The ghetto way of extracting the private key of superfish
posted February 2015
A really entertaining piece by Errata Security, where Robert Graham ghetto-reverses the currently controversial Superfish adware shipped on Lenovo machines.
The usual approach is to set the right breakpoint in a debugger before it actually infects your machine; reversers have been known to infect themselves this way.
His ghetto way of reversing is to first infect himself with the "virus", then use procdump to dump the process memory, then dump every string the memory contains with the tool
strings, and voila: you have the CA certificate's private key in the clear.
The private key is protected by a passphrase, though. Well, barely: the password is sitting in the same memory dump, in the clear as well...
I advise you to read the article; it comes with screenshots and nice one-liners built from text processing tools, like this one, which turns the strings output into a password dictionary:
grep "^[a-z]*$" super.txt | sort | uniq > super.dict
Spoiler alert: the password protecting the key is "komodia", the name of the company that created this MITM adware.
Note that if they had used an RSA whitebox, this would not have happened... so quickly.
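The whole ghetto procedure in one script, as an added example that is not code from the Errata post or from Komodia: emulate strings (including the UTF-16 strings Windows processes are full of, which GNU strings only shows you with -el), apply the lowercase-only filter from the one-liner above, carve the PEM block out of the same dump, and feed every candidate word to openssl. The memory dump, the PEM block (placeholder base64, not a real key) and the planted passphrase are all constructed here; the real check is openssl pkey with -passin pass:, which the demo run swaps for a fake checker so it works without openssl installed.

```python
import re
import shutil
import subprocess
import sys
from typing import Callable, Iterable, List, Optional

# Constructed stand-in for a procdump output: a few PE-ish strings, a dummy
# encrypted PEM block (placeholder base64, NOT a real key) and the passphrase
# "komodia" lying nearby in the clear, as the article describes.
FAKE_ENCRYPTED_PEM = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
    b"\n"
    b"MIIBOgIBAAJBANOTAREALKEYJUSTPLACEHOLDERBASE64AAAAAAAAAAAAAAAAAAAA\n"
    b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_DUMP = (
    b"MZ\x90\x00\x03\x00\x00\x00KERNEL32.dll\x00GetProcAddress\x00\x00"
    + b"Komodia Redirector\x00password\x00\x00"          # "password" is a decoy candidate
    + "superfish".encode("utf-16-le") + b"\x00\x00"     # UTF-16 string, as Windows code stores them
    + b"\xde\xad\xbe\xef" + FAKE_ENCRYPTED_PEM
    + b"\x00\x00komodia\x00\x00C:\\Program Files\\VisualDiscovery\x00"
)

PRINTABLE = rb"[\x20-\x7e\t]"


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Emulate `strings` (runs of 4+ printable bytes) plus `strings -el` (UTF-16LE)."""
    ascii_re = re.compile(PRINTABLE + b"{%d,}" % min_len)
    utf16_re = re.compile(b"(?:" + PRINTABLE + b"\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(blob)]
    return found


def build_dictionary(words: Iterable[str]) -> List[str]:
    """The article's  grep "^[a-z]*$" | sort | uniq  step: keep pure lowercase tokens, deduplicated."""
    return sorted({w for w in words if re.fullmatch(r"[a-z]+", w)})


PEM_RE = re.compile(
    rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----.*?-----END (?:[A-Z]+ )?PRIVATE KEY-----", re.DOTALL
)


def carve_pem_keys(blob: bytes) -> List[bytes]:
    """Cut every PEM private-key block out of the raw dump (the key is text, so no parsing needed)."""
    return [m.group() for m in PEM_RE.finditer(blob)]


def is_encrypted_pem(pem: bytes) -> bool:
    """Legacy OpenSSL keys announce encryption in a Proc-Type header; PKCS#8 ones in the label."""
    return b"Proc-Type: 4,ENCRYPTED" in pem or pem.startswith(b"-----BEGIN ENCRYPTED")


def openssl_accepts(pem: bytes, passphrase: str) -> bool:
    """Ask the openssl binary whether `passphrase` decrypts `pem` (exit status 0 means yes)."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl binary not found on PATH")
    proc = subprocess.run(
        ["openssl", "pkey", "-noout", "-passin", "pass:" + passphrase],
        input=pem, capture_output=True,
    )
    return proc.returncode == 0


def try_passphrases(pem: bytes, candidates: Iterable[str],
                    check: Callable[[bytes, str], bool] = openssl_accepts) -> Optional[str]:
    """Return the first candidate the checker accepts, or None if the dictionary misses."""
    for pw in candidates:
        if check(pem, pw):
            return pw
    return None


def recover_passphrase(dump: bytes, check: Callable[[bytes, str], bool] = openssl_accepts) -> Optional[str]:
    """Full pipeline: carve the encrypted key, build the wordlist from the same dump, try every word."""
    keys = [k for k in carve_pem_keys(dump) if is_encrypted_pem(k)]
    if not keys:
        return None
    return try_passphrases(keys[0], build_dictionary(extract_strings(dump)), check)


if __name__ == "__main__":
    if len(sys.argv) > 1:      # real use: python superfish_dict.py procdump_output.dmp
        with open(sys.argv[1], "rb") as f:
            print(recover_passphrase(f.read()))
    else:                      # demo on the constructed dump, no openssl required
        print(recover_passphrase(SAMPLE_DUMP, check=lambda pem, pw: pw == "komodia"))
```

Passing each candidate via -passin pass: puts it on the openssl command line, which is visible to other users of the box; for a large dictionary, or on a shared machine, use -passin stdin or a pass file instead. The lowercase-only filter is what keeps the dictionary tiny, and it only works because the passphrase happened to be a plain word; a real dump would need the other runs of strings as well.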