I accomplished a new milestone in my reverse engineering today. A colleague asked me to figure out how the “getfw” tool used in some Cisco images to decrypt firmware out of their downloadable images works so he could use Python to extract them at-scale.

So I threw it in IDA, narrowed in on a function called “fwdec” then dropped the assembly into ChatGPT … wait wut?

https://alperovitch.sais.jhu.edu/an-experiment-in-malware-reverse-engineering/

My good friend @jags recently showed that ChatGPT is extremely useful for RE newbs like me so I ran with it.

It was able to explain that the assembly code was loading strings into memory, and those strings?

OpenSSL decryption commands; including the passphrase, actually 2 passphrases (one from 2017, one from 2018). Worked like a charm once my colleague plugged it into his code and 100% of the images were decrypted.

Yeah, it’s not reversing stuxnet but considering it took me - with nearly zero IDA skills - under an hour to figure it out I thought it was pretty damn cool.
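The takeaway from the post above is that a passphrase baked into a binary as an `openssl enc ... -pass pass:...` command string is one `strings` pass away from anyone who has the file. The scanner below is an added example, not code from the post, from Cisco's getfw tool or from the colleague's extraction script; it is the kind of check a build pipeline can run over its own artifacts before shipping, or a reviewer can run over a third-party tool to see whether it carries inline secrets. The ELF-ish sample blob, the commands and the `EXAMPLE-PASS-*` values are all constructed for the demo.

```python
"""Flag OpenSSL invocations with inline secrets embedded in a binary (added example)."""
import re
import sys
from dataclasses import dataclass

# Constructed sample blob standing in for a compiled tool. Every string and
# passphrase below is invented for this demo; nothing here is from getfw.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"usage: fwdec <image>\x00"
    + b"openssl enc -d -aes-256-cbc -md md5 -pass pass:EXAMPLE-PASS-2017 -in %s -out %s\x00"
    + b"\x90\x90\x90\x00"
    + b"openssl enc -d -aes-256-cbc -pass pass:EXAMPLE-PASS-2018 -in %s -out %s\x00"
    + b"openssl enc -d -aes-256-cbc -pass env:FW_KEY -in %s -out %s\x00"  # env source: not inline
    + b"openssl dgst -sha256 %s\x00"
)

# Any openssl crypto subcommand embedded as a NUL-terminated C string.
OPENSSL_CMD = re.compile(rb"openssl\s+(?:enc|pkeyutl|rsautl|cms|smime)\b[^\x00]*")
# Flags whose argument IS the secret, as opposed to env:/file:/fd: indirections.
INLINE_SECRET = re.compile(rb"(-pass\s+pass:|-k\s+|-K\s+)(\S+)")
KIND = {b"-pass pass:": "passphrase", b"-k": "passphrase", b"-K": "raw hex key"}


@dataclass
class Finding:
    offset: int      # byte offset of the command string inside the blob
    flag: str        # openssl flag that carried the secret
    kind: str        # passphrase or raw key
    secret: str      # literal value; callers decide whether to redact it
    command: str     # full embedded command, for context


def redact(secret: str) -> str:
    """Keep two characters so findings can be correlated without reprinting the secret."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"


def find_hardcoded_openssl_secrets(blob: bytes) -> list[Finding]:
    """Scan raw bytes for openssl commands whose key material is inline."""
    findings = []
    for cmd in OPENSSL_CMD.finditer(blob):
        text = cmd.group(0)
        for hit in INLINE_SECRET.finditer(text):
            flag = re.sub(rb"\s+", b" ", hit.group(1)).strip()  # normalise whitespace
            findings.append(Finding(
                offset=cmd.start(),
                flag=flag.decode(),
                kind=KIND[flag],
                secret=hit.group(2).decode(errors="replace"),
                command=text.decode(errors="replace"),
            ))
    return findings


def scan_file(path: str) -> list[Finding]:
    with open(path, "rb") as fh:
        return find_hardcoded_openssl_secrets(fh.read())


def main(argv: list[str]) -> int:
    # With no path argument the constructed sample is scanned; exit 1 on any finding
    # so the script can gate a CI job.
    findings = scan_file(argv[1]) if len(argv) > 1 else find_hardcoded_openssl_secrets(SAMPLE_BLOB)
    for f in findings:
        print(f"0x{f.offset:08x} {f.flag:<11} {f.kind:<12} {redact(f.secret)}")
    print(f"{len(findings)} hardcoded secret(s) found")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on a real file with `python scan.py path/to/binary`. The `-pass env:FW_KEY` string in the sample is deliberately not reported: the point of the check is to distinguish a command that merely names where a key comes from from one that ships the key itself, which is the situation the post describes.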


@n0x08 this is what I’ve been obsessing over! If it hadn’t been for ChatGPT I’m not sure we could’ve gotten twenty students of completely different backgrounds and technical skills to go through that course. I’m really glad you had a similar experience!

@jags @n0x08 yesterday, as a test and just for fun, I asked ChatGPT to write me a Python code snippet that I wrote myself back in 2010, when I was doing a bunch of Redis research. I told it to write a script that did a bunch of stuff, in plain English.

It gave me code that worked, first try, and did exactly what I asked. I was gobsmacked.

Then I asked it to make changes, and it did, successfully.

@Viss @jags I got it to write me a PowerShell clipboard monitor to swap BTC wallet addresses and a Python port scanner for an F5 (Python 2, no scapy). It’s neat.
@n0x08 @Viss if you like the results generating python, try Golang! The formatting is so strict that the code output is basically fire ready.
@jags @n0x08 I’m taking over dev for Orbital as soon as these consulting gigs conclude, and I was very much not looking forward to that - but now? .. [evil cackling]
@Viss @n0x08 it’s a serious game changer. Gotta wade past the ambulance chasers crying about it being ‘used by threat actors’ (as if threat actors aren’t doing just fine with open source tools) and see how insanely empowering it is for defenders.
@jags @Viss not to give too much away but if I pull it off I’ll have a fantastic LABScon abstract about that 😉
@n0x08 @Viss your mind is in the right place 😅