Friday, July 31, 2009

Revolution OS

This is one of the "must watch" movies for every computer user, especially open source software lovers.


" Revolution OS is a 2001 documentary which traces the history of GNU, Linux, and the open source and free software movements. It features several interviews with prominent hackers and entrepreneurs (and hackers-cum-entrepreneurs), including Richard Stallman, Michael Tiemann, Linus Torvalds, Larry Augustin, Eric S. Raymond, Bruce Perens, Frank Hecker and Brian Behlendorf..."

For the trailer:



Here is the full version of the video.

Monday, July 27, 2009

GSVideo with JAVA

As a project needs it, I need to use GSVideo for webcam recording.

" GSVideo is a library for the Processing programming language that offers video playback, capture and recording capabilities through the use of the GStreamer multimedia framework. "

1. Download the gsvideo-0.6-pre.zip here

2. Attention:

For Eclipse

All 3 jar files in the library's Library folder need to be imported into our app's lib. Edit the project properties --> Libraries.

3. Run the example file Capturelinux. It works with my webcam.

Sunday, July 26, 2009

From TiGa IDA video

Just finished TiGa's IDA Pro RCE tutorial, 8 parts in total.

Note:

1 - Visual Debugging with IDA - The Interactive Disassembler
F4 - run to cursor
F7 - step into
F8 - step over
F2 - breakpoint
F9 - start process


2 - Remote Debugging with IDA Pro
-at the terminal on the target box
#share
#share user 192.168.0.1 IDA
#cd /mnt/share (if the connection succeeded, the share should be mounted here)
#./linuxserver //run the IDA linuxserver (the remote debug server)

-in gdb
$file crackme
$disas main //disassemble main to see where the program starts
$break strcmp
$run

-eXamine the String pointed to by EAX; it is the dummy password
$x/s $eax
$step
$inspect $eax //INSpect EAX (inspect is gdb's alias of print)
$clear strcmp //clear the breakpoint we created

To paste thing in IDA cmd, use SHIFT+INSERT , not Ctrl + V


3 - Tracing a buggy Application with IDA Pro (Training Package)
-sizeof(iInteger) gives the length of the array in bytes, not the element count

-A hardware breakpoint is needed when dealing with data. A normal BP inserts an opcode (0xCC, int 3) at the beginning of an instruction to generate an exception when that instruction is about to be executed, so it cannot trap a read or write of a variable.
-if the function reads integers, the BP needs to be 4 bytes wide
-F2 to set a breakpoint
-F9 to run

-highlight the variable, then add it to the watch list (click the button); the value should be the same as in the specified register

modifying the tracing options

-at Tracing options the trace buffer size is the number of lines to log before overwriting (0 means an unlimited buffer)

-we can make tracing stop at the end of this function rather than at the end of main: just change the Stop condition at Tracing options

-we can disable a breakpoint by right click instead of removing it (the breakpoint colour turns from red to green)

-run to cursor
-pressing the H key switches a value from hex to decimal; pressing H again changes it back from decimal to hex

-A HWBP set on execute behaves the same as a regular BP but without writing the 0xCC byte. Max 4 HWBPs: the x86 CPU has only four debug address registers (DR0-DR3), so all PCs are limited this way.

-Toggle tracing instruction; the tracing panel will show.

-from the tracing window we can see which APIs have been used.

-we can make a breakpoint with Break unchecked; it then only breaks when its condition is met

-we can set Trace mode or Break mode for all breakpoints in Tracing options. It adds a red marker in the tracing window


4 - How to solve Crackmes for Dummies in Video
(part 1)
-F4 for run until cursor
-[ebx] means the data pointed to by EBX
-sometimes a breakpoint condition like al=al-2 is used (in IDC a single = is an assignment, so the BP patches AL each time it is hit), because al-2+1 = al-1

-we can use a breakpoint condition to avoid a nag: at the nag address set a breakpoint with the condition "EIP=0x4014E2" (this address is the place where the nag can be bypassed; the = assigns to EIP, so execution is redirected there)

(part 2)
-In Visual C++, Ctrl-T tests the dialog
-MFC ClassWizard

void CKeygenDlg::OnChangeEname()
{
    UpdateData(true); // copy the edit control contents into the member variables
}

//MFC version of printf: CString::Format

m_sSerial.Format("%i", iSum);


5 - x64 Disassembling and Fixing obfuscated APIs
-Press C to convert the data to code ---> reanalyse the segment
-Debugger --> Take memory snapshot //IDA can dump volatile memory and integrate it into the database
-check the import section (pink area of the memory bar)
-some information is not loaded into the database, especially when a segment of memory disappears.
solution: reload the file without checking "Create imports section"
-Options ---> Analysis --> Reanalyze program
-edit the segment size and the segment start address; the truncated segment will show
-SHIFT + "minus" (underscore, change sign) turns the 0xFFFFFFFF value into a signed decimal number, -1
-x64 disassembling/debugging has to be done remotely on a 64-bit OS
-why not debug with IDA-64 locally?
Reason: IDA-64 is itself a 32-bit program; the 64-bit debug server acts only as a translator
Solution: point the server address and port at the local server if you want to debug a 64-bit app locally on a 64-bit OS

EAX -> RAX
EBX -> RBX
ECX -> RCX
EDX -> RDX
ESI -> RSI
EDI -> RDI
EBP ->RBP
ESP -> RSP
EIP -> RIP

-a fastcall-like convention (the Microsoft x64 calling convention) is used rather than the usual stdcall from win32
Rules:
1. the first 4 arguments of a call are not pushed on the stack but assigned to specific registers, in this order:

RCX -> RDX -> R8 -> R9

2. the remaining arguments are passed on the stack as usual (on entry to the callee the 5th argument is at [rsp+28h], above the return address and the shadow space)

3. the stack has to be 16-byte aligned at the call

4. the caller must reserve 32 bytes of "shadow space" on the stack so the callee can spill the four register arguments if it needs them


6 - TLS-CallBacks and Preventing debugger detection
-press Ctrl+E to display the list of entry points
-TLS = Thread Local Storage; its callbacks are used by packers for anti-debugging tricks, acting as a debugger detector
-a TLS callback runs before the OEP, so the check happens before a debugger breaks at the entry point
-Edit --> Plugins --> Stealth hide IDA debugger: it puts breakpoints inside certain APIs to prevent debugger detection
-IsDebuggerPresent (3 instructions)
Instruction #1:
eax = NT_TIB.Self (fs:[18h])
eax becomes the address of the Thread Information Block (TEB)
Instruction #2:
eax = TEB.Peb (TEB+30h)
eax becomes the address of the Process Environment Block
Instruction #3:
eax = PEB.BeingDebugged (PEB+2, one byte)
this value is set by the OS when the process is started from or attached to by a debugger


7 - Unwrapping a Flash Video Executable (exe2swf)
-press A to turn the characters into a string
-paste the URL into Mozilla Firefox


8 - Stop fishing and start keygenning

-use a symbolic constant to represent the first message comparison

-The IsDebuggerPresent API is used to check if the program is being debugged. It returns 0 for false or nonzero (1) for true.

-as the breakpoint condition we specify eax=0; in IDC a single = is an assignment, so EAX is forced to 0 each time the BP is reached and the condition evaluates false, so the process does not stop

-the FindWindowA API tries to find a window with the class name OLLYDBG, and IDA doesn't have one of those.

-0x6954 = 26964 decimal

Friday, July 10, 2009

PIX, IOS, ACLs

/////////Difference between IOS ACLs and PIX ACLs////////////

IOS router ACLs use a wildcard mask. PIX ACLs use a subnet mask.

In the common case a wildcard mask is simply a subnet mask with the ones and zeros inverted; for example, the wildcard mask 0.0.0.255 corresponds to the subnet mask 255.255.255.0. Strictly, each 0 bit in the wildcard must match the given address and each 1 bit is ignored, so IOS also accepts non-contiguous wildcards such as 0.0.255.0 that have no subnet-mask equivalent. A wildcard mask is always used together with an IP address. For example, in a standard ACL, a statement like the following:

access-list 10 permit 10.0.3.0 0.0.0.255

permits traffic from subnet 10.0.3.0/24, that is, the first three octets must match exactly, whereas the bits in the fourth octet can take any value.


////////// Special Feature of Cisco PIX //////////////

PIX only lets you apply rules inbound (to an interface). By default the PIX allows traffic from a higher security interface (inside=100) to a lower security interface (outside=0). The return traffic is allowed because the PIX is stateful: it records the outbound connection and lets the matching reply traffic back in, then drops the entry when the connection ends.

////////// Access Control List /////////////////

access-list 101 permit tcp any range 1024 65535 host 192.168.5.1 eq www

access-list 101 permit tcp any host 192.168.5.1 eq www

ACLs are evaluated top down and the first matching ACE wins. With both ACEs in the order above, rule 1 is a subset of rule 2 and therefore redundant: a packet from source port 1024-65535 matches rule 1, and a packet from any other source port falls through to rule 2, so any source port is allowed to reach host 192.168.5.1 port 80. To actually restrict the source port range, rule 2 would have to be removed (or turned into a deny placed after rule 1).
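As an added example (not part of the original post, and not Cisco's code), here is a small Python matcher for the two ACL syntaxes used in this post. It implements the wildcard-mask rule, first-match evaluation with the implicit deny, and an audit that flags ACEs that can never match (shadowed by an earlier ACE) or that change nothing (redundant, as rule 1 in ACL 101 is). It goes a little beyond the text in that it also handles non-contiguous wildcards. The parser, the port-name table, the `audit` function and the packet values are my own simplification of the IOS syntax; the two ACL 101 lines are the ones from the post.

```python
"""Cisco-style ACL matcher: wildcard masks, first-match evaluation with the
implicit deny, and an audit for shadowed or redundant ACEs.
Simplified IOS syntax (assumption): numbered standard and extended ACLs only."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22,
              "telnet": 23, "smtp": 25, "domain": 53}   # subset, assumed
ANY = (0, 0xFFFFFFFF)      # (base, wildcard): every bit is "don't care"
ALL_PORTS = (0, 65535)
PROTOCOLS = ("ip", "tcp", "udp", "icmp")


def ip2int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base, a 1 bit is ignored."""
    return ((ip2int(ip) ^ ip2int(base)) & ~ip2int(wildcard) & 0xFFFFFFFF) == 0


def wildcard_to_prefixlen(wildcard: str) -> Optional[int]:
    """CIDR length if the wildcard is an inverted subnet mask, else None
    (its 1 bits are not one contiguous low-order run, e.g. 0.0.255.0)."""
    w = ip2int(wildcard)
    return None if w & (w + 1) else 32 - w.bit_length()


@dataclass
class ACE:
    action: str                 # "permit" or "deny"
    proto: str
    src: Tuple[int, int]        # (base, wildcard)
    sport: Tuple[int, int]      # inclusive port range
    dst: Tuple[int, int]
    dport: Tuple[int, int]


def _portnum(s: str) -> int:
    return PORT_NAMES[s] if s in PORT_NAMES else int(s)


def _addr(t, i):
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (ip2int(t[i + 1]), 0), i + 2
    return (ip2int(t[i]), ip2int(t[i + 1])), i + 2


def _port(t, i):
    if i < len(t) and t[i] == "eq":
        return (_portnum(t[i + 1]), _portnum(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (_portnum(t[i + 1]), _portnum(t[i + 2])), i + 3
    return ALL_PORTS, i


def parse_ace(line: str) -> ACE:
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    if t[3] in PROTOCOLS:                          # extended ACL
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        return ACE(t[2], t[3], src, sport, dst, dport)
    src, _ = _addr(t, 3)                           # standard ACL: source only
    return ACE(t[2], "ip", src, ALL_PORTS, ANY, ALL_PORTS)


def _in_addr(ip: int, spec) -> bool:
    base, w = spec
    return ((ip ^ base) & ~w & 0xFFFFFFFF) == 0


def evaluate(acl: List[ACE], proto: str, sip: str, sport: int,
             dip: str, dport: int) -> Tuple[str, Optional[int]]:
    """First matching ACE wins (1-based number); falling off the end is the implicit deny."""
    for n, a in enumerate(acl, 1):
        if (a.proto in ("ip", proto)
                and _in_addr(ip2int(sip), a.src) and a.sport[0] <= sport <= a.sport[1]
                and _in_addr(ip2int(dip), a.dst) and a.dport[0] <= dport <= a.dport[1]):
            return a.action, n
    return "deny", None


def _addr_subset(inner, outer) -> bool:
    """Every address matched by inner is matched by outer (exact for any wildcard)."""
    (ib, iw), (ob, ow) = inner, outer
    return (iw & ~ow & 0xFFFFFFFF) == 0 and ((ib ^ ob) & ~ow & 0xFFFFFFFF) == 0


def covers(outer: ACE, inner: ACE) -> bool:
    """True if every packet that matches inner also matches outer (actions ignored)."""
    return (outer.proto in ("ip", inner.proto)
            and _addr_subset(inner.src, outer.src) and _addr_subset(inner.dst, outer.dst)
            and outer.sport[0] <= inner.sport[0] <= inner.sport[1] <= outer.sport[1]
            and outer.dport[0] <= inner.dport[0] <= inner.dport[1] <= outer.dport[1])


def audit(acl: List[ACE]) -> List[str]:
    """Shadowed: an earlier ACE covers it, so it never matches.  Redundant: a later
    ACE with the same action covers it and every ACE in between shares that action."""
    findings = []
    for i, ace in enumerate(acl):
        for j in range(i):
            if covers(acl[j], ace):
                findings.append(f"ACE {i + 1} is shadowed by ACE {j + 1}")
                break
        for j in range(i + 1, len(acl)):
            if acl[j].action != ace.action:
                break
            if covers(acl[j], ace):
                findings.append(f"ACE {i + 1} is redundant: ACE {j + 1} already covers it")
                break
    return findings


# The two ACEs from the post, in the order given.
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 permit tcp any range 1024 65535 host 192.168.5.1 eq www",
    "access-list 101 permit tcp any host 192.168.5.1 eq www",
)]

if __name__ == "__main__":
    print(evaluate(ACL_101, "tcp", "203.0.113.9", 80, "192.168.5.1", 80))   # source port 80 hits ACE 2
    print(audit(ACL_101))
```

The subset test in `_addr_subset` works bit-wise, so it stays exact for non-contiguous wildcards where the CIDR view breaks down. The redundancy check is deliberately conservative: it only reports an ACE when no ACE of the opposite action sits between it and the covering ACE, because such an intervening ACE could catch some of the packets that would otherwise fall through.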

Friday, July 3, 2009

Nipper: PIX, IOS, Juniper firewall audit

Tool : Nipper

My Notes

\\\\\\\\\\\\\\\\\\\\\\\\CISCO IOS\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

ip access-list standard access-list-name
remark description
permit ip-address wildcard [log]


access-class access-list-number in

ip access-group ACL [in | out]


Difference between access-group and access-class

Example ( from internet):

"A good example is that one would apply an acl to an interface using access-group...
router(config)#access-list 101 deny tcp any 192.168.1.48 0.0.0.15 eq http
router(config)#access-list 101 permit ip any any
router(config)#int fa0/1
router(config)#ip access-group 101 in
When applying an acl to a virtual line, like for telnet, one would apply it using access-class
router(config)#access-list 10 deny host 10.10.15.3
router(config)#access-list 10 permit any
router(config)#line vty 0 4
router(config-line)#access-class 10 in
"


\\\\\\\\\\\\\\\\\\\\\\\\ PIX \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

1. We generally put a global command on each lower security interface that we want our internal users to have access to.

2. We put nat commands on the higher security interfaces, allowing users to start connections to the lower security level interfaces that have global commands on them.


3. If you've used NAT before, you'll recognize that servers on the inside that need to be connected to from the outside need static mappings. The static command creates a permanent mapping (called a static translation slot or "xlate") between a local IP address and a global IP address. Use the static and access-list commands when you are accessing an interface of a higher security level from an interface of a lower security level. When NAT exists between two interfaces the command takes the form "static (high,low) low high". Without address translation, the format of the static command becomes "static (high,low) high high".

PIX1(config)# nat (inside) 1 10.0.0.0 255.0.0.0 //10.0.0.0 is subnet
PIX1(config)# global (outside) 1 1.1.1.2


\\\\\\\\\\\\\\\\\\\\\\\\\ Juniper firewall \\\\\\\\\\\\\\\\\\\\

set admin auth server "Local" //what does this mean?