<![CDATA[RCE Messageboard's Regroupment]]>

<![CDATA[RCE Messageboard's Regroupment]]> http://www.woodmann.com/forum Serious reversing, cracking and programming discussions en Sat, 06 Sep 2008 02:34:14 GMT vBulletin 60 http://www.woodmann.com/forum/images/misc/rss.jpg <![CDATA[RCE Messageboard's Regroupment]]> http://www.woodmann.com/forum Rainbow super pro (copier) http://www.woodmann.com/forum/showthread.php?t=12048&goto=newpost Fri, 05 Sep 2008 18:11:32 GMT hi, I have a copier machine and need a rainbow super pro dongle to use the email, fax... etc, then my idea was to connect the dongle to my pc usb port and with a filter driver and library to write a program for capture the raw data of usb and redirect it to copier machine in other usb port (+ - an... hi, I have a copier machine and need a rainbow super pro dongle to use the email, fax... etc, then my idea was to connect the dongle to my pc usb port and with a filter driver and library to write a program for capture the raw data of usb and redirect it to copier machine in other usb port (+ - an usb proxy...), but when I've tried this, the program only show me URB data...

I wish know if it is posible, capture the dongle raw data(with my idea(proxy)) and burn a microcontroller for emulation(using dongle capture) and connect it to copier machine or I must to crack the firmware of copier....

ideas?

sorry, English is not my mother tongue... ]]> The Newbie Forum ZEALOT http://www.woodmann.com/forum/showthread.php?t=12048 {smartassassin} v1.0 http://www.woodmann.com/forum/showthread.php?t=12046&goto=newpost Thu, 04 Sep 2008 09:32:14 GMT {smartassassin} is a reversing engineering tool used to remove string encryption from {smartassembly} protected files, its also possible to decompress resources compressed by {smartassassin}. If the original file was strong name signed {smartassassin} will create a new keypair and re-sign the... {smartassassin} is a reversing engineering tool used to remove string encryption
from {smartassembly} protected files, its also possible to decompress resources
compressed by {smartassassin}.

If the original file was strong name signed {smartassassin} will create a new keypair
and re-sign the file with this pair, be carefull since file depending on this file will
need to be edited manaualy to support the new strong name signature.
You can use RE-Sign for this and the editor of your choice

Also if you like the file re-signed with a specific key place your key in the same
folder as the file you are about to process and rename it to {smartassassin}.snk
now {smartassassin} will use this key for the re-sign process.

Hope this tool is of any use

Check the tool section on www.reteam.org for the download ]]> Tools of our Trade (TOT) Messageboard LibX http://www.woodmann.com/forum/showthread.php?t=12046 White-Box Cryptography http://www.woodmann.com/forum/showthread.php?t=12045&goto=newpost Thu, 04 Sep 2008 07:44:23 GMT "White-box cryptography is a technique to hide a secret key into a cryptographic software implementation in a white-box model. In such a model, an adversary has full control over the execution environment.

A white-box DES encryption binary with embedded secret key. If you like, try to extract the secret key, using all information you can find from this implementation (input-ouput attacks, so called black box attacks, are not allowed). "

here is there demo link (cygwin1.dll is needed):
https://www.cosic.esat.kuleuven.be/sopro/wbc/wbDES.exe

here is there website:
https://www.cosic.esat.kuleuven.be/sopro/
https://www.cosic.esat.kuleuven.be/sopro/wbc/

i'm currently working on this and look at the attached file that i have made :P

come and join to reverse this protection ... sooner the better

regards,
LaBBa.

Attached Files

sub_401050.zip (3.3 KB)

]]> Rce Cryptographics LaBBa http://www.woodmann.com/forum/showthread.php?t=12045 Allocating Memory below imagebase http://www.woodmann.com/forum/showthread.php?t=12044&goto=newpost Wed, 03 Sep 2008 19:23:56 GMT hi guys , ive encountered a little problem ... im trying to allocate some free memory below imagebase ..but doesent seem to be doable ..so im wondering is this possible at all from ring3 ? ( hacks ? hehe ) , or will i have to go ring3 to get the power needed to preform this deed .. looking forward... hi guys , ive encountered a little problem ... im trying to allocate some free memory below imagebase ..but doesent seem to be doable ..so im wondering is this possible at all from ring3 ? ( hacks ? hehe ) , or will i have to go ring3 to get the power needed to preform this deed .. looking forward to your responses

just seems wierd , since i can VirtualQuery them without a problem

and yes i did check my virtualAlloc call :) if i allocate addr above image..it works ]]> The Newbie Forum Arcane http://www.woodmann.com/forum/showthread.php?t=12044 <![CDATA[Kernel Detective - new security & analysis tool]]> http://www.woodmann.com/forum/showthread.php?t=12043&goto=newpost Tue, 02 Sep 2008 21:23:12 GMT Kernel Detective is a free tool that help you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you the access to the kernel directly so it's not oriented for newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result, BSOD !!

Supported NT versions : XP(sp1-sp2-sp3) - Vista Ultimate build 6000

With Kernel Detective you can:

Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Kernel Detective also has special scan methods for detecting hidden processes

Enumerate a specific running processe Dynamic-Link Libraries. Also show every Dll ImageBase, EntryPoint, Size and Path .

Enumerate loaded kernel-mode drivers and show every driver ImageBase, EntryPoint, Size, Name and Path. Also it has special methods for detecting hidden drivers.

Scan the system service table (SSDT) and show every service function address and the real function address. You can restore single service function address or restore the whole table.

Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore single shadow service function address or restore the whole table

Scan the interrupts table (IDT) and show every interrupt handler offset, selector, type, Attributes and real handler offset. This is applied to every processor in a multi-processors machines.

Scan the important system kernel modules, detect the modifications in it's body and analyze it. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking for more other types of hooks next releases of Kernel Detective.

A nice disassembler rely on OllyDbg disasm engine, thanks Oleh Yuschuk for publishing the source code of your nice disasm engine . With it you can disassemble, assemble and hex edit virtual memory of a specific process or even the kernel space memory. Kernel Detective use it's own Read/Write routines from kernel-mode and doesn't rely on any windows API. That make Kernel Detective able to R/W processes VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, also bypass the hooks on other kernel-mode important routines like KeStackAttachProcess and KeAttachProcess

Show the messages sent by drivers to the kernel debugger just like Dbgview by Mark Russinovich. It's doing this by hooking interrupt 0x2d wich is responsible for outputing debug messages. Hooking interrupts may cause problems on some machines so DebugView is turned off by default, to turn it on you must run Kernel Detective with "-debugv" parameter.

Coded by GamingMasteR -AT4RE

Download

http://www.at4re.com/tools/Releases/GamingMasteR/Kernel_Detective_v1.0.zip ]]> Tools of our Trade (TOT) Messageboard GamingMasteR http://www.woodmann.com/forum/showthread.php?t=12043 Cracking kit 2010 http://www.woodmann.com/forum/showthread.php?t=12042&goto=newpost Mon, 01 Sep 2008 18:10:38 GMT The contents of the CDs are bundled up with the download. Image: http://img148.imageshack.us/img148/5967/imgra4.jpg ---Quote--- Cracking kit 2010 is the *biggest* collection of reverse engineering tools ever compiled. It consists of two ISOs that when unpacked yield over 2GB worth... The contents of the CDs are bundled up with the download.

Quote:

Cracking kit 2010 is the biggest collection of reverse engineering tools ever compiled.

It consists of two ISOs that when unpacked yield over 2GB worth of toolz.

]]> Tools of our Trade (TOT) Messageboard ZZZXXX http://www.woodmann.com/forum/showthread.php?t=12042 bit of a simple one here http://www.woodmann.com/forum/showthread.php?t=12041&goto=newpost Mon, 01 Sep 2008 16:51:28 GMT Hi all Within Ollydbg I am having difficulty finding the part of assembly code i want to add a break point in. What i want to to do is put a break point in the very first instruction the program goes in to after a click of a certain button but i cannot find where this is in the code, is it... Hi all

Within Ollydbg I am having difficulty finding the part of assembly code i want to add a break point in. What i want to to do is put a break point in the very first instruction the program goes in to after a click of a certain button but i cannot find where this is in the code, is it possble to set an instant breakpoint on submission of any operation.

I've only been doing simple key gens in the past and been able to manually set my breakpoint.:whoops: ]]> The Newbie Forum GES1234 http://www.woodmann.com/forum/showthread.php?t=12041 NEW! http://www.woodmann.com/forum/showthread.php?t=12040&goto=newpost Mon, 01 Sep 2008 14:24:30 GMT Hey guys and gals, just thought I'd intro myself and congratulate you on a very informative site.

Keep up the good work, I'll be watching as usual :) ]]> The Newbie Forum Enter7ainer http://www.woodmann.com/forum/showthread.php?t=12040 Anybody has used Microsoft Base Smart Card CSP yet? http://www.woodmann.com/forum/showthread.php?t=12039&goto=newpost Mon, 01 Sep 2008 05:47:56 GMT Hi all Is there anybody who has ever used Microsoft Base Smart Card CSP? It is a CSP that works with a small DLL in order to work with Smart Cards. I have written one of these DLL and it works well when I use web enrollment of my Smart Card, but when I try to use autoenrollment, it fails. is... Hi all
Is there anybody who has ever used Microsoft Base Smart Card CSP?
It is a CSP that works with a small DLL in order to work with Smart Cards.
I have written one of these DLL and it works well when I use web enrollment of my Smart Card, but when I try to use autoenrollment, it fails.
is there any idea what happens that causes failing autoenrollment operation?

Regards ]]> Advanced reversing and programming Hero http://www.woodmann.com/forum/showthread.php?t=12039 CRC_DRx crackme http://www.woodmann.com/forum/showthread.php?t=12038&goto=newpost Sun, 31 Aug 2008 16:09:51 GMT ROSASM burnt yet another cr0ckme mit SRC! kill yO-self now! ~ = D edit: who will BRUTE, will LEAST PENsIL.. ROSASM burnt yet another cr0ckme mit SRC!

kill yO-self now! ~ = D

edit:
who will BRUTE, will LEAST PENsIL..

Attached Files

jE!_CRC_DRx.zip (3.7 KB)

]]> Mini Project Area evaluator http://www.woodmann.com/forum/showthread.php?t=12038 .NET question http://www.woodmann.com/forum/showthread.php?t=12037&goto=newpost Sun, 31 Aug 2008 08:37:09 GMT What can this class actually accomplish?

It's from a target that I completed, but decided to go have a look around. Using DotNET Tracer 0.3, it shows that this class actually DOES some stuff, and I don't see how.

Code:

.class private auto ansi a1 extends [mscorlib]System.Object implements TARGET.IEdition

{

  .field public initonly value class [mscorlib]System.DateTime a



  .field private static class a1 a



  .field private class [mscorlib]System.EventHandler a



  .field private bool a



  .field private class [SKCLNET]SKCLNET.LFile a



  .field private value class [resource]TARGET.TARGETEdition a





  .method private hidebysig specialname void .ctor() noinlining

  {

    ldarg.0

    call void [mscorlib]System.Object::.ctor()

    ret

  }



  .method public static hidebysig class a1 a() noinlining

  {

    ldnull

    ret

  }



  .method public hidebysig void a(int32 A_0) noinlining

  {

    ret

  }



  .method public hidebysig bool a() noinlining

  {

    ldc.i4.0

    ret

  }



  .method public hidebysig bool b() noinlining

  {

    ldc.i4.0

    ret

  }



  .method public hidebysig int32 a(int32 A_0, int32 A_1, int32 A_2, int32 A_3, int32 A_4, class System.String A_5) noinlining

  {

    ldc.i4.0

    ret

  }



  .method public hidebysig int32 a(int32 A_0, class System.String A_1, int32& A_2) noinlining

  {

    ldc.i4.0

    ret

  }



  .method public hidebysig bool a(value class [resource]TARGET.TARGETEdition A_0) noinlining

  {

    ldc.i4.0

    ret

  }



  .method public final virtual hidebysig newslot bool a(value class [resource]TARGET.TARGETEdition A_0, bool A_1) noinlining

  {

    ldc.i4.0

    ret

  }



  .method public hidebysig specialname void a(class [mscorlib]System.EventHandler A_0) synchronized noinlining

  {

    ret

  }



  .method public hidebysig specialname void b(class [mscorlib]System.EventHandler A_0) synchronized noinlining

  {

    ret

  }



  .method family hidebysig void c() noinlining

  {

    ret

  }



  .method private hidebysig int32 a(int32 A_0, int32 A_1, int32 A_2, int32& A_3) noinlining

  {

    ldc.i4.0

    ret

  }



  .method private hidebysig void b() noinlining

  {

    ret

  }



  .method private hidebysig void a() noinlining

  {

    ret

  }



  .method private hidebysig void a(bool A_0) noinlining

  {

    ret

  }



  .method public hidebysig specialname bool c() noinlining

  {

    ldc.i4.0

    ret

  }



  .method public hidebysig specialname class [SKCLNET]SKCLNET.LFile a() noinlining

  {

    ldnull

    ret

  }



  .method public final virtual hidebysig newslot specialname value class [resource]TARGET.TARGETEdition a() noinlining

  {

    ldnull

    unbox [resource]TARGET.TARGETEdition

    ldobj [resource]TARGET.TARGETEdition

    ret

  }



  .method private static hidebysig specialname void .cctor() noinlining

  {

    ret

  }

}

To ME, it looks like a whole lotta nothing.

Anyone see the magic that I missed?

Here's the output from DotNET Tracer. (At least the pertinent parts)

Code:

JIT compilation started,  name: a1..cctor

JIT compilation started,  name: a1..ctor

Assembly load started,  ID: 1780144

Module load started,  name: C:\WINDOWS\assembly\GAC\SKCLNET\4.3.1.0__d5770e63406d04a0\SKCLNET.dll

Module C:\WINDOWS\assembly\GAC\SKCLNET\4.3.1.0__d5770e63406d04a0\SKCLNET.dll attached to assembly SKCLNET

JIT compilation started,  name: a1.b

JIT compilation started,  name: SKCLNET.LFile..cctor

JIT compilation started,  name: SKCLNET.LFile..ctor

JIT compilation started,  name: .__crt_dll_initialize

JIT compilation started,  name: SKCLNET.LFile.IsDebugLic

JIT compilation started,  name: SKCLNET.LFile.SetDefaultValues

JIT compilation started,  name: SKCLNET.SomeClass.dummy

JIT compilation started,  name: SKCLNET.LFile.set_StatusChkInterval

JIT compilation started,  name: SKCLNET.LFile.SetStatusTimer

JIT compilation started,  name: SKCLNET.LFile.InitStatusTimer

JIT compilation started,  name: SKCLNET.LFile.set_UseEZTrigger

JIT compilation started,  name: SKCLNET.LFile.set_EZTrial

JIT compilation started,  name: .a

JIT compilation started,  name: SKCLNET.LFile.set_LFPassword

JIT compilation started,  name: cw.m

JIT compilation started,  name: SKCLNET.LFile.set_LFName

JIT compilation started,  name: SKCLNET.LFile.Open

JIT compilation started,  name: SKCLNET.LFile.CheckStatus

JIT compilation started,  name: SKCLNET.LFile.raise_StatusChanged

JIT compilation started,  name: SKCLNET.LFile.CheckError

JIT compilation started,  name: a1.a

JIT compilation started,  name: SKCLNET.LFile.GetUserNumber

JIT compilation started,  name: SKCLNET.LFile.GetVar

JIT compilation started,  name: SKCLNET.LFile.get_IsDemo

JIT compilation started,  name: SKCLNET.LFile.get_ExpireMode

JIT compilation started,  name: SKCLNET.LFile.GetVar

JIT compilation started,  name: SKCLNET.LFile.add_StatusChanged

JIT compilation started,  name: a1.a

JIT compilation started,  name: a1.a

]]> The Newbie Forum FrankRizzo http://www.woodmann.com/forum/showthread.php?t=12037 SSPro - sproRead questons http://www.woodmann.com/forum/showthread.php?t=12034&goto=newpost Sat, 30 Aug 2008 13:08:43 GMT Read Address=21 (0x15) Out:> Read Address=21 (0x15) -> Status=0x3 Data=255 (0xFF)]]> Hello,

I'm working on Sentinel Super Pro. I have two questions:

1) sproREAD()
Output from Toro:
In:> Read Address=21 (0x15)
Out:> Read Address=21 (0x15) -> Status=0x3
Data=255 (0xFF)

What does Data=255 (0xFF) mean? (Did any error occured reading from cell15?)
Why do I get from some other cells the output: Data=0 (0x0)? What's the difference?

2) How should Cell0 be treated?

quote from SDK:
"Key serial number; sequentially assigned per key."

I read in a tutorial that this cell needs to be filled with the dongle serial number. Is there any general way to find the dongle serial number or what has to be put into this cell?

Thank you for help!

Best regards
keen

PS: I read all tutorials from CrackZ and the SDK-Doc. ]]> The Newbie Forum keen2k http://www.woodmann.com/forum/showthread.php?t=12034 Reversing a QT-GUI-Framework based Application http://www.woodmann.com/forum/showthread.php?t=12033&goto=newpost Sat, 30 Aug 2008 00:05:42 GMT Hi there,

what i'm trying to do is to patch away a popup-window in a QT-GUI-Framework (_http://trolltech.com/products/qt) based application written in VC++.

As the framework has its own routines to create windows, there's no way to set breakpoints on createwindow and stuff (or at least I wasn't able to do it).

A small sample of code for a window in QT looks like this

Code:

QWinWidget *w = new QWinWidget(hWnd, 0, 0);

             w->showCentered();

             QMessageBox *mb = new QMessageBox("Qt on Win32 - modeless",

                 "Is this dialog modal?",

                 QMessageBox::NoIcon,

                 QMessageBox::Yes | QMessageBox::Default,

                 QMessageBox::No  | QMessageBox::Escape,

                 QMessageBox::NoButton, w);

             mb->setModal(false);

             mb->setAttribute(Qt::WA_DeleteOnClose);

             mb->show();

My question is how can I identify this code in the debugger? My idea was to break in where the show() function (in its compiled state of course :-) ) is called ...

Thanks for any hint!

fxxx ]]> The Newbie Forum fxxx http://www.woodmann.com/forum/showthread.php?t=12033 Find all Commands Plugin http://www.woodmann.com/forum/showthread.php?t=12032&goto=newpost Fri, 29 Aug 2008 23:01:21 GMT Hi,
I'm looking for a plugin that will "Find all Commands", without the "Too few Operands" you get with Olly.
To be able to type in any command such as "mov" and have all the mov commands show would be great!
Does anyone know of such a plugin or is that able to be done?
Thanks for your help! ]]> The Newbie Forum Cougar http://www.woodmann.com/forum/showthread.php?t=12032 does this tmp5.tmp install any driver http://www.woodmann.com/forum/showthread.php?t=12031&goto=newpost Fri, 29 Aug 2008 20:01:50 GMT found this in %alluserprofile%\startup folder seems to be autorunning av doesnt sound any alarm creates two three files using MoveFileEx (....,...,DELAY_UNTIL_REBOOT) and LoadLibs this tmp_tmp# (i did not let it and just grabbed this) the original launcher is Finding DeviceIoControl... found this in %alluserprofile%\startup folder seems to be autorunning
av doesnt sound any alarm

creates two three files using MoveFileEx (....,...,DELAY_UNTIL_REBOOT)

and LoadLibs this tmp_tmp# (i did not let it and just grabbed this)

the original launcher is Finding DeviceIoControl through GetProcAddress

so if someone want to check if there is any driver involved

i googled the random name of MOVEFILE (msupd123456 blah)

looks like a driver is involved from google

http://support.microsoft.com/kb/894278

but i couldnt locate any random driver

so may be it was dormant and hadnt yet spat out its venom coz the comp in question hasnt been rebooted for some time

MALWARE BEWARE

password malware

Attached Files

somevirus.rar (36.3 KB)

]]> Malware Analysis and Unpacking Forum blabberer http://www.woodmann.com/forum/showthread.php?t=12031