Man, I don't know, but something in the way you explain things, the way you organize your thoughts, or maybe the way you confidently talk, makes your videos fun to watch. Not to mention the actual great information that you learn from them. Keep it up. You are really up for something great.
For some reason, the malware prevents itself from running if firefox is newer than version 55. Probably, the developers wanted to make the challenge more difficult.
It would be amazing if you started a 0 to hero series explaining the basics of reverse engineering malware, as someone who also enjoys malware I find your videos fascinating but I would always love to learn more from you.
Well... This is neat. Not entirely sure why youtube decided this is my jam, but I do appreciate a good explanation and seeing someone put a lot of effort towards something.
There is a function to get version of ur firefox in that .dll file. Btw, ur way to solve this challenge is awesomeeeee =]] i never imagine u can solve this challenge in ur way =]]]] amazing video
@@LiveOverflow SPOILER ALERT: blog.attify.com/flare-on-5-writeup-part2/ "This method adds browserassist.dll to the AppInit_DLLs registry key. The AppInit_DLLs are a set of Dynamic Linked Libraries (DLL) that are loaded upon startup into the address space of every executable that links with user32.dll. Essentially, this means everytime a GUI application is run, browserassist.dll"
@@tripplefives1402 There is a similar feature on Linux that works globally-- /etc/ld.so.preload -- I've seen Linux malware utilize this to hide themselves from process and file listings.
You can try shutdown -a when you boot the VM. Also Ctrl + Alt + Del when shutting down and opening task manager from there actually interrupts the shutdown... I found the last one myself testing the very combination on shutdown
The installer drops the dll and sets a registry key. My educated guess is that newer Firefox versions does not take that registry key into consideration when loading dlls, whereas the older version does. I solved the entire challenge statically, it was interesting to bypass a few checks and analyze all the dll requests. If I recall correctly, the dll has some checks then it does 2-3 HTTP requests, retrieves some encrypted data and after a few decryption stages and data manipulation it is possible to extract the javascript inserted into the browser alongside the JSON you observed in the stack trace. At this point, I manually injected the javascript code into my browser (after deobfuscation), ran the commands and got the flag. :)
6:45 Hmm. First thing which came to my mind after I heared that the challenge surrounds around a Firefox maleware was: "Better use an older firefox version for the analysis. They might have patched something"
I love this chall, because like in real case technique at banking malware, it will injection with external dll, which means it hooking the PR_Write function and this only work at old firefox version, CMIIW
4:45 Oh wow, the old Office 2003 UI kit thing. -5:57-- That was there since Windows 8, and I believe Internet Explorer is still in Windows 10 only for backward compatibility with older applications that use the Trident engine (which IE uses) in order to render Web content.- 6:15
I think that if you find what is the vulnerability by analyzing the dll, you can search for something like "dll injection Firefox", etc. And you'll see approximately in what version it was fixed.
Really enjoy your videos despite not really getting everything. Guess I need to start learning c#, .net etc. I follow along but I would really get stuck if it was me doing the task.
@LiveOverflow doesn't work in newer FF as web extensions don't allow JS injection (from FF Quantom on-wards). Was actually one of the big motivations of why we moved over. Too bad FF Quantum messed up multiple tab handler, it is annoying. We're finally getting it backed in.
10:00 'su' doesnt mean switch user, it means super user (root). The Linux command which switches to the root user. That's why sudo runs a command as root (super user do).
So if you update your Firefox because of some vulnerability, the old injected code may work on the latest version? It sounds like the upgrade should clear the cache every time you upgrade.
bit late, but laughed that it uses ConfuserEx to obfuscate the application. Easy to tell by the "ConfusedByAttribute" as well as the decrypting, decompressing method. Also, dnspy is a lot better for reversing .NET applications. It has a clean GUI, stable, gets updated a bit, a IL Viewer; which can be handy in removing anti-debugging calls, such as CheckRemoteDebuggerPresentEx, and more functionality.
I don't recall the exact details of the code but the DLL does do version check of Firefox. If I recall correctly, it's any version before or equals to 40 that works. After the check, the DLL downloads the encrypted javascript from a pastebin and decrypts it.
Hey, ich studiere auch an der TU und wollte fragen ob du bei der IT-Sicherheits AG? Jeden Dienstag im TEL-Gebäude. Ich glaube die AG heißt Enoflag. Wäre richtig cool dich zu sehen :D
JAJJAAJAJAJAJ 11:21 "Awghh... F!" so funny. I'm just discovering your videos! All of these things you explain are amazing! Even to devs like with some years on the back! :D Super pedagogical, fun, talking pretty advanced shit (I come from the XSS video series you made, so rad) looks like a pretty deserved subscribe, that material must be assimilated by my mind. Greetings from Argentina!
This stuff looks really fun, but totally out of my skill level at the moment. Do you have / know of any places to find beginner reverse engineering challenges?
Hallöle ^^ Ich interessiere mich schon seit einigen Jahren für das Thema... Nun, da ich jetzt weiß, dass man "einfach" an solchen CTF's teilnehmen kann: Könntest du mir "Beginner"-CTF's vorschlagen, um in das Thema noch besser rein zu kommen? Mit freundlichen Grüßen, R00T
My guess is they knew you needed to use an older version of Firefox because the malware is installed as an extension and in one of their updates Mozilla removed support for most of the old extension apis.
Yeah but if you open browserassist.dll in a disassembler you will find it checks if Firefox version is higher than 55, if it is it just jumps to the end
Weird. I've never seen someone exploring the start menu links with the file explorer before. People normally just use the start menu to look at start menu entries.
Can someone explain why the dll was loaded to Firefox's memory map? I mean surely firefox did not request that dll and that dll wasn't even in the firefox folder. How does it get loaded with firefox?
The DLL loading behaviour if due to Firefox dropping support for native NPAPI (Netscape) style plugins. You cannot load them anymore since Firefox 52 I think. Browser extensions nowadays are written in JS.
About using old version of firefox, just ask yourself a question - would they publish a malicous code that would be harmfull to current version of highly used browser? I think they are not that evil.
Could you have just set the model root to 1 and bypassed the need for reversing the password, or did the dll inject the extra stuff after the password was right?
Well, I don't know how they found out that it works on old firefoxes, but I just casually use firefox... Around 38, I'm not sure; so that thing would have worked for me, and then, if I saw someone struggling to make it work, I would hint them. I assume this is a possible scenario
I cant speak for the .exe as i skipped that during my run. However there was no easy way to figure out the version needed for the .dll other than realizing that it must have been patched. Personally I found twitter to be fairly useful and not really giving away anything.
5:48 when a Mac/Linux user first encounters modern IE
LOL
I send a smile, not a frown.
@@Anti-i25 Microsoft does this in many products, including Office
Firefox had the smile feature for a long time...
windows users too, noone opens IE on purpose :D
Man, I don't know, but something in the way you explain things, the way you organize your thoughts, or maybe the way you confidently talk, makes your videos fun to watch.
Not to mention the actual great information that you learn from them.
Keep it up. You are really up for something great.
man, I was thinking exactly the same thing!!
The funniest thing about that IE smiley is the keyboard shortcut for sending a frowny face.
Linux user being paranoid on Internet Explorer
stop WINEing
@Alfie Yes, though it's just a program, not an apt package (apt does package it though).
:eyes:
5:51
LiveOverflow: "Is this a virus?"
Lol
"I decided to approach it again with logic" 😂👍
Maybe it was an NPAPI plugin, those stopped being supported in FF 52.
All new addons have to use the WebExtensionsApi now, which is quite limiting in some ways, so they probably wrote the addon on the old api
For some reason, the malware prevents itself from running if firefox is newer than version 55. Probably, the developers wanted to make the challenge more difficult.
It would be amazing if you started a 0 to hero series explaining the basics of reverse engineering malware, as someone who also enjoys malware I find your videos fascinating but I would always love to learn more from you.
Vouch
a bit late, but check out his binary exploitation videos. this should get you started.
Well... This is neat. Not entirely sure why youtube decided this is my jam, but I do appreciate a good explanation and seeing someone put a lot of effort towards something.
wow, didn't know about flare vm! Might get into analysing malware soon as well! thanks for the great video, as always!
I dont understand shit here but i feel a lot smarter now, thanks @LiveOverflow.
There is a function to get version of ur firefox in that .dll file. Btw, ur way to solve this challenge is awesomeeeee =]] i never imagine u can solve this challenge in ur way =]]]] amazing video
This is very complex but interesting, ty for your contents
Ty😠
LEECHERS!!!!!
This not that complicated look at his other stuff
i have little to no idea what youre talking about but im loving every second of it
ur videos are amazingggg!!Thanks for bringing such quality content
6:00
*open IE
*see the smile thing
*OK this actually exist!
firefox changed the way they deal with addons in quantum, including dropping support for (i believe) dll/native code based plugins (java, flash, etc.)
What was the mechanism by which the browserassist.dll got loaded into the Firefox process? Did I miss something?
I have no clue 🤷♀️
@@LiveOverflow SPOILER ALERT:
blog.attify.com/flare-on-5-writeup-part2/
"This method adds browserassist.dll to the AppInit_DLLs registry key. The AppInit_DLLs are a set of Dynamic Linked Libraries (DLL) that are loaded upon startup into the address space of every executable that links with user32.dll. Essentially, this means everytime a GUI application is run, browserassist.dll"
It's like LD_PRELOAD on Linux, just using the registry :)
@@tripplefives1402 I was saying that it's the same principle. It both instructs the dynamic linker to load certain modules, no matter the scope
@@tripplefives1402 There is a similar feature on Linux that works globally-- /etc/ld.so.preload -- I've seen Linux malware utilize this to hide themselves from process and file listings.
You can try shutdown -a when you boot the VM. Also Ctrl + Alt + Del when shutting down and opening task manager from there actually interrupts the shutdown... I found the last one myself testing the very combination on shutdown
I don't understand most of the things you say but I'm sitting here enjoying your videos hoping one day I do understand.
The installer drops the dll and sets a registry key. My educated guess is that newer Firefox versions does not take that registry key into consideration when loading dlls, whereas the older version does.
I solved the entire challenge statically, it was interesting to bypass a few checks and analyze all the dll requests.
If I recall correctly, the dll has some checks then it does 2-3 HTTP requests, retrieves some encrypted data and after a few decryption stages and data manipulation it is possible to extract the javascript inserted into the browser alongside the JSON you observed in the stack trace.
At this point, I manually injected the javascript code into my browser (after deobfuscation), ran the commands and got the flag. :)
The registry key is used by all windows software. (iirc user32.dll injects these dlls from the registry) the dll simply checks the firefox version
how can you people check a whole pe file statically? :/ I give up if it is longer than two screen-fulls. teach me, sensei!!
Microsoft does the smiley thing with ALL of their windows products (And some open source ones too) as far as I am aware.
Ye I think I saw it in Excel as well. It kind of tickled my virey-sense but apparently it belongs there.
I'm sure you're busy.. but... You should totally still make your handwriting into a font ❤
I watch this video with no knowledge of hacking, but I really feel entertained and educated by your content ;'3
6:45 Hmm. First thing which came to my mind after I heared that the challenge surrounds around a Firefox maleware was: "Better use an older firefox version for the analysis. They might have patched something"
This video gave me the missing clue to solve my first CTF (a different one of course) on my own! Thanks a lot! :D
I like puzzles. I want to obfuscate a whole bunch of code that, when deobfuscated, literally just congratulations you for solving the puzzle.
12:37
laughed my head off :D
Sadly, he's right. Adults ain't got time for solving problems and enjoying the challenge of it; we've got stuff to get done!
I love this chall, because like in real case technique at banking malware, it will injection with external dll,
which means it hooking the PR_Write function and this only work at old firefox version, CMIIW
Wow your analysis skill is so good bro
4:45 Oh wow, the old Office 2003 UI kit thing.
-5:57-- That was there since Windows 8, and I believe Internet Explorer is still in Windows 10 only for backward compatibility with older applications that use the Trident engine (which IE uses) in order to render Web content.- 6:15
i am addicted to watching your videos
your content is great, looking forward to see the next one!
I got such a nostalgic feeling when you opened PEid.
I think that if you find what is the vulnerability by analyzing the dll, you can search for something like "dll injection Firefox", etc. And you'll see approximately in what version it was fixed.
Right since every infection has a condition to meet.
this is such a great content!
you deserve more subscribers. subscribed!
Flare-on 2018 was so hard. The hardest ever :-0. Took me a month to complete.
wow! what valuable material 👍👍👍👍
I'm a simple man. I get notification of LiveOverFlow uploading a video. I watch.
PS ~ F
Same here.
A reminder that IE is not broken per se. It's designed like that.
Really enjoy your videos despite not really getting everything. Guess I need to start learning c#, .net etc. I follow along but I would really get stuck if it was me doing the task.
Great Job man
idk w a single thing in this video but they are fun to watch
@LiveOverflow doesn't work in newer FF as web extensions don't allow JS injection (from FF Quantom on-wards). Was actually one of the big motivations of why we moved over.
Too bad FF Quantum messed up multiple tab handler, it is annoying. We're finally getting it backed in.
Holy shit that was awesome. There is so much out there that i don't know!
I love your work!
10:00 'su' doesnt mean switch user, it means super user (root). The Linux command which switches to the root user. That's why sudo runs a command as root (super user do).
Yes but su can switch to other user too. It doesn't need to be root
Also, su stands for substitute user
@LiveOverflow you might already know this, to solve complicated key comparisons/generation, we can use Z3
modelling this in z3 would have taken the at elast the sameamount or longer ;)
Also: ruclips.net/video/TpdDq56KH1I/видео.html
@@LiveOverflow ok, i was practicing z3 this week, totally forgot about that video, thanks again
So if you update your Firefox because of some vulnerability, the old injected code may work on the latest version?
It sounds like the upgrade should clear the cache every time you upgrade.
Nice content! Kudos
bit late, but laughed that it uses ConfuserEx to obfuscate the application. Easy to tell by the "ConfusedByAttribute" as well as the decrypting, decompressing method. Also, dnspy is a lot better for reversing .NET applications. It has a clean GUI, stable, gets updated a bit, a IL Viewer; which can be handy in removing anti-debugging calls, such as CheckRemoteDebuggerPresentEx, and more functionality.
5:48 me laughing my ass off knowing that I have been using Windows for years
This was really interesting!
As I remember the dll hooking some function to inject the javascript. In newer version of firefox those functions don't exist so it failed :)
Congrats ! You are one smart puppy :)
Dont really understand, but it was interesting :)
Me, a Firefox user: *I'm in danger*
Off the top of my head, maybe using the latest Firefox version matching any datestamp found inside the binaries/strings?
That was awesome! I'd love to be able to de this some day, is there a place where I can start learning the basics?
Damn that’s such a complex challenge! Feeling dumb :( But at least learnt something. Gong to need a few more attempts to learn this well...
I could imagine someone just had the old Firefox because he didn't use a virtual machine as advised.
I don't recall the exact details of the code but the DLL does do version check of Firefox. If I recall correctly, it's any version before or equals to 40 that works. After the check, the DLL downloads the encrypted javascript from a pastebin and decrypts it.
1001000 1101111 1110100 1100101 1101100 111111 100000 1010100 1110010 1101001 1110110 1100001 1100111 1101111
Hey, ich studiere auch an der TU und wollte fragen ob du bei der IT-Sicherheits AG? Jeden Dienstag im TEL-Gebäude. Ich glaube die AG heißt Enoflag. Wäre richtig cool dich zu sehen :D
Thanks for the video =)
Very Thanks !!
Impressive :-)
Thanks!
What are some other websites you guys recommend for challenges like flare-on.com?
overthewire.org, hackthebox.eu
root-me.org is also great
o
JAJJAAJAJAJAJ 11:21 "Awghh... F!" so funny. I'm just discovering your videos! All of these things you explain are amazing! Even to devs like with some years on the back! :D Super pedagogical, fun, talking pretty advanced shit (I come from the XSS video series you made, so rad) looks like a pretty deserved subscribe, that material must be assimilated by my mind.
Greetings from Argentina!
5:16
>this entry point
It must be encrypted
This stuff looks really fun, but totally out of my skill level at the moment. Do you have / know of any places to find beginner reverse engineering challenges?
vulnhub.com hackthebox.eu are good places to start. Helps to know basic linux commands and a little kali knowledge.
Do you have a Discord channel? You should definitely make one!
Hallöle ^^
Ich interessiere mich schon seit einigen Jahren für das Thema...
Nun, da ich jetzt weiß, dass man "einfach" an solchen CTF's teilnehmen kann:
Könntest du mir "Beginner"-CTF's vorschlagen, um in das Thema noch besser rein zu kommen?
Mit freundlichen Grüßen,
R00T
My guess is they knew you needed to use an older version of Firefox because the malware is installed as an extension and in one of their updates Mozilla removed support for most of the old extension apis.
Would you please make a video (or post) at least listing all the software you use? (and preferably what you find them most useful for)
When the CTF was created the older version was the newest actually so they didn't tell about older versions.
Yeah but if you open browserassist.dll in a disassembler you will find it checks if Firefox version is higher than 55, if it is it just jumps to the end
nothing understood, but super cool video
Nice video....I love your videos...
what would we do if the web shell didn't have sl
Google for solutions?
A trainer wants to battle:
You were challenged by elder Internet Explorer
So if you want to still use this exploit on Firefox just write to the cache.
Good idea. I wonder it has any mechanism to prevent this. Because if you could just write your js into the cache, no exploit is needed.
The smiley face got me LOL
Weird. I've never seen someone exploring the start menu links with the file explorer before. People normally just use the start menu to look at start menu entries.
You say Character correctly, so why the blank do you use a soft 'ch' for functions NAMED AFTER THAT WORD????
Can someone explain why the dll was loaded to Firefox's memory map? I mean surely firefox did not request that dll and that dll wasn't even in the firefox folder. How does it get loaded with firefox?
Why does Firefox load a DLL that is stored in Internet Explorer's folder?
Can you include all the softwares and tools you used there in the vid description? Thanks a lot 😁
The DLL loading behaviour if due to Firefox dropping support for native NPAPI (Netscape) style plugins. You cannot load them anymore since Firefox 52 I think. Browser extensions nowadays are written in JS.
but there is still Adobe Flash capability back then .. so how does that work?
but there is still Adobe Flash capability back then .. so how does that work?
Does the requirement for the older version relate to Firefox x64 vs x86 ?
15:06 When you have watched entire Taran Van Hemert's BIG TUTORIAL
He is missing the multiple layers of effects and transitions and his screen looks much cleaner.
About using old version of firefox, just ask yourself a question - would they publish a malicous code that would be harmfull to current version of highly used browser? I think they are not that evil.
well the malware in this case seems pretty harmless- it doesnt steal your bank or anything..
.NET isn't necessarily C#... it could be Managed C++, for instance.
Hi, I recommend the OALabs youtube channel for some great video tutorials on RE!
Could you have just set the model root to 1 and bypassed the need for reversing the password, or did the dll inject the extra stuff after the password was right?
Any good suggestions of a good /r/ for this community?
Dual booting windows and linnux is fun
Well, I don't know how they found out that it works on old firefoxes, but I just casually use firefox... Around 38, I'm not sure; so that thing would have worked for me, and then, if I saw someone struggling to make it work, I would hint them. I assume this is a possible scenario
I cant speak for the .exe as i skipped that during my run. However there was no easy way to figure out the version needed for the .dll other than realizing that it must have been patched. Personally I found twitter to be fairly useful and not really giving away anything.
which also beg an important question, should browser update also invalidate the cache
1001000 1101111 1110100 1100101 1101100 111111 100000 1010100 1110010 1101001 1110110 1100001 1100111 1101111
Wow! Are you a hacker? 😳
:flushed: