I received a piece of malware today and, as one will do, I of course opened it up on my test machine. Like a lot of phishing-type emails, it was really just trying to get at a password (in this case it was a fake Office365 login). One thing that jumped out at me was that the payload was a bunch of base64-encoded blobs. The machine was offline, so I couldn’t use one of the many online decoders to see what it was doing. Thus, time to bust out the old openssl and base64 commands. Let’s start with a quick example of encoding a string object into…
What’s Really In A VPP Token File from Apple’s VPP?
Apple’s Volume Purchase Program allows you to export a VPP token and then import that token into a server to create a connection between an MDM solution (e.g. Bushel, Apple’s Profile Manager, Casper, etc.) and apps you purchase through the VPP portal. But what’s in a token? The VPP token is a base64-encoded file. You can cat the file and it will show you a bunch of garbly-gook (technical term):

    cat /Users/charlesedge/Desktop/kryptedcom.vpptoken

But there’s more to it than all that. We can run the base64 command to see:

    base64 --decode /Users/charlesedge/Desktop/kryptedcom.vpptoken

In some cases, this file can display improperly; if it fails, use the following command:

    echo `cat…