This post is written for aspiring reverse engineers and will talk about a technique called _API hashing_. The technique is used by malware authors to hinder reverse engineering. We will first discuss the reasons a malware author may even consider using API hashing. Then we will cover the necessary technical details around static and dynamic imports and finally, we will describe API hashing and show a Python script that emulates the hashing method used in Sodinokibi/REvil ransomware. Read on!


Earlier this year, I was thrilled to hear that my submission for a talk at this year's [FrOSCon](https://www.froscon.de/) (Free and Open Source Software Conference) was accepted. [The talk](https://programm.froscon.de/2019/events/2350.html) is about Ghidra, the reverse engineering tool which was recently released into open source by the NSA. Since I expected a very heterogeneous audience with people from all kinds of industries with all kinds of backgrounds, I decided to give a long introduction with a lot of motivation for reverse engineering and only use the last quarter or so of the talk to actually show Ghidra's capabilities. You can find the [slides here](https://blag.nullteilerfrei.de/wp-content/uploads/2019/08/FrOSConTalk2019-Ghidra.pdf), the source [of the slides on github](https://github.com/larsborn/FrOSCon2019-Ghidra-Talk) and a recording at [media.ccc](https://media.ccc.de/v/froscon2019-2350-ghidra_-_an_open_source_reverse_engineering_tool). Based on feedback during and after the talk, I added a bullet point under Motivation: a lot of people at FrOSCon seemed to be in the position where a wild binary blob appeared and they had to deal with it. Some because they found an old service running with source code that is not available (or readable) anymore and some because they want to re-implement a protocol that is not documented.


After a system crash, Ghidra greeted me with the message `Unsupported file system schema: idata` when I tried to open the project. Click here to see what happened next!


Say you want to write a C program, but you want to avoid including plain strings within the binary. This is something often done by malware authors, for example, to avoid easy extraction of so called indicators of compromise. I can also imagine a legitimate business that uses string obfuscation to make reverse engineering of their software harder to protect their intellectual property. This is often called string obfuscation. I want to use this knowledge to make the world a better place!


a.k.a. "My Bank does not support CSVs". When I asked my bank for "machine readable" versions of my bank statements, they were like: WAT! Their website has a CSV-export function. But only data from the last three months can be exported. Of course, it would have been smart to have performed this export every two months or so, but let's talk about something else. Sure!


I started to play around with ArangoDB and used Python to get some data into my first database. Long story short: if you want to set your own key for the documents, do it on the document, not on the initialization data. EDIT: this is only true for the most recent release on pypi at the time of writing, version 1.3.1 [1]. Read the longer story!
  [1] See the conversation on github for details.


This post will probably be very boring for everyone who doesn't have this problem. But since it cost me some time to figure out a solution, I think it is worth sharing. I care. You share. Read on!


In an attempt to piggyback on the people's vague fear of random lawsuits in Germany, I'll blog on how to remove the last octet of an IP in NGINX log files. Do you want to know more or get sued?


Recently I once again stumbled upon a detail of the HTTP specification involving the POST verb and "enforced" https. I'll document it here in an attempt to save other people the time (hopefully also future-me). Do you want to know more?


Flask pretty-prints responses generated by the flask.json.jsonify function. Avoiding this on a per-request basis doesn't seem to be intended: there is a configuration variable for the whole application, JSONIFY_PRETTYPRINT_REGULAR, but setting that to False minifies every JSON response. And, in general, I enjoyed the pretty-printed output. So implementing X-PrettyPrint - which seems to be a quasi-standard - also sounded like the wrong way, because it means replacing the call to jsonify with a custom implementation. This short story has a happy end though: Flask does not pretty-print the response if it receives an AJAX request. So one can just send the appropriate header:
curl -H 'X-Requested-With: XMLHttpRequest' "https://example.com/api/endpoint.json"


I am not very disciplined. So trying not to be distracted while working at my computer is a major project for me. Since "deep work" is en vogue, it is possible to disable notifications in nearly every app nowadays. But there are often tiny bits one cannot change: Slack's icon in the notification area is one of those things. Whenever you have an unread message in any of the channels you are part of, Slack will show a small blue dot on its icon in the notification area. One can argue that it is not that hard to ignore that, but fishing is also not that hard and I cannot do it. What I can do though is overwrite slack-taskbar-unread.png with slack-taskbar-rest.png in %APPDATA%\Local\slack\app-VERSION\resources\app.asar.unpacked\src\static\.


Spoiler: My main point in this post is not given away by the title. But first things first: What are all those words? Would you like to know more?


This blag post describes how to use a [Raspberry Pi](http://amzn.to/2wjICvo) to remotely "press" and potentially "hold" the power button on a PC. This is my first non-trivial (still pretty-trivial) hardware-related project. So don't expect anything too fancy. Would you like to know more?