Lab01-02 Analysis

This program is packed using UPX and can be easily unpacked.

At the start we see a call to ‘StartServiceCtrlDispatcher’ which is used to implement a service and the service control manager will call the service entry point provided. In here I have labeled the service entry point as ‘ServiceMain’. The name of the service created would be ‘Malservice’.

Continue reading


Patching Windows Media Player

I’m writing this post on the request of @rudr4_sarkar. This is a very simple patch in which you can open multiple instances of wmplayer. It basically uses the ‘CreateMutexW’ API to create a mutex object with the string “Local\Microsoft_WMP_70_CheckForOtherInstanceMutex”.


The pseudo code would be something like this

HANDLE hMutex = CreateMutex(NULL, FALSE, L"Local\Microsoft_WMP_70_CheckForOtherInstanceMutex");
if (GetLastError() == ERROR_ALREADY_EXISTS) {


You just need to patch the ‘JNZ’ to a ‘JMP’ instruction, that will always jump to the good boy 🙂

disass Continue reading

Random CrackMe

This is an interesting crackme I found randomly. You can download it from here:

The algorithm uses the PID of the application for the serial key calculation. It also uses the ‘GetComputerName’ and ‘GetUserName’ win32 APIs in generating the serial key. The length of both results are used for the loops and each ascii value is added. These results are used in the final calculation in the serial key.
This graph is from the OllyGraph plugin.

Continue reading

Data Packing

I was doing some random experiments using assembly and C. This is a simple example in packing 2 numbers inside a register in assembly. Let’s assume

al < 2^{5}
bl < 2^{3}

We want to store these 2 values inside the dl register. The dl register is of 8 bits, so 5 + 3 = 8 bits


; al < 2 ^ 5, bl < 2 ^ 3
mov al, bl
shl dl, 3
or dl, bl ; xor would also work fine


mov cl, dl ; Make a copy of dl
and dl, 111b ; Extract lowest 3 bits (b)
mov bl, dl
shr cl, 3 ; Extract highest 5 bits (a)
mov al, cl

Continue reading

Fun with SQLite Load_Extension

What is load_extension?

This interface loads an SQLite extension library from the named file.

int sqlite3_load_extension(
sqlite3 *db, /* Load the extension into this database connection */
const char *zFile, /* Name of the shared library containing extension */
const char *zProc, /* Entry point. Derived from zFile if 0 */
char **pzErrMsg /* Put error message here if not 0 */

More information:
You can use this function to load a SQLite extension. However by default sqlite3_enable_load_extension() is turned off by default to prevent this in SQL injection attacks. You can read more from here
The syntax would be

select load_extension(‘path\dll’, ‘EP’);

However this path, const char *zFile can be a SMB share too.
Continue reading

Making your Shellcode Undetectable using .NET

In the world of Windows you can execute shellcode using the VirtualAlloc and VirtualProtect Windows APIs. There are also few more APIs we can use to do the same task but different techniques involved.


This is how MSDN explains this:

Changes the protection on a region of committed pages in the virtual address space of the calling process.

BOOL WINAPI VirtualProtect(
_In_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flNewProtect,
_Out_ PDWORD lpflOldProtect

Basically we can make our shellcode memory region executable and invoke it using this API. We use the PAGE_EXECUTE_READWRITE as the memory protection constant for the flNewProtect parameter to make our page RWX.

Here’s an example using C which I have implemented.
Continue reading