766F6964 last won the day on October 25 2018

766F6964 had the most liked content!

Community Reputation

10 Good

About 766F6964

  1. 766F6964


    I think the main reason people like Ghidra is because the decompiling engine is pretty good.
  2. Title: Performing a MITM attack on the .NETGuard desktop application

     Authors: Washi, 766F6964

     Originally released on: https://www.rtn-team.cc/board

     Abstract: Code obfuscation is a method of preventing third parties from reverse engineering the inner workings of software. One cloud-based service that provides this kind of protection for .NET applications is .NETGuard. .NETGuard distributes a desktop application that interacts with .NETGuard’s API. In this paper, we show that the protocol used by the desktop application has several security flaws. The most serious flaws include the possibility of leaking account credentials and/or the original binary being restored from the generated network traffic. Additionally, the protocol performs no verification on the network traffic, which allows a Man In the Middle (MITM) attack to modify packets and send malicious content back to the client.

     Disclaimer: The intent of this article is not to determine or conclude whether .NETGuard is a good or a bad obfuscator, nor as a means of attacking the developer personally. Rather, the content of this paper focuses on critical security issues found within the .NETGuard desktop client, and the communication between the desktop client and the .NETGuard servers. The main purpose of this paper is to raise awareness about the security concerns identified and inform .NETGuard's users that their data may be at risk.

     We have communicated these security issues to the .NETGuard team, but they have fallen on deaf ears. Other than changing the plain-text passwords to a double MD5 hash, no further action was taken. A month in, the vulnerabilities are still un-patched, so we took it upon ourselves to communicate our findings to the community. Now it is for the public to decide whether or not to continue using this software.

     Video Showcase: (The video is also referenced in the paper)

     Sourcecode: The sourcecode of the attacking script can be found here.
     FAQ

     Q: I am a .NETGuard user, are my credentials and/or code leaked?
     A: If you are using the desktop client (not the browser), chances are someone might have sniffed your details and/or code, especially if you have been using (public) WiFi. To be safe, make sure your password is not shared with any other online service or you might risk becoming a victim of identity theft. Unfortunately, there is little we can do about the theft of your code.

     Q: Can I use this script to capture and modify traffic from anyone using .NETGuard?
     A: This script is a PoC only, and only works if you are able to reroute the traffic through your own machine. However, this can be achieved using various methods such as arpspoofing or configuring your router properly.

     Q: How do I obtain the password after sniffing the hash code?
     A: There are many publicly available tools to crack the hash within reasonable time. These tools include John the Ripper and HashCat. Make sure that it is configured to crack a double MD5 hashcode, i.e. hash = MD5(MD5(password))

     Q: Can I capture any (un)obfuscated file being transferred from and to the .NETGuard server with this script?
     A: Yes, the script is generic enough to be able to capture any binary file being sent or received, so long as the traffic goes through the machine running the script.

     Q: Can I modify any (un)obfuscated file being transferred from and to the .NETGuard server with this script?
     A: Currently, the framework allows it. However, the `main.py` script is set up to only modify the sample application provided in the repository. A few modifications are therefore required to make it work for other binaries.

     Q: After I ran the script I don't have internet anymore. What do I do?
     A: The script adds additional firewall rules to your system. Normally the script removes them upon shutdown, but if the script was somehow interrupted before this happened, you might need to manually remove them. You can check for the additional rules by running the following command as root:

         iptables -L

     To remove the entries, you can use the -D flag instead. E.g. to remove the first rule of the INPUT chain and the first of the OUTPUT chain, use:

         iptables -D INPUT 1
         iptables -D OUTPUT 1

     After that, the connection to the internet should be restored.

     Download: https://www81.zippyshare.com/v/7RNCs56x/file.html

     Credits: Thanks again to CodeBlue for proofreading the paper.
  3. Over a period of 7 months Washi and I wrote the Fundamentals of CIL paper (Originally released on RTN). This paper aims to be a compact and easy to understand reference for everyone who likes to learn more about the Common Intermediate Language (CIL) and about reverse engineering .NET software. It serves as a guideline for beginners, as well as a reference for more experienced people.

     The following content is covered:

       • Introduction
           • What is CIL?
           • What Is Next?
       • Basic Concepts
           • The Stack
           • Hello World!
           • Assembling IL Files
           • Disassembling IL Files
       • Basic Arithmetic
           • Loading Numerical Values
           • Arithmetic Operations
           • Arithmetic Example
           • Bitwise Operations
           • Bitwise Example
           • What Is Next?
       • Intermediate Concepts
           • Local Variables
           • Arrays
               • Creating Arrays
               • Initializing Arrays
               • Writing Data Into Arrays
               • Reading Data From Arrays
           • Summary
       • Advanced Concepts
           • Error Handling
           • Type Conversions
               • Number Types
               • Reference Types
               • Boxing/Unboxing
           • PInvoke
           • Summary
       • Object-Oriented Programming
           • Defining Complex Types
               • Access Modifiers
               • Layout Modifiers
               • Encoding Modifiers
           • Basic Polymorphism
               • Extending from Object
               • Abstract classes
               • Interfaces
           • Interacting with objects
               • Creating objects
               • Calling instance members
           • Generics
               • Defining generic types
               • Defining generic methods
               • Using generic types and methods
       • Uncommon Instructions
           • Argument iterators
           • Typed references opcodes
           • Memory related opcodes
           • Prefix opcodes
           • Invocation opcodes
       • Closing Words
           • Summary
           • Acknowledgments
           • References

     Download Paper

     Feedback is appreciated. Enjoy.

     Local copy : FundamentalsOfCIL-V2.zip
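
Added example (not part of the original posts or of the PoC repository), relating to the "hash = MD5(MD5(password))" note in the .NETGuard FAQ above: it shows that an unsalted double MD5 gives every user of the same password the same value, next to a salted, iterated verifier. The function names, the hex encoding of the inner digest and the iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def double_md5(password: str) -> str:
    """MD5(MD5(password)) as named in the FAQ.

    Assumption: the inner digest is hex-encoded before the second pass;
    the page does not say which encoding the client uses.
    """
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5(inner.encode("ascii")).hexdigest()


def make_record(password: str) -> tuple[bytes, bytes]:
    """Salted, iterated verifier: a fresh random salt per account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password

    # Unsalted and deterministic: two accounts with the same password produce
    # the same 32-hex-character value, so one precomputed table covers them all.
    print("double MD5, user A:", double_md5(pw))
    print("double MD5, user B:", double_md5(pw))

    # Salted and iterated: same password, different records, each costly to guess.
    salt_a, rec_a = make_record(pw)
    salt_b, rec_b = make_record(pw)
    print("PBKDF2 records differ:", rec_a != rec_b)
    print("PBKDF2 verifies:", verify(pw, salt_a, rec_a))
```

A salted, slow hash only protects the password behind an observed or stored verifier; it does not encrypt or authenticate the traffic, which is the separate problem the abstract describes.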