Reverse

A static analysis tool for extracting XXTEA encryption keys in ARM64 Cocos apps.

github.com/zboralski/reverse

It disassembles ARM64 functions, tracks register values and stack objects, recognizes std::string patterns (inline and heap), finds calls to XXTEA functions, extracts encryption keys and signatures, and shows annotated assembly code.

Demo

Features encryption and decryption of files once keys are extracted, including files with signatures:

./reverse libcocos2djs.so
./reverse --encrypt --key "KEY" --signature "SIG" file.lua
./reverse --decrypt --key "KEY" --signature "SIG" encrypted.luac
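To make the file format those commands operate on concrete, here is an added example in Python (not code from the reverse project) that reimplements the Cocos2d-x XXTEA wrapper: the key is zero-padded or truncated to 16 bytes, the plaintext length is stored in a trailing little-endian word, and the signature is prepended to the ciphertext as raw bytes. Those conventions are assumed from cocos2d-x's xxtea.cpp; the sample inputs are constructed. A defender can use the same code to confirm that an extracted key really opens a shipped asset, or that assets are not shipped without the expected signature.

```python
"""Cocos2d-x style XXTEA file wrapper: <signature bytes> + xxtea(data, key).
Added example; the padding, length-word and signature conventions are
assumed from cocos2d-x's xxtea.cpp."""
import struct

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9


def _mx(total, y, z, p, e, k):
    # XXTEA mixing function with 32-bit wraparound (all shifts masked).
    return ((((z >> 5) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK)))
            ^ ((total ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def _btea_encrypt(v, k):
    # Reference btea over a list of n uint32 words with a 4-word key.
    n = len(v)
    rounds = 6 + 52 // n
    total = 0
    z = v[n - 1]
    for _ in range(rounds):
        total = (total + DELTA) & MASK
        e = (total >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(total, y, z, p, e, k)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(total, y, z, n - 1, e, k)) & MASK
        z = v[n - 1]
    return v


def _btea_decrypt(v, k):
    # Exact inverse of _btea_encrypt: same round keys, words undone in reverse.
    n = len(v)
    rounds = 6 + 52 // n
    total = (rounds * DELTA) & MASK
    y = v[0]
    for _ in range(rounds):
        e = (total >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(total, y, z, p, e, k)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(total, y, z, 0, e, k)) & MASK
        y = v[0]
        total = (total - DELTA) & MASK
    return v


def _to_words(data, include_length):
    # Little-endian packing; cocos appends the byte length as an extra word.
    n = (len(data) + 3) // 4
    words = list(struct.unpack("<%dI" % n, data.ljust(n * 4, b"\0")))
    if include_length:
        words.append(len(data))
    return words


def _to_bytes(words, include_length):
    raw = struct.pack("<%dI" % len(words), *words)
    if include_length:
        length = words[-1]
        if length > (len(words) - 1) * 4:
            # A garbage length word is the usual symptom of a wrong key.
            raise ValueError("bad length word after decryption (wrong key?)")
        return raw[:length]
    return raw


def _fixed_key(key):
    # cocos2d-x truncates or zero-pads the key to exactly 16 bytes.
    return _to_words(key[:16].ljust(16, b"\0"), False)


def xxtea_encrypt(data, key):
    if not data:
        raise ValueError("empty input")
    return _to_bytes(_btea_encrypt(_to_words(data, True), _fixed_key(key)), False)


def xxtea_decrypt(blob, key):
    if len(blob) % 4 or len(blob) < 8:
        raise ValueError("ciphertext must be >= 8 bytes and a multiple of 4")
    return _to_bytes(_btea_decrypt(_to_words(blob, False), _fixed_key(key)), True)


def is_wrapped(blob, signature):
    # The loader only decrypts when the file starts with the signature bytes.
    return blob.startswith(signature)


def encrypt_file(data, key, signature):
    return signature + xxtea_encrypt(data, key)


def decrypt_file(blob, key, signature):
    if not is_wrapped(blob, signature):
        raise ValueError("signature not found; not an XXTEA-wrapped asset")
    return xxtea_decrypt(blob[len(signature):], key)


if __name__ == "__main__":
    blob = encrypt_file(b"print('hello')", b"KEY", b"SIG")  # constructed sample
    print(blob.hex())
    print(decrypt_file(blob, b"KEY", b"SIG"))
```

The key and signature strings play the same roles as the `--key` and `--signature` arguments above; a decrypt that fails the trailing length check is the quickest sign that the extracted key does not match the asset.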

SpiderMonkey Dumper

A reverse engineering tool for analyzing JavaScript bytecode files (.jsc) compiled with the SpiderMonkey engine. Features bytecode disassembly and optional LLM-powered JavaScript reconstruction.

In Cocos apps the encryption key sits in the rodata section of the library, so the original source code can be recovered. Ironically, a Cocos app that omits encryption was harder to reverse, because the JavaScript ships as bytecode and no disassembler existed.

github.com/zboralski/spidermonkey-dumper

Works with SpiderMonkey 33.1.1 and Cocos2d-JS v3.17.

Here is an example where you can see an uncloaking check in the disassembly:

00031  getprop      "country"
00036  string       "VN"
0003B  ne
0003C  ifeq         loc_00056 (+26)                         ; if (!=)

And here is the LLM decompilation:

// SplashScene.checkGame/<
SplashScene.prototype.checkGame$ = function () {
    if (this.country !== "VN") return cc.game.loadGame();
    var success = true;
    this.checkUpdate(success);
    return !success;
};
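The comparison above is a region gate: a property read, a string constant, a comparison and a conditional branch, in that order. As an added example (not part of the spidermonkey-dumper project), the Python below parses a listing in the format of the four lines shown above and reports every such gate, flagging the ones keyed on location-style properties. The listing format (hex offset, opcode, optional operand, optional `;` comment) is assumed from those four lines; the first four sample lines are the ones from the dump above and the remaining ones are constructed.

```python
"""Find string-comparison gates in a SpiderMonkey bytecode listing.
Added example; the listing format is assumed from the dump shown above."""
import re
from dataclasses import dataclass

# offset, opcode, optional operand, optional ';' comment (assumed format)
LINE_RE = re.compile(r'^\s*([0-9A-Fa-f]+)\s+(\S+)(?:\s+(.*?))?\s*(?:;.*)?$')

COMPARE_OPS = {"eq", "ne", "stricteq", "strictne"}
BRANCH_OPS = {"ifeq", "ifne"}
# Constructed watch-list of properties commonly used to gate behaviour by region.
GATE_PROPS = {"country", "region", "locale", "language", "timezone"}

# Constructed sample: first four lines are the ones from the dump above.
SAMPLE = """\
00031  getprop      "country"
00036  string       "VN"
0003B  ne
0003C  ifeq         loc_00056 (+26)                         ; if (!=)
00041  getprop      "name"
00046  string       "guest"
0004B  stricteq
0004C  ifne         loc_00060 (+20)
"""


@dataclass
class Insn:
    offset: int
    op: str
    operand: str  # raw operand text, empty when the opcode takes none


def parse_listing(text):
    """Turn listing lines into Insn records; unrecognised lines are skipped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        insns.append(Insn(int(m.group(1), 16), m.group(2), (m.group(3) or "").strip()))
    return insns


def find_string_gates(insns):
    """Report each getprop / string / compare / branch sequence as a dict."""
    hits = []
    for i in range(len(insns) - 3):
        a, b, c, d = insns[i:i + 4]
        if (a.op == "getprop" and b.op == "string"
                and c.op in COMPARE_OPS and d.op in BRANCH_OPS):
            hits.append({
                "offset": a.offset,
                "prop": a.operand.strip('"'),
                "value": b.operand.strip('"'),
                "compare": c.op,
                "branch": d.operand.split()[0] if d.operand else "",
            })
    return hits


def region_gates(text):
    """Only the gates keyed on a location-style property."""
    return [h for h in find_string_gates(parse_listing(text)) if h["prop"] in GATE_PROPS]


def describe(hit):
    return "%05X: branch to %s when .%s %s \"%s\"" % (
        hit["offset"], hit["branch"], hit["prop"], hit["compare"], hit["value"])


if __name__ == "__main__":
    for hit in region_gates(SAMPLE):
        print(describe(hit))
```

Running the block on the sample prints the `country` gate only; the `name` comparison is a normal string check and is parsed but not flagged, which is the distinction an analyst wants when triaging a large dump.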

Tinder Social Engineering Attack

A proof-of-concept demonstration of a man-in-the-middle social engineering attack using fake Tinder profiles to intercept and manipulate conversations between strangers.

This article is part of the research and development effort conducted by HERT (Hacker Emergency Response Team). It is not a production tool for either attack or defence within an information warfare setting. Rather, it is a project demonstrating proof of concept.

Using our own Tinder profile, we are going to look for males within 2km. If you live in a big town and extend the range, the attack becomes too slow.

The initial target has to be a male, the attack is less likely to succeed if we pick a female. Men propose, women dispose…

We swipe left until we find our target. We will call him Bob.

We have to make sure Bob is attractive or the attack will probably not work. If in doubt we can ask a female friend.

We take a screenshot of Bob’s profile pictures and write down his biography.

Now we’ll create a fake Facebook profile for Bob. We’ll use the same first name and the same age.

Then we register our fake Bob on Tinder.

Let’s swipe right and super like every girl within 2km. In a big town like London, this step can take ages. Luckily, we can use a Chrome Extension called Flamite by @mrP1ng which will auto-like everyone.

Pick an attractive match or a super like response. We’ll call our second target Alice.

We create another fake Facebook profile and register her on Tinder.

We’ll limit the search to 2km and swipe right until we find the original Bob.

We super like Bob and wait patiently for a reply.

“[…] conversations initiated by a Super Like last 70% longer.”

Bob “Hello :)”

Success! Our fish has taken the bait.

This is called a man in the middle attack.

“In cryptography and computer security, a man-in-the-middle attack (often abbreviated MitM, MiM attack, MitMA or the same using all capital letters) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.”

Bob “How are you?” => Fake Alice => Fake Bob => Alice

Alice “I’m fine. You?” => Fake Bob => Fake Alice => Bob

Bob “Always good :) Where are you?” => Fake Alice => Fake Bob => Alice

Alice “Shoreditch, you?” => Fake Bob => Fake Alice => Bob

Bob “I live next to Piccadilly Circus Any plans for tonight?” => Fake Alice => Fake Bob => Alice

Not only can we eavesdrop on the conversation of two strangers, we can also change their reality.

Let’s decide where they will meet!

We can add some spice.

At some point people exchange phone numbers and the Tinder conversation stops. That’s not a problem.

We’ll need two SIM cards and two extra phones.

Register both phones for Messages, FaceTime and WhatsApp… (we must not forget to add a profile picture for WhatsApp.)

When Alice or Bob exchange phone numbers… just substitute the numbers for the phone numbers you control.

That’s it, now we can relay SMS, iMessage, WhatsApp and even voice calls.

Relaying voice conversation is a bit tricky. The easiest solution is to reject the calls and only relay the voice mail messages. We can also answer the call and tell the person “can you just wait two seconds please?” Mute the call, call the other party and conference them with the speaker phones.

The simplest solution is to forward all incoming calls, but then we won’t be able to eavesdrop anymore. If you are technical, you can use two GSM cards and configure Asterisk, a free and open source communication server, to route and record the calls.

We can imagine all kinds of crazy scenarios… If we know Bob in real life and he’s cheating on his girlfriend, we can send her the logs or invite her to the same date. We could also play jokes on our friends and make them believe they have a really hot date.

Disclaimer: This article is for educational purposes only. This type of attack is illegal in many jurisdictions and violates privacy and identity theft laws. Do not attempt this attack in real life.

The Internet is a digital shanty town

The land belongs to Google, Facebook, Amazon… They own the data centres.

You can build all you want, but you never know who owns what and for how long… and your corner looks like this:

Imagine your Facebook profile or your Twitter account as a hut, a dwelling or one of these blue tents.

The walls don’t belong to you and they can change appearance at any time. The lock on your door? Sometimes it works. Sometimes it doesn’t. Sometimes you come home to find some stranger in your bed reading your private messages…. That’s the internet for you.

The only thing that belongs to you is your data, but to be on that land you have to give up your commercial rights to it. When there is an ad next to your profile page… you get nothing! If you find yourself on top of a search results page, surrounded by ads… you get zero! And worse, if you don’t pay Google a rent, your competitor jumps on top of you with an ad…

You’re either a squatter or a renter. You are nothing more than a slum dweller of the digital world.

Sure, you’d like to leave. And good luck to you. This is where your friends and family live too. Even if you don’t like Facebook, closing your account excommunicates you from their memories, out of sight, out of mind. So you stay, and suffer.

The solution? Land titling.

Land titling is a form of land reform in which private individuals and families are given formal property rights for land which they have previously occupied informally or used on the basis of customary land tenure. Proponents argue that providing formal titles increases security of land tenure, supports development of markets in land, and allows better access to credit (using land titles as collateral).

My friend Syahfirie Manaf introduced me to the concept. The World Bank, his employer, brought land titling to Indonesia forty years ago.

The same idea worked in Ecuador, Vietnam, Bahia, Kabul, Mauritania, India… What were once economic slums grew to become billion euro economies.

As soon as you get land titles, you are not in a slum anymore! You are now free to sell your land, pass it to your children, or improve your home and local infrastructures.

That’s what Belua is trying to do with the Internet. Instead of land titles, you’ll own shares of the relevance, fame and other realities you helped create.

I am a bank robber

[pause]

I don’t use guns, just computers, and that’s really how I earned a living, legally, for 18 years. Banks, telcos and governments would pay me to try to steal money from them.

Everyone tells me this is the coolest job and then asks how I got into hacking and security.

Here is the story…

I’m eight years old. I am watching Matthew Broderick play a computer hacker in the movie WarGames.

I don’t really know what a computer is then… All I know is that I really want one!

A year later, I am in front of a Thomson MO5, teaching myself how to program for the first time.

After that, everything goes super fast: the Minitel, the Amiga, X.25, modems, blue boxing, BBSs and finally the Internet, Linux, and everything that followed.

The police are still using typewriters, punching keys with two fingers, and my parents, well, they think I am playing video games.

I am looking for trouble, even my nickname is Frantic.

Fast forward a few years, I am standing in front of Judge Francis Bruty and he’s calling me “a computer genius with a lamentable morality.” I should probably shut up at this point but I have a big mouth so I reply in French: “N’y a-t-il pas de difference entre moralité, légalité et honnêteté”. Isn’t there any difference between morality, legality and honesty?…

Epilogue

I got away with a slap on the wrist. Some jurisprudence was named after me… and the FBI.

I remember getting a one year ban from touching a computer. That didn’t discourage me. Right in front of the tribunal, I told a TV reporter that the judge’s order was anti-constitutional and thus null and void… We went straight to an Internet café to resume the interview in front of a PC…

The media gave me a reputation and everyone started offering me projects.

“You’re the kid who £$%&ed the Americans? … I got a job for you!” My first clients were Canal Plus, Total, Alcatel, Aerospatiale… In France, projects are called “missions”…

People kept calling me a genius… and looking back, this undeserved title was really my luck as it forced me to study and work so much more just to get to the level of expectation of everyone around me.

Understanding and breaking into systems became second nature. Like Cook Ting, I seem to always find the perfect place to insert the blade and make whole systems fall apart.

Working for dozens of Fortune 500 companies, I got a unique chance to see how all the “big data” we talk about is structured, how beautiful and fragile it is… and I am kidding… There is no beauty, everything is so ugly you want to puke

And to illustrate how I feel about computer security let me tell you another little story from my childhood.

I am five. My mother is working for an air transport company whose main business is to move cargo in and out of Algeria, eggs in, wood out. We live at the Hotel Mazafran in Zeralda near Alger.

Comes new year, my mother asks permission to cook a big turkey for the crew in the restaurant. No problem they say… I am holding my mother’s hand, we are visiting the kitchen… everything is black — the walls, the counter top, literally everything is black. Something is wrong but you can’t really pinpoint what it is… It can’t be just the colour of the walls that makes you feel so dizzy. And then the cook turns around and starts making space for a plate — and now we see it!! Everything is moving, and the black on the walls, the black stuff on the counter tops! Cockroaches — all of it!! The horror — we ate the food from this place nearly every day for over a year…

What does this tale have to do with security? Well, behind all the shiny websites we all use everyday, you’ll find the exact same kitchen… bugs everywhere and cockroaches feeding off the scraps of data you leave behind.