
Thread: Recreation Class - My123World.Com

  1. #1

    Recreation Class

    Recreation Class
    Author: "Vinnu"
    Greetz to: Legion Of Xtremers and Hackers Garage
    Tutorial taken from the orkut community, originally posted by "vinnu" bro

    A bug that is exploitable is also called a vulnerability. If anyone doesn't know what an exploit is and how to develop it, then he is not a hacker at all. To develop an exploit (the tool that handles an error or bug in such a way as to provide the exploit initiator with internal resource access up to a certain extent), the following things are necessary:

    Before attacking any system in this world, we must know what kind of processor it is employing, and only after that we can. This world is dominated by two kinds of processor technologies, based upon the data handling:

    1. Big Endian
    2. Little Endian

    Big endian processors handle data as it is provided, and in order to feed them data we have to put it in straight order in memory; in other words, the most significant byte goes into the lowest address. If the least significant byte goes into the lower address and the most significant byte at the higher address, then it is a little endian processor; or we can say that little endian processors handle the data in reverse order.
    Consider a memory address 0x77E81280 we have to process, so in case of big endian, we have to place it into memory as:
    0x0012ff13 0x77
    0x0012ff14 0xE8
    0x0012ff15 0x12
    0x0012ff16 0x80

    whereas in little endian case:

    0x0012ff13 0x80
    0x0012ff14 0x12
    0x0012ff15 0xE8
    0x0012ff16 0x77

    Sun SPARC processors are big endian and the Intel x86 architecture is little endian, for example. Big endians are somewhat free from pointer-based off-by-one attacks, as they can shuffle the address space out of admissible locations. Big endians are faster and little endians are somewhat slower. The data in networks flows in the big endian way, so to a network programmer this knowledge is necessary.
    Now we must also know about the operating systems. When we talk about an operating system, actually we talk about the kernel. The kernel is the main process that controls all hardware, applications and system resources, and every kernel is developed by keeping in mind a special motto or task.

    The OS can also be divided into two main categories:

    1. Monolithic Kernel OS
    2. Micro kernel OS

    The kernel comprises many managers together, like the memory manager, file manager, disk manager, process manager, task time scheduler or manager, hardware or device manager, and so on. If all managers execute within the space of one single process, then the operating system kernel is a monolithic kernel, whereas if most of the managers have their own independently executing process, then this kind of operating system is microkernel based. Linux is a microkernel based OS whereas Windows is monolithic.

    Now consider if an error occurs in the memory manager and it needs to be shut down: in the case of a monolithic OS, the whole kernel will be shut down, crashing the operating system, and in the case of a microkernel, the respective memory manager will be detached from the rest of the kernel, shut down, restarted and attached again to the kernel process. This makes the microkernel based OS more reliable; moreover, we can make different managers execute with different privilege levels for security reasons, or every user connected to the same server can have exclusively executing managers for himself.

    Now we have some knowledge of machines and OS types. Hacking is carried out in steps, and the following steps are performed:
    1. recon or information gathering
    2. secure yourself
    3. attack
    4. privilege escalation and do the stuff
    5. clearing the traces
    6. terminate

    But what if you are not trained and don't know what kind of arms to use, and how to use or develop them? Next we are first learning the hacking techniques and will study the attack technologies used by the recreation hackers, or by the tools mostly used by kiddies, so that you will be able to develop your own tools without investing any money, but only your brain, effort and time.

    First thing you must remember: be optimistic, and each and every environment is hackable, may it be a satellite system, the missile control OS, the planes, the ships, or whatever, as the NSA (US) itself says that "The most secure safe of the world is also useless if someone forgets to shut its doors properly", and in the hackers' community it is a common saying about foolproof security that "There is a fool in this world who will trespass the foolproof security". So be patient and learn more, and use your brain rather than the tools.

    Here we go: First we will indulge in somewhat executable programs and security systems, cracking and
    patching them and hardening the security to fortify it too (remember you are a hacker and not a criminal; the future security system will be developed by any one of you, or by all of us, the society). First thing, on your systems install Windows XP and Visual Studio and a hex editor. If you don't have them, no problem; whatever you have for programming will do. But install a hex editor; hex editors are freely available, any one will do. I am saying Visual Studio because it contains some free utilities, which will help you in studying the OS and software structures and the techniques behind attacks. For this tutorial I will be using Visual Studio 6 for programming.
    The three great essentials to achieve anything worth while are: Hard work, Stick-to-itiveness, and Common sense. - Thomas A. Edison
    __________________________________________________ _____________________
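Added example, not part of vinnu's post or the original thread: a C++ program that lays out the post's sample address 0x77E81280 in both byte orders at the post's stack addresses (0x0012ff13 onwards) and detects the byte order of the host it runs on. The serialization is plain arithmetic, so the bytes it produces are the same on a big or little endian machine; only the probe depends on the host. Function names are this example's own.

```cpp
#include <array>
#include <cstdint>
#include <cstring>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>

// Detect the byte order of the machine this program runs on:
// store 0x01020304 and look at the byte that sits at the lowest address.
bool host_is_little_endian() {
    const uint32_t probe = 0x01020304u;
    unsigned char first = 0;
    std::memcpy(&first, &probe, 1);   // byte at the lowest address
    return first == 0x04;
}

// Most significant byte first (big endian, also "network byte order").
// Pure arithmetic: the result does not depend on the host's own byte order.
std::array<unsigned char, 4> to_big_endian(uint32_t v) {
    return { static_cast<unsigned char>(v >> 24), static_cast<unsigned char>(v >> 16),
             static_cast<unsigned char>(v >> 8),  static_cast<unsigned char>(v) };
}

// Least significant byte first (little endian, as x86 stores it).
std::array<unsigned char, 4> to_little_endian(uint32_t v) {
    return { static_cast<unsigned char>(v),       static_cast<unsigned char>(v >> 8),
             static_cast<unsigned char>(v >> 16), static_cast<unsigned char>(v >> 24) };
}

// Rebuild a value from four bytes stored most significant first.
uint32_t from_big_endian(const std::array<unsigned char, 4>& b) {
    return (uint32_t(b[0]) << 24) | (uint32_t(b[1]) << 16) | (uint32_t(b[2]) << 8) | uint32_t(b[3]);
}

// Rebuild a value from four bytes stored least significant first.
uint32_t from_little_endian(const std::array<unsigned char, 4>& b) {
    return (uint32_t(b[3]) << 24) | (uint32_t(b[2]) << 16) | (uint32_t(b[1]) << 8) | uint32_t(b[0]);
}

// Render bytes as "77 E8 12 80" for display and checking.
std::string hex_bytes(const std::array<unsigned char, 4>& b) {
    std::ostringstream out;
    for (size_t i = 0; i < b.size(); ++i) {
        if (i) out << ' ';
        out << std::uppercase << std::hex << std::setw(2) << std::setfill('0') << int(b[i]);
    }
    return out.str();
}

// Print the "address  byte" listing the post uses, one byte per address starting at base.
void print_layout(const char* label, uint32_t base, const std::array<unsigned char, 4>& b) {
    std::cout << label << '\n';
    for (size_t i = 0; i < b.size(); ++i) {
        std::cout << "0x" << std::hex << std::setw(8) << std::setfill('0') << base + i
                  << " 0x" << std::uppercase << std::setw(2) << int(b[i]) << std::nouppercase << '\n';
    }
}

int main() {
    const uint32_t value = 0x77E81280u;   // the address used as the post's example
    const uint32_t base  = 0x0012ff13u;   // the stack addresses used in the post
    std::cout << "host is " << (host_is_little_endian() ? "little" : "big") << " endian\n";
    print_layout("big endian:", base, to_big_endian(value));
    print_layout("little endian:", base, to_little_endian(value));
    return 0;
}
```

The two `from_*` functions are what a network or file-format parser actually needs: reading a multi-byte field with the wrong one of them silently yields a different value (0x77E81280 read as little endian becomes 0x8012E877), which is the class of bug the post's byte tables are warning about.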

  2. #2
    Memory fundamentals

    In this section we are going to discuss the memory structure of programs in disk files and during execution.
    Note: This topic needs the observer to develop some visualizations in his/her brain
    about the program and memory structures.

    Each and every program is allocated 16GB of memory during execution by Windows. This 16GB of memory does not all really exist, but most of it is a part of shared memory, which may have DLLs loaded into it or other data shared among other processes too, and a huge part is unused. The RAM and cache memory load only the essential parts of the programs. Most of the programs and DLLs are linked and loaded at the same constant address unless it is altered or a clash occurs. E.g. every piece of software by default in Windows XP and 2000, etc., is loaded at 0x0400000, and Kernel32.dll in Windows XP is by default loaded at 0x77E60000. At these addresses you will find the executable signature bytes "MZ", or in hex 0x4d 0x5a. This is the start of the DOS stub or MZ header. The MZ header comes into play if a win32 program is executed in DOS mode, or in case Windows is booted in command console mode.
    The familiar message we get then is "This program cannot be run in DOS mode." Then the PE, or 0x50 0x45 in hex, is encountered, and all the juicy information about an executable is provided just after this PE header.

    The first 1000 bytes in Windows executables constitute the header. These header bytes are essential to execute the software properly. We will discuss these header bytes in later sections; let us concentrate on the main object of this section now. Now a very obvious question here... I said above that by default all processes, or
    several processes you'll find in your system by debugging them, are sharing the same addresses in memory. And in the code sections of multiple processes, the same address in different processes or programs has different code bytes, and all these processes are simultaneously executing. How can this happen?

    The answer is that these processes have the same virtual memory address space, starting from 0x00000000 to 0xffffffff, and have all their stuff loaded inside this address space. But each and every address, identical in several different processes which are simultaneously executing, is mapped to a unique physical address in memory (RAM, cache, CPU registers, swap, disks, etc.). In simple words, the virtual addresses are mapped to physical addresses; these virtual addresses will be identical in different processes but have unique physical addresses in memory.

  3. #3
    While the task scheduler switches the processes in the execution queue, the special purpose CPU registers like SS, DS, etc., and so many others, load the necessary information from the respective process's PEB. The PEB is a structure (just like a struct in the C language, or a class) and this structure contains all the information about the physical location of the process's bytes, execution pointer, memory allocated, etc. These PEBs (Process execution blocks)
    are created into a table in memory, and the task scheduler (that makes an OS multitasking) uses this information while switching the processes on a time-shared operating system.

    Now open the command console and change the directory to "%systemroot%\system32"
    and type in the following command:

    dumpbin /headers kernel32.dll >c:\kernelhdr.txt

    This command will create a file on the C: drive with the name kernelhdr.txt. Open that file, and under the heading "OPTIONAL HEADER VALUES" look for "77E60000 image base". This is the address where the first bytes from the disk file will be loaded into memory, i.e. at address 0x77E60000 you'll find "MZ" in the memory.

    You can check it out by opening any process for debugging and then, in the memory window's address text box, typing in 0x77E60000 and checking for the "MZ" bytes.
    Under the "summary" header you will find the following listing:
    5000 .data
    6000 .reloc
    66000 .rsrc
    7E000 .text

    These are the different sections of the kernel32.dll file. These sections are the blocks of the same file in memory, with different purposes and attributes or properties.
    The information about every section is provided under "SECTION HEADER #..." headings.
    The last listing contains the attributes about each section in the respective headers.

    Remember, by convention every section name starts with a "." but it's not mandatory. The most important section out of all these four sections is the ".text" section. The ".text" section is also termed the code section and contains the executable machine code. The ".data" section contains the data used during execution. ".reloc" contains the initialized
    data. These sections are created by the compiler itself, without the knowledge of the programmer. We can also force a compiler to create a custom section; in the next section we'll develop a program to do so.

    Remember, in the Windows operating system class, kernel32.dll is the most important DLL, which gets loaded and mapped into each and every process by default. Attackers make use of this fact to sneak inside systems. We'll discuss the techniques throughout this tutorial. Can you tell me what is the main difference between Windows XP's and Vista's kernels? The Windows Vista kernel employs ASLR security. ASLR (Address Space Layout Randomization)
    is not a new security type in the hacking world, but a real security boost-up. ASLR was already employed in several security operating systems earlier. Under ASLR, the address of loadable modules is changed randomly every time. This avoids the pre-guessing of the memory offsets of DLL exportable functions, variables, and image bases
    of the code and valuable structures and tables. Leave this topic for later. Now let's come on to our practical work, i.e. open VC++ 6.0 and code in the following:

    /* newsec.cpp */

    #include <iostream>
    #include <cstdlib>   // system() and EXIT_SUCCESS

    using namespace std;

    #pragma data_seg (".vinnu")   // MSVC: initialized data below goes into a custom section
    int a=49;
    char array[] = "vinnu! JaiDeva!!!";
    #pragma data_seg () // the rest will go in default data section.

    int main (int argc, char *argv[]) {

        cout << "The integer is: " << a << endl;
        cout << "The buffer is: " << array << endl;

        system("PAUSE");
        return EXIT_SUCCESS;
    }

    /*---------end-of-code---------*/

    Save the file with name "newsec.cpp" and compile with following command:
    cl /Gs newsec.cpp

    Now using dumpbin:

    dumpbin newsec.exe

    we find the following:

    4000 .data
    3000 .rdata
    11000 .text
    1000 .vinnu

    So we created a new section using the pragma directive. To view the full explanation use the "/header" switch on the dumpbin command line. And to isolate the contents of the ".vinnu" section type the following command:
    Dumpbin /section:.vinnu /rawdata:bytes >nsvinnu.txt

    This will create a text file named "nsvinnu.txt" in the same folder. Check out its contents: after the section headers, only the data is given here:

    RAW DATA #4
    00419000: 31 00 00 00 76 69 6E 6E 75 21 20 4A 61 69 44 65 1...vinnu! JaiDe
    00419010: 76 61 21 21 21 00 va!!!.

    Can you tell me what the first byte 0x31 is? It is the integer 49 from the int a=49; instruction, in hex.

    For security reasons, we can use special characters in custom section names, by pressing
    "Right Alt + Num keys", and even encrypt the whole section data. The attributes of a
    section can also be set by inserting a ".def" file and typing in the following:

    SECTIONS
    READ WRITE SHARED

    The section name comes first and the attributes after it. Also we need to understand some instructions of assembly language before proceeding:

    Instruction    Meaning
    -----------    -------
    1) push        pushes the contents onto the top of the stack.
    2) pop         pops the contents off the top of the stack.
    3) jmp         an unconditional jump.
    4) xor         exclusive OR operation on a couple of registers.
    5) call        calls a function.

    Note: after the called function finishes its job, it returns control to the instruction next to the one which called it.

    6) mov d, s    moves the contents of s into d.
    7) test        compares two values for equality.
    8) cmp         checks two values for a logical relation like equal, greater, lesser, etc., depending upon the operator used.

    And now the real heroes of the story come, the CPU registers. There are several, but the most important are listed here:

    REGISTER DESCRIPTION
    -------- -----------
    EAX Work house, return, syscall no.
    EBX Base address, arguments.
    ECX counter, arguments, ‘this’ pointer
    EDX Data
    EDI Destination index
    ESI Source index
    ESP Stack pointer
    EBP Stack frame base pointer
    EFL Flags
    EIP Instruction Pointer

    The registers have different default jobs in different operating systems; for instance, in Linux the eax register is used to hold the syscall number, but mostly it is used to get the return value of a function. These registers can also be used for other jobs too, except the EIP register. The EIP and ESP registers are the most important here: the EIP register holds the address of the instruction the CPU is executing, or in other words, the CPU lands on and executes that instruction whose address the EIP (Extended Instruction Pointer) register holds. And a good thing about it is that at every return, or at the low level ret or retn instruction, the EIP loads an address from the stack memory, and if an attacker by any means controls the memory block containing this address to be loaded
    into the EIP register, he will enslave the CPU for himself; that means he can hold the throne of the CPU. This is a part of the concept behind buffer-overflow attacks, which we'll discuss in the next sections.
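Added example, not code from vinnu's tutorial: a small PE32 section-table reader in C++ that walks the same path dumpbin follows (MZ header, e_lfanew, "PE\0\0" signature, COFF header, optional header, section headers) and lists each section the way the dumpbin summary above does. The image it parses is constructed in memory for this example, modelled on the post's output (image base 0x00400000, a .text section and the custom .vinnu section whose data the post shows at 0x00419000), plus a deliberately writable-and-executable ".rwx" section so that the check a defender runs over a section table has something to find. Field offsets are those of the PE/COFF specification; the type and function names are this example's own.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Section characteristics flags, as defined in the PE/COFF specification.
const uint32_t IMAGE_SCN_CNT_CODE = 0x00000020, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040;
const uint32_t IMAGE_SCN_MEM_EXECUTE = 0x20000000, IMAGE_SCN_MEM_READ = 0x40000000, IMAGE_SCN_MEM_WRITE = 0x80000000;
typedef std::vector<unsigned char> Bytes;
struct SectionInfo { std::string name; uint32_t virtual_size, virtual_address, raw_size, raw_pointer, characteristics; };
struct PeSummary { uint32_t image_base; std::vector<SectionInfo> sections; };

// Bounds-checked little-endian readers (PE headers are stored little endian on disk).
static bool rd16(const Bytes& b, size_t off, uint16_t& v) {
    if (off + 2 > b.size()) return false;
    v = uint16_t(b[off] | (b[off + 1] << 8)); return true;
}
static bool rd32(const Bytes& b, size_t off, uint32_t& v) {
    if (off + 4 > b.size()) return false;
    v = uint32_t(b[off]) | (uint32_t(b[off + 1]) << 8) | (uint32_t(b[off + 2]) << 16) | (uint32_t(b[off + 3]) << 24); return true;
}

// MZ header -> e_lfanew -> "PE\0\0" -> COFF header -> optional header -> section table.
// PE32 only (the 32-bit format VC++ 6 produced); the PE32+ magic is rejected.
bool parse_pe32(const Bytes& img, PeSummary& out, std::string& err) {
    uint32_t e_lfanew = 0, sig = 0; uint16_t nsec = 0, opt_size = 0, magic = 0;
    if (img.size() < 0x40 || img[0] != 'M' || img[1] != 'Z') { err = "no MZ header"; return false; }
    if (!rd32(img, 0x3C, e_lfanew) || !rd32(img, e_lfanew, sig) || sig != 0x00004550u) { err = "no PE signature"; return false; }
    const size_t coff = e_lfanew + 4;                          // 20-byte COFF file header follows the signature
    if (!rd16(img, coff + 2, nsec) || !rd16(img, coff + 16, opt_size)) { err = "truncated COFF header"; return false; }
    const size_t opt = coff + 20;                              // optional header: Magic first, ImageBase at +28 in PE32
    if (!rd16(img, opt, magic) || magic != 0x10B) { err = "not a PE32 optional header"; return false; }
    if (!rd32(img, opt + 28, out.image_base)) { err = "truncated optional header"; return false; }
    out.sections.clear();
    size_t sh = opt + opt_size;                                // section headers follow, 40 bytes each
    for (uint16_t i = 0; i < nsec; ++i, sh += 40) {
        if (sh + 40 > img.size()) { err = "truncated section table"; return false; }
        SectionInfo s;
        size_t n = 0; while (n < 8 && img[sh + n] != 0) ++n;  // 8-byte name, NUL-padded, not NUL-terminated
        s.name.assign(reinterpret_cast<const char*>(&img[sh]), n);
        rd32(img, sh + 8, s.virtual_size);  rd32(img, sh + 12, s.virtual_address);
        rd32(img, sh + 16, s.raw_size);     rd32(img, sh + 20, s.raw_pointer);
        rd32(img, sh + 36, s.characteristics);
        out.sections.push_back(s);
    }
    return true;
}

// Compilers emit code as read+execute and data as read+write; a section that is both
// writable and executable is the first thing to look at in an unfamiliar binary.
std::vector<std::string> writable_executable_sections(const PeSummary& pe) {
    std::vector<std::string> hits;
    for (size_t i = 0; i < pe.sections.size(); ++i) {
        const uint32_t c = pe.sections[i].characteristics;
        if ((c & IMAGE_SCN_MEM_WRITE) && (c & IMAGE_SCN_MEM_EXECUTE)) hits.push_back(pe.sections[i].name);
    }
    return hits;
}

// Translate a loaded virtual address (e.g. the 0x00419000 of the .vinnu dump) to a file offset.
bool va_to_file_offset(const PeSummary& pe, uint32_t va, uint32_t& off) {
    const uint32_t rva = va - pe.image_base;
    for (size_t i = 0; i < pe.sections.size(); ++i) {
        const SectionInfo& s = pe.sections[i];
        if (rva >= s.virtual_address && rva < s.virtual_address + s.raw_size) { off = s.raw_pointer + (rva - s.virtual_address); return true; }
    }
    return false;
}

// Constructed sample: a PE32 header image with no section bodies, modelled on the post's dumpbin output.
static void put16(Bytes& b, size_t off, uint16_t v) { b[off] = v & 0xFF; b[off + 1] = v >> 8; }
static void put32(Bytes& b, size_t off, uint32_t v) { for (int i = 0; i < 4; ++i) b[off + i] = (v >> (8 * i)) & 0xFF; }
static void put_section(Bytes& b, size_t off, const char* name, uint32_t vsize, uint32_t va, uint32_t rsize, uint32_t rptr, uint32_t flags) {
    std::memcpy(&b[off], name, std::strlen(name));             // at most 8 chars; the padding stays zero
    put32(b, off + 8, vsize); put32(b, off + 12, va); put32(b, off + 16, rsize); put32(b, off + 20, rptr); put32(b, off + 36, flags);
}
Bytes build_sample_image() {
    Bytes b(0x200, 0);
    b[0] = 'M'; b[1] = 'Z';
    put32(b, 0x3C, 0x80);                                      // e_lfanew: "PE\0\0" at 0x80
    b[0x80] = 'P'; b[0x81] = 'E';
    put16(b, 0x84, 0x014C);                                    // Machine = i386
    put16(b, 0x86, 3);                                         // NumberOfSections
    put16(b, 0x94, 0xE0);                                      // SizeOfOptionalHeader for PE32
    put16(b, 0x98, 0x10B);                                     // Magic = PE32
    put32(b, 0x98 + 28, 0x00400000);                           // ImageBase, as in the post
    const size_t sh = 0x98 + 0xE0;                             // first section header
    put_section(b, sh,      ".text",  0x11000, 0x1000,  0x11000, 0x400,   IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ);
    put_section(b, sh + 40, ".vinnu", 0x1000,  0x19000, 0x1000,  0x12400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE);
    put_section(b, sh + 80, ".rwx",   0x1000,  0x1A000, 0x1000,  0x13400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE);  // deliberately W+X
    return b;
}
int main() {
    PeSummary pe; std::string err;
    if (!parse_pe32(build_sample_image(), pe, err)) { std::cerr << err << '\n'; return 1; }
    std::cout << std::hex << pe.image_base << " image base\n";
    for (size_t i = 0; i < pe.sections.size(); ++i) std::cout << std::hex << pe.sections[i].virtual_size << ' ' << pe.sections[i].name << '\n';
    std::vector<std::string> rwx = writable_executable_sections(pe);
    for (size_t i = 0; i < rwx.size(); ++i) std::cout << "writable+executable section: " << rwx[i] << '\n';
}
```

Every read is bounds-checked against the buffer because a header field such as e_lfanew or NumberOfSections is attacker-controlled input to any tool that inspects untrusted binaries; the same reader, fed the bytes of a real file, gives the section list dumpbin prints. The va_to_file_offset helper is how one gets from an address seen in the debugger (0x00419000 for .vinnu) back to the byte in the file that a hex editor shows.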

  4. #4
    Friends, pardon me, I forgot to explain the memory allocations; without this knowledge no one can do anything in the field of hacking, so let's land there:
    The memory manager allocates memory every time memory is required by the program.
    The memory manager can be that of the operating system, or of the executing software itself.

    The operating system can increase or decrease the overall memory needs instantly, whereas in the case of the software's memory manager, it has to use the pre-allocated memory pool.
    Note: If we are allocating memory for several variables, then remember that the compiler discards the information about individual variables and will request the whole memory as one bunch, i.e. the sum of all the needed memory bytes in all variables. E.g. if we want a variable to hold an array of 10 bytes, a 2nd variable to hold 15 bytes, and a char type variable, then the compiler will place code that will request the memory manager to allocate 10 + 15 + 1 = 26 bytes.

    The allocated memory can be handled in several ways, and in accordance with these ways of handling or managing the memory pool, we name these memory types, and these are:
    1. Stack or automatic memory
    2. Heap or dynamic memory
    3. Static memory
    The static memory we have already discussed earlier; all that stuff was related to the static memory. Now we'll scrutinize the stack and heap in detail.

    Stack & Heap

    The stack memory is also called automatic because all the management is done automatically
    by the program without any intervention of the developer. The stack grows from higher memory addresses to lower memory addresses, whereas the heap block grows from lower memory addresses to higher memory addresses, towards
    the stack. We can consider the starting ends of heap and stack as the two ends of a strip or line, both growing and tending to reach towards each other. This kind of setup saves the extra amount of memory needed.

    This makes the stack and heap both unidirectional. The following example better explains the theory:

    0x0012ff01 | HEAP growing downwards
    0x0012ff02 |
    0x0012ff03 +
    0x0012ff04
    ..........
    ..........
    ..........
    0x0012ff98 +
    0x0012ff99 |
    0x0012ff9A | Stack growing upwards

    The stack gets hold of the function arguments by default, and the memory addresses and variables. The arguments and variables get pushed and popped, and likewise the stack grows and shrinks. The heap, also known as dynamic memory, gets hold of dynamic object instances in the OOP world. Remember the dynamic object instantiation using the new operator. That operator allocates the required number of bytes for an instance of the respective object in the heap and returns an address. The returned address points to the newly created instance of the object. E.g. the next code will generate a new instance named myInstance of the myClass class:

    myClass *myInstance = new myClass;

    whereas static object instances get their place on the stack. The following code will create a static instance of the class:

    myClass myInstance;

    The important thing I forgot to tell you: as I mentioned the stack is unidirectional, it means the arguments are placed or pushed in a certain order on the top of the stack and are removed or popped in reverse order, or better say LIFO, or Last In First Out. The heap has a somewhat complex structure; the object instances get removed by using the destructor of that very object class and can be removed or manipulated directly through the object instance. I think it's enough for now on stack and heap. The stack and heap need more explanation for the understanding of their working and for developing the attack techniques based on them, but we'll discuss the required matters during the sections containing the respective attack techniques.

    We are starting from cracking techniques. It's a branch of hacking under which a security code is identified and is removed or patched. This will increase the understanding of the software structure and protection mechanisms and the machine code. Then we'll proceed to much more advanced buffer overflows, the "return to libc" attack (this attack is employed on Linux and Unixes, but I modified it in such a way as to use it on Windows; it solves many problems related to shellcode execution), then DLL injection, format strings, XSS, Artificial Life or worm development, encryption and decryption of machine code and program data on the fly during execution, privilege leveraging, etc.
    Now its time to get our hands dirty in security and cracking and patching and securing the code
    practically. Now it’s time to indulge into real action. Let us consider an example of a typical protection
    system employed in most kinds of security mechanisms.

    The stepwise actions are as follows:

    1) The initialization of program or system occurs.
    2) The program or the system then transfers control to the security protection system.
    3) The security system throws a challenge against the user or another program which
    initiated it. The challenge may be in the form of a login userID and password, a file,
    a physical property or object possessed by the user, like smartcard or disk,
    retinal scan, finger prints, voice recognition system, etc.
    4) The user responds to the challenge with his possession of the part of security like userID, password, diskette, file, etc.
    5) The user-supplied credentials undergo a cryptographic change.
    6) The secret security token file, which is a part of security subsystem is obtained into the memory.
    7) The crypt obtained from the user credentials is then matched into the security token file.
    8) If the match is found, then,
    9) Jump to next section where, the necessary tokens are generated and the system execution is started with necessary privileges, according to the generated tokens.
    10) If the match is not found then,
    11) Jump to the section in which the login failed message is thrown to the user, and if necessary, as defined by the programmer, the program passes control to the execution termination code.
    12) The program is terminated.

    It is not necessary that all steps are programmed in the software, but these steps are the average security measures; below them security is rated as poor. Now steps 8, 9 and steps 10, 11 are important for us. Although step 4 is also important: the tracing of the original secret passwords can be done by starting the tracing from step 4.

    Now, we have to consider the jumps at step 9 and step 11. Think about all possibilities
    to crack this security.

    1) If we interchange the jump addresses with each other. Then, the original credentials will be denied and the wrong one will get authenticated as legal ones.
    2) If we search for the address of the string of “login failed” which we have got from .data section then we will land directly into the section which gets control after jump at step 11.
    3) If we change the if condition: its assembly equivalent is test or cmp (depending on the operators used). Change test (hex value 0x85) to xor, which has hex value 0x33. Thus, at the jump after the test condition (the test returns zero or non-zero), the security check will always be passed OK (because xor always zeros out a register if xored with itself), irrespective of the credentials supplied.

    There are also other methods to crack the protection mechanism, which will get clear practically.

    Note: we are compiling the programs' code in Visual C++ 6.0, but it is advised that you compile the code in different compilers and try to analyze the code. All compilers compile the code differently and thus generate different machine code.

    Tools of the Trade or RootKit:

    The toolkit used by hackers is known as the tools of the trade, or also a rootkit. Before indulging in real action we need some software tools. Most hackers use SoftIce, IDA etc. In all advanced protection cracking techniques a minimum of these three tools is essential. Our RootKit is composed of DUMPBIN.EXE, which is available with most of the SDKs like Visual Studio; HHD Hex Editor (any hex editor can be used, but HHD is freely available and is freely licensed to distribute as much as you can); and the debugger in use will be the one included in Visual Studio, i.e. VC++ itself. This debugger is not friendly to code breakers, as it does not provide memory searching tools etc., but it is still of much use.
    The Code Breaking Methods:

    Three methods are basically applied for code analysis. These are:
    1) Static code analysis
    2) Dynamic code analysis
    3) Fusion analysis

    In the static method, the code is not executed; instead its static disassembly and hex dump are analyzed, maybe in the form of text files. This method is pretty useful in analyzing the code of programs which employ anti-debugging techniques. But this method has several limitations: for instance, a search for user-supplied strings cannot
    be done, as the code is not executed or traced, and if the code is encrypted and can be decrypted only during execution, then this technique again cannot be employed.

    In dynamic code analysis, the code is executed under the debugger's control. Breakpoints are employed at suspected instructions or places. The tracing of the protection mechanism is somewhat easier than in the static method.
    But this technique also fails if the developers employ anti-debugging techniques in their code.

    In the third method, fusion analysis, both of the above listed techniques are employed side by side. This technique is useful in analyzing code which employs every kind of protection of the code itself, like checksum calculation, encryption, and anti-debugging techniques, with the help of a hex editor.
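Added example, not from the tutorial: the twelve-step protection flow described in the post above, written as one C++ program. The "secret security token file" (step 6) is a constructed in-memory list of salted digests; step 5 uses a 64-bit FNV-1a hash only so that the example is self-contained (a real system uses a password KDF such as bcrypt, scrypt or Argon2, never a plain hash); step 7 compares digests without an early exit. The enum, struct and function names, the two sample users and their passwords are all this example's own.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Outcome of the protection check: one value, decided in one place (step 8).
enum LoginResult { LOGIN_GRANTED, LOGIN_DENIED };

// One record of the "secret security token file" (step 6). Constructed in memory for the example.
struct TokenRecord {
    std::string user;
    uint64_t salt;
    uint64_t digest;   // toy_digest(password, salt); the password itself is never stored
};

// Step 5, the "cryptographic change": FNV-1a over salt || password. Stand-in for a real KDF.
uint64_t toy_digest(const std::string& password, uint64_t salt) {
    uint64_t h = 14695981039346656037ULL;
    for (int i = 0; i < 8; ++i) { h ^= (salt >> (8 * i)) & 0xFF; h *= 1099511628211ULL; }
    for (size_t i = 0; i < password.size(); ++i) { h ^= (unsigned char)password[i]; h *= 1099511628211ULL; }
    return h;
}

// Step 7: compare every byte, no early return, so timing does not reveal how many bytes matched.
bool constant_time_equal(uint64_t a, uint64_t b) {
    const uint64_t diff = a ^ b;
    unsigned char acc = 0;
    for (int i = 0; i < 8; ++i) acc |= (unsigned char)((diff >> (8 * i)) & 0xFF);
    return acc == 0;
}

// Steps 3 to 8 in one function; the caller acts on the returned value (steps 9, 11, 12).
LoginResult check_login(const std::vector<TokenRecord>& token_file, const std::string& user, const std::string& password) {
    const TokenRecord* rec = 0;
    for (size_t i = 0; i < token_file.size(); ++i)
        if (token_file[i].user == user) rec = &token_file[i];
    // An unknown user still goes through the digest with a dummy salt, so "no such user"
    // takes the same path and time as "wrong password".
    const uint64_t salt = rec ? rec->salt : 0x5A5A5A5A5A5A5A5AULL;
    const uint64_t supplied = toy_digest(password, salt);
    bool match = rec != 0;
    match = constant_time_equal(supplied, rec ? rec->digest : ~supplied) && match;
    return match ? LOGIN_GRANTED : LOGIN_DENIED;
}

// Constructed token file: two users enrolled with toy_digest (sample salts and passwords are made up).
std::vector<TokenRecord> sample_token_file() {
    std::vector<TokenRecord> f;
    TokenRecord a = { "vinnu", 0x0123456789ABCDEFULL, 0 }; a.digest = toy_digest("JaiDeva!!!", a.salt); f.push_back(a);
    TokenRecord b = { "neo",   0xFEDCBA9876543210ULL, 0 }; b.digest = toy_digest("matrix", b.salt);     f.push_back(b);
    return f;
}

int main() {
    std::vector<TokenRecord> tokens = sample_token_file();          // steps 1, 2, 6
    std::string user, password;
    std::cout << "user: ";     std::getline(std::cin, user);         // steps 3, 4: the challenge and response
    std::cout << "password: "; std::getline(std::cin, password);
    if (check_login(tokens, user, password) == LOGIN_GRANTED) {      // step 8
        std::cout << "login ok, continuing with user privileges\n";  // step 9
        return 0;
    }
    std::cout << "login failed\n";                                   // step 11
    return 1;                                                        // step 12
}
```

The whole decision still collapses to the one comparison in check_login, which is exactly the spot the patching methods listed above go after; what this layout does give the defender is a single place to audit, a stored digest instead of a stored password, and a compare that behaves the same for a wrong password and an unknown user.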

  5. #5
    This was a small preview of vinnu bro's book Access Denied: A Guide for Code Breakers. This book is wonderful for people wanting to learn code breaking and cracking. The prerequisite is knowledge of VC++. Below is the download link of the book. I have uploaded it to my SkyDrive so that it doesn't get removed in future! So friends, enjoy the book. It's password protected, but just unzip it and open the doc. Select the read-only option when a box pops up.

    http://cid-dca018b0abc58bcb.skydrive...d.rar?lc=16393

  6. #6
    Damn so much to READ and So less time...
    Orkut id: neo1981
    Blog: infosec-neo.blogspot.com
    Nothing is Impossible*


    *Conditions Apply

  8. #8
    Excellent info bro Great share

  9. #9
    ThanQ guys..duty to share

  10. #10
    Thanks for this great share
