Wednesday, May 28, 2008
Automated Command Line Kaspersky Update in M$ Windows
REM Fetch the update index first, then every file it lists (one filename per line, first token).
wget.exe --directory-prefix=kav ftp://updates2.kaspersky-labs.com/updates_ext/avp.set
REM %%i is batch-file syntax; at an interactive cmd prompt use %i instead.
FOR /F "tokens=1" %%i IN ('type .\kav\avp.set') DO wget.exe --directory-prefix=kav ftp://updates2.kaspersky-labs.com/updates_ext/%%i
You can get wget here:
http://gnuwin32.sourceforge.net/packages/wget.htm
Sunday, May 25, 2008
PicLens :: Firefox Add-on
It saves you time browsing through photos on the following websites:
* Flickr, Smugmug, DeviantArt, Photobucket, Picasa, FotoTime, Fotki.
* Facebook, MySpace, Bebo, Hi5, Friendster
* YouTube (via the PicLens search bar only)
* Image search on Google, Yahoo, Ask, Live, and AOL
* A growing number of Media RSS-enabled web sites and blogs (see http://www.piclens.com/lite/)
(excerpt from website
https://addons.mozilla.org/en-US/firefox/addon/5579)
Here is a demo ...
I searched Jennifer Hawkins in Google images ... here is what I got ...
This way you can just pick the photo you want to see ... saves time ...
everything is presented to you ... all you need to do is scroll and choose.
Add-on
https://addons.mozilla.org/en-US/firefox/addon/5579
Website
http://www.piclens.com/site/firefox/win/
Thursday, May 22, 2008
What's with the ^H?
This is often used as a joke by techie people.
http://en.wikipedia.org/wiki/Backspace
Excerpt from wiki ....
Pressing the backspace key on a computer terminal would generate the ASCII code 08, BS or Backspace, which would delete the preceding character. That control code could also be accessed by pressing Control-H, as H is the eighth letter of the Latin alphabet. Terminals which do not have the backspace code mapped to the function of moving the cursor backwards and deleting the preceding character would display the symbols ^H (caret, H — see Caret notation) when the backspace key was pressed. This sequence is still used humorously by computer literates to denote the deletion of a pretended blunder, much like overstriking.
Example: My slave-dri^H^H^H^H^H^H^H^H^H boss decided to stall the project.
ironman inspired
Monday, May 19, 2008
de0bfuscating ne0spl01t manually ...
Here is a way to bypass its obfuscation technique without tools.
(I am not providing the original script in here, I'm sure there are a lot of compromised websites out there ... ehheheh ... and this example is applicable just to this one I am working on)
VirusTotal result
http://www.virustotal.com/analisis/20c0debb36bd8d75f33b15c0ab077931
Below is the screenshot of the script, in word wrap.
The script depends on arguments.callee.toString() and on location.href. This means we need the original script function, byte for byte, and the correct location.href, i.e. the URL of the compromised page the script was loaded into (location.href is the current page's URL, not the HTTP Referer).
So how are we going to deobfuscate this script?
First, we need to check the original code. In my case I changed the format so I can understand what the program does.
I keep on highlighting "arguments.callee.toString() + location.href" because the program depends on the value of these instructions. Another dependency is the parameter passed to the function.
Below is a screenshot of the script's original format, I highlighted the parameter used.
Based on my analysis of the script code, the parameter is the string we need to decrypt.
Below shows the part of the decryption process.
Ok ... now lets get to the part where we will deobfuscate the script.
What does the program need to execute properly?
1. The parameter passed to the function.
2. The calling function's code, untampered (any change to its text, even whitespace, changes arguments.callee.toString() and therefore the key).
3. The location.href value.
4. A way to capture the result: a dropped file or document.write().
Just a quick background
reference: http://www.comptechdoc.org/independent/web/cgi/javamanual/javalocation.html
JavaScript Location Object
The JavaScript location object is a property of the window object. It can be used to control the web page displayed by the browser.
Properties
href - The entire URL.
Now ... it will look like this
We can get a copy of the code by adding the following at the end of the decryption process, before the sample gets to run the result. This uses the Windows Script Host FileSystemObject, so it only works in Internet Explorer (or cscript/wscript) with ActiveX allowed:
var fso = new ActiveXObject("Scripting.FileSystemObject");
var a = fso.CreateTextFile("c:\\testfile.txt", true);  // true = overwrite if it exists
a.WriteLine(T5ctkgA8R);  // T5ctkgA8R holds the decrypted string
a.Close();
or you can just add the instruction below.
document.write(T5ctkgA8R);
Be careful with document.write(): the browser parses what you write, so if the decrypted string is a <script> block it executes immediately. Writing it inside a <textarea> shows the text without running it: document.write("<textarea>" + T5ctkgA8R + "</textarea>");
After this we get the second obfuscated code; apply the same steps to it and you get the deobfuscated code.
Hope this helps ...
Just a note for me ... 1 of many .... Getting EP manually
1. Get the entry point value (4 bytes, an RVA)
-> MZ + 0x3C = PE offset (e_lfanew)
-> PE + 0x28 = Entry point (EP, AddressOfEntryPoint)
2. Identify which section the EP falls in: VirtualAddress <= EP < VirtualAddress + VirtualSize
3. Subtract that section's VirtualAddress from the EP value
4. Add the PointerToRawData of the section where the EP was found; the result is the file offset of the entry point.
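The four steps above carried out in code, as an added example that is not part of the original note: a Node.js function over a PE file held in a Buffer. The header it is run against is built by hand (two sections, entry point inside .text) and is a constructed sample, not a real binary. Section names, sizes and the entry point value are all assumptions for the demo.

```javascript
// Step 1: read e_lfanew, AddressOfEntryPoint and the section table.
function readPeHeaders(buf) {
  if (buf.toString("ascii", 0, 2) !== "MZ") throw new Error("not an MZ file");
  var pe = buf.readUInt32LE(0x3c);                 // MZ + 0x3C = PE offset
  if (buf.toString("ascii", pe, pe + 4) !== "PE\0\0") throw new Error("bad PE signature");
  var numSections = buf.readUInt16LE(pe + 6);      // IMAGE_FILE_HEADER.NumberOfSections
  var optSize = buf.readUInt16LE(pe + 20);         // IMAGE_FILE_HEADER.SizeOfOptionalHeader
  var entryRva = buf.readUInt32LE(pe + 0x28);      // PE + 0x28 = AddressOfEntryPoint
  var sections = [];
  var sh = pe + 24 + optSize;                      // first IMAGE_SECTION_HEADER (40 bytes each)
  for (var i = 0; i < numSections; i++, sh += 40) {
    sections.push({
      name: buf.toString("ascii", sh, sh + 8).replace(/\0+$/, ""),
      virtualSize: buf.readUInt32LE(sh + 8),
      virtualAddress: buf.readUInt32LE(sh + 12),
      sizeOfRawData: buf.readUInt32LE(sh + 16),
      pointerToRawData: buf.readUInt32LE(sh + 20)
    });
  }
  return { entryRva: entryRva, sections: sections };
}

// Steps 2-4: find the section whose [VirtualAddress, VirtualAddress + VirtualSize)
// contains the RVA, subtract its VirtualAddress, add its PointerToRawData.
// Returns null when the RVA lies in no section (seen with packers that point
// the EP into the header or a region that only exists in memory).
function rvaToFileOffset(sections, rva) {
  for (var i = 0; i < sections.length; i++) {
    var s = sections[i];
    if (rva >= s.virtualAddress && rva < s.virtualAddress + s.virtualSize) {
      return { section: s.name, offset: rva - s.virtualAddress + s.pointerToRawData };
    }
  }
  return null;
}

function entryPointFileOffset(buf) {
  var h = readPeHeaders(buf);
  return rvaToFileOffset(h.sections, h.entryRva);
}

// Constructed sample header for the demo (not a real executable): PE32, i386,
// .text at RVA 0x1000 / file 0x400 and .data at RVA 0x2000 / file 0x800.
function buildSamplePe(entryRva) {
  var buf = Buffer.alloc(0x200);                   // zero-filled, so unset fields are 0
  buf.write("MZ", 0, "ascii");
  var pe = 0x80;
  buf.writeUInt32LE(pe, 0x3c);                     // e_lfanew
  buf.write("PE", pe, "ascii");                    // "PE\0\0": the two NULs are already there
  buf.writeUInt16LE(0x14c, pe + 4);                // Machine: i386
  buf.writeUInt16LE(2, pe + 6);                    // NumberOfSections
  buf.writeUInt16LE(0xe0, pe + 20);                // SizeOfOptionalHeader for PE32
  buf.writeUInt16LE(0x10b, pe + 24);               // Optional header Magic: PE32
  buf.writeUInt32LE(entryRva, pe + 0x28);          // AddressOfEntryPoint
  var sh = pe + 24 + 0xe0;
  // name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
  var table = [[".text", 0x1000, 0x1000, 0x400, 0x400],
               [".data", 0x200, 0x2000, 0x200, 0x800]];
  for (var i = 0; i < table.length; i++, sh += 40) {
    buf.write(table[i][0], sh, "ascii");
    buf.writeUInt32LE(table[i][1], sh + 8);
    buf.writeUInt32LE(table[i][2], sh + 12);
    buf.writeUInt32LE(table[i][3], sh + 16);
    buf.writeUInt32LE(table[i][4], sh + 20);
  }
  return buf;
}

// Usage: entryPointFileOffset(require("fs").readFileSync("sample.exe"))
// With the constructed header and EP 0x1234: 0x1234 - 0x1000 + 0x400 = 0x634 in .text.
```

The range check uses VirtualSize, as the note says. Some tools use the larger of VirtualSize and SizeOfRawData instead, so on a sample whose EP sits in the slack between the two you may get a hit from a tool and null from this function; check the section table by hand in that case.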
arguments.callee.toString()
It returns the function's source code exactly as it was written, whitespace and formatting included.
For example:
=========================================
function ShowMe()
{
alert(arguments.callee.toString());
}
=========================================
(I need to show you how this instruction is used by JavaScript malware writers to create an obstacle to analysis ... that's where ...)
Ok, that's it for now ... next I will show you how this instruction is used by JavaScript malware and how we can overcome it.