Archive for January, 2010

OllyDBG_tut22!!

Posted: January 29, 2010 in OllyDbg Tutorials, OllyDbg_tut22

I. General introduction

Continuing with the Anti-Debug topic, in this part 22 we will look at two more new “tricks”, which are often applied together or separately. The crackme we will study in this part is Sphynx.exe, by an author with the nickname d@b. By default I assume that you have understood everything I wrote in the previous parts; in this part we will use the Olly build patched by the repair0.6 program that I introduced in part 21. On my machine the original OllyDbg was patched by repair0.6 and renamed Ltp10.exe, and in addition the HideDebugger plugin is configured as follows:

……..

Download the full article here:

http://www.mediafire.com/download.php?n0jzmzahnmy

Best Regards

m4n0w4r

My foobar lolz :)

Posted: January 28, 2010 in Uncategorized

Getting to grips with foobar so I can keep up with the times; otherwise I would never know that people often use it to listen to Lossless music 😀

Screenshot: foobar playing my favourite band…


Malware unpacking in OllyDbg

March 26th, 2008 by mkrakvik (1) Tips & Tricks, Videos

From time to time, we come across malware that is more interesting than others. A couple of months ago we saw a trojan bot with MSN spreading capabilities. And as usual, the malware was packed. However, I was not able to identify the packer being used (using PEiD, and similar tools). So I tried unpacking this sample manually in OllyDbg, and discovered that it was actually using threads to unpack itself, something I haven’t seen before.

Below you can find my very first screencast, showing how this sample was unpacked. Enjoy! 🙂

Video: Unpacking in OllyDbg (will open in new window)

via Norwegian Honeynet Project » Blog Archive » Malware unpacking in OllyDbg.


Analysing malicious PDF documents and shellcode

August 24th, 2008 by mkrakvik (1) Analysis, Videos

It’s time for another video-post, and this time we’re going to look at a malicious PDF document attempting to exploit a known vulnerability in the Collab.collectEmailInfo() function. We’re going to show how you can extract the shellcode and perform some static code analysis using tools like HT and IDA Pro.

Video: Analysing malicious PDF documents and shellcode (click on image to show video, opens in new window)

For reference, here are the tools used in the video:

* SpiderMonkey
* Python
* HT
* IDA Pro
* s2b
* pefile

Hope you’ll find it useful! 🙂

via Norwegian Honeynet Project » Blog Archive » Analysing malicious PDF documents and shellcode.


At the end of the month REA will be opened for everyone to register an account! 🙂

Regards

m4n0w4r


Title: [Original] How to make IDA SIG files from VC static link libraries?
Author: tnttools
Time: 2008-04-17,18:52
Link: http://bbs.pediy.com/showthread.php?t=63292

Some days ago someone raised this question. It had not occurred to them to use lib.exe, so they reinvented the wheel with ar2.exe, which can extract the OBJ files from an MS LIB file. Today I saw someone post their thoughts on it again, so I dug into it once more; this way is much better …

The following is the command-line production process. The environment is WinXP + NTFS + VS2003, and it runs correctly on my machine. The text between the dashes is the command line.

The attached SIG file is a finished product; it accurately recognises the printf() function and, of course, many, many other library functions.

Step 1:
Copy libc.lib, libcd.lib, libcmt.lib and libcmtd.lib out of their original folder.
Purpose:
To avoid typing overly long paths on the command line.

Step 2:

-----------------
set path=%path%;C:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\bin
set path=%path%;C:\Program Files\IDA\addons\Flair.v5.20\bin
-----------------

The paths set here are for my machine; on yours they will not necessarily be the same.

Step 3:

-----------------------------
for %i in (*.lib) do md %i.fdr
-----------------------------

Purpose: create a new folder for each library to store its object files.

Step 4:

-----------------------------
cd v:\libc.lib.fdr
for /F "skip=3" %i in ('link.exe -lib /list ..\libc.lib') do link.exe -lib /extract:%i ..\libc.lib

cd v:\libcd.lib.fdr
for /F "skip=3" %i in ('link.exe -lib /list ..\libcd.lib') do link.exe -lib /extract:%i ..\libcd.lib

cd v:\libcmt.lib.fdr
for /F "skip=3" %i in ('link.exe -lib /list ..\libcmt.lib') do link.exe -lib /extract:%i ..\libcmt.lib

cd v:\libcmtd.lib.fdr
for /F "skip=3" %i in ('link.exe -lib /list ..\libcmtd.lib') do link.exe -lib /extract:%i ..\libcmtd.lib

-----------------------------

Purpose: extract all the object files from libc.lib, libcd.lib, libcmt.lib and libcmtd.lib in turn.

Step 5:

--------------------------
for %i in (.\libc.lib.fdr\*.obj) do pcf.exe -g0 %i
for %i in (.\libcd.lib.fdr\*.obj) do pcf.exe -g0 %i
for %i in (.\libcmt.lib.fdr\*.obj) do pcf.exe -g0 %i
for %i in (.\libcmtd.lib.fdr\*.obj) do pcf.exe -g0 %i
-------------------------
pcf.exe -g0 .\libc.lib.fdr\*.obj
pcf.exe -g0 .\libcd.lib.fdr\*.obj
pcf.exe -g0 .\libcmt.lib.fdr\*.obj
pcf.exe -g0 .\libcmtd.lib.fdr\*.obj
-------------------------

Purpose: generate .pat files from the .obj files. The parameter “-g0” is used so that pcf.exe is not interrupted when it encounters a non-COFF file during processing and shows the message “is not ar/coff file\npress enter to exit”.

Step 6:

-------------------------
sigmake -n"VC7 Static Lib (ST/MT & Rel/Dbg) By TnTTools" libc.lib.fdr\*.pat+libcd.lib.fdr\*.pat+libcmt.lib.fdr\*.pat+libcmtd.lib.fdr\*.pat vc7libc
See the documentation to learn how to resolve collisitions.
: modules/leaves: 9021136/3610, COLLISIONS: 2690
-------------------------
sigmake -n"VC7 Static Lib (ST/MT & Rel/Dbg) By TnTTools" libc.lib.fdr\*.pat+libcd.lib.fdr\*.pat+libcmt.lib.fdr\*.pat+libcmtd.lib.fdr\*.pat vc7libc
--------------------------

Purpose: produce the SIG file vc7libc.sig. Here I combined the four static library files into one; of course you can also keep them separate. The first run of sigmake reports that collisions exist. After manually editing the .exc file, run sigmake again to generate vc7libc.sig. It is in the attachment.

[For example]

Before use
.text:00402A03 push offset aUsage ; "Usage:\n"
.text:00402A08 call sub_403772
.text:00402A0D add esp, 4
.text:00402A10 push offset aHashH ; "hash-h\n"
.text:00402A15 call sub_403772
.text:00402A1A add esp, 4

After use
.text:00402A03 push offset aUsage ; "Usage:\n"
.text:00402A08 call _printf
.text:00402A0D add esp, 4
.text:00402A10 push offset aHashH ; "hash-h\n"
.text:00402A15 call _printf
.text:00402A1A add esp, 4

TnTTools
The Art Of Reverse Engineering
Enjoy it.

Note that what I have discussed here is only a very special case: the VC static library files libc.lib and libcmt.lib. It originated from a question a forum member asked. If you call pcf.exe directly on these two files there will be problems.
There is no need to write a program to wrap this up: first, it is not a universal SIG production process, and in practice all kinds of situations may be encountered; second, one would need to understand the various STDOUT outputs in the CONSOLE (most of which I was not interested in); third, the necessary manual editing of the EXC file still has to happen before the rest can be handled automatically (at least that is my view).
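As an added example that is not part of tnttools' post or of the FLAIR toolkit, the following Python script automates the easy part of the .exc editing in Step 6. It assumes the .exc layout of a ';' comment header followed by blank-line-separated collision groups with the module name in the first field, where a leading '+' selects a module; it auto-selects only groups whose lines all carry the same function name (the common case when four overlapping libraries are merged) and leaves the rest for manual review.

```python
# Added example (not from tnttools' post or from FLAIR): resolve the easy
# collisions in the .exc file that sigmake writes, leave the rest to a human.
# Assumed .exc layout: ';' comment header, then groups of colliding module
# lines separated by blank lines, module name in the first field; a leading
# '+' selects that module, and groups left untouched are excluded by sigmake.
import re


def parse_groups(text):
    """Drop the ';' header and split the rest into collision groups."""
    body = "\n".join(l for l in text.splitlines() if not l.startswith(";"))
    return [[l.lstrip("+-") for l in blk.splitlines()]   # normalise: unselected
            for blk in re.split(r"\n\s*\n", body.strip()) if blk.strip()]


def resolve_group(lines):
    """Select the first module only when every line names the same function.
    libc/libcd/libcmt/libcmtd carry the same functions, so such collisions are
    the same name with the same bytes and either choice is harmless."""
    if len({l.split()[0] for l in lines}) == 1:
        return ["+" + lines[0]] + lines[1:]
    return lines                     # different names: needs manual judgement


def resolve_exc(text):
    """Return (edited .exc text, groups auto-resolved, groups left manual)."""
    out, auto, manual = [], 0, 0
    for group in parse_groups(text):
        resolved = resolve_group(group)
        if resolved[0].startswith("+"):
            auto += 1
        else:
            manual += 1
        out.extend(resolved + [""])
    return "\n".join(out), auto, manual


# Constructed sample in the assumed layout (not real sigmake output).
SAMPLE_EXC = """;--------- (delete these lines to allow sigmake to read this file)
; add '+' at the start of a line to select a module

_printf        00 0000 558BEC83EC20
_printf        00 0000 558BEC83EC20

_strlen        00 0000 8B4C2404
_wcslen        00 0000 8B4C2404
"""

if __name__ == "__main__":
    edited, auto, manual = resolve_exc(SAMPLE_EXC)
    print(edited)
    print(f"auto-resolved: {auto}, left for manual editing: {manual}")
```

Write the returned text back over the .exc file, finish the remaining groups by hand, then re-run sigmake as in Step 6.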

Debug Tutorial.

Posted: January 26, 2010 in Debug tutorial, Other Tutorials

Debug Tutorial Part 1: Beginning Debugging Using CDB and NTSD

http://www.codeproject.com/KB/debug/cdbntsd.aspx

Learn how to debug problems in software.

Debug Tutorial Part 2: The Stack

http://www.codeproject.com/KB/debug/cdbntsd2.aspx

Introduction to the most important ally in the fight against bugs, the stack.

Debug Tutorial Part 3: The Heap

http://www.codeproject.com/KB/debug/cdbntsd3.aspx

Introduction to the heap.

Debug Tutorial Part 4: Writing WINDBG Extensions

http://www.codeproject.com/KB/debug/cdbntsd4.aspx

In this tutorial we will attempt to write a simple debug extension.

Debug Tutorial Part 5: Handle Leaks

http://www.codeproject.com/KB/debug/cdbntsd5.aspx

Learn how to debug handle leaks in Windows.

Debug Tutorial Part 6: Navigating The Kernel Debugger

http://www.codeproject.com/KB/debug/cdbntsd6.aspx

Learn the basics of the kernel debugger.

Debug Tutorial Part 7: Locks and Synchronization Objects

http://www.codeproject.com/KB/debug/cdbntsd7.aspx

Learn the basics of debugging deadlocks and other issues.

Regards

m4n0w4r