gallant/site
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
site/content/blog/reverse.md

2.6 KiB
Raw Permalink Blame History

+++ title = "Reverse Engineering a Toy" date = 2023-05-15 +++

Disclaimer: This write-up is not professional at all, and I will leave details out

alright, check it

So I was just chilling at school when all of a sudden, I get a message from my pal in Canada. It was a discord attachment named ClickMe.exe Now I ain't no fool, so I decided to examine it in a closed environment, the events that happened are as follows in sequential order.

  1. I opened the executable in "Ghidra"
  2. I ran the executable in a VM without network access
  3. Then, I opened the thing in a text editor

Ghidra is a software analysis and reverse engineering tool created by the NSA. Ghidra was made in Java, but don't put it down because of that; it is POWERFUL. As I was scrolling mindlessly through the assembly code, I noticed a repeated term in the function names.

"PYZ"

Now I looked this term up, and it belongs to a library of compiling python code into a single executable. Next I checked what internal libraries the application was using (he didn't strip symbols) and it was using the win32's network and file API's.

Next, I threw that shenaniganizer into a virtual machine to study its behavior. I had a few SysInternal tools up as I launched the program. So I gingerly double-clicked on its icon and...

An Error popped up. This wasn't entirely unexpected since I had the internet off, and it was using network protocols, but still. I examined the popup error and noticed that it was a Python trace-back. The trace-back essentially said that it couldn't access a website known for grabbing IP's and the geolocation of the IP.

Here's what we know so far:

  • This is an application made in Python to be bundled into an executable for accessibility
  • It was messing with my files and was connecting to external servers
  • One of the network operations was grabbing my IP address and is probably sending it somewhere

The last thing I did was a bit of a desperate measure, I know I could've searched through the assembly or decompile back to python code (which I tried and failed to do) but it was a little too tedious. So I popped it into a text editor, I don't know what I was expecting, but I was glad I did it. Among the garbage of binary code being converted to UTF-8, there was a Discord webhook for the info they got from me, so they had a place to send it to. Below the link was a template for sending my information, based on the template they were grabbing my:

  • MAC address
  • IP address
  • My GPU and CPU info
  • and other computer ID info...

From here I kind of just said 'yipee!' and laid the software to rest...

I can provide a sample if you contact me through my email.