Windows 8 ate my cookie

Modern OSes have a feature that mitigates the exploitation of stack based buffer overflows. It basically works by writing a "cookie" value before the return address in the stack in the prologue of a function and checking it before the function returns (for further information, see [1] and [2]). This article talks about how this mitigation has been enforced in Windows 8.

more ...

TCP backdoor 32764 or how we could patch the Internet (or part of it ;))

Eloi Vanderbéken recently found a backdoor on some common routers, which is described on his GitHub here. Basically, a process that listens on the 32764 TCP port runs, sometimes accessible from the WAN interface. We scanned the v4 Internet to look for the routers that have this backdoor wild open, and gathered some statistics about them. We will also present a way to permanently remove this backdoor on Linksys WAG200G routers.

more ...

An Angular introduction, and things to keep in mind

Angular is a client side framework aimed at creating rich web applications. It adds logic declaration to the normally static HTML in order to provide a dynamic user experience. Built at Google, it is a perfect tool for building one page applications, and is made to be really accessible for the standard web developper. But some of the magic going on underneath can be tricky, doing things outside the box can be much more difficult. This article has no tutorial or introduction vocation, it just tries to shed some light on some unexpected behaviours of angular.

more ...

Have you ever played with Domino?

IBM Lotus Domino is an email client rather common in companies like Microsoft Outlook. This article proposes to observe a small part of the application engine, namely one method used to store the user's password. In a second step, we will conduct a brief analysis of all used algorithms then we will see how to implement a plugin for John The Ripper to bruteforce discovered digests.

more ...

IDA processor module

Writing a disassembler is a tedious task. You have to decode the opcode, interpret the meaning of the operands and, finally, print the instruction correctly. Fortunately, you can count on IDA to provide modules with mapping executable, a colorful GUI, control flow graphs and so on. In this article, I'll share my feedbacks on developing an IDP module for IDA.

more ...

iMessage Privacy

iMessage is probably one of the most trendy instant messaging systems. Apple presents it as very secure, with high cryptographic standards, including end-to-end encryption preventing even Apple from reading the messages. Is this true?

more ...

Unique random number set computation

In one of Quarkslab's projects, we came across the issue of randomizing a large set of integers, described as a list of disjoint intervals. These intervals can be represented as a sorted list of integers couples, like this one: $[1,4],[10,15],[17,19],...$. The idea is to randomly and uniquely select numbers across these intervals, giving a shuffled list of numbers that belong to them. For instance, $[1,10,18,4,3,11,15,17,19,12,14,13,2]$ is a possible output. Moreover, each possible permutation of the integers set should have equal probability of appearance. If you're just interested in the final library that "do the job", go directly to the implementation section to download the leeloo C++ open-source library on Github !

more ...

Evasi0n Jailbreak: Precisions on Stage 3

The new jailbreak for iOS 6.1, named Evasi0n, is detailed in this article, thanks to Braden Thomas. A few more details are needed regarding the very end on the page signing cancelation. Actually, in order to evade code signed verification, the amfi.dylib is cleverly structured. The idea is as follow: force the MISValidateSignature (which returns the status of code signing verification) to always return 0. That way, one will be able to execute any unsigned code. Hence, this raises 2 questions: How to force MISValidateSignature to always return 0? How to pass the code signed verification for amfy.dylib?

more ...

Visual C++ RTTI Inspection

C++ is well-known to be tedious to analyze, the use of both inheritance and polymorphism (i.e. virtual method) makes the compiler generate indirect calls. Usually, this kind of assembly code forces the reverse engineer to execute the code in order to figure out the destination of a call. In fact, we are looking for the VFT (Virtual Function Table). This table contains all virtual methods for a specific instance of a class. This article shows how to retrieve this information to make the analysis of a C++ software easier.

more ...

qb-sync v2

Ok, here it is, the new version of qb-sync with lots of new features: new commands, sync multiple IDBs (and thus modules) with a debugger, Windbg remote control shortcuts in IDA, etc.

more ...