Running a malware lab in VirtualBox is a bit of a pain if you’re new to virtual networks. It’s taken me hours to get this thing working right. I had my webserver working internally on my network (Apache2 on a Debian VM hosted by Win8) but couldn’t get Inetsim to work.

Anyway, here’s my settings now, with no special router configuration since it’s all internal:

• I created a new Group in VirtualBox consisting of my WinXP and Debian VMs.
• Each one has network adapter 1 as Bridged over my ethernet/internet NIC and adapter 2 as “NAT Network”. Note that this isn’t just the “NAT” option; it’s the NAT Services thing that’s new to VirtualBox and currently “experimental” according to the documentation
• I edited the Inetsim conf file (/etc/inetsim/inetsim.conf) for the IP binding and set it to the 192.168.200.* address assigned by VirtualBox.

Voila!

No other configuration would work for some reason even though I could get Apache to serve throughout the network in a few configurations.

I’ve decided to start doing some code kata.

I can understand C++ code by reading through it, referencing Google and/or running it to double-check what the variables come out to but I haven’t been actively coding enough to keep up with it.

100 doors in a row are all initially closed. You make 100 passes by the doors. The first time through, you visit every door and toggle the door (if the door is closed, you open it; if it is open, you close it). The second time you only visit every 2nd door (door #2, #4, #6, ...). The third time, every 3rd door (door #3, #6, #9, ...), etc, until you only visit the 100th door.
Question: What state are the doors in after the last pass? Which are open, which are closed?
[From Rosetta Code]

Here’s my solution. It’s pretty straightforward but, to be honest, it took me way too damn long. I had forgotten how to do a few things and I also thought that the inner for loop with its statement was all considered one statement, meaning I didn’t need brackets for the outer one with i<PASSES. Took me a bit to fix that. I also really need to work on my mathematics a bit… I know there’s a mathematical way to calculate which doors end up which way because of some property but I don’t know anything about that. Ho-hum.

Luckily, I found an online C++ interpreter to run quick lines through when I want to test things out. I messed up with ++ operator because I forgot it actually saves the incremented value to the variable and is not the same as “x + 1” in an expression; it’s “x+=1”.

#define DOORCOUNT 100
#define PASSES 100

int main() {
	bool doors_open[DOORCOUNT];

	//close doors
	for(int i=0; i < DOORCOUNT; ++i)
		doors_open[i] = false;

	for(int i=0; i < PASSES; i++)
	{
		for(int x=i; x < DOORCOUNT; x+=i+1)
		doors_open[x] = !doors_open[x];
	}
}

I’m working on some reverse engineering for work. Specifically, I need to head into the malware analysis arena to be useful but, for now, I’m working on the basics.

I’ve had a few books on my Amazon Wish List forever and never pulled the trigger because I didn’t have time to actually sit down with them and I’d rather wait around for newer prints and updates when I do need them. I went ahead and picked up two today: Malware Analyst’s Cookbook and Practical Malware Analyst. They cover some of the reversing stuff but are obviously centered around malware analysis and forensics. I haven’t seen too many great books on reversing that I’m comfortable buying yet due to the prerequisite knowledge… but there’s some great tutorials online.

I’ve got some experience with IDA Pro, OllyDbg and several programming languages, including x86 ASM so I decided to start with www.crackmes.de. I’d worked on a few of these months ago just for kicks but I’m actually trying to learn more about it now. I was able to knock out this one relatively easily.

While I usually get irritated with trial and error and the long process of making mistakes and taking forever to realize I’ve made a mistake, I understand the value in it. This one, I was looking at in OllyDbg and could not for the life of me figure out what the hell was going on. I started Googling some of the modules it was pulling up assuming it was hooked into some OS code or (and fuck me sideways if it’s true) was actually malware and I was discovering it trying to break things. Anywho, I eventually realized that it’s a .NET assembly… I should probably have read the instructions first. I checked out some of the comments on the page to get a clue and decided to try a decompiler like one of the commenters mentioned. Eventually, I did learn that you can easily tell whether an assembly is .NET by running it and using Process Explorer to search for references to mscorlib.dll to see if it’s hooked in.

I tried out ILSpy first. It was pretty good but doesn’t offer the ability to alter code. I could have just rewritten the relevant code in a custom app but I hadn’t yet installed VS Studio since my last reformat. I pulled up Telerik’s JustDecompile app (free trial) and loaded the Reflexil plugin (auto-download and install can be found in the Plugins dropdown menu). It took me a while of screwing around to figure out how to do things but I was able to insert a “call” instruction right after a string was loaded on the the stack… I’d worked out that this particular string was the finalized dynamic password. The password is recalculated every time you attempt to “log in” based on some system settings and the time.

Anywho, I could see that just by viewing it in the decompiler. The real cheese for newbies like me is actually cracking the app so that you’re always right or it just doesn’t bother you for the password. I simply changed the assembly instruction for the wrong answer to do the same thing as instruction for the right answer and voila! I was all set.