Jeep SRT8 keyfob analysis

I own a Jeep and recently got my hands on an awesome HackRF Jawbreaker from a friend at Brainsilo.

Hackrf Jawbreaker Jeep SRT8 key

I checked the Jeep manual from their website and found out that the keyfob operates at 433.92MHz, which I found to be wrong after testing. It might’ve been because I own an 06, or maybe mine is just different from the one that comes from the manufacturer. I found that it works at 316567000Hz (316.567MHz). I wrote code that uses the HackRF to record data at that frequency with 8MHz sampling and …

QVM32 solution and virtualization-obfuscation

Don’t read this post if you’re still in the process of solving the previous challenge posted here. This post contains the solution and general information on virtualized code. Virtualization-obfuscations are techniques I’ve seen implemented many times in various malware and, rarely, in some software. They are also often implemented in reverse engineering challenges. Qvm32, the challenge I posted, follows a similar concept with an extra obfuscation part added to harden the process of reverse engineering the virtual …

CSAW u-boot

Unfortunately I didn’t have the time to participate in CSAW. When I get time I’ll check out the rest of CSAW and see if there’s anything interesting for a writeup (this one isn’t interesting). A friend of mine sent me an archive from the challenge to inspect before the game ended and find the flag for. The archive contained 5 files.

This is a universal bootloader; I will analyse only the u-boot file. Running the image in an ARM emulator.

The csaw command caught my attention. Das …

Krypto solution

This is a solution for Krypto, the crackme I posted a while back here. This crackme was shipped in two versions, a 32-bit and a 64-bit; I bet that no one bothered with the 64-bit. Anyway, they’re both similar. Let’s talk a little bit about it.

It starts at sub_804A170 (aka main) and takes input from argv[1]. 12 characters are taken from that input, and each 4 are put together. Then a call is made to sub_08048E10 (aka encrypt) once for each part of the input, with a key used ‘for encryption’. The key is …

Snuker’s crack1

Found a nice Linux crackme at crackmes.de by Snuker. The crackme uses two things, a key which is read here

and the username taken from the getlogin() function, and the length limit for this user is always < 10. Then we have the loop that XORs the username characters with 137h and adds+multiplies the results in ebx.

And as soon as this loop is done we XOR the result in ebx with the input key as such

The above loop and xoring parts translate to something like this in C.

Anyway, …

IDA Pro cyclic patterns.

I saw that IDA Pro is lacking a plugin that creates and searches for cyclic patterns within IDA. These patterns are sometimes useful to speed up exploitation development, so I have written three plugins: Pattern_create, which creates cyclic patterns; Pattern_offset, which finds the offset of a specific pattern; and Pattern_search, which searches the registers and all writeable memory of a process for any patterns. The plugins are open source and can be found here (github).

Debugging kernel modules

Debugging is an essential thing to know. It can help you further understand the low level and how things work step by step. You will be able to see more. Debugging the kernel or its modules seems like black magic at the beginning, but when you get used to it the black part goes away. In this post I will talk a little about my current virtual setup for debugging. To make it simple I will debug the module from the previous post in Arch Linux running QEMU running Arch Linux with kernel 3.2.9.

Getting things ready in the Host

First get qemu, create …

Kernel stack overflows (basics)

panic

In Linux, virtual memory is segregated into two parts: kernel space and user space. Kernel space is intended to be used by the kernel, and reaching the kernel data structures or having control there can allow you to do all kinds of crazy things. What I’m interested in, in this post, is privilege escalation. Jumping from nothing to everything w00t!

Stack overflows exist in the kernel too, and we will talk basically about how they can happen and how they can be exploited. I have written a simple …
