#100DaysOfCode Challenge — Part1


Rules

What do I plan to work on?

What if I fail?

The journal

Here we go!

Day #1: Diving into Big O

Name           Big O
Constant       O(1)
Linear         O(n)
Quadratic      O(n²)
Cubic          O(n³)
Exponential    O(2^n)
Logarithmic    O(log n)
Log-linear     O(n log n)

O(1)

    def PrintFirstElementOfArray(items):
        # One operation no matter how long the list is
        print(items[0])

O(n)

    def printElementsOfArray(items):
        # One pass over the input: work grows linearly with len(items)
        for i in items:
            print(i)

O(n²)

    def printAll(items):
        # Nested loops over the same input: len(items)² iterations of the body
        for i in items:
            for j in items:
                print(i)
                print(j)

O(2^n)

    def fibonacci(num):
        # Every call makes two more calls, so the call tree doubles at each level
        if num <= 1:
            return num
        return fibonacci(num - 2) + fibonacci(num - 1)
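As an added example (not from the original post), the script below counts how many calls the naive fibonacci above actually makes and sets that against a memoised version of the same recursion, which computes each value once and is therefore O(n); the helper names are this example's own.

```python
"""Added example: counting calls to show O(2^n) versus O(n) on the same recursion."""
import functools


def fibonacci_naive_calls(num):
    """Return (fib(num), number of calls) for the exponential version shown above."""
    calls = 0

    def fib(n):
        nonlocal calls
        calls += 1
        if n <= 1:
            return n
        return fib(n - 2) + fib(n - 1)

    return fib(num), calls


def fibonacci_memo_calls(num):
    """Same recursion with a cache: every fib(k) for k <= num is computed exactly once."""
    computed = 0

    @functools.lru_cache(maxsize=None)
    def fib(n):
        nonlocal computed
        computed += 1
        if n <= 1:
            return n
        return fib(n - 2) + fib(n - 1)

    return fib(num), computed


def growth_table(max_n=20):
    """Rows of (n, naive calls, memoised calls); the naive column roughly doubles per step."""
    return [(n, fibonacci_naive_calls(n)[1], fibonacci_memo_calls(n)[1])
            for n in range(max_n + 1)]


if __name__ == "__main__":
    for n, naive, memo in growth_table():
        print("n=%2d  naive calls=%6d  memoised calls=%3d" % (n, naive, memo))
```

The naive count follows C(n) = C(n-1) + C(n-2) + 1, which is 2·fib(n+1) − 1, while the memoised count is n + 1: that gap is the difference between the last two rows of the table above.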

Day #2: Building an Arduino Timer

Source: Hackster.io
Arduino Timer

Day #3: Unprotect Project — Detecting Registry Keys

Registry keys detection

Day #4: Unprotect Project — Detecting Drive Size

BOOL GetDiskFreeSpaceExW( 
LPCWSTR lpDirectoryName,
PULARGE_INTEGER lpFreeBytesAvailableToCaller,
PULARGE_INTEGER lpTotalNumberOfBytes,
PULARGE_INTEGER lpTotalNumberOfFreeBytes );
Retrieve drive size
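The prototype above is the API the Unprotect entry is about. What follows is an added example, not the Unprotect Project's own code: it calls GetDiskFreeSpaceExW through ctypes and, covering Day #3 as well, probes a short list of registry keys that only exist inside VirtualBox or VMware guests. The 60 GiB threshold, the key list and the injectable key_exists callback (so the logic can be exercised off-Windows) are assumptions made for this example.

```python
"""Added example: two sandbox/VM checks from Python (registry artefacts, disk size)."""
import ctypes
import sys

GIB = 1024 ** 3

# HKLM keys that exist only in VirtualBox / VMware guests (assumed, non-exhaustive list)
VM_REGISTRY_KEYS = [
    r"HARDWARE\ACPI\DSDT\VBOX__",
    r"SYSTEM\ControlSet001\Services\VBoxGuest",
    r"SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"SOFTWARE\VMware, Inc.\VMware Tools",
    r"SYSTEM\ControlSet001\Services\vmhgfs",
]


def _winreg_key_exists(path):
    """Try to open HKLM\\path; KEY_WOW64_64KEY avoids WoW64 redirection of SOFTWARE."""
    import winreg  # Windows-only module, imported lazily
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0,
                            winreg.KEY_READ | winreg.KEY_WOW64_64KEY):
            return True
    except OSError:  # FileNotFoundError or PermissionError: treat both as absent
        return False


def vm_registry_artifacts(key_exists=None):
    """Return the VM-only keys that are present. key_exists is injectable for tests."""
    if key_exists is None:
        key_exists = _winreg_key_exists if sys.platform == "win32" else (lambda path: False)
    return [key for key in VM_REGISTRY_KEYS if key_exists(key)]


def total_disk_bytes(root="C:\\"):
    """GetDiskFreeSpaceExW(root, &free_to_caller, &total, &total_free); None off Windows."""
    if sys.platform != "win32":
        return None
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    free_to_caller = ctypes.c_ulonglong(0)   # the three PULARGE_INTEGER out-parameters
    total = ctypes.c_ulonglong(0)
    total_free = ctypes.c_ulonglong(0)
    ok = kernel32.GetDiskFreeSpaceExW(ctypes.c_wchar_p(root), ctypes.byref(free_to_caller),
                                      ctypes.byref(total), ctypes.byref(total_free))
    if not ok:  # the API returns FALSE on failure; it never raises on its own
        raise ctypes.WinError(ctypes.get_last_error())
    return total.value


def disk_looks_like_sandbox(total_bytes, min_gib=60):
    """Analysis VMs are often provisioned with small disks; 60 GiB is an assumed threshold."""
    if total_bytes is None:
        return False
    return total_bytes < min_gib * GIB


if __name__ == "__main__":
    keys = vm_registry_artifacts()
    size = total_disk_bytes()
    print("[+] VM registry artefacts: %s" % (keys or "none"))
    print("[+] C: total size: %s" % ("n/a" if size is None else "%.1f GiB" % (size / GIB)))
    if keys or disk_looks_like_sandbox(size):
        print("[!] Sandbox/VM indicators found")
```

Both checks are cheap to defeat from the sandbox side (rename the keys, provision a bigger virtual disk), which is why samples usually stack several of them rather than trusting one.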

Day #5: Coding a Plugin Feed for the YETI platform

Test Feed of New Plugin in YETI
New Plugin in Dataflows Page
Yeti Feeds

Day #6: Reviewing some Programming Concepts

# Python dictionary
my_dict = {'country': 'Scotland', 'region': 'Highland', 'Distillery': "Glenmorangie", 'Whisky_age': 25}

# Accessing the dictionary with its key
print(my_dict['Distillery'])
print(my_dict['Whisky_age'])

# Output:
>>> print(my_dict['Distillery'])
Glenmorangie
>>> print(my_dict['Whisky_age'])
25

# Python list
my_array = ["glenmorangie", "balvenie", "macallan", "balblair"]

Method     Description
append()   Adds an element at the end of the list
clear()    Removes all the elements from the list
copy()     Returns a copy of the list
count()    Returns the number of elements with the specified value
extend()   Adds the elements of a list (or any iterable) to the end of the current list
index()    Returns the index of the first element with the specified value
insert()   Adds an element at the specified position
pop()      Removes the element at the specified position
remove()   Removes the first item with the specified value
reverse()  Reverses the order of the list
sort()     Sorts the list

Day #7: Python Ctypes Library

BOOL CreateProcessA( 
LPCSTR lpApplicationName,
LPSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCSTR lpCurrentDirectory,
LPSTARTUPINFOA lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation);
from ctypes import *
from ctypes.wintypes import *

# STARTUPINFOA and PROCESS_INFORMATION are not in ctypes.wintypes, so declare them
class STARTUPINFO(Structure):
    _fields_ = [("cb", DWORD), ("lpReserved", LPSTR), ("lpDesktop", LPSTR), ("lpTitle", LPSTR),
                ("dwX", DWORD), ("dwY", DWORD), ("dwXSize", DWORD), ("dwYSize", DWORD),
                ("dwXCountChars", DWORD), ("dwYCountChars", DWORD), ("dwFillAttribute", DWORD),
                ("dwFlags", DWORD), ("wShowWindow", WORD), ("cbReserved2", WORD),
                ("lpReserved2", LPBYTE), ("hStdInput", HANDLE), ("hStdOutput", HANDLE),
                ("hStdError", HANDLE)]

class PROCESS_INFORMATION(Structure):
    _fields_ = [("hProcess", HANDLE), ("hThread", HANDLE),
                ("dwProcessId", DWORD), ("dwThreadId", DWORD)]

# Import the kernel32 lib (use_last_error keeps GetLastError() meaningful from Python)
kernel32 = WinDLL("kernel32", use_last_error=True)

# creation flags
CREATE_NEW_CONSOLE = 0x00000010
CREATE_SUSPENDED = 0x00000004
creation_flags = CREATE_NEW_CONSOLE | CREATE_SUSPENDED

# lpCommandLine is an LPSTR that the API may modify, so pass a writable buffer
exe = create_string_buffer(b"C:\\Windows\\System32\\calc.exe")

startupinfo = STARTUPINFO()
processinfo = PROCESS_INFORMATION()
startupinfo.cb = sizeof(startupinfo)

# CreateProcessA reports failure through its return value, not an exception
ok = kernel32.CreateProcessA(None, exe, None, None, False, creation_flags, None, None,
                             byref(startupinfo), byref(processinfo))
if not ok:
    raise WinError(get_last_error())
print("Process started as PID: {} (primary thread suspended)".format(processinfo.dwProcessId))
# The thread stays suspended until ResumeThread(processinfo.hThread) is called
kernel32.CloseHandle(processinfo.hProcess)
kernel32.CloseHandle(processinfo.hThread)
Running calc.exe in suspended mode with python ctypes

Day #8: Binary Disassembling with Capstone Engine

python capdis.py 771f5b0dfe59d6fafc705ca3712af5db7e479695f16ffee9626e1b7687912fdd
[+] Sample is 64 bit
[+] Number of imported functions: 216
[+] List of imported function:
b'setstdhandle'
b'exitthread'
b'getcommandlinew'
b'exitprocess'
b'getmodulehandleexw'
[Truncated]
b'wsaioctl'
b'closesocket'
b'wsasend'
b'shutdown'
b'wsasocketw'
b'socket'
b'wsarecv'
b'getsockopt'
b'ioctlsocket'
b'setsockopt'
b'freeaddrinfow'
b'getaddrinfow'
b'htonl'
b'htons'
[+] Binary disassembled:
0x1000: dec eax
0x1001: sub esp, 0x28
0x1004: call 0x1834
0x1009: dec eax
0x100a: add esp, 0x28
0x100d: jmp 0xe84
0x1012: int3
0x1013: int3
0x1014: inc eax
0x1015: push ebx
0x1016: dec eax
0x1017: sub esp, 0x20
0x101a: dec eax
0x101b: mov ebx, ecx
0x101d: xor ecx, ecx
0x101f: call dword ptr [0x87aef]
0x1025: dec eax
0x1026: mov ecx, ebx
0x1028: call dword ptr [0x87ade]
0x102e: call dword ptr [0x87650]
0x1034: dec eax
0x1035: mov ecx, eax
0x1037: mov edx, 0xc0000409
0x103c: dec eax
0x103d: add esp, 0x20
[Truncated]
0x1349: dec ebp
0x134a: xor ebx, ebx
0x134c: dec esp
0x134d: lea edx, [esp + 0x18]
0x1351: dec esp
0x1352: sub edx, eax
0x1354: dec ebp
0x1355: cmovb edx, ebx
0x1358: dec esp
0x135a: mov ebx, dword ptr [0x10]
0x1361: dec ebp
0x1362: cmp edx, ebx
0x1364: bnd jae 0x137e
0x1367: inc cx
0x1369: and edx, 0x8d4df000
0x136f: wait
0x1370: add al, dh

Day #9: Unprotect Project — Detecting Files

Detect file on the system

Day #10: Unprotect Project — Detecting Screen Resolution

Sorry for the low resolution :D

Day #11: PE Summary Extraction

python3 pe_info.py calc.exe 
File type: b'PE32 executable (GUI) Intel 80386, for MS Windows'
File name: calc.exe
File size: 114688 Bytes
Compile time: 2001-08-17 22:52:32
Entry point: 0xcc00ffee
Image base: 0x01000000
Hash MD5: 456acd3b82700c3cf60b8e4e477e128f
Hash SHA2: 3f272a69536934a38ab379f1ab40ac3016a54d334758f9e6548dad9a9c20f404
Import hash: 08f6a1b121da8cedde2d1089d0906ed8
Ssdeep: 1536:QEl14rQcWAkN7GAlqbkfAGQGV8aMbrNyrf1w+noPvLV6eBsCXKc:QYmZWXyaiedMbrN6pnoXL1BsC
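The Day #8 and Day #11 listings come out of the same header walk, and the Day #8 output carries a caveat worth knowing: the repeated dec eax before sub esp, 0x28 (and inc eax before push ebx) is what the 0x48/0x40 REX prefixes of x86-64 code decode to in Capstone's 32-bit mode, so although the script reported a 64-bit sample it disassembled it as 32-bit; the right mode there is CS_MODE_64, and the addresses should start at image base + 0x1000 rather than 0x1000. The script below is an added example, not the author's capdis.py or pe_info.py: it parses the PE headers with the standard library, reports the Day #11 fields that need no extra parsing (file type, size, compile time, entry point, image base, MD5 and SHA-256; import hash and ssdeep are left out), picks the Capstone mode from the COFF Machine field, and disassembles from the entry point when capstone is installed. The embedded sample PE is constructed for this example.

```python
"""Added example: PE header summary plus architecture-aware Capstone disassembly."""
import hashlib
import struct
from datetime import datetime, timezone

try:
    from capstone import Cs, CS_ARCH_X86, CS_MODE_32, CS_MODE_64
except ImportError:        # capstone is optional; the header parsing is stdlib only
    Cs = None

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "Intel 80386", IMAGE_FILE_MACHINE_AMD64: "x86-64"}


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    entry, = struct.unpack_from("<I", data, opt + 16)           # AddressOfEntryPoint (an RVA)
    if magic == 0x10B:                                           # PE32: 32-bit ImageBase at +28
        bits, (image_base,) = 32, struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                         # PE32+: 64-bit ImageBase at +24
        bits, (image_base,) = 64, struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):                                   # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize})
    return {
        "bits": bits, "machine": machine, "size": len(data),
        "file_type": "PE32%s executable, %s" % ("+" if bits == 64 else "", MACHINE_NAMES.get(machine, hex(machine))),
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": entry, "image_base": image_base, "sections": sections,
        "md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest(),
    }


def rva_to_offset(info, rva):
    """Map an RVA to a file offset through the section that contains it."""
    for s in info["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s["rawptr"] + (rva - s["vaddr"])
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def disassemble_entry(data, max_insns=8):
    """Disassemble from the entry point in the mode the Machine field dictates; None without capstone."""
    if Cs is None:
        return None
    info = parse_pe(data)
    mode = CS_MODE_64 if info["machine"] == IMAGE_FILE_MACHINE_AMD64 else CS_MODE_32
    off = rva_to_offset(info, info["entry_point"])
    md = Cs(CS_ARCH_X86, mode)
    listing = []
    for insn in md.disasm(data[off:off + 64], info["image_base"] + info["entry_point"]):
        listing.append("0x%x: %s %s" % (insn.address, insn.mnemonic, insn.op_str))
        if len(listing) == max_insns:
            break
    return listing


def build_sample_pe():
    """Constructed minimal PE32+ whose .text holds: sub rsp, 0x28 / add rsp, 0x28 / ret."""
    code = bytes.fromhex("4883ec28" "4883c428" "c3")
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 0x5E0BE100, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                     # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)                # ImageBase
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code), 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(0x200, b"\0") + code


if __name__ == "__main__":
    sample = build_sample_pe()
    for key, value in parse_pe(sample).items():
        if key != "sections":
            print("%-13s %s" % (key + ":", hex(value) if key in ("entry_point", "image_base") else value))
    print(disassemble_entry(sample) or "[-] capstone not installed")
```

Run it on a real file by replacing build_sample_pe() with open(path, "rb").read(); on the Day #8 sample the first instruction then reads sub rsp, 0x28 instead of dec eax.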

Day #12: IDA Python Script

# IDAPython, IDA 7.x names (the pre-7.0 script used BeginEA/SegStart/SegEnd/GetFunctionName)
import idautils
import idc

# PE entry point, used here to pick the segment (normally .text) to enumerate
start_ea = idc.get_inf_attr(idc.INF_START_EA)

# Walk every function IDA recognised inside that segment
for func_ea in idautils.Functions(idc.get_segm_start(start_ea), idc.get_segm_end(start_ea)):
    # Print address and function name
    print("%08x %s" % (func_ea, idc.get_func_name(func_ea)))

Day #13: Learning Go

package main

import (
	"encoding/base64"
	"fmt"
	"os"
)

func main() {
	if len(os.Args) < 2 {
		fmt.Println("usage: go run go64.go <text>")
		os.Exit(1)
	}
	arg1 := os.Args[1]
	encoded := base64.StdEncoding.EncodeToString([]byte(arg1))
	fmt.Println(encoded)
	decoded, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(decoded))
}
$ go run go64.go "encode in base64"
ZW5jb2RlIGluIGJhc2U2NA==
encode in base64

Day #14: Caesar Cipher in Golang

$ go run caesar.go "this is my secret text"
[+] Clear text: this is my secret text
[+] Encoded: qefp fp jv pbzobq qbuq
[+] Decoded: this is my secret text

Day #15: Unprotect Project — Detect VM Mac address with GO

C:\Go\bin\go.exe run .\macdetect.go
VM detected!
1 00:0C:29
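The run above matched the VMware OUI 00:0C:29. As an added example, not the author's macdetect.go and in Python rather than Go, the script below does the same check: it normalises a MAC, looks its first three octets up in a small table of hypervisor OUIs (VMware, VirtualBox, Parallels, Hyper-V and Xen; the table is this example's assumption, not an exhaustive registry) and enumerates interfaces from /sys/class/net on Linux or uuid.getnode() elsewhere.

```python
"""Added example: flag MAC addresses whose OUI belongs to a hypervisor vendor."""
import glob
import re
import uuid

# OUI (first three octets) -> vendor; assumed short list, extend from the IEEE registry
VM_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:1C:42": "Parallels", "00:15:5D": "Hyper-V", "00:16:3E": "Xen",
}


def normalize_mac(mac):
    """Accept 'aa:bb:cc:dd:ee:ff', 'AA-BB-..', 'aabb.ccdd.eeff', 'aabbccddeeff' or an int."""
    if isinstance(mac, int):
        hexdigits = "%012X" % mac
    else:
        hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(hexdigits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % (mac,))
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def vm_vendor(mac):
    """Return the hypervisor vendor owning this MAC's OUI, or None."""
    return VM_OUIS.get(normalize_mac(mac)[:8])


def enumerate_macs():
    """Linux: every interface's address from sysfs; elsewhere: uuid.getnode() for one NIC."""
    macs = []
    for path in glob.glob("/sys/class/net/*/address"):
        with open(path) as fh:
            addr = fh.read().strip()
        if addr and addr != "00:00:00:00:00:00":    # loopback and some virtual ifaces have no MAC
            macs.append(normalize_mac(addr))
    if not macs:
        node = uuid.getnode()
        # getnode() falls back to a random number with the multicast bit set; skip that case
        if not (node >> 40) & 0x01:
            macs.append(normalize_mac(node))
    return macs


def detect_vm(macs):
    """Return [(mac, vendor)] for every address with a hypervisor OUI."""
    hits = []
    for mac in macs:
        vendor = vm_vendor(mac)
        if vendor:
            hits.append((normalize_mac(mac), vendor))
    return hits


if __name__ == "__main__":
    hits = detect_vm(enumerate_macs())
    if hits:
        print("VM detected!")
        for i, (mac, vendor) in enumerate(hits, 1):
            print(i, mac[:8], vendor)
    else:
        print("No hypervisor OUI found")
```

The check only sees the virtual NIC's default address; a sandbox that assigns a non-vendor MAC to the guest defeats it, which is why Unprotect lists it alongside the registry, file and hardware checks.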

Day #16: Learning Go — Variables and Types

bool

string

int  int8  int16  int32  int64
uint uint8 uint16 uint32 uint64 uintptr

byte // alias for uint8

rune // alias for int32, represents a Unicode code point

float32 float64

complex64 complex128

// Declare a string
var toto string
// Assign a string
toto = "This is my var"
// Append to the string var
toto += "!!!"
// Declare and initialise another string in one statement
var tata string = "This is my second var"
// Short declaration: the type is inferred from the value
reminder := "Practice is important!"

Day #17: Qiling Framework for binary emulation

from qiling import Qiling
from qiling.const import QL_INTERCEPT

# on-exit hook: runs after GetProcAddress() returns and prints the resolved import.
# Qiling 1.x passes (ql, address, params[, retval]); *rest absorbs the version difference
def GetProcAddress(ql, address, params, *rest):
    print(params)

# address hook: stop the emulation when this instruction is reached
def stop(ql):
    ql.emu_stop()

# setup Qiling engine: argv as a list, plus the rootfs that holds the Windows DLLs
ql = Qiling(["file.exe"], "place/of/Windows/dll/")  # add output="debug" for verbose logs
# disable strace logs
ql.filter = []
# hooks must be registered before run(): hook GetProcAddress() on exit...
ql.set_api("GetProcAddress", GetProcAddress, QL_INTERCEPT.EXIT)
# ...and stop at the address where this sample calls IsProcessorFeaturePresent
ql.hook_address(stop, 0x0042B726)
# now emulate the EXE
ql.run()

{'hModule': 270073856, 'lpProcName': 'FlsAlloc'}
{'hModule': 270073856, 'lpProcName': 'FlsGetValue'}
{'hModule': 270073856, 'lpProcName': 'FlsSetValue'}
{'hModule': 270073856, 'lpProcName': 'FlsFree'}
{'hModule': 270073856, 'lpProcName': 'EncodePointer'}
{'hModule': 270073856, 'lpProcName': 'EncodePointer'}
{'hModule': 270073856, 'lpProcName': 'EncodePointer'}
{'hModule': 270073856, 'lpProcName': 'EncodePointer'}
{'hModule': 270073856, 'lpProcName': 'EncodePointer'}
{'hModule': 270073856, 'lpProcName': 'EncodePointer'}
{'hModule': 270073856, 'lpProcName': 'EncodePointer'}
{'hModule': 270073856, 'lpProcName': 'DecodePointer'}
{'hModule': 270073856, 'lpProcName': 'DecodePointer'}
{'hModule': 270073856, 'lpProcName': 'EncodePointer'}
{'hModule': 270073856, 'lpProcName': 'DecodePointer'}
{'hModule': 270073856, 'lpProcName': 'IsProcessorFeaturePresent'}

Day #18: Unprotect Project — IsDebuggerPresent

IsDebuggerPresent

Day #19: Using Frida for binary instrumentation

HANDLE CreateMutexA( 
LPSECURITY_ATTRIBUTES lpMutexAttributes,
BOOL bInitialOwner,
LPCSTR lpName
);
frida-trace.exe --file mutex.exe -i CreateMutexA -X kernel32.dll
Instrumenting…
CreateMutexA: Loaded handler at "C:\\Users\\Scripts\\__handlers__\\KERNELBASE.dll\\CreateMutexA.js"
Started tracing 1 function. Press Ctrl+C to stop.

--file (-f): the executable to spawn
-i: the function you want to intercept
-X: the DLL where the function is

The handler lands under KERNELBASE.dll although -X named kernel32.dll: on current Windows kernel32's CreateMutexA is a forwarder, and frida-trace resolves it to the module that implements it.
{
  onEnter: function (log, args, state) {
    log('CreateMutexA()');
    // lpName (args[2]) is an LPCSTR and may be NULL for an unnamed mutex
    log('lpName: ' + (args[2].isNull() ? 'NULL' : args[2].readAnsiString()));
  },
  onLeave: function (log, retval, state) {
    // retval is the HANDLE (NULL on failure); nothing logged here to keep the trace short
  }
}
frida-trace.exe --file mutex.exe -i CreateMutexA -X kernel32.dll
Instrumenting…
CreateMutexA: Loaded handler at

/* TID 0x1408 */
187 ms CreateMutexA()
187 ms lpName: COUCOU
Process terminated

Day #20 & Day #21: Mishmash Code & Update

Arduino Timer

Day #22: Frida Python Binding

C:\Users\> test_frid.py mutex.exe
[!] Process mutex.exe was not running!
[+] Running process mutex.exe!
[+] CreateMutex addr: 0x75f53589
[+] Entering to createMutex
[+] lpName: COUCOU
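The run above does with the Python binding what frida-trace did on Day #19. The script below is an added example, not the author's test_frid.py: it spawns the target suspended, loads a generated Interceptor script for one or more exports, resumes the process, and prints what the agent sends back (here CreateMutexA's lpName, as in the output above). The build_hook_script, parse_message and format_event helpers, the message layout and the JavaScript are assumptions of this example; the target is whatever is passed on the command line.

```python
"""Added example: Frida Python binding spawning a target and hooking exports by name."""
import json
import sys

try:
    import frida
except ImportError:          # binding absent: the helpers below still import and can be tested
    frida = None

# (module, export, index of an LPCSTR argument to dump, or None)
DEFAULT_HOOKS = [("kernel32.dll", "CreateMutexA", 2)]

HOOK_TEMPLATE = """
(function () {
  var target = Process.getModuleByName(%(module)s).getExportByName(%(export)s);
  send({event: 'resolved', api: %(export)s, address: target.toString()});
  Interceptor.attach(target, {
    onEnter: function (args) {
      var str = %(arg)s;
      // the string argument may be NULL (an unnamed mutex, for instance)
      send({event: 'enter', api: %(export)s,
            str: str === null ? null : (args[str].isNull() ? null : args[str].readAnsiString())});
    },
    onLeave: function (retval) {
      send({event: 'leave', api: %(export)s, retval: retval.toString()});
    }
  });
})();
"""


def build_hook_script(hooks=DEFAULT_HOOKS):
    """One Interceptor.attach block per (module, export, arg) tuple, JSON-escaped into the JS."""
    return "\n".join(HOOK_TEMPLATE % {"module": json.dumps(module), "export": json.dumps(export),
                                      "arg": json.dumps(arg)} for module, export, arg in hooks)


def parse_message(message):
    """Reduce a Frida message to (kind, payload): 'send' carries the agent's object, 'error' a text."""
    kind = message.get("type")
    if kind == "send":
        return "send", message["payload"]
    if kind == "error":
        return "error", message.get("description", "unknown script error")
    return "unknown", message


def format_event(payload):
    """One log line per agent event, in the style of the run shown above."""
    if payload["event"] == "resolved":
        return "[+] %s addr: %s" % (payload["api"], payload["address"])
    if payload["event"] == "enter":
        return "[+] Entering %s, lpName: %s" % (payload["api"], payload["str"])
    return "[+] %s returned %s" % (payload["api"], payload["retval"])


def on_message(message, data):
    kind, payload = parse_message(message)
    print(format_event(payload) if kind == "send" else "[!] %s: %s" % (kind, payload))


def trace(target, hooks=DEFAULT_HOOKS):
    """Spawn target suspended, load the hooks, then resume so early API calls are not missed."""
    if frida is None:
        raise SystemExit("the frida Python binding is not installed")
    device = frida.get_local_device()
    pid = device.spawn([target])
    session = device.attach(pid)
    script = session.create_script(build_hook_script(hooks))
    script.on("message", on_message)
    script.load()
    device.resume(pid)
    print("[+] Running process %s as PID %d, Ctrl+C to stop" % (target, pid))
    try:
        sys.stdin.read()
    except KeyboardInterrupt:
        pass
    session.detach()


if __name__ == "__main__":
    trace(sys.argv[1] if len(sys.argv) > 1 else "mutex.exe")
```

Spawning rather than attaching matters for a mutex check: samples usually create their mutex in the first few milliseconds, before an attach to a running process would be in place.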

Day #23: Unprotect Project — Checking Sample Name

Day #24: Mach-O loader in Golang

go run main.go
[+] ../file/macho.a.out opened
[+] Mach-O 64 bit
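The Go loader above reports the bitness from the magic. As an added example (not the author's main.go, and in Python rather than Go) the parser below reads a Mach-O header from bytes, handles both byte orders and fat (universal) binaries, and walks the load commands to list segments. The constants are the ones from mach-o/loader.h; the sample header is constructed inline.

```python
"""Added example: minimal Mach-O header and load-command parser (stdlib only)."""
import struct

MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE          # 32-bit, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE    # 64-bit, native / byte-swapped
FAT_MAGIC = 0xCAFEBABE                                # universal binary, always big-endian
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}
FILE_TYPES = {1: "object", 2: "execute", 6: "dylib", 8: "bundle"}


def parse_macho(data):
    """Return header fields and segment names; raises ValueError for non-Mach-O input."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):             # swapped magic: the file is big-endian
        endian, magic = ">", struct.unpack_from(">I", data, 0)[0]
    elif struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        return parse_fat(data)
    else:
        raise ValueError("not a Mach-O file (magic 0x%08x)" % magic)
    bits = 64 if magic == MH_MAGIC_64 else 32
    cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = struct.unpack_from(endian + "6I", data, 4)
    info = {"kind": "macho", "bits": bits, "big_endian": endian == ">",
            "cpu": CPU_NAMES.get(cputype, hex(cputype)), "filetype": FILE_TYPES.get(filetype, filetype),
            "ncmds": ncmds, "segments": []}
    offset = 32 if bits == 64 else 28                    # mach_header_64 has an extra reserved field
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(endian + "II", data, offset)
        if cmdsize < 8 or offset + cmdsize > len(data):  # malformed sizes are a classic parser trap
            raise ValueError("load command at 0x%x runs past the file" % offset)
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            segname, = struct.unpack_from("16s", data, offset + 8)
            info["segments"].append(segname.rstrip(b"\0").decode("ascii", "replace"))
        offset += cmdsize
    return info


def parse_fat(data):
    """Universal binary: list the architectures. Java .class files share the magic."""
    nfat, = struct.unpack_from(">I", data, 4)
    if nfat > 32:                                        # a .class has its version number here
        raise ValueError("CAFEBABE with %d entries: probably not a fat Mach-O" % nfat)
    archs = []
    for i in range(nfat):
        cputype, cpusubtype, offset, size, align = struct.unpack_from(">5I", data, 8 + 20 * i)
        archs.append({"cpu": CPU_NAMES.get(cputype, hex(cputype)), "offset": offset, "size": size})
    return {"kind": "fat", "archs": archs}


def build_sample_macho64():
    """Constructed x86_64 MH_EXECUTE header with a single LC_SEGMENT_64 for __TEXT."""
    seg = struct.pack("<II16sQQQQIIII", LC_SEGMENT_64, 72, b"__TEXT",
                      0x100000000, 0x1000, 0, 0x1000, 5, 5, 0, 0)
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 1, len(seg), 0x200085, 0)
    return header + seg


if __name__ == "__main__":
    info = parse_macho(build_sample_macho64())
    print("[+] Mach-O %d bit, %s, %s, %d load commands"
          % (info["bits"], info["cpu"], info["filetype"], info["ncmds"]))
    print("[+] Segments: %s" % ", ".join(info["segments"]))
```

The cmdsize check is the part a loader must not skip: ncmds and cmdsize come from the file, and trusting them blindly is how a malformed sample walks a parser off the end of its buffer.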

Day #25: Using Pandas to explore Malware Trends

Emotet, Trickbot, Lokibot activity combined
Emotet, Trickbot, Lokibot activity per day

Day #26: Golang on Codecademy

Day #27: Unprotect Project Landing Page

unprotect.it

Day #28: Unprotect Project — TLS Callback as Anti-Debug

Day #29: Unprotect Project — TimeBomb

Day #30: Unprotect Project — Wiping Mechanisms

Security Researcher
