Neoma Fong neomafo88

MD5 Collision with CRC32 Preimage

Here's the scenario: We want to craft two different messages with the same MD5 hash, and a specific CRC32 checksum, simultaneously.

In other words, we want an MD5 collision attack and a CRC32 preimage attack.

This might seem like a contrived scenario, but it's exactly the one I faced while producing my PNG hashquine (Yes OK maybe that's also a contrived scenario, cut me some slack).

On its own, a CRC32 preimage attack is trivial. You can craft a 4-byte suffix that gives any message a specific checksum, calculated using a closed-form expression (which I am too lazy to derive, not even with assistance from Z3). It's not an attack per-se, since CRC32 was never meant to be cryptograpically secure in the first place.

Binary Ninja Python API Cheat Sheet

This is a work in progress by someone who is learning about Binary Ninja.

References

Metadata Details

Get database name

	"""
	This POC is based on example from https://frida.re/news/#child-gating
	and is aimed to instrument child processes along with the main one.
	"""

	from __future__ import print_function
	import frida
	from frida_tools.application import Reactor
	import threading

	# Copyright: (c) 2022, Jordan Borean (@jborean93) <[email protected]>
	# MIT License (see LICENSE or https://opensource.org/licenses/MIT)

	<# Example Code to Run on the Server
	$pipeServer = [System.IO.Pipes.NamedPipeServerStream]::new("jordan-test", [System.IO.Pipes.PipeDirection]::InOut)
	$pipeServer.WaitForConnection()
	try {
	$tokenStat = Get-NamedPipeClientStatistics -Pipe $pipeServer
	$appKey = Get-SMBApplicationKey -LogonId $tokenStat.AuthenticationId
	[System.Convert]::ToBase64String($appKey.Applicationkey)

	"""
	extracts config from sample: 7440a7b56d3670d4204a57974fa76ae76ca78168bb181640f565976d192cc159
	0xca7
	"""

	from elftools.elf.elffile import ELFFile


	def read_elf(path) -> bytes:

	function Get-RdpLogonEvent
	{
	[CmdletBinding()]
	param(
	[Int32] $Last = 10
	)

	$RdpInteractiveLogons = Get-WinEvent -FilterHashtable @{
	LogName='Security'
	ProviderName='Microsoft-Windows-Security-Auditing'

	' Proof of Concept: retrieving SSN for syscalling in VBA
	' Author: Juan Manuel Fernandez (@TheXC3LL)


	'Based on:
	'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
	'https://www.crummie5.club/freshycalls/


	Private Type LARGE_INTEGER

	"""
	summary: drawing custom graphs
	description:
	Showing custom graphs, using `ida_graph.GraphViewer`. In addition,
	show how to write actions that can be performed on those.
	keywords: graph, actions
	"""

	from __future__ import print_function
	# -----------------------------------------------------------------------

	#![allow(non_snake_case)]

	use std::arch::global_asm;
	use std::mem::size_of;

	use winapi::shared::ntdef::{OBJECT_ATTRIBUTES, HANDLE, NULL, PHANDLE, NTSTATUS};
	use winapi::um::winnt::{ACCESS_MASK, PROCESS_VM_WRITE, PROCESS_VM_READ};

	#[cfg(not(target_arch = "x86_64"))]
	compile_error!("Only x86_64 machines");

	function javaPost(url, data) {
	const thread = Java.use("java.lang.Thread").$new();
	const Tjava = Java.ClassFactory.get(thread.getContextClassLoader());
	const Url = Tjava.use("java.net.URL").$new(url);
	let connection = Url.openConnection();
	connection = Java.cast(connection, Tjava.use("java.net.HttpURLConnection"));
	connection.setRequestMethod("POST");
	connection.setDoOutput(true);
	connection.setRequestProperty("Content-Type", "application/json;");
	const postData = Tjava.use("java.lang.String").$new(data);