5/15 Reverse Engineering a Toy
This commit is contained in:
parent
f44044b946
commit
78e244f81d
45
content/blog/reverse.md
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
+++
|
||||||
|
title = "Reverse Engineering a Toy"
|
||||||
|
date = 2023-05-15
|
||||||
|
+++
|
||||||
|
|
||||||
|
## Disclaimer: This write-up is not professional at all, and I will leave details out
|
||||||
|
----
|
||||||
|
alright, *check it*
|
||||||
|
|
||||||
|
So I was just chilling at school when all of a sudden, I get a message from my pal in Canada. It was a discord attachment named `ClickMe.exe`
|
||||||
|
Now I ain't no fool, so I decided to examine it in a closed environment, the events that happened are as follows in sequential order.
|
||||||
|
|
||||||
|
1. I opened the executable in "Ghidra"
|
||||||
|
2. I ran the executable in a VM without network access
|
||||||
|
3. Then, I opened the thing in a text editor
|
||||||
|
|
||||||
|
Ghidra is a software analysis and reverse engineering tool created by the NSA. Ghidra was made in Java, but don't put it down because of that; it is **POWERFUL**.
|
||||||
|
As I was scrolling mindlessly through the assembly code, I noticed a repeated term in the function names.
|
||||||
|
|
||||||
|
"PYZ"
|
||||||
|
|
||||||
|
Now I looked this term up, and it belongs to a library of compiling python code into a single executable. Next I checked what internal libraries the application was using (he didn't strip symbols) and it was using the win32's network and file API's.
|
||||||
|
|
||||||
|
Next, I threw that shenaniganizer into a virtual machine to study its behavior. I had a few SysInternal tools up as I launched the program. So I gingerly double-clicked on its icon and...
|
||||||
|
|
||||||
|
An Error popped up. This wasn't entirely unexpected since I had the internet off, and it was using network protocols, but still. I examined the popup error and noticed that it was a Python trace-back. The trace-back essentially said that it couldn't access a website known for grabbing IP's and the geolocation of the IP.
|
||||||
|
|
||||||
|
Here's what we know so far:
|
||||||
|
- This is an application made in Python to be bundled into an executable for accessibility
|
||||||
|
- It was messing with my files and was connecting to external servers
|
||||||
|
- One of the network operations was grabbing my IP address and is probably sending it somewhere
|
||||||
|
|
||||||
|
|
||||||
|
The last thing I did was a bit of a desperate measure, I know I could've searched through the assembly or decompile back to python code (which I tried and failed to do) but it was a little too tedious.
|
||||||
|
So I popped it into a text editor, I don't know what I was expecting, but I was glad I did it. Among the garbage of binary code being converted to UTF-8, there was a Discord webhook for the info they got from me, so they had a place to send it to. Below the link was a template for sending my information, based on the template they were grabbing my:
|
||||||
|
- MAC address
|
||||||
|
- IP address
|
||||||
|
- My GPU and CPU info
|
||||||
|
- and other computer ID info...
|
||||||
|
|
||||||
|
From here I kind of just said 'yipee!' and laid the software to rest...
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
I can provide a sample if you contact me through my email.
|
|
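Review bot: The bullet "It was messing with my files" in the "Here's what we know so far" list claims more than the hunk's own evidence supports: the only file-related observation stated earlier is that the binary imports the win32 file API, and nothing from the SysInternals session is reported. Either state what file activity was actually captured or soften the bullet to "it imports the file API". Two smaller points: "PYZ" is identified as belonging to "a library of compiling python code into a single executable" but the bundler is never named, which leaves readers unable to follow the same lead; and the disclaimer is marked up as an `##` heading although it reads as a sentence, so a blockquote or plain paragraph would fit the surrounding prose better. Minor spelling in the same hunk: "IP's" and "API's" should be "IPs" and "APIs".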
@ -33,9 +33,15 @@ hr {
|
||||||
border-radius: 2px;
|
border-radius: 2px;
|
||||||
}
|
}
|
||||||
|
|
||||||
li {
|
ol {
|
||||||
list-style-type: "\03BB";
|
list-style-position: inside;
|
||||||
list-style-position: outside;
|
color: #78B892;
|
||||||
|
padding-left: 10px;
|
||||||
|
//font-size: 17px;
|
||||||
|
}
|
||||||
|
ul {
|
||||||
|
list-style-type: "\03BB ";
|
||||||
|
list-style-position: inside;
|
||||||
color: #78B892;
|
color: #78B892;
|
||||||
padding-left: 10px;
|
padding-left: 10px;
|
||||||
//font-size: 17px;
|
//font-size: 17px;
|
||||||
|
|
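Review bot: `list-style-type: "\03BB";` on the new `ol` rule replaces the numerals with a lambda marker, so the numbered steps added to `content/blog/reverse.md` in this same commit render without their numbers; if the ordering matters, keep `decimal` (the default) for `ol` and reserve the string marker for `ul`. Also, `//font-size: 17px;` is not a CSS comment (CSS only has `/* ... */`); the parser discards it as an invalid declaration up to the `;`, which happens to be harmless here but should be written `/* font-size: 17px; */` in both the `ol` and `ul` blocks. Lastly, the `ul` marker string `"\03BB "` carries a trailing space while the `ol` one does not; pick one form so the two lists align.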