@walliedassar has released a new article on a very old anti-debugging trick. Has to do with page access and debuggers changing this access characteristic. Pretty technical, but a good trick nonetheless.
May be the perfect thing to place in a TLS callback…
Let’s start by adding an icon. Load up our HelloWorld project from the last tutorial. Click on Project->Resources. This will bring up the Resources window:
Unfortunately, our lives as reverse engineers is not always easy. If all it took to patch an app was a deleted resource or a quick patch, a lot more people would do it. Sometimes we must get a little ‘low-level’, wallow around in the operating system files, single-step an exception handler, or reverse engineer an unknown packer. To have a well-rounded skill set as a cracker, we must know a lot about a lot (or at least where to look about a lot) and it can get pretty technical.
This tutorial is about one of those technical areas: TLS callbacks. It is not easy, nor is it simple, but it can ruin an otherwise nice day of a reverse engineer that doesn’t at least understand the basics of what they are, when they are used, and how to overcome them.
As in all tutorials on my site, the required files are included in the download of this tutorial on the tutorials page. We will be looking at three binaries, all included. We will also be using an Olly plugin called TLSCatch by Walliedassar, also included. Lastly, we will be using CFF Explorer, available on the tools page.
“Web of Trust (WOT) completed an analysis of nearly 1.7 billion shortened URL links and found that the URL shortening services are often used to drive traffic to suspicious websites”
No kidding (my most cynical smiley goes here).
Here’s the article .
I have just posted this week’s challenge. It is a very simple patch, but unfortunately, you can’t patch it 
The object is to use code caves in order to display a message box that, after entering a username/password combo, says “Please try this password: XXXXXX” where “XXXXXX” is the correct password for the target for that username. Then, after entering the proper username/password, the target should display the goodboy.
For extra credit, have the target copy the proper password into the clipboard, so that when we re-run the target, we enter the username and simply paste in the correct password from the clipboard.
The challenge is located on the challenges page as “crackme #4″.
Good luck.
Securelist has released a report on spam usage for this year. apparently, overall spam has dropped 1.6% (yippee) to 70.2%. Of this 70.2%, 69.8% is directed at this site, so at least the Legend Of Random moderators are keeping all other sites on the internet pretty spam-free.
Another interesting statistic is that the vast majority of US spam originated in the US (bastards):
and the biggest categories for spam are finance and medicine:
Here’s my suggestion. We create a botnet from half of the spammers computers by sending them emails containing malicious programs. We then commandeer this botnet to mass spam the other half of the spammers computers. Maybe the first set will blow up the second set…
We continue our tutorials on RadASM by creating a new project that creates a dialog box with two bitmaps and two buttons. You can download the required files in the download of this tutorial on the tutorials page.
Just in time for my next tutorial on TLS callbacks, Waliedassar has been gracious enough to release a new version of his awesome plugin TLSCatch for OllyDBG 1.0. In case you don’t know, TLS callbacks allow code to be run BEFORE Olly has a chance to trap execution. This technique is used often (and more and more so recently) by malware to thwart reverse engineers. TLSCatch enables Olly to stop execution at the beginning of a TLS callback, allowing the very first code that is run in the executable to be viewed.
You can download v 0.3 on the tools page. I will also be including it in the download of my next tutorial.
As some of you know, in the forums I brought up what the ultimate cracking/reversing tool would look like. There are several cracking tools out there. By ‘cracking tool’ I mean tools that are specifically designed to make a cracker/reverse engineer’s life easier. These currently include such features as
I decided to have a look at some of the various tools that perform some of these functions, just to get a frame of reference on what’s available and what’s not. I have thus compiled a list of the more popular ones, what their functions are, and my opinion of them. At the end, I will propose some addition features that would go into an ‘ideal’ tool. Who knows, maybe someone will pick up the charge.
Note: I will not be including any tools that just do one thing, for example packer detectors that only identify packers.
