Tavis Ormandy has come out with an amazing article on exploiting .rar files. Apparently, RAR archives carry a small virtual machine (used for decompression filters) whose programs can be written by hand. Tavis shows how a hello world can be executed automatically when a .rar file is opened. I am sure we will hear more about this exploit in the future. In the meantime, read the article. It’s fascinating…
Author Archive
The Real Workers Behind T.L.O.R.
I just wanted to take a minute and give a shout out to the moderators of this site. Without them, this site would not be anywhere near as great a site as it is. Besides the constant bombardment of spam they must deal with (the benefits of a site growing in popularity) they also answer questions with lightning speed and help contribute a great deal behind the scenes.
So cheers to Nwokiller and Xor06 (Rip06), and thanks for all the hard work!
DLL Injection – A Splash Bitmap
There are a couple of ways of injecting a splash screen into a binary. Unfortunately, none of them is easy. The way I will show in this tutorial is the easiest I’ve come across, though there may be simpler options out there. The problem arises from the fact that a bitmap is a resource, and as such, goes in the resource section of a binary. Injecting resources into a compiled binary’s resource section is a recipe for a quick headache.
The method we’ll be using is to create a DLL file with the resource included in it, and then call this DLL from our target binary. Because it’s a DLL, we can load it automatically by changing very little in the binary, as we can just add it to the list of DLLs the binary requires. This also gives us the benefit of running the code in our DLL automatically instead of having to create a code cave.
In this tutorial we will be creating a DLL from scratch using assembly, so you will need an assembly language compiler. I use RadASM (and it will be more convenient if you use this IDE as well as your code will exactly match mine), but it is not a requirement. If you are not comfortable using RadASM and want to learn, please see my series of tutorials on RadASM on the tutorials page, which comes with a full download of the RadASM suite and everything you need to run it.
As with all of my tutorials, the required files for this tutorial are in the downloads, available on the tutorials page. In addition to these files, we will be using IIDKing, available on the tools page.
If you haven’t already read my previous tutorials on modifying binaries, I highly recommend you do (at least the tutorial on injecting a message box).
Gentle Introduction to Windows Assembly Language
I came across this nice intro to assembly on Windows while looking at another site. It is by Jeff Huang. Definitely not all-encompassing, but a nice intro to the subject.
Assembly Tutorial For Java Programmers
Ayoub Faouzi has just started a series of odd, interesting tutorials at Infosec comparing assembly to Java and showing how they differ. Very intriguing angle. Check it out.
Mission Control
DPOHS BUVMB UJPOT ZPVIB WFTPM WFEBT JNQMF DJQIF
STUPQ UIJTN FBOTZ PVIBW FUIFT LJMTB OEUIF EFTJS
FUPGJ HVSFU IJOHT PVUTU PQJGZ PVTPM WFUIJ TDJQI
FSQNN FBOEM FUNFL OPXZP VSVTF SOBNF BTJBN NBLJO
HBMJT UPGDJ QIFSI FBETEP OPUQP TUBOZ UIJOH BCPVU
UIJTT UPQTU BZUVO FEGPS NPSFJ OTUSV DUJPO TTUPQ
SBOEPN
An Anti-Debugging Trick So Old That It’s New
@walliedassar has released a new article on a very old anti-debugging trick. It has to do with page access protection and the way debuggers change that access characteristic. Pretty technical, but a good trick nonetheless.
May be the perfect thing to place in a TLS callback…
R4ndom’s Guide to RadASM: Adding an Icon and Menu
Adding an Icon
Let’s start by adding an icon. Load up our HelloWorld project from the last tutorial. Click on Project->Resources. This will bring up the Resources window:
R4ndom’s Tutorial #23: TLS Callbacks
Unfortunately, our lives as reverse engineers are not always easy. If all it took to patch an app was a deleted resource or a quick patch, a lot more people would do it. Sometimes we must get a little ‘low-level’, wallow around in the operating system files, single-step an exception handler, or reverse engineer an unknown packer. To have a well-rounded skill set as a cracker, we must know a lot about a lot (or at least where to look about a lot), and it can get pretty technical.
This tutorial is about one of those technical areas: TLS callbacks. It is not easy, nor is it simple, but it can ruin an otherwise nice day for a reverse engineer who doesn’t at least understand the basics of what they are, when they are used, and how to overcome them.
As in all tutorials on my site, the required files are included in the download of this tutorial on the tutorials page. We will be looking at three binaries, all included. We will also be using an Olly plugin called TLSCatch by Walliedassar, also included. Lastly, we will be using CFF Explorer, available on the tools page.
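Both the splash-DLL trick above (an extra entry in the binary’s import table, so the loader runs the DLL’s DllMain for free) and the TLS callbacks this tutorial covers (code the loader runs before the entry point) show up in the PE headers, which is where tools like IIDKing and TLSCatch look. The script below is an added example, not code from this site or from either tool: it builds a small constructed PE32 image (hypothetical names such as `splash.dll` and callback RVAs chosen for the demo), then walks the import directory to list required DLLs and the TLS directory to list callback addresses, which is the check a reviewer would run to spot an unexpected dependency or a pre-entry-point callback.

```python
import struct

# Constructed layout for the sample image (hypothetical values, not from any real binary)
IMAGE_BASE = 0x400000       # preferred load address written into the optional header
SECTION_RVA = 0x1000        # RVA of the single .rdata section
SECTION_RAW = 0x200         # file offset of that section's raw data
IMPORT_DIR, TLS_DIR = 1, 9  # data directory indices in the PE32 optional header


def build_sample_pe(dll_names, tls_callback_rvas=()):
    """Build a constructed, non-loadable PE32 file whose import table names the
    given DLLs and whose TLS directory (if any) lists the given callback RVAs.
    Only the header fields the parser below reads are filled in."""
    body = bytearray()
    desc_size = (len(dll_names) + 1) * 20      # IMAGE_IMPORT_DESCRIPTOR array + zero terminator
    body += b"\0" * desc_size
    name_rvas = []
    for name in dll_names:                     # NUL-terminated DLL name strings
        name_rvas.append(SECTION_RVA + len(body))
        body += name.encode("ascii") + b"\0"
    while len(body) % 4:
        body += b"\0"
    thunk_rvas = []
    for _ in dll_names:                        # one import-by-ordinal thunk per DLL, zero terminated
        thunk_rvas.append(SECTION_RVA + len(body))
        body += struct.pack("<II", 0x80000001, 0)
    for i, name_rva in enumerate(name_rvas):   # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        struct.pack_into("<IIIII", body, i * 20, thunk_rvas[i], 0, 0, name_rva, thunk_rvas[i])
    tls_rva = tls_size = 0
    if tls_callback_rvas:
        cb_rva = SECTION_RVA + len(body)       # the callback array holds VAs, not RVAs
        for rva in tls_callback_rvas:
            body += struct.pack("<I", IMAGE_BASE + rva)
        body += struct.pack("<I", 0)
        tls_rva, tls_size = SECTION_RVA + len(body), 24
        # IMAGE_TLS_DIRECTORY32: StartAddressOfRawData, EndAddressOfRawData,
        # AddressOfIndex, AddressOfCallBacks, SizeOfZeroFill, Characteristics
        body += struct.pack("<IIIIII", 0, 0, 0, IMAGE_BASE + cb_rva, 0, 0)
    raw_size = (len(body) + 0x1FF) & ~0x1FF
    body += b"\0" * (raw_size - len(body))

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, one section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    struct.pack_into("<I", opt, 92, 16)        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR, SECTION_RVA, desc_size)
    struct.pack_into("<II", opt, 96 + 8 * TLS_DIR, tls_rva, tls_size)
    sec = struct.pack("<8sIIIIIIHHI", b".rdata\0\0", raw_size, SECTION_RVA, raw_size,
                      SECTION_RAW, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + sec
    return bytes(headers) + b"\0" * (SECTION_RAW - len(headers)) + bytes(body)


def _u32(data, off):
    return struct.unpack_from("<I", data, off)[0]


def parse_headers(data):
    """Return (image_base, data_directories, sections) from a PE32 file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base, ndirs = _u32(data, opt + 28), _u32(data, opt + 92)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), rawptr))
    return image_base, dirs, sections


def rva_to_offset(sections, rva):
    for va, size, rawptr in sections:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    raise ValueError("RVA %#x is not backed by any section" % rva)


def imported_dlls(data):
    """DLL names from the import directory; an added entry here is how the splash DLL gets loaded."""
    _, dirs, sections = parse_headers(data)
    if len(dirs) <= IMPORT_DIR or dirs[IMPORT_DIR][0] == 0:
        return []
    off, names = rva_to_offset(sections, dirs[IMPORT_DIR][0]), []
    while True:
        name_rva = struct.unpack_from("<IIIII", data, off)[3]  # Name field of the descriptor
        if name_rva == 0:                                       # all-zero terminator
            break
        start = rva_to_offset(sections, name_rva)
        names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
        off += 20
    return names


def tls_callbacks(data):
    """Callback VAs from the TLS directory; these run before the entry point,
    so a debugger that only breaks at the entry point never sees them."""
    image_base, dirs, sections = parse_headers(data)
    if len(dirs) <= TLS_DIR or dirs[TLS_DIR][0] == 0:
        return []
    addr_of_callbacks = _u32(data, rva_to_offset(sections, dirs[TLS_DIR][0]) + 12)
    if addr_of_callbacks == 0:
        return []
    off, found = rva_to_offset(sections, addr_of_callbacks - image_base), []
    while _u32(data, off) != 0:
        found.append(_u32(data, off))
        off += 4
    return found


if __name__ == "__main__":
    sample = build_sample_pe(["KERNEL32.dll", "splash.dll"], [0x1500, 0x1600])
    print("imports:", imported_dlls(sample))
    print("TLS callbacks:", [hex(cb) for cb in tls_callbacks(sample)])
```

Pointing `imported_dlls` and `tls_callbacks` at a real 32-bit binary read from disk works the same way, since both only follow the data directories through the section table; the TLS check is the one to run before single-stepping from the entry point, because a non-empty callback list means code has already executed by then.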
And The ‘Obvious’ Award Goes To…
“Web of Trust (WOT) completed an analysis of nearly 1.7 billion shortened URL links and found that the URL shortening services are often used to drive traffic to suspicious websites”
No kidding (my most cynical smiley goes here).
Here’s the article.