β β β ο½ππ»βΊπ«Δπ¬πβ β β β
Process injection in action: examples
1) DoublePulsar
An analysis by F-Secure of the kernel-mode payload of the well-known DoublePulsar code revealed that it uses a form of DLL injection to load a DLL into a target process (in this case, lsass.exe) using an Asynchronous Procedure Call (APC). It does not use standard Windows API calls such as LoadLibrary and does not write the DLL to disk, which makes it stealthier.
2) Cobalt Strike
Cobalt Strike is penetration testing software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors through a listener called a beacon.
> Cobalt Strike commands such as keylogger, screenshot and so on are designed to be injected into another process in order to work. The listener is injected into a specific process (a personal favorite is explorer.exe because the process is always running in a GUI environment) and the keystroke logger monitors all keystrokes via the infected process. It then reports them to the beacon console without writing to disk. This only stops when the process terminates or the keystroke logger job is terminated by the user.
3) Lazarus Group
The Lazarus Group (also known as "Hidden Cobra") is a threat group headquartered in North Korea whose malicious activities span multiple years, as far back as 2009. Since 2016, the group has been conducting "FASTCash" attacks, stealing money from ATMs of target banks in Africa and Asia. The target bank's network is compromised and malware known as Trojan.Fastcash is deployed on the network.
> An analysis of the malware reveals that malicious Advanced Interactive eXecutive ("AIX") executable files are injected into legitimate processes on the payment application servers used to handle ATM transactions. The executable allows the group to monitor, intercept and generate responses to fraudulent transaction requests using fake ISO 8583 messages (ISO 8583 is the standard used for financial transaction messaging). This allows attempts to withdraw cash via an ATM to succeed.
4) APT41
APT41 is a threat group headquartered in China and known for carrying out Chinese state-sponsored espionage campaigns dating as far back as 2012.
The group is known for its software supply chain attacks, in which TTPs developed from accessing video game production environments are reused. These TTPs are used to compromise software companies, and malicious code is injected into software updates distributed to victim organizations.
5) WINTERLOVE is a backdoor used by the group to load and execute remote code in a running process (e.g., iexplorer.exe) and can be used to enumerate system files and directories.
6) Mitigation/prevention
DLL injection is not necessarily a bad technique, as many applications use it for legitimate purposes, such as Antivirus/Endpoint Detection and Response ("EDR") solutions, which inject their own code/agents into running processes in order to monitor them and detect abnormal activity. This makes malicious injection hard to detect, especially since it runs under a legitimate process.
> Powered by wiki source
@UndercodeTesting
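The mitigation paragraph above makes the defender's problem concrete: legitimate agents inject too, so the signal is not "injection happened" but "who injected into what". One practical answer is to baseline the legitimate injectors and review everything else. The Python below is an added example, not code from the original post or from any tool it names. It classifies records shaped like the fields of Sysmon Event ID 8 (CreateRemoteThread: SourceImage, TargetImage, StartModule, StartFunction); the EDR path in the allowlist is a placeholder, and all records are constructed.

```python
"""Added example: first-pass triage of cross-process thread creation as logged
by Sysmon Event ID 8 (CreateRemoteThread). Records are constructed; the EDR
path in the allowlist is a placeholder, not a real product path."""
from typing import Dict, List, Tuple

# Placeholder allowlist of legitimate injectors (the AV/EDR agents the post
# describes). In practice this comes from your own inventory, keyed by full
# path and, ideally, verified signer.
LEGIT_INJECTORS = {
    r"c:\program files\exampleedr\edragent.exe",
}

# Processes the post names as injection targets.
SENSITIVE_TARGETS = {"lsass.exe", "explorer.exe"}


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Tuple[str, str]:
    """Classify one Event ID 8 record as (verdict, reason)."""
    src = event["SourceImage"].lower()
    target = image_name(event["TargetImage"])
    if src in LEGIT_INJECTORS:
        return "allow", "source image is an allowlisted security agent"
    if not event.get("StartModule"):
        # Thread start address not backed by any loaded module: typical of
        # code written into the target rather than a DLL entry point.
        return "high", "thread start address is not inside a loaded module"
    if target in SENSITIVE_TARGETS:
        return "high", f"remote thread created in sensitive process {target}"
    return "review", "cross-process thread creation from non-allowlisted source"


def triage(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count verdicts across a batch of records."""
    counts: Dict[str, int] = {}
    for ev in events:
        verdict, _ = classify(ev)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Program Files\ExampleEDR\edragent.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Program Files\ExampleEDR\hook.dll",
     "StartFunction": "DllMain"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "LoadLibraryA"},
    {"SourceImage": r"C:\Users\alice\Downloads\invoice.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartModule": "",
     "StartFunction": ""},
    {"SourceImage": r"C:\Program Files\Vendor\helper.exe",
     "TargetImage": r"C:\Program Files\Vendor\main.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "LoadLibraryW"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, reason = classify(ev)
        print(f"{verdict:6} {image_name(ev['SourceImage'])} -> "
              f"{image_name(ev['TargetImage'])}: {reason}")
    print(triage(SAMPLE_EVENTS))
```

This covers user-mode remote-thread injection only. Kernel-mode APC injection of the kind the DoublePulsar analysis describes never calls CreateRemoteThread and does not appear in Event ID 8 at all; that case needs memory scanning or kernel-level telemetry rather than this log rule.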
What is the system shutdown/reboot attack technique?
1) System shutdown and reboot is something that everyone who has touched a PC is at least familiar with. Attackers can use this feature to cause interruption to system access or in furtherance of target system destruction.
2) For the most part, when attackers use this technique they are not using the shutdown/reboot button in the Windows Start menu (unless they are remoted into a system unbeknownst to the user) but rather use commands to shut down or reboot. No matter which method is used, the result is the same: disrupting access to the computer-based resources of target system users.
3) Attackers may incorporate this technique after other techniques have been used to impact the target system, such as inhibit system recovery and disk structure wipe. When system shutdown/reboot is used in this way, it is intended to hasten the denial of system availability in support of those earlier techniques, acting as a supplementary technique. The system shutdown/reboot technique is useful for adversaries and can be frustrating for legitimate users (to say the least!).
The danger of abuse of system features:
1) Before we discuss the shutdown attack in any detail, we first should discuss what makes it so dangerous.
2) This attack technique is considered an abuse of system features technique. What this means is that the attacker or malicious hacker is leveraging the inherent features of the compromised system against itself. Unfortunately for compromised user systems, there is no counter-move to system shutdown/reboot because it is about as essential as information input through a keyboard or mouse.
@UndercodeTesting
> sourcewiki
What is MITRE ATT&CK?
1) MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organizational capabilities to its knowledge base, including cybersecurity.
2) To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. This information can then serve as the foundation for developing threat models and methodologies for the cybersecurity product/service community, the private sector and government.
Real-world examples of the system shutdown/reboot attack technique
Different attack groups and threats have used this technique in different ways, all toward the same end: interrupting system availability during the course of an attack.
1) APT37
This cyber-espionage group is suspected of being North Korea-based and has been around since 2012, with its targets being mainly in Asia. In their "Are you Happy?" campaign, they used a Master Boot Record (MBR) wiping technique followed by the command shutdown /r /t 1 to reboot target systems as the proverbial icing on the cake.
2) LockerGoga
LockerGoga is ransomware that has been wreaking havoc on industrial and manufacturing organizations in Europe. This relatively new ransomware has been observed shutting down infected systems. Because it targets high-stakes and critical infrastructure, shutdown is even more damaging than for non-critical infrastructure organizations.
4) NotPetya
Originally categorized as a type of ransomware, it appears that its attackers never planned on making the data it encrypts recoverable, making it more of a wiper malware. First spotted in June of 2017, NotPetya is known to reboot systems one hour after infection.
5) The problem with mitigation
As mentioned earlier in this article, this attack is an abuse of system features attack. Abuse of system features-based attacks cannot be effectively mitigated because they take advantage of legitimate, necessary features.
6) Detection of system shutdown/reboot
Unlike mitigation, system shutdown/reboot can be detected by a couple of methods. First, process monitoring should be used to watch for the command-line parameters involved in this technique and their execution. Second, Windows event logs can capture evidence of this technique: monitor for Windows event IDs 1074 and 6006.
> Powered by wiki source
@UndercodeTesting
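The detection section above names two sources: command-line monitoring and Windows event IDs 1074 and 6006. The Python below is an added example, not code from the original article, showing how those two sources combine into one rule set. It parses shutdown.exe command lines (the article's shutdown /r /t 1 is the high-severity pattern), flags event 1074 records whose initiating process is outside a small expected set (explorer.exe for the Start menu; an assumption to tune per environment), and treats a following event 6006 (Event Log service stopped) as confirmation that the machine really went down. The record fields are a simplified model of the real events, and all records are constructed.

```python
"""Added example: detection of the system shutdown/reboot technique from
process command lines and Windows event IDs 1074 / 6006. Records are
constructed, not real telemetry; field names are a simplified model."""
from datetime import datetime
from typing import Dict, List, Optional

# Processes that normally initiate a shutdown on an end-user workstation
# (the Start menu goes through explorer.exe). Assumption: tune per environment.
EXPECTED_1074_PROCESSES = {"explorer.exe"}

# A flagged request followed by event 6006 within this window counts as confirmed.
CONFIRM_WINDOW_SECONDS = 300


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows path; also strips the ' (HOST)'
    suffix that event 1074 appends to its process field."""
    return path.split(" (")[0].rsplit("\\", 1)[-1].lower()


def parse_shutdown_cmdline(cmdline: str) -> Optional[Dict[str, object]]:
    """Return {'action', 'force', 'timeout'} for a shutdown.exe reboot or
    shutdown request, or None for anything else (including 'shutdown /a')."""
    argv = cmdline.replace('"', "").split()
    if not argv or image_name(argv[0]) not in ("shutdown", "shutdown.exe"):
        return None
    action, force, timeout = None, False, 30  # shutdown.exe defaults to 30 s
    i = 1
    while i < len(argv):
        flag = argv[i].lstrip("/-").lower()
        if flag == "r":
            action = "reboot"
        elif flag == "s":
            action = "shutdown"
        elif flag == "a":
            action = "abort"
        elif flag == "f":
            force = True
        elif flag == "t" and i + 1 < len(argv) and argv[i + 1].isdigit():
            i += 1
            timeout = int(argv[i])
        i += 1
    if action in (None, "abort"):
        return None
    return {"action": action, "force": force, "timeout": timeout}


def detect(records: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Run the three rules over time-ordered records and return alerts."""
    alerts: List[Dict[str, str]] = []
    pending: List[datetime] = []  # timestamps of flagged requests awaiting 6006
    for rec in sorted(records, key=lambda r: r["time"]):
        ts = datetime.fromisoformat(rec["time"])
        eid = rec["EventID"]
        if eid == 1:  # Sysmon process creation: command-line rule
            req = parse_shutdown_cmdline(rec["CommandLine"])
            if req is None:
                continue
            # An immediate or forced reboot is the pattern the article cites.
            severity = "high" if req["force"] or req["timeout"] <= 5 else "medium"
            alerts.append({"severity": severity,
                           "message": f"{rec['User']} requested {req['action']} via "
                                      f"'{rec['CommandLine']}' (parent {image_name(rec['ParentImage'])})"})
            pending.append(ts)
        elif eid == 1074:  # User32: a process initiated shutdown/restart
            proc = image_name(rec["Process"])
            if proc not in EXPECTED_1074_PROCESSES:
                alerts.append({"severity": "medium",
                               "message": f"event 1074: {proc} initiated {rec['Action']} "
                                          f"for {rec['User']} ({rec['Reason']})"})
                pending.append(ts)
        elif eid == 6006:  # Event Log service stopped: the machine went down
            if any(0 <= (ts - t).total_seconds() <= CONFIRM_WINDOW_SECONDS for t in pending):
                alerts.append({"severity": "confirmed",
                               "message": f"event 6006 at {rec['time']} within "
                                          f"{CONFIRM_WINDOW_SECONDS}s of a flagged request"})
            pending.clear()
    return alerts


# Constructed sample records: a normal user power-off, then a scripted reboot.
SAMPLE_RECORDS = [
    {"time": "2024-01-10T09:00:00", "EventID": 1074, "Process": r"C:\Windows\Explorer.EXE",
     "Action": "power off", "User": r"CORP\alice", "Reason": "Other (Unplanned)"},
    {"time": "2024-01-10T09:00:40", "EventID": 6006},
    {"time": "2024-01-10T13:15:02", "EventID": 1, "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\Temp\updater.exe", "CommandLine": "shutdown /r /t 1"},
    {"time": "2024-01-10T13:15:02", "EventID": 1074, "Process": r"C:\Windows\system32\shutdown.exe (WS01)",
     "Action": "restart", "User": r"NT AUTHORITY\SYSTEM", "Reason": "No title for this reason could be found"},
    {"time": "2024-01-10T13:15:05", "EventID": 6006},
    {"time": "2024-01-10T13:40:00", "EventID": 1, "User": r"CORP\alice",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"C:\Windows\System32\shutdown.exe /a"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(f"[{alert['severity']}] {alert['message']}")
```

The first 1074/6006 pair (explorer.exe, interactive user) produces nothing, which is the point of the expected-process set: the article is right that the feature itself cannot be blocked, so the rule has to separate normal use from scripted use by who asked and how fast. The parent process of shutdown.exe is carried into the alert because it is usually the most useful pivot for the investigation that follows.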
2020 best free office suites:
https://microsoft-us.evyy.net/c/221109/190407/3327?subId1=trd-8953582031285387000&u=https%3A%2F%2Fproducts.office.com%2Fen-us%2Foffice-online%2Fdocuments-spreadsheets-presentations-office-online
https://www.google.co.uk/docs/about/
https://www.freeoffice.com/
https://www.wps.com/
https://www.libreoffice.org/download/download/
https://www.polarisoffice.com/en/office
https://www.zoho.com/workplace/pricing.html
Microsoft: free Microsoft Office online (Word, Excel, PowerPoint), formerly Office Online. With Microsoft 365 for the web (formerly Office 365) you can edit and share Word, Excel, PowerPoint and OneNote files on your devices using a web browser.
2020 popular IDEs & code editors for Android:
https://play.google.com/store/apps/details?id=com.aor.droidedit&hl=en > free
https://play.google.com/store/apps/details?id=xyz.iridiumion.enlightened > free
http://sololearn.com/
https://play.google.com/store/apps/details?id=com.foxdebug.acode >paid
https://play.google.com/store/apps/details?id=com.ashvin777.apps.jsitor&hl=en >paid
https://github.com/jecelyin/920-text-editor-v2 > free
https://spck.io/
Troubleshooting Slow Networks with Wireshark (956 MB)
https://www.pluralsight.com/courses/troubleshooting-slow-networks-wireshark
>Download<
2020 best game hacker Android apps (no root)
https://gamekiller.co/
https://sbgamehacker.net/
https://creehacks.net/
https://www.luckypatchers.com/
http://leoplaycard.info/
Advanced dork search & mass exploit scanner
> rooted termux/linux
FEATURES:
Engines: Google, APIs, cache, Bing, Ask, Yandex, Sogou, Exalead, Shodan
- Mass Dork Search
- Multiple instant scans.
- Mass Exploitation
- Use proxy.
- Random user agent.
- Random engine.
- Mass Extern commands execution.
- Exploits and issues search.
- XSS / SQLI / LFI / AFD scanner.
- Filter wordpress & Joomla sites.
- Wordpress theme and plugin detection.
- Find Admin page.
- Decode / Encode Base64 / MD5
- Ports scan.
- Collect IPs
- Collect E-mails.
- Auto detect errors.
- Auto detect forms.
- Auto detect Cms.
- Post data.
- Auto sequence repeater.
- Validation.
- Post and Get method
- IP Localisation
- Issues and Exploit search
- Interactive and Normal interface.
- And more...
INSTALLATION & RUN:
1) git clone https://github.com/AlisamTechnology/ATSCAN
2) cd ATSCAN
3) chmod +x ./atscan.pl
4) chmod +x ./install.sh
5) ./install.sh
6) Portable Execution: perl ./atscan.pl
Installed Tool Execution: atscan
Menu: Applications > Web Application analysis > atscan
Verified by Undercode
Hack News by Undercode
> The report shows that the botnet uses Baidu Tieba and other common services for management
1) Research reports show that the botnet run by the "double-gun" malicious program is managed through commonly used domestic services.
2) The number of bots exceeds 100,000. The researchers observed that the double-gun malicious program used Baidu Tieba pictures to distribute configuration files and malware, used Alibaba Cloud storage to host configuration files, and used Baidu statistics to manage the activity of infected hosts. URLs of Tencent Weiyun were also found many times in malware samples.
3) This is the first time a malware family has integrated the services of all three major BAT vendors (Baidu, Alibaba, Tencent) into its own program. Baidu has taken action to block the download links for the malicious code.
4) Starting May 14, we contacted the Baidu security team and took joint action to measure the spread of the malicious code and take countermeasures. As of this writing, the related malicious code download links have been blocked.
Exclusive sharing: STM32 series ID number encryption cracking method (for experts) @UndercodeTesting
1) Read out the complete program segment and search for the byte sequence "E8 F7 FF 1F", because the base address of the unique 96-bit (12-byte) ID of the STM32 is located at 0x1FFF7E8; if the program performs ID verification, it reads the ID from that address in the chip.
2) Read the 96-bit (12-byte) ID code at that address of this chip with an analysis device, and find an empty area.
3) Write the ID to that address and change the index address. For example, if the chip ID code is "34 FF DA 05 4E 50 38 31 19 65 18 43", select the starting address area 0x80000020, enter "34 FF 18 43" in the first four bytes and "34 FF DA 05 4E 50 38 31 19 65 18 43" in the following 12 bytes, and change every occurrence of the index "E8 F7 FF 1F" in the chip to "20 00 00 08".
> This is a common method of removing soft encryption
For experts: case analysis of a DS28E01 typical application and cracking method, by Undercode (2 parts)
Case: DS28E01 typical application and cracking method
Customers have frequently consulted us about decryption of the DS28E01 chip series. For this reason, our company's engineering technology department decrypted the DS28E01 chip as a typical case in order to explain it to our customers.
At present, our company specializes in providing
1. Various types of software dog cracking such as: parallel port dongle, USB dongle, license cracking;
2. Modify the software function without source code, encrypt the software after cracking, and repackage;
3. Crack the registration code and enjoy it for life for once;
4. Provide encryption lock revision service;
5. One-stop service for PCB copy board, production and processing.
The DS28E01 is generally used in encryption protection to prevent products from being easily copied and pirated.
1) The first and most popular approach is disassembly: decompile the code of the main control chip, find the encryption verification code, and then either jump directly over it or force the verification result in the modified memory (RAM) to be legal.
2) This method is very effective but complicated, and requires the cracker to be well versed in assembly instructions, chip architecture, the use of encryption chips, and the development tools of various microcontrollers and controllers.
3) Another problem is that it is not operable from a commercial point of view, because no one can guarantee that the crack can be completed until it has been completed; the decrypted machine code must be obtained first, and the customer must pay the cost of cracking the chip to obtain that machine code.
4) Finally, the customer's decryption cost is spent regardless of whether the attempt succeeds. The second method is to simulate the communication waveform at the time of verification. Slow communication can be simulated by a single-chip microcomputer (MCU); a high-speed communication protocol can only be done with a CPLD. However, before this method can work, one task must be solved: making the main control chip generate the same random number every time.
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦For Experts-Case analysis DS28E01 typical application and cracking method by undercode > 2 parts
π¦Case DS28E01 Typical Application and Cracking Method
ο»Ώο»Ώ
The DS28E01 series of chip decryption has always been consulted by customers. For this reason, our company's engineering technology department decrypted the DS28E01 chip as a typical case to explain it to our customers.
At present, our company specializes in providing
1. Various types of software dog cracking such as: parallel port dongle, USB dongle, license cracking;
2. Modify the software function without source code, encrypt the software after cracking, and repackage;
3. Crack the registration code and enjoy it for life for once;
4. Provide encryption lock revision service;
5. One-stop service for PCB copy board, production and processing.
🦑 The DS28E01 is generally used for copy protection, to keep a product from being easily copied and pirated. There are two common approaches to cracking it.
1) The first and most popular is to disassemble and decompile the firmware of the main control chip (the MCU), locate the encryption-verification code, and either jump over it or patch the verified values in RAM so that the check always passes as legal.
2) This method is very effective but complicated: the cracker must be well versed in assembly instructions, the chip architecture, the way the encryption chip is used, and the development tools for the various microcontrollers and controllers involved.
3) It is also impractical from a commercial point of view, because nobody can guarantee success before the crack is complete. The decrypted machine code of the MCU must be obtained first, so the customer has to pay the cost of cracking the chip just to obtain the machine code.
4) Finally, that cost is incurred by the customer whether or not the crack succeeds. The second method is to simulate the communication waveform seen during verification: a slow bus can be simulated by a single-chip microcontroller, while a high-speed protocol can only be handled with a CPLD. Before this method can be used, however, one task must be completed first: make the main control chip generate the same random number every time.
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
🦑 Brief introduction to the DS28E01:
1) The DS28E01 communicates with the MCU over a single-wire bus (1-Wire).
Not much to say about the bus itself, except that its timing is strict, accurate to the microsecond.
The DS28E01 has four storage areas:
2) Data memory (EEPROM): 4 pages of 32 bytes each
Key storage (secret): 8 bytes
Register page containing special-function and user bytes
Volatile scratchpad: 8 bytes
3) Over the bus the MCU can read and write only the scratchpad; it cannot directly read or write the other storage areas.
4) To write data to the data memory, load the initial key, or write to the register page, the MCU first writes the data to the scratchpad and then issues the corresponding command, which makes the chip copy the data from the scratchpad to the destination address.
5) Working principle:
The chip contains a SHA-160 (SHA-1) engine. The 55 bytes of data that enter the SHA computation, in a specific format,
6) consist of the 8-byte key, a 5-byte random number chosen by the user, the 32-byte EEPROM page content, the 7-byte ROMID, 2 fixed bytes (0xFF) and the 1-byte EEPROM address TA1.
The MCU reads the 20-byte hash value the chip computed with SHA and compares it with the hash it computes itself using the same algorithm.
7) Since the MCU must perform the same computation, it has to assemble a 55-byte message identical to the one inside the chip. Where does each part come from?
The 8-byte key: the MCU generated and wrote it itself. -> OK
The 5-byte random number: the value the MCU wrote into the scratchpad before the chip ran SHA. -> OK
The 32-byte EEPROM data: the chip returns the 32-byte page content before returning the 20-byte hash. -> OK
The 7-byte ROMID: the chip's ROMID can be read at any time. -> OK
The 2 fixed bytes: given in the datasheet. -> OK
The 1-byte TA1: the MCU writes it itself. -> OK
🦑 Typical application process:
Process 1: Initialize the DS28E01 key
The key initialization is performed only at the factory, before the product is produced, and only once.
Procedure flow chart:
1. Read the chip ROMID
2. Generate a unique 64-bit key through a certain algorithm, so that the key is different for every motherboard
3. Write the key to the chip scratchpad, and read it back to verify that it was written correctly
4. Execute the chip's load-key command, so that the chip copies the 64-bit key from the scratchpad into the key storage area
5. Finish.
Process 2: Verify the DS28E01 key
The key verification is carried out in the product application: every time the product starts, it verifies that the DS28E01 key is correct.
If the verification passes, the product runs normally. If it fails, the product is made to stop working properly by some means.
Procedure flow chart:
1. Read the chip ROMID
2. Generate the 64-bit key with the same algorithm as in the initialization process
3. Write an 8-byte random number to the chip scratchpad (only 5 bytes are used), and read it back to verify
4. Send the authenticated-read command to the chip; it returns the 32 bytes of EEPROM data and the 20-byte hash value
5. Use the data read above to build the 55-byte message and run SHA-1 over it
6. Compare the calculated hash value with the hash value read back from the chip
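The two processes above, modelled on the host side in Python, as an added example that is not code from the original post. It uses the standard library's SHA-1 and an assumed field order for the 55-byte message; the chip's real byte order, any SHA-1 variant and the command set must be taken from the DS28E01 datasheet. The per-board key derivation (`derive_board_key`, `MASTER_KEY`), the `SimulatedDS28E01` stand-in and the ROMID and page values are all constructed for the example. Its `demo()` also shows why step 3 of the verification process must use a fresh random number each time: a recorded answer is accepted again only when the same challenge is reused, which is the precondition the waveform-simulation method in the previous part relies on.

```python
"""Host-side model of the DS28E01 key initialization and verification flows."""
import hashlib
import hmac
import os

SECRET_LEN, CHALLENGE_LEN, PAGE_LEN, ROMID_LEN = 8, 5, 32, 7
FIXED_BYTES = b"\xff\xff"          # the two fixed 0xFF bytes named in the text
MESSAGE_LEN = 55

# Constructed stand-in for the factory's key-derivation secret (assumption).
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def build_message(secret, challenge, page, romid, ta1):
    """Assemble the 55 bytes both sides hash. Field ORDER here is an assumption."""
    sizes = (len(secret), len(challenge), len(page), len(romid))
    if sizes != (SECRET_LEN, CHALLENGE_LEN, PAGE_LEN, ROMID_LEN):
        raise ValueError("field length mismatch: %r" % (sizes,))
    msg = page + secret + challenge + romid + FIXED_BYTES + bytes([ta1 & 0xFF])
    assert len(msg) == MESSAGE_LEN
    return msg


def compute_mac(secret, challenge, page, romid, ta1):
    """20-byte SHA-1 of the message, as described in the text."""
    return hashlib.sha1(build_message(secret, challenge, page, romid, ta1)).digest()


def derive_board_key(romid):
    """Per-board 64-bit key from the ROMID; the text's 'certain algorithm' is
    unspecified, so this HMAC-based derivation is a constructed example."""
    return hmac.new(MASTER_KEY, romid, hashlib.sha256).digest()[:SECRET_LEN]


class SimulatedDS28E01:
    """Software stand-in for the chip: the MCU only ever touches the scratchpad."""

    def __init__(self, romid, page):
        self.romid, self.page = bytes(romid), bytes(page)
        self.scratchpad, self.secret = bytes(8), None

    def write_scratchpad(self, data):
        self.scratchpad = bytes(data).ljust(8, b"\x00")[:8]

    def read_scratchpad(self):
        return self.scratchpad

    def load_first_secret(self):
        """Copy scratchpad -> key storage (the factory load-key command)."""
        self.secret = self.scratchpad

    def read_authenticated_page(self, ta1):
        """Return the page and its MAC; the challenge is the first 5 scratchpad bytes."""
        challenge = self.scratchpad[:CHALLENGE_LEN]
        return self.page, compute_mac(self.secret, challenge, self.page, self.romid, ta1)


def initialize_key(chip):
    """Process 1: derive, write, read back, then load the key."""
    key = derive_board_key(chip.romid)
    chip.write_scratchpad(key)
    if chip.read_scratchpad() != key:
        raise RuntimeError("scratchpad read-back mismatch")
    chip.load_first_secret()
    return key


def verify_key(chip, challenge=None, ta1=0x00):
    """Process 2. The fresh random challenge is what makes a recorded answer useless."""
    if challenge is None:
        challenge = os.urandom(CHALLENGE_LEN)
    chip.write_scratchpad(challenge)
    if chip.read_scratchpad()[:CHALLENGE_LEN] != challenge:
        return False
    page, chip_mac = chip.read_authenticated_page(ta1)
    expected = compute_mac(derive_board_key(chip.romid), challenge, page, chip.romid, ta1)
    return hmac.compare_digest(expected, chip_mac)


class RecordedResponder:
    """Test double that answers every authentication with one captured transcript.
    It exists only to show that a reused challenge lets the replay pass."""

    def __init__(self, chip, challenge, ta1=0x00):
        self.romid, self.scratchpad = chip.romid, bytes(8)
        chip.write_scratchpad(challenge)
        self.page, self.mac = chip.read_authenticated_page(ta1)

    def write_scratchpad(self, data):
        self.scratchpad = bytes(data).ljust(8, b"\x00")[:8]   # echoes any challenge

    def read_scratchpad(self):
        return self.scratchpad

    def read_authenticated_page(self, ta1):
        return self.page, self.mac                             # always the recording


# Constructed sample values for the demo.
ROMID = bytes.fromhex("01aabbccddeeff")
PAGE0 = bytes(range(PAGE_LEN))
FIXED_CHALLENGE = b"\x11\x22\x33\x44\x55"


def demo():
    """(genuine chip passes, replay passes with reused challenge, replay fails with fresh one)."""
    chip = SimulatedDS28E01(ROMID, PAGE0)
    initialize_key(chip)
    genuine = verify_key(chip)
    replayer = RecordedResponder(chip, FIXED_CHALLENGE)
    replay_fixed = verify_key(replayer, FIXED_CHALLENGE)   # MCU reused the challenge
    replay_fresh = verify_key(replayer)                    # MCU drew a new one
    return genuine, replay_fixed, replay_fresh
```

`demo()` returns `(True, True, False)`: the genuine chip is accepted, the recording is accepted when the host repeats the same five challenge bytes, and rejected when the host draws fresh ones. The defensive takeaway is that the MCU's random number source, not the SHA engine, is what the second cracking method attacks, so its freshness deserves as much review as the key derivation.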