
thecreator

Active Members
  • Posts

    17
  • Joined

  • Last visited

Posts posted by thecreator

  1. thecreater: Please register your name on the IRC Geek Panties network so that I am able to manage an exemption for your IDENT kick/ban issue.

    Please don’t change your nick to or use the nick panties*, you will be permanently removed and banned from the server as stated in the /rules “Do not impersonate any person or entity, including, but not limited to, a Geek Panties official, forum leader, guide or host, or falsely state or otherwise misrepresent your affiliation with a person or entity.”

    If you have any questions about the users or services on my network you can contact me on the IRC server irc.geekpantes.com; user name: maria. You may also find me on msn maria@geekpanties.com.

    Good luck with whatever you guys were trying to accomplish. - maria/nerdette

    The only rules in the internet are the RFC's (and not even hehe)

  2. I would like to do that stuff that Steve @ grc did.

    Every time I join the #ubuntu channel (for example) I get kicked+banned, like automatically. So I think they are doing a "VERSION" check, and if client-x doesn't have a particular version reply then they get kick-banned. So I tried /ctcp evilbot VERSION on one of the bots, but they don't reply to my version request, so I have no clue. Once I can figure out what criteria they are using to ban, I can get around it... then just chill in the channel and log.

    I know with some bot programs you have to message the bot ".login my_password" before you can use it. Maybe if I could "look" like a bot and get the bot password then I could really abuse that stuff. But if I can't even get in the channel I won't be able to do that.

  3. Sorry about being such a dick before... Yeah, I tried reading Intel's documentation but I was confused. I also tried reading other links from the ##asm channel with no luck.

    So I decided that I would do a binary edit on the D3EEBF83 value to see how it affected the address that would be jumped to.

    The magic formula when using the E9 instruction turns out to be:

    0xffffffff - current_address - 4 + dest_address

    We do this because we can ONLY JMP forward. So to jump backward we pass a large enough number to overflow the value and go back to 0.

    The -4 is there because a whole JMP instruction is 5 bytes but "E9" takes 1 of the bytes... leaving 4 bytes.

    dest_address and current_address are obvious.

    When doing memory modifications we have to remember to put our answer in memory backwards,

    e.g. 0x83bfeed3 goes in memory as 0xd3eebf83

    because the stack goes bottom to top.

    I feel kind of stupid for posting this because all it took was some playing around with the hex values to understand how the JMP instruction worked... well anyways, PEACE
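    The following is an added worked example, not code from the post above or from the question below it. It reproduces what OllyDbg did with "JMP 0040131A" at 7C802442: Intel's JMP rel32 (opcode E9) carries a signed 32-bit displacement measured from the address of the next instruction (the JMP is 5 bytes: one opcode byte plus four displacement bytes), so backward jumps are negative displacements, which in two's complement look like large unsigned numbers. The post's formula 0xffffffff - current - 4 + dest yields the same 32 bits as dest - (current + 5) because 0xffffffff - x equals -x - 1 modulo 2^32. The four displacement bytes are stored least significant byte first (x86 is little-endian), which is why 0x83BFEED3 shows up in memory as D3 EE BF 83. The second address pair in main() (a short forward jump at 0x00401000) is a constructed example for contrast.

```c
#include <stdint.h>
#include <stdio.h>

/* Displacement that makes a JMP rel32 located at `at` land on `target`.
 * It is relative to the instruction AFTER the 5-byte JMP; the unsigned
 * wrap-around of the subtraction is exactly two's-complement arithmetic,
 * so the same line handles forward and backward jumps. */
uint32_t jmp_rel32_disp(uint32_t at, uint32_t target) {
    uint32_t next = at + 5u;      /* address of the next instruction */
    return target - next;
}

/* The formula from the post, kept for comparison with the one above:
 * 0xffffffff - at - 4 + target == target - at - 5 (mod 2^32). */
uint32_t jmp_rel32_disp_forum_formula(uint32_t at, uint32_t target) {
    return 0xffffffffu - at - 4u + target;
}

/* Write the 5 encoded bytes (opcode + little-endian displacement) into out,
 * in the order they appear in memory / in a hex editor. */
void encode_jmp_rel32(uint32_t at, uint32_t target, uint8_t out[5]) {
    uint32_t disp = jmp_rel32_disp(at, target);
    out[0] = 0xE9;                   /* JMP rel32 opcode */
    out[1] = (uint8_t)(disp);        /* least significant byte first */
    out[2] = (uint8_t)(disp >> 8);
    out[3] = (uint8_t)(disp >> 16);
    out[4] = (uint8_t)(disp >> 24);
}

/* Inverse: given the 5 bytes found at `at`, recover where the JMP lands.
 * Returns 0 if the first byte is not the E9 opcode. */
uint32_t decode_jmp_rel32(uint32_t at, const uint8_t ins[5]) {
    if (ins[0] != 0xE9) return 0;
    uint32_t disp = (uint32_t)ins[1]
                  | ((uint32_t)ins[2] << 8)
                  | ((uint32_t)ins[3] << 16)
                  | ((uint32_t)ins[4] << 24);
    return at + 5u + disp;           /* wraps back around for negative disp */
}

static void show(uint32_t at, uint32_t target) {
    uint8_t ins[5];
    encode_jmp_rel32(at, target, ins);
    printf("%08X:  ", at);
    for (int i = 0; i < 5; i++) printf("%02X ", ins[i]);
    printf("  JMP %08X   (disp = %08X)  decodes to %08X\n",
           target, jmp_rel32_disp(at, target), decode_jmp_rel32(at, ins));
}

int main(void) {
    /* The post's own numbers: patch at Sleep (7C802442) jumping to vic.0040131A. */
    show(0x7C802442u, 0x0040131Au);
    /* Constructed forward jump: small positive displacement, no wrap-around. */
    show(0x00401000u, 0x00401100u);
    return 0;
}
```

    Running it prints `7C802442:  E9 D3 EE BF 83   JMP 0040131A   (disp = 83BFEED3)`, matching the OllyDbg dump, and the forward case encodes as `E9 FB 00 00 00` (0x00401100 - 0x00401005 = 0xFB). Because the displacement is relative, the same 5 bytes only work at the address they were computed for; a hook that is moved must be re-encoded.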

  4. Hi guys, I'm sorry I'm such a noob and always have to ask these questions.

    I've been messing around with OllyDbg to modify a program's execution flow. I want to be able to automate this process so I will need to understand this thing...

    I use a JMP instruction to go from the called function to mine. In OllyDbg all I have to do is go to the function and enter "JMP 0040131A" and it will modify the memory accordingly for it to work.

    It turns out that in hex "JMP 0040131A" became "E9 D3EEBF83".

    I don't get how they get this. The only thing I understand is that E9 is the 'JMP rel32' instruction (from Intel's documentation). I'll dump the stuff I got from OllyDbg.

    7C802442 >-E9 D3EEBF83      JMP vic.0040131A

    "7C802442" - The memory location I am changing. (It's the memory location for Sleep() in Windows SP2.)

    "E9 D3EEBF83" - What OllyDbg makes **what I don't understand

    "JMP vic.0040131A" - just a summary of what the instruction does, I guess

    tl/dr - how does "7C802442" + "JMP 0040131A" = "E9 D3EEBF83" ??

    Help would be much appreciated.

  5. ummm... that would be illegal...

    Hey, I didn't do anything. I don't actually have the technical skills to do a botnet "takeover". I wish I did! If I did have those skills I wouldn't post what I found in the forums for other people to try to take it over too.

  6. I know on the Hak5 zine there was interest in botnets and I'm sure some of the fans of the show may be interested in the topic also. I was just browsing some IRC servers and I found irc.geekpanties.com ... when I do a /list I get

     #hakr            2       
     #help            1860    Geek Panties Support Channel - Public Network Services NickServ / ChanServ / HostServ / BotServ
     *                2       
     #chess           2       Geek Panties chess community where you can play chess, learn strategies and tactics.
     #girls           88      
     #politics        1717    History Politics and Philosophy
     #warez           1841    Download music, movies, games, software and much more. The world's largest XDCC and FServe channel!
     #ubuntu          1976    Ubuntu's unofficial community and professional support channel.
     #Christian       1913    Social networking community for Christians to meet and connect with friends from school, church, or work.
     #idlerpg         4       
     #geekpanties     11      Geek Panties - Experienceing maria: CS:S server css.geekpanties.com | Users without IDENT will be removed from the channel. [url="http://geekpanties.com/ident"]http://geekpanties.com/ident[/url]
     #CounterStrike   1

    Seemingly legit, right? When you join #ubuntu (or just do a "/names #ubuntu"), for example, there are a bunch of "users" with nicknames such as pantie1232, pantie435, ... etc. Smells like bots to me. SO, while this thing is still up maybe someone could poke around.

    Maybe it's just me who finds botnets fascinating, but if you like this kind of stuff maybe we can try and take this botnet down or take it over for our own evil purposes...

  7. Hey "Hacklings",

    I am trying to compile a list of antivirus and firewall "exe names". I am willing to download the programs, install them, then note which executables are new in Task Manager, but that seems like it will take too long. So I tried googling for this, but only lists of viruses or lists of the antivirus programs (without the exe names) came up. So I was wondering if anyone out there on/in the tubes has a list of these exe names...

    If this list cannot be found we could always make a list of our own. I'll start. My school laptop comes with F-Secure AV and Anti-spyware;

    the exes that run are:

    FSM32.exe

    fsaua.exe

    FSMA32.EXE

  8. I like to use the SSH tunnel solution. The setup of PuTTY for a SOCKS5 proxy is easy.

    The server is the "hard" part. I would go over to irc.hackthisbox.org and ask for a shell in #hackthisbox.

    If you feel anxious about tunneling your traffic through that server, there is a SICK deal at DreamHost... if you get a year of hosting and use the promo code "MAX2009" the year only comes out to twenty-something dollars. And you can get shell access with that.

    Hope this helps.

    theCreator3

  9. OK, so I had a test app that I got from codeproject.com that uses raw sockets. Doesn't work in XP but works in my Windows Server 2003 VM. So I thought of copying the Server 2003 DLLs (mswsock.dll, ws2_32.dll, ws2help.dll and wshtcpip.dll) to my XP box. I did this but had no luck. I think I'm going to go with the driver idea. It would have been a lot easier with raw sockets than writing an NDIS driver (I've never used NDIS).

    Thanks for the suggestions :)

    Julzmb

  10. I have an app I would like to make that requires raw sockets in XP. I have downloaded many examples of using sockets and raw sockets from various programming sites. None of these examples work, and I think it is because Windows XP has what Microsoft calls 'limited' raw socket capabilities.

    I hope that M$ took raw sockets out of XP by removing the code in winsock.dll (or whatever that DLL is called, ws2_32?). If it is the case that only the DLL is modified, I was wondering if using the winsock DLL from a Windows Server 2003 or 2008 box would work (note: raw sockets have 'full' support in Windows Server).

    I don't know exactly how the Windows API and DLLs work, so I don't know if this is actually possible.

    Any thoughts or comments?

    If you are running Windows Server please send a copy of your winsock DLL :)

    Thanks
