Random’s Ramblings

The Year So Far (In Spam)

Securelist has released a report on spam usage for this year. apparently, overall spam has dropped 1.6% (yippee) to 70.2%. Of this 70.2%, 69.8% is directed at this site, so at least the Legend Of Random moderators are keeping all other sites on the internet pretty spam-free.

Another interesting statistic is that the vast majority of US spam originated in the US (bastards):

and the biggest categories for spam are finance and medicine:

Here’s my suggestion. We create a botnet from half of the spammers computers by sending them emails containing malicious programs. We then commandeer this botnet to mass spam the other half of the spammers computers. Maybe the first set will blow up the second set…

1 Comment more...

Detailed View of the IAT

The IAT, or Important Address Table, is a collection of just that; important addresses. These can include the address of the White House, the address of that hot little number in accounting, or the address of your grandmother. The last address speaks to the fact that these address are obviously relative; you may think that the girl from accounting is hot, but I may think she needs some serious plastic surgery, but that’s all beside the point. All of this is why we have RVAs, which tells us exactly how relative these addresses are in importance.

RVA stands for Relative’s Virtual Address, for example, your grandmothers Facebook address or your mother’s LinkedIn address- basically any ‘virtual’ address of one of your relatives.

Inside the IAT are various entities called IMPORT_DESCRIPTORs. You can tell that these are very important as they are always written in UPPERCASE LETTERS. IMPORT_DESCRIPTORs describe imports, like iPhone rip-offs from Korea, Hello Kitty backpacks from Japan, and those cool blankets from Mexico (they’re kind of scratchy but boy are they warm!)

Here are the various fields in an IMPORT_DESCRIPTOR, along with descriptions of each one:


“Thunk”, in this case, is like “I thunk I knew how many bytes there were in the IAT, but I guess I was wrong” or “You probably thunk that there were 16 bytes in an IMPORT_DESCRIPTOR, but there are actually 20.” The original first thunk is obviously the first thunk in history, probably “Who am I?” or “Why am I here?”.


Time is the current date, in stamp form.


This is similar to those old chain letters, where everyone sends $1 to the first person on the list of 10 people, and eventually everyone would be rich. But this field is the digital equivalent of that.


In case you cant thunk of the name of this field, the name is conveniently written here.


This is the first thunk of the day, as opposed to the original first thunk, which is the first thunk in history. This also points to a hint, just in case you forgot the name and can’t thunk of it.

Each one of these entries is devoted to a specific DLL, or Distributed List of Lies. DLLs add functionality to a program, like an amazing haircut, incredibly fast weight loss, or the ability to read the screen with your eyes closed. Though, as the name would suggest, they really can’t be trusted, so you do probably look fat in that dress.

All of these entities are inside the PE file (PE stands for Poorly Executed), as opposed to a COFF file (and sister files BURP, SNEEZE and HICCUP). There are other items inside these files, like voodoo Magic (which for some reason is spelled MZ), the Address of Entry Point (in case you need additional help with that sexy number in accounting), and the .bss section, where you put jokes, funny sayings and other BS.

Lastly, of course, all of this is put into memory, which doesn’t explain why you need so many hints and fields with the name and so forth. I guess with all of these acronyms, thunking of the right one when you need it is probably a daunting task!

I hope this helped in understanding the IAT. Please stay tuned for my next tutorial on “Break-points” (mine is waiting more than an hour in the dentists office).

-Till next time


Wait, Has Anyone Seen Internet Explorer? He Was Just Here…

I ran an interesting report on the Legend Of Random site, basically seeing what browser people are connecting to us on. I have to say, it was very interesting.

Of the top 40 browser configurations (with hits close to 1 million), Firefox had 31 of them. Chrome was in the third position. Safari was 17th. Opera was number 24 (they still make that?). And Internet Explorer? Not on the list. Even Linux wget was on the list (at #40).

Just goes to show you; us reverser engineers likey the open source…
Good by IE. I’d like to say it was fun, but……..

The Man, The Legend, Me

A lot of people have asked me about myself and how I got into reverse engineering.  Sometimes you spend so much time writing detailed tutorials that you forget people are interested in lives as well. So just to add a little ‘humanity’ into the blog, here is a little about me…
(continue reading…)

R4ndom’s Ramblings: Captcha alternatives (besides suicide)

Is it me or are you starting to feel less human too?

Captchas, or those annoying pictures at the bottom of forms that are supposed to prove that you are human, are everywhere. CAPTCHA stands for “Create A Picture to Chastise Humanity’s Aptitude”. You know what I’m talking about, you must enter the displayed text that looks like a drunk epileptic wrote during their first Taiwanese writing lesson and then was photocopied 13,000 times before photographed by a broken Polaroid and emailed to the site over dial-up. And I’m not human unless I can read this? No one can read this, not even the drunk epileptic who first wrote it!

The ironic thing is that Captchas are becoming so difficult to read, we’re going to need to start using computers, with their vast processing powers, to decipher these images, thereby proving that computers are actually human and we are not. The social networking sites will then be overrun with computers and we all know that computers have no personality (which I guess the Captchas were originally there to prevent) and pretty soon us humans will be caste into doing what the computers think is boring remedial work, which I can only guess is coming up with more Captchas…

(continue reading…)

Copyright © 1996-2010 The Legend Of Random. All rights reserved.
Jarrah theme by Templates Next | Powered by WordPress