5:48 when a Mac/Linux user first encounters modern IE

Linux user being paranoid on Internet Explorer

Man, I don't know, but something in the way you explain things, the way you organize your thoughts, or maybe the way you confidently talk, makes your videos fun to watch. Not to mention the actual great information that you learn from them. Keep it up. You are really up for something great.

The funniest thing about that IE smiley is the keyboard shortcut for sending a frowny face.

5:51 LiveOverflow: "Is this a virus?"

"I decided to approach it again with logic" 😂👍

Maybe it was an NPAPI plugin, those stopped being supported in FF 52.

It would be amazing if you started a 0 to hero series explaining the basics of reverse engineering malware, as someone who also enjoys malware I find your videos fascinating but I would always love to learn more from you.

ur videos are amazingggg!!Thanks for bringing such quality content

Well... This is neat. Not entirely sure why youtube decided this is my jam, but I do appreciate a good explanation and seeing someone put a lot of effort towards something.

There is a function to get version of ur firefox in that .dll file. Btw, ur way to solve this challenge is awesomeeeee =]] i never imagine u can solve this challenge in ur way =]]]] amazing video

wow, didn't know about flare vm! Might get into analysing malware soon as well! thanks for the great video, as always!

your content is great, looking forward to see the next one!

6:00 *open IE *see the smile thing *OK this actually exist!

I dont understand shit here but i feel a lot smarter now, thanks @LiveOverflow.

This video gave me the missing clue to solve my first CTF (a different one of course) on my own! Thanks a lot! :D

I watch this video with no knowledge of hacking, but I really feel entertained and educated by your content ;'3

12:37 laughed my head off :D

i have little to no idea what youre talking about but im loving every second of it

You can try shutdown -a when you boot the VM. Also Ctrl + Alt + Del when shutting down and opening task manager from there actually interrupts the shutdown... I found the last one myself testing the very combination on shutdown

This is very complex but interesting, ty for your contents

I love your work!

Wow your analysis skill is so good bro

I don't understand most of the things you say but I'm sitting here enjoying your videos hoping one day I do understand.

you deserve more subscribers. subscribed!

Holy shit that was awesome. There is so much out there that i don't know!

What was the mechanism by which the browserassist.dll got loaded into the Firefox process? Did I miss something?

I love this chall, because like in real case technique at banking malware, it will injection with external dll, which means it hooking the PR_Write function and this only work at old firefox version, CMIIW

Microsoft does the smiley thing with ALL of their windows products (And some open source ones too) as far as I am aware.

Really enjoy your videos despite not really getting everything. Guess I need to start learning c#, .net etc. I follow along but I would really get stuck if it was me doing the task.

firefox changed the way they deal with addons in quantum, including dropping support for (i believe) dll/native code based plugins (java, flash, etc.)

Great Job man

Congrats ! You are one smart puppy :)

Nice content! Kudos

This was really interesting!

4:45 Oh wow, the old Office 2003 UI kit thing. -5:57-- That was there since Windows 8, and I believe Internet Explorer is still in Windows 10 only for backward compatibility with older applications that use the Trident engine (which IE uses) in order to render Web content.- 6:15

6:45 Hmm. First thing which came to my mind after I heared that the challenge surrounds around a Firefox maleware was: "Better use an older firefox version for the analysis. They might have patched something"

this is such a great content!

Thanks for the video =)

I got such a nostalgic feeling when you opened PEid.

I'm sure you're busy.. but... You should totally still make your handwriting into a font ❤

I think that if you find what is the vulnerability by analyzing the dll, you can search for something like "dll injection Firefox", etc. And you'll see approximately in what version it was fixed.

That was awesome! I'd love to be able to de this some day, is there a place where I can start learning the basics?

Flare-on 2018 was so hard. The hardest ever :-0. Took me a month to complete.

Impressive :-) Thanks!

Nice video....I love your videos...

wow! what valuable material 👍👍👍👍

The installer drops the dll and sets a registry key. My educated guess is that newer Firefox versions does not take that registry key into consideration when loading dlls, whereas the older version does. I solved the entire challenge statically, it was interesting to bypass a few checks and analyze all the dll requests. If I recall correctly, the dll has some checks then it does 2-3 HTTP requests, retrieves some encrypted data and after a few decryption stages and data manipulation it is possible to extract the javascript inserted into the browser alongside the JSON you observed in the stack trace. At this point, I manually injected the javascript code into my browser (after deobfuscation), ran the commands and got the flag. :)

i am addicted to watching your videos

Very Thanks !!

idk w a single thing in this video but they are fun to watch

I'm a simple man. I get notification of LiveOverFlow uploading a video. I watch.

As I remember the dll hooking some function to inject the javascript. In newer version of firefox those functions don't exist so it failed :)

Damn that’s such a complex challenge! Feeling dumb :( But at least learnt something. Gong to need a few more attempts to learn this well...

Can you include all the softwares and tools you used there in the vid description? Thanks a lot 😁

Off the top of my head, maybe using the latest Firefox version matching any datestamp found inside the binaries/strings?

Dont really understand, but it was interesting :)

What are some other websites you guys recommend for challenges like flare-on.com?

@LiveOverflow you might already know this, to solve complicated key comparisons/generation, we can use Z3

what would we do if the web shell didn't have sl

Could you have just set the model root to 1 and bypassed the need for reversing the password, or did the dll inject the extra stuff after the password was right?

I like puzzles. I want to obfuscate a whole bunch of code that, when deobfuscated, literally just congratulations you for solving the puzzle.

The smiley face got me LOL

yeah boiii

i love ur channel bro :P

Do you have a Discord channel? You should definitely make one!

I don't recall the exact details of the code but the DLL does do version check of Firefox. If I recall correctly, it's any version before or equals to 40 that works. After the check, the DLL downloads the encrypted javascript from a pastebin and decrypts it.

Would you please make a video (or post) at least listing all the software you use? (and preferably what you find them most useful for)

Heard on some other video that an older version of firefox had an java injection leak

Savage!

Umm is this normal on ie because i have some kind of smiley in ie and avast or malvare bytes does not reconize it?

@LiveOverflow doesn't work in newer FF as web extensions don't allow JS injection (from FF Quantom on-wards). Was actually one of the big motivations of why we moved over. Too bad FF Quantum messed up multiple tab handler, it is annoying. We're finally getting it backed in.

Can someone explain the part of code with XOR statement? I thought ^ is the symbol for AND / conjuction and don't really understand how it works.

I cant speak for the .exe as i skipped that during my run. However there was no easy way to figure out the version needed for the .dll other than realizing that it must have been patched. Personally I found twitter to be fairly useful and not really giving away anything.

Hallöle ^^ Ich interessiere mich schon seit einigen Jahren für das Thema... Nun, da ich jetzt weiß, dass man "einfach" an solchen CTF's teilnehmen kann: Könntest du mir "Beginner"-CTF's vorschlagen, um in das Thema noch besser rein zu kommen? Mit freundlichen Grüßen, R00T

I could imagine someone just had the old Firefox because he didn't use a virtual machine as advised.

This stuff looks really fun, but totally out of my skill level at the moment. Do you have / know of any places to find beginner reverse engineering challenges?

So if you update your Firefox because of some vulnerability, the old injected code may work on the latest version? It sounds like the upgrade should clear the cache every time you upgrade.

bit late, but laughed that it uses ConfuserEx to obfuscate the application. Easy to tell by the "ConfusedByAttribute" as well as the decrypting, decompressing method. Also, dnspy is a lot better for reversing .NET applications. It has a clean GUI, stable, gets updated a bit, a IL Viewer; which can be handy in removing anti-debugging calls, such as CheckRemoteDebuggerPresentEx, and more functionality.

Hey, ich studiere auch an der TU und wollte fragen ob du bei der IT-Sicherheits AG? Jeden Dienstag im TEL-Gebäude. Ich glaube die AG heißt Enoflag. Wäre richtig cool dich zu sehen :D

So is this exploit for Firefox universally, like on Linux or Mac. Cuz I'm worried now

Klasse Video

5:16 >this entry point It must be encrypted

What is your current computer setup?

I have been stuck on flare on challenge 2 of 2019 for a long period of time Kindly help Anyone ?

Does the requirement for the older version relate to Firefox x64 vs x86 ?

Hi, I recommend the OALabs youtube channel for some great video tutorials on RE!

bro can you give us a link to download your youtube videos for those who have bad network bandwith

Can someone explain why the dll was loaded to Firefox's memory map? I mean surely firefox did not request that dll and that dll wasn't even in the firefox folder. How does it get loaded with firefox?

JAJJAAJAJAJAJ 11:21 "Awghh... F!" so funny. I'm just discovering your videos! All of these things you explain are amazing! Even to devs like with some years on the back! :D Super pedagogical, fun, talking pretty advanced shit (I come from the XSS video series you made, so rad) looks like a pretty deserved subscribe, that material must be assimilated by my mind. Greetings from Argentina!

Great Video!!Very Helpful!! Can you'll help me with ".werd" file extension. All my file are encrypted. Is it possible to decrypt the files.

bruteforce all the versions ?

Me, a Firefox user: *I'm in danger*

Doesn't that mean you could use older versions of Firefox to mess with the newer versions?

A reminder that IE is not broken per se. It's designed like that.

0:18 bruh so I'm vulnerable to attacks and malware just because I want to be private on the internet?

oh wow

which also beg an important question, should browser update also invalidate the cache

Has somebody checked how does it affect other browsers, or just everybody went mozilla-hint way?

10:00 'su' doesnt mean switch user, it means super user (root). The Linux command which switches to the root user. That's why sudo runs a command as root (super user do).