Date Thu 19 December 2013
Author Sébastien Kaczmarek
Category Cryptography

IBM Lotus Domino is an email client rather common in companies like Microsoft Outlook. This article proposes to observe a small part of the application engine, namely one method used to store the user's password. In a second step, we will conduct a brief analysis of all used algorithms then we will see how to implement a plugin for John The Ripper to bruteforce discovered digests.

Date Wed 20 November 2013
Author Kevin Szkudlapski
Category Programming

Writing a disassembler is a tedious task. You have to decode the opcode, interpret the meaning of the operands and, finally, print the instruction correctly. Fortunately, you can count on IDA to provide modules with mapping executable, a colorful GUI, control flow graphs and so on. In this article, I'll share my feedbacks on developing an IDP module for IDA.

Date Thu 17 October 2013
Authors Cyril Cattiaux, gg
Category Cryptography

iMessage is probably one of the most trendy instant messaging systems. Apple presents it as very secure, with high cryptographic standards, including end-to-end encryption preventing even Apple from reading the messages. Is this true?

Date Mon 09 September 2013
Authors Adrien Guinet, Camille Mougey
Category Cryptography

In one of Quarkslab's projects, we came across the issue of randomizing a large set of integers, described as a list of disjoint intervals. These intervals can be represented as a sorted list of integers couples, like this one: [1,4],[10,15],[17,19],[1, 4], [10, 15], [17, 19], \ldots. The idea is to randomly and uniquely select numbers across these intervals, giving a shuffled list of numbers that belong to them. For instance, [1,10,18,4,3,11,15,17,19,12,14,13,2][1,10,18,4,3,11,15,17,19,12,14,13,2] is a possible output. Moreover, each possible permutation of the integers set should have equal probability of appearance. If you're just interested in the final library that "do the job", go directly to the implementation section to download the leeloo C++ open-source library on Github !

Date Fri 02 August 2013
Author Camille Mougey
Category Exploitation

The new jailbreak for iOS 6.1, named Evasi0n, is detailed in this article, thanks to Braden Thomas. A few more details are needed regarding the very end on the page signing cancelation. Actually, in order to evade code signed verification, the amfi.dylib is cleverly structured. The idea is as follow: force the MISValidateSignature (which returns the status of code signing verification) to always return 0. That way, one will be able to execute any unsigned code. Hence, this raises 2 questions: How to force MISValidateSignature to always return 0? How to pass the code signed verification for amfy.dylib?

Date Sat 13 July 2013
Authors Cyril Cattiaux, Kevin Szkudlapski
Category Reverse-Engineering

C++ is well-known to be tedious to analyze, the use of both inheritance and polymorphism (i.e. virtual method) makes the compiler generate indirect calls. Usually, this kind of assembly code forces the reverse engineer to execute the code in order to figure out the destination of a call. In fact, we are looking for the VFT (Virtual Function Table). This table contains all virtual methods for a specific instance of a class. This article shows how to retrieve this information to make the analysis of a C++ software easier.

Date Wed 13 March 2013
Author Alexandre Gazet
Category Reverse-Engineering

Ok, here it is, the new version of qb-sync with lots of new features: new commands, sync multiple IDBs (and thus modules) with a debugger, Windbg remote control shortcuts in IDA, etc.

Date Wed 15 August 2012
Author Fred Raynal
Category Cryptography

What was really stunning about Stuxnet and its cousins was it was "open source". Once the sample was captured, it was big to analyze, but none of its embedded secrets could escape a malware analyst. And it had many secrets! From an engineering point of view, the architecture and design are clean and efficient, which makes Stuxnet a good example to learn how to design malware. From an intelligence point of view, knowing what is targeted is valuable. For a money point of view, considering how governments are racing to buy 0 days, Stuxnet was above expensive. And all this was wasted because the payload was unprotected!

Date Mon 09 July 2012
Author Alexandre Gazet
Category Reverse-Engineering

qb-sync is an open source tool to add some helpful glue between IDA Pro and Windbg. Its core feature is to dynamically synchronize IDA's graph windows with Windbg's position.

Date Mon 14 May 2012
Author Sébastien Kaczmarek
Category Pentest

Quarks PwDump is new open source tool to dump various types of Windows credentials: local account, domain accounts, cached domain credentials and bitlocker. The tool is currently dedicated to work live on operating systems limiting the risk of undermining their integrity or stability. It requires administrator's privileges and is still in beta test.