Tuts 4 You

Blogs

One More Time for fun...flash backs

So in my adventures to track down the elusive Phrozencrew (last 2 yrs), it's come to my attention that they've all grown up... Not in a bad way of course, but just done with the scene... moved on... among other peeps from my love of '98... some great crackers of the day... just done. So now in this day and age who is active anymore? I went to the almighty ICU website... gone... maybe I'm out of the loop but the page is gone... FFF... not sure, SnD... nope, EFnet is nearly closed... mostly bots... what happened to ARTEAM... they had a bad ass e-magazine... C-YA ugh... I'm lost. I tried to re-energize myself with OLLY, and like a bum I downloaded crackerskit 2.0 (so fresh in the day); where are the new packages? I find myself even lazier than trying to do my own thing with OLLY and find an All In One (AIO)... oh well, I miss those days... I'm back trying to find it... let me know... I'm out here looking to get connected again!! Peace, Overkill^

overkill

[PureBasic] Antivirus Grabber [Snippet]

Wrote this a while ago, to understand how trojans get antivirus products when they request such information; turns out it works pretty well. [For Educational Purposes and Usage ONLY]

; English Forum: https://forum.tuts4you.com/
; Author: 0xNOP
; Date: 6.April.2016
; OS: Windows
; Output Demo:

;==================== GLOBAL VARIABLES ==================
Global Dim output.s(0)
Global.s AntiVirus = "AntiVirusProduct"
Global.s FireWall = "FirewallProduct"
Global.s AntiSpyware = "AntiSpywareProduct"
;==================== GLOBAL VARIABLES ==================

;#=====================================================================================#
;# Function: explodeStringArray(_Out_ Array, _In_ s, _In_ delimiter)                  #
;#=====================================================================================#
;# Brief: Similar to the PHP function explode(), this function helps you 'explode' a  #
;#        string by string.                                                           #
;#=====================================================================================#
;# _Out_ Array = An array that will store the things you split.                       #
;# _In_ s = String that contains the stuff you wanna split.                           #
;# _In_ delimiter = a delimiter used to split the string.                             #
;#=====================================================================================#
Procedure explodeStringArray(Array a$(1), s$, delimiter$)
  Protected count, i
  count = CountString(s$, delimiter$) + 1
  ;Debug Str(count) + " substrings found"
  Dim a$(count)
  For i = 1 To count
    a$(i - 1) = StringField(s$, i, delimiter$)
  Next
  ProcedureReturn count ; return count of substrings
EndProcedure

;#=====================================================================================#
;# Function: getProduct(_In_ ProgID, _In_ Product)                                    #
;#=====================================================================================#
;# Brief: This function does the actual search for the product(s) you specify.        #
;#=====================================================================================#
;# _In_ ProgID = Valid program handle from WMI Query                                   #
;# _In_ ProductType = "AV" or "FW" or "SPY"                                            #
;#=====================================================================================#
Procedure getProduct(ProgID, Product.s)
  Output$ = ""
  If ProgID
    While ProgramRunning(ProgID)
      If AvailableProgramOutput(ProgID)
        Output$ + ReadProgramString(ProgID)
      EndIf
    Wend
    CloseProgram(ProgID) ; *Let's prevent some leakage* Close the connection to the program.
    Debug Output$
  EndIf
  SplittedString$ = ""
  FindStr$ = Left(Output$, 12)
  Occurences$ = Str(CountString(Output$, FindStr$))
  If (Val(Occurences$) = 0)
    MessageRequester("Woops!", "No Security Product(s) Found!")
  Else
    If (Val(Occurences$) >= 1)
      ; This system has more than one Antivirus!
      ; Do Split for 1 Security Product <- We want this value :)
      explodeStringArray(output(), Output$, "displayName=")
      If (Product.s = "AV")
        MessageRequester("We've Found an AntiVirus!", output(1))
      EndIf
      If (Product.s = "SPY")
        MessageRequester("We've Found an AntiSpyWare!", output(1))
      EndIf
      If (Product.s = "FW")
        MessageRequester("We've Found a FireWall!", output(1))
      EndIf
    EndIf
  EndIf
EndProcedure

;#=====================================================================================#
;# Function: GetSecurityProduct(_In_ Product, _In_ ProductType)                       #
;#=====================================================================================#
;# Brief: This function just runs a WMIC instance in a hidden console; the return is  #
;#        a valid program handle, used in getProduct() in order to do the other        #
;#        operations to hunt for security products.                                   #
;#=====================================================================================#
;# _In_ Product = "AntiVirusProduct" OR "AntiSpywareProduct" OR "FirewallProduct"     #
;# _In_ ProductType = "AV" or "FW" or "SPY"                                            #
;#=====================================================================================#
Procedure GetSecurityProduct(Product.s, ProductType.s)
  ; WMI CHANGED THE WAY IT BEHAVES FROM VISTA SP2 AND ABOVE, EARLIER "ROOT\SECURITYCENTER" WAS NEEDED, NOW "ROOT\SECURITYCENTER2" IS NEEDED.
  If OSVersion() <= #PB_OS_Windows_Vista
    ProgID = RunProgram("wmic", "/Node:localhost /Namespace:\\root\SecurityCenter Path " + Product + " Get displayName /Format:List", "", #PB_Program_Open | #PB_Program_Read | #PB_Program_Hide)
    getProduct(ProgID, ProductType)
  Else
    ; Host OS is higher than Vista. We can rest assured and run it with the new WMIC statement :D
    ProgID = RunProgram("wmic", "/Node:localhost /Namespace:\\root\SecurityCenter2 Path " + Product + " Get displayName /Format:List", "", #PB_Program_Open | #PB_Program_Read | #PB_Program_Hide)
    getProduct(ProgID, ProductType)
  EndIf
EndProcedure

;==================== MAIN ==================
GetSecurityProduct(AntiVirus, "AV")
GetSecurityProduct(AntiSpyware, "SPY")
GetSecurityProduct(FireWall, "FW")
;==================== MAIN ==================

Simply gets the listed Antivirus. Adapted for PureBasic.

References:
WMIC Access Security Products: https://blogs.msdn.microsoft.com/alejacma/2008/05/12/how-to-get-antivirus-information-with-wmi-vbscript/#comment-180
Explode String (Php2Pb): http://www.purebasic.fr/english/viewtopic.php?p=320348&sid=a3457eb3b08ec9dc6eb5b8ac3ee67656#p320348

*Updated 4/5/2016* Added support for earlier versions of Windows (Vista and earlier), as I've read the structure of the WMI command changed a little bit for those versions of Windows.

*Updated 3/6/2017* Added support to detect three major security products; some little things in the code changed, like `getAv()` is now `getProduct()`.

*Updated 3/7/2016* Just cleaned the code a tad more, documented the functions, added overall comments and also did some minor refactoring.

0xNOP

Quick & Dirty Way to Bypass Themida Anti-Attach!

[ATTENTION! - BEFORE YOU READ ANYTHING!]
The following article you're about to read has been written with the mentality of helping other fellow members who currently have a job as Malware Analyst and
are working hard every day against malware in the wild. Given that this forum is publicly available to anyone, this article is intended to be
used only as an educational resource and should NOT BE put to the test with any kind of commercial programs / applications / software
protected by Themida. Breaking / circumventing the protection of Themida itself, or of any kind of commercial program / application / software, is something
totally unlawful and you could be held accountable for your actions in a court. The author of this article ('0xNOP') and/or the hosters of this blog ('www.tuts4you.com') do not take
any kind of responsibility towards anything that you ('the reader') might do with such content.
Given these terms of agreement, you are the sole and only person responsible for your own actions. If you agree with this, you may continue reading; if not, I advise you to discontinue reading,
close this page and continue browsing the forums as usual. If you continue reading it means you are automatically accepting these terms of agreement.

0xNOP

[PureBasic] OS Grabber [Snippet]

Here we go guys! Yet another snippet! I keep digging with WMI and its interface WMIC, and I find it pretty useful with all the things you can get. This time I've made this little nice snippet of code which grabs the OS name / version! Hope you like it and find it useful.

; English Forum: https://forum.tuts4you.com/
; Author: 0xNOP
; Date: 6.April.2016
; OS: Windows
; Output Demo: http://i.imgur.com/u37a35H.png

ProgID = RunProgram("wmic", "os get caption", "", #PB_Program_Open | #PB_Program_Read | #PB_Program_Hide)
Output$ = ""
If ProgID
  While ProgramRunning(ProgID)
    If AvailableProgramOutput(ProgID)
      Output$ + Trim(ReadProgramString(ProgID))
      Output$ = ReplaceString(Output$, "Caption", "") ; Drop the column header WMIC prints first
    EndIf
  Wend
  MessageRequester("OS", Output$)
  CloseProgram(ProgID) ; Close the connection to the program
EndIf

0xNOP
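
Both WMIC snippets above (the AV Grabber and this OS Grabber) read WMIC's text output and keep a single field: the first displayName, or the OS Caption. The Python below is an added example, not 0xNOP's code: it parses the `/Format:List` output into one record per instance, so several registered products or a "No Instance(s) Available." reply are both handled, and it parses the default table layout that `wmic os get caption` prints. The sample outputs are constructed, not captured from a host.

```python
# Added example, not code from the original posts: parsers for the two WMIC output
# shapes the AV Grabber and OS Grabber snippets read. All sample outputs below are
# constructed for the example, not captured from a real host.


def parse_wmic_list(text):
    """Parse 'wmic ... /Format:List' output into one dict per instance.

    The list format prints one 'Key=Value' line per property and separates
    instances with blank lines, so a host with two registered products gives
    two records; a 'No Instance(s) Available.' reply has no '=' and gives none.
    """
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def parse_wmic_table(text):
    """Parse the default table output of a single-column query such as
    'wmic os get caption': first non-empty line is the header, the rest are rows."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header, rows = lines[0], lines[1:]
    return [{header: row} for row in rows]


def security_products(list_output):
    """displayName of every product in a root\\SecurityCenter2 /Format:List reply."""
    return [rec["displayName"] for rec in parse_wmic_list(list_output) if "displayName" in rec]


# Constructed: two AntiVirusProduct instances, as WMIC lists them.
AV_SAMPLE = (
    "\r\n\r\n"
    "displayName=Windows Defender\r\n"
    "\r\n\r\n"
    "displayName=Example AV Suite\r\n"
    "\r\n\r\n"
)

# Constructed: the reply WMIC gives when the class has no instances.
FW_SAMPLE = "\r\n\r\nNo Instance(s) Available.\r\n\r\n"

# Constructed: default table output of 'wmic os get caption' (note the column padding).
OS_SAMPLE = "Caption                   \r\nMicrosoft Windows 10 Pro  \r\n\r\n"

if __name__ == "__main__":
    print(security_products(AV_SAMPLE))   # ['Windows Defender', 'Example AV Suite']
    print(security_products(FW_SAMPLE))   # []
    print(parse_wmic_table(OS_SAMPLE))    # [{'Caption': 'Microsoft Windows 10 Pro'}]
```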

ExtractIconEx Revisited...

With the excitement of Windows 10 and a host of bug fixes out of the way I can now concentrate some time on Tuts 4 You, which also allows me to post some code on this blog. This blog entry is in regard to a recent query from LCF on viewing icons contained within DLLs, executables, icon files, etc. I coded a small tool for this a while ago that enabled me to quickly view icons contained primarily within shell32.dll and imageres.dll so that I could take advantage of those icons in other code. Most of the magic is done by the Windows API ExtractIconEx function and from there we simply manipulate the icon images to display them in a gadget list window. As you can see from the code below I have taken advantage of mixing both Windows API and PureBasic APIs to achieve the results. Those of you who have read my previous blog entries may be astute enough to see the similarities with the code posted in my PureBasic Adventures blog entry. The attached archive contains compiled code for those who would like to see the end result and do not have PureBasic installed (shame on you!). The archive also contains the .pb code file(s) and some rough bonus code using the DrawIconEx API to draw icons directly to a window...

UsePNGImageEncoder()

; Declare the procedures...
Declare Menu_ExtractIcon()
Declare Menu_ExtractIconAll()
Declare Menu_About()
Declare Menu_Callback(hWnd, uMsg, wParam, lParam)

; Declare some global variables...
Global Gadget
Global FileName.s
Global Title.s = "Quick Icon Viewer v0.1"
Global Info.s = "A small program to view and extract icons as .BMP or .PNG." + Chr(13) + Chr(13) + "Code: Teddy Rogers" + Chr(13) + "URL: http://tuts4you.com" + Chr(13) + "E-Mail: teddyrogers@tuts4you.com"

; Create our window and explorer list gadget then let the magic happen...
If OpenWindow(0, #Null, #Null, 600, 500, Title.s, #PB_Window_ScreenCentered | #PB_Window_SystemMenu)
  ExplorerListGadget(0, 1, 2, 598, 297, GetCurrentDirectory(), #PB_Explorer_GridLines | #PB_Explorer_AutoSort | #PB_Explorer_HiddenFiles | #PB_Explorer_FullRowSelect)

  ; Create the icon gadget windows and set the attributes to display small and large icons...
  ListIconGadget(1, 1, 300, 299, 176, "", #Null)
  ListIconGadget(2, 301, 300, 298, 176, "", #Null)

  ; Customise the list icon display mode...
  SetGadgetAttribute(1, #PB_ListIcon_DisplayMode, #PB_ListIcon_SmallIcon)
  SetGadgetAttribute(2, #PB_ListIcon_DisplayMode, #PB_ListIcon_LargeIcon)

  ; Create the status bar and text fields for some stats/counters...
  If CreateStatusBar(0, WindowID(0))
    AddStatusBarField(#PB_Ignore)
    AddStatusBarField(#PB_Ignore)
    AddStatusBarField(#PB_Ignore)
    AddStatusBarField(#PB_Ignore)
    StatusBarText(0, 0, "Small Icons (16 x 16) :", #PB_StatusBar_Right)
    StatusBarText(0, 2, "Large Icons (32 x 32) :", #PB_StatusBar_Right)
  EndIf

  ; Create the popup menu and bind the menu events...
  If CreatePopupMenu(MyMenu)
    MenuItem(1, "Extract")
    MenuItem(2, "Extract All")
    MenuBar()
    MenuItem(3, "About")
    BindMenuEvent(MyMenu, 1, @Menu_ExtractIcon())
    BindMenuEvent(MyMenu, 2, @Menu_ExtractIconAll())
    BindMenuEvent(MyMenu, 3, @Menu_About())
    ; Create the callback to process the events in the icon gadget lists...
    SetWindowCallback(@Menu_Callback())
  EndIf

  Repeat
    MyEvent = WaitWindowEvent()
    Select MyEvent
      Case #PB_Event_Gadget
        Select EventGadget()
          Case 0
            Select EventType()
              Case #PB_EventType_Change
                ; Auto size the four explorer list gadget columns...
                For i = 0 To 4
                  SendMessage_(GadgetID(0), #LVM_SETCOLUMNWIDTH, i, #LVSCW_AUTOSIZE_USEHEADER)
                Next i
              Case #PB_EventType_LeftClick
                ; Check if the user selected a different file in the explorer gadget list before processing new events...
                If FileName.s <> GetGadgetText(0) + GetGadgetItemText(0, GetGadgetState(0))
                  ; Get the directory and file name from ExplorerListGadget...
                  FileName.s = GetGadgetText(0) + GetGadgetItemText(0, GetGadgetState(0))
                  ; Clear up any previously displayed icons...
                  ClearGadgetItems(1) : ClearGadgetItems(2)
                  ; Return the total number of icons in the specified file...
                  IconNum = ExtractIconEx_(PeekS(@FileName), -1, #Null, #Null, #Null)
                  ; Create a simple array for storing the small and large icons...
                  Dim hIcon_Small(IconNum) : Dim hIcon_Large(IconNum)
                  ; Extract the icons in to the array...
                  If IconNum
                    ExtractIconEx_(PeekS(@FileName), #Null, hIcon_Large(), hIcon_Small(), IconNum)
                  EndIf
                  ; Change the window icon. Using SHGetFileInfo retrieves file, folder, directory, and drive icons...
                  If SHGetFileInfo_(PeekS(@FileName), #FILE_ATTRIBUTE_NORMAL, @FileIcons.SHFILEINFO, SizeOf(SHFILEINFO), #SHGFI_ICON | #SHGFI_SMALLICON | #SHGFI_USEFILEATTRIBUTES)
                    SetClassLongPtr_(WindowID(0), #GCL_HICON, FileIcons\hIcon)
                    DestroyIcon_(FileIcons\hIcon)
                  EndIf
                  ; Add the icons stored in the array to the gadget list and destroy the icon in the array...
                  For a = 0 To IconNum - 1
                    If hIcon_Small(a)
                      AddGadgetItem(1, -1, Str(a) + " / $" + Hex(a), hIcon_Small(a))
                      DestroyIcon_(hIcon_Small(a))
                    EndIf
                    If hIcon_Large(a)
                      AddGadgetItem(2, -1, Str(a) + " / $" + Hex(a), hIcon_Large(a))
                      DestroyIcon_(hIcon_Large(a))
                    EndIf
                  Next a
                  ; When we are finished displaying the icons in the gadget list free both arrays from memory...
                  FreeArray(hIcon_Small())
                  FreeArray(hIcon_Large())
                  ; Count the items in each of the icon gadget windows...
                  StatusBarText(0, 1, Str(CountGadgetItems(1)), #PB_StatusBar_Center)
                  StatusBarText(0, 3, Str(CountGadgetItems(2)), #PB_StatusBar_Center)
                EndIf
            EndSelect
          Case 1
            Select EventType()
              Case #PB_EventType_LeftClick
                ; First check to see if there are any icons in the gadget then change the window icon...
                If GetGadgetState(1) >= 0
                  If ExtractIconEx_(PeekS(@FileName), GetGadgetState(1), #Null, @iIcon, 1)
                    SetClassLongPtr_(WindowID(0), #GCL_HICON, iIcon)
                    DestroyIcon_(iIcon)
                  EndIf
                EndIf
            EndSelect
          Case 2
            Select EventType()
              Case #PB_EventType_LeftClick
                ; First check to see if there are any icons in the gadget then change the window icon...
                If GetGadgetState(2) >= 0
                  If ExtractIconEx_(PeekS(@FileName), GetGadgetState(2), @iIcon, #Null, 1)
                    SetClassLongPtr_(WindowID(0), #GCL_HICON, iIcon)
                    DestroyIcon_(iIcon)
                  EndIf
                EndIf
            EndSelect
        EndSelect
    EndSelect
  Until MyEvent = #PB_Event_CloseWindow
EndIf

Procedure Menu_ExtractIcon()
  Protected MyImage, x, SaveFilename.s, ImageFormat, Extension.s

  ; If there are no icons selected create an error message then exit procedure...
  If GetGadgetState(Gadget) = -1
    MessageRequester("Error!", "There is no image to save!", #MB_ICONINFORMATION | #MB_TOPMOST | #MB_SETFOREGROUND)
    ProcedureReturn
  EndIf

  ; Show the save dialogue and ask user to input file name, we can create a default filename based upon current date/time...
  SaveFilename.s = SaveFileRequester("Saving your image...", FormatDate("%yyyy.%mm.%dd-%hh.%ii.%ss", Date()), "PNG Format|*.png|BMP Format|*.bmp", #Null)

  ; If the user cancelled the dialogue there is nothing to save...
  If SaveFilename.s = ""
    ProcedureReturn
  EndIf

  ; Store the required extension and format type...
  Select SelectedFilePattern()
    Case 0 ; PNG
      ImageFormat = #PB_ImagePlugin_PNG
      Extension.s = ".png"
    Case 1 ; BMP
      ImageFormat = #PB_ImagePlugin_BMP
      Extension.s = ".bmp"
  EndSelect

  ; If called from small gadget list we want small icons and vice-versa for large, then extract a single icon...
  If Gadget = 1
    ExtractIconEx_(PeekS(@FileName), GetGadgetState(Gadget), #Null, @iIcon, 1)
    x = 16
  Else
    ExtractIconEx_(PeekS(@FileName), GetGadgetState(Gadget), @iIcon, #Null, 1)
    x = 32
  EndIf

  ; Create a new image then draw the icon to it...
  If CreateImage(MyImage, x, x, 32)
    StartDrawing(ImageOutput(MyImage))
      DrawingMode(#PB_2DDrawing_AllChannels)
      DrawImage(iIcon, 0, 0, x, x)
    StopDrawing()
  EndIf

  ; Destroy the icon to prevent GDI leaks...
  DestroyIcon_(iIcon)

  ; If the image is a valid image save it, then free the new image from memory whether or not the save succeeded...
  If IsImage(MyImage)
    SaveImage(MyImage, SaveFilename.s + Extension.s, ImageFormat)
    FreeImage(MyImage)
  EndIf
  ProcedureReturn
EndProcedure

Procedure Menu_ExtractIconAll()
  Protected MyImage, x, a, SaveFilename.s, ImageFormat, Extension.s

  ; If there are no icons selected create an error message then exit procedure...
  If GetGadgetState(Gadget) = -1
    MessageRequester("Error!", "There are no images to save!", #MB_ICONINFORMATION | #MB_TOPMOST | #MB_SETFOREGROUND)
    ProcedureReturn
  EndIf

  ; Show the save dialogue and ask user to input file name, we can create a default filename based upon current date/time...
  SaveFilename.s = SaveFileRequester("Saving all your images...", FormatDate("%yyyy.%mm.%dd-%hh.%ii.%ss", Date()), "PNG Format|*.png|BMP Format|*.bmp", #Null)

  ; If the user cancelled the dialogue there is nothing to save...
  If SaveFilename.s = ""
    ProcedureReturn
  EndIf

  ; Store the required extension and format type...
  Select SelectedFilePattern()
    Case 0 ; PNG
      ImageFormat = #PB_ImagePlugin_PNG
      Extension.s = ".png"
    Case 1 ; BMP
      ImageFormat = #PB_ImagePlugin_BMP
      Extension.s = ".bmp"
  EndSelect

  ; If called from small gadget list we want small icons and vice-versa for large, then extract all icons in to an array...
  If Gadget = 1
    Dim iIcon(CountGadgetItems(1))
    ExtractIconEx_(PeekS(@FileName), #Null, #Null, iIcon(), ArraySize(iIcon()))
    x = 16
  Else
    Dim iIcon(CountGadgetItems(2))
    ExtractIconEx_(PeekS(@FileName), #Null, iIcon(), #Null, ArraySize(iIcon()))
    x = 32
  EndIf

  ; Create a new image then draw the icon to it...
  For a = 0 To ArraySize(iIcon()) - 1
    If CreateImage(MyImage, x, x, 32)
      StartDrawing(ImageOutput(MyImage))
        DrawingMode(#PB_2DDrawing_AllChannels)
        DrawImage(iIcon(a), 0, 0, x, x)
      StopDrawing()
    EndIf
    ; Destroy the icon in the array to prevent GDI leaks...
    DestroyIcon_(iIcon(a))
    ; If the image is a valid image save it, then free the new image from memory whether or not the save succeeded...
    If IsImage(MyImage)
      SaveImage(MyImage, SaveFilename.s + Str(a) + Extension.s, ImageFormat)
      FreeImage(MyImage)
    EndIf
  ; Process next icon in the array until all complete then free the array...
  Next a
  FreeArray(iIcon())
  ProcedureReturn
EndProcedure

Procedure Menu_About()
  MessageRequester(Title.s, Info.s, #MB_ICONINFORMATION | #MB_TOPMOST | #MB_SETFOREGROUND)
EndProcedure

Procedure Menu_Callback(hWnd, uMsg, wParam, lParam)
  If uMsg = #WM_CONTEXTMENU
    Select wParam
      Case GadgetID(1)
        DisplayPopupMenu(MyMenu, WindowID(0))
        Gadget = 1
      Case GadgetID(2)
        DisplayPopupMenu(MyMenu, WindowID(0))
        Gadget = 2
    EndSelect
  EndIf
  ProcedureReturn #PB_ProcessPureBasicEvents
EndProcedure

The "cycle icons" sample found in the attached archive...

Declare CycleIcons(void)

If OpenWindow(0, 0, 0, 100, 100, "CycleIcons", #PB_Window_ScreenCentered | #PB_Window_SystemMenu)
  CreateThread(@CycleIcons(), #Null)
  Repeat
    Event = WaitWindowEvent()
  Until Event = #PB_Event_CloseWindow
EndIf

Procedure CycleIcons(void)
  FileName.s = GetCurrentDirectory() + "\test files\imageres.dll"
  ; Return the total number of icons in the file, then extract them all...
  IconNum = ExtractIconEx_(FileName.s, -1, #Null, #Null, #Null)
  Dim hIcon_Small(IconNum)
  Dim hIcon_Large(IconNum)
  ExtractIconEx_(FileName.s, 0, hIcon_Large(), hIcon_Small(), IconNum)
  hDC = GetDC_(WindowID(0))
  For a = 0 To IconNum - 1
    ExtFloodFill_(hDC, #Null, #Null, $f123, #FLOODFILLBORDER)
    SetWindowText_(WindowID(0), "Icon: " + Str(a) + "/" + Hex(a))
    SetClassLongPtr_(WindowID(0), #GCL_HICON, hIcon_Small(a))
    DrawIconEx_(hDC, 25, 30, hIcon_Small(a), #Null, #Null, #Null, #Null, #DI_NORMAL)
    DrawIconEx_(hDC, 65, 30, hIcon_Large(a), #Null, #Null, #Null, #Null, #DI_NORMAL)
    DestroyIcon_(hIcon_Small(a))
    DestroyIcon_(hIcon_Large(a))
    Sleep_(500)
  Next a
  ; A DC obtained with GetDC must be given back with ReleaseDC, not DeleteDC...
  ReleaseDC_(WindowID(0), hDC)
EndProcedure

Ted.

Attachment: Quick Icon Viewer.zip

Teddy Rogers

Just another cracker!

I put this out here to be different, give ya something else to read besides all the other cool crap out there!

*** Really wanted to delete this because it sounds weak, but I think it's an insight into people who are not like you!! ...My personal msg for crackers or coders or scene people... you might be something or someone to somebody out there who has got nothing... you might be an idol, a hero. Shit, when cats were naming super heroes I was the kid naming crackers and scene groups... 0days cats. ((regardless what anyone thinks)) I just put it out there.

I hope you're not out there thinking to yourself "I'm just a freakin coder bro, or a cracker or R.E.... grow up, move on, get a life... 'get a real life'". If I'm judged because I'm a fan of this scene, of these groups, these people, and you're doing this for fun, then what's the point of having an alias? To gain respect from others like you? Maybe.
- Maybe I'm lost. No one will read this or maybe I will just be flamed... I'm just putting it like this, cats: I'm into bodybuilding as a hobby, I work at a major retailer... and know a tiny bit about R.E., but I think what you do is cool as shit, and would love to have half the knowledge you guys have forgot...
Thanks for your time...
Your friend Overkill^

overkill

System Up-Time Since BootTime...

Last week I read a blog entry by Raymond Chen regarding the way Task Manager computes the system's up-time and it reminded me of a bug I noticed in AIDA64's implementation. On Sunday I had a bit of free time before the Manchester United vs Arsenal game kicked off and decided to see what I could come up with.

There are a dozen different methods for calculating up-time; some methods are better and some of these do factor in leap years. Raymond's particular blog mentioned the use of the GetTickCount API (contrary to what he implies, it does include sleep time); that method seems a little long winded if your end result is to format the result into years, months, days, hours, minutes and seconds. I'll show you a simpler way by using NtQuerySystemInformation and taking advantage of Windows API time functions. You can also use this method if you want to compute the time between two different dates, such as how old someone is, although Windows Calculator has that covered with its date calculations. Of course the example code below is in PureBasic; if you have queries regarding the code please comment...

Declare UpdateSystemTime(void)

If OpenWindow(0, 0, 0, 400, 65, "System Up-Time Since BootTime...", #PB_Window_SystemMenu | #PB_Window_ScreenCentered)
  TextGadget(1, 10, 10, 95, 20, "System Boot Time :")
  TextGadget(2, 105, 10, 200, 20, "")
  TextGadget(3, 10, 35, 50, 20, "UpTime :")
  TextGadget(4, 60, 35, 400, 20, "")
  CreateThread(@UpdateSystemTime(), #Null)
  Repeat
    MyEvent = WaitWindowEvent()
  Until MyEvent = #PB_Event_CloseWindow
EndIf

Procedure UpdateSystemTime(void)
  #SystemTimeOfDayInformation = 3
  #STATUS_SUCCESS = 0

  Structure SYSTEM_TIMEOFDAY_INFORMATION
    ; We are only concerned about BootTime and CurrentTime members of this structure.
    BootTime.FILETIME
    CurrentTime.FILETIME
  EndStructure

  ; SystemInformation parameter should be large enough to hold an opaque SYSTEM_TIMEOFDAY_INFORMATION structure.
  Protected SystemBootTime.SYSTEM_TIMEOFDAY_INFORMATION

  Repeat
    ; Use NtQuerySystemInformation to retrieve BootTime and Current time information.
    ; Note "NtQuerySystemInformation may be altered or unavailable in future versions of Windows".
    If NtQuerySystemInformation_(#SystemTimeOfDayInformation, @SystemBootTime, SizeOf(SystemBootTime), #Null) = #STATUS_SUCCESS
      ; Subtract BootTime from CurrentTime to get the time and date difference. Both FILETIMEs are
      ; treated as single 64-bit values so that a borrow from the low DWORD is carried into the high
      ; DWORD; subtracting dwLowDateTime and dwHighDateTime separately overstates the result by 2^32
      ; ticks (about 7 minutes) whenever CurrentTime's low DWORD is smaller than BootTime's.
      PokeQ(@SystemBootTime\CurrentTime, PeekQ(@SystemBootTime\CurrentTime) - PeekQ(@SystemBootTime\BootTime))

      ; Convert the FILETIME structure into a time that is easy to display to a user.
      FileTimeToSystemTime_(@SystemBootTime\BootTime, @lpSystemTime_BootTime.SYSTEMTIME)
      FileTimeToSystemTime_(@SystemBootTime\CurrentTime, @lpSystemTime_CurrentTime.SYSTEMTIME)

      ; Convert BootTime time in Coordinated Universal Time (UTC) to local time.
      SystemTimeToTzSpecificLocalTime_(#Null, @lpSystemTime_BootTime, @lpSystemTime_BootTime)

      ; A FILETIME is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC),
      ; so the difference reads as a date offset from 1601-01-01; remove that offset.
      lpSystemTime_CurrentTime\wYear - 1601
      lpSystemTime_CurrentTime\wMonth - 1
      lpSystemTime_CurrentTime\wDay - 1

      ; Display date and time difference as UpTime Since Last Reboot...
      SetGadgetText(2, Str(lpSystemTime_BootTime\wDay) + "/" + Str(lpSystemTime_BootTime\wMonth) + "/" + Str(lpSystemTime_BootTime\wYear) + " @ " + Str(lpSystemTime_BootTime\wHour) + ":" + Str(lpSystemTime_BootTime\wMinute) + ":" + Str(lpSystemTime_BootTime\wSecond))
      SetGadgetText(4, Str(lpSystemTime_CurrentTime\wYear) + " years, " + Str(lpSystemTime_CurrentTime\wMonth) + " months, " + Str(lpSystemTime_CurrentTime\wDay) + " days, (" + Str(lpSystemTime_CurrentTime\wHour) + " hours, " + Str(lpSystemTime_CurrentTime\wMinute) + " minutes, " + Str(lpSystemTime_CurrentTime\wSecond) + " seconds)")

      ; Cycle once every second...
      Sleep_(1000)
    Else
      MessageBox_(#Null, "Could not retrieve system information...", "Peanut!", #MB_ICONERROR | #MB_TOPMOST | #MB_SETFOREGROUND)
      Break
    EndIf
  ForEver
EndProcedure

Ted.

Attachment: System Up-Time Since BootTime.zip

Teddy Rogers
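
The subtraction in UpdateSystemTime works on the two FILETIME structures. As an added example (not part of Ted's post), the Python below performs the same up-time computation on the FILETIMEs as 64-bit values and, beside it, the subtraction of dwLowDateTime and dwHighDateTime as separate DWORDs, on a constructed boot/current pair chosen so that the low DWORD needs a borrow; it then applies the post's 1601-epoch trick to read years, months and days out of the difference.

```python
# Added example, not code from the original post: the up-time arithmetic of
# UpdateSystemTime() on 64-bit FILETIME values, beside the per-DWORD subtraction,
# on a constructed boot/current time pair.
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)   # FILETIME counts 100 ns ticks from here (UTC)
TICKS_PER_SECOND = 10_000_000
DWORD_MASK = 0xFFFFFFFF


def datetime_to_filetime(dt):
    """Convert a naive UTC datetime to a 64-bit FILETIME tick count."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_datetime(ticks):
    """Inverse of datetime_to_filetime (sub-microsecond ticks are dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def split_filetime(ticks):
    """Split a FILETIME into its (dwLowDateTime, dwHighDateTime) members."""
    return ticks & DWORD_MASK, (ticks >> 32) & DWORD_MASK


def naive_difference(current, boot):
    """Low and high DWORDs subtracted independently.

    Each member wraps modulo 2**32 and no borrow is carried, so whenever
    current's low DWORD is smaller than boot's the result is 2**32 ticks
    (about 429.5 s) too large.
    """
    cur_lo, cur_hi = split_filetime(current)
    boot_lo, boot_hi = split_filetime(boot)
    lo = (cur_lo - boot_lo) & DWORD_MASK
    hi = (cur_hi - boot_hi) & DWORD_MASK
    return (hi << 32) | lo


def correct_difference(current, boot):
    """Same subtraction on the whole 64-bit value (PeekQ/PokeQ in PureBasic)."""
    return current - boot


def uptime_fields(diff_ticks):
    """The post's trick: feed the difference to the calendar as if it were a
    date, then subtract 1601-01-01 to read years/months/days/h/m/s.
    Months and days are therefore counted along the calendar from January 1601."""
    d = filetime_to_datetime(diff_ticks)
    return {"years": d.year - 1601, "months": d.month - 1, "days": d.day - 1,
            "hours": d.hour, "minutes": d.minute, "seconds": d.second}


# Constructed boot time near 2016-04-06 08:00 UTC, with its low DWORD for ced high so
# that adding the up-time below wraps it: the borrow case the per-DWORD code misses.
BOOT_TIME = (datetime_to_filetime(datetime(2016, 4, 6, 8, 0, 0)) & ~DWORD_MASK) | 0xF0000000
UPTIME_SECONDS = 3 * 86400 + 7 * 3600            # 3 days, 7 hours
CURRENT_TIME = BOOT_TIME + UPTIME_SECONDS * TICKS_PER_SECOND

if __name__ == "__main__":
    print("64-bit   :", uptime_fields(correct_difference(CURRENT_TIME, BOOT_TIME)))
    print("per-DWORD:", uptime_fields(naive_difference(CURRENT_TIME, BOOT_TIME)))
```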

Calendar Date Format...

A query was raised last week about how to determine the calendar date format for different regions: year/month/day, day/month/year, etc. After a bit of fruitless pondering whether this could be achieved via API I decided to see if it could be done via the registry. Multiple editions of Windows support the International registry subkey and from there we can use either sShortDate or sLongDate to help us reach our goal. The operating system kindly finds and formats the calendar date in the correct regional order when the user configures their region in the Control Panel or during installation. I chose sShortDate and replaced those known registry values with the values retrieved from the SYSTEMTIME structure. Below is the example...

; Setup string and buffer sizes for storing date values. The size passed to the registry is in
; bytes (including the terminating null) so Unicode builds do not truncate the format string...
DateValue.s = Space(20) : DateSize = StringByteLength(DateValue) + SizeOf(Character)

; Open registry and retrieve the local calendar/date format
If RegOpenKeyEx_(#HKEY_CURRENT_USER, "Control Panel\International", #Null, #KEY_READ, @DateFormat) = #ERROR_SUCCESS
  If RegQueryValueEx_(DateFormat, "sShortDate", #Null, #Null, @DateValue, @DateSize) = #ERROR_SUCCESS
    ; Receive the local date
    GetLocalTime_(@lpSystemTime.SYSTEMTIME)
    ; Find registry format pictures and replace them with values from the SYSTEMTIME structure.
    ; Longer pictures are replaced first so that "yy" does not eat part of "yyyy"; two-letter
    ; pictures are zero padded and "yy" is the two-digit year, as Windows itself renders them.
    DateValue = ReplaceString(DateValue, "yyyy", Str(lpSystemTime\wYear))
    DateValue = ReplaceString(DateValue, "yy", Right(Str(lpSystemTime\wYear), 2))
    DateValue = ReplaceString(DateValue, "MM", RSet(Str(lpSystemTime\wMonth), 2, "0"))
    DateValue = ReplaceString(DateValue, "M", Str(lpSystemTime\wMonth))
    DateValue = ReplaceString(DateValue, "dd", RSet(Str(lpSystemTime\wDay), 2, "0"))
    DateValue = ReplaceString(DateValue, "d", Str(lpSystemTime\wDay))
    ; Display the date
    MessageBox_(#Null, DateValue, "What is the date today?", #MB_ICONQUESTION | #MB_TOPMOST | #MB_SETFOREGROUND)
  EndIf
  RegCloseKey_(DateFormat)
EndIf

If you know of a way this can be done purely by API please let me know...

Ted.

Attachment: Todays Date.zip

Teddy Rogers
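
The sShortDate value is a Windows date picture such as dd/MM/yyyy, so the order in which tokens are replaced matters: a plain string replace turns the dddd and MMMM of a long-date picture into digits. The Python below is an added example, not Ted's code: it tokenises the picture left to right (runs of d, M and y plus single-quoted literals, following the GetDateFormat picture rules) and shows, next to it, what the sequential ReplaceString approach produces for the same constructed date. Day and month names come from Python's calendar module and are English here.

```python
# Added example, not code from the original post: render a date with a Windows
# date picture (the syntax of sShortDate/sLongDate) by tokenising it, beside the
# sequential ReplaceString approach of the snippet. Day and month names come from
# Python's calendar module and are English; the sample date is constructed.
import calendar
from datetime import date


def _field(letter, run, d):
    """Substitute one run of d, M or y of length run (GetDateFormat picture rules)."""
    if letter == "d":
        if run == 1:
            return str(d.day)
        if run == 2:
            return f"{d.day:02d}"
        if run == 3:
            return calendar.day_abbr[d.weekday()]
        return calendar.day_name[d.weekday()]
    if letter == "M":
        if run == 1:
            return str(d.month)
        if run == 2:
            return f"{d.month:02d}"
        if run == 3:
            return calendar.month_abbr[d.month]
        return calendar.month_name[d.month]
    if run == 1:                         # y: last digit of the year
        return str(d.year % 10)
    if run == 2:                         # yy: last two digits, zero padded
        return f"{d.year % 100:02d}"
    return str(d.year)                   # yyyy (and longer): full year


def format_windows_date(picture, d):
    """Render date d using a Windows date picture such as 'dd/MM/yyyy'.

    Runs of the same letter form one token, text between single quotes is
    copied literally ('' inside quotes is one quote), and every other
    character is a separator copied through unchanged.
    """
    out, i, n = [], 0, len(picture)
    while i < n:
        c = picture[i]
        if c == "'":
            j = i + 1
            while j < n:
                if picture[j] == "'":
                    if j + 1 < n and picture[j + 1] == "'":
                        out.append("'")
                        j += 2
                        continue
                    break
                out.append(picture[j])
                j += 1
            i = j + 1
        elif c in "dMy":
            j = i
            while j < n and picture[j] == c:
                j += 1
            out.append(_field(c, j - i, d))
            i = j
        else:
            out.append(c)
            i += 1
    return "".join(out)


def naive_replace(picture, d):
    """The snippet's approach: ReplaceString in a fixed order with unpadded values."""
    for token, value in (("yyyy", d.year), ("yy", d.year), ("MM", d.month),
                         ("M", d.month), ("dd", d.day), ("d", d.day)):
        picture = picture.replace(token, str(value))
    return picture


SAMPLE_DATE = date(2016, 4, 6)           # constructed: a Wednesday

if __name__ == "__main__":
    for pic in ("dd/MM/yyyy", "M/d/yyyy", "yy.M.d", "dddd, d MMMM yyyy", "yyyy'-'MM'-'dd"):
        print(f"{pic:20} {format_windows_date(pic, SAMPLE_DATE):28} {naive_replace(pic, SAMPLE_DATE)}")
```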

DebugBlocker()

Here is a simple example in PureBasic code for using a self-debugger, commonly referred to as Debug Blocker. Compile (or run one of the attached executables in the archive) and click on the "CLICK ME!" button to create a duplicate process that is being self-debugged. Any queries about the code, please comment below...

; ------------------------------------------------------------------
;
; PureBasic DebugBlocker() function, creates a copy of the currently running
; process as a child and attaches to it for self-debugging. This method is
; commonly referred to as "self-debugging" or "Debug Blocker" and is used
; to protect the parent (now child) process from being debugged. Only one
; Ring-3 debugger can be attached to a process in Windows OS.
;
; Return Values:
;
; This function does not return a value.
;
; Remarks:
;
; Debugging events and actions are handled within the function.
;
; By Teddy Rogers / PureBasic 5.24 LTS
;
; ------------------------------------------------------------------

Declare DebugBlocker()

If OpenWindow(1, #Null, #Null, 300, 60, "Self-debugging Example", #PB_Window_ScreenCentered | #PB_Window_SystemMenu)
  ButtonGadget(1, 5, 5, 290, 50, "CLICK ME!", #PB_Button_MultiLine)
  Repeat
    MyEvent = WaitWindowEvent()
    Select MyEvent
      Case #PB_Event_Gadget
        Select EventGadget()
          Case 1
            DebugBlocker()
        EndSelect
    EndSelect
  Until MyEvent = #PB_Event_CloseWindow
EndIf

; A very simple example of self-debugging (Debug-Blocker)...
Procedure DebugBlocker()
  Protected ghMutex, EXIT_PROCESS_DEBUG_EVENT

  ; Create a mutex object, we can use it as an identity to limit the number of spawned processes to be self-debugged...
  ghMutex = CreateMutex_(#Null, #True, "Blocker_Mutex")
  ; If the returned handle is the existing object GetLastError returns ERROR_ALREADY_EXISTS.
  If ghMutex = #Null Or GetLastError_() = #ERROR_ALREADY_EXISTS
    CloseHandle_(ghMutex)
    MessageBox_(WindowID(1), "Self-debugging already in progress...", "Error", #MB_ICONERROR | #MB_TOPMOST | #MB_SETFOREGROUND)
    ProcedureReturn
  EndIf

  ; Find out who we are and create a duplicate process of ourselves...
  GetStartupInfo_(lpStartupInfo.STARTUPINFO)
  If CreateProcess_(#Null, GetCommandLine_(), #Null, #Null, #False, #DEBUG_PROCESS, #Null, #Null, @lpStartupInfo, @lpProcessInformation.PROCESS_INFORMATION)
    ; Infinitely wait for the debugging event EXIT_PROCESS_DEBUG_EVENT in our new process...
    Repeat
      If WaitForDebugEvent_(@myDebug.DEBUG_EVENT, -1)
        If myDebug\dwDebugEventCode = #EXIT_PROCESS_DEBUG_EVENT
          EXIT_PROCESS_DEBUG_EVENT = #True
        EndIf
      EndIf
      ; Continue debugging the process...
      If Not ContinueDebugEvent_(myDebug\dwProcessId, myDebug\dwThreadId, #DBG_CONTINUE)
        MessageBox_(WindowID(1), "Debugging error!", "Error", #MB_ICONERROR | #MB_TOPMOST | #MB_SETFOREGROUND)
      EndIf
    Until EXIT_PROCESS_DEBUG_EVENT

    ; Tidy up process handles identified in the PROCESS_INFORMATION structure...
    CloseHandle_(lpProcessInformation\hProcess)
    CloseHandle_(lpProcessInformation\hThread)
  EndIf

  ReleaseMutex_(ghMutex)
  CloseHandle_(ghMutex) ; Destroy the created Blocker_Mutex
EndProcedure

Ted.

Attachment: Debug Blocker.zip

Teddy Rogers

PW_RENDERFULLCONTENT

Apparently... Windows 8.1 came with a new flag for PrintWindow called PW_RENDERFULLCONTENT. This allows PrintWindow to properly capture window content that is displaying DirectX through DWM.

Below are some screenshots taken of Unreal Tournament. The first is how PrintWindow normally captures a window with DirectX content being rendered inside it; notice the window border is missing and there are corrupted graphics on the right. The second screenshot is taken with PW_RENDERFULLCONTENT...

Below is an example using PureBasic code; there isn't much information about PW_RENDERFULLCONTENT and it is currently undocumented on MSDN. I am sure if I had a bit more spare time I could find a more worthy example to show you than the above images. You get the idea though...

UsePNGImageEncoder()

Declare PrintScreen(hWnd)

; PrintWindow is resolved at run time from User32.dll through this prototype...
Prototype.i PrintWindow(hWnd, hdcBlt, nFlags)
Global PrintWindow.PrintWindow

If OpenWindow(1, #Null, #Null, #Null, #Null, "Capture Window", #PB_Window_Invisible)
  Repeat
    MyEvent = WaitWindowEvent()
    ; Print Screen key captures the game window, Escape quits...
    If GetAsyncKeyState_(#VK_SNAPSHOT) & $8000
      PrintScreen(FindWindow_(#Null, "Unreal Tournament"))
    EndIf
    If GetAsyncKeyState_(#VK_ESCAPE) & $8000
      MyEvent = #PB_Event_CloseWindow
    EndIf
  Until MyEvent = #PB_Event_CloseWindow
EndIf

Procedure PrintScreen(hWnd)
  Protected r.RECT
  #PW_RENDERFULLCONTENT = $00000002
  If OpenLibrary(User32, "User32.dll")
    PrintWindow = GetFunction(User32, "PrintWindow")
    If GetWindowRect_(hWnd, r.RECT)
      If CreateImage(CapImage, r\right - r\left, r\bottom - r\top, 32)
        hdc = StartDrawing(ImageOutput(CapImage))
          ; PW_RENDERFULLCONTENT -> new in Windows 8.1, can capture DirectX screens through DWM
          Okay = PrintWindow(hWnd, hdc, #PW_RENDERFULLCONTENT)
        StopDrawing()
        If Okay
          SaveImage(CapImage, "C:\Users\Teddy\Downloads\" + FormatDate("%yyyy.%mm.%dd-%hh.%ii.%ss", Date()) + ".png", #PB_ImagePlugin_PNG)
        EndIf
        ; Free the capture image whether or not PrintWindow succeeded...
        FreeImage(CapImage)
      EndIf
    EndIf
    CloseLibrary(User32)
  EndIf
EndProcedure

If you have more information or details on PW_RENDERFULLCONTENT
please tell me about it...

Ted.

Teddy Rogers


Immdbg - scripting

It has been a while since this good debugger became available for download on Immunity's homepage. The debugger has a lot of improvements over its older brother, OllyDbg. One such improvement is the ability to code scripts through an integrated Python interface, which completely supersedes the obsolete OllyDbg scripting. It has endless potential and I advise you to look elsewhere for more information on the use of Immunity Debugger's integrated APIs. Today I am posting a small script I coded to unpack UPX code. Keep in mind that no IAT reconstruction will be performed, as this is merely an illustrative script that may help you get started at coding scripts for Immunity if you are interested.

__VERSION__ = '1.0'

import immlib
import getopt
import immutils
from immutils import *

imm = immlib.Debugger()  # init debugger

# functions

# main
def main(args):
    imm.log("Started search for jmp at oep...")
    imm.updateLog()
    regtable = imm.getRegs()                    # gets all registers, table-like
    patt = "\x00\x00\x00\x00\x00\x00\x00\x00"   # UPX target pattern: the zero padding after the tail jmp
    count = 0
    eip_curr = regtable["EIP"]                  # retrieves the current EIP (the packer entry point)
    while (count < 768):
        mem = imm.readMemory(eip_curr + count, 8)
        if (mem == patt):
            imm.log("match: %08x" % (eip_curr + count))
            break
        count = count + 1
    if (mem != patt):
        imm.log("No pattern found: YOU NEED TO BE AT OEP!")
        return "failure"
    # the 5-byte jmp to the OEP (E9 rel32) sits right in front of the padding
    imm.setBreakpoint(eip_curr + count - 5)
    imm.run()
    imm.stepIn()
    imm.log("code ep successfully found")
    return "success"

Check the help file for the list of all Immunity APIs; keep in mind that this list does not describe the behaviour of the APIs, it just lists them. Also, the unpacker seems to be working fine - report otherwise.

xSRTsect


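The scan the script performs (find the zero padding that follows the UPX tail `jmp OEP`, then back up five bytes to the `E9 rel32` instruction) works just as well statically on a byte buffer. The following is an added example in C, not code from the original post, that runs the same heuristic over a constructed stand-in for the packer stub, checks that the byte in front of the padding really is an `E9` near jump, and computes the OEP from the relative displacement instead of single-stepping into it. The stub bytes, the entry-point address 0x00420000 and the OEP 0x00401000 are all made up for the example; the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SCAN_LIMIT 768   /* same window the Immunity script scans from EIP */
#define PAD_LEN    8     /* the script's pattern: eight zero bytes */
#define JMP_LEN    5     /* E9 rel32 */

/* Scan the packer stub (loaded at virtual address `ep`, `len` bytes) for a run of
 * PAD_LEN zero bytes within SCAN_LIMIT bytes of the entry point, as the script does,
 * and check that the instruction in front of the padding is a near jmp. On success
 * returns the VA of the jmp and stores its target, the OEP, in *oep. Returns 0 when
 * no tail jump is found. */
uint32_t find_upx_tail_jmp(const uint8_t *stub, size_t len, uint32_t ep, uint32_t *oep)
{
    static const uint8_t pad[PAD_LEN] = {0};
    size_t limit = len < SCAN_LIMIT ? len : SCAN_LIMIT;
    size_t off = JMP_LEN;             /* need JMP_LEN bytes in front of the run */

    while (off + PAD_LEN <= limit) {
        if (memcmp(stub + off, pad, PAD_LEN) != 0) {
            off++;
            continue;
        }
        size_t j = off - JMP_LEN;     /* where the script sets its breakpoint */
        if (stub[j] == 0xE9) {
            uint32_t rel = (uint32_t)stub[j + 1] | ((uint32_t)stub[j + 2] << 8) |
                           ((uint32_t)stub[j + 3] << 16) | ((uint32_t)stub[j + 4] << 24);
            uint32_t jmp_va = ep + (uint32_t)j;
            /* rel32 is relative to the next instruction; unsigned wrap-around handles negative displacements */
            *oep = jmp_va + JMP_LEN + rel;
            return jmp_va;
        }
        /* a zero run with no jmp in front of it: skip the whole run and keep scanning */
        while (off < limit && stub[off] == 0)
            off++;
    }
    return 0;
}

/* Constructed stand-in for a UPX stub: nop filler, then `jmp oep`, then zero padding. */
void build_sample_stub(uint8_t *buf, size_t len, uint32_t ep, size_t jmp_off, uint32_t oep)
{
    uint32_t rel = oep - (ep + (uint32_t)jmp_off + JMP_LEN);
    memset(buf, 0x90, jmp_off);
    buf[jmp_off]     = 0xE9;
    buf[jmp_off + 1] = (uint8_t)rel;
    buf[jmp_off + 2] = (uint8_t)(rel >> 8);
    buf[jmp_off + 3] = (uint8_t)(rel >> 16);
    buf[jmp_off + 4] = (uint8_t)(rel >> 24);
    memset(buf + jmp_off + JMP_LEN, 0, len - jmp_off - JMP_LEN);
}

/* Builds the sample stub at a made-up UPX1 entry point and returns the OEP recovered from it. */
uint32_t demo_recover_oep(void)
{
    uint8_t stub[64];
    uint32_t ep = 0x00420000, want = 0x00401000, oep = 0;
    build_sample_stub(stub, sizeof stub, ep, 20, want);
    if (find_upx_tail_jmp(stub, sizeof stub, ep, &oep) == 0)
        return 0;
    return oep;
}

/* A zero run that is not preceded by E9 must be skipped rather than reported. */
uint32_t demo_no_tail_jmp(void)
{
    uint8_t stub[64];
    uint32_t oep = 0;
    memset(stub, 0x90, sizeof stub);
    memset(stub + 30, 0, 16);
    return find_upx_tail_jmp(stub, sizeof stub, 0x00420000, &oep);
}

int main(void)
{
    printf("recovered OEP: %08x\n", demo_recover_oep());
    return 0;
}
```

The check on the `E9` opcode is the part the script leaves to the human: if the eight zero bytes are not preceded by a near jump, the breakpoint at `match - 5` lands in the middle of some other instruction, and `stepIn` will not arrive at the OEP.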
IsUserAnAdministrator()

I needed some code in PureBasic to check if the logged in user and/or running process is a member of the Administrators group. There is an IsUserAnAdmin function; it works and is easy to include in your code...

If IsUserAnAdmin_()
  Debug "Running as an Administrator"
Else
  Debug "Running as a Limited User"
EndIf

Unfortunately, as Microsoft states on MSDN, it's a wrapper with a short lifespan: support for it ended with Windows Vista, although the function still works in Windows 8.1. Microsoft suggests using the CheckTokenMembership function with the NtAuthority SID identifier authority, which requires a little more code to be backward compatible and future proof. Fortunately Microsoft provides example C++ code on MSDN; porting it to PureBasic requires a bit more work. The code below is a translation of that code...

Note what is actually being tested: CheckTokenMembership with a #Null token looks at the calling thread's impersonation token, or the process token if the thread is not impersonating. On Vista and later with UAC enabled, a non-elevated process started by a member of Administrators runs with a filtered token in which the Administrators SID is marked deny-only, so the function below returns FALSE until the process is elevated, even though the user is an administrator.

; ------------------------------------------------------------------
;
; PureBasic IsUserAnAdministrator() function to check if the caller's process
; is a member of the Administrators group. Code taken from Microsoft's
; example shown at the CheckTokenMembership function.
;
; Return Value:
;
; TRUE  - Caller is a member of the Administrators local group.
; FALSE - Caller is not a member of the Administrators local group.
;
; http://msdn.microsoft.com/en-us/library/windows/desktop/aa376389%28v=vs.85%29.aspx
;
; See SID structures:
;
; http://msdn.microsoft.com/en-us/library/cc980032.aspx
; http://technet.microsoft.com/en-us/library/cc778824%28v=WS.10%29.aspx
;
; By Teddy Rogers / PureBasic 5.24 LTS
;
; ------------------------------------------------------------------

Prototype.i CheckTokenMembership(TokenHandle, SidToCheck, IsMember)
Global CheckTokenMembership.CheckTokenMembership

Prototype.i AllocateAndInitializeSid(pIdentifierAuthority, nSubAuthorityCount, dwSubAuthority0, dwSubAuthority1, dwSubAuthority2, dwSubAuthority3, dwSubAuthority4, dwSubAuthority5, dwSubAuthority6, dwSubAuthority7, pSid)
Global AllocateAndInitializeSid.AllocateAndInitializeSid

Prototype.i FreeSid(pSid)
Global FreeSid.FreeSid

; SID_IDENTIFIER_AUTHORITY: six bytes, big-endian
Structure NtAuthority
  NtAuthority.b[6]
EndStructure

Procedure IsUserAnAdministrator()
  Protected IsMember, *AdministratorsGroup
  Protected SECURITY_NT_AUTHORITY.NtAuthority
  If OpenLibrary(advapi32, "advapi32.dll")
    CheckTokenMembership = GetFunction(advapi32, "CheckTokenMembership")
    AllocateAndInitializeSid = GetFunction(advapi32, "AllocateAndInitializeSid")
    FreeSid = GetFunction(advapi32, "FreeSid")
    If CheckTokenMembership And AllocateAndInitializeSid And FreeSid
      ; SECURITY_NT_AUTHORITY = {0, 0, 0, 0, 0, 5}
      SECURITY_NT_AUTHORITY\NtAuthority[5] = 5
      ; AllocateAndInitializeSid allocates and initializes a SID with up to eight subauthorities;
      ; with these two it builds the well-known SID S-1-5-32-544 (BUILTIN\Administrators).
      If AllocateAndInitializeSid(@SECURITY_NT_AUTHORITY, 2, #SECURITY_BUILTIN_DOMAIN_RID, #DOMAIN_ALIAS_RID_ADMINS, #Null, #Null, #Null, #Null, #Null, #Null, @*AdministratorsGroup)
        ; #Null token = the calling thread's impersonation token, or the process token if not impersonating
        If CheckTokenMembership(#Null, *AdministratorsGroup, @IsMember) = #False
          IsMember = #False
        EndIf
        FreeSid(*AdministratorsGroup)
      EndIf
    EndIf
    CloseLibrary(advapi32)
  EndIf
  ProcedureReturn IsMember
EndProcedure

Debug IsUserAnAdministrator()

Ted.

Teddy Rogers


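As an added example (not part of the original post, and neither Microsoft's nor PureBasic's code), here is what AllocateAndInitializeSid actually builds for the two subauthorities above, written in portable C so it can be checked without a Windows box. The SID_IDENTIFIER_AUTHORITY the post fills in as {0,0,0,0,0,5} is a six-byte big-endian number, the subauthorities are little-endian DWORDs, and the whole structure renders as the well-known string S-1-5-32-544. The encoder and decoder follow the layout in the SID documentation the post links to; the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SID_REVISION                1
#define SID_MAX_SUB_AUTH            15
#define SECURITY_NT_AUTHORITY       5      /* the value the post stores in NtAuthority[5] */
#define SECURITY_BUILTIN_DOMAIN_RID 32
#define DOMAIN_ALIAS_RID_ADMINS     544

/* Binary SID layout:
 *   BYTE Revision; BYTE SubAuthorityCount; BYTE IdentifierAuthority[6] (big-endian);
 *   DWORD SubAuthority[SubAuthorityCount] (little-endian)
 * Returns the encoded length, or 0 if `out` is too small, the authority does not
 * fit in 48 bits, or there are too many subauthorities. */
size_t sid_encode(uint8_t *out, size_t cap, uint64_t authority, const uint32_t *subs, size_t nsubs)
{
    size_t need = 8 + 4 * nsubs;
    if (nsubs > SID_MAX_SUB_AUTH || (authority >> 48) != 0 || cap < need)
        return 0;
    out[0] = SID_REVISION;
    out[1] = (uint8_t)nsubs;
    for (int i = 0; i < 6; i++)                      /* 48-bit authority, big-endian */
        out[2 + i] = (uint8_t)(authority >> (8 * (5 - i)));
    for (size_t s = 0; s < nsubs; s++) {            /* each RID little-endian */
        uint32_t v = subs[s];
        out[8 + 4 * s + 0] = (uint8_t)v;
        out[8 + 4 * s + 1] = (uint8_t)(v >> 8);
        out[8 + 4 * s + 2] = (uint8_t)(v >> 16);
        out[8 + 4 * s + 3] = (uint8_t)(v >> 24);
    }
    return need;
}

/* Render a binary SID as S-R-A-S1-S2..., the form ConvertSidToStringSid produces.
 * Returns 0 on malformed input (bad revision, too many subauthorities, truncated buffer). */
int sid_to_string(const uint8_t *sid, size_t len, char *out, size_t cap)
{
    if (len < 8 || sid[0] != SID_REVISION || sid[1] > SID_MAX_SUB_AUTH || len < 8 + 4 * (size_t)sid[1])
        return 0;
    uint64_t authority = 0;
    for (int i = 0; i < 6; i++)
        authority = (authority << 8) | sid[2 + i];
    int n = snprintf(out, cap, "S-%u-%llu", (unsigned)sid[0], (unsigned long long)authority);
    if (n < 0 || (size_t)n >= cap)
        return 0;
    for (size_t s = 0; s < sid[1]; s++) {
        const uint8_t *p = sid + 8 + 4 * s;
        uint32_t v = p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        int m = snprintf(out + n, cap - n, "-%u", v);
        if (m < 0 || (size_t)m >= cap - n)
            return 0;
        n += m;
    }
    return 1;
}

/* Exactly what AllocateAndInitializeSid(SECURITY_NT_AUTHORITY, 2, 32, 544, ...) hands back. */
size_t builtin_administrators_sid(uint8_t *out, size_t cap)
{
    uint32_t subs[2] = { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS };
    return sid_encode(out, cap, SECURITY_NT_AUTHORITY, subs, 2);
}

int main(void)
{
    uint8_t sid[8 + 4 * SID_MAX_SUB_AUTH];
    char str[128];
    size_t len = builtin_administrators_sid(sid, sizeof sid);
    for (size_t i = 0; i < len; i++)
        printf("%02x ", sid[i]);
    if (sid_to_string(sid, len, str, sizeof str))
        printf("\n%s\n", str);
    return 0;
}
```

The 16 bytes that come out are 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00: revision 1, two subauthorities, authority 5, then 32 and 544 as little-endian DWORDs. The decoder's length check matters when a SID comes from an untrusted buffer (a token, a security descriptor on disk, a network message); SubAuthorityCount must be bounded by the bytes actually present before it is trusted.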
PureBasic Adventures...

Last year a friend of mine was talking about PureBasic and how easy and good it was for coding and how much he liked working with it. I didn't really take much notice of it - it was just another Basic language, right?! Earlier this year he started showing off some of his remade old school crack intros and demos from way back in the early 80s and 90s from the Amiga scene, including some general effects, so I decided to download a copy of PureBasic and tried out some of the features of the language. I liked it so much that I ended up purchasing a licence for PureBasic and have been using it ever since when I've needed to quickly code some tool or another. Why do I like it? Simply because of the ease with which I can get something done with minimal fuss and time. I can access all Windows APIs, code can be natively compiled (and switched) between 32 and 64 bit with a couple of mouse clicks, and PureBasic's own command set is extensive. It's a very good Basic language.

I don't normally do blogs, it's not my thing. I certainly don't have the time, but I want to help spread the language. I'm likely not going to be posting amazing demo effects as I don't have the time to be spending on such things, but I will post some snippets of code I needed to come up with in PureBasic for applications or tools. I can't promise you will be wowed or amazed by any of the samples; I'm really just going to be posting things I've worked on and included in some programs, or just code snippets to better understand how PureBasic works.

The first PureBasic sample I am going to post is some test code for a tool I coded where I needed multiple animated tray icons to be displayed to provide various information to the user. I hadn't found any similar code in PureBasic, either in the example or archived code libraries or in the PureBasic forums. This example creates two tray icons that cycle through imageres.dll via threads. Imageres.dll is basically an image library that comes with Windows; I believe it's on Vista and later and it's similar to shell32.dll but with nicer icons and a larger library. The example also listens out for the TaskbarCreated Windows message: if the taskbar crashes and has to reload and your application does not listen for the TaskbarCreated message, your tray icon will not reappear. Cycling through the icons was a cheap way to get some "animation" to show up in the example. A callback is created to listen for events happening over the tray icons such as mouse clicks and mouse hover. Normally if you have only one icon in your program you don't have to use callbacks; I needed the callbacks because it was the only way I could get multiple icons working effectively in PureBasic. The threads are used to stop the tray icons locking up once the cycling of the icons is started. I have added some comments but if you have any particular questions about the example please ask...

; ------------------------------------------------------------------
;
; Dual SysTray, Threaded & "Animated" "imageres.dll" System Icons
; "imageres.dll" is available on Windows 7 & 8 (Vista??)
;
; By Teddy Rogers / PureBasic 5.22
;
; ------------------------------------------------------------------

; Declare our procedures
Declare WinCallback_Icon1(WindowID, uMsg, wParam, lParam)
Declare WinCallback_Icon2(WindowID, uMsg, wParam, lParam)
Declare SetImage(Icon)
Declare ChangeIcon(void)

; Declare some global variables...
Global Num1 = 100 ; Set our default "imageres.dll" tray icon 1
Global Num2 = 101 ; Set our default "imageres.dll" tray icon 2
Global ThreadID   ; This is used to end the thread
Global IconNum = ExtractIconEx_("imageres.dll", -1, #Null, #Null, #Null) ; Number of icons in "imageres.dll"

; Register a message with the "TaskbarCreated" string
Global TaskbarRestart = RegisterWindowMessage_("TaskbarCreated")

; Define two windows for separate icons/menus and callbacks
If OpenWindow(1, 0, 0, 0, 0, "", #PB_Window_Invisible)
  If OpenWindow(2, 0, 0, 0, 0, "", #PB_Window_Invisible)
    ; These are the callbacks to watch for events on each of the icons
    SetWindowCallback(@WinCallback_Icon1(), 1)
    SetWindowCallback(@WinCallback_Icon2(), 2)
    ; Add the system tray icons using icons from "imageres.dll"
    AddSysTrayIcon(1, WindowID(1), SetImage(Num1))
    AddSysTrayIcon(2, WindowID(2), SetImage(Num2))
    ; Setup some tooltips...
    SysTrayIconToolTip(1, "You are hovering over icon 1")
    SysTrayIconToolTip(2, "You are hovering over icon 2")
    ; Create icon 1 menu with PureBasic modern look (we use "imageres.dll" for menu icons)
    If CreatePopupImageMenu(1, #PB_Menu_ModernLook)
      MenuItem(01, "Open", SetImage(174))
      MenuItem(02, "Save", SetImage(39))
      MenuItem(03, "Save as", SetImage(23))
      MenuItem(04, "Quit", SetImage(84))
      MenuBar()
      OpenSubMenu("Recent files")
        MenuItem(05, "PureBasic.exe")
        MenuItem(06, "Test.txt")
      CloseSubMenu()
    EndIf
    ; Create icon 2 menu with standard look (we use "imageres.dll" for menu icons)
    If CreatePopupImageMenu(2, 0)
      MenuItem(07, "Open", SetImage(174))
      MenuItem(08, "Save", SetImage(39))
      MenuItem(09, "Save as", SetImage(23))
      MenuItem(10, "Quit", SetImage(84))
      MenuBar()
      OpenSubMenu("Recent files")
        MenuItem(11, "PureBasic.exe")
        MenuItem(12, "Test.txt")
      CloseSubMenu()
    EndIf
    ; Wait for a MenuItem to be selected... then do some stuff...
    Repeat
      Event = WaitWindowEvent()
      Select Event
        Case #PB_Event_Menu
          Select EventMenu()
            ; Icon 1 menu actions...
            Case 01 : Debug "Menu: Open (Icon 1)"
            Case 02 : Debug "Menu: Save (Icon 1)"
            Case 03 : Debug "Menu: Save as (Icon 1)"
            Case 04 : End
            Case 05 : Debug "Menu: PureBasic.exe (Icon 1)"
            Case 06 : Debug "Menu: Test.txt (Icon 1)"
            ; Icon 2 menu actions...
            Case 07 : Debug "Menu: Open (Icon 2)"
            Case 08 : Debug "Menu: Save (Icon 2)"
            Case 09 : Debug "Menu: Save as (Icon 2)"
            Case 10 : End
            Case 11 : Debug "Menu: PureBasic.exe (Icon 2)"
            Case 12 : Debug "Menu: Test.txt (Icon 2)"
          EndSelect
      EndSelect
    Until Event = #PB_Event_CloseWindow
  EndIf
EndIf

; We will use the Windows default system icons for our own menu options
Procedure SetImage(Icon)
  Protected iIcon
  ExtractIconEx_("imageres.dll", Icon, 0, @iIcon, 1)
  If CreateImage(MyImage, 16, 16, 32)
    StartDrawing(ImageOutput(MyImage))
      Box(0, 0, 16, 16, GetSysColor_(#COLOR_MENU))
      DrawingMode(#PB_2DDrawing_AllChannels)
      DrawImage(iIcon, 0, 0, 16, 16)
    StopDrawing()
  EndIf
  DestroyIcon_(iIcon)
  ProcedureReturn ImageID(MyImage)
EndProcedure

; Icon Number 1 (clicking the left mouse button starts automatic cycling through the icons, clicking left again ends the thread)
Procedure WinCallback_Icon1(WindowID, uMsg, wParam, lParam)
  ; End the thread if it is already running, or start it...
  Select lParam
    Case #WM_LBUTTONDOWN
      If ThreadID
        ThreadID = #Null
      Else
        ThreadID = CreateThread(@ChangeIcon(), 0)
      EndIf
    ; Display popup-menu 1
    Case #WM_RBUTTONDOWN
      DisplayPopupMenu(1, WindowID(1))
  EndSelect
  ; Listen for the "TaskbarCreated" broadcast sent to all windows if the taskbar is recreated, then...
  ; Recreate our tray icon including the tool tip...
  Select uMsg
    Case TaskbarRestart
      AddSysTrayIcon(1, WindowID(1), SetImage(Num1))
      SysTrayIconToolTip(1, "You are hovering over icon 1")
  EndSelect
  ProcedureReturn #PB_ProcessPureBasicEvents
EndProcedure

; Icon Number 2 (clicking the left mouse button manually cycles through the icons one at a time)
Procedure WinCallback_Icon2(WindowID, uMsg, wParam, lParam)
  ; Cycle through "imageres.dll" icons. Windows 7 has 218 and Windows 8 has 384!!!
  Select lParam
    Case #WM_LBUTTONDOWN
      Num2 = Num2 + 1
      If Num2 >= IconNum ; icon indexes run from 0 to IconNum - 1
        Num2 = 0
      EndIf
      ChangeSysTrayIcon(2, SetImage(Num2))
    ; Display popup-menu 2
    Case #WM_RBUTTONDOWN
      DisplayPopupMenu(2, WindowID(1))
  EndSelect
  ; Listen for the "TaskbarCreated" broadcast sent to all windows if the taskbar is recreated, then...
  ; Recreate our tray icon including the tool tip...
  Select uMsg
    Case TaskbarRestart
      AddSysTrayIcon(2, WindowID(2), SetImage(Num2))
      SysTrayIconToolTip(2, "You are hovering over icon 2")
  EndSelect
  ProcedureReturn #PB_ProcessPureBasicEvents
EndProcedure

; Create a thread to cycle through the icons; creating a thread allows us to continue using the tray menu(s)
Procedure ChangeIcon(void)
  ; Cycle through "imageres.dll" icons. Windows 7 has 218 and Windows 8 has 384!!!
  Repeat
    Num1 = Num1 + 1
    If Num1 >= IconNum
      Num1 = 0
    EndIf
    Sleep_(500)
    ChangeSysTrayIcon(1, SetImage(Num1))
  Until ThreadID = #Null
EndProcedure

Ted.

Animated Tray Icon.zip

Teddy Rogers


Attacking Armadillo's Stolen Keys feature

Hello everyone,

Lately I thought it would be good to share some of the stuff I did with Armadillo with the general public; this time it will be about Armadillo's Stolen Keys feature. When I have some time available I will update this blog, but in general I don't like typing long essays, so don't expect too much from that promise.

What are stolen keys?

Quite obviously, stolen keys are stolen (or otherwise illegally obtained) serials for an Armadillo project. The project developer can maintain a list of these stolen keys, and when one of them is entered in the registration dialog it will not be accepted.

Very briefly, in Armadillo you have various types of keys and also various key levels. Except for unsigned keys (level 0), all keys consist of two parts:

[KEYBYTES][SIGNATURE]

The signature is the digital signature of the keybytes; this is just to verify the integrity of a key. For this post, only its size is of importance. The keybytes also have a variable length. Every serial in Armadillo can store 5 so-called 'otherinfo' WORDs, 1 date WORD, 1 DWORD (the symmetric key) and optionally a keystring. The symmetric key is the key we are looking for when dealing with Armadillo. It is (together with some other constant values) used to decrypt certificate descriptors. These are used to decrypt the program code and optionally the secured sections. Here is the outline of a key:

[ [OTHERINFO][DATE][SYM][KEYSTRING] ][SIGNATURE]

As you can see, our target is somewhere near the middle of a fully filled key. Luckily, with the correct info, we can strip out the signature, leaving us 1-6 WORDs (otherinfo + the encoded date value), the symmetric key and possibly a keystring.

Before I continue I would like to point out that the stolen keys are not stored unencrypted in the target file. Every key is encrypted using a simple XOR encryption with the name bound to the key as the seed. Encryption/decryption goes as follows:

char tmp[2048] = "";
CookText(tmp, name);                                    // UPPERCASE and strip bad characters
unsigned int seed = crc32(tmp, strlen(tmp), NewCRC32);  // CRC32 of name
InitRandomGenerator(seed);                              // Initialize random number generator
for (int i = 0; i < keylength; i++)
    keybytes[i] ^= NextRandomRange(256);

NextRandomRange gets a pseudo-random number in the provided range, in this case a byte. Here is the source code of the random number generator:

/* source start */
#define m  100000000L
#define m1 10000L
#define b  31415821L

unsigned long a;

unsigned long mult(long p, long q)
{
    unsigned long p1 = p / m1, p0 = p % m1, q1 = q / m1, q0 = q % m1;
    return (((p0 * q1 + p1 * q0) % m1) * m1 + p0 * q0) % m;
}

void InitRandomGenerator(unsigned long seed)
{
    a = seed;
}

void NextRandomSeed()
{
    a = (mult(a, b) + 1) % m;
}

unsigned long NextRandomRange(long range)
{
    NextRandomSeed();
    return (((a / m1) * range) / m1);
}
/* source end */

Attacking

Our goal is to find the decryption key of the stolen key. Let's take a close look at the random number generator. Actually, when we look at NextRandomSeed, we can see a weakness very easily: the new seed is reduced modulo m (100000000) and the remainder becomes the actual new seed. This means that every seed is limited to 99999999, and that is a fairly small number of brute force attempts! (mult(p, q) is just p*q mod m computed in pieces to avoid overflow, so the whole generator is the linear congruential generator a = (a*31415821 + 1) mod 10^8, with at most 10^8 possible states.)

Our goal for today is to write a function that returns a possible symmetric key from a seed and a piece of data collected from any stolen key (specifically the encrypted symmetric key). Before I start with that I would like to point out that the first two bytes of a stolen key can always be considered junk. This is because either the date or various otherinfo parameters always come before the symmetric key. In reality, only a maximum of 4 otherinfo parameters is possible (the SoftwarePassport GUI has no use for the 5th otherinfo parameter). This means that we would only have to try a maximum of 5 times before we actually find the symmetric key.

/* source start */
unsigned long NextRandomRangeMod(unsigned int seed)
{
    return (((seed / m1) * 256) / m1);           // the byte produced by a given generator state
}

unsigned int NextRandomSeed(unsigned int seed)
{
    return (mult(seed, b) + 1) % m;
}

unsigned int decrypt_data(unsigned int seed, unsigned int data)
{
    int next = seed;
    int res = NextRandomRangeMod(next) << 24;    // no little endian
    next = NextRandomSeed(next);
    res |= NextRandomRangeMod(next) << 16;
    next = NextRandomSeed(next);
    res |= NextRandomRangeMod(next) << 8;
    next = NextRandomSeed(next);
    res |= NextRandomRangeMod(next);
    return res ^ data;
}

int main()
{
    unsigned int stolen_data = 0x????????;       // the encrypted symmetric key as read from the target
    for (int i = 0; i < m; i++)
    {
        unsigned int sym = decrypt_data(i, stolen_data);
        if (VerifySym(sym))                       // imaginary function that checks the sym
        {
            printf("found: %.8X", sym);
            break;
        }
    }
}
/* end of code */

Conclusion

When implemented in CUDA, brute forcing Armadillo v3-v7.2 goes from ~20 to less than a second. Armadillo v7.4 and higher goes from 2.5-3 hours to 4 minutes!

Little tool I created for testing my theories, it actually works! In the attachment I included a DLL that implements the algorithm (and various other Armadillo-related algorithms) with multi-threaded support. I decided not to include the tool because this post is about how it works, not all the tools I created in my life.

Last but not least, a hint to the guys at SiliconRealms: do not store (encrypted) keys in a protected file, just store a list of hashes.

I hope you learned something from this!

Greetings,

Mr. eXoDia

PS If you have any remarks or found a mistake (not related to grammar please), feel free to PM me.

mrexodia


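To make the attack concrete, here is an added, self-contained C example of my own (not the post's DLL and not Armadillo's code) that reimplements the generator exactly as listed above, applies the name-seeded XOR to a constructed key whose symmetric DWORD sits at offset 2 (after one otherinfo WORD), and then recovers that DWORD by walking the generator's state space with the post's decrypt_data logic. Everything in it is constructed: the seed stands in for the CRC32 of the cooked name (crc32 and CookText are not reimplemented), the sym value is arbitrary, and the verifier stands in for the post's imaginary VerifySym, which in practice would try the candidate against a certificate descriptor. main() searches all 10^8 states; the demo helper takes a window so that an automated check finishes in a fraction of a second.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Generator constants exactly as in the post */
#define M  100000000UL
#define M1 10000UL
#define B  31415821UL

/* Armadillo's mult() from the post; algebraically this is p*q mod M, computed
 * in pieces so it never overflows 32 bits. */
static uint32_t arma_mult(uint32_t p, uint32_t q)
{
    uint32_t p1 = p / M1, p0 = p % M1, q1 = q / M1, q0 = q % M1;
    return (((p0 * q1 + p1 * q0) % M1) * M1 + p0 * q0) % M;
}

/* NextRandomSeed: a = (a*B + 1) mod M, so every state lies in [0, M). */
uint32_t arma_next_state(uint32_t a)
{
    return (arma_mult(a, B) + 1) % M;
}

/* The byte NextRandomRange(256) derives from state a (after the seed update). */
uint32_t arma_byte_from_state(uint32_t a)
{
    return ((a / M1) * 256) / M1;
}

/* The post's key encryption: XOR each key byte with the next generator byte.
 * XOR is its own inverse, so the same call decrypts. `seed` stands in for
 * crc32(CookText(name)). */
void arma_xor_key(uint32_t seed, uint8_t *keybytes, size_t keylength)
{
    uint32_t a = seed;
    for (size_t i = 0; i < keylength; i++) {
        a = arma_next_state(a);
        keybytes[i] ^= (uint8_t)arma_byte_from_state(a);
    }
}

/* The post's decrypt_data: treat `state` as the generator state that produced the
 * first of four consecutive keystream bytes and peel them off a big-endian DWORD. */
uint32_t arma_decrypt_dword(uint32_t state, uint32_t data)
{
    uint32_t res = 0;
    for (int i = 0; i < 4; i++) {
        res = (res << 8) | arma_byte_from_state(state);
        state = arma_next_state(state);
    }
    return res ^ data;
}

/* Walk candidate states in [lo, hi) and return the first whose decrypted DWORD
 * satisfies verify(); returns M if none does. */
uint32_t arma_bruteforce_state(uint32_t lo, uint32_t hi, uint32_t data,
                               int (*verify)(uint32_t sym, void *ctx), void *ctx)
{
    for (uint32_t s = lo; s < hi && s < M; s++)
        if (verify(arma_decrypt_dword(s, data), ctx))
            return s;
    return M;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Stand-in for VerifySym: compares against the sym we planted. */
static int verify_known_sym(uint32_t sym, void *ctx)
{
    return sym == *(uint32_t *)ctx;
}

/* Constructed demo: one otherinfo WORD, then the symmetric DWORD, encrypted under
 * `seed`. Returns the recovered sym (0 on failure). `window` bounds the search
 * around the true state; pass M to search the whole state space. */
uint32_t demo_recover_sym(uint32_t seed, uint32_t sym, uint32_t window)
{
    uint8_t key[6] = { 0x01, 0x00 };                 /* the junk first two bytes the post mentions */
    key[2] = (uint8_t)(sym >> 24); key[3] = (uint8_t)(sym >> 16);
    key[4] = (uint8_t)(sym >> 8);  key[5] = (uint8_t)sym;
    arma_xor_key(seed, key, sizeof key);             /* what ends up in the stolen-key list */

    uint32_t enc = be32(key + 2);                    /* the encrypted sym at offset 2 */
    /* Offset 2 means the sym's first byte came from the third state after the seed. */
    uint32_t truth = arma_next_state(arma_next_state(arma_next_state(seed)));
    uint32_t lo = (window >= M) ? 0 : (truth > window ? truth - window : 0);
    uint32_t hi = (window >= M) ? M : truth + window;

    uint32_t found = arma_bruteforce_state(lo, hi, enc, verify_known_sym, &sym);
    return found == M ? 0 : arma_decrypt_dword(found, enc);
}

int main(void)
{
    /* Full 10^8-state search, as in the post's main(); a second or two on a modern CPU. */
    printf("recovered sym: %08x\n", demo_recover_sym(0xC0FFEE, 0xDEADBEEF, M));
    return 0;
}
```

Note that the brute force recovers a generator state, not the CRC32 seed itself; that is all the attack needs, since the symmetric key falls out of the state directly. For a real stolen key the same loop is run up to five times, once for each possible offset of the sym DWORD, and the verifier is whatever check on the candidate sym the protected target makes possible.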
A simple way to make animations with Delphi.

I've made it simpler; I include the source code manually, with a different approach as well (example + source code). This time I just use my 4 layers stacked horizontally, so it's easy to understand: [120x80] [120x80] [120x80] [120x80] = [480 x 80]. Maybe it can help. Download Source Code + Example ----------> ZNP Easy.zip Have fun.

X-88


Bruteforcing Armadillo Encryption Template

I'm not really used to the whole 'blog' thing so bear with me while I simply spill some thoughts. Anybody who has seen the Keymaker.c source code for Armadillo key generation can see how the keys are built and put together; I'm not going to be explaining how I came to any conclusions aside from referring back to that document. The single most important thing for making genuine Level 10 Short V3 keys is the Encryption Template: from it the symmetric key is made, and the private key for ECDSA signing is generated from it as well. People have already successfully attacked the signature verification as well as the symmetric key verification, so this post isn't revealing anything new. The string is uppercased in a function called 'CookText' before it is hashed with the MD5 algorithm. Looking at the source code, we can see that the BasePointInit value for the elliptic curve used is also taken from the Encryption Template, the first unsigned long of the MD5 hash to be precise. So, what do we have at the moment?
// Hypothetical variables
unsigned long MD5Hash[4];
char temp[256];
unsigned long BasePointInit;
unsigned long Symmetric;

// Get the hash of the uppercased string
CookText(temp, EncryptionTemplate);
md5(MD5Hash, temp, strlen(temp));

// Set BasePointInit and Symmetric values
BasePointInit = MD5Hash[0];
Symmetric = MD5Hash[0] ^ MD5Hash[1];

// Remembering the ECDSAPrivateKey is derived from EncryptionTemplate.

Okay, not a lot to look at to begin with, but with the BasePointInit we have the first dword of the MD5 hash and we can perform a brute force lookup for any hashes that begin with that value. On its own this would be totally useless because it returns a lot of false positives, so incorporating a check to see whether or not the generated symmetric key will yield a matching checksum when passed through the symmetric checksum function was necessary. Now, using CUDA and the symmetric check plus a large charset, it finds a 6 character encryption template in 80 seconds. Nothing to jump up and down about, but the main thing is it works at all! There would most likely be a way to speed it up more but I'm not sure where to start; it is only a PoC and I'm sharing the theory only, so please don't ask me for a copy. I also had the brainwave idea of brute forcing the 128 bit value which is the private key for ECDSA signing but couldn't find a way that was fast enough using my limited math experience, hehe. My conclusion from this little experiment is that although it is possible to recover the encryption template, the character set and probable length of the strings used by Armadillo's users will prevent it from becoming an attack vector for keygenning, especially when the ECDSA_Verify and symmetric key can both be defeated with faster means. HR, Ghandi

ghandi


Playing 6 [*.xm] files with Delphi.

Not for the expert, just for amateur programmers.

~~~~~~~~~~~~~~~~~~~~~~~~~~BeGiN~~~~~~~~~~~~~~~~~~~~~~~~~~~

unit Unit1;

interface

uses
  Forms, uFMOD, Sfx, Sfx2, Sfx3, Sfx4, Sfx5, Sfx6, Classes, Controls, StdCtrls;

type
  TForm1 = class(TForm)
    Label1: TLabel;
    procedure FormActivate(Sender: TObject);
    procedure FormDestroy(Sender: TObject);
    procedure FormKeyPress(Sender: TObject; var Key: Char);
    procedure FormCreate(Sender: TObject);
  private
    { By : X-88 }
  public
    { hmm.... }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

procedure TForm1.FormActivate(Sender: TObject);
begin
  uFMOD_SetVolume(256);
  { play the first embedded module straight from memory }
  uFMOD_PlaySong(@SfxData, SfxSize, XM_MEMORY);
  Label1.Caption := 'Title : ' + uFMOD.uFMOD_GetTitle;
end;

procedure TForm1.FormDestroy(Sender: TObject);
begin
  uFMOD_StopSong;
end;

{ keys 1-6 pick one of the six embedded modules, 7 stops playback }
procedure TForm1.FormKeyPress(Sender: TObject; var Key: Char);
begin
  if (Key = '1') then
  begin
    uFMOD_StopSong;
    uFMOD_PlaySong(@SfxData, SfxSize, XM_MEMORY);
    Label1.Caption := 'Title : ' + uFMOD.uFMOD_GetTitle;
  end
  else if (Key = '2') then
  begin
    uFMOD_StopSong;
    uFMOD_PlaySong(@Sfx2Data, Sfx2Size, XM_MEMORY);
    Label1.Caption := 'Title : ' + uFMOD.uFMOD_GetTitle;
  end
  else if (Key = '3') then
  begin
    uFMOD_StopSong;
    uFMOD_PlaySong(@Sfx3Data, Sfx3Size, XM_MEMORY);
    Label1.Caption := 'Title : ' + uFMOD.uFMOD_GetTitle;
  end
  else if (Key = '4') then
  begin
    uFMOD_StopSong;
    uFMOD_PlaySong(@Sfx4Data, Sfx4Size, XM_MEMORY);
    Label1.Caption := 'Title : ' + uFMOD.uFMOD_GetTitle;
  end
  else if (Key = '5') then
  begin
    uFMOD_StopSong;
    uFMOD_PlaySong(@Sfx5Data, Sfx5Size, XM_MEMORY);
    Label1.Caption := 'Title : ' + uFMOD.uFMOD_GetTitle;
  end
  else if (Key = '6') then
  begin
    uFMOD_StopSong;
    uFMOD_PlaySong(@Sfx6Data, Sfx6Size, XM_MEMORY);
    Label1.Caption := 'Title : ' + uFMOD.uFMOD_GetTitle;
  end
  else if (Key = '7') then
  begin
    uFMOD_StopSong;
    Label1.Caption := 'Press 1-6 to Change Sfx' + #13#10 + '7 = Stop';
  end;
end;

procedure TForm1.FormCreate(Sender: TObject);
begin
  Application.Title := 'Test';
end;

end.

~~~~~~~~~~~~~~~~~~~~~~~~~~EnD~~~~~~~~~~~~~~~~~~~~~~~~~~

NB: the units Sfx, Sfx2, Sfx3, Sfx4, Sfx5 and Sfx6 in the uses clause each hold one module as a byte array; the key handler above only chooses which array to hand to uFMOD_PlaySong. Each unit looks like this (the data is the raw .xm file; the first bytes shown spell "Extended Mo", the start of the XM header):

Unit Sfx2;

Interface

Const
  Sfx2Size = 268215;
  Sfx2Data : Array[1..Sfx2Size] of Byte = (
    69,120,116,101,110,100,101,100,32,77,111, .., .., .., .., .., .., .., .., .., .., .., .., .., .., .., .., ..
    Etc

Done.

X-88


XM on x64

This is the result of trying to play back XM music on 64-bit Windows. I wrote a simple wrapper around libmodplug that reads its raw PCM output and writes it to the standard wave output. All you have to do is create an instance of ModPlay, which needs a buffer + size of the XM file to be played. Then just call the play() function and voila. I have to say that it roughly adds 40 KB of code to your binaries; you have to decide if that is worth it for you. Personally I don't care, especially because you can compress the **** out of it with UPX. Attached are the wrapper C++ files, WINMM import libraries from the Windows SDK and 2 static libraries of libmodplug (compiled with VS 2008; you might need to build libmodplug yourself for other compilers/configs, see below for tips). Any problems, questions, suggestions, let me know.

PS: If you want/need to compile libmodplug, just make sure you define these to keep the library size as small as possible:

MODPLUG_BASIC_SUPPORT
MODPLUG_FASTSOUNDLIB
MODPLUG_NO_FILESAVE
NO_PACKING

For VC++ I added this version of stdint.h, added the libmodplug subfolder to the include dirs and it pretty much compiled out of the box.

Killboy


From: [ARTeam] ActiveMark "dismembered"

Hi all, guess what, we again targeted the new ActiveMark version and this time we are releasing an updated tool for inlining the protection, besides of course a tutorial which explains the technique. You can grab them all from here: tutorial: http://www.accessroo...ad.php?view.324 tool: http://www.accessroo...ad.php?view.325 Thanks to SSlEviN for his great work. Besides, this is the first tool he coded on his own! Very nice beginning. Source: [ARTeam] ActiveMark "dismembered"

E33

  • Blog Comments

    • Arttomov
      Someone likes to solve crosswords, somebody likes to play chess.
      I like RE because I need to strain my brain like when I solve a crossword, and think and analyze like when I play chess. After every crack I get a moral satisfaction; I'm happy with my success, success in cracking, my friends.
      I'm glad when I receive a message from the developers, where they are grateful for the cracking of their program and promise to eliminate the hole in the protection of the program in the next release.
      I thank everyone who writes articles about RE, makes tutorials and new tools, and shares their knowledge with others.
    • abdelhamid
      I am just a beginner, and believe me... Reverse Engineering is taking a huge part in my personal life.
      I wanna be that professional cracker! programmer, I need to learn more and more.
      I won't stop what I am doing because I love it! From the depth of my heart,
      this is not just a hobby for me, it's a way of thinking.
    • abdelhamid
      CriticalError  ==> this is the password
    • TheMind
      Time factor maybe... I got an interest in reversing some 6 years ago but my work schedule is pushing me away. I still remember the old days when a good site (astatalk) emerged and we were helping each other. Yes, reversing is a long process; if you put space in the process then you'll be lost just like me, having been idle in RE for so many years..
    • collins
      to CC.