Friday, February 28, 2014

List of available file types with the corresponding value of the file_type variable:

People have asked me several times what file types there are and how many are available.
Actually I had come across only a few, such as EXE and DLL files, and a few others like image files, video files, etc. So I once asked my friend, who has good knowledge of most file types since he is a virus researcher. He told me, "go to VirusTotal, you will find how many", so I want to share those details here:


File type                                 Value of file_type
Win32 EXE                                 executable windows win32 pe peexe
Win32 DLL                                 executable windows win32 pe pedll
Windows Installer                         installer windows msi
Win16 EXE                                 executable windows win16 ne neexe
Win16 DLL                                 executable windows win16 ne nedll
DOS EXE                                   executable dos mz
DOS COM                                   executable dos com
COFF                                      executable coff
ELF                                       executable linux elf
Linux kernel                              linux
Linux RPM package                         linux rpm
Linux                                     linux
Mach-O                                    executable mac macho
Java Bytecode                             executable java-bytecode
Windows shortcut                          windows lnk
HTML                                      internet html
XML                                       internet xml
Flash                                     internet flash
FLA                                       multimedia video fla
IE cookie                                 internet iecookie
BitTorrent link                           internet bittorrent
Email                                     internet email
JPEG                                      multimedia image jpeg jpg
TIFF                                      multimedia image tiff
GIF                                       multimedia image gif
PNG                                       multimedia image png
BMP                                       multimedia image bmp
GIMP                                      multimedia image gimp
Adobe InDesign                            multimedia image indesign
Adobe Photoshop                           multimedia image photoshop psd
Targa                                     multimedia image targa
XWS                                       multimedia image xwd
DIB                                       multimedia image dib
JNG                                       multimedia image jng
ICO                                       multimedia image ico
FlashPix                                  multimedia image fpx
EPS                                       multimedia image eps
SVG                                       multimedia image svg
Windows Enhanced Metafile                 multimedia image emf
OGG                                       multimedia video ogg
FLC                                       multimedia animation flc
FLI                                       multimedia animation fli
MP3                                       multimedia audio mp3
FLAC                                      multimedia audio flac
WAV                                       multimedia audio wav
MIDI                                      multimedia audio midi
AVI                                       multimedia video avi
MPEG                                      multimedia video mpeg
QuickTime                                 multimedia video quicktime qt
ASF                                       multimedia video asf
DivX                                      multimedia video divx
FLV                                       multimedia video flv
WMA                                       multimedia audio wma
WMV                                       multimedia video wmv
RealMedia                                 multimedia video realmedia rm
MOV                                       multimedia video mov
MP4                                       multimedia audio mp4
3GP                                       multimedia video 3gp
Network capture                           internet cap
PDF                                       document pdf
PostScript                                document ps postscript
MS Word Document                          document msoffice text word doc
Office Open XML Document                  document msoffice text word docx
MS PowerPoint Presentation                document msoffice presentation powerpoint ppt
Office Open XML Presentation              document msoffice presentation powerpoint pptx
MS Excel Spreadsheet                      document msoffice spreadsheet excel xls
Office Open XML Spreadsheet               document msoffice spreadsheet excel xlsx
Rich Text Format                          document msoffice text word rtf
OpenOffice Presentation                   document openoffice presentation odp
OpenOffice Spreadsheet                    document openoffice spreadsheet ods
OpenOffice Document                       document openoffice text odt
Hangul (Korean) Word Processor document   document hangul text hwp
Samsung document                          document samsungdoc text gul
E-book                                    document ebook
LaTeX                                     document latex
TrueType Font                             font truetype ttf
ISO image                                 compressed isoimage
ZIP                                       compressed zip
GZIP                                      compressed gzip
BZIP                                      compressed bzip
RZIP                                      compressed rzip
DZIP                                      compressed dzip
7ZIP                                      compressed 7zip
CAB                                       compressed cab
JAR                                       compressed jar
RAR                                       compressed rar
MS Compress                               compressed mscompress
ACE                                       compressed ace
ARC                                       compressed arc
ARJ                                       compressed arj
ASD                                       compressed asd
BlackHole                                 compressed blackhole
KGB                                       compressed kgb
Text                                      text
Script                                    script
PHP                                       source php
Python                                    source python
Perl                                      source perl
Ruby                                      source ruby
C                                         source c
C++                                       source cpp
Java                                      source java
Shell script                              script shell
Pascal                                    source pascal
AWK                                       source awk
Dyalog                                    source dyalog
Fortran                                   source fortran
Apple related                             apple apple-gen
Macintosh related                         apple macintosh mac macintosh-gen
AppleSingle Format                        apple applesingle
AppleDouble Format                        apple appledouble
Macintosh HFS                             apple macintosh mac machfs
Apple Plist                               apple appleplist
Macintosh Library                         apple mac maclib
Symbian                                   executable mobile symbian
PalmOS                                    executable mobile palmos
WinCE                                     executable mobile wince
Android                                   executable mobile android
iPhone                                    executable mobile iphone
Source: VirusTotal


Wednesday, February 26, 2014

GetSystemTimeAsFileTime

0041E506   |.  50                            PUSH EAX                                                     ; /pFileTime = BB40E64E
0041E507   |.  FF15 B8204300                 CALL DWORD PTR DS:[<&KERNEL32.GetSystemTimeAsFileTime>]      ; \GetSystemTimeAsFileTime
0041E50D   |.  8B45 F8                       MOV EAX,[LOCAL.2]                                            ;  kernel32.7C817064
0041E510   |.  3345 F4                       XOR EAX,[LOCAL.3]                                            ;  ntdll.7C90DC9C
0041E513   |.  8945 FC                       MOV [LOCAL.1],EAX
0041E516   |.  FF15 14214300                 CALL DWORD PTR DS:[<&KERNEL32.GetCurrentThreadId>]           ; [GetCurrentThreadId
0041E51C   |.  3145 FC                       XOR [LOCAL.1],EAX
0041E51F   |.  FF15 4C204300                 CALL DWORD PTR DS:[<&KERNEL32.GetCurrentProcessId>]          ; [GetCurrentProcessId
0041E525   |.  3145 FC                       XOR [LOCAL.1],EAX
0041E528   |.  8D45 EC                       LEA EAX,[LOCAL.5]
0041E52B   |.  50                            PUSH EAX                                                     ; /pPerformanceCount = BB40E64E
0041E52C   |.  FF15 34214300                 CALL DWORD PTR DS:[<&KERNEL32.QueryPerformanceCounter>]      ; \QueryPerformanceCounter

Tuesday, February 25, 2014

Useful Antivirus Terms (Technical Words)


  • A trojan is a type of malware which poses as legitimate software but once installed performs malicious actions.

  • Phishing is the act of attempting to obtain authentication information, credit card details or other personal account information by masquerading as a trustworthy entity (such as a bank). The URL or website is marked as containing phishing content by a trusted external source (such as Google Safe Browsing or PhishTank).

  • A worm is a type of malware which replicates itself in order to spread to other computers. It usually attempts to spread via a network system and normally does not corrupt or modify files on an infected system.

  • A backdoor is a type of malware which bypasses normal authentication and allows illegal access to a computer. It may be used to obtain personal information and to control the computer system remotely.

A Post Virut- Computer Virus

Virut is a polymorphic file-infecting virus that aggressively infects most EXE files and screen saver files on the system. In addition to infecting executables, Virut will also infect most HTML-based files on the system.


Signs of Virut:

• Windows desktop wallpaper and screen saver settings get altered by themselves
• Internet connection becomes very slow, and the browser and PC performance become sluggish
• BSOD errors due to corrupted system files
• Browser hijack and search hijack
• Virut processes in Windows lead to error beep sounds

Note: Sometimes the Windows firewall gets totally disabled and the hosts file gets overwritten.

(The hosts file is located in C:\Windows\System32\drivers\etc)


Usually the hosts file looks like this:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

This is an example of a non-malicious hosts file.
The following is a Virut-infected hosts file:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       **.*****.pl
<some ip> <random domain name>

It simply appends entries in this way.


This virus can also block a list of antivirus websites to prevent antivirus software from updating:

• avira
• avast
• eset
• ahnlab
• centralcommand
• drweb
• grisoft
• nod32
• f-prot
• jotti
• kaspersky
• f-secure
• computerassociates
• networkassociates
• etrust
• panda
• sophos
• trendmicro
• mcafee
• norton
• symantec
• defender
• rootkit
• malware
• spyware
• avg
• windowsupdate
• wilderssecurity
• threatexpert
• castlecops
• spamhaus
• cpsecure
• arcabit
• emsisoft
• sunbelt
• securecomputing
• rising
• prevx
• pctools
• norman
• k7computing
• ikarus
• hauri
• hacksoft
• gdata
• fortinet
• ewido
• clamav
• comodo
• quickheal
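The hosts-file tampering and the blocked antivirus list above are easy to check for. The following is an added example, not from the original post: a small Python scanner that reads a hosts file and flags entries whose hostname matches one of the keywords listed above, plus any other mapping a stock hosts file would not contain. The sample hosts content, the .pl name and the 203.0.113.7 address are constructed.

```python
import ipaddress

# Keywords the post lists as sites Virut blocks (copied from the list above).
AV_KEYWORDS = (
    "avira", "avast", "eset", "ahnlab", "centralcommand", "drweb", "grisoft",
    "nod32", "f-prot", "jotti", "kaspersky", "f-secure", "computerassociates",
    "networkassociates", "etrust", "panda", "sophos", "trendmicro", "mcafee",
    "norton", "symantec", "defender", "rootkit", "malware", "spyware", "avg",
    "windowsupdate", "wilderssecurity", "threatexpert", "castlecops",
    "spamhaus", "cpsecure", "arcabit", "emsisoft", "sunbelt",
    "securecomputing", "rising", "prevx", "pctools", "norman", "k7computing",
    "ikarus", "hauri", "hacksoft", "gdata", "fortinet", "ewido", "clamav",
    "comodo", "quickheal",
)

# Constructed sample: a stock hosts file with three appended lines of the
# kind the post describes (the .pl name and 203.0.113.7 are made up).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# (stock comment header shortened)

127.0.0.1       localhost
::1             localhost
127.0.0.1       www.avast.com               # update site pinned to loopback
127.0.0.1       liveupdate.symantec.com
203.0.113.7     zzz.constructed-example.pl  # stand-in for <some ip> <random domain>
"""


def parse_hosts(text):
    """Return (line_no, ip, fields) for every non-comment, non-blank line.
    ip is None when the first field is not an IP address, so a mangled
    line is reported instead of silently dropped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            continue
        fields = body.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            ip = None
        entries.append((no, ip, fields))
    return entries


def suspicious_entries(text):
    """A pristine Windows hosts file maps only localhost to 127.0.0.1/::1,
    so every other mapping gets a (line_no, ip, hostname, reason) tuple."""
    findings = []
    for no, ip, fields in parse_hosts(text):
        if ip is None:
            findings.append((no, None, fields[0], "malformed line"))
            continue
        loopback = ipaddress.ip_address(ip).is_loopback
        for name in fields[1:]:
            low = name.lower()
            if low == "localhost" and loopback:
                continue                        # the one expected entry
            hits = [k for k in AV_KEYWORDS if k in low]
            if hits:
                reason = "antivirus/update site redirected (%s)" % ", ".join(hits)
            elif loopback:
                reason = "hostname sinkholed to loopback"
            else:
                reason = "unexpected static mapping"
            findings.append((no, ip, name, reason))
    return findings


if __name__ == "__main__":
    for no, ip, host, reason in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s: %s" % (no, host, ip, reason))
```

On a real machine, read C:\Windows\System32\drivers\etc\hosts into `text` instead of the constructed sample; the keyword match is a substring match, so widen the list to match your own update infrastructure.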


Post by
newWorld

Monday, February 24, 2014

VB- Api Usage

'VA: 402F14
Private Declare Function EnumResourceNames Lib "kernel32" Alias "EnumResourceNamesA" (ByVal hModule As Long, ByVal lpType As String, ByVal lpEnumFunc As Long, ByVal lParam As Long) As Long
'VA: 402EC8
Private Declare Function BroadcastSystemMessage Lib "user32" Alias "BroadcastSystemMessage" (ByVal dw As Long, pdw As Long, ByVal un As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
'VA: 402E6C
Private Declare Sub CloseEventLog Lib "kernel32"()
'VA: 402E24
Private Declare Sub GlobalMemoryStatus Lib "kernel32" Alias "GlobalMemoryStatus" (lpBuffer As MEMORYSTATUS)
'VA: 402DD8
Private Declare Function CreateDirectory Lib "kernel32" Alias "CreateDirectoryA" (ByVal lpPathName As String, lpSecurityAttributes As SECURITY_ATTRIBUTES) As Long
'VA: 402D8C
Private Declare Function GetLogicalDrives Lib "kernel32" Alias "GetLogicalDrives" () As Long
'VA: 402D40
Private Declare Function SetMapMode Lib "gdi32" Alias "SetMapMode" (ByVal hdc As Long, ByVal nMapMode As Long) As Long
'VA: 402CFC
Private Declare Function IsValidSid Lib "advapi32.dll" Alias "IsValidSid" (pSid As Any) As Long
'VA: 402CA4
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
'VA: 402C5C
Private Declare Sub FatalExit Lib "kernel32" Alias "FatalExit" (ByVal code As Long)
'VA: 402C18
Private Declare Sub IsWow64Process Lib "kernel32"()
'VA: 402BC4
Private Declare Function Escape Lib "gdi32" Alias "Escape" (ByVal hdc As Long, ByVal nEscape As Long, ByVal nCount As Long, ByVal lpInData As String, lpOutData As Any) As Long
'VA: 402B84
Private Declare Function CreateMutex Lib "kernel32" Alias "CreateMutexA" (lpMutexAttributes As SECURITY_ATTRIBUTES, ByVal bInitialOwner As Long, ByVal lpName As String) As Long
'VA: 402B3C
Private Declare Function GetPriorityClass Lib "kernel32" Alias "GetPriorityClass" (ByVal hProcess As Long) As Long
'VA: 402AF0
Private Declare Function VirtualProtect Lib "kernel32" Alias "VirtualProtect" (lpAddress As Any, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
'VA: 402AA8
Private Declare Function GetPrivateProfileString Lib "kernel32" Alias "GetPrivateProfileStringA" (ByVal lpApplicationName As String, ByVal lpKeyName As Any, ByVal lpDefault As String, ByVal lpReturnedString As String, ByVal nSize As Long, ByVal lpFileName As String) As Long
'VA: 402A54
Private Declare Sub SetLastError Lib "kernel32" Alias "SetLastError" (ByVal dwErrCode As Long)
'VA: 4029F0
Private Declare Function GetArcDirection Lib "gdi32" Alias "GetArcDirection" (ByVal hdc As Long) As Long
'VA: 4029A8
Private Declare Function Rectangle Lib "gdi32" Alias "Rectangle" (ByVal hdc As Long, ByVal X1 As Long, ByVal Y1 As Long, ByVal X2 As Long, ByVal Y2 As Long) As Long
'VA: 402958
Private Declare Sub ClearEventLogA Lib "kernel32"()

Begin VB.Form Bruce

VERSION 5.00
Begin VB.Form Bruce
  Caption = "Interple famp"
  ScaleMode = 1
  AutoRedraw = False
  FontTransparent = True
  'Icon = n/a
  ClientLeft = 553
  ClientTop = 7205
  ClientWidth = -22416
  ClientHeight = -25091
  StartUpPosition = 3 'Windows Default
  Begin HScrollBar cruentous
    Left = 3156
    Top = 1702
    Width = 3143
    Height = 1217
    TabIndex = 0
  End
End

Attribute VB_Name = "Bruce"

Private sub- VB

Private sub Proc_4_0_408C04
  loc_00408C04: push ebp
  loc_00408C05: mov ebp, esp
  loc_00408C07: sub esp, 0000000Ch
  loc_00408C0A: push 004011B6h ; MSVBVM60.DLL.__vbaExceptHandler
  loc_00408C0F: mov eax, fs:[00h]
  loc_00408C15: push eax
  loc_00408C16: mov fs:[00000000h], esp
  loc_00408C1D: push 00000028h
  loc_00408C1F: pop eax
  loc_00408C20: call 004011B0h ; MSVBVM60.DLL.__vbaChkstk
  loc_00408C25: push ebx
  loc_00408C26: push esi
  loc_00408C27: push edi
  loc_00408C28: mov var_C, esp
  loc_00408C2B: mov var_8, 00401100h
  loc_00408C32: mov eax, arg_8
  loc_00408C35: and eax, 00000001h
  loc_00408C38: mov var_4, eax
  loc_00408C3B: mov eax, arg_8
  loc_00408C3E: and al, FEh
  loc_00408C40: mov arg_8, eax
  loc_00408C43: mov eax, arg_8
  loc_00408C46: mov eax, [eax]
  loc_00408C48: push arg_8
  loc_00408C4B: call [eax+04h]
  loc_00408C4E: push 00000000h
  loc_00408C50: push FFFFFFFFh
  loc_00408C52: push 00000001h
  loc_00408C54: push 00402860h
  loc_00408C59: push 00402858h
  loc_00408C5E: push 00402850h
  loc_00408C63: call 00401288h ; Replace(arg_1, arg_2, arg_3, arg_4, arg_5, arg_6)
  loc_00408C68: mov edx, eax
  loc_00408C6A: lea ecx, var_20
  loc_00408C6D: call 0040128Eh ; MSVBVM60.DLL.__vbaStrMove
  loc_00408C72: mov var_18, 00000001h
  loc_00408C79: push 00000001h
  loc_00408C7B: push 00402868h ; "DLILX"
  loc_00408C80: call 00401282h ; Right$(arg_1, arg_2)
  loc_00408C85: mov edx, eax
  loc_00408C87: lea ecx, var_1C
  loc_00408C8A: call 0040128Eh ; MSVBVM60.DLL.__vbaStrMove
  loc_00408C8F: cmp [00411024h], 00000000h
  loc_00408C96: jnz 408CB0h
  loc_00408C98: push 00411024h
  loc_00408C9D: push 004019D8h
  loc_00408CA2: call 0040127Ch ; MSVBVM60.DLL.__vbaNew2
  loc_00408CA7: mov var_38, 00411024h
  loc_00408CAE: jmp 408CB7h
  loc_00408CB0: mov var_38, 00411024h
  loc_00408CB7: mov eax, var_38
  loc_00408CBA: mov eax, [eax]
  loc_00408CBC: mov var_28, eax
  loc_00408CBF: push 00402878h ; "Medallary"
  loc_00408CC4: push 00402890h ; "Pellard"
  loc_00408CC9: call 00401276h ; &
  loc_00408CCE: mov edx, eax
  loc_00408CD0: lea ecx, var_24
  loc_00408CD3: call 0040128Eh ; MSVBVM60.DLL.__vbaStrMove
  loc_00408CD8: push eax
  loc_00408CD9: mov eax, var_28
  loc_00408CDC: mov eax, [eax]
  loc_00408CDE: push var_28
  loc_00408CE1: call [eax+54h]
  loc_00408CE4: fclex
  loc_00408CE6: mov var_2C, eax
  loc_00408CE9: cmp var_2C, 00000000h
  loc_00408CED: jnl 408D06h
  loc_00408CEF: push 00000054h
  loc_00408CF1: push 004027E4h
  loc_00408CF6: push var_28
  loc_00408CF9: push var_2C
  loc_00408CFC: call 00401270h ; MSVBVM60.DLL.__vbaHresultCheckObj
  loc_00408D01: mov var_3C, eax
  loc_00408D04: jmp 408D0Ah
  loc_00408D06: and var_3C, 00000000h
  loc_00408D0A: lea ecx, var_24
  loc_00408D0D: call 0040126Ah ; MSVBVM60.DLL.__vbaFreeStr
  loc_00408D12: mov var_4, 00000000h
  loc_00408D19: push 00408D3Ah
  loc_00408D1E: jmp 408D29h
  loc_00408D20: lea ecx, var_24
  loc_00408D23: call 0040126Ah ; MSVBVM60.DLL.__vbaFreeStr
  loc_00408D28: ret
End Sub

VB- API Usage

'VA: 402EB0
Private Declare Function CreatePatternBrush Lib "gdi32" Alias "CreatePatternBrush" (ByVal hBitmap As Long) As Long
'VA: 402E64
Private Declare Function GetLogicalDrives Lib "kernel32" Alias "GetLogicalDrives" () As Long
'VA: 402E18
Private Declare Function GetArcDirection Lib "gdi32" Alias "GetArcDirection" (ByVal hdc As Long) As Long
'VA: 402DB4
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
'VA: 402D6C
Private Declare Function Pie Lib "gdi32" Alias "Pie" (ByVal hdc As Long, ByVal X1 As Long, ByVal Y1 As Long, ByVal X2 As Long, ByVal Y2 As Long, ByVal X3 As Long, ByVal Y3 As Long, ByVal X4 As Long, ByVal Y4 As Long) As Long
'VA: 402D30
Private Declare Function EnumResourceNames Lib "kernel32" Alias "EnumResourceNamesA" (ByVal hModule As Long, ByVal lpType As String, ByVal lpEnumFunc As Long, ByVal lParam As Long) As Long
'VA: 402CE4
Private Declare Function VirtualProtect Lib "kernel32" Alias "VirtualProtect" (lpAddress As Any, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
'VA: 402C9C
Private Declare Function CreateFontIndirect Lib "gdi32" Alias "CreateFontIndirectA" (lpLogFont As LOGFONT) As Long
'VA: 402C50
Private Declare Function RemoveFontResource Lib "gdi32" Alias "RemoveFontResourceA" (ByVal lpFileName As String) As Long
'VA: 402BE4
Private Declare Function GetSystemPaletteEntries Lib "gdi32" Alias "GetSystemPaletteEntries" (ByVal hdc As Long, ByVal wStartIndex As Long, ByVal wNumEntries As Long, lpPaletteEntries As PALETTEENTRY) As Long
'VA: 402B88
Private Declare Sub InitCommonControls Lib "comctl32"()
'VA: 402B2C
Private Declare Function GetPrivateProfileString Lib "kernel32" Alias "GetPrivateProfileStringA" (ByVal lpApplicationName As String, ByVal lpKeyName As Any, ByVal lpDefault As String, ByVal lpReturnedString As String, ByVal nSize As Long, ByVal lpFileName As String) As Long
'VA: 402AD8
Private Declare Function QueryPerformanceCounter Lib "kernel32" Alias "QueryPerformanceCounter" (lpPerformanceCount As LARGE_INTEGER) As Long
'VA: 402A88
Private Declare Function AllocConsole Lib "kernel32" Alias "AllocConsole" () As Long
'VA: 402A28
Private Declare Function ReleaseMutex Lib "kernel32" Alias "ReleaseMutex" (ByVal hMutex As Long) As Long
'VA: 4029E0
Private Declare Sub CloseEventLog Lib "kernel32"()
'VA: 402998
Private Declare Function DeleteFile Lib "kernel32" Alias "DeleteFileA" (ByVal lpFileName As String) As Long
'VA: 402944
Private Declare Function IsValidSid Lib "advapi32.dll" Alias "IsValidSid" (pSid As Any) As Long

A Native VB Code

VERSION 5.00
Begin VB.Form canonicalness
  Caption = "Eromania obtusifo"
  ScaleMode = 1
  AutoRedraw = False
  FontTransparent = True
  Icon = "canonicalness.frx":0
  ClientLeft = 450
  ClientTop = 5893
  ClientWidth = 18788
  ClientHeight = 4754
  StartUpPosition = 3 'Windows Default
  Begin Toolbar Blinky2
    Left = 0
    Top = 0
    Width = 17340
    Height = 630
    TabIndex = 1
  End
  Begin ListView enddamage
    Left = 203
    Top = 1037
    Width = 2359
    Height = 2795
    TabIndex = 0
  End
  Begin Image Angakut1
    Picture = "canonicalness.frx":1083
    Left = 1875
    Top = 3165
    Width = 3960
    Height = 330
  End
End

Attribute VB_Name = "canonicalness"

Sunday, February 23, 2014

Life

Life is precious, but people are wasting their lives trying to impress someone. Great people never waste their lives to impress others. If someone is meant to be impressed by you, it will happen; otherwise it won't.
So, what is the point in wasting our own life to impress others?
* Don't waste your life trying to impress others.

A lifetime and living energy are very precious and valuable. If you really want to use them properly, then you should not think about others' view of you, because it is none of your business to think about others' view of you.
We are living our own life. We brought happiness to our parents and relatives at the time of our birth; we already impressed them. But we need to live our own life and not for others' view.


Buddha's Words On Happiness

A man asked Buddha, "I want happiness."
Buddha replied, "Remove the word 'I', that is ego; then remove the word 'want', that is desire; now see, you are left with 'Happiness'!!!"

So, if our ultimate aim is to live happily and achieve the state of happiness, we must stop desiring and understand what life is. Once we realize these words are true, we must start applying them in our life. Finally, we will reach the state of happiness.



Wednesday, February 12, 2014

Importance Of Sleeping

Sleeping is the best way of meditation; this was said by the Dalai Lama. Sleeping is the best medicine. Yes, it gives rest to your body and mind, so our bio-mechanism starts functioning smarter after we wake up from sleep.

Do scientists sleep?

Yes, they do. The job of a scientist might be tough, always rolling, but they also sleep. The time they take is much less than common people. Great scientists like Edison and Einstein slept very few hours a day. Edison used to take power naps, very short periods of sleep to refresh his body and mind.

Let me illustrate a point about why sleeping is necessary for a scientist:

While working on mysterious problems or complex mechanisms, he thinks in harder ways. The connections in our brain are made by neurons; the impulses carried over them make them more tired, and finally they are unable to resolve it. After a deep sleep or power nap, the neurons get refreshed and make fresh connections. If the scientist works again on the same problem, he will find a good solution this way.
So, sleeping is very important.

This illustration is not just for scientists. It includes all people who are struggling at one point while making a decision or finding the answer to a puzzle; sleeping will help them.


How many hours of sleep are needed?
It varies from person to person. But at a minimum, the human body needs at least 5 hours.

If the person is a bodybuilder or athlete, he needs more than 8 hours in order to give the tissues rest to refresh.


Sleeping is not just one form of meditation; it is the best way of meditation.



What is Motivation? And how it should be?

"The only way to get people to enjoy working is by motivating them. Today, people must understand why they should work hard. Every individual in an organization is motivated by something different" - Rick Pinto

"Management is nothing more than motivating other people" - Lee Iacocca

Motive means move. Motivation means influencing someone to make the move. In other words, it is the process of attempting to influence others to do one's will through the possibility of gain or rewards.

It should create a win-win situation by motivating them to reach the target.

We will see more on this in upcoming posts.



Tuesday, February 4, 2014

Assembler : The Basics In Reversing

I. Pieces, bits and bytes:

• BIT - The smallest possible piece of data. It can be either a 0 or a 1. If you put a bunch of bits together, you end up in the 'binary number system'

i.e. 00000001 = 1       00000010 = 2             00000011 = 3     etc.

• BYTE - A byte consists of 8 bits. It can have a maximal value of 255 (0-255). To make it easier to read binary numbers, we use the 'hexadecimal number system'. It's a 'base-16 system', while binary is a 'base-2 system'.

• WORD - A word is just 2 bytes put together, or 16 bits. A word can have a maximal value of 0FFFFh (or 65535d).

• DOUBLE WORD - A double word is 2 words together, or 32 bits. Max value = 0FFFFFFFFh (or 4294967295d).

• KILOBYTE - 1000 bytes? No, a kilobyte does NOT equal 1000 bytes! Actually, there are 1024 (32*32) bytes.

• MEGABYTE - Again, not just 1 million bytes, but 1024*1024 or 1,048,576 bytes.


---------------------------------------------------------------------------------------------


II. Registers:

Registers are “special places” in your computer's memory where we can store data. You can see a register as a little box, wherein we can store something: a name, a number, a sentence. You can see a register as a placeholder.

On today’s average WinTel CPU you have 9 32bit registers (w/o flag registers). Their names are:

EAX:   Extended Accumulator Register
EBX:   Extended Base Register
ECX:   Extended Counter Register
EDX:   Extended Data Register
ESI:    Extended Source Index
EDI:   Extended Destination Index
EBP:   Extended Base Pointer
ESP:   Extended Stack Pointer
EIP:    Extended Instruction Pointer

Generally the size of the registers is 32bit (=4 bytes). They can hold data from 0-FFFFFFFF (unsigned). In the beginning most registers had certain main functions which the names imply, like ECX = Counter, but in these days you can - nearly - use whichever register you like for a counter or stuff (only the self defined ones, there are counter-functions which need to be used with ECX). The functions of EAX, EBX, ECX, EDX, ESI and EDI will be explained when I explain certain functions that use those registers. So, there are EBP, ESP, EIP left:

EBP:   EBP has mostly to do with stack and stack frames. Nothing you really need to worry about, when you start. ;)

ESP:   ESP points to the stack of a current process. The stack is the place where data can be stored for later use (for more information, see the explanation of the push/pop instructions)

EIP:    EIP always points to the next instruction that is to be executed.


There's one more thing you have to know about registers: although they are all 32 bits large, some parts of them (16 bits or even 8 bits) can be addressed directly.

The possibilities are:

32bit Register      16bit Register      8bit Register
EAX                 AX                  AH/AL
EBX                 BX                  BH/BL
ECX                 CX                  CH/CL
EDX                 DX                  DH/DL
ESI                 SI                  -----
EDI                 DI                  -----
EBP                 BP                  -----
ESP                 SP                  -----
EIP                 IP                  -----

A register looks generally this way:

     |--------------------------- EAX: 32bit (=1 DWORD =4BYTES) -------------------------|

                                               |------- AX: 16bit (=1 WORD =2 BYTES) ----|

                                               |- AH:8bit (=1 BYTE)-|- AL:8bit (=1 BYTE)-|

     |-----------------------------------------|--------------------|--------------------|
     |XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX|XXXXXXXXXXXXXXXXXXXX|XXXXXXXXXXXXXXXXXXXX|
     |-----------------------------------------|--------------------|--------------------|

So, EAX is the name of the 32bit register, AX is the name of the "Low Word" (16bit) of EAX and AL/AH (8bit) are the “names” of the "Low Part" and “High Part” of AX. BTW, 4 bytes is 1 DWORD, 2 bytes is 1 WORD.

REMARK: make sure you at least read the following about registers. It’s quite practical to know it although not that important.

All this makes it possible for us to make a distinction regarding size:

• i. byte-size registers: As the name says, these registers are all exactly 1 byte in size. This does not mean that the whole (32-bit) register is fully loaded with data! Any empty space in a register is just filled with zeroes. These are the byte-sized registers, all 1 byte or 8 bits in size:

  o AL and AH
  o BL and BH
  o CL and CH
  o DL and DH

• ii. word-size registers: Are 1 word (= 2 bytes = 16 bits) in size. A word-sized register is constructed of 2 byte-sized registers. Again, we can divide these regarding their purpose:

  o 1. general purpose registers:

AX (word-sized) = AH + AL -> the '+' does *not* mean 'add them up'. AH and AL exist independently, but together they form AX. This means that if you change AH or AL (or both), AX will change too!

AX -> 'accumulator':         used for mathematical operations, storing strings, ...
BX -> 'base':                used in conjunction with the stack (see later)
CX -> 'counter'
DX -> 'data':                mostly, the remainder of mathematical operations is stored here
DI -> 'destination index':   e.g. a string will be copied to DI
SI -> 'source index':        e.g. a string will be copied from SI

  o 2. index registers:

BP -> 'base pointer':        points to a specified position on the stack (see later)
SP -> 'stack pointer':       points to a specified position on the stack (see later)

  o 3. segment registers:

CS -> 'code segment':        instructions an application has to execute (see later)
DS -> 'data segment':        the data your application needs (see later)
ES -> 'extra segment':       duh! (see later)
SS -> 'stack segment':       here we'll find the stack (see later)

  o 4. special:

IP -> 'instruction pointer': points to the next instruction. Just leave it alone ;)

• iii. Doubleword-size registers:

2 words = 4 bytes = 32 bits. EAX, EBX, ECX, EDX, EDI…

If you find an 'E' in front of a 16-bit register, it means that you are dealing with a 32-bit register. So, AX = 16 bits; EAX = the 32-bit version of AX.


---------------------------------------------------------------------------------------------


III. The flags:

Flags are single bits which indicate the status of something. The flag register on modern 32bit CPUs is 32bit large. There are 32 different flags, but don't worry. You will mostly only need 3 of them in reversing. The Z-Flag, the O-Flag and the C-Flag. For reversing you need to know these flags to understand if a jump is executed or not. This register is in fact a collection of different 1-bit flags. A flag is a sign, just like a green light means: 'ok' and a red one 'not ok'. A flag can only be '0' or '1', meaning 'not set' or 'set'.

• The Z-Flag:
  o The Z-Flag (zero flag) is the most useful flag for cracking. It is used in about 90% of all cases. It can be set (status: 1) or cleared (status: 0) by several opcodes when the last instruction that was performed has 0 as its result. You might wonder why "CMP" (more on this later) could set the zero flag, because it compares something - how can the result of the comparison be 0? The answer to this comes later ;)

• The O-Flag:
  o The O-Flag (overflow flag) is used in about 4% of all cracking attempts. It is set (status: 1) when the last operation changed the highest bit of the register that receives the result of the operation. For example: EAX holds the value 7FFFFFFF. If you now use an operation which increases EAX by 1, the O-Flag would be set, because the operation changed the highest bit of EAX (which is not set in 7FFFFFFF, but set in 80000000 - use calc.exe to convert hexadecimal values to binary values). Another requirement for the O-Flag to be set is that the value of the destination register is neither 0 before the instruction nor after it.

• The C-Flag:
  o The C-Flag (carry flag) is used in about 1% of all cracking attempts. It is set if you add a value to a register so that it gets bigger than FFFFFFFF, or if you subtract a value so that the register value gets smaller than 0.


---------------------------------------------------------------------------------------------


IV. Segments and offsets

A segment is a piece in memory where instructions (CS), data (DS), the stack (SS) or just an extra segment (ES) are stored. Every segment is divided in 'offsets'. In 32-bits applications (Windows 95/98/ME/2000), these offsets are numbered from 00000000 to FFFFFFFF. 65536 pieces of memory thus 65536 memory addresses per segment. The standard notation for segments and offsets is:

SEGMENT                                  :        OFFSET        =       Together, they point to a specific place (address) in memory.

See it like this:

A segment is a page in a book     :        An offset is a specific line at that page.


---------------------------------------------------------------------------------------------


V. The stack:

The stack is a part of memory where you can store different things for later use. See it as a pile of books in a chest where the last one put in is the first one to grab out. Or imagine the stack as a paper basket into which you drop sheets. The basket is the stack and a sheet is a dword at a memory address in the stack segment; the stack pointer (ESP) always holds the address of the last sheet dropped in. Remember the following rule: the last sheet of paper you put on the stack is the first one you'll take out! The command 'push' saves a value (usually the contents of a register) onto the stack. The command 'pop' grabs the last saved value from the stack and puts it into a specific register. On x86 the stack grows downwards: every push lowers ESP, every pop raises it.


---------------------------------------------------------------------------------------------


VI. INSTRUCTIONS (alphabetical)

Please note that all values in the ASM listings shown here (as in a disassembler's output) are *always* hexadecimal.


Most instructions have two operands (like "add EAX, EBX"), but some have one ("not EAX") or even three ("IMUL EAX, EDX, 64"). When an instruction says "DWORD PTR [XXX]", the DWORD (4-byte) value at memory offset [XXX] is meant. Note that the bytes of a value are stored in reverse order in memory (WinTel CPUs use the so-called "Little Endian" format): the dword 00404000 sits in memory as the bytes 00 40 40 00, and 12345678 as 78 56 34 12. The same holds for "WORD PTR [XXX]" (2 bytes) and "BYTE PTR [XXX]" (1 byte).

Most instructions with 2 operands can be used in the following ways (example: add). Note that at most one of the two operands can be a memory location; there is no "add dword ptr [x], dword ptr [y]".

add eax,ebx                        ;; Register, Register
add eax,123                        ;; Register, Value
add eax,dword ptr [404000]         ;; Register, Dword Pointer [value]
add eax,dword ptr [eax]            ;; Register, Dword Pointer [register]
add eax,dword ptr [eax+00404000]   ;; Register, Dword Pointer [register+value]
add dword ptr [404000],eax         ;; Dword Pointer [value], Register
add dword ptr [404000],123         ;; Dword Pointer [value], Value
add dword ptr [eax],eax            ;; Dword Pointer [register], Register
add dword ptr [eax],123            ;; Dword Pointer [register], Value
add dword ptr [eax+404000],eax     ;; Dword Pointer [register+value], Register
add dword ptr [eax+404000],123     ;; Dword Pointer [register+value], Value


---------------------------------------------------------------------------------------------

     ADD (Addition)
     Syntax: ADD destination, source

     The ADD instruction adds a value to a register or a memory address and stores the sum
     in the destination. It can be used in all the operand forms listed above.

     This instruction can set the Z-Flag, the O-Flag and the C-Flag (and some others, which
     are not needed for cracking).

---------------------------------------------------------------------------------------------

     AND (Logical And)
     Syntax: AND destination, source    

     The AND instruction performs a bitwise logical AND on two values and stores the result
     in dest.
     This instruction *will* clear the O-Flag and the C-Flag and can set the Z-Flag.
     To understand AND better, consider these two binary values:

                                    1001010110
                                    0101001101

     If you AND them, the result is 0001000100
     When two 1s stand above each other, the resulting bit is 1; otherwise the resulting
     bit is 0. You can use calc.exe to calculate AND easily.

---------------------------------------------------------------------------------------------

     CALL (Call)
     Syntax: CALL something

     The CALL instruction pushes the address of the instruction that follows the CALL (the
     return address, i.e. the value EIP would have next) onto the stack and then jumps to a
     sub program/procedure. The matching RET pops that address again.

     CALL can be used in the following ways:

     CALL        404000               ;; MOST COMMON: CALL ADDRESS
     CALL        EAX                  ;; CALL REGISTER - IF EAX WERE 404000 IT WOULD BE THE SAME AS THE ONE ABOVE
     CALL        DWORD PTR [EAX]      ;; CALLS THE ADDRESS THAT IS STORED AT [EAX]
     CALL        DWORD PTR [EAX+5]    ;; CALLS THE ADDRESS THAT IS STORED AT [EAX+5]

---------------------------------------------------------------------------------------------

     CDQ (Convert DWord (4 Byte) to QWord (8 Byte))
     Syntax: CDQ

     CDQ is an instruction that always confuses newbies when it appears for the first time.
     It is mostly used in front of signed divisions (IDIV) and does nothing else than
     sign-extend EAX into EDX:EAX, i.e. set every bit of EDX to the value of the highest bit
     of EAX. (That is: if EAX < 80000000, then EDX will be 00000000; if EAX >= 80000000,
     EDX will be FFFFFFFF.) In front of an unsigned division you will see "XOR EDX,EDX"
     instead.

---------------------------------------------------------------------------------------------

     CMP (Compare)
     Syntax: CMP dest, source

     The CMP instruction compares two things and sets the C/O/Z (and S) flags accordingly.
     It works exactly like SUB dest, source, except that the result of the subtraction is
     thrown away and only the flags are kept. That is the answer to the question from the
     flags section: comparing two equal values "has 0 as result" and therefore sets the
     Z-Flag.

     CMP         EAX, EBX             ;; compares eax and ebx and sets z-flag if they are equal
     CMP         EAX,[404000]         ;; compares eax with the dword at 404000
     CMP         [404000],EAX         ;; compares the dword at 404000 with eax

---------------------------------------------------------------------------------------------

     DEC (Decrement)
     Syntax: DEC something

     dec is used to decrease a value by one (that is: value=value-1)

     dec can be used in the following ways:
     dec eax                          ;; decrease eax
     dec [eax]                        ;; decrease the dword that is stored at [eax]
     dec [401000]                     ;; decrease the dword that is stored at [401000]
     dec [eax+401000]                 ;; decrease the dword that is stored at [eax+401000]

     The dec instruction can set the Z/O flags (and the S flag) depending on the result.
     Unlike SUB, it never changes the C-Flag.
   
---------------------------------------------------------------------------------------------

     DIV (Division)
     Syntax: DIV divisor

     DIV is used to divide EDX:EAX by divisor (unsigned division). The dividend is always
     the 64-bit pair EDX:EAX (EDX holds the high dword), the quotient is stored in EAX and
     the remainder (modulo value) in EDX. That is why EDX is normally zeroed with
     "XOR EDX,EDX" right before a DIV.

     An example:
     xor edx,edx                      ;; EDX = 0, the high half of the dividend
     mov eax,64                       ;; EAX = 64h = 100
     mov ecx,9                        ;; ECX = 9
     div ecx                          ;; DIVIDE EDX:EAX BY ECX

     After the division EAX = 100/9 = 0B and EDX = 100 MOD 9 = 1

     The flags (C/O/Z and the others) are undefined after a DIV; do not rely on them. If the
     divisor is 0, or the quotient does not fit into EAX (a leftover value in EDX is the
     usual cause), the CPU raises a divide error exception.

---------------------------------------------------------------------------------------------

     IDIV (Integer Division)
     Syntax: IDIV divisor

     IDIV works in the same way as DIV, but IDIV is a signed division: EDX:EAX is divided by
     divisor, the quotient goes to EAX and the remainder to EDX (the remainder takes the
     sign of the dividend). Because the dividend is EDX:EAX, a CDQ normally precedes IDIV to
     sign-extend EAX into EDX. The flags are undefined after an IDIV, and, as with DIV, a
     divisor of 0 or a quotient that does not fit into EAX (e.g. 80000000 divided by
     FFFFFFFF, i.e. -2147483648 / -1) raises a divide error.
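The following is an added example, not code from the original tutorial: a small Python model of CDQ, DIV and IDIV that shows why the EDX half of the dividend matters and what happens when it is stale. The function and exception names (cdq, div, idiv, signed_divide, DivideError, safe) are this example's own; the register values are constructed for the demo.

```python
# Added example, not part of the original tutorial: a model of CDQ, DIV and
# IDIV on a 32-bit x86. Both divisions use the 64-bit dividend EDX:EAX, which
# is why "cdq" (signed) or "xor edx,edx" (unsigned) normally precedes them.
# Function and exception names (cdq, div, idiv, signed_divide, DivideError,
# safe) are this example's own.

MASK32 = 0xFFFFFFFF


def to_signed(v, bits=32):
    """Interpret a bits-wide pattern as a signed two's-complement value."""
    v &= (1 << bits) - 1
    return v - (1 << bits) if v & (1 << (bits - 1)) else v


def cdq(eax):
    """CDQ: returns the EDX that sign-extends EAX (00000000 or FFFFFFFF)."""
    return 0xFFFFFFFF if eax & 0x80000000 else 0


class DivideError(Exception):
    """Stands in for the CPU's #DE exception (divide by zero or quotient too large)."""


def div(edx, eax, divisor):
    """Unsigned DIV r/m32: returns (EAX, EDX) = (EDX:EAX / divisor, EDX:EAX mod divisor)."""
    if divisor == 0:
        raise DivideError('division by zero')
    dividend = (edx << 32) | eax
    q, r = divmod(dividend, divisor)
    if q > MASK32:
        raise DivideError('quotient does not fit in EAX')
    return q, r


def idiv(edx, eax, divisor):
    """Signed IDIV r/m32: quotient truncates toward zero, remainder takes the
    sign of the dividend. Returns (EAX, EDX) as 32-bit patterns."""
    d = to_signed(divisor)
    if d == 0:
        raise DivideError('division by zero')
    dividend = to_signed((edx << 32) | eax, 64)
    q = abs(dividend) // abs(d)            # Python's // rounds down, x86 rounds toward 0
    if (dividend < 0) != (d < 0):
        q = -q
    r = dividend - q * d
    if not -0x80000000 <= q <= 0x7FFFFFFF:
        raise DivideError('quotient does not fit in EAX')
    return q & MASK32, r & MASK32


def signed_divide(eax, ecx):
    """The idiom seen in compiled code:  cdq / idiv ecx."""
    return idiv(cdq(eax), eax, ecx)


def safe(fn, *args):
    """Run a division and return '#DE' instead of raising, for demonstration."""
    try:
        return fn(*args)
    except DivideError:
        return '#DE'


if __name__ == '__main__':
    print(div(0, 0x64, 9))                  # the tutorial's example: EAX=0B, EDX=1
    print(signed_divide(0xFFFFFFF9, 2))     # -7 / 2 -> EAX=FFFFFFFD (-3), EDX=FFFFFFFF (-1)
    # Forgetting CDQ: EDX is still 0, so IDIV sees the huge positive dividend
    # 00000000FFFFFFF9 and the quotient no longer fits into EAX.
    print(safe(idiv, 0, 0xFFFFFFF9, 1))
    # The classic signed overflow: 80000000 / FFFFFFFF = -2147483648 / -1.
    print(safe(idiv, cdq(0x80000000), 0x80000000, 0xFFFFFFFF))
```

The two '#DE' cases are the ones worth recognising in a disassembly: a missing CDQ (or XOR EDX,EDX) before a division, and an untrusted divisor of -1 against the most negative dividend, both of which crash the program with a divide error rather than returning a wrong number.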

---------------------------------------------------------------------------------------------

     IMUL (Integer Multiplication)
     Syntax:    IMUL value
                   IMUL dest,value,value
                   IMUL dest,value

     IMUL either multiplies EAX by value and stores the 64-bit product in EDX:EAX (IMUL
     value), multiplies two values and puts the product into a destination register (IMUL
     dest, value, value), or multiplies a register by a value and keeps the product in that
     register (IMUL dest, value). All three forms are signed multiplications.

     If the signed product is too big to fit into the destination register, the O/C flags
     are set. The Z flag is left undefined by IMUL, so do not rely on it.

---------------------------------------------------------------------------------------------

     INC (Increment)
     Syntax: INC register

     INC is the opposite of the DEC instruction; it increases a value by 1.
     INC can set the Z/O (and S) flags; like DEC, it never changes the C-Flag.


---------------------------------------------------------------------------------------------

     INT
     Syntax: INT dest

     Generates a call to an interrupt handler. The dest value must be an integer (e.g.,
     INT 21h). INT3 and INTO are interrupt calls that take no parameters but call the
     handlers for interrupts 3 and 4, respectively. INT3 (the single byte CC) is what a
     debugger writes over the original byte to place a software breakpoint, which is why
     you will run into it so often when reversing.

---------------------------------------------------------------------------------------------

     JUMPS
     These are the most important jumps and the condition that needs to be met, so that
     they'll be executed (Important jumps are marked with * and very important with **):

JA*     -  Jump if (unsigned) above                 -  CF=0 and ZF=0
JAE     -  Jump if (unsigned) above or equal        -  CF=0
JB*     -  Jump if (unsigned) below                 -  CF=1
JBE     -  Jump if (unsigned) below or equal        -  CF=1 or ZF=1
JC      -  Jump if carry flag set                   -  CF=1
JCXZ    -  Jump if CX is 0                          -  CX=0
JE**    -  Jump if equal                            -  ZF=1
JECXZ   -  Jump if ECX is 0                         -  ECX=0
JG*     -  Jump if (signed) greater                 -  ZF=0 and SF=OF (SF = Sign Flag)
JGE*    -  Jump if (signed) greater or equal        -  SF=OF
JL*     -  Jump if (signed) less                    -  SF!=OF (!= means "not equal")
JLE*    -  Jump if (signed) less or equal           -  ZF=1 or SF!=OF
JMP**   -  Jump                                     -  Jumps always
JNA     -  Jump if (unsigned) not above             -  CF=1 or ZF=1
JNAE    -  Jump if (unsigned) not above or equal    -  CF=1
JNB     -  Jump if (unsigned) not below             -  CF=0
JNBE    -  Jump if (unsigned) not below or equal    -  CF=0 and ZF=0
JNC     -  Jump if carry flag not set               -  CF=0
JNE**   -  Jump if not equal                        -  ZF=0
JNG     -  Jump if (signed) not greater             -  ZF=1 or SF!=OF
JNGE    -  Jump if (signed) not greater or equal    -  SF!=OF
JNL     -  Jump if (signed) not less                -  SF=OF
JNLE    -  Jump if (signed) not less or equal       -  ZF=0 and SF=OF
JNO     -  Jump if overflow flag not set            -  OF=0
JNP     -  Jump if parity flag not set              -  PF=0
JNS     -  Jump if sign flag not set                -  SF=0
JNZ     -  Jump if not zero                         -  ZF=0
JO      -  Jump if overflow flag is set             -  OF=1
JP      -  Jump if parity flag set                  -  PF=1
JPE     -  Jump if parity even                      -  PF=1
JPO     -  Jump if parity odd                       -  PF=0
JS      -  Jump if sign flag is set                 -  SF=1
JZ      -  Jump if zero                             -  ZF=1

The (unsigned) and (signed) jumps read different flags, so after the same CMP a JA and a JG
can disagree: FFFFFFFF is above 1 when read unsigned, but as -1 it is less than 1 when read
signed. Many of the mnemonics above are aliases for the same opcode, which a disassembler
shows under only one name: JE=JZ, JNE=JNZ, JB=JC=JNAE, JAE=JNB=JNC, JA=JNBE, JBE=JNA,
JL=JNGE, JGE=JNL, JG=JNLE, JLE=JNG, JP=JPE, JNP=JPO.
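The following is an added example, not code from the original tutorial. It models the Z/S/C/O flags as set by ADD, SUB, CMP and the logical instructions (the flags section and the CMP entry above) and the conditions from the jump table, so you can see for yourself which jump a given CMP takes. The function names (alu, jump_taken, compare_and_branch) and the JUMPS table are this example's own; the register values are constructed for the demo.

```python
# Added example, not part of the original tutorial: a minimal model of how a
# 32-bit x86 CPU sets ZF/SF/CF/OF after ADD, SUB, CMP, AND, OR, XOR and TEST,
# and how the conditional jumps in the table above read those flags.
# Flag and mnemonic names follow the tutorial; the function names (alu,
# jump_taken, compare_and_branch) are this example's own.

MASK32 = 0xFFFFFFFF


def to_signed(v):
    """Interpret a 32-bit pattern as a signed two's-complement value."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def alu(op, dest, src):
    """Run one two-operand instruction on 32-bit values.

    Returns (new value of dest, flags). CMP is SUB that discards its result,
    TEST is AND that discards its result; both only update the flags.
    """
    dest &= MASK32
    src &= MASK32
    if op == 'add':
        full = dest + src
        res = full & MASK32
        cf = full > MASK32                                      # carry out of bit 31
        of = to_signed(dest) + to_signed(src) != to_signed(res)  # signed overflow
    elif op in ('sub', 'cmp'):
        res = (dest - src) & MASK32
        cf = dest < src                                         # borrow
        of = to_signed(dest) - to_signed(src) != to_signed(res)
    elif op in ('and', 'test'):
        res = dest & src
        cf = of = False                                         # logic ops clear CF/OF
    elif op == 'or':
        res = dest | src
        cf = of = False
    elif op == 'xor':
        res = dest ^ src
        cf = of = False
    else:
        raise ValueError('unsupported op: ' + op)
    flags = {'ZF': res == 0, 'SF': bool(res & 0x80000000), 'CF': cf, 'OF': of}
    new_dest = dest if op in ('cmp', 'test') else res
    return new_dest, flags


# Conditions from the jump table: unsigned jumps use CF/ZF, signed ones SF/OF/ZF.
JUMPS = {
    'JE':  lambda f: f['ZF'],
    'JNE': lambda f: not f['ZF'],
    'JA':  lambda f: not f['CF'] and not f['ZF'],
    'JAE': lambda f: not f['CF'],
    'JB':  lambda f: f['CF'],
    'JBE': lambda f: f['CF'] or f['ZF'],
    'JG':  lambda f: not f['ZF'] and f['SF'] == f['OF'],
    'JGE': lambda f: f['SF'] == f['OF'],
    'JL':  lambda f: f['SF'] != f['OF'],
    'JLE': lambda f: f['ZF'] or f['SF'] != f['OF'],
    'JS':  lambda f: f['SF'],
    'JNS': lambda f: not f['SF'],
    'JO':  lambda f: f['OF'],
    'JNO': lambda f: not f['OF'],
}
# Aliases that assemble to the same opcode.
for alias, real in (('JZ', 'JE'), ('JNZ', 'JNE'), ('JC', 'JB'), ('JNAE', 'JB'),
                    ('JNC', 'JAE'), ('JNB', 'JAE'), ('JNA', 'JBE'), ('JNBE', 'JA'),
                    ('JNG', 'JLE'), ('JNGE', 'JL'), ('JNL', 'JGE'), ('JNLE', 'JG')):
    JUMPS[alias] = JUMPS[real]


def jump_taken(mnemonic, flags):
    """True if the conditional jump would be taken with the given flags."""
    return JUMPS[mnemonic.upper()](flags)


def compare_and_branch(eax, ebx, mnemonic):
    """'CMP EAX, EBX' followed by a conditional jump; True if the jump is taken."""
    _, flags = alu('cmp', eax, ebx)
    return jump_taken(mnemonic, flags)


if __name__ == '__main__':
    # The tutorial's O-Flag case: 7FFFFFFF + 1 flips the sign bit.
    print(alu('add', 0x7FFFFFFF, 1))
    # Same bit pattern, two readings: FFFFFFFF is 4294967295 unsigned but -1 signed,
    # so after "CMP EAX,EBX" with EAX=FFFFFFFF, EBX=1 the unsigned and signed jumps disagree.
    for j in ('JA', 'JG', 'JB', 'JL'):
        print(j, compare_and_branch(0xFFFFFFFF, 1, j))
    # TEST EAX,EAX: ZF says whether EAX is zero, EAX itself is untouched.
    print(alu('test', 0, 0)[1]['ZF'], alu('test', 5, 5)[1]['ZF'])
```

The signed/unsigned split is the practical point: a length check compiled as "CMP EAX,EBX / JG" treats a value with the top bit set as negative and lets it through, while the same check with JA would reject it. When you read a comparison in a disassembly, the jump that follows tells you which interpretation the compiler (and the programmer) had in mind.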

---------------------------------------------------------------------------------------------

     LEA (Load Effective Address)
     Syntax: LEA dest,src

     LEA looks like a MOV, but it stores the *address* computed by the bracketed expression
     in dest instead of the value found at that address, and it touches no flags. It isn't
     used that much for its original function (taking the address of a local variable), but
     more for quick arithmetic like this:

     lea eax, dword ptr [4*ecx+ebx]
     which gives eax the value of 4*ecx+ebx without reading memory at all

---------------------------------------------------------------------------------------------

     MOV (Move)
     Syntax: MOV dest,src

     This is an easy to understand instruction. MOV copies the value from src to dest and src
     stays what it was before.

     There are some variants of MOV:

     MOVS/MOVSB/MOVSW/MOVSD: these variants copy the byte/word/dword that ESI points to to
     the place EDI points to, and then advance both ESI and EDI by the size copied. They are
     usually combined with REP to copy a whole block.

     MOVSX:   MOVSX expands a byte or word operand to word or dword size and keeps the sign
     of the value (the upper bits are filled with copies of the highest bit).

     MOVZX:   MOVZX expands a byte or word operand to word or dword size and fills the rest
     of the space with 0.

---------------------------------------------------------------------------------------------

     MUL (Multiplication)
     Syntax: MUL value

     This instruction is the same as the one-operand IMUL, except that it multiplies
     unsigned: EDX:EAX = EAX * value. It sets the O and C flags when the product does not
     fit into EAX (i.e. when EDX ends up nonzero); the Z flag is undefined afterwards.

---------------------------------------------------------------------------------------------

     NOP (No Operation)
     Syntax: NOP

     This instruction does absolutely nothing; its opcode is the single byte 90.
     That's the reason why it is used so often in reversing ;) Overwriting a jump or a call
     with NOPs is the simplest way to switch a check off.

---------------------------------------------------------------------------------------------

     OR (Logical Inclusive Or)
     Syntax: OR dest,src

     The OR instruction combines two values using the logical inclusive OR and stores the
     result in dest.
     This instruction clears the O-Flag and the C-Flag and can set the Z-Flag.

     To understand OR better, consider these two binary values:

                                    1001010110
                                    0101001101
    
     If you OR them, the result is 1101011111

     Only when two 0s stand above each other is the resulting bit 0; otherwise the resulting
     bit is 1. You can use calc.exe to calculate OR. I hope you understand why, else write
     down a value on paper and try ;)

---------------------------------------------------------------------------------------------

     POP
     Syntax: POP dest

     POP loads the word/dword at [ESP] and puts it into dest. Additionally it increases ESP
     by the size of the value that was popped off the stack, so that the next POP gets the
     next value.

---------------------------------------------------------------------------------------------

     PUSH
     Syntax: PUSH operand

     PUSH is the opposite of POP. It decreases ESP by the size of the operand and then
     stores the value at [ESP], so that ESP points to the value that was PUSHed.

---------------------------------------------------------------------------------------------

    REP/REPE/REPZ/REPNE/REPNZ
     Syntax: REP/REPE/REPZ/REPNE/REPNZ ins

     Repeat Following String Instruction: REP repeats ins while ECX is not 0, decrementing
     ECX after every iteration. REPE/REPZ additionally stop as soon as ZF=0, and REPNE/REPNZ
     stop as soon as ZF=1 (so "REPNE SCASB" scans for a byte, as strlen does, and
     "REPE CMPSB" compares two buffers). The ins value must be a string operation such as
     CMPS, INS, LODS, MOVS, OUTS, SCAS, or STOS.

---------------------------------------------------------------------------------------------

     RET (Return)
     Syntax: RET
             RET digit

     RET does nothing but return from a piece of code that was reached using a CALL
     instruction: it pops the return address that CALL pushed and jumps there. RET digit
     additionally adds digit to ESP after popping, which removes the arguments the caller
     pushed (the callee "cleans the stack", as in the stdcall convention used by the
     Windows API).
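The following is an added example, not code from the original tutorial. It models the stack described in section V and the PUSH, POP, CALL and RET/RET n entries above, so you can watch ESP and the stack memory change across a call: the return address lands at [ESP], the first argument sits at [ESP+4], and RET 8 brings ESP back to where it was. The starting ESP, the code addresses and the class/function names (Stack, stdcall_roundtrip, push_pop_order) are this example's own, made up for the demo.

```python
# Added example, not part of the original tutorial: a little-endian model of
# the 32-bit stack showing what PUSH, POP, CALL and RET / RET n do to ESP and
# to memory. The starting ESP and the code addresses are made up for the demo;
# the class and function names are this example's own.

import struct


class Stack:
    def __init__(self, esp=0x0012FF80):
        self.mem = {}          # byte address -> byte value
        self.esp = esp

    def write_dword(self, addr, value):
        # Little endian: the dword 00401005 is stored as the bytes 05 10 40 00.
        for i, b in enumerate(struct.pack('<I', value & 0xFFFFFFFF)):
            self.mem[addr + i] = b

    def read_dword(self, addr):
        raw = bytes(self.mem.get(addr + i, 0) for i in range(4))
        return struct.unpack('<I', raw)[0]

    def raw_bytes(self, addr, n=4):
        """The n bytes at addr, as a debugger's memory dump would show them."""
        return bytes(self.mem.get(addr + i, 0) for i in range(n))

    def push(self, value):
        """PUSH: ESP = ESP - 4, then store the dword at [ESP]."""
        self.esp -= 4
        self.write_dword(self.esp, value)

    def pop(self):
        """POP: load the dword at [ESP], then ESP = ESP + 4."""
        value = self.read_dword(self.esp)
        self.esp += 4
        return value

    def call(self, eip, target):
        """CALL target, executed at address eip. The near relative CALL (E8 rel32)
        is 5 bytes long, so the return address pushed is eip + 5."""
        self.push(eip + 5)
        return target

    def ret(self, cleanup=0):
        """RET / RET n: pop the return address, then add n to ESP so the
        arguments the caller pushed are dropped (stdcall: callee cleans up)."""
        return_addr = self.pop()
        self.esp += cleanup
        return return_addr


def push_pop_order(values):
    """PUSH the values in order, then POP them all: last in, first out."""
    s = Stack()
    for v in values:
        s.push(v)
    return [s.pop() for _ in values]


def stdcall_roundtrip(args, call_site=0x00401000, callee=0x00404000):
    """Simulate 'push argN ... push arg1 ; call callee' and the callee's 'ret n'.

    Returns what a reverser sees at each step: the return address and its raw
    bytes at [ESP] on entry to the callee, the first argument at [ESP+4], and
    ESP before the pushes and after RET n (they must match).
    """
    s = Stack()
    esp_before = s.esp
    for a in reversed(args):                 # stdcall pushes right to left
        s.push(a)
    s.call(call_site, callee)
    view = {
        'ret_addr': s.read_dword(s.esp),
        'ret_addr_bytes': s.raw_bytes(s.esp),
        'first_arg': s.read_dword(s.esp + 4),
        'esp_in_callee': s.esp,
    }
    view['ret_to'] = s.ret(4 * len(args))    # RET 8 for two dword arguments
    view['esp_before'] = esp_before
    view['esp_after'] = s.esp
    return view


if __name__ == '__main__':
    print(push_pop_order([1, 2, 3]))
    for k, v in stdcall_roundtrip([0x10, 0x20]).items():
        print(k, v.hex() if isinstance(v, bytes) else hex(v))
```

The layout the model produces (return address at [ESP], arguments above it) is the one you read off in a debugger when you break at the first instruction of a function, and it is also why a buffer on the stack that is overrun by a few bytes ends up overwriting the saved return address that RET will jump to.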

---------------------------------------------------------------------------------------------

     SUB (Subtraction)
     Syntax: SUB dest,src

     SUB is the opposite of the ADD command. It subtracts the value of src from the value of
     dest and stores the result in dest.

     SUB can set the Z/O/C flags.

---------------------------------------------------------------------------------------------

     TEST
     Syntax: TEST operand1, operand2

     This instruction is in 99% of all cases used as "TEST EAX, EAX". It performs a logical
     AND (like the AND instruction) but does not save the result; only the flags are
     changed. For "TEST EAX, EAX" that means the Z-Flag is set when EAX is 0 and cleared
     when EAX is not 0 (the S-Flag copies the highest bit of EAX). The O/C flags are always
     cleared.

---------------------------------------------------------------------------------------------

     XOR
     Syntax: XOR dest,src

     The XOR instruction combines two values using the logical exclusive OR (remember that
     OR uses the inclusive OR).

     This instruction clears the O-Flag and the C-Flag and can set the Z-Flag.
     To understand XOR better, consider these two binary values:

                                    1001010110
                                    0101001101

     If you XOR them, the result is 1100011011

     When the two bits on top of each other are equal, the resulting bit is 0; otherwise the
     resulting bit is 1. You can use calc.exe to calculate XOR.
     The most often seen use of XOR is "XOR EAX, EAX". This sets EAX to 0, because when you
     XOR a value with itself the result is always 0 (and the encoding is shorter than that of
     "MOV EAX, 0"). I hope you understand why, else write down a value on paper and try ;)

---------------------------------------------------------------------------------------------

VII.  Logical Operations
 
 
The most used logical operations follow in a reference table (one row per combination of input bits).
 
 
                   Reference Table
 
     operation        src     dest    result
        AND            1        1       1
                       1        0       0
                       0        1       0
                       0        0       0   
        OR             1        1       1
                       1        0       1
                       0        1       1
                       0        0       0   
        XOR            1        1       0
                       1        0       1
                       0        1       1
                       0        0       0  
        NOT            0       N/A      1
                       1       N/A      0  

---------------------------------------------------------------------------------------------





 source: From Internet

