## Shellcode to Scroll Your Desktop Horizontally

This is another fun shellcode I’ve written to scroll your desktop horizontally.


## Shellcode to Invert Colors

This is a simple shellcode I wrote for fun. It’s pretty useless, but it’s still fun to experiment with 🙂

## Patching Windows Media Player

I’m writing this post at the request of @rudr4_sarkar. This is a very simple patch that lets you open multiple instances of wmplayer. The player uses the ‘CreateMutexW’ API to create a mutex object named “Local\Microsoft_WMP_70_CheckForOtherInstanceMutex” and bails out if that mutex already exists.

The pseudo code would be something like this (the ERROR_ALREADY_EXISTS check is the standard single-instance idiom that the conditional jump below corresponds to):

```c
HANDLE hMutex = CreateMutexW(NULL, FALSE, L"Local\\Microsoft_WMP_70_CheckForOtherInstanceMutex");
if (GetLastError() == ERROR_ALREADY_EXISTS) {
    /* another instance is already running: exit ("bad boy" path) */
}
```

You just need to patch the ‘JNZ’ to a ‘JMP’ instruction, which will always jump to the good boy 🙂

## Random CrackMe

This is an interesting crackme I found randomly. You can download it from here: http://www.mediafire.com/file/5r3a3uqsg1pbp4v/CrackMe1.zip

The algorithm uses the PID of the application for the serial key calculation. It also uses the ‘GetComputerName’ and ‘GetUserName’ win32 APIs when generating the serial key. The lengths of both results are used as loop counts, and each ASCII value is summed. These sums feed into the final serial key calculation.
This graph is from the OllyGraph plugin.


## Data Packing

I was doing some random experiments using assembly and C. This is a simple example of packing 2 numbers inside a single register in assembly. Let’s assume

$al < 2^{5}$
$bl < 2^{3}$

We want to store these 2 values inside the dl register. The dl register is 8 bits wide, so 5 + 3 = 8 bits fit exactly.
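As an added example (not code from the original post), here is the same 5-bit/3-bit packing scheme in C, with the range checks the assembly version leaves to the caller, the unpack step, and a round-trip check over every valid pair; the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

#define AL_BITS 5                 /* al < 2^5 */
#define BL_BITS 3                 /* bl < 2^3 */
#define AL_MAX  ((1u << AL_BITS) - 1)
#define BL_MAX  ((1u << BL_BITS) - 1)

/* Pack al into the high 5 bits of dl and bl into the low 3 bits.
 * Returns -1 if either value does not fit: an oversized al would
 * silently overflow the byte, an oversized bl would corrupt the
 * low bits of al. Equivalent to "shl al,3 ; or al,bl" in asm. */
int pack_dl(unsigned al, unsigned bl)
{
    if (al > AL_MAX || bl > BL_MAX)
        return -1;
    return (int)(((al << BL_BITS) | bl) & 0xFF);
}

/* Inverse: recover both fields from the packed byte
 * ("shr dl,3" for al, "and dl,7" for bl). */
void unpack_dl(uint8_t dl, unsigned *al, unsigned *bl)
{
    *al = dl >> BL_BITS;
    *bl = dl & BL_MAX;
}

/* Round-trip every valid (al, bl) pair; returns 1 on success. */
int pack_roundtrip_ok(void)
{
    for (unsigned a = 0; a <= AL_MAX; a++)
        for (unsigned b = 0; b <= BL_MAX; b++) {
            int packed = pack_dl(a, b);
            unsigned ra, rb;
            if (packed < 0) return 0;
            unpack_dl((uint8_t)packed, &ra, &rb);
            if (ra != a || rb != b) return 0;
        }
    return 1;
}

int main(void)
{
    unsigned a, b;
    int dl = pack_dl(0x1F, 0x5);                 /* 31 and 5 -> 0xFD */
    unpack_dl((uint8_t)dl, &a, &b);
    printf("dl = 0x%02X -> al = %u, bl = %u\n", dl, a, b);
    printf("pack_dl(32, 0) = %d (out of range)\n", pack_dl(32, 0));
    return pack_roundtrip_ok() ? 0 : 1;
}
```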


## String Length Function in NASM

When I want to print a string to stdout on Linux, the write syscall needs the string’s length. We can’t always rely on the `$ - string` idiom, which only works for a string defined at assembly time.

We use the REPNE (REPeat while Not Equal) prefix, which repeats the instruction as long as ECX != 0 and the zero flag is clear. Along with REPNE we use SCASB (scan byte string). It compares the content of the accumulator (AL, AX, or EAX) against the byte currently pointed at by ES:[EDI], then advances EDI. At the end we take the difference between the scanned position (EDI) and the start of the string (saved in EBX) to find the length.

```nasm
; Input:  EDI -> NUL-terminated string
; Output: EAX = length (excluding the terminator); EDI is clobbered
_strlen:
    push ebx
    push ecx

    mov   ebx, edi            ; remember the start of the string
    xor   al, al              ; scan for the NUL byte
    mov   ecx, 0xffffffff     ; effectively unbounded count

    repne scasb               ; REPeat while Not Equal: advance EDI until [edi] == al

    sub   edi, ebx            ; EDI points one past the NUL, so edi - ebx = length + 1
    dec   edi                 ; drop the terminator
    mov   eax, edi

    pop ecx                   ; restore in reverse push order
    pop ebx
    ret
```

## Assault Cube Trainer

I recently wanted to explore the world of game hacking, which involves some cool reverse engineering tricks. This is a trainer written in C++.

It simply uses WriteProcessMemory to write the values into the game’s memory.

This interface loads an SQLite extension library from the named file.

```c
int sqlite3_load_extension(
  sqlite3 *db,          /* Load the extension into this database connection */
  const char *zFile,    /* Name of the shared library containing extension */
  const char *zProc,    /* Entry point. Derived from zFile if 0 */
  char **pzErrMsg       /* Put error message here if not 0 */
);
```

You can use this function to load a SQLite extension. However, extension loading is turned off by default (see sqlite3_enable_load_extension()) precisely to keep it from being abused in SQL injection attacks. You can read more here: https://www.sqlite.org/c3ref/enable_load_extension.html
The SQL syntax would be

```sql
select load_extension('path\dll', 'EP');
```

However, this path (the const char *zFile argument) can be a UNC path to an SMB share too.

## Making your Shellcode Undetectable using .NET

In the world of Windows you can execute shellcode using the VirtualAlloc and VirtualProtect Windows APIs. There are also a few more APIs we can use to do the same task, each with a different technique involved.

# VirtualProtect

This is how MSDN explains this:

Changes the protection on a region of committed pages in the virtual address space of the calling process.

```c
BOOL WINAPI VirtualProtect(
  _In_  LPVOID lpAddress,
  _In_  SIZE_T dwSize,
  _In_  DWORD  flNewProtect,
  _Out_ PDWORD lpflOldProtect
);
```

Basically we can make our shellcode memory region executable and invoke it using this API. We use the PAGE_EXECUTE_READWRITE as the memory protection constant for the flNewProtect parameter to make our page RWX.

Here’s an example using C which I have implemented.

## Satana Malware Analysis

I haven’t done any malware analysis before, and this is my first post related to malware. I’m really interested, but there is still quite a lot to learn 🙂 so I thought I’d start somewhere, and this is my analysis of the ransomware named “Satana”. Obviously I hope you know who Satan is 👿

Samples:

# Behavior Analysis

As soon as you run it, the main executable deletes itself and a new copy of the sample is created inside the %temp% folder.


The following is the disassembly corresponding to this event.
