Vol.4, No.1, 2007
The CodeBreakers Journal deals with IT-Security & IT-Anti-Security and Attack & Defense. The CodeBreakers Journal is publishing articles after full peer review. All articles are published, without barriers to access, immediately upon acceptance. The CodeBreakers Journal is published frequently.

Linux anti-debugging techniques (fooling the debugger)

This article describes anti-debugger techniques for x86/Linux (though some of these techniques are not x86 specific). That is, techniques to either fool, stop, or modify the process of debugging the target program. This can be useful to the development of viruses and also to those implementing software protection.
Read More >>

Code Optimisation, A Beginner's Guide

When writing a virus, size is a primary concern. A bloated virus carrying unnecessary baggage will run slower than its optimised counterpart and eat up more disk space.

Never optimise any code before it works fully, since altering code after optimisation often messes up the optimisation and, in turn, messes up the code. After it works, the focus can shift to optimisation. Always keep a backup of the last working copy of the virus, as optimisation often leads to improperly workin...
Read More >>


EPO: Entry-Point Obscuring

In order to receive control, a virus can modify an executable in several ways:

  • Modifying the entry-point field, making it point to the virus code
  • Inserting a jump to the virus over the program's code

The first way is easy, but almost every decent antivirus nowadays will mark infected files as suspicious. The reason? A file whose entry-point is outside the code section is, at least, suspicious.

Read More >>

Int 2Dh debugger detection and code obfuscation

Read More >>

Defeating HyperUnpackMe2 With an IDA Processor Module
This article is about breaking modern executable protectors. The target, a crackme known as HyperUnpackMe2, is modern in the sense that it does not follow the standard packer model of yesteryear wherein the contents of the executable in memory, minus the import information, are eventually restored to their original forms.

Modern protectors mutilate the original code section, use virtual machines operating upon polymorphic bytecode languages to slow reverse engineering, and take...
Read More >>

Defeating the Debugger

Let me start by saying this:

Quote: "you cannot and will not ever write a program that is not crackable". But that's not to say you can't make it extremely difficult!

That being said, let's begin. In this document, we are going to learn some anti-debugging tricks that you can incorporate in your own applications.

In my first article for Osix I discussed Self Modifying Code, and attempting to throw off disassemblers. Now we'll talk about defeating (or at...
Read More >>

The Damn Vulnerable Linux Project

Damn Vulnerable Linux (DVL) is a Linux-based (modified Damn Small Linux) tool for IT-Security & IT-Anti-Security and Attack & Defense. It was initiated for training tasks during university lessons by the IITAC (International Institute for Training, Assessment, and Certification) and S²e - Secure Software Engineering in cooperation with the French Reverse Engineering Team. Visit their websites at http://www.iitac.org, http://www.Secure-Software-Engineering.com , and http://www.binary...
Read More >>


An in depth analysis of ASProtect 2.22

The name ASProtect sends shivers down the spine of any want-to-be reverse engineer. Every time a new version comes out, new tricks follow. My target is Notepad.exe and I have packed it with the ASProtect 2.22 demo version. This version of ASPR has advanced import protection. Let's begin to tackle it.

Read More >>

Writing Shellcode for Linux and Windows Tutorial

Shellcoding, in its most literal sense, means writing code that will return a remote shell when executed. The meaning of shellcode has evolved; it now represents any byte code that will be inserted into an exploit to accomplish a desired task. Yes, you are correct, there are tons of repositories all around the internet for shellcoding. Namely, the metasploit project seems to be the best. Writing an exploit can be difficult, what happens when all of the prewritten blocks of code cease t...
Read More >>


EAX-56 KGM Under Attack: A Thorough Examination of SCA
This paper is a continuation of my previously published article (RCE Profiling: Counterbalancing the Algo.this.Key) at CodeBreakers Journal Vol. 4, No. 1, 2007. What I'll try to establish in this paper is to continue the analysis of another KGM; Keygen it to a higher level of simulation, blowing up the SCA, inline assembly code. The new thing is how to find the bugs inside the compiled executable file and how to deal with them so as not to expose your software to malicious attacks based o...
Read More >>

Another Way of Hooking APIs
System research mainly depends on the ability to easily instrument, reverse engineer, monitor and/or extend existing operating system and application functionality. If the source code is available then it's quite easy to insert new instrumentation and extend the OS & applications' abilities. But in today's commercial environment researchers seldom have access to the source code. So to fulfill these requirements a different mechanism is commonly used, called API hooking. Though API h...
Read More >>

64-Bit - Programming and Assembly Issues

The 64-Bit technology introduces several new and complex tasks for software developers. Even though the hardware industry claims that future software development should be taken care of by the newly introduced compiler systems, it is necessary to have a deep inside view of how the new underlying 64-Bit assembly language works. This paper describes what 64-Bit means for future software development, how 64-Bit influences assembly programming and how to port applications programmed unde...
Read More >>


Dll Injection
In this tutorial I'll try to cover all of the known methods (or at least, those that I know =p) of injecting DLLs into a process. DLL injection is incredibly useful for TONS of stuff (game hacking, function hooking, code patching, keygenning, unpacking, etc.). Though there are scattered tutorials on these techniques available throughout the web, I have yet to see any complete tutorials detailing all of them (there may even be more out there than I have here, of course), and com...
Read More >>

Reversing Malware: Analysis of the worm "Tibick.D"
Malware is a serious threat to computer systems. The term 'malware' is a superset of many different types of malicious code, including viruses, worms, rootkits, spyware and other threats. A long formal definition of 'malware' or the variants of malware is beyond the scope of this article, so I'll only give a very brief distinction between viruses and worms. A virus replicates itself by attaching itself to some form of executable code, for example PE files (.exe, .dll, ..) on Win...
Read More >>

Protection and Reverse Engineering under .Net

This issue mainly discusses some popular protection means under the Microsoft .Net framework, including strongname, name obfuscation, flow obfuscation, metadata encryption, packing and some anti-analysis tricks. With each protection, I will also provide some advice on how to reverse it. This issue is not a newbie tutorial; it targets those who already have some experience in .Net programming and reversing.

...

Read More >>

Reversing HDSpoof - A Tutorial
A while back I needed to find out what an executable named HDSPOOF.EXE was doing to my system (This article is based upon an early version of the program found in the WinRAR file -- an updated version of the program is available at www.taurine.game-deception.com as hwspoofv2.1.rar -- the points and code fragments noted throughout this discussion are the same, only the addresses have changed in the newer version).
...

Read More >>

Microsoft Patching Internals
This article was not written to read like a novel. It is a to-the-point technical dump describing the inner workings of Microsoft's cold and hot patching process. The majority of the symbolic names listed below have been derived from NTDLL and NTOSKRNL. Please post any questions you may have directly (for the benefit of others) to this article and the author will gladly respond. The article may be updated in the future to include some of these answers inline.

A companion downloa...
Read More >>

RCE Profiling: Counterbalancing the Algo.this.Key

In this paper I will try to demystify the commingled relations between the inner workings of the behavioral serial checking algorithm at its core and some genetic modifications for better protection against simple reversing attacks. The study will be based on structurally reversing the serial generator algorithm of a modified commercial application, in conjunction with another KeygenMe victim, to a higher level of modeling. Adding some layers of protection: Obfuscation/Encryption, Anti-Debugging...
Read More >>


Virtual Machine Rebuilding
Virtual Machines are one of the most controversial protection methods used nowadays. I try to show how virtual machines are created by examining the fully reversed source code of the VM used in the T2'06 challenge, worth $1'500. It explains how to code a VM and helps those who want to analyse such a challenge by giving direct access to its source code and its structures. The RE-built source code of T2'06 is in the appendix.
...

Read More >>

Tracing for Hardware, Driver, and Binary Reverse Engineering in Linux

This paper introduces the new Linux Trace Toolkit Next Generation (LTTng) kernel tracer and its analysis counterpart, Linux Trace Toolkit Viewer (LTTV), a fully extensible text and graphical trace viewer. It will focus on how these tools can be used in the security field, particularly for reverse engineering. Using a tracer to reverse engineer a software "black box" can help in understanding its behavior. Such software can be either a driver, a library or a multithreaded applicat...
Read More >>