
Reverse engineering CISSP practice exams

BSides PDX · 2018 · 26:08 · 256 views · Published 2019-02
Speaker: Alexei Kojenov (@kojenov)
Category: Technical
About this talk
Alexei Kojenov (@kojenov)

If you read this catchy title and thought "Finally, somebody is going to teach me how to easily pass the dreaded CISSP exam!", you'd be disappointed. This talk is not about cheating a professional exam (who would ever do that?). As a matter of fact, this talk is not much about CISSP at all. Instead, we'll be talking about reverse engineering a Java program and reusing its code to extract the valuable data, or in other words, using a few hacking techniques against an imperfect application to improve user experience, get the most out of the application, and ultimately, save one's precious time. I will demonstrate in real time how to crack open an executable, decompile the underlying Java code, understand its behavior, and reuse the existing classes to make them do exactly what you want. While this is not rocket science, you should come to this talk having some basic Java programming knowledge, or at least being able to read and understand Java code. And in case you were wondering, I did pass the exam and got my CISSP certification, and I'm pretty sure this exercise contributed to my success.

Alexei Kojenov is a Senior Product Security Engineer with years of prior software development experience. During his programming days at a large technology company, he gradually moved from writing code to breaking code, which he enjoyed a lot! Alexei then decided to go work for an application security consulting company, helping big and small businesses identify and fix security vulnerabilities and design secure applications. Currently, he is part of Salesforce's product security team. Throughout his career, Alexei has performed architecture reviews, threat modeling, code reviews, application and network penetration testing, and more. He volunteers for OWASP Portland, where he occasionally speaks on various security topics. Earlier this month, he also spoke at AppSec USA 2018, a major application security conference.
Transcript (en)

Thank you for the introduction. I hope you can hear me and see the screen. Awesome. Welcome to today's talk on reverse engineering CISSP practice exams, and this is not a talk about cheating the CISSP exam, so I warn you. I have over a decade of programming experience writing code, and then I have several years of application security experience, mostly breaking code. But this talk is not about me either. If you don't know what CISSP is, it's a very popular security certification. I decided to get it some time ago, and when I took the exam last year I was presented with 250 multiple-choice questions, and they gave me up to 6 hours to finish it, so it's pretty big. This year they changed the format a little bit: it's now up to 150 questions, up to 3 hours; basically the computer decides how many questions to ask depending on how you perform.

So of course, as with any kind of studies, you want to practice, right? And several resources were available to me when I did that, like this official practice test book, or these unofficial third-party practice exams by Shon Harris, and also I downloaded some software that you can run on a computer and kind of just emulate the exam, and we're going to talk about this particular software today. So when I first ran it on my computer, and I had a Windows machine with a 4K monitor,

I saw this. This is like the first dialog window, and as you can see it looks pretty bad: the content is cropped, there are no buttons, I mean it's completely unusable. So I had to downgrade my resolution just to use it. And let me switch to my Windows virtual machine just to show you how the software looks, or how it is supposed to look. So you start it, and it has 1011, I don't know why 11, but it has over a thousand questions, and you can click on the button, like let's try an exam, and it picks 250 random questions out of that 1011. Start the exam, and you answer these questions, then you grade it, yes, and you fail it, right, and you want to do it again. So let's do another one, and it picks 250 questions randomly again. The problem is it picks these questions out of the same set. So you did 250 first, and then you try another set and it picks out of the same, and so you see repeating questions over and over again. And I thought, well, this is not good, this is not something that I'm interested in. I want to hit all these 1011 questions and try to answer them. Okay, so I thought, can I fix it? Can I get those questions

somehow in a format that I like, not what's given to me? Which means cracking open this program and trying to get to the data. And before you ask, the software license did not prohibit reverse engineering. And that's what we're gonna do now. Okay, so let me get out of here. Let's take a look at where this program is located first. So it's in this directory, and I can press this button and it takes me right there. And what I see is: I see an executable, I see a Java directory, and this directory just has the standard JRE, nothing interesting here, it's the Java Runtime Environment, and I also have a data directory with just a couple of files in it. So that's probably where the data is, right?

Now, Windows is not my favorite operating system, so I'm more comfortable in other environments, so I just copied this whole thing to Linux. So here on my Linux machine I have this executable, Java directory, data directory, and I want to take a look at stuff and see what I have. So let's go to the data directory,

and I have a couple of files there, right? So the first thing to do is to run the Linux file command, which analyzes the file signature, if you will, and tells you what the file is. So I have a properties file, which is expectedly ASCII text, and I have this other file with a .ser extension, and this file is Java serialization data, and it's pretty large, it's almost 800K. So that's probably where all these questions are, so that's gonna be my target. But how do I get there, how do I read this? It's a binary format; the serialized Java data is not actually human readable. I mean, you could kind of see the text here, but it's not nice.

There is a utility called jdeserialize, and you can find it online, and what it does is it loads the serialized Java data and prints it out in a more human-readable form. So first what it does is it prints the declarations of the classes that are serialized in that object. So here's an interesting one: question JavaBean. That's probably the one that I am looking for, with question text and answers and choices text and so on. And if I scroll down, here are some more declarations; if I scroll down further, I see the actual practice questions data. Here's the question, for example: when is

the emergency state actually over for a company? Here are the possible answers, and here is the explanation that answer B is correct. So this is kind of okay, but it's still not very... I mean, it has a lot of junk here, so if I practice my CISSP test, it's not something that I want. So I have two choices now: I can maybe write some kind of Python script to parse this, this is pretty much text, easy to parse maybe, and then output it in a format that I like. And the second option is to just crack open this tester program, because it's written in Java and it already has all the code to read the serialized data into some kind of internal structure and present it in that GUI. So I decided, well, I'm not a developer anymore, I don't want to write a whole new program, I'm a hacker now, right? So let's hack into that program.

But first of all, where is the Java code? We don't have any jar file here; normally you see a jar, right? We don't have a jar here, we have this .exe file. So I guess my compiled Java code is somewhere inside that file. So I thought, okay, it's probably some kind of self-extracting executable that unpacks on the fly and feeds the

compiled classes to the JVM. And I had this crazy idea: can I just do this, can I just try to unzip it with the standard unzip utility, even though it doesn't make much sense, this is an executable? And to my surprise, when I hit enter I saw this. Wow, pretty awesome, here are all these classes, right? And just let me show you: so it did complain that I had some extra bytes at the beginning of the file, but then it decided to proceed anyway. Good. Okay, so let me just... maybe I should move this up a little bit, this is better. Okay, so I'm creating a directory and I'm going to go into this directory and unzip everything, and this is what I have now. So I have some compiled code in this directory and some other stuff that I'm not really interested in.

Now, where is the entry point of the program? So I thought, well, let me just list all the files in the directory and search for... I think that the entry point will be some kind of main class, it would have "main" in the name. And yeah, there's a few of them, and this looks like maybe a good candidate. Now the question is, can I just give it to my own JVM, will it run? Let's see. And it did. There was an issue, though: it complained that the data directory could not be found.

Okay, remember the data directory where we had those two files? It's actually one level above, it's right here. So I'll go ahead and create a symbolic link, so I have the data directory in my current folder, not a directory but a symbolic link to the directory, and let me run it again. Wow. So what did we just do? We ported a Windows program to Linux in two minutes, or five minutes. Yeah, thanks. Of course it's Java code, so it's supposed to run anywhere, even on your phone, right? Okay, cool, so it runs. Here I have everything that I need now to decompile it. I don't need it... I'm still trying to get to those questions, correct.

So when it comes to decompiling Java code, my go-to tool is JD, short for Java Decompiler, or rather JD-GUI. They have a really nice GUI, and it's written in Java, of course. It supports several file formats: you can open individual classes, I have maybe a hundred of them on the disk right now, but I don't want to open each one of them individually, I want the whole package. But I don't have a jar file, right? I have that executable, and I don't see that .exe here, but it supports a zip file. So let me just zip whatever I have on the disk

and give it to JD-GUI. Okay, so it opened that zip file, and now I can navigate through all these classes, and I can click on them, and on the right-hand side it shows me Java code. This is not the original Java source, of course, it's decompiled, but as you can see it's not obfuscated, you can read it as if it was written by a good programmer who knows how to do the right syntax and stuff. Okay, what's the quickest way to get to the data that I need? Now remember that file had that .ser extension, so in this tool I can just search for... I can search for types, constructors, methods, I can also search for strings. So I'm searching for a .ser string, and here's a few candidates, I'm gonna pick this one,

and you can see here that it builds the filename here, right? And then we open the file, then we create an input stream, and then we finally call the readObject method, and this method in Java deserializes data and puts it in an internal object which goes in this return value. Cool, so I did find the code that actually reads that data that I need from the disk. Now what can I do with it? Can I just copy, because I'm lazy, copy this whole method and put it in my own program? So I'm creating a brand new program called Parser.java, it's gonna be my new class called Parser, and now I'm just gonna paste that code that

I just copied from the decompiler here. And I'll need to rename this, it doesn't make sense; this is gonna be my constructor. And then I guess I also need all these import statements so it can parse.

It's hard to navigate without a mouse. Okay, I've got all the imports, I've got my class, I've got my methods, let's compile and run right away. And I've got a few compile errors, so I need to fix them, that's normal stuff, right? Here are these two variables that are completely useless, I'm just gonna comment them out. Since this is a constructor, we no longer return anything, so I need to remove that return value, this one. And we also had an issue with this call, which is again useless. Okay, try now. Okay, it compiled, but then it complained that I didn't have the main method, of course. So again, I hate to type, so I'm just gonna

copy and paste. Okay.

Here's my main method, and in here we are going to create a new instance of our Parser object, and we need to supply a couple of arguments, suite abbreviation and exam number, and this is how this file name is built. So the first part is the suite abbreviation, cissp pract, and the number is 1. I don't know what's the point, but they had their reason to do it. Okay, let's try now. It ran, and it gave me this debugging window, which again doesn't give me a lot of value, so I'm just going to comment that out as well. I was getting rid of the useless stuff, and now it ran, it didn't print anything,

but I believe it read the data from the disk. And if I can get back to my source code, so it put the data in this return value. So now I need to get those practice questions, all 1011 of them, and print them out. First thing I'm gonna do is I'm gonna move that object to the class scope, and I don't like "return value", I'm going to rename it to exam. Okay, now this exam is of this type, exam JavaBean, an abstract [unclear]. What can I do with this kind of class? Let's go back to the decompiler, and a nice thing about this tool, again, it's a pretty cool tool, you can just click on any class name and it will take you directly to the declaration. And here we see the very first method of this class is getQuestionBeans. So again, I don't want to type, I just want to copy and paste, and I'm declaring a local variable, questions, and assigning it. And now, in the interest of time, I'm just gonna copy some code that I wrote before, and I'll just explain it to you. Oh wait, wait...

Okay, so this is a HashMap, and we iterate through this HashMap, and on each iteration we get a single question, and it's of this type. And again we go back to the decompiler, click on this class name, and it takes us directly to the declaration. We see what methods are available, and the methods are like getQuestionText and getExplanation and getChoices, and these are the methods that, some of them, I'm gonna use here. So we're gonna print the question text first and all the possible choices. All right, save it, run it again, and another compile error. It's okay, so I need to add a couple of java.util imports, so I'm just gonna wildcard this. Yeah, of course, I forgot this.

All right, now this makes more sense. And I forgot to declare it as static. This is normal Java stuff, right? You see it every day.

1011 questions and choices. And then, you know, I can do other things with it. I can break this down into four practice exams of 250 questions each, and do anything else I want now that I have the object in my program. I can just pull the data, I can randomly select out of that HashMap and do other things. Mission achieved.

So in conclusion: if things are not in plain sight, think outside of the box, dig deeper. Like, who would think that you could unzip an executable? It might be possible, it might sound crazy. Java bytecode, not a problem: in lots of cases you can decompile it and see Java source code. Now if you're on a pen test, for example, and it's black box and you see a jar file, a war file, and your rules of engagement did not prohibit you from decompiling, feel free to do it. You'll find good stuff, you'll find credentials, you'll find other things. If you hate to write code, there are lots of ways to reuse code. I showed you just one example where I just copied and pasted it, and then I just had a bunch of import statements that we used to compile the classes. And if you see an imperfect application, you can improve it, and come back next year and share with all of us. Thank you. [Applause] Do you have time for questions? Are there

any questions? What's that? Yes, yeah, I did write Java code before.

Well, I thought it's probably some kind of self-unpacking program, and then I just had a crazy thought, you know, it just came out of nowhere. Yes.

Yeah, so the question is, could I hack the randomize function to return one to 50, so the questions do not repeat? Maybe, yeah, I guess that's possible. So instead of doing this, I could hack the original program and maybe modify it and repackage it and make it do whatever I want. It would probably be more work than just printing this out in text form, though. So I spent maybe two or three hours on this and I got my results. And I could... yeah. That's a great question: what if the code is obfuscated? Yeah, if it is, it's very difficult to read the code, but in this particular example I didn't have to understand much about what the code is doing. I just copied the method that I thought would work for me and then did a couple of extra things. So in this case it would probably not take me a lot of effort to achieve my goal, but yeah, I don't know, I've not worked a lot with obfuscated code. So yeah. Yes, yes, I believe so. Yeah, I have, yeah, totally, yes. Do I have my code on GitHub? No, not this code. Thank you very much.

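The two tricks the talk leans on, opening a launcher .exe as a zip archive with junk in front of it and pulling strings out of a .ser file before reaching for jdeserialize or a decompiler, as an added example. This is not the speaker's code and not the practice-exam software's; it is in Python rather than Java because it needs no JDK and a quick parsing script was the speaker's own first alternative. Everything it reads is constructed in memory (a fake MZ stub, minimal class-file constant pools, placeholder question strings); the class names and text are made up and stand in for the real application's files. Two things go a step beyond the talk: the entry-point check walks each class file's constant pool for a method named main with the String[] descriptor instead of grepping for "Main" in a filename, so a class merely named MainHelper is ruled out; and the serialized-string scan is deliberately heuristic, picking up only tagged TC_STRING/TC_LONGSTRING objects (class and field names in descriptors are untagged UTF and are missed), which is exactly why the talk moved on to reusing the program's own readObject code.

```python
"""Looking inside a Java launcher .exe and its .ser data file without running them.
Added example, not the speaker's code; every input is constructed in memory below."""
import io
import struct
import zipfile

STREAM_MAGIC = b"\xac\xed\x00\x05"       # ObjectStreamConstants STREAM_MAGIC + STREAM_VERSION
TC_STRING, TC_LONGSTRING = 0x74, 0x7C    # string objects with u2 / u8 length prefixes
MAIN_DESCRIPTOR = "([Ljava/lang/String;)V"
# Payload bytes per fixed-width constant-pool tag (JVMS 4.4); tag 1 (Utf8) is variable-length.
CP_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
                 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def launcher_classes(launcher: bytes):
    """.class members (name -> bytes) of an .exe that is really a zip with a stub in front.
    zipfile locates the archive from the end-of-central-directory record, so the leading
    stub bytes that `unzip` warns about are tolerated."""
    with zipfile.ZipFile(io.BytesIO(launcher)) as zf:
        return {n: zf.read(n) for n in sorted(zf.namelist()) if n.endswith(".class")}

def class_utf8_constants(class_bytes: bytes):
    """Walk a class file's constant pool and return its CONSTANT_Utf8 strings."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", class_bytes, 8)   # constant_pool_count
    pos, index, utf8 = 10, 1, []
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            utf8.append(class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        else:
            pos += CP_FIXED_SIZE[tag]
        index += 2 if tag in (5, 6) else 1   # Long and Double occupy two pool slots
    return utf8

def has_main(class_bytes: bytes) -> bool:
    """True if the pool names a 'main' method with the String[] -> void descriptor."""
    return {"main", MAIN_DESCRIPTOR} <= set(class_utf8_constants(class_bytes))

def find_entry_points(launcher: bytes):
    """Classes that really define main(String[]), not merely ones with 'Main' in the name."""
    return [n for n, b in launcher_classes(launcher).items() if has_main(b)]

def _is_text(s: str) -> bool:
    return "\ufffd" not in s and all(c.isprintable() or c in "\r\n\t" for c in s)

def serialized_strings(ser: bytes):
    """Heuristic TC_STRING/TC_LONGSTRING extraction from a Java serialization stream. Class and
    field names inside descriptors are untagged UTF and are not recovered; a stray 0x74 whose
    length does not fit, or whose body is not printable UTF-8, is skipped as a false positive."""
    if ser[:4] != STREAM_MAGIC:
        raise ValueError("missing Java serialization magic/version")
    out, i = [], 4
    while i < len(ser):
        tag = ser[i]
        if tag in (TC_STRING, TC_LONGSTRING):
            fmt, hdr = (">H", 2) if tag == TC_STRING else (">Q", 8)
            n = struct.unpack_from(fmt, ser, i + 1)[0] if i + 1 + hdr <= len(ser) else 0
            body = ser[i + 1 + hdr:i + 1 + hdr + n]
            text = body.decode("utf-8", "replace")
            if n and len(body) == n and _is_text(text):
                out.append(text)
                i += 1 + hdr + n
                continue
        i += 1
    return out

def _tagged(tag: int, s: str) -> bytes:
    """Constructed: tag + u2 length + UTF-8, i.e. a CONSTANT_Utf8 entry (1) or TC_STRING (0x74)."""
    data = s.encode("utf-8")
    return bytes([tag]) + struct.pack(">H", len(data)) + data

def build_sample_class(name: str, with_main: bool) -> bytes:
    """Constructed: header plus constant pool only; enough for the parser, not a loadable class."""
    pool = [b"\x07\x00\x02", _tagged(1, name), b"\x05" + bytes(8)]   # Class, Utf8, Long
    if with_main:
        pool += [_tagged(1, "main"), _tagged(1, MAIN_DESCRIPTOR)]
    count = 1 + sum(2 if p[0] == 5 else 1 for p in pool)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, count) + b"".join(pool)

def build_sample_launcher() -> bytes:
    """Constructed: a fake native stub followed by a zip of class files, mimicking the .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tester/Main.class", build_sample_class("tester/Main", True))
        zf.writestr("tester/MainHelper.class", build_sample_class("tester/MainHelper", False))
        zf.writestr("tester/ExamBean.class", build_sample_class("tester/ExamBean", False))
    return b"MZ" + bytes(510) + buf.getvalue()   # the "extra bytes at the beginning"

def build_sample_ser() -> bytes:
    """Constructed: magic, descriptor-like filler, three strings, a stray 't', one long string."""
    long_text = "Explanation: " + "x" * 70000   # over 65535 bytes, so it must be a TC_LONGSTRING
    return (STREAM_MAGIC + b"\x73\x72\x00\x0cexample.Bean"           # TC_OBJECT, TC_CLASSDESC, name
            + _tagged(TC_STRING, "Sample question text?")
            + _tagged(TC_STRING, "Choice A") + _tagged(TC_STRING, "Choice B")
            + b"\x74\xff\xff"                                        # a 't' with an impossible length
            + bytes([TC_LONGSTRING]) + struct.pack(">Q", len(long_text)) + long_text.encode())
```

Against the constructed launcher, `launcher_classes` lists all three classes while `find_entry_points` returns only `tester/Main.class`; against the constructed stream, `serialized_strings` returns the three short strings and the long explanation and skips the stray 0x74. On a real .ser file the same scan gives a first look at the question text, but the untagged class and field names and the object graph are exactly what it cannot reconstruct, which is the gap jdeserialize, or the application's own deserialization code, fills.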