Author Archives: joxean

About joxean

Basque security researcher and reverse engineer.

A simple activity monitor with /dev/random

Today I was performing some tests in the random number generators of some browsers and found, by chance, this mail sent to Bugtraq by Michal Zalewsky called “Unix entropy source can be used for keystroke timing attacks”. While the idea of Michal is very good, I failed to find a reliable way of doing it in my house computer after some time (well, honestly, after just 1 hour…). However, a more simpler idea come to my mind: if /dev/random blocks when the entropy pool is empty and most of the events are generated when mouse or keyboard events happens, at least, I can write quite easily an activity monitor based on /dev/random.

Continue reading

Patching old linux binaries to work with recent libc versions

From time to time I need to use some old binary created for older Linux versions like Redhat 6.2, for example. The problem with those binaries is that they were compiled with a very old version of the glibc and they cannot be run ‘like this’ in newer systems. Sometimes, just making a symbolic link from the new library to the old name can be enough but not always. In this brief post I will talk about how to workaround the typical relocation errors and undefined symbols problems with old binaries.

Continue reading

A simple PIN tool unpacker for the Linux version of Skype

Some time ago I wanted to take a look to Skype to see how it works and get the classes diagram of this program but, surprise: It’s packed. The Windows version is protected with a crypter of their own, (UPDATE: this statement was wrong: the last time I checked it, was protected with Themida. It was Spotify the application protected with Themida). However, as I expected, the Linux version was simply packed (not protected) and with something easy to unpack. To unpack Skype and be able to analyse it in IDA and, also, to learn a bit how Intel PIN works, I have written a PIN tool to “automatically” unpack Skype.

Continue reading

Finding malware & spam in Twitter

Some months ago I had the feeling that, probably, some social networks like Facebook or Twitter would be a good source to find both malware & spam and, as so, I decided to write a quick honeypot to try to catch as much malware & spam as possible as soon as they become available on the internet. You can find the daily updated files of URLs gathered by this tool here, under the section “Malicious URLs”.
Continue reading

Simple Bug Finding Tools: Fugue (I)

It’s been a while since I started writing, as a personal ‘research’ project, a tool to automatically find bugs (that could lead to vulnerabilities) performing static code analysis and, even when it will take a very long while until I have something decent to release to the general public, I have some -I hope interesting- thoughts about the tool I’m writing: Fugue.

This tool uses CLang as the parser (as I do not have a rich uncle to get a license for EDG) and everything else is being written in Python: the translator to convert the CLang AST to my internal representation, the translator to convert other tools generated ASTs to that internal representation, the builder of the CFG, the SSA code generator, etc… Its in the very early stages at the moment but, more or less, it works for writing very simple scanners, as in the following example.

Continue reading