I recently wanted to explore the world of game hacking, which involves some cool reverse engineering tricks. This is a trainer written in C++.
Simply uses WriteProcessMemory to write the values into memory of the game.
Download game: https://assault.cubers.net/download.html
Download trainer: https://github.com/OsandaMalith/GameHacking/blob/master/AssaultCube/Hack.7z
This interface loads an SQLite extension library from the named file.
[code language=”C”]
int sqlite3_load_extension(
sqlite3 *db, /* Load the extension into this database connection */
const char *zFile, /* Name of the shared library containing extension */
const char *zProc, /* Entry point. Derived from zFile if 0 */
char **pzErrMsg /* Put error message here if not 0 */
);
[/code]
More information: https://www.sqlite.org/c3ref/load_extension.html
You can use this function to load a SQLite extension. However by default sqlite3_enable_load_extension() is turned off by default to prevent this in SQL injection attacks. You can read more from here https://www.sqlite.org/c3ref/enable_load_extension.html
The syntax would be
[code language=”sql”]
select load_extension(‘path\dll’, ‘EP’);
[/code]
However this path, const char *zFile can be a SMB share too.
(more…)
In the world of Windows you can execute shellcode using the VirtualAlloc and VirtualProtect Windows APIs. There are also few more APIs we can use to do the same task but different techniques involved.
This is how MSDN explains this:
Changes the protection on a region of committed pages in the virtual address space of the calling process.
[code language=”c”]
BOOL WINAPI VirtualProtect(
_In_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flNewProtect,
_Out_ PDWORD lpflOldProtect
);
[/code]
https://msdn.microsoft.com/en-us/library/windows/desktop/aa366898(v=vs.85).aspx
Basically we can make our shellcode memory region executable and invoke it using this API. We use the PAGE_EXECUTE_READWRITE as the memory protection constant for the flNewProtect parameter to make our page RWX.
Here’s an example using C which I have implemented.
(more…)
I haven’t done any malware analysis before and this would be my first post related to malware. I’m really interested but still quite a lot of things to learn 🙂 so I thought of starting off somewhere and this is the analysis of the ransomware named “Satana” by me. Obviously I hope you know who is Satan 👿
Samples:
As soon as you run this the main executable will be deleted and a new sample will be created inside the %temp% folder.
The following is the disassembly corresponding to this event.
For this year’s birthday the most awesome gift I received was from hasherazade 🙂
I am very thankful to her for making my birthday so special 🙂
This crackme is a bootloader written in 16-bit assembly. This is how this look like.
This is a crash I found in MySQL versions up to 5.5.45. In the function procedure analyse() I found this crash while passing a sub query.
Syntax:
[code language=”sql”]
SELECT * FROM `table_name` PROCEDURE ANALYSE((SELECT*FROM(SELECT 1)x),1);
[/code]
So an Example POC would be:
[code language=”sql”]
select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
[/code]
[code language=”sql”]
—————————————————————————————————————
mysql> select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
mysql> select 1;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect…
ERROR 2003 (HY000): Can’t connect to MySQL server on ‘localhost’ (10061)
ERROR:
Can’t connect to the server
mysql>
—————————————————————————————————————
[/code]
By checking the parent process of a given process we can determine if the process is being debugged or not by expecting “explorer.exe” to be the usual parent process started by the user.
For this technique the following Windows APIs are used.
We also use a pointer to PROCESSENTRY32 structure which will store the information of each process taken from the snapshot.
[code language=”C”]
typedef struct tagPROCESSENTRY32 {
DWORD dwSize;
DWORD cntUsage;
DWORD th32ProcessID;
ULONG_PTR th32DefaultHeapID;
DWORD th32ModuleID;
DWORD cntThreads;
DWORD th32ParentProcessID;
LONG pcPriClassBase;
DWORD dwFlags;
TCHAR szExeFile[MAX_PATH];
} PROCESSENTRY32, *PPROCESSENTRY32;
[/code]
This is another simple anti-reversing trick used to detect a debugger. As I have shown earlier in my post about the TEB structure and the PEB structure, NtGlobalFlag is located in the PEB Structure at offset PEB+104.
When the process is being debugged the NtGlobalFlag is set to 0x70.
I was interested in learning about the anti-reversing techniques in the world of reverse engineering. There are so many techniques out there and I thought of trying few techniques and understanding them from the lowest level. I thought of sharing the things I’ve been experimenting these days.
IsDebuggerPresent is a Windows API that can be used to detect a debugger. Here’s an example code:
[code language=”C”]
/*
* IsDebuggerPresent Example
* Author: Osanda Malith Jayathissa (@OsandaMalith)
* Website: http://osandamalith.wordpress.com
*/
#include <windows.h>
int main() {
MessageBox(0, IsDebuggerPresent() ? "Debugger found" : "Debugger not found","Status",0x30);
}
[/code]
If we open in a debugger “Debugger Found” text will get triggered in the MessageBox API. How this API works? Open the API in the debugger and you get the following piece of code.
[code language=”C”]
MOV EAX,DWORD PTR FS:[18]
MOV EAX,DWORD PTR DS:[EAX+30]
MOVZX EAX,BYTE PTR DS:[EAX+2]
[/code]
(more…)
When we try to open a compiled AutoIT application in a debugger we get this error message.
Let’s try to find the return address from the MessageBoxA API from the stack.
(more…)
