Thursday, 8 October 2015

Phishing and their "obfuscated" code



I usually receive a lot of phishing and sometimes i get a mail where they attach a zip file.
after giving that zip to the antivirus, i opened it. i found this 2 files:

Now the .txt file tells you to double click the .js which is a WSH script and is what we are going to "reverse".

Ok, so this is the .js file.

now it looks like a mess.. or maybe not?
if you look closely you'll see something interesting:
There are 2 vars, one long which looks like a key then a longer one which looks like an encrypted message.
After that there is a for loop and what looks like a XOR operation:

Now the most simple cryptographic method is XOR and we have at the start something that looks like a key; So let's clean the code!
To do that, I simply use the search and replace function in Notepad++ (most of the text editors have this function).
So we have our key and our encrypted data (enc_data) and then the loop code

As you can see I commented the eval function since it exec a JavaScript code which is written as a string; since we do not know what there is in out_data (which is our decrypted data) it's better to place a console.log() (yes, I used the browser JavaScript console to exec this because it's more secure then WSH..) which will print what there will be in that out_data.
Before executing that just a few notes:
  1. I changed a little the code to make it more understandable, since there was a long inline code. 
  2. As you can see it takes enc_data and do the XOR operation with the key char by char; when the index i is equals to the length of the key, it will be updated to zero (what it essentially does is the module operation with the length of the key string).

So this is the output of that console.log():

Let's make again some clean up because it looks messy, but as you can see, this is already readable..

Ok this is quite simple:
  • There is a value which I suppose is a date (because i received that the 7 of October and the language of the mail was Italian).
  • Then a declaration of a function which is called 2 times at the end of the code.
  • Inside the function there is an encrypted list (it's a list because there is a .split() at the end of the string which is a method that returns an array of strings)
  • They checks if arg is empty or not and set the extension name which will be used later.
  • There is a for where for each element of the enc_list will do some stuff.
  • At the end, it will call the function 2 times (you'll understand why, later).
This is how the function works:
  1. Allocates a Windows Script Shell object, then it will compose a disk location (i called the variable where); it will be filled with something like: C:\Users\<username>\AppData\Local\Temp\<random number><extension>, where username is the name of the current user and extension is the file extension (".exe" and ".pdf").
  2. Initialize the variable ok to false.
  3. Initialize a XHR object (which is used to download a file from the web).
  4. Tells to the XHRObj that once downloaded the data, place it inside the file C:\Users\<username>\AppData\Local\Temp\<random number><extension> and then execute it.
  5.  Then it decrypts the enc_list one by one and once decrypted it concatenate some strings to make an URL and then tries to download the file.
  6. if it doesn't fail it stops the loop, if not then it changes the list entry and tries again.
Now the reason of that encrypted list is to have different hosts where to get that data. if I decrypt that I get these hosts: 


which I expect to be exploited websites where they uploaded their shit (aka those files + some other stuff).

If you clean all the code, removing all the obfuscation you'll get original code:

Now I'll explain the purpose of this "mess" if not clear yet:

What it does is decrypting it's internal data which download 2 file from a host; those 2 files are: an EXE and a PDF which are fetched and executed by calling download_data("") (which will fetch the exe) and download_data("&pdf=FhbanGAKJrjHEGz") (which will fetch the pdf).

Now I do not know what those files are, because i haven't executed that script; I can assume they are harmful programs (since this comes from a phishing mail).

So be always aware of what you are going to execute, because it can be really harmful like this WSH file.

if you do not know what you downloaded, delete it! do not trust what you do not know.

Tuesday, 21 July 2015

Java is Javascript (with demonstration and files)

Yes it's true, i can show you that is actually true.
JavaScript and Java are the same thing.
This will demonstrate that I'm not joking.
This is the output if executed with Java.

This is the output if opened with Firefox.

Yes, it's the same thing, so STOP saying that Java is NOT JavaScript.

These are the files i used to build that! [ZIP]

Sunday, 19 April 2015

Release - South Park Unofficial

Hi, this is my first Addon i hope you will like it!

  • Ability to play all the South Park content from and
  • Ability to play a random episode.
  • Ability to see the featured episodes.
  • German/English audio support (Spanish support will be available soon)

Download and Install:
You can manually download and then install the add-on from
Change your language from the addon settings

  • all

Release History:
  • 0.1.0 - Initial version
  • 0.1.3 - added langs and fixed geolocation
  • 0.2.1 - added support to

  • Add addon translation
  • Search
  • Add the spanish language to the script (they added it today: 04/17/2015)



Wednesday, 18 February 2015

Homemade Weather Station [PT 1]

This time i've decided to build an homemade weather station.

I've ordered a month ago a few Dallas DS18B20 one wire digital thermometer and a welded DHT11 (Hygrometer + Thermometer) from an eshop. When i started this project i forgot to buy some matrix boards so i took some really old broken boards (they were mostly old FM radio) and i have unwelded the components. After some PCB modifications i used the old board to weld the DS18B20 with a 4.7K resistor and 3 old cables got from an old (and broken) PC.

I took an old Liquorice metal box and i've isolated the components with the wire tape.

While i was searching for boards, i found an old mini engine for a model railway locomotive and welded it with 2 cables. My future plan for this engine is to use it as an Anemometer.

What's next? Well i found also a solar panel from a broken Chinese calculator (those given as gadgets in the fairs) and i've decided to use it to get the light intensity, but since i have also a photoresistor, i'll probably use both to check the light. The Anemometer (aka the engine) ,the solar panel and the photoresistor will be attached to a MCP3008 (an 8 channel ADC that i got for free).
Photoresistor  |  MCP3008 | 3.3V Solar panel
Now i'm waiting for some components like my Arduino nano v3.0 and some other parts like the raindrops sensor.

For now i've spent less then €2 (less then €1 for the DHT11, €1 for 2 DS18B20).
To test the components (for now) i've used my raspberry pi and my HD44780.

Saturday, 20 September 2014

Raspberry PI + YwRobot Arduino LCM1602 IIC V1 HD44780 LCD

Finally i have some time to write a new post.

Let's start:
I bought a YwRobot Arduino LCM1602 IIC V1 HD44780 LCD from amazon for 6,57 €

It has a I2C interface (so it will use just 2 cables, SDA & SCL, + 2 for VCC & GND).

I found some tutorials online, but they were for Arduino or python... NOTHING FOR C!!
So i decided to write a damn C lib for this component.
I had to cross check various codes/datasheets to understand how it works, but at the end i wrote it.
So, this is my lib! Enjoy it ;)
You can grab from the link at the end of the post.

    #include "stdio.h"  
    #include "string.h"  
    #include "i2c.h"  
    #include "lcd.h"  
    #define I2C_FILE_NAME "/dev/i2c-0"  
    const char* txt[]  = {  
        "I work on the PI",  
        "via liblcm1602.a"  
    int main(){  
        int i2c_dev;  
        lcd lcd0;  
        // 0x27 is the address of the i2c device  
        i2c_dev = open_i2c(I2C_FILE_NAME, 0x27);  
        if(i2c_dev <0){  
           printf("Error: %d\n", i2c_dev);  
           return 1;  
        lcd_init(&lcd0, i2c_dev);  
        lcd_print(&lcd0, txt[0], strlen(txt[0]), 0);  
        lcd_print(&lcd0, txt[1], strlen(txt[1]), 1);  
        return 0;  

Wednesday, 9 July 2014

Just a simple shell disassembler for ppc64 elfs

I had more the an hour and i decided to write a concept of shell disassembler for the ppc64 elfs, and i used capstone disassembler (capstone [git])

this was the result:

An advice: DO NOT USE MY CODE! it's buggy and has errors!


Tuesday, 14 January 2014

Reversing Wii U Executables

First thing to say, Wii U uses Executable and Linkable Format (ELF) with dynamic linking (since Wii U has a real OS), but they are different from the normal ones:

  • Wii U libraries are called RPL
  • Wii U executables are called RPX, but these are actually RPL.
The only difference between RPX and RPL is that the first one has the main entry point, but both are ELFs.Ok, so this is what i understood about the header:
/* Total size 0x500 -> elf + section table */
typedef struct __cafe_elf {
 uint8_t  e_ident[0x10]; // {0x7f,0x45,0x4c,0x46, <-- 'elf'
       // 0x01,     <-- one
       // 0x01,0x05,    <-- sdk version ?
       // 0xca,0xfe,    <-- 0xcafe
       // 0x00,0x00, ... ,0x00} 
 uint16_t e_type;  // 0xfe01 = rpl
 uint16_t e_machine;  // 0x0014 PPC
 uint32_t e_version;  // 0x00000001
 uint32_t e_entry;  // 0x02000000
 uint32_t e_phoff;  // 0x00000000
 uint32_t e_shoff;  // 0x00000040
 uint32_t e_flags;  // 0x00000000
 uint16_t e_ehsize;  // 0x0032 (54)
 uint16_t e_phentsize; // 0x0000
 uint16_t e_phnum;  // 0x0000
 uint16_t e_shentsize; // 0x0028 (40)
 uint16_t e_shnum;  // 0x0015 (19)
 uint16_t e_shstrndx; // 0x0012 (16)
 uint8_t  _pad[0xC];  // zero filled
 uint8_t  zero[0x28]; // zero filled
 uint32_t one_0;   // 0x00000001
 uint32_t one_1;   // 0x00000001
} cafe_elf;

typedef struct __cafe_elf_section_tbl {
 uint32_t flags;  // 0x08000006 <-- example
      // 0x08000000 <-- z
      // 0x00000001 <-- w
      // 0x00000002 <-- a
      // 0x00000004 <-- x
 uint32_t address; // 0x02000000 <-- memory addr (.text)
 uint32_t offset; // 0x0019D740 <-- file offset
 uint32_t size;  // 0x00003EC8 <-- compressed size
 uint32_t data0;  // 0x00000000 <-- unknown
 uint32_t data1;  // 0x00000000 <-- unknown
 uint32_t align;  // 0x00000020 (32) <-- data align
 uint32_t data3;  // 0x00000000 <-- unknown
 uint32_t data4;  // 0x00000007 <-- unknown
 uint32_t data5;  // 0x80000001 <-- unknown
} cafe_elf_section_tbl;
Each section is compressed through ZLIB and has this structure:
typedef struct __cafe_elf_section_data {
 uint32_t decompressed_size;
 uint16_t zlib_compression_hdr;
 uint8_t data[];
} cafe_elf_section_tbl;