▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑UPX Unpacking Process
T.me/UndercOdeTesting
🦑 Before we begin the unpacking exercise, let's understand how UPX works.
1) When you pack an executable with UPX, all existing sections (text, data, rsrc, etc.) are compressed.
2) The resulting sections are named UPX0, UPX1, and so on.
3) UPX then adds a new code section at the end of the file; at execution time this section decompresses all the packed sections.
🦑 Here is what happens when a UPX-packed EXE file runs:
1) Execution starts at the new entry point (in the code section added at the end of the file).
2) First it saves the current register state with a PUSHAD instruction.
3) All the packed sections are unpacked in memory.
4) The import table of the original executable is resolved.
5) The original register state is restored with a POPAD instruction.
6) Finally it jumps to the Original Entry Point (OEP) to begin the real execution.
🦑 Manual Unpacking of UPX
Here are the standard steps involved in any unpacking operation:
1) Debug the EXE to find the real OEP (Original Entry Point).
2) At the OEP, dump the fully unpacked program to disk.
3) Fix the import table.
Depending on the type and complexity of the packer, unpacking varies in time and difficulty. UPX is a basic packer and serves as a great example for anyone who wants to learn unpacking.
🦑 We will use OllyDbg to debug and unpack the UPX-packed EXE file.
> Although you can use any debugger, OllyDbg is one of the best ring 3 debuggers for reverse engineering, thanks to its useful plugins.
@UndercOdeOfficial
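As an added example (not code from the channel's post), a Python script that reads the PE section table and flags the UPX layout described above from a defender's side: UPX0/UPX1 section names, a section with no bytes on disk that serves as the decompression destination, and an entry point that lies outside the first section. `build_fake_pe` is a constructed header-only fixture so the script runs offline; against a real file use `upx_indicators(open(path, "rb").read())`.

```python
import struct

# Section-header layout (40 bytes) from the PE/COFF specification:
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics.
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def build_fake_pe(sections, entry_rva):
    """Constructed test fixture: a header-only PE32 image (not a real program).
    sections: list of (name, virtual_address, virtual_size, size_of_raw_data)."""
    opt_size = 224                                # PE32 optional header size
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew: PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)    # AddressOfEntryPoint
    hdrs = b"".join(
        SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, va, raw, 0, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize, raw in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def parse_pe(data):
    """Return (entry_point_rva, [section dicts]) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]
    first = pe + 24 + opt_size                    # section table follows the optional header
    secs = []
    for i in range(nsec):
        name, vsize, va, raw = SECTION_HDR.unpack_from(data, first + i * 40)[:4]
        secs.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                     "va": va, "vsize": vsize, "raw": raw})
    return entry, secs


def upx_indicators(data):
    """Heuristics matching the UPX layout described in the post. Returns a list of hits."""
    entry, secs = parse_pe(data)
    hits = []
    if any(s["name"].startswith("UPX") for s in secs):
        hits.append("UPXn section names")
    # UPX0 is the decompression destination: large virtual size, nothing on disk.
    if any(s["raw"] == 0 and s["vsize"] >= 0x1000 for s in secs):
        hits.append("section with no raw data but large virtual size")
    # The unpacking stub lives in the section UPX appended, so the entry point
    # is not in the first section where the original code normally starts.
    ep_idx = next((i for i, s in enumerate(secs)
                   if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw"])), None)
    if ep_idx is None:
        hits.append("entry point outside every section")
    elif ep_idx > 0:
        hits.append("entry point not in the first section")
    return hits
```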
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑 Detailed usage of dumpsys command in android
twitter.com/UndercOdeTC
> On an Android phone, you can enter the Android system shell with the adb shell command. This shell supports some commonly used standard commands as well as other commands specific to the Android system, which print the current status information of the system; dumpsys is one such command.
🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋
Currently running services:
SurfaceFlinger
accessibility
account
activity
alarm
android.security.keystore
appops
appwidget
assetatlas
audio
backup
battery
batterypropreg
batterystats
bluetooth_manager
clipboard
commontime_management
connectivity
consumer_ir
content
country_detector
cpuinfo
dbinfo
device_policy
devicestoragemonitor
diskstats
display
display.qservice
dreams
drm.drmManager
dropbox
entropy
gfxinfo
hardware
input
input_method
iphonesubinfo
isms
location
lock_settings
media.audio_flinger
media.audio_policy
media.camera
media.player
media_router
meminfo
mount
netpolicy
netstats
network_management
nfc
notification
package
permission
phone
power
print
procstats
samplingprofiler
scheduling_policy
search
sensorservice
serial
servicediscovery
simphonebook
sip
statusbar
telephony.registry
textservices
uimode
updatelock
usagestats
usb
user
vibrator
wallpaper
wifi
wifip2p
window
Written by UndercOde
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑Analysis of IP Fragmentation by UndercOde :
instagram.com/UndercOdeTestingCompany
🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋
1) In the TCP/IP layering, the data link layer uses the MTU (Maximum Transmission Unit) to limit the size of the packets it can transmit.
2) The MTU is the maximum amount of data that can be sent at one time, excluding the data link layer frame header; for example, the MTU of Ethernet is 1500 bytes.
3) In fact, the maximum length of a data frame is 1512 bytes, of which the frame header of an Ethernet data frame is 12 bytes.
4) When an IP datagram being sent is larger than the MTU, the IP layer must fragment it, otherwise the data cannot be sent.
Written by UndercOde
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑 Implementation of IP fragmentation
t.me/UndercOdeTesting
🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋
1) IP fragmentation occurs at the IP layer.
> Not only the source host may fragment; intermediate routers may fragment too, because different networks have different MTUs. If a link's MTU is smaller, the router may fragment the IP datagram again.
2) Reassembly of the fragments can only occur at the IP layer of the destination.
3) There are 4 bytes in the IP header for fragmentation.
> The first 16 bits are the ID of the IP datagram.
4) All fragments of the same datagram carry the same ID.
5) The destination uses this ID to determine whether IP fragments belong to the same datagram. The next 3 bits are flag bits, one of which indicates whether more fragments follow: it is 0 on the last fragment and 1 otherwise.
6) The last 13 bits give the offset of the fragment within the original data. The original data here is the TCP or UDP data carried by the IP layer, not including the IP header.
🦑 Identification field: 16 bits. Used to uniquely identify each datagram sent by the host; normally its value is incremented by 1 for every datagram sent.
> The three flag bits that follow the ID mean:
1) R: reserved, unused;
2) DF: Don't Fragment. If this bit is set to 1, the IP layer will not fragment the datagram; if it would need to, it discards the packet instead and sends an ICMP error message back to the source host.
3) MF: More Fragments. Every fragment of a datagram except the last one has this bit set to 1.
4) Fragment Offset: the offset of this fragment from the beginning of the original packet. The number of bytes is the field value multiplied by 8.
Written by UndercOde
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑How to Avoid IP Fragmentation
t.me/UndercOdeTesting
🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋
> In network programming we need to avoid IP fragmentation. Why?
1) The reason is that the IP layer has no timeout-and-retransmit mechanism.
2) If the IP layer fragments a packet and even one fragment is lost, the whole packet can only be recovered by a transport-layer retransmission.
3) That retransmission is expensive. IP fragmentation therefore greatly reduces the success rate of data transmission at the transport layer, so we must avoid it.
4) For UDP, we need to limit the size of each packet at the application layer, generally to no more than 1472 bytes, that is, Ethernet MTU (1500) minus the UDP header (8) minus the IP header (20).
5) For TCP, the application layer does not need to consider this issue, because the transport layer already handles it.
6) During the three-way handshake that establishes a connection, both parties announce their MSS (Maximum Segment Size) to each other.
7) The MSS is generally MTU minus the IP header (20) minus the TCP header (20). Segments never exceed the smaller of the two sides' MSS values, so the IP datagram is guaranteed not to exceed the MTU and IP fragmentation is avoided.
Written by UndercOde
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑 IP fragmentation example by UndercOde Support
UDP
1) Send 3,000 bytes of UDP data from 10.224.142.166 to 10.137.133.101. The packet capture is shown below.
2) As the capture shows, this UDP packet is divided into 3 IP fragments.
3) From the offset of each fragment it can be seen that the UDP data carried by the 3 fragments is 1480, 1480 and 48 bytes (3008 bytes in total, the 3,000 bytes of data plus the 8-byte UDP header); with the IP header, the fragments are 1500, 1500 and 68 bytes respectively. It can also be seen that only one fragment contains the UDP header.
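As an added example serving the "Implementation of IP fragmentation", "How to Avoid IP Fragmentation" and UDP posts (my code, not the channel's), a Python model of the 4 fragmentation bytes (16-bit ID, R/DF/MF bits, 13-bit offset in 8-byte units), a sender-side fragmenter and a destination-side reassembler. It is run on a constructed 3000-byte UDP payload over a 1500-byte MTU and reproduces the 1480/1480/48 split above; the DF case and a missing last fragment are handled as errors.

```python
import struct

IP_HDR_LEN = 20      # IPv4 header without options, as the posts assume
UDP_HDR_LEN = 8
TCP_HDR_LEN = 20
FLAG_DF = 0b010      # Don't Fragment
FLAG_MF = 0b001      # More Fragments (the reserved bit R would be 0b100)


def pack_frag_field(ident, flags, offset_bytes):
    """Encode the 4 fragmentation bytes: 16-bit ID, 3 flag bits, 13-bit offset in 8-byte units."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    units = offset_bytes // 8
    if units > 0x1FFF:
        raise ValueError("offset does not fit in 13 bits")
    return struct.pack("!HH", ident & 0xFFFF, ((flags & 0x7) << 13) | units)


def unpack_frag_field(raw):
    """Decode the 4 bytes back into (ident, flags, offset_bytes)."""
    ident, word = struct.unpack("!HH", raw)
    return ident, word >> 13, (word & 0x1FFF) * 8


def max_udp_payload(mtu):
    return mtu - IP_HDR_LEN - UDP_HDR_LEN   # 1472 on Ethernet


def mss(mtu):
    return mtu - IP_HDR_LEN - TCP_HDR_LEN   # 1460 on Ethernet


def fragment(payload, mtu, ident, df=False):
    """Split one IP payload (transport header + data) for a link with the given MTU.
    Returns [(frag_field_bytes, chunk)]. With DF set and a datagram that does not fit,
    the packet is dropped and the sender gets an ICMP error, modelled here as ValueError."""
    room = mtu - IP_HDR_LEN
    if len(payload) <= room:
        return [(pack_frag_field(ident, FLAG_DF if df else 0, 0), bytes(payload))]
    if df:
        raise ValueError("DF set and datagram exceeds MTU")
    step = room // 8 * 8                   # every chunk but the last must be a multiple of 8
    frags = []
    for off in range(0, len(payload), step):
        chunk = bytes(payload[off:off + step])
        more = FLAG_MF if off + step < len(payload) else 0
        frags.append((pack_frag_field(ident, more, off), chunk))
    return frags


def reassemble(frags):
    """Destination-side reassembly: fragments may arrive in any order; they must share
    one ID, be contiguous, and end with exactly one fragment whose MF bit is clear."""
    parts = [(*unpack_frag_field(f), c) for f, c in frags]
    parts.sort(key=lambda p: p[2])
    if len({p[0] for p in parts}) != 1:
        raise ValueError("fragments belong to different datagrams")
    expected, out = 0, bytearray()
    for i, (_, flags, off, chunk) in enumerate(parts):
        if off != expected:
            raise ValueError("gap or overlap at offset %d" % off)
        if bool(flags & FLAG_MF) == (i == len(parts) - 1):
            raise ValueError("MF bit inconsistent with position (missing last fragment?)")
        out += chunk
        expected += len(chunk)
    return bytes(out)
```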
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑 What About TCP ?
t.me/UndercOdeTesting
🦑 Send 2000 bytes of TCP data from 10.224.142.166 to 10.137.133.101. The packet capture is shown in the next picture, by UndercOde Support.
> It can be seen from the figure that the TCP data is divided into 2 IP fragments, with data sizes of 1448 and 552 bytes respectively.
> From the three-way handshake it can be seen that the MSS announced by both parties is 1460 bytes, which is exactly MTU (1500) minus the IP header (20) minus the TCP header (20). So why did the first fragment carry only 1448 bytes?
<> I personally think it should be that the TCP header plus some options occupy 12 bytes. Could someone who knows please explain?
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑 The Big Hack: how microchips were used to penetrate American companies
twitter.com/UndercOdeTC
1) To assist in due diligence, AWS, which was overseeing the acquisition, hired a third-party company to review Elemental's security, according to a person familiar with the process.
2) The first pass uncovered troubling issues, prompting AWS to take a closer look at Elemental's main product: the expensive servers that customers install in their networks to handle video compression. These servers were assembled for Elemental by Super Micro Computer Inc., a San Jose-based company (commonly known as Supermicro) that is also one of the world's largest suppliers of server motherboards, the fiberglass-mounted clusters of chips and capacitors that act as the neurons of data centers large and small. Elemental staff boxed up several servers and sent them to Ontario, Canada, for testing by the third-party security company.
3) Nested on the servers' motherboards, the testers found a tiny microchip, no larger than a grain of rice, that was not part of the boards' original design. Amazon reported the discovery to US authorities, and it sent a shudder through the intelligence community: Elemental's servers could be found in DoD data centers, the CIA's drone operations and the onboard networks of naval warships, and Elemental is just one of hundreds of Supermicro customers.
4) During a top-secret investigation, still open three years later, investigators determined that the chips allowed attackers to create an invisible doorway into any network containing the altered machines. People familiar with the matter said investigators found the chips had been inserted at factories run by manufacturing subcontractors in China.
5) This attack is more serious than the software-based incidents the world has grown accustomed to. Hardware attacks are harder to pull off and can be more devastating, promising the long-term stealth access that spy agencies are willing to invest millions of dollars and many years to obtain.
6) "Having a perfect, nation-level hardware implant surface is like witnessing a unicorn jumping over a rainbow."
7) Spies have two ways to alter the internals of computer equipment. One, known as interdiction, consists of manipulating devices while they are on their way from the manufacturer to the customer; this method is favored by US spy agencies, according to documents leaked by former National Security Agency contractor Edward Snowden. The other method is to seed the change from the very beginning.
8) One country in particular has an advantage in carrying out such attacks: China, which is estimated to make 75% of the world's mobile phones and 90% of its PCs. In practice, a seeding attack means gaining a deep understanding of the product's design, manipulating components at the factory, and ensuring that the tampered devices reach the desired location through the global logistics chain. It is like throwing a stick into the Yangtze River upstream from Shanghai and making sure it washes ashore in Seattle. "Having a perfect, nation-level hardware implant surface is like witnessing a unicorn jumping over a rainbow," said Joe Grand, a hardware hacker and the founder of Grand Idea Studio Inc. "Hardware is so far off the radar that it's almost considered black magic."
9) But this is exactly what US investigators found: two officials said the chips had been inserted during the manufacturing process by members of a People's Liberation Army unit. In Supermicro, Chinese spies appear to have found a perfect channel for what US officials now call the most significant supply chain attack on US companies.
10) An official said investigators found that the attack ultimately affected nearly 30 companies, including a large bank, government contractors, and the world's most valuable company, Apple Inc. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior Apple insiders said that in the summer of 2015 Apple, too, found malicious chips on Supermicro motherboards. Apple cut its ties with Supermicro the following year, for what it described as unrelated reasons.
Written by UndercOde
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁