david wong

Hey ! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

The ghetto way of extracting the private key of superfish February 2015

A realy entertaining piece by Errata Security where Robert Graham ghetto reverse the current controversial superfish of Lenovo.

(if you have been living under a rock

The goal is to set the right break point before it actually infects your machine -- reversers have been known to infect themselves this way.

his ghetto way of reversing is first to infect himself with the "virus" and then using procdump to dump the process memory. Then dumping all the strings that the memory contains with the tool strings and voila. You have have the private certificate in the clear.

But the private certificate is protected by a passphrase. But apparently not, it was just protected by a password contained in the memory in clear as well...

I advise you to read the article, it comes with screenshots and nice commands that use text processing tools:

grep "^[a-z]*$" super.txt | sort | uniq > super.dict

spoiler alert, the password to protect the certificate is komodia the name of the company who created this mitm adware.

Note that if they would have used an RSA whitebox this would not have happened... so quickly.

Well done! You've reached the end of my post. Now you can leave me a comment :)