Reversing ARM Cortex-M Bit Band addresses
· ☕ 3 min read · ✍️ suidroot
While reverse-engineering the firmware on the Digoo DG-HOSA device, which I have a couple of posts on already, I ran across some memory addresses that did not directly map to peripherals. I found that these address ranges are called the bit-band region and have special functionality allowing direct access to individual bits of peripheral registers. This post gives a quick summary of what these addresses are and how to map them back to the normal peripheral addresses.

Flare-on 3 - Challenge 2
· ☕ 4 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. The archive for this challenge included 2 files. BusinessPapers.doc: data; DudeLocker.exe: PE32 executable (console) Intel 80386, for MS Windows. I first took a look at the .doc file, and it looks to be random data. After doing some initial analysis on the executable file, I found many references to encryption routines in the imports.

Flare-on 2 - Challenge 5
· ☕ 2 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. This challenge includes two files: a packet capture in PCAP format and a Windows binary. Opening up the PCAP in Wireshark, I found multiple HTTP streams submitting POST requests. I looked at each of these POST requests and saw they all have a few bytes of content.

Reversing Revil Malware – Part 2 - String Obfuscation and Configuration Setup
· ☕ 8 min read · ✍️ suidroot
This is the second in a series looking at part of the Revil malware. The first post covered a triage and unpacking of the first stage. This post will look at the high-level flow and then look in depth at the configuration embedded in the sample and some of its options. (Figure: Revil Process Diagram.) Looking at the flow diagram, there is a pretty straightforward flow to the sample. It initially sets itself up by resolving the import table, reading the embedded configuration data, and parsing command-line arguments.

Flare-on 2 - Challenge 3
· ☕ 2 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. In the third challenge, you are greeted with a nice goat named Elfie; as you type, the characters show up on the screen. As always, I start off by checking out what kind of binary I am looking at: λ file elfie elfie: PE32 executable (console) Intel 80386, for MS Windows. As I said, we are greeted by the goat that eats magic keys.

Reversing Revil Malware - Part 1 - Stage 1 Unpacker
· ☕ 3 min read · ✍️ suidroot
This is the first in a series looking at part of the REvil malware. I will start off by showing a brief triage overview of the sample and then dive into the initial details of the stage 1 unpacker. Let us get into it! Initial Triage: the Revil (aka Sodinokibi) malware is ransomware that encrypts files on a victim’s disk and leaves a note to head to a Tor link to send payment to decrypt your files.

Flare-on 2 - Challenge 2
· ☕ 3 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. The second challenge from this season built on the first challenge. It was another password entry challenge, but with a more complicated password encoding scheme. First things first, I validated what kind of file I was looking at: λ file very_succes very_succes: PE32 executable (console) Intel 80386, for MS Windows. When running the file, I entered some test data to see how it looked to a user.

Flare-on 2 - Challenge 1
· ☕ 1 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. The first challenge in the 2015 season of Flare-On was a pretty easy enter-the-password type of challenge. I started off by opening the extracted file in IDA and running it in the debugger. I stepped to the section of code that evaluates the input versus the input

Flare-on 1 - Challenge 4 - Sploitastic
· ☕ 2 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. We start off with a PDF file in Challenge 4. I begin by dumping the contents of the streams using pdf-parser from Didier Stevens' PDF-tools: pdf-parser.py -f APT9001.orig.pdf > apt5.txt. Looking through the content, I find a block of JavaScript code that looks interesting.

Flare-on 1 – Challenge 2 - Javascrap
· ☕ 5 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. In Challenge 2, the zip file extracts an HTML file and a PNG file. From the top of the HTML file, it looks pretty normal until you see the PHP tag located near the bottom of the code, which includes the PNG file from the img directory. The file looks to be a normal PNG file and displays image data when loaded.