Comments for KOrUPt http://korupt.co.uk Disassembling logic at its best... Sat, 13 Feb 2010 01:35:26 +0000 hourly 1 Comment on Unpacking ASPack by XPN http://korupt.co.uk/?p=42&cpage=1#comment-2387 XPN Sat, 13 Feb 2010 01:35:26 +0000 http://korupt.co.uk/?p=42#comment-2387 Excellent tut mate, just getting into unpacking and this was a good first step. Thanks again XPN Excellent tut mate, just getting into unpacking and this was a good first step.

Thanks again
XPN

]]> Comment on Revised PE infecter source by Bill http://korupt.co.uk/?p=112&cpage=1#comment-2322 Bill Fri, 05 Feb 2010 15:26:40 +0000 http://korupt.co.uk/?p=112#comment-2322 KOrUPt thanks for sharing it with us. I need your help though; I tried to infect a packed exe with UPX, and now it does not start at all. It says "Error executing program". Do you have any idea why ? Thanks in advance. KOrUPt thanks for sharing it with us.
I need your help though; I tried to infect a packed exe with UPX, and now it does not start at all. It says “Error executing program”. Do you have any idea why ?
Thanks in advance.

]]> Comment on PE Infection by sunorr http://korupt.co.uk/?p=75&cpage=1#comment-2218 sunorr Wed, 13 Jan 2010 14:25:07 +0000 http://korupt.co.uk/?p=75#comment-2218 if we move the exe file which infected by this program to the other windows OS Version. I don`t think it can run normaly. sorry,my English is poorrr~ if we move the exe file which infected by this program to the other windows OS Version. I don`t think it can run normaly.

sorry,my English is poorrr~

]]> Comment on JmpFinder by Pradeep http://korupt.co.uk/?p=80&cpage=1#comment-2002 Pradeep Mon, 12 Oct 2009 13:36:48 +0000 http://korupt.co.uk/?p=80#comment-2002 Hi, Can we conclude anything if JMP instruction is found in code. Hi,

Can we conclude anything if JMP instruction is found in code.

]]> Comment on PE Infection by Pradeep http://korupt.co.uk/?p=75&cpage=1#comment-2001 Pradeep Mon, 12 Oct 2009 12:56:59 +0000 http://korupt.co.uk/?p=75#comment-2001 Hi, very good post KOrUPt!! How would you detect this kind of infection. Hi,

very good post KOrUPt!!
How would you detect this kind of infection.

]]> Comment on Unpacking DLL’s without LoadDLL by Twink http://korupt.co.uk/?p=25&cpage=1#comment-1478 Twink Fri, 11 Sep 2009 22:03:32 +0000 http://korupt.co.uk/?p=25#comment-1478 Thanks! Good work. Thanks! Good work.

]]> Comment on Defcon CTF 09 Quals… by psifertex http://korupt.co.uk/?p=135&cpage=1#comment-1279 psifertex Tue, 25 Aug 2009 23:23:17 +0000 http://korupt.co.uk/?p=135#comment-1279 Matang_Lawin: Depends on what role you'd like to take. I've got a lot of suggestions in the talk. The updated slides are online on the Defcon site but also here: http://capture.thefl.ag/2009/DefconPresentation/ As soon as I can dig up audio or video I'll put it online. Unfortunately I forgot to record audio myself. :-( Matang_Lawin: Depends on what role you’d like to take. I’ve got a lot of suggestions in the talk.

The updated slides are online on the Defcon site but also here: http://capture.thefl.ag/2009/DefconPresentation/

As soon as I can dig up audio or video I’ll put it online. Unfortunately I forgot to record audio myself. :-(

]]> Comment on Revised PE infecter source by KOrUPt http://korupt.co.uk/?p=112&cpage=1#comment-1138 KOrUPt Sat, 15 Aug 2009 17:07:50 +0000 http://korupt.co.uk/?p=112#comment-1138 Gary, what kind of further information are you looking for? Please be specific. Thanks in advance. Now, C++Noob... Take note of the call to UnloadFile() and the following LoadFile() call just after, the file is first unloaded an then re-mapped into memory in the expanded form... lpMapInfo = LoadFile(target, dwStubSize); This line appends dwStubSize bytes to the file and maps it into memory. dwWriteOffset = (GetFileSize(lpMapInfo->hFile, NULL)) - dwStubSize; This line acquires the length of the file including the newly appended null bytes and subtracts the size of the stub in bytes to make sure there's enough room to place the stub into the file. I hope this helps to clarify the issue, if not, please let me know. Apologies for late approval of comments. KOrUPt. Gary, what kind of further information are you looking for? Please be specific. Thanks in advance.

Now, C++Noob…

Take note of the call to UnloadFile() and the following LoadFile() call just after, the file is first unloaded an then re-mapped into memory in the expanded form…

lpMapInfo = LoadFile(target, dwStubSize);

This line appends dwStubSize bytes to the file and maps it into memory.

dwWriteOffset = (GetFileSize(lpMapInfo->hFile, NULL)) – dwStubSize;

This line acquires the length of the file including the newly appended null bytes and subtracts the size of the stub in bytes to make sure there’s enough room to place the stub into the file.

I hope this helps to clarify the issue, if not, please let me know.

Apologies for late approval of comments.

KOrUPt.

]]> Comment on Revised PE infecter source by C++Noob http://korupt.co.uk/?p=112&cpage=1#comment-1135 C++Noob Sat, 15 Aug 2009 07:55:55 +0000 http://korupt.co.uk/?p=112#comment-1135 Hey Korupt, I was examining the source and im a little confused on something... InfectionHelper.cpp line 168: Wouldnt using GetFileSize on the handle from CreateFile return the original size of the file? therefore, writing to GetFileSize - dwStubSize would be overwriting part of the original PE file wouldnt it? Hey Korupt, I was examining the source and im a little confused on something… InfectionHelper.cpp line 168: Wouldnt using GetFileSize on the handle from CreateFile return the original size of the file? therefore, writing to GetFileSize – dwStubSize would be overwriting part of the original PE file wouldnt it?

]]> Comment on Favourite Wargame Level… by dong http://korupt.co.uk/?p=65&cpage=1#comment-1066 dong Mon, 10 Aug 2009 06:28:26 +0000 http://korupt.co.uk/?p=65#comment-1066 likewise, any pointers or just tough luck? likewise, any pointers or just tough luck?

]]>