
my blog

.. and my reverse diary

Snow Lake

ONDA Modem - Driver


This is a minidump, probably caused by a device on my workstation: a PCMCIA device (plugged into a PCI adapter manufactured by Ricoh). Probably the driver is not compatible with Vista 64. I need to upgrade my system to Windows 7... Will it happen?

MODULE_NAME: usbohci

FAULTING_MODULE: fffff80002618000 nt

DEBUG_FLR_IMAGE_TIMESTAMP:  479199d4

WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
 fffffa6008d08014 

CURRENT_IRQL:  0

FAULTING_IP: 
usbohci+34ed
fffffa60`00bc84ed ??              ???

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xD1

LAST_CONTROL_TRANSFER:  from fffff8000266c46e to fffff8000266c6d0

STACK_TEXT:  
fffffa60`017ea448 fffff800`0266c46e : 00000000`0000000a fffffa60`08d08014 00000000`00000002 00000000`00000001 : nt+0x546d0
fffffa60`017ea450 00000000`0000000a : fffffa60`08d08014 00000000`00000002 00000000`00000001 fffffa60`00bc84ed : nt+0x5446e
fffffa60`017ea458 fffffa60`08d08014 : 00000000`00000002 00000000`00000001 fffffa60`00bc84ed 00000000`00000018 : 0xa
fffffa60`017ea460 00000000`00000002 : 00000000`00000001 fffffa60`00bc84ed 00000000`00000018 00000000`00000000 : 0xfffffa60`08d08014
fffffa60`017ea468 00000000`00000001 : fffffa60`00bc84ed 00000000`00000018 00000000`00000000 00000000`00000000 : 0x2
fffffa60`017ea470 fffffa60`00bc84ed : 00000000`00000018 00000000`00000000 00000000`00000000 00000000`00000000 : 0x1
fffffa60`017ea478 00000000`00000018 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : usbohci+0x34ed
fffffa60`017ea480 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x18


STACK_COMMAND:  kb

FOLLOWUP_IP: 
usbohci+34ed
fffffa60`00bc84ed ??              ???

SYMBOL_STACK_INDEX:  6

SYMBOL_NAME:  usbohci+34ed

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  usbohci.sys

BUCKET_ID:  WRONG_SYMBOLS

Followup: MachineOwner
---------

1: kd> lmvm usbohci
start             end                 module name
fffffa60`00bc5000 fffffa60`00bd0000   usbohci  T (no symbols)           
    Loaded symbol image file: usbohci.sys
    Image path: \SystemRoot\system32\DRIVERS\usbohci.sys
    Image name: usbohci.sys
    Timestamp:        Sat Jan 19 07:33:56 2008 (479199D4)
    CheckSum:         00014EDD
    ImageSize:        0000B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
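The analysis above ran without symbols (BUCKET_ID is WRONG_SYMBOLS), so the `nt+0x...` names and the `CURRENT_IRQL: 0` field are not trustworthy, but the raw stack is: without symbols WinDbg cannot unwind, so it prints one line per 8-byte slot, and the five KeBugCheckEx parameters sit contiguously right after the return address. The script below, an added example that is not part of the original post, rebuilds those slots from the first two STACK_TEXT lines, decodes them with the documented parameter layout of stop code 0xA/0xD1 (memory referenced, IRQL, 0 = read / 1 = write, faulting instruction), maps the faulting IP onto the `lmvm usbohci` range and converts the image timestamp. The input strings are copied from the output above; nothing else is assumed.

```python
from datetime import datetime, timezone
import re

# Input constructed by copying fragments of the WinDbg output above: the
# first two STACK_TEXT lines, the `lmvm usbohci` range line and the image
# timestamp.  The layout is WinDbg's own.
STACK_TEXT = [
    "fffffa60`017ea448 fffff800`0266c46e : 00000000`0000000a fffffa60`08d08014 "
    "00000000`00000002 00000000`00000001 : nt+0x546d0",
    "fffffa60`017ea450 00000000`0000000a : fffffa60`08d08014 00000000`00000002 "
    "00000000`00000001 fffffa60`00bc84ed : nt+0x5446e",
]
LMVM_LINE = "fffffa60`00bc5000 fffffa60`00bd0000   usbohci  T (no symbols)"
IMAGE_TIMESTAMP = 0x479199D4

# Stop codes 0xA and 0xD1 carry the same four parameters; !analyze reports
# the 0xA seen on the stack as 0xD1 when the faulting IP lies in a driver.
BUGCHECK_NAMES = {0x0A: "IRQL_NOT_LESS_OR_EQUAL", 0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL"}

_STACK_RE = re.compile(r"^(\S+) (\S+) : (\S+) (\S+) (\S+) (\S+) : (.*)$")


def parse_u64(token):
    """Parse a WinDbg 64-bit value written as hi`lo."""
    return int(token.replace("`", ""), 16)


def stack_qwords(lines):
    """Rebuild the contiguous stack qwords from a symbol-less STACK_TEXT.

    Each line's second column is the qword in one 8-byte slot and the four
    'args' are the next four slots, so consecutive lines overlap by four
    values.  The overlap is checked and only the new slot is appended.
    """
    qwords = []
    for line in lines:
        m = _STACK_RE.match(line)
        if not m:
            raise ValueError("not a STACK_TEXT line: " + line)
        window = [parse_u64(t) for t in m.group(2, 3, 4, 5, 6)]
        if qwords:
            if qwords[-4:] != window[:4]:
                raise ValueError("stack lines are not consecutive slots")
            qwords.append(window[4])
        else:
            qwords.extend(window)
    return qwords


def decode_bugcheck(qwords):
    """Interpret slots 1..5 as KeBugCheckEx(code, arg1, arg2, arg3, arg4).

    Slot 0 is the return address into nt; the parameters follow it.
    """
    code, a1, a2, a3, a4 = qwords[1:6]
    if code not in BUGCHECK_NAMES:
        raise ValueError("unsupported stop code 0x%x" % code)
    return {
        "code": code,
        "name": BUGCHECK_NAMES[code],
        "address": a1,                       # memory referenced
        "irql": a2,                          # IRQL at the time of the fault (2 = DISPATCH_LEVEL)
        "op": "write" if a3 == 1 else "read",
        "ip": a4,                            # instruction that touched the memory
    }


def module_offset(ip, lmvm_line):
    """Map an address onto module+offset using an `lmvm` start/end line."""
    start, end, name = lmvm_line.split()[:3]
    start, end = parse_u64(start), parse_u64(end)
    if not start <= ip < end:
        return None
    return "%s+%x" % (name, ip - start)


def image_time_utc(ts):
    """PE TimeDateStamp (seconds since the Unix epoch) as an ISO UTC string."""
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


if __name__ == "__main__":
    info = decode_bugcheck(stack_qwords(STACK_TEXT))
    print(info["name"], info["op"], "at", hex(info["address"]), "IRQL", info["irql"])
    print("faulting IP:", module_offset(info["ip"], LMVM_LINE))
    print("usbohci.sys built:", image_time_utc(IMAGE_TIMESTAMP))
```

The decoded parameters agree with the summary fields: the write address is the WRITE_ADDRESS value, the faulting IP resolves to usbohci+34ed, and the image timestamp is the lmvm one (07:33:56 local is 06:33:56 UTC). The IRQL parameter is 2, which the `CURRENT_IRQL: 0` line, computed without symbols, failed to report.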

POSTCARD - Cartoline.it / carta


VirusTotal permanent analysis

The sample is available on OffensiveComputing (registration required).

I received from a friend (well... I have no friend named "carta" who would send me a postcard with a hyperlink to an exe file, now available at http://vps10.web4ce.cz/phpmyadmin/config/carta.exe) an invitation to view a postcard... yes... I did :smile:

The postcard is a dropper that creates a folder spoolsv in \WINDOWS\TEMP and puts these files into it:
  1. a.reg
  2. aliases.ini
  3. com.mrc
  4. control.mrc
  5. fullname.txt
  6. ident.txt
  7. mirc.ico
  8. mirc.ini
  9. remote.ini
  10. run.bat
  11. s.mrc
  12. servers.ini
  13. spoolsv.exe
  14. users.ini
  15. xmass.jpg
  16. [download]
  17. [sounds]


spoolsv.exe is mIRC v6.03, licensed to "WhiteHat";
the exe file has no icon.

This is a block of the "mirc.ini" settings:
[mirc]
user=A true story never die ! *
nick=havok13z
anick=xib20mumh
email=X
host=CoolSERVER:remuser.strangled.net:6667GROUP:Cool


This is the default list of servers available on Undernet (plus the "Cool" group):
[servers]
n1=CoolSERVER:remuser.strangled.net:6667GROUP:Cool
n2=CoolSERVER:remuser.hopto.org:6667GROUP:Cool
n3=CoolSERVER:remuser.myz.info:6667GROUP:Cool
n4=CoolSERVER:drone.homelinux.com:6667GROUP:Cool
n5=LelystadSERVER:Lelystad.NL.EU.UnderNet.Org:6667GROUP:Undernet
n6=HelsinkiSERVER:Helsinki.FI.EU.Undernet.Org:6667GROUP:Undernet
n7=Mesa2SERVER:Mesa2.AZ.US.Undernet.Org:6667GROUP:Undernet
n8=EdeSERVER:Ede.NL.EU.UnderNet.Org:6667GROUP:Undernet
n9=TampaSERVER:Tampa.FL.US.Undernet.Org:6667GROUP:Undernet
n10=ZagrebSERVER:Zagreb.Hr.EU.UnderNet.Org:6667GROUP:Undernet
n11=LondonSERVER:London.UK.Eu.Undernet.Org:6667GROUP:Undernet
n12=DiemenSERVER:Diemen.NL.EU.Undernet.Org:6667GROUP:Undernet
n13=NewyorkSERVER:Newyork.NY.US.Undernet.Org:6667GROUP:Undernet
n14=MesaSERVER:Mesa.AZ.US.Undernet.Org:6667GROUP:Undernet
n15=LosAngeles2SERVER:LosAngeles2.CA.US.Undernet.org:6667GROUP:Undernet
n16=LosAngelesSERVER:LosAngeles.CA.US.Undernet.Org:6667GROUP:Undernet
n17=ElseneSERVER:Elsene.Be.Eu.Undernet.Org:6667GROUP:Undernet
n18=BucharestSERVER:Undernet.rdsnet.ro:6667GROUP:Undernet
n19=LelystadSERVER:dana.basefreak.nl:6667GROUP:Undernet
n20=HelsinkiSERVER:195.197.175.21:6669GROUP:Undernet
n21=Mesa2SERVER:69.16.172.40:7000GROUP:Undernet
n22=EdeSERVER:193.109.122.67:6660GROUP:Undernet
n23=TampaSERVER:208.83.20.130:6667GROUP:Undernet
n24=ZagrebSERVER:161.53.178.240:6669GROUP:Undernet
n25=DiemenSERVER:194.109.20.90:6662GROUP:Undernet
n26=NewyorkSERVER:64.18.128.86:70000GROUP:Undernet
n27=MesaSERVER:69.16.172.34:7000GROUP:Undernet
n28=ElseneSERVER:195.144.12.5:6667GROUP:Undernet
n29=VancouverSERVER:72.51.18.254:6667GROUP:Undernet
n30=grazSERVER:129.27.9.248:6667GROUP:Undernet
n31=osloSERVER:82.196.213.250:6667GROUP:Undernet
n32=trondheimSERVER:217.168.95.245:6667GROUP:Undernet
n33=DallasSERVER:38.114.116.5:6667GROUP:Undernet
n34=SantaAnaSERVER:66.186.59.50:6667GROUP:Undernet
n35=montrealSERVER:66.198.80.67:6667GROUP:Undernet
n36=Lidingo.SE.EU.Undernet.org:6667GROUP:Undernet


a.reg contains:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]
"Application"="\"C:\\Windows\\temp\\spoolsv\\spoolsv.exe\""
"AppDirectory"="\"C:\\Windows\\temp\\spoolsv\\spoolsv.exe\""

[HKEY_CURRENT_USER\Software\mIRC]

[HKEY_CURRENT_USER\Software\mIRC\Channels]

[HKEY_CURRENT_USER\Software\mIRC\License]
@="5662-546732"

[HKEY_CURRENT_USER\Software\mIRC\LockOptions]
@="0,4096"

[HKEY_CURRENT_USER\Software\mIRC\UserName]
@="WhiteHat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spoolsv"="\"C:\\Windows\\temp\\spoolsv\\spoolsv.exe\""


com.mrc and s.mrc are two mIRC script files for the botnet.

My antivirus (Comodo personal firewall) doesn't throw any warning/alert... Is it a clean file (a mIRC client!) used to create a botnet? Or what?
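A clean mIRC binary gives an antivirus nothing to match on; what gives this sample away is its configuration. The script below is an added example, not part of the original post, that turns the dropped files into indicators: it parses the `[servers]` entries and flags the ones that are not on a public network (the "Cool" group points at dynamic-DNS hosts such as hopto.org and homelinux.com) or carry an impossible port (n26 lists 70000), and it parses a.reg for autostart values that launch an executable out of a temp directory. The `Application`/`AppDirectory` values under `Services\<name>\Parameters` follow the naming convention of the srvany.exe service wrapper; note that the sample sets `AppDirectory` to the exe path rather than a directory. The INI and .reg text are copied from the listings above; the dynamic-DNS suffix list is a small constructed one.

```python
import re

# Constructed sample: a subset of the [servers] block and the a.reg file
# from the dropped spoolsv folder, copied from the listings above.
SERVERS_INI = """[servers]
n1=CoolSERVER:remuser.strangled.net:6667GROUP:Cool
n2=CoolSERVER:remuser.hopto.org:6667GROUP:Cool
n3=CoolSERVER:remuser.myz.info:6667GROUP:Cool
n4=CoolSERVER:drone.homelinux.com:6667GROUP:Cool
n5=LelystadSERVER:Lelystad.NL.EU.UnderNet.Org:6667GROUP:Undernet
n26=NewyorkSERVER:64.18.128.86:70000GROUP:Undernet
n36=Lidingo.SE.EU.Undernet.org:6667GROUP:Undernet
"""

A_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]
"Application"="\"C:\\Windows\\temp\\spoolsv\\spoolsv.exe\""
"AppDirectory"="\"C:\\Windows\\temp\\spoolsv\\spoolsv.exe\""

[HKEY_CURRENT_USER\Software\mIRC\UserName]
@="WhiteHat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spoolsv"="\"C:\\Windows\\temp\\spoolsv\\spoolsv.exe\""
"""

# mIRC server lines: n<N>=<label>SERVER:<host>:<port>GROUP:<group>; the
# label and "SERVER:" are optional because n36 above lacks them.
_SERVER_RE = re.compile(
    r"^n\d+=(?:(?P<label>.*?)SERVER:)?(?P<host>[^:]+):(?P<port>\d+)GROUP:(?P<group>.+)$"
)
# Dynamic-DNS suffixes (constructed list): hopto.org is No-IP,
# homelinux.com is DynDNS, strangled.net is FreeDNS.
DYNDNS_SUFFIXES = (".hopto.org", ".homelinux.com", ".strangled.net", ".myz.info")


def parse_servers(text):
    """Return one dict per well-formed server entry, in file order."""
    entries = []
    for line in text.splitlines():
        m = _SERVER_RE.match(line.strip())
        if m:
            entries.append({"label": m.group("label"), "host": m.group("host"),
                            "port": int(m.group("port")), "group": m.group("group")})
    return entries


def triage_servers(entries, known_groups=("Undernet",)):
    """Flag entries that look like C2 rather than a public IRC network."""
    findings = []
    for e in entries:
        reasons = []
        if e["group"] not in known_groups:
            reasons.append("custom group %r" % e["group"])
        if e["host"].lower().endswith(DYNDNS_SUFFIXES):
            reasons.append("dynamic DNS host")
        if not 1 <= e["port"] <= 65535:
            reasons.append("invalid port %d" % e["port"])
        if reasons:
            findings.append((e["host"], reasons))
    return findings


_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))=(?P<data>.*)$')


def _unquote(data):
    """Strip the outer quotes of a REG_SZ and resolve backslash escapes."""
    if not (data.startswith('"') and data.endswith('"')):
        return data
    out, i, inner = [], 0, data[1:-1]
    while i < len(inner):
        if inner[i] == "\\" and i + 1 < len(inner):
            out.append(inner[i + 1])
            i += 2
        else:
            out.append(inner[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Return (key, value name, string data) triples from a .reg export."""
    values, key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = _KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = _VALUE_RE.match(line)
        if vm and key:
            values.append((key, vm.group("name") or "(Default)", _unquote(vm.group("data"))))
    return values


def persistence(values):
    """Autostart values (Run key, or srvany-style Application/AppDirectory
    under a service's Parameters key) whose target lives in a temp dir."""
    hits = []
    for key, name, data in values:
        k = key.upper()
        autostart = k.endswith("\\CURRENTVERSION\\RUN") or (
            "\\SERVICES\\" in k and name in ("Application", "AppDirectory"))
        path = data.strip('"')
        if autostart and "\\TEMP\\" in path.upper():
            hits.append((key, name, path))
    return hits


if __name__ == "__main__":
    for host, reasons in triage_servers(parse_servers(SERVERS_INI)):
        print(host, "->", "; ".join(reasons))
    for key, name, path in persistence(parse_reg(A_REG)):
        print(key, name, "->", path)
```

Run on the sample, it reports the four "Cool" hosts (custom group plus dynamic DNS), the invalid port on n26, and three autostart values all pointing at C:\Windows\temp\spoolsv\spoolsv.exe. The hosts and the path are the indicators worth blocking and hunting for.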

Nokia E63 - 3 Italia - Xseries




3 Italy
For anyone who owns a Nokia E63 and has subscribed to a 3 tariff plan with the X-series option: it is not possible to use Skype, since the client is not listed among the compatible applications. No big deal. The skype.sis file is a Symbian S60 application available on the 3 X-series site if you use an E71 or one of the devices supported by 3. Download it and install it on your E63. It works very well; the traffic it generates is deducted from the 3 X-series allowances without any problem. To receive calls using 3's Skype you need a flat plan, while outgoing calls go through a SIP switchboard.

3 UK
Anyone who has a Nokia E63 and uses the mobile operator 3 (IT, UK, Ireland?) can use the X-series option (free web using wwww3, Skype and MSN). The Nokia E63 for 3 is said not to be compatible with Skype... this is not true. You can get the skype.sis file to use with your Nokia E63 and your X-series option on 3 (it works only if you have subscribed to the X-series pack).

Trojan Horse

RE of Win32 DD

I'm reversing win32dd, the tool by Matthieu Suiche used to dump the entire content of RAM.

The software, in its latest release, can use:

  • \Device\PhysicalMemory
  • MmMapIoSpace
  • PFN database


The article by Anton Bassov describes step by step what to do to use \Device\PhysicalMemory...

* the post continues... tomorrow, I'm sleeping now *

Vodafone Huawei

A year ago I subscribed to a contract with Vodafone Italy for mobile broadband... the Huawei K3715 with the Vodafone software doesn't allow using another SIM in the modem... apparently it's locked to the Vodafone network.

Every day after 8am the connection is not fast... the modem uses the HSDPA network... but the speed is like a GPRS connection :smile:

Yesterday evening I bought a Huawei modem from TIM... and to my surprise the TIM software can also use the VODAFONE modem (same manufacturer) with another SIM...

So, I'm stupid... because before buying a new modem I should have patched the software to try another SIM... anyway, anyone who has a Vodafone Huawei modem and the same connection problems can get the Alice TIM software and use another SIM.

Aspire 751H

I have a new netbook... an Aspire One 751h

Processor: 1.33GHz Intel Atom Z520
Memory: 1GB, 533MHz DDR2
Hard drive: 160GB 5,400rpm
Chipset: Intel SCH US15W
Graphics: Mobile Intel GMA 500 (integrated)
Operating System: Windows XP
Dimensions (WD): 11.8 x 8.5 inches (8.8 inches with battery)
Height: 1.0 inches
Screen size (diagonal): 11.6 inches
System weight / Weight with AC adapter: 3.0/3.6 pounds

Today I tried Visual Studio 2008 on the Aspire and it works without problems... the project is small for now... but I hope to expand it over the weekend.

Tomorrow I will install the DDK, the Debuggers and other utilities for a mad guy :smile:

The only problem is Linux... I tried Ubuntu Netbook Remix 9.10... but the chipset is not supported... without support X doesn't work properly... the supported monitor resolution is 1366x768, but without the driver Ubuntu uses only 1024x768 pixels... and that's too bad.

I need support for the chipset!!

close my blog?

Right now I have no time to write on this blog, or to reverse applications or operating systems just for myself... During the week I work at a company, and in the evenings and at weekends I'm busy with other things...

A first "result" of my new position is available on the Mentat Solutions web site.

Goodbye (but nobody reads my posts :smile:)

how not use a dongle

So, I will be brief..

Are you thinking of using a dongle to protect your software from piracy? OK... it's a start, but...

Please don't write code like this:

#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* SKEY_LINK and smartlink() come from the dongle vendor's SDK (not shown
   here); the check below is the pattern being criticised, kept as found. */
bool check_dongle(void)
{
   SKEY_LINK struc1;
   CHAR login_passphrase[] = { /* array of values: 20 challenges, 8 bytes each */ };
   CHAR response_passphrase[] = { /* array of values: the 20 expected responses */ };

   struc1.command = 'A';

   /* pick one of the 20 challenge/response pairs baked into the binary */
   int x = rand() % 0x14;

   memcpy(&struc1.data1, &login_passphrase[x*8], 8);

   /* send the challenge to the dongle; 0 means no dongle or an error */
   if (smartlink(&struc1) == 0)
      return false;

   /* compare the dongle's answer with the expected one stored in the binary */
   if (memcmp(&struc1.data1, &response_passphrase[x*8], 8) != 0)
      return false;

   return true;
}


I know it's possible to bypass this dongle check by putting NOPs after the two ifs...
but, since login_passphrase and response_passphrase are respectively the input buffer before ?AES? encryption and the response buffer after ?AES? encryption, and both are in the program binary... why choose this dongle at all??

I suppose the encryption function is AES, which the dongle supports... and in practice this allows me to write an emulator, replacing the SmartKey DLL with a custom DLL.
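The point of the post, modelled in Python as an added example (not the author's code, and not the vendor's SDK): when both the challenge table and the expected-response table ship inside the binary, a working emulator needs nothing but those two tables, so the dongle's secret key never matters. The script also shows the alternative I would suggest, which the post does not describe: store only the challenges and data the program genuinely needs, sealed under a key derived from the dongle's answer, so there is no expected response to lift and no compare to NOP out. Assumptions: the dongle's keyed transform is stood in for by HMAC-SHA256 truncated to 8 bytes (the post only guesses AES), `smartlink` is modelled as a method returning `None` where the C code returns 0, and all keys, challenges and plaintext are constructed. The sealing uses a toy SHA-256 keystream; it exists to show the structure, not as a cipher recommendation.

```python
import hashlib
import hmac

# Constructed stand-in for the secret that lives only inside the dongle.
DONGLE_SECRET = b"secret-that-never-leaves-the-dongle"


def dongle_transform(secret, challenge):
    """Stand-in for the dongle's keyed 8-byte transform (the post guesses AES)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()[:8]


class RealDongle:
    """Models smartlink(): command 'A' returns the keyed transform of data."""
    def __init__(self, secret):
        self._secret = secret

    def smartlink(self, command, data):
        return dongle_transform(self._secret, data) if command == "A" else None


class NoDongle:
    """Nothing plugged in: every call fails, like smartlink() returning 0."""
    def smartlink(self, command, data):
        return None


# What the post's binary carries: 20 challenges and the 20 expected answers
# (login_passphrase / response_passphrase), both readable with a disassembler.
LOGIN_PASSPHRASE = [bytes([i]) * 8 for i in range(0x14)]          # constructed
RESPONSE_PASSPHRASE = [dongle_transform(DONGLE_SECRET, c) for c in LOGIN_PASSPHRASE]


def check_dongle(dongle, index):
    """The weak check from the post, with rand() % 0x14 passed in as index."""
    resp = dongle.smartlink("A", LOGIN_PASSPHRASE[index])
    return resp is not None and resp == RESPONSE_PASSPHRASE[index]


def emulator_from_binary():
    """A replacement 'DLL' built only from the two tables; no secret needed."""
    table = dict(zip(LOGIN_PASSPHRASE, RESPONSE_PASSPHRASE))

    class Emulator:
        def smartlink(self, command, data):
            return table.get(data) if command == "A" else None
    return Emulator()


# Hardened variant (my suggestion, not from the post): the binary keeps the
# challenges and a blob it needs, sealed under the dongle's answer.  No
# expected answer is stored, so neither a NOP over a compare nor a table
# lift from the binary produces the blob.
def _keystream(key, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(dongle, index, plaintext):
    """Run once at build time with a real dongle attached."""
    key = dongle.smartlink("A", LOGIN_PASSPHRASE[index])
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()[:16]


def unseal(dongle, index, blob):
    """Plaintext, or None when the dongle's answer is absent or wrong."""
    key = dongle.smartlink("A", LOGIN_PASSPHRASE[index])
    if key is None:
        return None
    ct, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()[:16]):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


SEALED_TABLE = seal(RealDongle(DONGLE_SECRET), 3, b"licensed feature table")


class ReplayEmulator:
    """Caveat: a real dongle borrowed once can be recorded and replayed."""
    def __init__(self, real):
        self._seen = {c: real.smartlink("A", c) for c in LOGIN_PASSPHRASE}

    def smartlink(self, command, data):
        return self._seen.get(data) if command == "A" else None


if __name__ == "__main__":
    print("weak check, emulator built from the binary:", check_dongle(emulator_from_binary(), 7))
    print("sealed blob, no dongle:", unseal(NoDongle(), 3, SEALED_TABLE))
    print("sealed blob, recorded dongle:", unseal(ReplayEmulator(RealDongle(DONGLE_SECRET)), 3, SEALED_TABLE))
```

The weak check passes with `emulator_from_binary()`, which is exactly the custom DLL the post describes. The sealed variant fails without a dongle or with a dongle holding a different secret, but `ReplayEmulator` shows its limit: anyone who can drive a genuine dongle through all 20 challenges once can record the answers and replay them, so this design only removes the static shortcut, it does not stop emulation by someone who has held the hardware.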