h1

MAC Address spoofer

August 3, 2007

A brief introduction to the MAC address. It is the address your network adapter uses to talk to the router (or switch) on the local link, one layer below the IP address. The last hop uses it to decide which network adapter a frame is delivered to, which is why the MAC address is also called the physical address.

The first 3 bytes of a MAC address are the Organizationally Unique Identifier (OUI), i.e. the manufacturer of your network card; the remaining 3 bytes are assigned by that manufacturer. Take the MAC address “00-08-74-4C-7F-1D” as an example: “00-08-74” is an OUI of Dell Computer Corp, so we can reasonably infer that the PC is a Dell (strictly, that the network card was made for Dell).

The MAC address is burned into your network adapter's ROM, because it is supposed to be constant and not to be changed. But the operating system lets the driver override it, and there is a reason why you would: just because you can. ;)

It's pretty much a registry hack (the NetworkAddress value under the adapter's entry below HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}, which the driver picks up when the adapter is reset), and it might not work in some cases, since not every driver honours the value. This program is written in VB6 with the source code included. It demonstrates how to reset the network adapter from your own code, which requires access to COM objects that don't support the IDispatch interface, such as INetConnectionManager. It also demonstrates how to retrieve the MAC address through the GetAdaptersInfo() API.
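Added here as an example (this is not the MACSpoof code): a parser for the address format discussed above that pulls out the OUI and also the two flag bits in the first octet that the post does not mention, the I/G (multicast) bit and the U/L (locally administered) bit. A spoofed unicast source address must keep I/G clear, and setting U/L is the honest way to mark an address as not burned-in. The last function formats an address the way the NetworkAddress registry value expects it (twelve hex digits, no separators). The sample addresses in the comments are constructed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed view of a 48-bit MAC address (IEEE 802 MAC-48). */
typedef struct {
    uint8_t  octets[6];
    uint32_t oui;                  /* first three octets, e.g. 0x000874 for Dell */
    int      locally_administered; /* U/L bit: bit 1 of the first octet */
    int      multicast;            /* I/G bit: bit 0 of the first octet */
} mac_info;

/* Parse "00-08-74-4C-7F-1D" or "00:08:74:4c:7f:1d".
 * Returns 0 on success, -1 on malformed input (wrong length, bad separator, non-hex). */
int parse_mac(const char *text, mac_info *out)
{
    const char *p = text;
    for (int i = 0; i < 6; i++) {
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]))
            return -1;
        unsigned v;
        if (sscanf(p, "%2x", &v) != 1)
            return -1;
        out->octets[i] = (uint8_t)v;
        p += 2;
        if (i < 5) {
            if (*p != '-' && *p != ':')
                return -1;
            p++;
        }
    }
    if (*p != '\0')                /* reject trailing garbage such as a seventh octet */
        return -1;
    out->oui = ((uint32_t)out->octets[0] << 16) | ((uint32_t)out->octets[1] << 8) | out->octets[2];
    out->locally_administered = (out->octets[0] & 0x02) != 0;
    out->multicast            = (out->octets[0] & 0x01) != 0;
    return 0;
}

/* OUI of the address, or 0xFFFFFFFF when the text does not parse. */
uint32_t mac_oui(const char *text)
{
    mac_info m;
    return parse_mac(text, &m) == 0 ? m.oui : 0xFFFFFFFFu;
}

/* 1 if the U/L bit is set (address was assigned locally, not by the vendor), 0 if clear, -1 on parse error. */
int mac_is_locally_administered(const char *text)
{
    mac_info m;
    return parse_mac(text, &m) == 0 ? m.locally_administered : -1;
}

/* A candidate spoof value is usable as a unicast source address only when the I/G bit is clear;
 * an address like 01:00:5e:xx:xx:xx is a multicast group, not a station. */
int mac_is_valid_unicast_source(const char *text)
{
    mac_info m;
    return parse_mac(text, &m) == 0 && !m.multicast;
}

/* Format for the Windows NetworkAddress registry value: twelve upper-case hex digits with no
 * separators (e.g. "000874AABBCC"). out must have room for 13 bytes. Returns 0, or -1 on parse error. */
int mac_to_registry_value(const char *text, char out[13])
{
    mac_info m;
    if (parse_mac(text, &m) != 0)
        return -1;
    for (int i = 0; i < 6; i++)
        snprintf(out + 2 * i, 3, "%02X", m.octets[i]);
    return 0;
}
```

The U/L bit is also the cheapest detection heuristic on the other side: an address with bit 1 of the first octet set was, by definition, not assigned by the card's vendor.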


MACSpoof
http://opcode0x90.googlecode.com/files/MACSpoof.zip

h1

My second crackme, this time a VM crackme

June 21, 2007

My second crackme. It is a VM crackme, meaning the whole thing is written for and interpreted by a VM engine. I didn't add any anti-debug tricks except a nice anti-PEiD trick. ;)

Again, patching is allowed. Toggling ZF in the debugger is not accepted as a solution, as the effect is not permanent. Learn how to patch, dude. If you patch the crackme, submit the patched version here.

If possible, do take some time to write up a tutorial on how you cracked it so others can learn from it. :D

crackme_nop_vm
http://crackmes.de/users/opcode0x90/crackme_nop_vm/

h1

Thwarting VM Detection by Tom Liston and Ed Skoudis

June 6, 2007

I believe most of you have at least heard of VMware, Microsoft Virtual PC, or the more recent VirtualBox (http://www.virtualbox.org/). These are virtualization products: they create a virtual machine environment (the guest) that runs on your local computer (the host). They are pretty useful, especially when it comes to analyzing malware, among other uses. *ahem* ;)

This is a neat paper about how malware detects a virtual machine environment (VME), and about how to make the VME harder to detect. Recommended read.

http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

h1

KiFastSystemCall Hook

May 18, 2007

A little trick I invented some time ago to hook the syscalls made by gamemon.des. It only works on 32-bit Windows XP and later, because it relies on the SYSENTER-based syscall mechanism introduced there. So how does it work? Let's look at the syscall mechanism.

As you know, NT-based Windows (Windows NT/2k/XP/2k3/Vista) has ring0 and ring3, which hold the kernel-mode and user-mode code respectively. User mode is isolated from kernel mode: user-mode code cannot read, write or call kernel-mode memory directly. So in order to ask the kernel for something, you make a syscall. The processor transfers control to kernel mode, the kernel services the request and transfers control back to user mode.

Each version of Windows has its own syscall mechanism. For Windows 2000 and older it looks like this.

MOV EAX, SyscallNumber ; requested syscall number
LEA EDX, [ESP+4] ; EDX = params...
INT 2Eh ; throw the execution to the KM handler
RET 4*NUMBER_OF_PARAMS ; return

The syscall number is moved into EAX and the service is invoked through INT 2Eh. In Windows XP and later the mechanism changed.

MOV EAX, 101h ; syscall number: NtTerminateProcess
MOV EDX, 7FFE0300h ; EDX = 7FFE0300h
CALL EDX ; call 7FFE0300h
RETN 8

Notice the difference. INT 2Eh is replaced by a CALL through 7FFE0300h (SharedUserData!SystemCallStub; on XP SP2 and later the Nt* stub reads it as CALL DWORD PTR [EDX], with the pointer stored there), which lands in ntdll.KiFastSystemCall, a tiny stub containing the SYSENTER instruction.

MOV EDX, ESP
SYSENTER
RETN

This is where the KiFastSystemCall hook comes in. Every syscall from the process funnels through this 5-byte stub, so a hook installed on it catches all of them, including the undocumented NtUser* and NtGdi* syscalls that are issued from user32.dll and gdi32.dll stubs rather than through ntdll's Nt* exports. Two caveats: the stub lives in the process's own copy of ntdll, so anything running in the process (gamemon.des included) can inspect or restore it, and code that executes SYSENTER itself without going through the stub bypasses the hook.

——————————————————————————————-

KiFastSystemCall Hook
http://w14.easy-share.com/3759571.html

h1

user32.__ClientLoadLibrary(x)

May 11, 2007

Anti-SetWindowsHookEx DLL injection made possible. :D Read on.

After spending some time reversing the user32 internals, I discovered this undocumented function. It is responsible for loading the DLL registered with SetWindowsHookEx() into your process. This post will only focus on user mode, where the actual DLL loading takes place.

user32.__ClientLoadLibrary(lpHook)

This function takes only one argument: a pointer to an undocumented structure allocated on the process stack. It holds the path of the DLL, a pointer to the notification function and some data that is not yet understood.

_USERHOOK struct
    unknown_00	DWORD ?	           ; 0x00
    unknown_04	DWORD ?	           ; 0x04
    nCount	DWORD ?	           ; 0x08 numbers of pointer to fix up
    unknown_0C	DWORD ?	           ; 0x0C
    offCbkPtrs	DWORD ?	           ; 0x10 offset to callback pointers
    bFixed	DWORD ?	           ; 0x14 indicates if the pointer is fixed
    lpDLLPath	UNICODE_STRING {}  ; 0x18 DLL path
    lpfnNotify	DWORD ?	           ; 0x20 offset to notification procedure
                                     (called when DLL is injected)
_USERHOOK ends

Read the rest of this entry »

h1

MSPro is detected by GameGuard rev 1004 through … hotkey

May 4, 2007

Some time ago somebody told me MSPro is detected, and I put it to the test yesterday. Yeah, MSPro gets detected by GameGuard rev 1004 (MapleSEA). Guess what? MSPro runs fine in-game until I press F10 to activate auto-attack. Poof, I got disconnected. I went back into the game with auto-attack still on, and my cute little sin kept waving his arm, hitting the air. I pressed F10 to turn off auto-attack. This time I got a BSOD, aka an instant reboot.

So what does this mean?

  • GameGuard is detecting MSPro’s hotkey instead of MSPro itself.
  • MSPro’s key input simulating method still works.

I will release another version to cope with this issue, … hopefully soon. Final exams are on the horizon.

h1

ollydbg – Analyzer floating-point bug

April 29, 2007

Perhaps some of you already know this, some may not. This bug is not yet widely known, so I'm blogging it here mostly for documentation purposes.

This bug was originally found by the flat assembler community. It later made its way to the Themida developers, who have included this anti-OllyDbg trick in their protector.

———————————————————————————————————-

A random discovery
http://board.flatassembler.net/topic.php?t=5820

Source Code + Exe
http://www.mediafire.com/?404jwzfmmvm

h1

Windows loader does it differently

April 22, 2007

You think what is documented on Microsoft's website is exactly how the Windows loader works? Think again. In this post I will crash your disassembler/debugger by modifying some fields in the PE header.

IMAGE_OPTIONAL_HEADER.NumberOfRvaAndSizes

In pecoff_v8.doc it says NumberOfRvaAndSizes holds the number of data directory entries that follow it in the optional header. But the Windows loader ignores the field when it holds a value larger than 0x10: it simply uses 0x10. When it is less than 0x10 the loader treats the directories beyond that count as absent. A disassembler or debugger that takes the field literally will walk off the end of the header. You can use this to shave some bytes off your executable: declare fewer directories, shrink SizeOfOptionalHeader to match, and the section table moves up.

Let say we have something like this.

Read the rest of this entry »
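The loader's reading of NumberOfRvaAndSizes, as an added example (not code from the post): a parser that looks up a data directory with the loader's semantics (declared count clamped to 16, anything beyond the count absent) next to the naive pecoff reading that trusts the field, run over a constructed PE32 optional header. build_optional_header also returns the trimmed header length you would put into SizeOfOptionalHeader when declaring fewer directories, which is the byte-stripping trick. The field offsets are those of IMAGE_OPTIONAL_HEADER32; the RVAs are made up.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Offsets inside IMAGE_OPTIONAL_HEADER32 (PE32, Magic 0x10B). */
#define OPT32_NUMBER_OF_RVA_AND_SIZES    0x5C
#define OPT32_DATA_DIRECTORY             0x60
#define OPT32_FULL_SIZE                  0xE0   /* with all 16 directories present */
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
#define IMAGE_DIRECTORY_ENTRY_IMPORT     1
#define IMAGE_DIRECTORY_ENTRY_RESOURCE   2
#define DIRECTORY_ENTRY_SIZE             8      /* VirtualAddress + Size */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* How many data directories the loader honours: the declared count clamped to 16.
 * The further clamp to what fits in opt_len (SizeOfOptionalHeader) is this parser's own bounds
 * check, so it never reads outside the header it was handed. */
unsigned loader_directory_count(const uint8_t *opt, size_t opt_len)
{
    if (opt_len < OPT32_DATA_DIRECTORY)
        return 0;
    uint32_t declared = rd32(opt + OPT32_NUMBER_OF_RVA_AND_SIZES);
    unsigned n = declared > IMAGE_NUMBEROF_DIRECTORY_ENTRIES ? IMAGE_NUMBEROF_DIRECTORY_ENTRIES : (unsigned)declared;
    size_t fit = (opt_len - OPT32_DATA_DIRECTORY) / DIRECTORY_ENTRY_SIZE;
    if (n > fit)
        n = (unsigned)fit;
    return n;
}

/* Look up directory `index` with loader semantics. Returns 1 and fills rva/size when the entry
 * exists, 0 when the loader would consider it absent. */
int loader_directory(const uint8_t *opt, size_t opt_len, unsigned index, uint32_t *rva, uint32_t *size)
{
    if (index >= loader_directory_count(opt, opt_len))
        return 0;
    const uint8_t *e = opt + OPT32_DATA_DIRECTORY + index * DIRECTORY_ENTRY_SIZE;
    *rva  = rd32(e);
    *size = rd32(e + 4);
    return 1;
}

/* What a tool that takes pecoff literally does: size the directory table from the raw field.
 * Compared with the header length this shows whether it would walk past the header. */
uint64_t naive_directory_table_bytes(const uint8_t *opt)
{
    return (uint64_t)rd32(opt + OPT32_NUMBER_OF_RVA_AND_SIZES) * DIRECTORY_ENTRY_SIZE;
}

/* Build a constructed PE32 optional header into opt (must hold OPT32_FULL_SIZE bytes) with the given
 * NumberOfRvaAndSizes and one import directory. Returns the length a matching SizeOfOptionalHeader
 * would declare: the full 0xE0 for 16 or more directories, otherwise trimmed to the ones kept. */
size_t build_optional_header(uint8_t *opt, uint32_t number_of_rva_and_sizes, uint32_t import_rva, uint32_t import_size)
{
    memset(opt, 0, OPT32_FULL_SIZE);
    opt[0] = 0x0B; opt[1] = 0x01;                       /* Magic = 0x10B (PE32) */
    wr32(opt + OPT32_NUMBER_OF_RVA_AND_SIZES, number_of_rva_and_sizes);
    uint8_t *imp = opt + OPT32_DATA_DIRECTORY + IMAGE_DIRECTORY_ENTRY_IMPORT * DIRECTORY_ENTRY_SIZE;
    wr32(imp, import_rva);
    wr32(imp + 4, import_size);
    unsigned kept = number_of_rva_and_sizes > IMAGE_NUMBEROF_DIRECTORY_ENTRIES
                  ? IMAGE_NUMBEROF_DIRECTORY_ENTRIES : (unsigned)number_of_rva_and_sizes;
    return OPT32_DATA_DIRECTORY + (size_t)kept * DIRECTORY_ENTRY_SIZE;
}
```

With NumberOfRvaAndSizes = 0x7FFFFFFF the loader still finds the import table at index 1, while the naive table size runs to gigabytes; with a count of 2 the header shrinks to 0x70 bytes and the resource directory no longer exists as far as the loader is concerned, even though a tool reading a fixed 16 entries would still see the zeroed bytes.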

h1

Shield from thread injection

April 17, 2007

Originally posted on rootkit.com
http://www.rootkit.com/blog.php?newsid=640

——————————————————————————————

This method was discovered when I was doing some random debugging. A sudden idea came to my mind when I injected a DLL into an OllyDbg-debugged process. Olly's log showed that one thread was created and terminated. Then I thought: since the DLL loading takes place in user mode, why can't I prevent it from loading by hooking some function?

So I put a breakpoint on kernel32.LoadLibraryA() and injected the DLL again. OllyDbg halted. I traced the stack frame to one function in kernel32.dll. I injected another DLL, and again the trace led to the same function.

My senses told me that was the function I was looking for. So I began coding and hooked that function. Voila, now Winject reports that DLL injection failed. But wait, our job is not done yet.

After more debugging I found that my hook was preventing our own threads from being created too. So I needed a way to distinguish rogue threads from our own.

Finally, I found a method used by Piotr Bania to prevent shellcode execution. He used VirtualProtect() to determine whether code is rogue or not. Usually shellcode is injected as the result of a stack overflow or some other memory-corruption bug, and such memory must be writable. If a pointer points into a writable memory region, we can conclude that it was altered by the shellcode.

Yet this method has a flaw. Most packers and protectors modify the PE and mark the image as writable (to decompress or decrypt the content) and don't bother to restore the protection. Checking the protection with VirtualProtect() would therefore raise false alarms. So I thought of a better solution.

I used VirtualQuery() to check the memory type instead. When we create a thread ourselves, its start address points at code within a loaded image, which the loader maps as MEM_IMAGE; memory allocated with VirtualAllocEx() never has that type, whatever its protection, so packed images no longer trigger the check. The remaining gap is a thread started directly at a function that already lives in an image, kernel32.LoadLibraryA for example (the classic CreateRemoteThread injector): its start address is MEM_IMAGE too, so a complete shield also has to look at which routine the thread starts in.
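The decision itself, as an added example (this is not the Trypanophobia code). It assumes thread creation has already been intercepted (the post does not name the hooked kernel32 function) and only shows the gate that is applied to the start address. On Windows it is the VirtualQuery()/MEM_IMAGE check described above; when built elsewhere the same decision is ported to /proc/self/maps (file-backed versus anonymous region) so the example runs here too. fake_injected_region stands in for what an injector leaves behind: a start address inside a fresh anonymous allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
/* Windows: ask the memory manager what backs the address. Modules mapped by the loader are MEM_IMAGE;
 * memory from VirtualAllocEx is MEM_PRIVATE whatever its page protection. Protection is deliberately
 * not consulted, so a packer that left its image writable does not trip the check. */
int start_address_is_image_backed(const void *addr)
{
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery(addr, &mbi, sizeof mbi) != sizeof mbi)
        return 0;
    return mbi.State == MEM_COMMIT && mbi.Type == MEM_IMAGE;
}
#else
/* Same decision on Linux: a region counts as image-backed when /proc/self/maps shows it mapped from a
 * file (non-zero inode, absolute path). Anonymous memory ([heap], [stack], mmap/malloc'd blocks) is not. */
int start_address_is_image_backed(const void *addr)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps)
        return 0;
    uintptr_t target = (uintptr_t)addr;
    char line[512];
    int backed = 0;
    while (fgets(line, sizeof line, maps)) {
        unsigned long lo, hi, offset, inode;
        unsigned major, minor;
        char perms[8];
        int consumed = 0;
        /* "7f1234560000-7f1234561000 r-xp 00000000 08:01 393241  /usr/bin/prog" */
        if (sscanf(line, "%lx-%lx %7s %lx %x:%x %lu %n",
                   &lo, &hi, perms, &offset, &major, &minor, &inode, &consumed) < 7)
            continue;
        if (target < lo || target >= hi)
            continue;
        const char *path = line + consumed;
        backed = (inode != 0 && path[0] == '/');
        break;
    }
    fclose(maps);
    return backed;
}
#endif

/* Thread-creation gate: 1 lets the thread start, 0 blocks it. */
int allow_thread_start(const void *start_routine)
{
    return start_address_is_image_backed(start_routine);
}

/* Stand-in for an injector's payload region: a large anonymous allocation (VirtualAllocEx on Windows;
 * here a malloc big enough that glibc serves it from its own anonymous mmap). Caller frees it. */
void *fake_injected_region(void)
{
    uint8_t *p = malloc(1u << 20);
    if (p)
        p[0] = 0xCC;   /* pretend there is code here */
    return p;
}
```

A start routine inside the program's own image passes; one inside the anonymous block is refused. Note what the check does not do: it says nothing about which image function the thread starts in, which is the LoadLibraryA gap mentioned above.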

——————————————————————————————

Trypanophobia
http://code.google.com/p/opcode0x90/source/browse/trunk/snippets/Trypanophobia/

——————————————————————————————

Coming soon – Stopping SetWindowsHookEx() injection. ;)

h1

MSPro v4 Beta 5

April 16, 2007

Something to start my blog with. ;) This thing was made months ago, and an overwhelming load of coursework kept me from updating it further. Anyway, I made this mostly as a POC of my new idea for simulating key strokes, so don't nag about the lack of features.

So what about it?

Currently it has the most common botting functions, auto-clicker, auto-loot, auto-attack and auto-pot, and it (supposedly) works on all versions of MapleStory. Feel free to comment here if you have questions or ideas, or if you found a bug (!).

Behind the scene

  • Simulating Inputs

It doesn't use any driver! No SendInput() or anything of the sort. ;) The idea is simple: inject a DLL into MapleStory.exe and then invoke MapleStory's WndProc() directly with the key messages. So how are we going to find the WndProc()? Read on.

  • Code Signature (aka Array of Bytes)

Again a simple idea: I made a simple pattern finder that locates code by its byte signature, very much like an AV engine does. I did the same for all the other code locations, so MSPro is version-independent: it finds the addresses afresh each time it is loaded. (see SigSeek.inc for the source code)
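A masked byte-signature scanner of the kind described above, as an added example (this is not SigSeek.inc, and the bytes are constructed): sig_parse turns an IDA-style pattern with ? wildcards into bytes plus a mask, sig_find scans a buffer for it, and sig_find_operand does the full job the post needs, locating the instructions that register the window class and reading the lpfnWndProc immediate out of the match. The SAMPLE_CODE buffer is a made-up stand-in for a few bytes of the game binary; 11223344h plays the role of the WndProc address.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the game's code: lpfnWndProc pushed before the RegisterClassExA call. */
static const uint8_t SAMPLE_CODE[] = {
    0xCC, 0xCC,                          /* int3 padding                          */
    0x55,                                /* push ebp                              */
    0x8B, 0xEC,                          /* mov  ebp, esp                         */
    0x6A, 0x30,                          /* push 30h            (cbSize)          */
    0x68, 0x44, 0x33, 0x22, 0x11,        /* push 11223344h      (lpfnWndProc)     */
    0xE8, 0x00, 0x00, 0x00, 0x00,        /* call RegisterClassExA (rel32, made up) */
    0xC3                                 /* ret                                   */
};

/* Parse "6A 30 68 ? ? ? ? E8" (also "??") into bytes + mask ('x' = must match, '?' = wildcard).
 * Returns the pattern length, or 0 on a malformed token or if it does not fit in cap.
 * mask receives a NUL terminator, so it needs cap + 1 bytes. */
size_t sig_parse(const char *text, uint8_t *pat, char *mask, size_t cap)
{
    size_t n = 0;
    const char *p = text;
    while (*p) {
        while (*p == ' ')
            p++;
        if (!*p)
            break;
        if (n >= cap)
            return 0;
        if (p[0] == '?') {
            pat[n] = 0; mask[n] = '?';
            p += (p[1] == '?') ? 2 : 1;
        } else if (isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1])) {
            char hex[3] = { p[0], p[1], 0 };
            pat[n] = (uint8_t)strtoul(hex, NULL, 16); mask[n] = 'x';
            p += 2;
        } else {
            return 0;
        }
        if (*p && *p != ' ')             /* tokens must be single bytes separated by spaces */
            return 0;
        n++;
    }
    mask[n] = '\0';
    return n;
}

/* Scan hay for the masked pattern; returns the offset of the first match or (size_t)-1. */
size_t sig_find(const uint8_t *hay, size_t hay_len, const uint8_t *pat, const char *mask)
{
    size_t pat_len = strlen(mask);
    if (pat_len == 0 || pat_len > hay_len)
        return (size_t)-1;
    for (size_t i = 0; i + pat_len <= hay_len; i++) {
        size_t j = 0;
        while (j < pat_len && (mask[j] == '?' || hay[i + j] == pat[j]))
            j++;
        if (j == pat_len)
            return i;
    }
    return (size_t)-1;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The whole lookup in one step: find the pattern, then read the 32-bit operand that sits
 * operand_offset bytes into the match. Returns 0 if the pattern is absent, malformed, or the
 * operand would run off the end of the buffer. */
uint32_t sig_find_operand(const uint8_t *hay, size_t hay_len, const char *sig_text, size_t operand_offset)
{
    uint8_t pat[64];
    char mask[65];
    if (sig_parse(sig_text, pat, mask, sizeof pat) == 0)
        return 0;
    size_t hit = sig_find(hay, hay_len, pat, mask);
    if (hit == (size_t)-1 || hit + operand_offset + 4 > hay_len)
        return 0;
    return read_le32(hay + hit + operand_offset);
}
```

The wildcards are what make the signature survive a patch: the immediate changes from build to build, the surrounding opcodes usually do not. In a real injected DLL you would run sig_find over the module's .text section (base and size from its PE headers) rather than over a constructed array.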

Current Issues

  • The auto-clicker crashes MapleStory!

Trying to figure out a fix for this… Since WndProc() is invoked from a different thread, an overwhelming torrent of WM_LBUTTONDBLCLK messages may cause reentrancy problems and corrupt MapleStory's state. So use AC with care.

  • Auto-pot spams pots on my char!

Your PC is probably lagging. MSPro keeps potting until your HP is above the alarm level. If you lag while MSPro is potting, your HP value is not updated, and MSPro keeps potting, thinking your HP is still dangerously low. So it “spams” pots.

——————————————————————————————

MSPro v4 Beta 5
http://filexoom.com/files/2007/3/27/65350/MSPro%20v4%20Beta%205.zip

SigSeek.inc
http://code.google.com/p/opcode0x90/source/browse/trunk/snippets/SigSeek.inc