In the past one and a half years I have been playing a bit with Home Automation (or Domotics / Domotica) systems. I initially bought the HomeWizard, but was pretty disappointed in it. When the HomeWizard domotica system was introduced I expected a lot of it; sadly it has not been as great as I hoped and I am currently moving over to another system. One of the things that annoyed me about the HomeWizard is the inability to add sensors to the setup which are not part of the (pretty limited) list of supported hardware. I moved to the HomeWizard from a different (alarm) system which contained a lot of 433 MHz sensors which I could not hook up to the HomeWizard. Because I did not want to throw all these sensors away I built a middleware system with an Arduino and some code which converts the unsupported codes into HomeWizard-supported codes (KaKu / CoCo style codes). The middleware receives a code and translates it into a code the HomeWizard understands. Initially designed for use with the HomeWizard, this same approach also worked with HomeSeer, Domotiga and Domoticz, none of which supported my sensors directly (most of them because they rely on the RFXCOM).
Two years ago I published my Perl2Exe back to Perl article in Digital Forensics Magazine; more information can be found in my post here. Since I published this article in a magazine, I was not allowed to post it on my own website as well, but enough time has passed and I am now allowed to publish the full article, which can be found below.
Reverse engineering Perl2Exe back to Perl
Perl2Exe is a program which converts Perl source code to standalone Windows executable files which hide the Perl code. When a forensic investigator encounters a Perl2Exe program (for example malware) it can take a lot of effort to analyse these files. This article describes a new and easy to follow approach to recover the full Perl source code from these Perl2Exe executable files, making the analysis of these files much easier.
This video shows one hundred fake profiles on the dating website Badoo. Most of these profiles were encountered in just a couple of days during normal usage of the website. Most of them are still active at the time of the release of this video (and long after that).
These profiles are probably a combination of scammers, catfish and people hiding behind other people's pictures.
If something is too good to be true, it is probably too good to be true, also in the e-dating world.
Crypto hardware Plug-over attack
Hiding your data in plain sight – USB hardware hiding
Convert cheap 433Mhz sensors to KaKu/CoCo with an Arduino convertor
Repair a broken HP LaserJet printer by baking it
iPod dock adapter for the Motorola Droid/Milestone
Bypassing Apple’s Video Out protection for less than $5
Forensic hardware – Don’t just blindly trust it
Motorola Droid 4 – Broken screen and data recovery
Soon: Home automation setup
ASIS CTF 2015 write-ups
Eindbazen ebCTF write-ups
Swiss Cyber Storm
Swiss Cyber Storm write-up 1: CarGame Challenge 4
Swiss Cyber Storm write-up 2: CarGame Challenge 5
Swiss Cyber Storm write-up 3: Social Challenge
Soon: How to organize a good CTF
Reverse Engineering Perl2Exe back to Perl
Perl2Exe back to Perl – 2014
Perl2Exe back to Perl – 64-bit (with x64_dbg)
Getting rid of the Buma Stemra ransomware malware
Getting rid of the Buma Stemra ransomware malware – Windows 7
A friend of mine asked me to take a look at his Garmin Edge 500 GPS bike computer, since it was missing some of his tracks. After opening the device's flash drive in FTK Imager I noticed that the Activities directory did not contain any of the track data (.fit files) for 2014. Since I could not find the data on the device as lost or deleted items either, I decided to try some file carving. The first thing I did was create an image of the full flash drive (which also included the currently present .fit files) with FTK Imager; the resulting (uncompressed) image was only 56 MB. There does not seem to be a lot of storage in the unit.
To be able to carve you need to know some specific information about the file type the device uses, such as the header, footer and file size. If you are lucky this information is already present in the config file of the carving tool you use (Scalpel in this case); .fit files, however, are not in that config file.
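The header, footer and file size the carver needs, worked out for .fit files as an added example (not part of the original post and not the author's Scalpel configuration). Per Garmin's published FIT protocol a FIT file starts with a header whose first byte is the header size (12 or 14), whose bytes 4-7 hold the little-endian size of the data records that follow, and whose bytes 8-11 are the ASCII signature ".FIT"; the file ends with a 16-bit CRC over everything before it. There is no fixed footer, so instead of a Scalpel `header`/`footer`/`max-size` line the carver below reads the declared size from the header and cuts out exactly `header_size + data_size + 2` bytes, then uses the trailing CRC to reject false positives. The disk image it scans is constructed inline.

```python
import struct

MAGIC = b".FIT"          # sits at offset 8 of every FIT file header

# Nibble table of the FIT CRC-16 (the reflected 0x8005 polynomial, i.e. CRC-16/ARC).
_CRC_TABLE = (
    0x0000, 0xCC01, 0xD801, 0x1400, 0xF001, 0x3C00, 0x2800, 0xE401,
    0xA001, 0x6C00, 0x7800, 0xB401, 0x5000, 0x9C01, 0x8801, 0x4400,
)


def fit_crc16(data: bytes, crc: int = 0) -> int:
    """CRC-16 as specified for FIT files: low nibble first, then high nibble."""
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            tmp = _CRC_TABLE[crc & 0x0F]
            crc = (crc >> 4) & 0x0FFF
            crc = crc ^ tmp ^ _CRC_TABLE[nibble]
    return crc


def fit_length_at(image: bytes, start: int):
    """Total file length declared by the FIT header at `start`, or None if no header."""
    if start < 0 or start + 12 > len(image):
        return None
    header_size = image[start]
    if header_size not in (12, 14):          # the only valid FIT header sizes
        return None
    if image[start + 8:start + 12] != MAGIC:
        return None
    data_size = struct.unpack_from("<I", image, start + 4)[0]
    return header_size + data_size + 2      # header + records + 16-bit file CRC


def carve_fit(image: bytes, verify_crc: bool = True):
    """Carve FIT files from a raw image; returns a list of (offset, blob).

    With verify_crc the trailing file CRC must match. Disable it to also pick up
    truncated or partly overwritten files, at the cost of false positives, since
    the declared length is then the only evidence.
    """
    found = []
    pos = image.find(MAGIC)
    while pos != -1:
        start = pos - 8                      # the signature is 8 bytes into the header
        total = fit_length_at(image, start)
        if total is not None and start + total <= len(image):
            blob = image[start:start + total]
            stored = struct.unpack_from("<H", blob, total - 2)[0]
            if not verify_crc or fit_crc16(blob[:-2]) == stored:
                found.append((start, blob))
        pos = image.find(MAGIC, pos + 1)
    return found


def build_fit(records: bytes, header_size: int = 14) -> bytes:
    """Wrap opaque record bytes in a minimal, CRC-correct FIT container.
    Only used to construct sample data; record contents are not decoded here."""
    header = bytearray(struct.pack("<BBHI4s", header_size, 0x10, 2000,
                                   len(records), MAGIC))
    if header_size == 14:                    # 14-byte headers carry a header CRC
        header += struct.pack("<H", fit_crc16(bytes(header)))
    body = bytes(header) + records
    return body + struct.pack("<H", fit_crc16(body))


# Constructed sample image: two valid files, a decoy ".FIT" string with an
# impossible header size, and one file with a flipped byte inside its records.
FIT_A = build_fit(bytes(range(40)), header_size=14)
FIT_B = build_fit(b"\x40" * 17, header_size=12)
CORRUPT = bytearray(FIT_A)
CORRUPT[20] ^= 0xFF
DECOY = b"\x63xxxxxxx.FITzzzz"
IMAGE = (b"\x00" * 512 + FIT_A + b"\xff" * 33 + DECOY + FIT_B
         + b"\x00" * 100 + bytes(CORRUPT) + b"\x00" * 16)


if __name__ == "__main__":
    for offset, blob in carve_fit(IMAGE):
        print(f"FIT file at offset {offset}: {len(blob)} bytes")
```

On a real image you would read the FTK Imager dd output with `open(path, "rb").read()` (56 MB fits in memory comfortably) and write each blob to its own file. A first run with `verify_crc=False` followed by a run with it enabled tells you which recovered activities are intact and which were partly overwritten.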
This is a column in Dutch I wrote for Deloitte in February 2013 about ‘ethical hacking’, stored here for archiving purposes.
In the August issue of Digital Forensics Magazine (DFM) you can find my article on reverse engineering Perl2Exe. The article describes a way to recover the source code of a Perl program from the executable created with the Perl2Exe program.
Perl2Exe is a program which converts Perl source code to standalone Windows executable files which hide the Perl code. When a forensic investigator encounters a Perl2Exe program (for example malware) it can take a lot of effort to analyse these files. This article describes a new and easy to follow approach to recover the full Perl source code from these Perl2Exe executable files, making the analysis of these files much easier.
Perl2Exe converts the source code of the Perl script by packing it inside a single executable together with a Perl interpreter. The Perl source code is included inside the executable in encrypted form and thus it cannot easily be recovered from the executable.
In the past there have been a couple of other projects to retrieve the Perl source code from Perl2Exe executable files (see boxout 1). However, none of these projects work with the current versions of Perl and Perl2Exe. In the past couple of years there have been a number of Perl2Exe versions released (see boxout 2) and each new version seems to break the previously found solutions to recover the Perl source code.
This article describes a vulnerability I found over two years ago in certain external USB and eSATA data carriers (hard drives, USB sticks) which use cryptography to help protect the data they carry. The vulnerability was found during the evaluation of multiple data carriers from different manufacturers and it seems to be quite common. Since it does not seem to be device-specific, this paper has been written to spread some knowledge and to warn the general public about it. All the manufacturers of the devices I tested which were vulnerable to this attack were notified long ago. The vulnerability described in this paper has been named the 'plug-over attack'.
Word reached me that my approach to get rid of the Buma Stemra Ransomware malware did not work on Windows 7. I initially only tested the approach on Windows XP, but I now took the time to test it on Windows 7 as well. The video below will show that the approach worked fine on Windows 7 in my test environment. While the approach is mostly the same there are some small differences.
For about a week now a new Dutch version of a piece of ransomware has been active in the Netherlands. This malware claims to be from Buma Stemra, but of course has nothing to do with the real Buma Stemra. The malware successfully takes over the system by replacing the start of explorer.exe with itself, so as soon as the system starts the malware is loaded instead of the normal Windows environment. The malware further disables editing the registry, accessing the task manager and getting access to the system in any other way. When infected with the malware you cannot access your own system anymore; the only thing the system will do is show the screen below.