Hi,

Thanks to your suggestion, I made great progress, but I still have not reached the target: locating the master password of an Android app.

I ran the app and set the password to "mypassword2016". With yarascan I was able to see that this password is stored in memory in Unicode (I ran "python vol.py linux_yarascan -W -A -Y "mypassword2016"").

Then, I would like to see if there is some "signature" that helps me to locate the password. So I decided to use volshell and look around the password, but I had no luck (see the attachment, where I showed what is before and after the two occurrences of the password "mypassword2016").

Of course I've repeated the same workflow for two other passwords, but I did not get anything that helps me figure out whether there is a way to locate where the password is stored.

Do you have any suggestion, please?

Thanks in advance,

Massimo

Password: mypassword2016

--------------First occurrence------------
0xb2ef1098  13 00 00 00 01 00 00 00 f0 e3 c6 b2 1b 00 00 00   ................
0xb2ef10a8  90 c3 ad b2 00 00 00 00 f0 cc e3 b2 70 9e 62 b7   ............p.b.
0xb2ef10b8  18 9e 62 b7 23 00 00 00 50 99 ab b2 00 00 00 00   ..b.#...P.......
0xb2ef10c8  04 00 00 00 00 00 00 00 55 00 53 00 00 00 00 00   ........U.S.....
0xb2ef10d8  31 11 30 0f 23 00 00 00 e0 90 ab b2 00 00 00 00   1.0.#...........
0xb2ef10e8  c0 10 ef b2 00 00 00 00 00 00 00 00 02 00 00 00   ................
0xb2ef10f8  63 72 6f 73 1b 00 00 00 48 93 d2 b2 00 00 00 00   cros....H.......
0xb2ef1108  68 97 d2 b2 78 10 ef b2 63 72 6f 73 4b 00 00 00   h...x...crosK...
0xb2ef1118  50 99 ab b2 00 00 00 00 1a 00 00 00 00 00 00 00   P...............
0xb2ef1128  6d 00 79 00 70 00 61 00 73 00 73 00 77 00 6f 00   m.y.p.a.s.s.w.o.
0xb2ef1138  72 00 64 00 32 00 30 00 31 00 36 00 00 00 00 00   r.d.2.0.1.6.....
0xb2ef1148  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xb2ef1158  00 00 00 00 1b 00 00 00 90 8e ab b2 00 00 00 00   ................
0xb2ef1168  01 00 00 00 00 00 00 00 00 11 ef b2 4b 00 00 00   ............K...
0xb2ef1178  c0 7e af b2 00 00 00 00 00 00 c0 3f f0 00 00 00   .~.........?....
0xb2ef1188  20 03 00 00 00 00 c0 3f f0 00 00 00 20 03 00 00   .......?........
0xb2ef1198  00 00 c0 3f e0 01 00 00 00 00 70 43 00 00 70 43   ...?......pC..pC
0xb2ef11a8  00 00 c0 3f e0 01 00 00 00 00 70 43 00 00 70 43   ...?......pC..pC
0xb2ef11b8  48 00 00 00 1b 00 00 00 b0 78 ac b2 00 00 00 00   H........x......
0xb2ef11c8  02 00 00 00 a0 13 ef b2 01 00 00 00 2b 00 00 00   ............+...
0xb2ef11d8  f8 a4 b7 b2 00 00 00 00 04 00 00 00 00 00 00 00   ................
0xb2ef11e8  98 0c ef b2 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xb2ef11f8  00 00 00 00 23 00 00 00 60 88 ac b2 00 00 00 00   ....#...`.......
0xb2ef1208  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xb2ef1218  20 00 00 00 23 00 00 00 e0 90 ab b2 00 00 00 00   ....#...........


--------------Second occurrence------------
0xb2f77150  50 99 ab b2 00 00 00 00 0e 00 00 00 00 00 00 00   P...............
0xb2f77160  73 00 65 00 63 00 72 00 65 00 74 00 5f 00 61 00   s.e.c.r.e.t._.a.
0xb2f77170  63 00 63 00 6f 00 75 00 6e 00 74 00 23 00 00 00   c.c.o.u.n.t.#...
0xb2f77180  e0 90 ab b2 00 00 00 00 a0 71 f7 b2 79 ab 00 5a   .........q..y..Z
0xb2f77190  00 00 00 00 10 00 00 00 52 53 e3 eb 43 00 00 00   ........RS..C...
0xb2f771a0  50 99 ab b2 00 00 00 00 10 00 00 00 00 00 00 00   P...............
0xb2f771b0  65 00 78 00 69 00 73 00 74 00 69 00 6e 00 67 00   e.x.i.s.t.i.n.g.
0xb2f771c0  5f 00 61 00 63 00 63 00 6f 00 75 00 6e 00 74 00   _.a.c.c.o.u.n.t.
0xb2f771d0  50 44 e5 b2 50 3c e9 b2 40 00 00 00 4b 00 00 00   PD..P<..@...K...
0xb2f771e0  50 99 ab b2 00 00 00 00 1a 00 00 00 00 00 00 00   P...............
0xb2f771f0  6d 00 79 00 70 00 61 00 73 00 73 00 77 00 6f 00   m.y.p.a.s.s.w.o.
0xb2f77200  72 00 64 00 32 00 30 00 31 00 36 00 00 00 00 00   r.d.2.0.1.6.....
0xb2f77210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xb2f77220  00 00 00 00 43 04 00 00 f0 4a b5 b2 00 00 00 00   ....C....J......
0xb2f77230  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xb2f77240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xb2f77250  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xb2f77260  08 ff f9 b2 00 00 00 00 00 00 00 00 78 df fa b2   ............x...
0xb2f77270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xb2f77280  38 47 ef b2 f0 e8 d8 b2 68 76 f7 b2 00 00 00 00   8G......hv......
0xb2f77290  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xb2f772a0  00 00 00 00 00 ed f1 b2 68 9c f9 b2 00 00 00 00   ........h.......
0xb2f772b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xb2f772c0  d8 e4 e2 b2 00 00 00 00 68 01 00 00 00 00 00 00   ........h.......
0xb2f772d0  00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff   ................
0xb2f772e0  ff ff ff ff ff ff ff ff a6 02 00 80 68 01 00 40   ............h..@
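
One way to carry out the comparison described in the message, as an added example that is not part of the original post or of Volatility: it parses rows copied from the second dump, finds each UTF-16LE string and decodes the four 32-bit words in front of it. Treating the third word as a character count is an assumption drawn from the values in the dump, and the function names are hypothetical.

```python
import re
import struct

# Rows 0xb2f77150-0xb2f77200 of the second dump in the post (ASCII column omitted).
DUMP = """\
0xb2f77150  50 99 ab b2 00 00 00 00 0e 00 00 00 00 00 00 00
0xb2f77160  73 00 65 00 63 00 72 00 65 00 74 00 5f 00 61 00
0xb2f77170  63 00 63 00 6f 00 75 00 6e 00 74 00 23 00 00 00
0xb2f77180  e0 90 ab b2 00 00 00 00 a0 71 f7 b2 79 ab 00 5a
0xb2f77190  00 00 00 00 10 00 00 00 52 53 e3 eb 43 00 00 00
0xb2f771a0  50 99 ab b2 00 00 00 00 10 00 00 00 00 00 00 00
0xb2f771b0  65 00 78 00 69 00 73 00 74 00 69 00 6e 00 67 00
0xb2f771c0  5f 00 61 00 63 00 63 00 6f 00 75 00 6e 00 74 00
0xb2f771d0  50 44 e5 b2 50 3c e9 b2 40 00 00 00 4b 00 00 00
0xb2f771e0  50 99 ab b2 00 00 00 00 1a 00 00 00 00 00 00 00
0xb2f771f0  6d 00 79 00 70 00 61 00 73 00 73 00 77 00 6f 00
0xb2f77200  72 00 64 00 32 00 30 00 31 00 36 00 00 00 00 00
"""
# Four or more printable ASCII characters stored as UTF-16LE.
WIDE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def load(dump):
    """Parse 'address + 16 hex bytes' rows into (base_address, bytes)."""
    rows = [line.split() for line in dump.splitlines() if line.strip()]
    return int(rows[0][0], 16), bytes(int(b, 16) for r in rows for b in r[1:17])

def wide_strings_with_headers(dump):
    """List (address, text, four preceding little-endian 32-bit words)."""
    base, data = load(dump)
    hits = []
    for m in WIDE.finditer(data):
        if m.start() < 16:
            continue  # not enough context captured before the string
        words = struct.unpack_from("<4I", data, m.start() - 16)
        # Assumption: word 2 is a character count; it trims the '#' (0x23)
        # that the regex otherwise appends to "secret_account".
        text = m.group().decode("utf-16-le")[:words[2]]
        hits.append((base + m.start(), text, words))
    return hits

def shared_header_words(hits):
    """Word positions (0-3) holding the same value before every string."""
    return {i: hits[0][2][i] for i in range(4)
            if len({h[2][i] for h in hits}) == 1}

if __name__ == "__main__":
    for addr, text, words in wide_strings_with_headers(DUMP):
        print(hex(addr), repr(text), [hex(w) for w in words])
```

On these rows all three strings are preceded by the same first word, 0xb2ab9950, followed by a zero word, and the same 16 bytes sit at 0xb2ef1118 in front of the first occurrence. The third word is 0x0e and 0x10 before the 14- and 16-character names but 0x1a before the 14-character password, which is followed by zero bytes.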