list-style-position: inside; + color: #78B892; + padding-left: 10px; + //font-size: 17px; +} +ul { + list-style-type: "\03BB "; + list-style-position: inside; color: #78B892; padding-left: 10px; //font-size: 17px;