Wednesday, May 28, 2008

Automated Command Line Kaspersky Update in M$ Windows

For those of you doing manual updates of your command-line AV scanners, here is one you can use to automate the task. This one updates Kaspersky: all you need is the wget tool, and you put the lines below in a batch file. Note that the files come over plain FTP, which gives you no integrity protection, so the download is only as trustworthy as the network path to the update server.

REM Fetch the update index first, then every file it lists (first token of each line)
wget.exe --directory-prefix=kav ftp://updates2.kaspersky-labs.com/updates_ext/avp.set
FOR /F "tokens=1" %%i IN ('type .\kav\avp.set') DO wget.exe --directory-prefix=kav ftp://updates2.kaspersky-labs.com/updates_ext/%%i

You can get wget here:
http://gnuwin32.sourceforge.net/packages/wget.htm

Sunday, May 25, 2008

PicLens :: Firefox Add-on

This one is a great add-on for the Mozilla Firefox browser.
It saves you time browsing through photos on the following websites:

* Flickr, Smugmug, DeviantArt, Photobucket, Picasa, FotoTime, Fotki.
* Facebook, MySpace, Bebo, Hi5, Friendster
* YouTube (via the PicLens search bar only)
* Image search on Google, Yahoo, Ask, Live, and AOL
* A growing number of Media RSS-enabled web sites and blogs (see http://www.piclens.com/lite/)
(excerpt from the add-on page:
https://addons.mozilla.org/en-US/firefox/addon/5579)

Here is a demo ...

I searched for Jennifer Hawkins in Google Images ... here is what I got ...



This way you can just pick the photo you want to see ... saves time ...

Everything is presented to you ... all you need to do is scroll and choose.





Add-on
https://addons.mozilla.org/en-US/firefox/addon/5579

Website
http://www.piclens.com/site/firefox/win/

Thursday, May 22, 2008

What's with the ^H?

This is often used as a joke by techie people.

http://en.wikipedia.org/wiki/Backspace

Excerpt from Wikipedia ....

Pressing the backspace key on a computer terminal would generate the ASCII code 08, BS or Backspace, which would delete the preceding character. That control code could also be accessed by pressing Control-H, as H is the eighth letter of the Latin alphabet. Terminals which do not have the backspace code mapped to the function of moving the cursor backwards and deleting the preceding character would display the symbols ^H (caret, H — see Caret notation) when the backspace key was pressed. This sequence is still used humorously by computer literates to denote the deletion of a pretended blunder, much like overstriking.

Example: My slave-dri^H^H^H^H^H^H^H^H^H boss decided to stall the project.

Iron Man inspired



Iron Man-inspired PC ....

http://www.acer.com/predator/

i will definitely get one of these... and my wife will never know ehheheh
^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H
^H^H^H^H^H

Monday, May 19, 2008

de0bfuscating ne0spl01t manually ...

This advanced exploit framework ships obfuscated scripts to make analysis harder.

Here is a way to get past its obfuscation without tools.
(I am not providing the original script here; I'm sure there are plenty of compromised websites out there ... ehheheh ... and this example applies only to the sample I am working on.)

VirusTotal result
http://www.virustotal.com/analisis/20c0debb36bd8d75f33b15c0ab077931

Below is a screenshot of the script, word-wrapped.



The script depends on arguments.callee.toString() and on location.href. This means we need both the original, untouched script function and the correct location.href (the URL of the page that carried the script), because both feed the decryption key.

So how are we going to deobfuscate this script?

First, we need to look at the original code. In my case I reformatted it so I could follow what the program does.



I keep highlighting "arguments.callee.toString() + location.href" because the program depends on the value of these two expressions. Another dependency is the parameter passed to the function.


Below is a screenshot of the script's original format, I highlighted the parameter used.



Based on my analysis of the script, the parameter is the string we need to decrypt.


Below is part of the decryption routine.




OK ... now let's get to the part where we deobfuscate the script.

What does the program need in order to run correctly?
1. The parameter passed to the function (the string to decrypt).
2. The calling function's code, untampered, since arguments.callee.toString() is part of the key.
3. The location.href value of the page that carried the script.
4. A way to capture the result: write it to a file, or document.write it, instead of letting it execute.

Just a quick bit of background
reference: http://www.comptechdoc.org/independent/web/cgi/javamanual/javalocation.html

JavaScript Location Object
The JavaScript location object is a property of the window object. It can be used to control the web page displayed by the browser.

Properties
href - The entire URL.

Now ... it will look like this:




We can get a copy of the decoded code by adding the following at the end of the decryption routine (this works in Internet Explorer only, since it uses ActiveX):

// IE/JScript only: dump the decoded string to disk through the FileSystemObject
var fso = new ActiveXObject("Scripting.FileSystemObject");
var a = fso.CreateTextFile("c:\\testfile.txt", true); // true = overwrite if it exists
a.WriteLine(T5ctkgA8R); // T5ctkgA8R holds the decoded string in this sample
a.Close();

or you can just use the instruction below on the same variable, so the decoded text is rendered into the page instead of executed:

document.write()

After this we get the second obfuscated layer; apply the same steps to it, and from there you get the deobfuscated code.

Hope this helps ...

Just a note for me ... one of many .... Getting the EP manually

How to find the file offset of a Portable Executable's entry point manually ...

1. Get the entry point value (4 bytes)
-> the DWORD at offset 0x3C of the DOS header (e_lfanew) = PE header offset
-> PE header offset + 0x28 = AddressOfEntryPoint (EP), which is an RVA
2. Find the section whose range [VirtualAddress, VirtualAddress + VirtualSize) contains the EP
3. Subtract that section's VirtualAddress from the EP
4. Add the section's PointerToRawData; the result is where the EP sits in the file
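The four steps above as code, written here as an added example (not from the original post), in JavaScript so it sits alongside the script analysis elsewhere on this page. It runs over a constructed, headers-only PE32 image rather than a real binary; the section names, sizes and the entry point value in the sample are assumptions for the demo.

```javascript
// Added example (not from the post): the four manual steps above as code,
// run over a constructed, headers-only PE32 image (no real binary involved).

function rd16(view, off) { return view.getUint16(off, true); }   // PE fields are little-endian
function rd32(view, off) { return view.getUint32(off, true); }

function entryPointFileOffset(bytes) {
  var view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  if (rd16(view, 0) !== 0x5a4d) throw new Error("missing MZ signature");
  var pe = rd32(view, 0x3c);                       // step 1: e_lfanew -> "PE\0\0"
  if (rd32(view, pe) !== 0x00004550) throw new Error("missing PE signature");
  var numSections = rd16(view, pe + 6);            // IMAGE_FILE_HEADER.NumberOfSections
  var optHdrSize = rd16(view, pe + 20);            // IMAGE_FILE_HEADER.SizeOfOptionalHeader
  var ep = rd32(view, pe + 0x28);                  // step 1: AddressOfEntryPoint (an RVA)
  var secTable = pe + 24 + optHdrSize;             // section headers follow the optional header

  for (var i = 0; i < numSections; i++) {
    var h = secTable + i * 40;                     // sizeof(IMAGE_SECTION_HEADER)
    var name = String.fromCharCode.apply(null, bytes.subarray(h, h + 8)).replace(/\0+$/, "");
    var virtualSize = rd32(view, h + 8);
    var virtualAddr = rd32(view, h + 12);
    var rawSize = rd32(view, h + 16);
    var rawPtr = rd32(view, h + 20);
    // Some packers zero VirtualSize; fall back to SizeOfRawData so the section still matches.
    var span = virtualSize || rawSize;
    // step 2: does the RVA fall inside this section's virtual range?
    if (ep >= virtualAddr && ep < virtualAddr + span) {
      var delta = ep - virtualAddr;                // step 3
      // The EP can point past the bytes present on disk (VirtualSize > SizeOfRawData).
      // Then there is nothing to seek to in the file: the code is produced at run time,
      // which is what a packer stub does.
      if (delta >= rawSize) return { ep: ep, section: name, fileOffset: null };
      return { ep: ep, section: name, fileOffset: rawPtr + delta };   // step 4
    }
  }
  return { ep: ep, section: null, fileOffset: null }; // EP outside every section
}

// Constructed sample: MZ stub, PE32 headers and two section headers, nothing else.
function buildSamplePe() {
  var bytes = new Uint8Array(0x200);
  var view = new DataView(bytes.buffer);
  var pe = 0x80;
  view.setUint16(0, 0x5a4d, true);          // "MZ"
  view.setUint32(0x3c, pe, true);           // e_lfanew
  view.setUint32(pe, 0x00004550, true);     // "PE\0\0"
  view.setUint16(pe + 6, 2, true);          // NumberOfSections
  view.setUint16(pe + 20, 0xe0, true);      // SizeOfOptionalHeader for PE32
  view.setUint16(pe + 24, 0x10b, true);     // optional header Magic = PE32
  view.setUint32(pe + 0x28, 0x1100, true);  // AddressOfEntryPoint (assumed value)
  var secTable = pe + 24 + 0xe0;
  function section(i, name, vsize, va, rawSize, rawPtr) {
    var h = secTable + i * 40;
    for (var j = 0; j < name.length; j++) bytes[h + j] = name.charCodeAt(j);
    view.setUint32(h + 8, vsize, true);     // VirtualSize
    view.setUint32(h + 12, va, true);       // VirtualAddress
    view.setUint32(h + 16, rawSize, true);  // SizeOfRawData
    view.setUint32(h + 20, rawPtr, true);   // PointerToRawData
  }
  section(0, ".text", 0x2000, 0x1000, 0x2000, 0x400);
  section(1, ".data", 0x1000, 0x3000, 0x200, 0x2400);
  return bytes;
}
// entryPointFileOffset(buildSamplePe()) -> { ep: 0x1100, section: ".text", fileOffset: 0x500 }
```

For the sample, EP 0x1100 lands in .text (VirtualAddress 0x1000), so the file offset is 0x1100 - 0x1000 + 0x400 = 0x500. On a real file, feed the bytes of the executable into entryPointFileOffset and treat a null fileOffset as the signal that the entry point has no bytes on disk.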

arguments.callee.toString()

arguments.callee in JavaScript refers to the entire function in which it is referenced, and arguments.callee.toString() returns that function's source text.
It includes the code and the exact formatting it was written in.

For example:
=============================================
function ShowMe() { alert(arguments.callee.toString());}
=============================================




is different from

=========================================
function ShowMe()
{
alert(arguments.callee.toString());
}
=========================================



This instruction (arguments.callee.toString()) can therefore be used to check that a script has not been tampered with: any change to the text, even a reformat, changes the returned string.
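Here is an added example, not code from either post or from the exploit kit, that ties this to the ne0spl01t write-up above: a toy decoder whose key is its own source text plus the page URL. It shows why the untouched function and the correct location.href are both needed, and why a reformatted copy decodes garbage. The decoder refers to itself by name instead of via arguments.callee so it also runs in strict mode; the key schedule, the landing URL and the payload are all constructed for the demo.

```javascript
// Added example (not code from the post or from the exploit kit): a toy model
// of a decoder whose key is its own source text plus the page URL, i.e. the
// "arguments.callee.toString() + location.href" dependency described above.
// The landing URL and payload are constructed for this demo.

function keyBytes(fnSource, href) {
  // Toy key schedule, not cryptography: fold decoder text + URL into 16 bytes.
  // Any change to either input (a stray space, a different host) changes the key.
  var s = fnSource + href;
  var key = [];
  for (var i = 0; i < 16; i++) key.push(0);
  for (var j = 0; j < s.length; j++) {
    key[j % 16] = (key[j % 16] * 31 + s.charCodeAt(j)) & 0xff;
  }
  return key;
}

function xorHex(hex, key) {
  // Decrypt a hex string by XOR with the repeating key.
  var out = "";
  for (var i = 0; i < hex.length; i += 2) {
    var b = parseInt(hex.slice(i, i + 2), 16);
    out += String.fromCharCode(b ^ key[(i / 2) % key.length]);
  }
  return out;
}

function toHex(text, key) {
  // Encrypt (same XOR) and hex-encode; used only to build the demo blob.
  var out = "";
  for (var i = 0; i < text.length; i++) {
    var b = (text.charCodeAt(i) & 0xff) ^ key[i % key.length];
    out += (b < 16 ? "0" : "") + b.toString(16);
  }
  return out;
}

// The decoder as the landing page carries it. decode.toString() returns the
// same text arguments.callee.toString() would return inside this function
// (self-reference by name is used so the example also runs in strict mode,
// where arguments.callee throws); href is passed in where the real script
// reads location.href.
function decode(hex, href) {
  return xorHex(hex, keyBytes(decode.toString(), href));
}

// Same logic, reformatted the way an analyst might "clean up" the script.
// Function.prototype.toString returns the source verbatim, whitespace and
// comments included, so this copy derives a different key and decodes garbage.
function decodeReformatted(hex, href)
{
    // identical behaviour, different text
    var key = keyBytes(decodeReformatted.toString(), href);
    return xorHex(hex, key);
}

// Attacker side: encrypt the payload for one exact decoder text and one URL.
function encodeFor(plain, href) {
  return toHex(plain, keyBytes(decode.toString(), href));
}

// Analyst side: a wrong URL or a reformatted decoder does not fail loudly, it
// just yields bytes that are not script. Checking for printable ASCII is a
// cheap way to tell "right href" from "wrong href" before reading the output.
function looksLikeScript(text) {
  return /^[\x09\x0a\x0d\x20-\x7e]*$/.test(text);
}

// Constructed demo inputs (assumptions, not data from a real landing page).
var DEMO_HREF = "http://compromised.example/index.html";
var DEMO_PLAIN = "document.write('<iframe src=\"stage2.html\" width=0 height=0></iframe>');";
var DEMO_BLOB = encodeFor(DEMO_PLAIN, DEMO_HREF);
// decode(DEMO_BLOB, DEMO_HREF) returns DEMO_PLAIN; decode with another href,
// or decodeReformatted with the right href, both return unreadable bytes.
```

This is the reason the write-up insists on an untampered copy of the function and the right location.href: the analyst's job is to run decode exactly as served, with the page's real URL, and then capture the return value (file dump or document.write) rather than let the script execute it.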

So where am I going with this ...
(I need to show you how this instruction is used by JavaScript malware writers to put an obstacle in the way of analysis ... that's where ...)

OK, that's it for now ... next I will show you how this instruction is used by JavaScript malware and how we can get around it.