Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

April 24, 2019

Deobfuscating APT32 Flow Graphs with Cutter and Radare2 [Defining “foreign” government]

Filed under: Cybersecurity,Government,Hacking,Radare2 — Patrick Durusau @ 12:30 pm

Deobfuscating APT32 Flow Graphs with Cutter and Radare2 by Itay Cohen.

The Ocean Lotus group, also known as APT32, is a threat actor which has been known to target East Asian countries such as Vietnam, Laos and the Philippines. The group strongly focuses on Vietnam, especially private sector companies that are investing in a wide variety of industrial sectors in the country. While private sector companies are the group’s main targets, APT32 has also been known to target foreign governments, dissidents, activists, and journalists.

APT32’s toolset is wide and varied. It contains both advanced and simple components; it is a mixture of handcrafted tools and commercial or open-source ones, such as Mimikatz and Cobalt Strike. It runs the gamut from droppers, shellcode snippets, through decoy documents and backdoors. Many of these tools are highly obfuscated and seasoned, augmented with different techniques to make them harder to reverse-engineer.

In this article, we get up and close with one of these obfuscation techniques. This specific technique was used in a backdoor of Ocean Lotus’ tool collection. We’ll describe the technique and the difficulty it presents to analysts — and then show how bypassing this kind of technique is a matter of writing a simple script, as long as you know what you are doing.

The deobfuscation plugin requires Cutter, the official GUI of the open-source reverse engineering framework – radare2. Cutter is a cross-platform GUI that aims to expose radare2’s functionality as a user-friendly and modern interface.  Last month, Cutter introduced a new Python plugin system, which figures into the tool we’ll be constructing below. The plugin itself isn’t complicated, and neither is the solution we demonstrate below. If simple works, then simple is best.

Way beyond my present skills but I can read and return to it in the future.

I don’t know how Cohen defines foreign government but for my purposes, a foreign government is one that isn’t paying me. Simple, direct and to the point. That may be a U.S.-centric definition. The U.S. government spends $billions on oppressing people around the world but cybersecurity sees it with a begging cup out for volunteer assistance. On a scale of volunteer opportunities, the U.S. government and its fellow travelers should come out dead last.


April 1, 2019

radare2 r2-3.4.0

Filed under: Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 6:59 pm
https://www.radare.org/r/

Now there’s a bold claim! Is that true? Only one way for you to know for sure! Well, what are you waiting for? Download r2-3.4.0 today!

February 18, 2019

r2con 2019 – A Sensible Call for Papers

Filed under: Conferences,Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 2:20 pm

r2con 2019 – Call for Papers

The call for papers in its entirety:

Want to give a talk in r2con? Please send your submission to r2con@radare.org with the following information in plain-text format:

  • Your nick/name(s)
  • Contact information (e-mail, twitter, telegram)
  • Talk title and description with optional speaker bio
  • Length: (20 or 50 minutes)

Such a contrast from conferences with long and tiresome lists of areas included, implying those not listed are excluded. You know the type so I won’t embarrass anyone by offering examples.

For more details, check out r2con 2018, 22 videos, r2con 2017, 16 videos, or r2con 2016, 25 videos.

If after sixty-three (63) videos you are uncertain if your talk is appropriate for r2con 2019, perhaps it is not. Try elsewhere.

January 12, 2019

Reversing C code … Radare2 part I

Filed under: Radare2,Reverse Engineering — Patrick Durusau @ 9:42 pm

Reversing C code in x64 systems with Radare2 part I by Pau Muñoz.

Starting with a very basic C program, Muñoz walks you through compiling the C program and then analyzing it with Radare2.

Interested to see where this series goes.

October 30, 2018

r2con 2018 – videos [Dodging Political Ads]

Filed under: Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 6:56 pm

r2con 2018 – videos

Avoid the flood of political ads this final week before the US mid-term elections! May I suggest the videos from r2con 2018?

Unlike with political ads and news coverage, laced with false information, r2con videos won’t make you dumber. May not make you smarter but you will be better informed about r2 topics.

Should you accidentally encounter political news coverage or a political ad, run to your computer and watch an r2con video. You will feel better.

Enjoy!

September 16, 2018

Radare2 – Perils of e – 492 Settings in 32 Namespaces

Filed under: Hacking,Radare2 — Patrick Durusau @ 10:31 am

If you are new to Radare2 (that includes me), you will execute the e command at an r2 prompt, and be overwhelmed by 492 possible settings.

The manual helpfully says that you can use e (namespace). — the namespace name followed by a dot — to see all the settings within that namespace. For example,

e cfg.

returns:

cfg.bigendian = false
cfg.debug = false
cfg.editor = emacs
cfg.fortunes = true
cfg.fortunes.clippy = false
cfg.fortunes.tts = false
cfg.fortunes.type = tips,fun
cfg.hashlimit = 0x00a00000
cfg.log = false
cfg.newtab = false
cfg.plugins = true
cfg.prefixdump = dump
cfg.r2wars = false
cfg.sandbox = false
cfg.user = pid386
cfg.wseek = false

But if you don’t know the namespaces, that’s not very helpful advice.

The namespaces as of 16 September 2018 are:

  1. anal
  2. asm
  3. bin
  4. cfg
  5. cmd
  6. dbg
  7. diff
  8. dir
  9. emu
  10. esil
  11. file
  12. fs
  13. graph
  14. hex
  15. http
  16. hud
  17. io
  18. key
  19. lines
  20. magic
  21. pdb
  22. prj
  23. rap
  24. rop
  25. scr
  26. search
  27. stack
  28. str
  29. tcp
  30. time
  31. zign
  32. zoom

The use of namespaces with e produces more manageable setting listings. Ping me if you find this useful.
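If you would rather derive the namespace list from your own installation than trust a list dated 16 September 2018, the first dotted component of every key in the output of e is the namespace. The following POSIX shell functions do that grouping and counting. This is an added example, not part of the post and not radare2's own code; the key = value lines in it are a small constructed sample in the shape r2 prints, not the full 492-line listing.

```shell
#!/bin/sh
# Constructed sample of `e` output (shape of radare2's listing, a few keys
# only); the real listing in the post has 492 lines.
SAMPLE_E_OUTPUT='anal.depth = 64
anal.hasnext = false
asm.bytes = true
asm.syntax = intel
bin.strings = true
cfg.bigendian = false
cfg.fortunes.type = tips,fun
cfg.sandbox = false
scr.color = 1'

# Read `key = value` lines on stdin, keep only the first dotted component
# of each key (cfg.fortunes.type -> cfg), and print each namespace once.
namespaces() {
  sed -n 's/^\([A-Za-z0-9_]*\)\..*/\1/p' | sort -u
}

# Same input; print "count namespace" per namespace, so the large ones are
# visible before you list them with `e <namespace>.`
namespace_counts() {
  sed -n 's/^\([A-Za-z0-9_]*\)\..*/\1/p' | sort | uniq -c | awk '{print $1, $2}'
}

# Wrappers over the constructed sample so the functions can be called
# without piping anything in.
sample_namespaces() { printf '%s\n' "$SAMPLE_E_OUTPUT" | namespaces; }
sample_namespace_count() { printf '%s\n' "$SAMPLE_E_OUTPUT" | namespaces | wc -l | tr -d ' '; }
sample_setting_count() { printf '%s\n' "$SAMPLE_E_OUTPUT" | wc -l | tr -d ' '; }

# Stand-alone run: summarise the sample the way the post summarises r2.
echo "settings: $(sample_setting_count) in $(sample_namespace_count) namespaces"
printf '%s\n' "$SAMPLE_E_OUTPUT" | namespace_counts
```

Against a real binary, r2's -q (quiet) and -c (run a command) flags let you feed the live listing to the same functions without an interactive prompt: r2 -q -c e /bin/ls | namespaces. Versions of r2 add and drop keys, so the counts you get will differ from the 492 and 32 in the post.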

August 5, 2018

Color and Size Steps with Radare2 on Ubuntu 18.04

Filed under: Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 8:46 pm

I mentioned in First Steps with Radare2 on Ubuntu 18.04 that I needed to reset the default colors in Radare2, along with making the font larger.

Itay Cohen, @megabeets_, quickly responded:

Hi Patrick! I read that you had a bit of a struggle with the font colors. Did you know you can change the color theme? Just use “eco “. Screenshots of the different themes are available here: https://r2wiki.readthedocs.io/en/latest/home/themes/#themes. You can also use the Visual Color editor “VE”. Try ‘ec?’

Great way to change displays!

Since I am running XFCE as a desktop, ctrl + and ctrl - don't change the terminal font size. (Or at least I'm missing how to make that work in XFCE.)

For the time being, I’m starting r2 in an Emacs shell, which allows me to reset the font size quite easily. With the added advantage of being in Emacs!

Now to try out “eco “.

Several people mentioned that I should try Cutter, the new GUI for Radare2. Going to, but I'm comfortable with command line interfaces. Not to mention that experience with the command line will enable me to notice groupings in the GUI.

August 4, 2018

First Steps with Radare2 on Ubuntu 18.04

Filed under: Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 3:19 pm

If you read Reverse Engineering With Radare2, Part 1 by Sam Symons, you will be hot to jump in and start using Radare2!

Of course, like me, you will ignore most of the introduction and quickly search for Radare2, only to encounter an array of installation options, most of which don’t concern you.

Avoid that mistake: follow this link, http://radare.org/r/down.html (yes, the same one Symons has in his post), and follow these directions:

git clone https://github.com/radare/radare2
cd radare2
sys/install.sh # just run this script to update from r2 from git

OK, you need to:

sudo sys/install.sh if you aren’t in a root shell.

Symons points you to course materials for a Modern Binary Exploitation course and their website.

Starting with ./crackme0x00a, you are introduced to the r2 command to open the first challenge.

Presented in a different order, you will encounter:

  • ? – help (append to any command)
  • aa – analyze all
  • cd – change directories
  • pdf – Print disassemble function – pdf@main (simple example)
  • pwd – identify working directory
  • s – seek
  • x – print

I’m working on resetting the colors! Even in a much larger size, this is terribly difficult to read!

That reminds me, there is a book on radare2, imaginatively titled: R2 “Book.” (There is truth to the claim that naming is one of the hardest problems in computer science.)

I got to the end of the first exercise and have some confidence that the Radare2 installation is working properly.

Before going any further, I’m going to experiment with and fix the color display. It’s painful to look at. More on its way!

Enjoy!
