Activity Stream

  • WaxfordSqueers
    June 3rd, 2020, 15:25
    WaxfordSqueers started a thread real DOS in Off Topic
    Had a bit of a laugh today. Reading up on ntvdm.exe which is the DOS emulator for Windows. I am running XP and I opened a CMD window to see if it...
    0 replies | 9 view(s)
  • evaluator
    June 3rd, 2020, 00:49
    evaluator replied to a thread ReverseMe in Off Topic
    Those are text-char range opcodes; I met the likes of them previously in shellcode analyses. However, in 32-bit, the code needs to find its own address, thus...
    12 replies | 264 view(s)
  • WaxfordSqueers
    June 2nd, 2020, 15:28
    WaxfordSqueers replied to a thread ReverseMe in Off Topic
    Sorry...I posted a bad link above. My reference to the Eicar test file was on Wayback Machine and I supplied the address of the bad URL rather than...
    12 replies | 264 view(s)
  • evaluator
    June 2nd, 2020, 09:54
    evaluator replied to a thread ReverseMe in Off Topic
    'Alternatively' you can make a "test.com" file from those "text" chars and it will execute in DOS mode.
    12 replies | 264 view(s)
  • Kayaker
    June 1st, 2020, 18:20
    Kayaker replied to a thread ReverseMe in Off Topic
    I decided to try to emulate the self modifying code in the Eicar test file just for fun. The original bytes can't be used because of the requirement...
    12 replies | 264 view(s)
  • WaxfordSqueers
    May 31st, 2020, 14:11
    WaxfordSqueers replied to a thread ReverseMe in Off Topic
    I saw no obvious start point so I presumed the first POP statement had AX initialized to 0. I started following the statements one by one, doing the...
    12 replies | 264 view(s)
  • evaluator
    May 30th, 2020, 23:19
    evaluator replied to a thread ReverseMe in Off Topic
    Well, that explanation assumes the code is 16-bit, while I assumed 32-bit shellcode.
    12 replies | 264 view(s)
  • WaxfordSqueers
    May 29th, 2020, 13:08
    WaxfordSqueers replied to a thread ReverseMe in Off Topic
    Click the Spoiler button on my last post. It reveals a couple of links explaining exactly what it is. The first link gives a step by step solution to...
    12 replies | 264 view(s)
  • evaluator
    May 29th, 2020, 08:09
    evaluator replied to a thread ReverseMe in Off Topic
    I tried to 'imagine' the environment of this 'shellcode', but ESI & EDI are unknown. Well, we can think of EDI as being in the range of this code.. but nothing's...
    12 replies | 264 view(s)
  • Kayaker
    May 29th, 2020, 07:19
    Kayaker replied to a thread ReverseMe in Off Topic
    If you're protected you shouldn't be able to make a copy of that file (ctrl-c ctrl-v). Avast won't let me unless I do it in one of my 'excluded from...
    12 replies | 264 view(s)
  • blabberer
    May 29th, 2020, 06:56
    blabberer replied to a thread ReverseMe in Off Topic
    The file itself tells what it is: Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 58 35 4F 21 50 25 40 41 50 5B 34 5C 50...
    12 replies | 264 view(s)
  • Kayaker
    May 28th, 2020, 18:55
    Kayaker replied to a thread ReverseMe in Off Topic
    I've been looking at the Windows Antimalware Scan Interface (AMSI) lately, and its relation to exploits particularly with PowerShell. ...
    12 replies | 264 view(s)
  • WaxfordSqueers
    May 28th, 2020, 14:43
    WaxfordSqueers replied to a thread ReverseMe in Off Topic
    I started working through it with the assumption that first statement POP AX was 0000. Got about 10 steps down then decided to check 'and ax,...
    12 replies | 264 view(s)
  • Kayaker
    May 28th, 2020, 10:56
    Kayaker started a thread ReverseMe in Off Topic
    This is well known code. Harmless. What is it? Disassembly of File: reverseme.com Code Offset = 00000000, Code Size = 00000044 Data Offset =...
    12 replies | 264 view(s)
  • WaxfordSqueers
    May 24th, 2020, 20:26
    @Kayaker... procmon on the target did not react to the host machine running WinDbg in k-mode. I'll have to check out apimon or maybe logger.exe in...
    12 replies | 688 view(s)
  • WaxfordSqueers
    May 24th, 2020, 20:24
    Thanks for info Blabbs, very helpful. Re symenumtypes, I got it from the debug help library in dbghelp.chm. Maybe I am using the command...
    12 replies | 688 view(s)
  • blabberer
    May 24th, 2020, 01:34
    I don't recall any command named synenumtype, so obviously it errs because s is the command for Search memory and it can't resolve ymen or symen as a...
    12 replies | 688 view(s)
  • WaxfordSqueers
    May 22nd, 2020, 16:53
    Hey...back in the bad old days, I used to program Basic straight into a computer to set up the heads on a disk drive. I actually wrote little...
    12 replies | 688 view(s)
  • Kayaker
    May 22nd, 2020, 06:37
    I remember doing some parallel port programming with QBasic, but I don't think that would help here :p OK, crazy reversing idea, would running an...
    12 replies | 688 view(s)
  • WaxfordSqueers
    May 21st, 2020, 19:29
    Thanks Kayaker. I have tried all the obvious things, now I need to do some reversing and find out where things are getting hung up. I have sent a...
    12 replies | 688 view(s)
  • Kayaker
    May 21st, 2020, 13:00
    Hey Wax. You seem to have had this problem for a long time. I've never set up anything like that, debugging over 2 computers, but the docs seem to...
    12 replies | 688 view(s)
  • WaxfordSqueers
    May 18th, 2020, 13:32
    Wracking my brain trying to find a scientific way to detect what is wrong with my k-mode connection between my W7 host and my XP target. It's the...
    12 replies | 688 view(s)
  • evaluator
    May 16th, 2020, 04:55
    Kayaker, c'mon.. 0F 3F is just an illegal instruction, artificially used by software as an opcode; surely you've heard about such things as the VBox "opcodes".. while...
    11 replies | 753 view(s)
  • blabberer
    May 15th, 2020, 19:47
    The 0F 3F opcodes were used by Virtual PC as some backdoor communication with the host (vmsti, vmcli etc. (set interrupt, clear interrupt hooks)) you...
    11 replies | 753 view(s)
  • Kayaker
    May 15th, 2020, 15:11
    Kayaker replied to a thread XGETBV trickies in General Reversing
    Not xgetbv but another opcode I hadn't come across before, VPCEXT 7, 0Bh, used to detect the presence of VirtualPC. This is just an observation...
    11 replies | 753 view(s)
  • evaluator
    May 13th, 2020, 22:59
    This code shows XGETBV for ecx=0, which seems to be for "check the AVX registers restore at context switch". Look for the case ecx=1, which seems about...
    11 replies | 753 view(s)
  • Kayaker
    May 10th, 2020, 16:36
    Kayaker replied to a thread XGETBV trickies in General Reversing
    Just for fun I started grepping system files for XGETBV (0F 01 D0) and XSETBV (0F 01 D1) to see how they were used. I found them in many files,...
    11 replies | 753 view(s)
  • evaluator
    May 7th, 2020, 04:13
    So there is a paired instruction, XSETBV, so the debugger probably sets the values in RING0.. tested under WinDbg and for ecx=1 > eax=7; PS: it seems this is...
    11 replies | 753 view(s)
  • WaxfordSqueers
    May 6th, 2020, 16:44
    Everyone OK out there in the deep code woods? Kayaker is likely out there paddling up a stream, hopefully watching for bears, but is everyone else...
    0 replies | 178 view(s)