Monday, December 16, 2013

Reverse Engineering Kit [Olly Tools 2013 --- with Plugins]

So someone asked me where he should get a good kit for reverse engineering.... well, here's a link to a 2013 Olly toolset :) P.S. I will upload it to my Dropbox so it doesn't run the risk of being taken down....

0llyDBG T00Ls 2013-2014

have a blast :)

back to code, okay?

My Rant - Katy

For the sake of this argument, security is devoid of technology and vis-à-vis..... And for further clarity.... this is a rant, with zero security, hacking, coding or development purpose....

She was beautiful. Well, I was sexually starved, but in all aspects... she was beautiful... It was around 2004 and we had attended the provincial drama festival... My eloquent English had pulled me thus far (God had). I loved acting... being a thespian is something I pride myself on... maybe because it came 2nd in my nature, or just my character.. OK... she was beautiful; sad part, my geeky nerdy esteem kicked up a notch higher than my words.... I really did try talking to her, but sadly my courage would jolt to beneath the Mariana Trench in depth when making pleasantries with a beautiful girl.

For the sake of this short rant... let's call her Katy. Katy... look for that song by Peter Bradley Adams... no relation to this story though... She was perfect, light skinned... 4 on a light-skin complexion meter, she was medium height, curvy, lord she had it, long black natural hair, oh do trust me, zero make-up.... except for the lip gloss on her full but very brief lips... you know the ones that leave you questioning if the kiss happened or you just bit your lower or upper lip, depending on your formula with kisses.... Dressed in her high school attire she played right into my geek fantasies so well I matched it with reality so quick my pecker jolted much... ahem... She was beautiful in every sense.... She looked at me once in a while, making me fix my pullover so many times I think I switched it front to back a few more than enough times.... She was beautiful... her eyes full of energy and excitement yet shy; not enough innocence could be in the world to match hers, and her face... enough to challenge the Greek sculptural philosophy into a frenzy.... She was....

Everything breaks; this is my most favourite quote, and standing by it, I broke even and walked to her. Well, not alone was she, nor was I; I had a fleet of men in wait... or wingmen, if I may rephrase. My salutations were met with a smile, something not many folk do; reasons would fall in the major categories noted as "very nerdy", "too geeky" and "masculine appeal to ladies"... I don't really pull that many trophies. Anyway, she smiled, setting a perfect display of one heck of a set of white, level teeth. She was beautiful; by jones, she was a masterpiece.

I would love to tell you that to this day thoughts of her and me haunt my mind; that is true, as she met my poor vibe with smiles that made me think I was either a very good clown or Romeo himself.... To be really honest, I don't know what she saw in me. I don't mean to sell myself short, but I swear, she was too good to me. I remember when we left each other we exchanged names, birth dates (don't ask why) and school addresses. Funny thing, I never wrote, but she did... enough times to let me see she really liked me... she even sent me her school tie for me to wear, I swear (this was the quintessence of a girl's virginity back then). Anyway.... she did, and to this day I remember her as none other.

I mean to say there's always a person in mind who stirs your security: memory-wise.... processor-wise (mind), heck, even your Operating Soul.... those are your exploits.... so exploits are good... right? They give access to the heart, I mean root. So.... let me code that Android exploit then, Katy, I mean... exploit away :)

Security oriented Distro Kali Linux Header Installation Issues

So this is rather going to be short.

Many people, especially in the forums, have been complaining about the custom kernel in Kali Linux and how to install the kernel headers that come with the new security distro [1.0.5 at the time of publishing], the headers being for 3.7-trunk-amd64. This kernel carries a patch that allows wireless packet injection, so the other method I used, upgrading the kernel to 3.8.x, worked for installing the headers that VMware/VirtualBox need, but then I couldn't do the wireless network security/pentest work.

So here we go. First, you will need to edit your sources list, if it doesn't already contain this:

deb [arch=i386,amd64,armel,armhf] kali-dev main contrib non-free
deb [arch=i386,amd64,armel,armhf] kali-dev main/debian-installer
deb-src kali-dev main contrib non-free

deb [arch=i386,amd64,armel,armhf] kali main contrib non-free
deb [arch=i386,amd64,armel,armhf] kali main/debian-installer
deb-src kali main contrib non-free

deb [arch=i386,amd64,armel,armhf] kali/updates main contrib non-free
deb-src kali/updates main contrib non-free

Sometimes after doing this and running an update (apt-get update) you get an error such as:

E: Type 'deb[arch=i386,amd64,armel,armhf] ' is not known on line..... in source list /etc/apt.......
That message means apt read deb[arch=... as one token: either the space between deb and [ was lost when the lines were copied, or the apt on the box is too old to understand the [arch=...] option block. Either way, remove [arch=i386,amd64,armel,armhf] everywhere it appears and try again.... this works most of the time.
OK then..... here are a few commands to run before installing the virtual appliance tools. Kali 1.x ships a patched update-rc.d that only enables services listed in the whitelist embedded at the end of that script, so the two echo lines append cups and vmware-tools to it; the third line installs the compiler, make and the headers matching the running kernel, which is what the VMware/VirtualBox guest modules build against:

echo cups enabled >> /usr/sbin/update-rc.d
echo vmware-tools enabled >> /usr/sbin/update-rc.d
apt-get install gcc make linux-headers-$(uname -r) 

And voilà.... this works... well, for me... I hope it does for you too :)

Wednesday, December 11, 2013

Ok, I am better now :)

Well, the title is pretty much self-explanatory. It's been a while since my accident on September 13 (yes, it was a Friday, and a 13th, to be precise).... Anyway, I am well and back; a few projects here and there, but posts will continue streaming in:

An Android spyware :) yes, we will have that.
A mobile tracking system built from around a 200$ setup.
Oh, and yes... if you read my blog... don't expect me to put up banners and notices that this is for educational purposes only.... IT'S FOR SECURITY, for Christ's sake; if it looks bad, that's because you need to patch your system, alright?

Alright, vented. So let's do security.

Thursday, October 17, 2013

Part 1: Stealing Internet :) again (this is becoming a habit)

Since this post is going to be a little bit long, why don't I try to be as forthcoming as I can. It's becoming very hard for me to blog with these projects that I am working on, and no, I am not complaining.
So let's steal some more Internet, Orange Ke. (OK, it's Telkom, but same difference)

OK, so I made an earlier post about getting free internet using a method that employed brute-forcing usernames (still viable), but here's another method, and woe unto you who use it, as this will also guarantee you making a huge mistake (for educational purposes only)

1. Get a CDMA/EVDO RUIM card that is probably not registered in your name.
2. Get TOR / (any suitable VPN you prefer (to me / for me.... I prefer TOR for its free sense and the fact that I get more than two hacks going here) <--- P.S. TOR is not that safe; don't believe me? (I will post on that later))
3. A computer
4. A CDMA/EVDO modem; best to strip off your IMEI/SN, but hey, it's not much, you're just not paranoid enough... YET
5. nmap :) (OK, you don't need this, I will do the scan for you)

OK yes..... OK, here we go:

So what we will be doing: using a VPN to bypass the billing server.

Make sure you don't have existing bundles when trying this out (that's the point of it, right?)

OK, since this is step one, I'll teach how to pin TOR to a specific country (why?.... TOR is used by a lot of people, which slows its network bandwidth and speed, and we prefer high internet speeds, do we not? <--- alright, here we go)

Oh, install the TOR and Vidalia package for your OS. (If I need to show you this, ah ah.... I am not going there)
Then, once the installation is finished, we need to access this:

What we see is the list of all servers and countries we can use for TOR.
Select the country you want, e.g. China.
Click that server, select and save the fingerprint of the server to fingerprint.txt (copy about 4 of them).
Remove the spaces, add $ in front of each one and separate them with ",". Save it as a single line.

Put "ExitNodes " in front of that line, and on the next line add "StrictNodes 1" (StrictExitNodes is the old, obsolete name for the same option; Tor 0.2.2 and later expect StrictNodes). It will look like... the above^

Now after that go to Settings: Advanced: open up the torrc file you see there (mine gave me hell on my FreeBSD box, so here's a VM switch-up on XP)

Once that is open, edit it to give you the instance below:

What you will add is the ExitNodes lines at the top of that file, nothing more or less :)
Save this information, click Open, OK, exit and done :)
Restart the Vidalia package and voilà, we are done :)
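The fingerprint massaging in the steps above (strip the spaces, prefix $, join with commas, prepend ExitNodes) is easy to get wrong by hand, so here is an added Python example of mine, not from the post, that does it and also accepts Tor's {cc} country-code syntax for picking exits by country. The fingerprints in it are constructed placeholders, not real relays.

```python
"""Build the ExitNodes/StrictNodes lines for a torrc from relay fingerprints.
Added example, not from the original post; the sample fingerprints below are
constructed placeholders, not real Tor relays."""
import re

# A relay fingerprint is 40 hex digits. Status pages often show it as ten
# groups of four separated by spaces, which is the form we normalise here.
_HEX40 = re.compile(r"^[0-9A-Fa-f]{40}$")


def normalise_fingerprint(raw: str) -> str:
    """Strip whitespace and a leading '$', validate, return upper-case hex."""
    fp = "".join(raw.split()).lstrip("$")
    if not _HEX40.match(fp):
        raise ValueError(f"not a 40-hex-digit fingerprint: {raw!r}")
    return fp.upper()


def parse_fingerprint_file(text: str) -> list:
    """fingerprint.txt as the post describes: one relay per line, spaces
    inside the hex allowed. Blank lines and '#' comments are ignored."""
    return [normalise_fingerprint(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def exit_nodes_lines(fingerprints, country_codes=(), strict=True) -> list:
    """Return the two torrc lines. Entries are '$FINGERPRINT' for relays and
    '{cc}' for countries (Tor's own syntax; {cc} needs Tor's GeoIP file).
    StrictNodes is the option Tor reads today; the older StrictExitNodes
    spelling is obsolete and current releases warn and ignore it."""
    entries = ["$" + normalise_fingerprint(fp) for fp in fingerprints]
    entries += ["{" + cc.strip().lower() + "}" for cc in country_codes]
    if not entries:
        raise ValueError("ExitNodes needs at least one relay or country")
    lines = ["ExitNodes " + ",".join(entries)]
    if strict:
        lines.append("StrictNodes 1")
    return lines


if __name__ == "__main__":
    # Constructed sample file contents, not real relay fingerprints.
    sample = ("AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333\n"
              "# a comment line\n"
              "$0123456789abcdef0123456789abcdef01234567\n")
    for line in exit_nodes_lines(parse_fingerprint_file(sample), ["cn"]):
        print(line)
```

Paste the two printed lines at the top of the torrc; with StrictNodes 1, Tor fails closed and refuses to build a circuit if none of the listed exits is reachable, which is what you want when the whole point is the exit country, so keep more than one fingerprint in the list.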

With these steps we are done with step one :) In step two I will explain what happens, but with this, if you connect your modem... and start TOR, you will be able to browse for free, OK (with disconnections every ten minutes (that's my fault --- ask Orange who gave them the idea :) yes, iBrag).

Anyway, reality aside, a simple batch/bash script that reconnects would take care of that problem.

So what do we have:
Internet (annoying because of the disconnections, but feel free to chip in on how to bypass this)

Monday, October 14, 2013

Obfuscation :That Part About Tormenting the Bastard Trying To Get In

I made a post about tormenting the culprit trying to get either through your code or through your network (well, it was about code) and I never followed up (I did note it down).


Simply put, it's jumbling up your code (in a pattern <---- this has a weakness too, but hey, I still said it :P )
Anyway, let's keep the newbies and the lazy bums at bay for the most part.
So the Wikipedia explanation is as such: In software development, obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand.

Programmers may deliberately obfuscate code to conceal its purpose (security through obscurity) or its logic, in order to prevent tampering, deter reverse engineering, or as a puzzle or recreational challenge for someone reading the source code.

So here goes nothing; there are two ways to do this:
1. Manual
2. Automated

(well, mainly I use manual to decode)
Say we have this piece of code

<?php echo '<p>Hello World</p>'?> 

and we have this (the obfuscated version, shown in the screenshot below)


Well, what's the difference? None, if we run them both (warning: the second one might not run everywhere, but try it)


Truth is, all of these pieces of PHP code are the same. Here I did a quick automated obfuscation with FOPO, which does PHP obfuscation; other languages have their own tools, just a matter of searching.

Now this is not 100% foolproof. Another issue is that some of these methods make very heavily obfuscated code hard for servers/language virtual machines (Java) to handle.
Another issue on Java is that renaming obfuscators break code that relies on reflection, since reflection looks up classes and members by the very names that were renamed.

Anyway, with this method, think of how many newbies, even leet* hackers and reverse engineers, go "huh, say what?"

Anyway, I will teach decoding all this manually later.
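To show what an automated tool is doing under the hood, here is an added example of mine (not FOPO's code and not from the original post): it wraps a PHP statement in eval(base64_decode("...")) a chosen number of times and then peels the layers back off, which is the same thing as the manual trick of swapping the eval for an echo and running the result. The sample statement is the page's Hello World body without its <?php ?> tags, because eval() takes code that is already in PHP mode.

```python
"""Layered eval(base64_decode(...)) wrapping of a PHP statement, plus the
peeler that reverses it. Added example; this is not FOPO's algorithm and not
code from the original post. The sample statement is constructed."""
import base64
import re

# One wrapper layer looks like:  eval(base64_decode("<base64>"));
_LAYER = re.compile(r'^eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);$')


def wrap_once(php_code: str) -> str:
    """Base64 a PHP statement and wrap it in eval(base64_decode(...))."""
    b64 = base64.b64encode(php_code.encode()).decode()
    return f'eval(base64_decode("{b64}"));'


def obfuscate(php_code: str, layers: int) -> str:
    """Apply wrap_once `layers` times; each layer hides the previous one."""
    out = php_code
    for _ in range(layers):
        out = wrap_once(out)
    return out


def peel(blob: str):
    """Strip wrappers until plain code remains. Returns (code, layer_count).
    This is what 'decoding manually' amounts to: replace eval with echo,
    run it, and repeat until readable code appears."""
    layers = 0
    while True:
        m = _LAYER.match(blob.strip())
        if not m:
            return blob, layers
        blob = base64.b64decode(m.group(1)).decode()
        layers += 1


if __name__ == "__main__":
    statement = "echo '<p>Hello World</p>';"   # constructed sample
    blob = obfuscate(statement, 3)
    print(blob[:60] + "...")
    print(peel(blob))
```

The point the peeler makes is the one the post hints at: anything the interpreter can undo, a reader with the interpreter can undo too, so eval/base64 layering only raises the cost for people who don't know the trick.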

Back to code.

Unlocking BlackBerry [arg(For_free)] My Rants:

Well, I don't normally do this, but a friend (a girl, obviously) gave me a challenge to unlock her BlackBerry. Until then I never really cared how these things work; after all, 1001 sites offer that for a fee, but why pay when you can do it for free?

Well, the method will not really be documented, but if you want me to unlock yours I will do it for free... really, I am serious: no cards, PayPal or M-Pesa needed, just a free BlackBerry unlock.

So what do I need? Simply put, just write a comment containing the following:


That's an example to follow.

  • Does this work for the Z10/Z30/Q series?           (well, not for now)
  • Does this work for all networks?                   (for the ones tested, yes... all possible ones are tested)
  • How do I get the PRD?                              (remove the battery and read where it says 'PRD')
                                                       look at the figure below

  • Does this work if I know the MEP?                  (sure, provide it as an option to help too)
  • How do I find my MEP?                              (tricky, but if you have BlackBerry Desktop Manager I can help)
  • What about the IMEI?                               (just dial *#06#)
Anyway, comment away :)

Friday, October 11, 2013

The Struggling Developer [arg:( MY_RANTS)]

Well, the inspiration for this post comes from a simple phrase: là fait que --> been there, done that.

Haven't we all? OK, from all the conferences, developer rants, side talks, forums (OK, face to face), I swear the only thing I've heard of is the developer struggles.... now most would say the salary expectancy; let's just say that's out of this picture, as employment for IT techies, hackers, coders, developers and copy-pasters has never really been an advisable path, well, from my side of the lawn.

Now I can tell you my stories, from developing an Excel macro system to websites that I charged 40USD for (what.... wipe that look off your face, probably higher than you will get ;) ) I kid. Really, what is the cure for all this SDS, Struggling Developer Syndrome? Well, here are one or two options:

-Learn to Code
Yes, learn to code, not:
google>copy>paste>run(repeat till module is finished)>package>deploy>sell
-Learn to be Creative
Best instance.... give me one way you can improve a fully efficient system like, let's say, M-PESA
-Learn to avoid the student apparel
Most common for students: see that torrent site.... in a few years it won't pay for shiet.... see that Need For Speed? Trust me, it will look better with money in your pocket.
-Learn to grow your experience
Get projects, on oDesk, Elance, wherever; gather customer/client relations, coding skills, project management, heck, even just typing skills.

These and many more skills will propel you much further. Oh, did the struggle stop? :) Well, let's say if this is not the good life, this is the life :)

Back to code
Okay, clear.

Sunday, September 29, 2013

Silence and its meaning

Well, I guess we all agree that I have been rather silent; all in an explanatory mode... See, I am not really a firm believer in superstition, but the fact that Friday the 13th this month did not let me do so..... What am I referring to? Well, I befell an accident <---- I am so sure that grammar is a mess, but hey, it's my blog. Anyway, I accidentally fell from a moving bus, and though this might seem rather odd, I think my best explanation was trying something clearly meant for someone else.

Now I am typing this from an iPad, and believe you me it's not that much fun. All I can say is I am thankful to God I made it out with just a ripped hip, torn right arm and fractured right leg; now this is a blessing, after all I could have died! Not to seem dramatic, but that's not really a good thing.

Anyway, the silence is partially because of that and also because of incoming projects, the details of which I will be glad to share once I get clearance ^wink.

As my mentor always said,

Back to code

Saturday, September 28, 2013

Tribute to a fallen coder

Well, this is really brief and rather painful. Last Tuesday my second mentor in IT, in basic words, passed on; this would be Idd Salim Kithinji. Having an accolade from this genius was enough to propel my ideas to be a household IT name; his blog and personal website were favourites of mine, and to hold on to them is a promise I am willing to bravely endure. Thank you for the congratulatory messages you posted to me on Facebook and the mighty accolades that followed. I appreciate your work and hold on to these words with the uppermost honour:

Back to code

~thus speaketh Idd Salim

Wednesday, August 7, 2013

Safe Coding? <--- WTF is that.... nothing is safe or secure... just torment the bastard trying to get in [Part 1]

Well well well... I have been silent for a while... OK, my bad, I've been in a very lazy blogging mood... but hey, this mood has its perks, as I have been active in other areas. OK, so on to the topic...

I was recently sitting in a public service vehicle and next to me sat 2 guys (developers, as I later came to learn), and to my awe they were discussing a system that they wanted to present to a client who would in turn present it to a major local bank. MIDDLEMEN ---> this I just had to listen in on... OK, I know it ain't cool, but don't act like you don't do that and give advice inside your head.... OK, anywho, these guys were talking just as your average, normal coders would.... how they will develop the system, and show the middleman, and not give the source code to him....

SMH right there, until it was actually visible I was listening to their conversation... now, to be really honest, it took a lot of guts, if you know me very well, to turn and say hi* to them: may I interject.... my name is...... and here's my card; if you want to really talk about your system.... call me. I alighted at the next bus stop and walked off like a boss... problem is that wasn't my stop, and yes, I know I was trying to be mystic, but hey, my cards say and state "Information Security and System Forensic Consultant" right at the top, but this I had to sell... wrong bus stop or moves incorporated, now that's really beside the point....

Today I got a call from my two developers. Having listened to their earlier conversation, I was already guessing the worst for them to call me... trust me, IT gurus, and as they like to be called, geniuses, hardly want any help from outside forces.. and I am down with that EGO thing; after all, 3 guys create a social application that even the FBI and CIA want to jump into so bad, while another 2 create a search engine that every organisation wants.... hey, it's a god-complex we develop straight from the Hello World application we started with, even if it was in HTML and we called it programming/coding....

Now let me skip all this gibber-jabber and get on to what is really bugging my system.... a few blog posts ago I had a really big issue with lecturers/trainers/teachers/consultants and newbie developers. Why? Because people want to develop without security... how so...

When I am called for a pentest and have a white-box test that sort of looks like a black-box one, in the sense that I get everything from my recon via your system developer... I have already owned that pentest.... here's how:


Code reuse ---- oh come on, I have also done that... I am not a god at coding, but honestly, I have done it.... and though you may not know this, to me code reuse constitutes the biggest security flaw in my pages. Here is how:
Developer A creates a web application, uses a login form in .php/.asp or so, and sees no harm in reusing the whole darn thing.... Once I find any of his earlier systems, chances are he has made the same errors and configurations as before; his database tables are nearly the same, and even the naming conventions are much the same, e.g. {nameOfWebApp_tblUser}. A little change to Havij's default table dictionary/wordlist and voilà, I might be in for good luck on his system... well, it's not always that easy, but trust me, sometimes you are only as strong as your weakest link....

Googled code ---- OK, this is the most interesting one... it's close to code reuse, only worse.... why? Because this is the last resort of noob programmers.... worse is... if it works, I don't need to know what it's doing beyond that... what do I mean? Take this code for example

db_query('SELECT foo FROM {table} t WHERE = '.$_GET['user']);

db_query("SELECT foo FROM {table} t WHERE'%s'",$_GET['user']);

So which is the good code and which is the bad? Heck, both will run, especially in a Drupal (6) cage.... but one will let me do more than desired/required. The first concatenates $_GET['user'] straight into the SQL text, so a value like 1 OR 1=1 rewrites the query; the second hands it to db_query()'s %s placeholder, which escapes the argument before it is spliced in (escaping rather than true bound parameters, so it is only safe while the placeholder is quoted, as it is here). Now, if you google the first snippet, chances are you will actually find it

and yes, we actually do..... find it. In a lot of forums, by the way.

Well, this is one of a lot of practices that I normally go through in my trainings to show developers how bad it really is. P.S. the vulnerable code above makes for a very good SQL injection.... now

to my friends who contacted me... my lips are sealed on what the system is doing or going to do, but honestly.... if possible... eliminate the middleman, copyright and patent your inventions, because there is nothing like safe or secure coding/presentation.... part 2 will contain methods of tormenting the bugger trying to get at your code

Oh, and my view of open source: I ADORE OPEN SOURCE..... P.S. it doesn't mean it's free because it's open source, HECK NO.... I hope you guys have your tools ready for part two, looking for vulnerabilities in your code
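To make the difference concrete, here is an added example of mine (not Drupal code and not from the post) replaying both patterns against an in-memory SQLite table with constructed rows: the unsafe function splices the value into the SQL string the way the first snippet does, the escaped one mimics what db_query()'s %s placeholder does for the second snippet, and the bound-parameter one is what you should reach for when the driver offers it.

```python
"""Injection vs escaping vs bound parameters, replayed on SQLite.
Added example; the users table and its rows are constructed, and this is
not Drupal's db_query() implementation."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, each with a private value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, foo TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "secret-a"), ("bob", "secret-b")])
    return conn


def lookup_unsafe(conn, user: str) -> list:
    """Mirrors the first snippet: request data is glued into the SQL text,
    so the quote in the input ends the string and the rest is parsed as SQL."""
    sql = "SELECT foo FROM users WHERE name = '" + user + "'"
    return [row[0] for row in conn.execute(sql)]


def sql_escape(value: str) -> str:
    """What a %s placeholder stands in for: neutralise the quote character.
    SQLite doubles quotes; MySQL-style escaping (which Drupal 6 used) adds
    backslashes. Either way the input can no longer close the literal."""
    return value.replace("'", "''")


def lookup_escaped(conn, user: str) -> list:
    """Mirrors the second snippet: still string building, but the value is
    escaped first. Safe only because the placeholder sits inside quotes."""
    sql = "SELECT foo FROM users WHERE name = '" + sql_escape(user) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user: str) -> list:
    """Bound parameter: the value never becomes part of the SQL text at all."""
    return [row[0] for row in conn.execute(
        "SELECT foo FROM users WHERE name = ?", (user,))]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"          # classic tautology, constructed
    print("unsafe :", lookup_unsafe(db, payload))   # both secrets
    print("escaped:", lookup_escaped(db, payload))  # nothing
    print("bound  :", lookup_safe(db, payload))     # nothing
```

Note what the escaped version does not protect: an unquoted placeholder (WHERE id = %d misused as %s, or a column or ORDER BY name taken from the request) has nothing for the escaping to neutralise, which is why the bound form is the habit to build.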

Thursday, July 18, 2013

Software Cracking/Disassembly/Debugging ... call it what you may this is just the beginning

So recently I got a few complaints about not showing people how to crack software, and how I have not shown how software is broken into using reverse engineering. Well, here is a guide to doing all this. Right here I am using:

Hackers disassembler
and more coffee
For this example I will be using software that has in the past been used in numerous published tutorials and video walkthroughs. The reasons I am going to do this are to:
elaborate what really happens in ASM and reverse engineering, using methods such as creating a software crack.
Also, this is hardly an easy task; we will break down a little about ASM in general, though this is no substitute for an ASM tutorial... please understand enough ASM to follow this. Numerous times I have been approached by people saying they cannot understand what is happening, or why we change a JMP to a NOP... well, I will show you why, but please, if you have no idea what JE or JZ translate to, that they are the same instruction, and how they relate to ZF (the zero flag), refresh your understanding of assembly with the documentation and PDF tutorials provided on this site here

Moving on.... we can fairly start. Here I am using WinRAR 3.80... it's quite old, around a 2008 release, so it's OK for us to use it for simple testing.... we could try the 5.0 beta 7 2013 release, but let's get a basic understanding of what happens first, shall we?

So a copy of it can be found on our trusty site for old apps ---> good for finding old, previous versions of software. Moving on, we download our WinRAR
Then we install...

After the final setup we can see what it tells us about the product

We start it, and the first thing we note is that the program is an evaluation copy, as we noted when downloading and installing that it's a trial

Opening its About box we can see that it has a 40-day trial

I go back again to my method, that is... error generating :) In vulnerability/exploit work, errors are a very good friend of yours. In this method what I do is move the date on my machine forward past forty days to see if the program is affected by that.... why?.... check out my earlier post explaining why I did that. Moving on, when I change the date the program acts out with an error saying the trial period has expired.... well, that's a good thing... now, what do we want to achieve....

1. To crack the software would mean removing the (evaluation copy) message....
2. Allowing us to use the software without the time restriction.... which means removing the message box about purchasing the software....
We good? Alright, let's go...

We fire up our Hacker Disassembler... let me refer to it as HD for now, alright.
Now, loading up HD with the WinRAR executable, we find tonnes of information and ASM code... what we need are the steps required to activate* the software, so here goes nothing...

We do a simple search for the string 'evaluation'... we don't search for the whole phrase, so as to get the most matches for 'evaluation'.. OK?

With that we get a string match

How do we know this is the string we want?.... Observe the code below, circled in red.... there is an output in a comment (you all know how comments in ASM are made, right, with a semicolon) that points to the string starting from its first bracket, the ( of (evaluation copy)... this can be confirmed by scrolling down, where you will find the rest of the string...

Now, looking at the above code, what do we see?.... Well, I will break it down in the most non-ASM way possible, but explain every term we need... We can see that the program moves registers first (this may not match what the programmer wrote, since the compiler optimises code), so the first two MOVs are done, then it CALLs a certain address, MOVs a register again.... performs an arithmetic function (SUB on EAX), probably to compute the time difference (we don't know yet, since we have not followed all the calls and functions here; it's just cracker/programmer intuition), CALLs an address again, then CMPs a byte at an address, and then the program does a JNE ---> hoping you know what a JNE is... Jump if Not Equal, a conditional jump taken when the zero flag is clear (ZF=0)... A GOOD THING.... Now we won't even go further, since we have found a condition that must hold for the above error to be displayed... you get where I am going with this... cool

Now note down the address the JNE sits at and leave it at that... on my end it's 00444B71

We move on from that.... the next step is to go for the error that's thrown when a certain period has passed.... this is the message box telling us to register. Now the box has a string message stating
'Please Purchase WinRAR license'... one thing about it is that it's a dialog box... so we click on the D in HD and we get all the dialog references..... here we search for it by typing Please.... well, mine showed up just when typing plea* :)

We double-click on the dialog reference to get to where it's addressed; it gives us the address below, and with that we basically have the dialog right there in red... we see it has various options before it does a PUSH of an address.... now this PUSH is what we want/don't want... get what I am saying... it's what we want as of now... i.e. to see in the ASM code... but it's what we DON'T want in the executable when it runs....


Now, like before, we note down the address this instruction sits at.... on my end it's 0048731A
and we move on

Now here is where we fire up our little and mighty OllyDbg.... and load up the WinRAR executable

We now have the addresses we want to go to... so we right-click on the pane that has loaded the executable (top-left pane) and click 'Go to'; we can do this with the shortcut CTRL+G...

Here we paste/type our first address and click OK to go to the address that holds the conditional jump we want/need

Highlighted in grey is the area of interest.... and we can see that the JNZ shown is the one we want. A lot of ASM newcomers ask why we get JNZ when we wanted JNE; well, here is the short answer...

JNE is Jump if Not Equal
JNZ is Jump if Not Zero

They are two mnemonics for the same instruction: both jump when the zero flag is clear (ZF=0). CMP subtracts its operands and sets ZF=1 when the difference is zero, i.e. when they are equal, so "not equal" and "not zero" are the same test; different disassemblers just pick a different name. Same thing, right o___0... go figure

Now what we want is to do a simple thing:

 invert the conditional jump (JNE becomes JE)

with that, the branch that leads to the string we want to get rid of is no longer taken.

With the above we right-click... only this time we choose > Binary then Edit while we have the line at that address selected....
Here the HEX +01 row is what we need to edit.... now, to change the JNE into its opposite, JE (still a conditional jump, just with the inverse condition), we take the 85 field down by one to 84, seeing as:

Instruction   Jump Condition             Test                  Near opcode
JE            Jump if Equal              ZF=1                  0F 84
JNE           Jump if Not Equal          ZF=0                  0F 85
JG            Jump if Greater            (ZF=0) AND (SF=OF)    0F 8F
JGE           Jump if Greater or Equal   SF=OF                 0F 8D
JL            Jump if Less               SF≠OF                 0F 8C
JLE           Jump if Less or Equal      (ZF=1) OR (SF≠OF)     0F 8E

see this link for the whole table that will explain better and easier

Note that each opposite pair in the table differs only in the low bit of the opcode (84/85, 8C/8D, 8E/8F); flipping that bit negates the condition. The result is still a conditional jump, just the opposite one, which is enough here because we only need the check to go the other way. If you'd rather the jump always be taken, swap it for an unconditional JMP instead (E9 rel32, or EB rel8 for the short 7x form).

After that we get the code below, changed to a JE....

Moving on... we again head to the second address, which is the following

 we paste/type our address from before and....

We land on our PUSH.... the one that pushes the argument for our dialog box.... now what we want to do is kill the push.... how?.... well, simple: by filling it with NOPs.... what are NOPs? NOP is "no operation", opcode 90: the CPU executes it and does nothing, so replacing an instruction with NOPs of the same total length removes it without shifting anything after it. So what do we do:

We right-click with the entire line selected and go to
 > Binary
and select
 > Fill with NOPs

.... Filling with 00s, which some guides suggest, does not do the same thing: 00 00 decodes as add [eax], al, a memory write, not a no-op, so stick to 90 (or CC, INT3, if you want the spot to trap while testing).... tweak around and observe....

As the diagram below shows, the red code on the left is the part filled with NOPs
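Everything done above in OllyDbg's Binary > Edit and Fill with NOPs dialogs comes down to overwriting a few bytes, so here is an added example of mine (not from the post, and not WinRAR's bytes: the buffers are constructed stand-ins and the offsets are made up) that does the same three edits on a byte buffer: invert a Jcc by flipping the low bit of its opcode, turn it into an unconditional JMP, or NOP it out. Two things the Olly dialog hides: patching the file on disk means translating the virtual address Olly shows into a file offset through the PE section table, and NOPing out a PUSH that feeds the CALL after it can leave that call one argument short, so check what consumes the pushed value before deciding the push alone is enough.

```python
"""Byte-level versions of the three OllyDbg edits from the walkthrough.
Added example; buffers and offsets below are constructed, not WinRAR's.
Offsets are into the buffer you hand in (a file offset if you read the
PE from disk, which is NOT the virtual address a debugger displays)."""

NOP = 0x90   # x86 one-byte NOP. 0x00 0x00 is 'add [eax], al', not a no-op.


def _jcc_kind(code: bytearray, off: int) -> str:
    """'near' for 0F 8x rel32, 'short' for 7x rel8, else raise."""
    if code[off] == 0x0F and 0x80 <= code[off + 1] <= 0x8F:
        return "near"
    if 0x70 <= code[off] <= 0x7F:
        return "short"
    raise ValueError(f"no conditional jump at offset {off:#x}")


def invert_jcc(code: bytearray, off: int) -> bytearray:
    """Negate the condition in place: JNE (75 / 0F 85) -> JE (74 / 0F 84),
    JL (7C) -> JGE (7D), etc. The low opcode bit selects the negation."""
    if _jcc_kind(code, off) == "near":
        code[off + 1] ^= 0x01
    else:
        code[off] ^= 0x01
    return code


def make_unconditional(code: bytearray, off: int) -> bytearray:
    """Replace the Jcc with a JMP of the same total length so the jump is
    always taken. Near: 0F 8x rel32 (6 bytes) becomes 90 E9 rel32; the NOP
    goes first so the JMP ends where the Jcc did and rel32 stays valid.
    Short: 7x rel8 becomes EB rel8 (same size, same end address)."""
    if _jcc_kind(code, off) == "near":
        rel32 = bytes(code[off + 2:off + 6])
        code[off:off + 6] = bytes([NOP, 0xE9]) + rel32
    else:
        code[off] = 0xEB
    return code


def nop_out(code: bytearray, off: int, length: int) -> bytearray:
    """Overwrite `length` bytes with NOPs; length must cover whole
    instructions or the bytes after it will be decoded differently."""
    code[off:off + length] = bytes([NOP]) * length
    return code


def apply_patches(code: bytes, patches) -> bytes:
    """patches: iterable of (kind, offset, length) with kind in
    {'invert', 'jmp', 'nop'}; length is only used by 'nop'."""
    buf = bytearray(code)
    for kind, off, length in patches:
        if kind == "invert":
            invert_jcc(buf, off)
        elif kind == "jmp":
            make_unconditional(buf, off)
        elif kind == "nop":
            nop_out(buf, off, length)
        else:
            raise ValueError(f"unknown patch kind {kind!r}")
    return bytes(buf)


if __name__ == "__main__":
    # Constructed stand-in: a near JNE, then a push imm32, then ret.
    sample = b"\x0f\x85\x10\x00\x00\x00" + b"\x68\x78\x56\x34\x12" + b"\xc3"
    patched = apply_patches(sample, [("invert", 0, 0), ("nop", 6, 5)])
    print(patched.hex(" "))
```

The same flip works for every pair in the jump table above, which is why "take 85 down to 84" is really "clear the low bit", and why the 7x short form needs the same treatment on its single opcode byte.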

Now what we want to do is save this cracked*/modified executable... with that we do as such....
right-click and go to....
> Copy to executable
> All modifications

You will get the screen below, with the following notation at the top left, D*; right-click in it and choose
> Save file

Save it somewhere like the desktop.... or save it with a different name in the same folder, and....

Now close up your OllyDbg, or whatever disassembler.... and execute/run the executable you created and saved... like mine on the desktop.... see what it brings up... a cool interface that has no evaluation required....

As it goes, that's the procedure..... well, for most applications.... this is just the basics and we can move on to harder, more complex applications... please use this knowledge for good, not to rob people/companies of their sweat and products/services

As a developer you may ask how you secure yourself from this.... well, in a lot of ways:

  • Write code with the intention of making cracking costly... :) ... avoid making the dialogs and strings around your checks obvious; the string search above was our whole entry point.
  • Compiled code has no comments, but strings and resource names end up in the binary and serve a cracker just as well.
  • Obfuscate your code...
  • Only display errors when really needed; the "expired" message handed us the check to look for.
  • Spread and jumble the serial/product-key checks through the program instead of leaving one CMP/JNE to flip.
  • Use proper cryptographic schemes (signed licences) rather than home-grown key/serial algorithms.
  • Use licence files instead of keys.
  • Activate the product online (also helps).

Remember, you are only as strong as your weakest link :) With that.... I am out, and CIAO

Wednesday, July 17, 2013

Exploit writing .... for humans .... yes its possible

I think this topic is a little hushed due to its sophistication, or its learning curve....

Going from my earlier post about software cracking (I hardly spilled the ASM beans on that one), a little offset will probably occur here.... on this.... what I will do is break down the barrier between high-level and low-level programming languages...

So what will you need to know before we start:

  • a high-level programming language.... e.g. C, Java, Python, Perl or Ruby
  • and yes, we need to know a little about ASM (for now... if we advance we need to add more to our stack)
  • Metasploit is not a must, but can be very helpful
  • math.... yes, a lot of mathematics
This will be sort of long, since I will break it down to the bare essentials, so if you think it's too soft.... that's because it is... moving along

  • Reverse Engineering --- this is simply breaking down an object (code, in our case) and getting a look at it from a disassembler or decompiler
  • ASM --- assembly language (just google this part... I will wait). Yes, it's that.... but here's the trick about ASM: it looks like a lot of gibberish, but some terms are very understandable:
instructions --- e.g. POP, PUSH, MOV, SUB, RET
registers (the 16-bit names; in a 32-bit debugger like OllyDbg you see the E-prefixed forms EAX, ECX, ..., ESP, EBP):

AX  accumulator: multiply/divide, string load & store
CX  count for string operations & shifts
DX  port address for IN and OUT (and the high half of a multiply/divide result)
BX  base register for memory addressing
SP  points to the top of the stack
BP  points to the base of the stack frame
SI  points to a source in stream operations
DI  points to a destination in stream operations

Along with the general registers there are additionally the:

IP instruction pointer
segment registers (CS, DS, ES, FS, GS, SS) which determine where a 64k segment starts (no FS & GS in 80286 & earlier)
extra extension registers (MMX, 3DNow!, SSE, etc.) (Pentium & later only).

^borrowed from wikipedia

The IP register points to the memory offset of the next instruction in the code segment (it points to the first byte of the instruction). The IP register cannot be accessed by the programmer directly.

these are just examples and barely scratch the surface of what is happening.... explaining that would probably require another blog....
now here is the explanation to the above

a register is a place you do stuff---that easy huh hehehe yeah, for now... registers are work benches
like EIP is what is about to happen next
and ESP is a workshop---where we are working
and EAX is mostly where the math is done ---> this is simply my analogy from my teacher's point of view....
now moving to disassembly (google that also) we have various tools that can do all this disassembling... now for me i will not dare recommend any tool ... just mess with them and see what is your best method/tool to approach the code/apps, here are some examples

  • Ollydbg
  • SoftIce(very old though)
  • IDA Pro(yes its expensive---but worth it)
  • Immunity Debugger is also a good option so also try it
moving on now something really cool about ASM.... ASM works on a step by step procedure... what do i mean... when ASM wants to work with an *object... it does so one step at a time... now here is the interesting part... if it has stacked an object under ten other items... it will have to go back through those same ten items in reverse order to pick it up again.... then start working from there....

ok moving on.... i wont spend more time here but if you came for exploit development am guessing you are ready for whats next....

Methods of attacking the application

now a lot of people ask me how do we even start attacking a piece of software?

assume you have the sole responsibility to pentest a music/media software... our example will be a software known as Easy RM to MP3 Conversion Utility, its a small, media oriented software
we can also use vlc, adobe, word, anything that will basically be an exe for now... but lets start with this aight...

method of exploit... buffer overflow. what is a buffer overflow?... this is when an application cannot handle excessive data and spills it... well not exactly spilling it out, but into another workbench/Register

then how do we know how to get a buffer overflow? we crash it... so to speak, we bring out errors
... i mean how do we get errors from it ... well you broke the first code lassy... we get errors from it ..
heres how: fuzzing... what is fuzzing (google that ... am waiting).. got it? ok now here is where we create a fuzzer (yes not all tools are already made when hacking)

so here is a simple fuzzer

and when we run the fuzzer.... we get the following 

moving on from that, what we have created is simply a file that will be read by the media app i.e Easy RM .... it contains a lot of data that is basically A's, so here is our output when we get it to open (i changed to kali linux from mac here for reasons you will see just ahead)

now here is when the fun begins (well not all times will the app crash directly, sometimes we need more As aka junk data so we multiply with more if we need to) so does it crash? yes it does B)
moving on we now want to see whats happening when it does that.... we fire up our trusty Debugger, i will use Ollydbg for now, so here is the open session screen and we attach the (newly) running process of Easy RM... i changed the fuzzer to bring out Bs ... not that its needed, just me being me....

so we attach the process to ollydbg and open our new crash file (with Bs---just checking if you are following) and again baaam it crashes... this time with this showing on our ollydbg

let me do a little explaining.... on the window on the right side we have the Registers...
on our top left side we have a blank part but thats because our program crashed, on an earlier look it would be filled with the program instructions, the NOP POP MOV and what have you ....
lower left has a little of everything, the hex, ascii (everything thats going on)

so we have something at the furthest end.... the top right corner... on that side we have a lot of BBBBB.... as u can see, then we have a very interesting notation

looking at it we have Bs in EBX, ESP, then in our favourite Register EIP.... why is it our fav ... its because 1. programmers can't directly access that register... not even on an ASM level.... 2. EIP as i stated earlier is what is about to happen .... thats right ... NEXT .... so that means its what is unknown to the program at that time... hence we can call any function if we spill that function's address in there.... and that function is our... YAY hahaha no abbreviation for that, our ShellC0d3 <---- ok thats not so cool) but ....

hold your horses ... we are far from that, well not that far... depending on which high horse we decide to pull an allnighter on ... ok now what we need to do is know where exactly the code *breaks at.... how do we do that?.... we create a pattern

now EIP is only 4 bytes in size so what happened is that somewhere along all those Bs i sent, or that were loaded, there is a place with the 4 bytes that caused the crash.... now what we wanna do is try and get the location of those 4 bytes... now this can be done in two ways... the manual way where we create a fuzzer with different A and B characters, such as 3000 As and 3000 Bs, so if we get As only its in the range of 3000, if we get Bs its in the range of 3001 and above, true?.... this is the differential method....
we also have a tool for doing that in metasploit... this tool is a ruby script called pattern_create.... so here it is working its magic....

and it creates a sequence that looks like so.....
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8..... and so on now we will modify our script to this

with that i can go on, as now our script/fuzzer looks like so ...moving on, now we can get a pattern that doesn't repeat itself and we can look for our 4 bytes

and again BAAAM our sweet application crashes.... but this time we note our EIP .... now our EIP contains not 42424242, nope, now it contains a sweet melody of 7A53307A and with this we can tell how this is going to go down....

now here is where the math comes in.... P.S dont be surprised if you get a different Address, it just depends on what your file path in the executable is... it may be longer or shorter. now... to offset the data

we are getting a tool to find the offset, still in metasploit (pattern_offset), and i get this

for my first offset.... now with this i can conclude the exact size of the buffer before i write my shell code... the center one being what am looking for.... now for this it means 35071 is the buffer length needed to overwrite EIP. So if i create a file with 35071 A's, and then add 4 B's (42 42 42 42 in hex) EIP should contain 42 42 42 42.
here is the result... and am all smiles with that
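To show where the several offsets (and the "center one") come from, here is an added Python reimplementation of the pattern/offset logic, not the author's script and not Metasploit's own code. It uses the page's EIP value 7A53307A; the 60000-byte buffer length is a constructed assumption. This is the same check a crash triager runs to decide whether a saved return address is fully controlled by input and at which offset.

```python
import string
import struct

# The Aa0Aa1... pattern is unique for 26*26*10*3 = 20280 bytes and then
# repeats, which is why a long buffer yields more than one candidate offset.
PATTERN_PERIOD = 26 * 26 * 10 * 3  # 20280


def cyclic_pattern(length):
    """Return `length` bytes of the Aa0Aa1... pattern, wrapping if needed."""
    out = bytearray()
    while len(out) < length:
        for upper in string.ascii_uppercase:
            for lower in string.ascii_lowercase:
                for digit in string.digits:
                    out += (upper + lower + digit).encode()
                    if len(out) >= length:
                        return bytes(out[:length])
    return bytes(out[:length])


def eip_to_bytes(eip):
    """x86 stores a 32-bit register little-endian, so the four bytes that
    landed in EIP are read back in reverse order (0x7A53307A -> b'z0Sz')."""
    return struct.pack("<I", eip)


def pattern_offsets(eip, length):
    """Every offset in a `length`-byte pattern where the bytes now in EIP
    appear; an empty list means the crash value is not from our input."""
    pat = cyclic_pattern(length)
    needle = eip_to_bytes(eip)
    hits, start = [], 0
    while True:
        idx = pat.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


if __name__ == "__main__":
    eip = 0x7A53307A  # value observed in EIP on the page
    print(eip_to_bytes(eip))            # b'z0Sz'
    print(pattern_offsets(eip, 60000))  # [14791, 35071, 55351]
```

The three hits are one period (20280 bytes) apart; 35071, the middle one, is the figure the page settles on.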

so what does that mean... we have found the all-important address at which the register gets overflowed B) and that is a very good thing.... now the shell code ... ah ah not yet.... why... thats because we cant fit a whole command prompt/shell code in 4 BYTES!!! thats crazy .... but we do have something else... remember when we were busy filling the program with As or Bs .... on our bottom right on the debugger
we had something like this

with that.... we have a way in.... now what we have to do, since the As or Bs were also filled in where the ESP register points, is look for a JMP ESP instruction.... why? since we wanna jump to that code .... we fill it with data.... and the register we point at the JMP ESP is EIP, which we cant***** access programmatically and which is waiting to execute the overflowing data........ so it runs the desired shellcode. so... here we go

on the above screenshot---- we click on E* to bring up the executables....
listed below are the executables....

now a little note to be noted <--- what hahaha alright .... the system processes we see are quite ok to use also... but this will be platform DEPENDENT in a sense ... if we use them they can only be used by a person attacking the same platform e.g XP service pack 1 will work only on the SP1 platform of XP and so on.... anyway using the same application's executable really will save us much... plus its what we will do.... so here goes nothing..... we select the executable for Easy MP3.... if it had dlls we could use them if we wanted to....

so we select the executable since we dont want too many exploit restrictions..... and we search in the code for the JMP ESP instruction..... this we get from here

wuuuu ..... with that.... we can set a break point to observe if the JMP ESP is going to hold any water..... now this is not a must, its just a procedure if u run into an issue while working. now whats our address in the JMP ESP? 7CA7A787. x86 processors have a habit of ending up in little endian encoding so we write the address as \x87\xA7\xA7\x7C .
now to generate our shellcode.... there are a lot of ways .... but the best way is by use of metasploit... AGAIN B)..... here is how, using the msfweb method

and with that we generate a bind payload..... 
...... now lets go to our fuzzer....

after generating the payload.... and encoding it with Shikata Ga Nai to evade a little and bring a little peek a boo .... we are ready to put the shell code into our fuzzer.... so here we go 'B)

we create a script/fuzzer that looks as such

and with that we generate the playlist we want to be run by the victim.... and we test to see if it works...

what do you know... it opens and doesnt crash :P

ok lets see if the shellcode executes ok....
 VOILA!!!! ....there we go :)

our payload works and binds us to port 4444... wow nice huh... yeah ... anyway this is a very simple application to attack... adobe, vlc, java-dependent software have the same kind of feel and feed.... it gets a little tricky though if obfuscated and also if the program does not have 3rd party dlls... well i hope this is a start for you ...if you want more on ASM check out my links with PDF downloads ... i will be posting the video for this here soon so please keep in touch.... ask questions in the comments if you need any help ... i will gladly help where i can.

CIAO happy hunting.


:) No longer posting, all articles should be treated as archived and outdated