The fundamental thing about reverse engineering is that you absolutely need to know how things work in forward first.  You cannot reverse without knowing how things go forwards.  So I studied the compilation process in depth and discovered that the compilation is a three-step process.  The BlackBerry compile process is not, in actuality, something magical.  It first runs javac on a plain old .java file.  The resulting .class file is then preverified (a process by which you alter the class file in a way that you save the device JVM significant processing time).  After this, the BlackBerry compiler (rapc.jar) is executed to covert the .class file into a .cod file.  This .cod file is significantly smaller than the .class file.  It also appears to be compressed.  It is not a simple task to reverse this process.  Primarily because rapc.jar is obfuscated like a mofo and you need to spend countless hours refactoring and getting things to play well together.  But you don’t want to hear that do you?  No, instead you want to hear that I am able to reverse .cod files to the point at which I have pristine .java source code, right?  Well, yes.  I can do that.

As I often need to appease my evil personality, I did what most anyone else in my position would do.  I looked at a few programs out there to see if I can bypass their license key requirements.  The result?  Can you say “Shooting fish in a barrel”?  Ordinarily, I would take this moment to chide all the developers out there to use better protection, I am not going to do this today.  These days, any capable person with a laptop can write and sell applications for the iPhone or the BlackBerry.  Gone are the days where you see only larger software houses publishing commercial applications.  Now just about anyone can do it.  What each individual is willing to lose to piracy and the amount of effort they wish to spend on writing software protection is entirely up to them.  All I’m going to do today is say this: Everything can be reversed.  Everything.

Don’t be lulled into a false sense of security that when you write an app for the BlackBerry, your code is safe; it is not.  Your commercial protections CAN and WILL be broken.  Unless you want to lose money to this problem, the only suggestion I can offer is to consider spending more effort in designing better protections.  If not, then just forget it and go about your business as you normally would.  But be aware that an increasing number of people have the means to reverse your code.  It will only be a matter of time before sites will pop up with real working keygens that you can run on your BlackBerry device.  It will be like the second coming of the PC era where good old DOS games had keygens and keygenning groups flourished.  For those interested, what would good protection consist of?

• Don’t do any calculations within your app that you can compare to.
• Consider activating your app over the internet.
• When activating your app over the internet, use SSL, and more important, VERIFY your server certificate.
• If you need to offer trials, write two separate programs: 1 less functional trial and 1 full featured version.

To sum up, make sure that you protect what is important to you.  If your application generates revenue for you, then you will want to protect it.  Spend a little extra effort on designing a better software protection framework.  To everyone those who don’t know where to start, the company I work for offers consulting on this subject.  Get in touch with me if you’re serious about it.

Description

The program has 2 options.  One is the Reveal option.  This option is only visible in your Menu when the Etisalat BlackBerry Spyware is detected on your handheld.  If it isn’t there, then the option doesn’t show up.

The second option is the Show Hidden Programs.  As the name suggests, it gives you a look into all the programs that are marked as hidden on your handheld.  This also includes libraries.

For now, I would urge you to browse around the hidden programs and see if you come across anything suspicious.  I think, as a general rule of thumb the net.rim.* libraries and programs can be trusted.

How to use

Start the program, it should tell you whether or not the spyware was detected on your handheld.  If it is detected, then press the Menu and select Reveal.  Then quit the application, go to Options->Advanced Options->Applications, click on Registration and uninstall it.  That should be it.

I would really like to hear your comments and most importantly would like to have your help in improving this program.  Please try it out and either post a comment or mail me directly.  My email address is in the About option.

Thanks, and be safe!

Disclaimer (sorry, got to put this in)

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Navigation

• You can download the software revealer here
• You can download the spyware removal guide here
• You can download the whitepaper here

Now onto the rest of the original article:

Okay, so I put aside the write up for awhile to complete my BlackBerry App that will reveal the Etisalat Spyware if it is installed on your BlackBerry.  So far, I have tested it on my simulators and it works well.  I’ve posted some screenshots here.  Now as luck would have it, I did get a hold of a set of BlackBerry Code Signing Keys.  This would allow me to distribute this app and people would be able to use it and, hopefully, benefit from it.  But not all of that luck was good.  I tried installing the keys and the registration with the central BlackBerry servers is failing.  I have mailed RIM about this and I am waiting their response.  What does this mean?  Well, sadly, I cannot release the tool because of this so no-one is going to be able to clean their BB’s over the weekend.  Bummer.  I’ve got the source which I will release at the same time.  In the meantime, if anyone is interested in the source, leave a comment and I’ll pick it up from there on.  So while I wait for the Keys to come through, I’ll get to work on the writeup.

The App:

I called it the Hidden Program Revealer (yeah, I know, as original as some of the shop names in Dubai.)  So far all the app does is start up and look for the name of the Etisalat application and determines if it is installed.  It detects if it is hiddenand will give you an option to reveal it if it is.  At that point, you can go to Options->Advanced Options->Applications->Registration->Delete to remove the spyware completely.  Additionally, I wanted to make the app a bit more useful for the future and I put in an option to reveal all hidden programs and libraries on your handheld.  This will give you an opportunity to search for anything suspicious.  If you do find some other suspicious apps, then mail me the name and I’ll ship a custom app for you to reveal it and uninstall it.  I think a good rule of thumb, much like Tripwire is to install a known, good copy of the BlackBerry device software, run my utility and baseline the hidden apps on your device.  That way, you will know if anything is changed.  This is actually the direction I want to go with my app as well.

For now, only screenshots.

Screenshots of my BlackBerry App running on the sim:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

004046D7  /$  55            PUSH EBP               ;  Main Encrypter
004046D8  |.  8BEC          MOV EBP,ESP
004046DA  |.  51            PUSH ECX
004046DB  |.  51            PUSH ECX
004046DC  |.  837E 14 00    CMP DWORD PTR DS:[ESI+14],0
004046E0  |.  8BC6          MOV EAX,ESI
004046E2  |.  0F84 CC000000 JE 004047B4
004046E8  |.  53            PUSH EBX
004046E9  |.  8B5E 14       MOV EBX,DWORD PTR DS:[ESI+14]
004046EC  |.  895D FC       MOV DWORD PTR SS:[EBP-4],EBX
004046EF  |.  57            PUSH EDI
004046F0  |.  4B            DEC EBX
004046F1  |.  8BFB          MOV EDI,EBX
004046F3  |.  E8 A0010000   CALL 00404898
004046F8  |.  0FB608        MOVZX ECX,BYTE PTR DS:[EAX]
004046FB  |.  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
004046FE  |.  6A 05         PUSH 5
00404700  |.  33D2          XOR EDX,EDX
00404702  |.  5F            POP EDI
00404703  |.  F7F7          DIV EDI
00404705  |.  8BFB          MOV EDI,EBX
00404707  |.  C1E2 08       SHL EDX,8
0040470A  |.  66:0FB68411 4>MOVZX AX,BYTE PTR DS:[EAX+ECX+427F48]
00404713  |.  0FB7C0        MOVZX EAX,AX
00404716  |.  8945 FC       MOV DWORD PTR SS:[EBP-4],EAX
00404719  |.  8BC6          MOV EAX,ESI
0040471B  |.  E8 78010000   CALL 00404898
00404720  |.  66:8B00       MOV AX,WORD PTR DS:[EAX]
00404723  |.  66:25 00FF    AND AX,0FF00
00404727  |.  66:0B45 FC    OR AX,WORD PTR SS:[EBP-4]
0040472B  |.  0FB7C0        MOVZX EAX,AX
0040472E  |.  8945 FC       MOV DWORD PTR SS:[EBP-4],EAX
00404731  |.  8BC6          MOV EAX,ESI
00404733  |.  E8 60010000   CALL 00404898
00404738  |.  66:8B4D FC    MOV CX,WORD PTR SS:[EBP-4]
0040473C  |.  66:8908       MOV WORD PTR DS:[EAX],CX
0040473F  |.  8BC6          MOV EAX,ESI
00404741  |.  E8 52010000   CALL 00404898
00404746  |.  0FB700        MOVZX EAX,WORD PTR DS:[EAX]
00404749  |.  6A 05         PUSH 5
0040474B  |.  99            CDQ
0040474C  |.  59            POP ECX
0040474D  |.  F7F9          IDIV ECX
0040474F  |.  33FF          XOR EDI,EDI
00404751  |.  85DB          TEST EBX,EBX
00404753  |.  8955 FC       MOV DWORD PTR SS:[EBP-4],EDX
00404756  |.  76 58         JBE SHORT 004047B0
00404758  |>  8BC6          /MOV EAX,ESI
0040475A  |.  E8 39010000   |CALL 00404898
0040475F  |.  0FB600        |MOVZX EAX,BYTE PTR DS:[EAX]
00404762  |.  8B4D FC       |MOV ECX,DWORD PTR SS:[EBP-4]
00404765  |.  C1E1 08       |SHL ECX,8
00404768  |.  66:0FB68408 4>|MOVZX AX,BYTE PTR DS:[EAX+ECX427F48]
00404771  |.  0FB7C0        |MOVZX EAX,AX
00404774  |.  8945 F8       |MOV DWORD PTR SS:[EBP-8],EAX
00404777  |.  8BC6          |MOV EAX,ESI
00404779  |.  E8 1A010000   |CALL 00404898
0040477E  |.  66:8B00       |MOV AX,WORD PTR DS:[EAX]
00404781  |.  66:25 00FF    |AND AX,0FF00
00404785  |.  66:0B45 F8    |OR AX,WORD PTR SS:[EBP-8]
00404789  |.  0FB7C0        |MOVZX EAX,AX
0040478C  |.  8945 F8       |MOV DWORD PTR SS:[EBP-8],EAX
0040478F  |.  8BC6          |MOV EAX,ESI
00404791  |.  E8 02010000   |CALL 00404898
00404796  |.  66:8B4D F8    |MOV CX,WORD PTR SS:[EBP-8]
0040479A  |.  66:8908       |MOV WORD PTR DS:[EAX],CX
0040479D  |.  8B45 FC       |MOV EAX,DWORD PTR SS:[EBP-4]
004047A0  |.  47            |INC EDI
004047A1  |.  6A 05         |PUSH 5
004047A3  |.  40            |INC EAX
004047A4  |.  33D2          |XOR EDX,EDX
004047A6  |.  59            |POP ECX
004047A7  |.  F7F1          |DIV ECX
004047A9  |.  3BFB          |CMP EDI,EBX
004047AB  |.  8955 FC       |MOV DWORD PTR SS:[EBP-4],EDX
004047AE  |.^ 72 A8         \JB SHORT 00404758
004047B0  |>  5F            POP EDI
004047B1  |.  8BC6          MOV EAX,ESI
004047B3  |.  5B            POP EBX
004047B4  |>  C9            LEAVE
004047B5  \.  C3            RET

The code above is for the Encrypter and the code below is the Decrypter:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83

004047B6  /$  55            PUSH EBP                 ;  Main Decrypter
004047B7  |.  8BEC          MOV EBP,ESP
004047B9  |.  51            PUSH ECX
004047BA  |.  51            PUSH ECX
004047BB  |.  53            PUSH EBX
004047BC  |.  8B5E 14       MOV EBX,DWORD PTR DS:[ESI+14]
004047BF  |.  85DB          TEST EBX,EBX
004047C1  |.  8BC6          MOV EAX,ESI
004047C3  |.  0F84 CC000000 JE 00404895
004047C9  |.  57            PUSH EDI
004047CA  |.  4B            DEC EBX
004047CB  |.  8BFB          MOV EDI,EBX
004047CD  |.  E8 C6000000   CALL 00404898
004047D2  |.  0FB700        MOVZX EAX,WORD PTR DS:[EAX]
004047D5  |.  6A 05         PUSH 5
004047D7  |.  99            CDQ
004047D8  |.  59            POP ECX
004047D9  |.  F7F9          IDIV ECX
004047DB  |.  33FF          XOR EDI,EDI
004047DD  |.  85DB          TEST EBX,EBX
004047DF  |.  8955 FC       MOV DWORD PTR SS:[EBP-4],EDX
004047E2  |.  76 58         JBE SHORT 0040483C
004047E4  |>  8BC6          /MOV EAX,ESI
004047E6  |.  E8 AD000000   |CALL 00404898
004047EB  |.  0FB600        |MOVZX EAX,BYTE PTR DS:[EAX]
004047EE  |.  8B4D FC       |MOV ECX,DWORD PTR SS:[EBP-4]
004047F1  |.  C1E1 08       |SHL ECX,8
004047F4  |.  66:0FB68408 4>|MOVZX AX,BYTE PTR DS:[EAX+ECX+428448]
004047FD  |.  0FB7C0        |MOVZX EAX,AX
00404800  |.  8945 F8       |MOV DWORD PTR SS:[EBP-8],EAX
00404803  |.  8BC6          |MOV EAX,ESI
00404805  |.  E8 8E000000   |CALL 00404898
0040480A  |.  66:8B00       |MOV AX,WORD PTR DS:[EAX]
0040480D  |.  66:25 00FF    |AND AX,0FF00
00404811  |.  66:0B45 F8    |OR AX,WORD PTR SS:[EBP-8]
00404815  |.  0FB7C0        |MOVZX EAX,AX
00404818  |.  8945 F8       |MOV DWORD PTR SS:[EBP-8],EAX
0040481B  |.  8BC6          |MOV EAX,ESI
0040481D  |.  E8 76000000   |CALL 00404898
00404822  |.  66:8B4D F8    |MOV CX,WORD PTR SS:[EBP-8]
00404826  |.  66:8908       |MOV WORD PTR DS:[EAX],CX
00404829  |.  8B45 FC       |MOV EAX,DWORD PTR SS:[EBP-4]
0040482C  |.  47            |INC EDI
0040482D  |.  6A 05         |PUSH 5
0040482F  |.  40            |INC EAX
00404830  |.  33D2          |XOR EDX,EDX
00404832  |.  59            |POP ECX
00404833  |.  F7F1          |DIV ECX
00404835  |.  3BFB          |CMP EDI,EBX
00404837  |.  8955 FC       |MOV DWORD PTR SS:[EBP-4],EDX
0040483A  |.^ 72 A8         \JB SHORT 004047E4
0040483C  |>  8B46 14       MOV EAX,DWORD PTR DS:[ESI+14]
0040483F  |.  8945 F8       MOV DWORD PTR SS:[EBP-8],EAX
00404842  |.  8BFB          MOV EDI,EBX
00404844  |.  8BC6          MOV EAX,ESI
00404846  |.  E8 4D000000   CALL 00404898
0040484B  |.  0FB608        MOVZX ECX,BYTE PTR DS:[EAX]
0040484E  |.  8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]
00404851  |.  6A 05         PUSH 5
00404853  |.  33D2          XOR EDX,EDX
00404855  |.  5F            POP EDI
00404856  |.  F7F7          DIV EDI
00404858  |.  8BFB          MOV EDI,EBX
0040485A  |.  C1E2 08       SHL EDX,8
0040485D  |.  66:0FB68411 4>MOVZX AX,BYTE PTR DS:[ECX+EDX+428448]
00404866  |.  0FB7C0        MOVZX EAX,AX
00404869  |.  8945 F8       MOV DWORD PTR SS:[EBP-8],EAX
0040486C  |.  8BC6          MOV EAX,ESI
0040486E  |.  E8 25000000   CALL 00404898
00404873  |.  66:8B00       MOV AX,WORD PTR DS:[EAX]
00404876  |.  66:25 00FF    AND AX,0FF00
0040487A  |.  66:0B45 F8    OR AX,WORD PTR SS:[EBP-8]
0040487E  |.  0FB7C0        MOVZX EAX,AX
00404881  |.  8945 F8       MOV DWORD PTR SS:[EBP-8],EAX
00404884  |.  8BC6          MOV EAX,ESI
00404886  |.  E8 0D000000   CALL 00404898
0040488B  |.  66:8B4D F8    MOV CX,WORD PTR SS:[EBP-8]
0040488F  |.  66:8908       MOV WORD PTR DS:[EAX],CX
00404892  |.  8BC6          MOV EAX,ESI
00404894  |.  5F            POP EDI
00404895  |>  5B            POP EBX
00404896  |.  C9            LEAVE
00404897  \.  C3            RET

I will leave you with the python source code for the encryption and decryption routines so that you can look at the algorithm and get a feel for what was going on. You will need the static data which can be found in the .rdata section. This is the cipher text that is looked up during the encryption and decryption phase. I have included it in the tool as a separate file.
I may decide to start developing a Linux variant for checking my GoDaddy mail, but don’t hold your breath. Mail me any questions you may have. If you’re interested.

The tool can be found here.

You must be wondering why the hell I chose OllyDbg to make a simple hex edit in the previous post. The truth is, I was using it to try and study at exactly what point the SSL protocol is chosen and I found it at 0×414356.

By changing the CMP operation as in the picture above with 0×2E instead of 0×00, I can get the client to select plain old HTTP to speak to the main server. This is good, because I can now look at all the Web Service calls it makes and hopefully try to write a Linux version.
One other reason I chose OllyDbg is to study what the client actually does. My next quest is to study where my credentials are stored. Since this is Windows, I figure the first place to look would be the registry. By sniffing around the “string references” of the client, I did notice a specific registry key which is referenced: “HKEY_CURRENT_USER\Software\Starfield\WBEN\Settings”
 
Examining this registry key with regedit, I see the following:

That looks interesting. If I count the characters, it equates to the exact number for both my email address and password*. This means that their encryption algorithm generates fixed length cipher text. This most likely means that they’re using a substitution algorithm. Tsk, tsk, tsk. Substitution algorithms rely on some form of calculation (if any) and lookup in order to generate cipher text. Again, by looking at the encrypted strings, it is possible to determine the fact that a calculation involving the string length is also done. How do I deduce this? By looking at the last two characters in my email address (d1). They are both “qq” for “om” the last two letters in “.com”. This means that both “o” and “m” are equal to “q”. Not possible in direct lookups with calculation.

Another good thing is the fact that I know the credentials are stored in the registry. This shortens my hunt significantly because I only have to trace any specific registry calls to find out where the Encryption/Decryption algorithms are lurking. If I trace any references or calls to the specific registry key, then I will most likely find where the algorithms exist.

Using the “search for all string references” in Olly, I try to pull up all the calls to “HKEY_CURRENT_USER\Software\Starfield\WBEN\Settings”. I end up with this list:

The column “Called from” is what I’m interested in. This list contains all the addresses where the call to this registry key is made. I now have to follow each one and see if there is a “RegistrySetValue” call made. I look through each call one by one until I stumble upon this one:

It’s interesting because of the entry I have highlighted. This Unicode “d1” that’s on the stack is the registry entry for my email address. I follow this one to see where it goes and wind up discovering both the encryption and decryption algorithm. I will list them in the next part of this series. I think this post is dragging on long enough and I think it is about time I wrap it up. I will do just that in the next post and save everyone a lot of misery. I have successfully reversed the encryption/decryption algorithm and will post the python source code in my next post.

Like I described in my previous post, I hooked up an stunnel/replug proxy chain to try and decrypt traffic, sniff it, and encrypt the traffic back on its way to the server. I first setup stunnel in both daemon and client modes. Here is a description of each:

Daemon mode. This instance of stunnel will listen on localhost:443 and forward traffic to localhost:8888 all over SSL.

sheran@azazel:~$ sudo stunnel -d 443 -r localhost:8888

Client mode. This instance will listen in non-SSL mode on port 8889 and re-establish the connection in SSL mode to the server. (When sniffing traffic, the DNS lookup for the notifier was noted. It looks up email.secureserver.net)

sheran@azazel:~$ sudo stunnel -c -d 8889 -r email.secureserver.net:443

How do we plug the hole in the middle? Simple, use replug found in BlackBag. Here’s how:

sheran@azazel:~$ bkb replug localhost:8889@8888

This will start replug and listen on localhost:8888. Whatever it listens to on this port it will forward down to localhost:8889. The way traffic flows will be similar to this:

Client ---> localhost:443 (stunnel) ---> localhost:8888 (replug) ---> localhost:8889 (stunnel) ---> email.secureserver.net:443

Now for the client to think it’s talking to an authentic server, I need to replicate the server certificate as well. This is not going to be an easy task since I don’t own a CA; especially not the one that issues GoDaddy’s certificates. So I do the next best thing and create a self-signed certificate almost identical to the GoDaddy certificate (weirder things have worked for me in the past). No dice. The client notifier program refuses to negotiate SSL with my first instance of stunnel. Shit.

Since this is not going to be as simple as I thought, I will have to resort to the next best thing: disassemble the notifier executable and try to patch it to talk non-SSL. So I fire up my favorite disassembler OllyDbg and try to locate any strings in the executable to give me a clue as to where the connection is made.

Well, here’s something. Looking through strings (Right-click->Search for->All Referenced Strings) gives me several entries to a string reference called “http://” and “https://”. I wonder if changing “https://” to “http://” will have any effect. Let’s see:

In the “Strings window”, right click and do a “Follow in Disassembler”; then when you’re in the disassembler window, right click on the line with the “https://” and do a “Follow in Dump”->”Immediate Constant”

This should then bring the string up on the lower left window where you can change the “https://” entry to “http://”. Then, right-click, choose “Copy to Executable”, right-click on the window that opens up and select “Save File”. Save it as another name and try it out for yourself. Now you can see all the traffic flowing between the client and server on Wireshark.

At this point, you will notice that GoDaddy’s email notifier uses SOAP to transfer XML messages to and from the server. The URL is https://email.secureserver.net/soap/public.php and a listing of available operations and WSDL file.

I personally felt that it was easier to get the client to do various operations and sniff the traffic to get an idea of how things are implemented. I think I’m well on my way to writing my linux variant of the notifier.

Next time, I’ll look into how the credentials are stored and if they are encrypted and if this is a trivial encryption to break.

Anyway, GoDaddy has this email notifier which will check your mailbox to see if you’ve got new mail without logging into the horribly slow Web Based email client. It’s fairly convenient, but only installs on Windows. I wanted to do two things with this notifier:

1.See how safely it actually kept my credentials.
2. See how it communicated with the server and if it was secure as well.

I then wanted to see how easy it was to have a version written for Linux so that I can use it on my Ubuntu box.

I don’t know how many of you have nodded off by now and how many of you wondering why I even bother. The truth is, its important to me, its my blog and it will also hopefully enlighten you on how you can go about conducting an analysis on a network application. In this regard, this is what I will be doing with this application:

1. Examining the communication between notifier and server
2. Identifying how the credentials are stored and if they are encrypted
3. Attempting to decrypt the credentials if it proves easy to do so
4. Writing my own Linux version of the tool. Either a Gnome Applet or Firefox Extension (whichever is easier)

Since this will be an ongoing saga of sorts, I will break it down into several posts for managability’s sake. It also gives me time to conduct my research and publish the findings without waiting till the end.

Right, let’s begin…

As with all applications, I downloaded and installed the tool. The notifier is in the form of a small envelope that sits in your taskbar . You can configure it to check up to 5 email addresses and specify such settings as duration between email checks, how long to display messages for and how many new messages to display in a small popup window. All fairly simple.

My first order of business is to check how the tool communicates with the server. So I fire up Wireshark and sniff a few packets. Immediately, it is apparent that the tool uses SSL. Points for GoDaddy. No casual sniffing can be done. This puts a dent in my plans of attempting to write a Linux version. How can I write one, when I don’t know what it says to the server? I can always try an MITM SSL sniffing exercise. The idea for this one is as simple as this:

This can all be achieved by using stunnel and the replug tool found in Matasano’s BlackBag. As a matter of fact, Dave Goldsmith has an article on the Matasano Blog about how he did this for a Java Application. In his case, it was a fairly easy workaround to bypass the certificate validation. I don’t know how easy it will be for this specific application. But I’m getting ahead of myself. Join me for the next post where I setup the stunnel/replug proxy chain, discover if proper certificate validation is done and look for a way around the SSL communication.