5/15 Reverse Engineering a Toy
This commit is contained in:
parent
f44044b946
commit
78e244f81d
45
content/blog/reverse.md
Normal file
45
content/blog/reverse.md
Normal file
|
@ -0,0 +1,45 @@
|
|||
+++
|
||||
title = "Reverse Engineering a Toy"
|
||||
date = 2023-05-15
|
||||
+++
|
||||
|
||||
## Disclaimer: This write-up is not professional at all, and I will leave details out
|
||||
----
|
||||
alright, *check it*
|
||||
|
||||
So I was just chilling at school when all of a sudden, I get a message from my pal in Canada. It was a discord attachment named `ClickMe.exe`
|
||||
Now I ain't no fool, so I decided to examine it in a closed environment, the events that happened are as follows in sequential order.
|
||||
|
||||
1. I opened the executable in "Ghidra"
|
||||
2. I ran the executable in a VM without network access
|
||||
3. Then, I opened the thing in a text editor
|
||||
|
||||
Ghidra is a software analysis and reverse engineering tool created by the NSA. Ghidra was made in Java, but don't put it down because of that; it is **POWERFUL**.
|
||||
As I was scrolling mindlessly through the assembly code, I noticed a repeated term in the function names.
|
||||
|
||||
"PYZ"
|
||||
|
||||
Now I looked this term up, and it belongs to a library of compiling python code into a single executable. Next I checked what internal libraries the application was using (he didn't strip symbols) and it was using the win32's network and file API's.
|
||||
|
||||
Next, I threw that shenaniganizer into a virtual machine to study its behavior. I had a few SysInternal tools up as I launched the program. So I gingerly double-clicked on its icon and...
|
||||
|
||||
An Error popped up. This wasn't entirely unexpected since I had the internet off, and it was using network protocols, but still. I examined the popup error and noticed that it was a Python trace-back. The trace-back essentially said that it couldn't access a website known for grabbing IP's and the geolocation of the IP.
|
||||
|
||||
Here's what we know so far:
|
||||
- This is an application made in Python to be bundled into an executable for accessibility
|
||||
- It was messing with my files and was connecting to external servers
|
||||
- One of the network operations was grabbing my IP address and is probably sending it somewhere
|
||||
|
||||
|
||||
The last thing I did was a bit of a desperate measure, I know I could've searched through the assembly or decompile back to python code (which I tried and failed to do) but it was a little too tedious.
|
||||
So I popped it into a text editor, I don't know what I was expecting, but I was glad I did it. Among the garbage of binary code being converted to UTF-8, there was a Discord webhook for the info they got from me, so they had a place to send it to. Below the link was a template for sending my information, based on the template they were grabbing my:
|
||||
- MAC address
|
||||
- IP address
|
||||
- My GPU and CPU info
|
||||
- and other computer ID info...
|
||||
|
||||
From here I kind of just said 'yipee!' and laid the software to rest...
|
||||
|
||||
|
||||
|
||||
I can provide a sample if you contact me through my email.
|
|
@ -33,9 +33,15 @@ hr {
|
|||
border-radius: 2px;
|
||||
}
|
||||
|
||||
li {
|
||||
list-style-type: "\03BB";
|
||||
list-style-position: outside;
|
||||
ol {
|
||||
list-style-position: inside;
|
||||
color: #78B892;
|
||||
padding-left: 10px;
|
||||
//font-size: 17px;
|
||||
}
|
||||
ul {
|
||||
list-style-type: "\03BB ";
|
||||
list-style-position: inside;
|
||||
color: #78B892;
|
||||
padding-left: 10px;
|
||||
//font-size: 17px;
|
||||
|
|
Loading…
Reference in a new issue