
OllyDbg v1.10

Related: Disassemblers

This application is based on MiTeC Portable Executable Reader. It reads and displays executable file properties and structure. It is compatible with PE32 (Portable Executable), PE32+ (64-bit), NE (Windows 3.x New Executable) and VxD (Windows 9x Virtual Device Driver) file types. .NET executables are supported too. It enumerates the classes introduced, the units used and the forms for files compiled by Borland compilers.

The following structures are enumerated and evaluated:
DOS, File, Optional and CLR headers
CLR metadata streams
Sections
Directories
Imports
Exports
Resources
ASCII and Unicode strings
.NET metadata
Load Config
Debug
Thread Local Storage
Exceptions
Units
Forms
Packages
Classes
Package flags
Version info
Hexadecimal file content view
TypeLib viewer
Form preview
VirusTotal scan report
Compiler and packer/protector identification

CONTENTS
Chapter I - The basics
Basic notions: the processor and memory
Assembler: what assembler is, first instructions
OllyDbg: presentation, getting started
My first crackme, part 1: searching for a string, tracing back a jump, NOPing an instruction
My first crackme, part 2: finding an address again, breakpoints, single-stepping, reading memory
Crackme2, part 1: the Windows APIs, list of windows (the controls), labels in the dump, memory breakpoints
Crackme2, part 2: managing breakpoints, Execute till return, labels in the code, tracing back a call
Chapter II - Some principles
Pre-analysis: PEiD, RDG Packer Detector, Protection ID
The nag screen: how windows work, saving our modifications
The time limit: dialog boxes, inverting a jump, constants, modifying an instruction
Registration via the registry (coming soon)
Registration via a licence file (keyfile) (coming soon)
NetCheck (to do)
Dongle (to do)

Advanced Persistent Tweets: Zero-Day in 140 Characters
The unceasing barrage of targeted email attacks that leverage zero-day software flaws to steal sensitive information from businesses and the U.S. government is often described as ultra-sophisticated, almost ninja-like in stealth and anonymity. But according to expert analysis of several recent zero-day attacks, including the much-publicized break-in at security giant RSA, the Chinese developers of those attack tools left clues aplenty about their identities and locations, with one apparent contender even tweeting about having newly discovered a vulnerability days in advance of its use in the wild. Zero-day threats are attacks which exploit security vulnerabilities that a software vendor learns about at the same time as the general public does; the vendor has "zero days" to fix the flaw before it gets exploited. Bragging rights may play a part in the attackers' lack of duplicity.
[Figure: tweets quoted in the article ("call [0x1111110+0x08]", "Wrote the firefox 0day", "ready?", "Who is this linxder?"); source: FireEye]

IDA: About
What is IDA all about? IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all. Just grab an evaluation version if you want a test drive. An executive summary is provided for the non-technical user.
Getting IDA: IDA is available for many platforms, and can be licensed under different terms.
Support & Community: We have placed a sensible amount of support links and documentation online that can be valuable both to new and advanced users. Additionally, our user board is a valuable source of hints and tips for the IDA Disassembler.
Technical Documentation: Intro to the IDA Debugger. Screenshots.

Objective-C memory model

REMnux 1.0: the malware analyst's playground
July 21, 2010. This article was contributed by Koen Vervloesem.
Security consultant Lenny Zeltser recently released the first version of REMnux, a Linux distribution that is specifically designed for malware analysis. For this purpose, the distribution includes open source tools for analyzing and reverse engineering Flash malware, obfuscated JavaScript, shellcode, malicious PDF files, and so on. Zeltser is an expert in malware analysis, and he teaches a course on Reverse-Engineering Malware at the SANS Institute. In his words: "My hope is that by installing my favorite tools and configuring them the way I liked, I saved people some time and made it easier to enter the world of malware analysis." To create the VMware virtual appliance of REMnux, Zeltser installed Ubuntu 9.10 in a VMware virtual machine, removed unnecessary packages, added the tools he liked, and customized the setup. In addition to its home page on Zeltser's web site, REMnux also has a SourceForge page with some discussion forums.

Packer: UPX 1.23
Objective: rebuild the original exe manually
Target: a crackme packed with UPX 1.23
Required tools: Hex Workshop, Lord-PE
Attached files:
Index
1. UPX is very easy to unpack manually in order to restore the exe to its original state.
2. Open the target with Lord-PE and note the following information:
Entry point: 000080E0
Import table: RVA = 00009058, size = 000000A4
Section table:
name   VOffset   VSize     ROffset   RSize     Flags
UPX0   00001000  00005000  00000400  00000000  E0000080
UPX1   00006000  00003000  00000400  00002400  E0000040
.rsrc  00009000  00001000  00002800  00000200  C0000040
First observation: there are two sections named UPX0 and UPX1. Careful, though: do not rely on section names to identify a packer. The name carries no real meaning and anything at all could be written there instead without changing the program's behaviour. What does identify the packer here is the layout: UPX0 has a virtual size of 5000h but a raw size of zero (it is only filled at run time, by the decompression stub), and the entry point 80E0h lies in UPX1, not in the first section.
3. Dump the target with Lord-PE or another process dumper, making sure these options are checked before dumping:
4. a) MZ header
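The section-table reading described in step 2, and the warning that section names prove nothing, can be checked programmatically. The script below is an added example and is not part of the tutorial or of Lord-PE: it parses the DOS header, COFF header, optional header and section table of a PE32 image with the standard library only, and then applies a name-independent packer heuristic (first section has a virtual size but no raw data, and the entry point sits in a later section). Because the tutorial's attachment is not available, the input is a constructed header-only image built from the exact values in the table above (the `build_sample` helper and its hard-coded values are the example's own).

```python
import struct

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"

# Values copied from the page's Lord-PE table: (name, VOffset, VSize, ROffset, RSize, Flags).
PAGE_ENTRY_POINT = 0x80E0
PAGE_SECTIONS = [
    ("UPX0", 0x1000, 0x5000, 0x400, 0x0, 0xE0000080),
    ("UPX1", 0x6000, 0x3000, 0x400, 0x2400, 0xE0000040),
    (".rsrc", 0x9000, 0x1000, 0x2800, 0x200, 0xC0000040),
]


def build_sample(entry_rva, sections):
    """Constructed input: a PE32 header-only image carrying the given section table.
    Nothing lies behind the headers; it exists only to exercise the parser below."""
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, len(dos))      # e_lfanew: PE header right after the DOS header
    opt = bytearray(0xE0)                            # PE32 optional header is 0xE0 bytes
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, len(opt), 0x010F)
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode("ascii"), vsize, va, rsize, roff, 0, 0, 0, 0, flags)
        for name, va, vsize, roff, rsize, flags in sections
    )
    return bytes(dos) + PE_MAGIC + coff + bytes(opt) + table


def parse_pe(data):
    """Return (entry_point_rva, [section dicts]) for a PE32/PE32+ image."""
    if data[:2] != DOS_MAGIC:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                  # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # same offset in both formats
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "va": f[2], "rsize": f[3], "roff": f[4], "flags": f[9]})
    return entry_rva, sections


def perms(flags):
    """Decode the execute/read/write bits of Characteristics."""
    return "".join(ch for bit, ch in ((0x20000000, "X"), (0x40000000, "R"), (0x80000000, "W")) if flags & bit)


def section_of_rva(sections, rva):
    """Section whose in-memory range contains rva (virtual size, falling back to raw size)."""
    for s in sections:
        size = s["vsize"] or s["rsize"]
        if s["va"] <= rva < s["va"] + size:
            return s
    return None


def rva_to_file_offset(sections, rva):
    """File offset backing rva, or None when the address has no bytes on disk."""
    s = section_of_rva(sections, rva)
    if s is None or rva - s["va"] >= s["rsize"]:
        return None
    return s["roff"] + (rva - s["va"])


def looks_packed(entry_rva, sections):
    """Name-independent heuristic: first section is empty on disk but large in memory
    (the unpack destination) and the entry point lives in a later section (the stub)."""
    if len(sections) < 2:
        return False
    first, ep = sections[0], section_of_rva(sections, entry_rva)
    return first["vsize"] > 0 and first["rsize"] == 0 and ep is not None and ep is not first


if __name__ == "__main__":
    ep, secs = parse_pe(build_sample(PAGE_ENTRY_POINT, PAGE_SECTIONS))
    for s in secs:
        print("%-6s va=%08X vsize=%08X roff=%08X rsize=%08X %s" % (s["name"], s["va"], s["vsize"], s["roff"], s["rsize"], perms(s["flags"])))
    print("EP %08X in %s, file offset %s, packed=%s" % (ep, section_of_rva(secs, ep)["name"],
          hex(rva_to_file_offset(secs, ep)), looks_packed(ep, secs)))
```

Renaming UPX0/UPX1 to .text/.data in the sample does not change the verdict, which is the tutorial's point: the zero raw size of the first section and the entry point in the second are what give the packer away, not the labels.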

The Plumbing Revolution: Developers' Improving Toolbox - graysky The best advance in my life as a software developer recently is having to spend less time building (and re-building) plumbing. Much has rightly been made of the move to cloud computing and the virtualization of computing/storage, but in the last year the trend has continued up the stack to include all sorts of services. The benefit to developers is spending more time focused on your product, and less on the myriad of necessary-but-ancillary aspects of building a webapp. In my thinking about this trend, I'm making two assumptions. A few examples of what I'm thinking about: SendGrid - I hate the Yahoo! And it is easy to see why: developer's time is expensive and limited. I think there are a number of areas ripe for significant improvements in infrastructure and how developers spend their time: SEO - Having developers spend much time attempting to deeply understand Google is a net waste.

5 Steps to Building a Malware Analysis Toolkit Using Free Tools
by Lenny Zeltser
Examining the capabilities of malicious software allows your IT team to better assess the nature of a security incident, and may help prevent further infections. Here's how to set up a controlled malware analysis lab—for free.
A large number of computer intrusions involve some form of malicious software (malware), which finds its way to the victim's workstation or to a server. A simple analysis toolkit, built from free and readily available software, can help you and your IT team develop the skills critical to responding to today's security incidents.
Step 1: Allocate physical or virtual systems for the analysis lab
A common approach to examining malicious software involves infecting a system with the malware specimen and then using the appropriate monitoring tools to observe how it behaves. Another useful feature of many virtualization tools is the ability to take instantaneous snapshots of the laboratory system.
Step 2: Isolate laboratory systems from the production environment

Biko Georges - How to crack a piece of software (DVD extract)

What iOS 4 does -- and doesn't do -- for business | Mobilize
After all the hoopla since its April announcement, iOS 4 -- the new name for the old iPhone OS -- is now here for newer iPhone and iPod Touch models as a free download via iTunes, with iPad availability scheduled for "later this year." So what does it actually do? For business users and IT, not that much -- yet. The biggest new capability -- multitasking -- is for all intents and purposes not available, and it won't be until individual apps are updated to take advantage of it. The other big new capability for IT is the set of APIs that allow BlackBerry-like management of the iPhone, such as auditing of policies and apps, over-the-air provisioning of apps without iTunes, and over-the-air configuration and policy management. So what does that mean for users and IT today?

Analyzing Malicious Documents Cheat Sheet
by Lenny Zeltser
This cheat sheet outlines tips and tools for reverse-engineering malicious documents, such as Microsoft Office (DOC, XLS, PPT) and Adobe Acrobat (PDF) files.
General Approach
Locate potentially malicious embedded code, such as shellcode, VBA macros, or JavaScript. Extract suspicious code segments from the file.
Microsoft Office Binary File Format Notes
Structured Storage (OLE SS) defines a file system inside the binary Microsoft Office file. Data can be a "storage" (folder) or a "stream" (file). Excel stores data inside the "Workbook" stream. PowerPoint stores data inside the "PowerPoint Document" stream. Word stores data inside various streams.
Tools for Analyzing Microsoft Office Files
OfficeMalScanner locates shellcode and VBA macros in MS Office (DOC, XLS, and PPT) files. MalHost-Setup extracts shellcode from a given offset in an MS Office file and embeds it in an EXE file for further analysis. OffVis shows the raw contents and structure of an MS Office file, and identifies some common exploits.
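The "general approach" above starts with knowing what kind of document you hold and then finding the embedded code. The script below is an added example, not the cheat sheet's own tooling: it tells binary Office (OLE compound file) and PDF apart by their magic bytes, and for PDFs counts the names that usually carry embedded code (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile, /RichMedia; the list is this example's choice). The detail a naive `grep` misses is that PDF names may spell any byte as a `#xx` hex escape, so `/J#61vaScript` is the same name as `/JavaScript`; the scanner normalises escapes before matching. The sample document is constructed inline for the demonstration.

```python
import re

# Names worth a closer look in a PDF (this example's own list, not the cheat sheet's).
SUSPICIOUS_NAMES = {
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia",
}
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound file header (DOC/XLS/PPT)

# A PDF name token runs from '/' up to the next whitespace or delimiter character;
# inside it, #xx encodes one byte as two hex digits (so /J#61vaScript == /JavaScript).
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample: a PDF fragment whose catalog runs JavaScript on open, with the
# /JavaScript name hex-escaped so that a plain substring search does not see it.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert('hello')) >> endobj
4 0 obj << /Type /Font /Subtype /TrueType /BaseFont /Helvetica >> endobj
trailer << /Root 1 0 R >>
"""


def identify(data):
    """Coarse type check by magic: 'ole' for binary Office, 'pdf', otherwise 'unknown'.
    Readers tolerate some leading junk before %PDF, so it is searched in the first 1 KiB."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if b"%PDF" in data[:1024]:
        return "pdf"
    return "unknown"


def decode_name(token):
    """Resolve #xx escapes so an obfuscated spelling compares equal to the plain name."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def scan_pdf_names(data):
    """Count suspicious names after normalising escapes; returns {name: count}."""
    hits = {}
    for m in NAME_TOKEN.finditer(data):
        name = decode_name(m.group(0))
        if name in SUSPICIOUS_NAMES:
            key = name.decode("ascii")
            hits[key] = hits.get(key, 0) + 1
    return hits


def triage(data):
    """First-pass verdict: file type plus, for PDFs, the suspicious-name counts."""
    kind = identify(data)
    return {"type": kind, "hits": scan_pdf_names(data) if kind == "pdf" else {}}


if __name__ == "__main__":
    print("naive count of b'/JavaScript':", SAMPLE_PDF.count(b"/JavaScript"))
    print(triage(SAMPLE_PDF))
```

For the Office side the script stops at identification on purpose: walking the OLE directory and FAT to reach the VBA streams is the job of the tools named above (OfficeMalScanner, OffVis), and a few extra lines here would not do it justice.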

Cracking: the tools of a good cracker. Well, this is the final step: we will look at all the tools. You will learn quite a bit of vocabulary, but that won't hurt you.
Contents (I haven't made you a nice image this time...):
1) The disassembler: Windasm
2) Another disassembler: OllyDBG
3) The hex editor
4) Stup Pe
5) Peid
7) ResHacker
8) Crackmes
Windasm! Download it here: Windasm 8.93 (patched version)
Windasm is the indispensable tool; it is the one that lets you disassemble the program into assembler so you can see the code. Launch Windasm by clicking on its executable (.exe) and you arrive at a rather rough-looking screen with South Park. For better readability of the code, click Options » Select font and choose Courier New at 8 pt so it is easier to read (it is usually the default), then click OK. Click File/Open file to disassemble, or click on the corresponding button in the toolbar. Select your executable, which should be in the root directory, and open it.
PEid
