21 April 2015

flask login form csrf

hidden_tag() generates the hidden csrf_token field for a Flask form:


    user_manager = current_app.user_manager
    login_form = user_manager.login_form(request.form)
    token = login_form.hidden_tag()   # renders the form's hidden fields, including csrf_token

18 April 2015

div idiv

div:
   div ebx     ; eax = edx:eax / ebx, remainder goes in edx

example:
   mov edx, 0      ; clear the high half of the dividend first
   mov eax, 0xd
   mov ebx, 5
   div ebx
   ;; result: eax = 2, edx = 3

# somehow my Immunity Debugger does not accept the 'div 0x75' instruction

idiv:
   signed version of div

inline hook

a) distance to jump, will be used at (d)
b) copy the original instructions at the original function to a new area in memory.
c) put a 'jmp' at the original function
d) put (a) at (original_function + 1), as the operand of the jmp in (c)

17 April 2015

repne scasb, rep movsb

a) to count string length. Look at how ECX is used ('neg ecx')
b) to copy a string to somewhere in memory

NOTES

scasb:
   cmp al, [edi]
   ##add esi, 1      (esi is not touched by scasb)
   add edi, 1

repne scasb:
  repeat while 'not equal', at most ECX times



movsb:
  mov byte [edi], [esi]
  add esi, 1     ; depending on the direction flag, both pointers might be decremented instead
  add edi, 1

rep:
  repeat ECX times

rep movsb:
   repeat while ecx is not 0;
   sub ecx, 1
   (i.e. repeat ecx times)

usually:
   'repne scasb' to count string length;
   'rep movsb' to copy a string
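The two idioms above, modelled in C as an added example (not part of these notes): the two helpers reproduce the ECX and pointer bookkeeping of repne scasb and rep movsb, and strlen_scasb applies the 'neg ecx' fix-up. The -1 start value for ECX and the 'sub ecx, 2' after the neg are assumptions about the surrounding code, since the notes only name 'neg ecx'.

```c
#include <stdint.h>
#include <string.h>
/* Model of the state the string instructions touch (added example, not a real CPU). */
typedef struct {
    uint32_t eax, ecx;   /* scasb compares AL; ECX is the repeat counter */
    const uint8_t *esi;  /* source pointer (movsb) */
    uint8_t *edi;        /* destination / scan pointer */
    int df;              /* direction flag: 0 = step +1, 1 = step -1 */
} cpu_t;

/* repne scasb: while ECX != 0 { ECX--; cmp al,[edi]; edi += step; stop if equal } */
static void repne_scasb(cpu_t *c)
{
    int step = c->df ? -1 : 1;
    while (c->ecx != 0) {
        c->ecx--;
        int equal = ((uint8_t)c->eax == *c->edi);  /* cmp al, [edi] sets ZF */
        c->edi += step;                             /* add edi, 1 (sub if DF set) */
        if (equal) break;                           /* repne: stop once ZF is set */
    }
}

/* rep movsb: while ECX != 0 { [edi] = [esi]; esi += step; edi += step; ECX-- } */
static void rep_movsb(cpu_t *c)
{
    int step = c->df ? -1 : 1;
    while (c->ecx != 0) {
        *c->edi = *c->esi;   /* mov byte [edi], [esi] */
        c->esi += step;
        c->edi += step;
        c->ecx--;
    }
}

/* strlen idiom (assumed variant): ecx = -1, al = 0, repne scasb. The scan decrements
 * ECX len+1 times (len chars plus the NUL), so ECX = -(len+2); 'neg ecx' then 'sub ecx, 2' yields len. */
uint32_t strlen_scasb(const char *s)
{
    cpu_t c = { .eax = 0, .ecx = 0xFFFFFFFFu, .edi = (uint8_t *)s, .df = 0 };
    repne_scasb(&c);
    c.ecx = 0u - c.ecx;   /* neg ecx  -> len + 2 */
    return c.ecx - 2;     /* sub ecx, 2 -> len */
}

/* copy idiom: ecx = len + 1 so the terminating NUL is copied too, then rep movsb. */
void strcpy_movsb(char *dst, const char *src)
{
    cpu_t c = { .ecx = strlen_scasb(src) + 1, .esi = (const uint8_t *)src, .edi = (uint8_t *)dst };
    rep_movsb(&c);
}
```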

imul

mul:
  mul ebx     ; edx:eax = eax * ebx
              ; e.g. decimal 5,000,000,000 is split as
              ;      edx      |    eax
              ;    00000001   |  2A05F200

imul:
    imul eax, ecx, 0x2    ; eax = ecx * 0x2
    imul ecx, 0x2         ; same as imul ecx, ecx, 0x2

16 April 2015

rep movsd

rep movsd:
   repeat ECX times:
   copy 4 bytes from [esi] to [edi]

15 April 2015

loopw x86


mov  edi, DWORD_00406904
mov  ecx, 0x0d
LOC_04010682:
xor  [edi], 0x9C
inc  edi
loopw LOC_04010682

loopw:
  ecx--
  jump if ecx != 0