<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>r0da&#39;s Blog</title>
    <link>https://whereisr0da.github.io/blog/</link>
    <description>Recent content on r0da&#39;s Blog</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <copyright>r0da</copyright>
    <lastBuildDate>Sun, 09 Jan 2022 17:14:00 +0000</lastBuildDate><atom:link href="https://whereisr0da.github.io/blog/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>🔧 %20 Toka : Code obfuscation passes for LLVM IR</title>
      <link>https://whereisr0da.github.io/blog/posts/2020-04-09-toka/</link>
      <pubDate>Sun, 09 Jan 2022 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2020-04-09-toka/</guid>
      <description>🙁 Oops, work in progress. This thread is not available.</description>
    </item>
    
    <item>
      <title>🔒 W**** Writes - I : What are we talking about</title>
      <link>https://whereisr0da.github.io/blog/posts/2022-01-01-ww-intro-f/</link>
      <pubDate>Sat, 01 Jan 2022 17:40:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2022-01-01-ww-intro-f/</guid>
      <description>Hello world. If you see this, well, you&amp;rsquo;re fucked</description>
    </item>
    
    <item>
      <title>🔥 Quick look around VMP 3.x - Part 3 : Virtualization</title>
      <link>https://whereisr0da.github.io/blog/posts/2021-02-16-vmp-3/</link>
      <pubDate>Tue, 15 Jun 2021 10:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2021-02-16-vmp-3/</guid>
      <description>0 - ⚠️ IMPORTANT NOTE This article explains how VMProtect works, not how to crack VMP-protected software. I&amp;rsquo;m not talking about any kind of licensing system provided by VMP, or one developed using VMP. I DON&amp;rsquo;T SUPPORT PIRACY in any way. This protection (cracked / leaked versions of it) is used to protect malware, and my objective with this article is to improve the common knowledge of it to help and simplify the analysis of this type of malware.</description>
    </item>
    
    <item>
      <title>🛠 80% : Breaking into an Android - Part 1 : Preface</title>
      <link>https://whereisr0da.github.io/blog/posts/2021-05-11-android-vuln-lock/</link>
      <pubDate>Tue, 11 May 2021 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2021-05-11-android-vuln-lock/</guid>
      <description>🙁 Oops, work in progress. This thread is not available.</description>
    </item>
    
    <item>
      <title>Valve Anti Cheat - Part 1 : Module loading</title>
      <link>https://whereisr0da.github.io/blog/posts/2021-03-10-quick-vac/</link>
      <pubDate>Sun, 11 Apr 2021 11:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2021-03-10-quick-vac/</guid>
      <description>I already talked about VAC and how useless it is. Recently I decided to take a closer look at it, so this is my quick analysis. My goal is to understand how VAC executes its modules, and, in a Part 2, to understand those modules.
NOTE : I&amp;rsquo;m not a game hacker in the first place, so if something is not accurate, feel free to tell me.
What is it ?</description>
    </item>
    
    <item>
      <title>BTSCTF 2021 : BtS emulator Write-Up</title>
      <link>https://whereisr0da.github.io/blog/posts/2021-03-12-emulator-write-up/</link>
      <pubDate>Fri, 12 Mar 2021 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2021-03-12-emulator-write-up/</guid>
      <description>Hi.
The other day I did a CTF called BTSCTF, with a challenge called BtS emulator. As I&amp;rsquo;m still working on VMP virtualization currently, I&amp;rsquo;m kind of good with VM stuff.
First I noticed that the binary has all its symbols in it, so it is easier to reverse. Then I saw that the dispatcher routine seems pretty clean.
We found the opcode buffer related to it :
const uint8_t opcode_buffer[256] = { 0xf2, 0x72, 0x45, 0x8a, 0x72, 0xf2, 0x72, 0x6e, 0x8a, 0x72, 0xf2, 0x72, 0x74, 0x8a, 0x72, 0xf2, 0x72, 0x65, 0x8a, 0x72, 0xf2, 0x72, 0x72, 0x8a, 0x72, 0xf2, 0x72, 0x20, 0x8a, 0x72, 0xf2, 0x72, 0x70, 0x8a, 0x72, 0xf2, 0x72, 0x61, 0x8a, 0x72, 0xf2, 0x72, 0x73, 0x8a, 0x72, 0xf2, 0x72, 0x73, .</description>
    </item>
    
    <item>
      <title>[5/10] - Metaprog Intro</title>
      <link>https://whereisr0da.github.io/blog/posts/2021-03-05-crackme-metaprog/</link>
      <pubDate>Fri, 05 Mar 2021 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2021-03-05-crackme-metaprog/</guid>
      <description></description>
    </item>
    
    <item>
      <title>Bypassing 12 years old Xbox 360 Game Security</title>
      <link>https://whereisr0da.github.io/blog/posts/2021-01-07-forza-check/</link>
      <pubDate>Wed, 03 Feb 2021 10:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2021-01-07-forza-check/</guid>
      <description>Hi
Today I will show you how I&amp;rsquo;ve bypassed Forza 3 savegame encryption.
Long story short, an Xbox 360 emulator, Xenia, is currently in development on PC, and I&amp;rsquo;ve tried my favorite game on it. But there is a problem: Forza 3 ciphers its savegames, and as Xenia is still in development, Forza 3 crashes when you try to load a savegame. As I worked a lot on Forza when I was young, I tried to look into the issue and I successfully bypassed the savegame encryption.</description>
    </item>
    
    <item>
      <title>🔧 ✔️ Lumina : Legit mutated CSGO cheat</title>
      <link>https://whereisr0da.github.io/blog/posts/2021-01-27-lumina/</link>
      <pubDate>Wed, 27 Jan 2021 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2021-01-27-lumina/</guid>
      <description>Available here : https://github.com/whereisr0da/Lumina-Cheat
IMPORTANT UPDATE Since people definitely don&amp;rsquo;t know how to use this, things will change from now on.
Why ? Because the non-mutated version of the cheat is now detected by AVs as HackTool:Win32/GameHack.*, which means that the NON-MUTATED VERSION was injected into CSGO using bad injectors. But the point of the cheat is to use mutation to maintain a changing signature. If you don&amp;rsquo;t know how to use it with VMProtect, you should not use it at all.</description>
    </item>
    
    <item>
      <title>🔥 Quick look around VMP 3.x - Part 2 : Code Mutation</title>
      <link>https://whereisr0da.github.io/blog/posts/2021-01-26-vmp-2/</link>
      <pubDate>Tue, 26 Jan 2021 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2021-01-26-vmp-2/</guid>
      <description>Hi
Here is my short research about the VMP mutation engine.
VMProtect is a well known protection with a lot of features; its core one is its virtualization engine. It&amp;rsquo;s a very good and optimized one, even if elite crackz say that it&amp;rsquo;s not at the level of Themida. Cracking its virtualization engine is time consuming, so I&amp;rsquo;m not especially focused on it right now. But there is another feature of VMP that is interesting to me: its code mutation engine.</description>
    </item>
    
    <item>
      <title>Quick look around VMP 3.x - Part 1 : Unpacking</title>
      <link>https://whereisr0da.github.io/blog/posts/2021-01-05-vmp-1/</link>
      <pubDate>Tue, 05 Jan 2021 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2021-01-05-vmp-1/</guid>
      <description>Hi
This is my exploration around VMProtect security. VMP is a well known protection with a lot of features; the main ones are Code Mutation and Virtualization, and compared to them, the part covered here is the simplest of VMP. I will talk about all of those in future posts, but for now I will focus on the Packing and the Import Obfuscation.
Unpacking
Packing is about compressing / ciphering an executable&amp;rsquo;s sections to prevent static analysis.</description>
    </item>
    
    <item>
      <title>How to inject code into PE executables</title>
      <link>https://whereisr0da.github.io/blog/posts/2020-10-21-inject-code/</link>
      <pubDate>Wed, 21 Oct 2020 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2020-10-21-inject-code/</guid>
      <description>Hi, all.
Last year, I thought it could be a great idea to combine all possible ways to modify the code of an executable in one thread. And one year later, this is it! The post is out! (thanks to caffeine)
There are a lot of reasons to modify / inject code into an assembled executable :
 Inject a shellcode into a legit program to make it a malware
 Modify a program to patch a vulnerability while the update is not available (cc 0patch)
 Crack a program to bypass a check
 Make a malware or a protection change its signature to be &amp;ldquo;FUD&amp;rdquo;
 Code a cheat for a game (more about runtime modification)
 Just make a &amp;ldquo;strong&amp;rdquo; security (assembly level, more about runtime modification again)
Here is what you can do from each perspective.</description>
    </item>
    
    <item>
      <title>CSAW CTF 2020 : Cuba Write-Up</title>
      <link>https://whereisr0da.github.io/blog/posts/2020-09-13-kernel-write-up/</link>
      <pubDate>Sun, 13 Sep 2020 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2020-09-13-kernel-write-up/</guid>
      <description>Hi
This is my write-up for the challenge Cuba of CSAW CTF 2020 :
So this challenge is a CUDA program wrapped in a Windows executable. CUDA is a GPU language created by NVIDIA to program GPUs with a high-performance language.
https://docs.nvidia.com/cuda/cuda-c-programming-guide/index.html
Luckily there is a public SDK for it, with a disassembler :
https://docs.nvidia.com/cuda/cuda-binary-utilities/index.html
Using a tool called cuobjdump, we can extract the assembly code :
To extract ptx text from a host binary, use the following command: cuobjdump -ptx &amp;lt;host binary&amp;gt;
And after reversing the output, we can see that it&amp;rsquo;s a simple xor looping through a ciphered flag</description>
    </item>
    
    <item>
      <title>[7/10] - LeQRCodeSurMonPC</title>
      <link>https://whereisr0da.github.io/blog/posts/2020-08-20-crackme-qrcode/</link>
      <pubDate>Thu, 20 Aug 2020 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2020-08-20-crackme-qrcode/</guid>
      <description></description>
    </item>
    
    <item>
      <title>🔥 Improvements of fuzzing techniques in Vuzzer</title>
      <link>https://whereisr0da.github.io/blog/posts/2020-08-06-vuzzer/</link>
      <pubDate>Thu, 06 Aug 2020 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2020-08-06-vuzzer/</guid>
      <description>Hi, this is my report of my academic internship at the University of Bristol’s Cyber Security group.
This Cyber Security group works on many projects to protect computer systems. One of them is Vuzzer, a program that tries to discover vulnerabilities independently within applications. This project helped the cyber security community, but there are still a lot of features that could be added to make it more powerful.
It’s in this context that I was tasked with improving the existing software, in order to make it more effective.</description>
    </item>
    
    <item>
      <title>🔧 ✔️ Vuzzer64&#43;&#43; : Improved version of Vuzzer64</title>
      <link>https://whereisr0da.github.io/blog/posts/2020-08-09-vuzzer&#43;&#43;/</link>
      <pubDate>Thu, 06 Aug 2020 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2020-08-09-vuzzer&#43;&#43;/</guid>
      <description>Vuzzer64++ I made a post on my blog about my research and all the details of my improvements : Improvements of fuzzing techniques in Vuzzer
Context : Vuzzer is a program that tries to discover vulnerabilities independently within applications. This project helped the cyber security community, but there are still a lot of features that could be added to make it more powerful. It’s in this context that I was tasked with improving the existing software during my internship.</description>
    </item>
    
    <item>
      <title>Why last VAC Anticheat update is useless</title>
      <link>https://whereisr0da.github.io/blog/posts/2020-06-30-vac-useless/</link>
      <pubDate>Tue, 30 Jun 2020 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2020-06-30-vac-useless/</guid>
      <description>A couple of days ago, Valve released a new update for CSGO that &amp;ldquo;improves&amp;rdquo; its already pointless anticheat. And I decided to make a thread about it because it&amp;rsquo;s stupidly funny.
The article blur
In this article, they detail :
I will analyse this paragraph by paragraph.
So let&amp;rsquo;s start with the second one: they will &amp;ldquo;restrict&amp;rdquo; the types of programs and files that can interact with the game. If you don&amp;rsquo;t know CSGO, and common programs&amp;rsquo; behaviour, know that some programs that have overlays, like Discord, OBS, Nvidia stuff, need to inject DLLs (see my post about hooking functions) to execute code in the CSGO process, for overlay purposes.</description>
    </item>
    
    <item>
      <title>[3/10] - VM Intro</title>
      <link>https://whereisr0da.github.io/blog/posts/2020-05-10-crackme-vm1/</link>
      <pubDate>Sun, 10 May 2020 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2020-05-10-crackme-vm1/</guid>
      <description></description>
    </item>
    
    <item>
      <title>🔧 %70 PERandomizer : PE polymorpher</title>
      <link>https://whereisr0da.github.io/blog/posts/2020-04-11-perandomizer/</link>
      <pubDate>Sat, 11 Apr 2020 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2020-04-11-perandomizer/</guid>
      <description>🙁 Oops, work in progress. This thread is not available.</description>
    </item>
    
    <item>
      <title>Quick analysis about Jar2exe protection 3</title>
      <link>https://whereisr0da.github.io/blog/posts/2020-02-01-jar2exe/</link>
      <pubDate>Sat, 01 Feb 2020 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2020-02-01-jar2exe/</guid>
      <description>Hi
Today I will show how I unpacked Jar2Exe protection 3.
I made a tool called Exe2Jar that unpacks Jar2Exe protections 1 and 2. It was a school project so I didn&amp;rsquo;t look that much at protection 3, and someone showed me an issue about the output of my program regarding protection 3. So I decided to rework it and implement protection 3 support.
Exe2Jar : https://github.com/whereisr0da/exe2jar</description>
    </item>
    
    <item>
      <title>🛠 40% : Obfuscation with Windows PE - Part 1</title>
      <link>https://whereisr0da.github.io/blog/posts/2020-09-28-obfu.1-lock/</link>
      <pubDate>Sat, 28 Sep 2019 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2020-09-28-obfu.1-lock/</guid>
      <description>🙁 Oops, work in progress. This thread is not available.</description>
    </item>
    
    <item>
      <title>🔧 ✔️ Serana : .NET PE parser library</title>
      <link>https://whereisr0da.github.io/blog/posts/2019-07-08-serana/</link>
      <pubDate>Mon, 08 Jul 2019 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2019-07-08-serana/</guid>
      <description>Hi
Today I will present my current project Serana.
What is it ? Serana is a .NET library that can parse Windows executables.
This library interprets all elements of the executable and represents them in an object-oriented way.
So you can get any information of a PE structure and modify each element (in the future).
These objects can be exported (as raw file buffers) separately after modifying them, or the entire executable can be exported.</description>
    </item>
    
    <item>
      <title>Encrypt functions in Windows executables</title>
      <link>https://whereisr0da.github.io/blog/posts/2019-06-29-encrypt-func/</link>
      <pubDate>Sat, 29 Jun 2019 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2019-06-29-encrypt-func/</guid>
      <description>This is a part of my tutorial on how to protect Windows executables, so it is a little bit disconnected from my other posts, but while waiting for my big tutorial I publish this anyway.
Something that you can apply along with the other encryption tricks in PE files is the encryption of functions, decrypting them at call time.
I found this trick in the Zer0Mem0ry post, originally made to bypass memory signature checks by encrypting functions at runtime.</description>
    </item>
    
    <item>
      <title>🔧 ✔️ Exe2Jar : Jar2Exe unpacker for Windows executables</title>
      <link>https://whereisr0da.github.io/blog/posts/2019-06-28-exe2jar/</link>
      <pubDate>Fri, 28 Jun 2019 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2019-06-28-exe2jar/</guid>
      <description>Today I will share a little tool called Exe2Jar
This is a Jar2Exe executable unpacker.
Jar2Exe is a cross-platform wrapper for JAR files that allows the execution of JAR files through a Windows, Linux or Mac executable, as long as the JRE is installed.
My unpacker recovers the main JAR file from these executables.
I did it for a school project with the goal of making a Java program using object-oriented programming.</description>
    </item>
    
    <item>
      <title>Deceive cross references analysis (XREF)</title>
      <link>https://whereisr0da.github.io/blog/posts/2019-06-25-xref/</link>
      <pubDate>Tue, 25 Jun 2019 17:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2019-06-25-xref/</guid>
      <description>One of the useful things in reverse engineering is xrefs (cross-references): with a complete analysis of the whole PE, variable and function addresses can be linked to the functions where they are called or used. This drastically simplifies reverse engineering, but xrefs can be a problem in the case of a security check. If you have a big executable and you want to look at the license check system, a string like “Check License” or “Enter License” can be found easily and the xrefs associated with it will show you directly what you wanted to find.</description>
    </item>
    
    <item>
      <title>[FR] Function hooking</title>
      <link>https://whereisr0da.github.io/blog/posts/2019-06-24-function-hooking/</link>
      <pubDate>Mon, 24 Jun 2019 15:14:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2019-06-24-function-hooking/</guid>
      <description>Today I wanted to write a small thread about hooking.
Function hooking means redirecting the execution of a function of an executable to code that is not its own.
This can be done in two steps :
 Injecting our code into the process (at runtime)
 Redirecting the function when it is called
To inject our code, I will use a technique called DLL injection; it is a very commonly used technique when you have to inject code into an executable at runtime and keep it more or less hidden (e.g. cheats, malware).</description>
    </item>
    
    <item>
      <title>KoreanCTF 2017 : CSHARP Write-Up</title>
      <link>https://whereisr0da.github.io/blog/posts/2019-02-27-korean-ctf/</link>
      <pubDate>Wed, 27 Feb 2019 17:41:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2019-02-27-korean-ctf/</guid>
      <description>Hi people
Starting a blog by reversing a .NET PE sounds weird to me, but I need to start somewhere :p
This is a write-up about a Korean CTF challenge, the one named CSHARP. It&amp;rsquo;s not really hard (because of .NET) but I found it interesting.
MD5 : E8B0B5173B14D118FFD687D37F1A6F06
What I used :
 DIE (Detect It Easy)
 DNSpy
Part 1 : Post analysis
The first thing to do is identify what this PE is</description>
    </item>
    
    <item>
      <title>🔧 ✔️ BitcoinNotify : Simple Windows desktop notification app</title>
      <link>https://whereisr0da.github.io/blog/posts/2017-06-06-bitcoinnotify/</link>
      <pubDate>Tue, 06 Jun 2017 17:40:00 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/posts/2017-06-06-bitcoinnotify/</guid>
      <description>A simple Windows desktop notification app to keep you aware of Bitcoin evolution
Features
 Create a desktop notification every 15 minutes (default settings)
 Show the current price of Bitcoin
 Show the difference with the last checked Bitcoin price (value, percent)
 Show investment profitability regarding the current Bitcoin price (value, percent)
Investment
You can add an investment record to be informed about the profitability of your investment, by specifying your investments as follows in the investments.</description>
    </item>
    
    <item>
      <title>About me</title>
      <link>https://whereisr0da.github.io/blog/about/</link>
      <pubDate>Wed, 24 Aug 2016 17:51:42 +0000</pubDate>
      
      <guid>https://whereisr0da.github.io/blog/about/</guid>
      <description>Whoami I&amp;rsquo;m a reverser, I love to crack things by doing reverse engineering. I&amp;rsquo;ve been doing RE since 2015 (mainly datamining and PPC RE on Xbox 360), but practicing seriously since 2018. In this blog, I try to share the research / work I&amp;rsquo;m doing during my free time.
Currently
 Looking for a job in RE
 I&amp;rsquo;m a CTF player in: r2s team
Links
Find me on :
 XMPP: r0da(at)jix(dot)im
 Github: whereisr0da
 Twitter: @r0da__
 RootMe: r0da
 Some IRCs</description>
    </item>
    
  </channel>
</rss>
