backdoor CTF 2015: NONAME
Category: Exploit Points: 200 Author: Amanpreet Singh Difficulty: Solves: 25 Description:
Interestingly enough, even though it was not expected, Chintu found a cool website to play with, though he can't get the flag. Can you? Visit this. Submit the SHA-256 hash of the flag obtained.
Gaylord: The site evaluates the Clojure expressions it is given, so first I ran (str (all-ns)) to list all namespaces, and then (clojure.repl/dir noname.people.admin) to see what is inside that namespace. It includes flag and secret. I used (noname.people.admin/flag) to get one half of the flag.
Chuymichxinhdep: Although secret is a private variable, I used ((noname.people.admin/secret)) to obtain the other half of the flag. Problem solved.
backdoor CTF 2015: QR
Category: Misc Points: 70 Author: Abhay Bir Singh Rana Difficulty: Easy Solves: 84 Description:
Decode some QR codes at nc hack.bckdr.in 8010
chuymichxinhdep:
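# Python 2 solver for the QR challenge. Each round the service sends a QR code
# drawn with space and full-block characters; the script rewrites it as a grid
# of "0"/"1" characters, runs the local decoder script sqrd.py on it and sends
# the decoded text back.
#
# Everything received from the socket is server-controlled. It only ever
# reaches the local file 'qr'; the decoder is started with a fixed argv list
# (no shell), so the received bytes are never interpreted as a command.
import socket
from subprocess import Popen, PIPE

i = 0
sock = socket.socket()
sock.connect(("hack.bckdr.in", 8010))
s = sock.recv(1024)
print(s)
while True:
    i = i + 1
    string = ""
    s = sock.recv(65535)
    if not s:
        # recv() returns an empty string once the peer has closed the
        # connection; without this check the loop would spin forever,
        # decoding and sending empty data.
        break
    # Two spaces become "0"; two full-block characters (U+2588, UTF-8 bytes
    # e2 96 88) become "1".
    data = s.replace("\x20\x20", "0").replace("\xe2\x96\x88\xe2\x96\x88", "1")
    for line in data.split("\n"):
        # Drop the first and last character of each row and pad with "0"
        # according to the row length (47 is the author's hard-coded width).
        string = string + line[1:len(line) - 1] + "0" * (47 - len(line)) + "\n"
    # 'with' closes the file even if the write fails, and avoids shadowing the
    # Python 2 builtin 'file'.
    with open('qr', 'w') as qr_file:
        # Keep everything between offset 46 and the last 47 characters.
        qr_file.write(string[46:len(string) - 1 - 46])
    output = Popen(["python", "sqrd.py", "qr"], stdout=PIPE).communicate()[0]
    answer = output.strip()
    print("%s %s" % (i, answer))
    # sendall() retries until the whole answer is written; send() may stop
    # after a partial write.
    sock.sendall(answer)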
Convert the QR to binary only and use Strong QR to decode. After 50 submissions we've got the flag.
backdoor CTF 2015: RAPIDFIRE
Category: Misc Points: 500 Author: Amanpreet Singh Difficulty: TODO Solves: 0 Description:
I am enjoying it really. Are you? nc hack.bckdr.in 8007. Submit the SHA-256 hash of the flag obtained.
Chuymichxinhdep: Just use a brilliant source code from gaylord.
import socket, hashlib, time, requests
from geopy import GoogleV3
import re
import shelve
import omdb
# Address of the challenge service, hard-coded by the author.
# NOTE(review): the challenge description above gives port 8007, while this
# script connects to 8008 -- confirm which one is intended.
host, port = '128.199.107.60', 8008

# Set to True by the main loop when the server's text contains
# 'code is in CAPS'; get_country() then returns the component's short_name
# instead of its long_name.
rep_countrycode = False
def fib(n):
    """Return the n-th Fibonacci number, with fib(0) == 0 and fib(1) == 1.

    ``n`` is halved on every pass, so the loop runs once per binary digit of
    ``n`` rather than once per Fibonacci step. For ``n <= 0`` the loop body
    never runs and 0 is returned.
    """
    result, prev = 0, 1
    coef_a, coef_b = 1, 0
    while n > 0:
        half, low_bit = divmod(n, 2)
        if low_bit == 1:
            # Current bit is set: fold the current coefficients into the
            # running pair. Both new values are computed from the old pair.
            cross = result * coef_a
            result, prev = prev * coef_a + result * coef_b + cross, prev * coef_b + cross
        # Square the transformation for the next (more significant) bit.
        square = coef_a * coef_a
        coef_a, coef_b = 2 * coef_b * coef_a + square, coef_b * coef_b + square
        n = half
    return result
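def get_country(place_name):
    """Return the country name (or short code) for ``place_name``.

    Results are cached in the shelf file 'googly_cache', keyed by the base64
    form of the place name (Python 2 ``str.encode('base64')``). On a cache
    miss the module-level ``geolocator`` is queried and its raw response is
    stored. The country is taken from the first 'address_components' entry
    whose 'types' include 'country': its 'short_name' when the module-level
    ``rep_countrycode`` flag is set, otherwise its 'long_name'. Returns None
    when no such component exists.

    NOTE(review): ``place_name`` comes from the challenge server and is
    forwarded to the geocoding service as-is. shelve stores values with
    pickle, so opening 'googly_cache' deserializes whatever is in that file;
    keep the cache somewhere only this script can write.
    """
    gapi = shelve.open('googly_cache', writeback=True)
    try:
        try:
            wat = place_name.encode('base64')
        except UnicodeEncodeError:
            # Fallback for non-ASCII names: the characters are joined with
            # spaces, UTF-8 encoded and stripped before the base64 step.
            wat = u' '.join(place_name).encode('utf-8').strip().encode('base64')
        if wat in gapi:
            print('[*] Found in shelf')
            loc = gapi[wat]
        else:
            print('[*] Request from GGAPI')
            # NOTE(review): if the geocoder finds nothing, the .raw access
            # presumably fails on a None result -- confirm and handle if needed.
            loc = geolocator.geocode(place_name).raw
            gapi[wat] = loc
            gapi.sync()
    finally:
        # Close the shelf on every path; the original left it open when the
        # lookup raised.
        gapi.close()
    for comp in loc['address_components']:
        if 'country' in comp['types']:
            if rep_countrycode:
                return comp['short_name']  # TODO: not short_name but something else
            else:
                return comp['long_name']
    return None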
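def get_release(movie_name):
    """Return the release year that OMDb reports for ``movie_name``.

    Results are cached in the shelf file 'moviee_cache', keyed by the base64
    form of the title (Python 2 ``str.encode('base64')``). On a cache miss
    ``omdb.title`` is called and the 'year' field of its result is stored and
    returned.

    NOTE(review): ``movie_name`` comes from the challenge server and is
    forwarded to OMDb as-is. shelve stores values with pickle, so opening
    'moviee_cache' deserializes whatever is in that file; keep the cache
    somewhere only this script can write.
    """
    gapi = shelve.open('moviee_cache', writeback=True)
    try:
        try:
            wat = movie_name.encode('base64')
        except UnicodeEncodeError:
            # Fallback for non-ASCII titles: the characters are joined with
            # spaces, UTF-8 encoded and stripped before the base64 step.
            wat = u' '.join(movie_name).encode('utf-8').strip().encode('base64')
        if wat in gapi:
            print('[*] Found in shelf')
            loc = gapi[wat]
        else:
            print('[*] Request from OMDB')
            s = omdb.title(movie_name)
            loc = s['year']
            gapi[wat] = loc
            gapi.sync()
    finally:
        # Close the shelf on every path; the original left it open when the
        # lookup raised.
        gapi.close()
    return loc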
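def read_until(wat):
    """Read from the module-level ``sock`` until ``wat`` appears in the data.

    Bytes are read one at a time, so nothing past the first occurrence of
    ``wat`` is consumed. Returns everything read, including ``wat``.

    Raises:
        EOFError: the peer closed the connection before ``wat`` was seen.
            The original looped forever in that case, because recv() keeps
            returning an empty string on a closed socket.
    """
    buf = ''
    while wat not in buf:
        chunk = sock.recv(1)
        if not chunk:
            raise EOFError('connection closed before %r was received' % (wat,))
        buf += chunk
    return buf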
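def read_for_fun(sz):
    """Read exactly ``sz`` bytes from the module-level ``sock`` and return them.

    recv() may return fewer bytes than requested, so the call is repeated
    until the remaining count reaches zero.

    Raises:
        EOFError: the peer closed the connection before ``sz`` bytes arrived.
            The original looped forever in that case, because an empty read
            never reduces the remaining count.
    """
    pieces = []
    remaining = sz
    while remaining > 0:
        tmp = sock.recv(remaining)
        if not tmp:
            raise EOFError('connection closed with %d bytes still expected' % remaining)
        remaining -= len(tmp)
        pieces.append(tmp)
    return ''.join(pieces)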
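# init connection
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))
geolocator = GoogleV3()
# NOTE(review): the digit table is fetched over plain HTTP, so its content is
# not authenticated in transit; here it only affects the answers sent back.
pii = requests.get('http://www.angio.net/pi/digits/pi1000000.txt').text

# NOTE(review): PLACEHOLDER. The regular expression the author used to pull
# the value out of the numbersofprime.com page did not survive extraction of
# this write-up (the text inside the literal was stripped). Until it is
# restored, re.findall() raises TypeError in the 'prime' branch instead of
# silently sending a wrong answer.
PRIME_PAGE_PATTERN = None

# read & answer
#
# Every question is text from the challenge server. Numbers are parsed with
# int() before use; place and movie names are passed on unchanged to
# get_country() / get_release(), which forward them to third-party services.
while True:
    s = sock.recv(8192)
    if 'code is in CAPS' in s:
        rep_countrycode = True
    if s == '':
        # Fixed: the original called a bare sleep(), which is never imported
        # (only the time module is), so this line raised NameError.
        time.sleep(10)
    print(s)
    # Default answer when no question type is recognised.
    n = 'wat'
    res = n
    if 'sum' in s:
        n = int(re.findall(r'first\ (\d+)\ ', s)[0])
        if 'odd' in s:
            # Sum of the first n odd numbers.
            res = n * n
        elif 'fibonacci' in s:
            # Sum of the first n Fibonacci numbers is fib(n + 2) - 1.
            res = fib(n + 2) - 1
        elif 'natural number' in s:
            res = (n * (n + 1) // 2)
        res = str(res)
    elif 'prime' in s:
        # NOTE(review): the index sent to the site is the asked-for index plus
        # one; the reason is not visible here -- confirm against the site.
        n = int(re.findall(r'the\ (\d+)(st|nd|rd|th)', s)[0][0]) + 1
        # n is the decimal form of an int, so nothing but digits is appended
        # to the URL.
        n = str(n)
        page = requests.get('http://numbersofprime.com/prime/' + n)
        res = re.findall(PRIME_PAGE_PATTERN, page.text)[1]
        res = res.replace(',', '')
        res = res.strip()
    elif 'md5' in s:
        n = re.findall(r'of\ (.*)\n', s)[0]
        res = hashlib.md5(n).hexdigest()
    elif 'pi' in s:
        n = int(re.findall(r'the\ (\d+)(st|nd|rd|th)', s)[0][0])
        # Offset by one into the downloaded digit text.
        res = pii[n + 1]
    elif 'fibonacci' in s:
        n = int(re.findall(r'the\ (\d+)(st|nd|rd|th)', s)[0][0])
        res = str(fib(n))
    elif 'binary' in s:
        n = int(re.findall(r'of\ (\d+)\ in', s)[0])
        # bin() prefixes its result with '0b'; drop it.
        res = bin(n)[2:]
    elif 'country' in s:
        n = re.findall(r'of\ (.*)\n', s)[0]
        res = get_country(n)
    elif 'release year' in s:
        n = re.findall(r'of\ (.*)\n', s)[0]
        res = get_release(n)
    # Single-argument print() form, as used elsewhere in this script; the
    # output matches the original Python 2 print statements.
    print('[*] n =  %s' % (n,))
    print('[*] res =  %s' % (res,))
    sock.sendall(res + '\n')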
I added pycountry to get the alpha-2 code of the country. After 199 submissions we get the flag. Not a fun challenge, because of the slow server and too many stupid questions.
-chuymichxinhdep.
BabyPhD.