reverse engineering
Reversing ARM Cortex-M Bit Band addresses
· β˜• 3 min read · ✍️ suidroot
While reverse-engineering the firmware on the Digoo DG-HOSA device, which I have a couple of posts on already, I ran across some memory addresses that did not map directly to peripherals. I found that these address ranges are called the bit-band region and have special functionality allowing direct access to individual bits of peripheral registers. This post gives a quick summary of what these addresses are and how to map them back to the normal peripheral addresses.
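As an added example, not code from the original post, the helper below does the reverse mapping the post describes: given a bit-band alias address seen in a disassembly, it recovers the byte address and bit number it aliases. The region constants are the architectural ARMv7-M (Cortex-M3/M4) bit-band regions: 1 MB of SRAM at 0x20000000 aliased at 0x22000000, and 1 MB of peripherals at 0x40000000 aliased at 0x42000000, each bit of each byte getting its own 32-bit alias word. The sample addresses at the bottom are constructed for illustration and are not taken from the DG-HOSA firmware.

```python
"""Added example: convert ARMv7-M bit-band alias addresses back to the
SRAM/peripheral byte address and bit they touch.

Region constants are the architectural Cortex-M3/M4 bit-band regions; the
sample addresses in the demo at the bottom are constructed, not taken from
any real firmware.
"""

# (region base, region size, alias base). Each 1 MB bit-band region has a
# 32 MB alias region: every bit of every byte gets its own 32-bit alias word.
BIT_BAND_REGIONS = (
    (0x20000000, 0x100000, 0x22000000),  # SRAM
    (0x40000000, 0x100000, 0x42000000),  # peripherals
)


def bitband_to_addr(alias_addr):
    """Return (byte_address, bit_number) for a bit-band alias address.

    Inverts: alias = alias_base + byte_offset * 32 + bit_number * 4.
    Raises ValueError for addresses outside the alias regions.
    """
    for region_base, region_size, alias_base in BIT_BAND_REGIONS:
        alias_end = alias_base + region_size * 32
        if alias_base <= alias_addr < alias_end:
            if alias_addr & 0x3:
                raise ValueError(f"alias address {alias_addr:#x} is not word aligned")
            offset = alias_addr - alias_base
            byte_offset = offset >> 5          # 32 alias bytes per target byte
            bit_number = (offset >> 2) & 0x7   # 4 alias bytes per target bit
            return region_base + byte_offset, bit_number
    raise ValueError(f"{alias_addr:#x} is not in a bit-band alias region")


def addr_to_bitband(byte_addr, bit_number):
    """Forward mapping, useful for cross-checking a decoded alias."""
    if not 0 <= bit_number <= 7:
        raise ValueError("bit_number must be 0..7")
    for region_base, region_size, alias_base in BIT_BAND_REGIONS:
        if region_base <= byte_addr < region_base + region_size:
            return alias_base + (byte_addr - region_base) * 32 + bit_number * 4
    raise ValueError(f"{byte_addr:#x} is not bit-band addressable")


def describe(alias_addr):
    """One-line description suitable for a disassembly comment.

    Peripheral registers are usually 32-bit, so also report the bit position
    within the aligned 32-bit word containing the target byte.
    """
    addr, bit = bitband_to_addr(alias_addr)
    word = addr & ~3
    word_bit = bit + 8 * (addr & 3)
    return (f"{alias_addr:#010x} -> bit {bit} of byte {addr:#010x} "
            f"(word {word:#010x}, bit {word_bit})")


if __name__ == "__main__":
    # Constructed sample aliases as a reverser might see them in firmware.
    for alias in (0x42000000, 0x4220000C, 0x42200020, 0x22000010):
        print(describe(alias))
```

The round trip through addr_to_bitband is the sanity check to run before annotating a register in Ghidra: if the alias does not reproduce from the decoded byte and bit, the address was not a bit-band access in the first place.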

Compiling Ghidra Plugins
· β˜• 4 min read · ✍️ suidroot
Recently I found a Ghidra plugin that did not have a build for the current version of Ghidra I was using, and this motivated me to figure out how to build a plugin from its source. After looking around, I did not find many writeups on building existing plugins. This writeup covers both building out a development environment that can be used for writing plugins and extending Ghidra itself, and then how to compile the plugin.

Flare-on 5 - 1
· β˜• 1 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. Starting off the Flare-on 5 series of challenges, we have a very simple password challenge; extracting the archive yields a single file. MinesweeperChampionshipRegistration.jar: Java archive data (JAR) When running the file, you are prompted for an invitation code. I unzipped the jar file, finding the metadata and a class file.

Flare-on 3 - Challenge 2
· β˜• 4 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. The archive for this challenge included 2 files. BusinessPapers.doc: data DudeLocker.exe: PE32 executable (console) Intel 80386, for MS Windows I first took a look at the .doc file, and it appears to be random data. After doing some initial analysis on the executable, I found many references to encryption routines in the imports.

Flare-On 3 - Challenges 1
· β˜• 1 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. This challenge, like a lot of first levels, is a password-decoding challenge. In the next screenshot, you can see what happens when you run the executable. I opened the binary up in IDA and found the main function. The main function starts off setting up handles to read input and loading a string from the .

Flare-on 2 - Challenge 5
· β˜• 2 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. This challenge includes two files, a packet capture in PCAP format and a Windows binary. Opening the PCAP in Wireshark, I found multiple HTTP streams submitting POST requests. I looked at each of these POST requests and saw they all carry a few bytes of content.

Reversing Revil Malware – Part 2 - String Obfuscation and Configuration Setup
· β˜• 8 min read · ✍️ suidroot
This is the second in a series looking at the REvil malware. The first post covered a triage and unpacking of the first stage. This post will look at the high-level flow and then in depth at the configuration embedded in the sample and some of its options. Revil Process Diagram Looking at the flow diagram (shown above), the sample follows a pretty straightforward flow. It initially sets itself up by resolving the import table, reading the embedded configuration data, and parsing command-line arguments.

Flare-on 2 - Challenge 3
· β˜• 2 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. In the third challenge, you are greeted with a nice goat named Elfie, and the characters you type show up on the screen. As always, I start off by checking what kind of binary I am looking at. λ file elfie elfie: PE32 executable (console) Intel 80386, for MS Windows As I said, we are greeted by this goat that eats magic keys

Reversing Revil Malware - Part 1 - Stage 1 Unpacker
· β˜• 3 min read · ✍️ suidroot
This is the first in a series looking at the REvil malware. I will start off with a brief triage overview of the sample and then dive into the initial details of the stage 1 unpacker. Let us get into it! Initial Triage The REvil (aka Sodinokibi) malware is ransomware that encrypts files on a victim's disk and leaves a note directing the victim to a Tor link to send payment to decrypt their files.

Flare-on 2 - Challenge 2
· β˜• 3 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. The second challenge from this season builds on the first. It is another password-entry challenge, but with a more complicated password encoding scheme. First things first, I validated what kind of file I was looking at. λ file very_succes very_succes: PE32 executable (console) Intel 80386, for MS Windows When running the file, I entered some test data to see how it looked to a user.

Flare-on 2 - Challenge 1
· β˜• 1 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. The first challenge of the 2015 Flare-On season was a pretty easy enter-the-password type of challenge. I started off by opening the extracted file in IDA and running it in the debugger. I stepped to the section of code that evaluates the input versus the input

Flare-on 1 - Challenge 5 - 5get_it
· β˜• 3 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. Challenge 5 brings us a DLL file; I mainly used Ghidra to statically analyze it. 5get_it: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows After Ghidra loaded and analyzed the file, I found a function at 0x1000a680 that does a few things: first it reads and writes the Run key to set up persistence for this DLL, and it also copies itself to the C:\windows\system32 directory as svchost.

Flare-on 1 - Challenge 4 - Sploitastic
· β˜• 2 min read · ✍️ suidroot
This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here. Challenge 4 starts us off with a PDF file. I began by dumping the contents of its streams using pdf-parser from Didier Stevens' PDF-tools: pdf-parser.py -f APT9001.orig.pdf > apt5.txt Looking through the output, I found a block of JavaScript code that looks interesting