This is a static copy of The Legend of Random as it was on Thu, 19 Sep 2013. Some of the links are not functional. View the source code on GitHub.

Archive for September, 2012

An Anti-Debugging Trick So Old That It’s New

@walliedassar has released a new article on a very old anti-debugging trick. It has to do with page access and the way debuggers change that access characteristic. Pretty technical, but a good trick nonetheless.

May be the perfect thing to place in a TLS callback…

R4ndom’s Guide to RadASM: Adding an Icon and Menu

Adding an Icon

Let’s start by adding an icon. Load up our HelloWorld project from the last tutorial. Click on Project->Resources. This will bring up the Resources window:

(continue reading…)

R4ndom’s Tutorial #23: TLS Callbacks

Unfortunately, our lives as reverse engineers are not always easy. If all it took to patch an app was a deleted resource or a quick patch, a lot more people would do it. Sometimes we must get a little ‘low-level’, wallow around in the operating system files, single-step an exception handler, or reverse engineer an unknown packer. To have a well-rounded skill set as a cracker, we must know a lot about a lot (or at least where to look about a lot), and it can get pretty technical.

This tutorial is about one of those technical areas: TLS callbacks. It is not easy, nor is it simple, but it can ruin an otherwise nice day for a reverse engineer who doesn’t at least understand the basics of what they are, when they are used, and how to overcome them.

As in all tutorials on my site, the required files are included in the download of this tutorial on the tutorials page. We will be looking at three binaries, all included. We will also be using an Olly plugin called TLSCatch by Waliedassar, also included. Lastly, we will be using CFF Explorer, available on the tools page.

(continue reading…)

And The ‘Obvious’ Award Goes To…

“Web of Trust (WOT) completed an analysis of nearly 1.7 billion shortened URL links and found that the URL shortening services are often used to drive traffic to suspicious websites”

No kidding (my most cynical smiley goes here).

Here’s the article.

New Weekly Challenge

I have just posted this week’s challenge. It is a very simple patch, but unfortunately, you can’t patch it :)

The object is to use code caves in order to display a message box that, after entering a username/password combo, says “Please try this password: XXXXXX” where “XXXXXX” is the correct password for the target for that username. Then, after entering the proper username/password, the target should display the goodboy.

For extra credit, have the target copy the proper password into the clipboard, so that when we re-run the target, we enter the username and simply paste in the correct password from the clipboard.

The challenge is located on the challenges page as “crackme #4”.

Good luck.

The Year So Far (In Spam)

Securelist has released a report on spam usage for this year. Apparently, overall spam has dropped 1.6% (yippee) to 70.2%. Of this 70.2%, 69.8% is directed at this site, so at least the Legend Of Random moderators are keeping all other sites on the internet pretty spam-free.

Another interesting statistic is that the vast majority of US spam originated in the US (bastards):

and the biggest categories for spam are finance and medicine:

Here’s my suggestion. We create a botnet from half of the spammers’ computers by sending them emails containing malicious programs. We then commandeer this botnet to mass spam the other half of the spammers’ computers. Maybe the first set will blow up the second set…


R4ndom’s Guide to RadASM: Creating Our First Project

We continue our tutorials on RadASM by creating a new project that creates a dialog box with two bitmaps and two buttons. You can download the required files in the download of this tutorial on the tutorials page.

(continue reading…)

Shellcode Converter Released by Levis

Levis (of the REPT team) has released a new shellcoder’s tool, ShellOp Converter. This tool allows you to enter shellcode, then view the appropriate opcodes, as well as a disassembly of the code:

You can download the tool on the tools page.

New Version of TLSCatch Olly Plugin Released

Just in time for my next tutorial on TLS callbacks, Waliedassar has been gracious enough to release a new version of his awesome plugin TLSCatch for OllyDBG 1.0. In case you don’t know, TLS callbacks allow code to be run BEFORE Olly has a chance to trap execution. This technique is used often (and more and more so recently) by malware to thwart reverse engineers. TLSCatch enables Olly to stop execution at the beginning of a TLS callback, allowing the very first code that is run in the executable to be viewed.

You can download v0.3 on the tools page. I will also be including it in the download of my next tutorial.

Looking for That Perfect Cracking Assistant

As some of you know, in the forums I brought up what the ultimate cracking/reversing tool would look like. There are several cracking tools out there. By ‘cracking tool’ I mean tools that are specifically designed to make a cracker/reverse engineer’s life easier. These currently include such features as:

  • Conversion between hex, decimal, binary, ASCII etc.
  • Trying out various encoding/decoding algorithms for text.
  • Running various hashes on a string.
  • Bruteforcer.
  • Performing various encryption schemes (AES, Blowfish…).
  • Scanning for cryptographic signatures.
  • Performing various bit modifications (AND, OR, XOR…).

I decided to have a look at some of the various tools that perform some of these functions, just to get a frame of reference on what’s available and what’s not. I have thus compiled a list of the more popular ones, what their functions are, and my opinion of them. At the end, I will propose some additional features that would go into an ‘ideal’ tool. Who knows, maybe someone will pick up the charge.

Note: I will not be including any tools that just do one thing, for example packer detectors that only identify packers.

(continue reading…)

Copyright © 1996-2010 The Legend Of Random. All rights reserved.