
Cryptarithms (sort of DFIR-related ;))

August 15, 2015 in Puzzles, Silly

Last year I was looking at my very old programs and I came across a cryptarithm solver that I wrote in khem… Pascal. I wrote it to solve one such riddle published in a crossword magazine back in the day (as a side note: when I found it I was actually looking for something completely different in the first place /as is usually the case/).

As per Wikipedia: a cryptarithm, or word addition, is a type of mathematical game consisting of a mathematical equation among unknown numbers, whose digits are represented by letters. The goal is to identify the value of each letter.

Since I came across it I started wondering if there was a generic solution for this type of puzzle and after googling around I found out that it is possible – some people created dedicated web sites that handle all the solving work for you.

Using these tools I created the two puzzles below, so if you are bored you can try to solve them 😉 [as you can see, it is DFIR-related 😉 ]

  • RCE+DFIR=ELEET
         RCE
      + DFIR
       ----- 
     = ELEET
  • MFT+FILE+FILE+FILE+FILE=NTFS
          MFT
       + FILE
       + FILE
       + FILE
       + FILE
       ------
       = NTFS

And if you struggle you can always cheat and use this solver by Naoyuki Tamura (that’s how I created these anyway :) )
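A generic approach to this kind of puzzle, as an added example (it is not the Pascal program mentioned above, nor Tamura's solver): a column-by-column backtracking search that assigns digits from the rightmost column and rejects a branch as soon as a column sum disagrees with the result letter. The function names `solve`, `value` and `check` are made up for this sketch, and it assumes the usual rules (distinct digits per letter, no leading zeros, addition only).

```python
def solve(puzzle):
    """Yield each letter->digit mapping that satisfies e.g. 'RCE+DFIR=ELEET'."""
    left, result = puzzle.replace(" ", "").upper().split("=")
    addends = left.split("+")
    words = addends + [result]
    leading = {w[0] for w in words if len(w) > 1}    # these may not be 0
    width = max(map(len, words))
    # cols[i] = (addend letters, result letter or None) for the 10**i column
    cols = [([w[-1 - i] for w in addends if i < len(w)],
             result[-1 - i] if i < len(result) else None) for i in range(width)]
    assign, used = {}, set()

    def try_digits(ch, digits, col, idx, carry):
        for d in digits:
            if d in used or (d == 0 and ch in leading):
                continue
            assign[ch] = d
            used.add(d)
            yield from place(col, idx, carry)
            del assign[ch]                           # backtrack
            used.discard(d)

    def place(col, idx, carry):
        if col == width:                             # every column consumed
            if carry == 0:
                yield dict(assign)
            return
        letters, res = cols[col]
        if idx < len(letters):                       # bind this column's addend letters
            if letters[idx] in assign:
                yield from place(col, idx + 1, carry)
            else:
                yield from try_digits(letters[idx], range(10), col, idx + 1, carry)
            return
        carry_out, digit = divmod(carry + sum(assign[c] for c in letters), 10)
        if res is None:                              # result has no digit here
            if digit == 0:
                yield from place(col + 1, 0, carry_out)
        elif res in assign:
            if assign[res] == digit:
                yield from place(col + 1, 0, carry_out)
        else:                                        # result letter is forced by the sum
            yield from try_digits(res, [digit], col + 1, 0, carry_out)

    yield from place(0, 0, 0)

def value(word, mapping):
    return int("".join(str(mapping[c]) for c in word))

def check(puzzle, mapping):
    left, result = puzzle.replace(" ", "").upper().split("=")
    return sum(value(w, mapping) for w in left.split("+")) == value(result, mapping)
```

Calling `list(solve("RCE+DFIR=ELEET"))` returns every valid assignment, so it also shows whether a puzzle has a unique answer.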

Trivial AppID Impersonation

February 20, 2014 in Others, Silly

I was wondering what would happen if one tried to impersonate the AppID of a common application, i.e. run my own application and change its AppID to that of a well-known application at run-time. Kinda lame, I know.

To test it, I wrote a quick PoC that uses the SetCurrentProcessExplicitAppUserModelID API to pretend it is Internet Explorer, Remote Desktop and Sticky Notes, using their respective AppIDs. I also added the AppID for Notepad – while it doesn’t have a standard AppID like the 3 other applications, I just wanted to show that we can still enforce the AppID association using Notepad’s normalized path {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\notepad.exe (for details see my older post about AppIDs).

Here’s a list of AppIDs used:

  • Internet Explorer – Microsoft.InternetExplorer.Default
  • Remote Desktop – Microsoft.Windows.RemoteDesktop
  • Sticky Notes – Microsoft.Windows.StickyNotes
  • Notepad – {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\notepad.exe

I pinned all 4 of these applications to the Taskbar on Windows 8.1 and then ran my test application, pausing it each time I changed the AppID to take a screenshot. The results are combined in the picture below. Not surprisingly, any time I changed the AppID a different pinned taskbar icon got highlighted (the test application needs to do some GUI operation for it to work; it can simply show a message box).

[Screenshot: appid_rotation]

This is quite a tiny level of impersonation – hard to come up with any really useful scenarios here – perhaps one could use it to reinforce social engineering attempts (e.g. escalation of privileges triggered by malware while pretending to be from some legitimate Windows application, or perhaps AV)? But aren’t existing GUI manipulation tricks better than that? Oh well, trivial is trivial.