How to Use Old GSM Protocols/encodings to Know if a User Is Online on the GSM Network AKA PingSMS 2.0

In the last few months I’ve been playing with Android’s low level GSM API, a few years ago the (in)famous sendRawPdu API was available, allowing a developer to manually encode a SMS message at a very low level before sending it to the GSM baseband itself and quite a few applications sending all kind of weird SMS ( flash sms, silent sms, etc ) were born ( for a brief overview of PDU encoding refer to this page ).

(Un)fortunately Google decided to remove that API, it’s still not sure if they did it for security related purposes or during some refactoring of their IPC IBinder mechanism, but nowadays it’s no more available unless you use some very old phones/firmwares ( on most devices they removed the ttyUSB serial interfaces to send AT commands to the GSM modem as well ).

Until a couple of months ago, when I found the SmsManager.sendDataMessage API which, apparently, it’s not used anywhere ( if you search for it you’ll find only a few examples, but nothing regarding how to use it with manually encoded PDUs ).
Using this API we’re able to manually encode our SMS, moreover we can specific a “port” as one of its arguments which will identify what kind of sms we’re gonna send, in this post I’ll talk about port 2948, namely the port used to send WAP PUSH notifications.

Read More

Introducing FIDO, a Minimalistic, IDE-Agnostic C/C++ Project Generator.

I don’t know you, but I always find myself performing the same kind of stuff over and over again dozens of times per month, such as:

  • Create project folder.
  • Create src and include folders.
  • Fill them with a basic main.c(pp)
  • Create the Makefile, fill tue rules.

What about remembering all the times how to set the SYSROOT variable when I’m using the Android NDK?
Or maybe create the CMakeLists.txt and try to remember each directive, which I don’t, so I find myself googling for the same kind of stuff over and over … and btw it’s funny since I happen to use CMake for years now.

So I decided that I had enough of this, when I want to test just a simple line of C/C++ code it takes me more time to create all the project folder tree than to write the code itself … and FIDO was born.

Read More

Using ARM Inline Assembly and Naked Functions to Fool Disassemblers

On this post I want to share a simple trick I learned a while ago, it’s nothing special but if you think about it, it’s quite nice :)

Sometimes we want to obfuscate/hide strings in our program to make reversing more difficult and the more common approach is to encrypt them somehow and put them inside binary buffers instead of plain ASCII strings.
One downside of this naive approach is of course, once decompiled, the access to these binary buffers will easily be noticed by a seasoned reverser, he would assume some sort of obfuscation/encryption/whatever and start reversing the algorithm to unobfuscate the strings in a matter of minutes.

One thing you can do to make his/her life harder ( but not impossible ) is embedding your encrypted data as code … how?

Read More

Dynamically Inject a Shared Library Into a Running Process on Android/ARM

If you’re familiar with Windows runtime code injection you probably know the great API CreateRemoteThread which lets us force an arbitrary running process to call LoadLibrary and load a DLL into its address space, this technique called DLL Injection is often used to perform user space API hooking, you can find a good post about it on Gianluca Braga’s blog.

Unfortunately there’s no CreateRemoteThread equivalent on Linux system, therefore we can only rely on ptrace and our brain :D
In this post I’ll explain how to perform DLL Injection on Linux systems and more specifically on Android/ARM.

Part 2 of this post on “Android Native API Hooking with Library Injection and ELF Introspection.”

Read More

Fuzzing With AFL-Fuzz, a Practical Example ( AFL vs Binutils )

It’s been a few weeks I’ve been playing with afl-fuzz ( american fuzzy lop ), a great tool from lcamtuf which uses binary instrumentation to create edge-cases for a given software, the description on the website is:

American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time
instrumentation and genetic algorithms to automatically discover clean, interesting test cases
that trigger new internal states in the targeted binary.
This substantially improves the functional coverage for the fuzzed code. The compact synthesized
corpora produced by the tool are also useful for seeding other, more labor- or resource-intensive
testing regimes down the road.

Ok nice … but what does this actually mean?

Read More

SuperFish AdWare Found Inside X-Notifier Browser Extension Code.

You probably already heard about SuperFish around the web, an adware that Lenovo pre-installed on its computers since mid-2014. The danger does not reside inside the adware itself, that basically just injects some advertisment inside user web searches, but in the fact that, in order to handle HTTPS search engines ( Google ), it installs a root CA on the computer and replaces every HTTPS certificate sent by the web server with this one, leaving the victim vulnerable to SLL man in the middle attacks.

As soon as I heard the name “SuperFish”, it suddenly was somehow familiar to me … “Where the hell did I hear this name before?”

Read More

RuberTooth - a Complete Ruby Porting of the Ubertooth Libraries and Utilities.

Today, finally my ubertooth arrived and I immediately started hacking with it.


I installed its libraries and tools both on OS X and on my Linux virtual machine, and after a while I noticed a few things:

  • The compilation process is not well documented for newer versions of OS X, thus manual code patching here and there is required.
  • Some of the tools are only available for GNU/Linux.
  • Some of the tools are unstable.
  • There’s no way to create my own UberTooth scripts without using C.

Regarding the last point, there is a Python porting which is incomplete, it lacks most of the features that the native libraries have, so ubertooth is definitely not a scriptable device … or maybe not :)

I studied the USB communication protocol implemented inside libubertooth and found out that is very easy and well implemented, so I started to write some Ruby code ( I hate Python! ) using the libusb gem and a new project was born :)

Read More