Archive for September, 2008


Recently a very unfamiliar name showed up over at Unpack.cn: TTProtect. It is brand new, but that is no reason for the scene to rate it lightly. As big brother Còm put it: "Basically, TTProtect's feature set looks like a copy of Themida/Winlic. As the younger sibling, it seems to have better anti-debug features." I have to admit this thing is vicious; I tried every way I could think of but could not run/attach it in Olly:

1. Run the unpackme and attach Olly: it dies.
2. Load the program normally and run it: it dies too.

After a while of fiddling with the configuration of that pile of anti-debug plug-ins, somehow I finally got it to run.

For the past few days UnRegistered! has kept asking: "How did you bypass the anti-debug to run it in Olly? Show me." I did not really know how to answer, so I recorded a short movie to illustrate it:

Download the movie here:

Run TTProtect in OllyDbg

Best Regards

kienmanowar


PE.Explorer.v1.99.R4

Posted: September 29, 2008 in RE Tools

PE.Explorer.v1.99.R4.Incl.Keyfilemaker.READ.NFO-EMBRACE

Designed for inspection and editing of Windows executable files, PE Explorer offers powerful static analysis and editing tools for working with EXE, DLL, ActiveX controls, and other executable file formats that run on MS Windows 32-bit platforms.

Whether you are an advanced computer user who has just wondered what makes an executable file tick, or a software developer suffering from hard-to-find program bugs, PE Explorer is the software solution that will make it easy to find the answers.

All the Tools You Need in One Interface

PE Header and Section Viewer/Editor
Resource Viewer and Editor
Exported/Imported API Function List Viewer
Disassembler
Dependency Scanner
Digital Signature Viewer
UPX, Upack and NsPack Static Unpackers

What You Can Do with PE Explorer

See what’s inside an executable
Customize GUI elements of your favorite Windows programs
Track down what a program accesses and which DLLs are called
Understand the way a program works and interacts
Validate and verify signed PE files
Special support for Delphi applications
Open UPX-, Upack- and NsPack-compressed files seamlessly in PE Explorer, without long workarounds

Download here:

PE.Explorer.v1.99.R4


ARTeam: bypassing geolocalization with TOR, to download web things..

Hi all,
sometimes you find things that cannot be downloaded from outside a specific country, like for example several trygames programs or some other geo-localized filters.

If you need to, it's extremely simple to bypass these limits using TOR.

This is the procedure, more or less.

This is a general procedure you can use to bypass any geographical block that blocks you from accessing a specific HTTP resource (it doesn't work only for the browser, but for any program that opens an InternetOpen connection). It's useful to change your IP to a specific nation or to take advantage of some specific promotions (e.g. http://torandskype.blogspot.com/)

Anyway here are the steps:

  • You must first of all install TOR, particularly the Vidalia bundle distribution (http://tor.eff.org)
  • Then configure it and launch it just to see that everything works with TOR
  • Close TOR
  • Go to this web address http://torstatus.kgprog.com/index.php?SR=C…Code&SO=Asc and take the exit node names (first column) of the country (search for the flag icon) you need to exit through. Take care to select those with the biggest bandwidth available.
  • Open the torrc text file, which is usually found here: c:\Documents and Settings\username\Application Data\Vidalia\torrc, where username is your WinXP username of course.
  • Then open this file and add at the end a line with the nodes you selected above, for example this one:

Exitnodes ephemer, figure, bob, tor2uk4iravedahs, oinniun, hattor, gigatux

  • Now open TOR again and set Internet Explorer to browse the web through TOR. If you use Internet Explorer, don't ask me how! Anyway the usual settings are: 127.0.0.1:9050

If you use Firefox, it helps to install FoxyProxy, an extension that allows you to set proxies automatically depending on specific URL patterns (for example in order to always browse some specific sites or some specific URL patterns anonymously through TOR; this one is helpful to anonymously browse entire domains), or you can use the TorButton distributed with Vidalia (but it's worse).

If you have done everything correctly you can use the following site to test how the net sees you:

Hope this helps. If someone wants to do a video tutorial of this, it's welcome!

BR,
Shubby

IDA Pro Demo Video

Posted: September 25, 2008 in IDA Pro Demo Video, Other Tutorials

IDA Pro Demo Video

Description: This is a demo video for IDA. The video is an analysis of a dynamic link library on a system compromised by spyware. It goes through and explains how to use some of the key features found in IDA.

Author : Network Solutions Center ( http://ccso.com/ )

Download : http://ccso.com/demo.wmv

Best Regards


Description : The Hex-Rays Decompiler converts executable programs into a human readable C-like pseudo code text.

Author : Network Solutions Center (http://ccso.com/)

Download : http://ccso.com/files/hexraysdemo.swf

Regards

diablo2oo2’s Ollydbg

Posted: September 25, 2008 in RE Tools

diablo2oo2’s Ollydbg

News

[20.09.2008]
Final version of dUP v2.18 is released today. dUP 2 can now be translated into any language. Check out the forum for more information.

Also there is a new version of my PEiD plugin "advanced scan" out.

And lastly, I also updated my custom OllyDbg package.

Download diablo2oo2’s Ollydbg

http://diablo2oo2.di.funpic.de/downloads/d2k2.ollydbg.public.rar


ARTeam: IDA plugin to analyze dumped memory regions inside IDA

Hi all,
this is another interesting release from deroko/ARTeam.

A set made of two programs (an IDA plugin and a dumper) useful for analyzing dumped memory regions inside IDA. Useful for malware or VMs, for analysis of dynamically allocated code sections (full sources included).

dump_all/load_all set of tools by deroko ARTeam

dump_all.exe is a program which will dump all regions of a certain executable into
a specified folder. All dumps are stored as r00000000.dmp where
00000000 is the virtual address of a particular memory region.
The advice is to always create a new folder for these dumped regions, as
load_all will load all of these regions into the IDA database. Just to keep
everything organized, and to avoid loading the wrong files, which could
occur under some circumstances.

load_all.plw is an IDA plugin which will actually load all of these memory regions
into the IDA database. The example plugin is compiled with the IDA 5.2 SDK, but you
may compile it for other versions too.
The plugin will prompt you for a file, so you are free to select any of these
.dmp files, and the plugin will load all of them into the database. This could be useful
when analyzing malware or some protection with many buffers, for better
analysis of a VM, or import protection. This avoids the need to dump regions
manually.

http://arteam.accessroot.com/releases.html

BR,
Shubby
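As an added illustration (not part of deroko's release or of Shubby's post), a small Python checker for a folder of rXXXXXXXX.dmp files: it parses the virtual address out of each name and flags overlapping regions, the situation the readme's advice about a fresh folder is meant to avoid, plus the holes between regions. File names and sizes below are constructed; nothing here is the plugin's own code.

```python
import re

# Constructed sample, not real dump_all.exe output: file name -> size in bytes.
# Names follow the rXXXXXXXX.dmp convention, XXXXXXXX being the region's VA.
SAMPLE_DUMPS = {
    "r00400000.dmp": 0x1000,
    "r00401000.dmp": 0x5000,
    "r00405000.dmp": 0x2000,   # collides with the previous region (stale file)
    "r00A00000.dmp": 0x800,
    "r0040100.dmp": 0x100,     # only 7 hex digits: not the convention, skipped
    "notes.txt": 12,           # unrelated file, skipped
}

DUMP_NAME = re.compile(r"^r([0-9A-Fa-f]{8})\.dmp$")

def parse_dump_name(name):
    """Return the VA encoded in a dump_all-style file name, or None."""
    m = DUMP_NAME.match(name)
    return int(m.group(1), 16) if m else None

def collect_regions(files):
    """Turn {name: size} into (start, end, name) tuples sorted by start VA."""
    regions = []
    for name, size in files.items():
        va = parse_dump_name(name)
        if va is not None and size > 0:
            regions.append((va, va + size, name))
    regions.sort()
    return regions

def check_layout(regions):
    """Return (overlaps, gaps). overlaps: (name_a, name_b) pairs whose ranges
    collide, usually leftovers from a reused folder; gaps: (start, end) holes."""
    overlaps, gaps = [], []
    top_end, top_name = None, None          # highest end address seen so far
    for start, end, name in regions:
        if top_end is not None:
            if start < top_end:
                overlaps.append((top_name, name))
            elif start > top_end:
                gaps.append((top_end, start))
        if top_end is None or end > top_end:
            top_end, top_name = end, name
    return overlaps, gaps

if __name__ == "__main__":
    regs = collect_regions(SAMPLE_DUMPS)
    for start, end, name in regs:
        print("%08X-%08X %s" % (start, end, name))
    print(check_layout(regs))
```

Run it against a real dump folder by building the dictionary from os.listdir and os.path.getsize before handing the files to load_all.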