Sunday, August 12, 2012

Notepad++ as default TXT Editor

Hi all,
in this brief blog post I want show you how replace the Windows notepad.

Ok, let's go.

First you must download Notepad++ ( of course :P ) from this link. Then install it.

Once you have installed Notepad++:
  • open regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options key;
  • Create a subkey a this location named 'notepad.exe';
  • Then create a String value named 'Debugger';
  • Download from here the npp.vbs VBScript and place it where you want ( i.e. C:\Program Files\Notepad++\ )
  • Now edit Debugger key value by inserting the follow string: ' wscript.exe "C:\Program Files\Notepad++\npp.vbs" ' [ You must change the path with your own ];
  • Create a new text file on your desktop and double click on it to open.
P.S. : A special thanks to notepad++'s forum users.

If it's all OK the file should open with Notepad++.

See you in the next post. Bye... =)

Saturday, August 4, 2012

Configure Volatility framework on Windows OS

Hi all,
it's past almost a year since I last wrote here in my blog, but the University is like a job and as well as all jobs, there isn't enough time to devote for hobbies. But as always I found a bit time to write some usefull/unuseful post :P.

This time I would like illustrate how to configure Volatility framework  on Windows OS.

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
Volatility under Linux OS has no problem to setup instead on Windows OS it is a little bit boring.
For this that I decided to post about volatility.

Below a list of all occurrences:

  • Python 2.7, the volatility core;
  • Volatility Framework ( no link because we'll use SVN later );
  • Visual C++ Express , to compile distorm3 library;
  • TortoiseSVN ( or other tools like this ), to download from SVN the last volatility and distorm3 source code;
  • YARA ,  a tool aimed at helping malware researchers to identify and classify malware samples, to resolve volatility plugin dependencies;
  • PyCrypto , Python cryptography package, also to resolve volatility plugin dependencies;
  • Distorm3, a Powerful Disassembler Library, also this to resolve volatility plugin dependencies ( no link because we'll use SVN later );
  • DumpIt, to memory dump.
Ok, now that we have all the ingredients let's go to cook a volatility cake. ;)

1. First of all download Python installer ( ver. 2.7 ) and install it. Don't change default install dir path, this must be C:\Python27. In the Path Environment Variable add ' C:\Python27 ' to call python.exe anywhere:



2. Then download and install TortoiseSVN.



- Create a directory under C:\ named 'Volatility';
- Mouse right-click in C:\ and click on SVN checkout. See figure below to set your own.
- Click ok and download starts. When it finished, click OK button and you can see in C:\Volatility directory all files like this:



3.  Now download yara-python-1.6.win32-py2.7.exe and install it. This setup solves dependencies for more plugin like yarascan command:


If installation is OK, in Python write import yara.  If no error occurred it's all OK.

4. Like YARA, download pycrypto-2.3.win32-py2.7.zip, unzip and install it. This setup also solves other dependencies:


If installation is OK, in Python write import Crypto.  If no error occurred it's all OK otherwise Google is your friend. ;)

5. Now download Visual C++ Express because we will compile distorm3 library. 
- When Visual C++ Express installation finishes let's go to C:\;
- Create in it a directory named 'distorm3';
- Mouse right-click and click on SVN checkout option;
- See below picture to configure your own:


- Click ok and download stars. When download finishes you can see all distorm files in distorm3 folder like follow screenshot:

- A this point we must set 2 Environment Variables otherwise we will have trouble building distorm library ( see also picture below ):

* Name: VS90COMNTOOLS         Value: C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\Tools\


* Name: VS100COMNTOOLS         Value: C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\Tools\


 - Open a command prompt: cd C:\distorm3python setup.py --verbose buildpython setup.py install. These 3 commands build distorm3 library.


- Now if all OK, in C:\Python27\Lib\site-packages we have a distorm3 folder as result of the build&install commands:




If installation is OK, in Python write import distorm3.  If no error occurred it's all OK otherwise check this link. ;)


OK, we finished installation phase. Now we try to launch volatility framework.

Open command prompt and go to C:\Volatility with cd then python vol.py -h. We will see similar to screenshot below:


No errors are prompted so it's all OK.

N.B. : The only problem that I encountered is with apihooks command. Shortly I'll try to post this problem at volatility community to see what's wrong in my configuration steps. Obviously if I'll resolve the problem I'll post about solution ( if there is one ). =)

So, volatility framework is configured now remains only to test it.

At top of the post I listed also DumpIt tool. This tool allows us to dump memory ( RAM ). Infact when you are analysing a malware you can run it ( in a safe environment of course ) and launch DumpIt to obtain a full memory dump which also includes malware run before and its informations. So a this point comes into play Volatility which helps us to carved out all digital artifacts and usefull information.



To see Volatility in action I recommend Evilcry's tutorial:

- Shylock via volatility
- Carberp Reverse Engineering

But also Frank Boldewin's paper

By the way a simple google search it is always a best action.

I hope this post is helpful to the reader.

Ok, for today is all, see you in the next post. =)

Tuesday, September 13, 2011

One scam E-Mail

This morning I received an E-Mail from Mr. Jida Jame; just one scam E-Mail.

This is the content:

Good day,


I am sorry to encroach into your privacy in this manner; I am Mr. Jida James a chartered chief auditor with BANK OF AFRICA Burkina Faso Ouagadougou West Africa. In my department which I am heading now, I discovered an account opened in this bank since 2004 and since then till now nobody have operated on this very account.


I wish to solicit your attention concern this funds. The amount involved in this discovered account is US$ 15.5.Million and I want the total fund to a safe bank account overseas. The purpose of my contacting you is because my status would not permit me to do this alone. I will send you the full details and more information about the funds. In your respond, please provide me the listed below information to be confuse about you.


Your Full Name.........
Your Country...........
Your Present Residence...
Your Telephone Number....
Your Fax..........if available.
Your Age......................
Your Sex...............


Best Regards,
Mr. Jida James
Chartered Auditor.

This the info carved out by E-Mail Header:


So keep out from jidaj7051@gmail.com E-Mail address.

Bye, see you in the next post. =)

Wednesday, September 7, 2011

Morto Malware Analysis

After one year of total absence for various reasons from my blog, I'm returned here to present my one recent research in my new blog ;).

Introduction

Today we're going to analyze Morto.A a malware which, in this weeks, is spreading in many Internet places. It's a worm that allows unauthorized access to an infected computer and tries to compromise administrator passwords for Remote Desktop connections, through RDP protocol, on a network. Indeed this threat infecting computers by targeting accounts that have "weak" passwords.
[ Contact me for sample. ]

Malware Identification

Below I report how this malware is identified by some AV:

  • AhnLab-V3 -> Win-Trojan/Npkon.49969
  • AntiVir -> TR/Agent.49969.1
  • Antiy-AVL -> Worm/Win32.Morto.gen
  • Avast -> Win32:Malware-gen
  • Avast5 -> Win32:Malware-gen
  • AVG -> Agent3.ACOR
  • BitDefender -> Win32.Worm.Morto.A
  • ByteHero -> Trojan.Win32.Heur.Gen
  • CAT-QuickHeal -> Worm.Morto.a
  • ClamAV -> Worm.Morto
  • Commtouch -> - Not detected
  • Comodo -> TrojWare.Win32.Trojan.Agent.Gen
  • DrWeb -> BackDoor.Tsclient.1
  • Emsisoft -> Worm.Win32.Morto!IK
  • eSafe -> Win32.Dropper
  • eTrust-Vet -> Win32/Morto.A
  • F-Prot -> - Not detected
  • F-Secure -> Worm:W32/Morto.A
  • Fortinet -> W32/Morto.B!worm.im
  • GData -> Win32.Worm.Morto.A
  • Ikarus -> Worm.Win32.Morto
  • Jiangmin -> Backdoor/DsBot.dov
  • K7AntiVirus -> Riskware
  • Kaspersky -> Net-Worm.Win32.Morto.c
  • McAfee -> W32/Morto
  • McAfee-GW-Edition -> W32/Morto
  • Microsoft -> Worm:Win32/Morto.gen!A
  • NOD32 -> Win32/Morto.B
  • Norman -> W32/Morto.D
  • nProtect -> Worm/W32.Morto.49969
  • Panda -> Trj/MereDrop.B
  • PCTools -> Trojan.Dropper
  • Prevx -> - Not detected
  • Rising -> - Not detected
  • Sophos -> Mal/Morto-A
  • SUPERAntiSpyware -> - Not detected
  • Symantec -> Trojan.Dropper
  • TheHacker -> Trojan/Agent.syl
  • TrendMicro -> - Not detected
  • TrendMicro-HouseCall -> WORM_MORTO.SMA
  • VBA32 -> - Not detected
  • VIPRE -> Trojan.Win32.Generic!BT
  • ViRobot -> Backdoor.Win32.DsBot.53076
  • VirusBuster -> Trojan.Agent!MYoVp4jcZjs

This is Virustotal result: 37/ 44 (84.1%). Good rate detection, isn't it uh?
Other additional information are:

MD5 Hash: 2EEF4D8B88161BAF2525ABFB6C1BAC2B
SHA-1 HASH: 0BBB014657BF4459FAA2E6FAF11D0559B196187C

to uniquely identify our malware.

Before Analysis

Power on your Virtual Machine, set up your best reversing malware tools, disable Drag'n'Drop and any Shared Folder, finally take a Snapshot of your clean machine so you can go back everytime you want.

Now take also another snapshot, this time of your Windows Registry so that you can compare it with another one after launching the malware, to see any change and every modification performed. For this RegShot is helpful ;)

So now that it's all ready let's start the malware analysis.


Morto Analysis

Before we run malware and make a dynamic analysis with SySAnalyzer, open morto.exe in CFF Explorer to see if it give us some interesting information. As you can see, Morto it's compiled with Microsoft Visual C++ 6.0. This inform us that it isn't packed/compressed (hopefully :P). You can also scan the executable with any packer detector for the sake of curiosity like PEiD, ProtectionID, RDG Packer Detector, etc...


Than let's go to the Import Directory and you notice 3 imported libraries:
  1. MFC42.dll
  2. MSVCRT.dll
  3. Kernel32.dll
There isn't doubt that this malware was built with MFC framework. If you don't know what is MFC framework just ask Google. It isn't really good news because applications builted with MFC Framework are very boring to reverse but don't worry, just read Pn's Tutorial about Basic MFC Reversing and continue reversing.

Open SysAnalyzer, choose morto.exe and Start; morto.exe is running.

Make a second snapshot with RegShot and compare with the first one to see the differences.

In short:
  1. morto.exe is launched;
  2. Creates:
    1. clb.dll in C:\WINDOWS ( this is the payload );
    2. ntshrui.dll in C:\WINDOWS\temp;
    3. Sens32.dll in C:\WINDOWS\system32;
    4. 1.40_TestDdos in C:\WINDOWS\Offline Web Pages;
    5. cache.txt in C:\WINDOWS\Offline Web Pages;
    6. ~MTMP<4RandomDigits>.exe, example ~MTMP657C.exe.
  3. Operates some Registry modifications:
    1. rename at next reboot Sens32.dll to cache.txt through key HKLM\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations;
    2. hides any type of error message thorugh key HKLM\SYSTEM\ControlSet001\Control\Windows\NoPopUpsOnBoot;
    3. install ntshrui.dll and Sens32.dll as service;
    write some encrypted code in HKLM\SYSTEM\WPA\ ( This code is used then by clb.dll ).
Just for information and to clarify, clb library is a legitimate and benign Microsoft system dll which is used with regedit.exe to perform operations in Windows Registry, so the name has been chosen for this reason.

Now that we have gathered enough information let's go to analyze our malware in OllyDbg.

Debugging Session

Once opened it we land to the EP. Being builted with MFC Framework we must find WinMain function, indeed it's at 0x4019B3:



 
.text:004019A8     push    eax                 ; nShowCmd
.text:004019A9     push    esi                 ; lpCmdLine
.text:004019AA     push    ebx                 ; hPrevInstance
.text:004019AB     push    ebx                 ; lpModuleName
.text:004019AC     call    ds:GetModuleHandleA
.text:004019B2     push    eax                 ; hInstance
.text:004019B3     call    _WinMain@16         ; Jump to WinMain function
.text:004019B8     mov     [ebp+var_68], eax   ; Dig Deeper
.text:004019BB     push    eax                 ; Code
.text:004019BC     call    ds:exit

Step into (F7) to dig deeper and we land here, at 401BE0 address in AfxWinMain like every application built with MFC:

.text:00401BE0     push    [esp+nShowCmd]  ; int
.text:00401BE4     push    [esp+4+lpCmdLine] ; char *
.text:00401BE8     push    [esp+8+hPrevInstance] ; struct HINSTANCE__ *
.text:00401BEC     push    [esp+0Ch+hInstance] ; struct HINSTANCE__ *
.text:00401BF0     ; AfxWinMain(HINSTANCE__ *,HINSTANCE__ *,char *,int)
.text:00401BF0     call    ?AfxWinMain@@YGHPAUHINSTANCE__@@0PADH@Z 
.text:00401BF5     retn    10h

Step into (F7) when you arrive to the AfxWinMain. We land in the JMP NEAR DWORD PTR DS:[<&MFC42.#1576>], Step Over (F8) and we arrive into AfxWinMain function:


Now we'll get the address of VFT, that is the Virtual Functions Table! Why? Because you can see there are some call [EAX+XXh]. Indeed in EAX there will be the VFT address so then, added with a specific constant, we'll obtain a precise function. In our case the address is 0x402110. Open morto.exe also in IDA disassembler to get more info, let's go to 402110 address and you can see the VFT. So the first call in disassembler is the InitInstance function of CWinApp class (MSDN for more information) because 402110 + 8C = 40219C, now back in IDA, scroll down till 40219C address and you can verify that it corresponds to InitInstance. Through same reasoning you get information about other function calls.


The call that execute important tasks is CALL NEAR DWORD PTR DS:[EAX+58], Step into...

Through call at address 40165F we obtain the address of a encrypted block. This encrypted block is the one which will be copied in wpa registry key and it is contained in morto.exe. This address in my PC is 8F1796. Step by step and you will understand more better all this. See follow:


After this call there is a malloc function which allocates a memory block of BBDFh (48095d bytes) size. Once executed it, in EAX there's the address of this memory block ( in my PC is 3339C0, keep in mind! ) Than there are some important things, look below:


- First it prepares ESI and EDI register with address of previously encrypted code and memory block allocated before respectively;

- Second it prepares ECX counter register for REP instruction.

Properly with 2 REP instuctions it moves the content of encrypted block into memory block allocated by malloc before; from 8F1796 to 8FC375 hence from 3339C0 to 33E59F. Take a look at the ESI and EDI registers and follow them in dump to verify!

The call at address 40169C do nothing of important, replace the content of some stack address with 0s.

Another important call is the call at address 4016b2, hence step into and when you meet next call F7 again and we land here in one important piece of code:


As you can see, first through a loop it's rewritten the encrypted block, then there is a VirtualAlloc API which commits a region of pages. In my PC the address of this committed page is 9F0000 with excecutable-read-write permits (XRW flag in LordPE). All this it's important because in this committed page there will be write the clb library, that is the payload. The next call instead writes some things into committed page. Let's continue the analysis.

As in all other cases, after VirtualAlloc API follow LoadLibrary and GetProcAddress to write IT (Import Table), step now into the call at address 40110D and you will see the code below:


Comments on the image and your debugging steps will be the icing on the cake to understand much more!

If you continue debugging you'll arrive to call EDX. This instruction call the dll (in this case cld.dll) which it was prepared through previously explained steps. Now it's time to use LordPE to dump the dll to analyze further. To do that, step into call EDX and we land here, EP of dll ;) :

009FE8A2    55              PUSH    EBP
009FE8A3    8BEC            MOV     EBP, ESP
009FE8A5    53              PUSH    EBX
009FE8A6    8B5D 08         MOV     EBX, DWORD PTR SS:[EBP+8]
009FE8A9    56              PUSH    ESI
009FE8AA    8B75 0C         MOV     ESI, DWORD PTR SS:[EBP+0C]
009FE8AD    57              PUSH    EDI
009FE8AE    8B7D 10         MOV     EDI, DWORD PTR SS:[EBP+10]
009FE8B1    85F6            TEST    ESI, ESI
009FE8B3    75 09           JNE     SHORT 009FE8BE
009FE8B5    833D 75D8A300 0 CMP     DWORD PTR DS:[0A3D875], 0
009FE8BC    EB 26           JMP     SHORT 009FE8E4

Now, open LordPE -> select our morto.exe -> right click -> Dump Region and select the address 9F0000, the only with XRW flag. This is the memory region before being committed by VirtualAlloc (see above if you don't remember) Give a name at dump, then open it with one HexEditor and delete everything before MZ signature and save it, i.e. as clbDump.dll. As I said before this dll is the payload, that performs most of the main actions, said with simple words.

If you open it in CFF Explorer you can confirm that it's a dll, just look in File Header -> Characteristics -> 'File is a DLL' is checked.

Once call EDX is executed morto.exe "jump" into clb.dll to perform the most important features, but we'll deal with it in the next tutorial!

[ Update: 29/09/2012 ]

Ok, time is passed and I didn't write 2nd part of the Morto Analysis as I said in the last part of this tutorial. Write about it now doesn't make sense but, at least, I can list main payload operations once it's allocated in memory, decrypted, re-allocated again and started by dropper.

Below the operations:

- Morto tries to connect to infected computer and exploits Remote Desktop connection ( RDP  protocol ) to the 3389 port. The usernames used are listed below

1
actuser
adm
admin
admin2
administrator
aspnet
backup
computer
console
david
guest
john
owner
root
server
sql
support
support_388945a0
sys
test2
test3
user
user1
user5


with follow passwords

 !@#$%
%u%12
*1234
000000
111
1111
111111
123
123123
123321
12345
123456
1234567
12345678
123456789
1234567890
1234qwer
168168
1q2w3e
1qaz2wsx
369
520520
654321
666666
888888
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user


It's clear now because I said "weak passwords". ;)

- Morto downloads r.reg file, and through it starts rundll32.exe with Administration privilege to execute clb.dll malicious DLL at next OS startup. All this by way of the \\tsclient\a

- Malicious domains contacted by Morto below

210.3.38.82
jifr.info
jifr.co.cc
jifr.co.be
jifr.net
qfsl.net
qfsl.co.cc
qfsl.co.be


- Morto is also capables to download new components and new payload variants, which moreover it's installed also as Windows Service named 6o4.

- More, Morto has hardcoded string like these:

ACAAS
360rp
a2service
ArcaConfSV
AvastSvc
avguard
avgwdsvc
avp
avpmapp
ccSvcHst
cmdagent
coreServiceShell
ekrn
FortiScand
FPAVServer
freshclam
fsdfwd
GDFwSvc
K7RTScan
knsdave
KVSrvXP
kxescore
mcshield
MPSvc
MsMpEng
NSESVC.EXE
PavFnSvr
RavMonD
SavService
scanwscs
SpySweeper
Vba32Ldr
vsserv
zhudongfangyu

which is used to stop some processes of most popular security software.

Ok, I want to clinch that this update is only to conclude the post in different way because I hadn't time to publish the payload analysis made by me one year ago. Again, this update didn't add new informations compared to that you can find reading other analysis.


The new/last variant

The new Morto variant mainly has added file infection capability through Code Injection but the goal is the same of the first variant; compromise RDP connections with weak Admin password.

Morto Injects its code to svchost.exe Windows OS file system, then creates a Mutex, to avoid multiple injections to the same file, named Global\_PPIftSvc.
The file infected, after injection, has in the MZ Header PPIF string as Infection Marker.

Malicious domains contacted by Morto to download other files, updates, etc are:

d.ppns.info
e.ppift.net
e.ppift.com
e.ppift.in


In addition to these operations, there are no significant changes compared to the previous variant of the malware, so this is all.


Greetings

Greetings goes to Quequero, Evilcry, Giada and all other UIC members! =)

Antelox

Sunday, July 11, 2010

Just some Acrobat exploits

In this second post I will explain the functions in the javascript code carved out used to exploit the Acrobat vulnerability.

First of all we take a look at the function that acts as a version-check of Acrobat with which the victim opened to read the pdf infected.

This is the function:



the function name is GDUvmppC (). Inside, yVXd variable is declared, and through app.viewerVersion.toString () function is initialized with the respective version number of Acrobat. At last, through Iterations will start the respective exploit depending on the detected version.

If the version is less than 8, then performs the waDmT () function.
If the version is greater than 8, then performs the FdAY () function.
If the version is less than 9.1, then performs the mLU() function.
If the version is less than version 9.2, then performs the breakfast() function.

As you can see there are 4 functions.

The waDmT() function exploits the collectEmailInfo vulnerability
-> collectEmailInfo({ subj:"",msg:mmk })



The FdAY() function exploits the util.printf vulnerability
-> util.printf("%45000f",uzpymeSR)



The mLU() function exploits the getIcon vulnerability
-> app.doc.Collab.getIcon(gGsYFcss)



The breakfast() function exploits the util.printd vulnerability
-> util.printd(GDagaCuyNfRSFzaSZLO, new Date())



All functions contain shellcode, and in particular we find them some interesting links:

- http://*/yogetheadshot.php?ids=UdPDF
- http://*/yogetheadshot.php


From these two links are downloaded same malware. Malware are identical because they are only called from two different links depending on the version of Acrobat ;)

In the next post I'll try to explain what makes the malware downloaded through the PDF.

Bye, see you in the next post. =)

Analysis of a malformed and exploited PDF

Hi
today I'm going to analyze an infected PDF which allows Acrobat exploitation :)

The file target is called soreheadprattler.pdf
md5: AF485196F31F66B07D87E63DFCA41239
At moment when I'm writing, referring to Virustotal, PDF is detected by 29.27% of AV ( 12/41 ), to be honest, very low rate to the potential of the exploit in question. This PDF, using the Sophos nomenclatur, is identified as Troj/PDFJs-LJ

Let's go to analyze the PDF.

First of all I take this opportunity to thank my friend Daniel for giving me the opportunity to act as tester, being still under development. Thx =)
The tool in question is PDF Insider, for more info visit ntcore.com.

Opening the PDF file in PDF Insider we immediately notice a malformation.



We warned of an unresolved xref. The xref keyword ( Cross-reference ) in PDF format are used to search the objects, in fact for this problem we have no object apparently, but this is not a problem because PDF Insider provides us special functions for finding objects to solve these mishaps ;).
In fact clicking on Detect Object we get 4 objects: 1.0, 2.0, 3.0 and 4.0.
Here a screenshot:



Each object may contain the JS code and / or compressed Stream. Of course in our case being merely 4 would not be a problem to go through each object and check for interesting content, but if it was a pdf with many object was a real suicide, unless you are masochistic :P.

PDF Insider intervenes again to our aid, showing what object or stream contains JavaScript code.



We can see that the 4.0 object contains both Stream ( compressed ) and Javascript code, as well as being the only one!
But let's go to see what's interesting inside it:



We note immediately between the Info, interesting Filters:

- LZWDecode: This indicats that data are compressed, as I said before. LZW ( Lempel-Ziv-Welsh ) is more used as a data compression algorithm in PDF;
- ASCII85Decode: Other encryption algorithm, also known as Base85 encoding used for communication protocols;
- ASCIIHexDecode: Decodes data encoded in an ASCII hexadecimal
representation, reproducing the original binary data;
- RLE: The RLE ( Run Length Decode ) decompresses data encoded using a byte-oriented run-length encoding algorithm, reproducing the original text or binary data.

Now that we have this info we can also do proper analysis of 4.0 Object. PDF Insider supports LZW algorithm and thus is able to decompress it easily to show the contents of the Stream:



What is immediately evident is the declaration of a variable, specifically named B0b. Skip to the eye because it contains a very long string. But scrolldown to see how this variable is used!

As I thought! It is used in a function that operates a character replacement. It's easy to see that there are many "@" and indeed this character will be replaced by another. Better explain the whole, below the rest of the code:



First are declared some variables. At z variable is assigned the value app.doc which is then chained to complete the function with syncAnnotScan().
Immediatly below B0b varaible is worked. BOb.replace (/ @ / g, String.fromCharCode (32-1 +6) makes a global research (-> /g) throughout the data block to find "@" char and then replace it by the function String.fromCharCode () with the symbol related to hex code 37 (32-1 +6 == 37) that corresponds to the symbol "%". Well, we obtein a new data block:



Before I mentioned app.doc and syncAnnotScan so now I report the explanation from Adobe documentation:

- app: The app object is a static object that represents the Acrobat application itself. It offers a
number of Acrobat-specific functions in addition to a variety of utility routines and
convenience functions.

- doc: The doc object is the primary interface to the PDF document, and it can be used to access
and manipulate its content. The doc object provides the interfaces between a PDF
document open in the viewer and the JavaScript interpreter.

- syncAnnotScan: The syncAnnotScan method guarantees that all annotations in the documents are scanned.

Once we've done all, we find the classic eval () function and inside the unescape() function.
First of all through the unescape function data block which we talked about before is decoded getting the horrible javascript code and then run through eval () function, so oN ().

In the next post I will explain how functions in the javascript code, which we got after these simple steps, are used to exploit vulnerabilities in various versions of Adobe.

Bye, see you in the next post. =)

Friday, June 25, 2010

Qt Creator 2.0 is Out!

Then OllyDbg 2.0 news, another one good; Qt Creator 2.0 is out. This last version integrates more nice features, improvements and it's makes to develop more fast and easy with mobile development kit. Qt Libraries 4.6.3 is also out. More info:



Nokia today released Qt Creator 2.0, an updated version of its cross-platform integrated development environment (IDE) for use with the Qt framework. Qt Creator 2.0 brings a range of new features specifically designed to make mobile development for Symbian, MeeGo and other platforms faster and easier.


Qt Creator 2.0 is available as part of the Nokia Qt SDK 1.0 – also released today – as part of an updated build of the Qt SDK, or as a standalone binary or source download. All Qt releases are available for download from http://qt.nokia.com/downloads.


Qt Creator 2.0 part of Nokia Qt SDK 1.0

Released today, the Nokia Qt SDK provides developers with a single package containing all tools they need – including Qt Creator and the Qt framework – to code, simulate, debug and build cross-platform applications for Symbian, Maemo, and in the future, MeeGo devices. For more information, and to download, visit http://www.forum.nokia.com/Develop/Qt/Tools/.


For a detailed list of changes introduced in Qt Creator 2.0, consult the changes file found in the packages or browse the information in the Qt Developer Zone at http://qt.nokia.com/developer/changes/changes-qtcreator-2.0.


New Qt APIs for Mobile Development Updates

Also released today is an update to the New Qt APIs for mobile development – Mobility 1.0.1. The patch release provides new Symbian backends, finalizes the Qt Multimedia API and includes bug fixes. For more information, visit the New Qt APIs for mobile development catalog.


To download SDK: Qt

Bye. =)