tty666

Members
  • Content count

    70
  • Joined

  • Last visited

Community Reputation

0 Neutral

About tty666

  • Rank
    Member
  • Birthday 05/05/1983
  1. Even if it's Python 2.x, it's still used, yeah... (maybe not this script, but Python in general). In fact Python likes clean code, so indentation is really important.
  2. OK, so now I see that `jecxz noHash;` makes it jump directly to the noHash: label. So... I will continue looking and deep-dive debug it...
  3. Hello, I am doing a transition from Delphi to C++ (using VC++), and I am testing a snippet I found here: https://www.tophertimzen.com/blog/shellcodeTechniquesCPP/

     It should not be so complicated to implement: it's a Kernel32 base address resolution, a ROR13 hash calculation and a loop through the PEB of kernel32 to find the function address corresponding to the ROR13 hash. But after compilation I get a memory violation error, and I am pretty sure it's located inside the PEB walk-through, which then returns a bad address for the function to be called.

         unsigned int __stdcall findSymbolByHash(unsigned int dllBase, unsigned int symHash)
         {
             __asm {
                 pushad;
                 mov edi, symHash;
                 mov ebp, dllBase;
                 mov eax, [ebp + 0x3c];          // e_lfanew: offset of the PE header
                 mov edx, [ebp + eax + 0x78];    // export directory RVA (PE32 data directory[0])
                 add edx, ebp;
                 mov ecx, [edx + 0x18];          // NumberOfNames
                 mov ebx, [edx + 0x20];          // AddressOfNames (RVA of the name pointer table)
                 add ebx, ebp;
             search_loop:
                 jecxz noHash;                   // no names left: take the failure path
                 dec ecx;                        // decrement numberOfNames
                 mov esi, [ebx + ecx * 4];       // get an export name
                 add esi, ebp;
                 push ecx; push ebx; push edi; push esi;   // set up stack frame and save clobbered registers
                 call hashString;
                 pop edi; pop ebx; pop ecx;      // restore clobbered registers
                 cmp eax, edi;                   // check if hash matched
                 jnz search_loop;
                 mov ebx, [edx + 0x24];          // AddressOfNameOrdinals
                 add ebx, ebp;
                 mov cx, [ebx + 2 * ecx];        // current ordinal number
                 mov ebx, [edx + 0x1c];          // AddressOfFunctions
                 add ebx, ebp;
                 mov eax, [ebx + 4 * ecx];       // RVA of the function
                 add eax, ebp;
                 jmp done;
             noHash:
                 mov eax, 1;                     // no match found: returns 1 rather than an address
             done:
                 mov [esp + 0x1c], eax;          // overwrite the saved EAX so popad returns the result
                 popad;
             };
         }

     First chance exception at 0x00000001 in stub.exe *: 0xC0000005: Access violation while reading from location 0x00000001.
     Unhandled exception at 0x00000001 in stub.exe *: 0xC0000005: Access violation while reading from location 0x00000001.

     Has somebody an idea where it could be stuck? It's just a copy, as is, of the code for testing... and it starts badly. Thanks if somebody has the answer, because I am using OllyDBG and cannot find the location of the issue.
  4. Indeed, it could be really interesting to hook and inject HTML locally (I am not talking about carding/fraud, but more about traffic redirection). I would like to investigate this as well if I have time.
  5. Still one of the two best I got. DeadlyVermilion = R0x0r!
  6. So basically you drop a Tor server, run it and connect to the Tor proxy SOCKS port with the botnet... Am I right? Do you hide the open port? Using a rootkit? Because it's really visible otherwise.
  7. Uh? There is also a 32-bit version of explorer.exe on 64-bit versions, a dummy version which hands over to the 64-bit one, and I was guessing that this exploit is based on this one, not on the other explorer.exe (full 64-bit).
  8. Protocol, I can understand it's not clean, but it has almost become a common option, like coin miners and DDoS. Even if it's maybe bad, these are actual projects that people are looking to learn from too... Anyway, you are the boss, just giving my opinion.
  9. The post is from 2010... is it necessary to refresh it?
  10. Bwah, it depends on whether you want to do it like a pro, like a good coder or like crap.

     Pro: include your key somewhere in the exe itself, like a section or somewhere that you know will not be erased, and code your stub to read itself (with a payload section), find the key, and decrypt the rest of the code which is not payload.

     Good coder: like they all said already, create a resource with the key inside the stub, make the stub able to read its own resources, take the key, and decrypt the packed exe (probably also in the resources).

     Crap: write the key at the FULL END of the exe, as if it were a simple text binary file, between two recognizable parsing flags, and do the same for the encrypted/packed EXE. Read your own code from the stub to find the flags, take the text between them, take the exe code and decrypt it. (Will it work? Of course, because it doesn't break the exe code or any termination; the exe will just ignore it like shit and will not crash...)

     What surprised me when testing the crap method in one project was the fact that if you do it with an exe that really gives the feel of being "trusted"/"correct", with a window but not displaying it, with some buttons on the same window, using VCL (haha, but true) and so on, the AV just ignores this addition at the end of the code and doesn't see it as abnormal.

     Anyway, 1 & 2 are the cleanest ways, but experiments are always good to do. Make your own lab...
  11. Clearly everything is good to take and learn from.
  12. Dude, ic0de is not a leeching forum. This guy is already sharing his stuff with you, and as it's source code you are able to change it however you want! Want Unicode? Translate it to use WideStrings! Or extend the character table! Why do you want a Delphi project? It's a simple console application using just one unit... Come on, please, you could also click on the "thanks" button! @bgeraghty: Nice share, dude.
  13. It's clearly simple but easy to integrate, not using dependencies or other headers. It's nice. I hadn't touched C++ for some time and restarted this weekend, so sorry if I post on old topics.
  14. Seems not to be working with Windows 7 x64... I got an exception... How do you retrieve the PEB?
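Editor's note on posts 3 and 14 above. The following is an added example; it is not tty666's code and not the code from the linked tophertimzen post. It is a C model of what the inline asm does (ROR13 hash, export directory walk), plus the PEB walk that locates kernel32 on both x86 and x64. Two things the asm snippet leaves to its caller are worth spelling out: the noHash path returns 1, so a caller that calls the returned value without checking it jumps to address 0x00000001; and MSVC does not accept __asm blocks in x64 builds, so on Windows 7 x64 that 32-bit stub can only run inside a 32-bit process, and a 64-bit resolver has to read the PEB from gs:[0x60] (fs:[0x30] on x86) and the export directory RVA from offset 0x88 of the PE header instead of 0x78. Assumptions in this example: the ROR13 variant stops at the NUL terminator (some hashString implementations also fold in the NUL; pick one and hash the same way at lookup time), the "fake image" is constructed in memory purely for the demonstration and is not a real DLL, and the third entry of InMemoryOrderModuleList is kernel32, which is what the classic PEB walk relies on. Fields are read with memcpy on a little-endian host, as on x86.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Unaligned little-endian loads/stores, like the asm's raw [reg + off] accesses. */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* ROR13 name hash: rotate right by 13, add the next byte, stop at the NUL.
 * Assumption: whether the NUL is folded in is a variant choice (see lead-in). */
uint32_t ror13_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        h = ((h >> 13) | (h << 19)) + *p;
    return h;
}

/* C equivalent of findSymbolByHash. Returns the export's address, or NULL when
 * no exported name hashes to sym_hash (the asm returns 1 there). Either way the
 * caller must test the result before calling through it. Forwarded exports are
 * not handled, matching the asm. */
const uint8_t *find_export_by_hash(const uint8_t *base, uint32_t sym_hash)
{
    uint32_t pe = rd32(base + 0x3c);                   /* e_lfanew */
    uint16_t magic = rd16(base + pe + 0x18);           /* optional header magic */
    uint32_t dir = (magic == 0x20b) ? 0x88 : 0x78;     /* export dir: PE32+ vs PE32 */
    uint32_t exp_rva = rd32(base + pe + dir);
    if (exp_rva == 0) return NULL;                     /* module has no export table */
    const uint8_t *ed = base + exp_rva;                /* IMAGE_EXPORT_DIRECTORY */
    uint32_t n_names = rd32(ed + 0x18);                /* NumberOfNames */
    const uint8_t *funcs = base + rd32(ed + 0x1c);     /* AddressOfFunctions */
    const uint8_t *names = base + rd32(ed + 0x20);     /* AddressOfNames */
    const uint8_t *ords  = base + rd32(ed + 0x24);     /* AddressOfNameOrdinals */
    for (uint32_t i = n_names; i-- > 0; ) {            /* backwards, like 'dec ecx' */
        const char *name = (const char *)(base + rd32(names + 4 * i));
        if (ror13_hash(name) != sym_hash) continue;
        uint16_t ord = rd16(ords + 2 * i);             /* name slot -> function slot */
        return base + rd32(funcs + 4 * ord);
    }
    return NULL;
}

/* Constructed PE32-shaped image (not a real DLL) exporting three names. The name
 * table is sorted as a linker emits it; the ordinal table maps each name to its
 * function-table slot, so name order and function order differ on purpose. */
#define FAKE_IMAGE_SIZE 0x400
static void build_fake_image(uint8_t *img)
{
    static const struct { const char *name; uint32_t rva; uint16_t ord; } ex[] = {
        { "CloseHandle", 0x180, 0 }, { "GetProcAddress", 0x190, 2 }, { "LoadLibraryA", 0x1a0, 1 },
    };
    static const uint32_t func_rvas[] = { 0x300, 0x310, 0x320 };
    memset(img, 0, FAKE_IMAGE_SIZE);
    wr32(img + 0x3c, 0x40);                  /* e_lfanew: PE header at 0x40 */
    wr16(img + 0x40 + 0x18, 0x10b);          /* IMAGE_NT_OPTIONAL_HDR32_MAGIC */
    wr32(img + 0x40 + 0x78, 0x100);          /* export directory RVA */
    wr32(img + 0x100 + 0x18, 3);             /* NumberOfNames */
    wr32(img + 0x100 + 0x1c, 0x140);         /* AddressOfFunctions */
    wr32(img + 0x100 + 0x20, 0x150);         /* AddressOfNames */
    wr32(img + 0x100 + 0x24, 0x160);         /* AddressOfNameOrdinals */
    for (int i = 0; i < 3; i++) {
        wr32(img + 0x140 + 4 * i, func_rvas[i]);
        wr32(img + 0x150 + 4 * i, ex[i].rva);
        wr16(img + 0x160 + 2 * i, ex[i].ord);
        strcpy((char *)img + ex[i].rva, ex[i].name);
    }
}

/* Resolve a name in the constructed image; returns its RVA, or 0 on a miss. */
uint32_t fake_lookup_rva(const char *name)
{
    static uint8_t img[FAKE_IMAGE_SIZE];
    build_fake_image(img);
    const uint8_t *p = find_export_by_hash(img, ror13_hash(name));
    return p ? (uint32_t)(p - img) : 0;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
/* kernel32 base the way shellcode finds it: PEB (fs:[0x30] on x86, gs:[0x60] on
 * x64; NtCurrentTeb() hides the segment) -> Ldr -> InMemoryOrderModuleList,
 * whose entries are the exe, ntdll, then kernel32 (assumed load order). */
const uint8_t *kernel32_base_from_peb(void)
{
    PEB *peb = NtCurrentTeb()->ProcessEnvironmentBlock;
    LIST_ENTRY *e = peb->Ldr->InMemoryOrderModuleList.Flink->Flink->Flink;
    LDR_DATA_TABLE_ENTRY *m = CONTAINING_RECORD(e, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
    return (const uint8_t *)m->DllBase;
}
#endif

int main(void)
{
    printf("LoadLibraryA in the fake image: RVA 0x%x\n", (unsigned)fake_lookup_rva("LoadLibraryA"));
    printf("NotExported in the fake image:  0x%x (a miss; never call this)\n", (unsigned)fake_lookup_rva("NotExported"));
#ifdef _WIN32
    const uint8_t *k32 = kernel32_base_from_peb();
    const uint8_t *fn = find_export_by_hash(k32, ror13_hash("GetProcAddress"));
    printf("kernel32 at %p; GetProcAddress resolved to %p, GetProcAddress() says %p\n",
           (const void *)k32, (const void *)fn, (void *)GetProcAddress((HMODULE)k32, "GetProcAddress"));
#endif
    return 0;
}
```

On Linux or macOS the program only exercises the constructed image; on Windows it also resolves a real kernel32 export through the PEB and cross-checks the result against GetProcAddress. Whatever variant of the walk you use, treat the "not found" return (NULL here, 1 in the asm) as an error path and never call through it: the only address a hash lookup may return is one it actually read out of AddressOfFunctions.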