Monday, December 28, 2009

A way to work with SoftIce on XP SP3 through VMware

Hi to all,
after a couple of months I'm back to writing on my blog...

This time I want to provide you with a very useful pack containing everything needed to work with SoftIce on XP SP3 through VMware.

Follow these steps:

1. Copy compuware.dat to your C:\windows\system32\drivers folder;

2. Start Autorun.exe and, during the installation, use the serial: 7888-5842DD-DD ( you can also use the keygen provided with this pack );

3. When you must choose between the 14-day trial option and selecting a license file, choose the license file; don't choose the 14-day trial!
Set the path to: C:\windows\system32\drivers\compuware.dat
Finish the installation;

4. Restart;

5. Copy OSINFO.DAT to your C:\windows\system32\drivers folder, overwriting it if it exists;

6. Disable DEP by adding the following switch to the boot entry in c:\boot.ini:

/noexecute=alwaysoff


7. Modify the VM's *.vmx file, adding:

svga.maxFullscreenRefreshTick = 5
vmmouse.present = "FALSE"


8. Copy dbghelp.dll and symsrv.dll to the C:\Programmi\Compuware\DriverStudio [or DriverSuite]\Softice\SymbolRetriever directory, overwriting them if they exist;

Now run SoftIce and it'll work [ hopefully ;) ] fine on NT and XP in VMware.

Here is the link to download the pack: SIce Pack

Thanks to all the ExeTools members, and a special thanks to WhoCares!!!

Sorry for my bad English. :P

Bye, see you in the next post =)

Thursday, October 1, 2009

Win32Hlp for Windows 7 x86 and x64

As many people have noticed, Windows 7 can't open .hlp files natively!!! A couple of days ago I found WinHlp for Windows 7 x86 and x64, so I decided to share it with you ;P

This is the link where you can download it: WinHlp

See you in the next post. =)

Monday, September 28, 2009

P-Code Opcodes List

I have backed up a database of P-Code opcodes, so it can help you and me reverse VB programs compiled to P-Code.

Original URL: Database

Backed-up HTML file: OpCode

See you in the next post!!!

Bye. =)

Monday, September 7, 2009

DLL Export Comparer

My friend Evilcry has released a new useful tool: DLL Export Comparer!!!

DLL Export Comparer can be used to compare DLLs and log the differences to a file.

It's developed in Qt.

Here's a screenshot:

ExpComparer

Qt DLLs NOT INCLUDED!!!

You must have these 3 Qt libraries:
- QtCore4.dll;
- QtGui4.dll;
- mingwm10.dll.

DLL Export Comparer

Bye, see you in the next post. =)

Wednesday, September 2, 2009

Patch Diff 2: A useful plugin for IDA Pro

PatchDiff2 is a plugin for the Windows version of the IDA disassembler that can analyze two IDB files and find the differences between them. PatchDiff2 is free and fully integrates with the latest version of IDA (5.2).
The plugin can perform the following tasks:

  • Display the list of identical functions;
  • Display the list of matched functions;
  • Display the list of unmatched functions (with the CRC);
  • Display a flow graph for identical and matched functions.

The main purpose of this plugin is to be fast and give accurate results when working on a security patch or a hotfix. Therefore this tool is not made to find similar functions between two different programs.
PatchDiff2 supports all processors that IDA can handle and is available in two versions: 32-bit and 64-bit.

Patch Diff 2

See you in the next post!!!

Bye. :)

Thursday, August 20, 2009

Virus Win32:Induc

Hi all,

this morning, while I was programming in Delphi with my Delphi 7 IDE, I noticed that the exe I had compiled was detected by my AV as a virus.

My AV is Avast!, and the compiled exe was detected specifically as Win32:Induc.

Win32:Induc is a newly emerging threat, dated exactly 18/08/09.

I have googled and looked on my PC, and I can say this:

The virus first searches the registry for the RootDir key under HKLM\Software\Borland\Delphi\X.0\, which specifies the folder where your Delphi IDE is installed.

[ X indicates the version of the Delphi IDE installed on your PC ]

Once that is done, the virus infects the file SysConst.pas, a Delphi library source file located in Source\Rtl\Sys\ .
Then it searches for the \lib directory in Delphi's root directory, copies SysConst.pas to the \bin directory and injects malicious code into it.

Then the virus renames the original Delphi library file \lib\SysConst.dcu to \lib\SysConst.bak.

In place of the original .dcu file, the virus invokes the Delphi compiler [ bin\dcc32.exe ] and compiles a new, infected SysConst.dcu library file.

Soon afterwards, it erases the previously infected .pas file, i.e. SysConst.pas, and sets the date and time of the new SysConst.dcu to the same date/time as the original file.

After all this has been done, any project compiled with the Delphi IDE is infected automatically.
Indeed, this is what happened to me :P

I resolved this problem, or at least it seems so, in this way:

- I deleted both SysConst files, i.e. the .bak and the .dcu, from \lib;

- I put back the original SysConst.pas from the setup folder at the path \Source\Rtl\Sys, and compiled it when I compiled my project.

These two simple steps appear to have solved the problem; in fact, the compiled exe file was no longer detected as infected.

That's all for this time, see you in the next post :)
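A check for the traces described above, written as an added example that is not part of the original post: it inspects one Delphi root directory for a renamed lib\SysConst.bak, a rebuilt lib\SysConst.dcu whose content no longer matches the .bak (even though its timestamp was copied back), and a leftover bin\SysConst.pas. The fixture tree is constructed in a temp directory for demonstration, not a real Delphi installation.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_delphi_root(root: Path) -> list[str]:
    """Return the traces, described in the post, found under one Delphi root."""
    findings = []
    bak = root / "lib" / "SysConst.bak"
    dcu = root / "lib" / "SysConst.dcu"
    leftover = root / "bin" / "SysConst.pas"  # copied source that should not exist
    if bak.exists():
        findings.append("lib\\SysConst.bak present (original unit was renamed)")
        if dcu.exists():
            if sha256_of(bak) != sha256_of(dcu):
                findings.append("lib\\SysConst.dcu differs from SysConst.bak (unit was rebuilt)")
            # The post notes the rebuilt .dcu gets the original date/time,
            # so an unchanged mtime is not evidence that the unit is clean.
            if int(bak.stat().st_mtime) == int(dcu.stat().st_mtime):
                findings.append("SysConst.dcu mtime matches SysConst.bak (timestamp copied back)")
    if leftover.exists():
        findings.append("bin\\SysConst.pas present (copied source left behind)")
    return findings


def build_fixture(infected: bool) -> Path:
    """Constructed demo tree (not a real Delphi install) in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="delphi_demo_"))
    (root / "lib").mkdir()
    (root / "bin").mkdir()
    dcu = root / "lib" / "SysConst.dcu"
    dcu.write_bytes(b"original compiled SysConst unit")
    if infected:
        bak = root / "lib" / "SysConst.bak"
        dcu.rename(bak)  # original .dcu renamed to .bak
        dcu.write_bytes(b"rebuilt SysConst unit with injected code")
        st = bak.stat()  # timestamp copied from the original onto the new .dcu
        os.utime(dcu, (st.st_atime, st.st_mtime))
    return root


if __name__ == "__main__":
    for flag in (False, True):
        print("infected" if flag else "clean", scan_delphi_root(build_fixture(flag)))
```

On a real machine the root paths come from the RootDir keys the post names; the fixture only stands in for them.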

Bye.

Wednesday, August 19, 2009

Hello World!!!

Hi all,
this is the first post on my blog.

I hope that you'll find many interesting posts here: Reverse Engineering, solutions for malware and other malicious programs, technical news and much more ;)

See you in the next post!!!

bye.